From a4dd8d894be59701ec60fa8e3936a2c301dbb5df Mon Sep 17 00:00:00 2001
From: Samuel Tian
Date: Wed, 2 Mar 2022 17:24:53 -0500
Subject: [PATCH 01/69] generated assembly for mulmod
---
 src/SlowPrimeSynthesisExamplesCopy.v | 575 +++++++++++++++++++++++++++
 src/log.out | 73 ++++
 2 files changed, 648 insertions(+)
 create mode 100644 src/SlowPrimeSynthesisExamplesCopy.v
 create mode 100644 src/log.out
diff --git a/src/SlowPrimeSynthesisExamplesCopy.v b/src/SlowPrimeSynthesisExamplesCopy.v
new file mode 100644
index 0000000000..7fa3610762
--- /dev/null
+++ b/src/SlowPrimeSynthesisExamplesCopy.v
@@ -0,0 +1,575 @@
+Require Import Coq.ZArith.ZArith.
+Require Import Coq.QArith.QArith.
+Require Import Coq.QArith.Qround.
+Require Import Coq.Strings.String.
+Require Import Coq.derive.Derive.
+Require Import Coq.Lists.List.
+Require Import Crypto.Util.ZRange.
+Require Import Crypto.Arithmetic.Core.
+Require Import Crypto.Arithmetic.ModOps.
+Require Import Crypto.Arithmetic.Partition.
+Require Import Crypto.PushButtonSynthesis.UnsaturatedSolinas.
+Require Import Crypto.UnsaturatedSolinasHeuristics.
+Require Crypto.PushButtonSynthesis.SaturatedSolinas.
+Require Crypto.PushButtonSynthesis.WordByWordMontgomery.
+Require Crypto.Stringification.C.
+Require Crypto.Stringification.Go.
+Require Crypto.Stringification.Java.
+Require Import Crypto.BoundsPipeline.
+Require Import Crypto.Util.ZUtil.ModInv.
+
+Require Import Coq.ZArith.Znat.
+
+Require Import Crypto.Util.Notations.
+Local Open Scope string_scope.
+Local Open Scope list_scope.
+Import ListNotations. Local Open Scope Z_scope.
+
+Import
+ AbstractInterpretation.Compilers
+ Language.Compilers
+ Language.API.Compilers.
+
+Import Language.API.Compilers.API.
+
+Import Associational Positional.
+
+Local Coercion Z.of_nat : nat >-> Z.
+Local Coercion QArith_base.inject_Z : Z >-> Q.
+Local Coercion Z.pos : positive >-> Z.
+
+Local Existing Instance default_low_level_rewriter_method.
+Local Existing Instance AbstractInterpretation.default_Options.
+Local Instance : unfold_value_barrier_opt := true.
+Local Instance : assembly_hints_lines_opt := None.
+Local Instance : ignore_unique_asm_names_opt := false.
+Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction.
+Local Existing Instance default_language_naming_conventions.
+Local Existing Instance default_documentation_options.
+Local Instance : package_name_opt := None.
+Local Instance : class_name_opt := None.
+
+Local Existing Instance default_output_options.
+
+Module debugging_mul.
+ Import Crypto.Arithmetic.Saturated.
+ Import Stringification.C.
+ Import Stringification.C.Compilers.
+ Import Stringification.C.Compilers.ToString.
+
+ Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage.
+ Local Instance : only_signed_opt := false.
+ Local Instance : no_select_opt := false.
+ Local Instance : static_opt := true.
+ Local Instance : internal_static_opt := true.
+ Local Instance : inline_opt := true.
+ Local Instance : inline_internal_opt := true.
+ Local Instance : use_mul_for_cmovznz_opt := false.
+ Local Instance : emit_primitives_opt := true.
+ Local Instance : should_split_mul_opt := false.
+ Local Instance : should_split_multiret_opt := false.
+ Local Instance : widen_carry_opt := false.
+ Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *)
+
+ Let s := 2^256.
+ Let c := [(1, 38)].
+ Let machine_wordsize := 64.
+
+ Let possible_values := prefix_with_carry [machine_wordsize].
+ Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *)
+ Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize.
+ Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values.
+ Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values.
+
+ Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)).
+ Let m : nat := Z.to_nat (2*n).
+
+ Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange.
+ Let boundsn : list (ZRange.type.option.interp base.type.Z)
+ := repeat bound n.
+
+ Let out_bound := Some r[0 ~> (2^(machine_wordsize*2) - 1)]%zrange.
+ Let out_boundsn : list (ZRange.type.option.interp base.type.Z)
+ := repeat out_bound n.
+
+ Time Compute
+ Show.show
+ (Pipeline.BoundsPipelineToString
+ "fiat" "mul"
+ false
+ false
+ None
+ possible_values
+ machine_wordsize
+ ltac:(let n := (eval cbv in n) in
+ let m := (eval cbv in m) in
+ let r := Reify (@Saturated.Rows.mul (weight machine_wordsize 1) (2^machine_wordsize) n m) in
+ exact r)
+ (fun _ _ => [])
+ (Some boundsn, (Some boundsn, tt))
+ (Some boundsn, None)
+ (None, (None, tt))
+ (None, None)
+ : Pipeline.ErrorT _).
+
+End debugging_mul.
+
+Module debugging_red.
+
+ Import PreExtra.
+ Import Util.LetIn.
+ Import ZUtil.Definitions.
+ Import Weight.
+
+ Section solinas_reduction.
+
+ Context weight {wprops : @weight_properties weight}.
+
+ (* Definition sat_reduce base s c n (p : list (Z * Z)) := *)
+ (* let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in *)
+ (* let lo_hi := Associational.split s' p in *)
+ (* fst lo_hi ++ (Saturated.Associational.sat_mul_const base [(1, s'/s)] (Saturated.Associational.sat_mul_const base c (snd lo_hi))). *)
+
+ Definition sat_mul_const_test s n (p : list (Z * Z)) (q : list Z) :=
+ let q_a := Positional.to_associational weight n q in
+ let pq_a := Saturated.Associational.sat_mul_const s p q_a in
+ let pq_r := Saturated.Rows.from_associational weight n pq_a in
+ let pq_f := Saturated.Rows.flatten weight n pq_r in
+ pq_f.
+
+ Definition sat_mul_const_test2 s n (p : list (Z * Z)) (q : list Z) :=
+ let q_a := Positional.to_associational weight n q in
+ let pq_a := Saturated.Associational.sat_mul_const s p q_a in
+ let pq_r := Saturated.Rows.from_associational weight n pq_a in
+ pq_r.
+
+ (* Definition sat_reduce_positional base s c m n (p : list Z) := *)
+ (* let p_a := Positional.to_associational weight m p in *)
+ (* let r_a := sat_reduce base s c m p_a in *)
+ (* let r_r := Saturated.Rows.from_associational weight n r_a in *)
+ (* let r_f := Saturated.Rows.flatten weight n r_r in *)
+ (* r_f. *)
+
+ Definition sat_reduce base s c n (p : list (Z * Z)) :=
+ let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in
+ let lo_hi := Associational.split s' p in
+ let mul_residue := Saturated.Associational.sat_mul base [(1, s'/s)] c in
+ fst lo_hi ++ (Saturated.Associational.sat_mul_const base mul_residue (snd lo_hi)).
+
+ Definition repeat_sat_reduce base s c (p : list (Z * Z)) n :=
+ fold_right (fun _ q => sat_reduce base s c n q) p (seq 0 n).
+
+ Definition mulmod base s c n nreductions (p q : list Z) :=
+ let p_a := Positional.to_associational weight n p in
+ let q_a := Positional.to_associational weight n q in
+ let pq_a := Saturated.Associational.sat_mul base p_a q_a in
+ let r_a := repeat_sat_reduce base s c pq_a nreductions in
+ Saturated.Rows.flatten weight n (Saturated.Rows.from_associational weight n r_a).
+
+ End solinas_reduction.
+
+ Section __.
+
+ Let s := 2^255.
+ Let c := [(1, 19)].
+ Let machine_wordsize := 64.
+ Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)).
+ Let m : nat := 2 * n.
+ Let nreductions : nat :=
+ let i := fold_right Z.max 0 (map (fun t => Z.log2 (fst t) / machine_wordsize) c) in
+ if Z.of_nat m - i <=? 1
+ then n
+ else Z.to_nat (Qceiling (Z.of_nat m / (Z.of_nat m - i - 1))).
+ Let nreductions' : nat := nreductions * 2%nat.
+ Compute nreductions.
+
+ Let w : nat -> Z := weight machine_wordsize 1.
+ Let base : Z := 2 ^ machine_wordsize.
+
+ Compute (sat_mul_const_test w base 2 c [5; 5]).
+ Compute (sat_mul_const_test2 w base 2 c [5; 5]).
+ Compute (sat_mul_const_test w base 2 [(1, 2)] [5; 5]).
+
+ Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange.
+ Let bounds : list (ZRange.type.option.interp base.type.Z)
+ := repeat bound 1.
+ Let boundsn : list (ZRange.type.option.interp base.type.Z)
+ := repeat bound (n).
+ Let in_boundsn : list (ZRange.type.option.interp base.type.Z)
+ := repeat bound (2 * n).
+ Let out_boundsn : list (ZRange.type.option.interp base.type.Z)
+ := repeat bound n.
+
+ Import Crypto.Arithmetic.Saturated.
+ Import Stringification.C.
+ Import Stringification.C.Compilers.
+ Import Stringification.C.Compilers.ToString.
+
+ Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage.
+ Local Instance : only_signed_opt := false.
+ Local Instance : no_select_opt := false.
+ Local Instance : static_opt := true.
+ Local Instance : internal_static_opt := true.
+ Local Instance : inline_opt := true.
+ Local Instance : inline_internal_opt := true.
+ Local Instance : use_mul_for_cmovznz_opt := false.
+ Local Instance : emit_primitives_opt := true.
+ Local Instance : should_split_mul_opt := false.
+ Local Instance : should_split_multiret_opt := false.
+ Local Instance : widen_carry_opt := false.
+ Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *)
+
+ Let possible_values := prefix_with_carry [machine_wordsize].
+ Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *)
+ Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize.
+ Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values.
+ Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values.
+
+ (* Time Compute *)
+ (* Show.show *)
+ (* (Pipeline.BoundsPipelineToString *)
+ (* "fiat" "mul" *)
+ (* false (* subst01 *) *)
+ (* false (* inline *) *)
+ (* None (* fancy *) *)
+ (* possible_values *)
+ (* machine_wordsize *)
+ (* ltac:(let n := (eval cbv in n) in *)
+ (* let r := Reify (sat_mul_const_test (weight machine_wordsize 1) s n c) in *)
+ (* exact r) *)
+ (* (fun _ _ => []) *)
+ (* (Some boundsn, tt) *)
+ (* (Some boundsn, None) *)
+ (* (None, tt) *)
+ (* (None, None) *)
+ (* : Pipeline.ErrorT _). *)
+
+ Time Compute
+ Show.show
+ (Pipeline.BoundsPipelineToString
+ "fiat" "mul"
+ false (* subst01 *)
+ false (* inline *)
+ None (* fancy *)
+ possible_values
+ machine_wordsize
+ ltac:(let n := (eval cbv in n) in
+ let nreductions' := (eval cbv in nreductions') in
+ let r := Reify (mulmod (weight machine_wordsize 1) (2^machine_wordsize) s c n 3) in
+ exact r)
+ (fun _ _ => [])
+ (Some boundsn, (Some boundsn, tt))
+ (Some boundsn, None)
+ (None, (None, tt))
+ (None, None)
+ : Pipeline.ErrorT _).
+
+ Time Compute
+ Show.show
+ (Pipeline.BoundsPipelineToString
+ "fiat" "mul"
+ false (* subst01 *)
+ false (* inline *)
+ None (* fancy *)
+ possible_values
+ machine_wordsize
+ ltac:(let n := (eval cbv in n) in
+ let nreductions' := (eval cbv in nreductions') in
+ let r := Reify (Saturated.Rows.mulmod (weight machine_wordsize 1) (2^machine_wordsize) s c n 3) in
+ exact r)
+ (fun _ _ => [])
+ (Some boundsn, (Some boundsn, tt))
+ (Some boundsn, None)
+ (None, (None, tt))
+ (None, None)
+ : Pipeline.ErrorT _).
+
+ Time Compute
+ Show.show
+ (Pipeline.BoundsPipelineToString
+ "fiat" "mul"
+ false
+ false
+ None
+ possible_values
+ machine_wordsize
+ ltac:(let n := (eval cbv in n) in
+ let m := (eval cbv in m) in
+ let r := Reify (sat_reduce_positional (weight machine_wordsize 1) (2^machine_wordsize) s c m n) in
+ exact r)
+ (fun _ _ => [])
+ (Some (repeat bound (2*n)), tt)
+ (Some (repeat bound n), None)
+ (None, tt)
+ (None, None)
+ : Pipeline.ErrorT _).
+
+ End __.
+
+End debugging_red.
+ +(** + = "Success (""/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out2: None + */ +static void mul(uint64_t out1[4], uint64_t* out2, const uint64_t arg1[4], const uint64_t arg2[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + fiatuint1 x68; + uint64_t x69; + uint64_t x70; + fiatuint1 x71; + uint64_t x72; + fiatuint1 x73; + uint64_t x74; + uint64_t x75; + fiatuint1 x76; + uint64_t x77; + fiatuint1 x78; + uint64_t x79; + fiatuint1 x80; + uint64_t x81; + fiatuint1 x82; + uint64_t x83; + fiatuint1 x84; + uint64_t x85; + fiatuint1 x86; + uint64_t x87; + fiatuint1 x88; + uint64_t x89; + 
fiatuint1 x90; + uint64_t x91; + fiatuint1 x92; + uint64_t x93; + fiatuint1 x94; + uint64_t x95; + fiatuint1 x96; + uint64_t x97; + fiatuint1 x98; + uint64_t x99; + fiatuint1 x100; + uint64_t x101; + fiatuint1 x102; + uint64_t x103; + fiatuint1 x104; + uint64_t x105; + fiatuint1 x106; + uint64_t x107; + fiatuint1 x108; + uint64_t x109; + fiatuint1 x110; + uint64_t x111; + fiatuint1 x112; + uint64_t x113; + fiatuint1 x114; + uint64_t x115; + fiatuint1 x116; + uint64_t x117; + fiatuint1 x118; + uint64_t x119; + fiatuint1 x120; + uint64_t x121; + fiatuint1 x122; + uint64_t x123; + fiatuint1 x124; + uint64_t x125; + fiatuint1 x126; + uint64_t x127; + fiatuint1 x128; + uint64_t x129; + fiatuint1 x130; + uint64_t x131; + fiatuint1 x132; + uint64_t x133; + fiatuint1 x134; + uint64_t x135; + fiatuint1 x136; + uint64_t x137; + fiatuint1 x138; + uint64_t x139; + fiatuint1 x140; + uint64_t x141; + fiatuint1 x142; + uint64_t x143; + fiatuint1 x144; + uint64_t x145; + fiatuint1 x146; + uint64_t x147; + fiatuint1 x148; + uint64_t x149; + fiatuint1 x150; + uint64_t x151; + fiatuint1 x152; + uint64_t x153; + fiatuint1 x154; + uint64_t x155; + fiatuint1 x156; + uint64_t x157; + fiatuint1 x158; + uint64_t x159; + fiatuint1 x160; + uint64_t x161; + fiatuint1 x162; + uint64_t x163; + fiatmulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); + fiatmulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); + fiatmulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); + fiatmulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); + fiatmulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); + fiatmulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); + fiatmulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); + fiatmulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); + fiatmulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); + fiatmulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); + fiatmulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); + fiatmulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); + fiatmulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); + fiatmulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); + fiatmulx_u64(&x29, 
&x30, (arg1[0]), (arg2[1])); + fiatmulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); + fiatmulx_u64(&x33, &x34, UINT8_C(0x26), x2); + fiatmulx_u64(&x35, &x36, UINT8_C(0x26), x1); + fiatmulx_u64(&x37, &x38, UINT8_C(0x26), x4); + fiatmulx_u64(&x39, &x40, UINT8_C(0x26), x3); + fiatmulx_u64(&x41, &x42, UINT8_C(0x26), x6); + fiatmulx_u64(&x43, &x44, UINT8_C(0x26), x5); + fiatmulx_u64(&x45, &x46, UINT8_C(0x26), x8); + fiatmulx_u64(&x47, &x48, UINT8_C(0x26), x10); + fiatmulx_u64(&x49, &x50, UINT8_C(0x26), x9); + fiatmulx_u64(&x51, &x52, UINT8_C(0x26), x12); + fiatmulx_u64(&x53, &x54, UINT8_C(0x26), x11); + fiatmulx_u64(&x55, &x56, UINT8_C(0x26), x14); + fiatmulx_u64(&x57, &x58, UINT8_C(0x26), x18); + fiatmulx_u64(&x59, &x60, UINT8_C(0x26), x17); + fiatmulx_u64(&x61, &x62, UINT8_C(0x26), x20); + fiatmulx_u64(&x63, &x64, UINT8_C(0x26), x26); + fiatmulx_u64(&x65, &x66, UINT8_C(0x26), x34); + fiataddcarryx_u64(&x67, &x68, 0x0, x32, x39); + x69 = (x68 + x30); + fiataddcarryx_u64(&x70, &x71, 0x0, x67, x41); + fiataddcarryx_u64(&x72, &x73, x71, x69, 0x0); + x74 = (x73 + x28); + fiataddcarryx_u64(&x75, &x76, 0x0, x70, x44); + fiataddcarryx_u64(&x77, &x78, x76, x72, x35); + fiataddcarryx_u64(&x79, &x80, x78, x74, 0x0); + fiataddcarryx_u64(&x81, &x82, 0x0, x75, x46); + fiataddcarryx_u64(&x83, &x84, x82, x77, x37); + fiataddcarryx_u64(&x85, &x86, x84, x79, 0x0); + fiataddcarryx_u64(&x87, &x88, 0x0, x81, x49); + fiataddcarryx_u64(&x89, &x90, x88, x83, x40); + fiataddcarryx_u64(&x91, &x92, x90, x85, x33); + fiataddcarryx_u64(&x93, &x94, 0x0, x87, x51); + fiataddcarryx_u64(&x95, &x96, x94, x89, x42); + fiataddcarryx_u64(&x97, &x98, x96, x91, x36); + fiataddcarryx_u64(&x99, &x100, 0x0, x31, x65); + fiataddcarryx_u64(&x101, &x102, x100, x93, x54); + fiataddcarryx_u64(&x103, &x104, x102, x95, x47); + fiataddcarryx_u64(&x105, &x106, x104, x97, x38); + fiataddcarryx_u64(&x107, &x108, 0x0, x99, x43); + fiataddcarryx_u64(&x109, &x110, x108, x101, x56); + fiataddcarryx_u64(&x111, &x112, x110, x103, 
x50); + fiataddcarryx_u64(&x113, &x114, x112, x105, x48); + fiataddcarryx_u64(&x115, &x116, 0x0, x107, x45); + fiataddcarryx_u64(&x117, &x118, x116, x109, x57); + fiataddcarryx_u64(&x119, &x120, x118, x111, x52); + fiataddcarryx_u64(&x121, &x122, x120, x113, x7); + fiataddcarryx_u64(&x123, &x124, 0x0, x115, x53); + fiataddcarryx_u64(&x125, &x126, x124, x117, x60); + fiataddcarryx_u64(&x127, &x128, x126, x119, x58); + fiataddcarryx_u64(&x129, &x130, x128, x121, x13); + fiataddcarryx_u64(&x131, &x132, 0x0, x123, x55); + fiataddcarryx_u64(&x133, &x134, x132, x125, x62); + fiataddcarryx_u64(&x135, &x136, x134, x127, x15); + fiataddcarryx_u64(&x137, &x138, x136, x129, x16); + fiataddcarryx_u64(&x139, &x140, 0x0, x131, x59); + fiataddcarryx_u64(&x141, &x142, x140, x133, x64); + fiataddcarryx_u64(&x143, &x144, x142, x135, x21); + fiataddcarryx_u64(&x145, &x146, x144, x137, x19); + fiataddcarryx_u64(&x147, &x148, 0x0, x139, x61); + fiataddcarryx_u64(&x149, &x150, x148, x141, x23); + fiataddcarryx_u64(&x151, &x152, x150, x143, x24); + fiataddcarryx_u64(&x153, &x154, x152, x145, x22); + fiataddcarryx_u64(&x155, &x156, 0x0, x147, x63); + fiataddcarryx_u64(&x157, &x158, x156, x149, x29); + fiataddcarryx_u64(&x159, &x160, x158, x151, x27); + fiataddcarryx_u64(&x161, &x162, x160, x153, x25); + x163 = ((((((((((((uint64_t)x80 + x86) + (uint64_t)x92) + (uint64_t)x98) + (uint64_t)x106) + (uint64_t)x114) + (uint64_t)x122) + (uint64_t)x130) + (uint64_t)x138) + (uint64_t)x146) + (uint64_t)x154) + (uint64_t)x162); + out1[0] = x155; + out1[1] = x157; + out1[2] = x159; + out1[3] = x161; + *out2 = x163; +}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" + : string +Finished transaction in 3.993 secs (3.94u,0.009s) (successful) +**) diff --git a/src/log.out b/src/log.out new file mode 100644 index 0000000000..60f390f0d3 --- /dev/null +++ b/src/log.out 
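Review bot: The third `Time Compute` in Section `__` reifies `sat_reduce_positional`, but the only definition of that name in this file is the commented-out block just above `sat_reduce` in Section `solinas_reduction`, so unless an imported module exports it this command fails on an unbound identifier; either restore the definition or drop the command (the next commit in the series replaces it, which suggests it did not work here). Separately, `repeat_sat_reduce base s c p n` uses its last argument both as the iteration count (`seq 0 n`) and as the limb count handed to `sat_reduce`, so when `mulmod` calls `repeat_sat_reduce base s c pq_a nreductions` the `adjust_s weight (S (S n)) s` inside `sat_reduce` is driven by `nreductions` rather than the real `n`; `Definition repeat_sat_reduce base s c n (p : list (Z * Z)) nreductions := fold_right (fun _ q => sat_reduce base s c n q) p (seq 0 nreductions).` keeps the two meanings apart. The two `mulmod` pipeline calls also bind `let nreductions' := (eval cbv in nreductions') in` and then pass the literal `3`, so the computed reduction count is never used.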
@@ -0,0 +1,73 @@ + = "Success (""/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out2: None + */ +static void mul(uint64_t out1[2], uint64_t* out2, const uint64_t arg1[2], const uint64_t arg2[2]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + fiatuint1 x20; + uint64_t x21; + fiatuint1 x22; + uint64_t x23; + fiatuint1 x24; + uint64_t x25; + fiatuint1 x26; + uint64_t x27; + fiatuint1 x28; + uint64_t x29; + fiatuint1 x30; + uint64_t x31; + fiatuint1 x32; + uint64_t x33; + fiatuint1 x34; + uint64_t x35; + fiatuint1 x36; + uint64_t x37; + fiatuint1 x38; + uint64_t x39; + fiatmulx_u64(&x1, &x2, (arg1[1]), (arg2[1])); + fiatmulx_u64(&x3, &x4, (arg1[1]), (arg2[0])); + fiatmulx_u64(&x5, &x6, (arg1[0]), (arg2[1])); + fiatmulx_u64(&x7, &x8, (arg1[0]), (arg2[0])); + fiatmulx_u64(&x9, &x10, 0x2, x2); + fiatmulx_u64(&x11, &x12, 0x2, x1); + fiatmulx_u64(&x13, &x14, 0x2, x4); + fiatmulx_u64(&x15, &x16, 0x2, x6); + fiatmulx_u64(&x17, &x18, 0x2, (fiatuint1)x10); + fiataddcarryx_u64(&x19, &x20, 0x0, x8, x9); + fiataddcarryx_u64(&x21, &x22, 0x0, x19, (fiatuint1)x12); + fiataddcarryx_u64(&x23, &x24, 0x0, x7, x17); + fiataddcarryx_u64(&x25, &x26, x24, x21, (fiatuint1)x14); + fiataddcarryx_u64(&x27, &x28, 0x0, x23, x11); + fiataddcarryx_u64(&x29, &x30, x28, x25, (fiatuint1)x16); + fiataddcarryx_u64(&x31, &x32, 0x0, x27, x13); + fiataddcarryx_u64(&x33, &x34, x32, x29, x3); + fiataddcarryx_u64(&x35, &x36, 0x0, x31, x15); + fiataddcarryx_u64(&x37, &x38, x36, x33, x5); + x39 = ((((((uint64_t)x20 + x22) + (uint64_t)x26) + (uint64_t)x30) + 
(uint64_t)x34) + (uint64_t)x38); + out1[0] = x35; + out1[1] = x37; + *out2 = x39; +}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" + : string From b0c926daa14f82adc503b5e6c2aa5adfeffa7b09 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 6 Mar 2022 18:08:20 -0500 Subject: [PATCH 02/69] updated assembly for solinas reduction --- src/SlowPrimeSynthesisExamplesCopy.v | 469 +++++++++++++-------------- 1 file changed, 230 insertions(+), 239 deletions(-) diff --git a/src/SlowPrimeSynthesisExamplesCopy.v b/src/SlowPrimeSynthesisExamplesCopy.v index 7fa3610762..57826a5cf8 100644 --- a/src/SlowPrimeSynthesisExamplesCopy.v +++ b/src/SlowPrimeSynthesisExamplesCopy.v @@ -125,11 +125,7 @@ Module debugging_red. Context weight {wprops : @weight_properties weight}. - (* Definition sat_reduce base s c n (p : list (Z * Z)) := *) - (* let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in *) - (* let lo_hi := Associational.split s' p in *) - (* fst lo_hi ++ (Saturated.Associational.sat_mul_const base [(1, s'/s)] (Saturated.Associational.sat_mul_const base c (snd lo_hi))). *) - + (* Definition sat_mul_const_test s n (p : list (Z * Z)) (q : list Z) := let q_a := Positional.to_associational weight n q in let pq_a := Saturated.Associational.sat_mul_const s p q_a in 
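Review bot: The added `(*` line opens a block comment over `sat_mul_const_test` and `sat_mul_const_test2` that is only closed by `pq_r. *)` in the next hunk (`-141,14 +137,7`), which leaves two dead definitions in the file as commented-out code; since git keeps the history and this commit already deletes the old `sat_reduce` comment block outright, deleting these too reads cleaner, and the `-186,9 +193,23` hunk removes their only `Compute` callers anyway. If they are kept for reference, a one-line reason such as `(* kept for hand-checking sat_mul_const; not used by the pipeline *)` above the `(*` would tell the next reader why.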
@@ -141,14 +137,7 @@ Module debugging_red. let q_a := Positional.to_associational weight n q in let pq_a := Saturated.Associational.sat_mul_const s p q_a in let pq_r := Saturated.Rows.from_associational weight n pq_a in - pq_r. - - (* Definition sat_reduce_positional base s c m n (p : list Z) := *) - (* let p_a := Positional.to_associational weight m p in *) - (* let r_a := sat_reduce base s c m p_a in *) - (* let r_r := Saturated.Rows.from_associational weight n r_a in *) - (* let r_f := Saturated.Rows.flatten weight n r_r in *) - (* r_f. *) + pq_r. *) Definition sat_reduce base s c n (p : list (Z * Z)) := let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in 
@@ -159,12 +148,30 @@ Module debugging_red. Definition repeat_sat_reduce base s c (p : list (Z * Z)) n := fold_right (fun _ q => sat_reduce base s c n q) p (seq 0 n). - Definition mulmod base s c n nreductions (p q : list Z) := + Definition mul_no_reduce base n (p q : list Z) := let p_a := Positional.to_associational weight n p in let q_a := Positional.to_associational weight n q in let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let r_a := repeat_sat_reduce base s c pq_a nreductions in - Saturated.Rows.flatten weight n (Saturated.Rows.from_associational weight n r_a). + let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in + let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + pq. + + Definition reduce_double_wide base s c n m nreductions (p : list Z) := + let p_a := Positional.to_associational weight n p in + let r_a := repeat_sat_reduce base s c p_a nreductions in + let r_rows := Saturated.Rows.from_associational weight m r_a in + let r_flat := Saturated.Rows.flatten weight m r_rows in + r_flat. + + Definition mulmod base s c n nreductions (p q : list Z) := + let pq := mul_no_reduce base n p q in + let pq_f := fst pq in + let pq_r := reduce_double_wide base s c (2*n) n nreductions pq_f in + pq_r. +(* let pq_f := fst pq in + let pq_a' := Positional.to_associational weight (2*n) pq_f in + let r_a := Saturated.Rows.repeat_sat_reduce weight base s c pq_a' nreductions in + Saturated.Rows.flatten weight n (Saturated.Rows.from_associational weight n r_a). *) End solinas_reduction. 
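Review bot: `mulmod` keeps only `fst pq` from `mul_no_reduce` and silently drops the second `Z` component of the `Saturated.Rows.flatten weight (2*n)` result (the carry out, judging by the `list Z * Z` type given to `pq` in the next hunk); that is presumably sound because an n-limb by n-limb product fits in 2*n limbs, but nothing says so, and a comment such as `(* carry out of the 2n-limb flatten is 0 for an n x n product, so it is dropped *)` above `let pq_f := fst pq in` would save the next reader from re-deriving it. `reduce_double_wide base s c n m nreductions` takes `n` as the input limb count and `m` as the output limb count, while `mulmod` calls it as `reduce_double_wide base s c (2*n) n nreductions pq_f`, so the same letter means different things at the definition and the call site; a header comment naming the two counts (input width, reduced width) would help. Note also that `repeat_sat_reduce` in the context lines at the top of this hunk still forwards its iteration count `n` into `sat_reduce` as the limb count, so `adjust_s` inside `sat_reduce` is driven by `nreductions` here. The commented-out `(* let pq_f := fst pq in ... *)` block after `mulmod` is dead and can go.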
@@ -186,9 +193,23 @@ Module debugging_red. Let w : nat -> Z := weight machine_wordsize 1. Let base : Z := 2 ^ machine_wordsize. - Compute (sat_mul_const_test w base 2 c [5; 5]). - Compute (sat_mul_const_test2 w base 2 c [5; 5]). - Compute (sat_mul_const_test w base 2 [(1, 2)] [5; 5]). + Let v : Z := 2^64 - 1. + + Let p : list Z := (repeat v n). + Let q : list Z := (repeat v n). + + Let pq : list Z * Z:= mul_no_reduce w base n p q. + Compute p. + Compute pq. + Compute (Positional.eval w n p). + Compute (Positional.eval w n q). + Compute (mul_no_reduce w base n p q). + Compute (mulmod w base s c n nreductions p q). + Compute (let p_a := Positional.to_associational w 2 p in + let q_a := Positional.to_associational w 2 q in + let pq_a := Saturated.Associational.sat_mul base p_a q_a in + let pq_p := Positional.from_associational w 5 pq_a in + pq_p). Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. Let bounds : list (ZRange.type.option.interp base.type.Z) @@ -225,25 +246,6 @@ Module debugging_red. Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - (* Time Compute *) - (* Show.show *) - (* (Pipeline.BoundsPipelineToString *) - (* "fiat" "mul" *) - (* false (* subst01 *) *) - (* false (* inline *) *) - (* None (* fancy *) *) - (* possible_values *) - (* machine_wordsize *) - (* ltac:(let n := (eval cbv in n) in *) - (* let r := Reify (sat_mul_const_test (weight machine_wordsize 1) s n c) in *) - (* exact r) *) - (* (fun _ _ => []) *) - (* (Some boundsn, tt) *) - (* (Some boundsn, None) *) - (* (None, tt) *) - (* (None, None) *) - (* : Pipeline.ErrorT _). *) - Time Compute Show.show (Pipeline.BoundsPipelineToString 
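Review bot: The last added `Compute` hard-codes the limb counts as `2` and `5` (`Positional.to_associational w 2 p`, `Positional.from_associational w 5 pq_a`) while `p` and `q` are built as `repeat v n` and every other line here is parameterised by `n`; by the definitions of `s`, `machine_wordsize` and `n` in this section `n` is 4, so this product only covers the low two limbs of each input, and if that is intentional a comment saying so would help, otherwise `n` and `2*n` are what the neighbouring `mul_no_reduce w base n p q` check uses. Minor: `Let v : Z := 2^64 - 1.` repeats the wordsize as a literal where `2^machine_wordsize - 1` would track it, and `Let pq : list Z * Z:= mul_no_reduce w base n p q.` is missing the space before `:=`; `Let pq : list Z * Z := mul_no_reduce w base n p q.` matches the rest of the file.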
@@ -264,26 +266,7 @@ Module debugging_red. (None, None) : Pipeline.ErrorT _). - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false (* subst01 *) - false (* inline *) - None (* fancy *) - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let nreductions' := (eval cbv in nreductions') in - let r := Reify (Saturated.Rows.mulmod (weight machine_wordsize 1) (2^machine_wordsize) s c n 3) in - exact r) - (fun _ _ => []) - (Some boundsn, (Some boundsn, tt)) - (Some boundsn, None) - (None, (None, tt)) - (None, None) - : Pipeline.ErrorT _). - + (* compiling standalone reduce *) Time Compute Show.show (Pipeline.BoundsPipelineToString @@ -294,12 +277,13 @@ Module debugging_red. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let m := (eval cbv in m) in - let r := Reify (sat_reduce_positional (weight machine_wordsize 1) (2^machine_wordsize) s c m n) in + let r := Reify (reduce_double_wide (weight machine_wordsize 1) + (2^machine_wordsize) + s c (2*n) n 3) in exact r) (fun _ _ => []) (Some (repeat bound (2*n)), tt) - (Some (repeat bound n), None) + (Some boundsn, None) (None, tt) (None, None) : Pipeline.ErrorT _). @@ -308,8 +292,8 @@ Module debugging_red. End debugging_red. -(** - = "Success (""/* +(* += "Success (""/* * Input Bounds: * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 
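Review bot: In the `-294,12 +277,13` hunk the new `Reify (reduce_double_wide (weight machine_wordsize 1) (2^machine_wordsize) s c (2*n) n 3)` hard-codes the reduction count as `3` even though Section `__` computes `nreductions` (and `nreductions'`) from `c` for exactly this purpose, and the surviving `mulmod` pipeline earlier in the section does the same while still binding `let nreductions' := (eval cbv in nreductions') in` without using it. If 3 is a deliberate choice for `2^255 - 19` with 64-bit limbs, a comment next to the literal, e.g. `(* 3 reductions chosen by hand; nreductions above is the conservative bound *)`, records that; otherwise `let nreductions := (eval cbv in nreductions) in` and passing `nreductions` keeps the parameter and the call in step.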
@@ -351,136 +335,95 @@ static void mul(uint64_t out1[4], uint64_t* out2, const uint64_t arg1[4], const uint64_t x31; uint64_t x32; uint64_t x33; - uint64_t x34; + fiatuint1 x34; uint64_t x35; - uint64_t x36; + fiatuint1 x36; uint64_t x37; uint64_t x38; - uint64_t x39; + fiatuint1 x39; uint64_t x40; - uint64_t x41; + fiatuint1 x41; uint64_t x42; - uint64_t x43; + fiatuint1 x43; uint64_t x44; uint64_t x45; - uint64_t x46; + fiatuint1 x46; uint64_t x47; - uint64_t x48; + fiatuint1 x48; uint64_t x49; - uint64_t x50; + fiatuint1 x50; uint64_t x51; - uint64_t x52; + fiatuint1 x52; uint64_t x53; - uint64_t x54; + fiatuint1 x54; uint64_t x55; uint64_t x56; - uint64_t x57; + fiatuint1 x57; uint64_t x58; - uint64_t x59; + fiatuint1 x59; uint64_t x60; - uint64_t x61; + fiatuint1 x61; uint64_t x62; - uint64_t x63; + fiatuint1 x63; uint64_t x64; - uint64_t x65; + fiatuint1 x65; uint64_t x66; - uint64_t x67; - fiatuint1 x68; - uint64_t x69; + fiatuint1 x67; + uint64_t x68; + fiatuint1 x69; uint64_t x70; fiatuint1 x71; uint64_t x72; fiatuint1 x73; uint64_t x74; - uint64_t x75; - fiatuint1 x76; - uint64_t x77; - fiatuint1 x78; - uint64_t x79; - fiatuint1 x80; - uint64_t x81; - fiatuint1 x82; - uint64_t x83; - fiatuint1 x84; - uint64_t x85; - fiatuint1 x86; - uint64_t x87; - fiatuint1 x88; - uint64_t x89; - fiatuint1 x90; - uint64_t x91; - fiatuint1 x92; - uint64_t x93; - fiatuint1 x94; - uint64_t x95; - fiatuint1 x96; + fiatuint1 x75; + uint64_t x76; + fiatuint1 x77; + uint64_t x78; + fiatuint1 x79; + uint64_t x80; + fiatuint1 x81; + uint64_t x82; + fiatuint1 x83; + uint64_t x84; + fiatuint1 x85; + uint64_t x86; + fiatuint1 x87; + uint64_t x88; + fiatuint1 x89; + uint64_t x90; + fiatuint1 x91; + uint64_t x92; + fiatuint1 x93; + uint64_t x94; + fiatuint1 x95; + uint64_t x96; uint64_t x97; - fiatuint1 x98; + uint64_t x98; uint64_t x99; - fiatuint1 x100; + uint64_t x100; uint64_t x101; - fiatuint1 x102; + uint64_t x102; uint64_t x103; - fiatuint1 x104; + uint64_t x104; uint64_t x105; 
- fiatuint1 x106; - uint64_t x107; - fiatuint1 x108; - uint64_t x109; - fiatuint1 x110; - uint64_t x111; - fiatuint1 x112; - uint64_t x113; - fiatuint1 x114; - uint64_t x115; - fiatuint1 x116; - uint64_t x117; - fiatuint1 x118; - uint64_t x119; - fiatuint1 x120; - uint64_t x121; - fiatuint1 x122; - uint64_t x123; - fiatuint1 x124; - uint64_t x125; - fiatuint1 x126; - uint64_t x127; - fiatuint1 x128; - uint64_t x129; - fiatuint1 x130; - uint64_t x131; - fiatuint1 x132; - uint64_t x133; - fiatuint1 x134; - uint64_t x135; - fiatuint1 x136; - uint64_t x137; - fiatuint1 x138; - uint64_t x139; - fiatuint1 x140; - uint64_t x141; - fiatuint1 x142; - uint64_t x143; - fiatuint1 x144; - uint64_t x145; - fiatuint1 x146; - uint64_t x147; - fiatuint1 x148; - uint64_t x149; - fiatuint1 x150; - uint64_t x151; - fiatuint1 x152; - uint64_t x153; - fiatuint1 x154; - uint64_t x155; - fiatuint1 x156; - uint64_t x157; - fiatuint1 x158; - uint64_t x159; - fiatuint1 x160; - uint64_t x161; - fiatuint1 x162; - uint64_t x163; + uint64_t x106; + fiatuint1 x107; + uint64_t x108; + fiatuint1 x109; + uint64_t x110; + fiatuint1 x111; + uint64_t x112; + fiatuint1 x113; + uint64_t x114; + fiatuint1 x115; + uint64_t x116; + fiatuint1 x117; + uint64_t x118; + fiatuint1 x119; + uint64_t x120; + fiatuint1 x121; + uint64_t x122; fiatmulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); fiatmulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); fiatmulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); 
@@ -497,79 +440,127 @@ static void mul(uint64_t out1[4], uint64_t* out2, const uint64_t arg1[4], const fiatmulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); fiatmulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); fiatmulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); - fiatmulx_u64(&x33, &x34, UINT8_C(0x26), x2); - fiatmulx_u64(&x35, &x36, UINT8_C(0x26), x1); - fiatmulx_u64(&x37, &x38, UINT8_C(0x26), x4); - fiatmulx_u64(&x39, &x40, UINT8_C(0x26), x3); - fiatmulx_u64(&x41, &x42, UINT8_C(0x26), x6); - fiatmulx_u64(&x43, &x44, UINT8_C(0x26), x5); - fiatmulx_u64(&x45, &x46, UINT8_C(0x26), x8); - fiatmulx_u64(&x47, &x48, UINT8_C(0x26), x10); - fiatmulx_u64(&x49, &x50, UINT8_C(0x26), x9); - fiatmulx_u64(&x51, &x52, UINT8_C(0x26), x12); - fiatmulx_u64(&x53, &x54, UINT8_C(0x26), x11); - fiatmulx_u64(&x55, &x56, UINT8_C(0x26), x14); - fiatmulx_u64(&x57, &x58, UINT8_C(0x26), x18); - fiatmulx_u64(&x59, &x60, UINT8_C(0x26), x17); - fiatmulx_u64(&x61, &x62, UINT8_C(0x26), x20); - fiatmulx_u64(&x63, &x64, UINT8_C(0x26), x26); - fiatmulx_u64(&x65, &x66, UINT8_C(0x26), x34); - fiataddcarryx_u64(&x67, &x68, 0x0, x32, x39); - x69 = (x68 + x30); - fiataddcarryx_u64(&x70, &x71, 0x0, x67, x41); - fiataddcarryx_u64(&x72, &x73, x71, x69, 0x0); - x74 = (x73 + x28); - fiataddcarryx_u64(&x75, &x76, 0x0, x70, x44); - fiataddcarryx_u64(&x77, &x78, x76, x72, x35); - fiataddcarryx_u64(&x79, &x80, x78, x74, 0x0); - fiataddcarryx_u64(&x81, &x82, 0x0, x75, x46); - fiataddcarryx_u64(&x83, &x84, x82, x77, x37); - fiataddcarryx_u64(&x85, &x86, x84, x79, 0x0); - fiataddcarryx_u64(&x87, &x88, 0x0, x81, x49); - fiataddcarryx_u64(&x89, &x90, x88, x83, x40); - fiataddcarryx_u64(&x91, &x92, x90, x85, x33); - fiataddcarryx_u64(&x93, &x94, 0x0, x87, x51); - fiataddcarryx_u64(&x95, &x96, x94, x89, x42); - fiataddcarryx_u64(&x97, &x98, x96, x91, x36); - fiataddcarryx_u64(&x99, &x100, 0x0, x31, x65); - fiataddcarryx_u64(&x101, &x102, x100, x93, x54); - fiataddcarryx_u64(&x103, &x104, x102, x95, x47); - fiataddcarryx_u64(&x105, 
&x106, x104, x97, x38); - fiataddcarryx_u64(&x107, &x108, 0x0, x99, x43); - fiataddcarryx_u64(&x109, &x110, x108, x101, x56); - fiataddcarryx_u64(&x111, &x112, x110, x103, x50); - fiataddcarryx_u64(&x113, &x114, x112, x105, x48); - fiataddcarryx_u64(&x115, &x116, 0x0, x107, x45); - fiataddcarryx_u64(&x117, &x118, x116, x109, x57); - fiataddcarryx_u64(&x119, &x120, x118, x111, x52); - fiataddcarryx_u64(&x121, &x122, x120, x113, x7); - fiataddcarryx_u64(&x123, &x124, 0x0, x115, x53); - fiataddcarryx_u64(&x125, &x126, x124, x117, x60); - fiataddcarryx_u64(&x127, &x128, x126, x119, x58); - fiataddcarryx_u64(&x129, &x130, x128, x121, x13); - fiataddcarryx_u64(&x131, &x132, 0x0, x123, x55); - fiataddcarryx_u64(&x133, &x134, x132, x125, x62); - fiataddcarryx_u64(&x135, &x136, x134, x127, x15); - fiataddcarryx_u64(&x137, &x138, x136, x129, x16); - fiataddcarryx_u64(&x139, &x140, 0x0, x131, x59); - fiataddcarryx_u64(&x141, &x142, x140, x133, x64); - fiataddcarryx_u64(&x143, &x144, x142, x135, x21); - fiataddcarryx_u64(&x145, &x146, x144, x137, x19); - fiataddcarryx_u64(&x147, &x148, 0x0, x139, x61); - fiataddcarryx_u64(&x149, &x150, x148, x141, x23); - fiataddcarryx_u64(&x151, &x152, x150, x143, x24); - fiataddcarryx_u64(&x153, &x154, x152, x145, x22); - fiataddcarryx_u64(&x155, &x156, 0x0, x147, x63); - fiataddcarryx_u64(&x157, &x158, x156, x149, x29); - fiataddcarryx_u64(&x159, &x160, x158, x151, x27); - fiataddcarryx_u64(&x161, &x162, x160, x153, x25); - x163 = ((((((((((((uint64_t)x80 + x86) + (uint64_t)x92) + (uint64_t)x98) + (uint64_t)x106) + (uint64_t)x114) + (uint64_t)x122) + (uint64_t)x130) + (uint64_t)x138) + (uint64_t)x146) + (uint64_t)x154) + (uint64_t)x162); - out1[0] = x155; - out1[1] = x157; - out1[2] = x159; - out1[3] = x161; - *out2 = x163; + fiataddcarryx_u64(&x33, &x34, 0x0, x28, x7); + fiataddcarryx_u64(&x35, &x36, x34, x26, x5); + x37 = (x36 + x18); + fiataddcarryx_u64(&x38, &x39, 0x0, x33, x13); + fiataddcarryx_u64(&x40, &x41, x39, x35, x8); + 
fiataddcarryx_u64(&x42, &x43, x41, x37, 0x0); + x44 = (x43 + x10); + fiataddcarryx_u64(&x45, &x46, 0x0, x30, x15); + fiataddcarryx_u64(&x47, &x48, x46, x38, x16); + fiataddcarryx_u64(&x49, &x50, x48, x40, x11); + fiataddcarryx_u64(&x51, &x52, x50, x42, x3); + fiataddcarryx_u64(&x53, &x54, x52, x44, 0x0); + x55 = (x54 + x2); + fiataddcarryx_u64(&x56, &x57, 0x0, x45, x21); + fiataddcarryx_u64(&x58, &x59, x57, x47, x19); + fiataddcarryx_u64(&x60, &x61, x59, x49, x14); + fiataddcarryx_u64(&x62, &x63, x61, x51, x6); + fiataddcarryx_u64(&x64, &x65, x63, x53, 0x0); + fiataddcarryx_u64(&x66, &x67, x65, x55, 0x0); + fiataddcarryx_u64(&x68, &x69, 0x0, x32, x23); + fiataddcarryx_u64(&x70, &x71, x69, x56, x24); + fiataddcarryx_u64(&x72, &x73, x71, x58, x22); + fiataddcarryx_u64(&x74, &x75, x73, x60, x17); + fiataddcarryx_u64(&x76, &x77, x75, x62, x9); + fiataddcarryx_u64(&x78, &x79, x77, x64, x1); + fiataddcarryx_u64(&x80, &x81, x79, x66, 0x0); + fiataddcarryx_u64(&x82, &x83, 0x0, x68, x29); + fiataddcarryx_u64(&x84, &x85, x83, x70, x27); + fiataddcarryx_u64(&x86, &x87, x85, x72, x25); + fiataddcarryx_u64(&x88, &x89, x87, x74, x20); + fiataddcarryx_u64(&x90, &x91, x89, x76, x12); + fiataddcarryx_u64(&x92, &x93, x91, x78, x4); + fiataddcarryx_u64(&x94, &x95, x93, x80, 0x0); + fiatmulx_u64(&x96, &x97, UINT8_C(0x26), x94); + fiatmulx_u64(&x98, &x99, UINT8_C(0x26), x92); + fiatmulx_u64(&x100, &x101, UINT8_C(0x26), x90); + fiatmulx_u64(&x102, &x103, UINT8_C(0x26), x88); + fiatmulx_u64(&x104, &x105, UINT8_C(0x26), x97); + fiataddcarryx_u64(&x106, &x107, 0x0, x31, x104); + fiataddcarryx_u64(&x108, &x109, x107, x82, x100); + fiataddcarryx_u64(&x110, &x111, x109, x84, x98); + fiataddcarryx_u64(&x112, &x113, x111, x86, x96); + fiataddcarryx_u64(&x114, &x115, 0x0, x106, x102); + fiataddcarryx_u64(&x116, &x117, x115, x108, x103); + fiataddcarryx_u64(&x118, &x119, x117, x110, x101); + fiataddcarryx_u64(&x120, &x121, x119, x112, x99); + x122 = ((uint64_t)x113 + x121); + out1[0] = x114; + 
out1[1] = x116; + out1[2] = x118; + out1[3] = x120; + *out2 = x122; +}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" + : string +Finished transaction in 5.047 secs (5.032u,0.009s) (successful) +*) + +(* +"Success (""/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out2: None + */ +static void mul(uint64_t out1[4], uint64_t* out2, const uint64_t arg1[8]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + fiatuint1 x16; + uint64_t x17; + fiatuint1 x18; + uint64_t x19; + fiatuint1 x20; + uint64_t x21; + fiatuint1 x22; + uint64_t x23; + fiatuint1 x24; + uint64_t x25; + fiatuint1 x26; + uint64_t x27; + fiatuint1 x28; + uint64_t x29; + fiatuint1 x30; + uint64_t x31; + fiatmulx_u64(&x1, &x2, UINT8_C(0x26), (arg1[7])); + fiatmulx_u64(&x3, &x4, UINT8_C(0x26), (arg1[6])); + fiatmulx_u64(&x5, &x6, UINT8_C(0x26), (arg1[5])); + fiatmulx_u64(&x7, &x8, UINT8_C(0x26), (arg1[4])); + fiatmulx_u64(&x9, &x10, UINT8_C(0x26), x2); + x11 = (arg1[3]); + x12 = (arg1[2]); + x13 = (arg1[1]); + x14 = (arg1[0]); + fiataddcarryx_u64(&x15, &x16, 0x0, x14, x9); + fiataddcarryx_u64(&x17, &x18, x16, x13, x5); + fiataddcarryx_u64(&x19, &x20, x18, x12, x3); + fiataddcarryx_u64(&x21, &x22, x20, x11, x1); + fiataddcarryx_u64(&x23, &x24, 0x0, x15, x7); + fiataddcarryx_u64(&x25, &x26, x24, x17, x8); + fiataddcarryx_u64(&x27, &x28, 
x26, x19, x6); + fiataddcarryx_u64(&x29, &x30, x28, x21, x4); + x31 = ((uint64_t)x22 + x30); + out1[0] = x23; + out1[1] = x25; + out1[2] = x27; + out1[3] = x29; + *out2 = x31; }"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" : string -Finished transaction in 3.993 secs (3.94u,0.009s) (successful) -**) +Finished transaction in 2.767 secs (2.76u,0.s) (successful) +*) From e624d7d7dce74bbc8c892eecb8b6c53a18498d9d Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 10 Apr 2022 18:34:51 -0400 Subject: [PATCH 03/69] implemented reduce, working on bounds inference --- src/SlowPrimeSynthesisExamplesCopy.v | 577 +++++++++++---------------- src/log.out | 73 ---- 2 files changed, 222 insertions(+), 428 deletions(-) delete mode 100644 src/log.out diff --git a/src/SlowPrimeSynthesisExamplesCopy.v b/src/SlowPrimeSynthesisExamplesCopy.v index 57826a5cf8..c886f18a5d 100644 --- a/src/SlowPrimeSynthesisExamplesCopy.v +++ b/src/SlowPrimeSynthesisExamplesCopy.v @@ -51,7 +51,8 @@ Local Instance : class_name_opt := None. Local Existing Instance default_output_options. -Module debugging_mul. +Module compiling_mul. + Import Crypto.Arithmetic.Saturated. Import Stringification.C. Import Stringification.C.Compilers. @@ -88,10 +89,6 @@ Module debugging_mul. Let boundsn : list (ZRange.type.option.interp base.type.Z) := repeat bound n. - Let out_bound := Some r[0 ~> (2^(machine_wordsize*2) - 1)]%zrange. - Let out_boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat out_bound n. - Time Compute Show.show (Pipeline.BoundsPipelineToString 
@@ -112,32 +109,156 @@ Module debugging_mul. (None, None) : Pipeline.ErrorT _). -End debugging_mul. +End compiling_mul. -Module debugging_red. +Module compiling_reduce_flatten. Import PreExtra. Import Util.LetIn. Import ZUtil.Definitions. Import Weight. - Section solinas_reduction. + Let s := 2^255. + Let c := [(1, 19)]. + Let machine_wordsize := 64. + Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). + Let m : nat := 2 * n. + Let w : nat -> Z := weight machine_wordsize 1. + Let base : Z := 2 ^ machine_wordsize. + + Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. + Let boundsn : list (ZRange.type.option.interp base.type.Z) + := repeat bound (n). + + Import Stringification.C.Compilers. + Import Stringification.C.Compilers.ToString. + + Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. + Local Instance : only_signed_opt := false. + Local Instance : no_select_opt := false. + Local Instance : static_opt := true. + Local Instance : internal_static_opt := true. + Local Instance : inline_opt := true. + Local Instance : inline_internal_opt := true. + Local Instance : use_mul_for_cmovznz_opt := false. + Local Instance : emit_primitives_opt := true. + Local Instance : should_split_mul_opt := false. + Local Instance : should_split_multiret_opt := false. + Local Instance : widen_carry_opt := false. + Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) + + Let possible_values := prefix_with_carry [machine_wordsize]. + Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) + Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. + Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. 
+ Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. + + Section single_reduction. Context weight {wprops : @weight_properties weight}. - (* - Definition sat_mul_const_test s n (p : list (Z * Z)) (q : list Z) := - let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul_const s p q_a in - let pq_r := Saturated.Rows.from_associational weight n pq_a in - let pq_f := Saturated.Rows.flatten weight n pq_r in - pq_f. + Definition sat_reduce base s c n (p : list (Z * Z)) := + let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in + let lo_hi := Associational.split s' p in + let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let hi := Saturated.Associational.sat_mul_const base coef (snd lo_hi) in + let r := (fst lo_hi) ++ hi in + r. - Definition sat_mul_const_test2 s n (p : list (Z * Z)) (q : list Z) := + (* n is input width *) + Definition reduce1 base s c n (p : list Z) := + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight n r_a in + let r_flat := Saturated.Rows.flatten weight n r_rows in + fst r_flat. + + Definition reduce base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) p in + let r2 := reduce1 base s c (2*n) (r1) in + let r3 := reduce1 base s c (2*n) (r2) in + r3. + + Definition reduce' base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) p in + let r2 := reduce1 base s c (2*n) (r1) in + let r3 := reduce1 base s c (2*n) (r2) in + r3. + + Definition mul_no_reduce base n (p q : list Z) := + let p_a := Positional.to_associational weight n p in let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul_const s p q_a in - let pq_r := Saturated.Rows.from_associational weight n pq_a in - pq_r. 
*) + let pq_a := Saturated.Associational.sat_mul base p_a q_a in + let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in + let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + fst pq. + + Definition mulmod base s c n (p q : list Z) := + let prod := mul_no_reduce base n p q in + let red := reduce base s c n prod in + red. + + End single_reduction. + + Let v := (2^64-1). + Let p := repeat v (2*n). + Let r' := reduce' w base s c n p. + Compute r'. + + Let out_boundsn := (repeat bound n) ++ + [Some r[0~>0]%zrange] ++ + (repeat (Some r[0~>0]%zrange) (n-1)). + Compute out_boundsn. + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (reduce' w base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound (2*n)), tt) + (Some out_boundsn) + (None, tt) + (None) + : Pipeline.ErrorT _). + +(* Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (mulmod w base s c (2*n)) in + exact r) + (fun _ _ => []) + (Some (repeat bound (2*n)), (Some (repeat bound (2*n)), tt)) + (None, None) + (None, (None, tt)) + (None, None) + : Pipeline.ErrorT _). *) + +End compiling_reduce_flatten. + +Module compiling_red. + + Import PreExtra. + Import Util.LetIn. + Import ZUtil.Definitions. + Import Weight. + + Section solinas_reduction. + + Context weight {wprops : @weight_properties weight}. Definition sat_reduce base s c n (p : list (Z * Z)) := let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in 
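Review bot: `reduce` and `reduce'` in Section single_reduction are textually identical (three rounds of `reduce1 base s c (2*n)`), so one of them should be dropped or a comment above `reduce'` should state the intended difference. Because every round keeps the width at `2*n`, the result stays 2n limbs, which is why `out_boundsn` pins the upper n limbs to `r[0~>0]`; a comment on it such as `(* upper n limbs must be provably zero after three reductions; otherwise the pipeline rejects the function *)` would make that intent explicit rather than leaving it to the reader to reconstruct. `Let m : nat := 2 * n.` appears unused inside this module, which writes the literal `2*n` everywhere instead. The `sat_reduce` definition of `compiling_red` at the end of the hunk continues outside it.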
@@ -145,8 +266,16 @@ Module debugging_red. let mul_residue := Saturated.Associational.sat_mul base [(1, s'/s)] c in fst lo_hi ++ (Saturated.Associational.sat_mul_const base mul_residue (snd lo_hi)). - Definition repeat_sat_reduce base s c (p : list (Z * Z)) n := - fold_right (fun _ q => sat_reduce base s c n q) p (seq 0 n). + Definition flatten_to_positional (p : list Z * Z) := + fst p ++ [snd p]. + + Definition sat_reduce' base s c n (p : list (Z * Z)) := + let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in + let lo_hi := Associational.split s' p in + let v := Saturated.Associational.sat_mul base [(1, s'/s)] c in + let hi := Saturated.Associational.sat_mul base v (snd lo_hi) in + let r := fst lo_hi ++ hi in + r. Definition mul_no_reduce base n (p q : list Z) := let p_a := Positional.to_associational weight n p in 
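Review bot: `sat_reduce'` differs from the `sat_reduce` whose tail is the context above only in computing the folded-in high part with `Saturated.Associational.sat_mul` instead of `sat_mul_const`, and nothing records why both variants are kept; a comment above it, `(* variant of sat_reduce: hi is formed with sat_mul rather than sat_mul_const *)` plus the reason, would stop the two from being confused later. Its `n` argument is consumed only through `adjust_s weight (S (S n)) s`, which is worth saying in the same comment since callers elsewhere in the patch pass a value that is not a limb count. `flatten_to_positional` has no caller in this hunk; if nothing else in the file uses it, it is dead code.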
@@ -154,24 +283,29 @@ Module debugging_red. let pq_a := Saturated.Associational.sat_mul base p_a q_a in let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in let pq := Saturated.Rows.flatten weight (2*n) pq_rows in - pq. + fst pq. - Definition reduce_double_wide base s c n m nreductions (p : list Z) := + Definition reduce_flatten base s c n nreductions (p : list Z) := let p_a := Positional.to_associational weight n p in - let r_a := repeat_sat_reduce base s c p_a nreductions in - let r_rows := Saturated.Rows.from_associational weight m r_a in - let r_flat := Saturated.Rows.flatten weight m r_rows in - r_flat. + let r_a := sat_reduce' base s c nreductions p_a in + let r_rows := Saturated.Rows.from_associational weight n r_a in + let r_flat := Saturated.Rows.flatten weight n r_rows in + fst r_flat. + + Definition repeat_reduce_flatten base s c n nreductions (p : list Z) := + fold_right (fun _ q => reduce_flatten base s c n nreductions q) p (seq 0 nreductions). + + Definition reduce_product base s c n m nreductions (p : list Z) := + let r := repeat_reduce_flatten base s c n nreductions p in + let r_a := Positional.to_associational weight n r in + let r_r := Saturated.Rows.from_associational weight m r_a in + let r_f := Saturated.Rows.flatten weight m r_r in + fst r_f. Definition mulmod base s c n nreductions (p q : list Z) := let pq := mul_no_reduce base n p q in - let pq_f := fst pq in - let pq_r := reduce_double_wide base s c (2*n) n nreductions pq_f in + let pq_r := reduce_product base s c (2*n) n nreductions pq in pq_r. -(* let pq_f := fst pq in - let pq_a' := Positional.to_associational weight (2*n) pq_f in - let r_a := Saturated.Rows.repeat_sat_reduce weight base s c pq_a' nreductions in - Saturated.Rows.flatten weight n (Saturated.Rows.from_associational weight n r_a). *) End solinas_reduction. 
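Review bot: `reduce_flatten` passes `nreductions` in the position of `sat_reduce'`'s `n` parameter (`let r_a := sat_reduce' base s c nreductions p_a in`) while the two `Rows` calls right below use `n` for the width, and `repeat_reduce_flatten` then uses `nreductions` again as the fold count. If that is intended, rename the parameter of `sat_reduce'` so it is not read as a limb count; if not, the line should be `let r_a := sat_reduce' base s c n p_a in`. The removed `repeat_sat_reduce` had the same conflation, so this is inherited rather than introduced, but the rewrite was the moment to settle it. `mulmod`'s body now matches `mul_no_reduce` returning `fst pq`, which is consistent.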
@@ -187,39 +321,29 @@ Module debugging_red. if Z.of_nat m - i <=? 1 then n else Z.to_nat (Qceiling (Z.of_nat m / (Z.of_nat m - i - 1))). - Let nreductions' : nat := nreductions * 2%nat. Compute nreductions. - Let w : nat -> Z := weight machine_wordsize 1. Let base : Z := 2 ^ machine_wordsize. - Let v : Z := 2^64 - 1. - - Let p : list Z := (repeat v n). - Let q : list Z := (repeat v n). - - Let pq : list Z * Z:= mul_no_reduce w base n p q. - Compute p. + Let v := 2^64-1. + Let p := repeat v n. + Let q := repeat v n. + Let pq_nor := mul_no_reduce w base n p q. + Let pq_1 := (reduce_flatten w base s c 8 3 pq_nor). + Let pq_2 := (reduce_flatten w base s c 8 3 pq_1). + Let pq_3 := (reduce_flatten w base s c 8 3 pq_2). + Compute pq_nor. + Compute pq_1. + Compute pq_2. + Compute pq_3. + Let pq_red := (reduce_product w base s c (2*n) n 3 pq_nor). + Compute pq_red. + Let pq := mulmod w base s c n 3 p q. Compute pq. - Compute (Positional.eval w n p). - Compute (Positional.eval w n q). - Compute (mul_no_reduce w base n p q). - Compute (mulmod w base s c n nreductions p q). - Compute (let p_a := Positional.to_associational w 2 p in - let q_a := Positional.to_associational w 2 q in - let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let pq_p := Positional.from_associational w 5 pq_a in - pq_p). Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. - Let bounds : list (ZRange.type.option.interp base.type.Z) - := repeat bound 1. Let boundsn : list (ZRange.type.option.interp base.type.Z) := repeat bound (n). - Let in_boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound (2 * n). - Let out_boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound n. Import Crypto.Arithmetic.Saturated. Import Stringification.C. 
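Review bot: The example `Let`s hard-code `8 3` in `reduce_flatten w base s c 8 3 pq_nor` and `3` in `mulmod w base s c n 3 p q` even though `n` and `nreductions` are defined just above (`Compute nreductions.` is in the context), so the traces silently stop matching the definitions if either value changes; `(2*n)` and `nreductions` (assuming that is the count meant here) would keep them tied together. `pq_1`..`pq_3` unroll by hand what `repeat_reduce_flatten` does, which is fine for inspection but deserves a one-line comment, `(* manual unrolling of repeat_reduce_flatten, for inspecting intermediate limbs *)`.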
@@ -246,25 +370,43 @@ Module debugging_red. Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false (* subst01 *) - false (* inline *) - None (* fancy *) - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let nreductions' := (eval cbv in nreductions') in - let r := Reify (mulmod (weight machine_wordsize 1) (2^machine_wordsize) s c n 3) in - exact r) - (fun _ _ => []) - (Some boundsn, (Some boundsn, tt)) - (Some boundsn, None) - (None, (None, tt)) - (None, None) - : Pipeline.ErrorT _). + (* Time Compute *) + (* Show.show *) + (* (Pipeline.BoundsPipelineToString *) + (* "fiat" "mul" *) + (* false (* subst01 *) *) + (* false (* inline *) *) + (* None (* fancy *) *) + (* possible_values *) + (* machine_wordsize *) + (* ltac:(let n := (eval cbv in n) in *) + (* let r := Reify (mulmod w base s c n 5) in *) + (* exact r) *) + (* (fun _ _ => []) *) + (* (Some boundsn, (Some boundsn, tt)) *) + (* (Some boundsn, None) *) + (* (None, (None, tt)) *) + (* (None, None) *) + (* : Pipeline.ErrorT _). *) + + (* Time Compute *) + (* Show.show *) + (* (Pipeline.BoundsPipelineToString *) + (* "fiat" "mul" *) + (* false *) + (* false *) + (* None *) + (* possible_values *) + (* machine_wordsize *) + (* ltac:(let n := (eval cbv in n) in *) + (* let r := Reify (reduce_flatten w base s c (2*n) 3) in *) + (* exact r) *) + (* (fun _ _ => []) *) + (* (Some (repeat bound (2*n)), tt) *) + (* (Some (repeat bound (2*n))) *) + (* (None, tt) *) + (* (None) *) + (* : Pipeline.ErrorT _). *) (* compiling standalone reduce *) Time Compute 
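Review bot: Both pipeline invocations in this hunk are left as commented-out blocks with no indication of why they are disabled; the commit message says bounds inference is in progress, so a one-line header on each, e.g. `(* disabled: bounds inference for mulmod does not go through yet *)`, would preserve that state in the file. Commented-out blocks of this size also drift from the live code: the first already reifies `mulmod w base s c n 5` while the live examples use `3`.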
@@ -277,290 +419,15 @@ Module debugging_red. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (reduce_double_wide (weight machine_wordsize 1) - (2^machine_wordsize) - s c (2*n) n 3) in + let r := Reify (reduce_product w base s c (2*n) n 3) in exact r) (fun _ _ => []) (Some (repeat bound (2*n)), tt) - (Some boundsn, None) + (Some boundsn) (None, tt) - (None, None) + (None) : Pipeline.ErrorT _). End __. -End debugging_red. - -(* -= "Success (""/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * out2: None - */ -static void mul(uint64_t out1[4], uint64_t* out2, const uint64_t arg1[4], const uint64_t arg2[4]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - fiatuint1 x34; - uint64_t x35; - fiatuint1 x36; - uint64_t x37; - uint64_t x38; - fiatuint1 x39; - uint64_t x40; - fiatuint1 x41; - uint64_t x42; - fiatuint1 x43; - uint64_t x44; - uint64_t x45; - fiatuint1 x46; - uint64_t x47; - fiatuint1 x48; - uint64_t x49; - fiatuint1 x50; - uint64_t x51; - fiatuint1 x52; - uint64_t x53; - fiatuint1 x54; - uint64_t x55; - uint64_t x56; - fiatuint1 x57; - uint64_t x58; - fiatuint1 x59; - uint64_t x60; - fiatuint1 
x61; - uint64_t x62; - fiatuint1 x63; - uint64_t x64; - fiatuint1 x65; - uint64_t x66; - fiatuint1 x67; - uint64_t x68; - fiatuint1 x69; - uint64_t x70; - fiatuint1 x71; - uint64_t x72; - fiatuint1 x73; - uint64_t x74; - fiatuint1 x75; - uint64_t x76; - fiatuint1 x77; - uint64_t x78; - fiatuint1 x79; - uint64_t x80; - fiatuint1 x81; - uint64_t x82; - fiatuint1 x83; - uint64_t x84; - fiatuint1 x85; - uint64_t x86; - fiatuint1 x87; - uint64_t x88; - fiatuint1 x89; - uint64_t x90; - fiatuint1 x91; - uint64_t x92; - fiatuint1 x93; - uint64_t x94; - fiatuint1 x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - uint64_t x103; - uint64_t x104; - uint64_t x105; - uint64_t x106; - fiatuint1 x107; - uint64_t x108; - fiatuint1 x109; - uint64_t x110; - fiatuint1 x111; - uint64_t x112; - fiatuint1 x113; - uint64_t x114; - fiatuint1 x115; - uint64_t x116; - fiatuint1 x117; - uint64_t x118; - fiatuint1 x119; - uint64_t x120; - fiatuint1 x121; - uint64_t x122; - fiatmulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); - fiatmulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); - fiatmulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); - fiatmulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); - fiatmulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); - fiatmulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); - fiatmulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); - fiatmulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); - fiatmulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); - fiatmulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); - fiatmulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); - fiatmulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); - fiatmulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); - fiatmulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); - fiatmulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); - fiatmulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); - fiataddcarryx_u64(&x33, &x34, 0x0, x28, x7); - fiataddcarryx_u64(&x35, &x36, x34, x26, x5); - x37 = (x36 + x18); - fiataddcarryx_u64(&x38, &x39, 0x0, x33, x13); - 
fiataddcarryx_u64(&x40, &x41, x39, x35, x8); - fiataddcarryx_u64(&x42, &x43, x41, x37, 0x0); - x44 = (x43 + x10); - fiataddcarryx_u64(&x45, &x46, 0x0, x30, x15); - fiataddcarryx_u64(&x47, &x48, x46, x38, x16); - fiataddcarryx_u64(&x49, &x50, x48, x40, x11); - fiataddcarryx_u64(&x51, &x52, x50, x42, x3); - fiataddcarryx_u64(&x53, &x54, x52, x44, 0x0); - x55 = (x54 + x2); - fiataddcarryx_u64(&x56, &x57, 0x0, x45, x21); - fiataddcarryx_u64(&x58, &x59, x57, x47, x19); - fiataddcarryx_u64(&x60, &x61, x59, x49, x14); - fiataddcarryx_u64(&x62, &x63, x61, x51, x6); - fiataddcarryx_u64(&x64, &x65, x63, x53, 0x0); - fiataddcarryx_u64(&x66, &x67, x65, x55, 0x0); - fiataddcarryx_u64(&x68, &x69, 0x0, x32, x23); - fiataddcarryx_u64(&x70, &x71, x69, x56, x24); - fiataddcarryx_u64(&x72, &x73, x71, x58, x22); - fiataddcarryx_u64(&x74, &x75, x73, x60, x17); - fiataddcarryx_u64(&x76, &x77, x75, x62, x9); - fiataddcarryx_u64(&x78, &x79, x77, x64, x1); - fiataddcarryx_u64(&x80, &x81, x79, x66, 0x0); - fiataddcarryx_u64(&x82, &x83, 0x0, x68, x29); - fiataddcarryx_u64(&x84, &x85, x83, x70, x27); - fiataddcarryx_u64(&x86, &x87, x85, x72, x25); - fiataddcarryx_u64(&x88, &x89, x87, x74, x20); - fiataddcarryx_u64(&x90, &x91, x89, x76, x12); - fiataddcarryx_u64(&x92, &x93, x91, x78, x4); - fiataddcarryx_u64(&x94, &x95, x93, x80, 0x0); - fiatmulx_u64(&x96, &x97, UINT8_C(0x26), x94); - fiatmulx_u64(&x98, &x99, UINT8_C(0x26), x92); - fiatmulx_u64(&x100, &x101, UINT8_C(0x26), x90); - fiatmulx_u64(&x102, &x103, UINT8_C(0x26), x88); - fiatmulx_u64(&x104, &x105, UINT8_C(0x26), x97); - fiataddcarryx_u64(&x106, &x107, 0x0, x31, x104); - fiataddcarryx_u64(&x108, &x109, x107, x82, x100); - fiataddcarryx_u64(&x110, &x111, x109, x84, x98); - fiataddcarryx_u64(&x112, &x113, x111, x86, x96); - fiataddcarryx_u64(&x114, &x115, 0x0, x106, x102); - fiataddcarryx_u64(&x116, &x117, x115, x108, x103); - fiataddcarryx_u64(&x118, &x119, x117, x110, x101); - fiataddcarryx_u64(&x120, &x121, x119, x112, x99); - x122 = 
((uint64_t)x113 + x121); - out1[0] = x114; - out1[1] = x116; - out1[2] = x118; - out1[3] = x120; - *out2 = x122; -}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" - : string -Finished transaction in 5.047 secs (5.032u,0.009s) (successful) -*) - -(* -"Success (""/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * out2: None - */ -static void mul(uint64_t out1[4], uint64_t* out2, const uint64_t arg1[8]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - fiatuint1 x16; - uint64_t x17; - fiatuint1 x18; - uint64_t x19; - fiatuint1 x20; - uint64_t x21; - fiatuint1 x22; - uint64_t x23; - fiatuint1 x24; - uint64_t x25; - fiatuint1 x26; - uint64_t x27; - fiatuint1 x28; - uint64_t x29; - fiatuint1 x30; - uint64_t x31; - fiatmulx_u64(&x1, &x2, UINT8_C(0x26), (arg1[7])); - fiatmulx_u64(&x3, &x4, UINT8_C(0x26), (arg1[6])); - fiatmulx_u64(&x5, &x6, UINT8_C(0x26), (arg1[5])); - fiatmulx_u64(&x7, &x8, UINT8_C(0x26), (arg1[4])); - fiatmulx_u64(&x9, &x10, UINT8_C(0x26), x2); - x11 = (arg1[3]); - x12 = (arg1[2]); - x13 = (arg1[1]); - x14 = (arg1[0]); - fiataddcarryx_u64(&x15, &x16, 0x0, x14, x9); - fiataddcarryx_u64(&x17, &x18, x16, x13, x5); - fiataddcarryx_u64(&x19, &x20, x18, x12, x3); - fiataddcarryx_u64(&x21, &x22, x20, x11, x1); - fiataddcarryx_u64(&x23, &x24, 0x0, x15, x7); - fiataddcarryx_u64(&x25, &x26, x24, 
x17, x8); - fiataddcarryx_u64(&x27, &x28, x26, x19, x6); - fiataddcarryx_u64(&x29, &x30, x28, x21, x4); - x31 = ((uint64_t)x22 + x30); - out1[0] = x23; - out1[1] = x25; - out1[2] = x27; - out1[3] = x29; - *out2 = x31; -}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" - : string -Finished transaction in 2.767 secs (2.76u,0.s) (successful) -*) +End compiling_red. diff --git a/src/log.out b/src/log.out deleted file mode 100644 index 60f390f0d3..0000000000 --- a/src/log.out +++ /dev/null 
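Review bot: The output bound `(Some boundsn)` on `reduce_product` cannot detect an incomplete reduction, because `reduce_product` returns `fst r_f` and drops the carry word `snd r_f` of the final `Rows.flatten weight m`; if I read `flatten` correctly its limbs are always word-sized, so `repeat bound n` holds whether or not the value actually fit in n limbs. The `compiling_reduce_flatten` module earlier in this patch avoids this by keeping 2n limbs and asserting `r[0~>0]` on the upper n; the same approach, or exposing `snd r_f` as a second output bounded to `r[0~>0]`, would give the pipeline something to check here. The change from `(Some boundsn, None)` to `(Some boundsn)` is itself consistent with `reduce_product` now returning a single list.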
@@ -1,73 +0,0 @@ - = "Success (""/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * out2: None - */ -static void mul(uint64_t out1[2], uint64_t* out2, const uint64_t arg1[2], const uint64_t arg2[2]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - fiatuint1 x20; - uint64_t x21; - fiatuint1 x22; - uint64_t x23; - fiatuint1 x24; - uint64_t x25; - fiatuint1 x26; - uint64_t x27; - fiatuint1 x28; - uint64_t x29; - fiatuint1 x30; - uint64_t x31; - fiatuint1 x32; - uint64_t x33; - fiatuint1 x34; - uint64_t x35; - fiatuint1 x36; - uint64_t x37; - fiatuint1 x38; - uint64_t x39; - fiatmulx_u64(&x1, &x2, (arg1[1]), (arg2[1])); - fiatmulx_u64(&x3, &x4, (arg1[1]), (arg2[0])); - fiatmulx_u64(&x5, &x6, (arg1[0]), (arg2[1])); - fiatmulx_u64(&x7, &x8, (arg1[0]), (arg2[0])); - fiatmulx_u64(&x9, &x10, 0x2, x2); - fiatmulx_u64(&x11, &x12, 0x2, x1); - fiatmulx_u64(&x13, &x14, 0x2, x4); - fiatmulx_u64(&x15, &x16, 0x2, x6); - fiatmulx_u64(&x17, &x18, 0x2, (fiatuint1)x10); - fiataddcarryx_u64(&x19, &x20, 0x0, x8, x9); - fiataddcarryx_u64(&x21, &x22, 0x0, x19, (fiatuint1)x12); - fiataddcarryx_u64(&x23, &x24, 0x0, x7, x17); - fiataddcarryx_u64(&x25, &x26, x24, x21, (fiatuint1)x14); - fiataddcarryx_u64(&x27, &x28, 0x0, x23, x11); - fiataddcarryx_u64(&x29, &x30, x28, x25, (fiatuint1)x16); - fiataddcarryx_u64(&x31, &x32, 0x0, x27, x13); - fiataddcarryx_u64(&x33, &x34, x32, x29, x3); - fiataddcarryx_u64(&x35, &x36, 0x0, x31, x15); - fiataddcarryx_u64(&x37, &x38, x36, x33, x5); - x39 = ((((((uint64_t)x20 + x22) + (uint64_t)x26) + (uint64_t)x30) + 
(uint64_t)x34) + (uint64_t)x38); - out1[0] = x35; - out1[1] = x37; - *out2 = x39; -}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" - : string From 60e2e7990d001786b6c3e0346c732ad0c92e8bf7 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 10 Apr 2022 18:43:23 -0400 Subject: [PATCH 04/69] add compiled reduce result --- src/SlowPrimeSynthesisExamplesCopy.v | 97 +++++++++++++++++++++++++++- 1 file changed, 96 insertions(+), 1 deletion(-) diff --git a/src/SlowPrimeSynthesisExamplesCopy.v b/src/SlowPrimeSynthesisExamplesCopy.v index c886f18a5d..2c756d432a 100644 --- a/src/SlowPrimeSynthesisExamplesCopy.v +++ b/src/SlowPrimeSynthesisExamplesCopy.v @@ -208,7 +208,6 @@ Module compiling_reduce_flatten. Let out_boundsn := (repeat bound n) ++ [Some r[0~>0]%zrange] ++ (repeat (Some r[0~>0]%zrange) (n-1)). - Compute out_boundsn. Time Compute Show.show (Pipeline.BoundsPipelineToString 
@@ -247,6 +246,102 @@ Module compiling_reduce_flatten. (None, None) : Pipeline.ErrorT _). *) + (* + = "Success (""/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1], [0x0 ~> 0x0], [0x0 ~> 0x0], [0x0 ~> 0x0]] + */ +static void mul(uint64_t out1[8], const uint64_t arg1[8]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiatuint1 x14; + uint64_t x15; + fiatuint1 x16; + uint64_t x17; + fiatuint1 x18; + uint64_t x19; + uint64_t x20; + fiatuint1 x21; + uint64_t x22; + fiatuint1 x23; + uint64_t x24; + fiatuint1 x25; + uint64_t x26; + fiatuint1 x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + fiatuint1 x32; + uint64_t x33; + fiatuint1 x34; + uint64_t x35; + fiatuint1 x36; + uint64_t x37; + fiatuint1 x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + fiatuint1 x42; + uint64_t x43; + fiatuint1 x44; + uint64_t x45; + fiatuint1 x46; + uint64_t x47; + fiatuint1 x48; + fiatmulx_u64(&x1, &x2, UINT8_C(0x26), (arg1[7])); + fiatmulx_u64(&x3, &x4, UINT8_C(0x26), (arg1[6])); + fiatmulx_u64(&x5, &x6, UINT8_C(0x26), (arg1[5])); + fiatmulx_u64(&x7, &x8, UINT8_C(0x26), (arg1[4])); + x9 = (arg1[3]); + x10 = (arg1[2]); + x11 = (arg1[1]); + x12 = (arg1[0]); + fiataddcarryx_u64(&x13, &x14, 0x0, x11, x5); + fiataddcarryx_u64(&x15, &x16, x14, x10, x3); + fiataddcarryx_u64(&x17, &x18, x16, x9, x1); + x19 = (x18 + x2); + fiataddcarryx_u64(&x20, &x21, 0x0, x12, x7); + fiataddcarryx_u64(&x22, &x23, x21, x13, x8); + fiataddcarryx_u64(&x24, &x25, x23, x15, 
x6); + fiataddcarryx_u64(&x26, &x27, x25, x17, x4); + x28 = (x27 + x19); + fiatmulx_u64(&x29, &x30, UINT8_C(0x26), x28); + fiataddcarryx_u64(&x31, &x32, 0x0, x20, x29); + fiataddcarryx_u64(&x33, &x34, x32, x22, 0x0); + fiataddcarryx_u64(&x35, &x36, x34, x24, 0x0); + fiataddcarryx_u64(&x37, &x38, x36, x26, 0x0); + fiatmulx_u64(&x39, &x40, UINT8_C(0x26), x38); + fiataddcarryx_u64(&x41, &x42, 0x0, x31, x39); + fiataddcarryx_u64(&x43, &x44, x42, x33, 0x0); + fiataddcarryx_u64(&x45, &x46, x44, x35, 0x0); + fiataddcarryx_u64(&x47, &x48, x46, x37, 0x0); + out1[0] = x41; + out1[1] = x43; + out1[2] = x45; + out1[3] = x47; + out1[4] = x48; + out1[5] = 0x0; + out1[6] = 0x0; + out1[7] = 0x0; +}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" + : string +Finished transaction in 4.122 secs (4.07u,0.05s) (successful) +*) + End compiling_reduce_flatten. Module compiling_red. From c998e12096233963e9f17d4e16c242c099b314d9 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Tue, 26 Apr 2022 15:23:12 -0400 Subject: [PATCH 05/69] starting proof of second reduction --- src/SlowPrimeSynthesisExamplesCopy.v | 9 +- src/SolinasReduction.v | 210 +++++++++++++++++++++++++++ 2 files changed, 217 insertions(+), 2 deletions(-) create mode 100644 src/SolinasReduction.v diff --git a/src/SlowPrimeSynthesisExamplesCopy.v b/src/SlowPrimeSynthesisExamplesCopy.v index 2c756d432a..b427935eab 100644 --- a/src/SlowPrimeSynthesisExamplesCopy.v +++ b/src/SlowPrimeSynthesisExamplesCopy.v @@ -183,7 +183,7 @@ Module compiling_reduce_flatten. let r1 := reduce1 base s c (2*n) p in let r2 := reduce1 base s c (2*n) (r1) in let r3 := reduce1 base s c (2*n) (r2) in - r3. + r1. Definition mul_no_reduce base n (p q : list Z) := let p_a := Positional.to_associational weight n p in 
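Review bot: `reduce'` now returns `r1` while still binding `r2` and `r3`, so the last two `reduce1` calls in this hunk are dead code that Coq still has to elaborate. If the goal is to inspect a single reduction pass, the body can shrink to `reduce1 base s c (2*n) p`; if the extra passes are kept on purpose for later experiments, a one-line comment saying so would stop the next reader from "fixing" it back to `r3`. The `Definition reduce'` header is above the hunk.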
@@ -200,13 +200,18 @@ Module compiling_reduce_flatten. End single_reduction. + Search Saturated.Rows.sum_rows. + Search Partition.partition. + Search Partition.partition app. + Search Saturated.Rows.flatten. + Let v := (2^64-1). Let p := repeat v (2*n). Let r' := reduce' w base s c n p. Compute r'. Let out_boundsn := (repeat bound n) ++ - [Some r[0~>0]%zrange] ++ + [Some r[0~>39]%zrange] ++ (repeat (Some r[0~>0]%zrange) (n-1)). Time Compute Show.show diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v new file mode 100644 index 0000000000..2f28442f0b --- /dev/null +++ b/src/SolinasReduction.v 
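Review bot: The four `Search …` lines added at the top of this hunk are interactive queries, not declarations; they print into the build log on every compile and contribute nothing to the development, so they should be dropped before this lands. The same editor leftovers recur in src/SolinasReduction.v (`Search`, `Print weight_properties.`, `Print Partition.partition.`, `Locate "<=".` inside the proofs added by later patches in this series). Widening `out_boundsn` from `r[0~>0]` to `r[0~>39]` for limb `n` is a substantive change to the claimed output range; a short comment tying the 39 to the `hi <= 39` hypothesis of `reduce_second` in SolinasReduction.v would make the number reviewable instead of magic.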
@@ -0,0 +1,210 @@ +Require Import Coq.ZArith.ZArith. +Require Import Coq.QArith.QArith. +Require Import Coq.QArith.Qround. +Require Import Coq.Strings.String. +Require Import Coq.derive.Derive. +Require Import Coq.Lists.List. +Require Import Crypto.Util.ZRange. +Require Import Crypto.Arithmetic.Core. +Require Import Crypto.Arithmetic.ModOps. +Require Import Crypto.Arithmetic.Partition. +Require Import Crypto.PushButtonSynthesis.UnsaturatedSolinas. +Require Import Crypto.UnsaturatedSolinasHeuristics. +Require Crypto.PushButtonSynthesis.SaturatedSolinas. +Require Crypto.PushButtonSynthesis.WordByWordMontgomery. +Require Crypto.Stringification.C. +Require Crypto.Stringification.Go. +Require Crypto.Stringification.Java. +Require Import Crypto.BoundsPipeline. +Require Import Crypto.Util.ZUtil.ModInv. + +Require Import Coq.micromega.Lia. +Require Import Crypto.Algebra.Ring. +Require Import Crypto.Util.Decidable. +Require Import Crypto.Util.LetIn. +Require Import Crypto.Util.ListUtil. +Require Import Crypto.Util.NatUtil. +Require Import Crypto.Util.Prod. +Require Import Crypto.Util.Tactics.BreakMatch. +Require Import Crypto.Util.Tactics.UniquePose. +Require Import Crypto.Util.ZUtil.Definitions. +Require Import Crypto.Util.ZUtil.AddGetCarry Crypto.Util.ZUtil.MulSplit. +Require Import Crypto.Util.ZUtil.Modulo Crypto.Util.ZUtil.Div. +Require Import Crypto.Util.ZUtil.Hints.Core. +Require Import Crypto.Util.ZUtil.Tactics.LtbToLt. +Require Import Crypto.Util.ZUtil.Tactics.RewriteModSmall. +Require Import Crypto.Util.ZUtil.Tactics.PullPush.Modulo. + +Require Import Coq.ZArith.Znat. + +Require Import Crypto.Util.Notations. +Local Open Scope string_scope. +Local Open Scope list_scope. +Import ListNotations. Local Open Scope Z_scope. + +Import + AbstractInterpretation.Compilers + Language.Compilers + Language.API.Compilers. + +Import Language.API.Compilers.API. + +Import Associational Positional. + +Local Existing Instance default_low_level_rewriter_method. 
+Local Existing Instance AbstractInterpretation.default_Options. +Local Instance : unfold_value_barrier_opt := true. +Local Instance : assembly_hints_lines_opt := None. +Local Instance : ignore_unique_asm_names_opt := false. +Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction. +Local Existing Instance default_language_naming_conventions. +Local Existing Instance default_documentation_options. +Local Instance : package_name_opt := None. +Local Instance : class_name_opt := None. + +Local Existing Instance default_output_options. + +Module solinas_reduction. + + Import Crypto.Arithmetic.Saturated. + + Section __. + + Context weight {wprops : @weight_properties weight}. + + Definition sat_reduce base s c n (p : list (Z * Z)) := + let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in + let lo_hi := Associational.split s' p in + let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let hi := Saturated.Associational.sat_mul_const base coef (snd lo_hi) in + let r := (fst lo_hi) ++ hi in + r. + + Lemma adjust_s_invariant fuel s (s_nz:s<>0) : + fst (Saturated.Rows.adjust_s weight fuel s) mod s = 0 + /\ fst (Saturated.Rows.adjust_s weight fuel s) <> 0. + Proof using wprops. + cbv [Saturated.Rows.adjust_s]; rewrite fold_right_map; generalize (List.rev (seq 0 fuel)); intro ls; induction ls as [|l ls IHls]; + cbn. + { rewrite Z.mod_same by assumption; auto. } + { break_match; cbn in *; auto with zarith. } + Qed. + + Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. + Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. + Hint Rewrite eval_split using solve [auto] : push_eval. + + Lemma eval_sat_reduce base s c n p : + base <> 0 + -> s - Associational.eval c <> 0 + -> s <> 0 + -> Associational.eval (sat_reduce base s c n p) mod (s - Associational.eval c) + = Associational.eval p mod (s - Associational.eval c). + Proof using wprops. + intros; cbv [sat_reduce]. 
+ lazymatch goal with + | |- context[Saturated.Rows.adjust_s ?weight ?fuel ?s] => + destruct (adjust_s_invariant fuel s ltac:(assumption)) as [Hmod ?] + end. + eta_expand; autorewrite with push_eval zsimplify_const; cbn [fst snd]. + rewrite <- (Z.mul_comm (Associational.eval c)), <- !Z.mul_assoc, <-Associational.reduction_rule by auto. + autorewrite with zsimplify_const; rewrite !Z.mul_assoc, Z.mul_div_eq_full, Hmod by auto. + autorewrite with zsimplify_const push_eval; trivial. + Qed. + Hint Rewrite eval_sat_reduce using auto : push_eval. + + (* n is input width *) + Definition reduce1 base s c n (p : list Z) := + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight n r_a in + let r_flat := Saturated.Rows.flatten weight n r_rows in + fst r_flat. + + Definition reduce base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) p in + let r2 := reduce1 base s c (2*n) (r1) in + let r3 := reduce1 base s c (2*n) (r2) in + r3. + + Definition reduce' base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) p in + let r2 := reduce1 base s c (2*n) (r1) in + let r3 := reduce1 base s c (2*n) (r2) in + r1. + + Definition mul_no_reduce base n (p q : list Z) := + let p_a := Positional.to_associational weight n p in + let q_a := Positional.to_associational weight n q in + let pq_a := Saturated.Associational.sat_mul base p_a q_a in + let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in + let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + fst pq. + + Definition mulmod base s c n (p q : list Z) := + let prod := mul_no_reduce base n p q in + let red := reduce base s c n prod in + red. + + Definition valid_number n (p : list Z) : Prop := + length p = n /\ + p = Partition.partition weight n (Positional.eval weight n p). + + Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. 
+ + Lemma eval_mod_eq base s c n p : + Rows.eval weight n + (Rows.from_associational weight n + (sat_reduce base s c n (to_associational weight n p))) < weight n. + Proof. + Search Saturated.Rows.eval. + intros. + autorewrite with push_eval. + Search Associational.eval. + Admitted. + + Hint Resolve length_partition : push_length. + Hint Resolve Rows.length_from_associational : push_length. + + Lemma reduce_valid_number base s c n : forall (p : list Z), + valid_number n (reduce1 base s c n p). + Proof using wprops. + intros. + unfold reduce1 in *. + unfold valid_number. + rewrite Saturated.Rows.flatten_correct; auto. + { intuition. + { cbn [fst]. + auto with push_length. } + { simpl. + rewrite Partition.eval_partition; auto. + f_equal. + apply Z.mod_small_sym. + intuition. + Search Associational.eval 0. + admit. + apply eval_mod_eq. } + } + { intros. + eauto with push_length. } + Admitted. + + Theorem reduce_second base s c n : forall (p : list Z) lo hi, + p = lo ++ [hi] -> + (valid_number weight n p /\ hi <= 39) -> + forall q_lo q_hi1 q_hi2, + let q := reduce1 base s c n p in + q = q_lo ++ [q_hi1] ++ [q_hi2] -> + (valid_number weight n q /\ + ((q_hi2 = 1 /\ q_hi1 = 0) \/ + (q_hi2 = 0))). + Proof using wprops. + intros. + intuition. + { unfold valid_number in *. + Search Partition.partition eval. + Admitted. + + End __. + +End solinas_reduction. From 5d11435797e989e04f22b869ff2ec46a62faaace Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Fri, 29 Apr 2022 00:08:28 -0400 Subject: [PATCH 06/69] starting proof of reduction value --- src/SolinasReduction.v | 232 +++++++++++++++++++++++++++++++++-------- 1 file changed, 186 insertions(+), 46 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 2f28442f0b..2d8e993693 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
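Review bot: All three results in the new file (`eval_mod_eq`, `reduce_valid_number`, `reduce_second`) end in `Admitted`, and these are exactly the facts that would justify the limb bounds of the synthesized C for `mulmod`; until they are closed, the pipeline's output bounds rest on assumptions rather than a proof, which deserves a header comment such as `(* WIP: bounds of reduce are not yet proven; see the Admitted lemmas below *)`. Separately, `reduce_second` writes `valid_number weight n p`, but `weight` is a `Context` variable of `Section __` and `valid_number` takes only `n` and `p`, so that application does not typecheck as written. The `Search` calls inside `eval_mod_eq` and `reduce_valid_number` are interactive queries and should not be committed.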
@@ -51,6 +51,10 @@ Import Language.API.Compilers.API. Import Associational Positional. +Local Coercion Z.of_nat : nat >-> Z. +Local Coercion QArith_base.inject_Z : Z >-> Q. +Local Coercion Z.pos : positive >-> Z. + Local Existing Instance default_low_level_rewriter_method. Local Existing Instance AbstractInterpretation.default_Options. Local Instance : unfold_value_barrier_opt := true. @@ -73,13 +77,29 @@ Module solinas_reduction. Context weight {wprops : @weight_properties weight}. Definition sat_reduce base s c n (p : list (Z * Z)) := - let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in let lo_hi := Associational.split s' p in let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in let hi := Saturated.Associational.sat_mul_const base coef (snd lo_hi) in let r := (fst lo_hi) ++ hi in r. + Hint Rewrite eval_app : push_eval. + Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. + Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. + Hint Rewrite eval_split using solve [auto] : push_eval. + + Lemma value_sat_reduce base s c n (p : list (Z * Z)) (basenz:base<>0): + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let lo_hi := Associational.split s' p in + Associational.eval (sat_reduce base s c n p) = + Associational.eval coef * Associational.eval (snd lo_hi) + Associational.eval (fst lo_hi). + Proof. + intros; cbv [sat_reduce] in *; cbv [s' lo_hi coef]. + autorewrite with push_eval; lia. + Qed. + Lemma adjust_s_invariant fuel s (s_nz:s<>0) : fst (Saturated.Rows.adjust_s weight fuel s) mod s = 0 /\ fst (Saturated.Rows.adjust_s weight fuel s) <> 0. 
@@ -90,10 +110,6 @@ Module solinas_reduction. { break_match; cbn in *; auto with zarith. } Qed. - Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. - Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. - Hint Rewrite eval_split using solve [auto] : push_eval. - Lemma eval_sat_reduce base s c n p : base <> 0 -> s - Associational.eval c <> 0 
@@ -108,31 +124,25 @@ Module solinas_reduction. end. eta_expand; autorewrite with push_eval zsimplify_const; cbn [fst snd]. rewrite <- (Z.mul_comm (Associational.eval c)), <- !Z.mul_assoc, <-Associational.reduction_rule by auto. - autorewrite with zsimplify_const; rewrite !Z.mul_assoc, Z.mul_div_eq_full, Hmod by auto. - autorewrite with zsimplify_const push_eval; trivial. + autorewrite with zsimplify_const; rewrite !Z.mul_assoc, Z.mul_div_eq_full, Hmod by auto. + autorewrite with zsimplify_const push_eval; trivial. Qed. Hint Rewrite eval_sat_reduce using auto : push_eval. (* n is input width *) - Definition reduce1 base s c n (p : list Z) := + Definition reduce1 base s c n m (p : list Z) := let p_a := Positional.to_associational weight n p in let r_a := sat_reduce base s c n p_a in let r_rows := Saturated.Rows.from_associational weight n r_a in - let r_flat := Saturated.Rows.flatten weight n r_rows in + let r_flat := Saturated.Rows.flatten weight m r_rows in fst r_flat. Definition reduce base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) p in - let r2 := reduce1 base s c (2*n) (r1) in - let r3 := reduce1 base s c (2*n) (r2) in + let r1 := reduce1 base s c (2*n) (S n) p in + let r2 := reduce1 base s c (S n) (S n) (r1) in + let r3 := reduce1 base s c (S n) (n) (r2) in r3. - Definition reduce' base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) p in - let r2 := reduce1 base s c (2*n) (r1) in - let r3 := reduce1 base s c (2*n) (r2) in - r1. - Definition mul_no_reduce base n (p q : list Z) := let p_a := Positional.to_associational weight n p in let q_a := Positional.to_associational weight n q in 
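Review bot: The comment `(* n is input width *)` above `reduce1` no longer describes the signature once `m` is added; I would change it to `(* n is the input width (limbs of p); m is the output width passed to Rows.flatten *)`. Because `reduce1` returns `fst r_flat`, the carry produced by `flatten` is discarded, so the third call in `reduce` (`reduce1 base s c (S n) n`) silently truncates unless the value is already below `weight n` — presumably that is what the still-admitted lemmas are meant to establish, and a comment on that line saying so would make the dependency visible. The two lines of `eval_sat_reduce` that change only in leading whitespace add noise to the diff.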
@@ -146,32 +156,21 @@ Module solinas_reduction. let red := reduce base s c n prod in red. - Definition valid_number n (p : list Z) : Prop := + Definition canonical_repr n (p : list Z) : Prop := length p = n /\ p = Partition.partition weight n (Positional.eval weight n p). Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. - Lemma eval_mod_eq base s c n p : - Rows.eval weight n - (Rows.from_associational weight n - (sat_reduce base s c n (to_associational weight n p))) < weight n. - Proof. - Search Saturated.Rows.eval. - intros. - autorewrite with push_eval. - Search Associational.eval. - Admitted. - Hint Resolve length_partition : push_length. Hint Resolve Rows.length_from_associational : push_length. - Lemma reduce_valid_number base s c n : forall (p : list Z), - valid_number n (reduce1 base s c n p). + Lemma reduce_canonical_repr base s c n m : forall (p : list Z), + canonical_repr m (reduce1 base s c n m p). Proof using wprops. intros. unfold reduce1 in *. - unfold valid_number. + unfold canonical_repr. rewrite Saturated.Rows.flatten_correct; auto. { intuition. { cbn [fst]. 
@@ -179,32 +178,173 @@ Module solinas_reduction. { simpl. rewrite Partition.eval_partition; auto. f_equal. - apply Z.mod_small_sym. - intuition. - Search Associational.eval 0. - admit. - apply eval_mod_eq. } + admit. } } - { intros. - eauto with push_length. } + { admit. } Admitted. - Theorem reduce_second base s c n : forall (p : list Z) lo hi, + Theorem reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, p = lo ++ [hi] -> - (valid_number weight n p /\ hi <= 39) -> + (canonical_repr (S n) p /\ hi <= 39) -> forall q_lo q_hi1 q_hi2, - let q := reduce1 base s c n p in + let q := reduce1 base s c (S n) (S n) p in q = q_lo ++ [q_hi1] ++ [q_hi2] -> - (valid_number weight n q /\ + canonical_repr n q -> + ((* canonical_repr n q /\ *) ((q_hi2 = 1 /\ q_hi1 = 0) \/ (q_hi2 = 0))). Proof using wprops. intros. intuition. - { unfold valid_number in *. - Search Partition.partition eval. + + assert (Hevalq : eval weight (S n) q = 38 * hi + eval weight n lo). + { cbv [reduce1] in *. + cbv [q]. + rewrite !H. + Search eval Rows.flatten. + rewrite Rows.flatten_mod. + Search Rows.eval Rows.from_associational. + rewrite Rows.eval_from_associational. + Search Associational.eval sat_reduce. + rewrite value_sat_reduce. + + lazymatch goal with + | |- context[Saturated.Rows.adjust_s ?weight ?fuel ?s] => + destruct (adjust_s_invariant fuel s ltac:(assumption)) as [Hmod ?] + end. + destruct Rows.adjust_s. + cbn [fst] in *. + cbv [to_associational]. + Search combine app. + Search seq app. + rewrite seq_snoc. + rewrite map_app. + replace (map weight [(0 + n)%nat]) with [weight n] by auto. + rewrite combine_snoc. + + Search split snd. + rewrite fst_split_app. + rewrite snd_split_app. + autorewrite with push_eval. + + assert (z = 2^256) by admit. + subst. + + + Search Rows.adjust_s. + + all: admit. + } + + assert (q_hi2 < 2). + { pose proof fun pf => nth_default_partition weight 0 n (eval weight n q) (1 + length q_lo) pf. + unfold canonical_repr in H2. + destruct H2. 
+ rewrite <-H5 in H0. + rewrite H1 in H0 at 1. + Search nth_default app. + rewrite nth_default_app in H0. + destruct (lt_dec) in H0. + lia. + replace (1 + Datatypes.length q_lo - Datatypes.length q_lo)%nat with 1%nat in H0 by lia. + unfold nth_default in H0. + simpl in H0. + rewrite Hevalq in H0. + rewrite H0. + replace 1 with (weight (S (Datatypes.length q_lo)) / weight (S (Datatypes.length q_lo))) by admit. + Search (_ / _ < _). + apply Z.div_lt_upper_bound. + admit. + + Search Z.lt Z.le 1 iff. + apply Le.Z.le_sub_1_iff. + + etransitivity. + apply Z.mod_le. + admit. + apply wprops. + + admit. + admit. } + + assert (q_hi2 >= 0) by admit. + assert (q_hi2 = 1 \/ q_hi2 = 0) by lia. + intuition. + left. + intuition. + pose proof f_equal (eval weight n) H1. + rewrite app_assoc in H6. + Search eval app. + erewrite eval_snoc in H6. + 2: eauto. + erewrite eval_snoc in H6. + 2: eauto. + rewrite Hevalq in H6. + pose proof Z.mod_le. + Admitted. End __. + Section compile. + + Let s := 2^255. + Let c := [(1, 19)]. + Let machine_wordsize := 64. + Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). + Let m : nat := 2 * n. + Let w : nat -> Z := weight machine_wordsize 1. + Let base : Z := 2 ^ machine_wordsize. + + Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. + Let boundsn : list (ZRange.type.option.interp base.type.Z) + := repeat bound (n). + + Import Stringification.C.Compilers. + Import Stringification.C.Compilers.ToString. + + Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. + Local Instance : only_signed_opt := false. + Local Instance : no_select_opt := false. + Local Instance : static_opt := true. + Local Instance : internal_static_opt := true. + Local Instance : inline_opt := true. + Local Instance : inline_internal_opt := true. + Local Instance : use_mul_for_cmovznz_opt := false. + Local Instance : emit_primitives_opt := true. + Local Instance : should_split_mul_opt := false. 
+ Local Instance : should_split_multiret_opt := false. + Local Instance : widen_carry_opt := false. + Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) + + Let possible_values := prefix_with_carry [machine_wordsize]. + Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) + Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. + Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. + Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. + + + Compute reduce + + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (reduce w base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound (2*n)), tt) + (Some (repeat bound (n))) + (None, tt) + (None) + : Pipeline.ErrorT _). + + End compile. + End solinas_reduction. From 07ab110d147aa6fc0b02ab800ef368372bf57d6e Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 1 May 2022 22:17:43 -0400 Subject: [PATCH 07/69] starting to prove q_hi1 = 0 when q_hi2 = 1 --- src/SolinasReduction.v | 60 +++++++++++++++++++++++++++++++++--------- 1 file changed, 48 insertions(+), 12 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 2d8e993693..832669e197 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -189,7 +189,7 @@ Module solinas_reduction. forall q_lo q_hi1 q_hi2, let q := reduce1 base s c (S n) (S n) p in q = q_lo ++ [q_hi1] ++ [q_hi2] -> - canonical_repr n q -> + canonical_repr (S n) q -> ((* canonical_repr n q /\ *) ((q_hi2 = 1 /\ q_hi1 = 0) \/ (q_hi2 = 0))). 
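Review bot: `Compute reduce` in the new `Section compile` has no terminating period, so the sentence runs into the following `Time Compute` and the file should fail to parse at that point; either delete the line or close it as `Compute reduce.`. In `reduce_second`, `assert (z = 2^256) by admit` pins the modulus returned by `Rows.adjust_s` to one constant although the theorem quantifies over arbitrary `base`, `s`, `c` and `n`; an admitted equation that only holds for one prime can never be discharged, so such facts belong in the statement as hypotheses (the same pattern appears in PATCH 08's hunk `@@ -190,45 +194,81 @@` with `s`, `c`, `base` and `n`). The `Search …` lines inside the proof are interactive leftovers.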
@@ -227,17 +227,11 @@ Module solinas_reduction. rewrite snd_split_app. autorewrite with push_eval. - assert (z = 2^256) by admit. - subst. - - - Search Rows.adjust_s. - all: admit. } assert (q_hi2 < 2). - { pose proof fun pf => nth_default_partition weight 0 n (eval weight n q) (1 + length q_lo) pf. + { pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (1 + length q_lo) pf. unfold canonical_repr in H2. destruct H2. rewrite <-H5 in H0. @@ -251,7 +245,6 @@ Module solinas_reduction. simpl in H0. rewrite Hevalq in H0. rewrite H0. - replace 1 with (weight (S (Datatypes.length q_lo)) / weight (S (Datatypes.length q_lo))) by admit. Search (_ / _ < _). apply Z.div_lt_upper_bound. admit. 
@@ -272,16 +265,59 @@ Module solinas_reduction. intuition. left. intuition. - pose proof f_equal (eval weight n) H1. + pose proof f_equal (eval weight (S n)) H1. rewrite app_assoc in H6. Search eval app. erewrite eval_snoc in H6. 2: eauto. erewrite eval_snoc in H6. 2: eauto. + Search (_ = _ + _ -> _ - _ = _). rewrite Hevalq in H6. - pose proof Z.mod_le. - + subst. + autorewrite with zsimplify_const in H6. + apply LinearSubstitute.Z.move_L_pX with (y:=weight (Datatypes.length (q_lo ++ [q_hi1]))) in H6. + Search nth_default Partition.partition. + pose proof fun pf => nth_default_partition weight 0 (n) (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) (length q_lo) pf. + assert (Partition.partition weight n (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) = q_lo ++ [q_hi1]) by admit. + rewrite H7 in H. + rewrite nth_default_app in H. + destruct lt_dec in H. + lia. + replace (Datatypes.length q_lo - Datatypes.length q_lo)%nat with 0%nat in H by lia. + replace (nth_default 0 [q_hi1] 0) with (q_hi1) in H. + 2: { unfold nth_default. + reflexivity. } + rewrite H. + Search (_ / _ = 0). + apply Z.div_small. + split. + admit. + apply Le.Z.le_sub_1_iff. + etransitivity. + apply Z.mod_le. + admit. + apply wprops. + { admit. } + unfold canonical_repr in H2. + intuition. + apply f_equal with (f:=fun l => length l) in H1. + rewrite !app_length in H1. + cbn [Datatypes.length] in H1. + assert (Datatypes.length q_lo = (n - 1)%nat) by lia. + lia. + rewrite app_length. + cbn [Datatypes.length]. + lia. + + unfold canonical_repr in H2. + intuition. + apply f_equal with (f:=fun l => length l) in H1. + rewrite !app_length in *. + cbn [Datatypes.length] in *. + apply f_equal. + rewrite H8 in H1. + lia. Admitted. End __. From 8b3564fcdf672b1e8fbee8d16714634d71783d1a Mon Sep 17 00:00:00 2001 
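Review bot: The load-bearing step of the `q_hi2 = 1 -> q_hi1 = 0` argument, `assert (Partition.partition weight n (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) = q_lo ++ [q_hi1]) by admit`, is admitted, as is the lower bound in the `split` after `apply Z.div_small`; each bare `admit.` here should carry a comment naming the missing fact so the remaining obligations can be tracked. The hard-coded `38` in that assertion is the coefficient for one specific prime (the series later rewrites `sat_mul_const (2 ^ 256) [(1, 2)] [(1, 19)]` to `[(1, 38)]`), while the theorem is stated for arbitrary `s` and `c`; the generic form is the `Associational.eval coef * hi` that PATCH 09's `value_reduce_second` introduces.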
From: Samuel Tian Date: Tue, 10 May 2022 15:33:48 -0400 Subject: [PATCH 08/69] plugging in constant values --- src/SolinasReduction.v | 68 +++++++++++++++++++++++++++++++++--------- 1 file changed, 54 insertions(+), 14 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 832669e197..3005124478 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -10,6 +10,7 @@ Require Import Crypto.Arithmetic.ModOps. Require Import Crypto.Arithmetic.Partition. Require Import Crypto.PushButtonSynthesis.UnsaturatedSolinas. Require Import Crypto.UnsaturatedSolinasHeuristics. +Require Import Crypto.Arithmetic.UniformWeight. Require Crypto.PushButtonSynthesis.SaturatedSolinas. Require Crypto.PushButtonSynthesis.WordByWordMontgomery. Require Crypto.Stringification.C. @@ -74,7 +75,10 @@ Module solinas_reduction. Section __. - Context weight {wprops : @weight_properties weight}. + Print weight_properties. + + Context (weight := uweight 64) + {wprops : @weight_properties weight}. Definition sat_reduce base s c n (p : list (Z * Z)) := let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in 
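Review bot: `Print weight_properties.` is an interactive command left in `Section __`; it prints on every compile and should be removed. Fixing `weight := uweight 64` in the `Context` while still assuming `wprops : @weight_properties weight` keeps the properties as a hypothesis for a weight function that is now concrete; `Crypto.Arithmetic.UniformWeight` is required in the same patch, and if it supplies the `weight_properties` proof for `uweight` (I have not checked), the assumption can be replaced by that lemma, removing one axiom-like hypothesis from every result in the section. A comment on the `Context` line saying that `64` is the machine word size would also help, since `Section compile` defines its own `machine_wordsize := 64` independently.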
@@ -190,45 +194,81 @@ Module solinas_reduction. let q := reduce1 base s c (S n) (S n) p in q = q_lo ++ [q_hi1] ++ [q_hi2] -> canonical_repr (S n) q -> - ((* canonical_repr n q /\ *) - ((q_hi2 = 1 /\ q_hi1 = 0) \/ - (q_hi2 = 0))). + ((q_hi2 = 1 /\ q_hi1 = 0) \/ + (q_hi2 = 0)). Proof using wprops. intros. intuition. assert (Hevalq : eval weight (S n) q = 38 * hi + eval weight n lo). - { cbv [reduce1] in *. + { cbv [reduce1 canonical_repr] in *. + intuition. cbv [q]. rewrite !H. - Search eval Rows.flatten. rewrite Rows.flatten_mod. - Search Rows.eval Rows.from_associational. rewrite Rows.eval_from_associational. - Search Associational.eval sat_reduce. rewrite value_sat_reduce. lazymatch goal with | |- context[Saturated.Rows.adjust_s ?weight ?fuel ?s] => destruct (adjust_s_invariant fuel s ltac:(assumption)) as [Hmod ?] end. - destruct Rows.adjust_s. + + assert (Rows.adjust_s weight (S (S (S n))) s = (weight 4, true)) by admit. + rewrite H7 in *. + + Search Rows.adjust_s. cbn [fst] in *. cbv [to_associational]. - Search combine app. - Search seq app. rewrite seq_snoc. rewrite map_app. replace (map weight [(0 + n)%nat]) with [weight n] by auto. rewrite combine_snoc. - Search split snd. rewrite fst_split_app. rewrite snd_split_app. autorewrite with push_eval. - all: admit. - } + assert (n = 4%nat) by admit. + rewrite H8. + assert (split (weight 4) [(weight 4, hi)] = ([], [(1, hi)])) by eauto. + rewrite H9; cbn [fst snd]. + autorewrite with push_eval; cbn [fst snd]; autorewrite with zsimplify_const. + assert (split (weight 4) (combine (map weight (seq 0 4)) lo) = + ((combine (map weight (seq 0 4)) lo), [])). + { admit. } + rewrite H10; cbn [fst snd]. + autorewrite with push_eval; cbn [fst snd]; autorewrite with zsimplify_const. + assert (s = 2^255) by admit. + assert (c = [(1, 19)]) by admit. + assert (base = 2^256) by admit. + rewrite H11, H12, H13. + replace (weight 4 / 2 ^ 255) with 2 by eauto. 
+ replace (Associational.sat_mul_const (2 ^ 256) [(1, 2)] [(1, 19)]) with ([(1, 38)]) by admit. + autorewrite with push_eval; cbn [fst snd]; autorewrite with zsimplify_const. + unfold eval, to_associational. + Search (?x mod _ = ?x). + apply Zmod_small. + split. + admit. + Locate "<=". + + admit. (* plugging in constant values *) + + rewrite H in H2. + rewrite app_length in H2. + simpl in H2. + rewrite plus_comm in H2. + rewrite map_length. + rewrite seq_length. + lia. + + admit. (* base <> 0 *) + eauto. + lia. + eauto. + intros. + eapply Rows.length_from_associational; eauto. } assert (q_hi2 < 2). { pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (1 + length q_lo) pf. From 9c56609370dd13914660f794ce46b0b292b77a13 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Thu, 12 May 2022 16:46:56 -0400 Subject: [PATCH 09/69] generalized output of eval of second reduce --- src/SolinasReduction.v | 176 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 159 insertions(+), 17 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 3005124478..f7350fadc2 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -77,7 +77,8 @@ Module solinas_reduction. Print weight_properties. - Context (weight := uweight 64) + Context (machine_wordsize := 64) + (weight := uweight machine_wordsize) {wprops : @weight_properties weight}. Definition sat_reduce base s c n (p : list (Z * Z)) := 
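Review bot: The `admit. (* base <> 0 *)` obligation in this hunk exists because `reduce_second` has no `base <> 0` hypothesis even though `value_sat_reduce` (and the `eval_sat_mul_const` rewrite hint) require it; adding `(base_nz : base <> 0)` next to the existing `(s_nz : s <> 0)` in the statement closes that goal with `assumption` instead of an admit. `Locate "<=".` is an interactive query and should not be committed. The proof also admits `n = 4%nat`, `s = 2^255`, `c = [(1, 19)]` and `base = 2^256` inside a theorem quantified over those variables; if the result is only meant for this one prime, the section should fix them as `Context` assumptions so the statement says what is actually being proven.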
@@ -169,6 +170,43 @@ Module solinas_reduction. Hint Resolve length_partition : push_length. Hint Resolve Rows.length_from_associational : push_length. + Lemma canonical_bounded n : forall (p : list Z), + canonical_repr n p -> + forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. + Proof. + intros. + unfold canonical_repr, Partition.partition in *. + destruct H. + rewrite H1 in H0. + rewrite in_map_iff in H0. + destruct H0. + intuition. + Print Partition.partition. + { rewrite <-H2. + assert (0 <= eval weight n p) by admit. + apply Z.div_nonneg. + apply Z_mod_nonneg_nonneg. + assumption. + eauto using Z.lt_le_incl. + eauto using Z.lt_le_incl. } + { rewrite <-H2. + Search (_ < _ * _ -> _ / _ < _). + apply OrdersEx.Z_as_OT.div_lt_upper_bound; eauto. + assert (weight (S x0) = weight x0 * 2 ^ machine_wordsize). + { unfold weight, uweight, ModOps.weight. + rewrite !Z.div_1_r. + rewrite !Z.opp_involutive. + rewrite Nat2Z.inj_succ. + rewrite OrdersEx.Z_as_OT.mul_succ_r. + rewrite OrdersEx.Z_as_OT.pow_add_r. + reflexivity. + lia. + lia. } + rewrite <-H0. + apply OrdersEx.Z_as_OT.mod_pos_bound. + eauto. } + Admitted. + Lemma reduce_canonical_repr base s c n m : forall (p : list Z), canonical_repr m (reduce1 base s c n m p). Proof using wprops. 
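Review bot: `Print Partition.partition.` and `Search (_ < _ * _ -> _ / _ < _).` inside the proof of canonical_bounded are interactive queries that do nothing for the proof and print on every build. The `assert (0 <= eval weight n p) by admit` is a general fact about canonical representations and is better stated as its own lemma than admitted here, where it is the only reason canonical_bounded ends in `Admitted`. The inline `assert (weight (S x0) = weight x0 * 2 ^ machine_wordsize)` with its seven-step unfolding is likewise a reusable fact about `uweight` that deserves a named lemma. A one-line header such as `(* Every limb of a canonical representation lies in [0, 2^machine_wordsize). *)` would document the lemma's purpose.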
@@ -187,6 +225,96 @@ Module solinas_reduction. { admit. } Admitted. + Lemma value_reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, + p = lo ++ [hi] -> + (canonical_repr (S n) p /\ hi <= 39) -> + let q := reduce1 base s c (S n) (S n) p in + let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in + let coef := Associational.sat_mul_const base [(1, s'/s)] c in + canonical_repr (S n) q -> + eval weight (S n) q = Associational.eval coef * hi + eval weight n lo. + Proof. + intros. + intuition. + cbv [reduce1 canonical_repr] in *; intuition. + cbv [q coef s']. + rewrite !H. + rewrite Rows.flatten_mod. + rewrite Rows.eval_from_associational. + rewrite value_sat_reduce. + lazymatch goal with + | |- context[Saturated.Rows.adjust_s ?weight ?fuel ?s] => + destruct (adjust_s_invariant fuel s ltac:(assumption)) as [Hmod ?] + end. + + unfold to_associational. + rewrite seq_snoc. + rewrite map_app. + rewrite Nat.add_0_l; cbn [map]. + rewrite combine_snoc. + rewrite fst_split_app, snd_split_app. + autorewrite with push_eval. + assert (Rows.adjust_s weight (S (S (S n))) s = (weight n, true)) by admit. (* maybe a property about the Solinas primes? *) + rewrite H6 in *; cbn [fst] in *. + assert (split (weight n) [(weight n, hi)] = ([], [(1, hi)])). + { unfold split. + simpl. + assert (weight n mod weight n = 0) by (apply Z_mod_same_full). + rewrite H7. + simpl. + assert (weight n / weight n = 1) by + eauto using Z_div_same, Z.lt_gt, weight_positive. + rewrite H8. + reflexivity. } + rewrite H7; cbn [fst snd]. + autorewrite with push_eval zsimplify_const; cbn [fst snd]. + assert (split (weight n) (combine (map weight (seq 0 n)) lo) = + ((combine (map weight (seq 0 n)) lo), [])). + { admit. } + rewrite H8; cbn [fst snd]. + autorewrite with push_eval zsimplify_const; cbn [fst snd]. + unfold eval, to_associational. + apply Z.mod_small. + pose proof BYInv.eval_bound. + assert (0 < machine_wordsize) by lia. + apply H9 with (n:=n) (f:=lo) in H10. 
+ unfold eval, to_associational in H10. + unfold weight. + intuition. + admit. (* prove value is positive *) + Search (_ < _ -> _ + _ < _ + _). + apply Zplus_lt_compat_l with + (p:=Associational.eval (Associational.sat_mul_const base [(1, uweight machine_wordsize n / s)] c) * hi) in H12. + etransitivity. + eauto. + admit. (* add a premise about the relationship between coef and weight *) + + (* proving statements generated by apply lemmas *) + intros. + apply canonical_bounded with (p:=p) (n:=S n). + unfold canonical_repr; intuition. + rewrite H. + apply in_or_app; intuition. + apply f_equal with (f:=fun l => length l) in H. + rewrite app_length in H. + simpl in H. + rewrite H1 in H. + lia. + rewrite map_length. + rewrite seq_length. + apply f_equal with (f:=fun l => length l) in H. + rewrite app_length in H. + simpl in H. + rewrite H1 in H. + lia. + admit. (* base <> 0 *) + eauto. + left; lia. + eauto. + intros. + eapply Rows.length_from_associational; eauto. + Admitted. + Theorem reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> @@ -244,7 +372,8 @@ Module solinas_reduction. assert (base = 2^256) by admit. rewrite H11, H12, H13. replace (weight 4 / 2 ^ 255) with 2 by eauto. - replace (Associational.sat_mul_const (2 ^ 256) [(1, 2)] [(1, 19)]) with ([(1, 38)]) by admit. + replace (Associational.eval (Associational.sat_mul_const (2 ^ 256) [(1, 2)] [(1, 19)])) with (38) by reflexivity. + autorewrite with push_eval; cbn [fst snd]; autorewrite with zsimplify_const. unfold eval, to_associational. Search (?x mod _ = ?x). 
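Review bot: value_reduce_second is admitted on facts its statement does not supply: `admit. (* base <> 0 *)` discharges a side condition that should be a premise `(base_nz : base <> 0)`, and `assert (Rows.adjust_s weight (S (S (S n))) s = (weight n, true)) by admit. (* maybe a property about the Solinas primes? *)` is a property of the particular `s`, not something provable for arbitrary `s`, so it too belongs in the statement; `admit. (* add a premise about the relationship between coef and weight *)` says the same about `coef`. `Search (_ < _ -> _ + _ < _ + _).` is an interactive query that should not be committed, and `Proof.` here differs from the `Proof using wprops` used by the neighbouring lemmas. In the `@@ -244` hunk on the same line, `replace (Associational.eval (...)) with (38) by reflexivity` is fine but still sits under the `n = 4`/`s = 2^255` admits of the enclosing reduce_second proof, which starts and ends outside that hunk.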
@@ -252,23 +381,36 @@ Module solinas_reduction. split. admit. Locate "<=". - - admit. (* plugging in constant values *) - - rewrite H in H2. - rewrite app_length in H2. - simpl in H2. - rewrite plus_comm in H2. - rewrite map_length. - rewrite seq_length. + Search Positional.eval . + pose proof BYInv.eval_bound. + assert (0 < 64) by lia. + apply H14 with (n:=4%nat) (f:=lo) in H15. + unfold eval, to_associational in H15. + assert (2 ^ (64 * Z.of_nat 4) <= weight 5 - 38 * 39). + { + vm_compute. + intuition. + discriminate x. } + unfold weight in *. lia. - admit. (* base <> 0 *) - eauto. - lia. - eauto. - intros. - eapply Rows.length_from_associational; eauto. } + all: admit. + + (* rewrite H in H2. *) + (* rewrite app_length in H2. *) + (* simpl in H2. *) + (* rewrite plus_comm in H2. *) + (* rewrite map_length. *) + (* rewrite seq_length. *) + (* lia. *) + + (* admit. (* base <> 0 *) *) + (* eauto. *) + (* lia. *) + (* eauto. *) + (* intros. *) + (* eapply Rows.length_from_associational; eauto. *) + } assert (q_hi2 < 2). { pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (1 + length q_lo) pf. From bb77297696c6d0a3969a6ea0d8535583417a0d41 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Thu, 12 May 2022 21:21:48 -0400 Subject: [PATCH 10/69] prove canonical representation is positive --- src/SolinasReduction.v | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index f7350fadc2..d263824da4 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
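Review bot: The old tail of the reduce_second proof is kept as fourteen commented-out tactics (`(* rewrite H in H2. *)` … `(* eapply Rows.length_from_associational; eauto. *)`) and the remaining goals are swallowed by `all: admit.`; the commented block should be deleted (git keeps the history), and `all: admit` hides how many goals are still open — closing them one by one, or a comment listing the open obligations, keeps the debt visible. `Locate "<=".` and `Search Positional.eval .` are interactive queries that should be removed. The enclosing proof starts and ends outside the hunk.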
@@ -170,27 +170,40 @@ Module solinas_reduction. Hint Resolve length_partition : push_length. Hint Resolve Rows.length_from_associational : push_length. + Lemma canonical_pos n : forall (p : list Z), + canonical_repr n p -> + 0 <= eval weight n p. + Proof. + intros. + unfold canonical_repr in *. + intuition. + pose proof Partition.eval_partition. + specialize (H weight wprops n (eval weight n p)). + rewrite <-H1 in H. + rewrite H. + apply Z.mod_pos_bound. + eauto. + Qed. + Lemma canonical_bounded n : forall (p : list Z), canonical_repr n p -> forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. Proof. intros. - unfold canonical_repr, Partition.partition in *. + pose proof (canonical_pos n p H). + unfold canonical_repr, Partition.partition in H. destruct H. - rewrite H1 in H0. + rewrite H2 in H0. rewrite in_map_iff in H0. destruct H0. intuition. - Print Partition.partition. - { rewrite <-H2. - assert (0 <= eval weight n p) by admit. + { rewrite <-H3. apply Z.div_nonneg. apply Z_mod_nonneg_nonneg. assumption. eauto using Z.lt_le_incl. eauto using Z.lt_le_incl. } - { rewrite <-H2. - Search (_ < _ * _ -> _ / _ < _). + { rewrite <-H3. apply OrdersEx.Z_as_OT.div_lt_upper_bound; eauto. assert (weight (S x0) = weight x0 * 2 ^ machine_wordsize). { unfold weight, uweight, ModOps.weight. @@ -205,7 +218,7 @@ Module solinas_reduction. rewrite <-H0. apply OrdersEx.Z_as_OT.mod_pos_bound. eauto. } - Admitted. + Qed. Lemma reduce_canonical_repr base s c n m : forall (p : list Z), canonical_repr m (reduce1 base s c n m p). @@ -326,6 +339,10 @@ Module solinas_reduction. (q_hi2 = 0)). Proof using wprops. intros. + + (* pose proof *) + (* (value_reduce_second base s c n s_nz p lo hi H H0 H2). *) + intuition. assert (Hevalq : eval weight (S n) q = 38 * hi + eval weight n lo). @@ -392,7 +409,6 @@ Module solinas_reduction. intuition. discriminate x. } unfold weight in *. - lia. all: admit. From ef3643d81a4054febec258735814cffb563dadb7 Mon Sep 17 00:00:00 2001 
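Review bot: canonical_pos refers to the fact introduced by `pose proof Partition.eval_partition` as `H`, which only works because the preceding `intuition` consumed the original `H : canonical_repr n p`; `pose proof Partition.eval_partition as Hpart` (and `destruct H as [Hlen Hpart]` in place of `intuition`) makes the dependency explicit, and canonical_bounded's renumbering from `H1`/`H2` to `H2`/`H3` in the same hunk shows the cost of not doing so. The lemma is also undocumented; `(* A canonical representation is non-negative: it is a partition of a residue modulo weight n. *)` states what the `Z.mod_pos_bound` step proves. The `@@ -326` hunk on this line adds a commented-out `pose proof (value_reduce_second …)`, which should either be used or dropped rather than committed as a comment.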
From: Samuel Tian Date: Fri, 13 May 2022 20:35:37 -0400 Subject: [PATCH 11/69] proving subsequences of canonical representations are canonical --- src/SolinasReduction.v | 164 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 159 insertions(+), 5 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index d263824da4..f9481bb552 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -220,6 +220,48 @@ Module solinas_reduction. eauto. } Qed. + Lemma canonical_eval_bounded n : forall (p : list Z), + canonical_repr n p -> + eval weight n p < weight n. + Proof. + intros. + pose proof (canonical_bounded _ _ H). + unfold canonical_repr in *; intuition. + induction p; simpl. + { simpl in H1; subst. + vm_compute. + eauto. } + { simpl in H1; subst. + rewrite eval_cons. + autorewrite with zsimplify_const. + rewrite <-IHp. + Admitted. + + Lemma canonical_app : forall n n1 n2 (p p1 p2: list Z), + p = p1 ++ p2 -> + length p1 = n1 -> + length p2 = n2 -> + canonical_repr (n) p -> + canonical_repr n1 p1 /\ canonical_repr n2 p2. + Proof. + intros. + unfold canonical_repr in *. + rewrite H in H2. + intuition. + unfold weight in H4. + Search (eval _ _ (_ ++ _)). + rewrite uweight_eval_app with (n:=n1) in H4. + Search (Partition.partition _ _ (_ + _)). + pose proof uweight_partition_app. + assert (eval (uweight machine_wordsize) n1 p1 = + eval (uweight machine_wordsize) n1 p1 mod uweight machine_wordsize n1). + { rewrite Z.mod_small. + eauto. + split. + admit. + + Admitted. + Lemma reduce_canonical_repr base s c n m : forall (p : list Z), canonical_repr m (reduce1 base s c n m p). Proof using wprops. @@ -328,7 +370,7 @@ Module solinas_reduction. eapply Rows.length_from_associational; eauto. Admitted. - Theorem reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, + Theorem reduce_second' base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> forall q_lo q_hi1 q_hi2, 
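Review bot: canonical_eval_bounded does `induction p` after `n` and `length p = n` are already in context, so, as far as the hunk shows, the induction hypothesis is stated for the same `n` and cannot be applied to the tail `p` (whose length is one less); generalising `n` before the induction (`generalize dependent n; induction p; intros`) is the usual fix, and the script currently ends in `Admitted` inside an open `{ … }` block. canonical_app is likewise left `Admitted`, with `Search (eval _ _ (_ ++ _)).` and `Search (Partition.partition _ _ (_ + _)).` inside the proof. Renaming the theorem to reduce_second' in the `@@ -328` hunk while the original statement is re-added under the old name in the next hunk leaves two theorems with identical statements.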
@@ -340,8 +382,118 @@ Module solinas_reduction. Proof using wprops. intros. - (* pose proof *) - (* (value_reduce_second base s c n s_nz p lo hi H H0 H2). *) + pose proof + (value_reduce_second base s c n s_nz p lo hi H H0 H2). + + assert (0 <= q_hi2 < 2). + { split. + { pose proof (canonical_bounded _ _ H2). + assert (In q_hi2 q). + { rewrite H1. + simpl. + apply in_or_app. + right. + simpl. + intuition. } + apply H4 in H5. + lia. } + { pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (1 + length q_lo) pf. + unfold canonical_repr in H2. + intuition. + rewrite <-H7 in H4. + rewrite H1 in H4 at 1. + rewrite nth_default_app in H4. + destruct (lt_dec) in H4; try lia. + replace (1 + Datatypes.length q_lo - Datatypes.length q_lo)%nat with 1%nat in H4 by lia. + unfold nth_default in H4. + simpl in H4. + cbv [q] in H4. + rewrite H3 in H4. + rewrite H4. + apply Z.div_lt_upper_bound. + eauto. + admit. + apply f_equal with (f:=fun l => length l) in H1. + rewrite !app_length in H1. + rewrite H0 in H1. + rewrite H1. + simpl. + lia. } + } + assert (q_hi2 = 1 \/ q_hi2 = 0) by lia. + intuition. + left. + intuition. + pose proof f_equal (eval weight (S n)) H1. + erewrite app_assoc, !eval_snoc in H5; eauto. + cbv [q] in H5. + rewrite H3 in H5. + subst. + autorewrite with zsimplify_const in H5. + Search (_ + _ + _). + (* rewrite <-Z.add_assoc in H5. *) + apply LinearSubstitute.Z.move_L_pX in H5. + + remember (Associational.eval (Associational.sat_mul_const base [(1, fst (Rows.adjust_s weight (S (S (S n))) s) / s)] c)) as coef. + pose proof + fun pf => nth_default_partition weight 0 n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) (length q_lo) pf. + assert (Partition.partition weight n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) = q_lo ++ [q_hi1]) by admit. + + (* apply LinearSubstitute.Z.move_L_pX with (y:=weight (Datatypes.length (q_lo ++ [q_hi1]))) in H5. *) + (* Search nth_default Partition.partition. 
*) + (* pose proof fun pf => nth_default_partition weight 0 (n) (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) (length q_lo) pf. *) + (* assert (Partition.partition weight n (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) = q_lo ++ [q_hi1]) by admit. *) + (* rewrite H7 in H. *) + (* rewrite nth_default_app in H. *) + (* destruct lt_dec in H. *) + (* lia. *) + (* replace (Datatypes.length q_lo - Datatypes.length q_lo)%nat with 0%nat in H by lia. *) + (* replace (nth_default 0 [q_hi1] 0) with (q_hi1) in H. *) + (* 2: { unfold nth_default. *) + (* reflexivity. } *) + (* rewrite H. *) + (* Search (_ / _ = 0). *) + (* apply Z.div_small. *) + (* split. *) + (* admit. *) + (* apply Le.Z.le_sub_1_iff. *) + (* etransitivity. *) + (* apply Z.mod_le. *) + (* admit. *) + (* apply wprops. *) + (* { admit. } *) + (* unfold canonical_repr in H2. *) + (* intuition. *) + (* apply f_equal with (f:=fun l => length l) in H1. *) + (* rewrite !app_length in H1. *) + (* cbn [Datatypes.length] in H1. *) + (* assert (Datatypes.length q_lo = (n - 1)%nat) by lia. *) + (* lia. *) + (* rewrite app_length. *) + (* cbn [Datatypes.length]. *) + (* lia. *) + + (* unfold canonical_repr in H2. *) + (* intuition. *) + (* apply f_equal with (f:=fun l => length l) in H1. *) + (* rewrite !app_length in *. *) + (* cbn [Datatypes.length] in *. *) + (* apply f_equal. *) + (* rewrite H8 in H1. *) + (* lia. *) + Admitted. + + Theorem reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, + p = lo ++ [hi] -> + (canonical_repr (S n) p /\ hi <= 39) -> + forall q_lo q_hi1 q_hi2, + let q := reduce1 base s c (S n) (S n) p in + q = q_lo ++ [q_hi1] ++ [q_hi2] -> + canonical_repr (S n) q -> + ((q_hi2 = 1 /\ q_hi1 = 0) \/ + (q_hi2 = 0)). + Proof using wprops. + intros. intuition. @@ -445,7 +597,7 @@ Module solinas_reduction. rewrite H0. Search (_ / _ < _). apply Z.div_lt_upper_bound. - admit. + eauto. Search Z.lt Z.le 1 iff. apply Le.Z.le_sub_1_iff. 
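Review bot: reduce_second' and the re-added reduce_second at the end of this hunk have byte-identical statements, so one should be derived from the other or removed once the new proof lands rather than both being maintained. About forty lines of the old proof are kept as comments (`(* apply LinearSubstitute.Z.move_L_pX with (y:=…) in H5. *)` … `(* lia. *)`) and should be deleted instead. `assert (Partition.partition weight n (…) = q_lo ++ [q_hi1]) by admit` is the real remaining obligation and deserves a comment saying what it needs, since the other `admit` in this hunk (after `apply Z.div_lt_upper_bound`) is unannotated.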
@@ -453,7 +605,9 @@ Module solinas_reduction. etransitivity. apply Z.mod_le. admit. - apply wprops. + eauto. + + admit. admit. } From da013d0ef4fe743f3b234677365172032c155d53 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Thu, 2 Jun 2022 14:05:46 -0400 Subject: [PATCH 12/69] finish lemmas about canonical_repr, finish most side lemmas in reduce theorem --- src/SolinasReduction.v | 439 +++++++++++++++++++++++++++++++++-------- 1 file changed, 362 insertions(+), 77 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index f9481bb552..ab2f28ff1f 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -170,6 +170,16 @@ Module solinas_reduction. Hint Resolve length_partition : push_length. Hint Resolve Rows.length_from_associational : push_length. + Ltac weight_comp := + unfold weight, uweight, ModOps.weight; + rewrite !Z.div_1_r; + rewrite !Z.opp_involutive; + rewrite Nat2Z.inj_succ; + rewrite OrdersEx.Z_as_OT.mul_succ_r; + rewrite OrdersEx.Z_as_OT.pow_add_r; + autorewrite with zsimplify_const; + ring_simplify. + Lemma canonical_pos n : forall (p : list Z), canonical_repr n p -> 0 <= eval weight n p. 
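Review bot: Replacing `apply wprops.` with `eauto.` and appending two bare `admit.` lines increases the number of admitted goals in reduce_second instead of reducing it, and, unlike `admit. (* base <> 0 *)` elsewhere in the file, neither new admit says which obligation it stands for; a comment per admit naming the goal would keep the remaining debt visible. The enclosing proof starts and ends outside the hunk.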
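Review bot: `Ltac weight_comp` has no comment saying what goal shape it expects, and its `rewrite Nat2Z.inj_succ`, `rewrite OrdersEx.Z_as_OT.mul_succ_r` and `rewrite OrdersEx.Z_as_OT.pow_add_r` are not wrapped in `try`, so the tactic fails outright on any goal in which the weight index is not syntactically `S _`. A header such as `(* Unfold weight/uweight and rewrite weight (S i) via inj_succ/mul_succ_r/pow_add_r; expects a goal mentioning weight (S _). *)` would tell callers when it applies. Judging by the `lia. lia. lia.` that follows the same rewrite sequence in weight_mono' in a later hunk, the tactic also leaves side conditions for the caller, which is worth stating in the same comment.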
@@ -220,47 +230,177 @@ Module solinas_reduction. eauto. } Qed. + Lemma canonical_iff p n : + canonical_repr n p <-> + length p = n /\ + forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. + Proof. + split. + { intros. + intuition. + unfold canonical_repr in *. + intuition. + eapply canonical_bounded; eauto. + eapply canonical_bounded; eauto. } + { intros. + unfold canonical_repr. + intuition. + + apply uweight_partition_unique. + lia. + assumption. + intros. + rewrite Le.Z.le_sub_1_iff. + eauto. } + Qed. + + Lemma canonical_cons n a p: + canonical_repr (S n) (a :: p) -> + canonical_repr n p. + Proof. + intros. + rewrite canonical_iff in *. + intuition; apply H1; simpl; eauto. + Qed. + + Lemma canonical_app_l n n1 n2 l l1 l2 : + canonical_repr n l -> + length l1 = n1 -> + length l2 = n2 -> + n = (n1 + n2)%nat -> + l = l1 ++ l2 -> + canonical_repr n1 l1. + Proof. + intros. + intuition; + rewrite canonical_iff in *; + intuition; apply H5; rewrite H3; apply in_or_app; eauto. + Qed. + + Lemma canonical_app_r n n1 n2 l l1 l2 : + canonical_repr n l -> + length l1 = n1 -> + length l2 = n2 -> + n = (n1 + n2)%nat -> + l = l1 ++ l2 -> + canonical_repr n2 l2. + Proof. + intros. + intuition; + rewrite canonical_iff in *; + intuition; apply H5; rewrite H3; apply in_or_app; eauto. + Qed. + + Definition eval_weight_P p := + eval (fun i : nat => weight (S i)) (Datatypes.length p) p = + (eval weight (Datatypes.length p) p) * weight 1. + + Lemma eval_weight_S' : forall p, + eval_weight_P p. + Proof. + apply (ListAux.list_length_induction Z). + intros. + pose proof (@break_list_last Z l1). + intuition; unfold eval_weight_P in *. + { subst. + reflexivity. } + { destruct H1. + destruct H0. + subst. + rewrite app_length. + simpl. + replace (length x + 1)%nat with (S (length x)) by lia. + rewrite !eval_snoc_S. + rewrite H. + rewrite OrdersEx.Z_as_OT.mul_add_distr_r. + rewrite OrdersEx.Z_as_DT.add_cancel_l. + unfold weight, uweight, ModOps.weight, machine_wordsize. + rewrite !Z.div_1_r. 
+ rewrite !Z.opp_involutive. + rewrite Nat2Z.inj_succ. + rewrite OrdersEx.Z_as_OT.mul_succ_r. + rewrite OrdersEx.Z_as_OT.pow_add_r. + lia. + lia. + lia. + rewrite app_length. + simpl. + lia. + lia. + lia. } + Qed. + + Lemma eval_weight_S p n: + n = Datatypes.length p -> + eval (fun i : nat => weight (S i)) n p = + (eval weight n p) * weight 1. + Proof. + pose proof eval_weight_S'. + unfold eval_weight_P in *. + intros. + subst. + eauto. + Qed. + Lemma canonical_eval_bounded n : forall (p : list Z), canonical_repr n p -> eval weight n p < weight n. Proof. intros. pose proof (canonical_bounded _ _ H). - unfold canonical_repr in *; intuition. - induction p; simpl. + assert (Hcanon: canonical_repr n p) by assumption. + unfold canonical_repr in H; intuition. + generalize dependent n. + induction p; intros. { simpl in H1; subst. vm_compute. eauto. } { simpl in H1; subst. rewrite eval_cons. autorewrite with zsimplify_const. - rewrite <-IHp. - Admitted. - - Lemma canonical_app : forall n n1 n2 (p p1 p2: list Z), - p = p1 ++ p2 -> - length p1 = n1 -> - length p2 = n2 -> - canonical_repr (n) p -> - canonical_repr n1 p1 /\ canonical_repr n2 p2. - Proof. - intros. - unfold canonical_repr in *. - rewrite H in H2. - intuition. - unfold weight in H4. - Search (eval _ _ (_ ++ _)). - rewrite uweight_eval_app with (n:=n1) in H4. - Search (Partition.partition _ _ (_ + _)). - pose proof uweight_partition_app. - assert (eval (uweight machine_wordsize) n1 p1 = - eval (uweight machine_wordsize) n1 p1 mod uweight machine_wordsize n1). - { rewrite Z.mod_small. + rewrite eval_weight_S. + assert (a + eval weight (Datatypes.length p) p * weight 1 < 2^machine_wordsize + eval weight (Datatypes.length p) p * weight 1). + rewrite <-OrdersEx.Z_as_OT.add_lt_mono_r. + apply H0. + simpl. + left. + reflexivity. + rewrite <-Le.Z.le_sub_1_iff. + rewrite <-Le.Z.le_sub_1_iff in H. + etransitivity. + apply H. 
+ assert (2 ^ machine_wordsize + eval weight (Datatypes.length p) p * weight 1 <= 2 ^ machine_wordsize + (weight (Datatypes.length p) - 1) * weight 1). + rewrite <-OrdersEx.Z_as_OT.add_le_mono_l. + rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r. + rewrite Le.Z.le_sub_1_iff. + apply IHp. + intros. + apply H0. + simpl. eauto. - split. - admit. - - Admitted. + eapply canonical_cons; eauto. + reflexivity. + apply canonical_cons in Hcanon. + unfold canonical_repr in Hcanon. + intuition. + apply wprops. + rewrite OrdersEx.Z_as_OT.sub_le_mono_r with (p:=1) in H1. + etransitivity. + apply H1. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.sub_le_mono_r. + rewrite Nat2Z.inj_succ. + rewrite OrdersEx.Z_as_OT.mul_succ_r. + rewrite OrdersEx.Z_as_OT.pow_add_r. + ring_simplify. + reflexivity. + lia. + lia. + lia. + lia. + reflexivity. + reflexivity. } + Qed. Lemma reduce_canonical_repr base s c n m : forall (p : list Z), canonical_repr m (reduce1 base s c n m p). 
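Review bot: canonical_app_l and canonical_app_r have identical hypotheses and byte-identical proof scripts, differing only in the conclusion; the `canonical_app` statement removed in this same hunk (concluding `canonical_repr n1 p1 /\ canonical_repr n2 p2`) would be provable by that script and the two would then be one-line corollaries of it. Both scripts also depend on generated names (`apply H5; rewrite H3`), as does eval_weight_S' (`rewrite H`). The tail of canonical_eval_bounded discharges side goals with a run of `lia. lia. lia. lia. reflexivity. reflexivity.` far from the tactics that produced them; attaching them with `by` or bullets keeps each side condition next to its origin. None of the new lemmas has a header comment; for canonical_iff something like `(* A list is canonical for n iff it has length n and every limb is below 2^machine_wordsize. *)` is read directly off the statement.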
@@ -280,6 +420,96 @@ Module solinas_reduction. { admit. } Admitted. + Lemma split_lt w l1 l2: + (forall x, In x l1 -> 0 < x < w) -> + length l1 = length l2 -> + split w (combine l1 l2) = (combine l1 l2, []). + Proof. + intros. + generalize dependent l2. + induction l1; intros. + { reflexivity. } + { simpl. + destruct l2 eqn:E. + simpl in H0. + discriminate. + match goal with + | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by eauto + end. + rewrite split_app. + rewrite IHl1. + cbn [fst snd]. + simpl. + assert (In a (a :: l1)) by apply in_eq. + apply H in H1. + assert (a mod w = a). + { apply Z.mod_small. + lia. } + rewrite H2. + destruct (a =? 0) eqn:E1. + rewrite Z.eqb_eq in E1. + lia. + reflexivity. + intros. + apply H. + apply in_cons. + assumption. + simpl in H0. + lia. } + Qed. + + Lemma weight_mono' x : + weight x < weight (S x). + Proof. + intros. + unfold weight, uweight, ModOps.weight, machine_wordsize. + rewrite !Z.div_1_r. + rewrite !Z.opp_involutive. + rewrite Nat2Z.inj_succ. + rewrite OrdersEx.Z_as_OT.mul_succ_r. + rewrite OrdersEx.Z_as_OT.pow_add_r. + lia. + lia. + lia. + Qed. + + Lemma weight_mono'' x1 x2 : + (x2 > 0)%nat + -> weight x1 < weight (x2 + x1). + Proof. + intros. + induction H. + { apply weight_mono'. } + { etransitivity. + apply IHle. + apply weight_mono'. } + Qed. + + Lemma weight_mono x1 x2 : + (x1 < x2)%nat -> + weight x1 < weight x2. + Proof. + intros. + replace x2%nat with ((x2 - x1) + x1)%nat. + apply weight_mono''. + lia. + lia. + Qed. + + (* helps with proving lemmas about the length of the reduction *) + Ltac length_q q := + try match goal with + | [ H : canonical_repr _ q |- _ ] => + unfold canonical_repr in H; intuition + end; + match goal with + | [ H1 : q = _ |- _ ] => + apply f_equal with (f:=fun l => length l) in H1; + rewrite !app_length in H1; + try rewrite !app_length; + cbn [length] in H1; cbn [length]; lia + end. 
+ Lemma value_reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> @@ -325,7 +555,22 @@ Module solinas_reduction. autorewrite with push_eval zsimplify_const; cbn [fst snd]. assert (split (weight n) (combine (map weight (seq 0 n)) lo) = ((combine (map weight (seq 0 n)) lo), [])). - { admit. } + { apply split_lt. + intros. + rewrite in_map_iff in H8. + destruct H8. + intuition. + rewrite <-H9. + apply wprops. + rewrite <-H9. + rewrite in_seq in H10. + intuition. + simpl in H11. + apply weight_mono. + lia. + rewrite map_length. + rewrite seq_length. + length_q p. } rewrite H8; cbn [fst snd]. autorewrite with push_eval zsimplify_const; cbn [fst snd]. unfold eval, to_associational. @@ -337,7 +582,6 @@ Module solinas_reduction. unfold weight. intuition. admit. (* prove value is positive *) - Search (_ < _ -> _ + _ < _ + _). apply Zplus_lt_compat_l with (p:=Associational.eval (Associational.sat_mul_const base [(1, uweight machine_wordsize n / s)] c) * hi) in H12. etransitivity. @@ -370,6 +614,7 @@ Module solinas_reduction. eapply Rows.length_from_associational; eauto. Admitted. + Theorem reduce_second' base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> 
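Review bot: weight_mono' repeats by hand the unfold/rewrite sequence that `weight_comp` (added in this same commit) packages, so its body could presumably become `weight_comp; lia`; the names weight_mono' and weight_mono'' also say nothing about how they differ from weight_mono (successor step and additive step) — `weight_mono_S` and `weight_mono_add` would. weight_mono'' does `induction H` on `(x2 > 0)%nat`, which relies on `>`/`lt` unfolding to `le` with the right orientation; a comment stating that would spare the next reader the check. In the `@@ -325` hunk on this line, the split_lt application closes the former `admit` but again refers to `H8`…`H11` by generated name.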
@@ -412,7 +657,32 @@ Module solinas_reduction. rewrite H4. apply Z.div_lt_upper_bound. eauto. - admit. + apply Le.Z.le_sub_1_iff. + etransitivity. + apply Z.mod_le. + admit. (* value of reduction is positive *) + apply wprops. + rewrite OrdersEx.Z_as_OT.le_add_le_sub_r. + etransitivity. + admit. (* relationship between coef and weight *) + assert (weight (S (Datatypes.length q_lo)) <= weight (S (Datatypes.length q_lo)) * 2 - 1 - eval weight n lo). + { rewrite <-OrdersEx.Z_as_OT.le_add_le_sub_l. + rewrite <-OrdersEx.Z_as_OT.le_add_le_sub_l. + rewrite Z.add_assoc. + rewrite OrdersEx.Z_as_OT.le_add_le_sub_r. + ring_simplify. + eapply canonical_app_l with (l1:=lo) (n1:=n) in H5. + apply canonical_eval_bounded in H5. + rewrite Le.Z.le_add_1_iff. + replace (S (length q_lo)) with n by (length_q q). + assumption. + length_q p. + 3: eauto. + reflexivity. + simpl. + lia. } + eassumption. + apply f_equal with (f:=fun l => length l) in H1. rewrite !app_length in H1. rewrite H0 in H1. 
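Review bot: `admit. (* value of reduction is positive *)` asks for non-negativity of the reduced value right after `apply Z.mod_le`; if that goal is `0 <= eval weight (S n) q`, it should follow from `canonical_pos` applied to the hypothesis `canonical_repr (S n) q` the theorem already has, so the admit looks avoidable. `admit. (* relationship between coef and weight *)` is, like the same admit in value_reduce_second, an assumption about the prime that belongs in the statement. The mix of positional goal discharge (`length_q p.`, `reflexivity.`, `simpl. lia.`) with the numbered selector `3: eauto.` is hard to follow; bullets or `by` clauses would make each side goal's origin visible. The enclosing proof of reduce_second' starts and ends outside the hunk.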
@@ -430,57 +700,72 @@ Module solinas_reduction. rewrite H3 in H5. subst. autorewrite with zsimplify_const in H5. - Search (_ + _ + _). - (* rewrite <-Z.add_assoc in H5. *) apply LinearSubstitute.Z.move_L_pX in H5. remember (Associational.eval (Associational.sat_mul_const base [(1, fst (Rows.adjust_s weight (S (S (S n))) s) / s)] c)) as coef. pose proof fun pf => nth_default_partition weight 0 n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) (length q_lo) pf. - assert (Partition.partition weight n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) = q_lo ++ [q_hi1]) by admit. - - (* apply LinearSubstitute.Z.move_L_pX with (y:=weight (Datatypes.length (q_lo ++ [q_hi1]))) in H5. *) - (* Search nth_default Partition.partition. *) - (* pose proof fun pf => nth_default_partition weight 0 (n) (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) (length q_lo) pf. *) - (* assert (Partition.partition weight n (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) = q_lo ++ [q_hi1]) by admit. *) - (* rewrite H7 in H. *) - (* rewrite nth_default_app in H. *) - (* destruct lt_dec in H. *) - (* lia. *) - (* replace (Datatypes.length q_lo - Datatypes.length q_lo)%nat with 0%nat in H by lia. *) - (* replace (nth_default 0 [q_hi1] 0) with (q_hi1) in H. *) - (* 2: { unfold nth_default. *) - (* reflexivity. } *) - (* rewrite H. *) - (* Search (_ / _ = 0). *) - (* apply Z.div_small. *) - (* split. *) - (* admit. *) - (* apply Le.Z.le_sub_1_iff. *) - (* etransitivity. *) - (* apply Z.mod_le. *) - (* admit. *) - (* apply wprops. *) - (* { admit. } *) - (* unfold canonical_repr in H2. *) - (* intuition. *) - (* apply f_equal with (f:=fun l => length l) in H1. *) - (* rewrite !app_length in H1. *) - (* cbn [Datatypes.length] in H1. *) - (* assert (Datatypes.length q_lo = (n - 1)%nat) by lia. *) - (* lia. *) - (* rewrite app_length. *) - (* cbn [Datatypes.length]. *) - (* lia. 
*) - - (* unfold canonical_repr in H2. *) - (* intuition. *) - (* apply f_equal with (f:=fun l => length l) in H1. *) - (* rewrite !app_length in *. *) - (* cbn [Datatypes.length] in *. *) - (* apply f_equal. *) - (* rewrite H8 in H1. *) - (* lia. *) + assert (Partition.partition weight n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) = q_lo ++ [q_hi1]). + { assert (canonical_repr n (q_lo ++ [q_hi1])). + { eapply canonical_app_l; eauto. + length_q q. + 2: rewrite <-app_assoc; eauto. + simpl. + lia. } + unfold canonical_repr in H4; intuition. + rewrite H10. + f_equal. + rewrite H5. + assert (n = S (length q_lo)) by length_q q. + rewrite H4. + rewrite eval_snoc_S. + reflexivity. + reflexivity. } + + rewrite H4 in H. + rewrite nth_default_app in H. + destruct lt_dec in H. + lia. + replace (Datatypes.length q_lo - Datatypes.length q_lo)%nat with 0%nat in H by lia. + replace (nth_default 0 [q_hi1] 0) with (q_hi1) in H. + + rewrite H. + apply Z.div_small. + split. + apply Z_mod_nonneg_nonneg. + rewrite H5. + etransitivity. + assert (canonical_repr (length q_lo) q_lo). + { eapply canonical_app_l. + eauto. + length_q q. + eauto. + 2: eauto. + length_q q. } + apply canonical_pos in H9. + apply H9. + replace (eval weight (Datatypes.length q_lo) q_lo) with + (eval weight (Datatypes.length q_lo) q_lo + 0) at 1. + apply Zplus_le_compat_l. + apply OrdersEx.Z_as_DT.mul_nonneg_nonneg. + apply OrdersEx.Z_as_OT.lt_le_incl. + apply wprops. + pose proof (canonical_bounded _ _ H2). + apply H9. + rewrite H1. + apply in_or_app. + right. + apply in_or_app. + simpl. + intuition. + lia. + apply OrdersEx.Z_as_OT.lt_le_incl. + apply wprops. + admit. (* coef and weight *) + length_q q. + reflexivity. + length_q q. + length_q q. Admitted. Theorem reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, From 6e301f6a87ba237e398ea3ca645ec5dc99c68113 Mon Sep 17 00:00:00 2001 
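Review bot: `replace (nth_default 0 [q_hi1] 0) with (q_hi1) in H.` leaves its equality side goal open until the `reflexivity.` near the end of the hunk, and the closing `length_q q. reflexivity. length_q q. length_q q.` discharge obligations created by `assert`, `eapply canonical_app_l` and `rewrite eval_snoc_S` dozens of lines earlier; `replace (nth_default 0 [q_hi1] 0) with q_hi1 in H by reflexivity.` and `by length_q q` at the point of creation keep each side condition local. The remaining `admit. (* coef and weight *)` is the same missing premise as in value_reduce_second and should be a hypothesis rather than an admit. A comment above the outer partition assertion saying it reconstructs `q_lo ++ [q_hi1]` from the eval equation in `H5` would help a reader follow the block.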
From: Samuel Tian Date: Mon, 6 Jun 2022 18:42:05 -0400 Subject: [PATCH 13/69] add context assumptions, second reduce proof QED --- src/SolinasReduction.v | 317 ++++++++++++++++++++++++++++++++--------- 1 file changed, 251 insertions(+), 66 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index ab2f28ff1f..91924fdbd6 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -174,9 +174,9 @@ Module solinas_reduction. unfold weight, uweight, ModOps.weight; rewrite !Z.div_1_r; rewrite !Z.opp_involutive; - rewrite Nat2Z.inj_succ; - rewrite OrdersEx.Z_as_OT.mul_succ_r; - rewrite OrdersEx.Z_as_OT.pow_add_r; + try rewrite Nat2Z.inj_succ; + try rewrite OrdersEx.Z_as_OT.mul_succ_r; + try rewrite OrdersEx.Z_as_OT.pow_add_r; autorewrite with zsimplify_const; ring_simplify. @@ -291,6 +291,26 @@ Module solinas_reduction. intuition; apply H5; rewrite H3; apply in_or_app; eauto. Qed. + (* helps with proving lemmas about the length of the reduction *) + Ltac length_q q := + try match goal with + | [ H : canonical_repr _ q |- _ ] => + unfold canonical_repr in H; intuition + end; + try match goal with + | [ H : length q = _ |- _] => + rewrite !app_length in H; + try rewrite !app_length; + cbn [length] in H; cbn [length]; lia + end; + match goal with + | [ H : q = _ |- _ ] => + apply f_equal with (f:=fun l => length l) in H; + rewrite !app_length in H; + try rewrite !app_length; + cbn [length] in H; cbn [length]; lia + end. + Definition eval_weight_P p := eval (fun i : nat => weight (S i)) (Datatypes.length p) p = (eval weight (Datatypes.length p) p) * weight 1. 
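Review bot: `length_q` now tries three hypothesis shapes in turn — an unfoldable `canonical_repr _ q`, a `length q = _` equation, and a `q = _` equation — but its comment still only says `helps with proving lemmas about the length of the reduction`; listing those three cases in the comment would tell a caller why it fails when none is present, since the first two stages are wrapped in `try` and fall through silently. In the `@@ -174` hunk, wrapping the `Nat2Z.inj_succ`/`mul_succ_r`/`pow_add_r` rewrites of weight_comp in `try` lets the tactic succeed without rewriting anything when the weight index is not a syntactic `S _`, which is worth a note in its comment so callers do not rely on the rewrites having happened.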
@@ -496,21 +516,20 @@ Module solinas_reduction. lia. Qed. - (* helps with proving lemmas about the length of the reduction *) - Ltac length_q q := - try match goal with - | [ H : canonical_repr _ q |- _ ] => - unfold canonical_repr in H; intuition - end; - match goal with - | [ H1 : q = _ |- _ ] => - apply f_equal with (f:=fun l => length l) in H1; - rewrite !app_length in H1; - try rewrite !app_length; - cbn [length] in H1; cbn [length]; lia - end. + Context (base : Z) + (s : Z) + (c : list (Z * Z)) + (n : nat). + + Context (s_nz : s <> 0) + (n_gt_1 : n > 1) + (s_pos : s > 0) + (c_pos : Associational.eval c > 0) + (base_nz : base <> 0) + (solinas_property : Rows.adjust_s weight (S (S (S n))) s = (weight n, true)) + (coef_small : weight n / s * Associational.eval c <= 2^(machine_wordsize/2)). - Lemma value_reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, + Lemma value_reduce_second (* base s c n (s_nz:s<>0) *) : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> let q := reduce1 base s c (S n) (S n) p in @@ -521,7 +540,10 @@ Module solinas_reduction. Proof. intros. intuition. - cbv [reduce1 canonical_repr] in *; intuition. + assert (Hcanon : canonical_repr (S n) p) by assumption. + apply OrdersEx.Z_as_OT.le_trans with (p:=2^machine_wordsize) in coef_small. + 2: unfold machine_wordsize; simpl; lia. + cbv [reduce1 canonical_repr] in H1, H2, q; intuition. cbv [q coef s']. rewrite !H. rewrite Rows.flatten_mod. @@ -539,7 +561,7 @@ Module solinas_reduction. rewrite combine_snoc. rewrite fst_split_app, snd_split_app. autorewrite with push_eval. - assert (Rows.adjust_s weight (S (S (S n))) s = (weight n, true)) by admit. (* maybe a property about the Solinas primes? *) + pose proof solinas_property. rewrite H6 in *; cbn [fst] in *. assert (split (weight n) [(weight n, hi)] = ([], [(1, hi)])). { unfold split. 
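Review bot: The new `Context` block is where the soundness of the whole reduction argument now rests — `solinas_property`, `coef_small`, `c_pos`, `s_pos` and `base_nz` are assumptions that every lemma using them becomes conditional on — yet none carries a comment saying what it asserts about the target prime or how it is to be discharged when the section is instantiated; `solinas_property : Rows.adjust_s weight (S (S (S n))) s = (weight n, true)` in particular fixes the fuel `S (S (S n))` without explanation. `s_pos : s > 0` makes `s_nz : s <> 0` redundant (`lia` derives one from the other). The commented-out parameter list `(* base s c n (s_nz:s<>0) *)` in the value_reduce_second header should be dropped. Since these hypotheses can only be checked for a concrete `(s, c, n)`, a comment pointing to where they are (or must be) proved at instantiation — e.g. by `vm_compute`/`reflexivity` — would make the proof's trust boundary explicit.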
@@ -581,12 +603,75 @@ Module solinas_reduction. unfold eval, to_associational in H10. unfold weight. intuition. - admit. (* prove value is positive *) + + etransitivity. + assert (0 <= uweight machine_wordsize n / s * Associational.eval c * hi). + { apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. + apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. + apply OrdersEx.Z_as_DT.div_pos. + replace (uweight machine_wordsize n) with (weight n) by reflexivity. + apply OrdersEx.Z_as_OT.lt_le_incl. + apply wprops. + lia. + lia. + rewrite canonical_iff in Hcanon. + intuition. + apply H13. + rewrite H. + apply in_or_app. + right. + simpl. + eauto. } + eassumption. + replace (uweight machine_wordsize n / s * Associational.eval c * hi) with (uweight machine_wordsize n / s * Associational.eval c * hi + 0) at 1 by lia. + rewrite <-OrdersEx.Z_as_OT.add_le_mono_l. + pose proof (canonical_pos _ _ Hcanon). + unfold eval, to_associational in H10. + assumption. apply Zplus_lt_compat_l with - (p:=Associational.eval (Associational.sat_mul_const base [(1, uweight machine_wordsize n / s)] c) * hi) in H12. + (p:=uweight machine_wordsize n / s * Associational.eval c * hi) in H12. etransitivity. eauto. - admit. (* add a premise about the relationship between coef and weight *) + + rewrite <-Le.Z.le_sub_1_iff. + etransitivity. + unfold weight in coef_small. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r with (p:=hi) in coef_small. + rewrite OrdersEx.Z_as_OT.add_le_mono_r with (p:=2 ^ (machine_wordsize * Z.of_nat n)) in coef_small. + apply coef_small. + apply canonical_bounded with (x:=hi) in Hcanon. + apply Hcanon. + rewrite H. + apply in_or_app. + right. + simpl. + eauto. + + etransitivity. + assert (2^machine_wordsize <= 2^(machine_wordsize * n)). + apply OrdersEx.Z_as_OT.pow_le_mono_r. + lia. + lia. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r with (p:=hi) in H10. + rewrite OrdersEx.Z_as_OT.add_le_mono_r with (p:=2 ^ (machine_wordsize * Z.of_nat n)) in H10. + apply H10. 
+ apply canonical_bounded with (x:=hi) in Hcanon. + apply Hcanon. + rewrite H. + apply in_or_app; right; simpl; eauto. + + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_l with (p:=(2 ^ (machine_wordsize * Z.of_nat n))) in H3. + rewrite OrdersEx.Z_as_OT.add_le_mono_r with (p:=2 ^ (machine_wordsize * Z.of_nat n)) in H3. + apply H3. + lia. + weight_comp. + rewrite Z.mul_comm. + rewrite Le.Z.le_sub_1_iff. + cbv [machine_wordsize]. + lia. + lia. + lia. (* proving statements generated by apply lemmas *) intros. @@ -606,16 +691,15 @@ Module solinas_reduction. simpl in H. rewrite H1 in H. lia. - admit. (* base <> 0 *) + eauto. eauto. left; lia. eauto. intros. eapply Rows.length_from_associational; eauto. - Admitted. - + Qed. - Theorem reduce_second' base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, + Theorem reduce_second' : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> forall q_lo q_hi1 q_hi2, @@ -624,11 +708,15 @@ Module solinas_reduction. canonical_repr (S n) q -> ((q_hi2 = 1 /\ q_hi1 = 0) \/ (q_hi2 = 0)). - Proof using wprops. + Proof using base base_nz c c_pos coef_small machine_wordsize n n_gt_1 s s_nz s_pos solinas_property weight wprops. intros. pose proof - (value_reduce_second base s c n s_nz p lo hi H H0 H2). + (value_reduce_second p lo hi H H0 H2). + assert (coef_small2: weight n / s * Associational.eval c <= 2^machine_wordsize). + { eapply OrdersEx.Z_as_OT.le_trans. + eauto. + unfold machine_wordsize; simpl; lia. } assert (0 <= q_hi2 < 2). { split. 
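Review bot: Several steps that close `value_reduce_second` in this hunk, `2: unfold machine_wordsize; simpl; lia.` and `cbv [machine_wordsize]. lia.`, only succeed because `machine_wordsize` unfolds to a literal, so the `Qed` depends on the concrete wordsize and not on the `coef_small` hypothesis alone, which is not visible from the lemma statement. If the section is meant to stay generic, route these through a stated fact such as `assert (2 ^ (machine_wordsize / 2) <= 2 ^ machine_wordsize) by (apply Z.pow_le_mono_r; lia)`; if it is deliberately specialised, a `(* proof relies on machine_wordsize = 64 *)` comment at the top of the proof would save the next reader from discovering it when the constant changes. The lemma statement and the start of the proof are outside this hunk.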
@@ -660,11 +748,32 @@ Module solinas_reduction. apply Le.Z.le_sub_1_iff. etransitivity. apply Z.mod_le. - admit. (* value of reduction is positive *) + autorewrite with push_eval zsimplify_const. + rewrite solinas_property. + cbn [fst snd]. + + apply OrdersEx.Z_as_OT.add_nonneg_nonneg. + apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. + apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. + apply Z.div_nonneg. + apply OrdersEx.Z_as_OT.lt_le_incl. + apply wprops. + lia. + lia. + eapply canonical_bounded. + apply H5. + rewrite H. + apply in_or_app; right; simpl; eauto. + apply canonical_pos. + eapply canonical_app_l. + eauto. + length_q p. + 3: eauto. + eauto. + length_q p. apply wprops. rewrite OrdersEx.Z_as_OT.le_add_le_sub_r. - etransitivity. - admit. (* relationship between coef and weight *) + assert (weight (S (Datatypes.length q_lo)) <= weight (S (Datatypes.length q_lo)) * 2 - 1 - eval weight n lo). { rewrite <-OrdersEx.Z_as_OT.le_add_le_sub_l. rewrite <-OrdersEx.Z_as_OT.le_add_le_sub_l. 
@@ -681,14 +790,39 @@ Module solinas_reduction. reflexivity. simpl. lia. } - eassumption. - - apply f_equal with (f:=fun l => length l) in H1. - rewrite !app_length in H1. - rewrite H0 in H1. - rewrite H1. - simpl. - lia. } + etransitivity. + 2: eassumption. + autorewrite with push_eval zsimplify_const. + rewrite solinas_property. + cbn [fst snd]. + etransitivity. + apply Zmult_le_compat_r with (p:=hi) in coef_small2. + apply coef_small2. + eapply canonical_bounded; eauto. + rewrite H. + apply in_or_app; right; simpl; eauto. + weight_comp. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_l. + lia. + eauto. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_l. + lia. + etransitivity. + assert (39 <= 2^machine_wordsize). + unfold machine_wordsize. + lia. + eauto. + apply OrdersEx.Z_as_OT.pow_le_mono_r. + lia. + rewrite <-OrdersEx.Z_as_OT.le_mul_diag_r. + replace (length q_lo) with (n-1)%nat. + lia. + length_q q. + lia. + lia. + lia. + length_q q. } } assert (q_hi2 = 1 \/ q_hi2 = 0) by lia. intuition. @@ -707,10 +841,12 @@ Module solinas_reduction. fun pf => nth_default_partition weight 0 n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) (length q_lo) pf. assert (Partition.partition weight n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) = q_lo ++ [q_hi1]). { assert (canonical_repr n (q_lo ++ [q_hi1])). - { eapply canonical_app_l; eauto. + { eapply canonical_app_l. + apply H2. length_q q. - 2: rewrite <-app_assoc; eauto. + 3: rewrite <-app_assoc; eauto. simpl. + eauto. lia. } unfold canonical_repr in H4; intuition. rewrite H10. 
@@ -731,42 +867,92 @@ Module solinas_reduction. rewrite H. apply Z.div_small. + assert (0 <= (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo)))). + { rewrite H5. + etransitivity. + assert (canonical_repr (length q_lo) q_lo). + { eapply canonical_app_l. + apply H2. + length_q q. + eauto. + 2: eauto. + length_q q. } + apply canonical_pos in H9. + apply H9. + replace (eval weight (Datatypes.length q_lo) q_lo) with + (eval weight (Datatypes.length q_lo) q_lo + 0) at 1. + apply Zplus_le_compat_l. + apply OrdersEx.Z_as_DT.mul_nonneg_nonneg. + apply OrdersEx.Z_as_OT.lt_le_incl. + apply wprops. + pose proof (canonical_bounded _ _ H2). + apply H9. + rewrite H1. + apply in_or_app. + right. + apply in_or_app. + simpl. + intuition. + lia. } split. apply Z_mod_nonneg_nonneg. - rewrite H5. + eauto. + apply OrdersEx.Z_as_OT.lt_le_incl. + apply wprops. + + rewrite <- Le.Z.le_sub_1_iff. etransitivity. - assert (canonical_repr (length q_lo) q_lo). + apply OrdersEx.Z_as_OT.mod_le. + eauto. + apply wprops. + rewrite Le.Z.le_sub_1_iff. + rewrite OrdersEx.Z_as_OT.lt_sub_lt_add_r. + etransitivity. + assert (canonical_repr n lo). { eapply canonical_app_l. - eauto. - length_q q. + apply H6. + length_q (lo ++ [hi]). eauto. 2: eauto. - length_q q. } - apply canonical_pos in H9. - apply H9. - replace (eval weight (Datatypes.length q_lo) q_lo) with - (eval weight (Datatypes.length q_lo) q_lo + 0) at 1. - apply Zplus_le_compat_l. - apply OrdersEx.Z_as_DT.mul_nonneg_nonneg. - apply OrdersEx.Z_as_OT.lt_le_incl. - apply wprops. - pose proof (canonical_bounded _ _ H2). - apply H9. - rewrite H1. - apply in_or_app. - right. - apply in_or_app. + length_q (lo ++ [hi]). } + pose proof (canonical_eval_bounded _ _ H10). + apply Zplus_lt_compat_l with (p:=coef*hi). + eauto. + replace (S (length q_lo)) with n by (length_q q). + apply Zplus_lt_compat_r. + rewrite Heqcoef. + autorewrite with push_eval. + rewrite solinas_property. + cbn [fst snd]. + ring_simplify. 
+ rewrite <- Le.Z.le_sub_1_iff. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r with (p:=hi) in coef_small. + apply coef_small. + eapply canonical_bounded. + apply H6. + apply in_or_app; right; simpl; eauto. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_l with (p:=2^(machine_wordsize/2)) in H7. + eauto. + lia. + rewrite Le.Z.le_sub_1_iff. + replace (length q_lo) with (n-1)%nat by (length_q q). + weight_comp. + unfold machine_wordsize. + rewrite <- Le.Z.le_sub_1_iff. + eapply OrdersEx.Z_as_OT.le_trans with (m:=2 ^ (64 * Z.of_nat (2 - 1))-1). simpl. - intuition. lia. - apply OrdersEx.Z_as_OT.lt_le_incl. - apply wprops. - admit. (* coef and weight *) + apply OrdersEx.Z_as_OT.sub_le_mono_r. + apply OrdersEx.Z_as_OT.pow_le_mono_r. + lia. + lia. length_q q. reflexivity. length_q q. length_q q. - Admitted. + Qed. Theorem reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, p = lo ++ [hi] -> @@ -830,7 +1016,6 @@ Module solinas_reduction. autorewrite with push_eval; cbn [fst snd]; autorewrite with zsimplify_const. unfold eval, to_associational. - Search (?x mod _ = ?x). apply Zmod_small. split. admit. From 0b629b44c53701b1d11558c76bc5298891f3ff74 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Tue, 7 Jun 2022 15:44:31 -0400 Subject: [PATCH 14/69] starting to clean proofs --- src/SolinasReduction.v | 384 +++++++++++++++++++---------------------- 1 file changed, 175 insertions(+), 209 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 91924fdbd6..35d339ad1b 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
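Review bot: `eapply OrdersEx.Z_as_OT.le_trans with (m:=2 ^ (64 * Z.of_nat (2 - 1))-1)` near the end of this hunk hard-codes both the wordsize and the lower bound on `n`, so the `Qed` of `reduce_second'` silently depends on `machine_wordsize = 64` and on `n_gt_1` being exactly `n > 1` even though neither appears in the statement. Writing the witness in terms of the section variables, `with (m:=2 ^ (machine_wordsize * Z.of_nat (2 - 1)) - 1)` without the preceding `unfold machine_wordsize`, keeps the proof attached to the hypotheses it claims to use; if `simpl; lia` then fails on the base case, that is the dependency a comment should record. The lemma header is outside this hunk.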
@@ -115,6 +115,31 @@ Module solinas_reduction. { break_match; cbn in *; auto with zarith. } Qed. + Lemma adjust_s_finished' fuel s w (s_nz:s<>0) : + Rows.adjust_s weight fuel s = (w, true) -> + Rows.adjust_s weight (S fuel) s = (w, true). + Proof. + cbv [Rows.adjust_s]. + rewrite !fold_right_map. + replace (rev (seq 0 (S fuel))) with (fuel :: rev (seq 0 fuel)). + generalize (rev (seq 0 fuel)). + cbn in *. + intros. + induction l; + break_match; auto; discriminate. + rewrite seq_snoc. + rewrite rev_app_distr. + reflexivity. + Qed. + + Lemma adjust_s_finished fuel fuel' s w (s_nz:s<>0) : + (fuel' > fuel)%nat -> + Saturated.Rows.adjust_s weight fuel s = (w, true) -> + Saturated.Rows.adjust_s weight fuel' s = (w, true). + Proof. + induction 1; intros; apply adjust_s_finished'; auto. + Qed. + Lemma eval_sat_reduce base s c n p : base <> 0 -> s - Associational.eval c <> 0 @@ -138,7 +163,7 @@ Module solinas_reduction. Definition reduce1 base s c n m (p : list Z) := let p_a := Positional.to_associational weight n p in let r_a := sat_reduce base s c n p_a in - let r_rows := Saturated.Rows.from_associational weight n r_a in + let r_rows := Saturated.Rows.from_associational weight m r_a in let r_flat := Saturated.Rows.flatten weight m r_rows in fst r_flat. @@ -422,24 +447,6 @@ Module solinas_reduction. reflexivity. } Qed. - Lemma reduce_canonical_repr base s c n m : forall (p : list Z), - canonical_repr m (reduce1 base s c n m p). - Proof using wprops. - intros. - unfold reduce1 in *. - unfold canonical_repr. - rewrite Saturated.Rows.flatten_correct; auto. - { intuition. - { cbn [fst]. - auto with push_length. } - { simpl. - rewrite Partition.eval_partition; auto. - f_equal. - admit. } - } - { admit. } - Admitted. - Lemma split_lt w l1 l2: (forall x, In x l1 -> 0 < x < w) -> length l1 = length l2 -> 
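Review bot: The one-line change to `reduce1` (`Rows.from_associational weight m r_a` in place of `weight n`) changes the function that the pipeline reifies and that every lemma in the file is about, yet the commit is titled "starting to clean proofs" and the definition carries no comment explaining the two arities. It matters because `reduce_third` later calls `reduce1 base s c (S n) n q` with `m <> n`, which is exactly where the old and new definitions diverge; a header such as `(* n: limb count of the input p; m: limb count of the output, also the column count into which the reduced terms are laid back *)` and a mention in the commit message would make the change reviewable. In `adjust_s_finished'` the `s_nz` parameter is not visibly used by `induction l; break_match; auto; discriminate`; if it is really unneeded, dropping it avoids a side goal at every `apply adjust_s_finished' in ...` below.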
@@ -526,9 +533,143 @@ Module solinas_reduction. (s_pos : s > 0) (c_pos : Associational.eval c > 0) (base_nz : base <> 0) - (solinas_property : Rows.adjust_s weight (S (S (S n))) s = (weight n, true)) + (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) (coef_small : weight n / s * Associational.eval c <= 2^(machine_wordsize/2)). + Lemma split_p_hi : forall hi, + split (weight n) [(weight n, hi)] = ([], [(1, hi)]). + Proof. + intros. + unfold split. + simpl. + assert (weight n mod weight n = 0) by (apply Z_mod_same_full). + rewrite H. + simpl. + assert (weight n / weight n = 1) by + auto using Z_div_same, Z.lt_gt, weight_positive. + rewrite H0. + reflexivity. + Qed. + + Lemma split_p : forall p lo hi, + p = lo ++ [hi] -> + canonical_repr (S n) p -> + (split (weight n) [(weight n, hi)] = ([], [(1, hi)])) /\ + (split (weight n) (combine (map weight (seq 0 n)) lo) = + ((combine (map weight (seq 0 n)) lo), [])). + Proof. + intros. + intuition. + { intros. + unfold split. + simpl. + assert (weight n mod weight n = 0) by (apply Z_mod_same_full). + rewrite H1. + simpl. + assert (weight n / weight n = 1) by + auto using Z_div_same, Z.lt_gt, weight_positive. + rewrite H2. + reflexivity. } + { apply split_lt. + intros. + rewrite in_map_iff in H1. + destruct H1. + intuition. + rewrite <-H2. + auto. + rewrite <-H2. + rewrite in_seq in H3. + intuition. + simpl in H4. + apply weight_mono. + lia. + rewrite map_length. + rewrite seq_length. + length_q p. } + Qed. + + Lemma reduce_second_canonical : forall (p : list Z) lo hi, + p = lo ++ [hi] -> + canonical_repr (S n) p -> + canonical_repr (S n) (reduce1 base s c (S n) (S n) p). + Proof. + intros. + unfold reduce1 in *. + unfold canonical_repr. + intuition. + { rewrite Rows.flatten_correct. + cbn [fst]. + auto with push_length. + eauto. + intros. + eapply Rows.length_from_associational. + eauto. } + { pose proof (split_p _ _ _ H H0). + intuition. + + rewrite Rows.flatten_correct. + cbn [fst]. 
+ rewrite Partition.eval_partition. + f_equal. + apply Z.mod_small_sym. + + rewrite Rows.eval_from_associational. + rewrite H. + rewrite value_sat_reduce. + apply adjust_s_finished' in solinas_property. + rewrite solinas_property. + autorewrite with push_eval zsimplify_const. + cbn [fst snd]. + unfold to_associational. + rewrite seq_snoc. + rewrite map_app. + rewrite Nat.add_0_l; cbn [map]. + rewrite combine_snoc. + rewrite fst_split_app, snd_split_app. + autorewrite with push_eval. + rewrite H2, H3. + cbn [fst snd]. + autorewrite with push_eval zsimplify_const. + cbn [snd]. + + split. + apply OrdersEx.Z_as_OT.add_nonneg_nonneg. + apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. + apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. + apply Z.div_nonneg. + auto with zarith. + lia. + lia. + eapply canonical_bounded; eauto. + rewrite H; apply in_or_app; right; simpl; eauto. + rewrite H in H0. + assert (canonical_repr n lo). + { eapply canonical_app_l. + apply H0. + length_q (lo++[hi]). + 3: eauto. + eauto. + length_q (lo++[hi]). } + pose proof (canonical_pos _ _ H1). + unfold eval, to_associational in H4. + auto. + + assert (weight n / s * Associational.eval c * hi <= 2 ^ (machine_wordsize / 2) * 39). + { apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. + apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. + apply Z.div_nonneg. + auto with zarith. + lia. + lia. + auto. + eapply canonical_bounded; eauto. + rewrite H; apply in_or_app; right; simpl; eauto. + + + admit. (* value of sat reduce is positive *) + + Admitted. + Lemma value_reduce_second (* base s c n (s_nz:s<>0) *) : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> 
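Review bot: `reduce_second_canonical` ends in `Admitted`, and the comment on the admitted goal, `(* value of sat reduce is positive *)`, appears not to match it: the non-negativity half of the `Z.mod_small_sym` range is already closed by the `split` above, and what remains after the `assert (... <= 2 ^ (machine_wordsize / 2) * 39)` looks like the strict upper bound, i.e. that `weight n / s * eval c * hi + eval weight n lo < weight (S n)`. That bound is the no-overflow condition of the reduction, so it deserves to be a named lemma rather than an admit with a misleading note. Separately, the first conjunct of `split_p` re-proves `split_p_hi` line for line; `split; [ apply split_p_hi | apply split_lt; ... ]` would remove the duplication. The Context now states `solinas_property` at fuel `S (S n)` while `value_reduce_second` still defines `s'` at `S (S (S n))`, which is why `adjust_s_finished'` has to be applied inside the proof.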
@@ -541,7 +682,8 @@ Module solinas_reduction. intros. intuition. assert (Hcanon : canonical_repr (S n) p) by assumption. - apply OrdersEx.Z_as_OT.le_trans with (p:=2^machine_wordsize) in coef_small. + apply OrdersEx.Z_as_OT.le_trans with (p:=2^machine_wordsize) in coef_small; [ | simpl; lia]. + apply adjust_s_finished' in solinas_property. 2: unfold machine_wordsize; simpl; lia. cbv [reduce1 canonical_repr] in H1, H2, q; intuition. cbv [q coef s']. @@ -699,7 +841,7 @@ Module solinas_reduction. eapply Rows.length_from_associational; eauto. Qed. - Theorem reduce_second' : forall (p : list Z) lo hi, + Lemma reduce_second : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> forall q_lo q_hi1 q_hi2, @@ -718,6 +860,8 @@ Module solinas_reduction. eauto. unfold machine_wordsize; simpl; lia. } + apply adjust_s_finished' in solinas_property; auto. + assert (0 <= q_hi2 < 2). { split. { pose proof (canonical_bounded _ _ H2). 
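Review bot: In `value_reduce_second`, `apply adjust_s_finished' in solinas_property.` is now followed by `2: unfold machine_wordsize; simpl; lia.`, which was the side-goal discharge for the `le_trans` step that this hunk moved into `[ | simpl; lia ]`. After the move it appears to close the `s <> 0` obligation that `adjust_s_finished'` generates only because `lia` happens to find `s_nz` in context, so the script no longer says what it proves. `apply adjust_s_finished' in solinas_property; [ | exact s_nz ].` states the intent and will break meaningfully if the lemma's side conditions change. The rest of the proof is outside this hunk.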
@@ -954,192 +1098,17 @@ Module solinas_reduction. length_q q. Qed. - Theorem reduce_second base s c n (s_nz:s<>0) : forall (p : list Z) lo hi, + Lemma reduce_third : forall (p : list Z) lo hi, p = lo ++ [hi] -> (canonical_repr (S n) p /\ hi <= 39) -> - forall q_lo q_hi1 q_hi2, - let q := reduce1 base s c (S n) (S n) p in - q = q_lo ++ [q_hi1] ++ [q_hi2] -> - canonical_repr (S n) q -> - ((q_hi2 = 1 /\ q_hi1 = 0) \/ - (q_hi2 = 0)). - Proof using wprops. + let q := reduce1 base s c (S n) (S n) p in + let r := reduce1 base s c (S n) n q in + canonical_repr n r. + Proof. intros. - - intuition. - - assert (Hevalq : eval weight (S n) q = 38 * hi + eval weight n lo). - { cbv [reduce1 canonical_repr] in *. - intuition. - cbv [q]. - rewrite !H. - rewrite Rows.flatten_mod. - rewrite Rows.eval_from_associational. - rewrite value_sat_reduce. - - lazymatch goal with - | |- context[Saturated.Rows.adjust_s ?weight ?fuel ?s] => - destruct (adjust_s_invariant fuel s ltac:(assumption)) as [Hmod ?] - end. - - assert (Rows.adjust_s weight (S (S (S n))) s = (weight 4, true)) by admit. - rewrite H7 in *. - - Search Rows.adjust_s. - cbn [fst] in *. - cbv [to_associational]. - rewrite seq_snoc. - rewrite map_app. - replace (map weight [(0 + n)%nat]) with [weight n] by auto. - rewrite combine_snoc. - - rewrite fst_split_app. - rewrite snd_split_app. - autorewrite with push_eval. - - assert (n = 4%nat) by admit. - rewrite H8. - assert (split (weight 4) [(weight 4, hi)] = ([], [(1, hi)])) by eauto. - rewrite H9; cbn [fst snd]. - autorewrite with push_eval; cbn [fst snd]; autorewrite with zsimplify_const. - assert (split (weight 4) (combine (map weight (seq 0 4)) lo) = - ((combine (map weight (seq 0 4)) lo), [])). - { admit. } - rewrite H10; cbn [fst snd]. - autorewrite with push_eval; cbn [fst snd]; autorewrite with zsimplify_const. - assert (s = 2^255) by admit. - assert (c = [(1, 19)]) by admit. - assert (base = 2^256) by admit. - rewrite H11, H12, H13. 
- replace (weight 4 / 2 ^ 255) with 2 by eauto. - replace (Associational.eval (Associational.sat_mul_const (2 ^ 256) [(1, 2)] [(1, 19)])) with (38) by reflexivity. - - autorewrite with push_eval; cbn [fst snd]; autorewrite with zsimplify_const. - unfold eval, to_associational. - apply Zmod_small. - split. - admit. - Locate "<=". - Search Positional.eval . - pose proof BYInv.eval_bound. - assert (0 < 64) by lia. - apply H14 with (n:=4%nat) (f:=lo) in H15. - unfold eval, to_associational in H15. - assert (2 ^ (64 * Z.of_nat 4) <= weight 5 - 38 * 39). - { - vm_compute. - intuition. - discriminate x. } - unfold weight in *. - - all: admit. - - (* rewrite H in H2. *) - (* rewrite app_length in H2. *) - (* simpl in H2. *) - (* rewrite plus_comm in H2. *) - (* rewrite map_length. *) - (* rewrite seq_length. *) - (* lia. *) - - (* admit. (* base <> 0 *) *) - (* eauto. *) - (* lia. *) - (* eauto. *) - (* intros. *) - (* eapply Rows.length_from_associational; eauto. *) - } - - assert (q_hi2 < 2). - { pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (1 + length q_lo) pf. - unfold canonical_repr in H2. - destruct H2. - rewrite <-H5 in H0. - rewrite H1 in H0 at 1. - Search nth_default app. - rewrite nth_default_app in H0. - destruct (lt_dec) in H0. - lia. - replace (1 + Datatypes.length q_lo - Datatypes.length q_lo)%nat with 1%nat in H0 by lia. - unfold nth_default in H0. - simpl in H0. - rewrite Hevalq in H0. - rewrite H0. - Search (_ / _ < _). - apply Z.div_lt_upper_bound. - eauto. - - Search Z.lt Z.le 1 iff. - apply Le.Z.le_sub_1_iff. - - etransitivity. - apply Z.mod_le. - admit. - eauto. - - - - admit. - admit. } - - assert (q_hi2 >= 0) by admit. - assert (q_hi2 = 1 \/ q_hi2 = 0) by lia. - intuition. - left. - intuition. - pose proof f_equal (eval weight (S n)) H1. - rewrite app_assoc in H6. - Search eval app. - erewrite eval_snoc in H6. - 2: eauto. - erewrite eval_snoc in H6. - 2: eauto. - Search (_ = _ + _ -> _ - _ = _). 
- rewrite Hevalq in H6. - subst. - autorewrite with zsimplify_const in H6. - apply LinearSubstitute.Z.move_L_pX with (y:=weight (Datatypes.length (q_lo ++ [q_hi1]))) in H6. - Search nth_default Partition.partition. - pose proof fun pf => nth_default_partition weight 0 (n) (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) (length q_lo) pf. - assert (Partition.partition weight n (38 * hi + eval weight n lo - weight (Datatypes.length (q_lo ++ [q_hi1]))) = q_lo ++ [q_hi1]) by admit. - rewrite H7 in H. - rewrite nth_default_app in H. - destruct lt_dec in H. - lia. - replace (Datatypes.length q_lo - Datatypes.length q_lo)%nat with 0%nat in H by lia. - replace (nth_default 0 [q_hi1] 0) with (q_hi1) in H. - 2: { unfold nth_default. - reflexivity. } - rewrite H. - Search (_ / _ = 0). - apply Z.div_small. - split. - admit. - apply Le.Z.le_sub_1_iff. - etransitivity. - apply Z.mod_le. - admit. - apply wprops. - { admit. } - unfold canonical_repr in H2. - intuition. - apply f_equal with (f:=fun l => length l) in H1. - rewrite !app_length in H1. - cbn [Datatypes.length] in H1. - assert (Datatypes.length q_lo = (n - 1)%nat) by lia. - lia. - rewrite app_length. - cbn [Datatypes.length]. - lia. - - unfold canonical_repr in H2. - intuition. - apply f_equal with (f:=fun l => length l) in H1. - rewrite !app_length in *. - cbn [Datatypes.length] in *. - apply f_equal. - rewrite H8 in H1. - lia. + pose proof + (reduce_second _ _ _ H H0). + pose proof value_reduce_second. Admitted. End __. @@ -1160,7 +1129,7 @@ Module solinas_reduction. Import Stringification.C.Compilers. Import Stringification.C.Compilers.ToString. - +p Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. Local Instance : only_signed_opt := false. Local Instance : no_select_opt := false. 
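Review bot: `reduce_third` is added as an `Admitted` stub whose body only does two `pose proof`s, so the file now carries a second axiom about the reduction alongside `reduce_second_canonical`, and the stub's statement still has the bare `hi <= 39` precondition with no indication of where that number comes from. A comment above it, `(* TODO: open. canonical_repr n r should follow from reduce_second (shape of q) and value_reduce_second (value of q) plus the bound on the top limb *)`, plus a `Print Assumptions` on the final theorem at the end of the file, would keep the remaining holes visible to anyone who later feeds this code to the pipeline. The deletion of the old `reduce_second` is the right call since it was fully specialised to `n = 4`, `s = 2^255`, `c = [(1, 19)]`.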
@@ -1181,9 +1150,6 @@ Module solinas_reduction. Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - - Compute reduce - Time Compute Show.show (Pipeline.BoundsPipelineToString From b0d10d12e136310a69a756afedc9630cc4526615 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Thu, 9 Jun 2022 14:05:02 -0400 Subject: [PATCH 15/69] typo --- src/SolinasReduction.v | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 35d339ad1b..e5c12b39e2 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -1129,7 +1129,7 @@ Module solinas_reduction. Import Stringification.C.Compilers. Import Stringification.C.Compilers.ToString. -p + Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. Local Instance : only_signed_opt := false. Local Instance : no_select_opt := false. 
@@ -1150,24 +1150,24 @@ p Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (reduce w base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound (2*n)), tt) - (Some (repeat bound (n))) - (None, tt) - (None) - : Pipeline.ErrorT _). + (* Time Compute *) + (* Show.show *) + (* (Pipeline.BoundsPipelineToString *) + (* "fiat" "mul" *) + (* false *) + (* false *) + (* None *) + (* possible_values *) + (* machine_wordsize *) + (* ltac:(let n := (eval cbv in n) in *) + (* let r := Reify (reduce w base s c n) in *) + (* exact r) *) + (* (fun _ _ => []) *) + (* (Some (repeat bound (2*n)), tt) *) + (* (Some (repeat bound (n))) *) + (* (None, tt) *) + (* (None) *) + (* : Pipeline.ErrorT _). *) End compile. From 961d682b782f222fd79bbd7d1c873c689c20a693 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Tue, 14 Jun 2022 03:28:44 -0400 Subject: [PATCH 16/69] cleanup value_reduce_second --- src/SolinasReduction.v | 353 +++++++++++++++++++++++------------------ 1 file changed, 196 insertions(+), 157 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index e5c12b39e2..7196842c26 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
@@ -336,6 +336,73 @@ Module solinas_reduction. cbn [length] in H; cbn [length]; lia end. + Ltac solve_ineq := + repeat match goal with + | _ => apply OrdersEx.Z_as_OT.add_nonneg_nonneg + | _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg + | _ => apply OrdersEx.Z_as_DT.div_pos + + | [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono + | [ |- _ + _ <= _ ] => apply OrdersEx.Z_as_OT.add_le_mono + + | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; + apply wprops + | _ => lia + end. + + Ltac solve_in := + match goal with + | [ |- In ?hi ?p ] => + match goal with + | [ H : p = _ ++ [hi] |- _ ] => + rewrite H; apply in_or_app; simpl; auto + end + end. + + Ltac solve_hi := + match goal with + | [ |- 0 <= ?hi ] => + match goal with + | [ H : ?p = _ ++ [hi] |- _ ] => + match goal with + | [ H' : canonical_repr _ p |- _ ] => + rewrite canonical_iff in H'; + destruct H' as [ _ Htmp ]; + apply Htmp; + solve_in + end + end + end. + + Ltac adjust_ineq_lt H := + match type of H with + | context[ ?x < ?y ] => + match goal with + | [ |- context[ x * ?z ] ] => + apply Zmult_lt_compat_r with (p:=z) in H; eauto + end + end. + Ltac adjust_ineq_le H := + match type of H with + | context[ ?x <= ?y ] => + match goal with + | [ |- context[ x * ?z ] ] => + apply Zmult_le_compat_r with (p:=z) in H; eauto + end + end. + Ltac adjust_ineq H := adjust_ineq_lt H || adjust_ineq_le H. + + Ltac canonical_app p := + match goal with + | [ H : p = ?lo ++ [?hi] |- _ ] => + match goal with + | [ H' : canonical_repr _ p |- _ ] => + eapply canonical_app_l with (l1:=lo) (n1:=length lo) (l2:=[hi])(n2:=1%nat) in H' as Hcanon_l; + eapply canonical_app_r with (l1:=lo) (n1:=length lo) (l2:=[hi])(n2:=1%nat) in H' as Hcanon_r; + try (length_q p) + end + end. + Definition eval_weight_P p := eval (fun i : nat => weight (S i)) (Datatypes.length p) p = (eval weight (Datatypes.length p) p) * weight 1. 
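Review bot: The new tactics in this hunk (`solve_ineq`, `solve_in`, `solve_hi`, `adjust_ineq`, `canonical_app`) have no comments, unlike `length_q` just above them, and two of them have behaviour a caller needs to know: `solve_ineq` is a `repeat match` whose last branch is `| _ => lia`, so it can close arithmetic goals unrelated to the inequality being decomposed, and `adjust_ineq_lt`/`adjust_ineq_le` pick the first `x * ?z` found in the goal, which may not be the intended factor when several products are present. A one-line header per tactic, e.g. `(* solve_ineq: split sums/products of nonneg terms and finish with lia; may close unrelated goals *)`, would make the later one-word proof steps readable. `canonical_app` binds the fixed names `Hcanon_l` and `Hcanon_r`, so a second use within one proof will clash with the first.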
@@ -528,28 +595,13 @@ Module solinas_reduction. (c : list (Z * Z)) (n : nat). - Context (s_nz : s <> 0) - (n_gt_1 : n > 1) + Context (n_gt_1 : n > 1) (s_pos : s > 0) (c_pos : Associational.eval c > 0) (base_nz : base <> 0) (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) - (coef_small : weight n / s * Associational.eval c <= 2^(machine_wordsize/2)). - - Lemma split_p_hi : forall hi, - split (weight n) [(weight n, hi)] = ([], [(1, hi)]). - Proof. - intros. - unfold split. - simpl. - assert (weight n mod weight n = 0) by (apply Z_mod_same_full). - rewrite H. - simpl. - assert (weight n / weight n = 1) by - auto using Z_div_same, Z.lt_gt, weight_positive. - rewrite H0. - reflexivity. - Qed. + (up_bound := 2 ^ (machine_wordsize / 4)) + (coef_small : weight n / s * Associational.eval c < up_bound). Lemma split_p : forall p lo hi, p = lo ++ [hi] -> @@ -588,8 +640,34 @@ Module solinas_reduction. length_q p. } Qed. + Lemma reduce_in_range : forall m, + up_bound * up_bound + weight m < weight (S m). + Proof. + intros. + rewrite OrdersEx.Z_as_DT.lt_add_lt_sub_r. + induction m. + vm_compute; auto. + etransitivity. + apply IHm. + unfold weight. + rewrite uweight_S. + rewrite uweight_S. + rewrite <-uweight_S at 1. + rewrite <-OrdersEx.Z_as_OT.mul_sub_distr_l. + rewrite Z.mul_comm. + rewrite <-OrdersEx.Z_as_OT.lt_mul_diag_r. + simpl; lia. + rewrite OrdersEx.Z_as_OT.lt_0_sub. + fold weight. + apply weight_mono'. + lia. + lia. + lia. + Qed. + Lemma reduce_second_canonical : forall (p : list Z) lo hi, p = lo ++ [hi] -> + hi < up_bound -> canonical_repr (S n) p -> canonical_repr (S n) (reduce1 base s c (S n) (S n) p). Proof. @@ -604,7 +682,7 @@ Module solinas_reduction. intros. eapply Rows.length_from_associational. eauto. } - { pose proof (split_p _ _ _ H H0). + { pose proof (split_p _ _ _ H H1). intuition. rewrite Rows.flatten_correct. 
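Review bot: The Context now replaces the `<= 2^(machine_wordsize/2)` bound with `coef_small : weight n / s * Associational.eval c < up_bound` for `up_bound := 2 ^ (machine_wordsize / 4)`, and `reduce_second_canonical` gains the premise `hi < up_bound`; together with `reduce_in_range` (`up_bound * up_bound + weight m < weight (S m)`) these are the no-overflow argument for the reduction, and they are declared without a word of explanation. Suggest `(* up_bound = 2^(w/4): both the reduction coefficient (coef_small) and the top input limb (hi < up_bound) must stay below it, so coef * hi < up_bound^2 and, by reduce_in_range, the reduced value still fits in S n limbs *)` above the Context. `s_nz` was dropped from the Context while `adjust_s_finished'` still takes `s <> 0`, so callers now derive it from `s_pos`; that is fine but should be stated. The base case of `reduce_in_range` is closed by `vm_compute; auto`, which again only works for the concrete wordsize.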
@@ -627,7 +705,7 @@ Module solinas_reduction. rewrite combine_snoc. rewrite fst_split_app, snd_split_app. autorewrite with push_eval. - rewrite H2, H3. + rewrite H3, H4. cbn [fst snd]. autorewrite with push_eval zsimplify_const. cbn [snd]. @@ -642,20 +720,20 @@ Module solinas_reduction. lia. eapply canonical_bounded; eauto. rewrite H; apply in_or_app; right; simpl; eauto. - rewrite H in H0. + rewrite H in H1. assert (canonical_repr n lo). { eapply canonical_app_l. - apply H0. + apply H1. length_q (lo++[hi]). 3: eauto. eauto. length_q (lo++[hi]). } - pose proof (canonical_pos _ _ H1). - unfold eval, to_associational in H4. + pose proof (canonical_pos _ _ H2). + unfold eval, to_associational in H5. auto. - assert (weight n / s * Associational.eval c * hi <= 2 ^ (machine_wordsize / 2) * 39). - { apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. + assert (weight n / s * Associational.eval c * hi < up_bound * up_bound). + { apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. apply Z.div_nonneg. auto with zarith. 
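Review bot: Every changed line in these two hunks is a renumbering of auto-generated hypothesis names (`H0` to `H1`, `H2` to `H3`, `H4` to `H5`) forced by the extra `hi < up_bound ->` premise, churn that makes the script unreadable and will recur with the next premise. `intros p lo hi Hp Hhi Hcanon.` at the top of `reduce_second_canonical` and `as Hlo` on the `canonical_app_l` step would make these lines stable. The `length_q (lo++[hi])` / `3: eauto` / `eauto` sequence depends on the goal order produced by `canonical_app_l`; the `canonical_app` tactic introduced in this same patch packages that and could probably be used here. The lemma header is outside the hunk.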
@@ -664,37 +742,51 @@ Module solinas_reduction. auto. eapply canonical_bounded; eauto. rewrite H; apply in_or_app; right; simpl; eauto. + auto. } + assert (canonical_repr n lo). + { eapply canonical_app_l. + apply H1. + length_q p. + 3: eauto. + eauto. + length_q p. } + pose proof (canonical_eval_bounded _ _ H5). - admit. (* value of sat reduce is positive *) + etransitivity. + apply OrdersEx.Z_as_OT.add_lt_mono. + eauto. + eauto. + apply reduce_in_range. - Admitted. + (* generated lemmas *) + rewrite map_length. + rewrite seq_length. + length_q p. + lia. + lia. + auto. + auto. + auto. + auto. + intros. + eapply Rows.length_from_associational; eauto. } + Qed. - Lemma value_reduce_second (* base s c n (s_nz:s<>0) *) : forall (p : list Z) lo hi, + Lemma value_reduce_second : forall (p : list Z) lo hi, p = lo ++ [hi] -> - (canonical_repr (S n) p /\ hi <= 39) -> + canonical_repr (S n) p -> + hi < up_bound -> let q := reduce1 base s c (S n) (S n) p in let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in let coef := Associational.sat_mul_const base [(1, s'/s)] c in - canonical_repr (S n) q -> eval weight (S n) q = Associational.eval coef * hi + eval weight n lo. Proof. intros. - intuition. - assert (Hcanon : canonical_repr (S n) p) by assumption. - apply OrdersEx.Z_as_OT.le_trans with (p:=2^machine_wordsize) in coef_small; [ | simpl; lia]. - apply adjust_s_finished' in solinas_property. - 2: unfold machine_wordsize; simpl; lia. - cbv [reduce1 canonical_repr] in H1, H2, q; intuition. - cbv [q coef s']. - rewrite !H. - rewrite Rows.flatten_mod. - rewrite Rows.eval_from_associational. - rewrite value_sat_reduce. - lazymatch goal with - | |- context[Saturated.Rows.adjust_s ?weight ?fuel ?s] => - destruct (adjust_s_invariant fuel s ltac:(assumption)) as [Hmod ?] - end. + unfold reduce1 in *. + unfold q, coef, s'. + rewrite H. + rewrite Rows.flatten_mod, Rows.eval_from_associational, value_sat_reduce. unfold to_associational. rewrite seq_snoc. 
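Review bot: The restated `value_reduce_second` drops the `canonical_repr (S n) q ->` premise and changes `hi <= 39` to `hi < up_bound`, but its `s'` is still `fst (Saturated.Rows.adjust_s weight (S (S (S n))) s)` while the Context's `solinas_property` is at fuel `S (S n)`, so the statement and the hypothesis it is meant to match disagree by one unit of fuel and the proof must bridge them. Stating `s'` with `(S (S n))`, or stating the conclusion directly as `weight n / s * Associational.eval c * hi + eval weight n lo` as `reduce_second_canonical` effectively does, removes that step. The tail of `reduce_second_canonical` discharges the `flatten_correct`/`length_from_associational` side conditions with a bare run of `lia. lia. auto. auto. auto. auto.` under `(* generated lemmas *)`, which is order-dependent; one bullet per side goal, or `all: first [ lia | auto ]`, would be less brittle. The new proof of `value_reduce_second` continues past the end of this hunk.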
@@ -703,140 +795,87 @@ Module solinas_reduction. rewrite combine_snoc. rewrite fst_split_app, snd_split_app. autorewrite with push_eval. - pose proof solinas_property. - rewrite H6 in *; cbn [fst] in *. - assert (split (weight n) [(weight n, hi)] = ([], [(1, hi)])). - { unfold split. - simpl. - assert (weight n mod weight n = 0) by (apply Z_mod_same_full). - rewrite H7. - simpl. - assert (weight n / weight n = 1) by - eauto using Z_div_same, Z.lt_gt, weight_positive. - rewrite H8. - reflexivity. } - rewrite H7; cbn [fst snd]. - autorewrite with push_eval zsimplify_const; cbn [fst snd]. - assert (split (weight n) (combine (map weight (seq 0 n)) lo) = - ((combine (map weight (seq 0 n)) lo), [])). - { apply split_lt. - intros. - rewrite in_map_iff in H8. - destruct H8. - intuition. - rewrite <-H9. - apply wprops. - rewrite <-H9. - rewrite in_seq in H10. - intuition. - simpl in H11. - apply weight_mono. - lia. - rewrite map_length. - rewrite seq_length. - length_q p. } - rewrite H8; cbn [fst snd]. - autorewrite with push_eval zsimplify_const; cbn [fst snd]. + + pose proof solinas_property as Hsol. + apply adjust_s_finished' in Hsol. + rewrite Hsol. + cbn [fst snd]; autorewrite with zsimplify_const. + pose proof (split_p _ _ _ H H0) as Hsplit. + destruct Hsplit as [ Hhi Hlo ]. + rewrite Hhi, Hlo. + cbn [fst snd]; autorewrite with push_eval zsimplify_const; cbn [snd]. + unfold eval, to_associational. apply Z.mod_small. - pose proof BYInv.eval_bound. - assert (0 < machine_wordsize) by lia. - apply H9 with (n:=n) (f:=lo) in H10. - unfold eval, to_associational in H10. - unfold weight. + assert (Hmach : 0 < machine_wordsize) by lia. + apply BYInv.eval_bound with (n:=n) (f:=lo) in Hmach. + unfold eval, to_associational in Hmach. intuition. + solve_ineq. + solve_hi. + auto. + + rewrite <-Le.Z.le_sub_1_iff. etransitivity. - assert (0 <= uweight machine_wordsize n / s * Associational.eval c * hi). - { apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. 
- apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. - apply OrdersEx.Z_as_DT.div_pos. - replace (uweight machine_wordsize n) with (weight n) by reflexivity. - apply OrdersEx.Z_as_OT.lt_le_incl. - apply wprops. - lia. - lia. - rewrite canonical_iff in Hcanon. - intuition. - apply H13. - rewrite H. - apply in_or_app. - right. - simpl. - eauto. } - eassumption. - replace (uweight machine_wordsize n / s * Associational.eval c * hi) with (uweight machine_wordsize n / s * Associational.eval c * hi + 0) at 1 by lia. - rewrite <-OrdersEx.Z_as_OT.add_le_mono_l. - pose proof (canonical_pos _ _ Hcanon). - unfold eval, to_associational in H10. - assumption. - apply Zplus_lt_compat_l with - (p:=uweight machine_wordsize n / s * Associational.eval c * hi) in H12. - etransitivity. + solve_ineq. + apply OrdersEx.Z_as_OT.lt_le_incl in coef_small as coef_small'. + adjust_ineq coef_small'. + solve_hi. + rewrite Le.Z.le_sub_1_iff. eauto. + rewrite OrdersEx.Z_as_OT.add_sub_assoc. + rewrite <-OrdersEx.Z_as_OT.sub_le_mono_r. - rewrite <-Le.Z.le_sub_1_iff. etransitivity. - unfold weight in coef_small. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r with (p:=hi) in coef_small. - rewrite OrdersEx.Z_as_OT.add_le_mono_r with (p:=2 ^ (machine_wordsize * Z.of_nat n)) in coef_small. - apply coef_small. - apply canonical_bounded with (x:=hi) in Hcanon. - apply Hcanon. - rewrite H. - apply in_or_app. - right. - simpl. + solve_ineq. + apply OrdersEx.Z_as_OT.lt_le_incl in H1 as H1'. + apply Zmult_le_compat_l. eauto. + lia. + reflexivity. etransitivity. - assert (2^machine_wordsize <= 2^(machine_wordsize * n)). + unfold up_bound. + + match goal with + | [ |- context[ ?x + ?y ] ] => + assert (x <= y) + end. + ring_simplify. + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. apply OrdersEx.Z_as_OT.pow_le_mono_r. lia. + unfold machine_wordsize. + simpl. + break_match; lia. + (* proving 0 <= 64 / 4... is there an easier way? *) + unfold machine_wordsize. + replace (64 / 4) with 16 by eauto. lia. 
- apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r with (p:=hi) in H10. - rewrite OrdersEx.Z_as_OT.add_le_mono_r with (p:=2 ^ (machine_wordsize * Z.of_nat n)) in H10. - apply H10. - apply canonical_bounded with (x:=hi) in Hcanon. - apply Hcanon. - rewrite H. - apply in_or_app; right; simpl; eauto. - - etransitivity. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_l with (p:=(2 ^ (machine_wordsize * Z.of_nat n))) in H3. - rewrite OrdersEx.Z_as_OT.add_le_mono_r with (p:=2 ^ (machine_wordsize * Z.of_nat n)) in H3. - apply H3. + (* *) lia. + solve_ineq. + eauto. + reflexivity. weight_comp. - rewrite Z.mul_comm. - rewrite Le.Z.le_sub_1_iff. - cbv [machine_wordsize]. - lia. + simpl. + break_match; lia. lia. lia. - (* proving statements generated by apply lemmas *) - intros. - apply canonical_bounded with (p:=p) (n:=S n). - unfold canonical_repr; intuition. - rewrite H. - apply in_or_app; intuition. - apply f_equal with (f:=fun l => length l) in H. - rewrite app_length in H. - simpl in H. - rewrite H1 in H. + canonical_app p. + eapply canonical_bounded. + apply Hcanon_l. + length_q p. lia. rewrite map_length. rewrite seq_length. - apply f_equal with (f:=fun l => length l) in H. - rewrite app_length in H. - simpl in H. - rewrite H1 in H. + length_q p. lia. - eauto. - eauto. - left; lia. - eauto. + auto. + auto. + auto. intros. eapply Rows.length_from_associational; eauto. Qed. From 8a99161fd92cc7c77ce9f3f07f222d984b071cbe Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Wed, 15 Jun 2022 16:57:04 -0400 Subject: [PATCH 17/69] change hi upper bound to machine_wordsize / 4 --- src/SolinasReduction.v | 482 ++++++++++++++++++----------------------- 1 file changed, 216 insertions(+), 266 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 7196842c26..6e7191d82d 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
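Review bot: `unfold machine_wordsize. replace (64 / 4) with 16 by eauto. lia.` under the `(* proving 0 <= 64 / 4... is there an easier way? *)` comment hard-codes 64 into a proof whose goal is stated in terms of `machine_wordsize / 4`, so the step breaks as soon as `machine_wordsize` changes, and `eauto` is an odd closer for a closed computation where `reflexivity` is the natural choice. If the goal is `0 <= machine_wordsize / 4` as the comment says, `apply Z.div_pos; [ unfold machine_wordsize; lia | lia ].` proves it without naming 64 and answers the question in the comment. The stray empty `(* *)` before the later `lia.` should be removed or say what that `lia` closes. The proof of `value_reduce_second` begins in the previous hunk.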
@@ -317,7 +317,7 @@ Module solinas_reduction. Qed. (* helps with proving lemmas about the length of the reduction *) - Ltac length_q q := + Ltac solve_length q := try match goal with | [ H : canonical_repr _ q |- _ ] => unfold canonical_repr in H; intuition 
@@ -337,40 +337,49 @@ Module solinas_reduction. end. Ltac solve_ineq := - repeat match goal with - | _ => apply OrdersEx.Z_as_OT.add_nonneg_nonneg - | _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg - | _ => apply OrdersEx.Z_as_DT.div_pos + repeat + match goal with + | [ |- 0 <= _ + _ ] => apply OrdersEx.Z_as_OT.add_nonneg_nonneg + | _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg + | _ => apply OrdersEx.Z_as_DT.div_pos + + | _ => apply OrdersEx.Z_as_OT.add_lt_mono_r - | [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono - | [ |- _ + _ <= _ ] => apply OrdersEx.Z_as_OT.add_le_mono + | [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono + | [ |- _ + _ <= _ ] => apply OrdersEx.Z_as_OT.add_le_mono - | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; - apply wprops - | _ => lia - end. + | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; + apply wprops + | _ => lia + end. Ltac solve_in := + repeat + match goal with + | [ |- In ?hi ?p ] => + match goal with + | [ H : p = _ ++ _ |- _ ] => + rewrite H; apply in_or_app; simpl; auto + | [ H : p = _ ++ _ ++ _ |- _ ] => + rewrite app_assoc in H + end + end. + + Ltac apply_iff p := match goal with - | [ |- In ?hi ?p ] => - match goal with - | [ H : p = _ ++ [hi] |- _ ] => - rewrite H; apply in_or_app; simpl; auto - end + | [ H : canonical_repr _ p |- _ ] => + rewrite canonical_iff in H; + destruct H as [ _ Htmp ]; + apply Htmp; + solve_in end. - Ltac solve_hi := match goal with | [ |- 0 <= ?hi ] => match goal with - | [ H : ?p = _ ++ [hi] |- _ ] => - match goal with - | [ H' : canonical_repr _ p |- _ ] => - rewrite canonical_iff in H'; - destruct H' as [ _ Htmp ]; - apply Htmp; - solve_in - end + | [ H : ?p = _ ++ [hi] |- _ ] => apply_iff p + | [ H : ?p = _ ++ [hi] ++ _ |- _ ] => apply_iff p + | [ H : ?p = _ ++ _ ++ [hi] |- _ ] => apply_iff p end end. 
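Review bot: In the new `solve_in`, the `[ H : p = _ ++ _ ++ _ |- _ ] => rewrite app_assoc in H` branch looks unreachable: `++` is right-associative, so every hypothesis matching it also matches the preceding `p = _ ++ _` pattern, and that branch's tactic `rewrite H; apply in_or_app; simpl; auto` never fails (`auto` leaves the goal rather than failing), so `match goal` never falls through to the second branch. The `_ ++ _ ++ [hi]` case that `solve_hi` now routes through `apply_iff p` therefore seems to stop at an unsolved disjunction instead of taking the re-association path. Making the first branch fail unless it closes the goal, `| [ H : p = _ ++ _ |- _ ] => solve [ rewrite H; apply in_or_app; simpl; auto ]`, lets `repeat` reach `rewrite app_assoc in H` and retry with the re-associated hypothesis. Also, `| _ => apply OrdersEx.Z_as_OT.add_lt_mono_r` in `solve_ineq` is an unguarded catch-all placed before the guarded `_ + _ < _` patterns; a guard such as `| [ |- _ + ?x < _ + ?x ] => ...` would keep it from pre-empting them.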
@@ -393,15 +402,20 @@ Module solinas_reduction. Ltac adjust_ineq H := adjust_ineq_lt H || adjust_ineq_le H. Ltac canonical_app p := + let H' := fresh "TEMP" in + pose proof (eq_refl p) as H'; match goal with - | [ H : p = ?lo ++ [?hi] |- _ ] => + | [ H : p = ?lo ++ ?hi |- _ ] => + let H1 := fresh "Hcanon_l" in + let H2 := fresh "Hcanon_r" in match goal with | [ H' : canonical_repr _ p |- _ ] => - eapply canonical_app_l with (l1:=lo) (n1:=length lo) (l2:=[hi])(n2:=1%nat) in H' as Hcanon_l; - eapply canonical_app_r with (l1:=lo) (n1:=length lo) (l2:=[hi])(n2:=1%nat) in H' as Hcanon_r; - try (length_q p) + eapply canonical_app_l with (l1:=lo) (n1:=length lo) (l2:=hi) (n2:=length hi) in H' as H1; + eapply canonical_app_r with (l1:=lo) (n1:=length lo) (l2:=hi) (n2:=length hi) in H' as H2; + try (solve_length p) end - end. + end; + clear H'. Definition eval_weight_P p := eval (fun i : nat => weight (S i)) (Datatypes.length p) p = @@ -637,7 +651,7 @@ Module solinas_reduction. lia. rewrite map_length. rewrite seq_length. - length_q p. } + solve_length p. } Qed. Lemma reduce_in_range : forall m, @@ -724,10 +738,10 @@ Module solinas_reduction. assert (canonical_repr n lo). { eapply canonical_app_l. apply H1. - length_q (lo++[hi]). + solve_length (lo++[hi]). 3: eauto. eauto. - length_q (lo++[hi]). } + solve_length (lo++[hi]). } pose proof (canonical_pos _ _ H2). unfold eval, to_associational in H5. auto. @@ -747,10 +761,10 @@ Module solinas_reduction. assert (canonical_repr n lo). { eapply canonical_app_l. apply H1. - length_q p. + solve_length p. 3: eauto. eauto. - length_q p. } + solve_length p. } pose proof (canonical_eval_bounded _ _ H5). etransitivity. @@ -762,7 +776,7 @@ Module solinas_reduction. (* generated lemmas *) rewrite map_length. rewrite seq_length. - length_q p. + solve_length p. lia. lia. auto. 
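Review bot: The rewritten `canonical_app` has no comment explaining its two non-obvious moves: `pose proof (eq_refl p) as H'` with `fresh "TEMP"` presumably exists so the `p = ?lo ++ ?hi` pattern also fires when `p` is itself syntactically an append (as in `canonical_app (q_lo ++ [q_hi1])` later on this page), and the produced hypotheses are named via `fresh "Hcanon_l"`/`fresh "Hcanon_r"`, which callers reference by those exact names even though `fresh` appends a suffix when the name is already in scope (a second call in the same proof yields `Hcanon_l0`). A header comment along the lines of `(* Given p = lo ++ hi (or p literally of that form) and canonical_repr _ p, adds Hcanon_l/Hcanon_r, the canonical_repr facts for lo and hi, and tries solve_length on the side goals; names are fresh, so a second call produces Hcanon_l0/Hcanon_r0 *)` would save the next reader from re-deriving this. The inner pattern variable `H'` in `[ H' : canonical_repr _ p |- _ ]` shadows the outer Ltac binding of the same name; renaming the inner one (e.g. `Hc`) removes the doubt about which hypothesis the trailing `clear H'` removes.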
@@ -867,11 +881,11 @@ Module solinas_reduction. canonical_app p. eapply canonical_bounded. apply Hcanon_l. - length_q p. + solve_length p. lia. rewrite map_length. rewrite seq_length. - length_q p. + solve_length p. lia. auto. auto. 
@@ -882,259 +896,195 @@ Module solinas_reduction. Lemma reduce_second : forall (p : list Z) lo hi, p = lo ++ [hi] -> - (canonical_repr (S n) p /\ hi <= 39) -> + canonical_repr (S n) p -> + hi < up_bound -> forall q_lo q_hi1 q_hi2, let q := reduce1 base s c (S n) (S n) p in q = q_lo ++ [q_hi1] ++ [q_hi2] -> - canonical_repr (S n) q -> ((q_hi2 = 1 /\ q_hi1 = 0) \/ (q_hi2 = 0)). - Proof using base base_nz c c_pos coef_small machine_wordsize n n_gt_1 s s_nz s_pos solinas_property weight wprops. + Proof. intros. + pose proof (value_reduce_second _ _ _ H H0 H1). + pose proof (reduce_second_canonical _ _ _ H H1 H0) as Hqcanon. + fold q in Hqcanon. - pose proof - (value_reduce_second p lo hi H H0 H2). - assert (coef_small2: weight n / s * Associational.eval c <= 2^machine_wordsize). - { eapply OrdersEx.Z_as_OT.le_trans. + assert (0 <= q_hi2 < 2). + { intuition. + eapply canonical_bounded. + apply Hqcanon. + solve_in. + + pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (1 + length q_lo) pf as Hnth. + assert (Hqcanon' := Hqcanon). + unfold canonical_repr in Hqcanon'. + destruct Hqcanon' as [ _ Hqpart ]. + rewrite <-Hqpart in Hnth. + rewrite H2 in Hnth at 1. + rewrite nth_default_app in Hnth. + destruct lt_dec in Hnth. + lia. + rewrite Nat.add_sub in Hnth. + unfold nth_default in Hnth. + simpl in Hnth. + rewrite Hnth. + unfold q. + apply Z.div_lt_upper_bound. + auto. + + rewrite H3. + autorewrite with push_eval. + apply adjust_s_finished' in solinas_property. + rewrite solinas_property. + cbn [fst snd]. + autorewrite with zsimplify_const. + apply Le.Z.le_sub_1_iff. + etransitivity. + apply Z.mod_le. + solve_ineq. + solve_hi. + apply canonical_pos. + canonical_app p. + replace n with (length lo). + auto. + solve_length p. + auto. + apply Le.Z.le_sub_1_iff. + + etransitivity. + solve_ineq. + apply Z.mul_lt_mono_nonneg. + solve_ineq. + eauto. + solve_hi. eauto. - unfold machine_wordsize; simpl; lia. } + (* apply canonical_eval_bounded. 
*) + (* canonical_app p. *) + (* replace n with (length lo). *) + (* auto. *) + (* solve_length p. *) - apply adjust_s_finished' in solinas_property; auto. + rewrite <-Zplus_diag_eq_mult_2. + replace (S (length q_lo)) with n by (solve_length q). + solve_ineq. - assert (0 <= q_hi2 < 2). - { split. - { pose proof (canonical_bounded _ _ H2). - assert (In q_hi2 q). - { rewrite H1. - simpl. - apply in_or_app. - right. - simpl. - intuition. } - apply H4 in H5. - lia. } - { pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (1 + length q_lo) pf. - unfold canonical_repr in H2. - intuition. - rewrite <-H7 in H4. - rewrite H1 in H4 at 1. - rewrite nth_default_app in H4. - destruct (lt_dec) in H4; try lia. - replace (1 + Datatypes.length q_lo - Datatypes.length q_lo)%nat with 1%nat in H4 by lia. - unfold nth_default in H4. - simpl in H4. - cbv [q] in H4. - rewrite H3 in H4. - rewrite H4. - apply Z.div_lt_upper_bound. - eauto. - apply Le.Z.le_sub_1_iff. - etransitivity. - apply Z.mod_le. - autorewrite with push_eval zsimplify_const. - rewrite solinas_property. - cbn [fst snd]. - - apply OrdersEx.Z_as_OT.add_nonneg_nonneg. - apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. - apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. - apply Z.div_nonneg. - apply OrdersEx.Z_as_OT.lt_le_incl. - apply wprops. - lia. - lia. - eapply canonical_bounded. - apply H5. - rewrite H. - apply in_or_app; right; simpl; eauto. - apply canonical_pos. - eapply canonical_app_l. - eauto. - length_q p. - 3: eauto. - eauto. - length_q p. - apply wprops. - rewrite OrdersEx.Z_as_OT.le_add_le_sub_r. - - assert (weight (S (Datatypes.length q_lo)) <= weight (S (Datatypes.length q_lo)) * 2 - 1 - eval weight n lo). - { rewrite <-OrdersEx.Z_as_OT.le_add_le_sub_l. - rewrite <-OrdersEx.Z_as_OT.le_add_le_sub_l. - rewrite Z.add_assoc. - rewrite OrdersEx.Z_as_OT.le_add_le_sub_r. - ring_simplify. - eapply canonical_app_l with (l1:=lo) (n1:=n) in H5. - apply canonical_eval_bounded in H5. 
- rewrite Le.Z.le_add_1_iff. - replace (S (length q_lo)) with n by (length_q q). - assumption. - length_q p. - 3: eauto. - reflexivity. - simpl. - lia. } - etransitivity. - 2: eassumption. - autorewrite with push_eval zsimplify_const. - rewrite solinas_property. - cbn [fst snd]. - etransitivity. - apply Zmult_le_compat_r with (p:=hi) in coef_small2. - apply coef_small2. - eapply canonical_bounded; eauto. - rewrite H. - apply in_or_app; right; simpl; eauto. - weight_comp. - etransitivity. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_l. - lia. - eauto. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_l. - lia. - etransitivity. - assert (39 <= 2^machine_wordsize). - unfold machine_wordsize. - lia. - eauto. - apply OrdersEx.Z_as_OT.pow_le_mono_r. - lia. - rewrite <-OrdersEx.Z_as_OT.le_mul_diag_r. - replace (length q_lo) with (n-1)%nat. - lia. - length_q q. - lia. - lia. - lia. - length_q q. } - } - assert (q_hi2 = 1 \/ q_hi2 = 0) by lia. + unfold up_bound. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. + apply OrdersEx.Z_as_OT.pow_lt_mono_r. + lia. + unfold machine_wordsize. + simpl. + break_match; lia. + unfold machine_wordsize. + simpl. + break_match; lia. + (* proving 0 <= 64 / 4... is there an easier way? *) + unfold machine_wordsize. + replace (64 / 4) with 16 by eauto. + lia. + lia. + apply canonical_eval_bounded. + canonical_app p. + replace n with (length lo). + auto. + solve_length p. + lia. + solve_length q. } + + assert (q_hi2 = 0 \/ q_hi2 = 1) by lia. intuition. left. intuition. - pose proof f_equal (eval weight (S n)) H1. - erewrite app_assoc, !eval_snoc in H5; eauto. - cbv [q] in H5. - rewrite H3 in H5. - subst. - autorewrite with zsimplify_const in H5. - apply LinearSubstitute.Z.move_L_pX in H5. - - remember (Associational.eval (Associational.sat_mul_const base [(1, fst (Rows.adjust_s weight (S (S (S n))) s) / s)] c)) as coef. + pose proof f_equal (eval weight (S n)) H2 as Hqeval. + erewrite app_assoc, !eval_snoc in Hqeval; eauto; try (solve_length q). 
+ unfold q in Hqeval. + rewrite H3 in Hqeval. + subst q_hi2. + autorewrite with push_eval zsimplify_const in Hqeval. + apply adjust_s_finished' in solinas_property. + rewrite solinas_property in Hqeval. + cbn [fst snd] in Hqeval. + apply LinearSubstitute.Z.move_L_pX in Hqeval. + + remember (weight n / s * Associational.eval c) as coef. pose proof - fun pf => nth_default_partition weight 0 n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) (length q_lo) pf. - assert (Partition.partition weight n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) = q_lo ++ [q_hi1]). - { assert (canonical_repr n (q_lo ++ [q_hi1])). - { eapply canonical_app_l. - apply H2. - length_q q. - 3: rewrite <-app_assoc; eauto. - simpl. - eauto. - lia. } - unfold canonical_repr in H4; intuition. - rewrite H10. - f_equal. - rewrite H5. - assert (n = S (length q_lo)) by length_q q. - rewrite H4. - rewrite eval_snoc_S. - reflexivity. - reflexivity. } - - rewrite H4 in H. - rewrite nth_default_app in H. - destruct lt_dec in H. - lia. - replace (Datatypes.length q_lo - Datatypes.length q_lo)%nat with 0%nat in H by lia. - replace (nth_default 0 [q_hi1] 0) with (q_hi1) in H. - - rewrite H. + fun pf => nth_default_partition weight 0 n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) (length q_lo) pf as Heval. + + rewrite app_assoc in H2. + canonical_app q. + rewrite app_length in Hcanon_l. + cbn [length] in Hcanon_l. + unfold canonical_repr in Hcanon_l. + destruct Hcanon_l as [ _ Hcanon_l ]. + + assert (Partition.partition weight n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) = q_lo ++ [q_hi1]) as Hqpart. + rewrite Hcanon_l. + f_equal. + solve_length q. + erewrite eval_snoc; try (solve_length q). + apply Hqeval. + + rewrite Hqpart in Heval. + rewrite nth_default_app in Heval. + destruct lt_dec in Heval; try lia. + rewrite OrdersEx.Nat_as_OT.sub_diag in Heval. + cbn in Heval. + rewrite Heval; try (solve_length q). 
apply Z.div_small. - assert (0 <= (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo)))). - { rewrite H5. - etransitivity. - assert (canonical_repr (length q_lo) q_lo). - { eapply canonical_app_l. - apply H2. - length_q q. - eauto. - 2: eauto. - length_q q. } - apply canonical_pos in H9. - apply H9. - replace (eval weight (Datatypes.length q_lo) q_lo) with - (eval weight (Datatypes.length q_lo) q_lo + 0) at 1. - apply Zplus_le_compat_l. - apply OrdersEx.Z_as_DT.mul_nonneg_nonneg. - apply OrdersEx.Z_as_OT.lt_le_incl. - apply wprops. - pose proof (canonical_bounded _ _ H2). - apply H9. - rewrite H1. - apply in_or_app. - right. - apply in_or_app. - simpl. - intuition. - lia. } - split. - apply Z_mod_nonneg_nonneg. - eauto. - apply OrdersEx.Z_as_OT.lt_le_incl. - apply wprops. - rewrite <- Le.Z.le_sub_1_iff. - etransitivity. - apply OrdersEx.Z_as_OT.mod_le. - eauto. - apply wprops. - rewrite Le.Z.le_sub_1_iff. + match goal with + | |- 0 <= ?x mod _ < _ => assert (0 <= x) as Hpos + end. + rewrite Hqeval. + solve_ineq. + apply canonical_pos. + canonical_app q. + canonical_app (q_lo ++ [q_hi1]). + rewrite <-app_assoc in H2. + solve_hi. + match goal with + | |- 0 <= ?x mod _ < ?y => assert (x < y) as Hbound + end. + rewrite OrdersEx.Z_as_OT.lt_sub_lt_add_r. + replace (S (length q_lo)) with n by (solve_length q). + solve_ineq. etransitivity. - assert (canonical_repr n lo). - { eapply canonical_app_l. - apply H6. - length_q (lo ++ [hi]). - eauto. - 2: eauto. - length_q (lo ++ [hi]). } - pose proof (canonical_eval_bounded _ _ H10). - apply Zplus_lt_compat_l with (p:=coef*hi). - eauto. - replace (S (length q_lo)) with n by (length_q q). - apply Zplus_lt_compat_r. rewrite Heqcoef. - autorewrite with push_eval. - rewrite solinas_property. - cbn [fst snd]. - ring_simplify. - rewrite <- Le.Z.le_sub_1_iff. - etransitivity. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r with (p:=hi) in coef_small. - apply coef_small. - eapply canonical_bounded. - apply H6. 
- apply in_or_app; right; simpl; eauto. - etransitivity. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_l with (p:=2^(machine_wordsize/2)) in H7. + apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. + solve_ineq. + rewrite Heqcoef in coef_small. eauto. - lia. - rewrite Le.Z.le_sub_1_iff. - replace (length q_lo) with (n-1)%nat by (length_q q). + solve_hi. + eauto. + unfold up_bound. weight_comp. - unfold machine_wordsize. - rewrite <- Le.Z.le_sub_1_iff. - eapply OrdersEx.Z_as_OT.le_trans with (m:=2 ^ (64 * Z.of_nat (2 - 1))-1). + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. + apply OrdersEx.Z_as_OT.pow_lt_mono_r. + lia. + lia. + replace (length q_lo) with (n-1)%nat by (solve_length q). simpl. + break_match; lia. + unfold machine_wordsize. + replace (64 / 4) with 16 by reflexivity. lia. - apply OrdersEx.Z_as_OT.sub_le_mono_r. - apply OrdersEx.Z_as_OT.pow_le_mono_r. lia. + apply canonical_eval_bounded. + canonical_app p. + replace n with (length lo) by (solve_length p). + auto. + + split; + rewrite Z.mod_small; + auto; + split; + auto; + etransitivity; + eauto; + apply weight_mono'. lia. - length_q q. - reflexivity. - length_q q. - length_q q. Qed. Lemma reduce_third : forall (p : list Z) lo hi, From 71c706eac337172a1673b8e912163b75fc9013c3 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Fri, 17 Jun 2022 12:12:02 -0400 Subject: [PATCH 18/69] proved correctness of third reduction --- src/SolinasReduction.v | 440 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 418 insertions(+), 22 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 6e7191d82d..61bb70e552 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
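Review bot: The new proof of `reduce_second` carries a block of commented-out tactics, `(* apply canonical_eval_bounded. *)` through `(* solve_length p. *)`, while the same five tactics appear live near the end of the `assert (0 <= q_hi2 < 2)` proof, so it is unclear which position is intended; dead tactic text in a checked-in proof should be removed or replaced by a comment naming the goal it was meant to close. Separately, the two helper lemmas are invoked with their premises in different orders, `value_reduce_second _ _ _ H H0 H1` versus `reduce_second_canonical _ _ _ H H1 H0`, which suggests `reduce_second_canonical` takes `hi < up_bound` before `canonical_repr (S n) p`; aligning the premise order across `value_reduce_second`, `reduce_second_canonical` and `reduce_second` would let them be applied uniformly. The two occurrences of the `(* proving 0 <= 64 / 4... *)` step close with `by eauto` and `by reflexivity` respectively; `reflexivity` is the right closer for a closed computation, and both still hard-code 64 where the goal is about `machine_wordsize`. Replacing `Proof using ...` with `Proof.` drops the explicit list of section hypotheses the lemma depends on; if that is deliberate for consistency with the neighbouring lemmas a short note in the commit message would help.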
@@ -343,8 +343,7 @@ Module solinas_reduction. | _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg | _ => apply OrdersEx.Z_as_DT.div_pos - | _ => apply OrdersEx.Z_as_OT.add_lt_mono_r - + | |- _ + ?x < _ + ?x => apply OrdersEx.Z_as_OT.add_lt_mono_r | [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono | [ |- _ + _ <= _ ] => apply OrdersEx.Z_as_OT.add_le_mono @@ -399,7 +398,7 @@ Module solinas_reduction. apply Zmult_le_compat_r with (p:=z) in H; eauto end end. - Ltac adjust_ineq H := adjust_ineq_lt H || adjust_ineq_le H. + Ltac adjust_ineq H := adjust_ineq_le H || adjust_ineq_lt H. Ltac canonical_app p := let H' := fresh "TEMP" in @@ -417,6 +416,13 @@ Module solinas_reduction. end; clear H'. + Ltac subst_canon q := + match goal with + | [ H : canonical_repr ?n1 ?p |- canonical_repr ?n2 ?p ] => + replace n2 with n1 by (solve_length q); + auto + end. + Definition eval_weight_P p := eval (fun i : nat => weight (S i)) (Datatypes.length p) p = (eval weight (Datatypes.length p) p) * weight 1. @@ -612,6 +618,7 @@ Module solinas_reduction. Context (n_gt_1 : n > 1) (s_pos : s > 0) (c_pos : Associational.eval c > 0) + (mod_nz : s - Associational.eval c <> 0) (base_nz : base <> 0) (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) (up_bound := 2 ^ (machine_wordsize / 4)) @@ -654,13 +661,14 @@ Module solinas_reduction. solve_length p. } Qed. - Lemma reduce_in_range : forall m, - up_bound * up_bound + weight m < weight (S m). + Lemma reduce_in_range : forall m x, + x < weight 1 - weight 0 -> + x + weight m < weight (S m). Proof. intros. rewrite OrdersEx.Z_as_DT.lt_add_lt_sub_r. induction m. - vm_compute; auto. + auto. etransitivity. apply IHm. unfold weight. @@ -772,6 +780,7 @@ Module solinas_reduction. eauto. eauto. apply reduce_in_range. + vm_compute; auto. (* generated lemmas *) rewrite map_length. 
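Review bot: `Ltac adjust_ineq H := adjust_ineq_le H || adjust_ineq_lt H` swaps the order of the two alternatives without saying why; `||` commits to the first alternative that succeeds, so on a hypothesis both variants accept the swap changes which lemma is applied and therefore the residual goals, and a reader cannot tell whether this is a bug fix or incidental. A one-line comment giving the reason, e.g. `(* le first: <why the <= form must win when both apply> *)` with the placeholder filled in, would settle it. The new `subst_canon` in the following hunk is likewise undocumented; `(* closes canonical_repr n2 p from a hypothesis canonical_repr n1 p by proving n1 = n2 with solve_length q *)` states what the visible match does. The generalised `reduce_in_range` now needs callers to discharge `x < weight 1 - weight 0` (the added `vm_compute; auto.` in the `-772` hunk); that premise deserves a comment saying it is the single-limb headroom the reduction relies on.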
@@ -958,11 +967,11 @@ Module solinas_reduction. eauto. solve_hi. eauto. - (* apply canonical_eval_bounded. *) - (* canonical_app p. *) - (* replace n with (length lo). *) - (* auto. *) - (* solve_length p. *) + apply canonical_eval_bounded. + canonical_app p. + replace n with (length lo). + auto. + solve_length p. rewrite <-Zplus_diag_eq_mult_2. replace (S (length q_lo)) with n by (solve_length q). @@ -984,11 +993,6 @@ Module solinas_reduction. replace (64 / 4) with 16 by eauto. lia. lia. - apply canonical_eval_bounded. - canonical_app p. - replace n with (length lo). - auto. - solve_length p. lia. solve_length q. } 
@@ -1087,18 +1091,410 @@ Module solinas_reduction. lia. Qed. - Lemma reduce_third : forall (p : list Z) lo hi, + Lemma reduce_second_correct : forall p lo hi, p = lo ++ [hi] -> - (canonical_repr (S n) p /\ hi <= 39) -> + canonical_repr (S n) p -> + hi < up_bound -> + let q := reduce1 base s c (S n) (S n) p in + (Positional.eval weight (S n) p) mod (s - Associational.eval c) + = (Positional.eval weight (S n) q) mod (s - Associational.eval c). + Proof. + intros. + pose proof (value_reduce_second _ _ _ H H0 H1) as Hval. + unfold q in *. + rewrite Hval. + rewrite H. + rewrite eval_snoc_S. + autorewrite with push_eval zsimplify_const. + cbn [fst snd]. + apply adjust_s_finished' in solinas_property. + rewrite solinas_property. + cbn [fst]. + rewrite Z.mul_comm with (m:=Associational.eval c) (n:=(weight n / s)). + rewrite (Z.add_comm _ (eval weight n lo)). + rewrite <-Z.mul_assoc. + rewrite <-reduction_rule. + apply Z.elim_mod. + rewrite Z.add_cancel_l. + + rewrite Z.mul_assoc. + rewrite <-Z_div_exact_2. + lia. + lia. + pose proof (adjust_s_invariant (S (S (S n))) s) as Hinv. + rewrite solinas_property in Hinv. + cbn [fst] in Hinv. + apply Hinv. + lia. + lia. + lia. + solve_length p. + Qed. + + Lemma reduce_third_canonical : forall (p : list Z) lo hi, + p = lo ++ [hi] -> + (canonical_repr (S n) p) -> + hi < up_bound -> let q := reduce1 base s c (S n) (S n) p in let r := reduce1 base s c (S n) n q in canonical_repr n r. Proof. intros. - pose proof - (reduce_second _ _ _ H H0). - pose proof value_reduce_second. - Admitted. + pose proof (reduce_second_canonical _ _ _ H H1 H0) as Hcanon. + fold q in Hcanon. + assert (Hcanon' := Hcanon). + unfold canonical_repr in Hcanon'. + destruct Hcanon' as [ Hlen _ ]. + assert (exists q_lo q_hi1 q_hi2, q = q_lo ++ [q_hi1] ++ [q_hi2]) as Hq. + { pose proof (break_list_last q) as Hd1. + destruct Hd1 as [ Hd1 | Hd1 ]. + rewrite Hd1 in Hlen. + cbn in Hlen. + lia. + destruct Hd1 as [ q' Hd1 ]. + destruct Hd1 as [ q_hi2 Hd1]. 
+ + pose proof (break_list_last q') as Hd2. + destruct Hd2 as [ Hd2 | Hd2 ]. + subst q'. + rewrite Hd1 in Hlen. + cbn in Hlen. + lia. + destruct Hd2 as [ q_lo Hd2 ]. + destruct Hd2 as [ q_hi1 Hd2 ]. + rewrite Hd2 in Hd1. + rewrite <-app_assoc in Hd1. + eauto. } + destruct Hq as [ q_lo Hq ]. + destruct Hq as [ q_hi1 Hq ]. + destruct Hq as [ q_hi2 Hq ]. + + pose proof (reduce_second _ _ _ H H0 H1 _ _ _ Hq). + rewrite app_assoc in Hq. + intuition. + (* q_hi1 = 0, q_hi2 = 1 *) + subst q_hi1 q_hi2. + unfold canonical_repr. + split. + unfold r, reduce1. + rewrite Rows.flatten_correct. + cbn [fst]. + auto with push_length. + auto. + intros. + eapply Rows.length_from_associational; eassumption. + + unfold r, reduce1. + rewrite Rows.flatten_correct. + cbn [fst]. + rewrite Partition.eval_partition. + f_equal. + apply Z.mod_small_sym. + + rewrite Rows.eval_from_associational. + rewrite value_sat_reduce. + apply adjust_s_finished' in solinas_property. + rewrite solinas_property. + autorewrite with push_eval zsimplify_const. + cbn [fst snd]. + unfold to_associational. + rewrite seq_snoc. + rewrite map_app. + rewrite Nat.add_0_l; cbn [map]. + rewrite Hq. + rewrite combine_snoc. + rewrite fst_split_app, snd_split_app. + autorewrite with push_eval. + destruct (split_p _ _ _ Hq Hcanon) as [Hsplit1 Hsplit2]. + rewrite Hsplit1, Hsplit2. + cbn [fst snd]. + autorewrite with push_eval zsimplify_const. + destruct n eqn:En; try lia. + rewrite seq_snoc. + rewrite map_app. + cbn. + rewrite combine_snoc. + rewrite eval_app. + autorewrite with push_eval zsimplify_const. + split. + + solve_ineq. + apply canonical_pos. + canonical_app q. + canonical_app (q_lo ++ [0]). + replace n0 with (length q_lo) by (solve_length q). + auto. + etransitivity. + solve_ineq. + eauto. + apply canonical_eval_bounded. + canonical_app q. + canonical_app (q_lo ++ [0]). + replace n0 with (length q_lo) by (solve_length q). + auto. + apply reduce_in_range. + vm_compute; auto. + rewrite map_length, seq_length. 
+ solve_length q. + rewrite map_length, seq_length. + solve_length q. + lia. + lia. + auto. + lia. + auto. + auto. + eapply Rows.length_from_associational; eassumption. + + (* q_hi2 = 0 *) + subst q_hi2. + split. + unfold r, reduce1. + rewrite Rows.flatten_correct. + cbn [fst]. + auto with push_length. + auto. + intros. + eapply Rows.length_from_associational; eassumption. + + unfold r, reduce1. + rewrite Rows.flatten_correct. + cbn [fst]. + rewrite Partition.eval_partition. + f_equal. + apply Z.mod_small_sym. + + rewrite Rows.eval_from_associational. + rewrite value_sat_reduce. + apply adjust_s_finished' in solinas_property. + rewrite solinas_property. + autorewrite with push_eval zsimplify_const. + cbn [fst snd]. + unfold to_associational. + rewrite seq_snoc. + rewrite map_app. + rewrite Nat.add_0_l; cbn [map]. + rewrite Hq. + rewrite combine_snoc. + rewrite fst_split_app, snd_split_app. + autorewrite with push_eval. + destruct (split_p _ _ _ Hq Hcanon) as [Hsplit1 Hsplit2]. + rewrite Hsplit1, Hsplit2. + cbn [fst snd]. + autorewrite with push_eval zsimplify_const. + cbn [snd]. + + split. + solve_ineq. + apply canonical_pos. + canonical_app q. + replace n with (length (q_lo ++ [q_hi1])) by (solve_length q). + auto. + apply canonical_eval_bounded. + canonical_app q. + replace n with (length (q_lo ++ [q_hi1])) by (solve_length q). + auto. + rewrite map_length. + rewrite seq_length. + solve_length q. + lia. + lia. + auto. + lia. + auto. + auto. + intros. + eapply Rows.length_from_associational; eassumption. + Qed. + + Lemma value_reduce_third : forall (q : list Z) q_lo q_hi1 q_hi2, + q = q_lo ++ [q_hi1] ++ [q_hi2] -> + canonical_repr (S n) q -> + (q_hi2 = 1 /\ q_hi1 = 0) \/ (q_hi2 = 0) -> + let r := reduce1 base s c (S n) n q in + let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in + let coef := Associational.sat_mul_const base [(1, s'/s)] c in + eval weight n r = Associational.eval coef * q_hi2 + eval weight n (q_lo ++ [q_hi1]). + Proof. + intros. 
+ unfold reduce1 in *. + unfold r, coef, s'. + rewrite app_assoc in H. + rewrite H. + rewrite Rows.flatten_mod, Rows.eval_from_associational, value_sat_reduce. + + unfold to_associational. + rewrite seq_snoc. + rewrite map_app. + rewrite Nat.add_0_l; cbn [map]. + rewrite combine_snoc. + rewrite fst_split_app, snd_split_app. + autorewrite with push_eval zsimplify_const. + apply adjust_s_finished' in solinas_property. + rewrite solinas_property. + cbn [fst snd]; autorewrite with zsimplify_const. + pose proof (split_p _ _ _ H H0) as Hsplit. + destruct Hsplit as [ Hhi Hlo ]. + rewrite Hhi, Hlo. + cbn [fst snd]; autorewrite with push_eval zsimplify_const; cbn [snd]. + + destruct n eqn:En; try lia. + rewrite seq_snoc, map_app. + rewrite Nat.add_0_l; cbn [map]. + rewrite combine_snoc. + rewrite eval_app. + rewrite <-En. + autorewrite with push_eval. + rewrite En. + cbn [fst snd]. + autorewrite with zsimplify_const. + rewrite eval_snoc_S. + + apply Z.mod_small. + assert (Hmach : 0 < machine_wordsize) by lia. + apply BYInv.eval_bound with (n:=n0) (f:=q_lo) in Hmach. + unfold eval, to_associational in Hmach. + destruct H1. + + (* q_hi1 = 0, q_hi2 = 1 *) + destruct H1. + subst q_hi1. + autorewrite with zsimplify_const. + intuition. + solve_ineq. + apply canonical_pos. + canonical_app q. + canonical_app (q_lo ++ [0]). + subst_canon q. + etransitivity. + solve_ineq. + adjust_ineq coef_small. + lia. + apply canonical_eval_bounded. + canonical_app q. + canonical_app (q_lo ++ [0]). + subst_canon q. + + apply reduce_in_range. + subst q_hi2. + weight_comp. + unfold up_bound. + vm_compute. + auto. + lia. + lia. + + (* q_hi2 = 0 *) + subst q_hi2. + autorewrite with zsimplify_const. + erewrite <-eval_snoc; try reflexivity. + intuition. + apply canonical_pos. + canonical_app q. + subst_canon q. + apply canonical_eval_bounded. + canonical_app q. + subst_canon q. + solve_length q. + eapply canonical_iff. + canonical_app q. + canonical_app (q_lo ++ [q_hi1]). + eauto. + solve_length q. 
+ solve_length q. + rewrite map_length. + rewrite seq_length. + solve_length q. + lia. + rewrite map_length. + rewrite seq_length. + solve_length q. + lia. + auto. + lia. + auto. + eapply Rows.length_from_associational; eauto. + Qed. + + Lemma reduce_third_correct : forall (p : list Z) lo hi, + p = lo ++ [hi] -> + (canonical_repr (S n) p) -> + hi < up_bound -> + let q := reduce1 base s c (S n) (S n) p in + let r := reduce1 base s c (S n) n q in + (Positional.eval weight (S n) p) mod (s - Associational.eval c) + = (Positional.eval weight n r) mod (s - Associational.eval c). + Proof. + intros. + pose proof (reduce_second_canonical _ _ _ H H1 H0) as Hcanon. + fold q in Hcanon. + assert (Hcanon' := Hcanon). + unfold canonical_repr in Hcanon'. + destruct Hcanon' as [ Hlen _ ]. + assert (exists q_lo q_hi1 q_hi2, q = q_lo ++ [q_hi1] ++ [q_hi2]) as Hq. + { pose proof (break_list_last q) as Hd1. + destruct Hd1 as [ Hd1 | Hd1 ]. + rewrite Hd1 in Hlen. + cbn in Hlen. + lia. + destruct Hd1 as [ q' Hd1 ]. + destruct Hd1 as [ q_hi2 Hd1]. + + pose proof (break_list_last q') as Hd2. + destruct Hd2 as [ Hd2 | Hd2 ]. + subst q'. + rewrite Hd1 in Hlen. + cbn in Hlen. + lia. + destruct Hd2 as [ q_lo Hd2 ]. + destruct Hd2 as [ q_hi1 Hd2 ]. + rewrite Hd2 in Hd1. + rewrite <-app_assoc in Hd1. + eauto. } + destruct Hq as [ q_lo Hq ]. + destruct Hq as [ q_hi1 Hq ]. + destruct Hq as [ q_hi2 Hq ]. + + pose proof (reduce_second _ _ _ H H0 H1 _ _ _ Hq) as Hqhi. + rewrite app_assoc in Hq. + etransitivity. + eapply reduce_second_correct; eauto. + + unfold r, q. + rewrite value_reduce_third with (q_lo:=q_lo) (q_hi1:=q_hi1) (q_hi2:=q_hi2). + autorewrite with push_eval zsimplify_const. + erewrite adjust_s_finished'; eauto. + cbn [fst snd]. + rewrite Z.mul_comm with (m:=Associational.eval c) (n:=(weight n / s)). + rewrite Z.add_comm. + rewrite <-Z.mul_assoc. + rewrite <-reduction_rule. + apply Z.elim_mod. + fold q. + rewrite Hq. + rewrite eval_snoc_S. + rewrite Z.add_cancel_l. 
+ + rewrite Z.mul_assoc. + rewrite <-Z_div_exact_2. + lia. + lia. + pose proof (adjust_s_invariant (S (S (S n))) s) as Hinv. + erewrite adjust_s_finished' in Hinv; eauto. + cbn [fst] in Hinv. + apply Hinv. + lia. + lia. + solve_length q. + lia. + lia. + fold q. + rewrite Hq. + rewrite app_assoc. + auto. + auto. + lia. + Qed. End __. From cae95eecfefff002f548d408e3c2f648298b596d Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Mon, 20 Jun 2022 18:05:47 -0400 Subject: [PATCH 19/69] prove value_reduce_first --- src/SolinasReduction.v | 217 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 198 insertions(+), 19 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 61bb70e552..0b39bf8171 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -316,7 +316,6 @@ Module solinas_reduction. intuition; apply H5; rewrite H3; apply in_or_app; eauto. Qed. - (* helps with proving lemmas about the length of the reduction *) Ltac solve_length q := try match goal with | [ H : canonical_repr _ q |- _ ] => @@ -572,6 +571,40 @@ Module solinas_reduction. lia. } Qed. + Lemma split_gt w l1 l2: + (forall x, In x l1 -> x mod w = 0) -> + length l1 = length l2 -> + split w (combine l1 l2) = ([], combine (map (fun t => t / w) l1) l2). + Proof. + intros. + generalize dependent l2. + induction l1; intros. + reflexivity. + simpl. + break_match. + auto. + match goal with + | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by eauto + end. + rewrite split_app. + rewrite IHl1. + cbn [fst snd]. + simpl. + break_match; cbn. + reflexivity. + rewrite Z.eqb_neq in Heqb. + rewrite H in Heqb. + lia. + simpl. + auto. + intros. + apply H. + simpl. + auto. + simpl in H0. + lia. + Qed. + Lemma weight_mono' x : weight x < weight (S x). Proof. 
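Review bot: The block proving `exists q_lo q_hi1 q_hi2, q = q_lo ++ [q_hi1] ++ [q_hi2]` from `break_list_last` is duplicated verbatim (about twenty lines) between `reduce_third_canonical` and `reduce_third_correct`, and within `reduce_third_canonical` the `unfold r, reduce1. rewrite Rows.flatten_correct. ... rewrite Hsplit1, Hsplit2.` preamble is repeated in both disjuncts of the case split on `reduce_second`'s conclusion. Factoring the decomposition into a lemma, e.g. `Lemma break_list_last2 : forall q, (1 < length q)%nat -> exists q_lo q_hi1 q_hi2, q = q_lo ++ [q_hi1] ++ [q_hi2].`, and the shared preamble into an Ltac, would shorten the proofs considerably and keep the copies from drifting apart. `reduce_second_canonical _ _ _ H H1 H0` next to `value_reduce_second _ _ _ H H0 H1` again shows the premise-order mismatch between those lemmas. `destruct n eqn:En; try lia.` in `reduce_third_canonical` and `value_reduce_third` case-splits on the section variable `n`; a short comment that the `0` case is excluded by `n_gt_1` would make the `try lia` self-explanatory.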
@@ -687,6 +720,151 @@ Module solinas_reduction. lia. Qed. + Lemma map_weight_seq : forall m p, + map weight (seq 0 p) = map (fun t => t / (weight m)) (map weight (seq m p)). + Proof. + induction m; intros. + { generalize dependent (map weight (seq 0 p)). + intros. + erewrite map_ext. + symmetry. + eapply map_id. + intros. + rewrite weight_0. + rewrite Z.div_1_r. + lia. + auto. } + { rewrite IHm. + rewrite <-map_S_seq. + rewrite !map_map. + Search (map _ ?x = map _ ?x). + apply map_ext_Forall. + Search Forall In. + rewrite Forall_forall. + intros. + rewrite in_seq in H. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.pow_add_r. + rewrite <- !OrdersEx.Z_as_OT.pow_sub_r. + f_equal. + lia. + lia. + lia. + lia. + lia. + lia. + lia. + lia. + lia. } + Qed. + + Lemma split_p' : forall (p lo hi : list Z), + p = lo ++ hi -> + canonical_repr (2 * n) p -> + length lo = n -> + split (weight n) (combine (map weight (seq 0 n)) lo) = (combine (map weight (seq 0 n)) lo, []) /\ + split (weight n) (combine (map weight (seq n n)) hi) = ([], combine (map weight (seq 0 n)) hi). + Proof. + intros. + intuition. + { apply split_lt. + intros. + rewrite in_map_iff in H2. + destruct H2. + intuition; rewrite <-H3. + auto. + rewrite in_seq in H4. + apply weight_mono. + lia. + rewrite map_length. + rewrite seq_length. + auto. } + { rewrite map_weight_seq with (m:=n). + apply split_gt. + intros. + rewrite in_map_iff in H2. + destruct H2. + intuition; rewrite <-H3. + apply Weight.weight_multiples_full. + auto. + auto. + rewrite in_seq in H4. + lia. + rewrite map_length, seq_length. + solve_length p. } + Qed. + + Lemma value_reduce_first : forall (p lo hi : list Z), + p = lo ++ hi -> + canonical_repr (2 * n) p -> + length lo = n -> + let q := reduce1 base s c (2 * n) (S n) p in + let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in + let coef := Associational.sat_mul_const base [(1, s'/s)] c in + eval weight (S n) q = Associational.eval coef * eval weight n hi + eval weight n lo. + Proof. 
+ intros. + pose proof (split_p' _ _ _ H H0 H1) as Hsplit. + destruct Hsplit as [ Hlo Hhi ]. + canonical_app p. + replace (length hi) with n in * by (solve_length p). + replace (length lo) with n in *. + unfold q, reduce1. + rewrite H. + rewrite Rows.flatten_mod, Rows.eval_from_associational, value_sat_reduce. + unfold to_associational. + cbn [fst snd]. + erewrite adjust_s_finished; try apply solinas_property. + replace (2 * n)%nat with (n + n)%nat by lia. + rewrite seq_add. + rewrite Nat.add_0_l. + rewrite map_app. + rewrite combine_app_samelength. + rewrite fst_split_app, snd_split_app. + cbn [fst snd]. + rewrite Hlo, Hhi. + autorewrite with push_eval zsimplify_const. + cbn [snd]. + unfold coef, s'. + autorewrite with push_eval zsimplify_const. + erewrite adjust_s_finished; try apply solinas_property. + cbn [fst snd]. + + rewrite Z.mod_small. + reflexivity. + split. + solve_ineq; apply canonical_pos; auto. + etransitivity. + solve_ineq. + apply Z.mul_lt_mono_nonneg. + solve_ineq. + eauto. + apply canonical_pos; auto. + apply canonical_eval_bounded; auto. + apply canonical_eval_bounded; auto. + weight_comp. + rewrite Z.mul_comm. + rewrite Zred_factor3. + apply Zmult_lt_compat_l. + lia. + simpl. + lia. + lia. + lia. + lia. + lia. + rewrite map_length, seq_length. + solve_length lo. + lia. + lia. + lia. + auto. + lia. + auto. + intros. + eapply Rows.length_from_associational; eauto. + Qed. + Lemma reduce_second_canonical : forall (p : list Z) lo hi, p = lo ++ [hi] -> hi < up_bound -> 
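Review bot: `Search (map _ ?x = map _ ?x).` and `Search Forall In.` inside the proof of `map_weight_seq` are interactive queries left in the committed script; they print search results on every build and should be removed (the two lines sitting between `rewrite !map_map.` / `apply map_ext_Forall.` and `rewrite Forall_forall.`), which PATCH 20 in this series does do. The long run of `lia.` after `f_equal.` would read better as `all: lia.` or with bullets so the side conditions generated by `weight_comp` are visible. `value_reduce_first` at the end of the hunk also has no comment stating what its equation means; something like `(* One reduction step on a canonical 2n-limb input: the top n limbs fold into the bottom n limbs, scaled by coef *)` above the lemma would help.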
@@ -1535,24 +1713,25 @@ Module solinas_reduction.
 Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values.
 Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values.
- (* Time Compute *)
- (* Show.show *)
- (* (Pipeline.BoundsPipelineToString *)
- (* "fiat" "mul" *)
- (* false *)
- (* false *)
- (* None *)
- (* possible_values *)
- (* machine_wordsize *)
- (* ltac:(let n := (eval cbv in n) in *)
- (* let r := Reify (reduce w base s c n) in *)
- (* exact r) *)
- (* (fun _ _ => []) *)
- (* (Some (repeat bound (2*n)), tt) *)
- (* (Some (repeat bound (n))) *)
- (* (None, tt) *)
- (* (None) *)
- (* : Pipeline.ErrorT _). *)
+ Time Compute
+ Show.show
+ (Pipeline.BoundsPipelineToString
+ "fiat" "mul"
+ false
+ false
+ None
+ possible_values
+ machine_wordsize
+ ltac:(let n := (eval cbv in n) in
+ let m := (eval cbv in m) in
+ let r := Reify (reduce1 base s c (S n) (S n)) in
+ exact r)
+ (fun _ _ => [])
+ (Some (repeat bound (S n)), tt)
+ (Some (repeat bound (S n)))
+ (None, tt)
+ (None)
+ : Pipeline.ErrorT _).
 End compile.
From 0895dd020f740012a683c5f26d3c5ec7de9b5c6f Mon Sep 17 00:00:00 2001
From: Samuel Tian
Date: Thu, 23 Jun 2022 14:17:09 -0400
Subject: [PATCH 20/69] error reifying if-then statement
---
 src/SolinasReduction.v | 52 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 43 insertions(+), 9 deletions(-)
diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v
index 0b39bf8171..99535c025f 100644
--- a/src/SolinasReduction.v
+++ b/src/SolinasReduction.v
@@ -24,6 +24,7 @@ Require Import Crypto.Algebra.Ring.
 Require Import Crypto.Util.Decidable.
 Require Import Crypto.Util.LetIn.
 Require Import Crypto.Util.ListUtil.
+Require Import Crypto.Util.ListUtil.FoldBool.
 Require Import Crypto.Util.NatUtil.
 Require Import Crypto.Util.Prod.
 Require Import Crypto.Util.Tactics.BreakMatch.
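Review bot: `let m := (eval cbv in m) in` inside the `ltac:(...)` block is bound but never used by the `Reify` call on the following line, so it should be dropped (the next commit in this series does remove it). Uncommenting this `Time Compute ... Show.show (Pipeline.BoundsPipelineToString ...)` also means the full synthesis pipeline runs every time `SolinasReduction.v` is compiled; if it is meant as a regression check it probably belongs in a dedicated test file or behind a flag rather than in the library file, and if it is a one-off experiment it should not be committed uncommented.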
@@ -75,10 +76,9 @@ Module solinas_reduction.
 Section __.
- Print weight_properties.
-
 Context (machine_wordsize := 64)
 (weight := uweight machine_wordsize)
+ (up_bound := 2 ^ (machine_wordsize / 4))
 {wprops : @weight_properties weight}.
 Definition sat_reduce base s c n (p : list (Z * Z)) :=
@@ -654,7 +654,6 @@ Module solinas_reduction.
 (mod_nz : s - Associational.eval c <> 0)
 (base_nz : base <> 0)
 (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true))
- (up_bound := 2 ^ (machine_wordsize / 4))
 (coef_small : weight n / s * Associational.eval c < up_bound).
 Lemma split_p : forall p lo hi,
@@ -737,9 +736,7 @@ Module solinas_reduction.
 { rewrite IHm.
 rewrite <-map_S_seq.
 rewrite !map_map.
- Search (map _ ?x = map _ ?x).
 apply map_ext_Forall.
- Search Forall In.
 rewrite Forall_forall.
 intros.
 rewrite in_seq in H.
@@ -1676,8 +1673,44 @@ Module solinas_reduction.
 End __.
+ Section test_reduce_full.
+
+ Context (machine_wordsize := 64)
+ (up_bound := 2 ^ (machine_wordsize / 4)).
+
+ Definition is_bounded_by0 r v
+ := ((lower r%zrange <=? v) && (v <=? upper r%zrange)).
+ Definition is_bounded_by2 r v
+ := (let '(v1, v2) := v in is_bounded_by0 (fst r) v1 && is_bounded_by0 (snd r) v2).
+ Definition is_bounded_by0o r
+ := (match r with Some r' => fun v' => is_bounded_by0 r' v' | None => fun _ => true end).
+ Definition is_bounded_by bounds ls
+ := (fold_andb_map (fun r v'' => is_bounded_by0o r v'') bounds ls).
+
+ Definition reduce_full base s c n (p : list Z) :=
+ let r1 := reduce1 base s c (2*n) (S n) p in
+ let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange in
+ let bounds := repeat bound n ++ [Some r[0 ~> (up_bound - 1)]%zrange] in
+ if (is_bounded_by bounds r1) then
+ let r2 := reduce1 base s c (S n) (S n) r1 in
+ let r3 := reduce1 base s c (S n) (n) r2 in
+ r3
+ else r1.
+
+ End test_reduce_full.
+
 Section compile.
+ Definition test (x : Z) :=
+ if (Z.even x) then
+ x
+ else (x+1).
+
+ Print test.
+
+ Compute (ltac:(let r := Reify (test) in
+ exact r)).
+
 Let s := 2^255.
 Let c := [(1, 19)].
 Let machine_wordsize := 64.
@@ -1713,6 +1746,8 @@ Module solinas_reduction.
 Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values.
 Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values.
+ Let bounds := repeat bound n ++ [Some r[0 ~> (2^(machine_wordsize/4) - 1)]%zrange].
+
 Time Compute
 Show.show
 (Pipeline.BoundsPipelineToString
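Review bot: The two branches of `reduce_full` return lists of different lengths: the `then` branch yields `r3` with `n` limbs, while the `else` branch returns `r1`, which `reduce1 base s c (2*n) (S n) p` produces with `S n` limbs. Anything that treats the result as an n-limb value — an output bound of `Some (repeat bound (n))` in the pipeline, or a `canonical_repr n` claim — cannot hold on the fallback path; the error transcript committed in PATCH 22 shows exactly this, one branch producing four limbs and the other five, ending in "Unable to bind names for all return arguments". Either the fallback should produce `n` limbs (e.g. keep reducing until the bounds check passes) or the function should be documented as returning `S n` limbs and its consumers adjusted. The same shape is repeated by `reduce_full'` in PATCH 22 and by `reduce_full` in PATCH 23's `@@ -173,6 +172,25 @@` hunk; the scratch `Definition test` / `Print test.` / `Compute` block added to `Section compile` here also looks like it was not meant to be committed.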
@@ -1723,12 +1758,11 @@ Module solinas_reduction.
 possible_values
 machine_wordsize
 ltac:(let n := (eval cbv in n) in
- let m := (eval cbv in m) in
- let r := Reify (reduce1 base s c (S n) (S n)) in
+ let r := Reify (reduce1 base s c (2*n) (S n)) in
 exact r)
 (fun _ _ => [])
- (Some (repeat bound (S n)), tt)
- (Some (repeat bound (S n)))
+ (Some (repeat bound (2*n)), tt)
+ (Some bounds)
 (None, tt)
 (None)
 : Pipeline.ErrorT _).
From cd1e593972d68dcf7e343108846619b02af9ab48 Mon Sep 17 00:00:00 2001
From: Samuel Tian
Date: Mon, 27 Jun 2022 02:19:23 -0400
Subject: [PATCH 21/69] fix foldb_andb_map, test zrange projection workarounds
---
 src/SolinasReduction.v | 92 ++++++++++++++++++++++++++++++++++------
 1 file changed, 79 insertions(+), 13 deletions(-)
diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v
index 99535c025f..5cb7c63fff 100644
--- a/src/SolinasReduction.v
+++ b/src/SolinasReduction.v
@@ -1678,39 +1678,86 @@ Module solinas_reduction. Context (machine_wordsize := 64) (up_bound := 2 ^ (machine_wordsize / 4)). + Definition is_bounded_by0 r v := ((lower r%zrange <=? v) && (v <=? upper r%zrange)). + Fail Compute ltac:(let r := Reify (is_bounded_by0) in exact r). Definition is_bounded_by2 r v := (let '(v1, v2) := v in is_bounded_by0 (fst r) v1 && is_bounded_by0 (snd r) v2). Definition is_bounded_by0o r := (match r with Some r' => fun v' => is_bounded_by0 r' v' | None => fun _ => true end). Definition is_bounded_by bounds ls := (fold_andb_map (fun r v'' => is_bounded_by0o r v'') bounds ls). + Fail Compute ltac:(let r := Reify (is_bounded_by) in exact r). + + Definition fold_andb ls := + fold_right andb true ls. + Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := + map (fun x => (f (fst x) (snd x))) (combine l1 l2). + Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := + fold_andb (dual_map f ls1 ls2). + Succeed Compute ltac:(let r := Reify (@fold_andb_map' zrange Z) in exact r). + Definition is_bounded_by' bounds ls + := (fold_andb_map' (fun r v'' => is_bounded_by0o r v'') bounds ls). + Fail Compute ltac:(let r := Reify (is_bounded_by') in exact r). + Definition reduce_full base s c n (p : list Z) := let r1 := reduce1 base s c (2*n) (S n) p in - let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange in - let bounds := repeat bound n ++ [Some r[0 ~> (up_bound - 1)]%zrange] in - if (is_bounded_by bounds r1) then + let bound := Some r[0 ~> 2^machine_wordsize - 1]%zrange in + let bounds := repeat bound n ++ [Some r[0 ~> up_bound - 1]%zrange ] in + if (is_bounded_by' bounds r1) then let r2 := reduce1 base s c (S n) (S n) r1 in let r3 := reduce1 base s c (S n) (n) r2 in r3 else r1. + Let s := 2^255. + Let c := [(1, 19)]. + Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). + Let m : nat := 2 * n. + Let w : nat -> Z := weight machine_wordsize 1. 
+ Let base : Z := 2 ^ machine_wordsize. + Fail Compute ltac:(let n := (eval cbv in n) in + let r := Reify (reduce_full base s c n) in + exact r). + + + Definition tmp r := + let '(x, y) := r in (x + y). + Compute ltac:(let r := Reify (@combine Z Z) in exact r). + Print IdentifiersBasicGENERATED.Compilers.ident. + Locate IdentifiersBasicGENERATED.Compilers.ident. + + Search "zrange" "cast". + Locate ZRange.type.base.option.is_bounded_by. + Compute IdentifiersBasicGENERATED.Compilers.ident + (type.base + (base.type.type_base + IdentifiersBasicGENERATED.Compilers.zrange) -> + type.base + (base.type.type_base + IdentifiersBasicGENERATED.Compilers.Z) -> + type.base + (base.type.type_base + IdentifiersBasicGENERATED.Compilers.Z)). + + Let r : zrange := {| lower := 1; upper := 2 |}. + + Definition test (r : zrange) := + match r with + | {| lower := _; upper := _ |} => r + end. + Fail Compute (ltac:(let r := Reify test in + exact r)). + + Compute (ltac:(let r := Reify r in + exact r)). + (* Search IdentifiersBasicGENERATED.Compilers.zrange. *) End test_reduce_full. Section compile. - Definition test (x : Z) := - if (Z.even x) then - x - else (x+1). - - Print test. - - Compute (ltac:(let r := Reify (test) in - exact r)). - Let s := 2^255. Let c := [(1, 19)]. Let machine_wordsize := 64. @@ -1748,6 +1795,25 @@ Module solinas_reduction. Let bounds := repeat bound n ++ [Some r[0 ~> (2^(machine_wordsize/4) - 1)]%zrange]. + Fail Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (reduce_full base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound (2*n)), tt) + (Some (repeat bound (n))) + (None, tt) + (None) + : Pipeline.ErrorT _). + Time Compute Show.show (Pipeline.BoundsPipelineToString From 4f3f3b51d508808ebfebb310c08f8353d546ebad Mon Sep 17 00:00:00 2001 
From: Samuel Tian
Date: Mon, 27 Jun 2022 11:39:40 -0400
Subject: [PATCH 22/69] compile reduce_full' with Z*Z instead of zrange
---
 src/SolinasReduction.v | 109 ++++++++++++++++++++++++++++-------------
 1 file changed, 74 insertions(+), 35 deletions(-)
diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v
index 5cb7c63fff..c1452eca2d 100644
--- a/src/SolinasReduction.v
+++ b/src/SolinasReduction.v
@@ -1701,7 +1701,12 @@ Module solinas_reduction.
 := (fold_andb_map' (fun r v'' => is_bounded_by0o r v'') bounds ls).
 Fail Compute ltac:(let r := Reify (is_bounded_by') in exact r).
-
+ Let s := 2^255.
+ Let c := [(1, 19)].
+ Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)).
+ Let m : nat := 2 * n.
+ Let w : nat -> Z := weight machine_wordsize 1.
+ Let base : Z := 2 ^ machine_wordsize.
 Definition reduce_full base s c n (p : list Z) :=
 let r1 := reduce1 base s c (2*n) (S n) p in
 let bound := Some r[0 ~> 2^machine_wordsize - 1]%zrange in
@@ -1711,48 +1716,82 @@ Module solinas_reduction. let r3 := reduce1 base s c (S n) (n) r2 in r3 else r1. - Let s := 2^255. - Let c := [(1, 19)]. - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := 2 * n. - Let w : nat -> Z := weight machine_wordsize 1. - Let base : Z := 2 ^ machine_wordsize. Fail Compute ltac:(let n := (eval cbv in n) in let r := Reify (reduce_full base s c n) in exact r). + Definition is_bounded_by'' bounds ls := + fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. + Definition reduce_full' base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) (S n) p in + let bound := (0, 2^machine_wordsize - 1) in + let bounds := repeat bound n ++ [(0, up_bound-1)] in + if (is_bounded_by'' bounds r1) then + let r2 := reduce1 base s c (S n) (S n) r1 in + let r3 := reduce1 base s c (S n) (n) r2 in + r3 + else r1. + Print reduce_full'. + (* + = "Error Computed bounds None are not tight enough (expected bounds not looser than (Some [Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff]])). 
+Found None where Some was expected +(Unprintible syntax tree used in bounds analysis) + +Stringification failed on the syntax tree: +(λ x1, + let x2 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x1[7], Some [0x0 ~> 0xffffffffffffffff]))) in + let x3 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x1[6], Some [0x0 ~> 0xffffffffffffffff]))) in + let x4 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x1[5], Some [0x0 ~> 0xffffffffffffffff]))) in + let x5 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x1[4], Some [0x0 ~> 0xffffffffffffffff]))) in + let x6 := x1[3] (* : uint64_t *) in + let x7 := x1[2] (* : uint64_t *) in + let x8 := x1[1] (* : uint64_t *) in + let x9 := x1[0] (* : uint64_t *) in + let x10 := Z.add_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x8, Some [0x0 ~> 0xffffffffffffffff], (x4₁, Some [0x0 ~> 0xffffffffffffffff]))) in + let x11 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x10₂, Some [0x0 ~> 0x1], (x7, Some [0x0 ~> 0xffffffffffffffff], (x3₁, Some [0x0 ~> 0xffffffffffffffff])))) in + let x12 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x11₂, Some [0x0 ~> 0x1], (x6, Some [0x0 ~> 0xffffffffffffffff], (x2₁, Some [0x0 ~> 0xffffffffffffffff])))) in + let x13 := x12₂ + x2₂ (* : [0x0 ~> 0x26] *) in + let x14 := Z.add_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x9, Some [0x0 ~> 0xffffffffffffffff], (x5₁, Some [0x0 ~> 0xffffffffffffffff]))) in + let x15 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x14₂, Some [0x0 ~> 0x1], (x10₁, Some [0x0 ~> 0xffffffffffffffff], (x5₂, Some [0x0 ~> 0x25])))) in + let x16 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x15₂, Some [0x0 
~> 0x1], (x11₁, Some [0x0 ~> 0xffffffffffffffff], (x4₂, Some [0x0 ~> 0x25])))) in + let x17 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x16₂, Some [0x0 ~> 0x1], (x12₁, Some [0x0 ~> 0xffffffffffffffff], (x3₂, Some [0x0 ~> 0x25])))) in + let x18 := x17₂ + x13 (* : [0x0 ~> 0x27] *) in + let x19 := if if if 0 ≤ x14₁ then (λ x19, x14₁ ≤ 2^64-1) else (λ x19, false) then (λ x19, if if 0 ≤ x15₁ then (λ x20, x15₁ ≤ 2^64-1) else (λ x20, false) then (λ x20, if if 0 ≤ x16₁ then (λ x21, x16₁ ≤ 2^64-1) else (λ x21, false) then (λ x21, if if 0 ≤ x17₁ then (λ x22, x17₁ ≤ 2^64-1) else (λ x22, false) then (λ x22, if if 0 ≤ x18 then (λ x23, x18 ≤ 2^16-1) else (λ x23, false) then (λ x23, true) else (λ x23, false)) else (λ x22, false)) else (λ x21, false)) else (λ x20, false)) else (λ x19, false) then (λ x19, + let x20 := Z.add_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x14₁, Some [0x0 ~> 0xffffffffffffffff], ((Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x18, Some [0x0 ~> 0x27]))))₁, Some [0x0 ~> 0x5ca]))) in + let x21 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x18, Some [0x0 ~> 0x27]))) in + let x22 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], ((Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x20₂, Some [0x0 ~> 0x1], (x15₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))))₂, Some [0x0 ~> 0x1], (x16₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in + let x23 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x22₂, Some [0x0 ~> 0x1], (x17₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in + let x24 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x23₂, Some [0x0 ~> 0x1]))) in + let x25 := Z.add_get_carry(2^64, Some 
[0x10000000000000000 ~> 0x10000000000000000], (x20₁, Some [0x0 ~> 0xffffffffffffffff], (x24₁, Some [0x0 ~> 0x26]))) in + let x26 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x20₂, Some [0x0 ~> 0x1], (x15₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in + let x27 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x25₂, Some [0x0 ~> 0x1], (x26₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in + let x28 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x27₂, Some [0x0 ~> 0x1], (x22₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in + let x29 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x28₂, Some [0x0 ~> 0x1], (x23₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in + x25₁ :: x27₁ :: x28₁ :: x29₁ :: [] +) else (λ x19, x14₁ :: x15₁ :: x16₁ :: x17₁ :: x18 :: []) in + x19 +) +Error in converting f to C: +Unable to bind names for all return arguments and bounds at type [ℤ]" + *) Definition tmp r := let '(x, y) := r in (x + y). Compute ltac:(let r := Reify (@combine Z Z) in exact r). Print IdentifiersBasicGENERATED.Compilers.ident. - Locate IdentifiersBasicGENERATED.Compilers.ident. - - Search "zrange" "cast". - Locate ZRange.type.base.option.is_bounded_by. - Compute IdentifiersBasicGENERATED.Compilers.ident - (type.base - (base.type.type_base - IdentifiersBasicGENERATED.Compilers.zrange) -> - type.base - (base.type.type_base - IdentifiersBasicGENERATED.Compilers.Z) -> - type.base - (base.type.type_base - IdentifiersBasicGENERATED.Compilers.Z)). - - Let r : zrange := {| lower := 1; upper := 2 |}. - - Definition test (r : zrange) := - match r with - | {| lower := _; upper := _ |} => r - end. - Fail Compute (ltac:(let r := Reify test in - exact r)). + Locate IdentifiersBasicGENERATED.Compilers.ident_Z_cast. + Print ZRange.ident.option.interp_Z_cast. 
+ Fail Compute ltac:(let r := Reify (ZRange.ident.option.interp_Z_cast) in exact r). + + Definition proj_test (r : zrange) := + r.(lower). + Ltac Rewriter.Language.PreCommon.Pre.reify_debug_level ::= constr:(20%nat). + Fail Compute ltac:(let r := Reify lower in exact r). + Compute ltac:(let r := (Reify (@fst Z Z)) in exact r). + Fail Compute ltac:(let r := (Reify (zran_rect (fun _ : zrange => Z) + (fun lower _ : Z => lower) + )) in exact r). - Compute (ltac:(let r := Reify r in - exact r)). - (* Search IdentifiersBasicGENERATED.Compilers.zrange. *) End test_reduce_full. @@ -1795,7 +1834,7 @@ Module solinas_reduction. Let bounds := repeat bound n ++ [Some r[0 ~> (2^(machine_wordsize/4) - 1)]%zrange]. - Fail Time Compute + Time Compute Show.show (Pipeline.BoundsPipelineToString "fiat" "mul" @@ -1805,7 +1844,7 @@ Module solinas_reduction. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (reduce_full base s c n) in + let r := Reify (reduce_full' base s c n) in exact r) (fun _ _ => []) (Some (repeat bound (2*n)), tt) From 3ed1e5b80033b144527c959cc40a1548f0e169c5 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Thu, 30 Jun 2022 15:27:49 -0400 Subject: [PATCH 23/69] proved correctness of reduce_full assuming first reduce is in bounds --- src/SlowPrimeSynthesisExamplesCopy.v | 2 +- src/SolinasReduction.v | 421 +++++++++++++++++++++++---- 2 files changed, 364 insertions(+), 59 deletions(-) diff --git a/src/SlowPrimeSynthesisExamplesCopy.v b/src/SlowPrimeSynthesisExamplesCopy.v index b427935eab..141e02085a 100644 --- a/src/SlowPrimeSynthesisExamplesCopy.v +++ b/src/SlowPrimeSynthesisExamplesCopy.v 
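Review bot: `Ltac Rewriter.Language.PreCommon.Pre.reify_debug_level ::= constr:(20%nat).` redefines a global debugging knob, and as far as I can tell an `Ltac ... ::=` redefinition is not undone when `Section test_reduce_full` is closed, so every later `Reify` in the file — including the `Time Compute` pipeline runs in `Section compile` — would execute at debug level 20 and flood the build log; reset it after the experiment or keep the experiment out of the committed file. The sixty-odd-line commented error transcript above `Definition tmp` is also a lot to carry in source; keeping just the first error line and the two differently-sized result lists would preserve the useful evidence. `Print reduce_full'.`, `Locate IdentifiersBasicGENERATED.Compilers.ident_Z_cast.` and `Print ZRange.ident.option.interp_Z_cast.` are build-time output as well and read as scratch work.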
@@ -41,7 +41,7 @@ Local Coercion Z.pos : positive >-> Z.
 Local Existing Instance default_low_level_rewriter_method.
 Local Existing Instance AbstractInterpretation.default_Options.
 Local Instance : unfold_value_barrier_opt := true.
-Local Instance : assembly_hints_lines_opt := None.
+Local Instance : assembly_hints_lines_opt := [].
 Local Instance : ignore_unique_asm_names_opt := false.
 Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction.
 Local Existing Instance default_language_naming_conventions.
diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v
index c1452eca2d..81da05d832 100644
--- a/src/SolinasReduction.v
+++ b/src/SolinasReduction.v
@@ -36,7 +36,6 @@ Require Import Crypto.Util.ZUtil.Hints.Core.
 Require Import Crypto.Util.ZUtil.Tactics.LtbToLt.
 Require Import Crypto.Util.ZUtil.Tactics.RewriteModSmall.
 Require Import Crypto.Util.ZUtil.Tactics.PullPush.Modulo.
-
 Require Import Coq.ZArith.Znat.
 Require Import Crypto.Util.Notations.
@@ -60,7 +59,7 @@ Local Coercion Z.pos : positive >-> Z.
 Local Existing Instance default_low_level_rewriter_method.
 Local Existing Instance AbstractInterpretation.default_Options.
 Local Instance : unfold_value_barrier_opt := true.
-Local Instance : assembly_hints_lines_opt := None.
+Local Instance : assembly_hints_lines_opt := [].
 Local Instance : ignore_unique_asm_names_opt := false.
 Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction.
 Local Existing Instance default_language_naming_conventions.
@@ -173,6 +172,25 @@ Module solinas_reduction.
 let r3 := reduce1 base s c (S n) (n) (r2) in
 r3.
+ Definition fold_andb ls :=
+ fold_right andb true ls.
+ Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) :=
+ map (fun x => (f (fst x) (snd x))) (combine l1 l2).
+ Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) :=
+ fold_andb (dual_map f ls1 ls2).
+ Definition is_bounded_by bounds ls :=
+ fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls.
+
+ Definition reduce_full base s c n (p : list Z) :=
+ let r1 := reduce1 base s c (2*n) (S n) p in
+ let bound := (0, 2^machine_wordsize - 1) in
+ let bounds := repeat bound n ++ [(0, up_bound-1)] in
+ if (is_bounded_by bounds r1) then
+ let r2 := reduce1 base s c (S n) (S n) r1 in
+ let r3 := reduce1 base s c (S n) (n) r2 in
+ r3
+ else r1.
+
 Definition mul_no_reduce base n (p q : list Z) :=
 let p_a := Positional.to_associational weight n p in
 let q_a := Positional.to_associational weight n q in
@@ -791,6 +809,79 @@ Module solinas_reduction. solve_length p. } Qed. + Lemma reduce_first_canonical : forall (p lo hi : list Z), + p = lo ++ hi -> + canonical_repr (2 * n) p -> + length lo = n -> + canonical_repr (S n) (reduce1 base s c (2*n) (S n) p). + Proof. + intros. + unfold reduce1, canonical_repr. + split. + { rewrite Rows.flatten_correct. + cbn [fst]. + auto with push_length. + auto. + intros. + eapply Rows.length_from_associational; eauto. } + { pose proof (split_p' _ _ _ H H0 H1) as Hsplit. + destruct Hsplit as [ Hlo Hhi ]. + rewrite Rows.flatten_correct. + cbn [fst]. + rewrite Partition.eval_partition. + f_equal. + apply Z.mod_small_sym. + rewrite Rows.eval_from_associational. + rewrite H. + rewrite value_sat_reduce. + erewrite adjust_s_finished; try apply solinas_property. + unfold to_associational. + replace (2 * n)%nat with (n + n)%nat by lia. + rewrite seq_add. + rewrite Nat.add_0_l. + rewrite map_app. + rewrite combine_app_samelength. + rewrite fst_split_app, snd_split_app. + cbn [fst snd]. + rewrite Hlo, Hhi. + autorewrite with push_eval zsimplify_const. + cbn [fst snd]. + + canonical_app p. + replace (length lo) with n in Hcanon_l by (solve_length p). + replace (length hi) with n in Hcanon_r. + split. + solve_ineq. + apply canonical_pos; auto. + apply canonical_pos; auto. + etransitivity. + solve_ineq. + apply Z.mul_lt_mono_nonneg. + solve_ineq. + eauto. + apply canonical_pos; auto. + apply canonical_eval_bounded; auto. + apply canonical_eval_bounded; auto. + weight_comp. + rewrite Z.mul_comm. + rewrite Zred_factor3. + apply Zmult_lt_compat_l. + lia. + simpl; lia. + lia. + lia. + solve_length p. + rewrite map_length, seq_length; auto. + lia. + lia. + lia. + auto. + lia. + auto. + auto. + eapply Rows.length_from_associational; eauto. } + Qed. + Lemma value_reduce_first : forall (p lo hi : list Z), p = lo ++ hi -> canonical_repr (2 * n) p -> 
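Review bot: The second conjunct of `reduce_first_canonical` appears to re-derive the value of `reduce1 base s c (2*n) (S n) p` with the same roughly fifteen-line rewriting sequence (`rewrite Rows.eval_from_associational` through `autorewrite with push_eval zsimplify_const`) that `value_reduce_first` already contains, and the bound argument after `canonical_app p.` (`split. solve_ineq. ... apply Z.mul_lt_mono_nonneg. ... weight_comp.`) is repeated again in `reduce_first` in the next hunk. Since `value_reduce_first` gives the closed form `Associational.eval coef * eval weight n hi + eval weight n lo`, this proof could rewrite with it and prove the `Z.mod_small` side condition once, or that bound could be factored into its own lemma so the three proofs share it. A header comment such as `(* The first reduction of a canonical 2n-limb input is itself canonical with S n limbs *)` would also help; none of the lemmas in this region carry one.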
@@ -862,6 +953,135 @@ Module solinas_reduction. eapply Rows.length_from_associational; eauto. Qed. + Lemma reduce_first : forall (p lo hi : list Z), + p = lo ++ hi -> + canonical_repr (2 * n) p -> + length lo = n -> + forall q_lo q_hi, + let q := reduce1 base s c (2*n) (S n) p in + q = q_lo ++ [q_hi] -> + q_hi < up_bound. + Proof. + intros. + pose proof (value_reduce_first _ _ _ H H0 H1). + pose proof (reduce_first_canonical _ _ _ H H0 H1) as Hcanon. + fold q in Hcanon. + + pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (n) pf as Hnth. + assert (Hcanon' := Hcanon). + unfold canonical_repr in Hcanon'. + destruct Hcanon' as [ _ Hpart ]. + rewrite <-Hpart in Hnth. + rewrite H2 in Hnth at 1. + rewrite nth_default_app in Hnth. + destruct lt_dec in Hnth. + solve_length q. + replace (length q_lo) with n in Hnth by (solve_length q). + rewrite Nat.sub_diag in Hnth. + unfold nth_default in Hnth. + simpl in Hnth. + rewrite Hnth. + unfold q. + apply Z.div_lt_upper_bound. + auto. + + canonical_app p. + replace (length lo) with n in Hcanon_l. + replace (length hi) with n in Hcanon_r by (solve_length p). + rewrite H3. + autorewrite with push_eval zsimplify_const. + erewrite adjust_s_finished; try apply solinas_property. + cbn [fst snd]. + rewrite <-Le.Z.le_sub_1_iff. + rewrite Z.mod_small. + etransitivity. + solve_ineq. + rewrite <-Le.Z.le_sub_1_iff in coef_small. + apply Z.mul_le_mono_nonneg. + solve_ineq. + eauto. + apply canonical_pos; auto. + rewrite Le.Z.le_sub_1_iff. + eapply canonical_eval_bounded; auto. + rewrite Le.Z.le_sub_1_iff. + apply canonical_eval_bounded; auto. + ring_simplify. + rewrite OrdersEx.Z_as_OT.le_sub_le_add_r. + unfold up_bound. + weight_comp. + simpl. + nia. + + split. + solve_ineq. + apply canonical_pos; auto. + apply canonical_pos; auto. + etransitivity. + solve_ineq. + apply Z.mul_lt_mono_nonneg. + solve_ineq. + eauto. + apply canonical_pos; auto. + eapply canonical_eval_bounded; auto. 
+ eapply canonical_eval_bounded; auto. + weight_comp. + unfold up_bound, machine_wordsize. + simpl. + break_match; try lia. + destruct Heqz; break_match; lia. + lia. + lia. + lia. + lia. + lia. + Qed. + + Lemma reduce_first_correct : forall (p lo hi : list Z), + p = lo ++ hi -> + canonical_repr (2 * n) p -> + length lo = n -> + let q := reduce1 base s c (2 * n) (S n) p in + (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) + = (Positional.eval weight (S n) q) mod (s - Associational.eval c). + Proof. + intros. + pose proof (value_reduce_first _ _ _ H H0 H1) as Hval. + canonical_app p. + replace (length hi) with n in Hcanon_r by (solve_length p). + replace (length lo) with n in Hcanon_l. + unfold q in *. + rewrite Hval. + rewrite H. + unfold weight. + replace (2 * n)%nat with (n + (length hi))%nat by (solve_length p). + rewrite uweight_eval_app'. + replace (length hi) with n by (solve_length hi). + fold weight. + autorewrite with push_eval zsimplify_const. + erewrite adjust_s_finished'; try apply solinas_property. + cbn [fst snd]. + rewrite (Z.add_comm _ (eval weight n lo)). + rewrite Z.mul_comm with (m:=Associational.eval c). + rewrite <-Z.mul_assoc. + rewrite <-reduction_rule. + apply Z.elim_mod. + rewrite Z.add_cancel_l. + rewrite Z.mul_assoc. + rewrite <-Z_div_exact_2. + lia. + lia. + pose proof (adjust_s_invariant (S (S (S n))) s) as Hinv. + erewrite adjust_s_finished' in Hinv; try apply solinas_property. + cbn [fst] in Hinv. + apply Hinv. + lia. + lia. + lia. + lia. + lia. + solve_length lo. + Qed. + Lemma reduce_second_canonical : forall (p : list Z) lo hi, p = lo ++ [hi] -> hi < up_bound -> 
@@ -1671,6 +1891,146 @@ Module solinas_reduction. lia. Qed. + (* + Definition reduce_full base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) (S n) p in + let bound := (0, 2^machine_wordsize - 1) in + let bounds := repeat bound n ++ [(0, up_bound-1)] in + if (is_bounded_by bounds r1) then + let r2 := reduce1 base s c (S n) (S n) r1 in + let r3 := reduce1 base s c (S n) (n) r2 in + r3 + else r1. + *) + + Lemma exists_lists_app : forall (p : list Z) n n', + length p = n -> + (n' <= n)%nat -> + exists l1 l2, p = l1 ++ l2 /\ + length l1 = n' /\ + length l2 = (n - n')%nat. + Proof. + intros. + induction n'. + { exists []. + exists p. + intuition. + lia. } + { destruct IHn' as [l1 IHn']. + lia. + destruct IHn' as [l2 IHn']. + intuition. + destruct l2. + subst p. + rewrite app_length in H. + rewrite H3 in H. + simpl in H. + lia. + + exists (l1 ++ [z]). + exists l2. + intuition. + rewrite H1. + rewrite <-app_assoc. + auto. + rewrite app_length. + simpl. + lia. + rewrite cons_length in H4. + lia. } + Qed. + + Theorem reduce_full_canonical : forall (p : list Z), + canonical_repr (2 * n) p -> + canonical_repr n (reduce_full base s c n p). + Proof. + intros. + pose proof (exists_lists_app p (2*n) n ltac:(solve_length p) ltac:(lia)) as Happ. + destruct Happ as [lo Happ]. + destruct Happ as [hi Happ]. + replace (2*n-n)%nat with n in Happ by lia. + intuition. + unfold reduce_full. + pose proof (reduce_first_canonical _ _ _ H0 H H2) as Hcanon1. + assert (Hcanon' := Hcanon1). + unfold canonical_repr in Hcanon'. + destruct Hcanon' as [ Hlen _ ]. + remember (reduce1 base s c (2 * n) (S n) p) as q. + pose proof (exists_lists_app q (S n) n ltac:(solve_length q) ltac:(lia)) as Happ. + destruct Happ as [q_lo Happ]. + destruct Happ as [q_hi' Happ]. + replace (S n - n)%nat with 1%nat in Happ by lia. + intuition. + assert (exists q_hi, q_hi' = [q_hi]). + { destruct q_hi'. + simpl in H6. + lia. + exists z. + simpl in H6. + replace (z :: q_hi') with ([z] ++ q_hi') by reflexivity. 
+ rewrite <-app_nil_r with (l:=[z]) at 2. + f_equal. + apply length0_nil; auto. } + destruct H4 as [ q_hi ]; subst q_hi'. + rewrite Heqq in H1. + pose proof (reduce_first _ _ _ H0 H H2 _ _ H1). + rewrite <-Heqq in H1. + break_match. + pose proof (reduce_third_canonical _ _ _ H1 Hcanon1 H4). + auto. + + (* proving second case where first reduction is not bounded *) + admit. + Admitted. + + Theorem reduce_full_correct : forall (p : list Z), + canonical_repr (2 * n) p -> + let r := reduce_full base s c n p in + (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) + = (Positional.eval weight n r) mod (s - Associational.eval c). + Proof. + intros. + pose proof (exists_lists_app p (2*n) n ltac:(solve_length p) ltac:(lia)) as Happ. + destruct Happ as [lo Happ]. + destruct Happ as [hi Happ]. + replace (2*n-n)%nat with n in Happ by lia. + intuition. + unfold r, reduce_full. + pose proof (reduce_first_canonical _ _ _ H0 H H2) as Hcanon1. + assert (Hcanon' := Hcanon1). + unfold canonical_repr in Hcanon'. + destruct Hcanon' as [ Hlen _ ]. + remember (reduce1 base s c (2 * n) (S n) p) as q. + pose proof (exists_lists_app q (S n) n ltac:(solve_length q) ltac:(lia)) as Happ. + destruct Happ as [q_lo Happ]. + destruct Happ as [q_hi' Happ]. + replace (S n - n)%nat with 1%nat in Happ by lia. + intuition. + assert (exists q_hi, q_hi' = [q_hi]). + { destruct q_hi'. + simpl in H6. + lia. + exists z. + simpl in H6. + replace (z :: q_hi') with ([z] ++ q_hi') by reflexivity. + rewrite <-app_nil_r with (l:=[z]) at 2. + f_equal. + apply length0_nil; auto. } + destruct H4 as [ q_hi ]; subst q_hi'. + erewrite reduce_first_correct; eauto. + rewrite <-Heqq. + rewrite Heqq in H1. + pose proof (reduce_first _ _ _ H0 H H2 _ _ H1). + rewrite <-Heqq in H1. + break_match. + eapply reduce_third_correct; eauto. + pose proof reduce_third_correct. + + (* proving second case where first reduction is not bounded *) + admit. + + Admitted. + End __. Section test_reduce_full. 
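Review bot: Both `reduce_full_canonical` and `reduce_full_correct` end in `Admitted` with the unbounded branch left as `admit`, so anything later proved from them (e.g. a correctness result for `mulmod`) rests on an unproven case until these are closed. The commented copy of `reduce_full` above shows that branch returning `r1`, which has `S n` limbs, so `canonical_repr n (reduce_full ...)` can only hold if that branch is unreachable for canonical `p`; the placeholder comment should say that is the missing lemma: `(* TODO: is_bounded_by bounds r1 cannot be false for canonical p, so the else branch is dead. *)`. The ~25-line preamble that splits `p` with `exists_lists_app` and then `q` into `q_lo ++ [q_hi]` is pasted verbatim into both theorems; factoring it into one lemma about `reduce1 base s c (2 * n) (S n) p` would let both proofs share it and drop the `H4`/`H6` name dependence.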
@@ -1678,55 +2038,18 @@ Module solinas_reduction. Context (machine_wordsize := 64) (up_bound := 2 ^ (machine_wordsize / 4)). - - Definition is_bounded_by0 r v - := ((lower r%zrange <=? v) && (v <=? upper r%zrange)). - Fail Compute ltac:(let r := Reify (is_bounded_by0) in exact r). - Definition is_bounded_by2 r v - := (let '(v1, v2) := v in is_bounded_by0 (fst r) v1 && is_bounded_by0 (snd r) v2). - Definition is_bounded_by0o r - := (match r with Some r' => fun v' => is_bounded_by0 r' v' | None => fun _ => true end). - Definition is_bounded_by bounds ls - := (fold_andb_map (fun r v'' => is_bounded_by0o r v'') bounds ls). - Fail Compute ltac:(let r := Reify (is_bounded_by) in exact r). - - Definition fold_andb ls := - fold_right andb true ls. - Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := - map (fun x => (f (fst x) (snd x))) (combine l1 l2). - Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := - fold_andb (dual_map f ls1 ls2). - Succeed Compute ltac:(let r := Reify (@fold_andb_map' zrange Z) in exact r). - Definition is_bounded_by' bounds ls - := (fold_andb_map' (fun r v'' => is_bounded_by0o r v'') bounds ls). - Fail Compute ltac:(let r := Reify (is_bounded_by') in exact r). - Let s := 2^255. Let c := [(1, 19)]. Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). Let m : nat := 2 * n. Let w : nat -> Z := weight machine_wordsize 1. Let base : Z := 2 ^ machine_wordsize. - Definition reduce_full base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) (S n) p in - let bound := Some r[0 ~> 2^machine_wordsize - 1]%zrange in - let bounds := repeat bound n ++ [Some r[0 ~> up_bound - 1]%zrange ] in - if (is_bounded_by' bounds r1) then - let r2 := reduce1 base s c (S n) (S n) r1 in - let r3 := reduce1 base s c (S n) (n) r2 in - r3 - else r1. - Fail Compute ltac:(let n := (eval cbv in n) in - let r := Reify (reduce_full base s c n) in - exact r). 
- Definition is_bounded_by'' bounds ls := - fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. Definition reduce_full' base s c n (p : list Z) := let r1 := reduce1 base s c (2*n) (S n) p in let bound := (0, 2^machine_wordsize - 1) in let bounds := repeat bound n ++ [(0, up_bound-1)] in - if (is_bounded_by'' bounds r1) then + if (is_bounded_by bounds r1) then let r2 := reduce1 base s c (S n) (S n) r1 in let r3 := reduce1 base s c (S n) (n) r2 in r3 @@ -1775,24 +2098,6 @@ Error in converting f to C: Unable to bind names for all return arguments and bounds at type [ℤ]" *) - Definition tmp r := - let '(x, y) := r in (x + y). - Compute ltac:(let r := Reify (@combine Z Z) in exact r). - Print IdentifiersBasicGENERATED.Compilers.ident. - Locate IdentifiersBasicGENERATED.Compilers.ident_Z_cast. - Print ZRange.ident.option.interp_Z_cast. - Fail Compute ltac:(let r := Reify (ZRange.ident.option.interp_Z_cast) in exact r). - - Definition proj_test (r : zrange) := - r.(lower). - Ltac Rewriter.Language.PreCommon.Pre.reify_debug_level ::= constr:(20%nat). - Fail Compute ltac:(let r := Reify lower in exact r). - Compute ltac:(let r := (Reify (@fst Z Z)) in exact r). - Fail Compute ltac:(let r := (Reify (zran_rect (fun _ : zrange => Z) - (fun lower _ : Z => lower) - )) in exact r). - - End test_reduce_full. Section compile. From 4534d72f7ca3341fe1a39b5d2128eba83e92d5ab Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Wed, 6 Jul 2022 13:40:17 -0400 Subject: [PATCH 24/69] finished proof of reduce_full --- src/SolinasReduction.v | 128 +++++++++++++++++++++++++++++++++-------- 1 file changed, 105 insertions(+), 23 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 81da05d832..679b2db804 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
@@ -99,7 +99,7 @@ Module solinas_reduction. let lo_hi := Associational.split s' p in Associational.eval (sat_reduce base s c n p) = Associational.eval coef * Associational.eval (snd lo_hi) + Associational.eval (fst lo_hi). - Proof. + Proof using Type. intros; cbv [sat_reduce] in *; cbv [s' lo_hi coef]. autorewrite with push_eval; lia. Qed. @@ -201,7 +201,7 @@ Module solinas_reduction. Definition mulmod base s c n (p q : list Z) := let prod := mul_no_reduce base n p q in - let red := reduce base s c n prod in + let red := reduce_full base s c n prod in red. Definition canonical_repr n (p : list Z) : Prop := @@ -1710,7 +1710,7 @@ Module solinas_reduction. let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in let coef := Associational.sat_mul_const base [(1, s'/s)] c in eval weight n r = Associational.eval coef * q_hi2 + eval weight n (q_lo ++ [q_hi1]). - Proof. + Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. intros. unfold reduce1 in *. unfold r, coef, s'. @@ -1891,18 +1891,6 @@ Module solinas_reduction. lia. Qed. - (* - Definition reduce_full base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) (S n) p in - let bound := (0, 2^machine_wordsize - 1) in - let bounds := repeat bound n ++ [(0, up_bound-1)] in - if (is_bounded_by bounds r1) then - let r2 := reduce1 base s c (S n) (S n) r1 in - let r3 := reduce1 base s c (S n) (n) r2 in - r3 - else r1. - *) - Lemma exists_lists_app : forall (p : list Z) n n', length p = n -> (n' <= n)%nat -> 
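Review bot: `mulmod` now calls `reduce_full`, whose definition is outside this hunk; per the copy deleted in the last hunk here, `reduce_full` returns the n-limb `r3` when `is_bounded_by bounds r1` holds and the `(S n)`-limb `r1` otherwise, so the output width of `mulmod` is now decided by a runtime test on intermediate limbs. Since `reduce_full_canonical` and `reduce_full_correct` can only hold if that test never fails for canonical inputs, the definition of `reduce_full` should record it: `(* For canonical inputs is_bounded_by always holds here, so the else branch is unreachable; see reduce_full_canonical. *)`. A value-dependent branch inside a field multiplication is also the first thing a constant-time audit will flag; the C transcript later in this series shows no conditional in the emitted function, which suggests the bounds pipeline discharges the test statically, and that is worth stating next to the definition rather than leaving the reader to infer it.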
@@ -1940,6 +1928,76 @@ Module solinas_reduction. lia. } Qed. + Lemma fold_right_andb_false : forall d l, + fold_right andb d l = false -> + fold_right andb true l = false \/ d = false. + Proof. + intros. + induction l; auto. + cbn in *. + rewrite andb_false_iff in H. + intuition. + rewrite H0. + auto. + rewrite H1. + rewrite andb_false_r. + auto. + Qed. + + Lemma is_bounded_by_false : forall lo_bound hi_bound lo hi, + length lo_bound = length lo -> + is_bounded_by (lo_bound ++ [hi_bound]) (lo ++ [hi]) = false -> + is_bounded_by lo_bound lo = false \/ (hi < fst hi_bound \/ hi > snd hi_bound). + Proof using Type. + intros. + unfold is_bounded_by, fold_andb_map', fold_andb, dual_map in H0. + rewrite combine_app_samelength in H0. + rewrite map_app in H0. + rewrite fold_right_app in H0. + apply fold_right_andb_false in H0. + intuition. + right. + simpl in H1. + rewrite andb_false_iff in H1. + intuition. + rewrite andb_false_iff in H0. + intuition. + rewrite Z.leb_gt in H1; auto. + rewrite Z.leb_gt in H1; auto. + rewrite <-Z.gt_lt_iff in H1; auto. + discriminate. + auto. + Qed. + + Lemma canonical_is_bounded_by : forall n p, + canonical_repr n p -> + is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true. + Proof. + intros. + rewrite canonical_iff in H. + intuition. + generalize dependent n0. + induction p; intros. + replace n0 with 0%nat. + auto. + unfold is_bounded_by, fold_andb_map', fold_andb, dual_map. + rewrite cons_length in H0. + rewrite <-H0. + cbn [repeat combine map fold_right fst snd]. + apply andb_true_intro. + intuition. + specialize (H1 a). + apply andb_true_intro. + intuition; rewrite Z.leb_le. + apply H1; simpl; auto. + rewrite Le.Z.le_sub_1_iff. + apply H1; simpl; auto. + apply IHp. + intros. + apply H1; simpl; auto. + auto. + Qed. + Theorem reduce_full_canonical : forall (p : list Z), canonical_repr (2 * n) p -> canonical_repr n (reduce_full base s c n p). 
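Review bot: `canonical_is_bounded_by` quantifies over `n` inside a section that already has `n` in context, so Coq renames the binder and the proof has to write `generalize dependent n0.`; the script is now tied to an auto-generated name and will break if the section variables change. Use a distinct binder: `Lemma canonical_is_bounded_by : forall m p, canonical_repr m p -> is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) m) p = true.` with `generalize dependent m.`. Also, `is_bounded_by_false` in this hunk is marked `Proof using Type` while `fold_right_andb_false` (which mentions no section variable) and `canonical_is_bounded_by` use plain `Proof.`; the former should be `Proof using Type` too, and the latter should list only the section hypotheses it actually needs, as the lemmas amended earlier in this patch do.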
@@ -1980,15 +2038,28 @@ Module solinas_reduction. auto. (* proving second case where first reduction is not bounded *) - admit. - Admitted. + rewrite H1 in Heqb. + apply is_bounded_by_false in Heqb. + canonical_app q. + replace (length q_lo) with n in Hcanon_l. + apply canonical_is_bounded_by in Hcanon_l. + pose proof (canonical_bounded _ _ Hcanon1 q_hi ltac:(solve_in)). + intuition. + rewrite Hcanon_l in H7; discriminate. + cbn [fst] in H10. + lia. + cbn [snd] in H10. + lia. + rewrite repeat_length. + solve_length q. + Qed. Theorem reduce_full_correct : forall (p : list Z), canonical_repr (2 * n) p -> let r := reduce_full base s c n p in (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) = (Positional.eval weight n r) mod (s - Associational.eval c). - Proof. + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. intros. pose proof (exists_lists_app p (2*n) n ltac:(solve_length p) ltac:(lia)) as Happ. destruct Happ as [lo Happ]. @@ -2024,12 +2095,23 @@ Module solinas_reduction. rewrite <-Heqq in H1. break_match. eapply reduce_third_correct; eauto. - pose proof reduce_third_correct. (* proving second case where first reduction is not bounded *) - admit. - - Admitted. + rewrite H1 in Heqb. + apply is_bounded_by_false in Heqb. + canonical_app q. + replace (length q_lo) with n in Hcanon_l. + apply canonical_is_bounded_by in Hcanon_l. + pose proof (canonical_bounded _ _ Hcanon1 q_hi ltac:(solve_in)). + intuition. + rewrite Hcanon_l in H7; discriminate. + cbn [fst] in H10. + lia. + cbn [snd] in H10. + lia. + rewrite repeat_length. + solve_length q. + Qed. End __. @@ -2149,7 +2231,7 @@ Unable to bind names for all return arguments and bounds at type [ℤ]" possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (reduce_full' base s c n) in + let r := Reify (reduce_full base s c n) in exact r) (fun _ _ => []) (Some (repeat bound (2*n)), tt) 
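Review bot: The unbounded-case argument (`rewrite H1 in Heqb` through `solve_length q`) is pasted verbatim into both `reduce_full_canonical` and the `reduce_full_correct` hunk below it, and both copies depend on the auto-generated names `H7` and `H10`. What it proves is that `is_bounded_by` cannot return false on the first reduction of a canonical input, i.e. the `else` branch of `reduce_full` is dead; that deserves to be its own lemma, stated once and applied in both theorems, which also gives a constant-time reviewer a single fact to check. The enclosing theorems start outside these hunks.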
From 968a5c7f36e1ff2f5c9df41552ea87e0186e254a Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Mon, 11 Jul 2022 16:42:02 -0400 Subject: [PATCH 25/69] prove mulmod correct --- src/SolinasReduction.v | 517 +++++++++++++++++++++++++++++++++++------ 1 file changed, 445 insertions(+), 72 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 679b2db804..14e1b4e1d8 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -157,6 +157,8 @@ Module solinas_reduction. autorewrite with zsimplify_const push_eval; trivial. Qed. Hint Rewrite eval_sat_reduce using auto : push_eval. + Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. + Hint Rewrite Rows.flatten_mod using auto : push_eval. (* n is input width *) Definition reduce1 base s c n m (p : list Z) := @@ -208,8 +210,6 @@ Module solinas_reduction. length p = n /\ p = Partition.partition weight n (Positional.eval weight n p). - Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. - Hint Resolve length_partition : push_length. Hint Resolve Rows.length_from_associational : push_length. 
@@ -674,6 +674,46 @@ Module solinas_reduction. (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) (coef_small : weight n / s * Associational.eval c < up_bound). + Theorem eval_mul_no_reduce : forall p q, + canonical_repr n p -> + canonical_repr n q -> + Positional.eval weight (2 * n) (mul_no_reduce base n p q) = + Positional.eval weight n p * Positional.eval weight n q. + Proof. + intros. + cbv [mul_no_reduce]. + autorewrite with push_eval. + apply Z.mod_small. + intuition. + solve_ineq; apply canonical_pos; auto. + rewrite <-Le.Z.le_sub_1_iff. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. + apply canonical_pos; auto. + rewrite Le.Z.le_sub_1_iff. + apply canonical_eval_bounded; auto. + apply canonical_pos; auto. + rewrite Le.Z.le_sub_1_iff. + apply canonical_eval_bounded; auto. + rewrite Le.Z.le_sub_1_iff. + replace (weight (2 * n)) with (weight n * weight n). + solve_ineq. + apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. + weight_comp; simpl; break_match; lia. + lia. + weight_comp; simpl; break_match; lia. + lia. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. + f_equal. + lia. + lia. + lia. + lia. + lia. + apply Rows.length_from_associational. + Qed. + Lemma split_p : forall p lo hi, p = lo ++ [hi] -> canonical_repr (S n) p -> 
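Review bot: `eval_mul_no_reduce` carries no comment stating what it establishes, and it is a plain `Proof.` while the lemmas touched in the previous patch were switched to `Proof using ...`; the key step is `apply Z.mod_small` together with `replace (weight (2 * n)) with (weight n * weight n)`, i.e. the no-overflow argument. I'd put above the statement `(* The product of two canonical n-limb inputs is below weight (2 * n), so the final mod in mul_no_reduce is the identity and eval is exact. *)` and give the proof a `Proof using` clause listing the section hypotheses it relies on (`wprops`, `n_gt_1` and the canonical lemmas' dependencies, to be confirmed against the section context). The trailing run of five `lia.` calls can be `all: lia.` so the side-goal structure is visible.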
@@ -2113,74 +2153,69 @@ Module solinas_reduction. solve_length q. Qed. - End __. - - Section test_reduce_full. - - Context (machine_wordsize := 64) - (up_bound := 2 ^ (machine_wordsize / 4)). - - Let s := 2^255. - Let c := [(1, 19)]. - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := 2 * n. - Let w : nat -> Z := weight machine_wordsize 1. - Let base : Z := 2 ^ machine_wordsize. + Theorem mulmod_correct : forall p q, + canonical_repr n p -> + canonical_repr n q -> + Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) = + (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). + Proof. + intros. + cbv [mulmod]. + rewrite <-reduce_full_correct. + rewrite eval_mul_no_reduce. + auto. + auto. + auto. - Definition reduce_full' base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) (S n) p in - let bound := (0, 2^machine_wordsize - 1) in - let bounds := repeat bound n ++ [(0, up_bound-1)] in - if (is_bounded_by bounds r1) then - let r2 := reduce1 base s c (S n) (S n) r1 in - let r3 := reduce1 base s c (S n) (n) r2 in - r3 - else r1. - Print reduce_full'. - (* - = "Error Computed bounds None are not tight enough (expected bounds not looser than (Some [Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff]])). 
-Found None where Some was expected -(Unprintible syntax tree used in bounds analysis) - -Stringification failed on the syntax tree: -(λ x1, - let x2 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x1[7], Some [0x0 ~> 0xffffffffffffffff]))) in - let x3 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x1[6], Some [0x0 ~> 0xffffffffffffffff]))) in - let x4 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x1[5], Some [0x0 ~> 0xffffffffffffffff]))) in - let x5 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x1[4], Some [0x0 ~> 0xffffffffffffffff]))) in - let x6 := x1[3] (* : uint64_t *) in - let x7 := x1[2] (* : uint64_t *) in - let x8 := x1[1] (* : uint64_t *) in - let x9 := x1[0] (* : uint64_t *) in - let x10 := Z.add_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x8, Some [0x0 ~> 0xffffffffffffffff], (x4₁, Some [0x0 ~> 0xffffffffffffffff]))) in - let x11 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x10₂, Some [0x0 ~> 0x1], (x7, Some [0x0 ~> 0xffffffffffffffff], (x3₁, Some [0x0 ~> 0xffffffffffffffff])))) in - let x12 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x11₂, Some [0x0 ~> 0x1], (x6, Some [0x0 ~> 0xffffffffffffffff], (x2₁, Some [0x0 ~> 0xffffffffffffffff])))) in - let x13 := x12₂ + x2₂ (* : [0x0 ~> 0x26] *) in - let x14 := Z.add_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x9, Some [0x0 ~> 0xffffffffffffffff], (x5₁, Some [0x0 ~> 0xffffffffffffffff]))) in - let x15 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x14₂, Some [0x0 ~> 0x1], (x10₁, Some [0x0 ~> 0xffffffffffffffff], (x5₂, Some [0x0 ~> 0x25])))) in - let x16 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x15₂, Some [0x0 
~> 0x1], (x11₁, Some [0x0 ~> 0xffffffffffffffff], (x4₂, Some [0x0 ~> 0x25])))) in - let x17 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x16₂, Some [0x0 ~> 0x1], (x12₁, Some [0x0 ~> 0xffffffffffffffff], (x3₂, Some [0x0 ~> 0x25])))) in - let x18 := x17₂ + x13 (* : [0x0 ~> 0x27] *) in - let x19 := if if if 0 ≤ x14₁ then (λ x19, x14₁ ≤ 2^64-1) else (λ x19, false) then (λ x19, if if 0 ≤ x15₁ then (λ x20, x15₁ ≤ 2^64-1) else (λ x20, false) then (λ x20, if if 0 ≤ x16₁ then (λ x21, x16₁ ≤ 2^64-1) else (λ x21, false) then (λ x21, if if 0 ≤ x17₁ then (λ x22, x17₁ ≤ 2^64-1) else (λ x22, false) then (λ x22, if if 0 ≤ x18 then (λ x23, x18 ≤ 2^16-1) else (λ x23, false) then (λ x23, true) else (λ x23, false)) else (λ x22, false)) else (λ x21, false)) else (λ x20, false)) else (λ x19, false) then (λ x19, - let x20 := Z.add_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x14₁, Some [0x0 ~> 0xffffffffffffffff], ((Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x18, Some [0x0 ~> 0x27]))))₁, Some [0x0 ~> 0x5ca]))) in - let x21 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x18, Some [0x0 ~> 0x27]))) in - let x22 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], ((Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x20₂, Some [0x0 ~> 0x1], (x15₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))))₂, Some [0x0 ~> 0x1], (x16₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in - let x23 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x22₂, Some [0x0 ~> 0x1], (x17₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in - let x24 := Z.mul_split(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (38, Some [0x26 ~> 0x26], (x23₂, Some [0x0 ~> 0x1]))) in - let x25 := Z.add_get_carry(2^64, Some 
[0x10000000000000000 ~> 0x10000000000000000], (x20₁, Some [0x0 ~> 0xffffffffffffffff], (x24₁, Some [0x0 ~> 0x26]))) in - let x26 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x20₂, Some [0x0 ~> 0x1], (x15₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in - let x27 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x25₂, Some [0x0 ~> 0x1], (x26₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in - let x28 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x27₂, Some [0x0 ~> 0x1], (x22₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in - let x29 := Z.add_with_get_carry(2^64, Some [0x10000000000000000 ~> 0x10000000000000000], (x28₂, Some [0x0 ~> 0x1], (x23₁, Some [0x0 ~> 0xffffffffffffffff], (0, Some [0x0 ~> 0x0])))) in - x25₁ :: x27₁ :: x28₁ :: x29₁ :: [] -) else (λ x19, x14₁ :: x15₁ :: x16₁ :: x17₁ :: x18 :: []) in - x19 -) -Error in converting f to C: -Unable to bind names for all return arguments and bounds at type [ℤ]" - *) + cbv [mul_no_reduce]. + unfold canonical_repr. + intuition. + unfold mul_no_reduce. + rewrite Rows.length_flatten. + lia. + auto. + apply Rows.length_from_associational. + rewrite Rows.flatten_correct. + cbn [fst]. + rewrite Partition.eval_partition. + f_equal. + apply Z.mod_small_sym. + rewrite Rows.eval_from_associational. + intuition; autorewrite with push_eval zsimplify_const. + solve_ineq; apply canonical_pos; auto. + lia. + rewrite <-Le.Z.le_sub_1_iff. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. + apply canonical_pos; auto. + rewrite Le.Z.le_sub_1_iff. + apply canonical_eval_bounded; auto. + apply canonical_pos; auto. + rewrite Le.Z.le_sub_1_iff. + apply canonical_eval_bounded; auto. + rewrite Le.Z.le_sub_1_iff. + replace (weight (2 * n)) with (weight n * weight n). + solve_ineq. + apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. + weight_comp; simpl; break_match; lia. + lia. 
+ weight_comp; simpl; break_match; lia. + lia. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. + f_equal. + lia. + lia. + lia. + lia. + auto. + lia. + auto. + auto. + apply Rows.length_from_associational. + Qed. - End test_reduce_full. + End __. Section compile. 
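Review bot: `mulmod_correct` proves the side condition `canonical_repr (2 * n) (mul_no_reduce base n p q)` inline, from `cbv [mul_no_reduce]` to the final `apply Rows.length_from_associational`, and that ~45-line block repeats the bound chain (`Z.mul_le_mono_nonneg`, `replace (weight (2 * n)) with (weight n * weight n)`, `pow_mul_r`) already written in `eval_mul_no_reduce` earlier in this patch. Factor it into `Lemma mul_no_reduce_canonical : forall p q, canonical_repr n p -> canonical_repr n q -> canonical_repr (2 * n) (mul_no_reduce base n p q).` and have both `eval_mul_no_reduce` and `mulmod_correct` use it, leaving `mulmod_correct` as the three rewrites it is meant to be. The theorem is also a plain `Proof.`; it should carry the same `Proof using` clause as `reduce_full_correct`, on which it depends.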
@@ -2239,6 +2274,97 @@ Unable to bind names for all return arguments and bounds at type [ℤ]" (None, tt) (None) : Pipeline.ErrorT _). + (* + = "Success (""/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static void mul(uint64_t out1[4], const uint64_t arg1[8]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiatuint1 x14; + uint64_t x15; + fiatuint1 x16; + uint64_t x17; + fiatuint1 x18; + uint64_t x19; + uint64_t x20; + fiatuint1 x21; + uint64_t x22; + fiatuint1 x23; + uint64_t x24; + fiatuint1 x25; + uint64_t x26; + fiatuint1 x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + fiatuint1 x32; + uint64_t x33; + fiatuint1 x34; + uint64_t x35; + fiatuint1 x36; + uint64_t x37; + fiatuint1 x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + fiatuint1 x42; + uint64_t x43; + fiatuint1 x44; + uint64_t x45; + fiatuint1 x46; + uint64_t x47; + fiatuint1 x48; + fiatmulx_u64(&x1, &x2, UINT8_C(0x26), (arg1[7])); + fiatmulx_u64(&x3, &x4, UINT8_C(0x26), (arg1[6])); + fiatmulx_u64(&x5, &x6, UINT8_C(0x26), (arg1[5])); + fiatmulx_u64(&x7, &x8, UINT8_C(0x26), (arg1[4])); + x9 = (arg1[3]); + x10 = (arg1[2]); + x11 = (arg1[1]); + x12 = (arg1[0]); + fiataddcarryx_u64(&x13, &x14, 0x0, x11, x5); + fiataddcarryx_u64(&x15, &x16, x14, x10, x3); + fiataddcarryx_u64(&x17, &x18, x16, x9, x1); + x19 = (x18 + x2); + fiataddcarryx_u64(&x20, &x21, 0x0, x12, x7); + fiataddcarryx_u64(&x22, &x23, x21, x13, x8); + fiataddcarryx_u64(&x24, &x25, x23, x15, x6); + 
fiataddcarryx_u64(&x26, &x27, x25, x17, x4); + x28 = (x27 + x19); + fiatmulx_u64(&x29, &x30, UINT8_C(0x26), x28); + fiataddcarryx_u64(&x31, &x32, 0x0, x20, x29); + fiataddcarryx_u64(&x33, &x34, x32, x22, 0x0); + fiataddcarryx_u64(&x35, &x36, x34, x24, 0x0); + fiataddcarryx_u64(&x37, &x38, x36, x26, 0x0); + fiatmulx_u64(&x39, &x40, UINT8_C(0x26), x38); + fiataddcarryx_u64(&x41, &x42, 0x0, x31, x39); + fiataddcarryx_u64(&x43, &x44, x42, x33, 0x0); + fiataddcarryx_u64(&x45, &x46, x44, x35, 0x0); + fiataddcarryx_u64(&x47, &x48, x46, x37, 0x0); + out1[0] = x41; + out1[1] = x43; + out1[2] = x45; + out1[3] = x47; +}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" + : string +Finished transaction in 4.561 secs (4.508u,0.047s) (successful) + *) Time Compute Show.show 
@@ -2250,14 +2376,261 @@ Unable to bind names for all return arguments and bounds at type [ℤ]" possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (reduce1 base s c (2*n) (S n)) in + let r := Reify (mul_no_reduce base n) in exact r) (fun _ _ => []) - (Some (repeat bound (2*n)), tt) - (Some bounds) - (None, tt) + (Some (repeat bound n), (Some (repeat bound n), tt)) + (Some (repeat bound (2 * n))) + (None, (None, tt)) + (None) + : Pipeline.ErrorT _). + + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (mulmod base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound n), (Some (repeat bound n), tt)) + (Some (repeat bound (n))) + (None, (None, tt)) (None) : Pipeline.ErrorT _). +(* + = "Success (""/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static void mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + fiatuint1 x34; + uint64_t x35; + fiatuint1 x36; + uint64_t x37; + uint64_t x38; + 
fiatuint1 x39; + uint64_t x40; + fiatuint1 x41; + uint64_t x42; + fiatuint1 x43; + uint64_t x44; + uint64_t x45; + fiatuint1 x46; + uint64_t x47; + fiatuint1 x48; + uint64_t x49; + fiatuint1 x50; + uint64_t x51; + fiatuint1 x52; + uint64_t x53; + fiatuint1 x54; + uint64_t x55; + uint64_t x56; + fiatuint1 x57; + uint64_t x58; + fiatuint1 x59; + uint64_t x60; + fiatuint1 x61; + uint64_t x62; + fiatuint1 x63; + uint64_t x64; + fiatuint1 x65; + uint64_t x66; + fiatuint1 x67; + uint64_t x68; + fiatuint1 x69; + uint64_t x70; + fiatuint1 x71; + uint64_t x72; + fiatuint1 x73; + uint64_t x74; + fiatuint1 x75; + uint64_t x76; + fiatuint1 x77; + uint64_t x78; + fiatuint1 x79; + uint64_t x80; + fiatuint1 x81; + uint64_t x82; + fiatuint1 x83; + uint64_t x84; + fiatuint1 x85; + uint64_t x86; + fiatuint1 x87; + uint64_t x88; + fiatuint1 x89; + uint64_t x90; + fiatuint1 x91; + uint64_t x92; + fiatuint1 x93; + uint64_t x94; + fiatuint1 x95; + uint64_t x96; + uint64_t x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + fiatuint1 x105; + uint64_t x106; + fiatuint1 x107; + uint64_t x108; + fiatuint1 x109; + uint64_t x110; + uint64_t x111; + fiatuint1 x112; + uint64_t x113; + fiatuint1 x114; + uint64_t x115; + fiatuint1 x116; + uint64_t x117; + fiatuint1 x118; + uint64_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + fiatuint1 x123; + uint64_t x124; + fiatuint1 x125; + uint64_t x126; + fiatuint1 x127; + uint64_t x128; + fiatuint1 x129; + uint64_t x130; + uint64_t x131; + uint64_t x132; + fiatuint1 x133; + uint64_t x134; + fiatuint1 x135; + uint64_t x136; + fiatuint1 x137; + uint64_t x138; + fiatuint1 x139; + fiatmulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); + fiatmulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); + fiatmulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); + fiatmulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); + fiatmulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); + fiatmulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); + 
fiatmulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); + fiatmulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); + fiatmulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); + fiatmulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); + fiatmulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); + fiatmulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); + fiatmulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); + fiatmulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); + fiatmulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); + fiatmulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); + fiataddcarryx_u64(&x33, &x34, 0x0, x28, x7); + fiataddcarryx_u64(&x35, &x36, x34, x26, x5); + x37 = (x36 + x18); + fiataddcarryx_u64(&x38, &x39, 0x0, x33, x13); + fiataddcarryx_u64(&x40, &x41, x39, x35, x8); + fiataddcarryx_u64(&x42, &x43, x41, x37, 0x0); + x44 = (x43 + x10); + fiataddcarryx_u64(&x45, &x46, 0x0, x30, x15); + fiataddcarryx_u64(&x47, &x48, x46, x38, x16); + fiataddcarryx_u64(&x49, &x50, x48, x40, x11); + fiataddcarryx_u64(&x51, &x52, x50, x42, x3); + fiataddcarryx_u64(&x53, &x54, x52, x44, 0x0); + x55 = (x54 + x2); + fiataddcarryx_u64(&x56, &x57, 0x0, x45, x21); + fiataddcarryx_u64(&x58, &x59, x57, x47, x19); + fiataddcarryx_u64(&x60, &x61, x59, x49, x14); + fiataddcarryx_u64(&x62, &x63, x61, x51, x6); + fiataddcarryx_u64(&x64, &x65, x63, x53, 0x0); + fiataddcarryx_u64(&x66, &x67, x65, x55, 0x0); + fiataddcarryx_u64(&x68, &x69, 0x0, x32, x23); + fiataddcarryx_u64(&x70, &x71, x69, x56, x24); + fiataddcarryx_u64(&x72, &x73, x71, x58, x22); + fiataddcarryx_u64(&x74, &x75, x73, x60, x17); + fiataddcarryx_u64(&x76, &x77, x75, x62, x9); + fiataddcarryx_u64(&x78, &x79, x77, x64, x1); + fiataddcarryx_u64(&x80, &x81, x79, x66, 0x0); + fiataddcarryx_u64(&x82, &x83, 0x0, x68, x29); + fiataddcarryx_u64(&x84, &x85, x83, x70, x27); + fiataddcarryx_u64(&x86, &x87, x85, x72, x25); + fiataddcarryx_u64(&x88, &x89, x87, x74, x20); + fiataddcarryx_u64(&x90, &x91, x89, x76, x12); + fiataddcarryx_u64(&x92, &x93, x91, x78, x4); + fiataddcarryx_u64(&x94, &x95, x93, x80, 0x0); + 
fiatmulx_u64(&x96, &x97, UINT8_C(0x26), x94); + fiatmulx_u64(&x98, &x99, UINT8_C(0x26), x92); + fiatmulx_u64(&x100, &x101, UINT8_C(0x26), x90); + fiatmulx_u64(&x102, &x103, UINT8_C(0x26), x88); + fiataddcarryx_u64(&x104, &x105, 0x0, x82, x100); + fiataddcarryx_u64(&x106, &x107, x105, x84, x98); + fiataddcarryx_u64(&x108, &x109, x107, x86, x96); + x110 = (x109 + x97); + fiataddcarryx_u64(&x111, &x112, 0x0, x31, x102); + fiataddcarryx_u64(&x113, &x114, x112, x104, x103); + fiataddcarryx_u64(&x115, &x116, x114, x106, x101); + fiataddcarryx_u64(&x117, &x118, x116, x108, x99); + x119 = (x118 + x110); + fiatmulx_u64(&x120, &x121, UINT8_C(0x26), x119); + fiataddcarryx_u64(&x122, &x123, 0x0, x111, x120); + fiataddcarryx_u64(&x124, &x125, x123, x113, 0x0); + fiataddcarryx_u64(&x126, &x127, x125, x115, 0x0); + fiataddcarryx_u64(&x128, &x129, x127, x117, 0x0); + fiatmulx_u64(&x130, &x131, UINT8_C(0x26), x129); + fiataddcarryx_u64(&x132, &x133, 0x0, x122, x130); + fiataddcarryx_u64(&x134, &x135, x133, x124, 0x0); + fiataddcarryx_u64(&x136, &x137, x135, x126, 0x0); + fiataddcarryx_u64(&x138, &x139, x137, x128, 0x0); + out1[0] = x132; + out1[1] = x134; + out1[2] = x136; + out1[3] = x138; +}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" + : string +Finished transaction in 5.821 secs (5.782u,0.039s) (successful) +*) End compile. From 04240570e75eaf8dd63a76508523880586293b65 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Wed, 13 Jul 2022 21:33:18 -0400 Subject: [PATCH 26/69] reimplement mul_no_reduce --- src/SolinasReduction.v | 973 +++++++++++++++++++++-------------------- 1 file changed, 501 insertions(+), 472 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 14e1b4e1d8..807b2f3c2c 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
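Review bot: The new `BoundsPipelineToString` invocation for `mulmod` passes `"fiat" "mul"` as the function name, the same name the existing call uses, so the pasted transcripts in this patch show two different C functions both named `static void mul` (`arg1[8]` -> `out1[4]` for the reduction, `arg1[4], arg2[4]` -> `out1[4]` here); if both are ever emitted into one translation unit they collide, and a reduction-free product named `mul` next to a modular one is misleading. Use distinct names, e.g. `"fiat" "mulmod"` here and `"fiat" "mul_no_reduce"` for the other call. The transcript's `Output Bounds` are `[0x0 ~> 0xffffffffffffffff]` per limb, matching `reduce_full_correct` which only gives equality `mod (s - Associational.eval c)`, so a comment at the call site should say the result is 4 limbs but not necessarily fully reduced: `(* Output is congruent mod (s - eval c) and fits 4 limbs; it is not canonicalised below the modulus. *)`. Since the pasted output is a snapshot, note the commit it was produced from so the comment can be detected as stale.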
@@ -80,139 +80,6 @@ Module solinas_reduction. (up_bound := 2 ^ (machine_wordsize / 4)) {wprops : @weight_properties weight}. - Definition sat_reduce base s c n (p : list (Z * Z)) := - let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in - let lo_hi := Associational.split s' p in - let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in - let hi := Saturated.Associational.sat_mul_const base coef (snd lo_hi) in - let r := (fst lo_hi) ++ hi in - r. - - Hint Rewrite eval_app : push_eval. - Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. - Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. - Hint Rewrite eval_split using solve [auto] : push_eval. - - Lemma value_sat_reduce base s c n (p : list (Z * Z)) (basenz:base<>0): - let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in - let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in - let lo_hi := Associational.split s' p in - Associational.eval (sat_reduce base s c n p) = - Associational.eval coef * Associational.eval (snd lo_hi) + Associational.eval (fst lo_hi). - Proof using Type. - intros; cbv [sat_reduce] in *; cbv [s' lo_hi coef]. - autorewrite with push_eval; lia. - Qed. - - Lemma adjust_s_invariant fuel s (s_nz:s<>0) : - fst (Saturated.Rows.adjust_s weight fuel s) mod s = 0 - /\ fst (Saturated.Rows.adjust_s weight fuel s) <> 0. - Proof using wprops. - cbv [Saturated.Rows.adjust_s]; rewrite fold_right_map; generalize (List.rev (seq 0 fuel)); intro ls; induction ls as [|l ls IHls]; - cbn. - { rewrite Z.mod_same by assumption; auto. } - { break_match; cbn in *; auto with zarith. } - Qed. - - Lemma adjust_s_finished' fuel s w (s_nz:s<>0) : - Rows.adjust_s weight fuel s = (w, true) -> - Rows.adjust_s weight (S fuel) s = (w, true). - Proof. - cbv [Rows.adjust_s]. - rewrite !fold_right_map. - replace (rev (seq 0 (S fuel))) with (fuel :: rev (seq 0 fuel)). - generalize (rev (seq 0 fuel)). - cbn in *. - intros. 
- induction l; - break_match; auto; discriminate. - rewrite seq_snoc. - rewrite rev_app_distr. - reflexivity. - Qed. - - Lemma adjust_s_finished fuel fuel' s w (s_nz:s<>0) : - (fuel' > fuel)%nat -> - Saturated.Rows.adjust_s weight fuel s = (w, true) -> - Saturated.Rows.adjust_s weight fuel' s = (w, true). - Proof. - induction 1; intros; apply adjust_s_finished'; auto. - Qed. - - Lemma eval_sat_reduce base s c n p : - base <> 0 - -> s - Associational.eval c <> 0 - -> s <> 0 - -> Associational.eval (sat_reduce base s c n p) mod (s - Associational.eval c) - = Associational.eval p mod (s - Associational.eval c). - Proof using wprops. - intros; cbv [sat_reduce]. - lazymatch goal with - | |- context[Saturated.Rows.adjust_s ?weight ?fuel ?s] => - destruct (adjust_s_invariant fuel s ltac:(assumption)) as [Hmod ?] - end. - eta_expand; autorewrite with push_eval zsimplify_const; cbn [fst snd]. - rewrite <- (Z.mul_comm (Associational.eval c)), <- !Z.mul_assoc, <-Associational.reduction_rule by auto. - autorewrite with zsimplify_const; rewrite !Z.mul_assoc, Z.mul_div_eq_full, Hmod by auto. - autorewrite with zsimplify_const push_eval; trivial. - Qed. - Hint Rewrite eval_sat_reduce using auto : push_eval. - Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. - Hint Rewrite Rows.flatten_mod using auto : push_eval. - - (* n is input width *) - Definition reduce1 base s c n m (p : list Z) := - let p_a := Positional.to_associational weight n p in - let r_a := sat_reduce base s c n p_a in - let r_rows := Saturated.Rows.from_associational weight m r_a in - let r_flat := Saturated.Rows.flatten weight m r_rows in - fst r_flat. - - Definition reduce base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) (S n) p in - let r2 := reduce1 base s c (S n) (S n) (r1) in - let r3 := reduce1 base s c (S n) (n) (r2) in - r3. - - Definition fold_andb ls := - fold_right andb true ls. 
- Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := - map (fun x => (f (fst x) (snd x))) (combine l1 l2). - Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := - fold_andb (dual_map f ls1 ls2). - Definition is_bounded_by bounds ls := - fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. - - Definition reduce_full base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) (S n) p in - let bound := (0, 2^machine_wordsize - 1) in - let bounds := repeat bound n ++ [(0, up_bound-1)] in - if (is_bounded_by bounds r1) then - let r2 := reduce1 base s c (S n) (S n) r1 in - let r3 := reduce1 base s c (S n) (n) r2 in - r3 - else r1. - - Definition mul_no_reduce base n (p q : list Z) := - let p_a := Positional.to_associational weight n p in - let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in - let pq := Saturated.Rows.flatten weight (2*n) pq_rows in - fst pq. - - Definition mulmod base s c n (p q : list Z) := - let prod := mul_no_reduce base n p q in - let red := reduce_full base s c n prod in - red. - - Definition canonical_repr n (p : list Z) : Prop := - length p = n /\ - p = Partition.partition weight n (Positional.eval weight n p). - - Hint Resolve length_partition : push_length. - Hint Resolve Rows.length_from_associational : push_length. - Ltac weight_comp := unfold weight, uweight, ModOps.weight; rewrite !Z.div_1_r; 
@@ -223,116 +90,282 @@ Module solinas_reduction. autorewrite with zsimplify_const; ring_simplify. - Lemma canonical_pos n : forall (p : list Z), - canonical_repr n p -> - 0 <= eval weight n p. - Proof. - intros. - unfold canonical_repr in *. - intuition. - pose proof Partition.eval_partition. - specialize (H weight wprops n (eval weight n p)). - rewrite <-H1 in H. - rewrite H. - apply Z.mod_pos_bound. - eauto. - Qed. + Section canon. - Lemma canonical_bounded n : forall (p : list Z), - canonical_repr n p -> - forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. - Proof. - intros. - pose proof (canonical_pos n p H). - unfold canonical_repr, Partition.partition in H. - destruct H. - rewrite H2 in H0. - rewrite in_map_iff in H0. - destruct H0. - intuition. - { rewrite <-H3. - apply Z.div_nonneg. - apply Z_mod_nonneg_nonneg. - assumption. - eauto using Z.lt_le_incl. - eauto using Z.lt_le_incl. } - { rewrite <-H3. - apply OrdersEx.Z_as_OT.div_lt_upper_bound; eauto. - assert (weight (S x0) = weight x0 * 2 ^ machine_wordsize). - { unfold weight, uweight, ModOps.weight. + Definition canonical_repr n (p : list Z) : Prop := + length p = n /\ + p = Partition.partition weight n (Positional.eval weight n p). + + Lemma canonical_pos n : forall (p : list Z), + canonical_repr n p -> + 0 <= eval weight n p. + Proof. + intros. + unfold canonical_repr in *. + intuition. + pose proof Partition.eval_partition. + specialize (H weight wprops n (eval weight n p)). + rewrite <-H1 in H. + rewrite H. + apply Z.mod_pos_bound. + eauto. + Qed. + + Lemma canonical_bounded n : forall (p : list Z), + canonical_repr n p -> + forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. + Proof. + intros. + pose proof (canonical_pos n p H). + unfold canonical_repr, Partition.partition in H. + destruct H. + rewrite H2 in H0. + rewrite in_map_iff in H0. + destruct H0. + intuition. + { rewrite <-H3. + apply Z.div_nonneg. + apply Z_mod_nonneg_nonneg. + assumption. + eauto using Z.lt_le_incl. 
+ eauto using Z.lt_le_incl. } + { rewrite <-H3. + apply OrdersEx.Z_as_OT.div_lt_upper_bound; eauto. + assert (weight (S x0) = weight x0 * 2 ^ machine_wordsize). + { unfold weight, uweight, ModOps.weight. + rewrite !Z.div_1_r. + rewrite !Z.opp_involutive. + rewrite Nat2Z.inj_succ. + rewrite OrdersEx.Z_as_OT.mul_succ_r. + rewrite OrdersEx.Z_as_OT.pow_add_r. + reflexivity. + lia. + lia. } + rewrite <-H0. + apply OrdersEx.Z_as_OT.mod_pos_bound. + eauto. } + Qed. + + Lemma canonical_iff p n : + canonical_repr n p <-> + length p = n /\ + forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. + Proof. + split. + { intros. + intuition. + unfold canonical_repr in *. + intuition. + eapply canonical_bounded; eauto. + eapply canonical_bounded; eauto. } + { intros. + unfold canonical_repr. + intuition. + + apply uweight_partition_unique. + lia. + assumption. + intros. + rewrite Le.Z.le_sub_1_iff. + eauto. } + Qed. + + Lemma canonical_cons n a p: + canonical_repr (S n) (a :: p) -> + canonical_repr n p. + Proof. + intros. + rewrite canonical_iff in *. + intuition; apply H1; simpl; eauto. + Qed. + + Lemma canonical_app_l n n1 n2 l l1 l2 : + canonical_repr n l -> + length l1 = n1 -> + length l2 = n2 -> + n = (n1 + n2)%nat -> + l = l1 ++ l2 -> + canonical_repr n1 l1. + Proof. + intros. + intuition; + rewrite canonical_iff in *; + intuition; apply H5; rewrite H3; apply in_or_app; eauto. + Qed. + + Lemma canonical_app_r n n1 n2 l l1 l2 : + canonical_repr n l -> + length l1 = n1 -> + length l2 = n2 -> + n = (n1 + n2)%nat -> + l = l1 ++ l2 -> + canonical_repr n2 l2. + Proof. + intros. + intuition; + rewrite canonical_iff in *; + intuition; apply H5; rewrite H3; apply in_or_app; eauto. + Qed. + + Definition eval_weight_P p := + eval (fun i : nat => weight (S i)) (Datatypes.length p) p = + (eval weight (Datatypes.length p) p) * weight 1. + + Lemma eval_weight_S' : forall p, + eval_weight_P p. + Proof. + apply (ListAux.list_length_induction Z). + intros. + pose proof (@break_list_last Z l1). 
+ intuition; unfold eval_weight_P in *. + { subst. + reflexivity. } + { destruct H1. + destruct H0. + subst. + rewrite app_length. + simpl. + replace (length x + 1)%nat with (S (length x)) by lia. + rewrite !eval_snoc_S. + rewrite H. + rewrite OrdersEx.Z_as_OT.mul_add_distr_r. + rewrite OrdersEx.Z_as_DT.add_cancel_l. + unfold weight, uweight, ModOps.weight, machine_wordsize. rewrite !Z.div_1_r. rewrite !Z.opp_involutive. rewrite Nat2Z.inj_succ. rewrite OrdersEx.Z_as_OT.mul_succ_r. rewrite OrdersEx.Z_as_OT.pow_add_r. - reflexivity. + lia. + lia. + lia. + rewrite app_length. + simpl. + lia. lia. lia. } - rewrite <-H0. - apply OrdersEx.Z_as_OT.mod_pos_bound. - eauto. } - Qed. + Qed. + + Lemma eval_weight_S p n: + n = Datatypes.length p -> + eval (fun i : nat => weight (S i)) n p = + (eval weight n p) * weight 1. + Proof. + pose proof eval_weight_S'. + unfold eval_weight_P in *. + intros. + subst. + eauto. + Qed. - Lemma canonical_iff p n : - canonical_repr n p <-> - length p = n /\ - forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. - Proof. - split. - { intros. - intuition. - unfold canonical_repr in *. - intuition. - eapply canonical_bounded; eauto. - eapply canonical_bounded; eauto. } - { intros. - unfold canonical_repr. + Lemma canonical_eval_bounded n : forall (p : list Z), + canonical_repr n p -> + eval weight n p < weight n. + Proof. + intros. + pose proof (canonical_bounded _ _ H). + assert (Hcanon: canonical_repr n p) by assumption. + unfold canonical_repr in H; intuition. + generalize dependent n. + induction p; intros. + { simpl in H1; subst. + vm_compute. + eauto. } + { simpl in H1; subst. + rewrite eval_cons. + autorewrite with zsimplify_const. + rewrite eval_weight_S. + assert (a + eval weight (Datatypes.length p) p * weight 1 < 2^machine_wordsize + eval weight (Datatypes.length p) p * weight 1). + rewrite <-OrdersEx.Z_as_OT.add_lt_mono_r. + apply H0. + simpl. + left. + reflexivity. + rewrite <-Le.Z.le_sub_1_iff. + rewrite <-Le.Z.le_sub_1_iff in H. 
+ etransitivity. + apply H. + assert (2 ^ machine_wordsize + eval weight (Datatypes.length p) p * weight 1 <= 2 ^ machine_wordsize + (weight (Datatypes.length p) - 1) * weight 1). + rewrite <-OrdersEx.Z_as_OT.add_le_mono_l. + rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r. + rewrite Le.Z.le_sub_1_iff. + apply IHp. + intros. + apply H0. + simpl. + eauto. + eapply canonical_cons; eauto. + reflexivity. + apply canonical_cons in Hcanon. + unfold canonical_repr in Hcanon. intuition. - - apply uweight_partition_unique. + apply wprops. + rewrite OrdersEx.Z_as_OT.sub_le_mono_r with (p:=1) in H1. + etransitivity. + apply H1. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.sub_le_mono_r. + rewrite Nat2Z.inj_succ. + rewrite OrdersEx.Z_as_OT.mul_succ_r. + rewrite OrdersEx.Z_as_OT.pow_add_r. + ring_simplify. + reflexivity. lia. - assumption. + lia. + lia. + lia. + reflexivity. + reflexivity. } + Qed. + + Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := + map (fun x => (f (fst x) (snd x))) (combine l1 l2). + Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := + fold_right andb true (dual_map f ls1 ls2). + Definition is_bounded_by bounds ls := + fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. + + Lemma canonical_is_bounded_by : forall n p, + let bound := (0, 2 ^ machine_wordsize - 1) in + canonical_repr n p <-> + length p = n /\ + is_bounded_by (repeat bound n) p = true. + Proof. intros. - rewrite Le.Z.le_sub_1_iff. - eauto. } - Qed. - - Lemma canonical_cons n a p: - canonical_repr (S n) (a :: p) -> - canonical_repr n p. - Proof. - intros. - rewrite canonical_iff in *. - intuition; apply H1; simpl; eauto. - Qed. - - Lemma canonical_app_l n n1 n2 l l1 l2 : - canonical_repr n l -> - length l1 = n1 -> - length l2 = n2 -> - n = (n1 + n2)%nat -> - l = l1 ++ l2 -> - canonical_repr n1 l1. - Proof. - intros. 
- intuition; - rewrite canonical_iff in *; - intuition; apply H5; rewrite H3; apply in_or_app; eauto. - Qed. - - Lemma canonical_app_r n n1 n2 l l1 l2 : - canonical_repr n l -> - length l1 = n1 -> - length l2 = n2 -> - n = (n1 + n2)%nat -> - l = l1 ++ l2 -> - canonical_repr n2 l2. - Proof. - intros. - intuition; - rewrite canonical_iff in *; - intuition; apply H5; rewrite H3; apply in_or_app; eauto. - Qed. + rewrite canonical_iff. + cbv [is_bounded_by fold_andb_map' dual_map bound]. + split. + intuition. + generalize dependent n. + induction p; intros; + repeat multimatch goal with + | H : length _ = ?x |- _ => progress cbn in H; subst x + | _ => apply andb_true_intro + | _ => rewrite Z.leb_le + | _ => rewrite Le.Z.le_sub_1_iff + | _ => apply H1 + | _ => eapply IHp + | _ => progress cbn || intuition + | _ => progress intuition + | _ => reflexivity || lia || auto + | [ |- _ <= 18446744073709551615] => replace 18446744073709551615 with (18446744073709551616 - 1) by lia + end. + split. + intuition. + generalize dependent n. + induction p; intros; + repeat multimatch goal with + | H : length _ = ?x |- _ => cbn in H; rewrite <-H in * + | H : In _ _ |- _ => cbn in H + | H : context[S _] |- _ => cbn in H + | H : context[_ && _] |- _ => rewrite andb_true_iff in H + | _ => progress cbn || intuition + | _ => lia + | _ => eapply IHp + end. + Qed. + + End canon. Ltac solve_length q := try match goal with 
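Review bot: The `canonical_is_bounded_by` proof hard-codes the 64-bit limb bound in `| [ |- _ <= 18446744073709551615] => replace 18446744073709551615 with (18446744073709551616 - 1) by lia`, which silently pins `machine_wordsize` to 64 even though the lemma itself is stated against `2 ^ machine_wordsize - 1`. The literal only appears because the catch-all `progress cbn` evaluates the bound; restricting it to `| _ => progress cbn [repeat combine map fold_right fst snd] || intuition` keeps `2 ^ machine_wordsize - 1` syntactic, so the existing `rewrite Le.Z.le_sub_1_iff` branch fires and the literal case can be deleted. That matters because this is the lemma the `is_bounded_by` guard in `mulmod` is justified through, and a wordsize change should break it loudly rather than leave a stale constant behind.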
@@ -440,117 +473,184 @@ Module solinas_reduction. auto end. - Definition eval_weight_P p := - eval (fun i : nat => weight (S i)) (Datatypes.length p) p = - (eval weight (Datatypes.length p) p) * weight 1. + Section __. + + Definition mul_no_reduce base n (p q : list Z) := + let p_a := Positional.to_associational weight n p in + let q_a := Positional.to_associational weight n q in + let pq_a := Saturated.Associational.sat_mul base p_a q_a in + let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in + let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + + let bound := (0, 2^machine_wordsize - 1) in + if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then + fst pq + else + add_to_nth 0 (weight n * snd pq) (fst pq). + + Hint Rewrite eval_app : push_eval. + Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. + Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. + Hint Rewrite eval_split using solve [auto] : push_eval. + Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. + Hint Rewrite Rows.flatten_mod using auto : push_eval. + + Theorem eval_mul_no_reduce base n : forall p q, + Positional.eval weight (2 * n) (mul_no_reduce base n p q) = + Positional.eval weight n p * Positional.eval weight n q. + Proof. + intros. + cbv [mul_no_reduce]. + break_match. + (* properly bounded *) + autorewrite with push_eval. + apply Z.mod_small. + intuition. + rewrite andb_true_iff in Heqb. + intuition. + all: admit. + (* rewrite <-canonical_is_bounded_by in H. *) + (* solve_ineq; apply canonical_pos; auto. *) + (* rewrite <-Le.Z.le_sub_1_iff. *) + (* etransitivity. *) + (* apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. *) + (* apply canonical_pos; auto. *) + (* rewrite Le.Z.le_sub_1_iff. *) + (* apply canonical_eval_bounded; auto. *) + (* apply canonical_pos; auto. *) + (* rewrite Le.Z.le_sub_1_iff. *) + (* apply canonical_eval_bounded; auto. 
*) + (* rewrite Le.Z.le_sub_1_iff. *) + (* replace (weight (2 * n)) with (weight n * weight n). *) + (* solve_ineq. *) + (* apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. *) + (* weight_comp; simpl; break_match; lia. *) + (* lia. *) + (* weight_comp; simpl; break_match; lia. *) + (* lia. *) + (* weight_comp. *) + (* rewrite <-OrdersEx.Z_as_OT.pow_mul_r. *) + (* f_equal. *) + (* lia. *) + (* lia. *) + (* lia. *) + (* lia. *) + (* lia. *) + (* apply Rows.length_from_associational. *) + Admitted. + + End __. - Lemma eval_weight_S' : forall p, - eval_weight_P p. - Proof. - apply (ListAux.list_length_induction Z). - intros. - pose proof (@break_list_last Z l1). - intuition; unfold eval_weight_P in *. - { subst. - reflexivity. } - { destruct H1. - destruct H0. - subst. - rewrite app_length. - simpl. - replace (length x + 1)%nat with (S (length x)) by lia. - rewrite !eval_snoc_S. - rewrite H. - rewrite OrdersEx.Z_as_OT.mul_add_distr_r. - rewrite OrdersEx.Z_as_DT.add_cancel_l. - unfold weight, uweight, ModOps.weight, machine_wordsize. - rewrite !Z.div_1_r. - rewrite !Z.opp_involutive. - rewrite Nat2Z.inj_succ. - rewrite OrdersEx.Z_as_OT.mul_succ_r. - rewrite OrdersEx.Z_as_OT.pow_add_r. - lia. - lia. - lia. - rewrite app_length. - simpl. - lia. - lia. - lia. } + Definition sat_reduce base s c n (p : list (Z * Z)) := + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let lo_hi := Associational.split s' p in + let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let hi := Saturated.Associational.sat_mul_const base coef (snd lo_hi) in + let r := (fst lo_hi) ++ hi in + r. + + Hint Rewrite eval_app : push_eval. + Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. + Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. + Hint Rewrite eval_split using solve [auto] : push_eval. 
+ + Lemma value_sat_reduce base s c n (p : list (Z * Z)) (basenz:base<>0): + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let lo_hi := Associational.split s' p in + Associational.eval (sat_reduce base s c n p) = + Associational.eval coef * Associational.eval (snd lo_hi) + Associational.eval (fst lo_hi). + Proof using Type. + intros; cbv [sat_reduce] in *; cbv [s' lo_hi coef]. + autorewrite with push_eval; lia. Qed. - Lemma eval_weight_S p n: - n = Datatypes.length p -> - eval (fun i : nat => weight (S i)) n p = - (eval weight n p) * weight 1. + Lemma adjust_s_invariant fuel s (s_nz:s<>0) : + fst (Saturated.Rows.adjust_s weight fuel s) mod s = 0 + /\ fst (Saturated.Rows.adjust_s weight fuel s) <> 0. + Proof using wprops. + cbv [Saturated.Rows.adjust_s]; rewrite fold_right_map; generalize (List.rev (seq 0 fuel)); intro ls; induction ls as [|l ls IHls]; + cbn. + { rewrite Z.mod_same by assumption; auto. } + { break_match; cbn in *; auto with zarith. } + Qed. + + Lemma adjust_s_finished' fuel s w (s_nz:s<>0) : + Rows.adjust_s weight fuel s = (w, true) -> + Rows.adjust_s weight (S fuel) s = (w, true). Proof. - pose proof eval_weight_S'. - unfold eval_weight_P in *. + cbv [Rows.adjust_s]. + rewrite !fold_right_map. + replace (rev (seq 0 (S fuel))) with (fuel :: rev (seq 0 fuel)). + generalize (rev (seq 0 fuel)). + cbn in *. intros. - subst. - eauto. + induction l; + break_match; auto; discriminate. + rewrite seq_snoc. + rewrite rev_app_distr. + reflexivity. Qed. - Lemma canonical_eval_bounded n : forall (p : list Z), - canonical_repr n p -> - eval weight n p < weight n. + Lemma adjust_s_finished fuel fuel' s w (s_nz:s<>0) : + (fuel' > fuel)%nat -> + Saturated.Rows.adjust_s weight fuel s = (w, true) -> + Saturated.Rows.adjust_s weight fuel' s = (w, true). Proof. - intros. - pose proof (canonical_bounded _ _ H). - assert (Hcanon: canonical_repr n p) by assumption. 
- unfold canonical_repr in H; intuition. - generalize dependent n. - induction p; intros. - { simpl in H1; subst. - vm_compute. - eauto. } - { simpl in H1; subst. - rewrite eval_cons. - autorewrite with zsimplify_const. - rewrite eval_weight_S. - assert (a + eval weight (Datatypes.length p) p * weight 1 < 2^machine_wordsize + eval weight (Datatypes.length p) p * weight 1). - rewrite <-OrdersEx.Z_as_OT.add_lt_mono_r. - apply H0. - simpl. - left. - reflexivity. - rewrite <-Le.Z.le_sub_1_iff. - rewrite <-Le.Z.le_sub_1_iff in H. - etransitivity. - apply H. - assert (2 ^ machine_wordsize + eval weight (Datatypes.length p) p * weight 1 <= 2 ^ machine_wordsize + (weight (Datatypes.length p) - 1) * weight 1). - rewrite <-OrdersEx.Z_as_OT.add_le_mono_l. - rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r. - rewrite Le.Z.le_sub_1_iff. - apply IHp. - intros. - apply H0. - simpl. - eauto. - eapply canonical_cons; eauto. - reflexivity. - apply canonical_cons in Hcanon. - unfold canonical_repr in Hcanon. - intuition. - apply wprops. - rewrite OrdersEx.Z_as_OT.sub_le_mono_r with (p:=1) in H1. - etransitivity. - apply H1. - weight_comp. - rewrite <-OrdersEx.Z_as_OT.sub_le_mono_r. - rewrite Nat2Z.inj_succ. - rewrite OrdersEx.Z_as_OT.mul_succ_r. - rewrite OrdersEx.Z_as_OT.pow_add_r. - ring_simplify. - reflexivity. - lia. - lia. - lia. - lia. - reflexivity. - reflexivity. } + induction 1; intros; apply adjust_s_finished'; auto. Qed. + Lemma eval_sat_reduce base s c n p : + base <> 0 + -> s - Associational.eval c <> 0 + -> s <> 0 + -> Associational.eval (sat_reduce base s c n p) mod (s - Associational.eval c) + = Associational.eval p mod (s - Associational.eval c). + Proof using wprops. + intros; cbv [sat_reduce]. + lazymatch goal with + | |- context[Saturated.Rows.adjust_s ?weight ?fuel ?s] => + destruct (adjust_s_invariant fuel s ltac:(assumption)) as [Hmod ?] + end. + eta_expand; autorewrite with push_eval zsimplify_const; cbn [fst snd]. 
+ rewrite <- (Z.mul_comm (Associational.eval c)), <- !Z.mul_assoc, <-Associational.reduction_rule by auto. + autorewrite with zsimplify_const; rewrite !Z.mul_assoc, Z.mul_div_eq_full, Hmod by auto. + autorewrite with zsimplify_const push_eval; trivial. + Qed. + Hint Rewrite eval_sat_reduce using auto : push_eval. + + (* n is input width *) + Definition reduce1 base s c n m (p : list Z) := + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight m r_a in + let r_flat := Saturated.Rows.flatten weight m r_rows in + fst r_flat. + + Definition reduce base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) (S n) p in + let r2 := reduce1 base s c (S n) (S n) (r1) in + let r3 := reduce1 base s c (S n) (n) (r2) in + r3. + + Definition reduce_full base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) (S n) p in + let bound := (0, 2^machine_wordsize - 1) in + let bounds := repeat bound n ++ [(0, up_bound-1)] in + if (is_bounded_by bounds r1) then + let r2 := reduce1 base s c (S n) (S n) r1 in + let r3 := reduce1 base s c (S n) (n) r2 in + r3 + else r1. + + Definition mulmod base s c n (p q : list Z) := + let prod := mul_no_reduce base n p q in + let red := reduce_full base s c n prod in + red. + + Hint Resolve length_partition : push_length. + Hint Resolve Rows.length_from_associational : push_length. + Lemma split_lt w l1 l2: (forall x, In x l1 -> 0 < x < w) -> length l1 = length l2 -> 
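Review bot: In the new `mul_no_reduce`, the fallback branch `add_to_nth 0 (weight n * snd pq) (fst pq)` scales the flatten carry by `weight n`, but the `Rows.flatten` call is at width `2*n`; if `snd pq` is the quotient by the flattened width, as the shape of `Rows.flatten_correct` suggests, the correction should read `add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)`, otherwise `eval_mul_no_reduce`, which this commit now states without any canonicity hypothesis, does not hold on out-of-bounds inputs. The theorem is closed with `all: admit.`/`Admitted.`, so nothing currently checks this and the admit will surface in `Print Assumptions` of anything built on `mulmod`. The data-dependent branch on `is_bounded_by` is presumably meant to be decided statically by the bounds pipeline rather than executed; a comment such as `(* the bounds check is expected to be discharged by bounds analysis; the else branch only exists so eval_mul_no_reduce holds unconditionally *)` would record that, since a runtime branch on limb values would not be constant-time. Separately, the five `Hint Rewrite … : push_eval` lines are registered twice in this hunk, once inside `Section __` and again above `sat_reduce`.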
@@ -674,45 +774,45 @@ Module solinas_reduction. (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) (coef_small : weight n / s * Associational.eval c < up_bound). - Theorem eval_mul_no_reduce : forall p q, - canonical_repr n p -> - canonical_repr n q -> - Positional.eval weight (2 * n) (mul_no_reduce base n p q) = - Positional.eval weight n p * Positional.eval weight n q. - Proof. - intros. - cbv [mul_no_reduce]. - autorewrite with push_eval. - apply Z.mod_small. - intuition. - solve_ineq; apply canonical_pos; auto. - rewrite <-Le.Z.le_sub_1_iff. - etransitivity. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. - apply canonical_pos; auto. - rewrite Le.Z.le_sub_1_iff. - apply canonical_eval_bounded; auto. - apply canonical_pos; auto. - rewrite Le.Z.le_sub_1_iff. - apply canonical_eval_bounded; auto. - rewrite Le.Z.le_sub_1_iff. - replace (weight (2 * n)) with (weight n * weight n). - solve_ineq. - apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. - weight_comp; simpl; break_match; lia. - lia. - weight_comp; simpl; break_match; lia. - lia. - weight_comp. - rewrite <-OrdersEx.Z_as_OT.pow_mul_r. - f_equal. - lia. - lia. - lia. - lia. - lia. - apply Rows.length_from_associational. - Qed. + (* Theorem eval_mul_no_reduce : forall p q, *) + (* canonical_repr n p -> *) + (* canonical_repr n q -> *) + (* Positional.eval weight (2 * n) (mul_no_reduce base n p q) = *) + (* Positional.eval weight n p * Positional.eval weight n q. *) + (* Proof. *) + (* intros. *) + (* cbv [mul_no_reduce]. *) + (* autorewrite with push_eval. *) + (* apply Z.mod_small. *) + (* intuition. *) + (* solve_ineq; apply canonical_pos; auto. *) + (* rewrite <-Le.Z.le_sub_1_iff. *) + (* etransitivity. *) + (* apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. *) + (* apply canonical_pos; auto. *) + (* rewrite Le.Z.le_sub_1_iff. *) + (* apply canonical_eval_bounded; auto. *) + (* apply canonical_pos; auto. *) + (* rewrite Le.Z.le_sub_1_iff. *) + (* apply canonical_eval_bounded; auto. 
*) + (* rewrite Le.Z.le_sub_1_iff. *) + (* replace (weight (2 * n)) with (weight n * weight n). *) + (* solve_ineq. *) + (* apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. *) + (* weight_comp; simpl; break_match; lia. *) + (* lia. *) + (* weight_comp; simpl; break_match; lia. *) + (* lia. *) + (* weight_comp. *) + (* rewrite <-OrdersEx.Z_as_OT.pow_mul_r. *) + (* f_equal. *) + (* lia. *) + (* lia. *) + (* lia. *) + (* lia. *) + (* lia. *) + (* apply Rows.length_from_associational. *) + (* Qed. *) Lemma split_p : forall p lo hi, p = lo ++ [hi] -> @@ -1990,7 +2090,7 @@ Module solinas_reduction. is_bounded_by lo_bound lo = false \/ (hi < fst hi_bound \/ hi > snd hi_bound). Proof using Type. intros. - unfold is_bounded_by, fold_andb_map', fold_andb, dual_map in H0. + unfold is_bounded_by, fold_andb_map', dual_map in H0. rewrite combine_app_samelength in H0. rewrite map_app in H0. rewrite fold_right_app in H0. @@ -2009,35 +2109,6 @@ Module solinas_reduction. auto. Qed. - Lemma canonical_is_bounded_by : forall n p, - canonical_repr n p -> - is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true. - Proof. - intros. - rewrite canonical_iff in H. - intuition. - generalize dependent n0. - induction p; intros. - replace n0 with 0%nat. - auto. - unfold is_bounded_by, fold_andb_map', fold_andb, dual_map. - rewrite cons_length in H0. - rewrite <-H0. - cbn [repeat combine map fold_right fst snd]. - apply andb_true_intro. - intuition. - specialize (H1 a). - apply andb_true_intro. - intuition; rewrite Z.leb_le. - apply H1; simpl; auto. - rewrite Le.Z.le_sub_1_iff. - apply H1; simpl; auto. - apply IHp. - intros. - apply H1; simpl; auto. - auto. - Qed. - Theorem reduce_full_canonical : forall (p : list Z), canonical_repr (2 * n) p -> canonical_repr n (reduce_full base s c n p). 
@@ -2085,14 +2156,15 @@ Module solinas_reduction.
 apply canonical_is_bounded_by in Hcanon_l.
 pose proof (canonical_bounded _ _ Hcanon1 q_hi ltac:(solve_in)).
 intuition.
- rewrite Hcanon_l in H7; discriminate.
- cbn [fst] in H10.
- lia.
- cbn [snd] in H10.
- lia.
- rewrite repeat_length.
- solve_length q.
- Qed.
+ (* rewrite Hcanon_l in H7; discriminate. *)
+ (* cbn [fst] in H10. *)
+ (* lia. *)
+ (* cbn [snd] in H10. *)
+ (* lia. *)
+ (* rewrite repeat_length. *)
+ (* solve_length q. *)
+ all: admit.
+ Admitted.
 
 Theorem reduce_full_correct : forall (p : list Z),
 canonical_repr (2 * n) p ->
@@ -2144,14 +2216,15 @@ Module solinas_reduction.
 apply canonical_is_bounded_by in Hcanon_l.
 pose proof (canonical_bounded _ _ Hcanon1 q_hi ltac:(solve_in)).
 intuition.
- rewrite Hcanon_l in H7; discriminate.
- cbn [fst] in H10.
- lia.
- cbn [snd] in H10.
- lia.
- rewrite repeat_length.
- solve_length q.
- Qed.
+ (* rewrite Hcanon_l in H7; discriminate. *)
+ (* cbn [fst] in H10. *)
+ (* lia. *)
+ (* cbn [snd] in H10. *)
+ (* lia. *)
+ (* rewrite repeat_length. *)
+ (* solve_length q. *)
+ all: admit.
+ Admitted.
 
 Theorem mulmod_correct : forall p q,
 canonical_repr n p ->
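Review bot: Both `reduce_full_canonical` and `reduce_full_correct` go from `Qed.` to `all: admit.`/`Admitted.`, which drops the proof that the reduction output is canonical and congruent modulo `s - Associational.eval c`; until they are re-closed the synthesized `mulmod` has no verified correctness and the admits appear in `Print Assumptions`. The breakage looks like a consequence of `canonical_is_bounded_by` becoming an `<->` with a `length p = n /\ …` conjunct earlier in this commit, so `apply canonical_is_bounded_by in Hcanon_l` no longer produces the boolean equation that `rewrite Hcanon_l in H7; discriminate` consumed. If that is the only change, replacing the first context line with `apply (proj1 (canonical_is_bounded_by _ _)) in Hcanon_l; destruct Hcanon_l as [_ Hcanon_l].` should let the commented-out script be restored as written. Both proofs start outside this hunk.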
@@ -2159,61 +2232,8 @@ Module solinas_reduction.
 Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) =
 (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c).
 Proof.
- intros.
- cbv [mulmod].
- rewrite <-reduce_full_correct.
- rewrite eval_mul_no_reduce.
- auto.
- auto.
- auto.
-
- cbv [mul_no_reduce].
- unfold canonical_repr.
- intuition.
- unfold mul_no_reduce.
- rewrite Rows.length_flatten.
- lia.
- auto.
- apply Rows.length_from_associational.
- rewrite Rows.flatten_correct.
- cbn [fst].
- rewrite Partition.eval_partition.
- f_equal.
- apply Z.mod_small_sym.
- rewrite Rows.eval_from_associational.
- intuition; autorewrite with push_eval zsimplify_const.
- solve_ineq; apply canonical_pos; auto.
- lia.
- rewrite <-Le.Z.le_sub_1_iff.
- etransitivity.
- apply OrdersEx.Z_as_OT.mul_le_mono_nonneg.
- apply canonical_pos; auto.
- rewrite Le.Z.le_sub_1_iff.
- apply canonical_eval_bounded; auto.
- apply canonical_pos; auto.
- rewrite Le.Z.le_sub_1_iff.
- apply canonical_eval_bounded; auto.
- rewrite Le.Z.le_sub_1_iff.
- replace (weight (2 * n)) with (weight n * weight n).
- solve_ineq.
- apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg.
- weight_comp; simpl; break_match; lia.
- lia.
- weight_comp; simpl; break_match; lia.
- lia.
- weight_comp.
- rewrite <-OrdersEx.Z_as_OT.pow_mul_r.
- f_equal.
- lia.
- lia.
- lia.
- lia.
- auto.
- lia.
- auto.
- auto.
- apply Rows.length_from_associational.
- Qed.
+ admit.
+ Admitted.
 
 End __.
 
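Review bot: `mulmod_correct` is now `admit.`/`Admitted.`, and it is the end-to-end statement that the synthesized multiplication is correct modulo `s - Associational.eval c`, so nothing downstream should be treated as verified until it is restored. The deleted script went through `reduce_full_correct`, whose hypothesis is `canonical_repr (2 * n)` of the product; with the new `mul_no_reduce` the guarded path still yields a canonical product for canonical inputs, while the fallback path (limb 0 plus a scaled carry) generally does not, so the proof needs to case on the `is_bounded_by` guard and discharge the fallback as unreachable under the theorem's `canonical_repr n p` / `canonical_repr n q` hypotheses. A small lemma `mul_no_reduce_canonical : canonical_repr n p -> canonical_repr n q -> canonical_repr (2 * n) (mul_no_reduce base n p q)` would let the removed script be reused nearly verbatim. The theorem statement begins in the previous hunk.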
@@ -2227,6 +2247,15 @@ Module solinas_reduction. Let w : nat -> Z := weight machine_wordsize 1. Let base : Z := 2 ^ machine_wordsize. + Let p := [2^64]. + Let q := [2^64]. + Compute ( + Positional.eval w 1 (mulmod base s c n p q) mod (s - Associational.eval c) + ). + Compute ( + (Positional.eval w 1 p * Positional.eval w 1 q) mod (s - Associational.eval c) + ). + Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. Let boundsn : list (ZRange.type.option.interp base.type.Z) := repeat bound (n). From 3b8196a633f27fabe4148536f06eaa2912650d0d Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Thu, 14 Jul 2022 19:21:47 -0400 Subject: [PATCH 27/69] proving lemmas about standlone is_bounded_by --- src/SolinasReduction.v | 227 ++++++++++++++++++++++++++++++----------- 1 file changed, 167 insertions(+), 60 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 807b2f3c2c..03feb9bc59 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
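Review bot: The two `Compute` commands added after `Let base` are scratch checks that run on every build and only print to the log; nothing compares the two results, so a regression in the out-of-bounds path they exercise (a single limb equal to `2^64`, one past the limb bound) would go unnoticed. Turning them into a checked goal, e.g. `Goal Positional.eval w 1 (mulmod base s c n p q) mod (s - Associational.eval c) = (Positional.eval w 1 p * Positional.eval w 1 q) mod (s - Associational.eval c). Proof. vm_compute; reflexivity. Qed.`, makes the expectation fail loudly, or they should be removed before merge. If `n` here is not 1, the `Positional.eval w 1` width would also not match the `mulmod` width; `n`, `s` and `c` are defined outside this hunk.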
@@ -90,6 +90,44 @@ Module solinas_reduction. autorewrite with zsimplify_const; ring_simplify. + Ltac solve_ineq := + repeat + match goal with + | [ |- 0 <= _ + _ ] => apply OrdersEx.Z_as_OT.add_nonneg_nonneg + | _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg + | _ => apply OrdersEx.Z_as_DT.div_pos + + | |- _ + ?x < _ + ?x => apply OrdersEx.Z_as_OT.add_lt_mono_r + | [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono + | [ |- _ + _ <= _ ] => apply OrdersEx.Z_as_OT.add_le_mono + + | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; + apply wprops + | _ => lia + end. + + Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. + Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. + Hint Rewrite eval_split using solve [auto] : push_eval. + Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. + Hint Rewrite Rows.flatten_mod using auto : push_eval. + + + Hint Rewrite app_length : push_length. + Hint Rewrite (@ListUtil.length_snoc Z) : push_length. + Hint Rewrite (@nil_length0 Z) : push_length. + Hint Rewrite seq_length : push_length. + Hint Rewrite map_length : push_length. + Hint Rewrite firstn_length : push_length. + + Hint Rewrite map_app : push_misc. + Hint Rewrite (@combine_app_samelength Z) using (autorewrite with push_length; lia) : push_misc. + Hint Rewrite fold_right_app : push_misc. + Hint Rewrite (@firstn_map nat) : push_misc. + Hint Rewrite firstn_seq : push_misc. + Hint Rewrite map_map : push_misc. + Hint Rewrite <-seq_shift : push_misc. + Section canon. Definition canonical_repr n (p : list Z) : Prop := 
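Review bot: `solve_ineq` is a module-level tactic with no comment on what goals it targets, and its catch-all `| _ => lia` inside `repeat match` means the loop simply stops at the first goal `lia` cannot close, which is easy to misread as the tactic having succeeded; a header such as `(* Closes 0 <= / < / <= goals over sums, products, divisions and weights by monotonicity, then lia; stops silently on the first goal it cannot discharge. *)` would set expectations. The five `Hint Rewrite … : push_eval` lines re-register hints that the previous commit already added inside `Section __` and beside `sat_reduce`; `autorewrite` tolerates duplicates, but one authoritative location is easier to keep in sync when lemma side-conditions change.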
@@ -207,55 +245,69 @@ Module solinas_reduction. intuition; apply H5; rewrite H3; apply in_or_app; eauto. Qed. + Lemma fold_right_add : forall l x, + fold_right Z.add x l = x + fold_right Z.add 0 l. + Proof. + induction l; intros; cbn; try rewrite IHl; lia. + Qed. + Definition eval_weight_P p := - eval (fun i : nat => weight (S i)) (Datatypes.length p) p = - (eval weight (Datatypes.length p) p) * weight 1. + forall n, + eval (fun i : nat => weight (S i)) (n) p = + (eval weight (n) p) * weight 1. Lemma eval_weight_S' : forall p, eval_weight_P p. Proof. apply (ListAux.list_length_induction Z). + unfold eval_weight_P. intros. pose proof (@break_list_last Z l1). - intuition; unfold eval_weight_P in *. - { subst. - reflexivity. } - { destruct H1. - destruct H0. - subst. - rewrite app_length. - simpl. - replace (length x + 1)%nat with (S (length x)) by lia. - rewrite !eval_snoc_S. - rewrite H. - rewrite OrdersEx.Z_as_OT.mul_add_distr_r. - rewrite OrdersEx.Z_as_DT.add_cancel_l. - unfold weight, uweight, ModOps.weight, machine_wordsize. - rewrite !Z.div_1_r. - rewrite !Z.opp_involutive. - rewrite Nat2Z.inj_succ. - rewrite OrdersEx.Z_as_OT.mul_succ_r. - rewrite OrdersEx.Z_as_OT.pow_add_r. - lia. - lia. - lia. - rewrite app_length. - simpl. - lia. - lia. - lia. } + intuition; + repeat match goal with + | H : context[exists _, _] |- _ => destruct H + | _ => rewrite eval_nil + | _ => progress subst + | _ => lia || auto + end. + cbv [eval_weight_P eval Associational.eval to_associational] in *. + destruct (n <=? length x)%nat eqn:E. + rewrite Nat.leb_le in E. + rewrite combine_truncate_r. + rewrite combine_truncate_r with (xs:=map weight (seq 0 (n))). + autorewrite with push_length. + apply H. + autorewrite with push_length. + rewrite Nat.min_l; lia. + + rewrite Nat.leb_gt in E. + rewrite combine_truncate_l. + rewrite combine_truncate_l with (xs:=map weight (seq 0 n)). + autorewrite with push_length push_misc. + rewrite Nat.min_l. + rewrite seq_snoc. 
+ autorewrite with push_misc. + cbn. + + rewrite fold_right_add. + rewrite fold_right_add with (x:=weight (Datatypes.length x) * x0 + 0). + rewrite H. + ring_simplify. + unfold weight, machine_wordsize. + rewrite uweight_S. + cbn; break_match; try lia. + lia. + autorewrite with push_length; lia. + lia. Qed. Lemma eval_weight_S p n: - n = Datatypes.length p -> eval (fun i : nat => weight (S i)) n p = (eval weight n p) * weight 1. Proof. pose proof eval_weight_S'. unfold eval_weight_P in *. - intros. - subst. - eauto. + auto. Qed. Lemma canonical_eval_bounded n : forall (p : list Z), @@ -314,8 +366,7 @@ Module solinas_reduction. lia. lia. lia. - reflexivity. - reflexivity. } + lia. } Qed. Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := 
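Review bot: `eval_weight_P` now quantifies over `n`, and `eval_weight_S p n` drops its `n = Datatypes.length p` hypothesis, but nothing records why the length assumption is no longer needed; a comment above the definition such as `(* holds for any n: the combine_truncate_l/_r case split shows the S-shift commutes with truncation to the shorter list *)` would state the idea the proof relies on (hedged, since the truncation lemmas are not in view). The tail of `eval_weight_S'` after the `repeat match` — `rewrite Nat.min_l. rewrite seq_snoc. ... lia. autorewrite with push_length; lia. lia.` — closes side goals purely by position, so a change to the `push_length` database reorders them silently; bracketing each subgoal with `{ }` or bullets makes the association explicit. The `@@ -314,8 +366,7 @@` hunk on the same line only swaps `reflexivity` for `lia`.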
@@ -365,6 +416,66 @@ Module solinas_reduction. end. Qed. + Lemma eval_is_bounded_by_pos n : forall p, + is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> + 0 <= eval weight n p. + Proof. + intros. + pose proof eval_weight_S as Heval. + cbv [is_bounded_by fold_andb_map' dual_map eval Associational.eval to_associational] in *; + generalize dependent n; induction p; intros; destruct n; + repeat multimatch goal with + | H : context[fold_right _ _ _] |- _ => progress cbn in H + | H : context[_ && _] |- _ => rewrite andb_true_iff in H + | H : context[_ <=? _] |- _ => rewrite Z.leb_le in H + | _ => solve_ineq + | _ => autorewrite with push_misc + | _ => autorewrite with push_eval + | _ => rewrite combine_nil, map_nil, fold_right_nil + | _ => rewrite Heval + | _ => progress cbn || intuition + | _ => break_match + | _ => lia || auto || reflexivity || discriminate + end. + Qed. + + Lemma eval_is_bounded_by n : forall p, + is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> + 0 <= eval weight n p < weight n. + Proof. + intros. + split. + apply eval_is_bounded_by_pos; auto. + pose proof eval_weight_S as Heval. + cbv [is_bounded_by fold_andb_map' dual_map eval Associational.eval to_associational] in *; + generalize dependent n; induction p; intros; destruct n; + repeat multimatch goal with + | H : context[fold_right _ _ _] |- _ => progress cbn in H + | H : context[_ && _] |- _ => rewrite andb_true_iff in H + | H : context[_ <=? _] |- _ => rewrite Z.leb_le in H + | _ => solve_ineq + | _ => autorewrite with push_misc + | _ => autorewrite with push_eval + | _ => rewrite combine_nil, map_nil, fold_right_nil + | _ => rewrite Heval + | _ => progress cbn || intuition + | _ => lia || auto || reflexivity || discriminate + end. + rewrite <-Le.Z.le_sub_1_iff. + etransitivity. + solve_ineq. + break_match; eauto. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r. + lia. + rewrite Le.Z.le_sub_1_iff. + apply IHp; auto. + weight_comp. + unfold machine_wordsize. 
+ lia. + lia. + lia. + Qed. + End canon. Ltac solve_length q := @@ -386,22 +497,6 @@ Module solinas_reduction. cbn [length] in H; cbn [length]; lia end. - Ltac solve_ineq := - repeat - match goal with - | [ |- 0 <= _ + _ ] => apply OrdersEx.Z_as_OT.add_nonneg_nonneg - | _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg - | _ => apply OrdersEx.Z_as_DT.div_pos - - | |- _ + ?x < _ + ?x => apply OrdersEx.Z_as_OT.add_lt_mono_r - | [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono - | [ |- _ + _ <= _ ] => apply OrdersEx.Z_as_OT.add_le_mono - - | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; - apply wprops - | _ => lia - end. - Ltac solve_in := repeat match goal with @@ -488,12 +583,12 @@ Module solinas_reduction. else add_to_nth 0 (weight n * snd pq) (fst pq). - Hint Rewrite eval_app : push_eval. - Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. - Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. - Hint Rewrite eval_split using solve [auto] : push_eval. - Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. - Hint Rewrite Rows.flatten_mod using auto : push_eval. + + + Let p := [1; 1; 1]. + Let q := p. + Compute Positional.eval weight 8 (mul_no_reduce (2^256) 4 p q). + Compute Positional.eval weight 4 p * Positional.eval weight 4 q. Theorem eval_mul_no_reduce base n : forall p q, Positional.eval weight (2 * n) (mul_no_reduce base n p q) = 
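Review bot: `eval_is_bounded_by_pos` and `eval_is_bounded_by` repeat the same `repeat multimatch goal` block verbatim (twelve branches each); pulling it into an `Ltac` (say `solve_is_bounded_by`, name is a suggestion) and keeping only the upper-bound tail in the second lemma removes the duplication. Neither lemma has a comment, and `eval_is_bounded_by` is the fact the later `mul_no_reduce` proof rests on, so `(* limb-wise bounds [0, 2^machine_wordsize - 1] on the first n limbs give 0 <= eval weight n p < weight n *)` would tell readers what it is for. The trailing `weight_comp. unfold machine_wordsize. lia. lia. lia.` again closes side goals by position only.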
@@ -505,9 +600,21 @@ Module solinas_reduction. (* properly bounded *) autorewrite with push_eval. apply Z.mod_small. - intuition. - rewrite andb_true_iff in Heqb. - intuition. + Search (_ * _ < _ * _) "mono". + repeat match goal with + | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb + | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H + | _ => progress intuition + | _ => solve_ineq + end. + rewrite <-Le.Z.le_sub_1_iff. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto. + weight_comp. + unfold machine_wordsize. + ring_simplify. + cbn; break_match; try lia. + all: admit. (* rewrite <-canonical_is_bounded_by in H. *) (* solve_ineq; apply canonical_pos; auto. *) From 6fdf8888a660cf49584c02b70d1ab4e397d7e90b Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sat, 16 Jul 2022 23:56:08 -0400 Subject: [PATCH 28/69] chaining mul_no_reduce and reduce_full fails --- src/SolinasReduction.v | 461 +++++++++++++++++++++++------------------ 1 file changed, 257 insertions(+), 204 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 03feb9bc59..2a76e0ae41 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
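Review bot: The branch `| H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb` binds the matched hypothesis as `H` but rewrites in the fixed name `Heqb` that `break_match` happened to generate, so it does nothing for any other `&&` hypothesis and breaks as soon as that name changes; it should read `rewrite andb_true_iff in H`, and PATCH 28 copies the same branch into `eval_mul_no_reduce` at `@@ -881,45 +934,47 @@`. `Search (_ * _ < _ * _) "mono".` is an interactive query left in the script, and the proof still ends in `all: admit.` under `Admitted`, so `eval_mul_no_reduce` gives no guarantee to anything built on it in this commit.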
@@ -73,6 +73,133 @@ Module solinas_reduction. Import Crypto.Arithmetic.Saturated. + Module tmp. + + Section __. + + Context (machine_wordsize := 64) + (weight := uweight machine_wordsize) + (up_bound := 2 ^ (machine_wordsize / 4)) + {wprops : @weight_properties weight}. + + Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := + map (fun x => (f (fst x) (snd x))) (combine l1 l2). + Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := + fold_right andb true (dual_map f ls1 ls2). + Definition is_bounded_by bounds ls := + fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. + + Definition mul_no_reduce base n (p q : list Z) := + let p_a := Positional.to_associational weight n p in + let q_a := Positional.to_associational weight n q in + let pq_a := Saturated.Associational.sat_mul base p_a q_a in + let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in + let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + let bound := (0, 2^machine_wordsize - 1) in + if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then + fst pq + else + add_to_nth 0 (weight (2 * n) * snd pq) (fst pq). + + Definition sat_reduce base s c n (p : list (Z * Z)) := + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let lo_hi := Associational.split s' p in + let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let hi := Saturated.Associational.sat_mul_const base coef (snd lo_hi) in + let r := (fst lo_hi) ++ hi in + r. + + (* n is input width *) + Definition reduce1 base s c n m (p : list Z) := + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight m r_a in + let r_flat := Saturated.Rows.flatten weight m r_rows in + fst r_flat. 
+ + Definition reduce_full base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) (S n) p in + let bound := (0, 2^machine_wordsize - 1) in + let bounds := repeat bound n ++ [(0, up_bound-1)] in + if (is_bounded_by bounds r1) then + let r2 := reduce1 base s c (S n) (S n) r1 in + let r3 := reduce1 base s c (S n) (n) r2 in + r3 + else r1. + + (* Definition mulmod base s c n (p q : list Z) := *) + (* let prod := mul_no_reduce base n p q in *) + (* let red := reduce_full base s c n prod in *) + (* red. *) + + Definition mulmod base s c n (p q : list Z) := + let mul := mul_no_reduce base n p q in + let r1 := reduce1 base s c (2*n) (S n) mul in + let r2 := reduce1 base s c (S n) (S n) r1 in + let r3 := reduce1 base s c (S n) (n) r2 in + r3. + + End __. + + Section __. + + Let s := 2^255. + Let c := [(1, 19)]. + Let machine_wordsize := 64. + Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). + Let m : nat := 2 * n. + Let w : nat -> Z := weight machine_wordsize 1. + Let base : Z := 2 ^ machine_wordsize. + + Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. + Let boundsn : list (ZRange.type.option.interp base.type.Z) + := repeat bound (n). + + Import Stringification.C.Compilers. + Import Stringification.C.Compilers.ToString. + + Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. + Local Instance : only_signed_opt := false. + Local Instance : no_select_opt := false. + Local Instance : static_opt := true. + Local Instance : internal_static_opt := true. + Local Instance : inline_opt := true. + Local Instance : inline_internal_opt := true. + Local Instance : use_mul_for_cmovznz_opt := false. + Local Instance : emit_primitives_opt := true. + Local Instance : should_split_mul_opt := false. + Local Instance : should_split_multiret_opt := false. + Local Instance : widen_carry_opt := false. + Local Instance : widen_bytes_opt := true. 
(* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) + Let possible_values := prefix_with_carry [machine_wordsize]. + Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) + Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. + Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. + Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. + + (* Time Compute *) + (* Show.show *) + (* (Pipeline.BoundsPipelineToString *) + (* "fiat" "mul" *) + (* false *) + (* false *) + (* None *) + (* possible_values *) + (* machine_wordsize *) + (* ltac:(let n := (eval cbv in n) in *) + (* let r := Reify (mulmod base s c n) in *) + (* exact r) *) + (* (fun _ _ => []) *) + (* (Some (repeat bound n), (Some (repeat bound n), tt)) *) + (* (Some (repeat bound (n))) *) + (* (None, (None, tt)) *) + (* (None) *) + (* : Pipeline.ErrorT _). *) + + End __. + + End tmp. + Section __. Context (machine_wordsize := 64) 
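Review bot: `tmp.mulmod` chains `reduce1 ... (2*n) (S n)`, `reduce1 ... (S n) (S n)` and `reduce1 ... (S n) n` with no check in between, whereas `reduce_full` in the same module performs the second and third reductions only when `is_bounded_by (repeat bound n ++ [(0, up_bound-1)]) r1` holds; since `reduce1` returns `fst r_flat` and discards the carry in `snd r_flat`, the unguarded chain in general returns a wrong residue whenever that final carry is non-zero. The commit message says the `reduce_full` chaining fails, so this may be intentional scaffolding; if so, mark it: `(* TEMP: unguarded reduction chain, correct only when r1 is bounded as reduce_full checks *)`. The module also duplicates `dual_map`, `fold_andb_map'`, `is_bounded_by`, `sat_reduce` and `reduce1` from the outer section, and its `mul_no_reduce` weights the carry with `weight (2 * n)` where the outer copy deleted at `@@ -568,86 +694,6 @@` used `weight n` — two copies that will drift.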
@@ -95,39 +222,50 @@ Module solinas_reduction. match goal with | [ |- 0 <= _ + _ ] => apply OrdersEx.Z_as_OT.add_nonneg_nonneg | _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg - | _ => apply OrdersEx.Z_as_DT.div_pos + | _ => apply OrdersEx.Z_as_OT.mul_pos_pos + | _ => apply OrdersEx.Z_as_OT.div_pos + | _ => apply OrdersEx.Z_as_OT.div_lt_upper_bound + | |- _ mod (?x * ?y) < (?y * ?x) => rewrite Z.mul_comm with (n:=x) + | _ => apply OrdersEx.Z_as_OT.mod_pos_bound | |- _ + ?x < _ + ?x => apply OrdersEx.Z_as_OT.add_lt_mono_r | [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono | [ |- _ + _ <= _ ] => apply OrdersEx.Z_as_OT.add_le_mono - | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; - apply wprops + | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; auto + | [ |- 0 <= _ mod _ ] => apply Z_mod_nonneg_nonneg | _ => lia end. - Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. - Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. - Hint Rewrite eval_split using solve [auto] : push_eval. - Hint Rewrite Saturated.Rows.eval_from_associational using auto : push_eval. - Hint Rewrite Rows.flatten_mod using auto : push_eval. - + Hint Rewrite Associational.eval_sat_mul using lia : push_eval. + Hint Rewrite Associational.eval_sat_mul_const using lia : push_eval. + Hint Rewrite eval_split using auto : push_eval. + Hint Rewrite Rows.eval_from_associational using (auto || lia) : push_eval. + Hint Rewrite Rows.flatten_mod using (eauto using Rows.length_from_associational) : push_eval. + Hint Rewrite Rows.flatten_correct using (eauto using Rows.length_from_associational) : push_eval. + Hint Rewrite eval_add_to_nth using auto : push_eval. + Hint Rewrite (@fst_pair) : push_eval. + Hint Rewrite (@snd_pair) : push_eval. Hint Rewrite app_length : push_length. - Hint Rewrite (@ListUtil.length_snoc Z) : push_length. - Hint Rewrite (@nil_length0 Z) : push_length. 
+ Hint Rewrite (@ListUtil.length_snoc) : push_length. + Hint Rewrite (@nil_length0) : push_length. Hint Rewrite seq_length : push_length. Hint Rewrite map_length : push_length. Hint Rewrite firstn_length : push_length. + Hint Rewrite Rows.length_flatten using (eauto using Rows.length_from_associational) : push_length. + Hint Rewrite length_partition : push_length. Hint Rewrite map_app : push_misc. - Hint Rewrite (@combine_app_samelength Z) using (autorewrite with push_length; lia) : push_misc. + Hint Rewrite (@combine_app_samelength) using (autorewrite with push_length; lia) : push_misc. Hint Rewrite fold_right_app : push_misc. - Hint Rewrite (@firstn_map nat) : push_misc. + Hint Rewrite (@firstn_map) : push_misc. Hint Rewrite firstn_seq : push_misc. Hint Rewrite map_map : push_misc. Hint Rewrite <-seq_shift : push_misc. + Ltac push := autorewrite with push_eval push_length push_misc. + Section canon. Definition canonical_repr n (p : list Z) : Prop := 
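Review bot: `solve_ineq` is a greedy `repeat match` with no backtracking across iterations: once a branch such as `| [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono` or the new catch-alls `| _ => apply OrdersEx.Z_as_OT.div_lt_upper_bound` and `| _ => apply OrdersEx.Z_as_OT.mod_pos_bound` succeeds, the split is committed even when the resulting subgoals are false, and the final `| _ => lia` simply leaves them. That is acceptable for a helper but should be documented above the `Ltac`: `(* greedy: splits sums/products by monotonicity without backtracking and may leave unprovable subgoals; use on goals whose split is the intended one *)`. `| [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; auto` replaces the explicit `apply wprops`, so it now depends on `auto` finding the weight-positivity fact — worth confirming that fact is in the hint database in every section that calls `solve_ineq`.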
@@ -137,75 +275,63 @@ Module solinas_reduction. Lemma canonical_pos n : forall (p : list Z), canonical_repr n p -> 0 <= eval weight n p. - Proof. - intros. - unfold canonical_repr in *. - intuition. - pose proof Partition.eval_partition. - specialize (H weight wprops n (eval weight n p)). - rewrite <-H1 in H. - rewrite H. - apply Z.mod_pos_bound. - eauto. + Proof using wprops. + intros; + repeat match goal with + | H : canonical_repr _ _ |- _ => + unfold canonical_repr in H; + destruct H as [ _ H ]; + rewrite H; + rewrite Partition.eval_partition + | _ => apply Z.mod_pos_bound + | _ => auto + end. Qed. Lemma canonical_bounded n : forall (p : list Z), canonical_repr n p -> forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. - Proof. - intros. - pose proof (canonical_pos n p H). - unfold canonical_repr, Partition.partition in H. - destruct H. - rewrite H2 in H0. - rewrite in_map_iff in H0. - destruct H0. - intuition. - { rewrite <-H3. - apply Z.div_nonneg. - apply Z_mod_nonneg_nonneg. - assumption. - eauto using Z.lt_le_incl. - eauto using Z.lt_le_incl. } - { rewrite <-H3. - apply OrdersEx.Z_as_OT.div_lt_upper_bound; eauto. - assert (weight (S x0) = weight x0 * 2 ^ machine_wordsize). - { unfold weight, uweight, ModOps.weight. - rewrite !Z.div_1_r. - rewrite !Z.opp_involutive. - rewrite Nat2Z.inj_succ. - rewrite OrdersEx.Z_as_OT.mul_succ_r. - rewrite OrdersEx.Z_as_OT.pow_add_r. - reflexivity. - lia. - lia. } - rewrite <-H0. - apply OrdersEx.Z_as_OT.mod_pos_bound. - eauto. } + Proof using wprops. 
+ intros; + repeat multimatch goal with + | H : canonical_repr ?n ?p |- _ => + pose proof (canonical_pos n p H); + cbv [canonical_repr Partition.partition] in H; + destruct H as [ Hlen Hpart ] + | H1 : In _ ?p, H2 : ?p = _ |- _ => + rewrite H2 in H1; + rewrite in_map_iff in H1 + | H : context[exists _, _] |- _ => destruct H + | H : _ = ?x |- 0 <= ?x => rewrite <-H + | H : _ = ?x |- ?x < _ => rewrite <-H + | _ => unfold weight; rewrite uweight_S; fold weight + | _ => solve_ineq + | _ => progress intuition + | _ => auto || lia + end. Qed. Lemma canonical_iff p n : canonical_repr n p <-> length p = n /\ forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. - Proof. - split. - { intros. - intuition. - unfold canonical_repr in *. - intuition. - eapply canonical_bounded; eauto. - eapply canonical_bounded; eauto. } - { intros. - unfold canonical_repr. - intuition. - - apply uweight_partition_unique. - lia. - assumption. - intros. - rewrite Le.Z.le_sub_1_iff. - eauto. } + Proof using wprops. + split; intros; + repeat multimatch goal with + | H : length _ = _ |- _ => rewrite H + | |- length _ = _ => unfold canonical_repr in * + | |- _ = Partition.partition _ _ _ => unfold canonical_repr in * + | |- canonical_repr _ _ => unfold canonical_repr + | _ => eapply canonical_bounded + | _ => progress intuition + | _ => eauto || lia + end. + apply uweight_partition_unique. + lia. + lia. + intros. + rewrite Le.Z.le_sub_1_iff. + auto. Qed. Lemma canonical_cons n a p: 
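Review bot: `canonical_iff`'s proof ends in a hand-written tail (`apply uweight_partition_unique. lia. lia. intros. rewrite Le.Z.le_sub_1_iff. auto.`) after the `repeat multimatch`, so it relies on the automation leaving exactly one goal of a known shape; moving `apply uweight_partition_unique` into the existing `| |- _ = Partition.partition _ _ _ => ...` branch, or fencing the tail with `{ }`, keeps the proof from failing obscurely when a hint database changes. Switching the three lemmas to `Proof using wprops` is the right move and the remaining bare `Proof.` lines in the section would benefit from the same. In `canonical_bounded`, the catch-all `| _ => unfold weight; rewrite uweight_S; fold weight` is tried on every iteration where nothing else matches; a comment naming the goal it targets (presumably the `weight (S x0)` expansion) would help.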
@@ -568,86 +694,6 @@ Module solinas_reduction. auto end. - Section __. - - Definition mul_no_reduce base n (p q : list Z) := - let p_a := Positional.to_associational weight n p in - let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in - let pq := Saturated.Rows.flatten weight (2*n) pq_rows in - - let bound := (0, 2^machine_wordsize - 1) in - if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then - fst pq - else - add_to_nth 0 (weight n * snd pq) (fst pq). - - - - Let p := [1; 1; 1]. - Let q := p. - Compute Positional.eval weight 8 (mul_no_reduce (2^256) 4 p q). - Compute Positional.eval weight 4 p * Positional.eval weight 4 q. - - Theorem eval_mul_no_reduce base n : forall p q, - Positional.eval weight (2 * n) (mul_no_reduce base n p q) = - Positional.eval weight n p * Positional.eval weight n q. - Proof. - intros. - cbv [mul_no_reduce]. - break_match. - (* properly bounded *) - autorewrite with push_eval. - apply Z.mod_small. - Search (_ * _ < _ * _) "mono". - repeat match goal with - | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb - | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H - | _ => progress intuition - | _ => solve_ineq - end. - rewrite <-Le.Z.le_sub_1_iff. - etransitivity. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto. - weight_comp. - unfold machine_wordsize. - ring_simplify. - cbn; break_match; try lia. - - all: admit. - (* rewrite <-canonical_is_bounded_by in H. *) - (* solve_ineq; apply canonical_pos; auto. *) - (* rewrite <-Le.Z.le_sub_1_iff. *) - (* etransitivity. *) - (* apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. *) - (* apply canonical_pos; auto. *) - (* rewrite Le.Z.le_sub_1_iff. *) - (* apply canonical_eval_bounded; auto. *) - (* apply canonical_pos; auto. *) - (* rewrite Le.Z.le_sub_1_iff. 
*) - (* apply canonical_eval_bounded; auto. *) - (* rewrite Le.Z.le_sub_1_iff. *) - (* replace (weight (2 * n)) with (weight n * weight n). *) - (* solve_ineq. *) - (* apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. *) - (* weight_comp; simpl; break_match; lia. *) - (* lia. *) - (* weight_comp; simpl; break_match; lia. *) - (* lia. *) - (* weight_comp. *) - (* rewrite <-OrdersEx.Z_as_OT.pow_mul_r. *) - (* f_equal. *) - (* lia. *) - (* lia. *) - (* lia. *) - (* lia. *) - (* lia. *) - (* apply Rows.length_from_associational. *) - Admitted. - - End __. - Definition sat_reduce base s c n (p : list (Z * Z)) := let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in let lo_hi := Associational.split s' p in @@ -656,11 +702,6 @@ Module solinas_reduction. let r := (fst lo_hi) ++ hi in r. - Hint Rewrite eval_app : push_eval. - Hint Rewrite Saturated.Associational.eval_sat_mul : push_eval. - Hint Rewrite Saturated.Associational.eval_sat_mul_const using (lia || assumption) : push_eval. - Hint Rewrite eval_split using solve [auto] : push_eval. - Lemma value_sat_reduce base s c n (p : list (Z * Z)) (basenz:base<>0): let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in 
@@ -726,6 +767,18 @@ Module solinas_reduction. Qed. Hint Rewrite eval_sat_reduce using auto : push_eval. + Definition mul_no_reduce base n (p q : list Z) := + let p_a := Positional.to_associational weight n p in + let q_a := Positional.to_associational weight n q in + let pq_a := Saturated.Associational.sat_mul base p_a q_a in + let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in + let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + let bound := (0, 2^machine_wordsize - 1) in + if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then + fst pq + else + add_to_nth 0 (weight (2 * n) * snd pq) (fst pq). + (* n is input width *) Definition reduce1 base s c n m (p : list Z) := let p_a := Positional.to_associational weight n p in 
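Review bot: The fallback branch of the re-added `mul_no_reduce` weights the carry with `weight (2 * n)`, whereas the copy deleted at `@@ -568,86 +694,6 @@` used `weight n`; since `pq` is flattened over `2*n` limbs, `weight (2 * n)` is the weight the carry `snd pq` actually carries, so this is a silent bug fix that the commit message does not mention. The definition also has no comment; `(* if an input limb is outside [0, 2^machine_wordsize - 1], fold the flatten carry (worth weight (2*n)) into limb 0 so eval is preserved; the result is then not limb-bounded *)` above the `if` would record both the fallback and the fact that callers cannot assume bounded limbs from it.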
@@ -881,45 +934,47 @@ Module solinas_reduction. (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) (coef_small : weight n / s * Associational.eval c < up_bound). - (* Theorem eval_mul_no_reduce : forall p q, *) - (* canonical_repr n p -> *) - (* canonical_repr n q -> *) - (* Positional.eval weight (2 * n) (mul_no_reduce base n p q) = *) - (* Positional.eval weight n p * Positional.eval weight n q. *) - (* Proof. *) - (* intros. *) - (* cbv [mul_no_reduce]. *) - (* autorewrite with push_eval. *) - (* apply Z.mod_small. *) - (* intuition. *) - (* solve_ineq; apply canonical_pos; auto. *) - (* rewrite <-Le.Z.le_sub_1_iff. *) - (* etransitivity. *) - (* apply OrdersEx.Z_as_OT.mul_le_mono_nonneg. *) - (* apply canonical_pos; auto. *) - (* rewrite Le.Z.le_sub_1_iff. *) - (* apply canonical_eval_bounded; auto. *) - (* apply canonical_pos; auto. *) - (* rewrite Le.Z.le_sub_1_iff. *) - (* apply canonical_eval_bounded; auto. *) - (* rewrite Le.Z.le_sub_1_iff. *) - (* replace (weight (2 * n)) with (weight n * weight n). *) - (* solve_ineq. *) - (* apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. *) - (* weight_comp; simpl; break_match; lia. *) - (* lia. *) - (* weight_comp; simpl; break_match; lia. *) - (* lia. *) - (* weight_comp. *) - (* rewrite <-OrdersEx.Z_as_OT.pow_mul_r. *) - (* f_equal. *) - (* lia. *) - (* lia. *) - (* lia. *) - (* lia. *) - (* lia. *) - (* apply Rows.length_from_associational. *) - (* Qed. *) + Theorem eval_mul_no_reduce : forall p q, + Positional.eval weight (2 * n) (mul_no_reduce base n p q) = + Positional.eval weight n p * Positional.eval weight n q. + Proof using base_nz n_gt_1 wprops. + intros. + cbv [mul_no_reduce]. + break_match. + (* properly bounded *) + autorewrite with push_eval. + apply Z.mod_small. + repeat match goal with + | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb + | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H + | _ => progress intuition + | _ => solve_ineq + end. 
+ rewrite <-Le.Z.le_sub_1_iff. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto. + rewrite Le.Z.le_sub_1_iff. + replace (weight (2 * n)) with (weight n * weight n). + solve_ineq. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. + f_equal. + lia. + lia. + lia. + + (* not bounded *) + push. + ring_simplify. + rewrite <-Z_div_mod_eq. + auto. + rewrite Z.gt_lt_iff. + auto. + push. + lia. + push. + lia. + Qed. Lemma split_p : forall p lo hi, p = lo ++ [hi] -> @@ -2263,6 +2318,11 @@ Module solinas_reduction. apply canonical_is_bounded_by in Hcanon_l. pose proof (canonical_bounded _ _ Hcanon1 q_hi ltac:(solve_in)). intuition. + rewrite H7 in H9. + discriminate. + cbn in H12. + lia. + cbn in H12. (* rewrite Hcanon_l in H7; discriminate. *) (* cbn [fst] in H10. *) (* lia. *) @@ -2339,6 +2399,8 @@ Module solinas_reduction. Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) = (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). Proof. + intros. + admit. Admitted. @@ -2354,15 +2416,6 @@ Module solinas_reduction. Let w : nat -> Z := weight machine_wordsize 1. Let base : Z := 2 ^ machine_wordsize. - Let p := [2^64]. - Let q := [2^64]. - Compute ( - Positional.eval w 1 (mulmod base s c n p q) mod (s - Associational.eval c) - ). - Compute ( - (Positional.eval w 1 p * Positional.eval w 1 q) mod (s - Associational.eval c) - ). - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. Let boundsn : list (ZRange.type.option.interp base.type.Z) := repeat bound (n). From f7aec12302fe180af4eca49895e6b78b0a6e55a7 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 17 Jul 2022 00:00:48 -0400 Subject: [PATCH 29/69] small update to c code --- src/SolinasReduction.v | 284 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 261 insertions(+), 23 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 2a76e0ae41..6da4c7c9da 100644 
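Review bot: The weight-splitting step in the bounded branch of `eval_mul_no_reduce` — `replace (weight (2 * n)) with (weight n * weight n). solve_ineq. weight_comp. rewrite <-OrdersEx.Z_as_OT.pow_mul_r. f_equal. lia. lia. lia.` — is a standalone fact; stating it once as `Lemma weight_2n : weight (2 * n) = weight n * weight n.` (name is a suggestion) lets this proof and the later reduction proofs use it by `rewrite` and drops the tail of positional `lia`s. The `| H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb` branch carried over from PATCH 27 should rewrite in `H`. The not-bounded branch closes with `push. lia. push. lia.`; `{ }` around each side condition would show which `push` discharges what.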
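Review bot: The added lines `rewrite H7 in H9. discriminate. cbn in H12. lia. cbn in H12.` depend on the numbering Coq assigns after `intuition`; the commented-out script right below already shows those names drifting (`H10` there versus `H12` here), so the next edit to `canonical_is_bounded_by` or `canonical_bounded` renames them again. Naming the hypotheses explicitly — `pose proof (canonical_bounded _ _ Hcanon1 q_hi ltac:(solve_in)) as Hq_hi` and a `destruct ... as [...]` in place of `intuition` — makes the script stable. The enclosing proof starts and ends outside the hunk, and the `intros. admit.` that the `@@ -2339,6 +2399,8 @@` hunk places before `Admitted` is redundant.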
--- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -133,11 +133,17 @@ Module solinas_reduction. (* red. *) Definition mulmod base s c n (p q : list Z) := - let mul := mul_no_reduce base n p q in - let r1 := reduce1 base s c (2*n) (S n) mul in - let r2 := reduce1 base s c (S n) (S n) r1 in - let r3 := reduce1 base s c (S n) (n) r2 in - r3. + let p_a := Positional.to_associational weight n p in + let q_a := Positional.to_associational weight n q in + let pq_a := Saturated.Associational.sat_mul base p_a q_a in + let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in + let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + let bound := (0, 2^machine_wordsize - 1) in + if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then + let mul := fst pq in + reduce_full base s c n mul + else + repeat 0 n. End __. 
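Review bot: The new `else repeat 0 n` returns zero whenever an input limb is outside `[0, 2^machine_wordsize - 1]`, so the equation `eval (mulmod ...) mod (s - c) = (eval p * eval q) mod (s - c)` stated for `mulmod` in PATCH 28 no longer holds unconditionally; the correctness theorem needs `is_bounded_by (repeat bound n) p = true` (and the same for `q`) as hypotheses, or the branch must keep a value-preserving fallback like `mul_no_reduce`'s `add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)`. Under the argument bounds passed to `BoundsPipelineToString` the branch is dead, which is presumably the intent; say so next to it: `(* unreachable under the pipeline's input bounds; kept so the function is total *)`.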
@@ -177,24 +183,256 @@ Module solinas_reduction. Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - (* Time Compute *) - (* Show.show *) - (* (Pipeline.BoundsPipelineToString *) - (* "fiat" "mul" *) - (* false *) - (* false *) - (* None *) - (* possible_values *) - (* machine_wordsize *) - (* ltac:(let n := (eval cbv in n) in *) - (* let r := Reify (mulmod base s c n) in *) - (* exact r) *) - (* (fun _ _ => []) *) - (* (Some (repeat bound n), (Some (repeat bound n), tt)) *) - (* (Some (repeat bound (n))) *) - (* (None, (None, tt)) *) - (* (None) *) - (* : Pipeline.ErrorT _). *) + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (mulmod base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound n), (Some (repeat bound n), tt)) + (Some (repeat bound (n))) + (None, (None, tt)) + (None) + : Pipeline.ErrorT _). 
+
+ (*
+ = "Success (""/*
+ * Input Bounds:
+ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ * Output Bounds:
+ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+ */
+static void mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) {
+ uint64_t x1;
+ uint64_t x2;
+ uint64_t x3;
+ uint64_t x4;
+ uint64_t x5;
+ uint64_t x6;
+ uint64_t x7;
+ uint64_t x8;
+ uint64_t x9;
+ uint64_t x10;
+ uint64_t x11;
+ uint64_t x12;
+ uint64_t x13;
+ uint64_t x14;
+ uint64_t x15;
+ uint64_t x16;
+ uint64_t x17;
+ uint64_t x18;
+ uint64_t x19;
+ uint64_t x20;
+ uint64_t x21;
+ uint64_t x22;
+ uint64_t x23;
+ uint64_t x24;
+ uint64_t x25;
+ uint64_t x26;
+ uint64_t x27;
+ uint64_t x28;
+ uint64_t x29;
+ uint64_t x30;
+ uint64_t x31;
+ uint64_t x32;
+ uint64_t x33;
+ fiatuint1 x34;
+ uint64_t x35;
+ fiatuint1 x36;
+ uint64_t x37;
+ uint64_t x38;
+ fiatuint1 x39;
+ uint64_t x40;
+ fiatuint1 x41;
+ uint64_t x42;
+ fiatuint1 x43;
+ uint64_t x44;
+ uint64_t x45;
+ fiatuint1 x46;
+ uint64_t x47;
+ fiatuint1 x48;
+ uint64_t x49;
+ fiatuint1 x50;
+ uint64_t x51;
+ fiatuint1 x52;
+ uint64_t x53;
+ fiatuint1 x54;
+ uint64_t x55;
+ uint64_t x56;
+ fiatuint1 x57;
+ uint64_t x58;
+ fiatuint1 x59;
+ uint64_t x60;
+ fiatuint1 x61;
+ uint64_t x62;
+ fiatuint1 x63;
+ uint64_t x64;
+ fiatuint1 x65;
+ uint64_t x66;
+ fiatuint1 x67;
+ uint64_t x68;
+ fiatuint1 x69;
+ uint64_t x70;
+ fiatuint1 x71;
+ uint64_t x72;
+ fiatuint1 x73;
+ uint64_t x74;
+ fiatuint1 x75;
+ uint64_t x76;
+ fiatuint1 x77;
+ uint64_t x78;
+ fiatuint1 x79;
+ uint64_t x80;
+ fiatuint1 x81;
+ uint64_t x82;
+ fiatuint1 x83;
+ uint64_t x84;
+ fiatuint1 x85;
+ uint64_t x86;
+ fiatuint1 x87;
+ uint64_t x88;
+ fiatuint1 x89;
+ uint64_t x90;
+ 
fiatuint1 x91;
+ uint64_t x92;
+ fiatuint1 x93;
+ uint64_t x94;
+ fiatuint1 x95;
+ uint64_t x96;
+ uint64_t x97;
+ uint64_t x98;
+ uint64_t x99;
+ uint64_t x100;
+ uint64_t x101;
+ uint64_t x102;
+ fiatuint1 x103;
+ uint64_t x104;
+ fiatuint1 x105;
+ uint64_t x106;
+ uint64_t x107;
+ uint64_t x108;
+ fiatuint1 x109;
+ uint64_t x110;
+ uint64_t x111;
+ uint64_t x112;
+ uint64_t x113;
+ fiatuint1 x114;
+ uint64_t x115;
+ fiatuint1 x116;
+ uint64_t x117;
+ fiatuint1 x118;
+ uint64_t x119;
+ fiatuint1 x120;
+ uint64_t x121;
+ uint64_t x122;
+ uint64_t x123;
+ uint64_t x124;
+ fiatuint1 x125;
+ uint64_t x126;
+ fiatuint1 x127;
+ uint64_t x128;
+ fiatuint1 x129;
+ uint64_t x130;
+ fiatuint1 x131;
+ uint64_t x132;
+ uint64_t x133;
+ uint64_t x134;
+ fiatuint1 x135;
+ uint64_t x136;
+ fiatuint1 x137;
+ uint64_t x138;
+ fiatuint1 x139;
+ uint64_t x140;
+ fiatuint1 x141;
+ fiatmulx_u64(&x1, &x2, (arg1[3]), (arg2[3]));
+ fiatmulx_u64(&x3, &x4, (arg1[3]), (arg2[2]));
+ fiatmulx_u64(&x5, &x6, (arg1[3]), (arg2[1]));
+ fiatmulx_u64(&x7, &x8, (arg1[3]), (arg2[0]));
+ fiatmulx_u64(&x9, &x10, (arg1[2]), (arg2[3]));
+ fiatmulx_u64(&x11, &x12, (arg1[2]), (arg2[2]));
+ fiatmulx_u64(&x13, &x14, (arg1[2]), (arg2[1]));
+ fiatmulx_u64(&x15, &x16, (arg1[2]), (arg2[0]));
+ fiatmulx_u64(&x17, &x18, (arg1[1]), (arg2[3]));
+ fiatmulx_u64(&x19, &x20, (arg1[1]), (arg2[2]));
+ fiatmulx_u64(&x21, &x22, (arg1[1]), (arg2[1]));
+ fiatmulx_u64(&x23, &x24, (arg1[1]), (arg2[0]));
+ fiatmulx_u64(&x25, &x26, (arg1[0]), (arg2[3]));
+ fiatmulx_u64(&x27, &x28, (arg1[0]), (arg2[2]));
+ fiatmulx_u64(&x29, &x30, (arg1[0]), (arg2[1]));
+ fiatmulx_u64(&x31, &x32, (arg1[0]), (arg2[0]));
+ fiataddcarryx_u64(&x33, &x34, 0x0, x28, x7);
+ fiataddcarryx_u64(&x35, &x36, x34, x26, x5);
+ x37 = (x36 + x18);
+ fiataddcarryx_u64(&x38, &x39, 0x0, x33, x13);
+ fiataddcarryx_u64(&x40, &x41, x39, x35, x8);
+ fiataddcarryx_u64(&x42, &x43, x41, x37, 0x0);
+ x44 = (x43 + x10);
+ fiataddcarryx_u64(&x45, &x46, 0x0, x30, x15);
+ 
fiataddcarryx_u64(&x47, &x48, x46, x38, x16);
+ fiataddcarryx_u64(&x49, &x50, x48, x40, x11);
+ fiataddcarryx_u64(&x51, &x52, x50, x42, x3);
+ fiataddcarryx_u64(&x53, &x54, x52, x44, 0x0);
+ x55 = (x54 + x2);
+ fiataddcarryx_u64(&x56, &x57, 0x0, x45, x21);
+ fiataddcarryx_u64(&x58, &x59, x57, x47, x19);
+ fiataddcarryx_u64(&x60, &x61, x59, x49, x14);
+ fiataddcarryx_u64(&x62, &x63, x61, x51, x6);
+ fiataddcarryx_u64(&x64, &x65, x63, x53, 0x0);
+ fiataddcarryx_u64(&x66, &x67, x65, x55, 0x0);
+ fiataddcarryx_u64(&x68, &x69, 0x0, x32, x23);
+ fiataddcarryx_u64(&x70, &x71, x69, x56, x24);
+ fiataddcarryx_u64(&x72, &x73, x71, x58, x22);
+ fiataddcarryx_u64(&x74, &x75, x73, x60, x17);
+ fiataddcarryx_u64(&x76, &x77, x75, x62, x9);
+ fiataddcarryx_u64(&x78, &x79, x77, x64, x1);
+ fiataddcarryx_u64(&x80, &x81, x79, x66, 0x0);
+ fiataddcarryx_u64(&x82, &x83, 0x0, x68, x29);
+ fiataddcarryx_u64(&x84, &x85, x83, x70, x27);
+ fiataddcarryx_u64(&x86, &x87, x85, x72, x25);
+ fiataddcarryx_u64(&x88, &x89, x87, x74, x20);
+ fiataddcarryx_u64(&x90, &x91, x89, x76, x12);
+ fiataddcarryx_u64(&x92, &x93, x91, x78, x4);
+ fiataddcarryx_u64(&x94, &x95, x93, x80, 0x0);
+ fiatmulx_u64(&x96, &x97, UINT8_C(0x26), x92);
+ fiatmulx_u64(&x98, &x99, UINT8_C(0x26), x90);
+ fiatmulx_u64(&x100, &x101, UINT8_C(0x26), x88);
+ fiataddcarryx_u64(&x102, &x103, 0x0, x82, x98);
+ fiataddcarryx_u64(&x104, &x105, x103, x84, x96);
+ fiatmulx_u64(&x106, &x107, UINT8_C(0x26), x94);
+ fiataddcarryx_u64(&x108, &x109, x105, x86, x106);
+ fiatmulx_u64(&x110, &x111, UINT8_C(0x26), x94);
+ x112 = (x109 + x111);
+ fiataddcarryx_u64(&x113, &x114, 0x0, x31, x100);
+ fiataddcarryx_u64(&x115, &x116, x114, x102, x101);
+ fiataddcarryx_u64(&x117, &x118, x116, x104, x99);
+ fiataddcarryx_u64(&x119, &x120, x118, x108, x97);
+ x121 = (x120 + x112);
+ fiatmulx_u64(&x122, &x123, UINT8_C(0x26), x121);
+ fiataddcarryx_u64(&x124, &x125, 0x0, x113, x122);
+ fiataddcarryx_u64(&x126, &x127, x125, x115, 0x0);
+ 
fiataddcarryx_u64(&x128, &x129, x127, x117, 0x0); + fiataddcarryx_u64(&x130, &x131, x129, x119, 0x0); + fiatmulx_u64(&x132, &x133, UINT8_C(0x26), x131); + fiataddcarryx_u64(&x134, &x135, 0x0, x124, x132); + fiataddcarryx_u64(&x136, &x137, x135, x126, 0x0); + fiataddcarryx_u64(&x138, &x139, x137, x128, 0x0); + fiataddcarryx_u64(&x140, &x141, x139, x130, 0x0); + out1[0] = x134; + out1[1] = x136; + out1[2] = x138; + out1[3] = x140; +}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" + : string +Finished transaction in 7.129 secs (6.859u,0.198s) (successful) + *) End __. From 83817ecd1defc23c276d6991005de24df0e4d258 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Mon, 18 Jul 2022 23:05:28 -0400 Subject: [PATCH 30/69] refactoring --- src/SolinasReduction.v | 1495 +++++++++++++++++++--------------------- 1 file changed, 701 insertions(+), 794 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 6da4c7c9da..a7da2c016d 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
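Review bot: The `Time Compute` is now live, so every build of this file re-runs the synthesis that the pasted log times at `7.129 secs`; keeping the probe inside a comment, or in a separate examples file, avoids paying that on each compile. In the pasted output, `fiatmulx_u64(&x106, &x107, UINT8_C(0x26), x94)` and `fiatmulx_u64(&x110, &x111, UINT8_C(0x26), x94)` compute the same product, with `x107` and `x110` never read — this suggests the Coq definition multiplies the top limb by the reduction coefficient in two places, which is worth checking in `sat_reduce`/`reduce1` (their bodies are outside this hunk). The final carry `x141` is likewise dropped, mirroring `fst r_flat` in the last `reduce1 ... (S n) n`, so the emitted `mul` is correct only if that carry is provably zero under the input bounds, which is exactly what the still-admitted `mulmod` theorem has to establish. On the positive side the emitted body is straight-line with no data-dependent branches, so the constant-time shape is preserved.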
@@ -89,18 +89,6 @@ Module solinas_reduction. Definition is_bounded_by bounds ls := fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. - Definition mul_no_reduce base n (p q : list Z) := - let p_a := Positional.to_associational weight n p in - let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in - let pq := Saturated.Rows.flatten weight (2*n) pq_rows in - let bound := (0, 2^machine_wordsize - 1) in - if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then - fst pq - else - add_to_nth 0 (weight (2 * n) * snd pq) (fst pq). - Definition sat_reduce base s c n (p : list (Z * Z)) := let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in let lo_hi := Associational.split s' p in 
@@ -118,32 +106,32 @@ Module solinas_reduction. fst r_flat. Definition reduce_full base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) (S n) p in let bound := (0, 2^machine_wordsize - 1) in - let bounds := repeat bound n ++ [(0, up_bound-1)] in - if (is_bounded_by bounds r1) then - let r2 := reduce1 base s c (S n) (S n) r1 in - let r3 := reduce1 base s c (S n) (n) r2 in - r3 - else r1. - - (* Definition mulmod base s c n (p q : list Z) := *) - (* let prod := mul_no_reduce base n p q in *) - (* let red := reduce_full base s c n prod in *) - (* red. *) - - Definition mulmod base s c n (p q : list Z) := + if (is_bounded_by (repeat bound (2*n)) p) then + let r1 := reduce1 base s c (2*n) (S n) p in + if (is_bounded_by (repeat bound n ++ [(0, up_bound-1)]) r1) then + let r2 := reduce1 base s c (S n) (S n) r1 in + let r3 := reduce1 base s c (S n) (n) r2 in + r3 + else r1 + else + (* reduce down to n limbs *) + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight n r_a in + let r_flat := Saturated.Rows.flatten weight n r_rows in + add_to_nth 0 (weight (n) * snd r_flat) (fst r_flat). + + Definition reduce1' base s c n m (p : list Z) := let p_a := Positional.to_associational weight n p in - let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in - let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight m r_a in + let r_flat := Saturated.Rows.flatten weight m r_rows in let bound := (0, 2^machine_wordsize - 1) in - if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then - let mul := fst pq in - reduce_full base s c n mul + if (is_bounded_by (repeat bound n) p) then + fst r_flat else - repeat 0 n. 
+ add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat). End __. @@ -155,12 +143,9 @@ Module solinas_reduction. Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). Let m : nat := 2 * n. Let w : nat -> Z := weight machine_wordsize 1. + Let up_bound := 2 ^ (machine_wordsize / 4). Let base : Z := 2 ^ machine_wordsize. - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. - Let boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound (n). - Import Stringification.C.Compilers. Import Stringification.C.Compilers.ToString. @@ -183,6 +168,8 @@ Module solinas_reduction. Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. + Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. + Let bound' := Some (repeat bound (n) ++ [Some r[0 ~> 1]%zrange]). Time Compute Show.show (Pipeline.BoundsPipelineToString 
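Review bot: The new `else` branch of `reduce_full` calls `Positional.to_associational weight n p` on the same `p` that the preceding check sized at `2*n` limbs; if `to_associational` is the usual `combine (map weight (seq 0 n)) p`, the upper `n` limbs are dropped before `sat_reduce`, so the unbounded fallback reduces a truncated value rather than the whole input. Either pass `(2*n)` there (with `from_associational`/`flatten` sized to match) or state in the comment that this branch is unreachable for word-bounded pipeline inputs, e.g. `(* unreachable for bounded inputs: reduce once and fold flatten's carry into limb 0 *)`. The copy of `reduce_full` that appears as context in the hunk at old line 1025 still begins `let r1 := reduce1 base s c (2*n) (S n) p in` with no input check, so the two definitions have now diverged. `reduce1'` differs from `reduce1` only in its fallback; a one-line comment such as `(* reduce1 with a total fallback: when p is not word-bounded, fold flatten's carry into limb 0 *)` would explain why both exist.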
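Review bot: `Let up_bound := 2 ^ (machine_wordsize / 4).` is introduced without saying what it bounds; `reduce_full` checks the top limb against `up_bound-1` and the proof section's `coef_small` hypothesis (visible in the last hunk) is stated against an `up_bound`, so presumably this is the same constant. A comment would pin that down: `(* up_bound: limit on the top limb after the first reduction, 2^(w/4) for w = machine_wordsize *)`. Note that `/` here is integer division on Z, which is exact for 64 but silently truncates for a wordsize not divisible by 4.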
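Review bot: `bound'` is defined here but not used by either pipeline invocation in the next hunk, which pass `repeat bound (S n)` and `repeat bound n` as output bounds; if it is meant to be the tighter output bound for `reduce1'` (top limb in `r[0 ~> 1]`), wire it into that call, otherwise remove it. Its top-limb range `0 ~> 1` also does not match the `up_bound-1` that `reduce_full` checks the top limb against, so whichever is intended deserves a comment, e.g. `(* expected output shape of the first reduction: n full limbs plus a 1-bit top limb *)`.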
@@ -193,246 +180,52 @@ Module solinas_reduction. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (mulmod base s c n) in + let r := Reify (reduce1' base s c (2*n) (S n)) in exact r) (fun _ _ => []) - (Some (repeat bound n), (Some (repeat bound n), tt)) + (Some (repeat bound (2*n)), tt) + (Some (repeat bound (S n))) + (None, tt) + (None) + : Pipeline.ErrorT _). + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (reduce_full base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound (2*n)), tt) (Some (repeat bound (n))) - (None, (None, tt)) + (None, tt) (None) : Pipeline.ErrorT _). - - (* - = "Success (""/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static void mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - fiatuint1 x34; - uint64_t x35; - fiatuint1 x36; - uint64_t x37; - uint64_t x38; - fiatuint1 x39; - uint64_t x40; - fiatuint1 x41; - uint64_t x42; - fiatuint1 x43; - uint64_t 
x44; - uint64_t x45; - fiatuint1 x46; - uint64_t x47; - fiatuint1 x48; - uint64_t x49; - fiatuint1 x50; - uint64_t x51; - fiatuint1 x52; - uint64_t x53; - fiatuint1 x54; - uint64_t x55; - uint64_t x56; - fiatuint1 x57; - uint64_t x58; - fiatuint1 x59; - uint64_t x60; - fiatuint1 x61; - uint64_t x62; - fiatuint1 x63; - uint64_t x64; - fiatuint1 x65; - uint64_t x66; - fiatuint1 x67; - uint64_t x68; - fiatuint1 x69; - uint64_t x70; - fiatuint1 x71; - uint64_t x72; - fiatuint1 x73; - uint64_t x74; - fiatuint1 x75; - uint64_t x76; - fiatuint1 x77; - uint64_t x78; - fiatuint1 x79; - uint64_t x80; - fiatuint1 x81; - uint64_t x82; - fiatuint1 x83; - uint64_t x84; - fiatuint1 x85; - uint64_t x86; - fiatuint1 x87; - uint64_t x88; - fiatuint1 x89; - uint64_t x90; - fiatuint1 x91; - uint64_t x92; - fiatuint1 x93; - uint64_t x94; - fiatuint1 x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - fiatuint1 x103; - uint64_t x104; - fiatuint1 x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - fiatuint1 x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - fiatuint1 x114; - uint64_t x115; - fiatuint1 x116; - uint64_t x117; - fiatuint1 x118; - uint64_t x119; - fiatuint1 x120; - uint64_t x121; - uint64_t x122; - uint64_t x123; - uint64_t x124; - fiatuint1 x125; - uint64_t x126; - fiatuint1 x127; - uint64_t x128; - fiatuint1 x129; - uint64_t x130; - fiatuint1 x131; - uint64_t x132; - uint64_t x133; - uint64_t x134; - fiatuint1 x135; - uint64_t x136; - fiatuint1 x137; - uint64_t x138; - fiatuint1 x139; - uint64_t x140; - fiatuint1 x141; - fiatmulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); - fiatmulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); - fiatmulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); - fiatmulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); - fiatmulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); - fiatmulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); - fiatmulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); - 
fiatmulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); - fiatmulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); - fiatmulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); - fiatmulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); - fiatmulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); - fiatmulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); - fiatmulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); - fiatmulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); - fiatmulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); - fiataddcarryx_u64(&x33, &x34, 0x0, x28, x7); - fiataddcarryx_u64(&x35, &x36, x34, x26, x5); - x37 = (x36 + x18); - fiataddcarryx_u64(&x38, &x39, 0x0, x33, x13); - fiataddcarryx_u64(&x40, &x41, x39, x35, x8); - fiataddcarryx_u64(&x42, &x43, x41, x37, 0x0); - x44 = (x43 + x10); - fiataddcarryx_u64(&x45, &x46, 0x0, x30, x15); - fiataddcarryx_u64(&x47, &x48, x46, x38, x16); - fiataddcarryx_u64(&x49, &x50, x48, x40, x11); - fiataddcarryx_u64(&x51, &x52, x50, x42, x3); - fiataddcarryx_u64(&x53, &x54, x52, x44, 0x0); - x55 = (x54 + x2); - fiataddcarryx_u64(&x56, &x57, 0x0, x45, x21); - fiataddcarryx_u64(&x58, &x59, x57, x47, x19); - fiataddcarryx_u64(&x60, &x61, x59, x49, x14); - fiataddcarryx_u64(&x62, &x63, x61, x51, x6); - fiataddcarryx_u64(&x64, &x65, x63, x53, 0x0); - fiataddcarryx_u64(&x66, &x67, x65, x55, 0x0); - fiataddcarryx_u64(&x68, &x69, 0x0, x32, x23); - fiataddcarryx_u64(&x70, &x71, x69, x56, x24); - fiataddcarryx_u64(&x72, &x73, x71, x58, x22); - fiataddcarryx_u64(&x74, &x75, x73, x60, x17); - fiataddcarryx_u64(&x76, &x77, x75, x62, x9); - fiataddcarryx_u64(&x78, &x79, x77, x64, x1); - fiataddcarryx_u64(&x80, &x81, x79, x66, 0x0); - fiataddcarryx_u64(&x82, &x83, 0x0, x68, x29); - fiataddcarryx_u64(&x84, &x85, x83, x70, x27); - fiataddcarryx_u64(&x86, &x87, x85, x72, x25); - fiataddcarryx_u64(&x88, &x89, x87, x74, x20); - fiataddcarryx_u64(&x90, &x91, x89, x76, x12); - fiataddcarryx_u64(&x92, &x93, x91, x78, x4); - fiataddcarryx_u64(&x94, &x95, x93, x80, 0x0); - fiatmulx_u64(&x96, &x97, UINT8_C(0x26), x92); - 
fiatmulx_u64(&x98, &x99, UINT8_C(0x26), x90); - fiatmulx_u64(&x100, &x101, UINT8_C(0x26), x88); - fiataddcarryx_u64(&x102, &x103, 0x0, x82, x98); - fiataddcarryx_u64(&x104, &x105, x103, x84, x96); - fiatmulx_u64(&x106, &x107, UINT8_C(0x26), x94); - fiataddcarryx_u64(&x108, &x109, x105, x86, x106); - fiatmulx_u64(&x110, &x111, UINT8_C(0x26), x94); - x112 = (x109 + x111); - fiataddcarryx_u64(&x113, &x114, 0x0, x31, x100); - fiataddcarryx_u64(&x115, &x116, x114, x102, x101); - fiataddcarryx_u64(&x117, &x118, x116, x104, x99); - fiataddcarryx_u64(&x119, &x120, x118, x108, x97); - x121 = (x120 + x112); - fiatmulx_u64(&x122, &x123, UINT8_C(0x26), x121); - fiataddcarryx_u64(&x124, &x125, 0x0, x113, x122); - fiataddcarryx_u64(&x126, &x127, x125, x115, 0x0); - fiataddcarryx_u64(&x128, &x129, x127, x117, 0x0); - fiataddcarryx_u64(&x130, &x131, x129, x119, 0x0); - fiatmulx_u64(&x132, &x133, UINT8_C(0x26), x131); - fiataddcarryx_u64(&x134, &x135, 0x0, x124, x132); - fiataddcarryx_u64(&x136, &x137, x135, x126, 0x0); - fiataddcarryx_u64(&x138, &x139, x137, x128, 0x0); - fiataddcarryx_u64(&x140, &x141, x139, x130, 0x0); - out1[0] = x134; - out1[1] = x136; - out1[2] = x138; - out1[3] = x140; -}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" - : string -Finished transaction in 7.129 secs (6.859u,0.198s) (successful) - *) +(* first reduction unnecessarily scales one of the limbs twice + fiatmulx_u64(&x1, &x2, UINT8_C(0x26), (arg1[6])); + fiatmulx_u64(&x3, &x4, UINT8_C(0x26), (arg1[5])); + fiatmulx_u64(&x5, &x6, UINT8_C(0x26), (arg1[4])); + x7 = (arg1[3]); + x8 = (arg1[2]); + x9 = (arg1[1]); + x10 = (arg1[0]); + fiataddcarryx_u64(&x11, &x12, 0x0, x9, x3); + fiataddcarryx_u64(&x13, &x14, x12, x8, x1); + fiatmulx_u64(&x15, &x16, UINT8_C(0x26), (arg1[7])); + fiataddcarryx_u64(&x17, &x18, x14, x7, x15); + fiatmulx_u64(&x19, &x20, UINT8_C(0x26), (arg1[7])); 
+ x21 = (x18 + x20); + fiataddcarryx_u64(&x22, &x23, 0x0, x10, x5); + fiataddcarryx_u64(&x24, &x25, x23, x11, x6); + fiataddcarryx_u64(&x26, &x27, x25, x13, x4); + fiataddcarryx_u64(&x28, &x29, x27, x17, x2); + x30 = (x29 + x21); + *) End __. @@ -446,12 +239,12 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) {wprops : @weight_properties weight}. Ltac weight_comp := - unfold weight, uweight, ModOps.weight; - rewrite !Z.div_1_r; - rewrite !Z.opp_involutive; - try rewrite Nat2Z.inj_succ; - try rewrite OrdersEx.Z_as_OT.mul_succ_r; - try rewrite OrdersEx.Z_as_OT.pow_add_r; + unfold weight, uweight, ModOps.weight, machine_wordsize; + try rewrite !Z.div_1_r; + try rewrite !Z.opp_involutive; + try rewrite !Nat2Z.inj_succ; + try rewrite !OrdersEx.Z_as_OT.mul_succ_r; + try rewrite !OrdersEx.Z_as_OT.pow_add_r; autorewrite with zsimplify_const; ring_simplify. @@ -463,6 +256,9 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) | _ => apply OrdersEx.Z_as_OT.mul_pos_pos | _ => apply OrdersEx.Z_as_OT.div_pos | _ => apply OrdersEx.Z_as_OT.div_lt_upper_bound + | _ => apply Z.mod_small + | |- _ - ?x < _ - ?x => rewrite <-OrdersEx.Z_as_OT.sub_lt_mono_r + | |- _ - ?x <= _ - ?x => rewrite <-OrdersEx.Z_as_OT.sub_le_mono_r | |- _ mod (?x * ?y) < (?y * ?x) => rewrite Z.mul_comm with (n:=x) | _ => apply OrdersEx.Z_as_OT.mod_pos_bound @@ -475,6 +271,10 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) | _ => lia end. + Ltac le_lt := + (rewrite Le.Z.le_sub_1_iff || rewrite <-Le.Z.le_sub_1_iff). + + Hint Rewrite eval_cons using auto : push_eval. Hint Rewrite Associational.eval_sat_mul using lia : push_eval. Hint Rewrite Associational.eval_sat_mul_const using lia : push_eval. Hint Rewrite eval_split using auto : push_eval. 
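Review bot: The new trailing comment says the first reduction scales a limb twice but leaves the reader to find it; the excerpt shows `arg1[7]` multiplied by `0x26` into both `x15`/`x16` and `x19`/`x20` (within the excerpt only `x15` and `x20` are consumed), so name it: `(* TODO: first reduction scales arg1[7] by 0x26 twice (x15/x16 and x19/x20) *)`. The second `Time Compute` reifies `reduce_full` but is still labelled `"mul"`, the same name the removed generated output used for the product, which could collide if both are ever emitted together; a name such as `"reduce"` would be clearer. The generated output for that second call is not recorded, unlike the `mul` output this hunk removes.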
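Review bot: `weight_comp` now unfolds `machine_wordsize` itself, so the `weight_comp; unfold machine_wordsize; lia.` at the end of the canon lemma in the hunk at old line 825 carries a redundant `unfold` (harmless as far as I recall, since `unfold` of an absent constant does not fail, but misleading); make it `weight_comp; lia.` there or keep the unfold out of the tactic. Wrapping every rewrite in `try` means a rewrite that stops matching no longer flags itself, which is acceptable for a normalisation tactic but worth stating: `(* Normalise weight into an explicit power of two; each rewrite is optional because not every goal mentions every form *)`.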
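Review bot: `le_lt` has no comment and its `||` makes it order-dependent: it first rewrites some `_ < _` into `_ <= _ - 1` and only when no `<` occurrence exists rewrites the other way, so on a goal containing both forms only the `<` is converted. A comment such as `(* Flip between a < b and a <= b - 1, forward direction first *)` would make the callers' `le_lt. etransitivity.` pattern readable. The two extra blank `+` lines before `Hint Rewrite eval_cons` can go.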
@@ -482,27 +282,52 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) Hint Rewrite Rows.flatten_mod using (eauto using Rows.length_from_associational) : push_eval. Hint Rewrite Rows.flatten_correct using (eauto using Rows.length_from_associational) : push_eval. Hint Rewrite eval_add_to_nth using auto : push_eval. - Hint Rewrite (@fst_pair) : push_eval. - Hint Rewrite (@snd_pair) : push_eval. + Hint Rewrite cons_length : push_length. Hint Rewrite app_length : push_length. Hint Rewrite (@ListUtil.length_snoc) : push_length. Hint Rewrite (@nil_length0) : push_length. Hint Rewrite seq_length : push_length. Hint Rewrite map_length : push_length. Hint Rewrite firstn_length : push_length. + Hint Rewrite @skipn_length : push_length. Hint Rewrite Rows.length_flatten using (eauto using Rows.length_from_associational) : push_length. Hint Rewrite length_partition : push_length. + Hint Rewrite length_add_to_nth : push_length. Hint Rewrite map_app : push_misc. Hint Rewrite (@combine_app_samelength) using (autorewrite with push_length; lia) : push_misc. + Hint Rewrite @combine_nil_r : push_misc. Hint Rewrite fold_right_app : push_misc. Hint Rewrite (@firstn_map) : push_misc. Hint Rewrite firstn_seq : push_misc. + Hint Rewrite seq_add : push_misc. Hint Rewrite map_map : push_misc. Hint Rewrite <-seq_shift : push_misc. + Hint Rewrite in_map_iff : push_misc. + Hint Rewrite firstn_app : push_misc. + Hint Rewrite @skipn_app : push_misc. + Hint Rewrite @skipn_0 : push_misc. + Hint Rewrite (@fst_pair) : push_misc. + Hint Rewrite (@snd_pair) : push_misc. + Hint Rewrite Nat.sub_diag : push_misc. + Hint Rewrite app_nil_r : push_misc. + Hint Rewrite app_nil_l : push_misc. + + Hint Resolve in_or_app : core. + Hint Resolve in_eq : core. + Hint Resolve in_cons : core. + + Ltac push := + autorewrite with push_eval push_length push_misc zsimplify_const; + auto. - Ltac push := autorewrite with push_eval push_length push_misc. 
+ Lemma seq_double : forall n, + seq 0 (2 * n) = seq 0 n ++ seq n n. + Proof. + intros n; replace (2*n)%nat with (n+n)%nat; push; lia. + Qed. + Hint Rewrite seq_double : push_misc. Section canon. @@ -538,7 +363,7 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) destruct H as [ Hlen Hpart ] | H1 : In _ ?p, H2 : ?p = _ |- _ => rewrite H2 in H1; - rewrite in_map_iff in H1 + autorewrite with push_misc in H1 | H : context[exists _, _] |- _ => destruct H | H : _ = ?x |- 0 <= ?x => rewrite <-H | H : _ = ?x |- ?x < _ => rewrite <-H @@ -578,7 +403,12 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) Proof. intros. rewrite canonical_iff in *. - intuition; apply H1; simpl; eauto. + intuition; + repeat multimatch goal with + | H : context[_ <= _ < _] |- _ => apply H + | _ => cbn + | _ => auto + end. Qed. Lemma canonical_app_l n n1 n2 l l1 l2 : @@ -590,9 +420,13 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) canonical_repr n1 l1. Proof. intros. - intuition; - rewrite canonical_iff in *; - intuition; apply H5; rewrite H3; apply in_or_app; eauto. + rewrite canonical_iff in *; intuition; + repeat multimatch goal with + | H : context[_ <= _ < _] |- _ => apply H + | H : ?x = _ ++ _ |- In _ ?x => rewrite H + | _ => cbn + | _ => auto + end. Qed. Lemma canonical_app_r n n1 n2 l l1 l2 : 
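Review bot: `push` now ends in `auto`, so it can close goals and its result depends on the `core` hint database, which this same hunk extends with `in_or_app`, `in_eq` and `in_cons`; every `| _ => push` arm in the later proofs inherits that. Say so on the tactic: `(* Rewrite with push_eval/push_length/push_misc/zsimplify_const, then try to close the goal with auto *)`. Moving `fst_pair`/`snd_pair` out of `push_eval` and adding `in_map_iff`, `seq_double` and `skipn_0` to `push_misc` also changes what a bare `autorewrite with push_eval` or `autorewrite with push_misc in H` does (the hunk at old line 538 now relies on `in_map_iff` being there), which the one-word commit message does not mention. `seq_double` is stated only for `seq 0` even though `seq_add` is in the same database, presumably because `2*n` is not syntactically `n+n`; a comment saying so would stop the next reader from deleting it as redundant.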
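Review bot: The `repeat multimatch` that finishes this proof (its lemma statement is above the hunk) reappears with one extra arm in `canonical_app_l` (hunk at old line 590) and identically again in `canonical_app_r` (hunk at old line 604); the four-arm version subsumes this three-arm one, so a single named tactic would serve all three, e.g. `Ltac canonical_in := repeat multimatch goal with | H : context[_ <= _ < _] |- _ => apply H | H : ?x = _ ++ _ |- In _ ?x => rewrite H | _ => cbn | _ => auto end.` with the proofs becoming `rewrite canonical_iff in *; intuition; canonical_in.`. The `apply H` arm applies whichever hypothesis mentions a bounded range, which presumably works because `canonical_iff` yields exactly one such hypothesis; that assumption is worth a comment on the tactic.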
@@ -604,15 +438,20 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) canonical_repr n2 l2. Proof. intros. - intuition; - rewrite canonical_iff in *; - intuition; apply H5; rewrite H3; apply in_or_app; eauto. + rewrite canonical_iff in *; intuition; + repeat multimatch goal with + | H : context[_ <= _ < _] |- _ => apply H + | H : ?x = _ ++ _ |- In _ ?x => rewrite H + | _ => cbn + | _ => auto + end. Qed. Lemma fold_right_add : forall l x, fold_right Z.add x l = x + fold_right Z.add 0 l. Proof. - induction l; intros; cbn; try rewrite IHl; lia. + intros l x. + induction l as [ | l' IHl ]; cbn; try rewrite IHl; lia. Qed. Definition eval_weight_P p := 
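Review bot: In `fold_right_add`, `induction l as [ | l' IHl ]` supplies only two names for the cons case, which introduces three (head, tail, induction hypothesis); if I read the intro pattern right, `l'` becomes the head, `IHl` the tail, and the induction hypothesis gets an auto-generated name, so `try rewrite IHl` silently does nothing and `lia` closes the goal only because it picks the unnamed hypothesis up from the context. Use `induction l as [ | a l' IHl ]; cbn; try rewrite IHl; lia.` so the names mean what they say.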
@@ -625,44 +464,42 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) Proof. apply (ListAux.list_length_induction Z). unfold eval_weight_P. - intros. + intros l1 H n. pose proof (@break_list_last Z l1). + cbv [eval_weight_P eval Associational.eval to_associational] in *. intuition; - repeat match goal with + repeat multimatch goal with | H : context[exists _, _] |- _ => destruct H - | _ => rewrite eval_nil + | _ => autorewrite with push_eval push_misc | _ => progress subst | _ => lia || auto end. - cbv [eval_weight_P eval Associational.eval to_associational] in *. + destruct (n <=? length x)%nat eqn:E. rewrite Nat.leb_le in E. rewrite combine_truncate_r. rewrite combine_truncate_r with (xs:=map weight (seq 0 (n))). - autorewrite with push_length. + push. apply H. - autorewrite with push_length. + push. rewrite Nat.min_l; lia. rewrite Nat.leb_gt in E. rewrite combine_truncate_l. rewrite combine_truncate_l with (xs:=map weight (seq 0 n)). autorewrite with push_length push_misc. - rewrite Nat.min_l. + rewrite Nat.min_l; [|lia]. rewrite seq_snoc. autorewrite with push_misc. cbn. - rewrite fold_right_add. rewrite fold_right_add with (x:=weight (Datatypes.length x) * x0 + 0). rewrite H. ring_simplify. unfold weight, machine_wordsize. - rewrite uweight_S. - cbn; break_match; try lia. - lia. - autorewrite with push_length; lia. - lia. + rewrite uweight_S; [|lia]. + cbn; break_match; lia. + push. Qed. Lemma eval_weight_S p n: 
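Review bot: `intros l1 H n` names the strong-induction hypothesis `H`, and the proof later does `apply H.` amid several auto-named hypotheses, so a reader cannot tell at a glance that this is the induction step; `intros l1 IHlen n` with `apply IHlen.` would make it explicit. The `destruct (n <=? length x)%nat eqn:E` split that follows the `repeat multimatch` block is the real structure of the proof and deserves a one-line comment such as `(* case split: does the weight prefix cover all of x, or is x longer than n? *)`.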
@@ -673,64 +510,40 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) unfold eval_weight_P in *. auto. Qed. + Hint Rewrite eval_weight_S : push_eval. Lemma canonical_eval_bounded n : forall (p : list Z), canonical_repr n p -> eval weight n p < weight n. Proof. - intros. - pose proof (canonical_bounded _ _ H). - assert (Hcanon: canonical_repr n p) by assumption. - unfold canonical_repr in H; intuition. + intros p. generalize dependent n. - induction p; intros. - { simpl in H1; subst. - vm_compute. - eauto. } - { simpl in H1; subst. - rewrite eval_cons. - autorewrite with zsimplify_const. - rewrite eval_weight_S. - assert (a + eval weight (Datatypes.length p) p * weight 1 < 2^machine_wordsize + eval weight (Datatypes.length p) p * weight 1). - rewrite <-OrdersEx.Z_as_OT.add_lt_mono_r. - apply H0. - simpl. - left. - reflexivity. - rewrite <-Le.Z.le_sub_1_iff. - rewrite <-Le.Z.le_sub_1_iff in H. - etransitivity. - apply H. - assert (2 ^ machine_wordsize + eval weight (Datatypes.length p) p * weight 1 <= 2 ^ machine_wordsize + (weight (Datatypes.length p) - 1) * weight 1). - rewrite <-OrdersEx.Z_as_OT.add_le_mono_l. - rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r. - rewrite Le.Z.le_sub_1_iff. - apply IHp. - intros. - apply H0. - simpl. - eauto. - eapply canonical_cons; eauto. - reflexivity. - apply canonical_cons in Hcanon. - unfold canonical_repr in Hcanon. - intuition. - apply wprops. - rewrite OrdersEx.Z_as_OT.sub_le_mono_r with (p:=1) in H1. + induction p; intros; destruct n; + repeat multimatch goal with + | H : canonical_repr _ (_ :: _) |- _ => + let H' := fresh "H" in + assert (H' := H); + pose proof (canonical_bounded _ _ H'); + unfold canonical_repr in H'; + apply canonical_cons in H + | H : context[length _] |- _ => autorewrite with push_length in H; rewrite <-H + | _ => push + | _ => intuition + | _ => ring_simplify + | _ => auto || lia + end. + cbn; lia. + le_lt. etransitivity. - apply H1. - weight_comp. 
- rewrite <-OrdersEx.Z_as_OT.sub_le_mono_r. - rewrite Nat2Z.inj_succ. - rewrite OrdersEx.Z_as_OT.mul_succ_r. - rewrite OrdersEx.Z_as_OT.pow_add_r. + solve_ineq. + le_lt. + apply H1; auto. + rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r; auto. + le_lt; auto. ring_simplify. - reflexivity. - lia. - lia. - lia. - lia. - lia. } + solve_ineq. + rewrite H2. + weight_comp; lia. Qed. Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := @@ -825,19 +638,14 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) | _ => progress cbn || intuition | _ => lia || auto || reflexivity || discriminate end. - rewrite <-Le.Z.le_sub_1_iff. + le_lt. etransitivity. solve_ineq. break_match; eauto. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r. - lia. - rewrite Le.Z.le_sub_1_iff. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r; try lia. + le_lt. apply IHp; auto. - weight_comp. - unfold machine_wordsize. - lia. - lia. - lia. + weight_comp; unfold machine_wordsize; lia. Qed. End canon. @@ -950,6 +758,7 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) intros; cbv [sat_reduce] in *; cbv [s' lo_hi coef]. autorewrite with push_eval; lia. Qed. + Hint Rewrite value_sat_reduce : push_eval. Lemma adjust_s_invariant fuel s (s_nz:s<>0) : fst (Saturated.Rows.adjust_s weight fuel s) mod s = 0 @@ -1025,12 +834,6 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) let r_flat := Saturated.Rows.flatten weight m r_rows in fst r_flat. - Definition reduce base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) (S n) p in - let r2 := reduce1 base s c (S n) (S n) (r1) in - let r3 := reduce1 base s c (S n) (n) (r2) in - r3. - Definition reduce_full base s c n (p : list Z) := let r1 := reduce1 base s c (2*n) (S n) p in let bound := (0, 2^machine_wordsize - 1) in 
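Review bot: After the big `repeat multimatch ... intuition ...` block, the rest of `canonical_eval_bounded` leans on auto-generated names (`apply H1; auto.`, `rewrite H2.`) whose identity depends on the order in which `intuition` splits the `canonical_repr`/`canonical_bounded` facts, so any change to the hint databases `push` uses can rename them and break the proof far from the edit. Select them by shape instead, with a `match goal with | H : <shape> |- _ => apply H end` for each, or name them with `as` patterns when they are introduced. The tail (`le_lt. etransitivity. solve_ineq. ... weight_comp; lia.`) would also read better with bullets separating the two `etransitivity` subgoals.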
@@ -1056,35 +859,27 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) Proof. intros. generalize dependent l2. - induction l1; intros. - { reflexivity. } - { simpl. - destruct l2 eqn:E. - simpl in H0. - discriminate. - match goal with - | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by eauto - end. - rewrite split_app. - rewrite IHl1. - cbn [fst snd]. - simpl. - assert (In a (a :: l1)) by apply in_eq. - apply H in H1. - assert (a mod w = a). - { apply Z.mod_small. - lia. } - rewrite H2. - destruct (a =? 0) eqn:E1. - rewrite Z.eqb_eq in E1. - lia. - reflexivity. - intros. - apply H. - apply in_cons. - assumption. - simpl in H0. - lia. } + induction l1; intros; destruct l2; + repeat multimatch goal with + | _ => push + | _ => cbn + | _ => auto + end. + + match goal with + | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by eauto + end. + rewrite split_app. + pose proof (H a ltac:(auto)). + rewrite IHl1. + cbn. + replace (a mod w) with a. + destruct (a =? 0) eqn:E. + lia. + reflexivity. + rewrite Z.mod_small; lia. + auto. + auto. Qed. Lemma split_gt w l1 l2: @@ -1159,6 +954,17 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) lia. Qed. + Lemma weight_mono_le x1 x2 : + (x1 <= x2)%nat -> + weight x1 <= weight x2. + Proof. + intros H. + apply le_lt_or_eq in H. + intuition. + pose proof (weight_mono x1 x2 ltac:(auto)); lia. + subst; lia. + Qed. + Context (base : Z) (s : Z) (c : list (Z * Z)) 
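Review bot: After `rewrite IHl1.` the `split_lt` proof discharges the remaining obligations by position (`rewrite Z.mod_small; lia. auto. auto.`), so a reader cannot tell which side condition each line closes, and a change to `IHl1`'s premise order would silently shift them; use `[ | | ]` goal selectors or bullets so each side condition sits next to its goal. `pose proof (H a ltac:(auto)).` likewise leaves an unnamed fact for `lia` to find; `pose proof (H a ltac:(auto)) as Ha.` makes the dependency visible.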
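Review bot: `weight_mono_le` has no header comment and its proof relies on `intuition` splitting the `le_lt_or_eq` disjunction into subgoals in a fixed order before `pose proof ... lia` and `subst; lia`; a `destruct (le_lt_or_eq _ _ H) as [Hlt | Heq]` with bullets would make the two cases explicit. Suggested header: `(* Non-strict version of weight_mono: weight is monotone in its index. *)`.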
@@ -1172,210 +978,296 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) (coef_small : weight n / s * Associational.eval c < up_bound). - Theorem eval_mul_no_reduce : forall p q, - Positional.eval weight (2 * n) (mul_no_reduce base n p q) = - Positional.eval weight n p * Positional.eval weight n q. - Proof using base_nz n_gt_1 wprops. - intros. - cbv [mul_no_reduce]. - break_match. - (* properly bounded *) - autorewrite with push_eval. - apply Z.mod_small. - repeat match goal with - | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb - | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H - | _ => progress intuition - | _ => solve_ineq - end. - rewrite <-Le.Z.le_sub_1_iff. - etransitivity. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto. - rewrite Le.Z.le_sub_1_iff. - replace (weight (2 * n)) with (weight n * weight n). - solve_ineq. - weight_comp. - rewrite <-OrdersEx.Z_as_OT.pow_mul_r. - f_equal. - lia. - lia. - lia. + Section mul_no_reduce. - (* not bounded *) - push. - ring_simplify. - rewrite <-Z_div_mod_eq. - auto. - rewrite Z.gt_lt_iff. - auto. - push. - lia. - push. - lia. - Qed. - - Lemma split_p : forall p lo hi, - p = lo ++ [hi] -> - canonical_repr (S n) p -> - (split (weight n) [(weight n, hi)] = ([], [(1, hi)])) /\ - (split (weight n) (combine (map weight (seq 0 n)) lo) = - ((combine (map weight (seq 0 n)) lo), [])). - Proof. - intros. - intuition. - { intros. - unfold split. - simpl. - assert (weight n mod weight n = 0) by (apply Z_mod_same_full). - rewrite H1. - simpl. - assert (weight n / weight n = 1) by - auto using Z_div_same, Z.lt_gt, weight_positive. - rewrite H2. - reflexivity. } - { apply split_lt. - intros. - rewrite in_map_iff in H1. - destruct H1. - intuition. - rewrite <-H2. - auto. - rewrite <-H2. - rewrite in_seq in H3. - intuition. - simpl in H4. - apply weight_mono. - lia. 
- rewrite map_length. - rewrite seq_length. - solve_length p. } - Qed. - - Lemma reduce_in_range : forall m x, - x < weight 1 - weight 0 -> - x + weight m < weight (S m). - Proof. - intros. - rewrite OrdersEx.Z_as_DT.lt_add_lt_sub_r. - induction m. - auto. - etransitivity. - apply IHm. - unfold weight. - rewrite uweight_S. - rewrite uweight_S. - rewrite <-uweight_S at 1. - rewrite <-OrdersEx.Z_as_OT.mul_sub_distr_l. - rewrite Z.mul_comm. - rewrite <-OrdersEx.Z_as_OT.lt_mul_diag_r. - simpl; lia. - rewrite OrdersEx.Z_as_OT.lt_0_sub. - fold weight. - apply weight_mono'. - lia. - lia. - lia. - Qed. - - Lemma map_weight_seq : forall m p, - map weight (seq 0 p) = map (fun t => t / (weight m)) (map weight (seq m p)). - Proof. - induction m; intros. - { generalize dependent (map weight (seq 0 p)). - intros. - erewrite map_ext. - symmetry. - eapply map_id. + Theorem eval_mul_no_reduce : forall p q, + Positional.eval weight (2 * n) (mul_no_reduce base n p q) = + Positional.eval weight n p * Positional.eval weight n q. + Proof using base_nz n_gt_1 wprops. intros. - rewrite weight_0. - rewrite Z.div_1_r. - lia. - auto. } - { rewrite IHm. - rewrite <-map_S_seq. - rewrite !map_map. - apply map_ext_Forall. - rewrite Forall_forall. - intros. - rewrite in_seq in H. + cbv [mul_no_reduce]. + break_match. + (* properly bounded *) + push. + apply Z.mod_small. + repeat match goal with + | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb + | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H + | _ => progress intuition + | _ => solve_ineq + end. + le_lt. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto. + le_lt. + replace (weight (2 * n)) with (weight n * weight n). + solve_ineq. weight_comp. - rewrite <-OrdersEx.Z_as_OT.pow_add_r. - rewrite <- !OrdersEx.Z_as_OT.pow_sub_r. + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. f_equal. lia. lia. lia. - lia. - lia. - lia. - lia. - lia. - lia. } - Qed. 
- Lemma split_p' : forall (p lo hi : list Z), - p = lo ++ hi -> - canonical_repr (2 * n) p -> - length lo = n -> - split (weight n) (combine (map weight (seq 0 n)) lo) = (combine (map weight (seq 0 n)) lo, []) /\ - split (weight n) (combine (map weight (seq n n)) hi) = ([], combine (map weight (seq 0 n)) hi). - Proof. - intros. - intuition. - { apply split_lt. - intros. - rewrite in_map_iff in H2. - destruct H2. - intuition; rewrite <-H3. + (* not bounded *) + push. + ring_simplify. + rewrite <-Z_div_mod_eq. + auto. + rewrite Z.gt_lt_iff. auto. - rewrite in_seq in H4. - apply weight_mono. + push. lia. - rewrite map_length. - rewrite seq_length. - auto. } - { rewrite map_weight_seq with (m:=n). - apply split_gt. + push. + Qed. + Hint Rewrite eval_mul_no_reduce : push_eval. + + Theorem length_mul_no_reduce : forall p q, + length (mul_no_reduce base n p q) = (2 * n)%nat. + Proof. + intros; unfold mul_no_reduce; break_match; push. + Qed. + + End mul_no_reduce. + + Section reduce1. + + Lemma reduce1_length : forall p m1 m2, + length (reduce1 base s c m1 m2 p) = m2. + Proof. + intros; unfold reduce1; push. + Qed. + Hint Rewrite reduce1_length : push_length. + + End reduce1. + + Section reduce_first. + + Lemma split_p : forall p lo hi, + p = lo ++ [hi] -> + canonical_repr (S n) p -> + (split (weight n) [(weight n, hi)] = ([], [(1, hi)])) /\ + (split (weight n) (combine (map weight (seq 0 n)) lo) = + ((combine (map weight (seq 0 n)) lo), [])). + Proof. intros. - rewrite in_map_iff in H2. - destruct H2. - intuition; rewrite <-H3. - apply Weight.weight_multiples_full. - auto. + intuition. + { intros. + unfold split. + simpl. + assert (weight n mod weight n = 0) by (apply Z_mod_same_full). + rewrite H1. + simpl. + assert (weight n / weight n = 1) by + auto using Z_div_same, Z.lt_gt, weight_positive. + rewrite H2. + reflexivity. } + { apply split_lt. + intros. + rewrite in_map_iff in H1. + destruct H1. + intuition. + rewrite <-H2. + auto. + rewrite <-H2. 
+ rewrite in_seq in H3. + intuition. + simpl in H4. + apply weight_mono. + lia. + rewrite map_length. + rewrite seq_length. + solve_length p. } + Qed. + + Lemma reduce_in_range : forall m x, + x < weight 1 - weight 0 -> + x + weight m < weight (S m). + Proof. + intros. + rewrite OrdersEx.Z_as_DT.lt_add_lt_sub_r. + induction m. auto. - rewrite in_seq in H4. + etransitivity. + apply IHm. + unfold weight. + rewrite uweight_S. + rewrite uweight_S. + rewrite <-uweight_S at 1. + rewrite <-OrdersEx.Z_as_OT.mul_sub_distr_l. + rewrite Z.mul_comm. + rewrite <-OrdersEx.Z_as_OT.lt_mul_diag_r. + simpl; lia. + rewrite OrdersEx.Z_as_OT.lt_0_sub. + fold weight. + apply weight_mono'. lia. - rewrite map_length, seq_length. - solve_length p. } - Qed. + lia. + lia. + Qed. + + Lemma map_weight_seq : forall m p, + map weight (seq 0 p) = map (fun t => t / (weight m)) (map weight (seq m p)). + Proof. + induction m; intros. + { generalize dependent (map weight (seq 0 p)). + intros. + erewrite map_ext. + symmetry. + eapply map_id. + intros. + rewrite weight_0. + rewrite Z.div_1_r. + lia. + auto. } + { rewrite IHm. + push. + apply map_ext_Forall. + rewrite Forall_forall. + intros. + rewrite in_seq in H. + weight_comp; try lia. + rewrite <-!OrdersEx.Z_as_OT.pow_add_r; try lia. + rewrite <-!OrdersEx.Z_as_OT.pow_sub_r; try lia. + f_equal. + lia. } + Qed. + + Lemma split_p' : forall (p lo hi : list Z), + p = lo ++ hi -> + canonical_repr (2 * n) p -> + length lo = n -> + split (weight n) (combine (map weight (seq 0 n)) lo) = (combine (map weight (seq 0 n)) lo, []) /\ + split (weight n) (combine (map weight (seq n n)) hi) = ([], combine (map weight (seq 0 n)) hi). + Proof. + intros. + intuition. + { apply split_lt. + intros. + rewrite in_map_iff in H2. + destruct H2. + intuition; rewrite <-H3. + auto. + rewrite in_seq in H4. + apply weight_mono. + lia. + rewrite map_length. + rewrite seq_length. + auto. } + { rewrite map_weight_seq with (m:=n). + apply split_gt. + intros. 
+ rewrite in_map_iff in H2.
+ destruct H2.
+ intuition; rewrite <-H3.
+ apply Weight.weight_multiples_full.
+ auto.
+ auto.
+ rewrite in_seq in H4.
+ lia.
+ rewrite map_length, seq_length.
+ solve_length p. }
+ Qed.
- Lemma reduce_first_canonical : forall (p lo hi : list Z),
- p = lo ++ hi ->
- canonical_repr (2 * n) p ->
- length lo = n ->
- canonical_repr (S n) (reduce1 base s c (2*n) (S n) p).
- Proof.
- intros.
- unfold reduce1, canonical_repr.
- split.
- { rewrite Rows.flatten_correct.
- cbn [fst].
- auto with push_length.
- auto.
+ Lemma split_p_first_lo : forall p,
+ length p = (2 * n)%nat ->
+ split (weight n) (combine (map weight (seq 0 n)) (firstn n p)) = (combine (map weight (seq 0 n)) (firstn n p), []).
+ Proof.
+ intros p Hlen.
+ rewrite split_lt;
+ repeat multimatch goal with
+ | H : _ |- _ => autorewrite with push_misc in H
+ | H : _ |- _ => rewrite in_seq in H
+ | _ => rewrite min_l
+ | _ => rewrite map_weight_seq with (m:=n)
+ | _ => apply Weight.weight_multiples_full
+ | H : context[exists _, _] |- _ => destruct H
+ | H : _ = ?x |- context[?x] => rewrite <-H
+ | _ => unfold weight; rewrite <-uweight_sum_indices; fold weight
+ | _ => push
+ | _ => apply Z.div_lt_upper_bound
+ | _ => apply Z.div_str_pos
+ | _ => apply weight_mono
+ | _ => apply weight_mono_le
+ | _ => intuition
+ | _ => auto || lia
+ end.
+ Qed.
+ Hint Rewrite split_p_first_lo using auto : push_eval.
+
+ Lemma split_p_first_hi : forall p,
+ length p = (2 * n)%nat ->
+ split (weight n) (combine (map weight (seq n n)) (skipn n p)) = ([], combine (map weight (seq 0 n)) (skipn n p)).
+ Proof.
+ intros p Hlen.
+ rewrite split_gt;
+ repeat multimatch goal with
+ | H : _ |- _ => autorewrite with push_misc in H
+ | H : _ |- _ => rewrite in_seq in H
+ | _ => rewrite min_l
+ | _ => rewrite map_weight_seq with (m:=n)
+ | _ => apply Weight.weight_multiples_full
+ | H : context[exists _, _] |- _ => destruct H
+ | H : _ = ?x |- context[?x] => rewrite <-H
+ | _ => unfold weight; rewrite <-uweight_sum_indices; fold weight
+ | _ => push
+ | _ => apply Z.div_lt_upper_bound
+ | _ => apply Z.div_str_pos
+ | _ => apply weight_mono
+ | _ => apply weight_mono_le
+ | _ => intuition
+ | _ => auto || lia
+ end.
+ Qed.
+ Hint Rewrite split_p_first_hi using auto : push_eval.
+
+ Lemma value_reduce_first' : forall (p : list Z),
+ length p = (2 * n)%nat ->
+ let q := reduce1 base s c (2 * n) (S n) p in
+ let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in
+ let coef := Associational.sat_mul_const base [(1, s'/s)] c in
+ eval weight (S n) q = Associational.eval coef * eval weight n (skipn n p) + eval weight n (firstn n p).
+ Proof.
+ intros p Hlen ? ? ?.
+ cbv [q s' coef reduce1 to_associational].
+ pose proof (firstn_skipn n p) as Hp.
+ symmetry in Hp.
+ rewrite Hp.
+ push.
+ rewrite Hlen.
+ rewrite min_l; try lia.
+ erewrite !adjust_s_finished; try eapply solinas_property; try lia.
+ push.
+ rewrite skipn_all with (xs := firstn n p).
+ rewrite firstn_all with (xs := firstn n p).
+ push.
+ solve_ineq.
+ split;
+ solve_ineq.
+ all: admit.
+ Admitted.
+
+ Lemma value_reduce_first : forall (p lo hi : list Z),
+ p = lo ++ hi ->
+ canonical_repr (2 * n) p ->
+ length lo = n ->
+ let q := reduce1 base s c (2 * n) (S n) p in
+ let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in
+ let coef := Associational.sat_mul_const base [(1, s'/s)] c in
+ eval weight (S n) q = Associational.eval coef * eval weight n hi + eval weight n lo.
+ Proof.
 intros.
- eapply Rows.length_from_associational; eauto. }
- { pose proof (split_p' _ _ _ H H0 H1) as Hsplit.
+ pose proof (split_p' _ _ _ H H0 H1) as Hsplit. destruct Hsplit as [ Hlo Hhi ]. - rewrite Rows.flatten_correct. - cbn [fst]. - rewrite Partition.eval_partition. - f_equal. - apply Z.mod_small_sym. - rewrite Rows.eval_from_associational. + canonical_app p. + replace (length hi) with n in * by (solve_length p). + replace (length lo) with n in *. + unfold q, reduce1. rewrite H. - rewrite value_sat_reduce. - erewrite adjust_s_finished; try apply solinas_property. + rewrite Rows.flatten_mod, Rows.eval_from_associational, value_sat_reduce. unfold to_associational. + cbn [fst snd]. + erewrite adjust_s_finished; try apply solinas_property. replace (2 * n)%nat with (n + n)%nat by lia. rewrite seq_add. rewrite Nat.add_0_l. @@ -1385,15 +1277,16 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) cbn [fst snd]. rewrite Hlo, Hhi. autorewrite with push_eval zsimplify_const. + cbn [snd]. + unfold coef, s'. + autorewrite with push_eval zsimplify_const. + erewrite adjust_s_finished; try apply solinas_property. cbn [fst snd]. - canonical_app p. - replace (length lo) with n in Hcanon_l by (solve_length p). - replace (length hi) with n in Hcanon_r. + rewrite Z.mod_small. + reflexivity. split. - solve_ineq. - apply canonical_pos; auto. - apply canonical_pos; auto. + solve_ineq; apply canonical_pos; auto. etransitivity. solve_ineq. apply Z.mul_lt_mono_nonneg. 
@@ -1405,222 +1298,235 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) weight_comp. rewrite Z.mul_comm. rewrite Zred_factor3. - apply Zmult_lt_compat_l. + rewrite Z.mul_comm. + apply Zmult_lt_compat_r. lia. - simpl; lia. + simpl. lia. lia. - solve_length p. - rewrite map_length, seq_length; auto. lia. lia. lia. - auto. + rewrite map_length, seq_length. + solve_length lo. + lia. + lia. lia. auto. + lia. auto. - eapply Rows.length_from_associational; eauto. } - Qed. - - Lemma value_reduce_first : forall (p lo hi : list Z), - p = lo ++ hi -> - canonical_repr (2 * n) p -> - length lo = n -> - let q := reduce1 base s c (2 * n) (S n) p in - let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in - let coef := Associational.sat_mul_const base [(1, s'/s)] c in - eval weight (S n) q = Associational.eval coef * eval weight n hi + eval weight n lo. - Proof. - intros. - pose proof (split_p' _ _ _ H H0 H1) as Hsplit. - destruct Hsplit as [ Hlo Hhi ]. - canonical_app p. - replace (length hi) with n in * by (solve_length p). - replace (length lo) with n in *. - unfold q, reduce1. - rewrite H. - rewrite Rows.flatten_mod, Rows.eval_from_associational, value_sat_reduce. - unfold to_associational. - cbn [fst snd]. - erewrite adjust_s_finished; try apply solinas_property. - replace (2 * n)%nat with (n + n)%nat by lia. - rewrite seq_add. - rewrite Nat.add_0_l. - rewrite map_app. - rewrite combine_app_samelength. - rewrite fst_split_app, snd_split_app. - cbn [fst snd]. - rewrite Hlo, Hhi. - autorewrite with push_eval zsimplify_const. - cbn [snd]. - unfold coef, s'. - autorewrite with push_eval zsimplify_const. - erewrite adjust_s_finished; try apply solinas_property. - cbn [fst snd]. + intros. + eapply Rows.length_from_associational; eauto. + Qed. - rewrite Z.mod_small. - reflexivity. - split. - solve_ineq; apply canonical_pos; auto. - etransitivity. - solve_ineq. - apply Z.mul_lt_mono_nonneg. - solve_ineq. - eauto. - apply canonical_pos; auto. 
- apply canonical_eval_bounded; auto.
- apply canonical_eval_bounded; auto.
- weight_comp.
- rewrite Z.mul_comm.
- rewrite Zred_factor3.
- apply Zmult_lt_compat_l.
- lia.
- simpl.
- lia.
- lia.
- lia.
- lia.
- lia.
- rewrite map_length, seq_length.
- solve_length lo.
- lia.
- lia.
- lia.
- auto.
- lia.
- auto.
- intros.
- eapply Rows.length_from_associational; eauto.
- Qed.
+ Lemma reduce_first_canonical : forall (p lo hi : list Z),
+ p = lo ++ hi ->
+ canonical_repr (2 * n) p ->
+ length lo = n ->
+ canonical_repr (S n) (reduce1 base s c (2*n) (S n) p).
+ Proof.
+ intros.
+ unfold reduce1, canonical_repr.
+ split.
+ { rewrite Rows.flatten_correct.
+ cbn [fst].
+ auto with push_length.
+ auto.
+ intros.
+ eapply Rows.length_from_associational; eauto. }
+ { pose proof (split_p' _ _ _ H H0 H1) as Hsplit.
+ destruct Hsplit as [ Hlo Hhi ].
+ rewrite Rows.flatten_correct.
+ cbn [fst].
+ rewrite Partition.eval_partition.
+ f_equal.
+ apply Z.mod_small_sym.
+ rewrite Rows.eval_from_associational.
+ rewrite H.
+ rewrite value_sat_reduce.
+ erewrite adjust_s_finished; try apply solinas_property.
+ unfold to_associational.
+ replace (2 * n)%nat with (n + n)%nat by lia.
+ rewrite seq_add.
+ rewrite Nat.add_0_l.
+ rewrite map_app.
+ rewrite combine_app_samelength.
+ rewrite fst_split_app, snd_split_app.
+ cbn [fst snd].
+ rewrite Hlo, Hhi.
+ autorewrite with push_eval zsimplify_const.
+ cbn [fst snd].
+
+ canonical_app p.
+ replace (length lo) with n in Hcanon_l by (solve_length p).
+ replace (length hi) with n in Hcanon_r.
+ split.
+ solve_ineq.
+ apply canonical_pos; auto.
+ apply canonical_pos; auto.
+ etransitivity.
+ solve_ineq.
+ apply Z.mul_lt_mono_nonneg.
+ solve_ineq.
+ eauto.
+ apply canonical_pos; auto.
+ apply canonical_eval_bounded; auto.
+ apply canonical_eval_bounded; auto.
+ weight_comp.
+ rewrite Z.mul_comm.
+ rewrite Zred_factor3.
+ rewrite Z.mul_comm.
+ apply Zmult_lt_compat_r.
+ lia.
+ simpl; lia.
+ lia.
+ lia.
+ solve_length p.
+ rewrite map_length, seq_length; auto.
+ lia.
+ lia.
+ lia.
+ auto.
+ lia.
+ auto.
+ auto.
+ eapply Rows.length_from_associational; eauto. }
+ Qed.
- Lemma reduce_first : forall (p lo hi : list Z),
- p = lo ++ hi ->
- canonical_repr (2 * n) p ->
- length lo = n ->
- forall q_lo q_hi,
- let q := reduce1 base s c (2*n) (S n) p in
- q = q_lo ++ [q_hi] ->
- q_hi < up_bound.
- Proof.
- intros.
- pose proof (value_reduce_first _ _ _ H H0 H1).
- pose proof (reduce_first_canonical _ _ _ H H0 H1) as Hcanon.
- fold q in Hcanon.
+ Lemma reduce_first : forall (p lo hi : list Z),
+ p = lo ++ hi ->
+ canonical_repr (2 * n) p ->
+ length lo = n ->
+ forall q_lo q_hi,
+ let q := reduce1 base s c (2*n) (S n) p in
+ q = q_lo ++ [q_hi] ->
+ q_hi < up_bound.
+ Proof.
+ intros.
+ pose proof (value_reduce_first _ _ _ H H0 H1).
+ pose proof (reduce_first_canonical _ _ _ H H0 H1) as Hcanon.
+ fold q in Hcanon.
+
+ pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (n) pf as Hnth.
+ assert (Hcanon' := Hcanon).
+ unfold canonical_repr in Hcanon'.
+ destruct Hcanon' as [ _ Hpart ].
+ rewrite <-Hpart in Hnth.
+ rewrite H2 in Hnth at 1.
+ rewrite nth_default_app in Hnth.
+ destruct lt_dec in Hnth.
+ solve_length q.
+ replace (length q_lo) with n in Hnth by (solve_length q).
+ rewrite Nat.sub_diag in Hnth.
+ unfold nth_default in Hnth.
+ simpl in Hnth.
+ rewrite Hnth.
+ unfold q.
+ apply Z.div_lt_upper_bound.
+ auto.
- pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (n) pf as Hnth.
- assert (Hcanon' := Hcanon).
- unfold canonical_repr in Hcanon'.
- destruct Hcanon' as [ _ Hpart ].
- rewrite <-Hpart in Hnth.
- rewrite H2 in Hnth at 1.
- rewrite nth_default_app in Hnth.
- destruct lt_dec in Hnth.
- solve_length q.
- replace (length q_lo) with n in Hnth by (solve_length q).
- rewrite Nat.sub_diag in Hnth.
- unfold nth_default in Hnth.
- simpl in Hnth.
- rewrite Hnth.
- unfold q.
- apply Z.div_lt_upper_bound.
- auto.
+ canonical_app p.
+ replace (length lo) with n in Hcanon_l.
+ replace (length hi) with n in Hcanon_r by (solve_length p).
+ rewrite H3.
+ autorewrite with push_eval zsimplify_const.
+ erewrite adjust_s_finished; try apply solinas_property.
+ cbn [fst snd].
+ rewrite <-Le.Z.le_sub_1_iff.
+ rewrite Z.mod_small.
+ etransitivity.
+ solve_ineq.
+ rewrite <-Le.Z.le_sub_1_iff in coef_small.
+ apply Z.mul_le_mono_nonneg.
+ solve_ineq.
+ eauto.
+ apply canonical_pos; auto.
+ rewrite Le.Z.le_sub_1_iff.
+ eapply canonical_eval_bounded; auto.
+ rewrite Le.Z.le_sub_1_iff.
+ apply canonical_eval_bounded; auto.
+ ring_simplify.
+ rewrite OrdersEx.Z_as_OT.le_sub_le_add_r.
+ unfold up_bound.
+ weight_comp.
+ simpl.
+ nia.
- canonical_app p.
- replace (length lo) with n in Hcanon_l.
- replace (length hi) with n in Hcanon_r by (solve_length p).
- rewrite H3.
- autorewrite with push_eval zsimplify_const.
- erewrite adjust_s_finished; try apply solinas_property.
- cbn [fst snd].
- rewrite <-Le.Z.le_sub_1_iff.
- rewrite Z.mod_small.
- etransitivity.
- solve_ineq.
- rewrite <-Le.Z.le_sub_1_iff in coef_small.
- apply Z.mul_le_mono_nonneg.
- solve_ineq.
- eauto.
- apply canonical_pos; auto.
- rewrite Le.Z.le_sub_1_iff.
- eapply canonical_eval_bounded; auto.
- rewrite Le.Z.le_sub_1_iff.
- apply canonical_eval_bounded; auto.
- ring_simplify.
- rewrite OrdersEx.Z_as_OT.le_sub_le_add_r.
- unfold up_bound.
- weight_comp.
- simpl.
- nia.
+ split.
+ solve_ineq.
+ apply canonical_pos; auto.
+ apply canonical_pos; auto.
+ etransitivity.
+ solve_ineq.
+ apply Z.mul_lt_mono_nonneg.
+ solve_ineq.
+ eauto.
+ apply canonical_pos; auto.
+ eapply canonical_eval_bounded; auto.
+ eapply canonical_eval_bounded; auto.
+ weight_comp.
+ unfold up_bound, machine_wordsize.
+ rewrite Z.mul_comm.
+ rewrite Zred_factor3.
+ rewrite Z.mul_comm.
+ apply Zmult_lt_compat_r.
+ lia.
+ cbn.
+ lia.
+ lia.
+ lia.
+ lia.
+ lia.
+ lia.
+ Qed.
- split.
- solve_ineq.
- apply canonical_pos; auto.
- apply canonical_pos; auto.
- etransitivity.
- solve_ineq.
- apply Z.mul_lt_mono_nonneg.
- solve_ineq.
- eauto.
- apply canonical_pos; auto.
- eapply canonical_eval_bounded; auto.
- eapply canonical_eval_bounded; auto.
- weight_comp.
- unfold up_bound, machine_wordsize.
- simpl.
- break_match; try lia.
- destruct Heqz; break_match; lia.
- lia.
- lia.
- lia.
- lia.
- lia.
- Qed.
+ Lemma reduce_first_correct : forall (p lo hi : list Z),
+ p = lo ++ hi ->
+ canonical_repr (2 * n) p ->
+ length lo = n ->
+ let q := reduce1 base s c (2 * n) (S n) p in
+ (Positional.eval weight (2 * n) p) mod (s - Associational.eval c)
+ = (Positional.eval weight (S n) q) mod (s - Associational.eval c).
+ Proof.
+ intros.
+ pose proof (value_reduce_first _ _ _ H H0 H1) as Hval.
+ canonical_app p.
+ replace (length hi) with n in Hcanon_r by (solve_length p).
+ replace (length lo) with n in Hcanon_l.
+ unfold q in *.
+ rewrite Hval.
+ rewrite H.
+ unfold weight.
+ replace (2 * n)%nat with (n + (length hi))%nat by (solve_length p).
+ rewrite uweight_eval_app'.
+ replace (length hi) with n by (solve_length hi).
+ fold weight.
+ autorewrite with push_eval zsimplify_const.
+ erewrite adjust_s_finished'; try apply solinas_property.
+ cbn [fst snd].
+ rewrite (Z.add_comm _ (eval weight n lo)).
+ rewrite Z.mul_comm with (m:=Associational.eval c).
+ rewrite <-Z.mul_assoc.
+ rewrite <-reduction_rule.
+ apply Z.elim_mod.
+ rewrite Z.add_cancel_l.
+ rewrite Z.mul_assoc.
+ rewrite <-Z_div_exact_2.
+ lia.
+ lia.
+ pose proof (adjust_s_invariant (S (S (S n))) s) as Hinv.
+ erewrite adjust_s_finished' in Hinv; try apply solinas_property.
+ cbn [fst] in Hinv.
+ apply Hinv.
+ lia.
+ lia.
+ lia.
+ lia.
+ lia.
+ solve_length lo.
+ Qed.
- Lemma reduce_first_correct : forall (p lo hi : list Z),
- p = lo ++ hi ->
- canonical_repr (2 * n) p ->
- length lo = n ->
- let q := reduce1 base s c (2 * n) (S n) p in
- (Positional.eval weight (2 * n) p) mod (s - Associational.eval c)
- = (Positional.eval weight (S n) q) mod (s - Associational.eval c).
- Proof.
- intros. - pose proof (value_reduce_first _ _ _ H H0 H1) as Hval. - canonical_app p. - replace (length hi) with n in Hcanon_r by (solve_length p). - replace (length lo) with n in Hcanon_l. - unfold q in *. - rewrite Hval. - rewrite H. - unfold weight. - replace (2 * n)%nat with (n + (length hi))%nat by (solve_length p). - rewrite uweight_eval_app'. - replace (length hi) with n by (solve_length hi). - fold weight. - autorewrite with push_eval zsimplify_const. - erewrite adjust_s_finished'; try apply solinas_property. - cbn [fst snd]. - rewrite (Z.add_comm _ (eval weight n lo)). - rewrite Z.mul_comm with (m:=Associational.eval c). - rewrite <-Z.mul_assoc. - rewrite <-reduction_rule. - apply Z.elim_mod. - rewrite Z.add_cancel_l. - rewrite Z.mul_assoc. - rewrite <-Z_div_exact_2. - lia. - lia. - pose proof (adjust_s_invariant (S (S (S n))) s) as Hinv. - erewrite adjust_s_finished' in Hinv; try apply solinas_property. - cbn [fst] in Hinv. - apply Hinv. - lia. - lia. - lia. - lia. - lia. - solve_length lo. - Qed. + End reduce_first. Lemma reduce_second_canonical : forall (p : list Z) lo hi, p = lo ++ [hi] -> @@ -2632,13 +2538,14 @@ Finished transaction in 7.129 secs (6.859u,0.198s) (successful) Admitted. Theorem mulmod_correct : forall p q, - canonical_repr n p -> - canonical_repr n q -> Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) = (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). Proof. intros. - + unfold mulmod. + rewrite <-reduce_full_correct. + rewrite <-eval_mul_no_reduce. + auto. admit. Admitted. From 6b3f5d7833f7dc0c2e885cf01142899a35620f14 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Fri, 22 Jul 2022 17:59:13 -0400 Subject: [PATCH 31/69] starting cps implementation + more refactoring --- src/SolinasReduction.v | 249 ++++++++++++++++++++++++----------------- 1 file changed, 147 insertions(+), 102 deletions(-) 
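Review bot: The relocated proofs of reduce_first_canonical, reduce_first and reduce_first_correct close their side goals with long unstructured runs of bare `lia.`, `auto.` and `solve_length p.` after `weight_comp.` and `apply Zmult_lt_compat_r.`, with no bullets or braces, so which goal a given line discharges can only be recovered by replaying the script and any change in goal order from a hint or rewrite breaks them silently. Where the remaining goals are uniform the run could be collapsed, e.g. the six `lia.` lines before `Qed.` in reduce_first as `all: lia.`, and bullets (`-`/`+`) used where they differ; the same applies to the `@@ -1385` hunk just above.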
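Review bot: mulmod_correct still ends in `admit. Admitted.` after the new `rewrite <-reduce_full_correct. rewrite <-eval_mul_no_reduce. auto.`, so the headline statement for mulmod stays unproven while its `canonical_repr n p` / `canonical_repr n q` hypotheses are dropped in the same hunk; it is not visible here whether the weaker statement is actually provable without them. A comment naming the residual goal would help, e.g. `(* TODO: residual goal after the two rewrites is <describe>; the dropped canonical_repr hypotheses are assumed re-derivable *)`. The same holds for value_reduce_first' earlier in this patch, which closes with `all: admit. Admitted.`; anything synthesized on top of these lemmas currently rests on unproven arithmetic.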
diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index a7da2c016d..b5a459e034 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -38,6 +38,10 @@ Require Import Crypto.Util.ZUtil.Tactics.RewriteModSmall. Require Import Crypto.Util.ZUtil.Tactics.PullPush.Modulo. Require Import Coq.ZArith.Znat. +Require Import Crypto.Util.CPSUtil. +Require Import Crypto.Util.CPSNotations. +Local Open Scope cps_scope. + Require Import Crypto.Util.Notations. Local Open Scope string_scope. Local Open Scope list_scope. 
@@ -97,41 +101,49 @@ Module solinas_reduction.
 let r := (fst lo_hi) ++ hi in r.
- (* n is input width *)
- Definition reduce1 base s c n m (p : list Z) :=
- let p_a := Positional.to_associational weight n p in
- let r_a := sat_reduce base s c n p_a in
- let r_rows := Saturated.Rows.from_associational weight m r_a in
- let r_flat := Saturated.Rows.flatten weight m r_rows in
- fst r_flat.
-
- Definition reduce_full base s c n (p : list Z) :=
- let bound := (0, 2^machine_wordsize - 1) in
- if (is_bounded_by (repeat bound (2*n)) p) then
- let r1 := reduce1 base s c (2*n) (S n) p in
- if (is_bounded_by (repeat bound n ++ [(0, up_bound-1)]) r1) then
- let r2 := reduce1 base s c (S n) (S n) r1 in
- let r3 := reduce1 base s c (S n) (n) r2 in
- r3
- else r1
- else
- (* reduce down to n limbs *)
- let p_a := Positional.to_associational weight n p in
- let r_a := sat_reduce base s c n p_a in
- let r_rows := Saturated.Rows.from_associational weight n r_a in
- let r_flat := Saturated.Rows.flatten weight n r_rows in
- add_to_nth 0 (weight (n) * snd r_flat) (fst r_flat).
-
- Definition reduce1' base s c n m (p : list Z) :=
+ Definition reduce1_cps base s c n m (p : list Z) {T} (f : list Z -> T) :=
 let p_a := Positional.to_associational weight n p in
 let r_a := sat_reduce base s c n p_a in
 let r_rows := Saturated.Rows.from_associational weight m r_a in
 let r_flat := Saturated.Rows.flatten weight m r_rows in
 let bound := (0, 2^machine_wordsize - 1) in
 if (is_bounded_by (repeat bound n) p) then
- fst r_flat
+ f (fst r_flat)
 else
- add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat).
+ f (add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)).
+ Check reduce1_cps.
+
+ Definition reduce_full_cps base s c n (p : list Z) : ~> list Z :=
+ (r1 <- @reduce1_cps base s c (2*n) (S n) p;
+ (let bound := (0, 2^machine_wordsize) in
+ if (is_bounded_by (repeat bound (S n)) r1) then
+ fun T => (r2 <- @reduce1_cps base s c (S n) (S n) r1;
+ reduce1_cps base s c (S n) n r2)
+ else
+ return r1)).
+ Check reduce_full_cps. + + Definition mul_no_reduce_cps base n (p q : list Z) {T} (f : list Z -> T):= + let p_a := Positional.to_associational weight n p in + let q_a := Positional.to_associational weight n q in + let pq_a := Saturated.Associational.sat_mul base p_a q_a in + let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in + let pq := Saturated.Rows.flatten weight (2*n) pq_rows in + let bound := (0, 2^machine_wordsize - 1) in + if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then + f (fst pq) + else + f (add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)). + Check mul_no_reduce_cps. + + Definition mulmod_cps base s c n (p q : list Z) : ~> list Z := + (mul <- @mul_no_reduce_cps base n p q; + @reduce_full_cps base s c n mul). + Check mulmod_cps. + + Definition mulmod base s c n (p q : list Z) := + mulmod_cps base s c n p q _ id. + Check mulmod. End __. @@ -170,25 +182,7 @@ Module solinas_reduction. Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. Let bound' := Some (repeat bound (n) ++ [Some r[0 ~> 1]%zrange]). - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (reduce1' base s c (2*n) (S n)) in - exact r) - (fun _ _ => []) - (Some (repeat bound (2*n)), tt) - (Some (repeat bound (S n))) - (None, tt) - (None) - : Pipeline.ErrorT _). - Time Compute + Fail Time Compute Show.show (Pipeline.BoundsPipelineToString "fiat" "mul" @@ -198,7 +192,7 @@ Module solinas_reduction. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (reduce_full base s c n) in + let r := Reify (mulmod base s c n) in exact r) (fun _ _ => []) (Some (repeat bound (2*n)), tt) 
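Review bot: reduce_full_cps tests `r1` against `let bound := (0, 2^machine_wordsize) in`, whereas reduce1_cps in the same hunk and mul_no_reduce_cps use `(0, 2^machine_wordsize - 1)`, and is_bounded_by (defined later in this patch with `<=?`) is inclusive, so the guard admits a limb equal to `2^machine_wordsize`, one more than a word holds. The removed reduce_full also checked the top limb against `(0, up_bound-1)` before running the second pass, and the CPS version replaces that with a full-word check on all `S n` limbs; if the later passes rely on the top limb being below `up_bound`, as the statement of reduce_first suggests, this guard no longer establishes it. I would write `let bound := (0, 2^machine_wordsize - 1) in` and keep `is_bounded_by (repeat bound n ++ [(0, up_bound-1)]) r1` as the condition. The dropped `(* n is input width *)` comment is also worth restoring on reduce1_cps as `(* n: input width in limbs, m: output width, f: continuation applied to the result *)`.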
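Review bot: The surviving synthesis call is now `Fail Time Compute`, which makes the file build only if `Pipeline.BoundsPipelineToString` on `mulmod base s c n` fails, and no comment says why that failure is expected; a checked-in deliberately failing command reads as a regression to the next person. At the `@@ -198` hunk the argument bounds `(Some (repeat bound (2*n)), tt)` are unchanged from the single-argument reduce_full, while mulmod takes two `n`-limb inputs `p q`, which is presumably the reason it fails. Either pass two-argument bounds, likely `(Some (repeat bound n), (Some (repeat bound n), tt))`, and drop `Fail`, or add `(* Fail: mulmod does not reify yet — TODO *)` above it.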
@@ -206,26 +200,6 @@ Module solinas_reduction. (None, tt) (None) : Pipeline.ErrorT _). -(* first reduction unnecessarily scales one of the limbs twice - fiatmulx_u64(&x1, &x2, UINT8_C(0x26), (arg1[6])); - fiatmulx_u64(&x3, &x4, UINT8_C(0x26), (arg1[5])); - fiatmulx_u64(&x5, &x6, UINT8_C(0x26), (arg1[4])); - x7 = (arg1[3]); - x8 = (arg1[2]); - x9 = (arg1[1]); - x10 = (arg1[0]); - fiataddcarryx_u64(&x11, &x12, 0x0, x9, x3); - fiataddcarryx_u64(&x13, &x14, x12, x8, x1); - fiatmulx_u64(&x15, &x16, UINT8_C(0x26), (arg1[7])); - fiataddcarryx_u64(&x17, &x18, x14, x7, x15); - fiatmulx_u64(&x19, &x20, UINT8_C(0x26), (arg1[7])); - x21 = (x18 + x20); - fiataddcarryx_u64(&x22, &x23, 0x0, x10, x5); - fiataddcarryx_u64(&x24, &x25, x23, x11, x6); - fiataddcarryx_u64(&x26, &x27, x25, x13, x4); - fiataddcarryx_u64(&x28, &x29, x27, x17, x2); - x30 = (x29 + x21); - *) End __. 
@@ -283,45 +257,38 @@ Module solinas_reduction. Hint Rewrite Rows.flatten_correct using (eauto using Rows.length_from_associational) : push_eval. Hint Rewrite eval_add_to_nth using auto : push_eval. - Hint Rewrite cons_length : push_length. - Hint Rewrite app_length : push_length. + Hint Rewrite @nil_length0 cons_length app_length seq_length map_length firstn_length @skipn_length length_partition length_add_to_nth : push_length. Hint Rewrite (@ListUtil.length_snoc) : push_length. - Hint Rewrite (@nil_length0) : push_length. - Hint Rewrite seq_length : push_length. - Hint Rewrite map_length : push_length. - Hint Rewrite firstn_length : push_length. - Hint Rewrite @skipn_length : push_length. Hint Rewrite Rows.length_flatten using (eauto using Rows.length_from_associational) : push_length. - Hint Rewrite length_partition : push_length. - Hint Rewrite length_add_to_nth : push_length. - Hint Rewrite map_app : push_misc. + Hint Rewrite map_cons map_app map_map in_map_iff : push_misc. Hint Rewrite (@combine_app_samelength) using (autorewrite with push_length; lia) : push_misc. - Hint Rewrite @combine_nil_r : push_misc. - Hint Rewrite fold_right_app : push_misc. - Hint Rewrite (@firstn_map) : push_misc. - Hint Rewrite firstn_seq : push_misc. - Hint Rewrite seq_add : push_misc. - Hint Rewrite map_map : push_misc. - Hint Rewrite <-seq_shift : push_misc. - Hint Rewrite in_map_iff : push_misc. - Hint Rewrite firstn_app : push_misc. - Hint Rewrite @skipn_app : push_misc. - Hint Rewrite @skipn_0 : push_misc. - Hint Rewrite (@fst_pair) : push_misc. - Hint Rewrite (@snd_pair) : push_misc. + Hint Rewrite @combine_nil_r @combine_cons : push_misc. + Hint Rewrite @fold_right_cons fold_right_app : push_misc. + Hint Rewrite <-seq_shift seq_add : push_misc. + Hint Rewrite @nth_default_cons_S : push_misc. + Hint Rewrite @firstn_map firstn_seq firstn_app : push_misc. + Hint Rewrite @skipn_app @skipn_0 : push_misc. + Hint Rewrite @fst_pair @snd_pair : push_misc. 
+ Hint Rewrite app_nil_r app_nil_l : push_misc. Hint Rewrite Nat.sub_diag : push_misc. - Hint Rewrite app_nil_r : push_misc. - Hint Rewrite app_nil_l : push_misc. Hint Resolve in_or_app : core. Hint Resolve in_eq : core. Hint Resolve in_cons : core. + Hint Unfold eval : unfold_eval. + Hint Unfold Associational.eval : unfold_eval. + Hint Unfold to_associational : unfold_eval. + Ltac push := autorewrite with push_eval push_length push_misc zsimplify_const; auto. + Ltac push' H := + autorewrite with push_eval push_length push_misc zsimplify_const in H; + auto. + Lemma seq_double : forall n, seq 0 (2 * n) = seq 0 n ++ seq n n. Proof. @@ -552,16 +519,18 @@ Module solinas_reduction. fold_right andb true (dual_map f ls1 ls2). Definition is_bounded_by bounds ls := fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. + Hint Unfold is_bounded_by : core. + Hint Unfold fold_andb_map' : core. + Hint Unfold dual_map : core. Lemma canonical_is_bounded_by : forall n p, - let bound := (0, 2 ^ machine_wordsize - 1) in canonical_repr n p <-> length p = n /\ - is_bounded_by (repeat bound n) p = true. + is_bounded_by (repeat (0, 2^machine_wordsize-1) n) p = true. Proof. intros. rewrite canonical_iff. - cbv [is_bounded_by fold_andb_map' dual_map bound]. + autounfold. split. intuition. generalize dependent n. @@ -599,8 +568,8 @@ Module solinas_reduction. Proof. intros. pose proof eval_weight_S as Heval. - cbv [is_bounded_by fold_andb_map' dual_map eval Associational.eval to_associational] in *; - generalize dependent n; induction p; intros; destruct n; + autounfold with * in *. + generalize dependent n; induction p; intros; destruct n; repeat multimatch goal with | H : context[fold_right _ _ _] |- _ => progress cbn in H | H : context[_ && _] |- _ => rewrite andb_true_iff in H 
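Review bot: `Hint Unfold is_bounded_by : core.`, `Hint Unfold fold_andb_map' : core.` and `Hint Unfold dual_map : core.` register these constants in the global `core` database, and the proofs at the `@@ -599` and `@@ -624` hunks replace an explicit `cbv [is_bounded_by fold_andb_map' dual_map eval Associational.eval to_associational] in *` with `autounfold with * in *`, which unfolds according to every hint database loaded at that point. Both make these proofs depend on hint state that other files or later `Hint Unfold` lines can change, and `core` hints also leak into every `auto` call in the module. The file already has its own `unfold_eval` database from the `@@ -283` hunk; registering the three constants there and using `autounfold with unfold_eval in *` keeps the unfolding set explicit.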
@@ -624,8 +593,8 @@ Module solinas_reduction. split. apply eval_is_bounded_by_pos; auto. pose proof eval_weight_S as Heval. - cbv [is_bounded_by fold_andb_map' dual_map eval Associational.eval to_associational] in *; - generalize dependent n; induction p; intros; destruct n; + autounfold with * in *. + generalize dependent n; induction p; intros; destruct n; repeat multimatch goal with | H : context[fold_right _ _ _] |- _ => progress cbn in H | H : context[_ && _] |- _ => rewrite andb_true_iff in H 
@@ -647,6 +616,79 @@ Module solinas_reduction.
 apply IHp; auto.
 weight_comp; unfold machine_wordsize; lia.
 Qed.
+ Hint Resolve eval_is_bounded_by : ibb.
+
+ Lemma is_bounded_by_cons1 : forall b bounds p' p,
+ is_bounded_by (b :: bounds) (p' :: p) = true ->
+ is_bounded_by bounds p = true.
+ Proof.
+ intros; autounfold in *; match goal with | H : _ |- _ => push' H end.
+ Qed.
+ Hint Resolve is_bounded_by_cons1 : ibb.
+
+ Lemma is_bounded_by_cons2 : forall b bounds p' p,
+ is_bounded_by (b :: bounds) (p' :: p) = true ->
+ fst b <= p' <= snd b.
+ Proof.
+ intros; autounfold in *; match goal with | H : _ |- _ => push' H end.
+ Qed.
+ Hint Resolve is_bounded_by_cons2 : ibb.
+
+ Lemma is_bounded_by_cons : forall b bounds p' p,
+ is_bounded_by (b :: bounds) (p' :: p) = true ->
+ is_bounded_by bounds p = true /\
+ fst b <= p' <= snd b.
+ Proof.
+ intros; autounfold in *; match goal with | H : _ |- _ => push' H end.
+ Qed.
+ Hint Resolve is_bounded_by_cons : ibb.
+
+ Lemma is_bounded_by_nth n : forall p bounds,
+ is_bounded_by bounds p = true ->
+ (n < length p)%nat ->
+ (n < length bounds)%nat ->
+ fst (nth_default (0,0) bounds n) <= nth_default 0 p n <= snd (nth_default (0,0) bounds n).
+ Proof.
+ intros.
+ generalize dependent n.
+ generalize dependent p.
+ induction bounds as [ | b bounds IHbounds ];
+ intros p ? n; destruct n; destruct p; intros;
+ repeat multimatch goal with
+ | H : _ |- _ => autorewrite with push_length in H
+ | _ => apply IHbounds
+ | _ => autorewrite with push_misc
+ | _ => cbn
+ | _ => eauto with ibb
+ | _ => lia
+ end.
+ Qed.
+ Hint Resolve is_bounded_by_nth : ibb.
+
+ Lemma is_bounded_by_app_l : forall bound1 bound2 l1 l2,
+ is_bounded_by (bound1 ++ bound2) (l1 ++ l2) = true ->
+ length bound1 = length l1 ->
+ is_bounded_by bound1 l1 = true.
+ Proof.
+ intros b1 b2 l1 l2 H H1.
+ generalize dependent b1.
+ generalize dependent b2.
+ generalize dependent l2.
+ induction l1 as [ | ? ? 
IHl1 ]; intros; destruct b1; + repeat multimatch goal with + | _ => autounfold in * + | _ => eapply IHl1 + | _ => rewrite Z.leb_le + | H : _ |- _ => rewrite <-!app_comm_cons in H; push' H + | H : _ |- _ => rewrite andb_true_iff in H + | _ => rewrite andb_true_iff + | _ => intuition + | _ => push + | _ => lia + | _ => eauto + end. + Qed. + Hint Resolve is_bounded_by_app_l : ibb. End canon. @@ -826,13 +868,16 @@ Module solinas_reduction. else add_to_nth 0 (weight (2 * n) * snd pq) (fst pq). - (* n is input width *) Definition reduce1 base s c n m (p : list Z) := let p_a := Positional.to_associational weight n p in let r_a := sat_reduce base s c n p_a in let r_rows := Saturated.Rows.from_associational weight m r_a in let r_flat := Saturated.Rows.flatten weight m r_rows in - fst r_flat. + let bound := (0, 2^machine_wordsize - 1) in + if (is_bounded_by (repeat bound n) p) then + fst r_flat + else + add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat). Definition reduce_full base s c n (p : list Z) := let r1 := reduce1 base s c (2*n) (S n) p in From d529bfcce7daf72d1478367c90e5c573cdb34b32 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Tue, 26 Jul 2022 02:17:25 -0400 Subject: [PATCH 32/69] refactored proofs of non CPS implementations --- src/SolinasReduction.v | 3142 ++++++++++++++++------------------------ 1 file changed, 1211 insertions(+), 1931 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index b5a459e034..3eaeda351f 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -101,7 +101,7 @@ Module solinas_reduction. let r := (fst lo_hi) ++ hi in r. - Definition reduce1_cps base s c n m (p : list Z) {T} (f : list Z -> T) := + Definition reduce1_cps base s c n m (p : list Z) {T} (f : list Z -> T) : T := let p_a := Positional.to_associational weight n p in let r_a := sat_reduce base s c n p_a in let r_rows := Saturated.Rows.from_associational weight m r_a in 
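Review bot: The comment `(* n is input width *)` is removed from reduce1 in the same hunk that gives it a second, undocumented branch; with `n` and `m` both bare naturals, a reader now has to infer from `repeat bound n` which one is the input width and what the `add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)` fallback is for. I would restore and extend it above the definition: `(* n: input width in limbs, m: output width. If p is not word-bounded the carry-out snd r_flat is folded back into limb 0 (scaled by weight m), so limb 0 of the result may exceed a machine word. *)`. The same definition was already duplicated as reduce1_cps in the first section of this patch, so the comment belongs on both.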
@@ -145,6 +145,12 @@ Module solinas_reduction. mulmod_cps base s c n p q _ id. Check mulmod. + Definition reduce1 base s c n m p := + reduce1_cps base s c n m p id. + + Definition x := ltac:(let y := (eval cbv [reduce1_cps] in reduce1) + in exact y). + End __. Section __. 
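Review bot: `Definition x := ltac:(let y := (eval cbv [reduce1_cps] in reduce1) in exact y).` looks like a debugging probe left in the section: `x` carries no meaning and, unlike `Eval` or `Check`, a `Definition` adds a constant to the module. The new `Definition reduce1 base s c n m p := reduce1_cps base s c n m p id.` also reintroduces the name reduce1 in the first `Section __`, while the previous patch still defines a non-CPS reduce1 later in the same module (its `@@ -826` hunk); unless this commit removes that one outside the visible hunks, the second definition will be rejected as already existing. If the unfolding needs to be inspected, `Eval cbv [reduce1_cps] in reduce1.` does it without leaving a constant behind.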
@@ -225,29 +231,51 @@ Module solinas_reduction. Ltac solve_ineq := repeat match goal with - | [ |- 0 <= _ + _ ] => apply OrdersEx.Z_as_OT.add_nonneg_nonneg - | _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg - | _ => apply OrdersEx.Z_as_OT.mul_pos_pos - | _ => apply OrdersEx.Z_as_OT.div_pos - | _ => apply OrdersEx.Z_as_OT.div_lt_upper_bound - | _ => apply Z.mod_small + | |- 0 <= _ + _ => apply OrdersEx.Z_as_OT.add_nonneg_nonneg + | |- 0 < _ * _ => apply OrdersEx.Z_as_OT.mul_pos_pos + | |- 0 <= _ * _ => apply OrdersEx.Z_as_OT.mul_nonneg_nonneg + | |- 0 <= _ / _ => apply OrdersEx.Z_as_OT.div_pos + | |- _ / _ < _ => apply OrdersEx.Z_as_OT.div_lt_upper_bound + + | |- _ + ?x < _ + ?x => apply OrdersEx.Z_as_OT.add_lt_mono_r + | |- _ + _ < _ => apply OrdersEx.Z_as_OT.add_lt_mono + | |- _ + _ <= _ => apply OrdersEx.Z_as_OT.add_le_mono | |- _ - ?x < _ - ?x => rewrite <-OrdersEx.Z_as_OT.sub_lt_mono_r | |- _ - ?x <= _ - ?x => rewrite <-OrdersEx.Z_as_OT.sub_le_mono_r + + | _ => apply Z.mod_small | |- _ mod (?x * ?y) < (?y * ?x) => rewrite Z.mul_comm with (n:=x) | _ => apply OrdersEx.Z_as_OT.mod_pos_bound - - | |- _ + ?x < _ + ?x => apply OrdersEx.Z_as_OT.add_lt_mono_r - | [ |- _ + _ < _ ] => apply OrdersEx.Z_as_OT.add_lt_mono - | [ |- _ + _ <= _ ] => apply OrdersEx.Z_as_OT.add_le_mono - - | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; auto | [ |- 0 <= _ mod _ ] => apply Z_mod_nonneg_nonneg + | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; auto + + | _ => split | _ => lia end. Ltac le_lt := (rewrite Le.Z.le_sub_1_iff || rewrite <-Le.Z.le_sub_1_iff). + Hint Rewrite Nat.add_0_l : const_simpl. + Hint Rewrite Nat.add_0_r : const_simpl. + Hint Rewrite Z.add_0_l : const_simpl. + Hint Rewrite Z.add_0_r : const_simpl. + Lemma S_sub_1 : forall (n : nat), + (n > 0)%nat -> + S (n - 1)%nat = n. + Proof. lia. Qed. + Hint Rewrite S_sub_1 using lia : const_simpl. + Lemma Sn_sub_n : forall (n : nat), + (S n - n)%nat = 1%nat. + Proof. lia. Qed. 
+ Hint Rewrite Sn_sub_n : const_simpl. + Lemma n2_sub : forall (n : nat), + (2 * n - n)%nat = n. + Proof. lia. Qed. + Hint Rewrite n2_sub : const_simpl. + Ltac const_simpl := + autorewrite with const_simpl in *. + Hint Rewrite eval_cons using auto : push_eval. Hint Rewrite Associational.eval_sat_mul using lia : push_eval. Hint Rewrite Associational.eval_sat_mul_const using lia : push_eval. @@ -261,11 +289,12 @@ Module solinas_reduction. Hint Rewrite (@ListUtil.length_snoc) : push_length. Hint Rewrite Rows.length_flatten using (eauto using Rows.length_from_associational) : push_length. - Hint Rewrite map_cons map_app map_map in_map_iff : push_misc. - Hint Rewrite (@combine_app_samelength) using (autorewrite with push_length; lia) : push_misc. + Hint Rewrite map_nil map_cons map_app map_map in_map_iff : push_misc. + Hint Rewrite @combine_app_samelength : push_misc. Hint Rewrite @combine_nil_r @combine_cons : push_misc. Hint Rewrite @fold_right_cons fold_right_app : push_misc. - Hint Rewrite <-seq_shift seq_add : push_misc. + Hint Rewrite seq_add : push_misc. + Hint Rewrite split_app : push_misc. Hint Rewrite @nth_default_cons_S : push_misc. Hint Rewrite @firstn_map firstn_seq firstn_app : push_misc. Hint Rewrite @skipn_app @skipn_0 : push_misc. 
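Review bot: The new catch-all `| _ => split` inside `repeat match goal` fires on any goal whose head is a single-constructor inductive, not only the conjunctions `0 <= _ < _` this tactic targets, so an equality or an `exists` goal can now be attacked by `split` before `lia` is tried. Restricting the arm to `| |- _ /\ _ => split` keeps the intended behaviour and avoids surprising side goals. The unconditional `| _ => apply Z.mod_small` arm, now placed above the `mod_pos_bound` arm, has the same catch-all shape and was presumably reordered deliberately; a one-line comment on why the arm order matters would help the next person editing this match.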
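Review bot: Dropping the `using (autorewrite with push_length; lia)` clause from `Hint Rewrite @combine_app_samelength : push_misc` means the lemma's premise (presumably a length equality, given the old discharge tactic) is no longer closed by autorewrite and is left as an extra goal wherever `push` fires the rule; the trailing runs of bare `push.` in the rewritten proofs later in this patch look like that side goal being cleaned up by hand. If the side condition cannot always be solved automatically, `using (try (autorewrite with push_length; lia))` keeps the hint applicable while still closing the common case. Either way the reason for removing the clause deserves a comment on the hint.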
@@ -296,401 +325,514 @@ Module solinas_reduction. Qed. Hint Rewrite seq_double : push_misc. - Section canon. + Lemma map_weight_seq : forall m p, + map weight (seq 0 p) = map (fun t => t / (weight m)) (map weight (seq m p)). + Proof. + induction m; intros; push. + erewrite map_ext. + eauto. + intros. + cbn. + rewrite Z.div_1_r. + lia. + + rewrite IHm. + rewrite <-seq_shift. + push. + apply map_ext_Forall. + rewrite Forall_forall. + intros. + rewrite in_seq in H. + weight_comp; try lia. + rewrite <-!OrdersEx.Z_as_OT.pow_add_r; try lia. + rewrite <-!OrdersEx.Z_as_OT.pow_sub_r; try lia. + f_equal. + lia. + Qed. + Hint Rewrite <-map_weight_seq : push_misc. + + Lemma seq_shift_1 : forall len, + map S (seq 0 len) = seq 1 len. + Proof. + intros. + apply seq_shift. + Qed. + Hint Rewrite <-seq_shift_1 : push_misc. + + (* SECTION CANONICAL_REPR *) + + Definition canonical_repr n (p : list Z) : Prop := + length p = n /\ + p = Partition.partition weight n (Positional.eval weight n p). + + Lemma canonical_pos n : forall (p : list Z), + canonical_repr n p -> + 0 <= eval weight n p. + Proof using wprops. + intros; + repeat match goal with + | H : canonical_repr _ _ |- _ => + unfold canonical_repr in H; + destruct H as [ _ H ]; + rewrite H; + rewrite Partition.eval_partition + | _ => apply Z.mod_pos_bound + | _ => auto + end. + Qed. + + Lemma canonical_bounded n : forall (p : list Z), + canonical_repr n p -> + forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. + Proof using wprops. 
+ intros; + repeat multimatch goal with + | H : canonical_repr ?n ?p |- _ => + pose proof (canonical_pos n p H); + cbv [canonical_repr Partition.partition] in H; + destruct H as [ Hlen Hpart ] + | H1 : In _ ?p, H2 : ?p = _ |- _ => + rewrite H2 in H1; + autorewrite with push_misc in H1 + | H : context[exists _, _] |- _ => destruct H + | H : _ = ?x |- 0 <= ?x => rewrite <-H + | H : _ = ?x |- ?x < _ => rewrite <-H + | _ => unfold weight; rewrite uweight_S; fold weight + | _ => solve_ineq + | _ => progress intuition + | _ => auto || lia + end. + Qed. - Definition canonical_repr n (p : list Z) : Prop := + Lemma canonical_iff p n : + canonical_repr n p <-> length p = n /\ - p = Partition.partition weight n (Positional.eval weight n p). - - Lemma canonical_pos n : forall (p : list Z), - canonical_repr n p -> - 0 <= eval weight n p. - Proof using wprops. - intros; - repeat match goal with - | H : canonical_repr _ _ |- _ => - unfold canonical_repr in H; - destruct H as [ _ H ]; - rewrite H; - rewrite Partition.eval_partition - | _ => apply Z.mod_pos_bound - | _ => auto - end. - Qed. - - Lemma canonical_bounded n : forall (p : list Z), - canonical_repr n p -> forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. - Proof using wprops. - intros; - repeat multimatch goal with - | H : canonical_repr ?n ?p |- _ => - pose proof (canonical_pos n p H); - cbv [canonical_repr Partition.partition] in H; - destruct H as [ Hlen Hpart ] - | H1 : In _ ?p, H2 : ?p = _ |- _ => - rewrite H2 in H1; - autorewrite with push_misc in H1 - | H : context[exists _, _] |- _ => destruct H - | H : _ = ?x |- 0 <= ?x => rewrite <-H - | H : _ = ?x |- ?x < _ => rewrite <-H - | _ => unfold weight; rewrite uweight_S; fold weight - | _ => solve_ineq - | _ => progress intuition - | _ => auto || lia - end. - Qed. - - Lemma canonical_iff p n : - canonical_repr n p <-> - length p = n /\ - forall x, In x p -> 0 <= x < 2 ^ machine_wordsize. - Proof using wprops. 
- split; intros; - repeat multimatch goal with - | H : length _ = _ |- _ => rewrite H - | |- length _ = _ => unfold canonical_repr in * - | |- _ = Partition.partition _ _ _ => unfold canonical_repr in * - | |- canonical_repr _ _ => unfold canonical_repr - | _ => eapply canonical_bounded - | _ => progress intuition - | _ => eauto || lia - end. - apply uweight_partition_unique. - lia. - lia. - intros. - rewrite Le.Z.le_sub_1_iff. - auto. - Qed. - - Lemma canonical_cons n a p: - canonical_repr (S n) (a :: p) -> - canonical_repr n p. - Proof. - intros. - rewrite canonical_iff in *. - intuition; - repeat multimatch goal with - | H : context[_ <= _ < _] |- _ => apply H - | _ => cbn - | _ => auto - end. - Qed. - - Lemma canonical_app_l n n1 n2 l l1 l2 : - canonical_repr n l -> - length l1 = n1 -> - length l2 = n2 -> - n = (n1 + n2)%nat -> - l = l1 ++ l2 -> - canonical_repr n1 l1. - Proof. - intros. - rewrite canonical_iff in *; intuition; - repeat multimatch goal with - | H : context[_ <= _ < _] |- _ => apply H - | H : ?x = _ ++ _ |- In _ ?x => rewrite H - | _ => cbn - | _ => auto - end. - Qed. - - Lemma canonical_app_r n n1 n2 l l1 l2 : - canonical_repr n l -> - length l1 = n1 -> - length l2 = n2 -> - n = (n1 + n2)%nat -> - l = l1 ++ l2 -> - canonical_repr n2 l2. - Proof. - intros. - rewrite canonical_iff in *; intuition; - repeat multimatch goal with - | H : context[_ <= _ < _] |- _ => apply H - | H : ?x = _ ++ _ |- In _ ?x => rewrite H - | _ => cbn - | _ => auto - end. - Qed. - - Lemma fold_right_add : forall l x, - fold_right Z.add x l = x + fold_right Z.add 0 l. - Proof. - intros l x. - induction l as [ | l' IHl ]; cbn; try rewrite IHl; lia. - Qed. - - Definition eval_weight_P p := - forall n, - eval (fun i : nat => weight (S i)) (n) p = - (eval weight (n) p) * weight 1. - - Lemma eval_weight_S' : forall p, - eval_weight_P p. - Proof. - apply (ListAux.list_length_induction Z). - unfold eval_weight_P. - intros l1 H n. - pose proof (@break_list_last Z l1). 
- cbv [eval_weight_P eval Associational.eval to_associational] in *. - intuition; - repeat multimatch goal with - | H : context[exists _, _] |- _ => destruct H - | _ => autorewrite with push_eval push_misc - | _ => progress subst - | _ => lia || auto - end. - - destruct (n <=? length x)%nat eqn:E. - rewrite Nat.leb_le in E. - rewrite combine_truncate_r. - rewrite combine_truncate_r with (xs:=map weight (seq 0 (n))). - push. - apply H. - push. - rewrite Nat.min_l; lia. - - rewrite Nat.leb_gt in E. - rewrite combine_truncate_l. - rewrite combine_truncate_l with (xs:=map weight (seq 0 n)). - autorewrite with push_length push_misc. - rewrite Nat.min_l; [|lia]. - rewrite seq_snoc. - autorewrite with push_misc. - cbn. - rewrite fold_right_add. - rewrite fold_right_add with (x:=weight (Datatypes.length x) * x0 + 0). - rewrite H. - ring_simplify. - unfold weight, machine_wordsize. - rewrite uweight_S; [|lia]. - cbn; break_match; lia. - push. - Qed. - - Lemma eval_weight_S p n: - eval (fun i : nat => weight (S i)) n p = - (eval weight n p) * weight 1. - Proof. - pose proof eval_weight_S'. - unfold eval_weight_P in *. - auto. - Qed. - Hint Rewrite eval_weight_S : push_eval. - - Lemma canonical_eval_bounded n : forall (p : list Z), - canonical_repr n p -> - eval weight n p < weight n. - Proof. - intros p. - generalize dependent n. - induction p; intros; destruct n; - repeat multimatch goal with - | H : canonical_repr _ (_ :: _) |- _ => - let H' := fresh "H" in - assert (H' := H); - pose proof (canonical_bounded _ _ H'); - unfold canonical_repr in H'; - apply canonical_cons in H - | H : context[length _] |- _ => autorewrite with push_length in H; rewrite <-H - | _ => push - | _ => intuition - | _ => ring_simplify - | _ => auto || lia - end. - cbn; lia. - le_lt. - etransitivity. - solve_ineq. - le_lt. - apply H1; auto. - rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r; auto. - le_lt; auto. - ring_simplify. - solve_ineq. - rewrite H2. - weight_comp; lia. - Qed. 
+ Proof using wprops. + split; intros; + repeat multimatch goal with + | H : length _ = _ |- _ => rewrite H + | |- length _ = _ => unfold canonical_repr in * + | |- _ = Partition.partition _ _ _ => unfold canonical_repr in * + | |- canonical_repr _ _ => unfold canonical_repr + | _ => eapply canonical_bounded + | _ => progress intuition + | _ => eauto || lia + end. + apply uweight_partition_unique. + lia. + lia. + intros. + rewrite Le.Z.le_sub_1_iff. + auto. + Qed. - Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := - map (fun x => (f (fst x) (snd x))) (combine l1 l2). - Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := - fold_right andb true (dual_map f ls1 ls2). - Definition is_bounded_by bounds ls := - fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. - Hint Unfold is_bounded_by : core. - Hint Unfold fold_andb_map' : core. - Hint Unfold dual_map : core. + Lemma canonical_cons n a p: + canonical_repr (S n) (a :: p) -> + canonical_repr n p. + Proof. + intros. + rewrite canonical_iff in *. + intuition; + repeat multimatch goal with + | H : context[_ <= _ < _] |- _ => apply H + | _ => cbn + | _ => auto + end. + Qed. + + Lemma canonical_app_l n n1 n2 l l1 l2 : + canonical_repr n l -> + length l1 = n1 -> + length l2 = n2 -> + n = (n1 + n2)%nat -> + l = l1 ++ l2 -> + canonical_repr n1 l1. + Proof. + intros. + rewrite canonical_iff in *; intuition; + repeat multimatch goal with + | H : context[_ <= _ < _] |- _ => apply H + | H : ?x = _ ++ _ |- In _ ?x => rewrite H + | _ => cbn + | _ => auto + end. + Qed. + + Lemma canonical_app_r n n1 n2 l l1 l2 : + canonical_repr n l -> + length l1 = n1 -> + length l2 = n2 -> + n = (n1 + n2)%nat -> + l = l1 ++ l2 -> + canonical_repr n2 l2. + Proof. + intros. 
+ rewrite canonical_iff in *; intuition; + repeat multimatch goal with + | H : context[_ <= _ < _] |- _ => apply H + | H : ?x = _ ++ _ |- In _ ?x => rewrite H + | _ => cbn + | _ => auto + end. + Qed. - Lemma canonical_is_bounded_by : forall n p, + Lemma fold_right_add : forall l x, + fold_right Z.add x l = x + fold_right Z.add 0 l. + Proof. + intros l x. + induction l as [ | l' IHl ]; cbn; try rewrite IHl; lia. + Qed. + + Definition eval_weight_P p := forall a b, + Associational.eval (combine (map (fun x0 : nat => weight (S x0)) (seq a b)) p) = + weight 1 * Associational.eval (combine (map weight (seq a b)) p). + + Lemma eval_weight_S' : forall p, + eval_weight_P p. + Proof. + apply (ListAux.list_length_induction Z). + unfold eval_weight_P. + intros l1 H n. + pose proof (@break_list_last Z l1). + cbv [eval_weight_P eval Associational.eval to_associational] in *. + intuition; + repeat multimatch goal with + | H : context[exists _, _] |- _ => destruct H + | _ => autorewrite with push_eval push_misc + | _ => progress subst + | _ => lia || auto + end. + + destruct (b <=? length x)%nat eqn:E. + rewrite Nat.leb_le in E. + rewrite combine_truncate_r. + rewrite combine_truncate_r with (xs:=map weight (seq n b)). + push. + apply H. + push. + rewrite Nat.min_l; lia. + + rewrite Nat.leb_gt in E. + rewrite combine_truncate_l. + rewrite combine_truncate_l with (xs:=map weight (seq n b)). + autorewrite with push_length push_misc. + rewrite Nat.min_l; [|lia]. + rewrite seq_snoc. + autorewrite with push_misc. + push. + rewrite fold_right_add. + rewrite fold_right_add with (x:=weight (n + Datatypes.length x) * x0). + rewrite H. + ring_simplify. + unfold weight, machine_wordsize. + rewrite uweight_S; [|lia]. + cbn; break_match; lia. + push. + push. + push. + Qed. + + Lemma eval_weight_S p n: + eval (fun i : nat => weight (S i)) n p = + (eval weight n p) * weight 1. + Proof. + cbv [eval to_associational]. + rewrite eval_weight_S'. + lia. + Qed. 
+ Hint Rewrite eval_weight_S : push_eval. + + Lemma eval_weight_S_gen p a b : + Associational.eval (combine (map (fun x0 : nat => weight (S x0)) (seq a b)) p) = + weight 1 * Associational.eval (combine (map weight (seq a b)) p). + Proof. + apply eval_weight_S'. + Qed. + Hint Rewrite eval_weight_S_gen : push_eval. + + Lemma canonical_eval_bounded n : forall (p : list Z), + canonical_repr n p -> + eval weight n p < weight n. + Proof. + intros p. + generalize dependent n. + induction p; intros; destruct n; + repeat multimatch goal with + | H : canonical_repr _ (_ :: _) |- _ => + let H' := fresh "H" in + assert (H' := H); + pose proof (canonical_bounded _ _ H'); + unfold canonical_repr in H'; + apply canonical_cons in H + | H : context[length _] |- _ => autorewrite with push_length in H; rewrite <-H + | _ => push + | _ => intuition + | _ => ring_simplify + | _ => auto || lia + end. + cbn; lia. + le_lt. + etransitivity. + solve_ineq. + le_lt. + apply H1; auto. + rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r; auto. + le_lt; auto. + ring_simplify. + solve_ineq. + rewrite H2. + weight_comp; lia. + Qed. + + Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := + map (fun x => (f (fst x) (snd x))) (combine l1 l2). + Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := + fold_right andb true (dual_map f ls1 ls2). + Definition is_bounded_by bounds ls := + fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. + Hint Unfold is_bounded_by : core. + Hint Unfold fold_andb_map' : core. + Hint Unfold dual_map : core. + + Lemma canonical_is_bounded_by : forall n p, canonical_repr n p <-> length p = n /\ - is_bounded_by (repeat (0, 2^machine_wordsize-1) n) p = true. - Proof. - intros. - rewrite canonical_iff. - autounfold. - split. - intuition. - generalize dependent n. 
- induction p; intros; - repeat multimatch goal with - | H : length _ = ?x |- _ => progress cbn in H; subst x - | _ => apply andb_true_intro - | _ => rewrite Z.leb_le - | _ => rewrite Le.Z.le_sub_1_iff - | _ => apply H1 - | _ => eapply IHp - | _ => progress cbn || intuition - | _ => progress intuition - | _ => reflexivity || lia || auto - | [ |- _ <= 18446744073709551615] => replace 18446744073709551615 with (18446744073709551616 - 1) by lia - end. - split. - intuition. - generalize dependent n. - induction p; intros; - repeat multimatch goal with - | H : length _ = ?x |- _ => cbn in H; rewrite <-H in * - | H : In _ _ |- _ => cbn in H - | H : context[S _] |- _ => cbn in H - | H : context[_ && _] |- _ => rewrite andb_true_iff in H - | _ => progress cbn || intuition - | _ => lia - | _ => eapply IHp - end. - Qed. - - Lemma eval_is_bounded_by_pos n : forall p, - is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> - 0 <= eval weight n p. - Proof. - intros. - pose proof eval_weight_S as Heval. - autounfold with * in *. - generalize dependent n; induction p; intros; destruct n; - repeat multimatch goal with - | H : context[fold_right _ _ _] |- _ => progress cbn in H - | H : context[_ && _] |- _ => rewrite andb_true_iff in H - | H : context[_ <=? _] |- _ => rewrite Z.leb_le in H - | _ => solve_ineq - | _ => autorewrite with push_misc - | _ => autorewrite with push_eval - | _ => rewrite combine_nil, map_nil, fold_right_nil - | _ => rewrite Heval - | _ => progress cbn || intuition - | _ => break_match - | _ => lia || auto || reflexivity || discriminate - end. - Qed. - - Lemma eval_is_bounded_by n : forall p, - is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> - 0 <= eval weight n p < weight n. - Proof. - intros. - split. - apply eval_is_bounded_by_pos; auto. - pose proof eval_weight_S as Heval. - autounfold with * in *. 
- generalize dependent n; induction p; intros; destruct n; - repeat multimatch goal with - | H : context[fold_right _ _ _] |- _ => progress cbn in H - | H : context[_ && _] |- _ => rewrite andb_true_iff in H - | H : context[_ <=? _] |- _ => rewrite Z.leb_le in H - | _ => solve_ineq - | _ => autorewrite with push_misc - | _ => autorewrite with push_eval - | _ => rewrite combine_nil, map_nil, fold_right_nil - | _ => rewrite Heval - | _ => progress cbn || intuition - | _ => lia || auto || reflexivity || discriminate - end. - le_lt. - etransitivity. - solve_ineq. - break_match; eauto. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r; try lia. - le_lt. - apply IHp; auto. - weight_comp; unfold machine_wordsize; lia. - Qed. - Hint Resolve eval_is_bounded_by : ibb. - - Lemma is_bounded_by_cons1 : forall b bounds p' p, - is_bounded_by (b :: bounds) (p' :: p) = true -> - is_bounded_by bounds p = true. - Proof. - intros; autounfold in *; match goal with | H : _ |- _ => push' H end. - Qed. - Hint Resolve is_bounded_by_cons1 : ibb. - - Lemma is_bounded_by_cons2 : forall b bounds p' p, - is_bounded_by (b :: bounds) (p' :: p) = true -> + is_bounded_by (repeat (0, 2^machine_wordsize-1) n) p = true. + Proof. + intros. + rewrite canonical_iff. + autounfold. + split. + intuition. + generalize dependent n. + induction p; intros; + repeat multimatch goal with + | H : length _ = ?x |- _ => progress cbn in H; subst x + | _ => apply andb_true_intro + | _ => rewrite Z.leb_le + | _ => rewrite Le.Z.le_sub_1_iff + | _ => apply H1 + | _ => eapply IHp + | _ => progress cbn || intuition + | _ => progress intuition + | _ => reflexivity || lia || auto + | [ |- _ <= 18446744073709551615] => replace 18446744073709551615 with (18446744073709551616 - 1) by lia + end. + split. + intuition. + generalize dependent n. 
+ induction p; intros; + repeat multimatch goal with + | H : length _ = ?x |- _ => cbn in H; rewrite <-H in * + | H : In _ _ |- _ => cbn in H + | H : context[S _] |- _ => cbn in H + | H : context[_ && _] |- _ => rewrite andb_true_iff in H + | _ => progress cbn || intuition + | _ => lia + | _ => eapply IHp + end. + Qed. + + Lemma eval_is_bounded_by_pos n : forall p, + is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> + 0 <= eval weight n p. + Proof using Type. + intros. + pose proof eval_weight_S as Heval. + autounfold with * in *. + generalize dependent n; induction p; intros; destruct n; + repeat multimatch goal with + | H : context[fold_right _ _ _] |- _ => cbn in H + | _ => solve_ineq + | _ => rewrite Heval + | _ => push + | _ => cbn + | _ => intuition + | _ => break_match + | _ => lia + end. + Qed. + + Lemma eval_is_bounded_by n : forall p, + is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> + 0 <= eval weight n p < weight n. + Proof. + intros. + split. + apply eval_is_bounded_by_pos; auto. + pose proof eval_weight_S as Heval. + autounfold with * in *. + generalize dependent n; induction p; intros; destruct n; + repeat multimatch goal with + | H : context[fold_right _ _ _] |- _ => progress cbn in H + | H : context[_ && _] |- _ => rewrite andb_true_iff in H + | H : context[_ <=? _] |- _ => rewrite Z.leb_le in H + | _ => solve_ineq + | _ => push + | _ => rewrite Heval + | _ => progress cbn || intuition + | _ => lia || auto || reflexivity || discriminate + end. + le_lt. + etransitivity. + solve_ineq. + break_match; eauto. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r; try lia. + le_lt. + apply IHp; auto. + weight_comp; unfold machine_wordsize; lia. + Qed. + Hint Resolve eval_is_bounded_by : ibb. + + Lemma is_bounded_by_cons1 : forall b bounds p' p, + is_bounded_by (b :: bounds) (p' :: p) = true -> + is_bounded_by bounds p = true. + Proof. + intros; autounfold in *; match goal with | H : _ |- _ => push' H end. + Qed. 
+ Hint Resolve is_bounded_by_cons1 : ibb. + + Lemma is_bounded_by_cons2 : forall b bounds p' p, + is_bounded_by (b :: bounds) (p' :: p) = true -> + fst b <= p' <= snd b. + Proof. + intros; autounfold in *; match goal with | H : _ |- _ => push' H end. + Qed. + Hint Resolve is_bounded_by_cons2 : ibb. + + Lemma is_bounded_by_cons : forall b bounds p' p, + is_bounded_by (b :: bounds) (p' :: p) = true -> + is_bounded_by bounds p = true /\ fst b <= p' <= snd b. - Proof. - intros; autounfold in *; match goal with | H : _ |- _ => push' H end. - Qed. - Hint Resolve is_bounded_by_cons2 : ibb. - - Lemma is_bounded_by_cons : forall b bounds p' p, - is_bounded_by (b :: bounds) (p' :: p) = true -> - is_bounded_by bounds p = true /\ - fst b <= p' <= snd b. - Proof. - intros; autounfold in *; match goal with | H : _ |- _ => push' H end. - Qed. - Hint Resolve is_bounded_by_cons : ibb. - - Lemma is_bounded_by_nth n : forall p bounds, - is_bounded_by bounds p = true -> - (n < length p)%nat -> - (n < length bounds)%nat -> - fst (nth_default (0,0) bounds n) <= nth_default 0 p n <= snd (nth_default (0,0) bounds n). - Proof. - intros. - generalize dependent n. - generalize dependent p. - induction bounds as [ | b bounds IHbounds ]; - intros p ? n; destruct n; destruct p; intros; - repeat multimatch goal with - | H : _ |- _ => autorewrite with push_length in H - | _ => apply IHbounds - | _ => autorewrite with push_misc - | _ => cbn - | _ => eauto with ibb - | _ => lia - end. - Qed. - Hint Resolve is_bounded_by_nth : ibb. - - Lemma is_bounded_by_app_l : forall bound1 bound2 l1 l2, - is_bounded_by (bound1 ++ bound2) (l1 ++ l2) = true -> - length bound1 = length l1 -> - is_bounded_by bound1 l1 = true. - Proof. - intros b1 b2 l1 l2 H H1. - generalize dependent b1. - generalize dependent b2. - generalize dependent l2. - induction l1 as [ | ? ? 
IHl1 ]; intros; destruct b1; - repeat multimatch goal with - | _ => autounfold in * - | _ => eapply IHl1 - | _ => rewrite Z.leb_le - | H : _ |- _ => rewrite <-!app_comm_cons in H; push' H - | H : _ |- _ => rewrite andb_true_iff in H - | _ => rewrite andb_true_iff - | _ => intuition - | _ => push - | _ => lia - | _ => eauto - end. - Qed. - Hint Resolve is_bounded_by_app_l : ibb. - - End canon. + Proof. + intros; autounfold in *; match goal with | H : _ |- _ => push' H end. + Qed. + Hint Resolve is_bounded_by_cons : ibb. + + Lemma is_bounded_by_nth n : forall p bounds, + is_bounded_by bounds p = true -> + (n < length p)%nat -> + (n < length bounds)%nat -> + fst (nth_default (0,0) bounds n) <= nth_default 0 p n <= snd (nth_default (0,0) bounds n). + Proof. + intros. + generalize dependent n. + generalize dependent p. + induction bounds as [ | b bounds IHbounds ]; + intros p ? n; destruct n; destruct p; intros; + repeat multimatch goal with + | H : _ |- _ => autorewrite with push_length in H + | _ => apply IHbounds + | _ => autorewrite with push_misc + | _ => cbn + | _ => eauto with ibb + | _ => lia + end. + Qed. + Hint Resolve is_bounded_by_nth : ibb. + + Lemma is_bounded_by_app_l : forall bound1 bound2 l1 l2, + is_bounded_by (bound1 ++ bound2) (l1 ++ l2) = true -> + length bound1 = length l1 -> + is_bounded_by bound1 l1 = true. + Proof. + intros b1 b2 l1 l2 H H1. + generalize dependent b1. + generalize dependent b2. + generalize dependent l2. + induction l1 as [ | ? ? IHl1 ]; intros; destruct b1; + repeat multimatch goal with + | _ => autounfold in * + | _ => eapply IHl1 + | _ => rewrite Z.leb_le + | H : _ |- _ => rewrite <-!app_comm_cons in H; push' H + | H : _ |- _ => rewrite andb_true_iff in H + | _ => rewrite andb_true_iff + | _ => intuition + | _ => push + | _ => lia + | _ => eauto + end. + Qed. + Hint Resolve is_bounded_by_app_l : ibb. + + Lemma fold_right_andb_default : forall d l, + fold_right andb d l = true -> d = true. + Proof. 
+ intros; induction l; + repeat multimatch goal with + | H : context[fold_right _ _ _] |- _ => push' H + end. + Qed. + Hint Resolve fold_right_andb_default : core. + + Lemma is_bounded_by_app_r : forall bound1 bound2 l1 l2, + is_bounded_by (bound1 ++ bound2) (l1 ++ l2) = true -> + length bound1 = length l1 -> + is_bounded_by bound2 l2 = true. + Proof. + intros b1 b2 l1 l2 H H1. + generalize dependent b1. + generalize dependent b2. + generalize dependent l2. + induction l1 as [ | ? ? IHl1 ]; + intros l2 b2 b1; [ | specialize (IHl1 l2 b2 b1)]; destruct b1; + repeat multimatch goal with + | _ => autounfold in * + | _ => rewrite Z.leb_le + | H : context[length _] |- _ => autorewrite with push_length in H + | H : context[(_ :: _) ++ _] |- _ => rewrite <-!app_comm_cons in H; push' H + | H : _ |- _ => rewrite andb_true_iff in H + | _ => rewrite andb_true_iff + | _ => intuition + | _ => eauto + | _ => discriminate + end. + Qed. + + Lemma is_bounded_by_loosen : forall l bound1 bound2, + length bound1 = length bound2 -> + is_bounded_by bound1 l = true -> + fold_andb_map' (fun x y => (fst y <=? fst x) && (snd x <=? snd y)) bound1 bound2 = true -> + is_bounded_by bound2 l = true. + Proof. + intros. + generalize dependent bound1. + generalize dependent bound2. + autounfold. + induction l as [ | ? ? IHl]; intros; destruct bound1; destruct bound2; + repeat match goal with + | H : context[length _] |- _ => progress autorewrite with push_length in H + | H : context[_ :: _] |- _ => progress autorewrite with push_misc in H + | _ => apply IHl + | _ => rewrite Z.leb_le + | H : _ |- _ => rewrite Z.leb_le in H + | _ => rewrite andb_true_iff + | H : _ |- _ => rewrite andb_true_iff in H + | _ => progress intuition + | _ => progress push + | _ => lia + | _ => eauto + end. + Qed. + + Lemma bounds_same : forall b, + fold_andb_map' (fun x y => (fst y <=? fst x) && (snd x <=? snd y)) b b = true. + Proof. + intros. + autounfold. 
+ induction b; + repeat match goal with + | _ => progress push + | _ => rewrite andb_true_iff + | _ => rewrite Z.leb_le + | _ => progress intuition + | _ => lia + end. + Qed. + + (* END SECTION CANONICAL_REPR *) Ltac solve_length q := try match goal with @@ -837,11 +979,11 @@ Module solinas_reduction. induction 1; intros; apply adjust_s_finished'; auto. Qed. - Lemma eval_sat_reduce base s c n p : + Lemma eval_sat_reduce base s c fuel p : base <> 0 -> s - Associational.eval c <> 0 -> s <> 0 - -> Associational.eval (sat_reduce base s c n p) mod (s - Associational.eval c) + -> Associational.eval (sat_reduce base s c fuel p) mod (s - Associational.eval c) = Associational.eval p mod (s - Associational.eval c). Proof using wprops. intros; cbv [sat_reduce]. @@ -887,7 +1029,7 @@ Module solinas_reduction. let r2 := reduce1 base s c (S n) (S n) r1 in let r3 := reduce1 base s c (S n) (n) r2 in r3 - else r1. + else add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1). Definition mulmod base s c n (p q : list Z) := let prod := mul_no_reduce base n p q in 
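Review bot: `canonical_is_bounded_by` keeps the arm `| [ |- _ <= 18446744073709551615] => replace 18446744073709551615 with (18446744073709551616 - 1) by lia`, which bakes `machine_wordsize = 64` into the proof while every statement around it is written against `2 ^ machine_wordsize - 1`; matching the symbolic form instead, or deferring the unfolding of `machine_wordsize`, keeps the proof portable if the word size changes. Several of the moved proofs also depend on names that are introduced implicitly rather than by `intros`/`destruct ... as` patterns (`b`, `x`, `x0` in `eval_weight_S'`, `H` after `rewrite Forall_forall` in `map_weight_seq`, `H1`/`H2` in `canonical_eval_bounded`), which is fragile under any change to the statements. Since the hunk replaces `Section canon` with `(* SECTION CANONICAL_REPR *)` markers, the `Hint Resolve ... : ibb` and `Hint Rewrite ... : push_misc` declarations now live in the enclosing section; if that was done so the hints survive past the former `End canon`, a short comment at the marker saying so would stop the next reader from reintroducing the section.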
@@ -899,93 +1041,66 @@ Module solinas_reduction. Lemma split_lt w l1 l2: (forall x, In x l1 -> 0 < x < w) -> - length l1 = length l2 -> split w (combine l1 l2) = (combine l1 l2, []). Proof. - intros. + intros H. generalize dependent l2. - induction l1; intros; destruct l2; + induction l1; intros; destruct l2; push; + match goal with + | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by auto + end; + specialize (IHl1 ltac:(auto)); + specialize (H a ltac:(auto)); repeat multimatch goal with + | |- context[_ mod _] => rewrite Z.mod_small + | _ => rewrite IHl1 | _ => push | _ => cbn + | _ => lia | _ => auto + | _ => break_match end. - - match goal with - | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by eauto - end. - rewrite split_app. - pose proof (H a ltac:(auto)). - rewrite IHl1. - cbn. - replace (a mod w) with a. - destruct (a =? 0) eqn:E. - lia. - reflexivity. - rewrite Z.mod_small; lia. - auto. - auto. Qed. Lemma split_gt w l1 l2: (forall x, In x l1 -> x mod w = 0) -> - length l1 = length l2 -> split w (combine l1 l2) = ([], combine (map (fun t => t / w) l1) l2). Proof. intros. generalize dependent l2. - induction l1; intros. - reflexivity. - simpl. - break_match. - auto. - match goal with - | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by eauto - end. - rewrite split_app. - rewrite IHl1. - cbn [fst snd]. - simpl. - break_match; cbn. - reflexivity. - rewrite Z.eqb_neq in Heqb. - rewrite H in Heqb. - lia. - simpl. - auto. - intros. - apply H. - simpl. - auto. - simpl in H0. - lia. + induction l1; intros; destruct l2; push; + match goal with + | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by eauto + end; + specialize (IHl1 ltac:(auto)); + specialize (H _ ltac:(auto)); + repeat multimatch goal with + | _ => rewrite IHl1 + | _ => push + | _ => cbn + | _ => lia + | _ => auto + | _ => break_match + end. Qed. Lemma weight_mono' x : weight x < weight (S x). Proof. - intros. 
- unfold weight, uweight, ModOps.weight, machine_wordsize. - rewrite !Z.div_1_r. - rewrite !Z.opp_involutive. - rewrite Nat2Z.inj_succ. - rewrite OrdersEx.Z_as_OT.mul_succ_r. - rewrite OrdersEx.Z_as_OT.pow_add_r. - lia. - lia. - lia. + weight_comp; lia. Qed. Lemma weight_mono'' x1 x2 : (x2 > 0)%nat -> weight x1 < weight (x2 + x1). Proof. - intros. - induction H. - { apply weight_mono'. } - { etransitivity. - apply IHle. - apply weight_mono'. } + intros H. + induction H; + repeat match goal with + | _ => apply IHle + | _ => apply weight_mono' + | _ => etransitivity + end. Qed. Lemma weight_mono x1 x2 : @@ -993,10 +1108,8 @@ Module solinas_reduction. weight x1 < weight x2. Proof. intros. - replace x2%nat with ((x2 - x1) + x1)%nat. - apply weight_mono''. - lia. - lia. + replace x2%nat with ((x2 - x1) + x1)%nat by lia. + apply weight_mono''; lia. Qed. Lemma weight_mono_le x1 x2 : 
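Review bot: In `split_lt` the line `specialize (H a ltac:(auto))` relies on the name `a` that `induction l1` assigns implicitly, while `split_gt` directly below writes the same step as `specialize (H _ ltac:(auto))`; `induction l1 as [ | a l1 IHl1 ]` (or the `_` form in both) makes the two proofs robust to the same kind of change and consistent with each other. Both proofs chain the whole case analysis behind `;`, so if `push` stops closing the nil case the `match goal` that rewrites `x :: y` as `[x] ++ y` fails with an unhelpful error; bullets or `[ | ... ]` per constructor would localise the failure. Dropping the `length l1 = length l2` hypothesis from both lemmas is a genuine generalisation; a one-line comment on the statements noting that `combine` truncates to the shorter list, which is presumably why the equality was never needed, would record that.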
@@ -1010,12 +1123,59 @@ Module solinas_reduction. subst; lia. Qed. - Context (base : Z) - (s : Z) + Lemma map_seq_start : forall a b, + map weight (seq a b) = + map (fun t => t * weight a) (map weight (seq 0 b)). + Proof. + intros a b. + induction b; + repeat multimatch goal with + | _ => rewrite IHb + | _ => rewrite seq_snoc + | _ => f_equal + | _ => push + | _ => cbn + end. + weight_comp. + rewrite Nat2Z.inj_add. + rewrite Z.mul_add_distr_l. + rewrite Z.pow_add_r; lia. + Qed. + + Lemma weight_dif_mono' : forall n, + weight (S n) - weight n < weight (S (S n)) - weight (S n). + Proof. + intros. + induction n. + weight_comp; lia. + cbv [weight]. + rewrite uweight_S; [ | lia]. + rewrite uweight_S with (n:=n) at 2; [ | lia]. + rewrite uweight_S with (n:=S (S n)); [ | lia]. + fold weight. + rewrite <-!Z.mul_sub_distr_l. + apply Zmult_lt_compat_l; lia. + Qed. + + Lemma weight_dif_mono : forall n m, + (n < m)%nat -> + weight (S n) - weight n < weight (S m) - weight m. + Proof. + intros n m H. + induction H; + repeat multimatch goal with + | _ => apply IHle + | _ => apply weight_dif_mono' + | _ => etransitivity + end. + Qed. + + Context (base : Z) + (s : Z) (c : list (Z * Z)) (n : nat). - Context (n_gt_1 : n > 1) + Context (n_gt_1 : (n > 1)%nat) (s_pos : s > 0) (c_pos : Associational.eval c > 0) (mod_nz : s - Associational.eval c <> 0) 
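Review bot: `weight_dif_mono'` is proved by a flat script (`induction n. weight_comp; lia. cbv [weight]. ...`) with nothing separating the base and step cases, so a failure in either case surfaces at an unrelated line; wrapping the two cases in `-` bullets, and likewise the tail after `repeat multimatch` in `map_seq_start`, makes the scripts fail where the problem is. None of the three new lemmas carries a `Proof using` annotation although some neighbouring lemmas use `Proof using wprops`; adding it keeps the section's discharge behaviour explicit. The change of `n_gt_1` to `(n > 1)%nat` presumably fixes the comparison being read in `Z` through the `nat` coercion and deserves a mention in the commit description rather than being buried in a proof-refactoring patch.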
@@ -1023,1576 +1183,696 @@ Module solinas_reduction. (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) (coef_small : weight n / s * Associational.eval c < up_bound). - Section mul_no_reduce. - - Theorem eval_mul_no_reduce : forall p q, - Positional.eval weight (2 * n) (mul_no_reduce base n p q) = - Positional.eval weight n p * Positional.eval weight n q. - Proof using base_nz n_gt_1 wprops. - intros. - cbv [mul_no_reduce]. - break_match. - (* properly bounded *) - push. - apply Z.mod_small. - repeat match goal with - | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb - | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H - | _ => progress intuition - | _ => solve_ineq - end. - le_lt. - etransitivity. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto. - le_lt. - replace (weight (2 * n)) with (weight n * weight n). - solve_ineq. - weight_comp. - rewrite <-OrdersEx.Z_as_OT.pow_mul_r. - f_equal. - lia. - lia. - lia. - - (* not bounded *) - push. - ring_simplify. - rewrite <-Z_div_mod_eq. - auto. - rewrite Z.gt_lt_iff. - auto. - push. - lia. - push. - Qed. - Hint Rewrite eval_mul_no_reduce : push_eval. - - Theorem length_mul_no_reduce : forall p q, - length (mul_no_reduce base n p q) = (2 * n)%nat. - Proof. - intros; unfold mul_no_reduce; break_match; push. - Qed. - - End mul_no_reduce. - - Section reduce1. - - Lemma reduce1_length : forall p m1 m2, - length (reduce1 base s c m1 m2 p) = m2. - Proof. - intros; unfold reduce1; push. - Qed. - Hint Rewrite reduce1_length : push_length. - - End reduce1. - - Section reduce_first. - - Lemma split_p : forall p lo hi, - p = lo ++ [hi] -> - canonical_repr (S n) p -> - (split (weight n) [(weight n, hi)] = ([], [(1, hi)])) /\ - (split (weight n) (combine (map weight (seq 0 n)) lo) = - ((combine (map weight (seq 0 n)) lo), [])). - Proof. - intros. - intuition. - { intros. - unfold split. - simpl. 
- assert (weight n mod weight n = 0) by (apply Z_mod_same_full). - rewrite H1. - simpl. - assert (weight n / weight n = 1) by - auto using Z_div_same, Z.lt_gt, weight_positive. - rewrite H2. - reflexivity. } - { apply split_lt. - intros. - rewrite in_map_iff in H1. - destruct H1. - intuition. - rewrite <-H2. - auto. - rewrite <-H2. - rewrite in_seq in H3. - intuition. - simpl in H4. - apply weight_mono. - lia. - rewrite map_length. - rewrite seq_length. - solve_length p. } - Qed. - - Lemma reduce_in_range : forall m x, - x < weight 1 - weight 0 -> - x + weight m < weight (S m). - Proof. - intros. - rewrite OrdersEx.Z_as_DT.lt_add_lt_sub_r. - induction m. - auto. - etransitivity. - apply IHm. - unfold weight. - rewrite uweight_S. - rewrite uweight_S. - rewrite <-uweight_S at 1. - rewrite <-OrdersEx.Z_as_OT.mul_sub_distr_l. - rewrite Z.mul_comm. - rewrite <-OrdersEx.Z_as_OT.lt_mul_diag_r. - simpl; lia. - rewrite OrdersEx.Z_as_OT.lt_0_sub. - fold weight. - apply weight_mono'. - lia. - lia. - lia. - Qed. - - Lemma map_weight_seq : forall m p, - map weight (seq 0 p) = map (fun t => t / (weight m)) (map weight (seq m p)). - Proof. - induction m; intros. - { generalize dependent (map weight (seq 0 p)). - intros. - erewrite map_ext. - symmetry. - eapply map_id. - intros. - rewrite weight_0. - rewrite Z.div_1_r. - lia. - auto. } - { rewrite IHm. - push. - apply map_ext_Forall. - rewrite Forall_forall. - intros. - rewrite in_seq in H. - weight_comp; try lia. - rewrite <-!OrdersEx.Z_as_OT.pow_add_r; try lia. - rewrite <-!OrdersEx.Z_as_OT.pow_sub_r; try lia. - f_equal. - lia. } - Qed. - - Lemma split_p' : forall (p lo hi : list Z), - p = lo ++ hi -> - canonical_repr (2 * n) p -> - length lo = n -> - split (weight n) (combine (map weight (seq 0 n)) lo) = (combine (map weight (seq 0 n)) lo, []) /\ - split (weight n) (combine (map weight (seq n n)) hi) = ([], combine (map weight (seq 0 n)) hi). - Proof. - intros. - intuition. - { apply split_lt. - intros. 
- rewrite in_map_iff in H2. - destruct H2. - intuition; rewrite <-H3. - auto. - rewrite in_seq in H4. - apply weight_mono. - lia. - rewrite map_length. - rewrite seq_length. - auto. } - { rewrite map_weight_seq with (m:=n). - apply split_gt. - intros. - rewrite in_map_iff in H2. - destruct H2. - intuition; rewrite <-H3. - apply Weight.weight_multiples_full. - auto. - auto. - rewrite in_seq in H4. - lia. - rewrite map_length, seq_length. - solve_length p. } - Qed. - - Lemma split_p_first_lo : forall p, - length p = (2 * n)%nat -> - split (weight n) (combine (map weight (seq 0 n)) (firstn n p)) = (combine (map weight (seq 0 n)) (firstn n p), []). - Proof. - intros p Hlen. - rewrite split_lt; - repeat multimatch goal with - | H : _ |- _ => autorewrite with push_misc in H - | H : _ |- _ => rewrite in_seq in H - | _ => rewrite min_l - | _ => rewrite map_weight_seq with (m:=n) - | _ => apply Weight.weight_multiples_full - | H : context[exists _, _] |- _ => destruct H - | H : _ = ?x |- context[?x] => rewrite <-H - | _ => unfold weight; rewrite <-uweight_sum_indices; fold weight - | _ => push - | _ => apply Z.div_lt_upper_bound - | _ => apply Z.div_str_pos - | _ => apply weight_mono - | _ => apply weight_mono_le - | _ => intuition - | _ => auto || lia - end. - Qed. - Hint Rewrite split_p_first_lo using auto : push_eval. - - Lemma split_p_first_hi : forall p, - length p = (2 * n)%nat -> - split (weight n) (combine (map weight (seq n n)) (skipn n p)) = ([], combine (map weight (seq 0 n)) (skipn n p)). - Proof. - intros p Hlen. 
- rewrite split_gt; - repeat multimatch goal with - | H : _ |- _ => autorewrite with push_misc in H - | H : _ |- _ => rewrite in_seq in H - | _ => rewrite min_l - | _ => rewrite map_weight_seq with (m:=n) - | _ => apply Weight.weight_multiples_full - | H : context[exists _, _] |- _ => destruct H - | H : _ = ?x |- context[?x] => rewrite <-H - | _ => unfold weight; rewrite <-uweight_sum_indices; fold weight - | _ => push - | _ => apply Z.div_lt_upper_bound - | _ => apply Z.div_str_pos - | _ => apply weight_mono - | _ => apply weight_mono_le - | _ => intuition - | _ => auto || lia - end. - Qed. - Hint Rewrite split_p_first_hi using auto : push_eval. - - Lemma value_reduce_first' : forall (p : list Z), - length p = (2 * n)%nat -> - let q := reduce1 base s c (2 * n) (S n) p in - let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in - let coef := Associational.sat_mul_const base [(1, s'/s)] c in - eval weight (S n) q = Associational.eval coef * eval weight n (skipn n p) + eval weight n (firstn n p). - Proof. - intros p Hlen ? ? ?. - cbv [q s' coef reduce1 to_associational]. - pose proof (firstn_skipn n p) as Hp. - symmetry in Hp. - rewrite Hp. - push. - rewrite Hlen. - rewrite min_l; try lia. - erewrite !adjust_s_finished; try eapply solinas_property; try lia. - push. - rewrite skipn_all with (xs := firstn n p). - rewrite firstn_all with (xs := firstn n p). - push. - solve_ineq. - split; - solve_ineq. - all: admit. - Admitted. - - Lemma value_reduce_first : forall (p lo hi : list Z), - p = lo ++ hi -> - canonical_repr (2 * n) p -> - length lo = n -> - let q := reduce1 base s c (2 * n) (S n) p in - let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in - let coef := Associational.sat_mul_const base [(1, s'/s)] c in - eval weight (S n) q = Associational.eval coef * eval weight n hi + eval weight n lo. - Proof. - intros. - pose proof (split_p' _ _ _ H H0 H1) as Hsplit. - destruct Hsplit as [ Hlo Hhi ]. - canonical_app p. 
- replace (length hi) with n in * by (solve_length p). - replace (length lo) with n in *. - unfold q, reduce1. - rewrite H. - rewrite Rows.flatten_mod, Rows.eval_from_associational, value_sat_reduce. - unfold to_associational. - cbn [fst snd]. - erewrite adjust_s_finished; try apply solinas_property. - replace (2 * n)%nat with (n + n)%nat by lia. - rewrite seq_add. - rewrite Nat.add_0_l. - rewrite map_app. - rewrite combine_app_samelength. - rewrite fst_split_app, snd_split_app. - cbn [fst snd]. - rewrite Hlo, Hhi. - autorewrite with push_eval zsimplify_const. - cbn [snd]. - unfold coef, s'. - autorewrite with push_eval zsimplify_const. - erewrite adjust_s_finished; try apply solinas_property. - cbn [fst snd]. - - rewrite Z.mod_small. - reflexivity. - split. - solve_ineq; apply canonical_pos; auto. - etransitivity. - solve_ineq. - apply Z.mul_lt_mono_nonneg. - solve_ineq. - eauto. - apply canonical_pos; auto. - apply canonical_eval_bounded; auto. - apply canonical_eval_bounded; auto. - weight_comp. - rewrite Z.mul_comm. - rewrite Zred_factor3. - rewrite Z.mul_comm. - apply Zmult_lt_compat_r. - lia. - simpl. - lia. - lia. - lia. - lia. - lia. - rewrite map_length, seq_length. - solve_length lo. - lia. - lia. - lia. - auto. - lia. - auto. - intros. - eapply Rows.length_from_associational; eauto. - Qed. - - Lemma reduce_first_canonical : forall (p lo hi : list Z), - p = lo ++ hi -> - canonical_repr (2 * n) p -> - length lo = n -> - canonical_repr (S n) (reduce1 base s c (2*n) (S n) p). - Proof. - intros. - unfold reduce1, canonical_repr. - split. - { rewrite Rows.flatten_correct. - cbn [fst]. - auto with push_length. - auto. - intros. - eapply Rows.length_from_associational; eauto. } - { pose proof (split_p' _ _ _ H H0 H1) as Hsplit. - destruct Hsplit as [ Hlo Hhi ]. - rewrite Rows.flatten_correct. - cbn [fst]. - rewrite Partition.eval_partition. - f_equal. - apply Z.mod_small_sym. - rewrite Rows.eval_from_associational. - rewrite H. - rewrite value_sat_reduce. 
- erewrite adjust_s_finished; try apply solinas_property. - unfold to_associational. - replace (2 * n)%nat with (n + n)%nat by lia. - rewrite seq_add. - rewrite Nat.add_0_l. - rewrite map_app. - rewrite combine_app_samelength. - rewrite fst_split_app, snd_split_app. - cbn [fst snd]. - rewrite Hlo, Hhi. - autorewrite with push_eval zsimplify_const. - cbn [fst snd]. - - canonical_app p. - replace (length lo) with n in Hcanon_l by (solve_length p). - replace (length hi) with n in Hcanon_r. - split. - solve_ineq. - apply canonical_pos; auto. - apply canonical_pos; auto. - etransitivity. - solve_ineq. - apply Z.mul_lt_mono_nonneg. - solve_ineq. - eauto. - apply canonical_pos; auto. - apply canonical_eval_bounded; auto. - apply canonical_eval_bounded; auto. - weight_comp. - rewrite Z.mul_comm. - rewrite Zred_factor3. - rewrite Z.mul_comm. - apply Zmult_lt_compat_r. - lia. - simpl; lia. - lia. - lia. - solve_length p. - rewrite map_length, seq_length; auto. - lia. - lia. - lia. - auto. - lia. - auto. - auto. - eapply Rows.length_from_associational; eauto. } - Qed. - - Lemma reduce_first : forall (p lo hi : list Z), - p = lo ++ hi -> - canonical_repr (2 * n) p -> - length lo = n -> - forall q_lo q_hi, - let q := reduce1 base s c (2*n) (S n) p in - q = q_lo ++ [q_hi] -> - q_hi < up_bound. - Proof. - intros. - pose proof (value_reduce_first _ _ _ H H0 H1). - pose proof (reduce_first_canonical _ _ _ H H0 H1) as Hcanon. - fold q in Hcanon. - - pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (n) pf as Hnth. - assert (Hcanon' := Hcanon). - unfold canonical_repr in Hcanon'. - destruct Hcanon' as [ _ Hpart ]. - rewrite <-Hpart in Hnth. - rewrite H2 in Hnth at 1. - rewrite nth_default_app in Hnth. - destruct lt_dec in Hnth. - solve_length q. - replace (length q_lo) with n in Hnth by (solve_length q). - rewrite Nat.sub_diag in Hnth. - unfold nth_default in Hnth. - simpl in Hnth. - rewrite Hnth. - unfold q. - apply Z.div_lt_upper_bound. - auto. 
+ (* SECTION MUL_NO_REDUCE *) - canonical_app p. - replace (length lo) with n in Hcanon_l. - replace (length hi) with n in Hcanon_r by (solve_length p). - rewrite H3. - autorewrite with push_eval zsimplify_const. - erewrite adjust_s_finished; try apply solinas_property. - cbn [fst snd]. - rewrite <-Le.Z.le_sub_1_iff. - rewrite Z.mod_small. - etransitivity. - solve_ineq. - rewrite <-Le.Z.le_sub_1_iff in coef_small. - apply Z.mul_le_mono_nonneg. - solve_ineq. - eauto. - apply canonical_pos; auto. - rewrite Le.Z.le_sub_1_iff. - eapply canonical_eval_bounded; auto. - rewrite Le.Z.le_sub_1_iff. - apply canonical_eval_bounded; auto. - ring_simplify. - rewrite OrdersEx.Z_as_OT.le_sub_le_add_r. - unfold up_bound. - weight_comp. - simpl. - nia. - - split. - solve_ineq. - apply canonical_pos; auto. - apply canonical_pos; auto. - etransitivity. - solve_ineq. - apply Z.mul_lt_mono_nonneg. - solve_ineq. - eauto. - apply canonical_pos; auto. - eapply canonical_eval_bounded; auto. - eapply canonical_eval_bounded; auto. - weight_comp. - unfold up_bound, machine_wordsize. - rewrite Z.mul_comm. - rewrite Zred_factor3. - rewrite Z.mul_comm. - apply Zmult_lt_compat_r. - lia. - cbn. - lia. - lia. - lia. - lia. - lia. - lia. - Qed. - - Lemma reduce_first_correct : forall (p lo hi : list Z), - p = lo ++ hi -> - canonical_repr (2 * n) p -> - length lo = n -> - let q := reduce1 base s c (2 * n) (S n) p in - (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) - = (Positional.eval weight (S n) q) mod (s - Associational.eval c). - Proof. - intros. - pose proof (value_reduce_first _ _ _ H H0 H1) as Hval. - canonical_app p. - replace (length hi) with n in Hcanon_r by (solve_length p). - replace (length lo) with n in Hcanon_l. - unfold q in *. - rewrite Hval. - rewrite H. - unfold weight. - replace (2 * n)%nat with (n + (length hi))%nat by (solve_length p). - rewrite uweight_eval_app'. - replace (length hi) with n by (solve_length hi). - fold weight. 
- autorewrite with push_eval zsimplify_const. - erewrite adjust_s_finished'; try apply solinas_property. - cbn [fst snd]. - rewrite (Z.add_comm _ (eval weight n lo)). - rewrite Z.mul_comm with (m:=Associational.eval c). - rewrite <-Z.mul_assoc. - rewrite <-reduction_rule. - apply Z.elim_mod. - rewrite Z.add_cancel_l. - rewrite Z.mul_assoc. - rewrite <-Z_div_exact_2. - lia. - lia. - pose proof (adjust_s_invariant (S (S (S n))) s) as Hinv. - erewrite adjust_s_finished' in Hinv; try apply solinas_property. - cbn [fst] in Hinv. - apply Hinv. - lia. - lia. - lia. - lia. - lia. - solve_length lo. - Qed. + Theorem eval_mul_no_reduce : forall p q, + eval weight (2 * n) (mul_no_reduce base n p q) = + eval weight n p * Positional.eval weight n q. + Proof using base_nz n_gt_1 wprops. + intros. + cbv [mul_no_reduce]. + break_match. + (* properly bounded *) + push. + apply Z.mod_small. + repeat match goal with + | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb + | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H + | _ => progress intuition + | _ => solve_ineq + end. + le_lt. + etransitivity. + apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto. + le_lt. + replace (weight (2 * n)) with (weight n * weight n). + solve_ineq. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. + f_equal. + lia. + lia. + lia. - End reduce_first. + (* not bounded *) + push. + ring_simplify. + rewrite <-Z_div_mod_eq. + auto. + rewrite Z.gt_lt_iff. + auto. + push. + lia. + push. + Qed. + Hint Rewrite eval_mul_no_reduce : push_eval. - Lemma reduce_second_canonical : forall (p : list Z) lo hi, - p = lo ++ [hi] -> - hi < up_bound -> - canonical_repr (S n) p -> - canonical_repr (S n) (reduce1 base s c (S n) (S n) p). + Theorem length_mul_no_reduce : forall p q, + length (mul_no_reduce base n p q) = (2 * n)%nat. Proof. - intros. - unfold reduce1 in *. - unfold canonical_repr. - intuition. - { rewrite Rows.flatten_correct. - cbn [fst]. 
- auto with push_length. - eauto. - intros. - eapply Rows.length_from_associational. - eauto. } - { pose proof (split_p _ _ _ H H1). - intuition. - - rewrite Rows.flatten_correct. - cbn [fst]. - rewrite Partition.eval_partition. - f_equal. - apply Z.mod_small_sym. - - rewrite Rows.eval_from_associational. - rewrite H. - rewrite value_sat_reduce. - apply adjust_s_finished' in solinas_property. - rewrite solinas_property. - autorewrite with push_eval zsimplify_const. - cbn [fst snd]. - unfold to_associational. - rewrite seq_snoc. - rewrite map_app. - rewrite Nat.add_0_l; cbn [map]. - rewrite combine_snoc. - rewrite fst_split_app, snd_split_app. - autorewrite with push_eval. - rewrite H3, H4. - cbn [fst snd]. - autorewrite with push_eval zsimplify_const. - cbn [snd]. - - split. - apply OrdersEx.Z_as_OT.add_nonneg_nonneg. - apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. - apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. - apply Z.div_nonneg. - auto with zarith. - lia. - lia. - eapply canonical_bounded; eauto. - rewrite H; apply in_or_app; right; simpl; eauto. - rewrite H in H1. - assert (canonical_repr n lo). - { eapply canonical_app_l. - apply H1. - solve_length (lo++[hi]). - 3: eauto. - eauto. - solve_length (lo++[hi]). } - pose proof (canonical_pos _ _ H2). - unfold eval, to_associational in H5. - auto. + intros; unfold mul_no_reduce; break_match; push. + Qed. + Hint Rewrite length_mul_no_reduce : push_length. - assert (weight n / s * Associational.eval c * hi < up_bound * up_bound). - { apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. - apply OrdersEx.Z_as_OT.mul_nonneg_nonneg. - apply Z.div_nonneg. - auto with zarith. - lia. - lia. - auto. - eapply canonical_bounded; eauto. - rewrite H; apply in_or_app; right; simpl; eauto. - auto. } - - assert (canonical_repr n lo). - { eapply canonical_app_l. - apply H1. - solve_length p. - 3: eauto. - eauto. - solve_length p. } - pose proof (canonical_eval_bounded _ _ H5). - - etransitivity. - apply OrdersEx.Z_as_OT.add_lt_mono. - eauto. 
- eauto. - apply reduce_in_range. - vm_compute; auto. - - (* generated lemmas *) - rewrite map_length. - rewrite seq_length. - solve_length p. - lia. - lia. - auto. - auto. - auto. - auto. - intros. - eapply Rows.length_from_associational; eauto. } + (* END SECTION MUL_NO_REDUCE *) + + (* SECTION REDUCE1 *) + + Lemma reduce1_length : forall p m1 m2, + length (reduce1 base s c m1 m2 p) = m2. + Proof using wprops. + intros; cbv [reduce1]; break_match; push. Qed. + Hint Rewrite reduce1_length : push_length. - Lemma value_reduce_second : forall (p : list Z) lo hi, - p = lo ++ [hi] -> - canonical_repr (S n) p -> - hi < up_bound -> - let q := reduce1 base s c (S n) (S n) p in - let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in - let coef := Associational.sat_mul_const base [(1, s'/s)] c in - eval weight (S n) q = Associational.eval coef * hi + eval weight n lo. + Lemma split_p_firstn : forall p, + n <= length p -> + split (weight n) (combine (map weight (seq 0 n)) (firstn n p)) = + (combine (map weight (seq 0 n)) (firstn n p), []). + Proof using wprops. + intros p Hlen. + rewrite split_lt; + repeat multimatch goal with + | H : _ |- _ => autorewrite with push_misc in H + | H : _ |- _ => rewrite in_seq in H + | _ => rewrite min_l + | H : context[exists _, _] |- _ => destruct H + | H : _ = ?x |- context[?x] => rewrite <-H + | _ => push + | _ => apply weight_mono + | _ => intuition + | _ => auto || lia + end. + Qed. + Hint Rewrite split_p_firstn : push_misc. + + Lemma split_p_skipn : forall p m1, + n <= length p -> + split (weight n) (combine (map weight (seq n (m1 - n))) (skipn n p)) = + ([], combine (map weight (seq 0 (m1 - n))) (skipn n p)). + Proof using wprops. + intros p m1 Hlen. 
+ rewrite split_gt; + repeat multimatch goal with + | H : _ |- _ => autorewrite with push_misc in H + | H : _ |- _ => rewrite in_seq in H + | _ => apply Weight.weight_multiples_full + | H : context[exists _, _] |- _ => destruct H + | H : _ = ?x |- context[?x] => rewrite <-H + | _ => push + | _ => intuition + end. + Qed. + Hint Rewrite split_p_skipn : push_misc. + + Lemma split_p : forall m1 p, + (m1 >= n)%nat -> + n <= length p -> + split (weight n) (combine (map weight (seq 0 m1)) p) = + (combine (map weight (seq 0 n)) (firstn n p), + (combine (map weight (seq 0 (m1 - n))) (skipn n p))). Proof. intros. - unfold reduce1 in *. - unfold q, coef, s'. - rewrite H. - rewrite Rows.flatten_mod, Rows.eval_from_associational, value_sat_reduce. + replace m1 with (n + (m1 - n))%nat at 1 by lia. + rewrite <-(firstn_skipn n p) at 1. + push. + push. + lia. + Qed. + Hint Rewrite split_p : push_misc. - unfold to_associational. - rewrite seq_snoc. - rewrite map_app. - rewrite Nat.add_0_l; cbn [map]. - rewrite combine_snoc. - rewrite fst_split_app, snd_split_app. - autorewrite with push_eval. - - pose proof solinas_property as Hsol. - apply adjust_s_finished' in Hsol. - rewrite Hsol. - cbn [fst snd]; autorewrite with zsimplify_const. - pose proof (split_p _ _ _ H H0) as Hsplit. - destruct Hsplit as [ Hhi Hlo ]. - rewrite Hhi, Hlo. - cbn [fst snd]; autorewrite with push_eval zsimplify_const; cbn [snd]. - - unfold eval, to_associational. - apply Z.mod_small. - assert (Hmach : 0 < machine_wordsize) by lia. - apply BYInv.eval_bound with (n:=n) (f:=lo) in Hmach. - unfold eval, to_associational in Hmach. - intuition. + Hint Rewrite repeat_length : push_length. + Ltac solve_ibb := + apply eval_is_bounded_by; + match goal with + | |- context [firstn _ _] => eapply is_bounded_by_app_l + | |- context [skipn _ _] => eapply is_bounded_by_app_r + end; eauto; push; try lia. 
+ + Lemma value_reduce1 : forall p m1 m2, + (m1 >= n)%nat -> + (m2 > 0)%nat -> + n <= length p -> + up_bound * weight (m1 - n) + weight n < weight m2 -> + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let coef := Associational.sat_mul_const base [(1, s'/s)] c in + eval weight m2 (reduce1 base s c m1 m2 p) = + Associational.eval coef * eval weight (m1 - n) (skipn n p) + eval weight n (firstn n p). + Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. + intros. + assert (Rows.adjust_s weight (S (S m1)) s = + Rows.adjust_s weight (S (S n)) s) as Hadjust. + { destruct H. + auto. + rewrite solinas_property. + eapply adjust_s_finished; try apply solinas_property. + lia. + lia. } + cbv [s' coef reduce1]; break_match; push. + rewrite Hadjust. + rewrite solinas_property. + cbv [to_associational]. + push. + rewrite <-(firstn_skipn n p) in Heqb. + replace m1 with (n + (m1 - n))%nat in Heqb by lia. + rewrite repeat_app in Heqb. solve_ineq. - solve_hi. - auto. - - rewrite <-Le.Z.le_sub_1_iff. + solve_ibb. + solve_ibb. etransitivity. solve_ineq. - apply OrdersEx.Z_as_OT.lt_le_incl in coef_small as coef_small'. - adjust_ineq coef_small'. - solve_hi. - rewrite Le.Z.le_sub_1_iff. - eauto. - rewrite OrdersEx.Z_as_OT.add_sub_assoc. - rewrite <-OrdersEx.Z_as_OT.sub_le_mono_r. - - etransitivity. + apply Z.mul_lt_mono_nonneg. solve_ineq. - apply OrdersEx.Z_as_OT.lt_le_incl in H1 as H1'. - apply Zmult_le_compat_l. eauto. + solve_ibb. + solve_ibb. + solve_ibb. lia. + + rewrite Hadjust. + rewrite solinas_property. + cbv [to_associational]. + push. + rewrite <-Z_div_mod_eq_full. reflexivity. + push. + push. + Qed. - etransitivity. - unfold up_bound. + Lemma eval_seq_start : forall a b p, + Associational.eval (combine (map weight (seq a b)) p) = + weight a * Associational.eval (combine (map weight (seq 0 b)) p). + Proof using n_gt_1 wprops. + intros. + generalize dependent a. + generalize dependent b. + induction p as [ | x p IHp ]; intros. + push. 
+ destruct b. + push. + cbn [seq]. + rewrite <-seq_shift. + push. + rewrite IHp. + lia. + Qed. + Lemma eval_reduce1 : forall p m1 m2, + (m1 >= n)%nat -> + (m2 > 0)%nat -> + n <= length p -> + up_bound * weight (m1 - n) + weight n < weight m2 -> + let q := reduce1 base s c m1 m2 p in + (Positional.eval weight m1 p) mod (s - Associational.eval c) + = (Positional.eval weight m2 q) mod (s - Associational.eval c). + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. + intros. + cbv [q]. + rewrite value_reduce1; try lia. + push. + rewrite solinas_property. + cbn [fst snd]. match goal with - | [ |- context[ ?x + ?y ] ] => - assert (x <= y) + | |- context[_ mod (_ - ?c)] => + lazymatch goal with + | |- context[?x * ?c * ?y] => replace (x * c * y) with (c * (x * y)) by lia + end end. - ring_simplify. - rewrite <-OrdersEx.Z_as_OT.pow_mul_r. - apply OrdersEx.Z_as_OT.pow_le_mono_r. - lia. - unfold machine_wordsize. - simpl. - break_match; lia. - (* proving 0 <= 64 / 4... is there an easier way? *) - unfold machine_wordsize. - replace (64 / 4) with 16 by eauto. - lia. - (* *) - lia. - solve_ineq. - eauto. - reflexivity. - weight_comp. - simpl. - break_match; lia. + rewrite Z.add_comm. + rewrite <-reduction_rule. + apply Z.elim_mod. + rewrite <-(firstn_skipn n p) at 1. + replace m1 with (n + (m1 - n))%nat by lia. + cbv [eval to_associational]. + push. + rewrite Z.mul_assoc. + rewrite <-Z_div_exact_2. + rewrite Z.add_cancel_l. + cbn. + replace (n + (m1 - n) - n)%nat with (m1 - n)%nat by lia. + rewrite eval_seq_start. lia. lia. - - canonical_app p. - eapply canonical_bounded. - apply Hcanon_l. - solve_length p. + pose proof (adjust_s_invariant (S (S n)) s ltac:(lia)) as Hadj. + rewrite solinas_property in Hadj. + intuition. + push. lia. - rewrite map_length. - rewrite seq_length. - solve_length p. lia. - auto. - auto. - auto. - intros. - eapply Rows.length_from_associational; eauto. Qed. 
- Lemma reduce_second : forall (p : list Z) lo hi, - p = lo ++ [hi] -> - canonical_repr (S n) p -> - hi < up_bound -> - forall q_lo q_hi1 q_hi2, - let q := reduce1 base s c (S n) (S n) p in - q = q_lo ++ [q_hi1] ++ [q_hi2] -> - ((q_hi2 = 1 /\ q_hi1 = 0) \/ - (q_hi2 = 0)). - Proof. - intros. - pose proof (value_reduce_second _ _ _ H H0 H1). - pose proof (reduce_second_canonical _ _ _ H H1 H0) as Hqcanon. - fold q in Hqcanon. - - assert (0 <= q_hi2 < 2). - { intuition. - eapply canonical_bounded. - apply Hqcanon. - solve_in. - - pose proof fun pf => nth_default_partition weight 0 (S n) (eval weight (S n) q) (1 + length q_lo) pf as Hnth. - assert (Hqcanon' := Hqcanon). - unfold canonical_repr in Hqcanon'. - destruct Hqcanon' as [ _ Hqpart ]. - rewrite <-Hqpart in Hnth. - rewrite H2 in Hnth at 1. - rewrite nth_default_app in Hnth. - destruct lt_dec in Hnth. - lia. - rewrite Nat.add_sub in Hnth. - unfold nth_default in Hnth. - simpl in Hnth. - rewrite Hnth. - unfold q. - apply Z.div_lt_upper_bound. - auto. + (* END SECTION REDUCE1 *) - rewrite H3. - autorewrite with push_eval. - apply adjust_s_finished' in solinas_property. - rewrite solinas_property. - cbn [fst snd]. - autorewrite with zsimplify_const. - apply Le.Z.le_sub_1_iff. - etransitivity. - apply Z.mod_le. - solve_ineq. - solve_hi. - apply canonical_pos. - canonical_app p. - replace n with (length lo). - auto. - solve_length p. - auto. - apply Le.Z.le_sub_1_iff. - - etransitivity. - solve_ineq. - apply Z.mul_lt_mono_nonneg. - solve_ineq. - eauto. - solve_hi. - eauto. - apply canonical_eval_bounded. - canonical_app p. - replace n with (length lo). - auto. - solve_length p. - - rewrite <-Zplus_diag_eq_mult_2. - replace (S (length q_lo)) with n by (solve_length q). - solve_ineq. - - unfold up_bound. - weight_comp. - rewrite <-OrdersEx.Z_as_OT.pow_mul_r. - apply OrdersEx.Z_as_OT.pow_lt_mono_r. - lia. - unfold machine_wordsize. - simpl. - break_match; lia. - unfold machine_wordsize. - simpl. - break_match; lia. 
- (* proving 0 <= 64 / 4... is there an easier way? *) - unfold machine_wordsize. - replace (64 / 4) with 16 by eauto. - lia. - lia. - lia. - solve_length q. } + (* SECTION REDUCE_FIRST *) - assert (q_hi2 = 0 \/ q_hi2 = 1) by lia. - intuition. - left. + Lemma reduce_first_canonical : forall p, + length p = (2 * n)%nat -> + is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) (2 * n)) p = true-> + canonical_repr (S n) (reduce1 base s c (2*n) (S n) p). + Proof. + intros p Hlen H. + cbv [reduce1 canonical_repr]. + rewrite H. + push. intuition. - pose proof f_equal (eval weight (S n)) H2 as Hqeval. - erewrite app_assoc, !eval_snoc in Hqeval; eauto; try (solve_length q). - unfold q in Hqeval. - rewrite H3 in Hqeval. - subst q_hi2. - autorewrite with push_eval zsimplify_const in Hqeval. - apply adjust_s_finished' in solinas_property. - rewrite solinas_property in Hqeval. - cbn [fst snd] in Hqeval. - apply LinearSubstitute.Z.move_L_pX in Hqeval. - - remember (weight n / s * Associational.eval c) as coef. - pose proof - fun pf => nth_default_partition weight 0 n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) (length q_lo) pf as Heval. - - rewrite app_assoc in H2. - canonical_app q. - rewrite app_length in Hcanon_l. - cbn [length] in Hcanon_l. - unfold canonical_repr in Hcanon_l. - destruct Hcanon_l as [ _ Hcanon_l ]. - - assert (Partition.partition weight n (coef * hi + eval weight n lo - weight (S (Datatypes.length q_lo))) = q_lo ++ [q_hi1]) as Hqpart. - rewrite Hcanon_l. + erewrite adjust_s_finished; try apply solinas_property; try lia. + push. f_equal. - solve_length q. - erewrite eval_snoc; try (solve_length q). - apply Hqeval. - - rewrite Hqpart in Heval. - rewrite nth_default_app in Heval. - destruct lt_dec in Heval; try lia. - rewrite OrdersEx.Nat_as_OT.sub_diag in Heval. - cbn in Heval. - rewrite Heval; try (solve_length q). - apply Z.div_small. - - match goal with - | |- 0 <= ?x mod _ < _ => assert (0 <= x) as Hpos - end. - rewrite Hqeval. 
+ rewrite Z.mod_small. + reflexivity. + cbv [to_associational]. + push. + rewrite <-(firstn_skipn n p) in H. + replace (2*n-n)%nat with n by lia. + replace (2 * n)%nat with (n + n)%nat in H by lia. + rewrite repeat_app in H. solve_ineq. - apply canonical_pos. - canonical_app q. - canonical_app (q_lo ++ [q_hi1]). - rewrite <-app_assoc in H2. - solve_hi. - match goal with - | |- 0 <= ?x mod _ < ?y => assert (x < y) as Hbound - end. - rewrite OrdersEx.Z_as_OT.lt_sub_lt_add_r. - replace (S (length q_lo)) with n by (solve_length q). - solve_ineq. + solve_ibb. + solve_ibb. etransitivity. - rewrite Heqcoef. - apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. solve_ineq. - rewrite Heqcoef in coef_small. - eauto. - solve_hi. + apply Z.mul_lt_mono_nonneg. + solve_ineq. eauto. - unfold up_bound. + solve_ibb. + solve_ibb. + solve_ibb. + cbv [up_bound machine_wordsize]. weight_comp. - rewrite <-OrdersEx.Z_as_OT.pow_mul_r. - apply OrdersEx.Z_as_OT.pow_lt_mono_r. - lia. - lia. - replace (length q_lo) with (n-1)%nat by (solve_length q). - simpl. - break_match; lia. - unfold machine_wordsize. - replace (64 / 4) with 16 by reflexivity. - lia. - lia. - apply canonical_eval_bounded. - canonical_app p. - replace n with (length lo) by (solve_length p). - auto. - - split; - rewrite Z.mod_small; - auto; - split; - auto; - etransitivity; - eauto; - apply weight_mono'. - lia. + rewrite <-Z.mul_succ_l. + apply Zmult_lt_compat_r. + all: cbn; break_match; lia. Qed. - Lemma reduce_second_correct : forall p lo hi, - p = lo ++ [hi] -> + (* END SECTION REDUCE_FIRST *) + + (* SECTION REDUCE_SECOND *) + + Lemma reduce_second_canonical : forall p, canonical_repr (S n) p -> - hi < up_bound -> - let q := reduce1 base s c (S n) (S n) p in - (Positional.eval weight (S n) p) mod (s - Associational.eval c) - = (Positional.eval weight (S n) q) mod (s - Associational.eval c). + canonical_repr (S n) (reduce1 base s c (S n) (S n) p). Proof. intros. - pose proof (value_reduce_second _ _ _ H H0 H1) as Hval. 
- unfold q in *. - rewrite Hval. - rewrite H. - rewrite eval_snoc_S. - autorewrite with push_eval zsimplify_const. - cbn [fst snd]. - apply adjust_s_finished' in solinas_property. + cbv [canonical_repr]. + push. + assert (Hcanon := H). + cbv [canonical_repr] in H. + intuition. + rewrite value_reduce1. rewrite solinas_property. - cbn [fst]. - rewrite Z.mul_comm with (m:=Associational.eval c) (n:=(weight n / s)). - rewrite (Z.add_comm _ (eval weight n lo)). - rewrite <-Z.mul_assoc. - rewrite <-reduction_rule. - apply Z.elim_mod. - rewrite Z.add_cancel_l. - - rewrite Z.mul_assoc. - rewrite <-Z_div_exact_2. + push. + cbv [reduce1]. + break_match. + push. + erewrite adjust_s_finished'; try eapply solinas_property. + cbv [to_associational]. + rewrite split_p. + push. lia. lia. - pose proof (adjust_s_invariant (S (S (S n))) s) as Hinv. - rewrite solinas_property in Hinv. - cbn [fst] in Hinv. - apply Hinv. lia. + + rewrite canonical_is_bounded_by in Hcanon. + intuition. + match goal with + | H : ?x = true, H1 : ?x = false |- _ => rewrite H in H1; discriminate + end. lia. lia. - solve_length p. + lia. + replace (S n - n)%nat with 1%nat by lia. + cbv [up_bound machine_wordsize]. + rewrite Z.lt_add_lt_sub_r. + etransitivity; [ | apply weight_dif_mono with (n:=1%nat); lia ]. + weight_comp; cbn; lia. Qed. - Lemma reduce_third_canonical : forall (p : list Z) lo hi, - p = lo ++ [hi] -> - (canonical_repr (S n) p) -> - hi < up_bound -> + Hint Rewrite nth_default_partition : push_misc. + Lemma reduce_second_bounds : forall p, + canonical_repr (S n) p -> + (nth_default 0 p n) < up_bound -> let q := reduce1 base s c (S n) (S n) p in - let r := reduce1 base s c (S n) n q in - canonical_repr n r. + (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1) \/ + nth_default 0 q n = 0. Proof. intros. - pose proof (reduce_second_canonical _ _ _ H H1 H0) as Hcanon. - fold q in Hcanon. - assert (Hcanon' := Hcanon). - unfold canonical_repr in Hcanon'. - destruct Hcanon' as [ Hlen _ ]. 
- assert (exists q_lo q_hi1 q_hi2, q = q_lo ++ [q_hi1] ++ [q_hi2]) as Hq. - { pose proof (break_list_last q) as Hd1. - destruct Hd1 as [ Hd1 | Hd1 ]. - rewrite Hd1 in Hlen. - cbn in Hlen. - lia. - destruct Hd1 as [ q' Hd1 ]. - destruct Hd1 as [ q_hi2 Hd1]. - - pose proof (break_list_last q') as Hd2. - destruct Hd2 as [ Hd2 | Hd2 ]. - subst q'. - rewrite Hd1 in Hlen. - cbn in Hlen. - lia. - destruct Hd2 as [ q_lo Hd2 ]. - destruct Hd2 as [ q_hi1 Hd2 ]. - rewrite Hd2 in Hd1. - rewrite <-app_assoc in Hd1. - eauto. } - destruct Hq as [ q_lo Hq ]. - destruct Hq as [ q_hi1 Hq ]. - destruct Hq as [ q_hi2 Hq ]. - - pose proof (reduce_second _ _ _ H H0 H1 _ _ _ Hq). - rewrite app_assoc in Hq. - intuition. - (* q_hi1 = 0, q_hi2 = 1 *) - subst q_hi1 q_hi2. - unfold canonical_repr. - split. - unfold r, reduce1. - rewrite Rows.flatten_correct. - cbn [fst]. - auto with push_length. - auto. - intros. - eapply Rows.length_from_associational; eassumption. - - unfold r, reduce1. - rewrite Rows.flatten_correct. - cbn [fst]. - rewrite Partition.eval_partition. - f_equal. - apply Z.mod_small_sym. - - rewrite Rows.eval_from_associational. - rewrite value_sat_reduce. - apply adjust_s_finished' in solinas_property. + pose proof (reduce_second_canonical p ltac:(auto)) as Hcanonq. + fold q in Hcanonq. + pose proof (firstn_skipn n p) as Hp; symmetry in Hp. + pose proof (firstn_skipn n q) as Hq; symmetry in Hq. + canonical_app p. + push' Hcanon_l. + push' Hcanon_r. + canonical_app q; push' Hcanon_l0; push' Hcanon_r0. + replace (length p) with (S n) in * by (solve_length p). + replace (length q) with (S n) in * by (solve_length q). + rewrite min_l in *; [| lia | solve_length q]. + const_simpl. + + assert (0 <= nth_default 0 q n < 2). + assert (Hcanonq' := Hcanonq). + cbv [canonical_repr] in Hcanonq'. + destruct Hcanonq as [ _ Hpartq ]. + rewrite Hpartq. + push. + solve_ineq; auto. + rewrite Z.mod_small. + cbv [q]. + rewrite value_reduce1. + const_simpl. rewrite solinas_property. 
- autorewrite with push_eval zsimplify_const. - cbn [fst snd]. - unfold to_associational. - rewrite seq_snoc. - rewrite map_app. - rewrite Nat.add_0_l; cbn [map]. - rewrite Hq. - rewrite combine_snoc. - rewrite fst_split_app, snd_split_app. - autorewrite with push_eval. - destruct (split_p _ _ _ Hq Hcanon) as [Hsplit1 Hsplit2]. - rewrite Hsplit1, Hsplit2. - cbn [fst snd]. - autorewrite with push_eval zsimplify_const. - destruct n eqn:En; try lia. - rewrite seq_snoc. - rewrite map_app. - cbn. - rewrite combine_snoc. - rewrite eval_app. - autorewrite with push_eval zsimplify_const. - split. - + push. + rewrite <-Zplus_diag_eq_mult_2. solve_ineq. - apply canonical_pos. - canonical_app q. - canonical_app (q_lo ++ [0]). - replace n0 with (length q_lo) by (solve_length q). - auto. etransitivity. + apply Z.mul_lt_mono_nonneg. solve_ineq. eauto. - apply canonical_eval_bounded. - canonical_app q. - canonical_app (q_lo ++ [0]). - replace n0 with (length q_lo) by (solve_length q). - auto. - apply reduce_in_range. - vm_compute; auto. - rewrite map_length, seq_length. - solve_length q. - rewrite map_length, seq_length. - solve_length q. + apply canonical_pos; auto. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + push; eauto. + solve_length p. + solve_length p. + cbv [up_bound machine_wordsize]. + weight_comp. + rewrite <-OrdersEx.Z_as_OT.pow_mul_r. + apply Z.pow_lt_mono_r; cbn; break_match; lia. + cbn; lia. lia. + apply canonical_eval_bounded; auto. lia. - auto. lia. - auto. - auto. - eapply Rows.length_from_associational; eassumption. - - (* q_hi2 = 0 *) - subst q_hi2. - split. - unfold r, reduce1. - rewrite Rows.flatten_correct. - cbn [fst]. - auto with push_length. - auto. - intros. - eapply Rows.length_from_associational; eassumption. - - unfold r, reduce1. - rewrite Rows.flatten_correct. - cbn [fst]. - rewrite Partition.eval_partition. - f_equal. - apply Z.mod_small_sym. - - rewrite Rows.eval_from_associational. - rewrite value_sat_reduce. 
- apply adjust_s_finished' in solinas_property. - rewrite solinas_property. - autorewrite with push_eval zsimplify_const. - cbn [fst snd]. - unfold to_associational. + solve_length p. + const_simpl. + cbv [up_bound machine_wordsize]. + rewrite Z.lt_add_lt_sub_r. + etransitivity; [ | apply weight_dif_mono with (n:=1%nat); lia ]. + weight_comp; cbn; lia. + solve_ineq; [apply canonical_pos | apply canonical_eval_bounded]; auto. + + assert (Hnth : nth_default 0 q n = 0 \/ nth_default 0 q n = 1) by lia. + destruct Hnth as [Hnth1 | Hnth2]. + intuition. + left. + intuition. + assert (Hcanonq' := Hcanonq). + destruct Hcanonq' as [_ Hpart]. + rewrite Hpart. + push. + assert (H' : Associational.eval (combine (map weight (seq 0 n)) (firstn n q)) = eval weight (S n) q - weight n). + rewrite Hq at 2. + cbv [eval to_associational]. rewrite seq_snoc. - rewrite map_app. - rewrite Nat.add_0_l; cbn [map]. - rewrite Hq. - rewrite combine_snoc. - rewrite fst_split_app, snd_split_app. - autorewrite with push_eval. - destruct (split_p _ _ _ Hq Hcanon) as [Hsplit1 Hsplit2]. - rewrite Hsplit1, Hsplit2. - cbn [fst snd]. - autorewrite with push_eval zsimplify_const. - cbn [snd]. - - split. + push. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + const_simpl. + cbn [seq]. + push. + lia. + solve_length q. + solve_length q. + push. + rewrite min_l; [lia | solve_length q]. + rewrite <-Z.add_move_l in H'. + rewrite <-H'. + const_simpl. + rewrite Zplus_mod, Z.mod_same, Z.add_0_l, Z.mod_mod. + rewrite Z.add_move_l in H'. + apply Z.div_small. + rewrite Z.mod_small. solve_ineq. - apply canonical_pos. - canonical_app q. - replace n with (length (q_lo ++ [q_hi1])) by (solve_length q). - auto. - apply canonical_eval_bounded. - canonical_app q. - replace n with (length (q_lo ++ [q_hi1])) by (solve_length q). + apply canonical_pos; auto. + rewrite H'. + rewrite Z.lt_sub_lt_add_l. + cbv [q]. + rewrite value_reduce1. + rewrite solinas_property. + push. + const_simpl. + rewrite Z.add_comm. 
+ solve_ineq. + apply canonical_eval_bounded; auto. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + push. + etransitivity. + apply Z.mul_lt_mono_nonneg. + solve_ineq. + eauto. + apply (canonical_bounded (S n) p). auto. - rewrite map_length. - rewrite seq_length. - solve_length q. + rewrite Hp at 2. + apply in_or_app. + right. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + push. + solve_length p. + solve_length p. + eauto. + cbv [up_bound machine_wordsize]. + rewrite <-Le.Z.le_sub_1_iff. + etransitivity; [| rewrite <-Z.sub_le_mono_r; apply (weight_mono_le 1)]. + weight_comp; cbn; lia. + lia. + solve_length p. + solve_length p. lia. lia. - auto. + solve_length p. + const_simpl. + cbv [up_bound machine_wordsize]. + rewrite Z.lt_add_lt_sub_r. + etransitivity; [| apply (weight_dif_mono 1)]. + weight_comp; cbn; lia. lia. + solve_ineq. + apply canonical_pos; auto. + apply canonical_eval_bounded; auto. auto. auto. - intros. - eapply Rows.length_from_associational; eassumption. + lia. Qed. - Lemma value_reduce_third : forall (q : list Z) q_lo q_hi1 q_hi2, - q = q_lo ++ [q_hi1] ++ [q_hi2] -> - canonical_repr (S n) q -> - (q_hi2 = 1 /\ q_hi1 = 0) \/ (q_hi2 = 0) -> + (* END SECTION REDUCE_SECOND *) + + (* SECTION REDUCE_THIRD *) + + Lemma value_reduce_third : forall p, + canonical_repr (S n) p -> + let q := reduce1 base s c (S n) n p in + ((nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1) \/ + nth_default 0 p n = 0) -> let r := reduce1 base s c (S n) n q in let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in let coef := Associational.sat_mul_const base [(1, s'/s)] c in - eval weight n r = Associational.eval coef * q_hi2 + eval weight n (q_lo ++ [q_hi1]). - Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. - intros. - unfold reduce1 in *. - unfold r, coef, s'. - rewrite app_assoc in H. - rewrite H. - rewrite Rows.flatten_mod, Rows.eval_from_associational, value_sat_reduce. - - unfold to_associational. 
- rewrite seq_snoc. - rewrite map_app. - rewrite Nat.add_0_l; cbn [map]. - rewrite combine_snoc. - rewrite fst_split_app, snd_split_app. - autorewrite with push_eval zsimplify_const. - apply adjust_s_finished' in solinas_property. - rewrite solinas_property. - cbn [fst snd]; autorewrite with zsimplify_const. - pose proof (split_p _ _ _ H H0) as Hsplit. - destruct Hsplit as [ Hhi Hlo ]. - rewrite Hhi, Hlo. - cbn [fst snd]; autorewrite with push_eval zsimplify_const; cbn [snd]. - - destruct n eqn:En; try lia. - rewrite seq_snoc, map_app. - rewrite Nat.add_0_l; cbn [map]. - rewrite combine_snoc. - rewrite eval_app. - rewrite <-En. - autorewrite with push_eval. - rewrite En. - cbn [fst snd]. - autorewrite with zsimplify_const. - rewrite eval_snoc_S. - + eval weight n q = Associational.eval coef * (nth_default 0 p n) + eval weight n (firstn n p). + Proof. + intros p ? ? Hbounds ? ? ?. + pose proof (firstn_skipn n p) as Hp; symmetry in Hp. + canonical_app p. + push' Hcanon_l. + push' Hcanon_r. + replace (length p) with (S n) in * by (solve_length p). + rewrite min_l in Hcanon_l; [| lia]. + const_simpl. + pose proof (firstn_succ 0 (n - 1) p ltac:(solve_length p)) as Hpfirst. + const_simpl. + canonical_app (firstn n p). + push' Hcanon_l0. + push' Hcanon_r0. + rewrite min_l in Hcanon_l0; [| solve_length p]. + cbv [q s' coef reduce1]; push. + erewrite adjust_s_finished'; try apply solinas_property; try lia. + push. + cbv [to_associational]. + rewrite split_p; [| lia | solve_length p]. + const_simpl. + cbn [seq]. + push. + rewrite skipn_nth_default with (d:=0); [| solve_length p]. + rewrite skipn_all; [| solve_length p]. + push. + break_match; push. apply Z.mod_small. - assert (Hmach : 0 < machine_wordsize) by lia. - apply BYInv.eval_bound with (n:=n0) (f:=q_lo) in Hmach. - unfold eval, to_associational in Hmach. - destruct H1. - - (* q_hi1 = 0, q_hi2 = 1 *) - destruct H1. - subst q_hi1. - autorewrite with zsimplify_const. - intuition. + cbv [eval to_associational]. 
+ destruct Hbounds as [ Hbounds | Hbounds ]. + destruct Hbounds as [ Hbounds1 Hbounds2 ]. + replace n with (S (n-1))%nat at 3 4 7 8 by lia. + rewrite firstn_succ with (d:=0). + rewrite seq_snoc. + rewrite Hbounds1. + rewrite Hbounds2. + push. solve_ineq. - apply canonical_pos. - canonical_app q. - canonical_app (q_lo ++ [0]). - subst_canon q. + apply canonical_pos; auto. etransitivity. solve_ineq. - adjust_ineq coef_small. - lia. - apply canonical_eval_bounded. - canonical_app q. - canonical_app (q_lo ++ [0]). - subst_canon q. - - apply reduce_in_range. - subst q_hi2. - weight_comp. - unfold up_bound. - vm_compute. - auto. - lia. - lia. - - (* q_hi2 = 0 *) - subst q_hi2. - autorewrite with zsimplify_const. - erewrite <-eval_snoc; try reflexivity. - intuition. - apply canonical_pos. - canonical_app q. - subst_canon q. - apply canonical_eval_bounded. - canonical_app q. - subst_canon q. - solve_length q. - eapply canonical_iff. - canonical_app q. - canonical_app (q_lo ++ [q_hi1]). eauto. - solve_length q. - solve_length q. - rewrite map_length. - rewrite seq_length. - solve_length q. - lia. - rewrite map_length. - rewrite seq_length. - solve_length q. + apply canonical_eval_bounded; auto. + rewrite Z.lt_add_lt_sub_r. + replace n with (S (n-1))%nat at 1 by lia. + etransitivity; [| apply (weight_dif_mono 0)]. + weight_comp; cbn; lia. lia. + push. + rewrite min_l; solve_length p. + solve_length p. + rewrite Hbounds. + push. + solve_ineq. + apply canonical_pos; auto. + apply canonical_eval_bounded; auto. + + (* not bounded *) + rewrite <-Z_div_mod_eq_full. auto. + push. lia. - auto. - eapply Rows.length_from_associational; eauto. + push. Qed. 
- Lemma reduce_third_correct : forall (p : list Z) lo hi, - p = lo ++ [hi] -> + Lemma eval_reduce_third : forall p, (canonical_repr (S n) p) -> - hi < up_bound -> - let q := reduce1 base s c (S n) (S n) p in - let r := reduce1 base s c (S n) n q in + let q := reduce1 base s c (S n) n p in + ((nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1) \/ + nth_default 0 p n = 0) -> (Positional.eval weight (S n) p) mod (s - Associational.eval c) - = (Positional.eval weight n r) mod (s - Associational.eval c). + = (Positional.eval weight n q) mod (s - Associational.eval c). Proof. intros. - pose proof (reduce_second_canonical _ _ _ H H1 H0) as Hcanon. - fold q in Hcanon. - assert (Hcanon' := Hcanon). - unfold canonical_repr in Hcanon'. - destruct Hcanon' as [ Hlen _ ]. - assert (exists q_lo q_hi1 q_hi2, q = q_lo ++ [q_hi1] ++ [q_hi2]) as Hq. - { pose proof (break_list_last q) as Hd1. - destruct Hd1 as [ Hd1 | Hd1 ]. - rewrite Hd1 in Hlen. - cbn in Hlen. - lia. - destruct Hd1 as [ q' Hd1 ]. - destruct Hd1 as [ q_hi2 Hd1]. - - pose proof (break_list_last q') as Hd2. - destruct Hd2 as [ Hd2 | Hd2 ]. - subst q'. - rewrite Hd1 in Hlen. - cbn in Hlen. - lia. - destruct Hd2 as [ q_lo Hd2 ]. - destruct Hd2 as [ q_hi1 Hd2 ]. - rewrite Hd2 in Hd1. - rewrite <-app_assoc in Hd1. - eauto. } - destruct Hq as [ q_lo Hq ]. - destruct Hq as [ q_hi1 Hq ]. - destruct Hq as [ q_hi2 Hq ]. - - pose proof (reduce_second _ _ _ H H0 H1 _ _ _ Hq) as Hqhi. - rewrite app_assoc in Hq. - etransitivity. - eapply reduce_second_correct; eauto. - - unfold r, q. - rewrite value_reduce_third with (q_lo:=q_lo) (q_hi1:=q_hi1) (q_hi2:=q_hi2). - autorewrite with push_eval zsimplify_const. - erewrite adjust_s_finished'; eauto. - cbn [fst snd]. - rewrite Z.mul_comm with (m:=Associational.eval c) (n:=(weight n / s)). - rewrite Z.add_comm. - rewrite <-Z.mul_assoc. - rewrite <-reduction_rule. + pose proof (firstn_skipn n p) as Hp; symmetry in Hp. + rewrite Hp at 1. + unfold eval at 1. + unfold to_associational. 
+ rewrite seq_snoc. + rewrite skipn_nth_default with (d:=0) by (solve_length p). + rewrite skipn_all by (solve_length p). + cbv [q]. + rewrite value_reduce_third; auto. + erewrite adjust_s_finished'; try apply solinas_property; [| lia]. + push. + match goal with + | |- context[_ mod (_ - ?c)] => + repeat multimatch goal with + | |- context[?x * ?c * ?y] => replace (x * c * y) with (c * (x * y)) by lia + | |- context[?c * _ + ?x] => rewrite (Z.add_comm _ x) + end + end. + rewrite <-reduction_rule; [| lia]. apply Z.elim_mod. - fold q. - rewrite Hq. - rewrite eval_snoc_S. + unfold eval, to_associational at 1. rewrite Z.add_cancel_l. - rewrite Z.mul_assoc. rewrite <-Z_div_exact_2. + const_simpl. lia. lia. - pose proof (adjust_s_invariant (S (S (S n))) s) as Hinv. - erewrite adjust_s_finished' in Hinv; eauto. + pose proof (adjust_s_invariant (S (S n)) s ltac:(lia)) as Hinv. + rewrite solinas_property in Hinv. cbn [fst] in Hinv. apply Hinv. + push. + rewrite min_l by (solve_length p). lia. - lia. - solve_length q. - lia. - lia. - fold q. - rewrite Hq. - rewrite app_assoc. - auto. - auto. - lia. - Qed. - - Lemma exists_lists_app : forall (p : list Z) n n', - length p = n -> - (n' <= n)%nat -> - exists l1 l2, p = l1 ++ l2 /\ - length l1 = n' /\ - length l2 = (n - n')%nat. - Proof. - intros. - induction n'. - { exists []. - exists p. - intuition. - lia. } - { destruct IHn' as [l1 IHn']. - lia. - destruct IHn' as [l2 IHn']. - intuition. - destruct l2. - subst p. - rewrite app_length in H. - rewrite H3 in H. - simpl in H. - lia. - - exists (l1 ++ [z]). - exists l2. - intuition. - rewrite H1. - rewrite <-app_assoc. - auto. - rewrite app_length. - simpl. - lia. - rewrite cons_length in H4. - lia. } Qed. - Lemma fold_right_andb_false : forall d l, - fold_right andb d l = false -> - fold_right andb true l = false \/ d = false. - Proof. - intros. - induction l; auto. - cbn in *. - rewrite andb_false_iff in H. - intuition. - rewrite H0. - auto. - rewrite H1. - rewrite andb_false_r. 
- auto. - Qed. + (* END SECTION REDUCE_THIRD *) - Lemma is_bounded_by_false : forall lo_bound hi_bound lo hi, - length lo_bound = length lo -> - is_bounded_by (lo_bound ++ [hi_bound]) (lo ++ [hi]) = false -> - is_bounded_by lo_bound lo = false \/ (hi < fst hi_bound \/ hi > snd hi_bound). - Proof using Type. - intros. - unfold is_bounded_by, fold_andb_map', dual_map in H0. - rewrite combine_app_samelength in H0. - rewrite map_app in H0. - rewrite fold_right_app in H0. - apply fold_right_andb_false in H0. - intuition. - right. - simpl in H1. - rewrite andb_false_iff in H1. - intuition. - rewrite andb_false_iff in H0. - intuition. - rewrite Z.leb_gt in H1; auto. - rewrite Z.leb_gt in H1; auto. - rewrite <-Z.gt_lt_iff in H1; auto. - discriminate. - auto. - Qed. - - Theorem reduce_full_canonical : forall (p : list Z), - canonical_repr (2 * n) p -> - canonical_repr n (reduce_full base s c n p). + (* SECTION REDUCE_FULL] *) + Theorem reduce_full_correct : forall (p : list Z), + n <= length p -> + let r := reduce_full base s c n p in + (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) + = (Positional.eval weight n r) mod (s - Associational.eval c). Proof. - intros. - pose proof (exists_lists_app p (2*n) n ltac:(solve_length p) ltac:(lia)) as Happ. - destruct Happ as [lo Happ]. - destruct Happ as [hi Happ]. - replace (2*n-n)%nat with n in Happ by lia. - intuition. - unfold reduce_full. - pose proof (reduce_first_canonical _ _ _ H0 H H2) as Hcanon1. - assert (Hcanon' := Hcanon1). - unfold canonical_repr in Hcanon'. - destruct Hcanon' as [ Hlen _ ]. - remember (reduce1 base s c (2 * n) (S n) p) as q. - pose proof (exists_lists_app q (S n) n ltac:(solve_length q) ltac:(lia)) as Happ. - destruct Happ as [q_lo Happ]. - destruct Happ as [q_hi' Happ]. - replace (S n - n)%nat with 1%nat in Happ by lia. - intuition. - assert (exists q_hi, q_hi' = [q_hi]). - { destruct q_hi'. - simpl in H6. - lia. - exists z. - simpl in H6. 
- replace (z :: q_hi') with ([z] ++ q_hi') by reflexivity. - rewrite <-app_nil_r with (l:=[z]) at 2. - f_equal. - apply length0_nil; auto. } - destruct H4 as [ q_hi ]; subst q_hi'. - rewrite Heqq in H1. - pose proof (reduce_first _ _ _ H0 H H2 _ _ H1). - rewrite <-Heqq in H1. - break_match. - pose proof (reduce_third_canonical _ _ _ H1 Hcanon1 H4). + intros; cbv [r reduce_full]; break_match. + (* bounds are good *) + pose proof (is_bounded_by_nth n _ _ Heqb ltac:(push) ltac:(push)) as Hnth. + repeat match goal with + | H : context[nth_default _ (_ ++ _) _] |- _ => rewrite nth_default_app in H + | H : context[snd (nth_default _ _ _)] |- _ => progress cbn in H + | H : _ |- _ => progress push' H + | _ => progress destruct lt_dec + | _ => progress intuition + | _ => lia + end. + apply is_bounded_by_loosen with (bound2:=repeat (0, 2^machine_wordsize-1) (S n)) in Heqb. + assert (canonical_repr (S n) (reduce1 base s c (2*n) (S n) p)). + rewrite canonical_is_bounded_by. + intuition; push. + rewrite <-eval_reduce_third. + rewrite <-eval_reduce1. + rewrite <-eval_reduce1. auto. + pose proof (firstn_skipn n p) as Hp; symmetry in Hp. - (* proving second case where first reduction is not bounded *) - rewrite H1 in Heqb. - apply is_bounded_by_false in Heqb. - canonical_app q. - replace (length q_lo) with n in Hcanon_l. - apply canonical_is_bounded_by in Hcanon_l. - pose proof (canonical_bounded _ _ Hcanon1 q_hi ltac:(solve_in)). - intuition. - rewrite H7 in H9. - discriminate. - cbn in H12. + all: + repeat multimatch goal with + | _ => apply reduce_second_canonical + | _ => apply reduce_second_bounds + | _ => solve_length p + | _ => const_simpl + | _ => cbv [up_bound] + | _ => push + | _ => auto + | _ => lia + end. + weight_comp; try lia. + rewrite <-Z.mul_succ_l. + apply Zmult_lt_compat_r; cbn; break_match; lia. + rewrite Z.lt_add_lt_sub_r. + etransitivity; [| apply (weight_dif_mono 1); lia]. + weight_comp; cbn; break_match; lia. + cbn; const_simpl; lia. 
+ replace (S n) with (n+1)%nat. + rewrite repeat_app. + autounfold. + push. + cbn. + apply bounds_same. lia. - cbn in H12. - (* rewrite Hcanon_l in H7; discriminate. *) - (* cbn [fst] in H10. *) - (* lia. *) - (* cbn [snd] in H10. *) - (* lia. *) - (* rewrite repeat_length. *) - (* solve_length q. *) - all: admit. - Admitted. - Theorem reduce_full_correct : forall (p : list Z), - canonical_repr (2 * n) p -> - let r := reduce_full base s c n p in - (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) - = (Positional.eval weight n r) mod (s - Associational.eval c). - Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. - intros. - pose proof (exists_lists_app p (2*n) n ltac:(solve_length p) ltac:(lia)) as Happ. - destruct Happ as [lo Happ]. - destruct Happ as [hi Happ]. - replace (2*n-n)%nat with n in Happ by lia. - intuition. - unfold r, reduce_full. - pose proof (reduce_first_canonical _ _ _ H0 H H2) as Hcanon1. - assert (Hcanon' := Hcanon1). - unfold canonical_repr in Hcanon'. - destruct Hcanon' as [ Hlen _ ]. - remember (reduce1 base s c (2 * n) (S n) p) as q. - pose proof (exists_lists_app q (S n) n ltac:(solve_length q) ltac:(lia)) as Happ. - destruct Happ as [q_lo Happ]. - destruct Happ as [q_hi' Happ]. - replace (S n - n)%nat with 1%nat in Happ by lia. - intuition. - assert (exists q_hi, q_hi' = [q_hi]). - { destruct q_hi'. - simpl in H6. - lia. - exists z. - simpl in H6. - replace (z :: q_hi') with ([z] ++ q_hi') by reflexivity. - rewrite <-app_nil_r with (l:=[z]) at 2. - f_equal. - apply length0_nil; auto. } - destruct H4 as [ q_hi ]; subst q_hi'. - erewrite reduce_first_correct; eauto. - rewrite <-Heqq. - rewrite Heqq in H1. - pose proof (reduce_first _ _ _ H0 H H2 _ _ H1). - rewrite <-Heqq in H1. - break_match. - eapply reduce_third_correct; eauto. - - (* proving second case where first reduction is not bounded *) - rewrite H1 in Heqb. - apply is_bounded_by_false in Heqb. - canonical_app q. 
- replace (length q_lo) with n in Hcanon_l. - apply canonical_is_bounded_by in Hcanon_l. - pose proof (canonical_bounded _ _ Hcanon1 q_hi ltac:(solve_in)). - intuition. - (* rewrite Hcanon_l in H7; discriminate. *) - (* cbn [fst] in H10. *) - (* lia. *) - (* cbn [snd] in H10. *) - (* lia. *) - (* rewrite repeat_length. *) - (* solve_length q. *) - all: admit. - Admitted. + (* not canonical *) + rewrite eval_reduce1 with (m2:=S n). + rewrite <-(firstn_skipn n (reduce1 base s c (2 * n) (S n) p)) at 1. + unfold eval at 1. + unfold to_associational. + rewrite seq_snoc. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + push. + apply Z.elim_mod. + const_simpl. + rewrite Z.add_comm at 1. + auto. + all: + repeat multimatch goal with + | _ => push + | _ => lia + end. + const_simpl. + cbv [up_bound]. + weight_comp; try lia. + rewrite <-Z.mul_succ_l. + apply Zmult_lt_compat_r; cbn; break_match; lia. + Qed. + (* END SECTION REDUCE_FULL *) + (* SECTION MULMOD *) Theorem mulmod_correct : forall p q, Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) = (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). Proof. intros. - unfold mulmod. - rewrite <-reduce_full_correct. - rewrite <-eval_mul_no_reduce. - auto. - admit. - Admitted. + cbv [mulmod]. + rewrite <-reduce_full_correct; push; lia. + Qed. + (* END SECTION MULMOD *) End __. From 105e64c3f8aac299d147fcafa2f6b7b76a7605a9 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 31 Jul 2022 23:19:39 -0400 Subject: [PATCH 33/69] cps implementation --- solinas25519.c | 286 +++++++++++++++++++++++++++++++++++++++++ src/SolinasReduction.v | 43 +++---- src/tmp.v | 125 ++++++++++++++++++ 3 files changed, 432 insertions(+), 22 deletions(-) create mode 100644 solinas25519.c create mode 100644 src/tmp.v diff --git a/solinas25519.c b/solinas25519.c new file mode 100644 index 0000000000..f692d4eb11 --- /dev/null +++ b/solinas25519.c 
@@ -0,0 +1,286 @@ +#include +#include +typedef unsigned char fiat_p25519_uint1; +typedef signed char fiat_p25519_int1; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_P25519_FIAT_EXTENSION __extension__ +# define FIAT_P25519_FIAT_INLINE __inline__ +#else +# define FIAT_P25519_FIAT_EXTENSION +# define FIAT_P25519_FIAT_INLINE +#endif + +FIAT_P25519_FIAT_EXTENSION typedef signed __int128 fiat_p25519_int128; +FIAT_P25519_FIAT_EXTENSION typedef unsigned __int128 fiat_p25519_uint128; + +#if (-1 & 3) != 3 +#error "This code only works on a two's complement system" +#endif + +#if !defined(FIAT_P25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t fiat_p25519_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_p25519_value_barrier_u64(x) (x) +#endif + +static FIAT_P25519_FIAT_INLINE void fiat_p25519_addcarryx_u64(uint64_t* out1, fiat_p25519_uint1* out2, fiat_p25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_p25519_uint128 x1; + uint64_t x2; + fiat_p25519_uint1 x3; + x1 = ((arg1 + (fiat_p25519_uint128)arg2) + arg3); + x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + x3 = (fiat_p25519_uint1)(x1 >> 64); + *out1 = x2; + *out2 = x3; +} + +static FIAT_P25519_FIAT_INLINE void fiat_p25519_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { + fiat_p25519_uint128 x1; + uint64_t x2; + uint64_t x3; + x1 = ((fiat_p25519_uint128)arg1 * arg2); + x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + x3 = (uint64_t)(x1 >> 64); + *out1 = x2; + *out2 = x3; +} + +static FIAT_P25519_FIAT_INLINE void fiat_p25519_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + 
uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + fiat_p25519_uint1 x34; + uint64_t x35; + fiat_p25519_uint1 x36; + uint64_t x37; + uint64_t x38; + fiat_p25519_uint1 x39; + uint64_t x40; + fiat_p25519_uint1 x41; + uint64_t x42; + fiat_p25519_uint1 x43; + uint64_t x44; + uint64_t x45; + fiat_p25519_uint1 x46; + uint64_t x47; + fiat_p25519_uint1 x48; + uint64_t x49; + fiat_p25519_uint1 x50; + uint64_t x51; + fiat_p25519_uint1 x52; + uint64_t x53; + fiat_p25519_uint1 x54; + uint64_t x55; + uint64_t x56; + fiat_p25519_uint1 x57; + uint64_t x58; + fiat_p25519_uint1 x59; + uint64_t x60; + fiat_p25519_uint1 x61; + uint64_t x62; + fiat_p25519_uint1 x63; + uint64_t x64; + fiat_p25519_uint1 x65; + uint64_t x66; + fiat_p25519_uint1 x67; + uint64_t x68; + fiat_p25519_uint1 x69; + uint64_t x70; + fiat_p25519_uint1 x71; + uint64_t x72; + fiat_p25519_uint1 x73; + uint64_t x74; + fiat_p25519_uint1 x75; + uint64_t x76; + fiat_p25519_uint1 x77; + uint64_t x78; + fiat_p25519_uint1 x79; + uint64_t x80; + fiat_p25519_uint1 x81; + uint64_t x82; + fiat_p25519_uint1 x83; + uint64_t x84; + fiat_p25519_uint1 x85; + uint64_t x86; + fiat_p25519_uint1 x87; + uint64_t x88; + fiat_p25519_uint1 x89; + uint64_t x90; + fiat_p25519_uint1 x91; + uint64_t x92; + fiat_p25519_uint1 x93; + uint64_t x94; + fiat_p25519_uint1 x95; + uint64_t x96; + uint64_t x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + fiat_p25519_uint1 x103; + uint64_t x104; + fiat_p25519_uint1 x105; + uint64_t x106; + uint64_t x107; + uint64_t x108; + fiat_p25519_uint1 x109; + uint64_t x110; + uint64_t x111; + uint64_t x112; + uint64_t x113; + fiat_p25519_uint1 x114; + uint64_t x115; + fiat_p25519_uint1 x116; + uint64_t x117; + fiat_p25519_uint1 x118; + uint64_t x119; + fiat_p25519_uint1 x120; + uint64_t 
x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + fiat_p25519_uint1 x125; + uint64_t x126; + fiat_p25519_uint1 x127; + uint64_t x128; + fiat_p25519_uint1 x129; + uint64_t x130; + fiat_p25519_uint1 x131; + uint64_t x132; + uint64_t x133; + uint64_t x134; + fiat_p25519_uint1 x135; + uint64_t x136; + fiat_p25519_uint1 x137; + uint64_t x138; + fiat_p25519_uint1 x139; + uint64_t x140; + fiat_p25519_uint1 x141; + fiat_p25519_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); + fiat_p25519_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); + fiat_p25519_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); + fiat_p25519_mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); + fiat_p25519_mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); + fiat_p25519_mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); + fiat_p25519_mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); + fiat_p25519_mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); + fiat_p25519_mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); + fiat_p25519_mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); + fiat_p25519_mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); + fiat_p25519_mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); + fiat_p25519_mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); + fiat_p25519_mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); + fiat_p25519_mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); + fiat_p25519_mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); + fiat_p25519_addcarryx_u64(&x33, &x34, 0x0, x28, x7); + fiat_p25519_addcarryx_u64(&x35, &x36, x34, x26, x5); + x37 = (x36 + x18); + fiat_p25519_addcarryx_u64(&x38, &x39, 0x0, x33, x13); + fiat_p25519_addcarryx_u64(&x40, &x41, x39, x35, x8); + fiat_p25519_addcarryx_u64(&x42, &x43, x41, x37, 0x0); + x44 = (x43 + x10); + fiat_p25519_addcarryx_u64(&x45, &x46, 0x0, x30, x15); + fiat_p25519_addcarryx_u64(&x47, &x48, x46, x38, x16); + fiat_p25519_addcarryx_u64(&x49, &x50, x48, x40, x11); + fiat_p25519_addcarryx_u64(&x51, &x52, x50, x42, x3); + fiat_p25519_addcarryx_u64(&x53, &x54, x52, x44, 0x0); + x55 = (x54 + x2); + fiat_p25519_addcarryx_u64(&x56, &x57, 0x0, 
x45, x21); + fiat_p25519_addcarryx_u64(&x58, &x59, x57, x47, x19); + fiat_p25519_addcarryx_u64(&x60, &x61, x59, x49, x14); + fiat_p25519_addcarryx_u64(&x62, &x63, x61, x51, x6); + fiat_p25519_addcarryx_u64(&x64, &x65, x63, x53, 0x0); + fiat_p25519_addcarryx_u64(&x66, &x67, x65, x55, 0x0); + fiat_p25519_addcarryx_u64(&x68, &x69, 0x0, x32, x23); + fiat_p25519_addcarryx_u64(&x70, &x71, x69, x56, x24); + fiat_p25519_addcarryx_u64(&x72, &x73, x71, x58, x22); + fiat_p25519_addcarryx_u64(&x74, &x75, x73, x60, x17); + fiat_p25519_addcarryx_u64(&x76, &x77, x75, x62, x9); + fiat_p25519_addcarryx_u64(&x78, &x79, x77, x64, x1); + fiat_p25519_addcarryx_u64(&x80, &x81, x79, x66, 0x0); + fiat_p25519_addcarryx_u64(&x82, &x83, 0x0, x68, x29); + fiat_p25519_addcarryx_u64(&x84, &x85, x83, x70, x27); + fiat_p25519_addcarryx_u64(&x86, &x87, x85, x72, x25); + fiat_p25519_addcarryx_u64(&x88, &x89, x87, x74, x20); + fiat_p25519_addcarryx_u64(&x90, &x91, x89, x76, x12); + fiat_p25519_addcarryx_u64(&x92, &x93, x91, x78, x4); + fiat_p25519_addcarryx_u64(&x94, &x95, x93, x80, 0x0); + fiat_p25519_mulx_u64(&x96, &x97, UINT8_C(0x26), x92); + fiat_p25519_mulx_u64(&x98, &x99, UINT8_C(0x26), x90); + fiat_p25519_mulx_u64(&x100, &x101, UINT8_C(0x26), x88); + fiat_p25519_addcarryx_u64(&x102, &x103, 0x0, x82, x98); + fiat_p25519_addcarryx_u64(&x104, &x105, x103, x84, x96); + fiat_p25519_mulx_u64(&x106, &x107, UINT8_C(0x26), x94); + fiat_p25519_addcarryx_u64(&x108, &x109, x105, x86, x106); + fiat_p25519_mulx_u64(&x110, &x111, UINT8_C(0x26), x94); + x112 = (x109 + x111); + fiat_p25519_addcarryx_u64(&x113, &x114, 0x0, x31, x100); + fiat_p25519_addcarryx_u64(&x115, &x116, x114, x102, x101); + fiat_p25519_addcarryx_u64(&x117, &x118, x116, x104, x99); + fiat_p25519_addcarryx_u64(&x119, &x120, x118, x108, x97); + x121 = (x120 + x112); + fiat_p25519_mulx_u64(&x122, &x123, UINT8_C(0x26), x121); + fiat_p25519_addcarryx_u64(&x124, &x125, 0x0, x113, x122); + fiat_p25519_addcarryx_u64(&x126, &x127, x125, x115, 
0x0); + fiat_p25519_addcarryx_u64(&x128, &x129, x127, x117, 0x0); + fiat_p25519_addcarryx_u64(&x130, &x131, x129, x119, 0x0); + fiat_p25519_mulx_u64(&x132, &x133, UINT8_C(0x26), x131); + fiat_p25519_addcarryx_u64(&x134, &x135, 0x0, x124, x132); + fiat_p25519_addcarryx_u64(&x136, &x137, x135, x126, 0x0); + fiat_p25519_addcarryx_u64(&x138, &x139, x137, x128, 0x0); + fiat_p25519_addcarryx_u64(&x140, &x141, x139, x130, 0x0); + out1[0] = x134; + out1[1] = x136; + out1[2] = x138; + out1[3] = x140; +} + +int main() { + uint64_t arg1[4] = {0}; + uint64_t arg2[4] = {0}; + for (int i = 0; i < 4; i++) { + arg1[i] = 0xffffffffffffffff; + arg2[i] = 0xffffffffffffffff; + } + uint64_t out1[4] = {0}; + fiat_p25519_mul(out1, arg1, arg2); + for (int i = 0; i < 4; i++) { + printf("%d ", out1[i]); + } + printf("\n"); + return 0; +} diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 3eaeda351f..4def0dfa4a 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v @@ -41,6 +41,7 @@ Require Import Coq.ZArith.Znat. Require Import Crypto.Util.CPSUtil. Require Import Crypto.Util.CPSNotations. Local Open Scope cps_scope. +Notation "x' <- v ; C" := (v (fun x' => C)) (only parsing). Require Import Crypto.Util.Notations. Local Open Scope string_scope. @@ -101,7 +102,7 @@ Module solinas_reduction. let r := (fst lo_hi) ++ hi in r. - Definition reduce1_cps base s c n m (p : list Z) {T} (f : list Z -> T) : T := + Definition reduce1_cps {T} base s c n m (p : list Z) (f : list Z -> T) := let p_a := Positional.to_associational weight n p in let r_a := sat_reduce base s c n p_a in let r_rows := Saturated.Rows.from_associational weight m r_a in 
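Review bot: `printf("%d ", out1[i])` in `main` passes a `uint64_t` to a `%d` conversion, which is undefined behaviour and at best prints a truncated, signed view of each limb, so the harness output cannot be compared against any reference value; use `printf("%016" PRIx64 " ", out1[i]);` and include `<inttypes.h>`. The two `#include` lines at the top of the file appear here without header names — presumably `<stdint.h>` and `<stdio.h>` lost in extraction, but worth confirming the committed file actually has them, since `uint64_t`, `UINT64_C` and `printf` all depend on them. In the generated body `fiat_p25519_mulx_u64(&x110, &x111, UINT8_C(0x26), x94)` recomputes the product already produced as `x106`/`x107`, and `x107` and `x110` are never read; this looks like a missed common-subexpression in the synthesis output rather than a correctness problem, but it is worth checking where it comes from. The harness also only prints the result for the all-ones input and asserts nothing; a known-answer check against a big-integer reference would turn it into a real test.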
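Review bot: The new `Notation "x' <- v ; C" := (v (fun x' => C)) (only parsing).` is declared at top level right after `Local Open Scope cps_scope`, so it is exported to every module that imports this file and — if `Crypto.Util.CPSNotations` already provides a `<-` binder in `cps_scope`, which the `~>`/`return` forms removed later in this commit suggest — it will shadow or conflict with that binder for downstream users. Make it `Local Notation "x' <- v ; C" := (v (fun x' => C)) (only parsing).` and, if it is meant to replace the library binder, drop the `Local Open Scope cps_scope` and the `CPSUtil`/`CPSNotations` imports that the rewritten definitions no longer appear to use. A one-line comment stating why a hand-rolled bind is preferred over the library's would also help the next reader.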
@@ -113,17 +114,17 @@ Module solinas_reduction.
 f (add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)).
 Check reduce1_cps.
 
- Definition reduce_full_cps base s c n (p : list Z) : ~> list Z :=
- (r1 <- @reduce1_cps base s c (2*n) (S n) p;
+ Definition reduce_full_cps {T} base s c n (p : list Z) (f : list Z -> T):=
+ (r1 <- reduce1_cps base s c (2*n) (S n) p;
 (let bound := (0, 2^machine_wordsize) in
 if (is_bounded_by (repeat bound (S n)) r1) then
- fun T => (r2 <- @reduce1_cps base s c (S n) (S n) r1;
- reduce1_cps base s c (S n) n r2)
+ (r2 <- reduce1_cps base s c (S n) (S n) r1;
+ reduce1_cps base s c (S n) n r2 f)
 else
- return r1)).
+ f r1)).
 Check reduce_full_cps.
 
- Definition mul_no_reduce_cps base n (p q : list Z) {T} (f : list Z -> T):=
+ Definition mul_no_reduce_cps {T} base n (p q : list Z) (f : list Z -> T):=
 let p_a := Positional.to_associational weight n p in
 let q_a := Positional.to_associational weight n q in
 let pq_a := Saturated.Associational.sat_mul base p_a q_a in
@@ -136,20 +137,18 @@ Module solinas_reduction.
 f (add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)).
 Check mul_no_reduce_cps.
 
- Definition mulmod_cps base s c n (p q : list Z) : ~> list Z :=
- (mul <- @mul_no_reduce_cps base n p q;
- @reduce_full_cps base s c n mul).
+ Definition mulmod_cps {T} base s c n (p q : list Z) (f : list Z -> T) :=
+ (mul <- mul_no_reduce_cps base n p q;
+ reduce_full_cps base s c n mul f).
 Check mulmod_cps.
 
 Definition mulmod base s c n (p q : list Z) :=
- mulmod_cps base s c n p q _ id.
+ mulmod_cps (T := list Z) base s c n p q (id).
 Check mulmod.
 
- Definition reduce1 base s c n m p :=
- reduce1_cps base s c n m p id.
-
- Definition x := ltac:(let y := (eval cbv [reduce1_cps] in reduce1)
- in exact y).
+ Definition x base s c n p q := ltac:(let y := (eval cbv beta delta [mulmod mulmod_cps mul_no_reduce_cps reduce_full_cps reduce1_cps id] in (mulmod base s c n p q)) in exact y).
+ Print x.
+ Check x.
 
 End __.
 
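Review bot: In the new `reduce_full_cps` the two branches of the `if` hand `f` lists of different lengths: the `then` branch ends in `reduce1_cps base s c (S n) n r2 f`, i.e. `n` limbs, while `else f r1` passes the `S n`-limb result of the first reduction straight through. The bound used for the test is `(0, 2^machine_wordsize)`, one above the `2^machine_wordsize - 1` the pipeline's `bound` at L290 uses; if `is_bounded_by` is inclusive this admits a limb equal to `2^64`. Both points are changed again in the later hunk at L294 (`bound := (0, 2^machine_wordsize - 1)` and `f (add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1))` in the `else`), which suggests the fix belongs in this commit.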
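Review bot: `Print x.` and `Check x.` are debugging vernaculars left in the library section; `Print x` dumps the whole cbv-unfolded term to the build log every time the file is compiled. Remove them (or move them next to the `Time Compute` in the `compile` section), and since `x` is now consumed by `Reify (x base s c n)` at L290 it deserves a descriptive name such as `mulmod_unfolded` plus a one-line comment, e.g. `(* [mulmod] with mulmod_cps/mul_no_reduce_cps/reduce_full_cps/reduce1_cps unfolded; this is the term fed to Reify. *)`.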
@@ -187,23 +186,23 @@ Module solinas_reduction.
 Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values.
 
 Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange.
- Let bound' := Some (repeat bound (n) ++ [Some r[0 ~> 1]%zrange]).
- Fail Time Compute
+
+ Time Compute
 Show.show
 (Pipeline.BoundsPipelineToString
- "fiat" "mul"
+ "fiat_p25519_" "fiat_p25519_mul"
 false
 false
 None
 possible_values
 machine_wordsize
 ltac:(let n := (eval cbv in n) in
- let r := Reify (mulmod base s c n) in
+ let r := Reify (x base s c n) in
 exact r)
 (fun _ _ => [])
- (Some (repeat bound (2*n)), tt)
+ (Some (repeat bound (n)), (Some (repeat bound n), tt))
 (Some (repeat bound (n)))
- (None, tt)
+ (None, (None, tt))
 (None)
 : Pipeline.ErrorT _).
diff --git a/src/tmp.v b/src/tmp.v
new file mode 100644
index 0000000000..c1fb17db33
--- /dev/null
+++ b/src/tmp.v
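Review bot: `Fail Time Compute` became `Time Compute`, so the full `Pipeline.BoundsPipelineToString` synthesis now runs unconditionally whenever `SolinasReduction.v` is compiled (the trailer recorded at L305 reports 25 s for this run); the same holds for the `Time Compute` kept at L297–L299 and the one in `tmp.v` at L293. Keeping these in a separate examples file, or in a module the default build does not compile, would keep the library build fast and leave the output comment as the record. Note also that the pipeline now reifies `x`, the cbv-unfolded term, while `mulmod_correct` (visible at L296) is stated for `mulmod`; nothing in this commit relates the two, so until the later hunk at L294–L295 adds `mulmod_cps_conv` the synthesized C is not the term the proof covers.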
@@ -0,0 +1,125 @@ +Require Import Coq.ZArith.ZArith. +Require Import Coq.QArith.QArith. +Require Import Coq.QArith.Qround. +Require Import Coq.Strings.String. +Require Import Coq.derive.Derive. +Require Import Coq.Lists.List. +Require Import Crypto.Util.ZRange. +Require Crypto.Stringification.C. +Require Crypto.Stringification.Go. +Require Crypto.Stringification.Java. +Require Import Crypto.BoundsPipeline. +(* Require Import Crypto.Util.ZUtil.ModInv. *) + +Require Import Crypto.Arithmetic.UniformWeight. +Require Import Coq.micromega.Lia. +Require Import Crypto.Algebra.Ring. +Require Import Crypto.Util.Decidable. +Require Import Coq.ZArith.Znat. + +Require Import Crypto.Util.CPSUtil. +Require Import Crypto.Util.CPSNotations. +Require Import Crypto.ArithmeticCPS.Core. +Require Import Crypto.ArithmeticCPS.ModOps. +Require Import Crypto.ArithmeticCPS.Saturated. +Import CPSBindNotations. +Local Open Scope cps_scope. + +Require Import Crypto.Util.Notations. +Local Open Scope string_scope. +Local Open Scope list_scope. +Import ListNotations. Local Open Scope Z_scope. + +Import + AbstractInterpretation.Compilers + Language.Compilers + Language.API.Compilers. + +Import Language.API.Compilers.API. + +Local Coercion Z.of_nat : nat >-> Z. +Local Coercion QArith_base.inject_Z : Z >-> Q. +Local Coercion Z.pos : positive >-> Z. + +Local Existing Instance default_low_level_rewriter_method. +Local Existing Instance AbstractInterpretation.default_Options. +Local Instance : unfold_value_barrier_opt := true. +Local Instance : assembly_hints_lines_opt := []. +Local Instance : ignore_unique_asm_names_opt := false. +Local Existing Instance default_language_naming_conventions. +Local Existing Instance default_documentation_options. +Local Instance : package_name_opt := None. +Local Instance : class_name_opt := None. + +Local Existing Instance default_output_options. + +Module tmp (Import RT : Runtime). + + Module Import Deps. + Module Positional := Positional RT. + Module Rows := Rows RT. 
+ End Deps. + + Section __. + + Let s := 2^255. + Let c := [(1, 19)]. + Let machine_wordsize := 64. + Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). + Let m : nat := 2 * n. + Let w : nat -> Z := weight machine_wordsize 1. + Let up_bound := 2 ^ (machine_wordsize / 4). + Let base : Z := 2 ^ machine_wordsize. + + Check Rows.mulmod_cps. + Definition x w base s c n nreductions p q := + Rows.mulmod_cps w base s c n nreductions p q _ id. + Check x. + Print x. + + Import Stringification.C.Compilers. + Import Stringification.C.Compilers.ToString. + + Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. + Local Instance : only_signed_opt := false. + Local Instance : no_select_opt := false. + Local Instance : static_opt := true. + Local Instance : internal_static_opt := true. + Local Instance : inline_opt := true. + Local Instance : inline_internal_opt := true. + Local Instance : use_mul_for_cmovznz_opt := false. + Local Instance : emit_primitives_opt := true. + Local Instance : should_split_mul_opt := false. + Local Instance : should_split_multiret_opt := false. + Local Instance : widen_carry_opt := false. + Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) + Let possible_values := prefix_with_carry [machine_wordsize]. + Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) + Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. + Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. + Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. + + Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. 
+ + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (x w base s c n 4) in + exact r) + (fun _ _ => []) + (Some (repeat bound (2*n)), tt) + (Some (repeat bound (n))) + (None, tt) + (None) + : Pipeline.ErrorT _). + + End __. + +End tmp. From 6d4afaf4f7d4edf1c05e7d996356a9a6da547900 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Mon, 1 Aug 2022 03:32:23 -0400 Subject: [PATCH 34/69] equality between CPS and non-CPS implementations --- src/SolinasReduction.v | 520 ++++++++++++++++++++--------------------- 1 file changed, 247 insertions(+), 273 deletions(-) diff --git a/src/SolinasReduction.v b/src/SolinasReduction.v index 4def0dfa4a..71d37b5730 100644 --- a/src/SolinasReduction.v +++ b/src/SolinasReduction.v 
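Review bot: `src/tmp.v` reads as a scratch file: `Reify (x w base s c n 4)` hard-codes `nreductions` to `4`, `Let m` and `Let up_bound` are defined but never used in the visible code, a commented-out `Require Import Crypto.Util.ZUtil.ModInv` is left at the top, and the diffstat of PATCH 35 deletes the file again. If it has to be committed in the meantime, a header comment such as `(* Scratch: drive Rows.mulmod_cps for p25519 through BoundsPipelineToString; not part of the library. *)` and a name other than `tmp.v` would tell readers what it is, and `Definition x` should say what it wraps, e.g. `(* Rows.mulmod_cps instantiated with the identity continuation, for reification. *)`.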
@@ -1030,11 +1030,101 @@ Module solinas_reduction.
 r3
 else
 add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1).
 
- Definition mulmod base s c n (p q : list Z) :=
+ Definition mulmod' base s c n (p q : list Z) :=
 let prod := mul_no_reduce base n p q in
 let red := reduce_full base s c n prod in
 red.
 
+ Definition reduce1_cps {T} base s c n m (p : list Z) (f : list Z -> T) :=
+ let p_a := Positional.to_associational weight n p in
+ let r_a := sat_reduce base s c n p_a in
+ let r_rows := Saturated.Rows.from_associational weight m r_a in
+ let r_flat := Saturated.Rows.flatten weight m r_rows in
+ let bound := (0, 2^machine_wordsize - 1) in
+ if (is_bounded_by (repeat bound n) p) then
+ f (fst r_flat)
+ else
+ f (add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)).
+
+ Lemma reduce1_cps_ok {T} base s c n m (f : list Z -> T) : forall p,
+ reduce1_cps base s c n m p f = f (reduce1 base s c n m p).
+ Proof.
+ intros.
+ cbv [reduce1 reduce1_cps].
+ break_match; reflexivity.
+ Qed.
+
+ Definition reduce_full_cps {T} base s c n (p : list Z) (f : list Z -> T):=
+ (r1 <- reduce1_cps base s c (2*n) (S n) p;
+ (let bound := (0, 2^machine_wordsize - 1) in
+ let bounds := repeat bound n ++ [(0, up_bound-1)] in
+ if (is_bounded_by bounds r1) then
+ (r2 <- reduce1_cps base s c (S n) (S n) r1;
+ reduce1_cps base s c (S n) n r2 f)
+ else
+ f (add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1)))).
+
+ Lemma reduce_full_cps_ok {T} base s c n (f : list Z -> T) : forall p,
+ reduce_full_cps base s c n p f = f (reduce_full base s c n p).
+ Proof.
+ intros.
+ cbv [reduce_full reduce_full_cps].
+ repeat (rewrite reduce1_cps_ok || reflexivity || break_match).
+ Qed.
+
+ Definition mul_no_reduce_cps {T} base n (p q : list Z) (f : list Z -> T):=
+ let p_a := Positional.to_associational weight n p in
+ let q_a := Positional.to_associational weight n q in
+ let pq_a := Saturated.Associational.sat_mul base p_a q_a in
+ let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in
+ let pq := Saturated.Rows.flatten weight (2*n) pq_rows in
+ let bound := (0, 2^machine_wordsize - 1) in
+ if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then
+ f (fst pq)
+ else
+ f (add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)).
+
+ Lemma mul_no_reduce_cps_ok {T} base n (f : list Z -> T) : forall p q,
+ mul_no_reduce_cps base n p q f = f (mul_no_reduce base n p q).
+ Proof.
+ intros.
+ cbv [mul_no_reduce mul_no_reduce_cps].
+ break_match; reflexivity.
+ Qed.
+
+ Definition mulmod_cps {T} base s c n (p q : list Z) (f : list Z -> T) :=
+ (mul <- mul_no_reduce_cps base n p q;
+ reduce_full_cps base s c n mul f).
+
+ Lemma mulmod_cps_ok {T} base s c n (f : list Z -> T) : forall p q,
+ mulmod_cps base s c n p q f = f (mulmod' base s c n p q).
+ Proof.
+ intros.
+ cbv [mulmod' mulmod_cps].
+ rewrite mul_no_reduce_cps_ok, reduce_full_cps_ok.
+ reflexivity.
+ Qed.
+
+ Definition mulmod base s c n (p q : list Z) :=
+ ltac:(let x := (eval cbv beta delta [mulmod_cps mul_no_reduce_cps reduce_full_cps reduce1_cps] in (@mulmod_cps (list Z) base s c n p q id)) in
+ exact x).
+
+ Lemma mulmod_unfold base s c n : forall p q,
+ mulmod' base s c n p q = mulmod_cps base s c n p q id.
+ Proof.
+ intros.
+ rewrite mulmod_cps_ok.
+ reflexivity.
+ Qed.
+
+ Lemma mulmod_cps_conv base s c n : forall p q,
+ mulmod base s c n p q = mulmod' base s c n p q.
+ Proof.
+ intros.
+ rewrite mulmod_unfold.
+ reflexivity.
+ Qed.
+
 Hint Resolve length_partition : push_length.
 Hint Resolve Rows.length_from_associational : push_length.
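Review bot: The new CPS block (`reduce1_cps` through `mulmod_cps_conv`) carries no comment explaining why a second, continuation-passing copy of `reduce1`/`reduce_full`/`mul_no_reduce` now sits next to the direct one; a header such as `(* CPS variants of the reductions above. [mulmod] is the cbv-unfolded CPS term handed to the synthesis pipeline; [mulmod_cps_conv] equates it with the direct [mulmod'], which the correctness proofs are about. *)` would orient a reader, and `Definition mulmod` itself deserves a note that its body is whatever `eval cbv beta delta` produces and is pinned down only by `mulmod_cps_conv`. `mulmod_unfold` is a misleading name: it relates `mulmod'` to `mulmod_cps ... id`, not to `mulmod`; `mulmod'_cps_id` or similar reads better. The three `_cps` definitions also each restate `let bound := (0, 2^machine_wordsize - 1) in`; a shared `Let`/`Definition` next to `up_bound` would keep the copies in sync with the direct versions.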
@@ -1863,13 +1953,22 @@ Module solinas_reduction.
 (* END SECTION REDUCE_FULL *)
 
 (* SECTION MULMOD *)
+ Theorem mulmod'_correct : forall p q,
+ Positional.eval weight n (mulmod' base s c n p q) mod (s - Associational.eval c) =
+ (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c).
+ Proof.
+ intros.
+ cbv [mulmod'].
+ rewrite <-reduce_full_correct; push; lia.
+ Qed.
+
 Theorem mulmod_correct : forall p q,
 Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) =
 (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c).
 Proof.
 intros.
- cbv [mulmod].
- rewrite <-reduce_full_correct; push; lia.
+ rewrite mulmod_cps_conv.
+ apply mulmod'_correct.
 Qed.
 
 (* END SECTION MULMOD *)
@@ -1915,153 +2014,25 @@ Module solinas_reduction. Let bounds := repeat bound n ++ [Some r[0 ~> (2^(machine_wordsize/4) - 1)]%zrange]. Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (reduce_full base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound (2*n)), tt) - (Some (repeat bound (n))) - (None, tt) - (None) - : Pipeline.ErrorT _). - (* - = "Success (""/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static void mul(uint64_t out1[4], const uint64_t arg1[8]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - fiatuint1 x14; - uint64_t x15; - fiatuint1 x16; - uint64_t x17; - fiatuint1 x18; - uint64_t x19; - uint64_t x20; - fiatuint1 x21; - uint64_t x22; - fiatuint1 x23; - uint64_t x24; - fiatuint1 x25; - uint64_t x26; - fiatuint1 x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - fiatuint1 x32; - uint64_t x33; - fiatuint1 x34; - uint64_t x35; - fiatuint1 x36; - uint64_t x37; - fiatuint1 x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - fiatuint1 x42; - uint64_t x43; - fiatuint1 x44; - uint64_t x45; - fiatuint1 x46; - uint64_t x47; - fiatuint1 x48; - fiatmulx_u64(&x1, &x2, UINT8_C(0x26), (arg1[7])); - fiatmulx_u64(&x3, &x4, UINT8_C(0x26), (arg1[6])); - fiatmulx_u64(&x5, &x6, UINT8_C(0x26), (arg1[5])); - fiatmulx_u64(&x7, &x8, UINT8_C(0x26), (arg1[4])); - x9 = (arg1[3]); - x10 = 
(arg1[2]); - x11 = (arg1[1]); - x12 = (arg1[0]); - fiataddcarryx_u64(&x13, &x14, 0x0, x11, x5); - fiataddcarryx_u64(&x15, &x16, x14, x10, x3); - fiataddcarryx_u64(&x17, &x18, x16, x9, x1); - x19 = (x18 + x2); - fiataddcarryx_u64(&x20, &x21, 0x0, x12, x7); - fiataddcarryx_u64(&x22, &x23, x21, x13, x8); - fiataddcarryx_u64(&x24, &x25, x23, x15, x6); - fiataddcarryx_u64(&x26, &x27, x25, x17, x4); - x28 = (x27 + x19); - fiatmulx_u64(&x29, &x30, UINT8_C(0x26), x28); - fiataddcarryx_u64(&x31, &x32, 0x0, x20, x29); - fiataddcarryx_u64(&x33, &x34, x32, x22, 0x0); - fiataddcarryx_u64(&x35, &x36, x34, x24, 0x0); - fiataddcarryx_u64(&x37, &x38, x36, x26, 0x0); - fiatmulx_u64(&x39, &x40, UINT8_C(0x26), x38); - fiataddcarryx_u64(&x41, &x42, 0x0, x31, x39); - fiataddcarryx_u64(&x43, &x44, x42, x33, 0x0); - fiataddcarryx_u64(&x45, &x46, x44, x35, 0x0); - fiataddcarryx_u64(&x47, &x48, x46, x37, 0x0); - out1[0] = x41; - out1[1] = x43; - out1[2] = x45; - out1[3] = x47; -}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" - : string -Finished transaction in 4.561 secs (4.508u,0.047s) (successful) - *) - - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (mul_no_reduce base n) in - exact r) - (fun _ _ => []) - (Some (repeat bound n), (Some (repeat bound n), tt)) - (Some (repeat bound (2 * n))) - (None, (None, tt)) - (None) - : Pipeline.ErrorT _). 
+ Show.show + (Pipeline.BoundsPipelineToString + "fiat_p25519_" "fiat_p25519_mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (mulmod base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound (n)), (Some (repeat bound n), tt)) + (Some (repeat bound (n))) + (None, (None, tt)) + (None) + : Pipeline.ErrorT _). - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (mulmod base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound n), (Some (repeat bound n), tt)) - (Some (repeat bound (n))) - (None, (None, tt)) - (None) - : Pipeline.ErrorT _). -(* + (* = "Success (""/* * Input Bounds: * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] @@ -2069,7 +2040,7 @@ Finished transaction in 4.561 secs (4.508u,0.047s) (successful) * Output Bounds: * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { +static void fiat_p25519_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { uint64_t x1; uint64_t x2; uint64_t x3; 
@@ -2103,68 +2074,68 @@ static void mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4] uint64_t x31; uint64_t x32; uint64_t x33; - fiatuint1 x34; + fiat_p25519_uint1 x34; uint64_t x35; - fiatuint1 x36; + fiat_p25519_uint1 x36; uint64_t x37; uint64_t x38; - fiatuint1 x39; + fiat_p25519_uint1 x39; uint64_t x40; - fiatuint1 x41; + fiat_p25519_uint1 x41; uint64_t x42; - fiatuint1 x43; + fiat_p25519_uint1 x43; uint64_t x44; uint64_t x45; - fiatuint1 x46; + fiat_p25519_uint1 x46; uint64_t x47; - fiatuint1 x48; + fiat_p25519_uint1 x48; uint64_t x49; - fiatuint1 x50; + fiat_p25519_uint1 x50; uint64_t x51; - fiatuint1 x52; + fiat_p25519_uint1 x52; uint64_t x53; - fiatuint1 x54; + fiat_p25519_uint1 x54; uint64_t x55; uint64_t x56; - fiatuint1 x57; + fiat_p25519_uint1 x57; uint64_t x58; - fiatuint1 x59; + fiat_p25519_uint1 x59; uint64_t x60; - fiatuint1 x61; + fiat_p25519_uint1 x61; uint64_t x62; - fiatuint1 x63; + fiat_p25519_uint1 x63; uint64_t x64; - fiatuint1 x65; + fiat_p25519_uint1 x65; uint64_t x66; - fiatuint1 x67; + fiat_p25519_uint1 x67; uint64_t x68; - fiatuint1 x69; + fiat_p25519_uint1 x69; uint64_t x70; - fiatuint1 x71; + fiat_p25519_uint1 x71; uint64_t x72; - fiatuint1 x73; + fiat_p25519_uint1 x73; uint64_t x74; - fiatuint1 x75; + fiat_p25519_uint1 x75; uint64_t x76; - fiatuint1 x77; + fiat_p25519_uint1 x77; uint64_t x78; - fiatuint1 x79; + fiat_p25519_uint1 x79; uint64_t x80; - fiatuint1 x81; + fiat_p25519_uint1 x81; uint64_t x82; - fiatuint1 x83; + fiat_p25519_uint1 x83; uint64_t x84; - fiatuint1 x85; + fiat_p25519_uint1 x85; uint64_t x86; - fiatuint1 x87; + fiat_p25519_uint1 x87; uint64_t x88; - fiatuint1 x89; + fiat_p25519_uint1 x89; uint64_t x90; - fiatuint1 x91; + fiat_p25519_uint1 x91; uint64_t x92; - fiatuint1 x93; + fiat_p25519_uint1 x93; uint64_t x94; - fiatuint1 x95; + fiat_p25519_uint1 x95; uint64_t x96; uint64_t x97; uint64_t x98; 
@@ -2172,123 +2143,126 @@ static void mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4] uint64_t x100; uint64_t x101; uint64_t x102; - uint64_t x103; + fiat_p25519_uint1 x103; uint64_t x104; - fiatuint1 x105; + fiat_p25519_uint1 x105; uint64_t x106; - fiatuint1 x107; + uint64_t x107; uint64_t x108; - fiatuint1 x109; + fiat_p25519_uint1 x109; uint64_t x110; uint64_t x111; - fiatuint1 x112; + uint64_t x112; uint64_t x113; - fiatuint1 x114; + fiat_p25519_uint1 x114; uint64_t x115; - fiatuint1 x116; + fiat_p25519_uint1 x116; uint64_t x117; - fiatuint1 x118; + fiat_p25519_uint1 x118; uint64_t x119; - uint64_t x120; + fiat_p25519_uint1 x120; uint64_t x121; uint64_t x122; - fiatuint1 x123; + uint64_t x123; uint64_t x124; - fiatuint1 x125; + fiat_p25519_uint1 x125; uint64_t x126; - fiatuint1 x127; + fiat_p25519_uint1 x127; uint64_t x128; - fiatuint1 x129; + fiat_p25519_uint1 x129; uint64_t x130; - uint64_t x131; + fiat_p25519_uint1 x131; uint64_t x132; - fiatuint1 x133; + uint64_t x133; uint64_t x134; - fiatuint1 x135; + fiat_p25519_uint1 x135; uint64_t x136; - fiatuint1 x137; + fiat_p25519_uint1 x137; uint64_t x138; - fiatuint1 x139; - fiatmulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); - fiatmulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); - fiatmulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); - fiatmulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); - fiatmulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); - fiatmulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); - fiatmulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); - fiatmulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); - fiatmulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); - fiatmulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); - fiatmulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); - fiatmulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); - fiatmulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); - fiatmulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); - fiatmulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); - fiatmulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); - fiataddcarryx_u64(&x33, &x34, 0x0, x28, 
x7); - fiataddcarryx_u64(&x35, &x36, x34, x26, x5); + fiat_p25519_uint1 x139; + uint64_t x140; + fiat_p25519_uint1 x141; + fiat_p25519_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); + fiat_p25519_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); + fiat_p25519_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); + fiat_p25519_mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); + fiat_p25519_mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); + fiat_p25519_mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); + fiat_p25519_mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); + fiat_p25519_mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); + fiat_p25519_mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); + fiat_p25519_mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); + fiat_p25519_mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); + fiat_p25519_mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); + fiat_p25519_mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); + fiat_p25519_mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); + fiat_p25519_mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); + fiat_p25519_mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); + fiat_p25519_addcarryx_u64(&x33, &x34, 0x0, x28, x7); + fiat_p25519_addcarryx_u64(&x35, &x36, x34, x26, x5); x37 = (x36 + x18); - fiataddcarryx_u64(&x38, &x39, 0x0, x33, x13); - fiataddcarryx_u64(&x40, &x41, x39, x35, x8); - fiataddcarryx_u64(&x42, &x43, x41, x37, 0x0); + fiat_p25519_addcarryx_u64(&x38, &x39, 0x0, x33, x13); + fiat_p25519_addcarryx_u64(&x40, &x41, x39, x35, x8); + fiat_p25519_addcarryx_u64(&x42, &x43, x41, x37, 0x0); x44 = (x43 + x10); - fiataddcarryx_u64(&x45, &x46, 0x0, x30, x15); - fiataddcarryx_u64(&x47, &x48, x46, x38, x16); - fiataddcarryx_u64(&x49, &x50, x48, x40, x11); - fiataddcarryx_u64(&x51, &x52, x50, x42, x3); - fiataddcarryx_u64(&x53, &x54, x52, x44, 0x0); + fiat_p25519_addcarryx_u64(&x45, &x46, 0x0, x30, x15); + fiat_p25519_addcarryx_u64(&x47, &x48, x46, x38, x16); + fiat_p25519_addcarryx_u64(&x49, &x50, x48, x40, x11); + fiat_p25519_addcarryx_u64(&x51, &x52, x50, x42, x3); + fiat_p25519_addcarryx_u64(&x53, &x54, 
x52, x44, 0x0); x55 = (x54 + x2); - fiataddcarryx_u64(&x56, &x57, 0x0, x45, x21); - fiataddcarryx_u64(&x58, &x59, x57, x47, x19); - fiataddcarryx_u64(&x60, &x61, x59, x49, x14); - fiataddcarryx_u64(&x62, &x63, x61, x51, x6); - fiataddcarryx_u64(&x64, &x65, x63, x53, 0x0); - fiataddcarryx_u64(&x66, &x67, x65, x55, 0x0); - fiataddcarryx_u64(&x68, &x69, 0x0, x32, x23); - fiataddcarryx_u64(&x70, &x71, x69, x56, x24); - fiataddcarryx_u64(&x72, &x73, x71, x58, x22); - fiataddcarryx_u64(&x74, &x75, x73, x60, x17); - fiataddcarryx_u64(&x76, &x77, x75, x62, x9); - fiataddcarryx_u64(&x78, &x79, x77, x64, x1); - fiataddcarryx_u64(&x80, &x81, x79, x66, 0x0); - fiataddcarryx_u64(&x82, &x83, 0x0, x68, x29); - fiataddcarryx_u64(&x84, &x85, x83, x70, x27); - fiataddcarryx_u64(&x86, &x87, x85, x72, x25); - fiataddcarryx_u64(&x88, &x89, x87, x74, x20); - fiataddcarryx_u64(&x90, &x91, x89, x76, x12); - fiataddcarryx_u64(&x92, &x93, x91, x78, x4); - fiataddcarryx_u64(&x94, &x95, x93, x80, 0x0); - fiatmulx_u64(&x96, &x97, UINT8_C(0x26), x94); - fiatmulx_u64(&x98, &x99, UINT8_C(0x26), x92); - fiatmulx_u64(&x100, &x101, UINT8_C(0x26), x90); - fiatmulx_u64(&x102, &x103, UINT8_C(0x26), x88); - fiataddcarryx_u64(&x104, &x105, 0x0, x82, x100); - fiataddcarryx_u64(&x106, &x107, x105, x84, x98); - fiataddcarryx_u64(&x108, &x109, x107, x86, x96); - x110 = (x109 + x97); - fiataddcarryx_u64(&x111, &x112, 0x0, x31, x102); - fiataddcarryx_u64(&x113, &x114, x112, x104, x103); - fiataddcarryx_u64(&x115, &x116, x114, x106, x101); - fiataddcarryx_u64(&x117, &x118, x116, x108, x99); - x119 = (x118 + x110); - fiatmulx_u64(&x120, &x121, UINT8_C(0x26), x119); - fiataddcarryx_u64(&x122, &x123, 0x0, x111, x120); - fiataddcarryx_u64(&x124, &x125, x123, x113, 0x0); - fiataddcarryx_u64(&x126, &x127, x125, x115, 0x0); - fiataddcarryx_u64(&x128, &x129, x127, x117, 0x0); - fiatmulx_u64(&x130, &x131, UINT8_C(0x26), x129); - fiataddcarryx_u64(&x132, &x133, 0x0, x122, x130); - fiataddcarryx_u64(&x134, &x135, x133, 
x124, 0x0); - fiataddcarryx_u64(&x136, &x137, x135, x126, 0x0); - fiataddcarryx_u64(&x138, &x139, x137, x128, 0x0); - out1[0] = x132; - out1[1] = x134; - out1[2] = x136; - out1[3] = x138; + fiat_p25519_addcarryx_u64(&x56, &x57, 0x0, x45, x21); + fiat_p25519_addcarryx_u64(&x58, &x59, x57, x47, x19); + fiat_p25519_addcarryx_u64(&x60, &x61, x59, x49, x14); + fiat_p25519_addcarryx_u64(&x62, &x63, x61, x51, x6); + fiat_p25519_addcarryx_u64(&x64, &x65, x63, x53, 0x0); + fiat_p25519_addcarryx_u64(&x66, &x67, x65, x55, 0x0); + fiat_p25519_addcarryx_u64(&x68, &x69, 0x0, x32, x23); + fiat_p25519_addcarryx_u64(&x70, &x71, x69, x56, x24); + fiat_p25519_addcarryx_u64(&x72, &x73, x71, x58, x22); + fiat_p25519_addcarryx_u64(&x74, &x75, x73, x60, x17); + fiat_p25519_addcarryx_u64(&x76, &x77, x75, x62, x9); + fiat_p25519_addcarryx_u64(&x78, &x79, x77, x64, x1); + fiat_p25519_addcarryx_u64(&x80, &x81, x79, x66, 0x0); + fiat_p25519_addcarryx_u64(&x82, &x83, 0x0, x68, x29); + fiat_p25519_addcarryx_u64(&x84, &x85, x83, x70, x27); + fiat_p25519_addcarryx_u64(&x86, &x87, x85, x72, x25); + fiat_p25519_addcarryx_u64(&x88, &x89, x87, x74, x20); + fiat_p25519_addcarryx_u64(&x90, &x91, x89, x76, x12); + fiat_p25519_addcarryx_u64(&x92, &x93, x91, x78, x4); + fiat_p25519_addcarryx_u64(&x94, &x95, x93, x80, 0x0); + fiat_p25519_mulx_u64(&x96, &x97, UINT8_C(0x26), x92); + fiat_p25519_mulx_u64(&x98, &x99, UINT8_C(0x26), x90); + fiat_p25519_mulx_u64(&x100, &x101, UINT8_C(0x26), x88); + fiat_p25519_addcarryx_u64(&x102, &x103, 0x0, x82, x98); + fiat_p25519_addcarryx_u64(&x104, &x105, x103, x84, x96); + fiat_p25519_mulx_u64(&x106, &x107, UINT8_C(0x26), x94); + fiat_p25519_addcarryx_u64(&x108, &x109, x105, x86, x106); + fiat_p25519_mulx_u64(&x110, &x111, UINT8_C(0x26), x94); + x112 = (x109 + x111); + fiat_p25519_addcarryx_u64(&x113, &x114, 0x0, x31, x100); + fiat_p25519_addcarryx_u64(&x115, &x116, x114, x102, x101); + fiat_p25519_addcarryx_u64(&x117, &x118, x116, x104, x99); + 
fiat_p25519_addcarryx_u64(&x119, &x120, x118, x108, x97); + x121 = (x120 + x112); + fiat_p25519_mulx_u64(&x122, &x123, UINT8_C(0x26), x121); + fiat_p25519_addcarryx_u64(&x124, &x125, 0x0, x113, x122); + fiat_p25519_addcarryx_u64(&x126, &x127, x125, x115, 0x0); + fiat_p25519_addcarryx_u64(&x128, &x129, x127, x117, 0x0); + fiat_p25519_addcarryx_u64(&x130, &x131, x129, x119, 0x0); + fiat_p25519_mulx_u64(&x132, &x133, UINT8_C(0x26), x131); + fiat_p25519_addcarryx_u64(&x134, &x135, 0x0, x124, x132); + fiat_p25519_addcarryx_u64(&x136, &x137, x135, x126, 0x0); + fiat_p25519_addcarryx_u64(&x138, &x139, x137, x128, 0x0); + fiat_p25519_addcarryx_u64(&x140, &x141, x139, x130, 0x0); + out1[0] = x134; + out1[1] = x136; + out1[2] = x138; + out1[3] = x140; }"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" : string -Finished transaction in 5.821 secs (5.782u,0.039s) (successful) -*) +Finished transaction in 25.313 secs (25.202u,0.107s) (successful) + *) End compile. From 323dce919a853e0bd1b330cd60f019e60c5cc9a8 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Tue, 2 Aug 2022 20:59:22 -0400 Subject: [PATCH 35/69] refactoring --- solinas25519.c | 286 --------------------- src/{ => Arithmetic}/SolinasReduction.v | 168 ++---------- src/COperationSpecifications.v | 19 ++ src/PushButtonSynthesis/SolinasReduction.v | 246 ++++++++++++++++++ src/tmp.v | 125 --------- 5 files changed, 281 insertions(+), 563 deletions(-) delete mode 100644 solinas25519.c rename src/{ => Arithmetic}/SolinasReduction.v (91%) create mode 100644 src/PushButtonSynthesis/SolinasReduction.v delete mode 100644 src/tmp.v diff --git a/solinas25519.c b/solinas25519.c deleted file mode 100644 index f692d4eb11..0000000000 --- a/solinas25519.c +++ /dev/null 
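Review bot: The recorded output of the new `mulmod` path regresses against the one it replaces: `x94` is multiplied by `UINT8_C(0x26)` twice (`&x106, &x107` and `&x110, &x111`, with `x107` and `x110` never read), an extra carry step `fiat_p25519_addcarryx_u64(&x140, &x141, x139, x130, 0x0);` was appended, and the trailer went from `5.821 secs` to `25.313 secs`. The removed output had a single `fiatmulx_u64(&x96, &x97, UINT8_C(0x26), x94);` for that limb, so the duplicate suggests let-sharing is lost somewhere in the cbv-unfolded CPS term rather than in the C emitter; it is worth chasing before the CPS path becomes the shipped one, since it is extra work on a field-multiply hot path. The hunk itself only changes a comment, so nothing in it is wrong as such.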
@@ -1,286 +0,0 @@ -#include -#include -typedef unsigned char fiat_p25519_uint1; -typedef signed char fiat_p25519_int1; -#if defined(__GNUC__) || defined(__clang__) -# define FIAT_P25519_FIAT_EXTENSION __extension__ -# define FIAT_P25519_FIAT_INLINE __inline__ -#else -# define FIAT_P25519_FIAT_EXTENSION -# define FIAT_P25519_FIAT_INLINE -#endif - -FIAT_P25519_FIAT_EXTENSION typedef signed __int128 fiat_p25519_int128; -FIAT_P25519_FIAT_EXTENSION typedef unsigned __int128 fiat_p25519_uint128; - -#if (-1 & 3) != 3 -#error "This code only works on a two's complement system" -#endif - -#if !defined(FIAT_P25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) -static __inline__ uint64_t fiat_p25519_value_barrier_u64(uint64_t a) { - __asm__("" : "+r"(a) : /* no inputs */); - return a; -} -#else -# define fiat_p25519_value_barrier_u64(x) (x) -#endif - -static FIAT_P25519_FIAT_INLINE void fiat_p25519_addcarryx_u64(uint64_t* out1, fiat_p25519_uint1* out2, fiat_p25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_p25519_uint128 x1; - uint64_t x2; - fiat_p25519_uint1 x3; - x1 = ((arg1 + (fiat_p25519_uint128)arg2) + arg3); - x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - x3 = (fiat_p25519_uint1)(x1 >> 64); - *out1 = x2; - *out2 = x3; -} - -static FIAT_P25519_FIAT_INLINE void fiat_p25519_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { - fiat_p25519_uint128 x1; - uint64_t x2; - uint64_t x3; - x1 = ((fiat_p25519_uint128)arg1 * arg2); - x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - x3 = (uint64_t)(x1 >> 64); - *out1 = x2; - *out2 = x3; -} - -static FIAT_P25519_FIAT_INLINE void fiat_p25519_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - 
uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - fiat_p25519_uint1 x34; - uint64_t x35; - fiat_p25519_uint1 x36; - uint64_t x37; - uint64_t x38; - fiat_p25519_uint1 x39; - uint64_t x40; - fiat_p25519_uint1 x41; - uint64_t x42; - fiat_p25519_uint1 x43; - uint64_t x44; - uint64_t x45; - fiat_p25519_uint1 x46; - uint64_t x47; - fiat_p25519_uint1 x48; - uint64_t x49; - fiat_p25519_uint1 x50; - uint64_t x51; - fiat_p25519_uint1 x52; - uint64_t x53; - fiat_p25519_uint1 x54; - uint64_t x55; - uint64_t x56; - fiat_p25519_uint1 x57; - uint64_t x58; - fiat_p25519_uint1 x59; - uint64_t x60; - fiat_p25519_uint1 x61; - uint64_t x62; - fiat_p25519_uint1 x63; - uint64_t x64; - fiat_p25519_uint1 x65; - uint64_t x66; - fiat_p25519_uint1 x67; - uint64_t x68; - fiat_p25519_uint1 x69; - uint64_t x70; - fiat_p25519_uint1 x71; - uint64_t x72; - fiat_p25519_uint1 x73; - uint64_t x74; - fiat_p25519_uint1 x75; - uint64_t x76; - fiat_p25519_uint1 x77; - uint64_t x78; - fiat_p25519_uint1 x79; - uint64_t x80; - fiat_p25519_uint1 x81; - uint64_t x82; - fiat_p25519_uint1 x83; - uint64_t x84; - fiat_p25519_uint1 x85; - uint64_t x86; - fiat_p25519_uint1 x87; - uint64_t x88; - fiat_p25519_uint1 x89; - uint64_t x90; - fiat_p25519_uint1 x91; - uint64_t x92; - fiat_p25519_uint1 x93; - uint64_t x94; - fiat_p25519_uint1 x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - fiat_p25519_uint1 x103; - uint64_t x104; - fiat_p25519_uint1 x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - fiat_p25519_uint1 x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - fiat_p25519_uint1 x114; - uint64_t x115; - fiat_p25519_uint1 x116; - uint64_t x117; - fiat_p25519_uint1 x118; - uint64_t x119; - fiat_p25519_uint1 x120; - uint64_t 
x121; - uint64_t x122; - uint64_t x123; - uint64_t x124; - fiat_p25519_uint1 x125; - uint64_t x126; - fiat_p25519_uint1 x127; - uint64_t x128; - fiat_p25519_uint1 x129; - uint64_t x130; - fiat_p25519_uint1 x131; - uint64_t x132; - uint64_t x133; - uint64_t x134; - fiat_p25519_uint1 x135; - uint64_t x136; - fiat_p25519_uint1 x137; - uint64_t x138; - fiat_p25519_uint1 x139; - uint64_t x140; - fiat_p25519_uint1 x141; - fiat_p25519_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); - fiat_p25519_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); - fiat_p25519_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); - fiat_p25519_mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); - fiat_p25519_mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); - fiat_p25519_mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); - fiat_p25519_mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); - fiat_p25519_mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); - fiat_p25519_mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); - fiat_p25519_mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); - fiat_p25519_mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); - fiat_p25519_mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); - fiat_p25519_mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); - fiat_p25519_mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); - fiat_p25519_mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); - fiat_p25519_mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); - fiat_p25519_addcarryx_u64(&x33, &x34, 0x0, x28, x7); - fiat_p25519_addcarryx_u64(&x35, &x36, x34, x26, x5); - x37 = (x36 + x18); - fiat_p25519_addcarryx_u64(&x38, &x39, 0x0, x33, x13); - fiat_p25519_addcarryx_u64(&x40, &x41, x39, x35, x8); - fiat_p25519_addcarryx_u64(&x42, &x43, x41, x37, 0x0); - x44 = (x43 + x10); - fiat_p25519_addcarryx_u64(&x45, &x46, 0x0, x30, x15); - fiat_p25519_addcarryx_u64(&x47, &x48, x46, x38, x16); - fiat_p25519_addcarryx_u64(&x49, &x50, x48, x40, x11); - fiat_p25519_addcarryx_u64(&x51, &x52, x50, x42, x3); - fiat_p25519_addcarryx_u64(&x53, &x54, x52, x44, 0x0); - x55 = (x54 + x2); - fiat_p25519_addcarryx_u64(&x56, &x57, 0x0, 
x45, x21); - fiat_p25519_addcarryx_u64(&x58, &x59, x57, x47, x19); - fiat_p25519_addcarryx_u64(&x60, &x61, x59, x49, x14); - fiat_p25519_addcarryx_u64(&x62, &x63, x61, x51, x6); - fiat_p25519_addcarryx_u64(&x64, &x65, x63, x53, 0x0); - fiat_p25519_addcarryx_u64(&x66, &x67, x65, x55, 0x0); - fiat_p25519_addcarryx_u64(&x68, &x69, 0x0, x32, x23); - fiat_p25519_addcarryx_u64(&x70, &x71, x69, x56, x24); - fiat_p25519_addcarryx_u64(&x72, &x73, x71, x58, x22); - fiat_p25519_addcarryx_u64(&x74, &x75, x73, x60, x17); - fiat_p25519_addcarryx_u64(&x76, &x77, x75, x62, x9); - fiat_p25519_addcarryx_u64(&x78, &x79, x77, x64, x1); - fiat_p25519_addcarryx_u64(&x80, &x81, x79, x66, 0x0); - fiat_p25519_addcarryx_u64(&x82, &x83, 0x0, x68, x29); - fiat_p25519_addcarryx_u64(&x84, &x85, x83, x70, x27); - fiat_p25519_addcarryx_u64(&x86, &x87, x85, x72, x25); - fiat_p25519_addcarryx_u64(&x88, &x89, x87, x74, x20); - fiat_p25519_addcarryx_u64(&x90, &x91, x89, x76, x12); - fiat_p25519_addcarryx_u64(&x92, &x93, x91, x78, x4); - fiat_p25519_addcarryx_u64(&x94, &x95, x93, x80, 0x0); - fiat_p25519_mulx_u64(&x96, &x97, UINT8_C(0x26), x92); - fiat_p25519_mulx_u64(&x98, &x99, UINT8_C(0x26), x90); - fiat_p25519_mulx_u64(&x100, &x101, UINT8_C(0x26), x88); - fiat_p25519_addcarryx_u64(&x102, &x103, 0x0, x82, x98); - fiat_p25519_addcarryx_u64(&x104, &x105, x103, x84, x96); - fiat_p25519_mulx_u64(&x106, &x107, UINT8_C(0x26), x94); - fiat_p25519_addcarryx_u64(&x108, &x109, x105, x86, x106); - fiat_p25519_mulx_u64(&x110, &x111, UINT8_C(0x26), x94); - x112 = (x109 + x111); - fiat_p25519_addcarryx_u64(&x113, &x114, 0x0, x31, x100); - fiat_p25519_addcarryx_u64(&x115, &x116, x114, x102, x101); - fiat_p25519_addcarryx_u64(&x117, &x118, x116, x104, x99); - fiat_p25519_addcarryx_u64(&x119, &x120, x118, x108, x97); - x121 = (x120 + x112); - fiat_p25519_mulx_u64(&x122, &x123, UINT8_C(0x26), x121); - fiat_p25519_addcarryx_u64(&x124, &x125, 0x0, x113, x122); - fiat_p25519_addcarryx_u64(&x126, &x127, x125, x115, 
0x0); - fiat_p25519_addcarryx_u64(&x128, &x129, x127, x117, 0x0); - fiat_p25519_addcarryx_u64(&x130, &x131, x129, x119, 0x0); - fiat_p25519_mulx_u64(&x132, &x133, UINT8_C(0x26), x131); - fiat_p25519_addcarryx_u64(&x134, &x135, 0x0, x124, x132); - fiat_p25519_addcarryx_u64(&x136, &x137, x135, x126, 0x0); - fiat_p25519_addcarryx_u64(&x138, &x139, x137, x128, 0x0); - fiat_p25519_addcarryx_u64(&x140, &x141, x139, x130, 0x0); - out1[0] = x134; - out1[1] = x136; - out1[2] = x138; - out1[3] = x140; -} - -int main() { - uint64_t arg1[4] = {0}; - uint64_t arg2[4] = {0}; - for (int i = 0; i < 4; i++) { - arg1[i] = 0xffffffffffffffff; - arg2[i] = 0xffffffffffffffff; - } - uint64_t out1[4] = {0}; - fiat_p25519_mul(out1, arg1, arg2); - for (int i = 0; i < 4; i++) { - printf("%d ", out1[i]); - } - printf("\n"); - return 0; -} diff --git a/src/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v similarity index 91% rename from src/SolinasReduction.v rename to src/Arithmetic/SolinasReduction.v index 71d37b5730..6cdb020e46 100644 --- a/src/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -8,11 +8,8 @@ Require Import Crypto.Util.ZRange. Require Import Crypto.Arithmetic.Core. Require Import Crypto.Arithmetic.ModOps. Require Import Crypto.Arithmetic.Partition. -Require Import Crypto.PushButtonSynthesis.UnsaturatedSolinas. -Require Import Crypto.UnsaturatedSolinasHeuristics. Require Import Crypto.Arithmetic.UniformWeight. -Require Crypto.PushButtonSynthesis.SaturatedSolinas. -Require Crypto.PushButtonSynthesis.WordByWordMontgomery. +Require Import Crypto.Arithmetic.Saturated. Require Crypto.Stringification.C. Require Crypto.Stringification.Go. Require Crypto.Stringification.Java. 
@@ -61,154 +58,10 @@ Local Coercion Z.of_nat : nat >-> Z. Local Coercion QArith_base.inject_Z : Z >-> Q. Local Coercion Z.pos : positive >-> Z. -Local Existing Instance default_low_level_rewriter_method. -Local Existing Instance AbstractInterpretation.default_Options. -Local Instance : unfold_value_barrier_opt := true. -Local Instance : assembly_hints_lines_opt := []. -Local Instance : ignore_unique_asm_names_opt := false. -Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction. -Local Existing Instance default_language_naming_conventions. -Local Existing Instance default_documentation_options. -Local Instance : package_name_opt := None. -Local Instance : class_name_opt := None. - -Local Existing Instance default_output_options. - Module solinas_reduction. - Import Crypto.Arithmetic.Saturated. - - Module tmp. - - Section __. - - Context (machine_wordsize := 64) - (weight := uweight machine_wordsize) - (up_bound := 2 ^ (machine_wordsize / 4)) - {wprops : @weight_properties weight}. - - Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := - map (fun x => (f (fst x) (snd x))) (combine l1 l2). - Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := - fold_right andb true (dual_map f ls1 ls2). - Definition is_bounded_by bounds ls := - fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. - - Definition sat_reduce base s c n (p : list (Z * Z)) := - let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in - let lo_hi := Associational.split s' p in - let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in - let hi := Saturated.Associational.sat_mul_const base coef (snd lo_hi) in - let r := (fst lo_hi) ++ hi in - r. 
- - Definition reduce1_cps {T} base s c n m (p : list Z) (f : list Z -> T) := - let p_a := Positional.to_associational weight n p in - let r_a := sat_reduce base s c n p_a in - let r_rows := Saturated.Rows.from_associational weight m r_a in - let r_flat := Saturated.Rows.flatten weight m r_rows in - let bound := (0, 2^machine_wordsize - 1) in - if (is_bounded_by (repeat bound n) p) then - f (fst r_flat) - else - f (add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)). - Check reduce1_cps. - - Definition reduce_full_cps {T} base s c n (p : list Z) (f : list Z -> T):= - (r1 <- reduce1_cps base s c (2*n) (S n) p; - (let bound := (0, 2^machine_wordsize) in - if (is_bounded_by (repeat bound (S n)) r1) then - (r2 <- reduce1_cps base s c (S n) (S n) r1; - reduce1_cps base s c (S n) n r2 f) - else - f r1)). - Check reduce_full_cps. - - Definition mul_no_reduce_cps {T} base n (p q : list Z) (f : list Z -> T):= - let p_a := Positional.to_associational weight n p in - let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in - let pq := Saturated.Rows.flatten weight (2*n) pq_rows in - let bound := (0, 2^machine_wordsize - 1) in - if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then - f (fst pq) - else - f (add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)). - Check mul_no_reduce_cps. - - Definition mulmod_cps {T} base s c n (p q : list Z) (f : list Z -> T) := - (mul <- mul_no_reduce_cps base n p q; - reduce_full_cps base s c n mul f). - Check mulmod_cps. - - Definition mulmod base s c n (p q : list Z) := - mulmod_cps (T := list Z) base s c n p q (id). - Check mulmod. - - Definition x base s c n p q := ltac:(let y := (eval cbv beta delta [mulmod mulmod_cps mul_no_reduce_cps reduce_full_cps reduce1_cps id] in (mulmod base s c n p q)) in exact y). - Print x. - Check x. - - End __. - - Section __. - - Let s := 2^255. 
- Let c := [(1, 19)]. - Let machine_wordsize := 64. - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := 2 * n. - Let w : nat -> Z := weight machine_wordsize 1. - Let up_bound := 2 ^ (machine_wordsize / 4). - Let base : Z := 2 ^ machine_wordsize. - - Import Stringification.C.Compilers. - Import Stringification.C.Compilers.ToString. - - Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. - Local Instance : only_signed_opt := false. - Local Instance : no_select_opt := false. - Local Instance : static_opt := true. - Local Instance : internal_static_opt := true. - Local Instance : inline_opt := true. - Local Instance : inline_internal_opt := true. - Local Instance : use_mul_for_cmovznz_opt := false. - Local Instance : emit_primitives_opt := true. - Local Instance : should_split_mul_opt := false. - Local Instance : should_split_multiret_opt := false. - Local Instance : widen_carry_opt := false. - Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) - Let possible_values := prefix_with_carry [machine_wordsize]. - Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) - Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. - Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. - Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. 
- - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat_p25519_" "fiat_p25519_mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (x base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound (n)), (Some (repeat bound n), tt)) - (Some (repeat bound (n))) - (None, (None, tt)) - (None) - : Pipeline.ErrorT _). - - End __. - - End tmp. + Import Core.Associational. + Import Core.Positional. Section __. @@ -276,8 +129,8 @@ Module solinas_reduction. autorewrite with const_simpl in *. Hint Rewrite eval_cons using auto : push_eval. - Hint Rewrite Associational.eval_sat_mul using lia : push_eval. - Hint Rewrite Associational.eval_sat_mul_const using lia : push_eval. + Hint Rewrite eval_sat_mul using lia : push_eval. + Hint Rewrite eval_sat_mul_const using lia : push_eval. Hint Rewrite eval_split using auto : push_eval. Hint Rewrite Rows.eval_from_associational using (auto || lia) : push_eval. Hint Rewrite Rows.flatten_mod using (eauto using Rows.length_from_associational) : push_eval. @@ -2011,6 +1864,17 @@ Module solinas_reduction. Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. + Local Existing Instance default_low_level_rewriter_method. + Local Existing Instance AbstractInterpretation.default_Options. + Local Instance : unfold_value_barrier_opt := true. + Local Instance : assembly_hints_lines_opt := []. + Local Instance : ignore_unique_asm_names_opt := false. + Local Existing Instance default_language_naming_conventions. + Local Existing Instance default_documentation_options. + Local Instance : package_name_opt := None. + Local Instance : class_name_opt := None. + Local Existing Instance default_output_options. + Let bounds := repeat bound n ++ [Some r[0 ~> (2^(machine_wordsize/4) - 1)]%zrange]. Time Compute 
diff --git a/src/COperationSpecifications.v b/src/COperationSpecifications.v
index fc755b09f8..dba50ac35a 100644
--- a/src/COperationSpecifications.v
+++ b/src/COperationSpecifications.v
@@ -494,6 +494,25 @@ Module SaturatedSolinas.
 End __.
 End SaturatedSolinas.
+Module SolinasReduction.
+ Section __.
+ Context (wt : nat -> Z)
+ (n : nat)
+ (m : Z)
+ (saturated_bounds : list (option zrange))
+ (length_saturated_bouns : length saturated_bounds = n).
+ Local Notation eval := (Positional.eval wt n).
+
+ Definition mulmod_correct
+ (mulmod : list Z -> list Z -> list Z) :=
+ forall x y,
+ list_Z_bounded_by saturated_bounds x ->
+ list_Z_bounded_by saturated_bounds y ->
+ ((eval (mulmod x y)) mod m = (eval x * eval y) mod m) /\
+ (is_bounded_by saturated_bounds (mulmod x y) = true).
+ End __.
+End SolinasReduction.
+
 Module WordByWordMontgomery.
 Import Arithmetic.WordByWordMontgomery.
 Local Coercion Z.of_nat : nat >-> Z.
diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v
new file mode 100644
index 0000000000..00e8af1817
--- /dev/null
+++ b/src/PushButtonSynthesis/SolinasReduction.v
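Review bot: The section variable `length_saturated_bouns` in the new `SolinasReduction` module is misspelled; rename it to `length_saturated_bounds` so the hypothesis reads correctly wherever it is later named in a `Proof using` clause. `mulmod_correct` also states its hypotheses with `list_Z_bounded_by saturated_bounds x` but its conclusion with `is_bounded_by saturated_bounds (mulmod x y) = true`; if both predicates express the same bound on `saturated_bounds`, writing the conclusion as `list_Z_bounded_by saturated_bounds (mulmod x y)` keeps the spec in one vocabulary and avoids a bridging lemma at every use site. The length hypothesis is not used inside the hunk, so a short comment on why it is required (presumably to tie the bounds list to the `n` used by `eval`) would help readers.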
@@ -0,0 +1,246 @@ +(** * Push-Button Synthesis of Saturated Reduction *) +Require Import Coq.Strings.String. +Require Import Coq.micromega.Lia. +Require Import Coq.ZArith.ZArith. +Require Import Coq.MSets.MSetPositive. +Require Import Coq.Lists.List. +Require Import Coq.QArith.QArith_base Coq.QArith.Qround. +Require Import Coq.derive.Derive. +Require Import Crypto.Util.ErrorT. +Require Import Crypto.Util.ListUtil. +Require Import Crypto.Util.ListUtil.FoldBool. +Require Import Crypto.Util.Strings.Decimal. +Require Import Crypto.Util.Strings.Show. +Require Import Crypto.Util.ZRange. +Require Import Crypto.Util.ZUtil.Definitions. +Require Import Crypto.Util.ZUtil.Zselect. +Require Import Crypto.Util.ZUtil.Tactics.LtbToLt. +Require Import Crypto.Util.Tactics.HasBody. +Require Import Crypto.Util.Tactics.Head. +Require Import Crypto.Util.Tactics.SpecializeBy. +Require Import Rewriter.Language.Wf. +Require Import Rewriter.Language.Language. +Require Import Crypto.Language.API. +Require Import Crypto.AbstractInterpretation.AbstractInterpretation. +Require Import Crypto.Stringification.Language. +Require Import Crypto.Arithmetic.Core. +Require Import Crypto.Arithmetic.ModOps. +Require Import Crypto.Arithmetic.Saturated. +(* Require Import Crypto.Arithmetic.SolinasReduction. *) +Require Import Crypto.BoundsPipeline. +Require Import Crypto.COperationSpecifications. +Require Import Crypto.PushButtonSynthesis.ReificationCache. +Require Import Crypto.PushButtonSynthesis.Primitives. +Require Import Crypto.PushButtonSynthesis.SaturatedSolinasReificationCache. +Require Import Crypto.Assembly.Equivalence. +Import ListNotations. +Local Open Scope string_scope. Local Open Scope Z_scope. Local Open Scope list_scope. Local Open Scope bool_scope. + +Import + Language.Wf.Compilers + Language.Compilers + AbstractInterpretation.Compilers + Stringification.Language.Compilers. +Import Compilers.API. + +Import COperationSpecifications.Primitives. +Import COperationSpecifications.Solinas. 
+Import COperationSpecifications.SaturatedSolinas. + +Import Associational Positional. + +Local Coercion Z.of_nat : nat >-> Z. +Local Coercion QArith_base.inject_Z : Z >-> Q. +Local Coercion Z.pos : positive >-> Z. + +Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) + +Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *) +(* needed for making [autorewrite] with [Set Keyed Unification] fast *) +Local Opaque expr.Interp. + +Section __. + Context {output_language_api : ToString.OutputLanguageAPI} + {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} + {output_options : output_options_opt} + {opts : AbstractInterpretation.Options} + {package_namev : package_name_opt} + {class_namev : class_name_opt} + {static : static_opt} + {internal_static : internal_static_opt} + {inline : inline_opt} + {inline_internal : inline_internal_opt} + {low_level_rewriter_method : low_level_rewriter_method_opt} + {only_signed : only_signed_opt} + {no_select : no_select_opt} + {use_mul_for_cmovznz : use_mul_for_cmovznz_opt} + {emit_primitives : emit_primitives_opt} + {should_split_mul : should_split_mul_opt} + {should_split_multiret : should_split_multiret_opt} + {unfold_value_barrier : unfold_value_barrier_opt} + {assembly_hints_lines : assembly_hints_lines_opt} + {ignore_unique_asm_names : ignore_unique_asm_names_opt} + {widen_carry : widen_carry_opt} + (widen_bytes : widen_bytes_opt := true) (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) + {assembly_conventions : assembly_conventions_opt} + {error_on_unused_assembly_functions : error_on_unused_assembly_functions_opt} + (s : Z) + (c : list (Z * Z)) + (machine_wordsize : machine_wordsize_opt). + + Local Existing Instance widen_bytes. 
+ + (* We include [0], so that even after bounds relaxation, we can + notice where the constant 0s are, and remove them. *) + Definition possible_values_of_machine_wordsize + := prefix_with_carry [machine_wordsize]. + + Definition n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). + Definition m := s - Associational.eval c. + (* Number of reductions is calculated as follows : + Let i be the highest limb index of c. Then, each reduction + decreases the number of extra limbs by (n-i-1). (The -1 comes + from possibly having an extra high partial product at the end + of a reduction.) So, to go from the n extra limbs we have + post-multiplication down to 0, we need ceil (n / (n - i - 1)) + reductions. In some cases. however, [n - i <= 1], and in + this case, we do [n] reductions (is this enough?). *) + Definition nreductions : nat := + let i := fold_right Z.max 0 (List.map (fun t => Z.log2 (fst t) / machine_wordsize) c) in + if Z.of_nat n - i <=? 1 + then n + else Z.to_nat (Qceiling (Z.of_nat n / (Z.of_nat n - i - 1))). + Let possible_values := possible_values_of_machine_wordsize. + Definition bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. + Definition boundsn : list (ZRange.type.option.interp base.type.Z) + := repeat bound n. + + Local Instance no_select_size : no_select_size_opt := no_select_size_of_no_select machine_wordsize. + Local Instance split_mul_to : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. + Local Instance split_multiret_to : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. + + (** Note: If you change the name or type signature of this + function, you will need to update the code in CLI.v *) + Definition check_args {T} (requests : list string) (res : Pipeline.ErrorT T) + : Pipeline.ErrorT T + := check_args_of_list + (List.map + (fun v => (true, v)) + [((0 0 + /\ s <> 0 + /\ 0 < machine_wordsize + /\ n <> 0%nat. + Proof using curve_good. 
+ prepare_use_curve_good (). + { use_curve_good_t. } + Qed. + + Local Notation weightf := (weight machine_wordsize 1). + Local Notation evalf := (eval weightf n). + Local Notation notations_for_docstring + := (CorrectnessStringification.dyn_context.cons + weightf "weight" + (CorrectnessStringification.dyn_context.cons + evalf "eval" + CorrectnessStringification.dyn_context.nil))%string. + Local Notation "'docstring_with_summary_from_lemma!' summary correctness" + := (docstring_with_summary_from_lemma_with_ctx! + notations_for_docstring + summary + correctness) + (only parsing, at level 10, summary at next level, correctness at next level). + + Definition mul + := Pipeline.BoundsPipeline + false (* subst01 *) + None (* fancy *) + possible_values + (reified_mul_gen + @ GallinaReify.Reify s @ GallinaReify.Reify c @ GallinaReify.Reify (machine_wordsize:Z) @ GallinaReify.Reify n @ GallinaReify.Reify nreductions) + (Some boundsn, (Some boundsn, tt)) + (Some boundsn, None (* Should be: Some r[0~>0]%zrange, but bounds analysis is not good enough *) ). + + Definition smul (prefix : string) + : string * (Pipeline.ErrorT (Pipeline.ExtendedSynthesisResult _)) + := Eval cbv beta in + FromPipelineToString! + machine_wordsize prefix "mul" mul + (docstring_with_summary_from_lemma! + (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string) + (mul_correct weightf n m boundsn)). + + Local Ltac solve_extra_bounds_side_conditions := + cbn [lower upper fst snd] in *; Bool.split_andb; Z.ltb_to_lt; lia. + + Hint Rewrite + (fun pf => @Rows.eval_mulmod (weight machine_wordsize 1) (@wprops _ _ pf)) + using solve [ auto with zarith | congruence | solve_extra_bounds_side_conditions ] : push_eval. + Hint Unfold mulmod : push_eval. + + Local Ltac prove_correctness _ := Primitives.prove_correctness use_curve_good. + + Lemma mul_correct res + (Hres : mul = Success res) + : mul_correct (weight machine_wordsize 1) n m boundsn (Interp res). 
+ Proof using curve_good. prove_correctness (). Qed. + + Lemma Wf_mul res (Hres : mul = Success res) : Wf res. + Proof using Type. prove_pipeline_wf (). Qed. + + Section for_stringification. + Local Open Scope string_scope. + Local Open Scope list_scope. + + Definition known_functions + := [("mul", wrap_s smul)]. + + Definition valid_names : string := Eval compute in String.concat ", " (List.map (@fst _ _) known_functions). + + (** Note: If you change the name or type signature of this + function, you will need to update the code in CLI.v *) + Definition Synthesize (comment_header : list string) (function_name_prefix : string) (requests : list string) + : list (synthesis_output_kind * string * Pipeline.ErrorT (list string)) + := Primitives.Synthesize + machine_wordsize valid_names known_functions (fun _ => nil) all_typedefs! + check_args + ((ToString.comment_file_header_block + (comment_header + ++ [""; + "Computed values:"; + ""; + " # reductions = " ++ show nreductions]%string))) + function_name_prefix requests. + End for_stringification. +End __. + +Module Export Hints. +#[global] + Hint Opaque + mul + : wf_op_cache. +#[global] + Hint Immediate + Wf_mul + : wf_op_cache. +End Hints. diff --git a/src/tmp.v b/src/tmp.v deleted file mode 100644 index c1fb17db33..0000000000 --- a/src/tmp.v +++ /dev/null 
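Review bot: The doc comment on `nreductions` ends with the open question `(is this enough?)` for the `n - i <= 1` branch, yet that value is reified straight into `mul` and printed into the generated file header; a library comment should either give the justification or mark the gap explicitly, e.g. `(* TODO: justify that n reductions suffice when n - i <= 1; see [PLACEHOLDER: lemma name] *)`. As committed the file still requires `SaturatedSolinasReificationCache` and imports `COperationSpecifications.SaturatedSolinas` while the `Crypto.Arithmetic.SolinasReduction` require is commented out, so `mul_correct` and the `Rows.eval_mulmod`/`Hint Unfold mulmod` rewrite hints are proving the saturated-Solinas `mulmod`, not the new reduction; if this is intentional scaffolding, a one-line comment saying so would spare the next reader the same confusion. The text between `Definition check_args` and `Proof using curve_good.` is garbled in this rendering, so the argument checks themselves could not be reviewed here.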
@@ -1,125 +0,0 @@ -Require Import Coq.ZArith.ZArith. -Require Import Coq.QArith.QArith. -Require Import Coq.QArith.Qround. -Require Import Coq.Strings.String. -Require Import Coq.derive.Derive. -Require Import Coq.Lists.List. -Require Import Crypto.Util.ZRange. -Require Crypto.Stringification.C. -Require Crypto.Stringification.Go. -Require Crypto.Stringification.Java. -Require Import Crypto.BoundsPipeline. -(* Require Import Crypto.Util.ZUtil.ModInv. *) - -Require Import Crypto.Arithmetic.UniformWeight. -Require Import Coq.micromega.Lia. -Require Import Crypto.Algebra.Ring. -Require Import Crypto.Util.Decidable. -Require Import Coq.ZArith.Znat. - -Require Import Crypto.Util.CPSUtil. -Require Import Crypto.Util.CPSNotations. -Require Import Crypto.ArithmeticCPS.Core. -Require Import Crypto.ArithmeticCPS.ModOps. -Require Import Crypto.ArithmeticCPS.Saturated. -Import CPSBindNotations. -Local Open Scope cps_scope. - -Require Import Crypto.Util.Notations. -Local Open Scope string_scope. -Local Open Scope list_scope. -Import ListNotations. Local Open Scope Z_scope. - -Import - AbstractInterpretation.Compilers - Language.Compilers - Language.API.Compilers. - -Import Language.API.Compilers.API. - -Local Coercion Z.of_nat : nat >-> Z. -Local Coercion QArith_base.inject_Z : Z >-> Q. -Local Coercion Z.pos : positive >-> Z. - -Local Existing Instance default_low_level_rewriter_method. -Local Existing Instance AbstractInterpretation.default_Options. -Local Instance : unfold_value_barrier_opt := true. -Local Instance : assembly_hints_lines_opt := []. -Local Instance : ignore_unique_asm_names_opt := false. -Local Existing Instance default_language_naming_conventions. -Local Existing Instance default_documentation_options. -Local Instance : package_name_opt := None. -Local Instance : class_name_opt := None. - -Local Existing Instance default_output_options. - -Module tmp (Import RT : Runtime). - - Module Import Deps. - Module Positional := Positional RT. - Module Rows := Rows RT. 
- End Deps. - - Section __. - - Let s := 2^255. - Let c := [(1, 19)]. - Let machine_wordsize := 64. - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := 2 * n. - Let w : nat -> Z := weight machine_wordsize 1. - Let up_bound := 2 ^ (machine_wordsize / 4). - Let base : Z := 2 ^ machine_wordsize. - - Check Rows.mulmod_cps. - Definition x w base s c n nreductions p q := - Rows.mulmod_cps w base s c n nreductions p q _ id. - Check x. - Print x. - - Import Stringification.C.Compilers. - Import Stringification.C.Compilers.ToString. - - Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. - Local Instance : only_signed_opt := false. - Local Instance : no_select_opt := false. - Local Instance : static_opt := true. - Local Instance : internal_static_opt := true. - Local Instance : inline_opt := true. - Local Instance : inline_internal_opt := true. - Local Instance : use_mul_for_cmovznz_opt := false. - Local Instance : emit_primitives_opt := true. - Local Instance : should_split_mul_opt := false. - Local Instance : should_split_multiret_opt := false. - Local Instance : widen_carry_opt := false. - Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) - Let possible_values := prefix_with_carry [machine_wordsize]. - Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) - Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. - Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. - Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. 
- - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (x w base s c n 4) in - exact r) - (fun _ _ => []) - (Some (repeat bound (2*n)), tt) - (Some (repeat bound (n))) - (None, tt) - (None) - : Pipeline.ErrorT _). - - End __. - -End tmp. From 7dbaae616084b74a8cc03edc9583a75c17bc1017 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Wed, 3 Aug 2022 00:08:14 -0400 Subject: [PATCH 36/69] reifying solinas reduction for cli --- src/Arithmetic/SolinasReduction.v | 7 ++-- src/PushButtonSynthesis/SolinasReduction.v | 6 +-- .../SolinasReductionReificationCache.v | 39 +++++++++++++++++++ 3 files changed, 46 insertions(+), 6 deletions(-) create mode 100644 src/PushButtonSynthesis/SolinasReductionReificationCache.v diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index 6cdb020e46..d5485eb53d 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -58,7 +58,7 @@ Local Coercion Z.of_nat : nat >-> Z. Local Coercion QArith_base.inject_Z : Z >-> Q. Local Coercion Z.pos : positive >-> Z. -Module solinas_reduction. +Module SolinasReduction. Import Core.Associational. Import Core.Positional. @@ -959,8 +959,9 @@ Module solinas_reduction. Qed. Definition mulmod base s c n (p q : list Z) := - ltac:(let x := (eval cbv beta delta [mulmod_cps mul_no_reduce_cps reduce_full_cps reduce1_cps] in (@mulmod_cps (list Z) base s c n p q id)) in + ltac:(let x := (eval cbv beta delta [mulmod_cps mul_no_reduce_cps reduce_full_cps reduce1_cps id] in (@mulmod_cps (list Z) base s c n p q id)) in exact x). + Print mulmod. Lemma mulmod_unfold base s c n : forall p q, mulmod' base s c n p q = mulmod_cps base s c n p q id. @@ -2130,4 +2131,4 @@ Finished transaction in 25.313 secs (25.202u,0.107s) (successful) End compile. -End solinas_reduction. +End SolinasReduction. 
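Review bot: `Print mulmod.` added after `Definition mulmod` in `Arithmetic/SolinasReduction.v` is an interactive debugging vernacular that dumps the fully unfolded term on every build of the library; drop the line, or leave it behind a comment such as `(* Print mulmod. *)`, before this lands. Adding `id` to the `cbv beta delta` unfold list is a reasonable change on its own. The enclosing module continues outside the hunk.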
diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v
index 00e8af1817..ef3899a32e 100644
--- a/src/PushButtonSynthesis/SolinasReduction.v
+++ b/src/PushButtonSynthesis/SolinasReduction.v
@@ -26,12 +26,12 @@ Require Import Crypto.Stringification.Language.
 Require Import Crypto.Arithmetic.Core.
 Require Import Crypto.Arithmetic.ModOps.
 Require Import Crypto.Arithmetic.Saturated.
-(* Require Import Crypto.Arithmetic.SolinasReduction. *)
+Require Import Crypto.Arithmetic.SolinasReduction.
 Require Import Crypto.BoundsPipeline.
 Require Import Crypto.COperationSpecifications.
 Require Import Crypto.PushButtonSynthesis.ReificationCache.
 Require Import Crypto.PushButtonSynthesis.Primitives.
-Require Import Crypto.PushButtonSynthesis.SaturatedSolinasReificationCache.
+(* Require Import Crypto.PushButtonSynthesis.SaturatedSolinasReificationCache. *)
 Require Import Crypto.Assembly.Equivalence.
 Import ListNotations.
 Local Open Scope string_scope. Local Open Scope Z_scope. Local Open Scope list_scope. Local Open Scope bool_scope.
@@ -45,7 +45,7 @@ Import Compilers.API.
 Import COperationSpecifications.Primitives.
 Import COperationSpecifications.Solinas.
-Import COperationSpecifications.SaturatedSolinas.
+Import COperationSpecifications.SolinasReduction.
 Import Associational Positional.
diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v
new file mode 100644
index 0000000000..f760173168
--- /dev/null
+++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v
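Review bot: The first hunk comments out the `SaturatedSolinasReificationCache` require but adds no require of the new `PushButtonSynthesis.SolinasReductionReificationCache`, so `reified_mul_gen`, which `mul` and the `Local Opaque reified_mul_gen` declaration (both below the hunk) refer to, no longer has a provider in this file; add `Require Import Crypto.PushButtonSynthesis.SolinasReductionReificationCache.` next to the other cache imports. Likewise, the second hunk's switch to `Import COperationSpecifications.SolinasReduction` brings `mulmod_correct` into scope, whereas the `smul` docstring and the `Lemma mul_correct` further down (outside the hunk) still spell the spec `mul_correct`; either rename the spec or update those two uses so the file elaborates. Both hunks sit in the file header; the definitions they affect follow them.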
@@ -0,0 +1,39 @@ +(** * Push-Button Synthesis of Solinas Reduction: Reification Cache *) +Require Import Coq.QArith.QArith_base Coq.QArith.Qround. +Require Import Coq.ZArith.ZArith. +Require Import Coq.derive.Derive. +Require Import Crypto.Arithmetic.Core. +Require Import Crypto.Arithmetic.ModOps. +Require Import Crypto.Arithmetic.Saturated. +Require Import Crypto.Arithmetic.SolinasReduction. +Require Import Crypto.PushButtonSynthesis.ReificationCache. +Local Open Scope Z_scope. + +(* Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) *) + +Module Export SolinasReductionCache. + + Print SolinasReduction.mulmod. + + Compute ltac:(let t := SolinasReduction.mulmod' in exact t). + + Definition mulmod + (base s : Z) + (c : list (Z * Z)) + (n : nat) + := @SolinasReduction.mulmod base s c n. + Print mulmod. + Time Compute ltac:(let t := mulmod in exact t). + + Derive reified_mul_gen + SuchThat (is_reification_of reified_mul_gen mulmod) + As reified_mul_gen_correct. + Proof. Time cache_reify (). Time Qed. +#[global] + Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_mul_gen_correct) : reify_cache_gen. +#[global] + Hint Immediate (proj2 reified_mul_gen_correct) : wf_gen_cache. +#[global] + Hint Rewrite (proj1 reified_mul_gen_correct) : interp_gen_cache. + Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *) +End SolinasReduction. From d90e757a628f12eb6b7cb5f8ef5d5cd995f3aecc Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Wed, 3 Aug 2022 23:19:56 -0400 Subject: [PATCH 37/69] update --- .../SolinasReductionReificationCache.v | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v index f760173168..22e41c0250 100644 --- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v 
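Review bot: The module opened as `Module Export SolinasReductionCache.` is closed with `End SolinasReduction.`, which Coq rejects as a mismatched module end, so this new file cannot compile as committed; the closing line should read `End SolinasReductionCache.`. The file also carries `Print SolinasReduction.mulmod.`, `Compute ltac:(...)`, `Print mulmod.` and `Time Compute ltac:(...)`, which are interactive exploration commands that re-print the unfolded term at every build and belong in a scratch file rather than in a cache module that other files `Require`. The header comment `(** * Push-Button Synthesis of Solinas Reduction: Reification Cache *)` is good; a sentence under it naming what `reified_mul_gen` caches and which hint databases (`reify_cache_gen`, `wf_gen_cache`, `interp_gen_cache`) consume it would complete the documentation.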
+++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v @@ -9,25 +9,24 @@ Require Import Crypto.Arithmetic.SolinasReduction. Require Import Crypto.PushButtonSynthesis.ReificationCache. Local Open Scope Z_scope. -(* Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) *) +Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) Module Export SolinasReductionCache. - Print SolinasReduction.mulmod. + Import SolinasReduction.SolinasReduction. - Compute ltac:(let t := SolinasReduction.mulmod' in exact t). - - Definition mulmod - (base s : Z) + Definition mul + (base : Z) + (s : Z) (c : list (Z * Z)) - (n : nat) - := @SolinasReduction.mulmod base s c n. - Print mulmod. - Time Compute ltac:(let t := mulmod in exact t). + (n: nat) + := mulmod base s c n. + Check mul. + Print mul. - Derive reified_mul_gen - SuchThat (is_reification_of reified_mul_gen mulmod) - As reified_mul_gen_correct. + Derive reified_solred_gen + SuchThat (is_reification_of reified_solred_gen mul) + As reified_solred_gen_correct. Proof. Time cache_reify (). Time Qed. #[global] Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_mul_gen_correct) : reify_cache_gen. From 947723e10076cc2573d63bd182dc09156dc3cf7c Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Wed, 10 Aug 2022 13:31:44 -0400 Subject: [PATCH 38/69] add list of identifiers to cache reify --- src/Arithmetic/SolinasReduction.v | 21 ++++ .../SolinasReductionReificationCache.v | 105 ++++++++++++++++-- 2 files changed, 116 insertions(+), 10 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index d5485eb53d..0b123189ca 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v 
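Review bot: The `Derive` is renamed to `reified_solred_gen` / `reified_solred_gen_correct` and now reifies `mul`, but the context line immediately below it still registers `apply_cached_reification mulmod (proj1 reified_mul_gen_correct)` in `reify_cache_gen`, and the `Hint Immediate` / `Hint Rewrite` / `Local Opaque` lines further down (outside the hunk) presumably still name `reified_mul_gen_correct` and `reified_mul_gen` as well. The `Hint Immediate` and `Hint Rewrite` terms are elaborated at declaration and will fail the build on the unbound name; the `Hint Extern` body is elaborated only when the hint fires, so that one would instead fail at the first caller relying on the cache. Rename all four in the same commit, e.g. `Hint Extern 1 (_ = _) => apply_cached_reification mul (proj1 reified_solred_gen_correct) : reify_cache_gen.` and `Hint Immediate (proj2 reified_solred_gen_correct) : wf_gen_cache.`. The `Check mul.` / `Print mul.` lines are debugging output that should not stay in a library file.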
@@ -899,6 +899,20 @@ Module SolinasReduction. else f (add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)). + Definition reduce1' base s c n m p := + ltac:(let x := (eval cbv beta delta [reduce1_cps id] in (@reduce1_cps (list Z) base s c n m p id)) in + exact x). + Print reduce1'. + + Definition reduce2_cps {T} base s c n (p : list Z) (f : list Z -> T):= + (r1 <- reduce1_cps base s c (2*n) (S n) p; + reduce1_cps base s c (S n) (S n) r1 f). + + Definition reduce2' base s c n p := + ltac:(let x := (eval cbv beta delta [reduce2_cps reduce1_cps id] in (@reduce2_cps (list Z) base s c n p id)) in + exact x). + Print reduce2'. + Lemma reduce1_cps_ok {T} base s c n m (f : list Z -> T) : forall p, reduce1_cps base s c n m p f = f (reduce1 base s c n m p). Proof. @@ -917,6 +931,11 @@ Module SolinasReduction. else f (add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1)))). + Definition reduce_full' base s c n p := + ltac:(let x := (eval cbv beta delta [reduce_full_cps reduce1_cps id] in (@reduce_full_cps (list Z) base s c n p id)) in + exact x). + Print reduce_full'. + Lemma reduce_full_cps_ok {T} base s c n (f : list Z -> T) : forall p, reduce_full_cps base s c n p f = f (reduce_full base s c n p). Proof. @@ -1828,6 +1847,7 @@ Module SolinasReduction. End __. + (* Section compile. Let s := 2^255. @@ -2130,5 +2150,6 @@ Finished transaction in 25.313 secs (25.202u,0.107s) (successful) *) End compile. + *) End SolinasReduction. diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v index 22e41c0250..3c750aa825 100644 --- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v +++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v 
@@ -11,25 +11,110 @@ Local Open Scope Z_scope. Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) +Require Import Coq.Relations.Relation_Definitions. +Require Import Crypto.Util.Tactics.Head. +Require Import Crypto.Util.Tactics.SubstEvars. +Require Import Crypto.Language.API. +Require Import Rewriter.Language.Wf. + +Require Import Coq.Strings.String. +Require Import Coq.ZArith.ZArith. +Require Import Crypto.Util.ListUtil Coq.Lists.List. +Require Import Crypto.Util.ZRange. +Require Import Crypto.Util.ZUtil.Definitions. +Require Import Crypto.Language.PreExtra. + +(* Require Import Rewriter.Language.Reify. *) +(* Require Import Crypto.Language.APINotations. *) + +Import + Language.API.Compilers + Language.Wf.Compilers. + Module Export SolinasReductionCache. Import SolinasReduction.SolinasReduction. + Ltac reify := API.Compilers.API.Reify. + (* Ltac PreCommon.Pre.reify_debug_level ::= constr:(2%nat). *) - Definition mul - (base : Z) - (s : Z) - (c : list (Z * Z)) - (n: nat) - := mulmod base s c n. - Check mul. - Print mul. + (* Time Compute ltac:(let x := reify (reduce_full) in exact x). *) + + Ltac cache_reify' _ := + intros; + etransitivity; + [ + | repeat match goal with |- _ = ?f' ?x => is_var x; apply (f_equal (fun f => f _)) end; + Reify_rhs (); + reflexivity ]; + subst_evars; + reflexivity. + + Print reduce2'. 
+ + Strategy -500 [Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by + Crypto.Arithmetic.Saturated.Columns.cons_to_nth + Coq.ZArith.BinInt.Z.to_hex_int + Crypto.Arithmetic.Saturated.Rows.extract_row + Crypto.Arithmetic.Saturated.Associational.sat_multerm + Crypto.Arithmetic.Saturated.Rows.flatten' + Coq.Init.Nat.to_hex_uint + Coq.ZArith.BinInt.Z.to_int + Coq.Init.Nat.to_little_hex_uint + Crypto.Arithmetic.Saturated.Rows.from_columns + Crypto.Arithmetic.Saturated.Rows.adjust_s + Crypto.Arithmetic.SolinasReduction.SolinasReduction.fold_andb_map' + Coq.Init.Nat.to_uint + Crypto.Arithmetic.Core.Associational.split + Coq.Init.Decimal.rev + Coq.Init.Hexadecimal.revapp + Crypto.Arithmetic.Saturated.Columns.from_associational + Crypto.Arithmetic.SolinasReduction.SolinasReduction.sat_reduce + Coq.Init.Datatypes.andb + Coq.PArith.BinPos.Pos.to_little_hex_uint + Coq.PArith.BinPos.Pos.to_little_uint + Crypto.Arithmetic.SolinasReduction.SolinasReduction.mulmod + Coq.Init.Decimal.Little.double + Coq.Lists.List.tl + Crypto.Arithmetic.Core.Positional.place + Crypto.Arithmetic.Saturated.Rows.sum_rows' + Crypto.Arithmetic.Core.Positional.add_to_nth + Coq.Init.Decimal.Little.succ + Crypto.Arithmetic.Core.Positional.to_associational + Coq.Init.Nat.to_num_uint + Coq.Init.Hexadecimal.Little.succ + Coq.Init.Nat.to_num_hex_uint + Crypto.Arithmetic.SolinasReduction.SolinasReduction.dual_map + Crypto.Arithmetic.Saturated.Rows.from_columns' + Coq.Init.Hexadecimal.Little.double + Crypto.Arithmetic.UniformWeight.uweight + Crypto.Arithmetic.Saturated.Associational.sat_mul + Coq.Init.Datatypes.nat_rect + Coq.Init.Nat.to_little_uint + Crypto.Arithmetic.Saturated.Associational.sat_multerm_const + Crypto.Arithmetic.Saturated.Columns.nils + Crypto.Arithmetic.Saturated.Rows.max_column_size + Crypto.Arithmetic.Saturated.Rows.sum_rows + Crypto.Arithmetic.ModOps.weight + Coq.Init.Decimal.revapp + Crypto.Arithmetic.Saturated.Associational.sat_mul_const + Coq.Lists.List.hd + 
Coq.ZArith.BinInt.Z.to_num_int + Crypto.Arithmetic.Saturated.Rows.from_associational + Coq.PArith.BinPos.Pos.to_uint + Rewriter.Util.LetIn.Let_In + Crypto.Arithmetic.Core.Positional.zeros + Coq.PArith.BinPos.Pos.to_hex_uint + Coq.ZArith.BinInt.Z.to_num_hex_int + Coq.Init.Hexadecimal.rev + Crypto.Arithmetic.Saturated.Rows.flatten]. Derive reified_solred_gen - SuchThat (is_reification_of reified_solred_gen mul) + SuchThat (is_reification_of reified_solred_gen reduce_full') As reified_solred_gen_correct. Proof. Time cache_reify (). Time Qed. + #[global] - Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_mul_gen_correct) : reify_cache_gen. + Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_solred_gen) : reify_cache_gen. #[global] Hint Immediate (proj2 reified_mul_gen_correct) : wf_gen_cache. #[global] From 841a8faf6215c54a1fb5a9ac849e7a4231c6c36f Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 14 Aug 2022 03:48:55 -0400 Subject: [PATCH 39/69] update CLI for solinas reduction --- src/CLI.v | 36 ++++++++ src/COperationSpecifications.v | 3 +- src/PushButtonSynthesis/SolinasReduction.v | 86 +++++++++++-------- .../SolinasReductionReificationCache.v | 48 ++--------- 4 files changed, 95 insertions(+), 78 deletions(-) diff --git a/src/CLI.v b/src/CLI.v index db4edf335d..7d07fb75d6 100644 --- a/src/CLI.v +++ b/src/CLI.v @@ -22,6 +22,7 @@ Require Crypto.PushButtonSynthesis.SaturatedSolinas. Require Crypto.PushButtonSynthesis.UnsaturatedSolinas. Require Crypto.PushButtonSynthesis.WordByWordMontgomery. Require Crypto.PushButtonSynthesis.BaseConversion. +Require Crypto.PushButtonSynthesis.SolinasReduction. Require Import Crypto.UnsaturatedSolinasHeuristics. Require Import Crypto.Stringification.Language. Require Import Crypto.Stringification.C. 
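Review bot: The rewritten `reify_cache_gen` hint passes `proj1 reified_solred_gen`, but `reified_solred_gen` is the derived expression; the conjunction `proj1` needs is `reified_solred_gen_correct`, and because a `Hint Extern` body is only elaborated when the hint fires this compiles cleanly and then fails (or is silently skipped) at the first use of the cache. The same hint registers the cache for `mulmod` while the `Derive` now reifies `reduce_full'`, and the `Hint Immediate (proj2 reified_mul_gen_correct)` context line below it still names a lemma this file no longer defines. Suggested: `Hint Extern 1 (_ = _) => apply_cached_reification reduce_full' (proj1 reified_solred_gen_correct) : reify_cache_gen.` and `Hint Immediate (proj2 reified_solred_gen_correct) : wf_gen_cache.`. The `proj1 reified_solmul_gen` form (missing `_correct`) survives into the patch 39 hunk `@@ -108,16 +76,16 @@` of this file, where the two neighbouring hints do use `reified_solmul_gen_correct`. A short comment above `Strategy -500 [...]` stating what the list of constants is for would also help, since the list is otherwise opaque to a reader.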
@@ -1114,6 +1115,41 @@ Module ForExtraction. := Parameterized.PipelineMain argv. End SaturatedSolinas. + Module SolinasReduction. + Local Instance api : PipelineAPI + := { + spec := + {| Arg.named_args := [] + ; Arg.anon_args := [sc_spec] + ; Arg.anon_opt_args := [] + ; Arg.anon_opt_repeated_arg := Some (function_to_synthesize_spec SolinasReduction.valid_names) |}; + + parse_args opts args + := let '(tt, (str_sc, (s, c)), tt, requests) := args in + let show_requests := match requests with nil => "(all)" | _ => String.concat ", " requests end in + inl ((str_sc, show_requests), + (s, c, requests)); + + show_lines_args := + fun '((str_sc, show_requests), + (s, c, requests)) + => ["requested operations: " ++ show_requests; + "s-c = " ++ PowersOfTwo.show_Z s ++ " - " ++ show_c c ++ " (from """ ++ str_sc ++ """)"]; + + Synthesize + := fun _ opts '(s, c, requests) comment_header prefix + => SolinasReduction.Synthesize s c comment_header prefix requests + }. + + Definition PipelineMain + {supported_languages : supported_languagesT} + {A} + {io_driver : IODriverAPI A} + (argv : list string) + : A + := Parameterized.PipelineMain argv. + End SolinasReduction. + Module BaseConversion. Local Instance api : PipelineAPI := { diff --git a/src/COperationSpecifications.v b/src/COperationSpecifications.v index dba50ac35a..4a253326ef 100644 --- a/src/COperationSpecifications.v +++ b/src/COperationSpecifications.v @@ -509,7 +509,8 @@ Module SolinasReduction. list_Z_bounded_by saturated_bounds x -> list_Z_bounded_by saturated_bounds y -> ((eval (mulmod x y)) mod m = (eval x * eval y) mod m) /\ - (is_bounded_by saturated_bounds (mulmod x y) = true). + (list_Z_bounded_by saturated_bounds (mulmod x y)). + End __. End SolinasReduction. diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index ef3899a32e..9179942a55 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v 
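Review bot: The new `SolinasReduction` CLI module accepts only `sc_spec` as an anonymous argument, and the synthesis it calls (`SolinasReduction.Synthesize s c comment_header prefix requests`) fixes the word size via `Context (machine_wordsize := 64)` in hunk `@@ -86,8 +88,8 @@` of `src/PushButtonSynthesis/SolinasReduction.v`, which replaces the former `machine_wordsize_opt` parameter. As committed a user cannot request a 32-bit instantiation, and the banner built by `show_lines_args` never records that 64 was assumed, so the generated file's header does not document the limitation. Either accept the machine-wordsize argument as the sibling backends appear to, or at minimum add a line such as `"machine_wordsize = 64 (fixed)"` to the `show_lines_args` list and a comment on the `Context (machine_wordsize := 64)` line explaining why the value is hardcoded. The check_args hunk in the same file also drops the old `0 < machine_wordsize` condition, which is consistent with the hardcoding but worth stating in that comment.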
@@ -31,7 +31,8 @@ Require Import Crypto.BoundsPipeline. Require Import Crypto.COperationSpecifications. Require Import Crypto.PushButtonSynthesis.ReificationCache. Require Import Crypto.PushButtonSynthesis.Primitives. -(* Require Import Crypto.PushButtonSynthesis.SaturatedSolinasReificationCache. *) +Require Import Crypto.PushButtonSynthesis.SaturatedSolinasReificationCache. +Require Import Crypto.PushButtonSynthesis.SolinasReductionReificationCache. Require Import Crypto.Assembly.Equivalence. Import ListNotations. Local Open Scope string_scope. Local Open Scope Z_scope. Local Open Scope list_scope. Local Open Scope bool_scope. @@ -48,6 +49,7 @@ Import COperationSpecifications.Solinas. Import COperationSpecifications.SolinasReduction. Import Associational Positional. +Import SolinasReduction. Local Coercion Z.of_nat : nat >-> Z. Local Coercion QArith_base.inject_Z : Z >-> Q. @@ -55,7 +57,7 @@ Local Coercion Z.pos : positive >-> Z. Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) -Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *) +Local Opaque reified_solmul_gen. (* needed for making [autorewrite] not take a very long time *) (* needed for making [autorewrite] with [Set Keyed Unification] fast *) Local Opaque expr.Interp. @@ -86,8 +88,8 @@ Section __. {assembly_conventions : assembly_conventions_opt} {error_on_unused_assembly_functions : error_on_unused_assembly_functions_opt} (s : Z) - (c : list (Z * Z)) - (machine_wordsize : machine_wordsize_opt). + (c : list (Z * Z)). + Context (machine_wordsize := 64). Local Existing Instance widen_bytes. 
@@ -98,19 +100,10 @@ Section __. Definition n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). Definition m := s - Associational.eval c. - (* Number of reductions is calculated as follows : - Let i be the highest limb index of c. Then, each reduction - decreases the number of extra limbs by (n-i-1). (The -1 comes - from possibly having an extra high partial product at the end - of a reduction.) So, to go from the n extra limbs we have - post-multiplication down to 0, we need ceil (n / (n - i - 1)) - reductions. In some cases. however, [n - i <= 1], and in - this case, we do [n] reductions (is this enough?). *) - Definition nreductions : nat := - let i := fold_right Z.max 0 (List.map (fun t => Z.log2 (fst t) / machine_wordsize) c) in - if Z.of_nat n - i <=? 1 - then n - else Z.to_nat (Qceiling (Z.of_nat n / (Z.of_nat n - i - 1))). + Definition weight := UniformWeight.uweight machine_wordsize. + Definition up_bound := 2 ^ (machine_wordsize / 4). + Definition base := 2 ^ machine_wordsize. + Let possible_values := possible_values_of_machine_wordsize. Definition bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. Definition boundsn : list (ZRange.type.option.interp base.type.Z) 
@@ -127,13 +120,19 @@ Section __. := check_args_of_list (List.map (fun v => (true, v)) - [((0 0 - /\ s <> 0 - /\ 0 < machine_wordsize - /\ n <> 0%nat. + : (n > 1)%nat /\ + s > 0 /\ + Associational.eval c > 0 /\ + s - Associational.eval c <> 0 /\ + base <> 0 /\ + Rows.adjust_s weight (S (S n)) s = (weight n, true) /\ + weight n / s * Associational.eval c < up_bound. Proof using curve_good. prepare_use_curve_good (). { use_curve_good_t. } + { use_curve_good_t. } + { unfold base. + use_curve_good_t. } + { lazymatch goal with + | |- ?x = _ => rewrite surjective_pairing with (p:=x) + end. + repeat match goal with + | H : ?x = _ |- (?x, _) = _ => rewrite H + | H : ?x = _ |- (_, ?x) = _ => rewrite H + end. + auto. } Qed. - Local Notation weightf := (weight machine_wordsize 1). - Local Notation evalf := (eval weightf n). + Local Notation evalf := (eval weight n). Local Notation notations_for_docstring := (CorrectnessStringification.dyn_context.cons - weightf "weight" + evalf "eval" (CorrectnessStringification.dyn_context.cons - evalf "eval" + weight "weight" CorrectnessStringification.dyn_context.nil))%string. Local Notation "'docstring_with_summary_from_lemma!' summary correctness" := (docstring_with_summary_from_lemma_with_ctx! @@ -176,10 +187,13 @@ Section __. false (* subst01 *) None (* fancy *) possible_values - (reified_mul_gen - @ GallinaReify.Reify s @ GallinaReify.Reify c @ GallinaReify.Reify (machine_wordsize:Z) @ GallinaReify.Reify n @ GallinaReify.Reify nreductions) + (reified_solmul_gen + @GallinaReify.Reify base + @GallinaReify.Reify s + @GallinaReify.Reify c + @GallinaReify.Reify n ) (Some boundsn, (Some boundsn, tt)) - (Some boundsn, None (* Should be: Some r[0~>0]%zrange, but bounds analysis is not good enough *) ). + (Some boundsn). Definition smul (prefix : string) : string * (Pipeline.ErrorT (Pipeline.ExtendedSynthesisResult _)) 
@@ -188,21 +202,20 @@ Section __. machine_wordsize prefix "mul" mul (docstring_with_summary_from_lemma! (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string) - (mul_correct weightf n m boundsn)). + (mulmod_correct weight n m boundsn)). Local Ltac solve_extra_bounds_side_conditions := cbn [lower upper fst snd] in *; Bool.split_andb; Z.ltb_to_lt; lia. Hint Rewrite - (fun pf => @Rows.eval_mulmod (weight machine_wordsize 1) (@wprops _ _ pf)) - using solve [ auto with zarith | congruence | solve_extra_bounds_side_conditions ] : push_eval. + (fun pf => @SolinasReduction.SolinasReduction.mulmod_correct (@wprops _ _ pf)) using solve [ auto with zarith | congruence | solve_extra_bounds_side_conditions ] : push_eval. Hint Unfold mulmod : push_eval. Local Ltac prove_correctness _ := Primitives.prove_correctness use_curve_good. Lemma mul_correct res (Hres : mul = Success res) - : mul_correct (weight machine_wordsize 1) n m boundsn (Interp res). + : mulmod_correct weight n m boundsn (Interp res). Proof using curve_good. prove_correctness (). Qed. Lemma Wf_mul res (Hres : mul = Success res) : Wf res. @@ -228,8 +241,7 @@ Section __. (comment_header ++ [""; "Computed values:"; - ""; - " # reductions = " ++ show nreductions]%string))) + ""]%string))) function_name_prefix requests. End for_stringification. End __. diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v index 3c750aa825..e83befaeef 100644 --- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v +++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v 
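Review bot: Removing the `" # reductions = " ++ show nreductions` entry in hunk `@@ -228,8 +241,7 @@` leaves `comment_header` with a `"Computed values:"` heading followed only by `""`, so every generated file now carries an empty "Computed values:" section (the committed `curve25519_solinas_64.c.tmp` header later in this series shows exactly that). Either drop the two heading lines or print something the reader can use, e.g. `" n = " ++ show n`, mirroring the line that was removed. The `for_stringification` section this sits in starts outside the hunk.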
@@ -11,22 +11,6 @@ Local Open Scope Z_scope. Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) -Require Import Coq.Relations.Relation_Definitions. -Require Import Crypto.Util.Tactics.Head. -Require Import Crypto.Util.Tactics.SubstEvars. -Require Import Crypto.Language.API. -Require Import Rewriter.Language.Wf. - -Require Import Coq.Strings.String. -Require Import Coq.ZArith.ZArith. -Require Import Crypto.Util.ListUtil Coq.Lists.List. -Require Import Crypto.Util.ZRange. -Require Import Crypto.Util.ZUtil.Definitions. -Require Import Crypto.Language.PreExtra. - -(* Require Import Rewriter.Language.Reify. *) -(* Require Import Crypto.Language.APINotations. *) - Import Language.API.Compilers Language.Wf.Compilers. @@ -34,22 +18,6 @@ Import Module Export SolinasReductionCache. Import SolinasReduction.SolinasReduction. - Ltac reify := API.Compilers.API.Reify. - (* Ltac PreCommon.Pre.reify_debug_level ::= constr:(2%nat). *) - - (* Time Compute ltac:(let x := reify (reduce_full) in exact x). *) - - Ltac cache_reify' _ := - intros; - etransitivity; - [ - | repeat match goal with |- _ = ?f' ?x => is_var x; apply (f_equal (fun f => f _)) end; - Reify_rhs (); - reflexivity ]; - subst_evars; - reflexivity. - - Print reduce2'. Strategy -500 [Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by Crypto.Arithmetic.Saturated.Columns.cons_to_nth 
@@ -108,16 +76,16 @@ Module Export SolinasReductionCache. Coq.Init.Hexadecimal.rev Crypto.Arithmetic.Saturated.Rows.flatten]. - Derive reified_solred_gen - SuchThat (is_reification_of reified_solred_gen reduce_full') - As reified_solred_gen_correct. + Derive reified_solmul_gen + SuchThat (is_reification_of reified_solmul_gen mulmod) + As reified_solmul_gen_correct. Proof. Time cache_reify (). Time Qed. #[global] - Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_solred_gen) : reify_cache_gen. + Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_solmul_gen) : reify_cache_gen. #[global] - Hint Immediate (proj2 reified_mul_gen_correct) : wf_gen_cache. + Hint Immediate (proj2 reified_solmul_gen_correct) : wf_gen_cache. #[global] - Hint Rewrite (proj1 reified_mul_gen_correct) : interp_gen_cache. - Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *) -End SolinasReduction. + Hint Rewrite (proj1 reified_solmul_gen_correct) : interp_gen_cache. + Local Opaque reified_solmul_gen. (* needed for making [autorewrite] not take a very long time *) +End SolinasReductionCache. From ee3ab4253c4ea6b4087e4a06ab71486eb34e0bc4 Mon Sep 17 00:00:00 2001 
From: Samuel Tian Date: Sun, 14 Aug 2022 17:15:01 -0400 Subject: [PATCH 40/69] updated more CLI files --- Makefile.config | 2 +- Makefile.examples | 5 +++++ src/Bedrock/Standalone/StandaloneHaskellMain.v | 10 ++++++++++ src/Bedrock/Standalone/StandaloneOCamlMain.v | 10 ++++++++++ src/ExtractionOCaml/bedrock2_solinas_reduction.v | 4 ++++ src/ExtractionOCaml/solinas_reduction.v | 3 +++ src/ExtractionOCaml/with_bedrock2_solinas_reduction.v | 4 ++++ src/StandaloneHaskellMain.v | 5 +++++ src/StandaloneOCamlMain.v | 5 +++++ 9 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 src/ExtractionOCaml/bedrock2_solinas_reduction.v create mode 100644 src/ExtractionOCaml/solinas_reduction.v create mode 100644 src/ExtractionOCaml/with_bedrock2_solinas_reduction.v diff --git a/Makefile.config b/Makefile.config index 1781fb0e64..2fc1fb421f 100644 --- a/Makefile.config +++ b/Makefile.config @@ -50,7 +50,7 @@ else if_SKIP_BEDROCK2 = $(1) endif -BASE_STANDALONE := unsaturated_solinas saturated_solinas word_by_word_montgomery base_conversion +BASE_STANDALONE := unsaturated_solinas saturated_solinas solinas_reduction word_by_word_montgomery base_conversion BEDROCK2_STANDALONE := $(addprefix bedrock2_,$(BASE_STANDALONE)) $(addprefix with_bedrock2_,$(BASE_STANDALONE)) STANDALONE := $(BASE_STANDALONE) $(call if_SKIP_BEDROCK2,,$(BEDROCK2_STANDALONE) $(WITH_BEDROCK2_STANDALONE)) PERF_STANDALONE := perf_unsaturated_solinas perf_word_by_word_montgomery diff --git a/Makefile.examples b/Makefile.examples index 7afd1b3da0..be126b676f 100644 --- a/Makefile.examples +++ b/Makefile.examples 
@@ -87,8 +87,10 @@ endef UNSATURATED_SOLINAS_FUNCTIONS := carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax FUNCTIONS_FOR_25519 := $(UNSATURATED_SOLINAS_FUNCTIONS) carry_scmul121666 WORD_BY_WORD_MONTGOMERY_FUNCTIONS := mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +SOLINAS_REDUCTION_FUNCTIONS := mul UNSATURATED_SOLINAS := src/ExtractionOCaml/unsaturated_solinas WORD_BY_WORD_MONTGOMERY := src/ExtractionOCaml/word_by_word_montgomery +SOLINAS_REDUCTION := src/ExtractionOCaml/solinas_reduction UNSATURATED_SOLINAS_BASE_FILES := # p224_solinas_64 WORD_BY_WORD_MONTGOMERY_BASE_FILES := # p434_32 @@ -118,6 +120,8 @@ $(foreach bw,64 32,$(eval $(call add_curve_keys,p256_scalar_$(bw),WORD_BY_WORD_M $(foreach bw,64 32,$(eval $(call add_curve_keys,p384_scalar_$(bw),WORD_BY_WORD_MONTGOMERY,'p384_scalar',$(bw),'2^384 - 1388124618062372383947042015309946732620727252194336364173',$(WORD_BY_WORD_MONTGOMERY_FUNCTIONS),WORD_BY_WORD_MONTGOMERY))) $(foreach bw,64 32,$(eval $(call add_curve_keys,secp256k1_scalar_$(bw),WORD_BY_WORD_MONTGOMERY,'secp256k1_scalar',$(bw),'2^256 - 432420386565659656852420866394968145599',$(WORD_BY_WORD_MONTGOMERY_FUNCTIONS),WORD_BY_WORD_MONTGOMERY))) +$(foreach bw,64,$(eval $(call add_curve_keys,curve25519_solinas_$(bw),SOLINAS_REDUCTION,'curve25519_solinas',$(bw),'2^255 - 19',$(SOLINAS_REDUCTION_FUNCTIONS),SOLINAS_REDUCTION))) + # Files taking 30s or less LITE_BASE_FILES := curve25519_64 poly1305_64 poly1305_32 p256_64 secp256k1_64 p384_64 p224_32 p434_64 p448_solinas_64 secp256k1_32 p256_32 p448_solinas_32 \ curve25519_scalar_64 p256_scalar_64 secp256k1_scalar_64 p384_scalar_64 secp256k1_scalar_32 p256_scalar_32 
@@ -143,6 +147,7 @@ LITE_ZIG_FILES := $(patsubst %,$(ZIG_DIR)%.zig,$(LITE_BASE_FILES)) BEDROCK2_UNSATURATED_SOLINAS := src/ExtractionOCaml/bedrock2_unsaturated_solinas BEDROCK2_WORD_BY_WORD_MONTGOMERY := src/ExtractionOCaml/bedrock2_word_by_word_montgomery +BEDROCK2_SOLINAS_REDUCTION := src/ExtractionOCaml/bedrock2_solinas_reduction C_EXTRA_ARGS := --inline --static --use-value-barrier diff --git a/src/Bedrock/Standalone/StandaloneHaskellMain.v b/src/Bedrock/Standalone/StandaloneHaskellMain.v index c37260bf22..778459df42 100644 --- a/src/Bedrock/Standalone/StandaloneHaskellMain.v +++ b/src/Bedrock/Standalone/StandaloneHaskellMain.v @@ -29,6 +29,11 @@ Module Bedrock2First. := main_gen ForExtraction.SaturatedSolinas.PipelineMain. End SaturatedSolinas. + Module SolinasReduction. + Definition main : IO_unit + := main_gen ForExtraction.SolinasReduction.PipelineMain. + End SolinasReduction. + Module BaseConversion. Definition main : IO_unit := main_gen ForExtraction.BaseConversion.PipelineMain. @@ -58,6 +63,11 @@ Module Bedrock2Later. := main_gen ForExtraction.SaturatedSolinas.PipelineMain. End SaturatedSolinas. + Module SolinasReduction. + Definition main : IO_unit + := main_gen ForExtraction.SolinasReduction.PipelineMain. + End SolinasReduction. + Module BaseConversion. Definition main : IO_unit := main_gen ForExtraction.BaseConversion.PipelineMain. diff --git a/src/Bedrock/Standalone/StandaloneOCamlMain.v b/src/Bedrock/Standalone/StandaloneOCamlMain.v index 346a0f1208..456bf504e4 100644 --- a/src/Bedrock/Standalone/StandaloneOCamlMain.v +++ b/src/Bedrock/Standalone/StandaloneOCamlMain.v @@ -32,6 +32,11 @@ Module Bedrock2First. := main_gen ForExtraction.SaturatedSolinas.PipelineMain. End SaturatedSolinas. + Module SolinasReduction. + Definition main : unit + := main_gen ForExtraction.SolinasReduction.PipelineMain. + End SolinasReduction. + Module BaseConversion. Definition main : unit := main_gen ForExtraction.BaseConversion.PipelineMain. 
@@ -61,6 +66,11 @@ Module Bedrock2Later. := main_gen ForExtraction.SaturatedSolinas.PipelineMain. End SaturatedSolinas. + Module SolinasReduction. + Definition main : unit + := main_gen ForExtraction.SolinasReduction.PipelineMain. + End SolinasReduction. + Module BaseConversion. Definition main : unit := main_gen ForExtraction.BaseConversion.PipelineMain. diff --git a/src/ExtractionOCaml/bedrock2_solinas_reduction.v b/src/ExtractionOCaml/bedrock2_solinas_reduction.v new file mode 100644 index 0000000000..2ca765d0fb --- /dev/null +++ b/src/ExtractionOCaml/bedrock2_solinas_reduction.v @@ -0,0 +1,4 @@ +Require Import Crypto.Bedrock.Standalone.StandaloneOCamlMain. +Import Bedrock2First. + +Extraction "src/ExtractionOCaml/bedrock2_solinas_reduction.tmp" SolinasReduction.main. diff --git a/src/ExtractionOCaml/solinas_reduction.v b/src/ExtractionOCaml/solinas_reduction.v new file mode 100644 index 0000000000..6686bf841a --- /dev/null +++ b/src/ExtractionOCaml/solinas_reduction.v @@ -0,0 +1,3 @@ +Require Import Crypto.StandaloneOCamlMain. + +Extraction "src/ExtractionOCaml/solinas_reduction.tmp" SolinasReduction.main. diff --git a/src/ExtractionOCaml/with_bedrock2_solinas_reduction.v b/src/ExtractionOCaml/with_bedrock2_solinas_reduction.v new file mode 100644 index 0000000000..902958bb0d --- /dev/null +++ b/src/ExtractionOCaml/with_bedrock2_solinas_reduction.v @@ -0,0 +1,4 @@ +Require Import Crypto.Bedrock.Standalone.StandaloneOCamlMain. +Import Bedrock2Later. + +Extraction "src/ExtractionOCaml/with_bedrock2_solinas_reduction.tmp" SolinasReduction.main. diff --git a/src/StandaloneHaskellMain.v b/src/StandaloneHaskellMain.v index ac32bfa168..d5f2a6f30a 100644 --- a/src/StandaloneHaskellMain.v +++ b/src/StandaloneHaskellMain.v 
@@ -130,6 +130,11 @@ Module SaturatedSolinas. := main_gen ForExtraction.SaturatedSolinas.PipelineMain. End SaturatedSolinas. +Module SolinasReduction. + Definition main : IO_unit + := main_gen ForExtraction.SolinasReduction.PipelineMain. +End SolinasReduction. + Module BaseConversion. Definition main : IO_unit := main_gen ForExtraction.BaseConversion.PipelineMain. diff --git a/src/StandaloneOCamlMain.v b/src/StandaloneOCamlMain.v index 2d60dccec7..795af2a4c8 100644 --- a/src/StandaloneOCamlMain.v +++ b/src/StandaloneOCamlMain.v @@ -219,6 +219,11 @@ Module SaturatedSolinas. := main_gen ForExtraction.SaturatedSolinas.PipelineMain. End SaturatedSolinas. +Module SolinasReduction. + Definition main : unit + := main_gen ForExtraction.SolinasReduction.PipelineMain. +End SolinasReduction. + Module BaseConversion. Definition main : unit := main_gen ForExtraction.BaseConversion.PipelineMain. From 6100053cabe8cf0906401ca97f660d25e35b14d0 Mon Sep 17 00:00:00 2001 
From: Samuel Tian Date: Wed, 17 Aug 2022 14:36:52 -0400 Subject: [PATCH 41/69] resolved extraction issues, bedrock fails to compile --- Makefile.examples | 2 +- fiat-bedrock2/src/curve25519_solinas_64.c.tmp | 485 +++ fiat-c/src/curve25519_solinas_64.c | 337 ++ .../64/curve25519solinas/curve25519solinas.go | 241 ++ fiat-json/src/curve25519_solinas_64.json | 3767 +++++++++++++++++ fiat-rust/src/curve25519_solinas_64.rs | 309 ++ fiat-rust/src/lib.rs | 1 + fiat-zig/src/curve25519_solinas_64.zig | 320 ++ src/CLI.v | 44 +- .../bedrock2_solinas_reduction.v | 4 + src/ExtractionHaskell/solinas_reduction.v | 3 + .../with_bedrock2_solinas_reduction.v | 4 + src/PushButtonSynthesis/SolinasReduction.v | 23 +- .../SolinasReductionReificationCache.v | 134 +- src/StandaloneOCamlMain.v | 1 + 15 files changed, 5571 insertions(+), 104 deletions(-) create mode 100644 fiat-bedrock2/src/curve25519_solinas_64.c.tmp create mode 100644 fiat-c/src/curve25519_solinas_64.c create mode 100644 fiat-go/64/curve25519solinas/curve25519solinas.go create mode 100644 fiat-json/src/curve25519_solinas_64.json create mode 100644 fiat-rust/src/curve25519_solinas_64.rs create mode 100644 fiat-zig/src/curve25519_solinas_64.zig create mode 100644 src/ExtractionHaskell/bedrock2_solinas_reduction.v create mode 100644 src/ExtractionHaskell/solinas_reduction.v create mode 100644 src/ExtractionHaskell/with_bedrock2_solinas_reduction.v diff --git a/Makefile.examples b/Makefile.examples index be126b676f..9bbee201c7 100644 --- a/Makefile.examples +++ b/Makefile.examples 
@@ -87,7 +87,7 @@ endef UNSATURATED_SOLINAS_FUNCTIONS := carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax FUNCTIONS_FOR_25519 := $(UNSATURATED_SOLINAS_FUNCTIONS) carry_scmul121666 WORD_BY_WORD_MONTGOMERY_FUNCTIONS := mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp -SOLINAS_REDUCTION_FUNCTIONS := mul +SOLINAS_REDUCTION_FUNCTIONS := mulmod UNSATURATED_SOLINAS := src/ExtractionOCaml/unsaturated_solinas WORD_BY_WORD_MONTGOMERY := src/ExtractionOCaml/word_by_word_montgomery SOLINAS_REDUCTION := src/ExtractionOCaml/solinas_reduction diff --git a/fiat-bedrock2/src/curve25519_solinas_64.c.tmp b/fiat-bedrock2/src/curve25519_solinas_64.c.tmp new file mode 100644 index 0000000000..3efd3d1128 --- /dev/null +++ b/fiat-bedrock2/src/curve25519_solinas_64.c.tmp 
@@ -0,0 +1,485 @@ +check_args +/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mulmod */ +/* curve description: curve25519_solinas */ +/* machine_wordsize = 64 (from "64") */ +/* requested operations: mulmod */ +/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ +/* */ +/* Computed values: */ +/* */ + +#include +#include + +// We use memcpy to work around -fstrict-aliasing. +// A plain memcpy is enough on clang 10, but not on gcc 10, which fails +// to infer the bounds on an integer loaded by memcpy. +// Adding a range mask after memcpy in turn makes slower code in clang. +// Loading individual bytes, shifting them together, and or-ing is fast +// on clang and sometimes on GCC, but other times GCC inlines individual +// byte operations without reconstructing wider accesses. +// The little-endian idiom below seems fast in gcc 9+ and clang 10. 
+static __attribute__((always_inline)) inline uintptr_t +_br2_load(uintptr_t a, uintptr_t sz) { + switch (sz) { + case 1: { uint8_t r = 0; memcpy(&r, (void*)a, 1); return r; } + case 2: { uint16_t r = 0; memcpy(&r, (void*)a, 2); return r; } + case 4: { uint32_t r = 0; memcpy(&r, (void*)a, 4); return r; } + case 8: { uint64_t r = 0; memcpy(&r, (void*)a, 8); return r; } + default: __builtin_unreachable(); + } +} + +static __attribute__((always_inline)) inline void +_br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { + memcpy((void*)a, &v, sz); +} + + + +In fiat_curve25519_solinas_mulmod: +Stringification failed on the syntax tree: +(λ x1 x2, + let x3 := x1[3] * x2[3] (* : uint64_t *) in + let x4 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[3]))) (* : uint64_t *) in + let x5 := x1[3] * x2[2] (* : uint64_t *) in + let x6 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[2]))) (* : uint64_t *) in + let x7 := x1[3] * x2[1] (* : uint64_t *) in + let x8 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[1]))) (* : uint64_t *) in + let x9 := x1[3] * x2[0] (* : uint64_t *) in + let x10 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[0]))) (* : uint64_t *) in + let x11 := x1[2] * x2[3] (* : uint64_t *) in + let x12 := Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[3]))) (* : uint64_t *) in + let x13 := x1[2] * x2[2] (* : uint64_t *) in + let x14 := Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[2]))) (* : uint64_t *) in + let x15 := x1[2] * x2[1] (* : uint64_t *) in + let x16 := Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[1]))) (* : uint64_t *) in + let x17 := x1[2] * x2[0] (* : uint64_t *) in + let x18 := Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[0]))) (* : uint64_t *) in + let x19 := x1[1] * x2[3] (* : uint64_t *) in + let x20 := Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[3]))) (* : uint64_t *) in + let x21 := x1[1] * x2[2] (* : uint64_t *) in + let x22 := Z.mul_high((2^64), ((uint64_t)(x1[1]), 
(uint64_t)(x2[2]))) (* : uint64_t *) in + let x23 := x1[1] * x2[1] (* : uint64_t *) in + let x24 := Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[1]))) (* : uint64_t *) in + let x25 := x1[1] * x2[0] (* : uint64_t *) in + let x26 := Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[0]))) (* : uint64_t *) in + let x27 := x1[0] * x2[3] (* : uint64_t *) in + let x28 := Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[3]))) (* : uint64_t *) in + let x29 := x1[0] * x2[2] (* : uint64_t *) in + let x30 := Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[2]))) (* : uint64_t *) in + let x31 := x1[0] * x2[1] (* : uint64_t *) in + let x32 := Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[1]))) (* : uint64_t *) in + let x33 := x1[0] * x2[0] (* : uint64_t *) in + let x34 := Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[0]))) (* : uint64_t *) in + let x35 := x30 + x9 (* : uint64_t *) in + let x36 := Z.ltz((uint64_t)x35, (uint64_t)x30) (* : uint64_t *) in + let x37 := x36 + x28 (* : uint64_t *) in + let x38 := Z.ltz((uint64_t)x37, (uint64_t)x28) (* : uint64_t *) in + let x39 := x37 + x7 (* : uint64_t *) in + let x40 := Z.ltz((uint64_t)x39, (uint64_t)x7) (* : uint64_t *) in + let x41 := x38 + x40 (* : uint64_t *) in + let x42 := x41 + x20 (* : uint64_t *) in + let x43 := x35 + x15 (* : uint64_t *) in + let x44 := Z.ltz((uint64_t)x43, (uint64_t)x35) (* : uint64_t *) in + let x45 := x44 + x39 (* : uint64_t *) in + let x46 := Z.ltz((uint64_t)x45, (uint64_t)x39) (* : uint64_t *) in + let x47 := x45 + x10 (* : uint64_t *) in + let x48 := Z.ltz((uint64_t)x47, (uint64_t)x10) (* : uint64_t *) in + let x49 := x46 + x48 (* : uint64_t *) in + let x50 := x49 + x42 (* : uint64_t *) in + let x51 := Z.ltz((uint64_t)x50, (uint64_t)x42) (* : uint64_t *) in + let x52 := x51 + x12 (* : uint64_t *) in + let x53 := x32 + x17 (* : uint64_t *) in + let x54 := Z.ltz((uint64_t)x53, (uint64_t)x32) (* : uint64_t *) in + let x55 := x54 + x43 (* : uint64_t *) in + let x56 := 
Z.ltz((uint64_t)x55, (uint64_t)x43) (* : uint64_t *) in + let x57 := x55 + x18 (* : uint64_t *) in + let x58 := Z.ltz((uint64_t)x57, (uint64_t)x18) (* : uint64_t *) in + let x59 := x56 + x58 (* : uint64_t *) in + let x60 := x59 + x47 (* : uint64_t *) in + let x61 := Z.ltz((uint64_t)x60, (uint64_t)x47) (* : uint64_t *) in + let x62 := x60 + x13 (* : uint64_t *) in + let x63 := Z.ltz((uint64_t)x62, (uint64_t)x13) (* : uint64_t *) in + let x64 := x61 + x63 (* : uint64_t *) in + let x65 := x64 + x50 (* : uint64_t *) in + let x66 := Z.ltz((uint64_t)x65, (uint64_t)x50) (* : uint64_t *) in + let x67 := x65 + x5 (* : uint64_t *) in + let x68 := Z.ltz((uint64_t)x67, (uint64_t)x5) (* : uint64_t *) in + let x69 := x66 + x68 (* : uint64_t *) in + let x70 := x69 + x52 (* : uint64_t *) in + let x71 := Z.ltz((uint64_t)x70, (uint64_t)x52) (* : uint64_t *) in + let x72 := x71 + x4 (* : uint64_t *) in + let x73 := x53 + x23 (* : uint64_t *) in + let x74 := Z.ltz((uint64_t)x73, (uint64_t)x53) (* : uint64_t *) in + let x75 := x74 + x57 (* : uint64_t *) in + let x76 := Z.ltz((uint64_t)x75, (uint64_t)x57) (* : uint64_t *) in + let x77 := x75 + x21 (* : uint64_t *) in + let x78 := Z.ltz((uint64_t)x77, (uint64_t)x21) (* : uint64_t *) in + let x79 := x76 + x78 (* : uint64_t *) in + let x80 := x79 + x62 (* : uint64_t *) in + let x81 := Z.ltz((uint64_t)x80, (uint64_t)x62) (* : uint64_t *) in + let x82 := x80 + x16 (* : uint64_t *) in + let x83 := Z.ltz((uint64_t)x82, (uint64_t)x16) (* : uint64_t *) in + let x84 := x81 + x83 (* : uint64_t *) in + let x85 := x84 + x67 (* : uint64_t *) in + let x86 := Z.ltz((uint64_t)x85, (uint64_t)x67) (* : uint64_t *) in + let x87 := x85 + x8 (* : uint64_t *) in + let x88 := Z.ltz((uint64_t)x87, (uint64_t)x8) (* : uint64_t *) in + let x89 := x86 + x88 (* : uint64_t *) in + let x90 := x89 + x70 (* : uint64_t *) in + let x91 := Z.ltz((uint64_t)x90, (uint64_t)x70) (* : uint64_t *) in + let x92 := x91 + x72 (* : uint64_t *) in + let x93 := x34 + x25 (* : uint64_t 
*) in + let x94 := Z.ltz((uint64_t)x93, (uint64_t)x34) (* : uint64_t *) in + let x95 := x94 + x73 (* : uint64_t *) in + let x96 := Z.ltz((uint64_t)x95, (uint64_t)x73) (* : uint64_t *) in + let x97 := x95 + x26 (* : uint64_t *) in + let x98 := Z.ltz((uint64_t)x97, (uint64_t)x26) (* : uint64_t *) in + let x99 := x96 + x98 (* : uint64_t *) in + let x100 := x99 + x77 (* : uint64_t *) in + let x101 := Z.ltz((uint64_t)x100, (uint64_t)x77) (* : uint64_t *) in + let x102 := x100 + x24 (* : uint64_t *) in + let x103 := Z.ltz((uint64_t)x102, (uint64_t)x24) (* : uint64_t *) in + let x104 := x101 + x103 (* : uint64_t *) in + let x105 := x104 + x82 (* : uint64_t *) in + let x106 := Z.ltz((uint64_t)x105, (uint64_t)x82) (* : uint64_t *) in + let x107 := x105 + x19 (* : uint64_t *) in + let x108 := Z.ltz((uint64_t)x107, (uint64_t)x19) (* : uint64_t *) in + let x109 := x106 + x108 (* : uint64_t *) in + let x110 := x109 + x87 (* : uint64_t *) in + let x111 := Z.ltz((uint64_t)x110, (uint64_t)x87) (* : uint64_t *) in + let x112 := x110 + x11 (* : uint64_t *) in + let x113 := Z.ltz((uint64_t)x112, (uint64_t)x11) (* : uint64_t *) in + let x114 := x111 + x113 (* : uint64_t *) in + let x115 := x114 + x90 (* : uint64_t *) in + let x116 := Z.ltz((uint64_t)x115, (uint64_t)x90) (* : uint64_t *) in + let x117 := x115 + x3 (* : uint64_t *) in + let x118 := Z.ltz((uint64_t)x117, (uint64_t)x3) (* : uint64_t *) in + let x119 := x116 + x118 (* : uint64_t *) in + let x120 := x119 + x92 (* : uint64_t *) in + let x121 := x93 + x31 (* : uint64_t *) in + let x122 := Z.ltz((uint64_t)x121, (uint64_t)x93) (* : uint64_t *) in + let x123 := x122 + x97 (* : uint64_t *) in + let x124 := Z.ltz((uint64_t)x123, (uint64_t)x97) (* : uint64_t *) in + let x125 := x123 + x29 (* : uint64_t *) in + let x126 := Z.ltz((uint64_t)x125, (uint64_t)x29) (* : uint64_t *) in + let x127 := x124 + x126 (* : uint64_t *) in + let x128 := x127 + x102 (* : uint64_t *) in + let x129 := Z.ltz((uint64_t)x128, (uint64_t)x102) (* : 
uint64_t *) in + let x130 := x128 + x27 (* : uint64_t *) in + let x131 := Z.ltz((uint64_t)x130, (uint64_t)x27) (* : uint64_t *) in + let x132 := x129 + x131 (* : uint64_t *) in + let x133 := x132 + x107 (* : uint64_t *) in + let x134 := Z.ltz((uint64_t)x133, (uint64_t)x107) (* : uint64_t *) in + let x135 := x133 + x22 (* : uint64_t *) in + let x136 := Z.ltz((uint64_t)x135, (uint64_t)x22) (* : uint64_t *) in + let x137 := x134 + x136 (* : uint64_t *) in + let x138 := x137 + x112 (* : uint64_t *) in + let x139 := Z.ltz((uint64_t)x138, (uint64_t)x112) (* : uint64_t *) in + let x140 := x138 + x14 (* : uint64_t *) in + let x141 := Z.ltz((uint64_t)x140, (uint64_t)x14) (* : uint64_t *) in + let x142 := x139 + x141 (* : uint64_t *) in + let x143 := x142 + x117 (* : uint64_t *) in + let x144 := Z.ltz((uint64_t)x143, (uint64_t)x117) (* : uint64_t *) in + let x145 := x143 + x6 (* : uint64_t *) in + let x146 := Z.ltz((uint64_t)x145, (uint64_t)x6) (* : uint64_t *) in + let x147 := x144 + x146 (* : uint64_t *) in + let x148 := x147 + x120 (* : uint64_t *) in + let x149 := 38 * x145 (* : uint64_t *) in + let x150 := Z.mul_high((2^64), (38, (uint64_t)x145)) (* : uint64_t *) in + let x151 := 38 * x140 (* : uint64_t *) in + let x152 := Z.mul_high((2^64), (38, (uint64_t)x140)) (* : uint64_t *) in + let x153 := 38 * x135 (* : uint64_t *) in + let x154 := Z.mul_high((2^64), (38, (uint64_t)x135)) (* : uint64_t *) in + let x155 := x121 + x151 (* : uint64_t *) in + let x156 := Z.ltz((uint64_t)x155, (uint64_t)x121) (* : uint64_t *) in + let x157 := x156 + x125 (* : uint64_t *) in + let x158 := Z.ltz((uint64_t)x157, (uint64_t)x125) (* : uint64_t *) in + let x159 := x157 + x149 (* : uint64_t *) in + let x160 := Z.ltz((uint64_t)x159, (uint64_t)x149) (* : uint64_t *) in + let x161 := x158 + x160 (* : uint64_t *) in + let x162 := 38 * x148 (* : uint64_t *) in + let x163 := x161 + x130 (* : uint64_t *) in + let x164 := Z.ltz((uint64_t)x163, (uint64_t)x130) (* : uint64_t *) in + let x165 := x163 
+ x162 (* : uint64_t *) in + let x166 := Z.ltz((uint64_t)x165, (uint64_t)x162) (* : uint64_t *) in + let x167 := x164 + x166 (* : uint64_t *) in + let x168 := Z.mul_high((2^64), (38, (uint64_t)x148)) (* : uint64_t *) in + let x169 := x167 + x168 (* : uint64_t *) in + let x170 := x33 + x153 (* : uint64_t *) in + let x171 := Z.ltz((uint64_t)x170, (uint64_t)x33) (* : uint64_t *) in + let x172 := x171 + x155 (* : uint64_t *) in + let x173 := Z.ltz((uint64_t)x172, (uint64_t)x155) (* : uint64_t *) in + let x174 := x172 + x154 (* : uint64_t *) in + let x175 := Z.ltz((uint64_t)x174, (uint64_t)x154) (* : uint64_t *) in + let x176 := x173 + x175 (* : uint64_t *) in + let x177 := x176 + x159 (* : uint64_t *) in + let x178 := Z.ltz((uint64_t)x177, (uint64_t)x159) (* : uint64_t *) in + let x179 := x177 + x152 (* : uint64_t *) in + let x180 := Z.ltz((uint64_t)x179, (uint64_t)x152) (* : uint64_t *) in + let x181 := x178 + x180 (* : uint64_t *) in + let x182 := x181 + x165 (* : uint64_t *) in + let x183 := Z.ltz((uint64_t)x182, (uint64_t)x165) (* : uint64_t *) in + let x184 := x182 + x150 (* : uint64_t *) in + let x185 := Z.ltz((uint64_t)x184, (uint64_t)x150) (* : uint64_t *) in + let x186 := x183 + x185 (* : uint64_t *) in + let x187 := x186 + x169 (* : uint64_t *) in + let x188 := Z.mul_split((2^64), (38, (uint64_t)x187)) in + let x189 := x170 + x188₁ (* : uint64_t *) in + let x190 := Z.ltz((uint64_t)x189, (uint64_t)x170) (* : uint64_t *) in + let x191 := x190 + x174 (* : uint64_t *) in + let x192 := Z.ltz((uint64_t)x191, (uint64_t)x174) (* : uint64_t *) in + let x193 := x192 + x179 (* : uint64_t *) in + let x194 := Z.ltz((uint64_t)x193, (uint64_t)x179) (* : uint64_t *) in + let x195 := x194 + x184 (* : uint64_t *) in + let x196 := Z.ltz((uint64_t)x195, (uint64_t)x184) (* : uint64_t *) in + let x197 := Z.mul_split((2^64), (38, (uint64_t)x196)) in + let x198 := x189 + x197₁ (* : uint64_t *) in + let x199 := Z.ltz((uint64_t)x198, (uint64_t)x189) (* : uint64_t *) in + let x200 := 
x199 + x191 (* : uint64_t *) in + let x201 := Z.ltz((uint64_t)x200, (uint64_t)x191) (* : uint64_t *) in + let x202 := x201 + x193 (* : uint64_t *) in + let x203 := Z.ltz((uint64_t)x202, (uint64_t)x193) (* : uint64_t *) in + let x204 := x203 + x195 (* : uint64_t *) in + x198 :: x200 :: x202 :: x204 :: [] +) +ERROR-CONTAINING OUTPUT: +/* + * Input Bounds: + * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * in1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +void internal_fiat_curve25519_solinas_mulmod(uintptr_t out0, uintptr_t in0, uintptr_t in1) { + uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x14, x35, x41, x33, x42, x12, x43, x45, x46, x25, x20, x40, x49, x44, x50, x15, x51, x53, x54, x47, x56, x17, x22, x37, x59, x48, x60, x23, x61, x63, x64, x52, x65, x18, x66, x68, x69, x55, x70, x10, x71, x73, x74, x57, x76, x9, x28, x58, x79, x62, x80, x26, x81, x83, x84, x67, x85, x21, x86, x88, x89, x72, x90, x13, x91, x93, x94, x75, x96, x77, x30, x39, x99, x78, x100, x31, x101, x103, x104, x82, x105, x29, x106, x108, x109, x87, x110, x24, x111, x113, x114, x92, x115, x16, x116, x118, x119, x95, x120, x8, x121, x123, x124, x97, x36, x98, x127, x102, x128, x34, x129, x131, x132, x107, x133, x32, x134, x136, x137, x112, x138, x27, x139, x141, x142, x117, x143, x19, x144, x146, x147, x122, x148, x11, x149, x151, x152, x125, x150, x145, x140, x156, x126, x161, x130, x162, x154, x163, x165, x166, x135, x168, x167, x169, x171, x153, x172, x173, x158, x38, x176, x160, x177, x159, x178, x180, x181, x164, x182, x157, x183, x185, x186, x170, x187, x155, x188, x190, x192, x191, x174, x193, x194, x175, x196, x179, x198, x184, x200, x202, x189, x203, x204, ERROR, x195, x206, x197, x208, x199, 
x210, x201, x205, x207, x209, x211, x212, x213, x214, x215; + x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); + x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x3 = _br2_load((in0)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + x4 = _br2_load((in1)+((uintptr_t)0ULL), sizeof(uintptr_t)); + x5 = _br2_load((in1)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x6 = _br2_load((in1)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x7 = _br2_load((in1)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + /*skip*/ + x8 = (x3)*(x7); + x9 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x3)*(x7))>>32 : ((__uint128_t)(x3)*(x7))>>64); + x10 = (x3)*(x6); + x11 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x3)*(x6))>>32 : ((__uint128_t)(x3)*(x6))>>64); + x12 = (x3)*(x5); + x13 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x3)*(x5))>>32 : ((__uint128_t)(x3)*(x5))>>64); + x14 = (x3)*(x4); + x15 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x3)*(x4))>>32 : ((__uint128_t)(x3)*(x4))>>64); + x16 = (x2)*(x7); + x17 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x2)*(x7))>>32 : ((__uint128_t)(x2)*(x7))>>64); + x18 = (x2)*(x6); + x19 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x2)*(x6))>>32 : ((__uint128_t)(x2)*(x6))>>64); + x20 = (x2)*(x5); + x21 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x2)*(x5))>>32 : ((__uint128_t)(x2)*(x5))>>64); + x22 = (x2)*(x4); + x23 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x2)*(x4))>>32 : ((__uint128_t)(x2)*(x4))>>64); + x24 = (x1)*(x7); + x25 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x1)*(x7))>>32 : ((__uint128_t)(x1)*(x7))>>64); + x26 = (x1)*(x6); + x27 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x1)*(x6))>>32 : ((__uint128_t)(x1)*(x6))>>64); + x28 = (x1)*(x5); + x29 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x1)*(x5))>>32 : ((__uint128_t)(x1)*(x5))>>64); + x30 = (x1)*(x4); + x31 = (uintptr_t)(sizeof(intptr_t) == 4 ? 
((uint64_t)(x1)*(x4))>>32 : ((__uint128_t)(x1)*(x4))>>64); + x32 = (x0)*(x7); + x33 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x0)*(x7))>>32 : ((__uint128_t)(x0)*(x7))>>64); + x34 = (x0)*(x6); + x35 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x0)*(x6))>>32 : ((__uint128_t)(x0)*(x6))>>64); + x36 = (x0)*(x5); + x37 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x0)*(x5))>>32 : ((__uint128_t)(x0)*(x5))>>64); + x38 = (x0)*(x4); + x39 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x0)*(x4))>>32 : ((__uint128_t)(x0)*(x4))>>64); + x40 = (x35)+(x14); + x41 = (uintptr_t)((x40)<(x35)); + x42 = (x41)+(x33); + x43 = (uintptr_t)((x42)<(x33)); + x44 = (x42)+(x12); + x45 = (uintptr_t)((x44)<(x12)); + x46 = (x43)+(x45); + x47 = (x46)+(x25); + x48 = (x40)+(x20); + x49 = (uintptr_t)((x48)<(x40)); + x50 = (x49)+(x44); + x51 = (uintptr_t)((x50)<(x44)); + x52 = (x50)+(x15); + x53 = (uintptr_t)((x52)<(x15)); + x54 = (x51)+(x53); + x55 = (x54)+(x47); + x56 = (uintptr_t)((x55)<(x47)); + x57 = (x56)+(x17); + x58 = (x37)+(x22); + x59 = (uintptr_t)((x58)<(x37)); + x60 = (x59)+(x48); + x61 = (uintptr_t)((x60)<(x48)); + x62 = (x60)+(x23); + x63 = (uintptr_t)((x62)<(x23)); + x64 = (x61)+(x63); + x65 = (x64)+(x52); + x66 = (uintptr_t)((x65)<(x52)); + x67 = (x65)+(x18); + x68 = (uintptr_t)((x67)<(x18)); + x69 = (x66)+(x68); + x70 = (x69)+(x55); + x71 = (uintptr_t)((x70)<(x55)); + x72 = (x70)+(x10); + x73 = (uintptr_t)((x72)<(x10)); + x74 = (x71)+(x73); + x75 = (x74)+(x57); + x76 = (uintptr_t)((x75)<(x57)); + x77 = (x76)+(x9); + x78 = (x58)+(x28); + x79 = (uintptr_t)((x78)<(x58)); + x80 = (x79)+(x62); + x81 = (uintptr_t)((x80)<(x62)); + x82 = (x80)+(x26); + x83 = (uintptr_t)((x82)<(x26)); + x84 = (x81)+(x83); + x85 = (x84)+(x67); + x86 = (uintptr_t)((x85)<(x67)); + x87 = (x85)+(x21); + x88 = (uintptr_t)((x87)<(x21)); + x89 = (x86)+(x88); + x90 = (x89)+(x72); + x91 = (uintptr_t)((x90)<(x72)); + x92 = (x90)+(x13); + x93 = (uintptr_t)((x92)<(x13)); + x94 = (x91)+(x93); + x95 = 
(x94)+(x75); + x96 = (uintptr_t)((x95)<(x75)); + x97 = (x96)+(x77); + x98 = (x39)+(x30); + x99 = (uintptr_t)((x98)<(x39)); + x100 = (x99)+(x78); + x101 = (uintptr_t)((x100)<(x78)); + x102 = (x100)+(x31); + x103 = (uintptr_t)((x102)<(x31)); + x104 = (x101)+(x103); + x105 = (x104)+(x82); + x106 = (uintptr_t)((x105)<(x82)); + x107 = (x105)+(x29); + x108 = (uintptr_t)((x107)<(x29)); + x109 = (x106)+(x108); + x110 = (x109)+(x87); + x111 = (uintptr_t)((x110)<(x87)); + x112 = (x110)+(x24); + x113 = (uintptr_t)((x112)<(x24)); + x114 = (x111)+(x113); + x115 = (x114)+(x92); + x116 = (uintptr_t)((x115)<(x92)); + x117 = (x115)+(x16); + x118 = (uintptr_t)((x117)<(x16)); + x119 = (x116)+(x118); + x120 = (x119)+(x95); + x121 = (uintptr_t)((x120)<(x95)); + x122 = (x120)+(x8); + x123 = (uintptr_t)((x122)<(x8)); + x124 = (x121)+(x123); + x125 = (x124)+(x97); + x126 = (x98)+(x36); + x127 = (uintptr_t)((x126)<(x98)); + x128 = (x127)+(x102); + x129 = (uintptr_t)((x128)<(x102)); + x130 = (x128)+(x34); + x131 = (uintptr_t)((x130)<(x34)); + x132 = (x129)+(x131); + x133 = (x132)+(x107); + x134 = (uintptr_t)((x133)<(x107)); + x135 = (x133)+(x32); + x136 = (uintptr_t)((x135)<(x32)); + x137 = (x134)+(x136); + x138 = (x137)+(x112); + x139 = (uintptr_t)((x138)<(x112)); + x140 = (x138)+(x27); + x141 = (uintptr_t)((x140)<(x27)); + x142 = (x139)+(x141); + x143 = (x142)+(x117); + x144 = (uintptr_t)((x143)<(x117)); + x145 = (x143)+(x19); + x146 = (uintptr_t)((x145)<(x19)); + x147 = (x144)+(x146); + x148 = (x147)+(x122); + x149 = (uintptr_t)((x148)<(x122)); + x150 = (x148)+(x11); + x151 = (uintptr_t)((x150)<(x11)); + x152 = (x149)+(x151); + x153 = (x152)+(x125); + x154 = ((uintptr_t)38ULL)*(x150); + x155 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)((uintptr_t)38ULL)*(x150))>>32 : ((__uint128_t)((uintptr_t)38ULL)*(x150))>>64); + x156 = ((uintptr_t)38ULL)*(x145); + x157 = (uintptr_t)(sizeof(intptr_t) == 4 ? 
((uint64_t)((uintptr_t)38ULL)*(x145))>>32 : ((__uint128_t)((uintptr_t)38ULL)*(x145))>>64); + x158 = ((uintptr_t)38ULL)*(x140); + x159 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)((uintptr_t)38ULL)*(x140))>>32 : ((__uint128_t)((uintptr_t)38ULL)*(x140))>>64); + x160 = (x126)+(x156); + x161 = (uintptr_t)((x160)<(x126)); + x162 = (x161)+(x130); + x163 = (uintptr_t)((x162)<(x130)); + x164 = (x162)+(x154); + x165 = (uintptr_t)((x164)<(x154)); + x166 = (x163)+(x165); + x167 = ((uintptr_t)38ULL)*(x153); + x168 = (x166)+(x135); + x169 = (uintptr_t)((x168)<(x135)); + x170 = (x168)+(x167); + x171 = (uintptr_t)((x170)<(x167)); + x172 = (x169)+(x171); + x173 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)((uintptr_t)38ULL)*(x153))>>32 : ((__uint128_t)((uintptr_t)38ULL)*(x153))>>64); + x174 = (x172)+(x173); + x175 = (x38)+(x158); + x176 = (uintptr_t)((x175)<(x38)); + x177 = (x176)+(x160); + x178 = (uintptr_t)((x177)<(x160)); + x179 = (x177)+(x159); + x180 = (uintptr_t)((x179)<(x159)); + x181 = (x178)+(x180); + x182 = (x181)+(x164); + x183 = (uintptr_t)((x182)<(x164)); + x184 = (x182)+(x157); + x185 = (uintptr_t)((x184)<(x157)); + x186 = (x183)+(x185); + x187 = (x186)+(x170); + x188 = (uintptr_t)((x187)<(x170)); + x189 = (x187)+(x155); + x190 = (uintptr_t)((x189)<(x155)); + x191 = (x188)+(x190); + x192 = (x191)+(x174); + x193 = ERROR; + x194 = ERROR; + x195 = (x175)+(ERROR); + x196 = (uintptr_t)((x195)<(x175)); + x197 = (x196)+(x179); + x198 = (uintptr_t)((x197)<(x179)); + x199 = (x198)+(x184); + x200 = (uintptr_t)((x199)<(x184)); + x201 = (x200)+(x189); + x202 = (uintptr_t)((x201)<(x189)); + x203 = ERROR; + x204 = ERROR; + x205 = (x195)+(ERROR); + x206 = (uintptr_t)((x205)<(x195)); + x207 = (x206)+(x197); + x208 = (uintptr_t)((x207)<(x197)); + x209 = (x208)+(x199); + x210 = (uintptr_t)((x209)<(x199)); + x211 = (x210)+(x201); + x212 = x205; + x213 = x207; + x214 = x209; + x215 = x211; + /*skip*/ + _br2_store((out0)+((uintptr_t)0ULL), x212, sizeof(uintptr_t)); + 
_br2_store((out0)+((uintptr_t)8ULL), x213, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)16ULL), x214, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)24ULL), x215, sizeof(uintptr_t)); + /*skip*/ + return; +} + +Error occured during translation to bedrock2. This is likely because a part of the input expression either had unsupported integer types (bedrock2 requires that all integers have the same size) or contained an unsupported operation. diff --git a/fiat-c/src/curve25519_solinas_64.c b/fiat-c/src/curve25519_solinas_64.c new file mode 100644 index 0000000000..b1bef4523a --- /dev/null +++ b/fiat-c/src/curve25519_solinas_64.c 
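Review bot: The committed fiat-bedrock2/src/curve25519_solinas_64.c.tmp is the failed translation's scratch output rather than code: its body contains `x193 = ERROR;`, `x195 = (x175)+(ERROR);` and the trailing "Error occured during translation to bedrock2" message, so it cannot compile and should be dropped from the commit (and `*.tmp` ignored) instead of being shipped under fiat-bedrock2/src where a build or packaging step could pick it up. The cause is visible in the printed AST: every product is lowered to `*` plus `Z.mul_high` except `x188 := Z.mul_split((2^64), (38, (uint64_t)x187))` and `x197 := Z.mul_split((2^64), (38, (uint64_t)x196))`, and those are exactly the positions where the C shows ERROR (x193/x194 and x203/x204), which matches the "unsupported operation" wording of the message. Lowering those two `Z.mul_split` nodes the same way the other 38-multiplications are lowered, or removing bedrock2 from the solinas_reduction targets until the backend supports them, would let the file be generated cleanly; which of these is intended cannot be told from this hunk alone.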
@@ -0,0 +1,337 @@ +/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mulmod */ +/* curve description: curve25519_solinas */ +/* machine_wordsize = 64 (from "64") */ +/* requested operations: mulmod */ +/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ +/* */ +/* Computed values: */ +/* */ + +#include +typedef unsigned char fiat_curve25519_solinas_uint1; +typedef signed char fiat_curve25519_solinas_int1; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_CURVE25519_SOLINAS_FIAT_EXTENSION __extension__ +# define FIAT_CURVE25519_SOLINAS_FIAT_INLINE __inline__ +#else +# define FIAT_CURVE25519_SOLINAS_FIAT_EXTENSION +# define FIAT_CURVE25519_SOLINAS_FIAT_INLINE +#endif + +FIAT_CURVE25519_SOLINAS_FIAT_EXTENSION typedef signed __int128 fiat_curve25519_solinas_int128; +FIAT_CURVE25519_SOLINAS_FIAT_EXTENSION typedef unsigned __int128 fiat_curve25519_solinas_uint128; + +#if (-1 & 3) != 3 +#error "This code only works on a two's complement system" +#endif + + +/* + * The function fiat_curve25519_solinas_addcarryx_u64 is an addition with carry. 
+ * + * Postconditions: + * out1 = (arg1 + arg2 + arg3) mod 2^64 + * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0x1] + */ +static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_addcarryx_u64(uint64_t* out1, fiat_curve25519_solinas_uint1* out2, fiat_curve25519_solinas_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_curve25519_solinas_uint128 x1; + uint64_t x2; + fiat_curve25519_solinas_uint1 x3; + x1 = ((arg1 + (fiat_curve25519_solinas_uint128)arg2) + arg3); + x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + x3 = (fiat_curve25519_solinas_uint1)(x1 >> 64); + *out1 = x2; + *out2 = x3; +} + +/* + * The function fiat_curve25519_solinas_subborrowx_u64 is a subtraction with borrow. + * + * Postconditions: + * out1 = (-arg1 + arg2 + -arg3) mod 2^64 + * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0x1] + */ +static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_subborrowx_u64(uint64_t* out1, fiat_curve25519_solinas_uint1* out2, fiat_curve25519_solinas_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_curve25519_solinas_int128 x1; + fiat_curve25519_solinas_int1 x2; + uint64_t x3; + x1 = ((arg2 - (fiat_curve25519_solinas_int128)arg1) - arg3); + x2 = (fiat_curve25519_solinas_int1)(x1 >> 64); + x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + *out1 = x3; + *out2 = (fiat_curve25519_solinas_uint1)(0x0 - x2); +} + +/* + * The function fiat_curve25519_solinas_mulx_u64 is a multiplication, returning the full double-width result. 
+ * + * Postconditions: + * out1 = (arg1 * arg2) mod 2^64 + * out2 = ⌊arg1 * arg2 / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0xffffffffffffffff] + * arg2: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0xffffffffffffffff] + */ +static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { + fiat_curve25519_solinas_uint128 x1; + uint64_t x2; + uint64_t x3; + x1 = ((fiat_curve25519_solinas_uint128)arg1 * arg2); + x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + x3 = (uint64_t)(x1 >> 64); + *out1 = x2; + *out2 = x3; +} + +/* + * The function fiat_curve25519_solinas_mulmod multiplies two field elements. + * + * Postconditions: + * evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 + * + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mulmod(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t 
x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + fiat_curve25519_solinas_uint1 x34; + uint64_t x35; + fiat_curve25519_solinas_uint1 x36; + uint64_t x37; + uint64_t x38; + fiat_curve25519_solinas_uint1 x39; + uint64_t x40; + fiat_curve25519_solinas_uint1 x41; + uint64_t x42; + fiat_curve25519_solinas_uint1 x43; + uint64_t x44; + uint64_t x45; + fiat_curve25519_solinas_uint1 x46; + uint64_t x47; + fiat_curve25519_solinas_uint1 x48; + uint64_t x49; + fiat_curve25519_solinas_uint1 x50; + uint64_t x51; + fiat_curve25519_solinas_uint1 x52; + uint64_t x53; + fiat_curve25519_solinas_uint1 x54; + uint64_t x55; + uint64_t x56; + fiat_curve25519_solinas_uint1 x57; + uint64_t x58; + fiat_curve25519_solinas_uint1 x59; + uint64_t x60; + fiat_curve25519_solinas_uint1 x61; + uint64_t x62; + fiat_curve25519_solinas_uint1 x63; + uint64_t x64; + fiat_curve25519_solinas_uint1 x65; + uint64_t x66; + fiat_curve25519_solinas_uint1 x67; + uint64_t x68; + fiat_curve25519_solinas_uint1 x69; + uint64_t x70; + fiat_curve25519_solinas_uint1 x71; + uint64_t x72; + fiat_curve25519_solinas_uint1 x73; + uint64_t x74; + fiat_curve25519_solinas_uint1 x75; + uint64_t x76; + fiat_curve25519_solinas_uint1 x77; + uint64_t x78; + fiat_curve25519_solinas_uint1 x79; + uint64_t x80; + fiat_curve25519_solinas_uint1 x81; + uint64_t x82; + fiat_curve25519_solinas_uint1 x83; + uint64_t x84; + fiat_curve25519_solinas_uint1 x85; + uint64_t x86; + fiat_curve25519_solinas_uint1 x87; + uint64_t x88; + fiat_curve25519_solinas_uint1 x89; + uint64_t x90; + fiat_curve25519_solinas_uint1 x91; + uint64_t x92; + fiat_curve25519_solinas_uint1 x93; + uint64_t x94; + fiat_curve25519_solinas_uint1 x95; + uint64_t x96; + uint64_t x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + fiat_curve25519_solinas_uint1 x103; + uint64_t x104; + fiat_curve25519_solinas_uint1 x105; + uint64_t x106; + uint64_t x107; + uint64_t x108; + fiat_curve25519_solinas_uint1 
x109; + uint64_t x110; + uint64_t x111; + uint64_t x112; + uint64_t x113; + fiat_curve25519_solinas_uint1 x114; + uint64_t x115; + fiat_curve25519_solinas_uint1 x116; + uint64_t x117; + fiat_curve25519_solinas_uint1 x118; + uint64_t x119; + fiat_curve25519_solinas_uint1 x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + fiat_curve25519_solinas_uint1 x125; + uint64_t x126; + fiat_curve25519_solinas_uint1 x127; + uint64_t x128; + fiat_curve25519_solinas_uint1 x129; + uint64_t x130; + fiat_curve25519_solinas_uint1 x131; + uint64_t x132; + uint64_t x133; + uint64_t x134; + fiat_curve25519_solinas_uint1 x135; + uint64_t x136; + fiat_curve25519_solinas_uint1 x137; + uint64_t x138; + fiat_curve25519_solinas_uint1 x139; + uint64_t x140; + fiat_curve25519_solinas_uint1 x141; + fiat_curve25519_solinas_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); + fiat_curve25519_solinas_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); + fiat_curve25519_solinas_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); + fiat_curve25519_solinas_mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); + fiat_curve25519_solinas_mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); + fiat_curve25519_solinas_mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); + fiat_curve25519_solinas_mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); + fiat_curve25519_solinas_mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); + fiat_curve25519_solinas_mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); + fiat_curve25519_solinas_mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); + fiat_curve25519_solinas_mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); + fiat_curve25519_solinas_mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); + fiat_curve25519_solinas_mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); + fiat_curve25519_solinas_mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); + fiat_curve25519_solinas_mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); + fiat_curve25519_solinas_mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); + fiat_curve25519_solinas_addcarryx_u64(&x33, &x34, 0x0, x28, x7); + 
fiat_curve25519_solinas_addcarryx_u64(&x35, &x36, x34, x26, x5); + x37 = (x36 + x18); + fiat_curve25519_solinas_addcarryx_u64(&x38, &x39, 0x0, x33, x13); + fiat_curve25519_solinas_addcarryx_u64(&x40, &x41, x39, x35, x8); + fiat_curve25519_solinas_addcarryx_u64(&x42, &x43, x41, x37, 0x0); + x44 = (x43 + x10); + fiat_curve25519_solinas_addcarryx_u64(&x45, &x46, 0x0, x30, x15); + fiat_curve25519_solinas_addcarryx_u64(&x47, &x48, x46, x38, x16); + fiat_curve25519_solinas_addcarryx_u64(&x49, &x50, x48, x40, x11); + fiat_curve25519_solinas_addcarryx_u64(&x51, &x52, x50, x42, x3); + fiat_curve25519_solinas_addcarryx_u64(&x53, &x54, x52, x44, 0x0); + x55 = (x54 + x2); + fiat_curve25519_solinas_addcarryx_u64(&x56, &x57, 0x0, x45, x21); + fiat_curve25519_solinas_addcarryx_u64(&x58, &x59, x57, x47, x19); + fiat_curve25519_solinas_addcarryx_u64(&x60, &x61, x59, x49, x14); + fiat_curve25519_solinas_addcarryx_u64(&x62, &x63, x61, x51, x6); + fiat_curve25519_solinas_addcarryx_u64(&x64, &x65, x63, x53, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x66, &x67, x65, x55, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x68, &x69, 0x0, x32, x23); + fiat_curve25519_solinas_addcarryx_u64(&x70, &x71, x69, x56, x24); + fiat_curve25519_solinas_addcarryx_u64(&x72, &x73, x71, x58, x22); + fiat_curve25519_solinas_addcarryx_u64(&x74, &x75, x73, x60, x17); + fiat_curve25519_solinas_addcarryx_u64(&x76, &x77, x75, x62, x9); + fiat_curve25519_solinas_addcarryx_u64(&x78, &x79, x77, x64, x1); + fiat_curve25519_solinas_addcarryx_u64(&x80, &x81, x79, x66, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x82, &x83, 0x0, x68, x29); + fiat_curve25519_solinas_addcarryx_u64(&x84, &x85, x83, x70, x27); + fiat_curve25519_solinas_addcarryx_u64(&x86, &x87, x85, x72, x25); + fiat_curve25519_solinas_addcarryx_u64(&x88, &x89, x87, x74, x20); + fiat_curve25519_solinas_addcarryx_u64(&x90, &x91, x89, x76, x12); + fiat_curve25519_solinas_addcarryx_u64(&x92, &x93, x91, x78, x4); + 
fiat_curve25519_solinas_addcarryx_u64(&x94, &x95, x93, x80, 0x0); + fiat_curve25519_solinas_mulx_u64(&x96, &x97, UINT8_C(0x26), x92); + fiat_curve25519_solinas_mulx_u64(&x98, &x99, UINT8_C(0x26), x90); + fiat_curve25519_solinas_mulx_u64(&x100, &x101, UINT8_C(0x26), x88); + fiat_curve25519_solinas_addcarryx_u64(&x102, &x103, 0x0, x82, x98); + fiat_curve25519_solinas_addcarryx_u64(&x104, &x105, x103, x84, x96); + fiat_curve25519_solinas_mulx_u64(&x106, &x107, UINT8_C(0x26), x94); + fiat_curve25519_solinas_addcarryx_u64(&x108, &x109, x105, x86, x106); + fiat_curve25519_solinas_mulx_u64(&x110, &x111, UINT8_C(0x26), x94); + x112 = (x109 + x111); + fiat_curve25519_solinas_addcarryx_u64(&x113, &x114, 0x0, x31, x100); + fiat_curve25519_solinas_addcarryx_u64(&x115, &x116, x114, x102, x101); + fiat_curve25519_solinas_addcarryx_u64(&x117, &x118, x116, x104, x99); + fiat_curve25519_solinas_addcarryx_u64(&x119, &x120, x118, x108, x97); + x121 = (x120 + x112); + fiat_curve25519_solinas_mulx_u64(&x122, &x123, UINT8_C(0x26), x121); + fiat_curve25519_solinas_addcarryx_u64(&x124, &x125, 0x0, x113, x122); + fiat_curve25519_solinas_addcarryx_u64(&x126, &x127, x125, x115, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x128, &x129, x127, x117, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x130, &x131, x129, x119, 0x0); + fiat_curve25519_solinas_mulx_u64(&x132, &x133, UINT8_C(0x26), x131); + fiat_curve25519_solinas_addcarryx_u64(&x134, &x135, 0x0, x124, x132); + fiat_curve25519_solinas_addcarryx_u64(&x136, &x137, x135, x126, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x138, &x139, x137, x128, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x140, &x141, x139, x130, 0x0); + out1[0] = x134; + out1[1] = x136; + out1[2] = x138; + out1[3] = x140; +} diff --git a/fiat-go/64/curve25519solinas/curve25519solinas.go b/fiat-go/64/curve25519solinas/curve25519solinas.go new file mode 100644 index 0000000000..279f12b385 --- /dev/null +++ b/fiat-go/64/curve25519solinas/curve25519solinas.go 
@@ -0,0 +1,241 @@ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mulmod +// +// curve description (via package name): curve25519solinas +// +// machine_wordsize = 64 (from "64") +// +// requested operations: mulmod +// +// s-c = 2^255 - [(1, 19)] (from "2^255 - 19") +// +// +// +// Computed values: +// +// +package curve25519solinas + +import "math/bits" + +type uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 +type int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 + +// Mulmod multiplies two field elements. 
+// +// Postconditions: +// evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +func Mulmod(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { + var x1 uint64 + var x2 uint64 + x2, x1 = bits.Mul64(arg1[3], arg2[3]) + var x3 uint64 + var x4 uint64 + x4, x3 = bits.Mul64(arg1[3], arg2[2]) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(arg1[3], arg2[1]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(arg1[3], arg2[0]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[2], arg2[3]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(arg1[2], arg2[2]) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(arg1[2], arg2[1]) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(arg1[2], arg2[0]) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(arg1[1], arg2[3]) + var x19 uint64 + var x20 uint64 + x20, x19 = bits.Mul64(arg1[1], arg2[2]) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(arg1[1], arg2[1]) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(arg1[1], arg2[0]) + var x25 uint64 + var x26 uint64 + x26, x25 = bits.Mul64(arg1[0], arg2[3]) + var x27 uint64 + var x28 uint64 + x28, x27 = bits.Mul64(arg1[0], arg2[2]) + var x29 uint64 + var x30 uint64 + x30, x29 = bits.Mul64(arg1[0], arg2[1]) + var x31 uint64 + var x32 uint64 + x32, x31 = bits.Mul64(arg1[0], arg2[0]) + var x33 uint64 + var x34 uint64 + x33, x34 = bits.Add64(x28, x7, uint64(0x0)) + 
var x35 uint64 + var x36 uint64 + x35, x36 = bits.Add64(x26, x5, uint64(uint1(x34))) + x37 := (uint64(uint1(x36)) + x18) + var x38 uint64 + var x39 uint64 + x38, x39 = bits.Add64(x33, x13, uint64(0x0)) + var x40 uint64 + var x41 uint64 + x40, x41 = bits.Add64(x35, x8, uint64(uint1(x39))) + var x42 uint64 + var x43 uint64 + x42, x43 = bits.Add64(x37, uint64(0x0), uint64(uint1(x41))) + x44 := (uint64(uint1(x43)) + x10) + var x45 uint64 + var x46 uint64 + x45, x46 = bits.Add64(x30, x15, uint64(0x0)) + var x47 uint64 + var x48 uint64 + x47, x48 = bits.Add64(x38, x16, uint64(uint1(x46))) + var x49 uint64 + var x50 uint64 + x49, x50 = bits.Add64(x40, x11, uint64(uint1(x48))) + var x51 uint64 + var x52 uint64 + x51, x52 = bits.Add64(x42, x3, uint64(uint1(x50))) + var x53 uint64 + var x54 uint64 + x53, x54 = bits.Add64(x44, uint64(0x0), uint64(uint1(x52))) + x55 := (uint64(uint1(x54)) + x2) + var x56 uint64 + var x57 uint64 + x56, x57 = bits.Add64(x45, x21, uint64(0x0)) + var x58 uint64 + var x59 uint64 + x58, x59 = bits.Add64(x47, x19, uint64(uint1(x57))) + var x60 uint64 + var x61 uint64 + x60, x61 = bits.Add64(x49, x14, uint64(uint1(x59))) + var x62 uint64 + var x63 uint64 + x62, x63 = bits.Add64(x51, x6, uint64(uint1(x61))) + var x64 uint64 + var x65 uint64 + x64, x65 = bits.Add64(x53, uint64(0x0), uint64(uint1(x63))) + var x66 uint64 + x66, _ = bits.Add64(x55, uint64(0x0), uint64(uint1(x65))) + var x68 uint64 + var x69 uint64 + x68, x69 = bits.Add64(x32, x23, uint64(0x0)) + var x70 uint64 + var x71 uint64 + x70, x71 = bits.Add64(x56, x24, uint64(uint1(x69))) + var x72 uint64 + var x73 uint64 + x72, x73 = bits.Add64(x58, x22, uint64(uint1(x71))) + var x74 uint64 + var x75 uint64 + x74, x75 = bits.Add64(x60, x17, uint64(uint1(x73))) + var x76 uint64 + var x77 uint64 + x76, x77 = bits.Add64(x62, x9, uint64(uint1(x75))) + var x78 uint64 + var x79 uint64 + x78, x79 = bits.Add64(x64, x1, uint64(uint1(x77))) + var x80 uint64 + x80, _ = bits.Add64(x66, uint64(0x0), 
uint64(uint1(x79))) + var x82 uint64 + var x83 uint64 + x82, x83 = bits.Add64(x68, x29, uint64(0x0)) + var x84 uint64 + var x85 uint64 + x84, x85 = bits.Add64(x70, x27, uint64(uint1(x83))) + var x86 uint64 + var x87 uint64 + x86, x87 = bits.Add64(x72, x25, uint64(uint1(x85))) + var x88 uint64 + var x89 uint64 + x88, x89 = bits.Add64(x74, x20, uint64(uint1(x87))) + var x90 uint64 + var x91 uint64 + x90, x91 = bits.Add64(x76, x12, uint64(uint1(x89))) + var x92 uint64 + var x93 uint64 + x92, x93 = bits.Add64(x78, x4, uint64(uint1(x91))) + var x94 uint64 + x94, _ = bits.Add64(x80, uint64(0x0), uint64(uint1(x93))) + var x96 uint64 + var x97 uint64 + x97, x96 = bits.Mul64(0x26, x92) + var x98 uint64 + var x99 uint64 + x99, x98 = bits.Mul64(0x26, x90) + var x100 uint64 + var x101 uint64 + x101, x100 = bits.Mul64(0x26, x88) + var x102 uint64 + var x103 uint64 + x102, x103 = bits.Add64(x82, x98, uint64(0x0)) + var x104 uint64 + var x105 uint64 + x104, x105 = bits.Add64(x84, x96, uint64(uint1(x103))) + var x106 uint64 + _, x106 = bits.Mul64(0x26, x94) + var x108 uint64 + var x109 uint64 + x108, x109 = bits.Add64(x86, x106, uint64(uint1(x105))) + var x111 uint64 + x111, _ = bits.Mul64(0x26, x94) + x112 := (uint64(uint1(x109)) + x111) + var x113 uint64 + var x114 uint64 + x113, x114 = bits.Add64(x31, x100, uint64(0x0)) + var x115 uint64 + var x116 uint64 + x115, x116 = bits.Add64(x102, x101, uint64(uint1(x114))) + var x117 uint64 + var x118 uint64 + x117, x118 = bits.Add64(x104, x99, uint64(uint1(x116))) + var x119 uint64 + var x120 uint64 + x119, x120 = bits.Add64(x108, x97, uint64(uint1(x118))) + x121 := (uint64(uint1(x120)) + x112) + var x122 uint64 + _, x122 = bits.Mul64(0x26, x121) + var x124 uint64 + var x125 uint64 + x124, x125 = bits.Add64(x113, x122, uint64(0x0)) + var x126 uint64 + var x127 uint64 + x126, x127 = bits.Add64(x115, uint64(0x0), uint64(uint1(x125))) + var x128 uint64 + var x129 uint64 + x128, x129 = bits.Add64(x117, uint64(0x0), uint64(uint1(x127))) + 
var x130 uint64 + var x131 uint64 + x130, x131 = bits.Add64(x119, uint64(0x0), uint64(uint1(x129))) + var x132 uint64 + _, x132 = bits.Mul64(0x26, uint1(x131)) + var x134 uint64 + var x135 uint64 + x134, x135 = bits.Add64(x124, x132, uint64(0x0)) + var x136 uint64 + var x137 uint64 + x136, x137 = bits.Add64(x126, uint64(0x0), uint64(uint1(x135))) + var x138 uint64 + var x139 uint64 + x138, x139 = bits.Add64(x128, uint64(0x0), uint64(uint1(x137))) + var x140 uint64 + x140, _ = bits.Add64(x130, uint64(0x0), uint64(uint1(x139))) + out1[0] = x134 + out1[1] = x136 + out1[2] = x138 + out1[3] = x140 +} diff --git a/fiat-json/src/curve25519_solinas_64.json b/fiat-json/src/curve25519_solinas_64.json new file mode 100644 index 0000000000..c81d5a3787 --- /dev/null +++ b/fiat-json/src/curve25519_solinas_64.json 
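Review bot: `_, x132 = bits.Mul64(0x26, uint1(x131))` near the end of Mulmod will not compile: x131 is declared `uint64`, `uint1` is a defined type (`type uint1 uint64`), and Go does not pass a value of a defined type to the `uint64` parameter of bits.Mul64 without an explicit conversion. Every other carry-to-word use in this function is spelled `uint64(uint1(xN))`, so the line should read `_, x132 = bits.Mul64(0x26, uint64(uint1(x131)))`. Since the file is marked DO NOT EDIT, the fix presumably belongs in the Go stringification of mulx arguments rather than in this file, and a `go build` of fiat-go/64/curve25519solinas in CI would catch the regression. The same function also computes `bits.Mul64(0x26, x94)` twice (for x106 and x111), which is harmless but suggests the generator is not deduplicating the repeated mulx.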
@@ -0,0 +1,3767 @@ +[ + { + "operation": "fiat_curve25519_solinas_addcarryx_u64", + "arguments": [ + { + "datatype": "u1", + "name": "arg1", + "lbound": "0x0", + "ubound": "0x1" + }, + { + "datatype": "u64", + "name": "arg2", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + }, + { + "datatype": "u64", + "name": "arg3", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + } + ], + "returns": [ + { + "datatype": "u64", + "name": "out1", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + }, + { + "datatype": "u1", + "name": "out2", + "lbound": "0x0", + "ubound": "0x1" + } + ], + "body": [ + { + "datatype": "u128", + "name": [ + "x1" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x2" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + }, + "0xffffffffffffffff" + ] + } + ] + }, + { + "datatype": "u1", + "name": [ + "x3" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": ">>", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + }, + "64" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1" + ], + "operation": "static_cast", + "arguments": [ + 
"x2" + ] + }, + { + "datatype": "u1", + "name": [ + "out2" + ], + "operation": "static_cast", + "arguments": [ + "x3" + ] + } + ] + }, + { + "operation": "fiat_curve25519_solinas_subborrowx_u64", + "arguments": [ + { + "datatype": "u1", + "name": "arg1", + "lbound": "0x0", + "ubound": "0x1" + }, + { + "datatype": "u64", + "name": "arg2", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + }, + { + "datatype": "u64", + "name": "arg3", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + } + ], + "returns": [ + { + "datatype": "u64", + "name": "out1", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + }, + { + "datatype": "u1", + "name": "out2", + "lbound": "0x0", + "ubound": "0x1" + } + ], + "body": [ + { + "datatype": "i128", + "name": [ + "x1" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "i128", + "name": [], + "operation": "-", + "arguments": [ + { + "datatype": "i128", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "i128", + "name": [], + "operation": "-", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2" + ] + }, + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3" + ] + } + ] + } + ] + }, + { + "datatype": "i1", + "name": [ + "x2" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "i1", + "name": [], + "operation": ">>", + "arguments": [ + { + "datatype": "i128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + }, + "64" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x3" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "i128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + }, + "0xffffffffffffffff" + ] + 
} + ] + }, + { + "datatype": "u64", + "name": [ + "out1" + ], + "operation": "static_cast", + "arguments": [ + "x3" + ] + }, + { + "datatype": "u1", + "name": [ + "out2" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "-", + "arguments": [ + "0x0", + { + "datatype": "i1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x2" + ] + } + ] + } + ] + } + ] + }, + { + "operation": "fiat_curve25519_solinas_mulx_u64", + "arguments": [ + { + "datatype": "u64", + "name": "arg1", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + }, + { + "datatype": "u64", + "name": "arg2", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + } + ], + "returns": [ + { + "datatype": "u64", + "name": "out1", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + }, + { + "datatype": "u64", + "name": "out2", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + } + ], + "body": [ + { + "datatype": "u128", + "name": [ + "x1" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "*", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x2" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + }, + "0xffffffffffffffff" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x3" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": ">>", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + }, + "64" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1" + 
], + "operation": "static_cast", + "arguments": [ + "x2" + ] + }, + { + "datatype": "u64", + "name": [ + "out2" + ], + "operation": "static_cast", + "arguments": [ + "x3" + ] + } + ] + }, + { + "operation": "fiat_curve25519_solinas_mulmod", + "arguments": [ + { + "datatype": "u64[4]", + "name": "arg1", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + }, + { + "datatype": "u64[4]", + "name": "arg2", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + } + ], + "returns": [ + { + "datatype": "u64[4]", + "name": "out1", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + } + ], + "body": [ + { + "datatype": "(auto)", + "name": [ + "x1", + "x2" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x3", + "x4" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x5", + "x6" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + 
"arg2[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x7", + "x8" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x9", + "x10" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x11", + "x12" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x13", + "x14" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x15", + "x16" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x17", + "x18" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": 
[], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x19", + "x20" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x21", + "x22" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x23", + "x24" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x25", + "x26" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x27", + "x28" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[2]" + ] + } + ] + }, + { + 
"datatype": "(auto)", + "name": [ + "x29", + "x30" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x31", + "x32" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x33", + "x34" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x28" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x7" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x35", + "x36" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x34" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x26" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x5" + ] + } + ] + } + 
] + }, + { + "datatype": "u64", + "name": [ + "x37" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x36" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x18" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x38", + "x39" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x33" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x13" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x40", + "x41" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x39" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x35" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x8" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x42", + "x43" + ], + "operation": "addcarryx", + "parameters": { + "size": 
64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x41" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x37" + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "x44" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x43" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x10" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x45", + "x46" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x30" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x15" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x47", + "x48" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x46" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x38" + ] + 
} + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x16" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x49", + "x50" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x48" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x40" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x11" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x51", + "x52" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x50" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x42" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x3" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x53", + "x54" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + 
"arguments": [ + "x52" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x44" + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "x55" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x54" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x2" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x56", + "x57" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x45" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x21" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x58", + "x59" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x57" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x47" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": 
[ + "x19" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x60", + "x61" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x59" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x49" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x14" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x62", + "x63" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x61" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x51" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x6" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x64", + "x65" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x63" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": 
"static_cast", + "arguments": [ + "x53" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x66", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x65" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x55" + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x68", + "x69" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x32" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x23" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x70", + "x71" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x69" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x56" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x24" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x72", + "x73" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + 
"name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x71" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x58" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x22" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x74", + "x75" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x73" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x60" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x17" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x76", + "x77" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x75" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x62" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": 
"static_cast", + "arguments": [ + "x9" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x78", + "x79" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x77" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x64" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x80", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x79" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x66" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x82", + "x83" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x68" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x29" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x84", + "x85" + ], + "operation": "addcarryx", + 
"parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x83" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x70" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x27" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x86", + "x87" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x85" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x72" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x25" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x88", + "x89" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x87" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x74" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + 
"arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x20" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x90", + "x91" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x89" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x76" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x12" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x92", + "x93" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x91" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x78" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x4" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x94", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x93" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + 
"operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x80" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x96", + "x97" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x92" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x98", + "x99" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x90" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x100", + "x101" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x88" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x102", + "x103" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x82" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x98" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x104", + "x105" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": 
"static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x103" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x84" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x96" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x106", + "_" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x94" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x108", + "x109" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x105" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x86" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x106" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "_", + "x111" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x94" + ] + } + ] + } + ] + }, + { + 
"datatype": "u64", + "name": [ + "x112" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x109" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x111" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x113", + "x114" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x31" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x100" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x115", + "x116" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x114" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x102" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x101" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x117", + "x118" + ], + "operation": "addcarryx", + "parameters": { + "size": 
64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x116" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x104" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x99" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x119", + "x120" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x118" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x108" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x97" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x121" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x120" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x112" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x122", + "_" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + 
"0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x121" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x124", + "x125" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x113" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x122" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x126", + "x127" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x125" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x115" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x128", + "x129" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x127" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x117" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x130", + "x131" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": 
"static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x129" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x119" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x132", + "_" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x131" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x134", + "x135" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x124" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x132" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x136", + "x137" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x135" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x126" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x138", + "x139" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + 
"name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x137" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x128" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x140", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x139" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x130" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "out1[0]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x134" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[1]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x136" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[2]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x138" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[3]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x140" + ] + } + ] + } + ] + } +] diff --git a/fiat-rust/src/curve25519_solinas_64.rs b/fiat-rust/src/curve25519_solinas_64.rs new file mode 100644 index 0000000000..a9f3c32435 --- /dev/null 
+++ b/fiat-rust/src/curve25519_solinas_64.rs 
@@ -0,0 +1,309 @@ +//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mulmod +//! curve description: curve25519_solinas +//! machine_wordsize = 64 (from "64") +//! requested operations: mulmod +//! s-c = 2^255 - [(1, 19)] (from "2^255 - 19") +//! +//! Computed values: +//! + +#![allow(unused_parens)] +#![allow(non_camel_case_types)] + +pub type fiat_curve25519_solinas_u1 = u8; +pub type fiat_curve25519_solinas_i1 = i8; +pub type fiat_curve25519_solinas_u2 = u8; +pub type fiat_curve25519_solinas_i2 = i8; + + +/// The function fiat_curve25519_solinas_addcarryx_u64 is an addition with carry. +/// +/// Postconditions: +/// out1 = (arg1 + arg2 + arg3) mod 2^64 +/// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ +/// +/// Input Bounds: +/// arg1: [0x0 ~> 0x1] +/// arg2: [0x0 ~> 0xffffffffffffffff] +/// arg3: [0x0 ~> 0xffffffffffffffff] +/// Output Bounds: +/// out1: [0x0 ~> 0xffffffffffffffff] +/// out2: [0x0 ~> 0x1] +#[inline] +pub fn fiat_curve25519_solinas_addcarryx_u64(out1: &mut u64, out2: &mut fiat_curve25519_solinas_u1, arg1: fiat_curve25519_solinas_u1, arg2: u64, arg3: u64) -> () { + let x1: u128 = (((arg1 as u128) + (arg2 as u128)) + (arg3 as u128)); + let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64); + let x3: fiat_curve25519_solinas_u1 = ((x1 >> 64) as fiat_curve25519_solinas_u1); + *out1 = x2; + *out2 = x3; +} + +/// The function fiat_curve25519_solinas_subborrowx_u64 is a subtraction with borrow. 
+/// +/// Postconditions: +/// out1 = (-arg1 + arg2 + -arg3) mod 2^64 +/// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ +/// +/// Input Bounds: +/// arg1: [0x0 ~> 0x1] +/// arg2: [0x0 ~> 0xffffffffffffffff] +/// arg3: [0x0 ~> 0xffffffffffffffff] +/// Output Bounds: +/// out1: [0x0 ~> 0xffffffffffffffff] +/// out2: [0x0 ~> 0x1] +#[inline] +pub fn fiat_curve25519_solinas_subborrowx_u64(out1: &mut u64, out2: &mut fiat_curve25519_solinas_u1, arg1: fiat_curve25519_solinas_u1, arg2: u64, arg3: u64) -> () { + let x1: i128 = (((arg2 as i128) - (arg1 as i128)) - (arg3 as i128)); + let x2: fiat_curve25519_solinas_i1 = ((x1 >> 64) as fiat_curve25519_solinas_i1); + let x3: u64 = ((x1 & (0xffffffffffffffff as i128)) as u64); + *out1 = x3; + *out2 = (((0x0 as fiat_curve25519_solinas_i2) - (x2 as fiat_curve25519_solinas_i2)) as fiat_curve25519_solinas_u1); +} + +/// The function fiat_curve25519_solinas_mulx_u64 is a multiplication, returning the full double-width result. +/// +/// Postconditions: +/// out1 = (arg1 * arg2) mod 2^64 +/// out2 = ⌊arg1 * arg2 / 2^64⌋ +/// +/// Input Bounds: +/// arg1: [0x0 ~> 0xffffffffffffffff] +/// arg2: [0x0 ~> 0xffffffffffffffff] +/// Output Bounds: +/// out1: [0x0 ~> 0xffffffffffffffff] +/// out2: [0x0 ~> 0xffffffffffffffff] +#[inline] +pub fn fiat_curve25519_solinas_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u64, arg2: u64) -> () { + let x1: u128 = ((arg1 as u128) * (arg2 as u128)); + let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64); + let x3: u64 = ((x1 >> 64) as u64); + *out1 = x2; + *out2 = x3; +} + +/// The function fiat_curve25519_solinas_mulmod multiplies two field elements. 
+/// +/// Postconditions: +/// evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// +/// Input Bounds: +/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// Output Bounds: +/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +#[inline] +pub fn fiat_curve25519_solinas_mulmod(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> () { + let mut x1: u64 = 0; + let mut x2: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x1, &mut x2, (arg1[3]), (arg2[3])); + let mut x3: u64 = 0; + let mut x4: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x3, &mut x4, (arg1[3]), (arg2[2])); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x5, &mut x6, (arg1[3]), (arg2[1])); + let mut x7: u64 = 0; + let mut x8: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x7, &mut x8, (arg1[3]), (arg2[0])); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x9, &mut x10, (arg1[2]), (arg2[3])); + let mut x11: u64 = 0; + let mut x12: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x11, &mut x12, (arg1[2]), (arg2[2])); + let mut x13: u64 = 0; + let mut x14: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x13, &mut x14, (arg1[2]), (arg2[1])); + let mut x15: u64 = 0; + let mut x16: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x15, &mut x16, (arg1[2]), (arg2[0])); + let mut x17: u64 = 0; + let mut x18: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x17, &mut x18, (arg1[1]), (arg2[3])); + let mut x19: u64 = 0; + let mut x20: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x19, &mut x20, 
(arg1[1]), (arg2[2])); + let mut x21: u64 = 0; + let mut x22: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x21, &mut x22, (arg1[1]), (arg2[1])); + let mut x23: u64 = 0; + let mut x24: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x23, &mut x24, (arg1[1]), (arg2[0])); + let mut x25: u64 = 0; + let mut x26: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x25, &mut x26, (arg1[0]), (arg2[3])); + let mut x27: u64 = 0; + let mut x28: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x27, &mut x28, (arg1[0]), (arg2[2])); + let mut x29: u64 = 0; + let mut x30: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x29, &mut x30, (arg1[0]), (arg2[1])); + let mut x31: u64 = 0; + let mut x32: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x31, &mut x32, (arg1[0]), (arg2[0])); + let mut x33: u64 = 0; + let mut x34: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x33, &mut x34, 0x0, x28, x7); + let mut x35: u64 = 0; + let mut x36: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x35, &mut x36, x34, x26, x5); + let x37: u64 = ((x36 as u64) + x18); + let mut x38: u64 = 0; + let mut x39: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x38, &mut x39, 0x0, x33, x13); + let mut x40: u64 = 0; + let mut x41: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x40, &mut x41, x39, x35, x8); + let mut x42: u64 = 0; + let mut x43: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x42, &mut x43, x41, x37, (0x0 as u64)); + let x44: u64 = ((x43 as u64) + x10); + let mut x45: u64 = 0; + let mut x46: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x45, &mut x46, 0x0, x30, x15); + let mut x47: u64 = 0; + let mut x48: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x47, &mut x48, x46, x38, x16); + let mut x49: u64 = 0; + let mut x50: fiat_curve25519_solinas_u1 = 0; + 
fiat_curve25519_solinas_addcarryx_u64(&mut x49, &mut x50, x48, x40, x11); + let mut x51: u64 = 0; + let mut x52: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x51, &mut x52, x50, x42, x3); + let mut x53: u64 = 0; + let mut x54: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x53, &mut x54, x52, x44, (0x0 as u64)); + let x55: u64 = ((x54 as u64) + x2); + let mut x56: u64 = 0; + let mut x57: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x56, &mut x57, 0x0, x45, x21); + let mut x58: u64 = 0; + let mut x59: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x58, &mut x59, x57, x47, x19); + let mut x60: u64 = 0; + let mut x61: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x60, &mut x61, x59, x49, x14); + let mut x62: u64 = 0; + let mut x63: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x62, &mut x63, x61, x51, x6); + let mut x64: u64 = 0; + let mut x65: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x64, &mut x65, x63, x53, (0x0 as u64)); + let mut x66: u64 = 0; + let mut x67: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x66, &mut x67, x65, x55, (0x0 as u64)); + let mut x68: u64 = 0; + let mut x69: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x68, &mut x69, 0x0, x32, x23); + let mut x70: u64 = 0; + let mut x71: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x70, &mut x71, x69, x56, x24); + let mut x72: u64 = 0; + let mut x73: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x72, &mut x73, x71, x58, x22); + let mut x74: u64 = 0; + let mut x75: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x74, &mut x75, x73, x60, x17); + let mut x76: u64 = 0; + let mut x77: fiat_curve25519_solinas_u1 = 0; + 
fiat_curve25519_solinas_addcarryx_u64(&mut x76, &mut x77, x75, x62, x9); + let mut x78: u64 = 0; + let mut x79: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x78, &mut x79, x77, x64, x1); + let mut x80: u64 = 0; + let mut x81: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x80, &mut x81, x79, x66, (0x0 as u64)); + let mut x82: u64 = 0; + let mut x83: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x82, &mut x83, 0x0, x68, x29); + let mut x84: u64 = 0; + let mut x85: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x84, &mut x85, x83, x70, x27); + let mut x86: u64 = 0; + let mut x87: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x86, &mut x87, x85, x72, x25); + let mut x88: u64 = 0; + let mut x89: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x88, &mut x89, x87, x74, x20); + let mut x90: u64 = 0; + let mut x91: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x90, &mut x91, x89, x76, x12); + let mut x92: u64 = 0; + let mut x93: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x92, &mut x93, x91, x78, x4); + let mut x94: u64 = 0; + let mut x95: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x94, &mut x95, x93, x80, (0x0 as u64)); + let mut x96: u64 = 0; + let mut x97: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x96, &mut x97, 0x26, x92); + let mut x98: u64 = 0; + let mut x99: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x98, &mut x99, 0x26, x90); + let mut x100: u64 = 0; + let mut x101: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x100, &mut x101, 0x26, x88); + let mut x102: u64 = 0; + let mut x103: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x102, &mut x103, 0x0, x82, x98); + let mut x104: u64 = 0; + let mut x105: fiat_curve25519_solinas_u1 = 0; + 
fiat_curve25519_solinas_addcarryx_u64(&mut x104, &mut x105, x103, x84, x96); + let mut x106: u64 = 0; + let mut x107: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x106, &mut x107, 0x26, x94); + let mut x108: u64 = 0; + let mut x109: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x108, &mut x109, x105, x86, x106); + let mut x110: u64 = 0; + let mut x111: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x110, &mut x111, 0x26, x94); + let x112: u64 = ((x109 as u64) + x111); + let mut x113: u64 = 0; + let mut x114: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x113, &mut x114, 0x0, x31, x100); + let mut x115: u64 = 0; + let mut x116: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x115, &mut x116, x114, x102, x101); + let mut x117: u64 = 0; + let mut x118: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x117, &mut x118, x116, x104, x99); + let mut x119: u64 = 0; + let mut x120: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x119, &mut x120, x118, x108, x97); + let x121: u64 = ((x120 as u64) + x112); + let mut x122: u64 = 0; + let mut x123: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x122, &mut x123, 0x26, x121); + let mut x124: u64 = 0; + let mut x125: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x124, &mut x125, 0x0, x113, x122); + let mut x126: u64 = 0; + let mut x127: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x126, &mut x127, x125, x115, (0x0 as u64)); + let mut x128: u64 = 0; + let mut x129: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x128, &mut x129, x127, x117, (0x0 as u64)); + let mut x130: u64 = 0; + let mut x131: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x130, &mut x131, x129, x119, (0x0 as u64)); + let mut x132: u64 = 0; + let mut x133: u64 = 0; + 
fiat_curve25519_solinas_mulx_u64(&mut x132, &mut x133, 0x26, x131); + let mut x134: u64 = 0; + let mut x135: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x134, &mut x135, 0x0, x124, x132); + let mut x136: u64 = 0; + let mut x137: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x136, &mut x137, x135, x126, (0x0 as u64)); + let mut x138: u64 = 0; + let mut x139: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x138, &mut x139, x137, x128, (0x0 as u64)); + let mut x140: u64 = 0; + let mut x141: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x140, &mut x141, x139, x130, (0x0 as u64)); + out1[0] = x134; + out1[1] = x136; + out1[2] = x138; + out1[3] = x140; +} diff --git a/fiat-rust/src/lib.rs b/fiat-rust/src/lib.rs index 3a0d1ca25e..3871b637f0 100644 --- a/fiat-rust/src/lib.rs +++ b/fiat-rust/src/lib.rs @@ -4,6 +4,7 @@ pub mod curve25519_32; pub mod curve25519_64; pub mod curve25519_scalar_32; pub mod curve25519_scalar_64; +pub mod curve25519_solinas_64; pub mod p224_32; pub mod p224_64; pub mod p256_32; diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig new file mode 100644 index 0000000000..42b4ddc8e3 --- /dev/null +++ b/fiat-zig/src/curve25519_solinas_64.zig 
@@ -0,0 +1,320 @@ +// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mulmod +// curve description (via package name): curve25519_solinas +// machine_wordsize = 64 (from "64") +// requested operations: mulmod +// s-c = 2^255 - [(1, 19)] (from "2^255 - 19") +// +// Computed values: +// + +const std = @import("std"); +const mode = @import("builtin").mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels + +inline fn cast(comptime DestType: type, target: anytype) DestType { + if (@typeInfo(@TypeOf(target)) == .Int) { + const dest = @typeInfo(DestType).Int; + const source = @typeInfo(@TypeOf(target)).Int; + if (dest.bits < source.bits) { + return @bitCast(DestType, @truncate(std.meta.Int(source.signedness, dest.bits), target)); + } else { + return @bitCast(DestType, @as(std.meta.Int(source.signedness, dest.bits), target)); + } + } + return @as(DestType, target); +} + +/// The function addcarryxU64 is an addition with carry. +/// +/// Postconditions: +/// out1 = (arg1 + arg2 + arg3) mod 2^64 +/// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ +/// +/// Input Bounds: +/// arg1: [0x0 ~> 0x1] +/// arg2: [0x0 ~> 0xffffffffffffffff] +/// arg3: [0x0 ~> 0xffffffffffffffff] +/// Output Bounds: +/// out1: [0x0 ~> 0xffffffffffffffff] +/// out2: [0x0 ~> 0x1] +inline fn addcarryxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) void { + @setRuntimeSafety(mode == .Debug); + + const x1 = ((cast(u128, arg1) + cast(u128, arg2)) + cast(u128, arg3)); + const x2 = cast(u64, (x1 & cast(u128, 0xffffffffffffffff))); + const x3 = cast(u1, (x1 >> 64)); + out1.* = x2; + out2.* = x3; +} + +/// The function subborrowxU64 is a subtraction with borrow. 
+/// +/// Postconditions: +/// out1 = (-arg1 + arg2 + -arg3) mod 2^64 +/// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ +/// +/// Input Bounds: +/// arg1: [0x0 ~> 0x1] +/// arg2: [0x0 ~> 0xffffffffffffffff] +/// arg3: [0x0 ~> 0xffffffffffffffff] +/// Output Bounds: +/// out1: [0x0 ~> 0xffffffffffffffff] +/// out2: [0x0 ~> 0x1] +inline fn subborrowxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) void { + @setRuntimeSafety(mode == .Debug); + + const x1 = ((cast(i128, arg2) - cast(i128, arg1)) - cast(i128, arg3)); + const x2 = cast(i1, (x1 >> 64)); + const x3 = cast(u64, (x1 & cast(i128, 0xffffffffffffffff))); + out1.* = x3; + out2.* = cast(u1, (cast(i2, 0x0) - cast(i2, x2))); +} + +/// The function mulxU64 is a multiplication, returning the full double-width result. +/// +/// Postconditions: +/// out1 = (arg1 * arg2) mod 2^64 +/// out2 = ⌊arg1 * arg2 / 2^64⌋ +/// +/// Input Bounds: +/// arg1: [0x0 ~> 0xffffffffffffffff] +/// arg2: [0x0 ~> 0xffffffffffffffff] +/// Output Bounds: +/// out1: [0x0 ~> 0xffffffffffffffff] +/// out2: [0x0 ~> 0xffffffffffffffff] +inline fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) void { + @setRuntimeSafety(mode == .Debug); + + const x1 = (cast(u128, arg1) * cast(u128, arg2)); + const x2 = cast(u64, (x1 & cast(u128, 0xffffffffffffffff))); + const x3 = cast(u64, (x1 >> 64)); + out1.* = x2; + out2.* = x3; +} + +/// The function mulmod multiplies two field elements. 
+/// +/// Postconditions: +/// evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// +/// Input Bounds: +/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// Output Bounds: +/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +pub fn mulmod(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { + @setRuntimeSafety(mode == .Debug); + + var x1: u64 = undefined; + var x2: u64 = undefined; + mulxU64(&x1, &x2, (arg1[3]), (arg2[3])); + var x3: u64 = undefined; + var x4: u64 = undefined; + mulxU64(&x3, &x4, (arg1[3]), (arg2[2])); + var x5: u64 = undefined; + var x6: u64 = undefined; + mulxU64(&x5, &x6, (arg1[3]), (arg2[1])); + var x7: u64 = undefined; + var x8: u64 = undefined; + mulxU64(&x7, &x8, (arg1[3]), (arg2[0])); + var x9: u64 = undefined; + var x10: u64 = undefined; + mulxU64(&x9, &x10, (arg1[2]), (arg2[3])); + var x11: u64 = undefined; + var x12: u64 = undefined; + mulxU64(&x11, &x12, (arg1[2]), (arg2[2])); + var x13: u64 = undefined; + var x14: u64 = undefined; + mulxU64(&x13, &x14, (arg1[2]), (arg2[1])); + var x15: u64 = undefined; + var x16: u64 = undefined; + mulxU64(&x15, &x16, (arg1[2]), (arg2[0])); + var x17: u64 = undefined; + var x18: u64 = undefined; + mulxU64(&x17, &x18, (arg1[1]), (arg2[3])); + var x19: u64 = undefined; + var x20: u64 = undefined; + mulxU64(&x19, &x20, (arg1[1]), (arg2[2])); + var x21: u64 = undefined; + var x22: u64 = undefined; + mulxU64(&x21, &x22, (arg1[1]), (arg2[1])); + var x23: u64 = undefined; + var x24: u64 = undefined; + mulxU64(&x23, &x24, (arg1[1]), (arg2[0])); + var x25: u64 = undefined; + var x26: 
u64 = undefined; + mulxU64(&x25, &x26, (arg1[0]), (arg2[3])); + var x27: u64 = undefined; + var x28: u64 = undefined; + mulxU64(&x27, &x28, (arg1[0]), (arg2[2])); + var x29: u64 = undefined; + var x30: u64 = undefined; + mulxU64(&x29, &x30, (arg1[0]), (arg2[1])); + var x31: u64 = undefined; + var x32: u64 = undefined; + mulxU64(&x31, &x32, (arg1[0]), (arg2[0])); + var x33: u64 = undefined; + var x34: u1 = undefined; + addcarryxU64(&x33, &x34, 0x0, x28, x7); + var x35: u64 = undefined; + var x36: u1 = undefined; + addcarryxU64(&x35, &x36, x34, x26, x5); + const x37 = (cast(u64, x36) + x18); + var x38: u64 = undefined; + var x39: u1 = undefined; + addcarryxU64(&x38, &x39, 0x0, x33, x13); + var x40: u64 = undefined; + var x41: u1 = undefined; + addcarryxU64(&x40, &x41, x39, x35, x8); + var x42: u64 = undefined; + var x43: u1 = undefined; + addcarryxU64(&x42, &x43, x41, x37, cast(u64, 0x0)); + const x44 = (cast(u64, x43) + x10); + var x45: u64 = undefined; + var x46: u1 = undefined; + addcarryxU64(&x45, &x46, 0x0, x30, x15); + var x47: u64 = undefined; + var x48: u1 = undefined; + addcarryxU64(&x47, &x48, x46, x38, x16); + var x49: u64 = undefined; + var x50: u1 = undefined; + addcarryxU64(&x49, &x50, x48, x40, x11); + var x51: u64 = undefined; + var x52: u1 = undefined; + addcarryxU64(&x51, &x52, x50, x42, x3); + var x53: u64 = undefined; + var x54: u1 = undefined; + addcarryxU64(&x53, &x54, x52, x44, cast(u64, 0x0)); + const x55 = (cast(u64, x54) + x2); + var x56: u64 = undefined; + var x57: u1 = undefined; + addcarryxU64(&x56, &x57, 0x0, x45, x21); + var x58: u64 = undefined; + var x59: u1 = undefined; + addcarryxU64(&x58, &x59, x57, x47, x19); + var x60: u64 = undefined; + var x61: u1 = undefined; + addcarryxU64(&x60, &x61, x59, x49, x14); + var x62: u64 = undefined; + var x63: u1 = undefined; + addcarryxU64(&x62, &x63, x61, x51, x6); + var x64: u64 = undefined; + var x65: u1 = undefined; + addcarryxU64(&x64, &x65, x63, x53, cast(u64, 0x0)); + var x66: u64 = 
undefined; + var x67: u1 = undefined; + addcarryxU64(&x66, &x67, x65, x55, cast(u64, 0x0)); + var x68: u64 = undefined; + var x69: u1 = undefined; + addcarryxU64(&x68, &x69, 0x0, x32, x23); + var x70: u64 = undefined; + var x71: u1 = undefined; + addcarryxU64(&x70, &x71, x69, x56, x24); + var x72: u64 = undefined; + var x73: u1 = undefined; + addcarryxU64(&x72, &x73, x71, x58, x22); + var x74: u64 = undefined; + var x75: u1 = undefined; + addcarryxU64(&x74, &x75, x73, x60, x17); + var x76: u64 = undefined; + var x77: u1 = undefined; + addcarryxU64(&x76, &x77, x75, x62, x9); + var x78: u64 = undefined; + var x79: u1 = undefined; + addcarryxU64(&x78, &x79, x77, x64, x1); + var x80: u64 = undefined; + var x81: u1 = undefined; + addcarryxU64(&x80, &x81, x79, x66, cast(u64, 0x0)); + var x82: u64 = undefined; + var x83: u1 = undefined; + addcarryxU64(&x82, &x83, 0x0, x68, x29); + var x84: u64 = undefined; + var x85: u1 = undefined; + addcarryxU64(&x84, &x85, x83, x70, x27); + var x86: u64 = undefined; + var x87: u1 = undefined; + addcarryxU64(&x86, &x87, x85, x72, x25); + var x88: u64 = undefined; + var x89: u1 = undefined; + addcarryxU64(&x88, &x89, x87, x74, x20); + var x90: u64 = undefined; + var x91: u1 = undefined; + addcarryxU64(&x90, &x91, x89, x76, x12); + var x92: u64 = undefined; + var x93: u1 = undefined; + addcarryxU64(&x92, &x93, x91, x78, x4); + var x94: u64 = undefined; + var x95: u1 = undefined; + addcarryxU64(&x94, &x95, x93, x80, cast(u64, 0x0)); + var x96: u64 = undefined; + var x97: u64 = undefined; + mulxU64(&x96, &x97, 0x26, x92); + var x98: u64 = undefined; + var x99: u64 = undefined; + mulxU64(&x98, &x99, 0x26, x90); + var x100: u64 = undefined; + var x101: u64 = undefined; + mulxU64(&x100, &x101, 0x26, x88); + var x102: u64 = undefined; + var x103: u1 = undefined; + addcarryxU64(&x102, &x103, 0x0, x82, x98); + var x104: u64 = undefined; + var x105: u1 = undefined; + addcarryxU64(&x104, &x105, x103, x84, x96); + var x106: u64 = undefined; + var 
x107: u64 = undefined; + mulxU64(&x106, &x107, 0x26, x94); + var x108: u64 = undefined; + var x109: u1 = undefined; + addcarryxU64(&x108, &x109, x105, x86, x106); + var x110: u64 = undefined; + var x111: u64 = undefined; + mulxU64(&x110, &x111, 0x26, x94); + const x112 = (cast(u64, x109) + x111); + var x113: u64 = undefined; + var x114: u1 = undefined; + addcarryxU64(&x113, &x114, 0x0, x31, x100); + var x115: u64 = undefined; + var x116: u1 = undefined; + addcarryxU64(&x115, &x116, x114, x102, x101); + var x117: u64 = undefined; + var x118: u1 = undefined; + addcarryxU64(&x117, &x118, x116, x104, x99); + var x119: u64 = undefined; + var x120: u1 = undefined; + addcarryxU64(&x119, &x120, x118, x108, x97); + const x121 = (cast(u64, x120) + x112); + var x122: u64 = undefined; + var x123: u64 = undefined; + mulxU64(&x122, &x123, 0x26, x121); + var x124: u64 = undefined; + var x125: u1 = undefined; + addcarryxU64(&x124, &x125, 0x0, x113, x122); + var x126: u64 = undefined; + var x127: u1 = undefined; + addcarryxU64(&x126, &x127, x125, x115, cast(u64, 0x0)); + var x128: u64 = undefined; + var x129: u1 = undefined; + addcarryxU64(&x128, &x129, x127, x117, cast(u64, 0x0)); + var x130: u64 = undefined; + var x131: u1 = undefined; + addcarryxU64(&x130, &x131, x129, x119, cast(u64, 0x0)); + var x132: u64 = undefined; + var x133: u64 = undefined; + mulxU64(&x132, &x133, 0x26, x131); + var x134: u64 = undefined; + var x135: u1 = undefined; + addcarryxU64(&x134, &x135, 0x0, x124, x132); + var x136: u64 = undefined; + var x137: u1 = undefined; + addcarryxU64(&x136, &x137, x135, x126, cast(u64, 0x0)); + var x138: u64 = undefined; + var x139: u1 = undefined; + addcarryxU64(&x138, &x139, x137, x128, cast(u64, 0x0)); + var x140: u64 = undefined; + var x141: u1 = undefined; + addcarryxU64(&x140, &x141, x139, x130, cast(u64, 0x0)); + out1[0] = x134; + out1[1] = x136; + out1[2] = x138; + out1[3] = x140; +} diff --git a/src/CLI.v b/src/CLI.v index 7d07fb75d6..db8b9abc03 100644 
--- a/src/CLI.v +++ b/src/CLI.v @@ -1118,28 +1118,28 @@ Module ForExtraction. Module SolinasReduction. Local Instance api : PipelineAPI := { - spec := - {| Arg.named_args := [] - ; Arg.anon_args := [sc_spec] - ; Arg.anon_opt_args := [] - ; Arg.anon_opt_repeated_arg := Some (function_to_synthesize_spec SolinasReduction.valid_names) |}; - - parse_args opts args - := let '(tt, (str_sc, (s, c)), tt, requests) := args in - let show_requests := match requests with nil => "(all)" | _ => String.concat ", " requests end in - inl ((str_sc, show_requests), - (s, c, requests)); - - show_lines_args := - fun '((str_sc, show_requests), - (s, c, requests)) - => ["requested operations: " ++ show_requests; - "s-c = " ++ PowersOfTwo.show_Z s ++ " - " ++ show_c c ++ " (from """ ++ str_sc ++ """)"]; - - Synthesize - := fun _ opts '(s, c, requests) comment_header prefix - => SolinasReduction.Synthesize s c comment_header prefix requests - }. + spec := + {| Arg.named_args := [] + ; Arg.anon_args := [sc_spec] + ; Arg.anon_opt_args := [] + ; Arg.anon_opt_repeated_arg := Some (function_to_synthesize_spec SolinasReduction.valid_names) |}; + + parse_args opts args + := let '(tt, (str_sc, (s, c)), tt, requests) := args in + let show_requests := match requests with nil => "(all)" | _ => String.concat ", " requests end in + inl ((str_sc, show_requests), + (s, c, requests)); + + show_lines_args := + fun '((str_sc, show_requests), + (s, c, requests)) + => ["requested operations: " ++ show_requests; + "s-c = " ++ PowersOfTwo.show_Z s ++ " - " ++ show_c c ++ " (from """ ++ str_sc ++ """)"]; + + Synthesize + := fun _ opts '(s, c, requests) comment_header prefix + => SolinasReduction.Synthesize s c comment_header prefix requests + }. Definition PipelineMain {supported_languages : supported_languagesT} diff --git a/src/ExtractionHaskell/bedrock2_solinas_reduction.v b/src/ExtractionHaskell/bedrock2_solinas_reduction.v new file mode 100644 index 0000000000..0c3d6128d3 --- /dev/null 
+++ b/src/ExtractionHaskell/bedrock2_solinas_reduction.v @@ -0,0 +1,4 @@ +Require Import Crypto.Bedrock.Standalone.StandaloneHaskellMain. +Import Bedrock2First. + +Recursive Extraction SolinasReduction.main. diff --git a/src/ExtractionHaskell/solinas_reduction.v b/src/ExtractionHaskell/solinas_reduction.v new file mode 100644 index 0000000000..7339d92067 --- /dev/null +++ b/src/ExtractionHaskell/solinas_reduction.v @@ -0,0 +1,3 @@ +Require Import Crypto.StandaloneHaskellMain. + +Recursive Extraction SolinasReduction.main. diff --git a/src/ExtractionHaskell/with_bedrock2_solinas_reduction.v b/src/ExtractionHaskell/with_bedrock2_solinas_reduction.v new file mode 100644 index 0000000000..702f7f1b6e --- /dev/null +++ b/src/ExtractionHaskell/with_bedrock2_solinas_reduction.v @@ -0,0 +1,4 @@ +Require Import Crypto.Bedrock.Standalone.StandaloneHaskellMain. +Import Bedrock2Later. + +Recursive Extraction SolinasReduction.main. diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index 9179942a55..724c2f337c 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v @@ -102,7 +102,7 @@ Section __. Definition m := s - Associational.eval c. Definition weight := UniformWeight.uweight machine_wordsize. Definition up_bound := 2 ^ (machine_wordsize / 4). - Definition base := 2 ^ machine_wordsize. + Definition base : Z := 2 ^ machine_wordsize. Let possible_values := possible_values_of_machine_wordsize. Definition bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. @@ -132,7 +132,6 @@ Section __. ; (weight n / s * Associational.eval c [text_before_function_name ++ fname ++ " multiplies two field elements."]%string) (mulmod_correct weight n m boundsn)). 
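Review bot: The `: Z` ascription added to `base` in the `@@ -102,7 +102,7 @@` hunk of SolinasReduction.v is the only typed definition in this group; the context line directly above, `Definition up_bound := 2 ^ (machine_wordsize / 4).`, is still left to inference. If the annotation was needed because `2 ^ machine_wordsize` elaborated at an unintended type, `up_bound` is presumably exposed to the same problem, so either ascribe it the same way, `Definition up_bound : Z := 2 ^ (machine_wordsize / 4).`, or add a one-line comment on `base` saying why only it needs the ascription. The enclosing `Section __` begins before the hunk.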
@@ -213,12 +212,12 @@ Locate ErrorMessage. Local Ltac prove_correctness _ := Primitives.prove_correctness use_curve_good. - Lemma mul_correct res - (Hres : mul = Success res) + Lemma mulmod_correct res + (Hres : mulmod = Success res) : mulmod_correct weight n m boundsn (Interp res). Proof using curve_good. prove_correctness (). Qed. - Lemma Wf_mul res (Hres : mul = Success res) : Wf res. + Lemma Wf_mulmod res (Hres : mulmod = Success res) : Wf res. Proof using Type. prove_pipeline_wf (). Qed. Section for_stringification. @@ -226,7 +225,7 @@ Locate ErrorMessage. Local Open Scope list_scope. Definition known_functions - := [("mul", wrap_s smul)]. + := [("mulmod", wrap_s smulmod)]. Definition valid_names : string := Eval compute in String.concat ", " (List.map (@fst _ _) known_functions). @@ -249,10 +248,10 @@ End __. Module Export Hints. #[global] Hint Opaque - mul + mulmod : wf_op_cache. #[global] Hint Immediate - Wf_mul + Wf_mulmod : wf_op_cache. End Hints. diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v index e83befaeef..b2d63a4cb6 100644 --- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v +++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v 
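Review bot: The hunk header `@@ -213,12 +212,12 @@ Locate ErrorMessage.` indicates that an unindented `Locate ErrorMessage.` vernacular command sits above the renamed `mulmod_correct` lemma in this file; that looks like a debugging query left in (git's context picks the nearest preceding unindented line, so the exact position is inferred). It prints on every build and has no effect on the development, so it should be removed alongside this rename; the same header context appears on the `@@ -226` hunk below. The enclosing section starts before the hunk.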
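Review bot: The `("mulmod", wrap_s smulmod)` entry registered in `known_functions` currently synthesizes a redundant multiplication: in both generated outputs of this commit (fiat-rust and fiat-zig `mulmod`), `mulx(0x26, x94)` is emitted twice, as `x106`/`x107` and again as `x110`/`x111`, and `x107` and `x110` are never read, so each call performs one extra 64x64 multiply. The emitted code is still straight-line with no data-dependent branching, so this is a cost issue rather than a correctness or timing one, and it presumably originates in the reification of `SolinasReduction.mulmod` rather than in this file. A comment on this entry, or a tracking issue, noting that the duplicated `mulx` should be folded before the output is relied on for performance would keep it from being forgotten.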
@@ -14,78 +14,74 @@ Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBU Import Language.API.Compilers Language.Wf.Compilers. +Import SolinasReduction.SolinasReduction. -Module Export SolinasReductionCache. +Strategy -500 [Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by + Crypto.Arithmetic.Saturated.Columns.cons_to_nth + Coq.ZArith.BinInt.Z.to_hex_int + Crypto.Arithmetic.Saturated.Rows.extract_row + Crypto.Arithmetic.Saturated.Associational.sat_multerm + Crypto.Arithmetic.Saturated.Rows.flatten' + Coq.Init.Nat.to_hex_uint + Coq.ZArith.BinInt.Z.to_int + Coq.Init.Nat.to_little_hex_uint + Crypto.Arithmetic.Saturated.Rows.from_columns + Crypto.Arithmetic.Saturated.Rows.adjust_s + Crypto.Arithmetic.SolinasReduction.SolinasReduction.fold_andb_map' + Coq.Init.Nat.to_uint + Crypto.Arithmetic.Core.Associational.split + Coq.Init.Decimal.rev + Coq.Init.Hexadecimal.revapp + Crypto.Arithmetic.Saturated.Columns.from_associational + Crypto.Arithmetic.SolinasReduction.SolinasReduction.sat_reduce + Coq.Init.Datatypes.andb + Coq.PArith.BinPos.Pos.to_little_hex_uint + Coq.PArith.BinPos.Pos.to_little_uint + Crypto.Arithmetic.SolinasReduction.SolinasReduction.mulmod + Coq.Init.Decimal.Little.double + Coq.Lists.List.tl + Crypto.Arithmetic.Core.Positional.place + Crypto.Arithmetic.Saturated.Rows.sum_rows' + Crypto.Arithmetic.Core.Positional.add_to_nth + Coq.Init.Decimal.Little.succ + Crypto.Arithmetic.Core.Positional.to_associational + Coq.Init.Nat.to_num_uint + Coq.Init.Hexadecimal.Little.succ + Coq.Init.Nat.to_num_hex_uint + Crypto.Arithmetic.SolinasReduction.SolinasReduction.dual_map + Crypto.Arithmetic.Saturated.Rows.from_columns' + Coq.Init.Hexadecimal.Little.double + Crypto.Arithmetic.UniformWeight.uweight + Crypto.Arithmetic.Saturated.Associational.sat_mul + Coq.Init.Datatypes.nat_rect + Coq.Init.Nat.to_little_uint + Crypto.Arithmetic.Saturated.Associational.sat_multerm_const + Crypto.Arithmetic.Saturated.Columns.nils + 
Crypto.Arithmetic.Saturated.Rows.max_column_size + Crypto.Arithmetic.Saturated.Rows.sum_rows + Crypto.Arithmetic.ModOps.weight + Coq.Init.Decimal.revapp + Crypto.Arithmetic.Saturated.Associational.sat_mul_const + Coq.Lists.List.hd + Coq.ZArith.BinInt.Z.to_num_int + Crypto.Arithmetic.Saturated.Rows.from_associational + Coq.PArith.BinPos.Pos.to_uint + Rewriter.Util.LetIn.Let_In + Crypto.Arithmetic.Core.Positional.zeros + Coq.PArith.BinPos.Pos.to_hex_uint + Coq.ZArith.BinInt.Z.to_num_hex_int + Coq.Init.Hexadecimal.rev + Crypto.Arithmetic.Saturated.Rows.flatten]. - Import SolinasReduction.SolinasReduction. - - Strategy -500 [Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by - Crypto.Arithmetic.Saturated.Columns.cons_to_nth - Coq.ZArith.BinInt.Z.to_hex_int - Crypto.Arithmetic.Saturated.Rows.extract_row - Crypto.Arithmetic.Saturated.Associational.sat_multerm - Crypto.Arithmetic.Saturated.Rows.flatten' - Coq.Init.Nat.to_hex_uint - Coq.ZArith.BinInt.Z.to_int - Coq.Init.Nat.to_little_hex_uint - Crypto.Arithmetic.Saturated.Rows.from_columns - Crypto.Arithmetic.Saturated.Rows.adjust_s - Crypto.Arithmetic.SolinasReduction.SolinasReduction.fold_andb_map' - Coq.Init.Nat.to_uint - Crypto.Arithmetic.Core.Associational.split - Coq.Init.Decimal.rev - Coq.Init.Hexadecimal.revapp - Crypto.Arithmetic.Saturated.Columns.from_associational - Crypto.Arithmetic.SolinasReduction.SolinasReduction.sat_reduce - Coq.Init.Datatypes.andb - Coq.PArith.BinPos.Pos.to_little_hex_uint - Coq.PArith.BinPos.Pos.to_little_uint - Crypto.Arithmetic.SolinasReduction.SolinasReduction.mulmod - Coq.Init.Decimal.Little.double - Coq.Lists.List.tl - Crypto.Arithmetic.Core.Positional.place - Crypto.Arithmetic.Saturated.Rows.sum_rows' - Crypto.Arithmetic.Core.Positional.add_to_nth - Coq.Init.Decimal.Little.succ - Crypto.Arithmetic.Core.Positional.to_associational - Coq.Init.Nat.to_num_uint - Coq.Init.Hexadecimal.Little.succ - Coq.Init.Nat.to_num_hex_uint - 
Crypto.Arithmetic.SolinasReduction.SolinasReduction.dual_map - Crypto.Arithmetic.Saturated.Rows.from_columns' - Coq.Init.Hexadecimal.Little.double - Crypto.Arithmetic.UniformWeight.uweight - Crypto.Arithmetic.Saturated.Associational.sat_mul - Coq.Init.Datatypes.nat_rect - Coq.Init.Nat.to_little_uint - Crypto.Arithmetic.Saturated.Associational.sat_multerm_const - Crypto.Arithmetic.Saturated.Columns.nils - Crypto.Arithmetic.Saturated.Rows.max_column_size - Crypto.Arithmetic.Saturated.Rows.sum_rows - Crypto.Arithmetic.ModOps.weight - Coq.Init.Decimal.revapp - Crypto.Arithmetic.Saturated.Associational.sat_mul_const - Coq.Lists.List.hd - Coq.ZArith.BinInt.Z.to_num_int - Crypto.Arithmetic.Saturated.Rows.from_associational - Coq.PArith.BinPos.Pos.to_uint - Rewriter.Util.LetIn.Let_In - Crypto.Arithmetic.Core.Positional.zeros - Coq.PArith.BinPos.Pos.to_hex_uint - Coq.ZArith.BinInt.Z.to_num_hex_int - Coq.Init.Hexadecimal.rev - Crypto.Arithmetic.Saturated.Rows.flatten]. - - Derive reified_solmul_gen - SuchThat (is_reification_of reified_solmul_gen mulmod) - As reified_solmul_gen_correct. - Proof. Time cache_reify (). Time Qed. +Derive reified_solmul_gen + SuchThat (is_reification_of reified_solmul_gen mulmod) + As reified_solmul_gen_correct. +Proof. Time cache_reify (). Time Qed. #[global] - Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_solmul_gen) : reify_cache_gen. + Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_solmul_gen) : reify_cache_gen. #[global] - Hint Immediate (proj2 reified_solmul_gen_correct) : wf_gen_cache. + Hint Immediate (proj2 reified_solmul_gen_correct) : wf_gen_cache. #[global] - Hint Rewrite (proj1 reified_solmul_gen_correct) : interp_gen_cache. - Local Opaque reified_solmul_gen. (* needed for making [autorewrite] not take a very long time *) -End SolinasReductionCache. + Hint Rewrite (proj1 reified_solmul_gen_correct) : interp_gen_cache. +Local Opaque reified_solmul_gen. 
(* needed for making [autorewrite] not take a very long time *)
diff --git a/src/StandaloneOCamlMain.v b/src/StandaloneOCamlMain.v
index 795af2a4c8..b221fb88ea 100644
--- a/src/StandaloneOCamlMain.v
+++ b/src/StandaloneOCamlMain.v
@@ -15,6 +15,7 @@ Global Unset Extraction Optimize.
 (** Work around COQBUG(https://github.com/coq/coq/issues/4875) / COQBUG(https://github.com/coq/coq/issues/7954) / COQBUG(https://github.com/coq/coq/issues/7954) / https://discuss.ocaml.org/t/why-wont-ocaml-specialize-weak-type-variables-in-dead-code/7776 *)
 Extraction Inline Show.ShowLevel_of_Show.
+Extraction Inline SolinasReductionReificationCache.reified_solmul_gen.
 Inductive int : Set := int_O | int_S (x : int).
From 9dc092e119906ecd0ba59bc3ff125ff80eb035de Mon Sep 17 00:00:00 2001
From: Samuel Tian
Date: Wed, 24 Aug 2022 19:45:00 -0400
Subject: [PATCH 42/69] initial pr fixes
---
 src/Arithmetic/SolinasReduction.v | 516 ++++++------------
 src/PushButtonSynthesis/SolinasReduction.v | 8 +-
 .../SolinasReductionReificationCache.v | 191 +++++-
 3 files changed, 333 insertions(+), 382 deletions(-)
diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v
index 0b123189ca..c7b20a7379 100644
--- a/src/Arithmetic/SolinasReduction.v
+++ b/src/Arithmetic/SolinasReduction.v
@@ -98,7 +98,7 @@ Module SolinasReduction.
 | _ => apply Z.mod_small
 | |- _ mod (?x * ?y) < (?y * ?x) => rewrite Z.mul_comm with (n:=x)
 | _ => apply OrdersEx.Z_as_OT.mod_pos_bound
- | [ |- 0 <= _ mod _ ] => apply Z_mod_nonneg_nonneg
+ (* | [ |- 0 <= _ mod _ ] => apply Z_mod_nonneg_nonneg *)
 | [ |- 0 <= weight _ ] => apply OrdersEx.Z_as_OT.lt_le_incl; auto
 | _ => split
@@ -180,7 +180,7 @@ Module SolinasReduction.
 Lemma map_weight_seq : forall m p,
 map weight (seq 0 p) = map (fun t => t / (weight m)) (map weight (seq m p)).
 Proof.
- induction m; intros; push.
+ induction m as [| m IHm]; intros; push.
 erewrite map_ext.
 eauto.
 intros.
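Review bot: The added `Extraction Inline SolinasReductionReificationCache.reified_solmul_gen.` sits directly under a comment that explains a different workaround (the `Show.ShowLevel_of_Show` COQBUG links), so a reader will attribute the new line to that bug. Give it its own one-line comment stating why the derived term must be inlined for extraction; the reason is not visible in this patch, so something like `(* reified_solmul_gen is Local Opaque in its cache file; inline it so the extracted code does not go through the opaque constant -- confirm *)` should be adjusted to the actual cause. Without it the next person to touch this block cannot tell whether the line is still needed.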
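Review bot: The `Z_mod_nonneg_nonneg` branch of the `match goal` is left in the tactic as a commented-out line with no explanation, which reads as an unfinished edit rather than a decision. If the lemma was dropped because it no longer resolves or because `OrdersEx.Z_as_OT.mod_pos_bound` on the line above already discharges that goal, delete the line or replace it with a comment such as `(* 0 <= _ mod _ is covered by mod_pos_bound above *)`. The enclosing tactic definition starts outside the hunk.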
@@ -191,13 +191,12 @@ Module SolinasReduction. rewrite IHm. rewrite <-seq_shift. push. - apply map_ext_Forall. - rewrite Forall_forall. - intros. + apply map_ext_in. + intros a H. rewrite in_seq in H. weight_comp; try lia. - rewrite <-!OrdersEx.Z_as_OT.pow_add_r; try lia. - rewrite <-!OrdersEx.Z_as_OT.pow_sub_r; try lia. + rewrite <-!Z.pow_add_r; try lia. + rewrite <-!Z.pow_sub_r; try lia. f_equal. lia. Qed. @@ -454,7 +453,7 @@ Module SolinasReduction. Proof. intros. rewrite canonical_iff. - autounfold. + repeat autounfold. split. intuition. generalize dependent n. @@ -480,7 +479,8 @@ Module SolinasReduction. | H : In _ _ |- _ => cbn in H | H : context[S _] |- _ => cbn in H | H : context[_ && _] |- _ => rewrite andb_true_iff in H - | _ => progress cbn || intuition + | H : context[_ <=? _] |- _ => rewrite <-Zle_is_le_bool in H + | _ => progress cbn || intuition || subst | _ => lia | _ => eapply IHp end. @@ -492,10 +492,12 @@ Module SolinasReduction. Proof using Type. intros. pose proof eval_weight_S as Heval. - autounfold with * in *. + repeat autounfold with * in *. generalize dependent n; induction p; intros; destruct n; repeat multimatch goal with | H : context[fold_right _ _ _] |- _ => cbn in H + | H : context[_ && _] |- _ => rewrite andb_true_iff in H + | H : context[_ <=? _] |- _ => rewrite <-Zle_is_le_bool in H | _ => solve_ineq | _ => rewrite Heval | _ => push @@ -514,7 +516,7 @@ Module SolinasReduction. split. apply eval_is_bounded_by_pos; auto. pose proof eval_weight_S as Heval. - autounfold with * in *. + repeat autounfold with * in *. generalize dependent n; induction p; intros; destruct n; repeat multimatch goal with | H : context[fold_right _ _ _] |- _ => progress cbn in H @@ -530,7 +532,7 @@ Module SolinasReduction. etransitivity. solve_ineq. break_match; eauto. - apply OrdersEx.Z_as_OT.mul_le_mono_nonneg_r; try lia. + apply Z.mul_le_mono_nonneg_r; try lia. le_lt. apply IHp; auto. weight_comp; unfold machine_wordsize; lia. 
@@ -541,7 +543,7 @@ Module SolinasReduction. is_bounded_by (b :: bounds) (p' :: p) = true -> is_bounded_by bounds p = true. Proof. - intros; autounfold in *; match goal with | H : _ |- _ => push' H end. + intros; repeat autounfold in *; match goal with | H : _ |- _ => push' H end. Qed. Hint Resolve is_bounded_by_cons1 : ibb. @@ -549,7 +551,7 @@ Module SolinasReduction. is_bounded_by (b :: bounds) (p' :: p) = true -> fst b <= p' <= snd b. Proof. - intros; autounfold in *; match goal with | H : _ |- _ => push' H end. + intros; repeat autounfold in *; match goal with | H : _ |- _ => push' H end. Qed. Hint Resolve is_bounded_by_cons2 : ibb. @@ -558,7 +560,7 @@ Module SolinasReduction. is_bounded_by bounds p = true /\ fst b <= p' <= snd b. Proof. - intros; autounfold in *; match goal with | H : _ |- _ => push' H end. + intros; repeat autounfold in *; match goal with | H : _ |- _ => push' H end. Qed. Hint Resolve is_bounded_by_cons : ibb. @@ -652,7 +654,7 @@ Module SolinasReduction. intros. generalize dependent bound1. generalize dependent bound2. - autounfold. + repeat autounfold. induction l as [ | ? ? IHl]; intros; destruct bound1; destruct bound2; repeat match goal with | H : context[length _] |- _ => progress autorewrite with push_length in H @@ -673,7 +675,7 @@ Module SolinasReduction. fold_andb_map' (fun x y => (fst y <=? fst x) && (snd x <=? snd y)) b b = true. Proof. intros. - autounfold. + repeat autounfold. induction b; repeat match goal with | _ => progress push @@ -902,7 +904,11 @@ Module SolinasReduction. Definition reduce1' base s c n m p := ltac:(let x := (eval cbv beta delta [reduce1_cps id] in (@reduce1_cps (list Z) base s c n m p id)) in exact x). - Print reduce1'. + + Definition reduce2 base s c n (p : list Z) := + let r1 := reduce1 base s c (2*n) (S n) p in + let r2 := reduce1 base s c (S n) (S n) r1 in + r2. Definition reduce2_cps {T} base s c n (p : list Z) (f : list Z -> T):= (r1 <- reduce1_cps base s c (2*n) (S n) p; 
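Review bot: `reduce2` is introduced next to `reduce2_cps` but, unlike the `reduce1`/`reduce1_cps_ok` and `reduce_full`/`reduce_full_cps_ok` pairs visible in the neighbouring hunks, nothing in this change relates the direct definition to its CPS form; if a `reduce2_cps_ok` lemma exists elsewhere it should be mentioned, otherwise add `Lemma reduce2_cps_ok {T} base s c n (f : list Z -> T) : forall p, reduce2_cps base s c n p f = f (reduce2 base s c n p).` in the same style. The definition also has no comment; a one-liner such as `(* two reduction rounds: 2*n limbs -> S n limbs -> S n limbs *)` would document why those limb counts are passed to `reduce1`. The trailing `let r2 := ... in r2` can simply be the second `reduce1` call.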
@@ -911,7 +917,6 @@ Module SolinasReduction. Definition reduce2' base s c n p := ltac:(let x := (eval cbv beta delta [reduce2_cps reduce1_cps id] in (@reduce2_cps (list Z) base s c n p id)) in exact x). - Print reduce2'. Lemma reduce1_cps_ok {T} base s c n m (f : list Z -> T) : forall p, reduce1_cps base s c n m p f = f (reduce1 base s c n m p). @@ -934,7 +939,6 @@ Module SolinasReduction. Definition reduce_full' base s c n p := ltac:(let x := (eval cbv beta delta [reduce_full_cps reduce1_cps id] in (@reduce_full_cps (list Z) base s c n p id)) in exact x). - Print reduce_full'. Lemma reduce_full_cps_ok {T} base s c n (f : list Z -> T) : forall p, reduce_full_cps base s c n p f = f (reduce_full base s c n p). @@ -980,7 +984,6 @@ Module SolinasReduction. Definition mulmod base s c n (p q : list Z) := ltac:(let x := (eval cbv beta delta [mulmod_cps mul_no_reduce_cps reduce_full_cps reduce1_cps id] in (@mulmod_cps (list Z) base s c n p q id)) in exact x). - Print mulmod. Lemma mulmod_unfold base s c n : forall p q, mulmod' base s c n p q = mulmod_cps base s c n p q id. @@ -1014,6 +1017,7 @@ Module SolinasReduction. specialize (IHl1 ltac:(auto)); specialize (H a ltac:(auto)); repeat multimatch goal with + | H : context[_ =? _] |- _ => rewrite DecidableClass.Decidable_eq_Z_obligation_1 in H | |- context[_ mod _] => rewrite Z.mod_small | _ => rewrite IHl1 | _ => push @@ -1028,7 +1032,7 @@ Module SolinasReduction. (forall x, In x l1 -> x mod w = 0) -> split w (combine l1 l2) = ([], combine (map (fun t => t / w) l1) l2). Proof. - intros. + intros H. generalize dependent l2. induction l1; intros; destruct l2; push; match goal with 
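Review bot: `rewrite DecidableClass.Decidable_eq_Z_obligation_1 in H` in the -1014 hunk depends on an auto-generated obligation name, which is not a stable interface and will silently break if the instance is reproved or its obligations are reordered. The statement of that obligation is the same as the stdlib lemma `Z.eqb_eq` (`(n =? m) = true <-> n = m`), so `| H : context[_ =? _] |- _ => rewrite Z.eqb_eq in H` does the same rewrite under a name that is part of the library's documented API. The enclosing lemma starts outside the hunk.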
@@ -1037,19 +1041,26 @@ Module SolinasReduction. specialize (IHl1 ltac:(auto)); specialize (H _ ltac:(auto)); repeat multimatch goal with + | H : ?x = 0, H1 : (?x =? 0) = false |- _ => rewrite H in H1 | _ => rewrite IHl1 | _ => push | _ => cbn | _ => lia | _ => auto | _ => break_match + | _ => discriminate end. Qed. Lemma weight_mono' x : weight x < weight (S x). Proof. - weight_comp; lia. + weight_comp. + rewrite Zred_factor0 at 1. + rewrite Z.mul_comm. + apply Zmult_lt_compat_r. + apply Z.pow_pos_nonneg. + all: lia. Qed. Lemma weight_mono'' x1 x2 : @@ -1116,7 +1127,7 @@ Module SolinasReduction. rewrite uweight_S with (n:=S (S n)); [ | lia]. fold weight. rewrite <-!Z.mul_sub_distr_l. - apply Zmult_lt_compat_l; lia. + apply Zmult_lt_compat_l; unfold machine_wordsize; lia. Qed. Lemma weight_dif_mono : forall n m, @@ -1298,7 +1309,7 @@ Module SolinasReduction. push. rewrite <-(firstn_skipn n p) in Heqb. replace m1 with (n + (m1 - n))%nat in Heqb by lia. - rewrite repeat_app in Heqb. + rewrite StdlibCompat.List.repeat_app in Heqb. solve_ineq. solve_ibb. solve_ibb. @@ -1320,6 +1331,7 @@ Module SolinasReduction. reflexivity. push. push. + push. Qed. Lemma eval_seq_start : forall a b p, @@ -1408,7 +1420,7 @@ Module SolinasReduction. rewrite <-(firstn_skipn n p) in H. replace (2*n-n)%nat with n by lia. replace (2 * n)%nat with (n + n)%nat in H by lia. - rewrite repeat_app in H. + rewrite StdlibCompat.List.repeat_app in H. solve_ineq. solve_ibb. @@ -1425,6 +1437,7 @@ Module SolinasReduction. weight_comp. rewrite <-Z.mul_succ_l. apply Zmult_lt_compat_r. + apply Z.pow_pos_nonneg; lia. all: cbn; break_match; lia. Qed. @@ -1694,6 +1707,7 @@ Module SolinasReduction. rewrite <-Z_div_mod_eq_full. auto. push. + push. lia. push. Qed. 
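Review bot: In the -1425 hunk `apply Zmult_lt_compat_r.` leaves two goals (`0 < p` and `n < m`) that are then closed by unstructured sentences on the following lines (`apply Z.pow_pos_nonneg; lia.` then `all: cbn; break_match; lia.`), so the goal structure is implicit and a change in the number or order of generated goals fails at a distant line. Goal selectors make it explicit: `apply Zmult_lt_compat_r; [ apply Z.pow_pos_nonneg; lia | cbn; break_match; lia ].` The same pattern appears in the -1786 and -1821 hunks that follow, where the new `apply Z.pow_pos_nonneg; cbn; break_match; lia.` and `cbn; lia.` lines should likewise be attached as a bracketed goal list. All three enclosing proofs start outside their hunks.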
@@ -1786,14 +1800,16 @@ Module SolinasReduction. end. weight_comp; try lia. rewrite <-Z.mul_succ_l. - apply Zmult_lt_compat_r; cbn; break_match; lia. + apply Zmult_lt_compat_r. + apply Z.pow_pos_nonneg; cbn; break_match; lia. + cbn; lia. rewrite Z.lt_add_lt_sub_r. etransitivity; [| apply (weight_dif_mono 1); lia]. weight_comp; cbn; break_match; lia. cbn; const_simpl; lia. replace (S n) with (n+1)%nat. - rewrite repeat_app. - autounfold. + rewrite StdlibCompat.List.repeat_app. + repeat autounfold. push. cbn. apply bounds_same. @@ -1821,7 +1837,9 @@ Module SolinasReduction. cbv [up_bound]. weight_comp; try lia. rewrite <-Z.mul_succ_l. - apply Zmult_lt_compat_r; cbn; break_match; lia. + apply Zmult_lt_compat_r. + apply Z.pow_pos_nonneg; cbn; break_match; lia. + cbn; lia. Qed. (* END SECTION REDUCE_FULL *) 
@@ -1847,309 +1865,139 @@ Module SolinasReduction. End __. - (* - Section compile. - - Let s := 2^255. - Let c := [(1, 19)]. - Let machine_wordsize := 64. - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := 2 * n. - Let w : nat -> Z := weight machine_wordsize 1. - Let base : Z := 2 ^ machine_wordsize. - - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. - Let boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound (n). - - Import Stringification.C.Compilers. - Import Stringification.C.Compilers.ToString. - - Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. - Local Instance : only_signed_opt := false. - Local Instance : no_select_opt := false. - Local Instance : static_opt := true. - Local Instance : internal_static_opt := true. - Local Instance : inline_opt := true. - Local Instance : inline_internal_opt := true. - Local Instance : use_mul_for_cmovznz_opt := false. - Local Instance : emit_primitives_opt := true. - Local Instance : should_split_mul_opt := false. - Local Instance : should_split_multiret_opt := false. - Local Instance : widen_carry_opt := false. - Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) - - Let possible_values := prefix_with_carry [machine_wordsize]. - Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) - Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. - Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. - Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - - Local Existing Instance default_low_level_rewriter_method. - Local Existing Instance AbstractInterpretation.default_Options. - Local Instance : unfold_value_barrier_opt := true. 
- Local Instance : assembly_hints_lines_opt := []. - Local Instance : ignore_unique_asm_names_opt := false. - Local Existing Instance default_language_naming_conventions. - Local Existing Instance default_documentation_options. - Local Instance : package_name_opt := None. - Local Instance : class_name_opt := None. - Local Existing Instance default_output_options. - - Let bounds := repeat bound n ++ [Some r[0 ~> (2^(machine_wordsize/4) - 1)]%zrange]. - - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat_p25519_" "fiat_p25519_mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (mulmod base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound (n)), (Some (repeat bound n), tt)) - (Some (repeat bound (n))) - (None, (None, tt)) - (None) - : Pipeline.ErrorT _). - - (* - = "Success (""/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static void fiat_p25519_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - fiat_p25519_uint1 x34; - uint64_t x35; - fiat_p25519_uint1 x36; - uint64_t 
x37; - uint64_t x38; - fiat_p25519_uint1 x39; - uint64_t x40; - fiat_p25519_uint1 x41; - uint64_t x42; - fiat_p25519_uint1 x43; - uint64_t x44; - uint64_t x45; - fiat_p25519_uint1 x46; - uint64_t x47; - fiat_p25519_uint1 x48; - uint64_t x49; - fiat_p25519_uint1 x50; - uint64_t x51; - fiat_p25519_uint1 x52; - uint64_t x53; - fiat_p25519_uint1 x54; - uint64_t x55; - uint64_t x56; - fiat_p25519_uint1 x57; - uint64_t x58; - fiat_p25519_uint1 x59; - uint64_t x60; - fiat_p25519_uint1 x61; - uint64_t x62; - fiat_p25519_uint1 x63; - uint64_t x64; - fiat_p25519_uint1 x65; - uint64_t x66; - fiat_p25519_uint1 x67; - uint64_t x68; - fiat_p25519_uint1 x69; - uint64_t x70; - fiat_p25519_uint1 x71; - uint64_t x72; - fiat_p25519_uint1 x73; - uint64_t x74; - fiat_p25519_uint1 x75; - uint64_t x76; - fiat_p25519_uint1 x77; - uint64_t x78; - fiat_p25519_uint1 x79; - uint64_t x80; - fiat_p25519_uint1 x81; - uint64_t x82; - fiat_p25519_uint1 x83; - uint64_t x84; - fiat_p25519_uint1 x85; - uint64_t x86; - fiat_p25519_uint1 x87; - uint64_t x88; - fiat_p25519_uint1 x89; - uint64_t x90; - fiat_p25519_uint1 x91; - uint64_t x92; - fiat_p25519_uint1 x93; - uint64_t x94; - fiat_p25519_uint1 x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - fiat_p25519_uint1 x103; - uint64_t x104; - fiat_p25519_uint1 x105; - uint64_t x106; - uint64_t x107; - uint64_t x108; - fiat_p25519_uint1 x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - fiat_p25519_uint1 x114; - uint64_t x115; - fiat_p25519_uint1 x116; - uint64_t x117; - fiat_p25519_uint1 x118; - uint64_t x119; - fiat_p25519_uint1 x120; - uint64_t x121; - uint64_t x122; - uint64_t x123; - uint64_t x124; - fiat_p25519_uint1 x125; - uint64_t x126; - fiat_p25519_uint1 x127; - uint64_t x128; - fiat_p25519_uint1 x129; - uint64_t x130; - fiat_p25519_uint1 x131; - uint64_t x132; - uint64_t x133; - uint64_t x134; - fiat_p25519_uint1 x135; - uint64_t x136; - 
fiat_p25519_uint1 x137; - uint64_t x138; - fiat_p25519_uint1 x139; - uint64_t x140; - fiat_p25519_uint1 x141; - fiat_p25519_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); - fiat_p25519_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); - fiat_p25519_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); - fiat_p25519_mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); - fiat_p25519_mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); - fiat_p25519_mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); - fiat_p25519_mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); - fiat_p25519_mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); - fiat_p25519_mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); - fiat_p25519_mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); - fiat_p25519_mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); - fiat_p25519_mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); - fiat_p25519_mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); - fiat_p25519_mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); - fiat_p25519_mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); - fiat_p25519_mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); - fiat_p25519_addcarryx_u64(&x33, &x34, 0x0, x28, x7); - fiat_p25519_addcarryx_u64(&x35, &x36, x34, x26, x5); - x37 = (x36 + x18); - fiat_p25519_addcarryx_u64(&x38, &x39, 0x0, x33, x13); - fiat_p25519_addcarryx_u64(&x40, &x41, x39, x35, x8); - fiat_p25519_addcarryx_u64(&x42, &x43, x41, x37, 0x0); - x44 = (x43 + x10); - fiat_p25519_addcarryx_u64(&x45, &x46, 0x0, x30, x15); - fiat_p25519_addcarryx_u64(&x47, &x48, x46, x38, x16); - fiat_p25519_addcarryx_u64(&x49, &x50, x48, x40, x11); - fiat_p25519_addcarryx_u64(&x51, &x52, x50, x42, x3); - fiat_p25519_addcarryx_u64(&x53, &x54, x52, x44, 0x0); - x55 = (x54 + x2); - fiat_p25519_addcarryx_u64(&x56, &x57, 0x0, x45, x21); - fiat_p25519_addcarryx_u64(&x58, &x59, x57, x47, x19); - fiat_p25519_addcarryx_u64(&x60, &x61, x59, x49, x14); - fiat_p25519_addcarryx_u64(&x62, &x63, x61, x51, x6); - fiat_p25519_addcarryx_u64(&x64, &x65, x63, x53, 0x0); - fiat_p25519_addcarryx_u64(&x66, &x67, x65, x55, 0x0); - 
fiat_p25519_addcarryx_u64(&x68, &x69, 0x0, x32, x23); - fiat_p25519_addcarryx_u64(&x70, &x71, x69, x56, x24); - fiat_p25519_addcarryx_u64(&x72, &x73, x71, x58, x22); - fiat_p25519_addcarryx_u64(&x74, &x75, x73, x60, x17); - fiat_p25519_addcarryx_u64(&x76, &x77, x75, x62, x9); - fiat_p25519_addcarryx_u64(&x78, &x79, x77, x64, x1); - fiat_p25519_addcarryx_u64(&x80, &x81, x79, x66, 0x0); - fiat_p25519_addcarryx_u64(&x82, &x83, 0x0, x68, x29); - fiat_p25519_addcarryx_u64(&x84, &x85, x83, x70, x27); - fiat_p25519_addcarryx_u64(&x86, &x87, x85, x72, x25); - fiat_p25519_addcarryx_u64(&x88, &x89, x87, x74, x20); - fiat_p25519_addcarryx_u64(&x90, &x91, x89, x76, x12); - fiat_p25519_addcarryx_u64(&x92, &x93, x91, x78, x4); - fiat_p25519_addcarryx_u64(&x94, &x95, x93, x80, 0x0); - fiat_p25519_mulx_u64(&x96, &x97, UINT8_C(0x26), x92); - fiat_p25519_mulx_u64(&x98, &x99, UINT8_C(0x26), x90); - fiat_p25519_mulx_u64(&x100, &x101, UINT8_C(0x26), x88); - fiat_p25519_addcarryx_u64(&x102, &x103, 0x0, x82, x98); - fiat_p25519_addcarryx_u64(&x104, &x105, x103, x84, x96); - fiat_p25519_mulx_u64(&x106, &x107, UINT8_C(0x26), x94); - fiat_p25519_addcarryx_u64(&x108, &x109, x105, x86, x106); - fiat_p25519_mulx_u64(&x110, &x111, UINT8_C(0x26), x94); - x112 = (x109 + x111); - fiat_p25519_addcarryx_u64(&x113, &x114, 0x0, x31, x100); - fiat_p25519_addcarryx_u64(&x115, &x116, x114, x102, x101); - fiat_p25519_addcarryx_u64(&x117, &x118, x116, x104, x99); - fiat_p25519_addcarryx_u64(&x119, &x120, x118, x108, x97); - x121 = (x120 + x112); - fiat_p25519_mulx_u64(&x122, &x123, UINT8_C(0x26), x121); - fiat_p25519_addcarryx_u64(&x124, &x125, 0x0, x113, x122); - fiat_p25519_addcarryx_u64(&x126, &x127, x125, x115, 0x0); - fiat_p25519_addcarryx_u64(&x128, &x129, x127, x117, 0x0); - fiat_p25519_addcarryx_u64(&x130, &x131, x129, x119, 0x0); - fiat_p25519_mulx_u64(&x132, &x133, UINT8_C(0x26), x131); - fiat_p25519_addcarryx_u64(&x134, &x135, 0x0, x124, x132); - fiat_p25519_addcarryx_u64(&x136, &x137, x135, 
x126, 0x0); - fiat_p25519_addcarryx_u64(&x138, &x139, x137, x128, 0x0); - fiat_p25519_addcarryx_u64(&x140, &x141, x139, x130, 0x0); - out1[0] = x134; - out1[1] = x136; - out1[2] = x138; - out1[3] = x140; -}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" - : string -Finished transaction in 25.313 secs (25.202u,0.107s) (successful) - *) - - End compile. - *) + (* Strategy -500 [Crypto.Arithmetic.Core.Positional.add_to_nth *) + (* Coq.Init.Datatypes.andb *) + (* Coq.ZArith.BinInt.Z.to_int *) + (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.dual_map *) + (* Coq.PArith.BinPos.Pos.to_uint *) + (* Coq.Init.Decimal.revapp *) + (* Coq.Init.Datatypes.nat_rect *) + (* Crypto.Arithmetic.Saturated.Rows.max_column_size *) + (* Crypto.Arithmetic.Saturated.Rows.sum_rows' *) + (* Crypto.Arithmetic.Core.Associational.split *) + (* Coq.PArith.BinPos.Pos.to_little_uint *) + (* Coq.Init.Nat.to_uint *) + (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.mulmod *) + (* Crypto.Arithmetic.ModOps.weight *) + (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.sat_reduce *) + (* Coq.Lists.List.tl *) + (* Crypto.Arithmetic.Saturated.Rows.adjust_s *) + (* Crypto.Arithmetic.Core.Positional.to_associational *) + (* Coq.Init.Nat.to_little_uint *) + (* Crypto.Arithmetic.Saturated.Columns.cons_to_nth *) + (* Crypto.Arithmetic.Saturated.Rows.extract_row *) + (* Crypto.Arithmetic.Saturated.Rows.from_columns *) + (* Crypto.Arithmetic.Saturated.Associational.sat_multerm_const *) + (* Coq.Init.Decimal.rev *) + (* Crypto.Arithmetic.Saturated.Associational.sat_mul *) + (* Crypto.Arithmetic.Saturated.Rows.from_columns' *) + (* Crypto.Arithmetic.Core.Positional.place *) + (* Crypto.Arithmetic.Core.Positional.zeros *) + (* Crypto.Arithmetic.Saturated.Rows.flatten' *) + (* Crypto.Arithmetic.Saturated.Rows.sum_rows *) + (* 
Crypto.Arithmetic.Saturated.Associational.sat_mul_const *) + (* Coq.Lists.List.hd *) + (* Crypto.Arithmetic.Saturated.Associational.sat_multerm *) + (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by *) + (* Crypto.Arithmetic.Saturated.Columns.nils *) + (* Coq.Init.Decimal.Little.succ *) + (* Crypto.Arithmetic.UniformWeight.uweight *) + (* Crypto.Arithmetic.Saturated.Rows.flatten *) + (* (* Rewriter.Util.LetIn.Let_In *) *) + (* Crypto.Arithmetic.Saturated.Rows.from_associational *) + (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.fold_andb_map' *) + (* Crypto.Arithmetic.Saturated.Columns.from_associational *) + (* Coq.Init.Decimal.Little.double]. *) + + + (* Section compile. *) + + (* Let s := 2^255. *) + (* Let c := [(1, 19)]. *) + (* Let machine_wordsize := 64. *) + (* Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). *) + (* Let m : nat := 2 * n. *) + (* Let w : nat -> Z := weight machine_wordsize 1. *) + (* Let base : Z := 2 ^ machine_wordsize. *) + + (* Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. *) + (* Let boundsn : list (ZRange.type.option.interp base.type.Z) *) + (* := repeat bound (n). *) + + (* Import Stringification.C.Compilers. *) + (* Import Stringification.C.Compilers.ToString. *) + + (* Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. *) + (* Local Instance : only_signed_opt := false. *) + (* Local Instance : no_select_opt := false. *) + (* Local Instance : static_opt := true. *) + (* Local Instance : internal_static_opt := true. *) + (* Local Instance : inline_opt := true. *) + (* Local Instance : inline_internal_opt := true. *) + (* Local Instance : use_mul_for_cmovznz_opt := false. *) + (* Local Instance : emit_primitives_opt := true. *) + (* Local Instance : should_split_mul_opt := false. *) + (* Local Instance : should_split_multiret_opt := false. *) + (* Local Instance : widen_carry_opt := false. *) + (* Local Instance : widen_bytes_opt := true. 
(* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) *) + + (* Let possible_values := prefix_with_carry [machine_wordsize]. *) + (* Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) *) + (* Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. *) + (* Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. *) + (* Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. *) + + (* Local Existing Instance default_low_level_rewriter_method. *) + (* Local Existing Instance AbstractInterpretation.default_Options. *) + (* Local Instance : unfold_value_barrier_opt := true. *) + (* Local Instance : assembly_hints_lines_opt := []. *) + (* Local Instance : ignore_unique_asm_names_opt := false. *) + (* Local Existing Instance default_language_naming_conventions. *) + (* Local Existing Instance default_documentation_options. *) + (* Local Instance : package_name_opt := None. *) + (* Local Instance : class_name_opt := None. *) + (* Local Existing Instance default_output_options. *) + + (* Let bounds := repeat bound n ++ [Some r[0 ~> (2^(machine_wordsize/4) - 1)]%zrange]. *) + + (* Time Compute *) + (* Show.show *) + (* (Pipeline.BoundsPipelineToString *) + (* "fiat_p25519_" "fiat_p25519_mul" *) + (* false *) + (* false *) + (* None *) + (* possible_values *) + (* machine_wordsize *) + (* ltac:(let n := (eval cbv in n) in *) + (* let r := Reify (reduce_full base s c n) in *) + (* exact r) *) + (* (fun _ _ => []) *) + (* (Some (repeat bound (2 * n)), tt) *) + (* (Some (repeat bound (n))) *) + (* (None, tt) *) + (* (None) *) + (* : Pipeline.ErrorT _). 
*) + + (* Time Compute *) + (* Show.show *) + (* (Pipeline.BoundsPipelineToString *) + (* "fiat_p25519_" "fiat_p25519_mul" *) + (* false *) + (* false *) + (* None *) + (* possible_values *) + (* machine_wordsize *) + (* ltac:(let n := (eval cbv in n) in *) + (* let r := Reify (mulmod' base s c n) in *) + (* exact r) *) + (* (fun _ _ => []) *) + (* (Some (repeat bound (n)), (Some (repeat bound n), tt)) *) + (* (Some (repeat bound (n))) *) + (* (None, (None, tt)) *) + (* (None) *) + (* : Pipeline.ErrorT _). *) + + (* End compile. *) End SolinasReduction. diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index 724c2f337c..4b351ad7f0 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v @@ -187,10 +187,10 @@ Section __. None (* fancy *) possible_values (reified_solmul_gen - @GallinaReify.Reify base - @GallinaReify.Reify s - @GallinaReify.Reify c - @GallinaReify.Reify n ) + @ GallinaReify.Reify base + @ GallinaReify.Reify s + @ GallinaReify.Reify c + @ GallinaReify.Reify n ) (Some boundsn, (Some boundsn, tt)) (Some boundsn). diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v index b2d63a4cb6..f1ac5b059a 100644 --- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v +++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v 
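Review bot: The -1847 hunk leaves well over a hundred lines of commented-out code at the end of `Module SolinasReduction`: a `Strategy -500 [...]` list that duplicates the live one in SolinasReductionReificationCache.v, and a `Section compile` with two `Time Compute` experiments. Commented-out code in a proof file rots silently because renamed constants are never checked (one entry, `Rewriter.Util.LetIn.Let_In`, is already double-commented), and the duplicated Strategy list will drift from the real one. Either delete the block or move the experiment into a separate example file that is actually built; if it must stay, a short comment at its top saying what it is for and that it is not maintained would at least set expectations.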
@@ -1,12 +1,23 @@ (** * Push-Button Synthesis of Solinas Reduction: Reification Cache *) Require Import Coq.QArith.QArith_base Coq.QArith.Qround. +Require Import Coq.Init.Nat. Require Import Coq.ZArith.ZArith. +Require Import Coq.ZArith.BinInt. Require Import Coq.derive.Derive. Require Import Crypto.Arithmetic.Core. Require Import Crypto.Arithmetic.ModOps. Require Import Crypto.Arithmetic.Saturated. Require Import Crypto.Arithmetic.SolinasReduction. Require Import Crypto.PushButtonSynthesis.ReificationCache. + +Require Import Crypto.Language.IdentifierParameters. +Require Import Coq.Strings.String. +Require Import Coq.ZArith.ZArith. +Require Import Crypto.Util.ListUtil Coq.Lists.List. +Require Import Crypto.Util.ZRange. +Require Import Crypto.Util.ZUtil.Definitions. +Require Import Crypto.Language.PreExtra. + Local Open Scope Z_scope. Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) 
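Review bot: The added block in the `-1` hunk requires `Coq.ZArith.ZArith` a second time (it is already required a few lines above in the same header), and `Coq.ZArith.BinInt` is re-exported by `Coq.ZArith.ZArith`, so both `+Require Import Coq.ZArith.ZArith.` and `+Require Import Coq.ZArith.BinInt.` are redundant and can be dropped. The new requires of `Crypto.Language.IdentifierParameters`, `Crypto.Language.PreExtra` and `Crypto.Util.ZUtil.Definitions` in a reification-cache file look like they exist only to resolve the identifier names used by the commented-out debugging block in the following hunk; if so they should be removed together with it, otherwise a short comment saying what they are needed for would help.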
@@ -16,62 +27,154 @@ Import Language.Wf.Compilers. Import SolinasReduction.SolinasReduction. -Strategy -500 [Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by - Crypto.Arithmetic.Saturated.Columns.cons_to_nth - Coq.ZArith.BinInt.Z.to_hex_int - Crypto.Arithmetic.Saturated.Rows.extract_row - Crypto.Arithmetic.Saturated.Associational.sat_multerm - Crypto.Arithmetic.Saturated.Rows.flatten' - Coq.Init.Nat.to_hex_uint +(* Set Debug Cbv. *) +(* Eval cbv delta -[ident.literal *) +(* (* ident.comment *) *) +(* (* ident.comment_no_keep *) *) +(* Z.value_barrier *) +(* Nat.succ *) +(* Nat.pred *) +(* Nat.max *) +(* Nat.mul *) +(* Nat.add *) +(* Nat.sub *) +(* Nat.eqb *) +(* (* Datatypes.nil *) *) +(* (* Datatypes.cons *) *) +(* (* Datatypes.tt *) *) +(* (* Datatypes.pair *) *) +(* Datatypes.fst *) +(* Datatypes.snd *) +(* prod_rect_nodep *) +(* Thunked.bool_rect *) +(* bool_rect_nodep *) +(* Thunked.nat_rect *) +(* Thunked.nat_rect *) +(* nat_rect_arrow_nodep *) +(* nat_rect_arrow_nodep *) +(* Thunked.list_rect *) +(* Thunked.list_rect *) +(* list_rect_arrow_nodep *) +(* list_rect_arrow_nodep *) +(* Thunked.list_case *) +(* List.length *) +(* List.seq *) +(* List.firstn *) +(* List.skipn *) +(* repeat *) +(* List.combine *) +(* List.map *) +(* List.app *) +(* List.rev *) +(* List.flat_map *) +(* List.partition *) +(* List.fold_right *) +(* update_nth *) +(* nth_default *) +(* nth_default *) +(* Z.add *) +(* Z.mul *) +(* Z.pow *) +(* Z.sub *) +(* Z.opp *) +(* Z.div *) +(* Z.modulo *) +(* Z.eqb *) +(* Z.leb *) +(* Z.ltb *) +(* Z.geb *) +(* Z.gtb *) +(* Z.log2 *) +(* Z.log2_up *) +(* Z.of_nat *) +(* Z.to_nat *) +(* Z.shiftr *) +(* Z.shiftl *) +(* Z.land *) +(* Z.lor *) +(* Z.min *) +(* Z.max *) +(* Z.mul_split *) +(* Z.mul_high *) +(* Z.add_get_carry_full *) +(* Z.add_with_carry *) +(* Z.add_with_get_carry_full *) +(* Z.sub_get_borrow_full *) +(* Z.sub_with_get_borrow_full *) +(* Z.ltz *) +(* Z.zselect *) +(* Z.add_modulo *) +(* Z.truncating_shiftl *) +(* Z.bneg 
*) +(* Z.lnot_modulo *) +(* Z.lxor *) +(* Z.rshi *) +(* Z.cc_m *) +(* Z.combine_at_bitwidth *) +(* (* ident.cast *) *) +(* (* ident.cast2 *) *) +(* (* Datatypes.Some *) *) +(* (* Datatypes.None *) *) +(* Thunked.option_rect *) +(* (* ZRange.Build_zrange *) *) +(* ZRange.zrange_rect_nodep *) +(* ident.fancy.add *) +(* ident.fancy.addc *) +(* ident.fancy.sub *) +(* ident.fancy.subb *) +(* ident.fancy.mulll *) +(* ident.fancy.mullh *) +(* ident.fancy.mulhl *) +(* ident.fancy.mulhh *) +(* ident.fancy.rshi *) +(* ident.fancy.selc *) +(* ident.fancy.selm *) +(* ident.fancy.sell *) +(* ident.fancy.addm] in SolinasReduction.mulmod. *) + +Strategy -500 [Crypto.Arithmetic.Core.Positional.add_to_nth + Coq.Init.Datatypes.andb Coq.ZArith.BinInt.Z.to_int - Coq.Init.Nat.to_little_hex_uint - Crypto.Arithmetic.Saturated.Rows.from_columns - Crypto.Arithmetic.Saturated.Rows.adjust_s - Crypto.Arithmetic.SolinasReduction.SolinasReduction.fold_andb_map' - Coq.Init.Nat.to_uint + Crypto.Arithmetic.SolinasReduction.SolinasReduction.dual_map + Coq.PArith.BinPos.Pos.to_uint + Coq.Init.Decimal.revapp + Coq.Init.Datatypes.nat_rect + Crypto.Arithmetic.Saturated.Rows.max_column_size + Crypto.Arithmetic.Saturated.Rows.sum_rows' Crypto.Arithmetic.Core.Associational.split - Coq.Init.Decimal.rev - Coq.Init.Hexadecimal.revapp - Crypto.Arithmetic.Saturated.Columns.from_associational - Crypto.Arithmetic.SolinasReduction.SolinasReduction.sat_reduce - Coq.Init.Datatypes.andb - Coq.PArith.BinPos.Pos.to_little_hex_uint Coq.PArith.BinPos.Pos.to_little_uint + Coq.Init.Nat.to_uint Crypto.Arithmetic.SolinasReduction.SolinasReduction.mulmod - Coq.Init.Decimal.Little.double + Crypto.Arithmetic.ModOps.weight + Crypto.Arithmetic.SolinasReduction.SolinasReduction.sat_reduce Coq.Lists.List.tl - Crypto.Arithmetic.Core.Positional.place - Crypto.Arithmetic.Saturated.Rows.sum_rows' - Crypto.Arithmetic.Core.Positional.add_to_nth - Coq.Init.Decimal.Little.succ + Crypto.Arithmetic.Saturated.Rows.adjust_s 
Crypto.Arithmetic.Core.Positional.to_associational - Coq.Init.Nat.to_num_uint - Coq.Init.Hexadecimal.Little.succ - Coq.Init.Nat.to_num_hex_uint - Crypto.Arithmetic.SolinasReduction.SolinasReduction.dual_map - Crypto.Arithmetic.Saturated.Rows.from_columns' - Coq.Init.Hexadecimal.Little.double - Crypto.Arithmetic.UniformWeight.uweight - Crypto.Arithmetic.Saturated.Associational.sat_mul - Coq.Init.Datatypes.nat_rect Coq.Init.Nat.to_little_uint + Crypto.Arithmetic.Saturated.Columns.cons_to_nth + Crypto.Arithmetic.Saturated.Rows.extract_row + Crypto.Arithmetic.Saturated.Rows.from_columns Crypto.Arithmetic.Saturated.Associational.sat_multerm_const - Crypto.Arithmetic.Saturated.Columns.nils - Crypto.Arithmetic.Saturated.Rows.max_column_size + Coq.Init.Decimal.rev + Crypto.Arithmetic.Saturated.Associational.sat_mul + Crypto.Arithmetic.Saturated.Rows.from_columns' + Crypto.Arithmetic.Core.Positional.place + Crypto.Arithmetic.Core.Positional.zeros + Crypto.Arithmetic.Saturated.Rows.flatten' Crypto.Arithmetic.Saturated.Rows.sum_rows - Crypto.Arithmetic.ModOps.weight - Coq.Init.Decimal.revapp Crypto.Arithmetic.Saturated.Associational.sat_mul_const Coq.Lists.List.hd - Coq.ZArith.BinInt.Z.to_num_int + Crypto.Arithmetic.Saturated.Associational.sat_multerm + Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by + Crypto.Arithmetic.Saturated.Columns.nils + Coq.Init.Decimal.Little.succ + Crypto.Arithmetic.UniformWeight.uweight + Crypto.Arithmetic.Saturated.Rows.flatten + (* Rewriter.Util.LetIn.Let_In *) Crypto.Arithmetic.Saturated.Rows.from_associational - Coq.PArith.BinPos.Pos.to_uint - Rewriter.Util.LetIn.Let_In - Crypto.Arithmetic.Core.Positional.zeros - Coq.PArith.BinPos.Pos.to_hex_uint - Coq.ZArith.BinInt.Z.to_num_hex_int - Coq.Init.Hexadecimal.rev - Crypto.Arithmetic.Saturated.Rows.flatten]. + Crypto.Arithmetic.SolinasReduction.SolinasReduction.fold_andb_map' + Crypto.Arithmetic.Saturated.Columns.from_associational + Coq.Init.Decimal.Little.double]. 
Derive reified_solmul_gen SuchThat (is_reification_of reified_solmul_gen mulmod) From 0a3b5d57ace823f9891ab744cb2cfae5496e6f5b Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Thu, 25 Aug 2022 16:34:38 -0400 Subject: [PATCH 43/69] restoring rewrite rule that should have been kept --- src/CLI.v | 2 +- src/PushButtonSynthesis/SolinasReduction.v | 21 ++++++++++++++++----- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/src/CLI.v b/src/CLI.v index db8b9abc03..b27fa25076 100644 --- a/src/CLI.v +++ b/src/CLI.v @@ -1138,7 +1138,7 @@ Module ForExtraction. Synthesize := fun _ opts '(s, c, requests) comment_header prefix - => SolinasReduction.Synthesize s c comment_header prefix requests + => SolinasReduction.Synthesize s c machine_wordsize comment_header prefix requests }. Definition PipelineMain diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index 4b351ad7f0..b01975a88f 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v @@ -89,7 +89,7 @@ Section __. {error_on_unused_assembly_functions : error_on_unused_assembly_functions_opt} (s : Z) (c : list (Z * Z)). - Context (machine_wordsize := 64). + Context (machine_wordsize : machine_wordsize_opt). Local Existing Instance widen_bytes. @@ -122,10 +122,11 @@ Section __. (fun v => (true, v)) [((0 0 /\ Associational.eval c > 0 /\ s - Associational.eval c <> 0 /\ + machine_wordsize = 64 /\ base <> 0 /\ Rows.adjust_s weight (S (S n)) s = (weight n, true) /\ weight n / s * Associational.eval c < up_bound. @@ -155,8 +157,9 @@ Section __. prepare_use_curve_good (). { use_curve_good_t. } { use_curve_good_t. } + { use_curve_good_t. } { unfold base. - use_curve_good_t. } + apply Z.pow_nonzero; use_curve_good_t. } { lazymatch goal with | |- ?x = _ => rewrite surjective_pairing with (p:=x) end. 
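Review bot: Roughly a hundred lines of commented-out `(* Set Debug Cbv. *)` / `(* Eval cbv delta -[ ... ] in SolinasReduction.mulmod. *)` debugging scaffolding are committed at the top of the `-16` hunk, between `Import SolinasReduction.SolinasReduction.` and the reworked `Strategy -500 [...]` declaration. A dead tactic script of that size hides the real change and will drift out of sync with the identifier set as the project evolves; delete it (history keeps it) rather than ship it in the cache file. Inside the new `Strategy` list the entry `(* Rewriter.Util.LetIn.Let_In *)` is left as a comment with no explanation; if excluding `Let_In` from the `-500` level is deliberate, state the reason there, e.g. `(* Let_In intentionally left at default strategy level *)`, otherwise drop the line.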
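Review bot: The added conjunct `machine_wordsize = 64 /\` in the curve-goodness predicate of the `-122` hunk pins the word size to 64 even though the same commit turns `machine_wordsize` into a free `Context (machine_wordsize : machine_wordsize_opt)` parameter (the `-89` hunk) and threads it through from `CLI.v`. Any other word size chosen at the command line will presumably fail the `use_curve_good` check at synthesis time with no indication of why, so the restriction should be visible at the definition, e.g. `(* The SolinasReduction correctness proof is only established for a 64-bit word size. *)` next to the conjunct, and ideally reported as a dedicated error string by the check. The commit title ("restoring rewrite rule that should have been kept") also does not describe this change, which makes the history harder to follow.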
@@ -168,11 +171,12 @@ Section __. Qed. Local Notation evalf := (eval weight n). + Local Notation weightf := weight. Local Notation notations_for_docstring := (CorrectnessStringification.dyn_context.cons evalf "evalf" (CorrectnessStringification.dyn_context.cons - weight "weight" + weightf "weightf" CorrectnessStringification.dyn_context.nil))%string. Local Notation "'docstring_with_summary_from_lemma!' summary correctness" := (docstring_with_summary_from_lemma_with_ctx! @@ -215,7 +219,14 @@ Section __. Lemma mulmod_correct res (Hres : mulmod = Success res) : mulmod_correct weight n m boundsn (Interp res). - Proof using curve_good. prove_correctness (). Qed. + Proof using curve_good. + prove_correctness (). + cbv [evalf weightf weight up_bound] in *. + match goal with + | H : machine_wordsize = _ |- _ => rewrite H in * + end. + apply (fun pf => @SolinasReduction.SolinasReduction.mulmod_correct (@wprops _ _ pf)); auto; lia. + Qed. Lemma Wf_mulmod res (Hres : mulmod = Success res) : Wf res. Proof using Type. prove_pipeline_wf (). Qed. From 8efdbb72eb78d26e00811cd17bb1aef035f9dc33 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Wed, 24 Aug 2022 20:37:29 -0400 Subject: [PATCH 44/69] slight change to account for v8.15's more capable lia --- src/Arithmetic/SolinasReduction.v | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index c7b20a7379..628459acfe 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -1329,9 +1329,7 @@ Module SolinasReduction. push. rewrite <-Z_div_mod_eq_full. reflexivity. - push. - push. - push. + all: push. Qed. Lemma eval_seq_start : forall a b p, From 4814d86b6c8ca23a62c27ccb2a84bd96980854c4 Mon Sep 17 00:00:00 2001 From: Jason Gross Date: Fri, 7 Oct 2022 00:01:48 +0530 Subject: [PATCH 45/69] Fix for rebase --- src/Arithmetic/SolinasReduction.v | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
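Review bot: The new `mulmod_correct` proof in the `-215` hunk locates the word-size hypothesis with `match goal with | H : machine_wordsize = _ |- _ => rewrite H in * end`, which silently depends on `prove_correctness ()` leaving exactly one hypothesis of that shape in the context; if the tactic library changes, the breakage will surface here as an unrelated `lia` failure. Naming the hypothesis where it is introduced, or destructuring the `curve_good` assumption explicitly, would make the dependency visible. The closing `apply (fun pf => ... (@wprops _ _ pf)); auto; lia.` also gives no indication of which side goals `auto` and `lia` are expected to close; a short comment such as `(* remaining goals: wprops side conditions, then the bound arithmetic *)` would help, though I cannot see the goal state from the hunk.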
diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index 628459acfe..c2b4acb000 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -1017,7 +1017,7 @@ Module SolinasReduction. specialize (IHl1 ltac:(auto)); specialize (H a ltac:(auto)); repeat multimatch goal with - | H : context[_ =? _] |- _ => rewrite DecidableClass.Decidable_eq_Z_obligation_1 in H + (*| H : context[_ =? _] |- _ => rewrite DecidableClass.Decidable_eq_Z_obligation_1 in H*) | |- context[_ mod _] => rewrite Z.mod_small | _ => rewrite IHl1 | _ => push From 2bff9bdd0843015c80c88c4e7fe5818ff84688d7 Mon Sep 17 00:00:00 2001 From: Jason Gross Date: Thu, 6 Oct 2022 23:55:59 +0530 Subject: [PATCH 46/69] [OPTIONAL] Set Suggest Proof Using --- src/Arithmetic/SolinasReduction.v | 104 +++++++++++++++--------------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index c2b4acb000..2a1c5d01f1 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -115,15 +115,15 @@ Module SolinasReduction. Lemma S_sub_1 : forall (n : nat), (n > 0)%nat -> S (n - 1)%nat = n. - Proof. lia. Qed. + Proof using Type. lia. Qed. Hint Rewrite S_sub_1 using lia : const_simpl. Lemma Sn_sub_n : forall (n : nat), (S n - n)%nat = 1%nat. - Proof. lia. Qed. + Proof using Type. lia. Qed. Hint Rewrite Sn_sub_n : const_simpl. Lemma n2_sub : forall (n : nat), (2 * n - n)%nat = n. - Proof. lia. Qed. + Proof using Type. lia. Qed. Hint Rewrite n2_sub : const_simpl. Ltac const_simpl := autorewrite with const_simpl in *. 
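Review bot: The `-1017` hunk disables the `rewrite DecidableClass.Decidable_eq_Z_obligation_1` branch of the `repeat multimatch` by commenting it out rather than deleting it, and records no reason; the commit title "Fix for rebase" suggests the lemma no longer applies after the rebase, but that is not visible in the file. Either delete the line outright or replace it with a one-line comment such as `(* Decidable_eq_Z_obligation_1 rewrite no longer needed after rebase *)`, adjusting the wording to the actual cause. The enclosing proof starts and ends outside the hunk.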
@@ -172,14 +172,14 @@ Module SolinasReduction. Lemma seq_double : forall n, seq 0 (2 * n) = seq 0 n ++ seq n n. - Proof. + Proof using Type. intros n; replace (2*n)%nat with (n+n)%nat; push; lia. Qed. Hint Rewrite seq_double : push_misc. Lemma map_weight_seq : forall m p, map weight (seq 0 p) = map (fun t => t / (weight m)) (map weight (seq m p)). - Proof. + Proof using wprops. induction m as [| m IHm]; intros; push. erewrite map_ext. eauto. @@ -204,7 +204,7 @@ Module SolinasReduction. Lemma seq_shift_1 : forall len, map S (seq 0 len) = seq 1 len. - Proof. + Proof using Type. intros. apply seq_shift. Qed. @@ -281,7 +281,7 @@ Module SolinasReduction. Lemma canonical_cons n a p: canonical_repr (S n) (a :: p) -> canonical_repr n p. - Proof. + Proof using wprops. intros. rewrite canonical_iff in *. intuition; @@ -299,7 +299,7 @@ Module SolinasReduction. n = (n1 + n2)%nat -> l = l1 ++ l2 -> canonical_repr n1 l1. - Proof. + Proof using wprops. intros. rewrite canonical_iff in *; intuition; repeat multimatch goal with @@ -317,7 +317,7 @@ Module SolinasReduction. n = (n1 + n2)%nat -> l = l1 ++ l2 -> canonical_repr n2 l2. - Proof. + Proof using wprops. intros. rewrite canonical_iff in *; intuition; repeat multimatch goal with @@ -330,7 +330,7 @@ Module SolinasReduction. Lemma fold_right_add : forall l x, fold_right Z.add x l = x + fold_right Z.add 0 l. - Proof. + Proof using Type. intros l x. induction l as [ | l' IHl ]; cbn; try rewrite IHl; lia. Qed. @@ -341,7 +341,7 @@ Module SolinasReduction. Lemma eval_weight_S' : forall p, eval_weight_P p. - Proof. + Proof using Type. apply (ListAux.list_length_induction Z). unfold eval_weight_P. intros l1 H n. @@ -387,7 +387,7 @@ Module SolinasReduction. Lemma eval_weight_S p n: eval (fun i : nat => weight (S i)) n p = (eval weight n p) * weight 1. - Proof. + Proof using Type. cbv [eval to_associational]. rewrite eval_weight_S'. lia. 
@@ -397,7 +397,7 @@ Module SolinasReduction. Lemma eval_weight_S_gen p a b : Associational.eval (combine (map (fun x0 : nat => weight (S x0)) (seq a b)) p) = weight 1 * Associational.eval (combine (map weight (seq a b)) p). - Proof. + Proof using Type. apply eval_weight_S'. Qed. Hint Rewrite eval_weight_S_gen : push_eval. @@ -405,7 +405,7 @@ Module SolinasReduction. Lemma canonical_eval_bounded n : forall (p : list Z), canonical_repr n p -> eval weight n p < weight n. - Proof. + Proof using wprops. intros p. generalize dependent n. induction p; intros; destruct n; @@ -450,7 +450,7 @@ Module SolinasReduction. canonical_repr n p <-> length p = n /\ is_bounded_by (repeat (0, 2^machine_wordsize-1) n) p = true. - Proof. + Proof using wprops. intros. rewrite canonical_iff. repeat autounfold. @@ -511,7 +511,7 @@ Module SolinasReduction. Lemma eval_is_bounded_by n : forall p, is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> 0 <= eval weight n p < weight n. - Proof. + Proof using wprops. intros. split. apply eval_is_bounded_by_pos; auto. @@ -542,7 +542,7 @@ Module SolinasReduction. Lemma is_bounded_by_cons1 : forall b bounds p' p, is_bounded_by (b :: bounds) (p' :: p) = true -> is_bounded_by bounds p = true. - Proof. + Proof using Type. intros; repeat autounfold in *; match goal with | H : _ |- _ => push' H end. Qed. Hint Resolve is_bounded_by_cons1 : ibb. @@ -550,7 +550,7 @@ Module SolinasReduction. Lemma is_bounded_by_cons2 : forall b bounds p' p, is_bounded_by (b :: bounds) (p' :: p) = true -> fst b <= p' <= snd b. - Proof. + Proof using Type. intros; repeat autounfold in *; match goal with | H : _ |- _ => push' H end. Qed. Hint Resolve is_bounded_by_cons2 : ibb. 
@@ -559,7 +559,7 @@ Module SolinasReduction. is_bounded_by (b :: bounds) (p' :: p) = true -> is_bounded_by bounds p = true /\ fst b <= p' <= snd b. - Proof. + Proof using Type. intros; repeat autounfold in *; match goal with | H : _ |- _ => push' H end. Qed. Hint Resolve is_bounded_by_cons : ibb. @@ -569,7 +569,7 @@ Module SolinasReduction. (n < length p)%nat -> (n < length bounds)%nat -> fst (nth_default (0,0) bounds n) <= nth_default 0 p n <= snd (nth_default (0,0) bounds n). - Proof. + Proof using Type. intros. generalize dependent n. generalize dependent p. @@ -590,7 +590,7 @@ Module SolinasReduction. is_bounded_by (bound1 ++ bound2) (l1 ++ l2) = true -> length bound1 = length l1 -> is_bounded_by bound1 l1 = true. - Proof. + Proof using Type. intros b1 b2 l1 l2 H H1. generalize dependent b1. generalize dependent b2. @@ -613,7 +613,7 @@ Module SolinasReduction. Lemma fold_right_andb_default : forall d l, fold_right andb d l = true -> d = true. - Proof. + Proof using Type. intros; induction l; repeat multimatch goal with | H : context[fold_right _ _ _] |- _ => push' H @@ -625,7 +625,7 @@ Module SolinasReduction. is_bounded_by (bound1 ++ bound2) (l1 ++ l2) = true -> length bound1 = length l1 -> is_bounded_by bound2 l2 = true. - Proof. + Proof using Type. intros b1 b2 l1 l2 H H1. generalize dependent b1. generalize dependent b2. @@ -650,7 +650,7 @@ Module SolinasReduction. is_bounded_by bound1 l = true -> fold_andb_map' (fun x y => (fst y <=? fst x) && (snd x <=? snd y)) bound1 bound2 = true -> is_bounded_by bound2 l = true. - Proof. + Proof using Type. intros. generalize dependent bound1. generalize dependent bound2. @@ -673,7 +673,7 @@ Module SolinasReduction. Lemma bounds_same : forall b, fold_andb_map' (fun x y => (fst y <=? fst x) && (snd x <=? snd y)) b b = true. - Proof. + Proof using Type. intros. repeat autounfold. induction b; 
@@ -811,7 +811,7 @@ Module SolinasReduction. Lemma adjust_s_finished' fuel s w (s_nz:s<>0) : Rows.adjust_s weight fuel s = (w, true) -> Rows.adjust_s weight (S fuel) s = (w, true). - Proof. + Proof using Type. cbv [Rows.adjust_s]. rewrite !fold_right_map. replace (rev (seq 0 (S fuel))) with (fuel :: rev (seq 0 fuel)). @@ -829,7 +829,7 @@ Module SolinasReduction. (fuel' > fuel)%nat -> Saturated.Rows.adjust_s weight fuel s = (w, true) -> Saturated.Rows.adjust_s weight fuel' s = (w, true). - Proof. + Proof using Type. induction 1; intros; apply adjust_s_finished'; auto. Qed. @@ -920,7 +920,7 @@ Module SolinasReduction. Lemma reduce1_cps_ok {T} base s c n m (f : list Z -> T) : forall p, reduce1_cps base s c n m p f = f (reduce1 base s c n m p). - Proof. + Proof using Type. intros. cbv [reduce1 reduce1_cps]. break_match; reflexivity. @@ -942,7 +942,7 @@ Module SolinasReduction. Lemma reduce_full_cps_ok {T} base s c n (f : list Z -> T) : forall p, reduce_full_cps base s c n p f = f (reduce_full base s c n p). - Proof. + Proof using Type. intros. cbv [reduce_full reduce_full_cps]. repeat (rewrite reduce1_cps_ok || reflexivity || break_match). @@ -962,7 +962,7 @@ Module SolinasReduction. Lemma mul_no_reduce_cps_ok {T} base n (f : list Z -> T) : forall p q, mul_no_reduce_cps base n p q f = f (mul_no_reduce base n p q). - Proof. + Proof using Type. intros. cbv [mul_no_reduce mul_no_reduce_cps]. break_match; reflexivity. @@ -974,7 +974,7 @@ Module SolinasReduction. Lemma mulmod_cps_ok {T} base s c n (f : list Z -> T) : forall p q, mulmod_cps base s c n p q f = f (mulmod' base s c n p q). - Proof. + Proof using Type. intros. cbv [mulmod' mulmod_cps]. rewrite mul_no_reduce_cps_ok, reduce_full_cps_ok. @@ -987,7 +987,7 @@ Module SolinasReduction. Lemma mulmod_unfold base s c n : forall p q, mulmod' base s c n p q = mulmod_cps base s c n p q id. - Proof. + Proof using Type. intros. rewrite mulmod_cps_ok. reflexivity. 
@@ -995,7 +995,7 @@ Module SolinasReduction. Lemma mulmod_cps_conv base s c n : forall p q, mulmod base s c n p q = mulmod' base s c n p q. - Proof. + Proof using Type. intros. rewrite mulmod_unfold. reflexivity. @@ -1007,7 +1007,7 @@ Module SolinasReduction. Lemma split_lt w l1 l2: (forall x, In x l1 -> 0 < x < w) -> split w (combine l1 l2) = (combine l1 l2, []). - Proof. + Proof using Type. intros H. generalize dependent l2. induction l1; intros; destruct l2; push; @@ -1031,7 +1031,7 @@ Module SolinasReduction. Lemma split_gt w l1 l2: (forall x, In x l1 -> x mod w = 0) -> split w (combine l1 l2) = ([], combine (map (fun t => t / w) l1) l2). - Proof. + Proof using Type. intros H. generalize dependent l2. induction l1; intros; destruct l2; push; @@ -1054,7 +1054,7 @@ Module SolinasReduction. Lemma weight_mono' x : weight x < weight (S x). - Proof. + Proof using Type. weight_comp. rewrite Zred_factor0 at 1. rewrite Z.mul_comm. @@ -1066,7 +1066,7 @@ Module SolinasReduction. Lemma weight_mono'' x1 x2 : (x2 > 0)%nat -> weight x1 < weight (x2 + x1). - Proof. + Proof using Type. intros H. induction H; repeat match goal with @@ -1079,7 +1079,7 @@ Module SolinasReduction. Lemma weight_mono x1 x2 : (x1 < x2)%nat -> weight x1 < weight x2. - Proof. + Proof using Type. intros. replace x2%nat with ((x2 - x1) + x1)%nat by lia. apply weight_mono''; lia. @@ -1088,7 +1088,7 @@ Module SolinasReduction. Lemma weight_mono_le x1 x2 : (x1 <= x2)%nat -> weight x1 <= weight x2. - Proof. + Proof using Type. intros H. apply le_lt_or_eq in H. intuition. @@ -1099,7 +1099,7 @@ Module SolinasReduction. Lemma map_seq_start : forall a b, map weight (seq a b) = map (fun t => t * weight a) (map weight (seq 0 b)). - Proof. + Proof using Type. intros a b. induction b; repeat multimatch goal with @@ -1117,7 +1117,7 @@ Module SolinasReduction. Lemma weight_dif_mono' : forall n, weight (S n) - weight n < weight (S (S n)) - weight (S n). - Proof. + Proof using Type. intros. induction n. weight_comp; lia. 
@@ -1133,7 +1133,7 @@ Module SolinasReduction. Lemma weight_dif_mono : forall n m, (n < m)%nat -> weight (S n) - weight n < weight (S m) - weight m. - Proof. + Proof using Type. intros n m H. induction H; repeat multimatch goal with @@ -1202,7 +1202,7 @@ Module SolinasReduction. Theorem length_mul_no_reduce : forall p q, length (mul_no_reduce base n p q) = (2 * n)%nat. - Proof. + Proof using base_nz n_gt_1 wprops. intros; unfold mul_no_reduce; break_match; push. Qed. Hint Rewrite length_mul_no_reduce : push_length. @@ -1264,7 +1264,7 @@ Module SolinasReduction. split (weight n) (combine (map weight (seq 0 m1)) p) = (combine (map weight (seq 0 n)) (firstn n p), (combine (map weight (seq 0 (m1 - n))) (skipn n p))). - Proof. + Proof using n_gt_1 wprops. intros. replace m1 with (n + (m1 - n))%nat at 1 by lia. rewrite <-(firstn_skipn n p) at 1. @@ -1402,7 +1402,7 @@ Module SolinasReduction. length p = (2 * n)%nat -> is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) (2 * n)) p = true-> canonical_repr (S n) (reduce1 base s c (2*n) (S n) p). - Proof. + Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. intros p Hlen H. cbv [reduce1 canonical_repr]. rewrite H. @@ -1446,7 +1446,7 @@ Module SolinasReduction. Lemma reduce_second_canonical : forall p, canonical_repr (S n) p -> canonical_repr (S n) (reduce1 base s c (S n) (S n) p). - Proof. + Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. intros. cbv [canonical_repr]. push. @@ -1489,7 +1489,7 @@ Module SolinasReduction. let q := reduce1 base s c (S n) (S n) p in (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1) \/ nth_default 0 q n = 0. - Proof. + Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. intros. pose proof (reduce_second_canonical p ltac:(auto)) as Hcanonq. fold q in Hcanonq. 
@@ -1644,7 +1644,7 @@ Module SolinasReduction. let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in let coef := Associational.sat_mul_const base [(1, s'/s)] c in eval weight n q = Associational.eval coef * (nth_default 0 p n) + eval weight n (firstn n p). - Proof. + Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. intros p ? ? Hbounds ? ? ?. pose proof (firstn_skipn n p) as Hp; symmetry in Hp. canonical_app p. @@ -1717,7 +1717,7 @@ Module SolinasReduction. nth_default 0 p n = 0) -> (Positional.eval weight (S n) p) mod (s - Associational.eval c) = (Positional.eval weight n q) mod (s - Associational.eval c). - Proof. + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. intros. pose proof (firstn_skipn n p) as Hp; symmetry in Hp. rewrite Hp at 1. @@ -1763,7 +1763,7 @@ Module SolinasReduction. let r := reduce_full base s c n p in (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) = (Positional.eval weight n r) mod (s - Associational.eval c). - Proof. + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. intros; cbv [r reduce_full]; break_match. (* bounds are good *) pose proof (is_bounded_by_nth n _ _ Heqb ltac:(push) ltac:(push)) as Hnth. @@ -1845,7 +1845,7 @@ Module SolinasReduction. Theorem mulmod'_correct : forall p q, Positional.eval weight n (mulmod' base s c n p q) mod (s - Associational.eval c) = (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). - Proof. + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. intros. cbv [mulmod']. rewrite <-reduce_full_correct; push; lia. 
@@ -1854,7 +1854,7 @@ Module SolinasReduction. Theorem mulmod_correct : forall p q, Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) = (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). - Proof. + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. intros. rewrite mulmod_cps_conv. apply mulmod'_correct. From 7c2313571756864725489b40a055a4a7ffe193ad Mon Sep 17 00:00:00 2001 From: Jason Gross Date: Sat, 15 Oct 2022 12:01:13 +0530 Subject: [PATCH 47/69] Remove bad dependencies Fixup requires Fix imports --- src/Arithmetic/SolinasReduction.v | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index 2a1c5d01f1..e4c3aaa2ca 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -10,10 +10,15 @@ Require Import Crypto.Arithmetic.ModOps. Require Import Crypto.Arithmetic.Partition. Require Import Crypto.Arithmetic.UniformWeight. Require Import Crypto.Arithmetic.Saturated. +Require Import Crypto.Util.ListUtil.StdlibCompat. +(* Require Crypto.Stringification.C. Require Crypto.Stringification.Go. Require Crypto.Stringification.Java. Require Import Crypto.BoundsPipeline. + *) +Require Coq.btauto.Btauto. +Require Coq.Structures.OrdersEx. Require Import Crypto.Util.ZUtil.ModInv. Require Import Coq.micromega.Lia. @@ -45,13 +50,14 @@ Local Open Scope string_scope. Local Open Scope list_scope. Import ListNotations. Local Open Scope Z_scope. +(* Import AbstractInterpretation.Compilers Language.Compilers Language.API.Compilers. Import Language.API.Compilers.API. - +*) Import Associational Positional. Local Coercion Z.of_nat : nat >-> Z. 
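Review bot: The `-10` hunk of the "Remove bad dependencies" commit keeps the removed `Require Crypto.Stringification.C/Go/Java` and `Require Import Crypto.BoundsPipeline.` lines as a `(* ... *)` block instead of deleting them, and the `-45` hunk does the same with the `Import AbstractInterpretation.Compilers ...` block; leaving them commented keeps the arithmetic file visually tied to the pipeline and invites someone to un-comment them. Delete both blocks outright, since git history preserves them. The two new bare `Require Coq.btauto.Btauto.` / `Require Coq.Structures.OrdersEx.` lines have no `Import`, which is fine for qualified use but worth a comment such as `(* loaded for qualified use only *)` so a later cleanup pass does not drop them as unused.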
@@ -1309,7 +1315,7 @@ Module SolinasReduction. push. rewrite <-(firstn_skipn n p) in Heqb. replace m1 with (n + (m1 - n))%nat in Heqb by lia. - rewrite StdlibCompat.List.repeat_app in Heqb. + rewrite List.repeat_app in Heqb. solve_ineq. solve_ibb. solve_ibb. @@ -1418,7 +1424,7 @@ Module SolinasReduction. rewrite <-(firstn_skipn n p) in H. replace (2*n-n)%nat with n by lia. replace (2 * n)%nat with (n + n)%nat in H by lia. - rewrite StdlibCompat.List.repeat_app in H. + rewrite List.repeat_app in H. solve_ineq. solve_ibb. @@ -1806,7 +1812,7 @@ Module SolinasReduction. weight_comp; cbn; break_match; lia. cbn; const_simpl; lia. replace (S n) with (n+1)%nat. - rewrite StdlibCompat.List.repeat_app. + rewrite List.repeat_app. repeat autounfold. push. cbn. From fb31932d6dee0b041f11c153c68e9a89e1faf568 Mon Sep 17 00:00:00 2001 From: Jason Gross Date: Sat, 15 Oct 2022 08:26:22 +0530 Subject: [PATCH 48/69] Update generated files Update generated Adjust generated Regenerate Regenerate --- fiat-bedrock2/src/curve25519_solinas_64.c.tmp | 261 ++++++++++++++++-- fiat-zig/src/curve25519_solinas_64.zig | 1 + 2 files changed, 240 insertions(+), 22 deletions(-) diff --git a/fiat-bedrock2/src/curve25519_solinas_64.c.tmp b/fiat-bedrock2/src/curve25519_solinas_64.c.tmp index 3efd3d1128..f50ff121a1 100644 --- a/fiat-bedrock2/src/curve25519_solinas_64.c.tmp +++ b/fiat-bedrock2/src/curve25519_solinas_64.c.tmp @@ -11,6 +11,17 @@ check_args #include #include +static __attribute__((always_inline)) inline uintptr_t +_br2_mulhuu(uintptr_t a, uintptr_t b) { +#if (UINTPTR_MAX == (1LLU<<31) - 1 + (1LLU<<31)) + return ((uint64_t)a * b) >> 32; +#elif (UINTPTR_MAX == (1LLU<<63) - 1 + (1LLU<<63)) + return ((__uint128_t)a * b) >> 64; +#else +#error "32-bit or 64-bit uintptr_t required" +#endif +} + // We use memcpy to work around -fstrict-aliasing. // A plain memcpy is enough on clang 10, but not on gcc 10, which fails // to infer the bounds on an integer loaded by memcpy. 
@@ -39,6 +50,212 @@ _br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { In fiat_curve25519_solinas_mulmod: Stringification failed on the syntax tree: +(λ x1 x2, + let x3 := (uint64_t)((uint64_t)(x1[3]) * (uint64_t)(x2[3])) (* : uint64_t *) in + let x4 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[3])))) (* : uint64_t *) in + let x5 := (uint64_t)((uint64_t)(x1[3]) * (uint64_t)(x2[2])) (* : uint64_t *) in + let x6 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[2])))) (* : uint64_t *) in + let x7 := (uint64_t)((uint64_t)(x1[3]) * (uint64_t)(x2[1])) (* : uint64_t *) in + let x8 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[1])))) (* : uint64_t *) in + let x9 := (uint64_t)((uint64_t)(x1[3]) * (uint64_t)(x2[0])) (* : uint64_t *) in + let x10 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[0])))) (* : uint64_t *) in + let x11 := (uint64_t)((uint64_t)(x1[2]) * (uint64_t)(x2[3])) (* : uint64_t *) in + let x12 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[3])))) (* : uint64_t *) in + let x13 := (uint64_t)((uint64_t)(x1[2]) * (uint64_t)(x2[2])) (* : uint64_t *) in + let x14 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[2])))) (* : uint64_t *) in + let x15 := (uint64_t)((uint64_t)(x1[2]) * (uint64_t)(x2[1])) (* : uint64_t *) in + let x16 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[1])))) (* : uint64_t *) in + let x17 := (uint64_t)((uint64_t)(x1[2]) * (uint64_t)(x2[0])) (* : uint64_t *) in + let x18 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[0])))) (* : uint64_t *) in + let x19 := (uint64_t)((uint64_t)(x1[1]) * (uint64_t)(x2[3])) (* : uint64_t *) in + let x20 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[3])))) (* : uint64_t *) in + let x21 := (uint64_t)((uint64_t)(x1[1]) * (uint64_t)(x2[2])) (* : uint64_t *) in + let x22 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[1]), 
(uint64_t)(x2[2])))) (* : uint64_t *) in + let x23 := (uint64_t)((uint64_t)(x1[1]) * (uint64_t)(x2[1])) (* : uint64_t *) in + let x24 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[1])))) (* : uint64_t *) in + let x25 := (uint64_t)((uint64_t)(x1[1]) * (uint64_t)(x2[0])) (* : uint64_t *) in + let x26 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[0])))) (* : uint64_t *) in + let x27 := (uint64_t)((uint64_t)(x1[0]) * (uint64_t)(x2[3])) (* : uint64_t *) in + let x28 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[3])))) (* : uint64_t *) in + let x29 := (uint64_t)((uint64_t)(x1[0]) * (uint64_t)(x2[2])) (* : uint64_t *) in + let x30 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[2])))) (* : uint64_t *) in + let x31 := (uint64_t)((uint64_t)(x1[0]) * (uint64_t)(x2[1])) (* : uint64_t *) in + let x32 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[1])))) (* : uint64_t *) in + let x33 := (uint64_t)((uint64_t)(x1[0]) * (uint64_t)(x2[0])) (* : uint64_t *) in + let x34 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[0])))) (* : uint64_t *) in + let x35 := (uint64_t)((uint64_t)x30 + (uint64_t)x9) (* : uint64_t *) in + let x36 := (uint64_t)(Z.ltz((uint64_t)x35, (uint64_t)x30)) (* : uint64_t *) in + let x37 := (uint64_t)((uint64_t)x36 + (uint64_t)x28) (* : uint64_t *) in + let x38 := (uint64_t)(Z.ltz((uint64_t)x37, (uint64_t)x28)) (* : uint64_t *) in + let x39 := (uint64_t)((uint64_t)x37 + (uint64_t)x7) (* : uint64_t *) in + let x40 := (uint64_t)(Z.ltz((uint64_t)x39, (uint64_t)x7)) (* : uint64_t *) in + let x41 := (uint64_t)((uint64_t)x38 + (uint64_t)x40) (* : uint64_t *) in + let x42 := (uint64_t)((uint64_t)x41 + (uint64_t)x20) (* : uint64_t *) in + let x43 := (uint64_t)((uint64_t)x35 + (uint64_t)x15) (* : uint64_t *) in + let x44 := (uint64_t)(Z.ltz((uint64_t)x43, (uint64_t)x35)) (* : uint64_t *) in + let x45 := (uint64_t)((uint64_t)x44 + (uint64_t)x39) (* : 
uint64_t *) in + let x46 := (uint64_t)(Z.ltz((uint64_t)x45, (uint64_t)x39)) (* : uint64_t *) in + let x47 := (uint64_t)((uint64_t)x45 + (uint64_t)x10) (* : uint64_t *) in + let x48 := (uint64_t)(Z.ltz((uint64_t)x47, (uint64_t)x10)) (* : uint64_t *) in + let x49 := (uint64_t)((uint64_t)x46 + (uint64_t)x48) (* : uint64_t *) in + let x50 := (uint64_t)((uint64_t)x49 + (uint64_t)x42) (* : uint64_t *) in + let x51 := (uint64_t)(Z.ltz((uint64_t)x50, (uint64_t)x42)) (* : uint64_t *) in + let x52 := (uint64_t)((uint64_t)x51 + (uint64_t)x12) (* : uint64_t *) in + let x53 := (uint64_t)((uint64_t)x32 + (uint64_t)x17) (* : uint64_t *) in + let x54 := (uint64_t)(Z.ltz((uint64_t)x53, (uint64_t)x32)) (* : uint64_t *) in + let x55 := (uint64_t)((uint64_t)x54 + (uint64_t)x43) (* : uint64_t *) in + let x56 := (uint64_t)(Z.ltz((uint64_t)x55, (uint64_t)x43)) (* : uint64_t *) in + let x57 := (uint64_t)((uint64_t)x55 + (uint64_t)x18) (* : uint64_t *) in + let x58 := (uint64_t)(Z.ltz((uint64_t)x57, (uint64_t)x18)) (* : uint64_t *) in + let x59 := (uint64_t)((uint64_t)x56 + (uint64_t)x58) (* : uint64_t *) in + let x60 := (uint64_t)((uint64_t)x59 + (uint64_t)x47) (* : uint64_t *) in + let x61 := (uint64_t)(Z.ltz((uint64_t)x60, (uint64_t)x47)) (* : uint64_t *) in + let x62 := (uint64_t)((uint64_t)x60 + (uint64_t)x13) (* : uint64_t *) in + let x63 := (uint64_t)(Z.ltz((uint64_t)x62, (uint64_t)x13)) (* : uint64_t *) in + let x64 := (uint64_t)((uint64_t)x61 + (uint64_t)x63) (* : uint64_t *) in + let x65 := (uint64_t)((uint64_t)x64 + (uint64_t)x50) (* : uint64_t *) in + let x66 := (uint64_t)(Z.ltz((uint64_t)x65, (uint64_t)x50)) (* : uint64_t *) in + let x67 := (uint64_t)((uint64_t)x65 + (uint64_t)x5) (* : uint64_t *) in + let x68 := (uint64_t)(Z.ltz((uint64_t)x67, (uint64_t)x5)) (* : uint64_t *) in + let x69 := (uint64_t)((uint64_t)x66 + (uint64_t)x68) (* : uint64_t *) in + let x70 := (uint64_t)((uint64_t)x69 + (uint64_t)x52) (* : uint64_t *) in + let x71 := (uint64_t)(Z.ltz((uint64_t)x70, 
(uint64_t)x52)) (* : uint64_t *) in + let x72 := (uint64_t)((uint64_t)x71 + (uint64_t)x4) (* : uint64_t *) in + let x73 := (uint64_t)((uint64_t)x53 + (uint64_t)x23) (* : uint64_t *) in + let x74 := (uint64_t)(Z.ltz((uint64_t)x73, (uint64_t)x53)) (* : uint64_t *) in + let x75 := (uint64_t)((uint64_t)x74 + (uint64_t)x57) (* : uint64_t *) in + let x76 := (uint64_t)(Z.ltz((uint64_t)x75, (uint64_t)x57)) (* : uint64_t *) in + let x77 := (uint64_t)((uint64_t)x75 + (uint64_t)x21) (* : uint64_t *) in + let x78 := (uint64_t)(Z.ltz((uint64_t)x77, (uint64_t)x21)) (* : uint64_t *) in + let x79 := (uint64_t)((uint64_t)x76 + (uint64_t)x78) (* : uint64_t *) in + let x80 := (uint64_t)((uint64_t)x79 + (uint64_t)x62) (* : uint64_t *) in + let x81 := (uint64_t)(Z.ltz((uint64_t)x80, (uint64_t)x62)) (* : uint64_t *) in + let x82 := (uint64_t)((uint64_t)x80 + (uint64_t)x16) (* : uint64_t *) in + let x83 := (uint64_t)(Z.ltz((uint64_t)x82, (uint64_t)x16)) (* : uint64_t *) in + let x84 := (uint64_t)((uint64_t)x81 + (uint64_t)x83) (* : uint64_t *) in + let x85 := (uint64_t)((uint64_t)x84 + (uint64_t)x67) (* : uint64_t *) in + let x86 := (uint64_t)(Z.ltz((uint64_t)x85, (uint64_t)x67)) (* : uint64_t *) in + let x87 := (uint64_t)((uint64_t)x85 + (uint64_t)x8) (* : uint64_t *) in + let x88 := (uint64_t)(Z.ltz((uint64_t)x87, (uint64_t)x8)) (* : uint64_t *) in + let x89 := (uint64_t)((uint64_t)x86 + (uint64_t)x88) (* : uint64_t *) in + let x90 := (uint64_t)((uint64_t)x89 + (uint64_t)x70) (* : uint64_t *) in + let x91 := (uint64_t)(Z.ltz((uint64_t)x90, (uint64_t)x70)) (* : uint64_t *) in + let x92 := (uint64_t)((uint64_t)x91 + (uint64_t)x72) (* : uint64_t *) in + let x93 := (uint64_t)((uint64_t)x34 + (uint64_t)x25) (* : uint64_t *) in + let x94 := (uint64_t)(Z.ltz((uint64_t)x93, (uint64_t)x34)) (* : uint64_t *) in + let x95 := (uint64_t)((uint64_t)x94 + (uint64_t)x73) (* : uint64_t *) in + let x96 := (uint64_t)(Z.ltz((uint64_t)x95, (uint64_t)x73)) (* : uint64_t *) in + let x97 := 
(uint64_t)((uint64_t)x95 + (uint64_t)x26) (* : uint64_t *) in + let x98 := (uint64_t)(Z.ltz((uint64_t)x97, (uint64_t)x26)) (* : uint64_t *) in + let x99 := (uint64_t)((uint64_t)x96 + (uint64_t)x98) (* : uint64_t *) in + let x100 := (uint64_t)((uint64_t)x99 + (uint64_t)x77) (* : uint64_t *) in + let x101 := (uint64_t)(Z.ltz((uint64_t)x100, (uint64_t)x77)) (* : uint64_t *) in + let x102 := (uint64_t)((uint64_t)x100 + (uint64_t)x24) (* : uint64_t *) in + let x103 := (uint64_t)(Z.ltz((uint64_t)x102, (uint64_t)x24)) (* : uint64_t *) in + let x104 := (uint64_t)((uint64_t)x101 + (uint64_t)x103) (* : uint64_t *) in + let x105 := (uint64_t)((uint64_t)x104 + (uint64_t)x82) (* : uint64_t *) in + let x106 := (uint64_t)(Z.ltz((uint64_t)x105, (uint64_t)x82)) (* : uint64_t *) in + let x107 := (uint64_t)((uint64_t)x105 + (uint64_t)x19) (* : uint64_t *) in + let x108 := (uint64_t)(Z.ltz((uint64_t)x107, (uint64_t)x19)) (* : uint64_t *) in + let x109 := (uint64_t)((uint64_t)x106 + (uint64_t)x108) (* : uint64_t *) in + let x110 := (uint64_t)((uint64_t)x109 + (uint64_t)x87) (* : uint64_t *) in + let x111 := (uint64_t)(Z.ltz((uint64_t)x110, (uint64_t)x87)) (* : uint64_t *) in + let x112 := (uint64_t)((uint64_t)x110 + (uint64_t)x11) (* : uint64_t *) in + let x113 := (uint64_t)(Z.ltz((uint64_t)x112, (uint64_t)x11)) (* : uint64_t *) in + let x114 := (uint64_t)((uint64_t)x111 + (uint64_t)x113) (* : uint64_t *) in + let x115 := (uint64_t)((uint64_t)x114 + (uint64_t)x90) (* : uint64_t *) in + let x116 := (uint64_t)(Z.ltz((uint64_t)x115, (uint64_t)x90)) (* : uint64_t *) in + let x117 := (uint64_t)((uint64_t)x115 + (uint64_t)x3) (* : uint64_t *) in + let x118 := (uint64_t)(Z.ltz((uint64_t)x117, (uint64_t)x3)) (* : uint64_t *) in + let x119 := (uint64_t)((uint64_t)x116 + (uint64_t)x118) (* : uint64_t *) in + let x120 := (uint64_t)((uint64_t)x119 + (uint64_t)x92) (* : uint64_t *) in + let x121 := (uint64_t)((uint64_t)x93 + (uint64_t)x31) (* : uint64_t *) in + let x122 := 
(uint64_t)(Z.ltz((uint64_t)x121, (uint64_t)x93)) (* : uint64_t *) in + let x123 := (uint64_t)((uint64_t)x122 + (uint64_t)x97) (* : uint64_t *) in + let x124 := (uint64_t)(Z.ltz((uint64_t)x123, (uint64_t)x97)) (* : uint64_t *) in + let x125 := (uint64_t)((uint64_t)x123 + (uint64_t)x29) (* : uint64_t *) in + let x126 := (uint64_t)(Z.ltz((uint64_t)x125, (uint64_t)x29)) (* : uint64_t *) in + let x127 := (uint64_t)((uint64_t)x124 + (uint64_t)x126) (* : uint64_t *) in + let x128 := (uint64_t)((uint64_t)x127 + (uint64_t)x102) (* : uint64_t *) in + let x129 := (uint64_t)(Z.ltz((uint64_t)x128, (uint64_t)x102)) (* : uint64_t *) in + let x130 := (uint64_t)((uint64_t)x128 + (uint64_t)x27) (* : uint64_t *) in + let x131 := (uint64_t)(Z.ltz((uint64_t)x130, (uint64_t)x27)) (* : uint64_t *) in + let x132 := (uint64_t)((uint64_t)x129 + (uint64_t)x131) (* : uint64_t *) in + let x133 := (uint64_t)((uint64_t)x132 + (uint64_t)x107) (* : uint64_t *) in + let x134 := (uint64_t)(Z.ltz((uint64_t)x133, (uint64_t)x107)) (* : uint64_t *) in + let x135 := (uint64_t)((uint64_t)x133 + (uint64_t)x22) (* : uint64_t *) in + let x136 := (uint64_t)(Z.ltz((uint64_t)x135, (uint64_t)x22)) (* : uint64_t *) in + let x137 := (uint64_t)((uint64_t)x134 + (uint64_t)x136) (* : uint64_t *) in + let x138 := (uint64_t)((uint64_t)x137 + (uint64_t)x112) (* : uint64_t *) in + let x139 := (uint64_t)(Z.ltz((uint64_t)x138, (uint64_t)x112)) (* : uint64_t *) in + let x140 := (uint64_t)((uint64_t)x138 + (uint64_t)x14) (* : uint64_t *) in + let x141 := (uint64_t)(Z.ltz((uint64_t)x140, (uint64_t)x14)) (* : uint64_t *) in + let x142 := (uint64_t)((uint64_t)x139 + (uint64_t)x141) (* : uint64_t *) in + let x143 := (uint64_t)((uint64_t)x142 + (uint64_t)x117) (* : uint64_t *) in + let x144 := (uint64_t)(Z.ltz((uint64_t)x143, (uint64_t)x117)) (* : uint64_t *) in + let x145 := (uint64_t)((uint64_t)x143 + (uint64_t)x6) (* : uint64_t *) in + let x146 := (uint64_t)(Z.ltz((uint64_t)x145, (uint64_t)x6)) (* : uint64_t *) in + let x147 
:= (uint64_t)((uint64_t)x144 + (uint64_t)x146) (* : uint64_t *) in + let x148 := (uint64_t)((uint64_t)x147 + (uint64_t)x120) (* : uint64_t *) in + let x149 := (uint64_t)(38 * (uint64_t)x145) (* : uint64_t *) in + let x150 := (uint64_t)(Z.mul_high((2^64), (38, (uint64_t)x145))) (* : uint64_t *) in + let x151 := (uint64_t)(38 * (uint64_t)x140) (* : uint64_t *) in + let x152 := (uint64_t)(Z.mul_high((2^64), (38, (uint64_t)x140))) (* : uint64_t *) in + let x153 := (uint64_t)(38 * (uint64_t)x135) (* : uint64_t *) in + let x154 := (uint64_t)(Z.mul_high((2^64), (38, (uint64_t)x135))) (* : uint64_t *) in + let x155 := (uint64_t)((uint64_t)x121 + (uint64_t)x151) (* : uint64_t *) in + let x156 := (uint64_t)(Z.ltz((uint64_t)x155, (uint64_t)x121)) (* : uint64_t *) in + let x157 := (uint64_t)((uint64_t)x156 + (uint64_t)x125) (* : uint64_t *) in + let x158 := (uint64_t)(Z.ltz((uint64_t)x157, (uint64_t)x125)) (* : uint64_t *) in + let x159 := (uint64_t)((uint64_t)x157 + (uint64_t)x149) (* : uint64_t *) in + let x160 := (uint64_t)(Z.ltz((uint64_t)x159, (uint64_t)x149)) (* : uint64_t *) in + let x161 := (uint64_t)((uint64_t)x158 + (uint64_t)x160) (* : uint64_t *) in + let x162 := (uint64_t)(38 * (uint64_t)x148) (* : uint64_t *) in + let x163 := (uint64_t)((uint64_t)x161 + (uint64_t)x130) (* : uint64_t *) in + let x164 := (uint64_t)(Z.ltz((uint64_t)x163, (uint64_t)x130)) (* : uint64_t *) in + let x165 := (uint64_t)((uint64_t)x163 + (uint64_t)x162) (* : uint64_t *) in + let x166 := (uint64_t)(Z.ltz((uint64_t)x165, (uint64_t)x162)) (* : uint64_t *) in + let x167 := (uint64_t)((uint64_t)x164 + (uint64_t)x166) (* : uint64_t *) in + let x168 := (uint64_t)(Z.mul_high((2^64), (38, (uint64_t)x148))) (* : uint64_t *) in + let x169 := (uint64_t)((uint64_t)x167 + (uint64_t)x168) (* : uint64_t *) in + let x170 := (uint64_t)((uint64_t)x33 + (uint64_t)x153) (* : uint64_t *) in + let x171 := (uint64_t)(Z.ltz((uint64_t)x170, (uint64_t)x33)) (* : uint64_t *) in + let x172 := 
(uint64_t)((uint64_t)x171 + (uint64_t)x155) (* : uint64_t *) in + let x173 := (uint64_t)(Z.ltz((uint64_t)x172, (uint64_t)x155)) (* : uint64_t *) in + let x174 := (uint64_t)((uint64_t)x172 + (uint64_t)x154) (* : uint64_t *) in + let x175 := (uint64_t)(Z.ltz((uint64_t)x174, (uint64_t)x154)) (* : uint64_t *) in + let x176 := (uint64_t)((uint64_t)x173 + (uint64_t)x175) (* : uint64_t *) in + let x177 := (uint64_t)((uint64_t)x176 + (uint64_t)x159) (* : uint64_t *) in + let x178 := (uint64_t)(Z.ltz((uint64_t)x177, (uint64_t)x159)) (* : uint64_t *) in + let x179 := (uint64_t)((uint64_t)x177 + (uint64_t)x152) (* : uint64_t *) in + let x180 := (uint64_t)(Z.ltz((uint64_t)x179, (uint64_t)x152)) (* : uint64_t *) in + let x181 := (uint64_t)((uint64_t)x178 + (uint64_t)x180) (* : uint64_t *) in + let x182 := (uint64_t)((uint64_t)x181 + (uint64_t)x165) (* : uint64_t *) in + let x183 := (uint64_t)(Z.ltz((uint64_t)x182, (uint64_t)x165)) (* : uint64_t *) in + let x184 := (uint64_t)((uint64_t)x182 + (uint64_t)x150) (* : uint64_t *) in + let x185 := (uint64_t)(Z.ltz((uint64_t)x184, (uint64_t)x150)) (* : uint64_t *) in + let x186 := (uint64_t)((uint64_t)x183 + (uint64_t)x185) (* : uint64_t *) in + let x187 := (uint64_t)((uint64_t)x186 + (uint64_t)x169) (* : uint64_t *) in + let x188 := (uint64_t, uint0_t)(Z.mul_split((2^64), (38, (uint64_t)x187))) (* : uint64_t, uint0_t *) in + let x189 := (uint64_t)((uint64_t)x170 + (uint64_t)(uint64_t, uint0_t)x188₁) (* : uint64_t *) in + let x190 := (uint64_t)(Z.ltz((uint64_t)x189, (uint64_t)x170)) (* : uint64_t *) in + let x191 := (uint64_t)((uint64_t)x190 + (uint64_t)x174) (* : uint64_t *) in + let x192 := (uint64_t)(Z.ltz((uint64_t)x191, (uint64_t)x174)) (* : uint64_t *) in + let x193 := (uint64_t)((uint64_t)x192 + (uint64_t)x179) (* : uint64_t *) in + let x194 := (uint64_t)(Z.ltz((uint64_t)x193, (uint64_t)x179)) (* : uint64_t *) in + let x195 := (uint64_t)((uint64_t)x194 + (uint64_t)x184) (* : uint64_t *) in + let x196 := 
(uint64_t)(Z.ltz((uint64_t)x195, (uint64_t)x184)) (* : uint64_t *) in + let x197 := (uint64_t, uint0_t)(Z.mul_split((2^64), (38, (uint64_t)x196))) (* : uint64_t, uint0_t *) in + let x198 := (uint64_t)((uint64_t)x189 + (uint64_t)(uint64_t, uint0_t)x197₁) (* : uint64_t *) in + let x199 := (uint64_t)(Z.ltz((uint64_t)x198, (uint64_t)x189)) (* : uint64_t *) in + let x200 := (uint64_t)((uint64_t)x199 + (uint64_t)x191) (* : uint64_t *) in + let x201 := (uint64_t)(Z.ltz((uint64_t)x200, (uint64_t)x191)) (* : uint64_t *) in + let x202 := (uint64_t)((uint64_t)x201 + (uint64_t)x193) (* : uint64_t *) in + let x203 := (uint64_t)(Z.ltz((uint64_t)x202, (uint64_t)x193)) (* : uint64_t *) in + let x204 := (uint64_t)((uint64_t)x203 + (uint64_t)x195) (* : uint64_t *) in + (uint64_t)x198 :: (uint64_t)x200 :: (uint64_t)x202 :: (uint64_t)x204 :: [] +) +Which with some casts elided is: (λ x1 x2, let x3 := x1[3] * x2[3] (* : uint64_t *) in let x4 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[3]))) (* : uint64_t *) in @@ -225,7 +442,7 @@ Stringification failed on the syntax tree: let x185 := Z.ltz((uint64_t)x184, (uint64_t)x150) (* : uint64_t *) in let x186 := x183 + x185 (* : uint64_t *) in let x187 := x186 + x169 (* : uint64_t *) in - let x188 := Z.mul_split((2^64), (38, (uint64_t)x187)) in + let x188 := Z.mul_split((2^64), (38, (uint64_t)x187)) (* : uint64_t, uint0_t *) in let x189 := x170 + x188₁ (* : uint64_t *) in let x190 := Z.ltz((uint64_t)x189, (uint64_t)x170) (* : uint64_t *) in let x191 := x190 + x174 (* : uint64_t *) in 
@@ -234,7 +451,7 @@ Stringification failed on the syntax tree: let x194 := Z.ltz((uint64_t)x193, (uint64_t)x179) (* : uint64_t *) in let x195 := x194 + x184 (* : uint64_t *) in let x196 := Z.ltz((uint64_t)x195, (uint64_t)x184) (* : uint64_t *) in - let x197 := Z.mul_split((2^64), (38, (uint64_t)x196)) in + let x197 := Z.mul_split((2^64), (38, (uint64_t)x196)) (* : uint64_t, uint0_t *) in let x198 := x189 + x197₁ (* : uint64_t *) in let x199 := Z.ltz((uint64_t)x198, (uint64_t)x189) (* : uint64_t *) in let x200 := x199 + x191 (* : uint64_t *) in 
@@ -266,37 +483,37 @@ void internal_fiat_curve25519_solinas_mulmod(uintptr_t out0, uintptr_t in0, uint /*skip*/ /*skip*/ x8 = (x3)*(x7); - x9 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x3)*(x7))>>32 : ((__uint128_t)(x3)*(x7))>>64); + x9 = _br2_mulhuu((x3), (x7)); x10 = (x3)*(x6); - x11 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x3)*(x6))>>32 : ((__uint128_t)(x3)*(x6))>>64); + x11 = _br2_mulhuu((x3), (x6)); x12 = (x3)*(x5); - x13 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x3)*(x5))>>32 : ((__uint128_t)(x3)*(x5))>>64); + x13 = _br2_mulhuu((x3), (x5)); x14 = (x3)*(x4); - x15 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x3)*(x4))>>32 : ((__uint128_t)(x3)*(x4))>>64); + x15 = _br2_mulhuu((x3), (x4)); x16 = (x2)*(x7); - x17 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x2)*(x7))>>32 : ((__uint128_t)(x2)*(x7))>>64); + x17 = _br2_mulhuu((x2), (x7)); x18 = (x2)*(x6); - x19 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x2)*(x6))>>32 : ((__uint128_t)(x2)*(x6))>>64); + x19 = _br2_mulhuu((x2), (x6)); x20 = (x2)*(x5); - x21 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x2)*(x5))>>32 : ((__uint128_t)(x2)*(x5))>>64); + x21 = _br2_mulhuu((x2), (x5)); x22 = (x2)*(x4); - x23 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x2)*(x4))>>32 : ((__uint128_t)(x2)*(x4))>>64); + x23 = _br2_mulhuu((x2), (x4)); x24 = (x1)*(x7); - x25 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x1)*(x7))>>32 : ((__uint128_t)(x1)*(x7))>>64); + x25 = _br2_mulhuu((x1), (x7)); x26 = (x1)*(x6); - x27 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x1)*(x6))>>32 : ((__uint128_t)(x1)*(x6))>>64); + x27 = _br2_mulhuu((x1), (x6)); x28 = (x1)*(x5); - x29 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x1)*(x5))>>32 : ((__uint128_t)(x1)*(x5))>>64); + x29 = _br2_mulhuu((x1), (x5)); x30 = (x1)*(x4); - x31 = (uintptr_t)(sizeof(intptr_t) == 4 ? 
((uint64_t)(x1)*(x4))>>32 : ((__uint128_t)(x1)*(x4))>>64); + x31 = _br2_mulhuu((x1), (x4)); x32 = (x0)*(x7); - x33 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x0)*(x7))>>32 : ((__uint128_t)(x0)*(x7))>>64); + x33 = _br2_mulhuu((x0), (x7)); x34 = (x0)*(x6); - x35 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x0)*(x6))>>32 : ((__uint128_t)(x0)*(x6))>>64); + x35 = _br2_mulhuu((x0), (x6)); x36 = (x0)*(x5); - x37 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x0)*(x5))>>32 : ((__uint128_t)(x0)*(x5))>>64); + x37 = _br2_mulhuu((x0), (x5)); x38 = (x0)*(x4); - x39 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)(x0)*(x4))>>32 : ((__uint128_t)(x0)*(x4))>>64); + x39 = _br2_mulhuu((x0), (x4)); x40 = (x35)+(x14); x41 = (uintptr_t)((x40)<(x35)); x42 = (x41)+(x33); @@ -412,11 +629,11 @@ void internal_fiat_curve25519_solinas_mulmod(uintptr_t out0, uintptr_t in0, uint x152 = (x149)+(x151); x153 = (x152)+(x125); x154 = ((uintptr_t)38ULL)*(x150); - x155 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)((uintptr_t)38ULL)*(x150))>>32 : ((__uint128_t)((uintptr_t)38ULL)*(x150))>>64); + x155 = _br2_mulhuu(((uintptr_t)38ULL), (x150)); x156 = ((uintptr_t)38ULL)*(x145); - x157 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)((uintptr_t)38ULL)*(x145))>>32 : ((__uint128_t)((uintptr_t)38ULL)*(x145))>>64); + x157 = _br2_mulhuu(((uintptr_t)38ULL), (x145)); x158 = ((uintptr_t)38ULL)*(x140); - x159 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)((uintptr_t)38ULL)*(x140))>>32 : ((__uint128_t)((uintptr_t)38ULL)*(x140))>>64); + x159 = _br2_mulhuu(((uintptr_t)38ULL), (x140)); x160 = (x126)+(x156); x161 = (uintptr_t)((x160)<(x126)); x162 = (x161)+(x130); 
@@ -430,7 +647,7 @@ void internal_fiat_curve25519_solinas_mulmod(uintptr_t out0, uintptr_t in0, uint x170 = (x168)+(x167); x171 = (uintptr_t)((x170)<(x167)); x172 = (x169)+(x171); - x173 = (uintptr_t)(sizeof(intptr_t) == 4 ? ((uint64_t)((uintptr_t)38ULL)*(x153))>>32 : ((__uint128_t)((uintptr_t)38ULL)*(x153))>>64); + x173 = _br2_mulhuu(((uintptr_t)38ULL), (x153)); x174 = (x172)+(x173); x175 = (x38)+(x158); x176 = (uintptr_t)((x175)<(x38)); diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig index 42b4ddc8e3..9b2739dd22 100644 --- a/fiat-zig/src/curve25519_solinas_64.zig +++ b/fiat-zig/src/curve25519_solinas_64.zig @@ -11,6 +11,7 @@ const std = @import("std"); const mode = @import("builtin").mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels inline fn cast(comptime DestType: type, target: anytype) DestType { + @setEvalBranchQuota(10000); if (@typeInfo(@TypeOf(target)) == .Int) { const dest = @typeInfo(DestType).Int; const source = @typeInfo(@TypeOf(target)).Int; From dce7e6f6157ee6ea4cfbe09a3bc6ed074cde8f0d Mon Sep 17 00:00:00 2001 From: Jason Gross Date: Thu, 20 Oct 2022 00:41:32 +0530 Subject: [PATCH 49/69] Adjust after rebase on debug-rewriting --- src/PushButtonSynthesis/SolinasReduction.v | 49 ++++++---------------- 1 file changed, 12 insertions(+), 37 deletions(-) diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index b01975a88f..3d452a70e4 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v 
@@ -63,35 +63,16 @@ Local Opaque expr.Interp. Section __. Context {output_language_api : ToString.OutputLanguageAPI} - {language_naming_conventions : language_naming_conventions_opt} - {documentation_options : documentation_options_opt} - {output_options : output_options_opt} - {opts : AbstractInterpretation.Options} - {package_namev : package_name_opt} - {class_namev : class_name_opt} - {static : static_opt} - {internal_static : internal_static_opt} - {inline : inline_opt} - {inline_internal : inline_internal_opt} - {low_level_rewriter_method : low_level_rewriter_method_opt} - {only_signed : only_signed_opt} - {no_select : no_select_opt} - {use_mul_for_cmovznz : use_mul_for_cmovznz_opt} - {emit_primitives : emit_primitives_opt} - {should_split_mul : should_split_mul_opt} - {should_split_multiret : should_split_multiret_opt} - {unfold_value_barrier : unfold_value_barrier_opt} - {assembly_hints_lines : assembly_hints_lines_opt} - {ignore_unique_asm_names : ignore_unique_asm_names_opt} - {widen_carry : widen_carry_opt} - (widen_bytes : widen_bytes_opt := true) (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) - {assembly_conventions : assembly_conventions_opt} - {error_on_unused_assembly_functions : error_on_unused_assembly_functions_opt} + {pipeline_opts : PipelineOptions} + {pipeline_to_string_opts : PipelineToStringOptions} + {synthesis_opts : SynthesisOptions} (s : Z) (c : list (Z * Z)). Context (machine_wordsize : machine_wordsize_opt). - Local Existing Instance widen_bytes. + Local Instance override_pipeline_opts : PipelineOptions + := {| widen_bytes := true (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) + |}. (* We include [0], so that even after bounds relaxation, we can notice where the constant 0s are, and remove them. *) 
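Review bot: `override_pipeline_opts` is declared with no priority in the same section as the `pipeline_opts` context variable, so it presumably wins resolution only because it is the more recently declared `PipelineOptions` instance, and its fields other than `widen_bytes` are presumably filled in from `pipeline_opts`; neither of these facts is stated anywhere. A comment above the instance, e.g. `(* Declared after [pipeline_opts] so resolution prefers it; every field except [widen_bytes] is inherited from [pipeline_opts]. *)`, would make the precedence and the intent explicit, and the existing inline remark on `widen_bytes` could sit alongside it. Section `__` continues outside the hunk.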
@@ -104,11 +85,10 @@ Section __. Definition up_bound := 2 ^ (machine_wordsize / 4). Definition base : Z := 2 ^ machine_wordsize. - Let possible_values := possible_values_of_machine_wordsize. - Definition bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. - Definition boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound n. + Local Notation possible_values := possible_values_of_machine_wordsize. + Local Notation boundsn := (saturated_bounds n machine_wordsize). + Local Existing Instance default_translate_to_fancy. Local Instance no_select_size : no_select_size_opt := no_select_size_of_no_select machine_wordsize. Local Instance split_mul_to : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance split_multiret_to : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. @@ -163,11 +143,7 @@ Section __. { lazymatch goal with | |- ?x = _ => rewrite surjective_pairing with (p:=x) end. - repeat match goal with - | H : ?x = _ |- (?x, _) = _ => rewrite H - | H : ?x = _ |- (_, ?x) = _ => rewrite H - end. - auto. } + congruence. } Qed. Local Notation evalf := (eval weight n). @@ -188,7 +164,6 @@ Section __. Definition mulmod := Pipeline.BoundsPipeline false (* subst01 *) - None (* fancy *) possible_values (reified_solmul_gen @ GallinaReify.Reify base @@ -199,7 +174,7 @@ Section __. (Some boundsn). Definition smulmod (prefix : string) - : string * (Pipeline.ErrorT (Pipeline.ExtendedSynthesisResult _)) + : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _)) := Eval cbv beta in FromPipelineToString! machine_wordsize prefix "mulmod" mulmod 
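Review bot: `bound` and `boundsn` were section-level `Definition`s and become a `Local Notation` here, so they no longer exist once the section closes; any external reference to `SolinasReduction.boundsn` or `SolinasReduction.bound` would now fail, and nothing in the hunk shows that no such reference exists. If `saturated_bounds n machine_wordsize` is meant to unfold to `repeat (Some r[0 ~> (2^machine_wordsize - 1)]%zrange) n`, a comment on the notation line saying so, e.g. `(* was: repeat (Some r[0 ~> 2^machine_wordsize - 1]) n *)`, would preserve the information the deleted definitions carried. Section `__` continues outside the hunk.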
@@ -243,7 +218,7 @@ Section __. (** Note: If you change the name or type signature of this function, you will need to update the code in CLI.v *) Definition Synthesize (comment_header : list string) (function_name_prefix : string) (requests : list string) - : list (synthesis_output_kind * string * Pipeline.ErrorT (list string)) + : list (synthesis_output_kind * string * Pipeline.M (list string)) := Primitives.Synthesize machine_wordsize valid_names known_functions (fun _ => nil) all_typedefs! check_args From 7c1696db124bb1ca3e0af17be56d853f8bc5f92f Mon Sep 17 00:00:00 2001 From: Jason Gross Date: Thu, 20 Oct 2022 01:01:57 +0530 Subject: [PATCH 50/69] Adjust SlowPrimeSynthesisExamplesCopy in light of rebase --- src/SlowPrimeSynthesisExamplesCopy.v | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/src/SlowPrimeSynthesisExamplesCopy.v b/src/SlowPrimeSynthesisExamplesCopy.v index 141e02085a..d9ea9c74dc 100644 --- a/src/SlowPrimeSynthesisExamplesCopy.v +++ b/src/SlowPrimeSynthesisExamplesCopy.v 
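Review bot: The comment immediately above `Synthesize` states that changing its type signature requires updating the code in CLI.v, and this hunk changes the result type from `Pipeline.ErrorT (list string)` to `Pipeline.M (list string)`, yet the commit's diffstat lists only src/PushButtonSynthesis/SolinasReduction.v. If CLI.v already expects `Pipeline.M` after the rebase this is fine; otherwise the CLI integration is now out of step. Either way the commit message should say which, since the warning comment is explicit about it. Section `__` continues outside the hunk.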
@@ -38,18 +38,14 @@ Local Coercion Z.of_nat : nat >-> Z. Local Coercion QArith_base.inject_Z : Z >-> Q. Local Coercion Z.pos : positive >-> Z. -Local Existing Instance default_low_level_rewriter_method. -Local Existing Instance AbstractInterpretation.default_Options. +Local Existing Instance default_translate_to_fancy. +Local Existing Instances + Primitives.Options.default_PipelineOptions + Primitives.Options.default_PipelineToStringOptions + Primitives.Options.default_SynthesisOptions +| 100. Local Instance : unfold_value_barrier_opt := true. -Local Instance : assembly_hints_lines_opt := []. -Local Instance : ignore_unique_asm_names_opt := false. Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction. -Local Existing Instance default_language_naming_conventions. -Local Existing Instance default_documentation_options. -Local Instance : package_name_opt := None. -Local Instance : class_name_opt := None. - -Local Existing Instance default_output_options. Module compiling_mul. @@ -95,7 +91,6 @@ Module compiling_mul. "fiat" "mul" false false - None possible_values machine_wordsize ltac:(let n := (eval cbv in n) in @@ -199,12 +194,12 @@ Module compiling_reduce_flatten. red. End single_reduction. - +(* Search Saturated.Rows.sum_rows. Search Partition.partition. Search Partition.partition app. Search Saturated.Rows.flatten. - +*) Let v := (2^64-1). Let p := repeat v (2*n). Let r' := reduce' w base s c n p. @@ -219,7 +214,6 @@ Module compiling_reduce_flatten. "fiat" "mul" false false - None possible_values machine_wordsize ltac:(let n := (eval cbv in n) in @@ -515,7 +509,6 @@ Module compiling_red. "fiat" "mul" false false - None possible_values machine_wordsize ltac:(let n := (eval cbv in n) in From dcedaacab182dde7154bec39cc8b81dccd34d4f1 Mon Sep 17 00:00:00 2001 
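Review bot: The explicit priority `| 100` on the three default option instances is unexplained; presumably it is deliberately low so that more specific instances declared at default priority, such as the `Local Instance : unfold_value_barrier_opt := true.` that follows, are preferred by resolution — confirm and record that, e.g. `(* low priority: the specific Local Instances below must take precedence over these defaults *)`. In the later `@@ -199,12 +194,12 @@` hunk of this file the `Search` queries are commented out rather than removed; debugging `Search` commands have no place in a committed file, so delete them instead.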
From: Jason Gross Date: Thu, 20 Oct 2022 01:53:01 +0530 Subject: [PATCH 51/69] Regenerate Regenerate --- fiat-bedrock2/src/curve25519_solinas_64.c | 288 +++++++ fiat-bedrock2/src/curve25519_solinas_64.c.tmp | 702 ------------------ 2 files changed, 288 insertions(+), 702 deletions(-) create mode 100644 fiat-bedrock2/src/curve25519_solinas_64.c delete mode 100644 fiat-bedrock2/src/curve25519_solinas_64.c.tmp diff --git a/fiat-bedrock2/src/curve25519_solinas_64.c b/fiat-bedrock2/src/curve25519_solinas_64.c new file mode 100644 index 0000000000..648bf5b5c7 --- /dev/null +++ b/fiat-bedrock2/src/curve25519_solinas_64.c 
@@ -0,0 +1,288 @@ +/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mulmod */ +/* curve description: curve25519_solinas */ +/* machine_wordsize = 64 (from "64") */ +/* requested operations: mulmod */ +/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ +/* */ +/* Computed values: */ +/* */ + +#include +#include + +static __attribute__((always_inline)) inline uintptr_t +_br2_mulhuu(uintptr_t a, uintptr_t b) { +#if (UINTPTR_MAX == (1LLU<<31) - 1 + (1LLU<<31)) + return ((uint64_t)a * b) >> 32; +#elif (UINTPTR_MAX == (1LLU<<63) - 1 + (1LLU<<63)) + return ((__uint128_t)a * b) >> 64; +#else +#error "32-bit or 64-bit uintptr_t required" +#endif +} + +// We use memcpy to work around -fstrict-aliasing. +// A plain memcpy is enough on clang 10, but not on gcc 10, which fails +// to infer the bounds on an integer loaded by memcpy. +// Adding a range mask after memcpy in turn makes slower code in clang. +// Loading individual bytes, shifting them together, and or-ing is fast +// on clang and sometimes on GCC, but other times GCC inlines individual +// byte operations without reconstructing wider accesses. +// The little-endian idiom below seems fast in gcc 9+ and clang 10. 
+static __attribute__((always_inline)) inline uintptr_t +_br2_load(uintptr_t a, uintptr_t sz) { + switch (sz) { + case 1: { uint8_t r = 0; memcpy(&r, (void*)a, 1); return r; } + case 2: { uint16_t r = 0; memcpy(&r, (void*)a, 2); return r; } + case 4: { uint32_t r = 0; memcpy(&r, (void*)a, 4); return r; } + case 8: { uint64_t r = 0; memcpy(&r, (void*)a, 8); return r; } + default: __builtin_unreachable(); + } +} + +static __attribute__((always_inline)) inline void +_br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { + memcpy((void*)a, &v, sz); +} + + +/* + * Input Bounds: + * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * in1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static +void internal_fiat_curve25519_solinas_mulmod(uintptr_t out0, uintptr_t in0, uintptr_t in1) { + uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x14, x35, x41, x33, x42, x12, x43, x45, x46, x25, x20, x40, x49, x44, x50, x15, x51, x53, x54, x47, x56, x17, x22, x37, x59, x48, x60, x23, x61, x63, x64, x52, x65, x18, x66, x68, x69, x55, x70, x10, x71, x73, x74, x57, x76, x9, x28, x58, x79, x62, x80, x26, x81, x83, x84, x67, x85, x21, x86, x88, x89, x72, x90, x13, x91, x93, x94, x75, x96, x77, x30, x39, x99, x78, x100, x31, x101, x103, x104, x82, x105, x29, x106, x108, x109, x87, x110, x24, x111, x113, x114, x92, x115, x16, x116, x118, x119, x95, x120, x8, x121, x123, x124, x97, x36, x98, x127, x102, x128, x34, x129, x131, x132, x107, x133, x32, x134, x136, x137, x112, x138, x27, x139, x141, x142, x117, x143, x19, x144, x146, x147, x122, x148, x11, x149, x151, x152, x125, x150, x145, x140, x156, x126, x161, x130, x162, x154, x163, x165, x166, x135, x168, x167, x169, x171, x153, x172, x173, x158, x38, x176, 
x160, x177, x159, x178, x180, x181, x164, x182, x157, x183, x185, x186, x170, x187, x155, x188, x190, x191, x174, x192, x193, x175, x195, x179, x197, x184, x199, x189, x201, x202, x194, x204, x196, x206, x198, x208, x200, x203, x205, x207, x209, x210, x211, x212, x213; + x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); + x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x3 = _br2_load((in0)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + x4 = _br2_load((in1)+((uintptr_t)0ULL), sizeof(uintptr_t)); + x5 = _br2_load((in1)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x6 = _br2_load((in1)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x7 = _br2_load((in1)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + /*skip*/ + x8 = (x3)*(x7); + x9 = _br2_mulhuu((x3), (x7)); + x10 = (x3)*(x6); + x11 = _br2_mulhuu((x3), (x6)); + x12 = (x3)*(x5); + x13 = _br2_mulhuu((x3), (x5)); + x14 = (x3)*(x4); + x15 = _br2_mulhuu((x3), (x4)); + x16 = (x2)*(x7); + x17 = _br2_mulhuu((x2), (x7)); + x18 = (x2)*(x6); + x19 = _br2_mulhuu((x2), (x6)); + x20 = (x2)*(x5); + x21 = _br2_mulhuu((x2), (x5)); + x22 = (x2)*(x4); + x23 = _br2_mulhuu((x2), (x4)); + x24 = (x1)*(x7); + x25 = _br2_mulhuu((x1), (x7)); + x26 = (x1)*(x6); + x27 = _br2_mulhuu((x1), (x6)); + x28 = (x1)*(x5); + x29 = _br2_mulhuu((x1), (x5)); + x30 = (x1)*(x4); + x31 = _br2_mulhuu((x1), (x4)); + x32 = (x0)*(x7); + x33 = _br2_mulhuu((x0), (x7)); + x34 = (x0)*(x6); + x35 = _br2_mulhuu((x0), (x6)); + x36 = (x0)*(x5); + x37 = _br2_mulhuu((x0), (x5)); + x38 = (x0)*(x4); + x39 = _br2_mulhuu((x0), (x4)); + x40 = (x35)+(x14); + x41 = (uintptr_t)((x40)<(x35)); + x42 = (x41)+(x33); + x43 = (uintptr_t)((x42)<(x33)); + x44 = (x42)+(x12); + x45 = (uintptr_t)((x44)<(x12)); + x46 = (x43)+(x45); + x47 = (x46)+(x25); + x48 = (x40)+(x20); + x49 = (uintptr_t)((x48)<(x40)); + x50 = (x49)+(x44); + x51 = (uintptr_t)((x50)<(x44)); + x52 = (x50)+(x15); + x53 = 
(uintptr_t)((x52)<(x15)); + x54 = (x51)+(x53); + x55 = (x54)+(x47); + x56 = (uintptr_t)((x55)<(x47)); + x57 = (x56)+(x17); + x58 = (x37)+(x22); + x59 = (uintptr_t)((x58)<(x37)); + x60 = (x59)+(x48); + x61 = (uintptr_t)((x60)<(x48)); + x62 = (x60)+(x23); + x63 = (uintptr_t)((x62)<(x23)); + x64 = (x61)+(x63); + x65 = (x64)+(x52); + x66 = (uintptr_t)((x65)<(x52)); + x67 = (x65)+(x18); + x68 = (uintptr_t)((x67)<(x18)); + x69 = (x66)+(x68); + x70 = (x69)+(x55); + x71 = (uintptr_t)((x70)<(x55)); + x72 = (x70)+(x10); + x73 = (uintptr_t)((x72)<(x10)); + x74 = (x71)+(x73); + x75 = (x74)+(x57); + x76 = (uintptr_t)((x75)<(x57)); + x77 = (x76)+(x9); + x78 = (x58)+(x28); + x79 = (uintptr_t)((x78)<(x58)); + x80 = (x79)+(x62); + x81 = (uintptr_t)((x80)<(x62)); + x82 = (x80)+(x26); + x83 = (uintptr_t)((x82)<(x26)); + x84 = (x81)+(x83); + x85 = (x84)+(x67); + x86 = (uintptr_t)((x85)<(x67)); + x87 = (x85)+(x21); + x88 = (uintptr_t)((x87)<(x21)); + x89 = (x86)+(x88); + x90 = (x89)+(x72); + x91 = (uintptr_t)((x90)<(x72)); + x92 = (x90)+(x13); + x93 = (uintptr_t)((x92)<(x13)); + x94 = (x91)+(x93); + x95 = (x94)+(x75); + x96 = (uintptr_t)((x95)<(x75)); + x97 = (x96)+(x77); + x98 = (x39)+(x30); + x99 = (uintptr_t)((x98)<(x39)); + x100 = (x99)+(x78); + x101 = (uintptr_t)((x100)<(x78)); + x102 = (x100)+(x31); + x103 = (uintptr_t)((x102)<(x31)); + x104 = (x101)+(x103); + x105 = (x104)+(x82); + x106 = (uintptr_t)((x105)<(x82)); + x107 = (x105)+(x29); + x108 = (uintptr_t)((x107)<(x29)); + x109 = (x106)+(x108); + x110 = (x109)+(x87); + x111 = (uintptr_t)((x110)<(x87)); + x112 = (x110)+(x24); + x113 = (uintptr_t)((x112)<(x24)); + x114 = (x111)+(x113); + x115 = (x114)+(x92); + x116 = (uintptr_t)((x115)<(x92)); + x117 = (x115)+(x16); + x118 = (uintptr_t)((x117)<(x16)); + x119 = (x116)+(x118); + x120 = (x119)+(x95); + x121 = (uintptr_t)((x120)<(x95)); + x122 = (x120)+(x8); + x123 = (uintptr_t)((x122)<(x8)); + x124 = (x121)+(x123); + x125 = (x124)+(x97); + x126 = (x98)+(x36); + x127 = 
(uintptr_t)((x126)<(x98)); + x128 = (x127)+(x102); + x129 = (uintptr_t)((x128)<(x102)); + x130 = (x128)+(x34); + x131 = (uintptr_t)((x130)<(x34)); + x132 = (x129)+(x131); + x133 = (x132)+(x107); + x134 = (uintptr_t)((x133)<(x107)); + x135 = (x133)+(x32); + x136 = (uintptr_t)((x135)<(x32)); + x137 = (x134)+(x136); + x138 = (x137)+(x112); + x139 = (uintptr_t)((x138)<(x112)); + x140 = (x138)+(x27); + x141 = (uintptr_t)((x140)<(x27)); + x142 = (x139)+(x141); + x143 = (x142)+(x117); + x144 = (uintptr_t)((x143)<(x117)); + x145 = (x143)+(x19); + x146 = (uintptr_t)((x145)<(x19)); + x147 = (x144)+(x146); + x148 = (x147)+(x122); + x149 = (uintptr_t)((x148)<(x122)); + x150 = (x148)+(x11); + x151 = (uintptr_t)((x150)<(x11)); + x152 = (x149)+(x151); + x153 = (x152)+(x125); + x154 = ((uintptr_t)38ULL)*(x150); + x155 = _br2_mulhuu(((uintptr_t)38ULL), (x150)); + x156 = ((uintptr_t)38ULL)*(x145); + x157 = _br2_mulhuu(((uintptr_t)38ULL), (x145)); + x158 = ((uintptr_t)38ULL)*(x140); + x159 = _br2_mulhuu(((uintptr_t)38ULL), (x140)); + x160 = (x126)+(x156); + x161 = (uintptr_t)((x160)<(x126)); + x162 = (x161)+(x130); + x163 = (uintptr_t)((x162)<(x130)); + x164 = (x162)+(x154); + x165 = (uintptr_t)((x164)<(x154)); + x166 = (x163)+(x165); + x167 = ((uintptr_t)38ULL)*(x153); + x168 = (x166)+(x135); + x169 = (uintptr_t)((x168)<(x135)); + x170 = (x168)+(x167); + x171 = (uintptr_t)((x170)<(x167)); + x172 = (x169)+(x171); + x173 = _br2_mulhuu(((uintptr_t)38ULL), (x153)); + x174 = (x172)+(x173); + x175 = (x38)+(x158); + x176 = (uintptr_t)((x175)<(x38)); + x177 = (x176)+(x160); + x178 = (uintptr_t)((x177)<(x160)); + x179 = (x177)+(x159); + x180 = (uintptr_t)((x179)<(x159)); + x181 = (x178)+(x180); + x182 = (x181)+(x164); + x183 = (uintptr_t)((x182)<(x164)); + x184 = (x182)+(x157); + x185 = (uintptr_t)((x184)<(x157)); + x186 = (x183)+(x185); + x187 = (x186)+(x170); + x188 = (uintptr_t)((x187)<(x170)); + x189 = (x187)+(x155); + x190 = (uintptr_t)((x189)<(x155)); + x191 = (x188)+(x190); + x192 = 
(x191)+(x174); + x193 = ((uintptr_t)38ULL)*(x192); + x194 = (x175)+(x193); + x195 = (uintptr_t)((x194)<(x175)); + x196 = (x195)+(x179); + x197 = (uintptr_t)((x196)<(x179)); + x198 = (x197)+(x184); + x199 = (uintptr_t)((x198)<(x184)); + x200 = (x199)+(x189); + x201 = (uintptr_t)((x200)<(x189)); + x202 = ((uintptr_t)38ULL)*(x201); + x203 = (x194)+(x202); + x204 = (uintptr_t)((x203)<(x194)); + x205 = (x204)+(x196); + x206 = (uintptr_t)((x205)<(x196)); + x207 = (x206)+(x198); + x208 = (uintptr_t)((x207)<(x198)); + x209 = (x208)+(x200); + x210 = x203; + x211 = x205; + x212 = x207; + x213 = x209; + /*skip*/ + _br2_store((out0)+((uintptr_t)0ULL), x210, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)8ULL), x211, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)16ULL), x212, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)24ULL), x213, sizeof(uintptr_t)); + /*skip*/ + return; +} + +/* NOTE: The following wrapper function is not covered by Coq proofs */ +static void fiat_curve25519_solinas_mulmod(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { + internal_fiat_curve25519_solinas_mulmod((uintptr_t)out1, (uintptr_t)arg1, (uintptr_t)arg2); +} diff --git a/fiat-bedrock2/src/curve25519_solinas_64.c.tmp b/fiat-bedrock2/src/curve25519_solinas_64.c.tmp deleted file mode 100644 index f50ff121a1..0000000000 --- a/fiat-bedrock2/src/curve25519_solinas_64.c.tmp +++ /dev/null 
@@ -1,702 +0,0 @@ -check_args -/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mulmod */ -/* curve description: curve25519_solinas */ -/* machine_wordsize = 64 (from "64") */ -/* requested operations: mulmod */ -/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ -/* */ -/* Computed values: */ -/* */ - -#include -#include - -static __attribute__((always_inline)) inline uintptr_t -_br2_mulhuu(uintptr_t a, uintptr_t b) { -#if (UINTPTR_MAX == (1LLU<<31) - 1 + (1LLU<<31)) - return ((uint64_t)a * b) >> 32; -#elif (UINTPTR_MAX == (1LLU<<63) - 1 + (1LLU<<63)) - return ((__uint128_t)a * b) >> 64; -#else -#error "32-bit or 64-bit uintptr_t required" -#endif -} - -// We use memcpy to work around -fstrict-aliasing. -// A plain memcpy is enough on clang 10, but not on gcc 10, which fails -// to infer the bounds on an integer loaded by memcpy. -// Adding a range mask after memcpy in turn makes slower code in clang. -// Loading individual bytes, shifting them together, and or-ing is fast -// on clang and sometimes on GCC, but other times GCC inlines individual -// byte operations without reconstructing wider accesses. -// The little-endian idiom below seems fast in gcc 9+ and clang 10. 
-static __attribute__((always_inline)) inline uintptr_t -_br2_load(uintptr_t a, uintptr_t sz) { - switch (sz) { - case 1: { uint8_t r = 0; memcpy(&r, (void*)a, 1); return r; } - case 2: { uint16_t r = 0; memcpy(&r, (void*)a, 2); return r; } - case 4: { uint32_t r = 0; memcpy(&r, (void*)a, 4); return r; } - case 8: { uint64_t r = 0; memcpy(&r, (void*)a, 8); return r; } - default: __builtin_unreachable(); - } -} - -static __attribute__((always_inline)) inline void -_br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { - memcpy((void*)a, &v, sz); -} - - - -In fiat_curve25519_solinas_mulmod: -Stringification failed on the syntax tree: -(λ x1 x2, - let x3 := (uint64_t)((uint64_t)(x1[3]) * (uint64_t)(x2[3])) (* : uint64_t *) in - let x4 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[3])))) (* : uint64_t *) in - let x5 := (uint64_t)((uint64_t)(x1[3]) * (uint64_t)(x2[2])) (* : uint64_t *) in - let x6 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[2])))) (* : uint64_t *) in - let x7 := (uint64_t)((uint64_t)(x1[3]) * (uint64_t)(x2[1])) (* : uint64_t *) in - let x8 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[1])))) (* : uint64_t *) in - let x9 := (uint64_t)((uint64_t)(x1[3]) * (uint64_t)(x2[0])) (* : uint64_t *) in - let x10 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[0])))) (* : uint64_t *) in - let x11 := (uint64_t)((uint64_t)(x1[2]) * (uint64_t)(x2[3])) (* : uint64_t *) in - let x12 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[3])))) (* : uint64_t *) in - let x13 := (uint64_t)((uint64_t)(x1[2]) * (uint64_t)(x2[2])) (* : uint64_t *) in - let x14 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[2])))) (* : uint64_t *) in - let x15 := (uint64_t)((uint64_t)(x1[2]) * (uint64_t)(x2[1])) (* : uint64_t *) in - let x16 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[1])))) (* : uint64_t *) in - let x17 := (uint64_t)((uint64_t)(x1[2]) * 
(uint64_t)(x2[0])) (* : uint64_t *) in - let x18 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[0])))) (* : uint64_t *) in - let x19 := (uint64_t)((uint64_t)(x1[1]) * (uint64_t)(x2[3])) (* : uint64_t *) in - let x20 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[3])))) (* : uint64_t *) in - let x21 := (uint64_t)((uint64_t)(x1[1]) * (uint64_t)(x2[2])) (* : uint64_t *) in - let x22 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[2])))) (* : uint64_t *) in - let x23 := (uint64_t)((uint64_t)(x1[1]) * (uint64_t)(x2[1])) (* : uint64_t *) in - let x24 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[1])))) (* : uint64_t *) in - let x25 := (uint64_t)((uint64_t)(x1[1]) * (uint64_t)(x2[0])) (* : uint64_t *) in - let x26 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[0])))) (* : uint64_t *) in - let x27 := (uint64_t)((uint64_t)(x1[0]) * (uint64_t)(x2[3])) (* : uint64_t *) in - let x28 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[3])))) (* : uint64_t *) in - let x29 := (uint64_t)((uint64_t)(x1[0]) * (uint64_t)(x2[2])) (* : uint64_t *) in - let x30 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[2])))) (* : uint64_t *) in - let x31 := (uint64_t)((uint64_t)(x1[0]) * (uint64_t)(x2[1])) (* : uint64_t *) in - let x32 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[1])))) (* : uint64_t *) in - let x33 := (uint64_t)((uint64_t)(x1[0]) * (uint64_t)(x2[0])) (* : uint64_t *) in - let x34 := (uint64_t)(Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[0])))) (* : uint64_t *) in - let x35 := (uint64_t)((uint64_t)x30 + (uint64_t)x9) (* : uint64_t *) in - let x36 := (uint64_t)(Z.ltz((uint64_t)x35, (uint64_t)x30)) (* : uint64_t *) in - let x37 := (uint64_t)((uint64_t)x36 + (uint64_t)x28) (* : uint64_t *) in - let x38 := (uint64_t)(Z.ltz((uint64_t)x37, (uint64_t)x28)) (* : uint64_t *) in - let x39 := (uint64_t)((uint64_t)x37 + 
(uint64_t)x7) (* : uint64_t *) in - let x40 := (uint64_t)(Z.ltz((uint64_t)x39, (uint64_t)x7)) (* : uint64_t *) in - let x41 := (uint64_t)((uint64_t)x38 + (uint64_t)x40) (* : uint64_t *) in - let x42 := (uint64_t)((uint64_t)x41 + (uint64_t)x20) (* : uint64_t *) in - let x43 := (uint64_t)((uint64_t)x35 + (uint64_t)x15) (* : uint64_t *) in - let x44 := (uint64_t)(Z.ltz((uint64_t)x43, (uint64_t)x35)) (* : uint64_t *) in - let x45 := (uint64_t)((uint64_t)x44 + (uint64_t)x39) (* : uint64_t *) in - let x46 := (uint64_t)(Z.ltz((uint64_t)x45, (uint64_t)x39)) (* : uint64_t *) in - let x47 := (uint64_t)((uint64_t)x45 + (uint64_t)x10) (* : uint64_t *) in - let x48 := (uint64_t)(Z.ltz((uint64_t)x47, (uint64_t)x10)) (* : uint64_t *) in - let x49 := (uint64_t)((uint64_t)x46 + (uint64_t)x48) (* : uint64_t *) in - let x50 := (uint64_t)((uint64_t)x49 + (uint64_t)x42) (* : uint64_t *) in - let x51 := (uint64_t)(Z.ltz((uint64_t)x50, (uint64_t)x42)) (* : uint64_t *) in - let x52 := (uint64_t)((uint64_t)x51 + (uint64_t)x12) (* : uint64_t *) in - let x53 := (uint64_t)((uint64_t)x32 + (uint64_t)x17) (* : uint64_t *) in - let x54 := (uint64_t)(Z.ltz((uint64_t)x53, (uint64_t)x32)) (* : uint64_t *) in - let x55 := (uint64_t)((uint64_t)x54 + (uint64_t)x43) (* : uint64_t *) in - let x56 := (uint64_t)(Z.ltz((uint64_t)x55, (uint64_t)x43)) (* : uint64_t *) in - let x57 := (uint64_t)((uint64_t)x55 + (uint64_t)x18) (* : uint64_t *) in - let x58 := (uint64_t)(Z.ltz((uint64_t)x57, (uint64_t)x18)) (* : uint64_t *) in - let x59 := (uint64_t)((uint64_t)x56 + (uint64_t)x58) (* : uint64_t *) in - let x60 := (uint64_t)((uint64_t)x59 + (uint64_t)x47) (* : uint64_t *) in - let x61 := (uint64_t)(Z.ltz((uint64_t)x60, (uint64_t)x47)) (* : uint64_t *) in - let x62 := (uint64_t)((uint64_t)x60 + (uint64_t)x13) (* : uint64_t *) in - let x63 := (uint64_t)(Z.ltz((uint64_t)x62, (uint64_t)x13)) (* : uint64_t *) in - let x64 := (uint64_t)((uint64_t)x61 + (uint64_t)x63) (* : uint64_t *) in - let x65 := 
(uint64_t)((uint64_t)x64 + (uint64_t)x50) (* : uint64_t *) in - let x66 := (uint64_t)(Z.ltz((uint64_t)x65, (uint64_t)x50)) (* : uint64_t *) in - let x67 := (uint64_t)((uint64_t)x65 + (uint64_t)x5) (* : uint64_t *) in - let x68 := (uint64_t)(Z.ltz((uint64_t)x67, (uint64_t)x5)) (* : uint64_t *) in - let x69 := (uint64_t)((uint64_t)x66 + (uint64_t)x68) (* : uint64_t *) in - let x70 := (uint64_t)((uint64_t)x69 + (uint64_t)x52) (* : uint64_t *) in - let x71 := (uint64_t)(Z.ltz((uint64_t)x70, (uint64_t)x52)) (* : uint64_t *) in - let x72 := (uint64_t)((uint64_t)x71 + (uint64_t)x4) (* : uint64_t *) in - let x73 := (uint64_t)((uint64_t)x53 + (uint64_t)x23) (* : uint64_t *) in - let x74 := (uint64_t)(Z.ltz((uint64_t)x73, (uint64_t)x53)) (* : uint64_t *) in - let x75 := (uint64_t)((uint64_t)x74 + (uint64_t)x57) (* : uint64_t *) in - let x76 := (uint64_t)(Z.ltz((uint64_t)x75, (uint64_t)x57)) (* : uint64_t *) in - let x77 := (uint64_t)((uint64_t)x75 + (uint64_t)x21) (* : uint64_t *) in - let x78 := (uint64_t)(Z.ltz((uint64_t)x77, (uint64_t)x21)) (* : uint64_t *) in - let x79 := (uint64_t)((uint64_t)x76 + (uint64_t)x78) (* : uint64_t *) in - let x80 := (uint64_t)((uint64_t)x79 + (uint64_t)x62) (* : uint64_t *) in - let x81 := (uint64_t)(Z.ltz((uint64_t)x80, (uint64_t)x62)) (* : uint64_t *) in - let x82 := (uint64_t)((uint64_t)x80 + (uint64_t)x16) (* : uint64_t *) in - let x83 := (uint64_t)(Z.ltz((uint64_t)x82, (uint64_t)x16)) (* : uint64_t *) in - let x84 := (uint64_t)((uint64_t)x81 + (uint64_t)x83) (* : uint64_t *) in - let x85 := (uint64_t)((uint64_t)x84 + (uint64_t)x67) (* : uint64_t *) in - let x86 := (uint64_t)(Z.ltz((uint64_t)x85, (uint64_t)x67)) (* : uint64_t *) in - let x87 := (uint64_t)((uint64_t)x85 + (uint64_t)x8) (* : uint64_t *) in - let x88 := (uint64_t)(Z.ltz((uint64_t)x87, (uint64_t)x8)) (* : uint64_t *) in - let x89 := (uint64_t)((uint64_t)x86 + (uint64_t)x88) (* : uint64_t *) in - let x90 := (uint64_t)((uint64_t)x89 + (uint64_t)x70) (* : uint64_t *) in - let 
x91 := (uint64_t)(Z.ltz((uint64_t)x90, (uint64_t)x70)) (* : uint64_t *) in - let x92 := (uint64_t)((uint64_t)x91 + (uint64_t)x72) (* : uint64_t *) in - let x93 := (uint64_t)((uint64_t)x34 + (uint64_t)x25) (* : uint64_t *) in - let x94 := (uint64_t)(Z.ltz((uint64_t)x93, (uint64_t)x34)) (* : uint64_t *) in - let x95 := (uint64_t)((uint64_t)x94 + (uint64_t)x73) (* : uint64_t *) in - let x96 := (uint64_t)(Z.ltz((uint64_t)x95, (uint64_t)x73)) (* : uint64_t *) in - let x97 := (uint64_t)((uint64_t)x95 + (uint64_t)x26) (* : uint64_t *) in - let x98 := (uint64_t)(Z.ltz((uint64_t)x97, (uint64_t)x26)) (* : uint64_t *) in - let x99 := (uint64_t)((uint64_t)x96 + (uint64_t)x98) (* : uint64_t *) in - let x100 := (uint64_t)((uint64_t)x99 + (uint64_t)x77) (* : uint64_t *) in - let x101 := (uint64_t)(Z.ltz((uint64_t)x100, (uint64_t)x77)) (* : uint64_t *) in - let x102 := (uint64_t)((uint64_t)x100 + (uint64_t)x24) (* : uint64_t *) in - let x103 := (uint64_t)(Z.ltz((uint64_t)x102, (uint64_t)x24)) (* : uint64_t *) in - let x104 := (uint64_t)((uint64_t)x101 + (uint64_t)x103) (* : uint64_t *) in - let x105 := (uint64_t)((uint64_t)x104 + (uint64_t)x82) (* : uint64_t *) in - let x106 := (uint64_t)(Z.ltz((uint64_t)x105, (uint64_t)x82)) (* : uint64_t *) in - let x107 := (uint64_t)((uint64_t)x105 + (uint64_t)x19) (* : uint64_t *) in - let x108 := (uint64_t)(Z.ltz((uint64_t)x107, (uint64_t)x19)) (* : uint64_t *) in - let x109 := (uint64_t)((uint64_t)x106 + (uint64_t)x108) (* : uint64_t *) in - let x110 := (uint64_t)((uint64_t)x109 + (uint64_t)x87) (* : uint64_t *) in - let x111 := (uint64_t)(Z.ltz((uint64_t)x110, (uint64_t)x87)) (* : uint64_t *) in - let x112 := (uint64_t)((uint64_t)x110 + (uint64_t)x11) (* : uint64_t *) in - let x113 := (uint64_t)(Z.ltz((uint64_t)x112, (uint64_t)x11)) (* : uint64_t *) in - let x114 := (uint64_t)((uint64_t)x111 + (uint64_t)x113) (* : uint64_t *) in - let x115 := (uint64_t)((uint64_t)x114 + (uint64_t)x90) (* : uint64_t *) in - let x116 := 
(uint64_t)(Z.ltz((uint64_t)x115, (uint64_t)x90)) (* : uint64_t *) in - let x117 := (uint64_t)((uint64_t)x115 + (uint64_t)x3) (* : uint64_t *) in - let x118 := (uint64_t)(Z.ltz((uint64_t)x117, (uint64_t)x3)) (* : uint64_t *) in - let x119 := (uint64_t)((uint64_t)x116 + (uint64_t)x118) (* : uint64_t *) in - let x120 := (uint64_t)((uint64_t)x119 + (uint64_t)x92) (* : uint64_t *) in - let x121 := (uint64_t)((uint64_t)x93 + (uint64_t)x31) (* : uint64_t *) in - let x122 := (uint64_t)(Z.ltz((uint64_t)x121, (uint64_t)x93)) (* : uint64_t *) in - let x123 := (uint64_t)((uint64_t)x122 + (uint64_t)x97) (* : uint64_t *) in - let x124 := (uint64_t)(Z.ltz((uint64_t)x123, (uint64_t)x97)) (* : uint64_t *) in - let x125 := (uint64_t)((uint64_t)x123 + (uint64_t)x29) (* : uint64_t *) in - let x126 := (uint64_t)(Z.ltz((uint64_t)x125, (uint64_t)x29)) (* : uint64_t *) in - let x127 := (uint64_t)((uint64_t)x124 + (uint64_t)x126) (* : uint64_t *) in - let x128 := (uint64_t)((uint64_t)x127 + (uint64_t)x102) (* : uint64_t *) in - let x129 := (uint64_t)(Z.ltz((uint64_t)x128, (uint64_t)x102)) (* : uint64_t *) in - let x130 := (uint64_t)((uint64_t)x128 + (uint64_t)x27) (* : uint64_t *) in - let x131 := (uint64_t)(Z.ltz((uint64_t)x130, (uint64_t)x27)) (* : uint64_t *) in - let x132 := (uint64_t)((uint64_t)x129 + (uint64_t)x131) (* : uint64_t *) in - let x133 := (uint64_t)((uint64_t)x132 + (uint64_t)x107) (* : uint64_t *) in - let x134 := (uint64_t)(Z.ltz((uint64_t)x133, (uint64_t)x107)) (* : uint64_t *) in - let x135 := (uint64_t)((uint64_t)x133 + (uint64_t)x22) (* : uint64_t *) in - let x136 := (uint64_t)(Z.ltz((uint64_t)x135, (uint64_t)x22)) (* : uint64_t *) in - let x137 := (uint64_t)((uint64_t)x134 + (uint64_t)x136) (* : uint64_t *) in - let x138 := (uint64_t)((uint64_t)x137 + (uint64_t)x112) (* : uint64_t *) in - let x139 := (uint64_t)(Z.ltz((uint64_t)x138, (uint64_t)x112)) (* : uint64_t *) in - let x140 := (uint64_t)((uint64_t)x138 + (uint64_t)x14) (* : uint64_t *) in - let x141 := 
(uint64_t)(Z.ltz((uint64_t)x140, (uint64_t)x14)) (* : uint64_t *) in - let x142 := (uint64_t)((uint64_t)x139 + (uint64_t)x141) (* : uint64_t *) in - let x143 := (uint64_t)((uint64_t)x142 + (uint64_t)x117) (* : uint64_t *) in - let x144 := (uint64_t)(Z.ltz((uint64_t)x143, (uint64_t)x117)) (* : uint64_t *) in - let x145 := (uint64_t)((uint64_t)x143 + (uint64_t)x6) (* : uint64_t *) in - let x146 := (uint64_t)(Z.ltz((uint64_t)x145, (uint64_t)x6)) (* : uint64_t *) in - let x147 := (uint64_t)((uint64_t)x144 + (uint64_t)x146) (* : uint64_t *) in - let x148 := (uint64_t)((uint64_t)x147 + (uint64_t)x120) (* : uint64_t *) in - let x149 := (uint64_t)(38 * (uint64_t)x145) (* : uint64_t *) in - let x150 := (uint64_t)(Z.mul_high((2^64), (38, (uint64_t)x145))) (* : uint64_t *) in - let x151 := (uint64_t)(38 * (uint64_t)x140) (* : uint64_t *) in - let x152 := (uint64_t)(Z.mul_high((2^64), (38, (uint64_t)x140))) (* : uint64_t *) in - let x153 := (uint64_t)(38 * (uint64_t)x135) (* : uint64_t *) in - let x154 := (uint64_t)(Z.mul_high((2^64), (38, (uint64_t)x135))) (* : uint64_t *) in - let x155 := (uint64_t)((uint64_t)x121 + (uint64_t)x151) (* : uint64_t *) in - let x156 := (uint64_t)(Z.ltz((uint64_t)x155, (uint64_t)x121)) (* : uint64_t *) in - let x157 := (uint64_t)((uint64_t)x156 + (uint64_t)x125) (* : uint64_t *) in - let x158 := (uint64_t)(Z.ltz((uint64_t)x157, (uint64_t)x125)) (* : uint64_t *) in - let x159 := (uint64_t)((uint64_t)x157 + (uint64_t)x149) (* : uint64_t *) in - let x160 := (uint64_t)(Z.ltz((uint64_t)x159, (uint64_t)x149)) (* : uint64_t *) in - let x161 := (uint64_t)((uint64_t)x158 + (uint64_t)x160) (* : uint64_t *) in - let x162 := (uint64_t)(38 * (uint64_t)x148) (* : uint64_t *) in - let x163 := (uint64_t)((uint64_t)x161 + (uint64_t)x130) (* : uint64_t *) in - let x164 := (uint64_t)(Z.ltz((uint64_t)x163, (uint64_t)x130)) (* : uint64_t *) in - let x165 := (uint64_t)((uint64_t)x163 + (uint64_t)x162) (* : uint64_t *) in - let x166 := (uint64_t)(Z.ltz((uint64_t)x165, 
(uint64_t)x162)) (* : uint64_t *) in - let x167 := (uint64_t)((uint64_t)x164 + (uint64_t)x166) (* : uint64_t *) in - let x168 := (uint64_t)(Z.mul_high((2^64), (38, (uint64_t)x148))) (* : uint64_t *) in - let x169 := (uint64_t)((uint64_t)x167 + (uint64_t)x168) (* : uint64_t *) in - let x170 := (uint64_t)((uint64_t)x33 + (uint64_t)x153) (* : uint64_t *) in - let x171 := (uint64_t)(Z.ltz((uint64_t)x170, (uint64_t)x33)) (* : uint64_t *) in - let x172 := (uint64_t)((uint64_t)x171 + (uint64_t)x155) (* : uint64_t *) in - let x173 := (uint64_t)(Z.ltz((uint64_t)x172, (uint64_t)x155)) (* : uint64_t *) in - let x174 := (uint64_t)((uint64_t)x172 + (uint64_t)x154) (* : uint64_t *) in - let x175 := (uint64_t)(Z.ltz((uint64_t)x174, (uint64_t)x154)) (* : uint64_t *) in - let x176 := (uint64_t)((uint64_t)x173 + (uint64_t)x175) (* : uint64_t *) in - let x177 := (uint64_t)((uint64_t)x176 + (uint64_t)x159) (* : uint64_t *) in - let x178 := (uint64_t)(Z.ltz((uint64_t)x177, (uint64_t)x159)) (* : uint64_t *) in - let x179 := (uint64_t)((uint64_t)x177 + (uint64_t)x152) (* : uint64_t *) in - let x180 := (uint64_t)(Z.ltz((uint64_t)x179, (uint64_t)x152)) (* : uint64_t *) in - let x181 := (uint64_t)((uint64_t)x178 + (uint64_t)x180) (* : uint64_t *) in - let x182 := (uint64_t)((uint64_t)x181 + (uint64_t)x165) (* : uint64_t *) in - let x183 := (uint64_t)(Z.ltz((uint64_t)x182, (uint64_t)x165)) (* : uint64_t *) in - let x184 := (uint64_t)((uint64_t)x182 + (uint64_t)x150) (* : uint64_t *) in - let x185 := (uint64_t)(Z.ltz((uint64_t)x184, (uint64_t)x150)) (* : uint64_t *) in - let x186 := (uint64_t)((uint64_t)x183 + (uint64_t)x185) (* : uint64_t *) in - let x187 := (uint64_t)((uint64_t)x186 + (uint64_t)x169) (* : uint64_t *) in - let x188 := (uint64_t, uint0_t)(Z.mul_split((2^64), (38, (uint64_t)x187))) (* : uint64_t, uint0_t *) in - let x189 := (uint64_t)((uint64_t)x170 + (uint64_t)(uint64_t, uint0_t)x188₁) (* : uint64_t *) in - let x190 := (uint64_t)(Z.ltz((uint64_t)x189, (uint64_t)x170)) (* : 
uint64_t *) in - let x191 := (uint64_t)((uint64_t)x190 + (uint64_t)x174) (* : uint64_t *) in - let x192 := (uint64_t)(Z.ltz((uint64_t)x191, (uint64_t)x174)) (* : uint64_t *) in - let x193 := (uint64_t)((uint64_t)x192 + (uint64_t)x179) (* : uint64_t *) in - let x194 := (uint64_t)(Z.ltz((uint64_t)x193, (uint64_t)x179)) (* : uint64_t *) in - let x195 := (uint64_t)((uint64_t)x194 + (uint64_t)x184) (* : uint64_t *) in - let x196 := (uint64_t)(Z.ltz((uint64_t)x195, (uint64_t)x184)) (* : uint64_t *) in - let x197 := (uint64_t, uint0_t)(Z.mul_split((2^64), (38, (uint64_t)x196))) (* : uint64_t, uint0_t *) in - let x198 := (uint64_t)((uint64_t)x189 + (uint64_t)(uint64_t, uint0_t)x197₁) (* : uint64_t *) in - let x199 := (uint64_t)(Z.ltz((uint64_t)x198, (uint64_t)x189)) (* : uint64_t *) in - let x200 := (uint64_t)((uint64_t)x199 + (uint64_t)x191) (* : uint64_t *) in - let x201 := (uint64_t)(Z.ltz((uint64_t)x200, (uint64_t)x191)) (* : uint64_t *) in - let x202 := (uint64_t)((uint64_t)x201 + (uint64_t)x193) (* : uint64_t *) in - let x203 := (uint64_t)(Z.ltz((uint64_t)x202, (uint64_t)x193)) (* : uint64_t *) in - let x204 := (uint64_t)((uint64_t)x203 + (uint64_t)x195) (* : uint64_t *) in - (uint64_t)x198 :: (uint64_t)x200 :: (uint64_t)x202 :: (uint64_t)x204 :: [] -) -Which with some casts elided is: -(λ x1 x2, - let x3 := x1[3] * x2[3] (* : uint64_t *) in - let x4 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[3]))) (* : uint64_t *) in - let x5 := x1[3] * x2[2] (* : uint64_t *) in - let x6 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[2]))) (* : uint64_t *) in - let x7 := x1[3] * x2[1] (* : uint64_t *) in - let x8 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[1]))) (* : uint64_t *) in - let x9 := x1[3] * x2[0] (* : uint64_t *) in - let x10 := Z.mul_high((2^64), ((uint64_t)(x1[3]), (uint64_t)(x2[0]))) (* : uint64_t *) in - let x11 := x1[2] * x2[3] (* : uint64_t *) in - let x12 := Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[3]))) (* : uint64_t 
*) in - let x13 := x1[2] * x2[2] (* : uint64_t *) in - let x14 := Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[2]))) (* : uint64_t *) in - let x15 := x1[2] * x2[1] (* : uint64_t *) in - let x16 := Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[1]))) (* : uint64_t *) in - let x17 := x1[2] * x2[0] (* : uint64_t *) in - let x18 := Z.mul_high((2^64), ((uint64_t)(x1[2]), (uint64_t)(x2[0]))) (* : uint64_t *) in - let x19 := x1[1] * x2[3] (* : uint64_t *) in - let x20 := Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[3]))) (* : uint64_t *) in - let x21 := x1[1] * x2[2] (* : uint64_t *) in - let x22 := Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[2]))) (* : uint64_t *) in - let x23 := x1[1] * x2[1] (* : uint64_t *) in - let x24 := Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[1]))) (* : uint64_t *) in - let x25 := x1[1] * x2[0] (* : uint64_t *) in - let x26 := Z.mul_high((2^64), ((uint64_t)(x1[1]), (uint64_t)(x2[0]))) (* : uint64_t *) in - let x27 := x1[0] * x2[3] (* : uint64_t *) in - let x28 := Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[3]))) (* : uint64_t *) in - let x29 := x1[0] * x2[2] (* : uint64_t *) in - let x30 := Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[2]))) (* : uint64_t *) in - let x31 := x1[0] * x2[1] (* : uint64_t *) in - let x32 := Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[1]))) (* : uint64_t *) in - let x33 := x1[0] * x2[0] (* : uint64_t *) in - let x34 := Z.mul_high((2^64), ((uint64_t)(x1[0]), (uint64_t)(x2[0]))) (* : uint64_t *) in - let x35 := x30 + x9 (* : uint64_t *) in - let x36 := Z.ltz((uint64_t)x35, (uint64_t)x30) (* : uint64_t *) in - let x37 := x36 + x28 (* : uint64_t *) in - let x38 := Z.ltz((uint64_t)x37, (uint64_t)x28) (* : uint64_t *) in - let x39 := x37 + x7 (* : uint64_t *) in - let x40 := Z.ltz((uint64_t)x39, (uint64_t)x7) (* : uint64_t *) in - let x41 := x38 + x40 (* : uint64_t *) in - let x42 := x41 + x20 (* : uint64_t *) in - let x43 := x35 + x15 (* : uint64_t *) in - 
let x44 := Z.ltz((uint64_t)x43, (uint64_t)x35) (* : uint64_t *) in - let x45 := x44 + x39 (* : uint64_t *) in - let x46 := Z.ltz((uint64_t)x45, (uint64_t)x39) (* : uint64_t *) in - let x47 := x45 + x10 (* : uint64_t *) in - let x48 := Z.ltz((uint64_t)x47, (uint64_t)x10) (* : uint64_t *) in - let x49 := x46 + x48 (* : uint64_t *) in - let x50 := x49 + x42 (* : uint64_t *) in - let x51 := Z.ltz((uint64_t)x50, (uint64_t)x42) (* : uint64_t *) in - let x52 := x51 + x12 (* : uint64_t *) in - let x53 := x32 + x17 (* : uint64_t *) in - let x54 := Z.ltz((uint64_t)x53, (uint64_t)x32) (* : uint64_t *) in - let x55 := x54 + x43 (* : uint64_t *) in - let x56 := Z.ltz((uint64_t)x55, (uint64_t)x43) (* : uint64_t *) in - let x57 := x55 + x18 (* : uint64_t *) in - let x58 := Z.ltz((uint64_t)x57, (uint64_t)x18) (* : uint64_t *) in - let x59 := x56 + x58 (* : uint64_t *) in - let x60 := x59 + x47 (* : uint64_t *) in - let x61 := Z.ltz((uint64_t)x60, (uint64_t)x47) (* : uint64_t *) in - let x62 := x60 + x13 (* : uint64_t *) in - let x63 := Z.ltz((uint64_t)x62, (uint64_t)x13) (* : uint64_t *) in - let x64 := x61 + x63 (* : uint64_t *) in - let x65 := x64 + x50 (* : uint64_t *) in - let x66 := Z.ltz((uint64_t)x65, (uint64_t)x50) (* : uint64_t *) in - let x67 := x65 + x5 (* : uint64_t *) in - let x68 := Z.ltz((uint64_t)x67, (uint64_t)x5) (* : uint64_t *) in - let x69 := x66 + x68 (* : uint64_t *) in - let x70 := x69 + x52 (* : uint64_t *) in - let x71 := Z.ltz((uint64_t)x70, (uint64_t)x52) (* : uint64_t *) in - let x72 := x71 + x4 (* : uint64_t *) in - let x73 := x53 + x23 (* : uint64_t *) in - let x74 := Z.ltz((uint64_t)x73, (uint64_t)x53) (* : uint64_t *) in - let x75 := x74 + x57 (* : uint64_t *) in - let x76 := Z.ltz((uint64_t)x75, (uint64_t)x57) (* : uint64_t *) in - let x77 := x75 + x21 (* : uint64_t *) in - let x78 := Z.ltz((uint64_t)x77, (uint64_t)x21) (* : uint64_t *) in - let x79 := x76 + x78 (* : uint64_t *) in - let x80 := x79 + x62 (* : uint64_t *) in - let x81 := 
Z.ltz((uint64_t)x80, (uint64_t)x62) (* : uint64_t *) in - let x82 := x80 + x16 (* : uint64_t *) in - let x83 := Z.ltz((uint64_t)x82, (uint64_t)x16) (* : uint64_t *) in - let x84 := x81 + x83 (* : uint64_t *) in - let x85 := x84 + x67 (* : uint64_t *) in - let x86 := Z.ltz((uint64_t)x85, (uint64_t)x67) (* : uint64_t *) in - let x87 := x85 + x8 (* : uint64_t *) in - let x88 := Z.ltz((uint64_t)x87, (uint64_t)x8) (* : uint64_t *) in - let x89 := x86 + x88 (* : uint64_t *) in - let x90 := x89 + x70 (* : uint64_t *) in - let x91 := Z.ltz((uint64_t)x90, (uint64_t)x70) (* : uint64_t *) in - let x92 := x91 + x72 (* : uint64_t *) in - let x93 := x34 + x25 (* : uint64_t *) in - let x94 := Z.ltz((uint64_t)x93, (uint64_t)x34) (* : uint64_t *) in - let x95 := x94 + x73 (* : uint64_t *) in - let x96 := Z.ltz((uint64_t)x95, (uint64_t)x73) (* : uint64_t *) in - let x97 := x95 + x26 (* : uint64_t *) in - let x98 := Z.ltz((uint64_t)x97, (uint64_t)x26) (* : uint64_t *) in - let x99 := x96 + x98 (* : uint64_t *) in - let x100 := x99 + x77 (* : uint64_t *) in - let x101 := Z.ltz((uint64_t)x100, (uint64_t)x77) (* : uint64_t *) in - let x102 := x100 + x24 (* : uint64_t *) in - let x103 := Z.ltz((uint64_t)x102, (uint64_t)x24) (* : uint64_t *) in - let x104 := x101 + x103 (* : uint64_t *) in - let x105 := x104 + x82 (* : uint64_t *) in - let x106 := Z.ltz((uint64_t)x105, (uint64_t)x82) (* : uint64_t *) in - let x107 := x105 + x19 (* : uint64_t *) in - let x108 := Z.ltz((uint64_t)x107, (uint64_t)x19) (* : uint64_t *) in - let x109 := x106 + x108 (* : uint64_t *) in - let x110 := x109 + x87 (* : uint64_t *) in - let x111 := Z.ltz((uint64_t)x110, (uint64_t)x87) (* : uint64_t *) in - let x112 := x110 + x11 (* : uint64_t *) in - let x113 := Z.ltz((uint64_t)x112, (uint64_t)x11) (* : uint64_t *) in - let x114 := x111 + x113 (* : uint64_t *) in - let x115 := x114 + x90 (* : uint64_t *) in - let x116 := Z.ltz((uint64_t)x115, (uint64_t)x90) (* : uint64_t *) in - let x117 := x115 + x3 (* : uint64_t *) 
in - let x118 := Z.ltz((uint64_t)x117, (uint64_t)x3) (* : uint64_t *) in - let x119 := x116 + x118 (* : uint64_t *) in - let x120 := x119 + x92 (* : uint64_t *) in - let x121 := x93 + x31 (* : uint64_t *) in - let x122 := Z.ltz((uint64_t)x121, (uint64_t)x93) (* : uint64_t *) in - let x123 := x122 + x97 (* : uint64_t *) in - let x124 := Z.ltz((uint64_t)x123, (uint64_t)x97) (* : uint64_t *) in - let x125 := x123 + x29 (* : uint64_t *) in - let x126 := Z.ltz((uint64_t)x125, (uint64_t)x29) (* : uint64_t *) in - let x127 := x124 + x126 (* : uint64_t *) in - let x128 := x127 + x102 (* : uint64_t *) in - let x129 := Z.ltz((uint64_t)x128, (uint64_t)x102) (* : uint64_t *) in - let x130 := x128 + x27 (* : uint64_t *) in - let x131 := Z.ltz((uint64_t)x130, (uint64_t)x27) (* : uint64_t *) in - let x132 := x129 + x131 (* : uint64_t *) in - let x133 := x132 + x107 (* : uint64_t *) in - let x134 := Z.ltz((uint64_t)x133, (uint64_t)x107) (* : uint64_t *) in - let x135 := x133 + x22 (* : uint64_t *) in - let x136 := Z.ltz((uint64_t)x135, (uint64_t)x22) (* : uint64_t *) in - let x137 := x134 + x136 (* : uint64_t *) in - let x138 := x137 + x112 (* : uint64_t *) in - let x139 := Z.ltz((uint64_t)x138, (uint64_t)x112) (* : uint64_t *) in - let x140 := x138 + x14 (* : uint64_t *) in - let x141 := Z.ltz((uint64_t)x140, (uint64_t)x14) (* : uint64_t *) in - let x142 := x139 + x141 (* : uint64_t *) in - let x143 := x142 + x117 (* : uint64_t *) in - let x144 := Z.ltz((uint64_t)x143, (uint64_t)x117) (* : uint64_t *) in - let x145 := x143 + x6 (* : uint64_t *) in - let x146 := Z.ltz((uint64_t)x145, (uint64_t)x6) (* : uint64_t *) in - let x147 := x144 + x146 (* : uint64_t *) in - let x148 := x147 + x120 (* : uint64_t *) in - let x149 := 38 * x145 (* : uint64_t *) in - let x150 := Z.mul_high((2^64), (38, (uint64_t)x145)) (* : uint64_t *) in - let x151 := 38 * x140 (* : uint64_t *) in - let x152 := Z.mul_high((2^64), (38, (uint64_t)x140)) (* : uint64_t *) in - let x153 := 38 * x135 (* : uint64_t *) 
in - let x154 := Z.mul_high((2^64), (38, (uint64_t)x135)) (* : uint64_t *) in - let x155 := x121 + x151 (* : uint64_t *) in - let x156 := Z.ltz((uint64_t)x155, (uint64_t)x121) (* : uint64_t *) in - let x157 := x156 + x125 (* : uint64_t *) in - let x158 := Z.ltz((uint64_t)x157, (uint64_t)x125) (* : uint64_t *) in - let x159 := x157 + x149 (* : uint64_t *) in - let x160 := Z.ltz((uint64_t)x159, (uint64_t)x149) (* : uint64_t *) in - let x161 := x158 + x160 (* : uint64_t *) in - let x162 := 38 * x148 (* : uint64_t *) in - let x163 := x161 + x130 (* : uint64_t *) in - let x164 := Z.ltz((uint64_t)x163, (uint64_t)x130) (* : uint64_t *) in - let x165 := x163 + x162 (* : uint64_t *) in - let x166 := Z.ltz((uint64_t)x165, (uint64_t)x162) (* : uint64_t *) in - let x167 := x164 + x166 (* : uint64_t *) in - let x168 := Z.mul_high((2^64), (38, (uint64_t)x148)) (* : uint64_t *) in - let x169 := x167 + x168 (* : uint64_t *) in - let x170 := x33 + x153 (* : uint64_t *) in - let x171 := Z.ltz((uint64_t)x170, (uint64_t)x33) (* : uint64_t *) in - let x172 := x171 + x155 (* : uint64_t *) in - let x173 := Z.ltz((uint64_t)x172, (uint64_t)x155) (* : uint64_t *) in - let x174 := x172 + x154 (* : uint64_t *) in - let x175 := Z.ltz((uint64_t)x174, (uint64_t)x154) (* : uint64_t *) in - let x176 := x173 + x175 (* : uint64_t *) in - let x177 := x176 + x159 (* : uint64_t *) in - let x178 := Z.ltz((uint64_t)x177, (uint64_t)x159) (* : uint64_t *) in - let x179 := x177 + x152 (* : uint64_t *) in - let x180 := Z.ltz((uint64_t)x179, (uint64_t)x152) (* : uint64_t *) in - let x181 := x178 + x180 (* : uint64_t *) in - let x182 := x181 + x165 (* : uint64_t *) in - let x183 := Z.ltz((uint64_t)x182, (uint64_t)x165) (* : uint64_t *) in - let x184 := x182 + x150 (* : uint64_t *) in - let x185 := Z.ltz((uint64_t)x184, (uint64_t)x150) (* : uint64_t *) in - let x186 := x183 + x185 (* : uint64_t *) in - let x187 := x186 + x169 (* : uint64_t *) in - let x188 := Z.mul_split((2^64), (38, (uint64_t)x187)) (* : 
uint64_t, uint0_t *) in - let x189 := x170 + x188₁ (* : uint64_t *) in - let x190 := Z.ltz((uint64_t)x189, (uint64_t)x170) (* : uint64_t *) in - let x191 := x190 + x174 (* : uint64_t *) in - let x192 := Z.ltz((uint64_t)x191, (uint64_t)x174) (* : uint64_t *) in - let x193 := x192 + x179 (* : uint64_t *) in - let x194 := Z.ltz((uint64_t)x193, (uint64_t)x179) (* : uint64_t *) in - let x195 := x194 + x184 (* : uint64_t *) in - let x196 := Z.ltz((uint64_t)x195, (uint64_t)x184) (* : uint64_t *) in - let x197 := Z.mul_split((2^64), (38, (uint64_t)x196)) (* : uint64_t, uint0_t *) in - let x198 := x189 + x197₁ (* : uint64_t *) in - let x199 := Z.ltz((uint64_t)x198, (uint64_t)x189) (* : uint64_t *) in - let x200 := x199 + x191 (* : uint64_t *) in - let x201 := Z.ltz((uint64_t)x200, (uint64_t)x191) (* : uint64_t *) in - let x202 := x201 + x193 (* : uint64_t *) in - let x203 := Z.ltz((uint64_t)x202, (uint64_t)x193) (* : uint64_t *) in - let x204 := x203 + x195 (* : uint64_t *) in - x198 :: x200 :: x202 :: x204 :: [] -) -ERROR-CONTAINING OUTPUT: -/* - * Input Bounds: - * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * in1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -void internal_fiat_curve25519_solinas_mulmod(uintptr_t out0, uintptr_t in0, uintptr_t in1) { - uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x14, x35, x41, x33, x42, x12, x43, x45, x46, x25, x20, x40, x49, x44, x50, x15, x51, x53, x54, x47, x56, x17, x22, x37, x59, x48, x60, x23, x61, x63, x64, x52, x65, x18, x66, x68, x69, x55, x70, x10, x71, x73, x74, x57, x76, x9, x28, x58, x79, x62, x80, x26, x81, x83, x84, x67, x85, x21, x86, x88, x89, x72, x90, x13, x91, x93, x94, x75, x96, x77, x30, x39, x99, x78, x100, x31, x101, 
x103, x104, x82, x105, x29, x106, x108, x109, x87, x110, x24, x111, x113, x114, x92, x115, x16, x116, x118, x119, x95, x120, x8, x121, x123, x124, x97, x36, x98, x127, x102, x128, x34, x129, x131, x132, x107, x133, x32, x134, x136, x137, x112, x138, x27, x139, x141, x142, x117, x143, x19, x144, x146, x147, x122, x148, x11, x149, x151, x152, x125, x150, x145, x140, x156, x126, x161, x130, x162, x154, x163, x165, x166, x135, x168, x167, x169, x171, x153, x172, x173, x158, x38, x176, x160, x177, x159, x178, x180, x181, x164, x182, x157, x183, x185, x186, x170, x187, x155, x188, x190, x192, x191, x174, x193, x194, x175, x196, x179, x198, x184, x200, x202, x189, x203, x204, ERROR, x195, x206, x197, x208, x199, x210, x201, x205, x207, x209, x211, x212, x213, x214, x215; - x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); - x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x3 = _br2_load((in0)+((uintptr_t)24ULL), sizeof(uintptr_t)); - /*skip*/ - x4 = _br2_load((in1)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x5 = _br2_load((in1)+((uintptr_t)8ULL), sizeof(uintptr_t)); - x6 = _br2_load((in1)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x7 = _br2_load((in1)+((uintptr_t)24ULL), sizeof(uintptr_t)); - /*skip*/ - /*skip*/ - x8 = (x3)*(x7); - x9 = _br2_mulhuu((x3), (x7)); - x10 = (x3)*(x6); - x11 = _br2_mulhuu((x3), (x6)); - x12 = (x3)*(x5); - x13 = _br2_mulhuu((x3), (x5)); - x14 = (x3)*(x4); - x15 = _br2_mulhuu((x3), (x4)); - x16 = (x2)*(x7); - x17 = _br2_mulhuu((x2), (x7)); - x18 = (x2)*(x6); - x19 = _br2_mulhuu((x2), (x6)); - x20 = (x2)*(x5); - x21 = _br2_mulhuu((x2), (x5)); - x22 = (x2)*(x4); - x23 = _br2_mulhuu((x2), (x4)); - x24 = (x1)*(x7); - x25 = _br2_mulhuu((x1), (x7)); - x26 = (x1)*(x6); - x27 = _br2_mulhuu((x1), (x6)); - x28 = (x1)*(x5); - x29 = _br2_mulhuu((x1), (x5)); - x30 = (x1)*(x4); - x31 = _br2_mulhuu((x1), (x4)); - x32 = (x0)*(x7); - x33 = _br2_mulhuu((x0), (x7)); - x34 = 
(x0)*(x6); - x35 = _br2_mulhuu((x0), (x6)); - x36 = (x0)*(x5); - x37 = _br2_mulhuu((x0), (x5)); - x38 = (x0)*(x4); - x39 = _br2_mulhuu((x0), (x4)); - x40 = (x35)+(x14); - x41 = (uintptr_t)((x40)<(x35)); - x42 = (x41)+(x33); - x43 = (uintptr_t)((x42)<(x33)); - x44 = (x42)+(x12); - x45 = (uintptr_t)((x44)<(x12)); - x46 = (x43)+(x45); - x47 = (x46)+(x25); - x48 = (x40)+(x20); - x49 = (uintptr_t)((x48)<(x40)); - x50 = (x49)+(x44); - x51 = (uintptr_t)((x50)<(x44)); - x52 = (x50)+(x15); - x53 = (uintptr_t)((x52)<(x15)); - x54 = (x51)+(x53); - x55 = (x54)+(x47); - x56 = (uintptr_t)((x55)<(x47)); - x57 = (x56)+(x17); - x58 = (x37)+(x22); - x59 = (uintptr_t)((x58)<(x37)); - x60 = (x59)+(x48); - x61 = (uintptr_t)((x60)<(x48)); - x62 = (x60)+(x23); - x63 = (uintptr_t)((x62)<(x23)); - x64 = (x61)+(x63); - x65 = (x64)+(x52); - x66 = (uintptr_t)((x65)<(x52)); - x67 = (x65)+(x18); - x68 = (uintptr_t)((x67)<(x18)); - x69 = (x66)+(x68); - x70 = (x69)+(x55); - x71 = (uintptr_t)((x70)<(x55)); - x72 = (x70)+(x10); - x73 = (uintptr_t)((x72)<(x10)); - x74 = (x71)+(x73); - x75 = (x74)+(x57); - x76 = (uintptr_t)((x75)<(x57)); - x77 = (x76)+(x9); - x78 = (x58)+(x28); - x79 = (uintptr_t)((x78)<(x58)); - x80 = (x79)+(x62); - x81 = (uintptr_t)((x80)<(x62)); - x82 = (x80)+(x26); - x83 = (uintptr_t)((x82)<(x26)); - x84 = (x81)+(x83); - x85 = (x84)+(x67); - x86 = (uintptr_t)((x85)<(x67)); - x87 = (x85)+(x21); - x88 = (uintptr_t)((x87)<(x21)); - x89 = (x86)+(x88); - x90 = (x89)+(x72); - x91 = (uintptr_t)((x90)<(x72)); - x92 = (x90)+(x13); - x93 = (uintptr_t)((x92)<(x13)); - x94 = (x91)+(x93); - x95 = (x94)+(x75); - x96 = (uintptr_t)((x95)<(x75)); - x97 = (x96)+(x77); - x98 = (x39)+(x30); - x99 = (uintptr_t)((x98)<(x39)); - x100 = (x99)+(x78); - x101 = (uintptr_t)((x100)<(x78)); - x102 = (x100)+(x31); - x103 = (uintptr_t)((x102)<(x31)); - x104 = (x101)+(x103); - x105 = (x104)+(x82); - x106 = (uintptr_t)((x105)<(x82)); - x107 = (x105)+(x29); - x108 = (uintptr_t)((x107)<(x29)); - x109 = 
(x106)+(x108); - x110 = (x109)+(x87); - x111 = (uintptr_t)((x110)<(x87)); - x112 = (x110)+(x24); - x113 = (uintptr_t)((x112)<(x24)); - x114 = (x111)+(x113); - x115 = (x114)+(x92); - x116 = (uintptr_t)((x115)<(x92)); - x117 = (x115)+(x16); - x118 = (uintptr_t)((x117)<(x16)); - x119 = (x116)+(x118); - x120 = (x119)+(x95); - x121 = (uintptr_t)((x120)<(x95)); - x122 = (x120)+(x8); - x123 = (uintptr_t)((x122)<(x8)); - x124 = (x121)+(x123); - x125 = (x124)+(x97); - x126 = (x98)+(x36); - x127 = (uintptr_t)((x126)<(x98)); - x128 = (x127)+(x102); - x129 = (uintptr_t)((x128)<(x102)); - x130 = (x128)+(x34); - x131 = (uintptr_t)((x130)<(x34)); - x132 = (x129)+(x131); - x133 = (x132)+(x107); - x134 = (uintptr_t)((x133)<(x107)); - x135 = (x133)+(x32); - x136 = (uintptr_t)((x135)<(x32)); - x137 = (x134)+(x136); - x138 = (x137)+(x112); - x139 = (uintptr_t)((x138)<(x112)); - x140 = (x138)+(x27); - x141 = (uintptr_t)((x140)<(x27)); - x142 = (x139)+(x141); - x143 = (x142)+(x117); - x144 = (uintptr_t)((x143)<(x117)); - x145 = (x143)+(x19); - x146 = (uintptr_t)((x145)<(x19)); - x147 = (x144)+(x146); - x148 = (x147)+(x122); - x149 = (uintptr_t)((x148)<(x122)); - x150 = (x148)+(x11); - x151 = (uintptr_t)((x150)<(x11)); - x152 = (x149)+(x151); - x153 = (x152)+(x125); - x154 = ((uintptr_t)38ULL)*(x150); - x155 = _br2_mulhuu(((uintptr_t)38ULL), (x150)); - x156 = ((uintptr_t)38ULL)*(x145); - x157 = _br2_mulhuu(((uintptr_t)38ULL), (x145)); - x158 = ((uintptr_t)38ULL)*(x140); - x159 = _br2_mulhuu(((uintptr_t)38ULL), (x140)); - x160 = (x126)+(x156); - x161 = (uintptr_t)((x160)<(x126)); - x162 = (x161)+(x130); - x163 = (uintptr_t)((x162)<(x130)); - x164 = (x162)+(x154); - x165 = (uintptr_t)((x164)<(x154)); - x166 = (x163)+(x165); - x167 = ((uintptr_t)38ULL)*(x153); - x168 = (x166)+(x135); - x169 = (uintptr_t)((x168)<(x135)); - x170 = (x168)+(x167); - x171 = (uintptr_t)((x170)<(x167)); - x172 = (x169)+(x171); - x173 = _br2_mulhuu(((uintptr_t)38ULL), (x153)); - x174 = (x172)+(x173); - x175 = 
(x38)+(x158); - x176 = (uintptr_t)((x175)<(x38)); - x177 = (x176)+(x160); - x178 = (uintptr_t)((x177)<(x160)); - x179 = (x177)+(x159); - x180 = (uintptr_t)((x179)<(x159)); - x181 = (x178)+(x180); - x182 = (x181)+(x164); - x183 = (uintptr_t)((x182)<(x164)); - x184 = (x182)+(x157); - x185 = (uintptr_t)((x184)<(x157)); - x186 = (x183)+(x185); - x187 = (x186)+(x170); - x188 = (uintptr_t)((x187)<(x170)); - x189 = (x187)+(x155); - x190 = (uintptr_t)((x189)<(x155)); - x191 = (x188)+(x190); - x192 = (x191)+(x174); - x193 = ERROR; - x194 = ERROR; - x195 = (x175)+(ERROR); - x196 = (uintptr_t)((x195)<(x175)); - x197 = (x196)+(x179); - x198 = (uintptr_t)((x197)<(x179)); - x199 = (x198)+(x184); - x200 = (uintptr_t)((x199)<(x184)); - x201 = (x200)+(x189); - x202 = (uintptr_t)((x201)<(x189)); - x203 = ERROR; - x204 = ERROR; - x205 = (x195)+(ERROR); - x206 = (uintptr_t)((x205)<(x195)); - x207 = (x206)+(x197); - x208 = (uintptr_t)((x207)<(x197)); - x209 = (x208)+(x199); - x210 = (uintptr_t)((x209)<(x199)); - x211 = (x210)+(x201); - x212 = x205; - x213 = x207; - x214 = x209; - x215 = x211; - /*skip*/ - _br2_store((out0)+((uintptr_t)0ULL), x212, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)8ULL), x213, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)16ULL), x214, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)24ULL), x215, sizeof(uintptr_t)); - /*skip*/ - return; -} - -Error occured during translation to bedrock2. This is likely because a part of the input expression either had unsupported integer types (bedrock2 requires that all integers have the same size) or contained an unsupported operation. From c61d0a3191acf25b505bb53ee55343be82f04760 Mon Sep 17 00:00:00 2001 
From: Samuel Tian Date: Tue, 18 Oct 2022 00:49:12 -0400 Subject: [PATCH 52/69] clean up, still need to fix bedrock issues --- Makefile.config | 2 +- Makefile.examples | 4 +- fiat-c/src/curve25519_solinas_64.c | 8 +- .../64/curve25519solinas/curve25519solinas.go | 8 +- fiat-json/src/curve25519_solinas_64.json | 2 +- fiat-rust/src/curve25519_solinas_64.rs | 8 +- fiat-zig/src/curve25519_solinas_64.zig | 8 +- src/Arithmetic/SolinasReduction.v | 151 +---- src/COperationSpecifications.v | 8 +- .../bedrock2_solinas_reduction.v | 3 +- .../with_bedrock2_solinas_reduction.v | 3 +- .../with_bedrock2_solinas_reduction.v | 2 +- src/PushButtonSynthesis/SolinasReduction.v | 30 +- .../SolinasReductionReificationCache.v | 163 +----- src/SlowPrimeSynthesisExamplesCopy.v | 526 ------------------ src/StandaloneOCamlMain.v | 1 - 16 files changed, 52 insertions(+), 875 deletions(-) delete mode 100644 src/SlowPrimeSynthesisExamplesCopy.v diff --git a/Makefile.config b/Makefile.config index 2fc1fb421f..fec9c14604 100644 --- a/Makefile.config +++ b/Makefile.config @@ -50,7 +50,7 @@ else if_SKIP_BEDROCK2 = $(1) endif -BASE_STANDALONE := unsaturated_solinas saturated_solinas solinas_reduction word_by_word_montgomery base_conversion +BASE_STANDALONE := unsaturated_solinas saturated_solinas word_by_word_montgomery base_conversion solinas_reduction BEDROCK2_STANDALONE := $(addprefix bedrock2_,$(BASE_STANDALONE)) $(addprefix with_bedrock2_,$(BASE_STANDALONE)) STANDALONE := $(BASE_STANDALONE) $(call if_SKIP_BEDROCK2,,$(BEDROCK2_STANDALONE) $(WITH_BEDROCK2_STANDALONE)) PERF_STANDALONE := perf_unsaturated_solinas perf_word_by_word_montgomery diff --git a/Makefile.examples b/Makefile.examples index 9bbee201c7..a9431b725a 100644 --- a/Makefile.examples +++ b/Makefile.examples 
@@ -87,7 +87,7 @@ endef UNSATURATED_SOLINAS_FUNCTIONS := carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax FUNCTIONS_FOR_25519 := $(UNSATURATED_SOLINAS_FUNCTIONS) carry_scmul121666 WORD_BY_WORD_MONTGOMERY_FUNCTIONS := mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp -SOLINAS_REDUCTION_FUNCTIONS := mulmod +SOLINAS_REDUCTION_FUNCTIONS := mul UNSATURATED_SOLINAS := src/ExtractionOCaml/unsaturated_solinas WORD_BY_WORD_MONTGOMERY := src/ExtractionOCaml/word_by_word_montgomery SOLINAS_REDUCTION := src/ExtractionOCaml/solinas_reduction @@ -364,7 +364,7 @@ test-amd64-files-status only-test-amd64-files-status test-amd64-files-lite-statu .PHONY: test-amd64-files-status only-test-amd64-files-status test-amd64-files-lite-status only-test-amd64-files-lite-status -test-amd64-files test-amd64-files-lite: $(UNSATURATED_SOLINAS) $(WORD_BY_WORD_MONTGOMERY) +test-amd64-files test-amd64-files-lite: $(UNSATURATED_SOLINAS) $(WORD_BY_WORD_MONTGOMERY) $(SOLINAS_REDUCTION) test-amd64-files: test-amd64-files-print-report test-amd64-files-status diff --git a/fiat-c/src/curve25519_solinas_64.c b/fiat-c/src/curve25519_solinas_64.c index b1bef4523a..74d77e0ca7 100644 --- a/fiat-c/src/curve25519_solinas_64.c +++ b/fiat-c/src/curve25519_solinas_64.c @@ -1,7 +1,7 @@ -/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mulmod */ +/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mul */ /* curve description: curve25519_solinas */ /* machine_wordsize = 64 (from "64") */ -/* requested operations: mulmod */ +/* requested operations: mul */ /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* */ /* Computed values: */ 
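Review bot: `$(SOLINAS_REDUCTION)` is added to the prerequisites of `test-amd64-files` and `test-amd64-files-lite` in the second hunk, but the recipe and the list of amd64 status files those targets iterate over lie outside the hunk; if they are not also extended to cover the solinas_reduction outputs (now built for the renamed `mul` operation from the first hunk), the new prerequisite only forces the binary to build without running the assembly comparison on it. Worth confirming against the rest of Makefile.examples before merging.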
@@ -104,7 +104,7 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mulx_u64
 }
 
 /*
- * The function fiat_curve25519_solinas_mulmod multiplies two field elements.
+ * The function fiat_curve25519_solinas_mul multiplies two field elements.
 *
 * Postconditions:
 * evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949
@@ -115,7 +115,7 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mulx_u64
 * Output Bounds:
 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
 */
-static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mulmod(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) {
+static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) {
 uint64_t x1;
 uint64_t x2;
 uint64_t x3;
diff --git a/fiat-go/64/curve25519solinas/curve25519solinas.go b/fiat-go/64/curve25519solinas/curve25519solinas.go
index 279f12b385..4afd90445d 100644
--- a/fiat-go/64/curve25519solinas/curve25519solinas.go
+++ b/fiat-go/64/curve25519solinas/curve25519solinas.go
@@ -1,12 +1,12 @@
 // Code generated by Fiat Cryptography. DO NOT EDIT.
 //
-// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mulmod
+// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mul
 //
 // curve description (via package name): curve25519solinas
 //
 // machine_wordsize = 64 (from "64")
 //
-// requested operations: mulmod
+// requested operations: mul
 //
 // s-c = 2^255 - [(1, 19)] (from "2^255 - 19")
 //
@@ -22,7 +22,7 @@ import "math/bits"
 type uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927
 type int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927
 
-// Mulmod multiplies two field elements.
+// Mul multiplies two field elements.
 //
 // Postconditions:
 // evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949
@@ -32,7 +32,7 @@ type int1 int64 // We use uint64 instead of a more narrow type for performance r
 // arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
 // Output Bounds:
 // out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
-func Mulmod(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) {
+func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) {
 var x1 uint64
 var x2 uint64
 x2, x1 = bits.Mul64(arg1[3], arg2[3])
diff --git a/fiat-json/src/curve25519_solinas_64.json b/fiat-json/src/curve25519_solinas_64.json
index c81d5a3787..0c0e4c1b8b 100644
--- a/fiat-json/src/curve25519_solinas_64.json
+++ b/fiat-json/src/curve25519_solinas_64.json
@@ -476,7 +476,7 @@
 ]
 },
 {
-"operation": "fiat_curve25519_solinas_mulmod",
+"operation": "fiat_curve25519_solinas_mul",
 "arguments": [
 {
 "datatype": "u64[4]",
diff --git a/fiat-rust/src/curve25519_solinas_64.rs b/fiat-rust/src/curve25519_solinas_64.rs
index a9f3c32435..959c1da06b 100644
--- a/fiat-rust/src/curve25519_solinas_64.rs
+++ b/fiat-rust/src/curve25519_solinas_64.rs
@@ -1,7 +1,7 @@
-//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mulmod
+//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mul
 //! curve description: curve25519_solinas
 //! machine_wordsize = 64 (from "64")
-//! requested operations: mulmod
+//! requested operations: mul
 //! s-c = 2^255 - [(1, 19)] (from "2^255 - 19")
 //!
 //! Computed values:
@@ -81,7 +81,7 @@ pub fn fiat_curve25519_solinas_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u6
 *out2 = x3;
 }
 
-/// The function fiat_curve25519_solinas_mulmod multiplies two field elements.
+/// The function fiat_curve25519_solinas_mul multiplies two field elements.
 ///
 /// Postconditions:
 /// evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949
@@ -92,7 +92,7 @@ pub fn fiat_curve25519_solinas_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u6
 /// Output Bounds:
 /// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
 #[inline]
-pub fn fiat_curve25519_solinas_mulmod(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> () {
+pub fn fiat_curve25519_solinas_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> () {
 let mut x1: u64 = 0;
 let mut x2: u64 = 0;
 fiat_curve25519_solinas_mulx_u64(&mut x1, &mut x2, (arg1[3]), (arg2[3]));
diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig
index 9b2739dd22..b2486b4e65 100644
--- a/fiat-zig/src/curve25519_solinas_64.zig
+++ b/fiat-zig/src/curve25519_solinas_64.zig
@@ -1,7 +1,7 @@ -// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mulmod +// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mul // curve description (via package name): curve25519_solinas // machine_wordsize = 64 (from "64") -// requested operations: mulmod +// requested operations: mul // s-c = 2^255 - [(1, 19)] (from "2^255 - 19") // // Computed values: @@ -92,7 +92,7 @@ inline fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) void { out2.* = x3; } -/// The function mulmod multiplies two field elements. +/// The function mul multiplies two field elements. /// /// Postconditions: /// evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 @@ -102,7 +102,7 @@ inline fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) void { /// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] /// Output Bounds: /// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -pub fn mulmod(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { +pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { @setRuntimeSafety(mode == .Debug); var x1: u64 = undefined; diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index e4c3aaa2ca..8f6bdf5891 100644 --- a/src/Arithmetic/SolinasReduction.v 
+++ b/src/Arithmetic/SolinasReduction.v @@ -10,15 +10,9 @@ Require Import Crypto.Arithmetic.ModOps. Require Import Crypto.Arithmetic.Partition. Require Import Crypto.Arithmetic.UniformWeight. Require Import Crypto.Arithmetic.Saturated. -Require Import Crypto.Util.ListUtil.StdlibCompat. -(* -Require Crypto.Stringification.C. -Require Crypto.Stringification.Go. -Require Crypto.Stringification.Java. -Require Import Crypto.BoundsPipeline. - *) Require Coq.btauto.Btauto. Require Coq.Structures.OrdersEx. +Require Import Crypto.Util.ListUtil.StdlibCompat. Require Import Crypto.Util.ZUtil.ModInv. Require Import Coq.micromega.Lia. @@ -50,14 +44,6 @@ Local Open Scope string_scope. Local Open Scope list_scope. Import ListNotations. Local Open Scope Z_scope. -(* -Import - AbstractInterpretation.Compilers - Language.Compilers - Language.API.Compilers. - -Import Language.API.Compilers.API. -*) Import Associational Positional. Local Coercion Z.of_nat : nat >-> Z. 
@@ -1869,139 +1855,4 @@ Module SolinasReduction. End __. - (* Strategy -500 [Crypto.Arithmetic.Core.Positional.add_to_nth *) - (* Coq.Init.Datatypes.andb *) - (* Coq.ZArith.BinInt.Z.to_int *) - (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.dual_map *) - (* Coq.PArith.BinPos.Pos.to_uint *) - (* Coq.Init.Decimal.revapp *) - (* Coq.Init.Datatypes.nat_rect *) - (* Crypto.Arithmetic.Saturated.Rows.max_column_size *) - (* Crypto.Arithmetic.Saturated.Rows.sum_rows' *) - (* Crypto.Arithmetic.Core.Associational.split *) - (* Coq.PArith.BinPos.Pos.to_little_uint *) - (* Coq.Init.Nat.to_uint *) - (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.mulmod *) - (* Crypto.Arithmetic.ModOps.weight *) - (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.sat_reduce *) - (* Coq.Lists.List.tl *) - (* Crypto.Arithmetic.Saturated.Rows.adjust_s *) - (* Crypto.Arithmetic.Core.Positional.to_associational *) - (* Coq.Init.Nat.to_little_uint *) - (* Crypto.Arithmetic.Saturated.Columns.cons_to_nth *) - (* Crypto.Arithmetic.Saturated.Rows.extract_row *) - (* Crypto.Arithmetic.Saturated.Rows.from_columns *) - (* Crypto.Arithmetic.Saturated.Associational.sat_multerm_const *) - (* Coq.Init.Decimal.rev *) - (* Crypto.Arithmetic.Saturated.Associational.sat_mul *) - (* Crypto.Arithmetic.Saturated.Rows.from_columns' *) - (* Crypto.Arithmetic.Core.Positional.place *) - (* Crypto.Arithmetic.Core.Positional.zeros *) - (* Crypto.Arithmetic.Saturated.Rows.flatten' *) - (* Crypto.Arithmetic.Saturated.Rows.sum_rows *) - (* Crypto.Arithmetic.Saturated.Associational.sat_mul_const *) - (* Coq.Lists.List.hd *) - (* Crypto.Arithmetic.Saturated.Associational.sat_multerm *) - (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by *) - (* Crypto.Arithmetic.Saturated.Columns.nils *) - (* Coq.Init.Decimal.Little.succ *) - (* Crypto.Arithmetic.UniformWeight.uweight *) - (* Crypto.Arithmetic.Saturated.Rows.flatten *) - (* (* Rewriter.Util.LetIn.Let_In *) *) - (* 
Crypto.Arithmetic.Saturated.Rows.from_associational *) - (* Crypto.Arithmetic.SolinasReduction.SolinasReduction.fold_andb_map' *) - (* Crypto.Arithmetic.Saturated.Columns.from_associational *) - (* Coq.Init.Decimal.Little.double]. *) - - - (* Section compile. *) - - (* Let s := 2^255. *) - (* Let c := [(1, 19)]. *) - (* Let machine_wordsize := 64. *) - (* Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). *) - (* Let m : nat := 2 * n. *) - (* Let w : nat -> Z := weight machine_wordsize 1. *) - (* Let base : Z := 2 ^ machine_wordsize. *) - - (* Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. *) - (* Let boundsn : list (ZRange.type.option.interp base.type.Z) *) - (* := repeat bound (n). *) - - (* Import Stringification.C.Compilers. *) - (* Import Stringification.C.Compilers.ToString. *) - - (* Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. *) - (* Local Instance : only_signed_opt := false. *) - (* Local Instance : no_select_opt := false. *) - (* Local Instance : static_opt := true. *) - (* Local Instance : internal_static_opt := true. *) - (* Local Instance : inline_opt := true. *) - (* Local Instance : inline_internal_opt := true. *) - (* Local Instance : use_mul_for_cmovznz_opt := false. *) - (* Local Instance : emit_primitives_opt := true. *) - (* Local Instance : should_split_mul_opt := false. *) - (* Local Instance : should_split_multiret_opt := false. *) - (* Local Instance : widen_carry_opt := false. *) - (* Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) *) - - (* Let possible_values := prefix_with_carry [machine_wordsize]. *) - (* Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) *) - (* Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. 
*) - (* Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. *) - (* Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. *) - - (* Local Existing Instance default_low_level_rewriter_method. *) - (* Local Existing Instance AbstractInterpretation.default_Options. *) - (* Local Instance : unfold_value_barrier_opt := true. *) - (* Local Instance : assembly_hints_lines_opt := []. *) - (* Local Instance : ignore_unique_asm_names_opt := false. *) - (* Local Existing Instance default_language_naming_conventions. *) - (* Local Existing Instance default_documentation_options. *) - (* Local Instance : package_name_opt := None. *) - (* Local Instance : class_name_opt := None. *) - (* Local Existing Instance default_output_options. *) - - (* Let bounds := repeat bound n ++ [Some r[0 ~> (2^(machine_wordsize/4) - 1)]%zrange]. *) - - (* Time Compute *) - (* Show.show *) - (* (Pipeline.BoundsPipelineToString *) - (* "fiat_p25519_" "fiat_p25519_mul" *) - (* false *) - (* false *) - (* None *) - (* possible_values *) - (* machine_wordsize *) - (* ltac:(let n := (eval cbv in n) in *) - (* let r := Reify (reduce_full base s c n) in *) - (* exact r) *) - (* (fun _ _ => []) *) - (* (Some (repeat bound (2 * n)), tt) *) - (* (Some (repeat bound (n))) *) - (* (None, tt) *) - (* (None) *) - (* : Pipeline.ErrorT _). *) - - (* Time Compute *) - (* Show.show *) - (* (Pipeline.BoundsPipelineToString *) - (* "fiat_p25519_" "fiat_p25519_mul" *) - (* false *) - (* false *) - (* None *) - (* possible_values *) - (* machine_wordsize *) - (* ltac:(let n := (eval cbv in n) in *) - (* let r := Reify (mulmod' base s c n) in *) - (* exact r) *) - (* (fun _ _ => []) *) - (* (Some (repeat bound (n)), (Some (repeat bound n), tt)) *) - (* (Some (repeat bound (n))) *) - (* (None, (None, tt)) *) - (* (None) *) - (* : Pipeline.ErrorT _). *) - - (* End compile. *) - End SolinasReduction. 
diff --git a/src/COperationSpecifications.v b/src/COperationSpecifications.v
index 4a253326ef..ee59191fe5 100644
--- a/src/COperationSpecifications.v
+++ b/src/COperationSpecifications.v
@@ -503,13 +503,13 @@ Module SolinasReduction.
 (length_saturated_bouns : length saturated_bounds = n).
 Local Notation eval := (Positional.eval wt n).
- Definition mulmod_correct
- (mulmod : list Z -> list Z -> list Z) :=
+ Definition mul_correct
+ (mul : list Z -> list Z -> list Z) :=
 forall x y,
 list_Z_bounded_by saturated_bounds x ->
 list_Z_bounded_by saturated_bounds y ->
- ((eval (mulmod x y)) mod m = (eval x * eval y) mod m) /\
- (list_Z_bounded_by saturated_bounds (mulmod x y)).
+ ((eval (mul x y)) mod m = (eval x * eval y) mod m) /\
+ (list_Z_bounded_by saturated_bounds (mul x y)).
 End __.
 End SolinasReduction.
diff --git a/src/ExtractionHaskell/bedrock2_solinas_reduction.v b/src/ExtractionHaskell/bedrock2_solinas_reduction.v
index 0c3d6128d3..74f4d1c319 100644
--- a/src/ExtractionHaskell/bedrock2_solinas_reduction.v
+++ b/src/ExtractionHaskell/bedrock2_solinas_reduction.v
@@ -1,4 +1,5 @@
 Require Import Crypto.Bedrock.Standalone.StandaloneHaskellMain.
 Import Bedrock2First.
-Recursive Extraction SolinasReduction.main.
+(*Redirect "/tmp/bedrock2_solinas_reduction.hs"*) Recursive Extraction SolinasReduction.main.
+(* cat /tmp/bedrock2_solinas_reduction.hs.out | sed -f haskell.sed > ../../bedrock2_solinas_reduction.hs *)
diff --git a/src/ExtractionHaskell/with_bedrock2_solinas_reduction.v b/src/ExtractionHaskell/with_bedrock2_solinas_reduction.v
index 702f7f1b6e..4bb3d3b585 100644
--- a/src/ExtractionHaskell/with_bedrock2_solinas_reduction.v
+++ b/src/ExtractionHaskell/with_bedrock2_solinas_reduction.v
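Review bot: The added `(*Redirect "/tmp/bedrock2_solinas_reduction.hs"*)` and the `cat /tmp/... | sed -f haskell.sed > ../../bedrock2_solinas_reduction.hs` line in src/ExtractionHaskell/bedrock2_solinas_reduction.v are scratch notes rather than build logic: the commented-out Redirect names a fixed file in the shared, world-writable /tmp directory, and the pipeline's output path is relative to whatever directory the command happens to run from. If this extraction route is meant to be reproducible it belongs in the Makefile with a path under the build directory; if it was only used for local debugging, both comments should be dropped before merging. The same two lines are added to src/ExtractionHaskell/with_bedrock2_solinas_reduction.v in the following hunk.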
@@ -1,4 +1,5 @@
 Require Import Crypto.Bedrock.Standalone.StandaloneHaskellMain.
 Import Bedrock2Later.
-Recursive Extraction SolinasReduction.main.
+(*Redirect "/tmp/bedrock2_solinas_reduction.hs"*) Recursive Extraction SolinasReduction.main.
+(* cat /tmp/bedrock2_solinas_reduction.hs.out | sed -f haskell.sed > ../../bedrock2_solinas_reduction.hs *)
diff --git a/src/ExtractionOCaml/with_bedrock2_solinas_reduction.v b/src/ExtractionOCaml/with_bedrock2_solinas_reduction.v
index 902958bb0d..44c660ff92 100644
--- a/src/ExtractionOCaml/with_bedrock2_solinas_reduction.v
+++ b/src/ExtractionOCaml/with_bedrock2_solinas_reduction.v
@@ -1,4 +1,4 @@
 Require Import Crypto.Bedrock.Standalone.StandaloneOCamlMain.
 Import Bedrock2Later.
-Extraction "src/ExtractionOCaml/with_bedrock2_solinas_reduction.tmp" SolinasReduction.main.
+Extraction "src/ExtractionOCaml/with_bedrock2_solinas_reduction.tmp" SaturatedSolinas.main.
diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v
index 3d452a70e4..50abb5014a 100644
--- a/src/PushButtonSynthesis/SolinasReduction.v
+++ b/src/PushButtonSynthesis/SolinasReduction.v
@@ -57,7 +57,7 @@ Local Coercion Z.pos : positive >-> Z.
 Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *)
-Local Opaque reified_solmul_gen. (* needed for making [autorewrite] not take a very long time *)
+Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *)
 (* needed for making [autorewrite] with [Set Keyed Unification] fast *)
 Local Opaque expr.Interp.
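Review bot: The new extraction target in src/ExtractionOCaml/with_bedrock2_solinas_reduction.v is `SaturatedSolinas.main`, while the output file is still `with_bedrock2_solinas_reduction.tmp` and the two Haskell counterparts in this patch keep extracting `SolinasReduction.main`; the resulting binary would carry the solinas_reduction name but run the saturated-Solinas driver. If `SolinasReduction.main` is not yet available under `Bedrock2Later` and this is a deliberate stand-in, a comment on that line saying so would keep the mismatch from shipping silently; otherwise the line should read `Extraction "src/ExtractionOCaml/with_bedrock2_solinas_reduction.tmp" SolinasReduction.main.`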
@@ -161,39 +161,39 @@ Section __. correctness) (only parsing, at level 10, summary at next level, correctness at next level). - Definition mulmod + Definition mul := Pipeline.BoundsPipeline false (* subst01 *) possible_values - (reified_solmul_gen + (reified_mul_gen @ GallinaReify.Reify base @ GallinaReify.Reify s @ GallinaReify.Reify c - @ GallinaReify.Reify n ) + @ GallinaReify.Reify n) (Some boundsn, (Some boundsn, tt)) (Some boundsn). - Definition smulmod (prefix : string) + Definition smul (prefix : string) : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _)) := Eval cbv beta in FromPipelineToString! - machine_wordsize prefix "mulmod" mulmod + machine_wordsize prefix "mul" mul (docstring_with_summary_from_lemma! (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string) - (mulmod_correct weight n m boundsn)). + (mul_correct weight n m boundsn)). Local Ltac solve_extra_bounds_side_conditions := cbn [lower upper fst snd] in *; Bool.split_andb; Z.ltb_to_lt; lia. Hint Rewrite (fun pf => @SolinasReduction.SolinasReduction.mulmod_correct (@wprops _ _ pf)) using solve [ auto with zarith | congruence | solve_extra_bounds_side_conditions ] : push_eval. - Hint Unfold mulmod : push_eval. + Hint Unfold mul : push_eval. Local Ltac prove_correctness _ := Primitives.prove_correctness use_curve_good. - Lemma mulmod_correct res - (Hres : mulmod = Success res) - : mulmod_correct weight n m boundsn (Interp res). + Lemma mul_correct res + (Hres : mul = Success res) + : mul_correct weight n m boundsn (Interp res). Proof using curve_good. prove_correctness (). cbv [evalf weightf weight up_bound] in *. @@ -203,7 +203,7 @@ Section __. apply (fun pf => @SolinasReduction.SolinasReduction.mulmod_correct (@wprops _ _ pf)); auto; lia. Qed. - Lemma Wf_mulmod res (Hres : mulmod = Success res) : Wf res. + Lemma Wf_mul res (Hres : mul = Success res) : Wf res. Proof using Type. prove_pipeline_wf (). Qed. Section for_stringification. 
@@ -211,7 +211,7 @@ Section __.
 Local Open Scope list_scope.
 Definition known_functions
- := [("mulmod", wrap_s smulmod)].
+ := [("mul", wrap_s smul)].
 Definition valid_names : string := Eval compute in String.concat ", " (List.map (@fst _ _) known_functions).
@@ -234,10 +234,10 @@ End __.
 Module Export Hints.
 #[global]
 Hint Opaque
- mulmod
+ mul
 : wf_op_cache.
 #[global]
 Hint Immediate
- Wf_mulmod
+ Wf_mul
 : wf_op_cache.
 End Hints.
diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v
index f1ac5b059a..77944c2185 100644
--- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v
+++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v
@@ -27,164 +27,15 @@ Import Language.Wf.Compilers. Import SolinasReduction.SolinasReduction. -(* Set Debug Cbv. *) -(* Eval cbv delta -[ident.literal *) -(* (* ident.comment *) *) -(* (* ident.comment_no_keep *) *) -(* Z.value_barrier *) -(* Nat.succ *) -(* Nat.pred *) -(* Nat.max *) -(* Nat.mul *) -(* Nat.add *) -(* Nat.sub *) -(* Nat.eqb *) -(* (* Datatypes.nil *) *) -(* (* Datatypes.cons *) *) -(* (* Datatypes.tt *) *) -(* (* Datatypes.pair *) *) -(* Datatypes.fst *) -(* Datatypes.snd *) -(* prod_rect_nodep *) -(* Thunked.bool_rect *) -(* bool_rect_nodep *) -(* Thunked.nat_rect *) -(* Thunked.nat_rect *) -(* nat_rect_arrow_nodep *) -(* nat_rect_arrow_nodep *) -(* Thunked.list_rect *) -(* Thunked.list_rect *) -(* list_rect_arrow_nodep *) -(* list_rect_arrow_nodep *) -(* Thunked.list_case *) -(* List.length *) -(* List.seq *) -(* List.firstn *) -(* List.skipn *) -(* repeat *) -(* List.combine *) -(* List.map *) -(* List.app *) -(* List.rev *) -(* List.flat_map *) -(* List.partition *) -(* List.fold_right *) -(* update_nth *) -(* nth_default *) -(* nth_default *) -(* Z.add *) -(* Z.mul *) -(* Z.pow *) -(* Z.sub *) -(* Z.opp *) -(* Z.div *) -(* Z.modulo *) -(* Z.eqb *) -(* Z.leb *) -(* Z.ltb *) -(* Z.geb *) -(* Z.gtb *) -(* Z.log2 *) -(* Z.log2_up *) -(* Z.of_nat *) -(* Z.to_nat *) -(* Z.shiftr *) -(* Z.shiftl *) -(* Z.land *) -(* Z.lor *) -(* Z.min *) -(* Z.max *) -(* Z.mul_split *) -(* Z.mul_high *) -(* Z.add_get_carry_full *) -(* Z.add_with_carry *) -(* Z.add_with_get_carry_full *) -(* Z.sub_get_borrow_full *) -(* Z.sub_with_get_borrow_full *) -(* Z.ltz *) -(* Z.zselect *) -(* Z.add_modulo *) -(* Z.truncating_shiftl *) -(* Z.bneg *) -(* Z.lnot_modulo *) -(* Z.lxor *) -(* Z.rshi *) -(* Z.cc_m *) -(* Z.combine_at_bitwidth *) -(* (* ident.cast *) *) -(* (* ident.cast2 *) *) -(* (* Datatypes.Some *) *) -(* (* Datatypes.None *) *) -(* Thunked.option_rect *) -(* (* ZRange.Build_zrange *) *) -(* ZRange.zrange_rect_nodep *) -(* ident.fancy.add *) -(* ident.fancy.addc *) 
-(* ident.fancy.sub *) -(* ident.fancy.subb *) -(* ident.fancy.mulll *) -(* ident.fancy.mullh *) -(* ident.fancy.mulhl *) -(* ident.fancy.mulhh *) -(* ident.fancy.rshi *) -(* ident.fancy.selc *) -(* ident.fancy.selm *) -(* ident.fancy.sell *) -(* ident.fancy.addm] in SolinasReduction.mulmod. *) - -Strategy -500 [Crypto.Arithmetic.Core.Positional.add_to_nth - Coq.Init.Datatypes.andb - Coq.ZArith.BinInt.Z.to_int - Crypto.Arithmetic.SolinasReduction.SolinasReduction.dual_map - Coq.PArith.BinPos.Pos.to_uint - Coq.Init.Decimal.revapp - Coq.Init.Datatypes.nat_rect - Crypto.Arithmetic.Saturated.Rows.max_column_size - Crypto.Arithmetic.Saturated.Rows.sum_rows' - Crypto.Arithmetic.Core.Associational.split - Coq.PArith.BinPos.Pos.to_little_uint - Coq.Init.Nat.to_uint - Crypto.Arithmetic.SolinasReduction.SolinasReduction.mulmod - Crypto.Arithmetic.ModOps.weight - Crypto.Arithmetic.SolinasReduction.SolinasReduction.sat_reduce - Coq.Lists.List.tl - Crypto.Arithmetic.Saturated.Rows.adjust_s - Crypto.Arithmetic.Core.Positional.to_associational - Coq.Init.Nat.to_little_uint - Crypto.Arithmetic.Saturated.Columns.cons_to_nth - Crypto.Arithmetic.Saturated.Rows.extract_row - Crypto.Arithmetic.Saturated.Rows.from_columns - Crypto.Arithmetic.Saturated.Associational.sat_multerm_const - Coq.Init.Decimal.rev - Crypto.Arithmetic.Saturated.Associational.sat_mul - Crypto.Arithmetic.Saturated.Rows.from_columns' - Crypto.Arithmetic.Core.Positional.place - Crypto.Arithmetic.Core.Positional.zeros - Crypto.Arithmetic.Saturated.Rows.flatten' - Crypto.Arithmetic.Saturated.Rows.sum_rows - Crypto.Arithmetic.Saturated.Associational.sat_mul_const - Coq.Lists.List.hd - Crypto.Arithmetic.Saturated.Associational.sat_multerm - Crypto.Arithmetic.SolinasReduction.SolinasReduction.is_bounded_by - Crypto.Arithmetic.Saturated.Columns.nils - Coq.Init.Decimal.Little.succ - Crypto.Arithmetic.UniformWeight.uweight - Crypto.Arithmetic.Saturated.Rows.flatten - (* Rewriter.Util.LetIn.Let_In *) - 
Crypto.Arithmetic.Saturated.Rows.from_associational - Crypto.Arithmetic.SolinasReduction.SolinasReduction.fold_andb_map' - Crypto.Arithmetic.Saturated.Columns.from_associational - Coq.Init.Decimal.Little.double]. - -Derive reified_solmul_gen - SuchThat (is_reification_of reified_solmul_gen mulmod) - As reified_solmul_gen_correct. +Derive reified_mul_gen + SuchThat (is_reification_of reified_mul_gen mulmod) + As reified_mul_gen_correct. Proof. Time cache_reify (). Time Qed. #[global] - Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_solmul_gen) : reify_cache_gen. + Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_mul_gen) : reify_cache_gen. #[global] - Hint Immediate (proj2 reified_solmul_gen_correct) : wf_gen_cache. + Hint Immediate (proj2 reified_mul_gen_correct) : wf_gen_cache. #[global] - Hint Rewrite (proj1 reified_solmul_gen_correct) : interp_gen_cache. -Local Opaque reified_solmul_gen. (* needed for making [autorewrite] not take a very long time *) + Hint Rewrite (proj1 reified_mul_gen_correct) : interp_gen_cache. +Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *) diff --git a/src/SlowPrimeSynthesisExamplesCopy.v b/src/SlowPrimeSynthesisExamplesCopy.v deleted file mode 100644 index d9ea9c74dc..0000000000 --- a/src/SlowPrimeSynthesisExamplesCopy.v +++ /dev/null 
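Review bot: `reified_mul_gen` is derived as a reification of `mulmod`, the arithmetic-level name this patch leaves unchanged while renaming the pipeline-level definition to `mul`; a one-line comment above the `Derive`, such as `(* [mul] in PushButtonSynthesis.SolinasReduction is the pipeline wrapper around the arithmetic-level [mulmod] *)`, would save the next reader from chasing the apparent mismatch. The deleted `Strategy -500 [...]` block is not explained in the commit; if it was load-bearing for the `Time cache_reify ()` step, the before/after timing belongs in the commit message to justify dropping it. The rename is also not carried into src/StandaloneOCamlMain.v, where the hunk at -15 later in this patch deletes `Extraction Inline SolinasReductionReificationCache.reified_solmul_gen.` instead of renaming it to `reified_mul_gen`; since that line sits under the comment about working around weak type variables in extracted OCaml, it is worth confirming that extraction still builds without it.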
@@ -1,526 +0,0 @@ -Require Import Coq.ZArith.ZArith. -Require Import Coq.QArith.QArith. -Require Import Coq.QArith.Qround. -Require Import Coq.Strings.String. -Require Import Coq.derive.Derive. -Require Import Coq.Lists.List. -Require Import Crypto.Util.ZRange. -Require Import Crypto.Arithmetic.Core. -Require Import Crypto.Arithmetic.ModOps. -Require Import Crypto.Arithmetic.Partition. -Require Import Crypto.PushButtonSynthesis.UnsaturatedSolinas. -Require Import Crypto.UnsaturatedSolinasHeuristics. -Require Crypto.PushButtonSynthesis.SaturatedSolinas. -Require Crypto.PushButtonSynthesis.WordByWordMontgomery. -Require Crypto.Stringification.C. -Require Crypto.Stringification.Go. -Require Crypto.Stringification.Java. -Require Import Crypto.BoundsPipeline. -Require Import Crypto.Util.ZUtil.ModInv. - -Require Import Coq.ZArith.Znat. - -Require Import Crypto.Util.Notations. -Local Open Scope string_scope. -Local Open Scope list_scope. -Import ListNotations. Local Open Scope Z_scope. - -Import - AbstractInterpretation.Compilers - Language.Compilers - Language.API.Compilers. - -Import Language.API.Compilers.API. - -Import Associational Positional. - -Local Coercion Z.of_nat : nat >-> Z. -Local Coercion QArith_base.inject_Z : Z >-> Q. -Local Coercion Z.pos : positive >-> Z. - -Local Existing Instance default_translate_to_fancy. -Local Existing Instances - Primitives.Options.default_PipelineOptions - Primitives.Options.default_PipelineToStringOptions - Primitives.Options.default_SynthesisOptions -| 100. -Local Instance : unfold_value_barrier_opt := true. -Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction. - -Module compiling_mul. - - Import Crypto.Arithmetic.Saturated. - Import Stringification.C. - Import Stringification.C.Compilers. - Import Stringification.C.Compilers.ToString. - - Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. - Local Instance : only_signed_opt := false. 
- Local Instance : no_select_opt := false. - Local Instance : static_opt := true. - Local Instance : internal_static_opt := true. - Local Instance : inline_opt := true. - Local Instance : inline_internal_opt := true. - Local Instance : use_mul_for_cmovznz_opt := false. - Local Instance : emit_primitives_opt := true. - Local Instance : should_split_mul_opt := false. - Local Instance : should_split_multiret_opt := false. - Local Instance : widen_carry_opt := false. - Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) - - Let s := 2^256. - Let c := [(1, 38)]. - Let machine_wordsize := 64. - - Let possible_values := prefix_with_carry [machine_wordsize]. - Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) - Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. - Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. - Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := Z.to_nat (2*n). - - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. - Let boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound n. - - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let m := (eval cbv in m) in - let r := Reify (@Saturated.Rows.mul (weight machine_wordsize 1) (2^machine_wordsize) n m) in - exact r) - (fun _ _ => []) - (Some boundsn, (Some boundsn, tt)) - (Some boundsn, None) - (None, (None, tt)) - (None, None) - : Pipeline.ErrorT _). - -End compiling_mul. - -Module compiling_reduce_flatten. - - Import PreExtra. - Import Util.LetIn. 
- Import ZUtil.Definitions. - Import Weight. - - Let s := 2^255. - Let c := [(1, 19)]. - Let machine_wordsize := 64. - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := 2 * n. - Let w : nat -> Z := weight machine_wordsize 1. - Let base : Z := 2 ^ machine_wordsize. - - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. - Let boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound (n). - - Import Stringification.C.Compilers. - Import Stringification.C.Compilers.ToString. - - Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. - Local Instance : only_signed_opt := false. - Local Instance : no_select_opt := false. - Local Instance : static_opt := true. - Local Instance : internal_static_opt := true. - Local Instance : inline_opt := true. - Local Instance : inline_internal_opt := true. - Local Instance : use_mul_for_cmovznz_opt := false. - Local Instance : emit_primitives_opt := true. - Local Instance : should_split_mul_opt := false. - Local Instance : should_split_multiret_opt := false. - Local Instance : widen_carry_opt := false. - Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) - - Let possible_values := prefix_with_carry [machine_wordsize]. - Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) - Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. - Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. - Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - - Section single_reduction. - - Context weight {wprops : @weight_properties weight}. 
- - Definition sat_reduce base s c n (p : list (Z * Z)) := - let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in - let lo_hi := Associational.split s' p in - let coef := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in - let hi := Saturated.Associational.sat_mul_const base coef (snd lo_hi) in - let r := (fst lo_hi) ++ hi in - r. - - (* n is input width *) - Definition reduce1 base s c n (p : list Z) := - let p_a := Positional.to_associational weight n p in - let r_a := sat_reduce base s c n p_a in - let r_rows := Saturated.Rows.from_associational weight n r_a in - let r_flat := Saturated.Rows.flatten weight n r_rows in - fst r_flat. - - Definition reduce base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) p in - let r2 := reduce1 base s c (2*n) (r1) in - let r3 := reduce1 base s c (2*n) (r2) in - r3. - - Definition reduce' base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) p in - let r2 := reduce1 base s c (2*n) (r1) in - let r3 := reduce1 base s c (2*n) (r2) in - r1. - - Definition mul_no_reduce base n (p q : list Z) := - let p_a := Positional.to_associational weight n p in - let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in - let pq := Saturated.Rows.flatten weight (2*n) pq_rows in - fst pq. - - Definition mulmod base s c n (p q : list Z) := - let prod := mul_no_reduce base n p q in - let red := reduce base s c n prod in - red. - - End single_reduction. -(* - Search Saturated.Rows.sum_rows. - Search Partition.partition. - Search Partition.partition app. - Search Saturated.Rows.flatten. -*) - Let v := (2^64-1). - Let p := repeat v (2*n). - Let r' := reduce' w base s c n p. - Compute r'. - - Let out_boundsn := (repeat bound n) ++ - [Some r[0~>39]%zrange] ++ - (repeat (Some r[0~>0]%zrange) (n-1)). 
- Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (reduce' w base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound (2*n)), tt) - (Some out_boundsn) - (None, tt) - (None) - : Pipeline.ErrorT _). - -(* Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (mulmod w base s c (2*n)) in - exact r) - (fun _ _ => []) - (Some (repeat bound (2*n)), (Some (repeat bound (2*n)), tt)) - (None, None) - (None, (None, tt)) - (None, None) - : Pipeline.ErrorT _). *) - - (* - = "Success (""/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1], [0x0 ~> 0x0], [0x0 ~> 0x0], [0x0 ~> 0x0]] - */ -static void mul(uint64_t out1[8], const uint64_t arg1[8]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - fiatuint1 x14; - uint64_t x15; - fiatuint1 x16; - uint64_t x17; - fiatuint1 x18; - uint64_t x19; - uint64_t x20; - fiatuint1 x21; - uint64_t x22; - fiatuint1 x23; - uint64_t x24; - fiatuint1 x25; - uint64_t x26; - fiatuint1 x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - fiatuint1 x32; - uint64_t x33; - fiatuint1 x34; - uint64_t x35; - fiatuint1 x36; - uint64_t x37; - fiatuint1 x38; - uint64_t x39; - uint64_t x40; - uint64_t x41; - fiatuint1 x42; - uint64_t x43; - fiatuint1 x44; - 
uint64_t x45; - fiatuint1 x46; - uint64_t x47; - fiatuint1 x48; - fiatmulx_u64(&x1, &x2, UINT8_C(0x26), (arg1[7])); - fiatmulx_u64(&x3, &x4, UINT8_C(0x26), (arg1[6])); - fiatmulx_u64(&x5, &x6, UINT8_C(0x26), (arg1[5])); - fiatmulx_u64(&x7, &x8, UINT8_C(0x26), (arg1[4])); - x9 = (arg1[3]); - x10 = (arg1[2]); - x11 = (arg1[1]); - x12 = (arg1[0]); - fiataddcarryx_u64(&x13, &x14, 0x0, x11, x5); - fiataddcarryx_u64(&x15, &x16, x14, x10, x3); - fiataddcarryx_u64(&x17, &x18, x16, x9, x1); - x19 = (x18 + x2); - fiataddcarryx_u64(&x20, &x21, 0x0, x12, x7); - fiataddcarryx_u64(&x22, &x23, x21, x13, x8); - fiataddcarryx_u64(&x24, &x25, x23, x15, x6); - fiataddcarryx_u64(&x26, &x27, x25, x17, x4); - x28 = (x27 + x19); - fiatmulx_u64(&x29, &x30, UINT8_C(0x26), x28); - fiataddcarryx_u64(&x31, &x32, 0x0, x20, x29); - fiataddcarryx_u64(&x33, &x34, x32, x22, 0x0); - fiataddcarryx_u64(&x35, &x36, x34, x24, 0x0); - fiataddcarryx_u64(&x37, &x38, x36, x26, 0x0); - fiatmulx_u64(&x39, &x40, UINT8_C(0x26), x38); - fiataddcarryx_u64(&x41, &x42, 0x0, x31, x39); - fiataddcarryx_u64(&x43, &x44, x42, x33, 0x0); - fiataddcarryx_u64(&x45, &x46, x44, x35, 0x0); - fiataddcarryx_u64(&x47, &x48, x46, x37, 0x0); - out1[0] = x41; - out1[1] = x43; - out1[2] = x45; - out1[3] = x47; - out1[4] = x48; - out1[5] = 0x0; - out1[6] = 0x0; - out1[7] = 0x0; -}"", {| bitwidths_used := [uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" - : string -Finished transaction in 4.122 secs (4.07u,0.05s) (successful) -*) - -End compiling_reduce_flatten. - -Module compiling_red. - - Import PreExtra. - Import Util.LetIn. - Import ZUtil.Definitions. - Import Weight. - - Section solinas_reduction. - - Context weight {wprops : @weight_properties weight}. 
- - Definition sat_reduce base s c n (p : list (Z * Z)) := - let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in - let lo_hi := Associational.split s' p in - let mul_residue := Saturated.Associational.sat_mul base [(1, s'/s)] c in - fst lo_hi ++ (Saturated.Associational.sat_mul_const base mul_residue (snd lo_hi)). - - Definition flatten_to_positional (p : list Z * Z) := - fst p ++ [snd p]. - - Definition sat_reduce' base s c n (p : list (Z * Z)) := - let '(s', _) := Saturated.Rows.adjust_s weight (S (S n)) s in - let lo_hi := Associational.split s' p in - let v := Saturated.Associational.sat_mul base [(1, s'/s)] c in - let hi := Saturated.Associational.sat_mul base v (snd lo_hi) in - let r := fst lo_hi ++ hi in - r. - - Definition mul_no_reduce base n (p q : list Z) := - let p_a := Positional.to_associational weight n p in - let q_a := Positional.to_associational weight n q in - let pq_a := Saturated.Associational.sat_mul base p_a q_a in - let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in - let pq := Saturated.Rows.flatten weight (2*n) pq_rows in - fst pq. - - Definition reduce_flatten base s c n nreductions (p : list Z) := - let p_a := Positional.to_associational weight n p in - let r_a := sat_reduce' base s c nreductions p_a in - let r_rows := Saturated.Rows.from_associational weight n r_a in - let r_flat := Saturated.Rows.flatten weight n r_rows in - fst r_flat. - - Definition repeat_reduce_flatten base s c n nreductions (p : list Z) := - fold_right (fun _ q => reduce_flatten base s c n nreductions q) p (seq 0 nreductions). - - Definition reduce_product base s c n m nreductions (p : list Z) := - let r := repeat_reduce_flatten base s c n nreductions p in - let r_a := Positional.to_associational weight n r in - let r_r := Saturated.Rows.from_associational weight m r_a in - let r_f := Saturated.Rows.flatten weight m r_r in - fst r_f. 
- - Definition mulmod base s c n nreductions (p q : list Z) := - let pq := mul_no_reduce base n p q in - let pq_r := reduce_product base s c (2*n) n nreductions pq in - pq_r. - - End solinas_reduction. - - Section __. - - Let s := 2^255. - Let c := [(1, 19)]. - Let machine_wordsize := 64. - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := 2 * n. - Let nreductions : nat := - let i := fold_right Z.max 0 (map (fun t => Z.log2 (fst t) / machine_wordsize) c) in - if Z.of_nat m - i <=? 1 - then n - else Z.to_nat (Qceiling (Z.of_nat m / (Z.of_nat m - i - 1))). - Compute nreductions. - Let w : nat -> Z := weight machine_wordsize 1. - Let base : Z := 2 ^ machine_wordsize. - - Let v := 2^64-1. - Let p := repeat v n. - Let q := repeat v n. - Let pq_nor := mul_no_reduce w base n p q. - Let pq_1 := (reduce_flatten w base s c 8 3 pq_nor). - Let pq_2 := (reduce_flatten w base s c 8 3 pq_1). - Let pq_3 := (reduce_flatten w base s c 8 3 pq_2). - Compute pq_nor. - Compute pq_1. - Compute pq_2. - Compute pq_3. - Let pq_red := (reduce_product w base s c (2*n) n 3 pq_nor). - Compute pq_red. - Let pq := mulmod w base s c n 3 p q. - Compute pq. - - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. - Let boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound (n). - - Import Crypto.Arithmetic.Saturated. - Import Stringification.C. - Import Stringification.C.Compilers. - Import Stringification.C.Compilers.ToString. - - Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. - Local Instance : only_signed_opt := false. - Local Instance : no_select_opt := false. - Local Instance : static_opt := true. - Local Instance : internal_static_opt := true. - Local Instance : inline_opt := true. - Local Instance : inline_internal_opt := true. - Local Instance : use_mul_for_cmovznz_opt := false. - Local Instance : emit_primitives_opt := true. - Local Instance : should_split_mul_opt := false. 
- Local Instance : should_split_multiret_opt := false. - Local Instance : widen_carry_opt := false. - Local Instance : widen_bytes_opt := true. (* true, because we don't allow byte-sized things anyway, so we should not expect carries to be widened to byte-size when emitting C code *) - - Let possible_values := prefix_with_carry [machine_wordsize]. - Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) - Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. - Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. - Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - - (* Time Compute *) - (* Show.show *) - (* (Pipeline.BoundsPipelineToString *) - (* "fiat" "mul" *) - (* false (* subst01 *) *) - (* false (* inline *) *) - (* None (* fancy *) *) - (* possible_values *) - (* machine_wordsize *) - (* ltac:(let n := (eval cbv in n) in *) - (* let r := Reify (mulmod w base s c n 5) in *) - (* exact r) *) - (* (fun _ _ => []) *) - (* (Some boundsn, (Some boundsn, tt)) *) - (* (Some boundsn, None) *) - (* (None, (None, tt)) *) - (* (None, None) *) - (* : Pipeline.ErrorT _). *) - - (* Time Compute *) - (* Show.show *) - (* (Pipeline.BoundsPipelineToString *) - (* "fiat" "mul" *) - (* false *) - (* false *) - (* None *) - (* possible_values *) - (* machine_wordsize *) - (* ltac:(let n := (eval cbv in n) in *) - (* let r := Reify (reduce_flatten w base s c (2*n) 3) in *) - (* exact r) *) - (* (fun _ _ => []) *) - (* (Some (repeat bound (2*n)), tt) *) - (* (Some (repeat bound (2*n))) *) - (* (None, tt) *) - (* (None) *) - (* : Pipeline.ErrorT _). 
*) - - (* compiling standalone reduce *) - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (reduce_product w base s c (2*n) n 3) in - exact r) - (fun _ _ => []) - (Some (repeat bound (2*n)), tt) - (Some boundsn) - (None, tt) - (None) - : Pipeline.ErrorT _). - - End __. - -End compiling_red. diff --git a/src/StandaloneOCamlMain.v b/src/StandaloneOCamlMain.v index b221fb88ea..795af2a4c8 100644 --- a/src/StandaloneOCamlMain.v +++ b/src/StandaloneOCamlMain.v @@ -15,7 +15,6 @@ Global Unset Extraction Optimize. (** Work around COQBUG(https://github.com/coq/coq/issues/4875) / COQBUG(https://github.com/coq/coq/issues/7954) / COQBUG(https://github.com/coq/coq/issues/7954) / https://discuss.ocaml.org/t/why-wont-ocaml-specialize-weak-type-variables-in-dead-code/7776 *) Extraction Inline Show.ShowLevel_of_Show. -Extraction Inline SolinasReductionReificationCache.reified_solmul_gen. Inductive int : Set := int_O | int_S (x : int). From 654aaf6656bc5e4669e66343fabf9afa839c538a Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Mon, 24 Oct 2022 15:31:01 -0400 Subject: [PATCH 53/69] bedrock passes --- .gitignore | 4 ++++ fiat-bedrock2/src/curve25519_solinas_64.c | 10 +++++----- fiat-c/src/curve25519_solinas_64.c | 2 +- fiat-go/64/curve25519solinas/curve25519solinas.go | 2 +- fiat-rust/src/curve25519_solinas_64.rs | 2 +- fiat-zig/src/curve25519_solinas_64.zig | 2 +- src/PushButtonSynthesis/SolinasReduction.v | 6 +++--- 7 files changed, 16 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 76f5bd8b1e..01161b1254 100644 --- a/.gitignore +++ b/.gitignore 
@@ -159,19 +159,23 @@ third_party/openssl-nistz256/measure
 third_party/curve25519-donna-c64/measure
 src/ExtractionHaskell/saturated_solinas
 src/ExtractionHaskell/unsaturated_solinas
+src/ExtractionHaskell/solinas_reduction
 src/ExtractionHaskell/word_by_word_montgomery
 src/ExtractionHaskell/base_conversion
 src/ExtractionHaskell/*.hs
 src/ExtractionOCaml/saturated_solinas
 src/ExtractionOCaml/unsaturated_solinas
+src/ExtractionOCaml/solinas_reduction
 src/ExtractionOCaml/word_by_word_montgomery
 src/ExtractionOCaml/base_conversion
 src/ExtractionOCaml/bedrock2_saturated_solinas
 src/ExtractionOCaml/bedrock2_unsaturated_solinas
+src/ExtractionOCaml/bedrock2_solinas_reduction
 src/ExtractionOCaml/bedrock2_word_by_word_montgomery
 src/ExtractionOCaml/bedrock2_base_conversion
 src/ExtractionOCaml/with_bedrock2_saturated_solinas
 src/ExtractionOCaml/with_bedrock2_unsaturated_solinas
+src/ExtractionOCaml/with_bedrock2_solinas_reduction
 src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery
 src/ExtractionOCaml/with_bedrock2_base_conversion
 src/ExtractionOCaml/perf_unsaturated_solinas
diff --git a/fiat-bedrock2/src/curve25519_solinas_64.c b/fiat-bedrock2/src/curve25519_solinas_64.c
index 648bf5b5c7..21bd936cf6 100644
--- a/fiat-bedrock2/src/curve25519_solinas_64.c
+++ b/fiat-bedrock2/src/curve25519_solinas_64.c
@@ -1,7 +1,7 @@
-/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mulmod */
+/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mul */
 /* curve description: curve25519_solinas */
 /* machine_wordsize = 64 (from "64") */
-/* requested operations: mulmod */
+/* requested operations: mul */
 /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */
 /* */
 /* Computed values: */
@@ -54,7 +54,7 @@ _br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { * out0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ static -void internal_fiat_curve25519_solinas_mulmod(uintptr_t out0, uintptr_t in0, uintptr_t in1) { +void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr_t in1) { uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x14, x35, x41, x33, x42, x12, x43, x45, x46, x25, x20, x40, x49, x44, x50, x15, x51, x53, x54, x47, x56, x17, x22, x37, x59, x48, x60, x23, x61, x63, x64, x52, x65, x18, x66, x68, x69, x55, x70, x10, x71, x73, x74, x57, x76, x9, x28, x58, x79, x62, x80, x26, x81, x83, x84, x67, x85, x21, x86, x88, x89, x72, x90, x13, x91, x93, x94, x75, x96, x77, x30, x39, x99, x78, x100, x31, x101, x103, x104, x82, x105, x29, x106, x108, x109, x87, x110, x24, x111, x113, x114, x92, x115, x16, x116, x118, x119, x95, x120, x8, x121, x123, x124, x97, x36, x98, x127, x102, x128, x34, x129, x131, x132, x107, x133, x32, x134, x136, x137, x112, x138, x27, x139, x141, x142, x117, x143, x19, x144, x146, x147, x122, x148, x11, x149, x151, x152, x125, x150, x145, x140, x156, x126, x161, x130, x162, x154, x163, x165, x166, x135, x168, x167, x169, x171, x153, x172, x173, x158, x38, x176, x160, x177, x159, x178, x180, x181, x164, x182, x157, x183, x185, x186, x170, x187, x155, x188, x190, x191, x174, x192, x193, x175, x195, x179, x197, x184, x199, x189, x201, x202, x194, x204, x196, x206, x198, x208, x200, x203, x205, x207, x209, x210, x211, x212, x213; x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); 
@@ -283,6 +283,6 @@ void internal_fiat_curve25519_solinas_mulmod(uintptr_t out0, uintptr_t in0, uint } /* NOTE: The following wrapper function is not covered by Coq proofs */ -static void fiat_curve25519_solinas_mulmod(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { - internal_fiat_curve25519_solinas_mulmod((uintptr_t)out1, (uintptr_t)arg1, (uintptr_t)arg2); +static void fiat_curve25519_solinas_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { + internal_fiat_curve25519_solinas_mul((uintptr_t)out1, (uintptr_t)arg1, (uintptr_t)arg2); } diff --git a/fiat-c/src/curve25519_solinas_64.c b/fiat-c/src/curve25519_solinas_64.c index 74d77e0ca7..0e51316095 100644 --- a/fiat-c/src/curve25519_solinas_64.c +++ b/fiat-c/src/curve25519_solinas_64.c @@ -107,7 +107,7 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mulx_u64 * The function fiat_curve25519_solinas_mul multiplies two field elements. * * Postconditions: - * evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 + * eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 * * Input Bounds: * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] diff --git a/fiat-go/64/curve25519solinas/curve25519solinas.go b/fiat-go/64/curve25519solinas/curve25519solinas.go index 4afd90445d..11967afdc8 100644 --- a/fiat-go/64/curve25519solinas/curve25519solinas.go +++ b/fiat-go/64/curve25519solinas/curve25519solinas.go 
@@ -25,7 +25,7 @@ type int1 int64 // We use uint64 instead of a more narrow type for performance r
 // Mul multiplies two field elements.
 //
 // Postconditions:
-// evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949
+// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949
 //
 // Input Bounds:
 // arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
diff --git a/fiat-rust/src/curve25519_solinas_64.rs b/fiat-rust/src/curve25519_solinas_64.rs
index 959c1da06b..5a6acf6a88 100644
--- a/fiat-rust/src/curve25519_solinas_64.rs
+++ b/fiat-rust/src/curve25519_solinas_64.rs
@@ -84,7 +84,7 @@ pub fn fiat_curve25519_solinas_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u6
 /// The function fiat_curve25519_solinas_mul multiplies two field elements.
 ///
 /// Postconditions:
-/// evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949
+/// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949
 ///
 /// Input Bounds:
 /// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig
index b2486b4e65..f81d3716ed 100644
--- a/fiat-zig/src/curve25519_solinas_64.zig
+++ b/fiat-zig/src/curve25519_solinas_64.zig
@@ -95,7 +95,7 @@ inline fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) void { /// The function mul multiplies two field elements. /// /// Postconditions: -/// evalf out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (evalf arg1 * evalf arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 /// /// Input Bounds: /// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index 50abb5014a..9a2ca7bf77 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v @@ -150,9 +150,9 @@ Section __. Local Notation weightf := weight. Local Notation notations_for_docstring := (CorrectnessStringification.dyn_context.cons - evalf "evalf" + weightf "weight" (CorrectnessStringification.dyn_context.cons - weightf "weightf" + evalf "eval" CorrectnessStringification.dyn_context.nil))%string. Local Notation "'docstring_with_summary_from_lemma!' summary correctness" := (docstring_with_summary_from_lemma_with_ctx! @@ -180,7 +180,7 @@ Section __. machine_wordsize prefix "mul" mul (docstring_with_summary_from_lemma! (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string) - (mul_correct weight n m boundsn)). + (mul_correct weightf n m boundsn)). Local Ltac solve_extra_bounds_side_conditions := cbn [lower upper fst snd] in *; Bool.split_andb; Z.ltb_to_lt; lia. From 61f79a6cc02ed8b98252f28d7a4533a461279c57 Mon Sep 17 00:00:00 2001 
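Review bot: The `@@ -150` hunk both renames the docstring labels (`"evalf"`/`"weightf"` to `"eval"`/`"weight"`) and swaps the order of the two `dyn_context.cons` entries, and the `@@ -180` hunk switches `mul_correct` from `weight` to the `weightf` notation, with no comment saying why. Presumably the notation is what lets the docstring context recognize the identifier so the generated postcondition prints `eval`/`weight` (as the generated-file hunks above show); whether the entry order is load-bearing is not visible here. A comment such as `(* use the weightf/evalf notations so the docstring context can name them; they print as "weight"/"eval" *)` above `notations_for_docstring`, plus a note on the order if it was deliberate, would keep the next maintainer from undoing it. Both enclosing definitions extend outside the hunks.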
From: Samuel Tian Date: Wed, 26 Oct 2022 13:52:13 -0400 Subject: [PATCH 54/69] intros idents that are explicitly called in the proof --- src/Arithmetic/SolinasReduction.v | 112 +++++++++++++----------------- 1 file changed, 49 insertions(+), 63 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index 8f6bdf5891..ce241d3cdc 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -336,7 +336,7 @@ Module SolinasReduction. Proof using Type. apply (ListAux.list_length_induction Z). unfold eval_weight_P. - intros l1 H n. + intros l1 H n b. pose proof (@break_list_last Z l1). cbv [eval_weight_P eval Associational.eval to_associational] in *. intuition; @@ -365,7 +365,10 @@ Module SolinasReduction. autorewrite with push_misc. push. rewrite fold_right_add. - rewrite fold_right_add with (x:=weight (n + Datatypes.length x) * x0). + symmetry. + rewrite fold_right_add. + symmetry. + rewrite fold_right_add. rewrite H. ring_simplify. unfold weight, machine_wordsize. 
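Review bot: The `symmetry. rewrite fold_right_add. symmetry. rewrite fold_right_add.` sequence in the `@@ -365` hunk replaces an explicit `with (x:=weight (n + Datatypes.length x) * x0)` instantiation, so the proof now depends on which occurrence `rewrite` unifies first on each side of the goal rather than on a named instance. That works today but is fragile against changes to the `push` hint database upstream of it. A one-line comment would help the next reader, e.g. `(* rewrite one side at a time: the first fold_right match on each side is the instance we need *)`. The enclosing proof starts and ends outside the hunk.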
@@ -400,31 +403,19 @@ Module SolinasReduction. Proof using wprops. intros p. generalize dependent n. - induction p; intros; destruct n; - repeat multimatch goal with - | H : canonical_repr _ (_ :: _) |- _ => - let H' := fresh "H" in - assert (H' := H); - pose proof (canonical_bounded _ _ H'); - unfold canonical_repr in H'; - apply canonical_cons in H - | H : context[length _] |- _ => autorewrite with push_length in H; rewrite <-H - | _ => push - | _ => intuition - | _ => ring_simplify - | _ => auto || lia - end. - cbn; lia. + induction p as [| a p IHp]; intros n H; destruct n; push; try lia; + assert (H' := H); unfold canonical_repr in H'; push' H'. + lia. le_lt. etransitivity. solve_ineq. le_lt. - apply H1; auto. - rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r; auto. - le_lt; auto. - ring_simplify. - solve_ineq. - rewrite H2. + eapply canonical_bounded; eauto. + rewrite <-OrdersEx.Z_as_OT.mul_le_mono_pos_r; eauto. + le_lt. + apply IHp. + eapply canonical_app_r with (l1:=[a]); eauto. + all: try lia. weight_comp; lia. Qed. @@ -443,13 +434,15 @@ Module SolinasReduction. length p = n /\ is_bounded_by (repeat (0, 2^machine_wordsize-1) n) p = true. Proof using wprops. - intros. + intros n p. rewrite canonical_iff. repeat autounfold. split. + intros H. + destruct H as [H H1]. intuition. generalize dependent n. - induction p; intros; + induction p as [| a p IHp]; intros; repeat multimatch goal with | H : length _ = ?x |- _ => progress cbn in H; subst x | _ => apply andb_true_intro 
@@ -481,11 +474,11 @@ Module SolinasReduction. Lemma eval_is_bounded_by_pos n : forall p, is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> 0 <= eval weight n p. - Proof using Type. - intros. + Proof. + intros p. pose proof eval_weight_S as Heval. repeat autounfold with * in *. - generalize dependent n; induction p; intros; destruct n; + generalize dependent n; induction p; intros n; destruct n; repeat multimatch goal with | H : context[fold_right _ _ _] |- _ => cbn in H | H : context[_ && _] |- _ => rewrite andb_true_iff in H @@ -504,12 +497,12 @@ Module SolinasReduction. is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) n) p = true -> 0 <= eval weight n p < weight n. Proof using wprops. - intros. + intros p. split. apply eval_is_bounded_by_pos; auto. pose proof eval_weight_S as Heval. repeat autounfold with * in *. - generalize dependent n; induction p; intros; destruct n; + generalize dependent n; induction p; intros n; destruct n; repeat multimatch goal with | H : context[fold_right _ _ _] |- _ => progress cbn in H | H : context[_ && _] |- _ => rewrite andb_true_iff in H @@ -527,7 +520,7 @@ Module SolinasReduction. apply Z.mul_le_mono_nonneg_r; try lia. le_lt. apply IHp; auto. - weight_comp; unfold machine_wordsize; lia. + weight_comp; lia. Qed. Hint Resolve eval_is_bounded_by : ibb. @@ -562,7 +555,7 @@ Module SolinasReduction. (n < length bounds)%nat -> fst (nth_default (0,0) bounds n) <= nth_default 0 p n <= snd (nth_default (0,0) bounds n). Proof using Type. - intros. + intros p bounds H H0 H1. generalize dependent n. generalize dependent p. induction bounds as [ | b bounds IHbounds ]; @@ -643,7 +636,7 @@ Module SolinasReduction. fold_andb_map' (fun x y => (fst y <=? fst x) && (snd x <=? snd y)) bound1 bound2 = true -> is_bounded_by bound2 l = true. Proof using Type. - intros. + intros l bound1 bound2 H H0 H1. generalize dependent bound1. generalize dependent bound2. repeat autounfold. 
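Review bot: `Proof using Type.` becomes plain `Proof.` for `eval_is_bounded_by_pos` in the `@@ -481` hunk, and the same change appears in the `@@ -784` hunk (the `sat_reduce` eval lemma) on the next line of this patch. Without a `using` clause Coq abstracts the lemma over whatever section variables the proof term ends up mentioning, so the closed statement may silently gain extra hypotheses (e.g. `wprops`) and can no longer be type-checked independently of its proof; if `Type` was dropped because it was too narrow, the narrower fix is `Proof using wprops.` (or whichever set the proof actually needs) rather than no clause. Both enclosing proofs run past the hunk.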
@@ -666,7 +659,7 @@ Module SolinasReduction. Lemma bounds_same : forall b, fold_andb_map' (fun x y => (fst y <=? fst x) && (snd x <=? snd y)) b b = true. Proof using Type. - intros. + intros b. repeat autounfold. induction b; repeat match goal with @@ -784,7 +777,7 @@ Module SolinasReduction. let lo_hi := Associational.split s' p in Associational.eval (sat_reduce base s c n p) = Associational.eval coef * Associational.eval (snd lo_hi) + Associational.eval (fst lo_hi). - Proof using Type. + Proof. intros; cbv [sat_reduce] in *; cbv [s' lo_hi coef]. autorewrite with push_eval; lia. Qed. @@ -809,7 +802,7 @@ Module SolinasReduction. replace (rev (seq 0 (S fuel))) with (fuel :: rev (seq 0 fuel)). generalize (rev (seq 0 fuel)). cbn in *. - intros. + intros l. induction l; break_match; auto; discriminate. rewrite seq_snoc. @@ -893,10 +886,6 @@ Module SolinasReduction. else f (add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)). - Definition reduce1' base s c n m p := - ltac:(let x := (eval cbv beta delta [reduce1_cps id] in (@reduce1_cps (list Z) base s c n m p id)) in - exact x). - Definition reduce2 base s c n (p : list Z) := let r1 := reduce1 base s c (2*n) (S n) p in let r2 := reduce1 base s c (S n) (S n) r1 in @@ -906,10 +895,6 @@ Module SolinasReduction. (r1 <- reduce1_cps base s c (2*n) (S n) p; reduce1_cps base s c (S n) (S n) r1 f). - Definition reduce2' base s c n p := - ltac:(let x := (eval cbv beta delta [reduce2_cps reduce1_cps id] in (@reduce2_cps (list Z) base s c n p id)) in - exact x). - Lemma reduce1_cps_ok {T} base s c n m (f : list Z -> T) : forall p, reduce1_cps base s c n m p f = f (reduce1 base s c n m p). Proof using Type. 
@@ -1002,14 +987,13 @@ Module SolinasReduction. Proof using Type. intros H. generalize dependent l2. - induction l1; intros; destruct l2; push; + induction l1 as [| ? ? IHl1]; intros l2; destruct l2; push; match goal with | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by auto end; specialize (IHl1 ltac:(auto)); - specialize (H a ltac:(auto)); + specialize (H _ ltac:(auto)); repeat multimatch goal with - (*| H : context[_ =? _] |- _ => rewrite DecidableClass.Decidable_eq_Z_obligation_1 in H*) | |- context[_ mod _] => rewrite Z.mod_small | _ => rewrite IHl1 | _ => push @@ -1026,7 +1010,7 @@ Module SolinasReduction. Proof using Type. intros H. generalize dependent l2. - induction l1; intros; destruct l2; push; + induction l1 as [| ? ? IHl1]; intros l2; destruct l2; push; match goal with | [ |- context[ ?x :: ?y ] ] => replace (x :: y) with ([x] ++ y) by eauto end; @@ -1060,7 +1044,7 @@ Module SolinasReduction. -> weight x1 < weight (x2 + x1). Proof using Type. intros H. - induction H; + induction H as [| ? ? IHle]; repeat match goal with | _ => apply IHle | _ => apply weight_mono' @@ -1093,7 +1077,7 @@ Module SolinasReduction. map (fun t => t * weight a) (map weight (seq 0 b)). Proof using Type. intros a b. - induction b; + induction b as [| ? IHb]; repeat multimatch goal with | _ => rewrite IHb | _ => rewrite seq_snoc @@ -1110,7 +1094,7 @@ Module SolinasReduction. Lemma weight_dif_mono' : forall n, weight (S n) - weight n < weight (S (S n)) - weight (S n). Proof using Type. - intros. + intros n. induction n. weight_comp; lia. cbv [weight]. @@ -1154,7 +1138,7 @@ Module SolinasReduction. eval weight (2 * n) (mul_no_reduce base n p q) = eval weight n p * Positional.eval weight n q. Proof using base_nz n_gt_1 wprops. - intros. + intros p q. cbv [mul_no_reduce]. break_match. (* properly bounded *) @@ -1181,7 +1165,6 @@ Module SolinasReduction. (* not bounded *) push. - ring_simplify. rewrite <-Z_div_mod_eq. auto. rewrite Z.gt_lt_iff. 
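Review bot: The `@@ -1285` hunk adds `intros p m1 m2 H.` immediately before the existing `intros.`, so any remaining hypotheses are still introduced with auto-generated names, which is what this commit sets out to remove; the `@@ -1710` hunk on L530 does the same with `intros p.` followed by `intros.`. Either name the remaining binders in the single `intros` line, or drop the trailing `intros.` if nothing is left to introduce. The enclosing proofs continue outside the hunks.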
@@ -1215,7 +1198,7 @@ Module SolinasReduction. split (weight n) (combine (map weight (seq 0 n)) (firstn n p)) = (combine (map weight (seq 0 n)) (firstn n p), []). Proof using wprops. - intros p Hlen. + intros. rewrite split_lt; repeat multimatch goal with | H : _ |- _ => autorewrite with push_misc in H @@ -1236,7 +1219,7 @@ Module SolinasReduction. split (weight n) (combine (map weight (seq n (m1 - n))) (skipn n p)) = ([], combine (map weight (seq 0 (m1 - n))) (skipn n p)). Proof using wprops. - intros p m1 Hlen. + intros. rewrite split_gt; repeat multimatch goal with | H : _ |- _ => autorewrite with push_misc in H @@ -1257,7 +1240,7 @@ Module SolinasReduction. (combine (map weight (seq 0 n)) (firstn n p), (combine (map weight (seq 0 (m1 - n))) (skipn n p))). Proof using n_gt_1 wprops. - intros. + intros m1 p ? ?. replace m1 with (n + (m1 - n))%nat at 1 by lia. rewrite <-(firstn_skipn n p) at 1. push. @@ -1285,6 +1268,7 @@ Module SolinasReduction. eval weight m2 (reduce1 base s c m1 m2 p) = Associational.eval coef * eval weight (m1 - n) (skipn n p) + eval weight n (firstn n p). Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. + intros p m1 m2 H. intros. assert (Rows.adjust_s weight (S (S m1)) s = Rows.adjust_s weight (S (S n)) s) as Hadjust. @@ -1294,7 +1278,8 @@ Module SolinasReduction. eapply adjust_s_finished; try apply solinas_property. lia. lia. } - cbv [s' coef reduce1]; break_match; push. + cbv [s' coef reduce1]. + destruct (is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) m1) p) eqn:Heqb; push. rewrite Hadjust. rewrite solinas_property. cbv [to_associational]. @@ -1328,7 +1313,7 @@ Module SolinasReduction. Associational.eval (combine (map weight (seq a b)) p) = weight a * Associational.eval (combine (map weight (seq 0 b)) p). Proof using n_gt_1 wprops. - intros. + intros a b p. generalize dependent a. generalize dependent b. induction p as [ | x p IHp ]; intros. 
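Review bot: The `@@ -1215` and `@@ -1236` hunks replace `intros p Hlen.` and `intros p m1 Hlen.` with bare `intros.`, the reverse of the explicit naming the rest of this commit introduces. If `Hlen` is no longer referenced by name, `intros p ?.` (or `intros p m1 ?.`) keeps the list binders explicit while leaving only the hypothesis anonymous. Both enclosing proofs continue past the hunk.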
@@ -1351,7 +1336,7 @@ Module SolinasReduction. (Positional.eval weight m1 p) mod (s - Associational.eval c) = (Positional.eval weight m2 q) mod (s - Associational.eval c). Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. - intros. + intros p m1 m2; intros. cbv [q]. rewrite value_reduce1; try lia. push. @@ -1410,7 +1395,7 @@ Module SolinasReduction. rewrite <-(firstn_skipn n p) in H. replace (2*n-n)%nat with n by lia. replace (2 * n)%nat with (n + n)%nat in H by lia. - rewrite List.repeat_app in H. + rewrite repeat_app in H. solve_ineq. solve_ibb. @@ -1439,7 +1424,7 @@ Module SolinasReduction. canonical_repr (S n) p -> canonical_repr (S n) (reduce1 base s c (S n) (S n) p). Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. - intros. + intros p H. cbv [canonical_repr]. push. assert (Hcanon := H). @@ -1482,7 +1467,7 @@ Module SolinasReduction. (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1) \/ nth_default 0 q n = 0. Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. - intros. + intros p ? ? q. pose proof (reduce_second_canonical p ltac:(auto)) as Hcanonq. fold q in Hcanonq. pose proof (firstn_skipn n p) as Hp; symmetry in Hp. @@ -1710,6 +1695,7 @@ Module SolinasReduction. (Positional.eval weight (S n) p) mod (s - Associational.eval c) = (Positional.eval weight n q) mod (s - Associational.eval c). Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. + intros p. intros. pose proof (firstn_skipn n p) as Hp; symmetry in Hp. rewrite Hp at 1. 
@@ -1756,7 +1742,7 @@ Module SolinasReduction. (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) = (Positional.eval weight n r) mod (s - Associational.eval c). Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. - intros; cbv [r reduce_full]; break_match. + intros p ? r; cbv [r reduce_full]; break_match. (* bounds are good *) pose proof (is_bounded_by_nth n _ _ Heqb ltac:(push) ltac:(push)) as Hnth. repeat match goal with From e89b77de273917f1d86cd82c9efe523c23ad83bd Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Tue, 1 Nov 2022 07:33:58 -0400 Subject: [PATCH 55/69] implement reduce3, intended to be cmovz --- src/Arithmetic/SolinasReduction.v | 245 ++++++++++++++---------------- src/SlowPrimeSynthesisExamples.v | 104 +++++++++++++ 2 files changed, 219 insertions(+), 130 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index ce241d3cdc..be5c3e0153 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v 
@@ -860,13 +860,27 @@ Module SolinasReduction. else add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat). + (* S n -> n limbs *) + Definition reduce3 base s c n (p : list Z) := + let bound := (0, 2^machine_wordsize-1) in + let bounds := (repeat bound n) ++ [(0, 1)] in + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let coef := Associational.eval coef_a in + if (is_bounded_by bounds p) then + let hi := Z.zselect (nth_default 0 p n) 0 coef in + add_to_nth 0 hi (firstn n p) + else + let hi := coef * (nth_default 0 p n) in + add_to_nth 0 hi (firstn n p). + Definition reduce_full base s c n (p : list Z) := let r1 := reduce1 base s c (2*n) (S n) p in let bound := (0, 2^machine_wordsize - 1) in let bounds := repeat bound n ++ [(0, up_bound-1)] in if (is_bounded_by bounds r1) then let r2 := reduce1 base s c (S n) (S n) r1 in - let r3 := reduce1 base s c (S n) (n) r2 in + let r3 := reduce3 base s c n r2 in r3 else add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1). @@ -886,15 +900,6 @@ Module SolinasReduction. else f (add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)). - Definition reduce2 base s c n (p : list Z) := - let r1 := reduce1 base s c (2*n) (S n) p in - let r2 := reduce1 base s c (S n) (S n) r1 in - r2. - - Definition reduce2_cps {T} base s c n (p : list Z) (f : list Z -> T):= - (r1 <- reduce1_cps base s c (2*n) (S n) p; - reduce1_cps base s c (S n) (S n) r1 f). - Lemma reduce1_cps_ok {T} base s c n m (f : list Z -> T) : forall p, reduce1_cps base s c n m p f = f (reduce1 base s c n m p). Proof using Type. 
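Review bot: `reduce3` is documented only by `(* S n -> n limbs *)`, but it assumes more than that: `add_to_nth 0 hi (firstn n p)` appears to add `hi` into limb 0 as a plain integer with no carry, so the result is a valid n-limb value only when limb 0 plus `coef` stays below `2^machine_wordsize`, and the definition itself checks nothing about limb 0. The two branches also differ in kind: under the `(0, 1)` top-limb bound, `Z.zselect` gives the branch-free selection the commit title calls cmovz, while the fallback multiplies `coef` by the top limb; presumably the fallback is meant to be discharged by bounds analysis rather than run, and saying so would help. A header comment along the lines of `(* S n -> n limbs. Expects the top limb in {0,1} after reduce1 (S n) (S n) and limb 0 small enough that adding coef cannot overflow a word; the unbounded branch is a fallback for the bounds pipeline — confirm against reduce_full *)` would capture this. The enclosing section continues outside the hunk.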
@@ -903,18 +908,39 @@ Module SolinasReduction. break_match; reflexivity. Qed. + Definition reduce3_cps {T} base s c n (p : list Z) (f : list Z -> T) := + let bound := (0, 2^machine_wordsize-1) in + let bounds := (repeat bound n) ++ [(0, 1)] in + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let coef := Associational.eval coef_a in + if (is_bounded_by bounds p) then + let hi := Z.zselect (nth_default 0 p n) 0 coef in + f (add_to_nth 0 hi (firstn n p)) + else + let hi := coef * (nth_default 0 p n) in + f (add_to_nth 0 hi (firstn n p)). + + Lemma reduce3_cps_ok {T} base s c n (f : list Z -> T) : forall p, + reduce3_cps base s c n p f = f (reduce3 base s c n p). + Proof. + intros. + cbv [reduce3 reduce3_cps]. + break_match; reflexivity. + Qed. + Definition reduce_full_cps {T} base s c n (p : list Z) (f : list Z -> T):= (r1 <- reduce1_cps base s c (2*n) (S n) p; (let bound := (0, 2^machine_wordsize - 1) in let bounds := repeat bound n ++ [(0, up_bound-1)] in if (is_bounded_by bounds r1) then (r2 <- reduce1_cps base s c (S n) (S n) r1; - reduce1_cps base s c (S n) n r2 f) + reduce3_cps base s c n r2 f) else f (add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1)))). Definition reduce_full' base s c n p := - ltac:(let x := (eval cbv beta delta [reduce_full_cps reduce1_cps id] in (@reduce_full_cps (list Z) base s c n p id)) in + ltac:(let x := (eval cbv beta delta [reduce_full_cps reduce1_cps reduce3_cps id] in (@reduce_full_cps (list Z) base s c n p id)) in exact x). Lemma reduce_full_cps_ok {T} base s c n (f : list Z -> T) : forall p, 
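Review bot: `reduce3_cps` restates the entire body of `reduce3` instead of being derived from it, so the two can drift silently, and the only thing keeping them in sync is `reduce3_cps_ok`, which is closed with `Proof.` whereas the neighbouring `reduce1_cps_ok` uses `Proof using Type.`. For consistency with the sibling lemma write `Proof using Type.` there. If the duplication intentionally follows the existing reduce1/reduce1_cps pattern, a one-line comment `(* keep in sync with reduce3; reduce3_cps_ok checks the equivalence *)` above `reduce3_cps` would make the coupling explicit.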
@@ -922,7 +948,10 @@ Module SolinasReduction. Proof using Type. intros. cbv [reduce_full reduce_full_cps]. - repeat (rewrite reduce1_cps_ok || reflexivity || break_match). + repeat (rewrite reduce1_cps_ok || + rewrite reduce3_cps_ok || + reflexivity || + break_match). Qed. Definition mul_no_reduce_cps {T} base n (p q : list Z) (f : list Z -> T):= @@ -1373,6 +1402,68 @@ Module SolinasReduction. (* END SECTION REDUCE1 *) + (* SECTION REDUCE3 *) + + Lemma eval_reduce3 : forall p m, + (m = n)%nat -> + length p = S m -> + let q := reduce3 base s c m p in + (Positional.eval weight (S m) p) mod (s - Associational.eval c) + = (Positional.eval weight m q) mod (s - Associational.eval c). + Proof. + intros p m H. + intros. + rewrite eval_reduce1 with (m2:=m%nat). + rewrite value_reduce1. + rewrite solinas_property. + rewrite H. + push. + const_simpl. + rewrite skipn_nth_default with (d:=0) by lia. + rewrite skipn_all by lia. + cbv [q reduce3]. + break_match. + + push. + match goal with + | H : context[is_bounded_by _ _] |- _ => pose proof (is_bounded_by_nth m _ _ H) as Hnth + end. + push' Hnth. + specialize (Hnth ltac:(lia) ltac:(lia)). + rewrite nth_default_app in Hnth. + push' Hnth. + destruct lt_dec eqn:E. + lia. + simpl in Hnth. + rewrite H in Hnth. + rewrite H. + assert (nth_default 0 p n = 0 \/ nth_default 0 p n = 1) by lia. + intuition. + rewrite H4. + push. + rewrite H4. + push. + cbv [Z.zselect]. + simpl. + rewrite solinas_property. + push. + push; lia. + push; lia. + + rewrite H. + rewrite solinas_property. + push. + push; lia. + push; lia. + all: try lia. + admit. (* up_bound * weight (S m - n) + weight n < weight m *) + (* needs stricter restraints for value_reduce1 *) + admit. (* up_bound * weight (S m - n) + weight n < weight m *) + (* needs stricter restraints for value_reduce1 *) + Admitted. + + (* END SECTION REDUCE3 *) + (* SECTION REDUCE_FIRST *) Lemma reduce_first_canonical : forall p, 
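Review bot: `eval_reduce3` in the `@@ -1373` hunk is closed with `Admitted.` after two `admit.` goals, which leaves the correctness of the new `reduce3`, and through `reduce_full` the whole reduction, resting on an unproved assumption; in a library whose deliverable is the machine-checked proof this should be visible at the statement, not only in trailing comments. The inline comments already name the missing fact (`up_bound * weight (S m - n) + weight n < weight m`) and the cause (`value_reduce1` needs stricter constraints), so lifting that into a `(* TODO: admitted — needs a tighter value_reduce1; see the two admits below *)` directly under the `Lemma eval_reduce3` line would keep it from being overlooked. The proof also relies on auto-generated names (`rewrite H4`), which the previous commit set out to eliminate, and opens with `Proof.` rather than a `Proof using` clause like the surrounding lemmas.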
@@ -1612,125 +1703,20 @@ Module SolinasReduction. (* SECTION REDUCE_THIRD *) - Lemma value_reduce_third : forall p, - canonical_repr (S n) p -> - let q := reduce1 base s c (S n) n p in - ((nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1) \/ - nth_default 0 p n = 0) -> - let r := reduce1 base s c (S n) n q in - let s' := fst (Saturated.Rows.adjust_s weight (S (S (S n))) s) in - let coef := Associational.sat_mul_const base [(1, s'/s)] c in - eval weight n q = Associational.eval coef * (nth_default 0 p n) + eval weight n (firstn n p). - Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. - intros p ? ? Hbounds ? ? ?. - pose proof (firstn_skipn n p) as Hp; symmetry in Hp. - canonical_app p. - push' Hcanon_l. - push' Hcanon_r. - replace (length p) with (S n) in * by (solve_length p). - rewrite min_l in Hcanon_l; [| lia]. - const_simpl. - pose proof (firstn_succ 0 (n - 1) p ltac:(solve_length p)) as Hpfirst. - const_simpl. - canonical_app (firstn n p). - push' Hcanon_l0. - push' Hcanon_r0. - rewrite min_l in Hcanon_l0; [| solve_length p]. - cbv [q s' coef reduce1]; push. - erewrite adjust_s_finished'; try apply solinas_property; try lia. - push. - cbv [to_associational]. - rewrite split_p; [| lia | solve_length p]. - const_simpl. - cbn [seq]. - push. - rewrite skipn_nth_default with (d:=0); [| solve_length p]. - rewrite skipn_all; [| solve_length p]. - push. - break_match; push. - apply Z.mod_small. - cbv [eval to_associational]. - destruct Hbounds as [ Hbounds | Hbounds ]. - destruct Hbounds as [ Hbounds1 Hbounds2 ]. - replace n with (S (n-1))%nat at 3 4 7 8 by lia. - rewrite firstn_succ with (d:=0). - rewrite seq_snoc. - rewrite Hbounds1. - rewrite Hbounds2. - push. - solve_ineq. - apply canonical_pos; auto. - etransitivity. - solve_ineq. - eauto. - apply canonical_eval_bounded; auto. - rewrite Z.lt_add_lt_sub_r. - replace n with (S (n-1))%nat at 1 by lia. - etransitivity; [| apply (weight_dif_mono 0)]. - weight_comp; cbn; lia. - lia. - push. 
- rewrite min_l; solve_length p. - solve_length p. - rewrite Hbounds. - push. - solve_ineq. - apply canonical_pos; auto. - apply canonical_eval_bounded; auto. - - (* not bounded *) - rewrite <-Z_div_mod_eq_full. - auto. - push. - push. - lia. - push. - Qed. - - Lemma eval_reduce_third : forall p, + Lemma eval_reduce_third' : forall p, (canonical_repr (S n) p) -> - let q := reduce1 base s c (S n) n p in + let q := reduce3 base s c n p in ((nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1) \/ nth_default 0 p n = 0) -> (Positional.eval weight (S n) p) mod (s - Associational.eval c) = (Positional.eval weight n q) mod (s - Associational.eval c). - Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. - intros p. - intros. - pose proof (firstn_skipn n p) as Hp; symmetry in Hp. - rewrite Hp at 1. - unfold eval at 1. - unfold to_associational. - rewrite seq_snoc. - rewrite skipn_nth_default with (d:=0) by (solve_length p). - rewrite skipn_all by (solve_length p). + Proof. + intros p ? q ?. cbv [q]. - rewrite value_reduce_third; auto. - erewrite adjust_s_finished'; try apply solinas_property; [| lia]. - push. - match goal with - | |- context[_ mod (_ - ?c)] => - repeat multimatch goal with - | |- context[?x * ?c * ?y] => replace (x * c * y) with (c * (x * y)) by lia - | |- context[?c * _ + ?x] => rewrite (Z.add_comm _ x) - end - end. - rewrite <-reduction_rule; [| lia]. - apply Z.elim_mod. - unfold eval, to_associational at 1. - rewrite Z.add_cancel_l. - rewrite Z.mul_assoc. - rewrite <-Z_div_exact_2. - const_simpl. + rewrite eval_reduce3. lia. lia. - pose proof (adjust_s_invariant (S (S n)) s ltac:(lia)) as Hinv. - rewrite solinas_property in Hinv. - cbn [fst] in Hinv. - apply Hinv. - push. - rewrite min_l by (solve_length p). - lia. + solve_length p. Qed. (* END SECTION REDUCE_THIRD *) 
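Review bot: The hypothesis `(nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1) \/ nth_default 0 p n = 0` is kept in the statement of eval_reduce_third' but the new proof never uses it — `rewrite eval_reduce3. lia. lia. solve_length p.` only needs the length fact obtained from canonical_repr. Either drop the hypothesis or annotate it, e.g. `(* bound hypothesis unused: reduce3 checks the bounds itself; kept for callers *)`. The `Proof using base_nz c_pos ... wprops.` annotation is also replaced by a bare `Proof.` here and again in the eval_reduce_full hunk that follows; whether this changes which section variables the lemmas abstract over depends on the project's default proof-using setting, so it is worth confirming the resulting statements still match what callers expect.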
@@ -1741,9 +1727,8 @@ Module SolinasReduction. let r := reduce_full base s c n p in (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) = (Positional.eval weight n r) mod (s - Associational.eval c). - Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. + Proof. intros p ? r; cbv [r reduce_full]; break_match. - (* bounds are good *) pose proof (is_bounded_by_nth n _ _ Heqb ltac:(push) ltac:(push)) as Hnth. repeat match goal with | H : context[nth_default _ (_ ++ _) _] |- _ => rewrite nth_default_app in H @@ -1757,7 +1742,7 @@ Module SolinasReduction. assert (canonical_repr (S n) (reduce1 base s c (2*n) (S n) p)). rewrite canonical_is_bounded_by. intuition; push. - rewrite <-eval_reduce_third. + rewrite <-eval_reduce3. rewrite <-eval_reduce1. rewrite <-eval_reduce1. auto. @@ -1782,10 +1767,9 @@ Module SolinasReduction. rewrite Z.lt_add_lt_sub_r. etransitivity; [| apply (weight_dif_mono 1); lia]. weight_comp; cbn; break_match; lia. - cbn; const_simpl; lia. + autounfold. replace (S n) with (n+1)%nat. - rewrite List.repeat_app. - repeat autounfold. + rewrite repeat_app. push. cbn. apply bounds_same. @@ -1817,6 +1801,7 @@ Module SolinasReduction. apply Z.pow_pos_nonneg; cbn; break_match; lia. cbn; lia. Qed. + (* END SECTION REDUCE_FULL *) (* SECTION MULMOD *) diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v index e4da917536..fc3dff8199 100644 --- a/src/SlowPrimeSynthesisExamples.v +++ b/src/SlowPrimeSynthesisExamples.v @@ -5,7 +5,10 @@ Require Import Coq.Strings.String. Require Import Coq.derive.Derive. Require Import Coq.Lists.List. Require Import Crypto.Util.ZRange. +Require Import Crypto.Util.ZUtil.Zselect. +Require Import Crypto.Util.ZUtil.Definitions. Require Import Crypto.Arithmetic.Core. +Require Import Crypto.Arithmetic.SolinasReduction. Require Import Crypto.Arithmetic.ModOps. Require Import Crypto.Arithmetic.Partition. Require Import Crypto.PushButtonSynthesis.UnsaturatedSolinas. 
@@ -46,6 +49,107 @@ Local Existing Instances Local Instance : unfold_value_barrier_opt := true. Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction. +Module debugging_solinas_reduction. + + Section __. + + Context (machine_wordsize := 64) + (weight := UniformWeight.uweight machine_wordsize) + (up_bound := 2 ^ (machine_wordsize / 4)) + {wprops : @weight_properties weight}. + + Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := + map (fun x => (f (fst x) (snd x))) (combine l1 l2). + Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := + fold_right andb true (dual_map f ls1 ls2). + Definition is_bounded_by bounds ls := + fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. + + Definition reduce3 weight base s c n (p : list Z) := + let bound := (0, 2^machine_wordsize-1) in + let bounds := (repeat bound n) ++ [(0, 1)] in + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in + let coef := Associational.eval coef_a in + if (is_bounded_by bounds p) then + let hi := Z.zselect (nth_default 0 p n) 0 coef in + add_to_nth 0 hi (firstn n p) + else + let hi := coef * (nth_default 0 p n) in + add_to_nth 0 hi (firstn n p). + + End __. + + Section compile. + + Let s := 2^255. + Let c := [(1, 19)]. + Let machine_wordsize := 64. + Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). + Let m : nat := 2 * n. + Let w : nat -> Z := weight machine_wordsize 1. + Let base : Z := 2 ^ machine_wordsize. + + Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. + Let bound' := Some r[0 ~> (2^machine_wordsize +39)]%zrange. + Let boundsn : list (ZRange.type.option.interp base.type.Z) + := repeat bound (n). + + Import Stringification.C.Compilers. + Import Stringification.C.Compilers.ToString. 
+ + Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. + + Let possible_values := prefix_with_carry [machine_wordsize]. + Local Instance : use_mul_for_cmovznz_opt := false. + Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) + Local Instance : no_select_size_opt := None. + Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. + Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. + + Let bounds := repeat bound n ++ [Some r[0 ~> 1]%zrange]. + + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (reduce3 w base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound (n) ++ [Some r[0~>1]%zrange]), tt) + (Some (repeat bound' n)) + (None, tt) + (None) + : Pipeline.ErrorT _). + + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + None + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (reduce1 base s c (2*n) (S n)) in + exact r) + (fun _ _ => []) + (Some (repeat bound (2*n)), tt) + (Some bounds) + (None, tt) + (None) + : Pipeline.ErrorT _). + + End compile. + +End debugging_solinas_reduction. + Module debugging_go_bits_add. Import Stringification.Go. Section __. From 6208f027433d3f6dbfe7dd927c19884b4daf8634 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Tue, 1 Nov 2022 20:46:25 -0400 Subject: [PATCH 56/69] fix duplicated multiplication, need to push reduce3 through bounds inference --- src/Arithmetic/SolinasReduction.v | 39 +++-- src/SlowPrimeSynthesisExamples.v | 264 ++++++++++++++++++++++++++---- 2 files changed, 257 insertions(+), 46 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index be5c3e0153..3edbfc381a 100644 
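Review bot: The two `Pipeline.BoundsPipelineToString` invocations in Section compile are called with different argument lists: the second passes a `None` between the two `false` flags and `possible_values` while the first does not, so unless the function has optional arguments at most one of them matches its signature and the other will fail to typecheck. Confirm which form is current and make both calls agree. The module also re-defines `dual_map`, `fold_andb_map'`, `is_bounded_by` and `reduce3` locally rather than referring to the definitions in SolinasReduction, so the code being reified here can drift from the definition the proofs are about; a comment such as `(* local copies for debugging; keep in sync with Arithmetic/SolinasReduction.v *)` would record that these are deliberate duplicates. `up_bound` in the Context is unused in this hunk.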
--- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -844,8 +844,11 @@ Module SolinasReduction. let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in let pq := Saturated.Rows.flatten weight (2*n) pq_rows in let bound := (0, 2^machine_wordsize - 1) in - if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then - fst pq + if (is_bounded_by (repeat bound n) p) then + if (is_bounded_by (repeat bound n) q) then + fst pq + else + add_to_nth 0 (weight (2 * n) * snd pq) (fst pq) else add_to_nth 0 (weight (2 * n) * snd pq) (fst pq). @@ -867,8 +870,8 @@ Module SolinasReduction. let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in let coef := Associational.eval coef_a in + dlet_nd hi := Z.zselect (nth_default 0 p n) 0 coef in if (is_bounded_by bounds p) then - let hi := Z.zselect (nth_default 0 p n) 0 coef in add_to_nth 0 hi (firstn n p) else let hi := coef * (nth_default 0 p n) in @@ -914,8 +917,8 @@ Module SolinasReduction. let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in let coef := Associational.eval coef_a in + dlet_nd hi := Z.zselect (nth_default 0 p n) 0 coef in if (is_bounded_by bounds p) then - let hi := Z.zselect (nth_default 0 p n) 0 coef in f (add_to_nth 0 hi (firstn n p)) else let hi := coef * (nth_default 0 p n) in 
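Review bot: In mul_no_reduce the inner `else` and the outer `else` of the new nested `if` carry the identical expression `add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)`, and nothing in the hunk records why the `&&` form was split apart. The commit title says this fixes a duplicated multiplication, so presumably the combined boolean caused the reified pipeline to materialise `pq` twice; that should be written down so the next reader does not fold the branches back together, e.g. `(* two nested ifs rather than &&: with && the reification duplicated the product pq *)`. The same structure appears in mul_no_reduce_cps in the `@@ -961` hunk that follows.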
@@ -961,8 +964,11 @@ Module SolinasReduction. let pq_rows := Saturated.Rows.from_associational weight (2*n) pq_a in let pq := Saturated.Rows.flatten weight (2*n) pq_rows in let bound := (0, 2^machine_wordsize - 1) in - if (is_bounded_by (repeat bound n) p && is_bounded_by (repeat bound n) q) then - f (fst pq) + if (is_bounded_by (repeat bound n) p) then + if (is_bounded_by (repeat bound n) q) then + f (fst pq) + else + f (add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)) else f (add_to_nth 0 (weight (2 * n) * snd pq) (fst pq)). @@ -988,7 +994,7 @@ Module SolinasReduction. Qed. Definition mulmod base s c n (p q : list Z) := - ltac:(let x := (eval cbv beta delta [mulmod_cps mul_no_reduce_cps reduce_full_cps reduce1_cps id] in (@mulmod_cps (list Z) base s c n p q id)) in + ltac:(let x := (eval cbv beta delta [mulmod_cps mul_no_reduce_cps reduce_full_cps reduce1_cps reduce3_cps id] in (@mulmod_cps (list Z) base s c n p q id)) in exact x). Lemma mulmod_unfold base s c n : forall p q, @@ -1201,6 +1207,15 @@ Module SolinasReduction. push. lia. push. + + push. + rewrite <-Z_div_mod_eq. + auto. + rewrite Z.gt_lt_iff. + auto. + push. + lia. + push. Qed. Hint Rewrite eval_mul_no_reduce : push_eval. @@ -1421,7 +1436,7 @@ Module SolinasReduction. const_simpl. rewrite skipn_nth_default with (d:=0) by lia. rewrite skipn_all by lia. - cbv [q reduce3]. + cbv [q reduce3 Let_In]. break_match. push. @@ -1439,9 +1454,13 @@ Module SolinasReduction. rewrite H. assert (nth_default 0 p n = 0 \/ nth_default 0 p n = 1) by lia. intuition. - rewrite H4. + match goal with + | H : nth_default _ _ _ = _ |- _ => rewrite H + end. push. - rewrite H4. + match goal with + | H : nth_default _ _ _ = _ |- _ => rewrite H + end. push. cbv [Z.zselect]. simpl. diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v index fc3dff8199..a8fe4dedc0 100644 --- a/src/SlowPrimeSynthesisExamples.v +++ b/src/SlowPrimeSynthesisExamples.v 
@@ -4,6 +4,7 @@ Require Import Coq.QArith.Qround. Require Import Coq.Strings.String. Require Import Coq.derive.Derive. Require Import Coq.Lists.List. +Require Import Crypto.Util.LetIn. Require Import Crypto.Util.ZRange. Require Import Crypto.Util.ZUtil.Zselect. Require Import Crypto.Util.ZUtil.Definitions. @@ -51,6 +52,8 @@ Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fract Module debugging_solinas_reduction. + Import SolinasReduction.SolinasReduction. + Section __. Context (machine_wordsize := 64) @@ -65,19 +68,6 @@ Module debugging_solinas_reduction. Definition is_bounded_by bounds ls := fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. - Definition reduce3 weight base s c n (p : list Z) := - let bound := (0, 2^machine_wordsize-1) in - let bounds := (repeat bound n) ++ [(0, 1)] in - let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in - let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in - let coef := Associational.eval coef_a in - if (is_bounded_by bounds p) then - let hi := Z.zselect (nth_default 0 p n) 0 coef in - add_to_nth 0 hi (firstn n p) - else - let hi := coef * (nth_default 0 p n) in - add_to_nth 0 hi (firstn n p). - End __. Section compile. @@ -103,11 +93,12 @@ Module debugging_solinas_reduction. Let possible_values := prefix_with_carry [machine_wordsize]. Local Instance : use_mul_for_cmovznz_opt := false. Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) - Local Instance : no_select_size_opt := None. + Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. Let bounds := repeat bound n ++ [Some r[0 ~> 1]%zrange]. + Let bound1 := Some r[0~>1]%zrange. Time Compute Show.show 
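Review bot: `no_select_size_opt` is changed from `None` to `no_select_size_of_no_select machine_wordsize` in the last hunk with no comment explaining the switch. By its name the option controls whether select operations of a given size survive in the output, and reduce3 now relies on `Z.zselect` for the `hi` limb, so this setting shapes what the backend emits for a limb derived from the input; the motivation belongs next to the instance, e.g. `(* needed so the Z.zselect in reduce3 is lowered rather than rejected by the pipeline *)`, adjusted to the actual reason. `bound1` is introduced in this hunk but is not yet used by the call below it.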
@@ -118,33 +109,234 @@ Module debugging_solinas_reduction. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (reduce3 w base s c n) in + let r := Reify (mulmod base s c n) in exact r) (fun _ _ => []) - (Some (repeat bound (n) ++ [Some r[0~>1]%zrange]), tt) - (Some (repeat bound' n)) - (None, tt) + (Some (repeat bound (n)), (Some (repeat bound (n)), tt)) + (Some (repeat bound (n))) + (None, (None, tt)) (None) : Pipeline.ErrorT _). +(* +/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: None + */ +void f(uint128 out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint1 x34; + uint64_t x35; + uint1 x36; + uint64_t x37; + uint64_t x38; + uint1 x39; + uint64_t x40; + uint1 x41; + uint64_t x42; + uint1 x43; + uint64_t x44; + uint64_t x45; + uint1 x46; + uint64_t x47; + uint1 x48; + uint64_t x49; + uint1 x50; + uint64_t x51; + uint1 x52; + uint64_t x53; + uint1 x54; + uint64_t x55; + uint64_t x56; + uint1 x57; + uint64_t x58; + uint1 x59; + uint64_t x60; + uint1 x61; + uint64_t x62; + uint1 x63; + uint64_t x64; + uint1 x65; + uint64_t x66; + uint1 x67; + uint64_t x68; + uint1 x69; + uint64_t x70; + uint1 x71; + uint64_t x72; + uint1 x73; + uint64_t x74; + uint1 x75; + 
uint64_t x76; + uint1 x77; + uint64_t x78; + uint1 x79; + uint64_t x80; + uint1 x81; + uint64_t x82; + uint1 x83; + uint64_t x84; + uint1 x85; + uint64_t x86; + uint1 x87; + uint64_t x88; + uint1 x89; + uint64_t x90; + uint1 x91; + uint64_t x92; + uint1 x93; + uint64_t x94; + uint1 x95; + uint64_t x96; + uint64_t x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint1 x105; + uint64_t x106; + uint1 x107; + uint64_t x108; + uint1 x109; + uint8_t x110; + uint64_t x111; + uint1 x112; + uint64_t x113; + uint1 x114; + uint64_t x115; + uint1 x116; + uint64_t x117; + uint1 x118; + uint8_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint1 x123; + uint64_t x124; + uint1 x125; + uint64_t x126; + uint1 x127; + uint64_t x128; + uint1 x129; + uint8_t x130; + uint128 x131; + mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); + mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); + mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); + mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); + mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); + mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); + mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); + mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); + mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); + mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); + mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); + mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); + mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); + mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); + mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); + mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); + addcarryx_u64(&x33, &x34, 0x0, x28, x7); + addcarryx_u64(&x35, &x36, x34, x26, x5); + x37 = (x36 + x18); + addcarryx_u64(&x38, &x39, 0x0, x33, x13); + addcarryx_u64(&x40, &x41, x39, x35, x8); + addcarryx_u64(&x42, &x43, x41, x37, 0x0); + x44 = (x43 + x10); + addcarryx_u64(&x45, &x46, 0x0, x30, x15); + addcarryx_u64(&x47, &x48, x46, x38, x16); + addcarryx_u64(&x49, &x50, x48, x40, x11); + addcarryx_u64(&x51, 
&x52, x50, x42, x3); + addcarryx_u64(&x53, &x54, x52, x44, 0x0); + x55 = (x54 + x2); + addcarryx_u64(&x56, &x57, 0x0, x45, x21); + addcarryx_u64(&x58, &x59, x57, x47, x19); + addcarryx_u64(&x60, &x61, x59, x49, x14); + addcarryx_u64(&x62, &x63, x61, x51, x6); + addcarryx_u64(&x64, &x65, x63, x53, 0x0); + addcarryx_u64(&x66, &x67, x65, x55, 0x0); + addcarryx_u64(&x68, &x69, 0x0, x32, x23); + addcarryx_u64(&x70, &x71, x69, x56, x24); + addcarryx_u64(&x72, &x73, x71, x58, x22); + addcarryx_u64(&x74, &x75, x73, x60, x17); + addcarryx_u64(&x76, &x77, x75, x62, x9); + addcarryx_u64(&x78, &x79, x77, x64, x1); + addcarryx_u64(&x80, &x81, x79, x66, 0x0); + addcarryx_u64(&x82, &x83, 0x0, x68, x29); + addcarryx_u64(&x84, &x85, x83, x70, x27); + addcarryx_u64(&x86, &x87, x85, x72, x25); + addcarryx_u64(&x88, &x89, x87, x74, x20); + addcarryx_u64(&x90, &x91, x89, x76, x12); + addcarryx_u64(&x92, &x93, x91, x78, x4); + addcarryx_u64(&x94, &x95, x93, x80, 0x0); + mulx_u64(&x96, &x97, UINT8_C(0x26), x94); + mulx_u64(&x98, &x99, UINT8_C(0x26), x92); + mulx_u64(&x100, &x101, UINT8_C(0x26), x90); + mulx_u64(&x102, &x103, UINT8_C(0x26), x88); + addcarryx_u64(&x104, &x105, 0x0, x82, x100); + addcarryx_u64(&x106, &x107, x105, x84, x98); + addcarryx_u64(&x108, &x109, x107, x86, x96); + x110 = (uint8_t)(x109 + (uint8_t)x97); + addcarryx_u64(&x111, &x112, 0x0, x31, x102); + addcarryx_u64(&x113, &x114, x112, x104, (uint8_t)x103); + addcarryx_u64(&x115, &x116, x114, x106, (uint8_t)x101); + addcarryx_u64(&x117, &x118, x116, x108, (uint8_t)x99); + x119 = (uint8_t)(x118 + x110); + mulx_u64(&x120, &x121, UINT8_C(0x26), x119); + addcarryx_u64(&x122, &x123, 0x0, x111, (uint16_t)x120); + addcarryx_u64(&x124, &x125, x123, x113, 0x0); + addcarryx_u64(&x126, &x127, x125, x115, 0x0); + addcarryx_u64(&x128, &x129, x127, x117, 0x0); + cmovznz_u8(&x130, x129, 0x0, UINT8_C(0x26)); + x131 = (x130 + (uint128)x122); + out1[0] = x131; + out1[1] = x124; + out1[2] = x126; + out1[3] = x128; +} - Time Compute - 
Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - None - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (reduce1 base s c (2*n) (S n)) in - exact r) - (fun _ _ => []) - (Some (repeat bound (2*n)), tt) - (Some bounds) - (None, tt) - (None) - : Pipeline.ErrorT _). +with input bounds (Some [Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff]], Some [Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff]]). +" + : string +Finished transaction in 8.123 secs (7.909u,0.142s) (successful) +*) End compile. From d1d13d4e67f63ab627251697421ef6f3ab1385e3 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Wed, 2 Nov 2022 17:50:16 -0400 Subject: [PATCH 57/69] add_get_carry in reduce3 to pass bounds, need to add bounds information in template for proofs --- src/Arithmetic/SolinasReduction.v | 204 +++++++++++++++++++++++++++--- src/SlowPrimeSynthesisExamples.v | 18 +++ 2 files changed, 201 insertions(+), 21 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index 3edbfc381a..26f7c8b1fb 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v 
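Review bot: The pasted pipeline output in the comment does not match the call above it: the call passes `(Some (repeat bound (n)))` as the output bound, but the transcript reports `Output Bounds: out1: None`, declares `uint128 out1[4]`, and ends with `x131 = (x130 + (uint128)x122)`, i.e. the first limb is left as an uncarried 128-bit sum rather than a word. Either the transcript was produced with a different output bound or the bounded run failed; the comment should say which, since as written it documents a result the committed call will not reproduce. The commit message's remark that reduce3 still has to be pushed through bounds inference is the relevant caveat and would be worth restating at the top of the comment block.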
@@ -871,11 +871,12 @@ Module SolinasReduction. let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in let coef := Associational.eval coef_a in dlet_nd hi := Z.zselect (nth_default 0 p n) 0 coef in - if (is_bounded_by bounds p) then - add_to_nth 0 hi (firstn n p) - else - let hi := coef * (nth_default 0 p n) in - add_to_nth 0 hi (firstn n p). + let lo := Z.add_get_carry machine_wordsize hi (nth_default 0 p 0) in + if (is_bounded_by bounds p) then + [fst lo] ++ (skipn 1 (firstn n p)) + else + let hi' := coef * (nth_default 0 p n) in + add_to_nth 0 hi' (firstn n p). Definition reduce_full base s c n (p : list Z) := let r1 := reduce1 base s c (2*n) (S n) p in @@ -918,11 +919,12 @@ Module SolinasReduction. let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in let coef := Associational.eval coef_a in dlet_nd hi := Z.zselect (nth_default 0 p n) 0 coef in - if (is_bounded_by bounds p) then - f (add_to_nth 0 hi (firstn n p)) - else - let hi := coef * (nth_default 0 p n) in - f (add_to_nth 0 hi (firstn n p)). + let lo := Z.add_get_carry machine_wordsize hi (nth_default 0 p 0) in + if (is_bounded_by bounds p) then + f ([fst lo] ++ (skipn 1 (firstn n p))) + else + let hi' := coef * (nth_default 0 p n) in + f (add_to_nth 0 hi' (firstn n p)). Lemma reduce3_cps_ok {T} base s c n (f : list Z -> T) : forall p, reduce3_cps base s c n p f = f (reduce3 base s c n p). @@ -1330,7 +1332,7 @@ Module SolinasReduction. push. rewrite <-(firstn_skipn n p) in Heqb. replace m1 with (n + (m1 - n))%nat in Heqb by lia. - rewrite List.repeat_app in Heqb. + rewrite repeat_app in Heqb. solve_ineq. solve_ibb. solve_ibb. 
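Review bot: In the bounded branch of reduce3 the carry out of `Z.add_get_carry machine_wordsize hi (nth_default 0 p 0)` is discarded — only `fst lo` survives in `[fst lo] ++ (skipn 1 (firstn n p))` — so the result is correct only if `hi + nth_default 0 p 0 < 2^machine_wordsize` whenever `is_bounded_by bounds p` holds. Nothing in the hunk establishes that, and the eval_reduce3 proof in this commit leaves a `Z.mod_small` obligation as `admit`, which looks like exactly this bound. Until it is proven the branch should carry a comment marking the assumption, e.g. `(* snd lo (the carry) is dropped: relies on hi + p[0] < 2^machine_wordsize, currently admitted in eval_reduce3 *)`. reduce3_cps in the `@@ -918` hunk has the same structure.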
@@ -1419,6 +1421,125 @@ Module SolinasReduction. (* SECTION REDUCE3 *) + Lemma value_reduce1' : forall p m, + m = n -> + length p = S m -> + nth_default 0 p n <= 1 -> + weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n -> + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let coef := Associational.sat_mul_const base [(1, s'/s)] c in + eval weight m (reduce1 base s c (S m) m p) = + Associational.eval coef * nth_default 0 p n + eval weight n (firstn n p). + Proof. + intros p m H H1 H2 H3. + cbv [reduce1]. + rewrite H. + push. + erewrite adjust_s_finished'; try apply solinas_property. + rewrite solinas_property. + cbv [to_associational]. + push. + const_simpl. + rewrite skipn_nth_default with (d:=0) by lia. + rewrite skipn_all. + cbn [seq map]. + push. + + break_match. + push. + rewrite Z.mod_small. + reflexivity. + solve_ineq. + apply is_bounded_by_nth with (n:=n) in Heqb. + etransitivity. + 2: apply Heqb. + rewrite nth_default_repeat. + break_match; try lia. + reflexivity. + lia. + push. + rewrite <-firstn_skipn with (l:=p) (n:=n) in Heqb. + replace (S n) with (n + 1)%nat in Heqb by lia. + rewrite repeat_app in Heqb. + solve_ibb. + le_lt. + etransitivity. + solve_ineq. + apply Z.mul_le_mono_nonneg_l. + solve_ineq. + eauto. + apply Z.le_refl. + le_lt. + push. + + push. + rewrite <-Z_div_mod_eq_full. + all: push; lia. + Qed. + + Lemma eval_reduce1' : forall p m, + m = n -> + length p = S m -> + nth_default 0 p n <= 1 -> + weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n -> + let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in + let coef := Associational.sat_mul_const base [(1, s'/s)] c in + let q := reduce1 base s c (S m) m p in + (Positional.eval weight (S m) p) mod (s - Associational.eval c) + = (Positional.eval weight m q) mod (s - Associational.eval c). + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. + intros p m H H1 H2 H3 s' coef q. + cbv [q]. 
+ rewrite value_reduce1'; try lia. + push. + rewrite solinas_property. + cbn [fst snd]. + match goal with + | |- context[_ mod (_ - ?c)] => + lazymatch goal with + | |- context[?x * ?c * ?y] => replace (x * c * y) with (c * (x * y)) by lia + end + end. + rewrite Z.add_comm. + rewrite <-reduction_rule. + apply Z.elim_mod. + rewrite <-(firstn_skipn n p) at 1. + replace (S m) with (m+1)%nat by lia. + cbv [eval to_associational]. + push. + rewrite Z.mul_assoc. + rewrite <-Z_div_exact_2. + rewrite H. + rewrite Z.add_cancel_l. + const_simpl. + rewrite eval_seq_start. + f_equal. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + cbn. + break_match; lia. + + lia. + lia. + lia. + pose proof (adjust_s_invariant (S (S n)) s ltac:(lia)) as Hadj. + rewrite solinas_property in Hadj. + intuition. + push; lia. + lia. + Qed. + + Lemma firstn_nth_default_0 : forall p, + length p > 0 -> + firstn 1 p = [nth_default 0 p 0]. + Proof. + intros p H. + induction p as [| a p IHp]. + push' H. + lia. + push. + Qed. + Lemma eval_reduce3 : forall p m, (m = n)%nat -> length p = S m -> @@ -1428,18 +1549,19 @@ Module SolinasReduction. Proof. intros p m H. intros. - rewrite eval_reduce1 with (m2:=m%nat). - rewrite value_reduce1. + rewrite eval_reduce1' with (m:=m%nat). + rewrite value_reduce1'. rewrite solinas_property. rewrite H. push. const_simpl. - rewrite skipn_nth_default with (d:=0) by lia. - rewrite skipn_all by lia. cbv [q reduce3 Let_In]. break_match. push. + cbv [Z.add_get_carry Z.add_with_get_carry Z.add_with_carry Z.get_carry Let_In]. + push. + match goal with | H : context[is_bounded_by _ _] |- _ => pose proof (is_bounded_by_nth m _ _ H) as Hnth end. 
@@ -1452,33 +1574,73 @@ Module SolinasReduction. simpl in Hnth. rewrite H in Hnth. rewrite H. + + rewrite <-firstn_skipn with (l:=(firstn n p)) (n:=1%nat) at 1. + rewrite firstn_firstn. + rewrite firstn_nth_default_0. + repeat f_equal. + apply is_bounded_by_nth with (n:=0%nat) in Heqb. + rewrite nth_default_app in Heqb. + rewrite nth_default_repeat in Heqb. + push' Heqb. + destruct (lt_dec); try lia. + destruct dec; try lia. + push' Heqb. + assert (nth_default 0 p n = 0 \/ nth_default 0 p n = 1) by lia. intuition. match goal with | H : nth_default _ _ _ = _ |- _ => rewrite H end. push. + repeat f_equal. + rewrite Z.mod_small; lia. + match goal with | H : nth_default _ _ _ = _ |- _ => rewrite H end. push. cbv [Z.zselect]. - simpl. + destruct (1 =? 0) eqn:E1. + lia. rewrite solinas_property. push. + unfold weight. + erewrite uweight_eval_app with (n:=1%nat). + erewrite uweight_eval_app with (n:=1%nat). + fold weight. + push. + rewrite min_l; try lia. + rewrite Z.add_assoc. + f_equal. + rewrite Z.mod_small. + lia. + admit. + lia. + push. push; lia. + lia. + push. push; lia. + lia. + push; lia. + lia. + lia. rewrite H. rewrite solinas_property. push. push; lia. push; lia. - all: try lia. - admit. (* up_bound * weight (S m - n) + weight n < weight m *) - (* needs stricter restraints for value_reduce1 *) - admit. (* up_bound * weight (S m - n) + weight n < weight m *) - (* needs stricter restraints for value_reduce1 *) + + lia. + lia. + admit. + admit. + lia. + lia. + admit. + admit. Admitted. (* END SECTION REDUCE3 *) diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v index a8fe4dedc0..f3f6d49e24 100644 --- a/src/SlowPrimeSynthesisExamples.v +++ b/src/SlowPrimeSynthesisExamples.v 
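Review bot: The rewritten eval_reduce3 proof still ends in `Admitted` and now contains five bare `admit.` steps, whereas the previous version annotated each admit with the inequality it stood for (`up_bound * weight (S m - n) + weight n < weight m`); those explanations were dropped in the rewrite. Each `admit.` should carry a comment naming the goal it skips, since a reader of the final proof otherwise cannot tell which arithmetic facts remain unverified. value_reduce1' and eval_reduce1' in the `@@ -1419` hunk do close with `Qed`, but their hypothesis `weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n` is a new side condition that callers must discharge; a short comment on where it is expected to come from would help.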
@@ -100,6 +100,24 @@ Module debugging_solinas_reduction. Let bounds := repeat bound n ++ [Some r[0 ~> 1]%zrange]. Let bound1 := Some r[0~>1]%zrange. + Time Compute + Show.show + (Pipeline.BoundsPipelineToString + "fiat" "mul" + false + false + possible_values + machine_wordsize + ltac:(let n := (eval cbv in n) in + let r := Reify (reduce3 base s c n) in + exact r) + (fun _ _ => []) + (Some (repeat bound (n) ++ [bound1]), tt) + (Some (repeat bound (n))) + (None, tt) + (None) + : Pipeline.ErrorT _). + Time Compute Show.show (Pipeline.BoundsPipelineToString From dfe2b27360203f12eab1720ff55cf306cc0e9770 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Thu, 3 Nov 2022 13:13:52 -0400 Subject: [PATCH 58/69] implementation of square_no_reduce --- src/SlowPrimeSynthesisExamples.v | 219 ++++++++++++++++++++++++++++++- 1 file changed, 216 insertions(+), 3 deletions(-) diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v index f3f6d49e24..03fded2a28 100644 --- a/src/SlowPrimeSynthesisExamples.v +++ b/src/SlowPrimeSynthesisExamples.v 
@@ -68,6 +68,43 @@ Module debugging_solinas_reduction. Definition is_bounded_by bounds ls := fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. + Import Associational. + Import Positional. + + Definition sqr_indiv' base (state : list (Z * Z)) (p : list (Z * Z)) := + fold_right (fun a b => b ++ Saturated.Associational.sat_mul base [a] [a]) state p. + + Definition sqr_indiv base (p : list (Z * Z)) := + sqr_indiv' base [] p. + + Definition square_no_reduce base (p : list Z) := + let p_a := Positional.to_associational weight 4 p in + (* a0 * [a1, a2, a3] *) + let prod0 := Saturated.Associational.sat_mul base (firstn 1 p_a) (skipn 1 p_a) in + (* a3 * [a1, a2] *) + let prod1 := Saturated.Associational.sat_mul base (skipn 3 p_a) (firstn 2 (skipn 1 p_a)) in + (* first carry chain *) + let carry1_a := prod0 ++ prod1 in + let carry1_rows := Saturated.Rows.from_associational weight 7 carry1_a in + let carry1 := Saturated.Rows.flatten weight 7 carry1_rows in + (* a1 * [a2], second carry chain *) + let prod2 := Saturated.Associational.sat_mul base (firstn 1 (skipn 1 p_a)) (firstn 1 (skipn 2 p_a)) in + let carry2_rows := Saturated.Rows.from_associational weight 7 prod2 in + let carry2 := Saturated.Rows.flatten' weight carry1 carry2_rows in + (* doubling, third carry chain *) + let carry2 := (fst carry2) ++ [snd carry2] in + let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in + (* squaring, fourth carry chain *) + let square_a := sqr_indiv base p_a in + let square_rows := Saturated.Rows.from_associational weight 8 square_a in + let square := Saturated.Rows.flatten weight 8 square_rows in + fst square. + + Definition squaremod base s c (n : Z) (p : list Z) := + let sqr := square_no_reduce base p in + let r := reduce_full' base s c 4 sqr in + r. + End __. Section compile. 
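Review bot: square_no_reduce computes `double` (the doubled cross products) and then never uses it: `square` is flattened from `square_rows` alone and the function returns `fst square`, so as written the result appears to contain only the diagonal terms from sqr_indiv. Following the pattern already used for `carry2`, the last step would presumably be `let square := Saturated.Rows.flatten' weight double square_rows in fst square` — please confirm against the intended algorithm. Separately, squaremod takes `n : Z` but ignores it, and square_no_reduce hard-codes four limbs throughout (`to_associational weight 4 p`, the `firstn`/`skipn` offsets, `flatten weight 7`/`8`, `reduce_full' base s c 4 sqr`), so the pair is only meaningful for n = 4; either thread n through or document the restriction with `(* specialised to 4 limbs; n is accepted only to mirror mulmod's signature *)`. The name `carry2` is also bound twice in a row, which reads as a slip; `carry2_list` for the second binding would make the doubling step clearer.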
@@ -80,6 +117,10 @@ Module debugging_solinas_reduction. Let w : nat -> Z := weight machine_wordsize 1. Let base : Z := 2 ^ machine_wordsize. + Let p := [2^64-1; 2^64-1; 2^64-1; 2^64-1]. + Compute (square_no_reduce base p). + Compute (mul_no_reduce base 4 p p). + Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. Let bound' := Some r[0 ~> (2^machine_wordsize +39)]%zrange. Let boundsn : list (ZRange.type.option.interp base.type.Z) 
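Review bot: The two new `Compute` lines compare `square_no_reduce base p` with `mul_no_reduce base 4 p p` only by eye, and only on the single all-ones input `p := [2^64-1; 2^64-1; 2^64-1; 2^64-1]`, so nothing in the build fails if the two disagree and inputs where the doubling carry is zero are not exercised. Turning it into a checked equality keeps it live, for instance `Goal square_no_reduce base p = mul_no_reduce base 4 p p. Proof. vm_compute; reflexivity. Qed.` (assuming both sides are closed under the section's `Let`s). As bare `Compute`s they also print their output on every build of the file.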
@@ -109,15 +150,187 @@ Module debugging_solinas_reduction. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (reduce3 base s c n) in + let r := Reify (squaremod base s c n) in exact r) (fun _ _ => []) - (Some (repeat bound (n) ++ [bound1]), tt) - (Some (repeat bound (n))) + (Some (repeat bound (4)), tt) + (Some (repeat bound (4))) (None, tt) (None) : Pipeline.ErrorT _). +(* +"Success (""/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +void mul(uint64_t out1[4], const uint64_t arg1[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + fiatuint1 x12; + uint64_t x13; + fiatuint1 x14; + uint64_t x15; + fiatuint1 x16; + uint64_t x17; + fiatuint1 x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + fiatuint1 x23; + uint64_t x24; + fiatuint1 x25; + uint64_t x26; + fiatuint1 x27; + uint64_t x28; + fiatuint1 x29; + uint64_t x30; + fiatuint1 x31; + uint64_t x32; + fiatuint1 x33; + uint64_t x34; + fiatuint1 x35; + uint64_t x36; + fiatuint1 x37; + uint64_t x38; + fiatuint1 x39; + uint64_t x40; + fiatuint1 x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + fiatuint1 x52; + uint64_t x53; + fiatuint1 x54; + uint64_t x55; + fiatuint1 x56; + uint64_t x57; + fiatuint1 x58; + uint64_t x59; + fiatuint1 x60; + uint64_t x61; + fiatuint1 x62; + uint64_t x63; + fiatuint1 x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + fiatuint1 x74; + uint64_t x75; + 
fiatuint1 x76; + uint64_t x77; + fiatuint1 x78; + uint64_t x79; + uint64_t x80; + fiatuint1 x81; + uint64_t x82; + fiatuint1 x83; + uint64_t x84; + fiatuint1 x85; + uint64_t x86; + fiatuint1 x87; + uint64_t x88; + uint64_t x89; + uint64_t x90; + uint64_t x91; + fiatuint1 x92; + uint64_t x93; + fiatuint1 x94; + uint64_t x95; + fiatuint1 x96; + uint64_t x97; + fiatuint1 x98; + uint64_t x99; + fiatuint128 x100; + uint64_t x101; + fiatmulx_u64(&x1, &x2, (arg1[0]), (arg1[3])); + fiatmulx_u64(&x3, &x4, (arg1[0]), (arg1[2])); + fiatmulx_u64(&x5, &x6, (arg1[0]), (arg1[1])); + fiatmulx_u64(&x7, &x8, (arg1[3]), (arg1[2])); + fiatmulx_u64(&x9, &x10, (arg1[3]), (arg1[1])); + fiataddcarryx_u64(&x11, &x12, 0x0, x6, x3); + fiataddcarryx_u64(&x13, &x14, x12, x4, x1); + fiataddcarryx_u64(&x15, &x16, x14, x2, x9); + fiataddcarryx_u64(&x17, &x18, x16, x10, x7); + x19 = (x18 + x8); + fiatmulx_u64(&x20, &x21, (arg1[1]), (arg1[2])); + fiataddcarryx_u64(&x22, &x23, 0x0, x13, x20); + fiataddcarryx_u64(&x24, &x25, x23, x15, x21); + fiataddcarryx_u64(&x26, &x27, x25, x17, 0x0); + fiataddcarryx_u64(&x28, &x29, x27, x19, 0x0); + fiataddcarryx_u64(&x30, &x31, 0x0, x5, x5); + fiataddcarryx_u64(&x32, &x33, x31, x11, x11); + fiataddcarryx_u64(&x34, &x35, x33, x22, x22); + fiataddcarryx_u64(&x36, &x37, x35, x24, x24); + fiataddcarryx_u64(&x38, &x39, x37, x26, x26); + fiataddcarryx_u64(&x40, &x41, x39, x28, x28); + x42 = (((uint64_t)x41 + x29) + (uint64_t)x29); + fiatmulx_u64(&x43, &x44, (arg1[3]), (arg1[3])); + fiatmulx_u64(&x45, &x46, (arg1[2]), (arg1[2])); + fiatmulx_u64(&x47, &x48, (arg1[1]), (arg1[1])); + fiatmulx_u64(&x49, &x50, (arg1[0]), (arg1[0])); + fiataddcarryx_u64(&x51, &x52, 0x0, x50, x30); + fiataddcarryx_u64(&x53, &x54, x52, x47, x32); + fiataddcarryx_u64(&x55, &x56, x54, x48, x34); + fiataddcarryx_u64(&x57, &x58, x56, x45, x36); + fiataddcarryx_u64(&x59, &x60, x58, x46, x38); + fiataddcarryx_u64(&x61, &x62, x60, x43, x40); + fiataddcarryx_u64(&x63, &x64, x62, x44, x42); + 
fiatmulx_u64(&x65, &x66, UINT8_C(0x26), x63); + fiatmulx_u64(&x67, &x68, UINT8_C(0x26), x61); + fiatmulx_u64(&x69, &x70, UINT8_C(0x26), x59); + fiatmulx_u64(&x71, &x72, UINT8_C(0x26), x57); + fiataddcarryx_u64(&x73, &x74, 0x0, x51, x69); + fiataddcarryx_u64(&x75, &x76, x74, x53, x67); + fiataddcarryx_u64(&x77, &x78, x76, x55, x65); + x79 = (x78 + x66); + fiataddcarryx_u64(&x80, &x81, 0x0, x49, x71); + fiataddcarryx_u64(&x82, &x83, x81, x73, x72); + fiataddcarryx_u64(&x84, &x85, x83, x75, x70); + fiataddcarryx_u64(&x86, &x87, x85, x77, x68); + x88 = (x87 + x79); + fiatmulx_u64(&x89, &x90, UINT8_C(0x26), x88); + fiataddcarryx_u64(&x91, &x92, 0x0, x80, x89); + fiataddcarryx_u64(&x93, &x94, x92, x82, 0x0); + fiataddcarryx_u64(&x95, &x96, x94, x84, 0x0); + fiataddcarryx_u64(&x97, &x98, x96, x86, 0x0); + fiatcmovznz_u64(&x99, x98, 0x0, UINT8_C(0x26)); + x100 = ((fiatuint128)x99 + x91); + x101 = (uint64_t)(x100 & UINT64_C(0xffffffffffffffff)); + out1[0] = x101; + out1[1] = x93; + out1[2] = x95; + out1[3] = x97; +}"", {| bitwidths_used := [uint128, uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [uint64] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" + : string +Finished transaction in 4.494 secs (4.41u,0.066s) (successful) +*) + Time Compute Show.show (Pipeline.BoundsPipelineToString From 1bd64342c739d176eb954d4cb575283ef91182bc Mon Sep 17 00:00:00 2001 
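Review bot: The pasted pipeline output in the new comment shows the reified `squaremod` emitted as `void mul(uint64_t out1[4], const uint64_t arg1[4])`, i.e. the name string passed to `BoundsPipelineToString` (above this hunk) is still `"mul"` although the body is a squaring; renaming it to `"square"` avoids a misleading log. The bounds are now `repeat bound (4)` instead of being derived from `n`, so the reification is pinned to 4 limbs whatever `n` is — a one-line comment above the `Reify`, such as `(* squaremod is 4-limb only; n is not used *)`, would make that explicit. The comment block should also say that the printed C has no correctness proof behind it yet, so it is a debugging artefact rather than a reference implementation.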
From: Samuel Tian Date: Thu, 3 Nov 2022 22:49:17 -0400 Subject: [PATCH 59/69] generated unverified squaremod + mulmod --- Makefile.examples | 2 +- fiat-c/src/curve25519_solinas_64.c | 279 +- .../64/curve25519solinas/curve25519solinas.go | 248 +- fiat-json/src/curve25519_solinas_64.json | 3040 +++++++++++++++-- fiat-rust/src/curve25519_solinas_64.rs | 261 +- fiat-zig/src/curve25519_solinas_64.zig | 263 +- src/Arithmetic/SolinasReduction.v | 70 + src/COperationSpecifications.v | 8 + src/PushButtonSynthesis/SolinasReduction.v | 48 +- .../SolinasReductionReificationCache.v | 13 + src/SlowPrimeSynthesisExamples.v | 426 +-- 11 files changed, 3844 insertions(+), 814 deletions(-) diff --git a/Makefile.examples b/Makefile.examples index a9431b725a..44adbe3865 100644 --- a/Makefile.examples +++ b/Makefile.examples @@ -87,7 +87,7 @@ endef UNSATURATED_SOLINAS_FUNCTIONS := carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax FUNCTIONS_FOR_25519 := $(UNSATURATED_SOLINAS_FUNCTIONS) carry_scmul121666 WORD_BY_WORD_MONTGOMERY_FUNCTIONS := mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp -SOLINAS_REDUCTION_FUNCTIONS := mul +SOLINAS_REDUCTION_FUNCTIONS := mul square UNSATURATED_SOLINAS := src/ExtractionOCaml/unsaturated_solinas WORD_BY_WORD_MONTGOMERY := src/ExtractionOCaml/word_by_word_montgomery SOLINAS_REDUCTION := src/ExtractionOCaml/solinas_reduction diff --git a/fiat-c/src/curve25519_solinas_64.c b/fiat-c/src/curve25519_solinas_64.c index 0e51316095..8fb77232a9 100644 --- a/fiat-c/src/curve25519_solinas_64.c +++ b/fiat-c/src/curve25519_solinas_64.c 
@@ -1,7 +1,7 @@ -/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mul */ +/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mul square */ /* curve description: curve25519_solinas */ /* machine_wordsize = 64 (from "64") */ -/* requested operations: mul */ +/* requested operations: mul, square */ /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* */ /* Computed values: */ @@ -25,6 +25,15 @@ FIAT_CURVE25519_SOLINAS_FIAT_EXTENSION typedef unsigned __int128 fiat_curve25519 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_CURVE25519_SOLINAS_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t fiat_curve25519_solinas_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_curve25519_solinas_value_barrier_u64(x) (x) +#endif + /* * The function fiat_curve25519_solinas_addcarryx_u64 is an addition with carry. 
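Review bot: The fallback `# define fiat_curve25519_solinas_value_barrier_u64(x) (x)` is a no-op, so on any compiler other than GCC/Clang, or when `FIAT_CURVE25519_SOLINAS_NO_ASM` is defined, the masked select in the `cmovznz_u64` helper added later in this file loses its only defence against being compiled back into a data-dependent branch. That is the usual fiat-crypto trade-off, but it is invisible to a reader of the generated header; since this file is autogenerated the note belongs in the C stringification template, e.g. `/* No barrier on this compiler: cmovznz_u64 may not be constant-time. */` next to the fallback. The `__asm__("" : "+r"(a) : /* no inputs */)` form on the GCC/Clang path is the standard empty-asm barrier and looks right.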
@@ -103,6 +112,29 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mulx_u64 *out2 = x3; } +/* + * The function fiat_curve25519_solinas_cmovznz_u64 is a single-word conditional move. + * + * Postconditions: + * out1 = (if arg1 = 0 then arg2 else arg3) + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + */ +static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_cmovznz_u64(uint64_t* out1, fiat_curve25519_solinas_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_curve25519_solinas_uint1 x1; + uint64_t x2; + uint64_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_curve25519_solinas_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); + x3 = ((fiat_curve25519_solinas_value_barrier_u64(x2) & arg3) | (fiat_curve25519_solinas_value_barrier_u64((~x2)) & arg2)); + *out1 = x3; +} + /* * The function fiat_curve25519_solinas_mul multiplies two field elements. * @@ -218,16 +250,16 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint uint64_t x100; uint64_t x101; uint64_t x102; - fiat_curve25519_solinas_uint1 x103; + uint64_t x103; uint64_t x104; fiat_curve25519_solinas_uint1 x105; uint64_t x106; - uint64_t x107; + fiat_curve25519_solinas_uint1 x107; uint64_t x108; fiat_curve25519_solinas_uint1 x109; uint64_t x110; uint64_t x111; - uint64_t x112; + fiat_curve25519_solinas_uint1 x112; uint64_t x113; fiat_curve25519_solinas_uint1 x114; uint64_t x115; @@ -235,10 +267,10 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint uint64_t x117; fiat_curve25519_solinas_uint1 x118; uint64_t x119; - fiat_curve25519_solinas_uint1 x120; + uint64_t x120; uint64_t x121; uint64_t x122; - uint64_t x123; + fiat_curve25519_solinas_uint1 x123; uint64_t x124; fiat_curve25519_solinas_uint1 x125; uint64_t x126; 
@@ -246,17 +278,8 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint uint64_t x128; fiat_curve25519_solinas_uint1 x129; uint64_t x130; - fiat_curve25519_solinas_uint1 x131; + fiat_curve25519_solinas_uint128 x131; uint64_t x132; - uint64_t x133; - uint64_t x134; - fiat_curve25519_solinas_uint1 x135; - uint64_t x136; - fiat_curve25519_solinas_uint1 x137; - uint64_t x138; - fiat_curve25519_solinas_uint1 x139; - uint64_t x140; - fiat_curve25519_solinas_uint1 x141; fiat_curve25519_solinas_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); fiat_curve25519_solinas_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); fiat_curve25519_solinas_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); 
@@ -306,32 +329,202 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint fiat_curve25519_solinas_addcarryx_u64(&x90, &x91, x89, x76, x12); fiat_curve25519_solinas_addcarryx_u64(&x92, &x93, x91, x78, x4); fiat_curve25519_solinas_addcarryx_u64(&x94, &x95, x93, x80, 0x0); - fiat_curve25519_solinas_mulx_u64(&x96, &x97, UINT8_C(0x26), x92); - fiat_curve25519_solinas_mulx_u64(&x98, &x99, UINT8_C(0x26), x90); - fiat_curve25519_solinas_mulx_u64(&x100, &x101, UINT8_C(0x26), x88); - fiat_curve25519_solinas_addcarryx_u64(&x102, &x103, 0x0, x82, x98); - fiat_curve25519_solinas_addcarryx_u64(&x104, &x105, x103, x84, x96); - fiat_curve25519_solinas_mulx_u64(&x106, &x107, UINT8_C(0x26), x94); - fiat_curve25519_solinas_addcarryx_u64(&x108, &x109, x105, x86, x106); - fiat_curve25519_solinas_mulx_u64(&x110, &x111, UINT8_C(0x26), x94); - x112 = (x109 + x111); - fiat_curve25519_solinas_addcarryx_u64(&x113, &x114, 0x0, x31, x100); - fiat_curve25519_solinas_addcarryx_u64(&x115, &x116, x114, x102, x101); - fiat_curve25519_solinas_addcarryx_u64(&x117, &x118, x116, x104, x99); - fiat_curve25519_solinas_addcarryx_u64(&x119, &x120, x118, x108, x97); - x121 = (x120 + x112); - fiat_curve25519_solinas_mulx_u64(&x122, &x123, UINT8_C(0x26), x121); - fiat_curve25519_solinas_addcarryx_u64(&x124, &x125, 0x0, x113, x122); + fiat_curve25519_solinas_mulx_u64(&x96, &x97, UINT8_C(0x26), x94); + fiat_curve25519_solinas_mulx_u64(&x98, &x99, UINT8_C(0x26), x92); + fiat_curve25519_solinas_mulx_u64(&x100, &x101, UINT8_C(0x26), x90); + fiat_curve25519_solinas_mulx_u64(&x102, &x103, UINT8_C(0x26), x88); + fiat_curve25519_solinas_addcarryx_u64(&x104, &x105, 0x0, x82, x100); + fiat_curve25519_solinas_addcarryx_u64(&x106, &x107, x105, x84, x98); + fiat_curve25519_solinas_addcarryx_u64(&x108, &x109, x107, x86, x96); + x110 = (x109 + x97); + fiat_curve25519_solinas_addcarryx_u64(&x111, &x112, 0x0, x31, x102); + fiat_curve25519_solinas_addcarryx_u64(&x113, &x114, x112, x104, x103); + 
fiat_curve25519_solinas_addcarryx_u64(&x115, &x116, x114, x106, x101); + fiat_curve25519_solinas_addcarryx_u64(&x117, &x118, x116, x108, x99); + x119 = (x118 + x110); + fiat_curve25519_solinas_mulx_u64(&x120, &x121, UINT8_C(0x26), x119); + fiat_curve25519_solinas_addcarryx_u64(&x122, &x123, 0x0, x111, x120); + fiat_curve25519_solinas_addcarryx_u64(&x124, &x125, x123, x113, 0x0); fiat_curve25519_solinas_addcarryx_u64(&x126, &x127, x125, x115, 0x0); fiat_curve25519_solinas_addcarryx_u64(&x128, &x129, x127, x117, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x130, &x131, x129, x119, 0x0); - fiat_curve25519_solinas_mulx_u64(&x132, &x133, UINT8_C(0x26), x131); - fiat_curve25519_solinas_addcarryx_u64(&x134, &x135, 0x0, x124, x132); - fiat_curve25519_solinas_addcarryx_u64(&x136, &x137, x135, x126, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x138, &x139, x137, x128, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x140, &x141, x139, x130, 0x0); - out1[0] = x134; - out1[1] = x136; - out1[2] = x138; - out1[3] = x140; + fiat_curve25519_solinas_cmovznz_u64(&x130, x129, 0x0, UINT8_C(0x26)); + x131 = ((fiat_curve25519_solinas_uint128)x130 + x122); + x132 = (uint64_t)(x131 & UINT64_C(0xffffffffffffffff)); + out1[0] = x132; + out1[1] = x124; + out1[2] = x126; + out1[3] = x128; +} + +/* + * The function fiat_curve25519_solinas_square squares a field element. 
+ * + * Postconditions: + * eval4 out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval4 arg1 * eval4 arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 + * + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_square(uint64_t out1[4], const uint64_t arg1[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + fiat_curve25519_solinas_uint1 x12; + uint64_t x13; + fiat_curve25519_solinas_uint1 x14; + uint64_t x15; + fiat_curve25519_solinas_uint1 x16; + uint64_t x17; + fiat_curve25519_solinas_uint1 x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + fiat_curve25519_solinas_uint1 x23; + uint64_t x24; + fiat_curve25519_solinas_uint1 x25; + uint64_t x26; + fiat_curve25519_solinas_uint1 x27; + uint64_t x28; + fiat_curve25519_solinas_uint1 x29; + uint64_t x30; + fiat_curve25519_solinas_uint1 x31; + uint64_t x32; + fiat_curve25519_solinas_uint1 x33; + uint64_t x34; + fiat_curve25519_solinas_uint1 x35; + uint64_t x36; + fiat_curve25519_solinas_uint1 x37; + uint64_t x38; + fiat_curve25519_solinas_uint1 x39; + uint64_t x40; + fiat_curve25519_solinas_uint1 x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + fiat_curve25519_solinas_uint1 x52; + uint64_t x53; + fiat_curve25519_solinas_uint1 x54; + uint64_t x55; + fiat_curve25519_solinas_uint1 x56; + uint64_t x57; + fiat_curve25519_solinas_uint1 x58; + uint64_t x59; + fiat_curve25519_solinas_uint1 
x60; + uint64_t x61; + fiat_curve25519_solinas_uint1 x62; + uint64_t x63; + fiat_curve25519_solinas_uint1 x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + fiat_curve25519_solinas_uint1 x74; + uint64_t x75; + fiat_curve25519_solinas_uint1 x76; + uint64_t x77; + fiat_curve25519_solinas_uint1 x78; + uint64_t x79; + uint64_t x80; + fiat_curve25519_solinas_uint1 x81; + uint64_t x82; + fiat_curve25519_solinas_uint1 x83; + uint64_t x84; + fiat_curve25519_solinas_uint1 x85; + uint64_t x86; + fiat_curve25519_solinas_uint1 x87; + uint64_t x88; + uint64_t x89; + uint64_t x90; + uint64_t x91; + fiat_curve25519_solinas_uint1 x92; + uint64_t x93; + fiat_curve25519_solinas_uint1 x94; + uint64_t x95; + fiat_curve25519_solinas_uint1 x96; + uint64_t x97; + fiat_curve25519_solinas_uint1 x98; + uint64_t x99; + fiat_curve25519_solinas_uint128 x100; + uint64_t x101; + fiat_curve25519_solinas_mulx_u64(&x1, &x2, (arg1[0]), (arg1[3])); + fiat_curve25519_solinas_mulx_u64(&x3, &x4, (arg1[0]), (arg1[2])); + fiat_curve25519_solinas_mulx_u64(&x5, &x6, (arg1[0]), (arg1[1])); + fiat_curve25519_solinas_mulx_u64(&x7, &x8, (arg1[3]), (arg1[2])); + fiat_curve25519_solinas_mulx_u64(&x9, &x10, (arg1[3]), (arg1[1])); + fiat_curve25519_solinas_addcarryx_u64(&x11, &x12, 0x0, x6, x3); + fiat_curve25519_solinas_addcarryx_u64(&x13, &x14, x12, x4, x1); + fiat_curve25519_solinas_addcarryx_u64(&x15, &x16, x14, x2, x9); + fiat_curve25519_solinas_addcarryx_u64(&x17, &x18, x16, x10, x7); + x19 = (x18 + x8); + fiat_curve25519_solinas_mulx_u64(&x20, &x21, (arg1[1]), (arg1[2])); + fiat_curve25519_solinas_addcarryx_u64(&x22, &x23, 0x0, x13, x20); + fiat_curve25519_solinas_addcarryx_u64(&x24, &x25, x23, x15, x21); + fiat_curve25519_solinas_addcarryx_u64(&x26, &x27, x25, x17, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x28, &x29, x27, x19, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x30, &x31, 0x0, x5, x5); + 
fiat_curve25519_solinas_addcarryx_u64(&x32, &x33, x31, x11, x11); + fiat_curve25519_solinas_addcarryx_u64(&x34, &x35, x33, x22, x22); + fiat_curve25519_solinas_addcarryx_u64(&x36, &x37, x35, x24, x24); + fiat_curve25519_solinas_addcarryx_u64(&x38, &x39, x37, x26, x26); + fiat_curve25519_solinas_addcarryx_u64(&x40, &x41, x39, x28, x28); + x42 = (((uint64_t)x41 + x29) + (uint64_t)x29); + fiat_curve25519_solinas_mulx_u64(&x43, &x44, (arg1[3]), (arg1[3])); + fiat_curve25519_solinas_mulx_u64(&x45, &x46, (arg1[2]), (arg1[2])); + fiat_curve25519_solinas_mulx_u64(&x47, &x48, (arg1[1]), (arg1[1])); + fiat_curve25519_solinas_mulx_u64(&x49, &x50, (arg1[0]), (arg1[0])); + fiat_curve25519_solinas_addcarryx_u64(&x51, &x52, 0x0, x30, x50); + fiat_curve25519_solinas_addcarryx_u64(&x53, &x54, x52, x32, x47); + fiat_curve25519_solinas_addcarryx_u64(&x55, &x56, x54, x34, x48); + fiat_curve25519_solinas_addcarryx_u64(&x57, &x58, x56, x36, x45); + fiat_curve25519_solinas_addcarryx_u64(&x59, &x60, x58, x38, x46); + fiat_curve25519_solinas_addcarryx_u64(&x61, &x62, x60, x40, x43); + fiat_curve25519_solinas_addcarryx_u64(&x63, &x64, x62, x42, x44); + fiat_curve25519_solinas_mulx_u64(&x65, &x66, UINT8_C(0x26), x63); + fiat_curve25519_solinas_mulx_u64(&x67, &x68, UINT8_C(0x26), x61); + fiat_curve25519_solinas_mulx_u64(&x69, &x70, UINT8_C(0x26), x59); + fiat_curve25519_solinas_mulx_u64(&x71, &x72, UINT8_C(0x26), x57); + fiat_curve25519_solinas_addcarryx_u64(&x73, &x74, 0x0, x51, x69); + fiat_curve25519_solinas_addcarryx_u64(&x75, &x76, x74, x53, x67); + fiat_curve25519_solinas_addcarryx_u64(&x77, &x78, x76, x55, x65); + x79 = (x78 + x66); + fiat_curve25519_solinas_addcarryx_u64(&x80, &x81, 0x0, x49, x71); + fiat_curve25519_solinas_addcarryx_u64(&x82, &x83, x81, x73, x72); + fiat_curve25519_solinas_addcarryx_u64(&x84, &x85, x83, x75, x70); + fiat_curve25519_solinas_addcarryx_u64(&x86, &x87, x85, x77, x68); + x88 = (x87 + x79); + fiat_curve25519_solinas_mulx_u64(&x89, &x90, UINT8_C(0x26), 
x88); + fiat_curve25519_solinas_addcarryx_u64(&x91, &x92, 0x0, x80, x89); + fiat_curve25519_solinas_addcarryx_u64(&x93, &x94, x92, x82, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x95, &x96, x94, x84, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x97, &x98, x96, x86, 0x0); + fiat_curve25519_solinas_cmovznz_u64(&x99, x98, 0x0, UINT8_C(0x26)); + x100 = ((fiat_curve25519_solinas_uint128)x99 + x91); + x101 = (uint64_t)(x100 & UINT64_C(0xffffffffffffffff)); + out1[0] = x101; + out1[1] = x93; + out1[2] = x95; + out1[3] = x97; } diff --git a/fiat-go/64/curve25519solinas/curve25519solinas.go b/fiat-go/64/curve25519solinas/curve25519solinas.go index 11967afdc8..57c1fe6d35 100644 --- a/fiat-go/64/curve25519solinas/curve25519solinas.go +++ b/fiat-go/64/curve25519solinas/curve25519solinas.go 
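Review bot: `fiat_curve25519_solinas_square` ends with `x100 = ((fiat_curve25519_solinas_uint128)x99 + x91); x101 = (uint64_t)(x100 & UINT64_C(0xffffffffffffffff));`, which silently discards any carry out of the final `+38` correction (the rewritten tail of `mul` does the same with `x131`/`x132`); that is only sound if `x91` is provably small whenever the selector `x98` is 1, and the commit message calls this output unverified, so that argument needs to be written down — ideally as the proof — before the functions are used. The header says "squares a field element" but the stated Output Bounds are the full `[0x0 ~> 0xffffffffffffffff]` per limb, which exceeds p, so the result is congruent to arg1^2 mod p but not canonical; the generated doc comment should carry something like `/* Output is not fully reduced: it may exceed p. Canonicalize before serializing or comparing. */`. `x64`, the carry from the last `addcarryx` of the squaring accumulation, is declared and written but never read; for a 512-bit product that carry is expected to be zero, which is worth a comment rather than a dangling variable. The header of `mul` starts outside this hunk.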
@@ -1,12 +1,12 @@ // Code generated by Fiat Cryptography. DO NOT EDIT. // -// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mul +// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mul square // // curve description (via package name): curve25519solinas // // machine_wordsize = 64 (from "64") // -// requested operations: mul +// requested operations: mul, square // // s-c = 2^255 - [(1, 19)] (from "2^255 - 19") // 
@@ -22,6 +22,25 @@ import "math/bits" type uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 type int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 +var _ = error_Go_output_does_not_support_128_bit_integers___instead_use_rewriting_rules_for_removing_128_bit_integers + +// cmovznzU64 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] +func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 +} + // Mul multiplies two field elements. // // Postconditions: 
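Review bot: The added `var _ = error_Go_output_does_not_support_128_bit_integers___instead_use_rewriting_rules_for_removing_128_bit_integers` references an undefined identifier, so package `curve25519solinas` no longer builds; it is the generator's sentinel for the `uint128(...)` expressions that appear later in `Mul` and `Square` in this file, which Go cannot express. Because each 128-bit sum there is immediately masked to 64 bits, it is equivalent to a wrapping `uint64` add (`x132 := x130 + x122`), so the fix is a rewriting rule in the Go backend rather than a hand edit of this autogenerated file, and the Go output should not be committed as buildable until then. The `cmovznzU64` helper itself is fine: with `type uint1 uint64`, `uint64(arg1) * 0xffffffffffffffff` yields the all-ones mask for arg1 = 1, as `--cmovznz-by-mul` intends.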
@@ -173,45 +192,47 @@ func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { x94, _ = bits.Add64(x80, uint64(0x0), uint64(uint1(x93))) var x96 uint64 var x97 uint64 - x97, x96 = bits.Mul64(0x26, x92) + x97, x96 = bits.Mul64(0x26, x94) var x98 uint64 var x99 uint64 - x99, x98 = bits.Mul64(0x26, x90) + x99, x98 = bits.Mul64(0x26, x92) var x100 uint64 var x101 uint64 - x101, x100 = bits.Mul64(0x26, x88) + x101, x100 = bits.Mul64(0x26, x90) var x102 uint64 var x103 uint64 - x102, x103 = bits.Add64(x82, x98, uint64(0x0)) + x103, x102 = bits.Mul64(0x26, x88) var x104 uint64 var x105 uint64 - x104, x105 = bits.Add64(x84, x96, uint64(uint1(x103))) + x104, x105 = bits.Add64(x82, x100, uint64(0x0)) var x106 uint64 - _, x106 = bits.Mul64(0x26, x94) + var x107 uint64 + x106, x107 = bits.Add64(x84, x98, uint64(uint1(x105))) var x108 uint64 var x109 uint64 - x108, x109 = bits.Add64(x86, x106, uint64(uint1(x105))) + x108, x109 = bits.Add64(x86, x96, uint64(uint1(x107))) + x110 := (uint64(uint1(x109)) + x97) var x111 uint64 - x111, _ = bits.Mul64(0x26, x94) - x112 := (uint64(uint1(x109)) + x111) + var x112 uint64 + x111, x112 = bits.Add64(x31, x102, uint64(0x0)) var x113 uint64 var x114 uint64 - x113, x114 = bits.Add64(x31, x100, uint64(0x0)) + x113, x114 = bits.Add64(x104, x103, uint64(uint1(x112))) var x115 uint64 var x116 uint64 - x115, x116 = bits.Add64(x102, x101, uint64(uint1(x114))) + x115, x116 = bits.Add64(x106, x101, uint64(uint1(x114))) var x117 uint64 var x118 uint64 - x117, x118 = bits.Add64(x104, x99, uint64(uint1(x116))) - var x119 uint64 + x117, x118 = bits.Add64(x108, x99, uint64(uint1(x116))) + x119 := (uint64(uint1(x118)) + x110) var x120 uint64 - x119, x120 = bits.Add64(x108, x97, uint64(uint1(x118))) - x121 := (uint64(uint1(x120)) + x112) + _, x120 = bits.Mul64(0x26, x119) var x122 uint64 - _, x122 = bits.Mul64(0x26, x121) + var x123 uint64 + x122, x123 = bits.Add64(x111, x120, uint64(0x0)) var x124 uint64 var x125 uint64 - x124, x125 = bits.Add64(x113, 
x122, uint64(0x0)) + x124, x125 = bits.Add64(x113, uint64(0x0), uint64(uint1(x123))) var x126 uint64 var x127 uint64 x126, x127 = bits.Add64(x115, uint64(0x0), uint64(uint1(x125))) 
@@ -219,23 +240,174 @@ func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { var x129 uint64 x128, x129 = bits.Add64(x117, uint64(0x0), uint64(uint1(x127))) var x130 uint64 - var x131 uint64 - x130, x131 = bits.Add64(x119, uint64(0x0), uint64(uint1(x129))) - var x132 uint64 - _, x132 = bits.Mul64(0x26, uint1(x131)) - var x134 uint64 - var x135 uint64 - x134, x135 = bits.Add64(x124, x132, uint64(0x0)) - var x136 uint64 - var x137 uint64 - x136, x137 = bits.Add64(x126, uint64(0x0), uint64(uint1(x135))) - var x138 uint64 - var x139 uint64 - x138, x139 = bits.Add64(x128, uint64(0x0), uint64(uint1(x137))) - var x140 uint64 - x140, _ = bits.Add64(x130, uint64(0x0), uint64(uint1(x139))) - out1[0] = x134 - out1[1] = x136 - out1[2] = x138 - out1[3] = x140 + cmovznzU64(&x130, uint1(x129), uint64(0x0), 0x26) + x131 := (uint128(x130) + uint128(x122)) + x132 := (uint64(x131) & 0xffffffffffffffff) + out1[0] = x132 + out1[1] = x124 + out1[2] = x126 + out1[3] = x128 +} + +// Square squares a field element. 
+// +// Postconditions: +// eval4 out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval4 arg1 * eval4 arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +func Square(out1 *[4]uint64, arg1 *[4]uint64) { + var x1 uint64 + var x2 uint64 + x2, x1 = bits.Mul64(arg1[0], arg1[3]) + var x3 uint64 + var x4 uint64 + x4, x3 = bits.Mul64(arg1[0], arg1[2]) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(arg1[0], arg1[1]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(arg1[3], arg1[2]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[3], arg1[1]) + var x11 uint64 + var x12 uint64 + x11, x12 = bits.Add64(x6, x3, uint64(0x0)) + var x13 uint64 + var x14 uint64 + x13, x14 = bits.Add64(x4, x1, uint64(uint1(x12))) + var x15 uint64 + var x16 uint64 + x15, x16 = bits.Add64(x2, x9, uint64(uint1(x14))) + var x17 uint64 + var x18 uint64 + x17, x18 = bits.Add64(x10, x7, uint64(uint1(x16))) + x19 := (uint64(uint1(x18)) + x8) + var x20 uint64 + var x21 uint64 + x21, x20 = bits.Mul64(arg1[1], arg1[2]) + var x22 uint64 + var x23 uint64 + x22, x23 = bits.Add64(x13, x20, uint64(0x0)) + var x24 uint64 + var x25 uint64 + x24, x25 = bits.Add64(x15, x21, uint64(uint1(x23))) + var x26 uint64 + var x27 uint64 + x26, x27 = bits.Add64(x17, uint64(0x0), uint64(uint1(x25))) + var x28 uint64 + var x29 uint64 + x28, x29 = bits.Add64(x19, uint64(0x0), uint64(uint1(x27))) + var x30 uint64 + var x31 uint64 + x30, x31 = bits.Add64(x5, x5, uint64(0x0)) + var x32 uint64 + var x33 uint64 + x32, x33 = bits.Add64(x11, x11, uint64(uint1(x31))) + var x34 uint64 + var x35 uint64 + x34, x35 = bits.Add64(x22, x22, 
uint64(uint1(x33))) + var x36 uint64 + var x37 uint64 + x36, x37 = bits.Add64(x24, x24, uint64(uint1(x35))) + var x38 uint64 + var x39 uint64 + x38, x39 = bits.Add64(x26, x26, uint64(uint1(x37))) + var x40 uint64 + var x41 uint64 + x40, x41 = bits.Add64(x28, x28, uint64(uint1(x39))) + x42 := ((uint64(uint1(x41)) + uint64(uint1(x29))) + uint64(uint1(x29))) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(arg1[3], arg1[3]) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(arg1[2], arg1[2]) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(arg1[1], arg1[1]) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(arg1[0], arg1[0]) + var x51 uint64 + var x52 uint64 + x51, x52 = bits.Add64(x30, x50, uint64(0x0)) + var x53 uint64 + var x54 uint64 + x53, x54 = bits.Add64(x32, x47, uint64(uint1(x52))) + var x55 uint64 + var x56 uint64 + x55, x56 = bits.Add64(x34, x48, uint64(uint1(x54))) + var x57 uint64 + var x58 uint64 + x57, x58 = bits.Add64(x36, x45, uint64(uint1(x56))) + var x59 uint64 + var x60 uint64 + x59, x60 = bits.Add64(x38, x46, uint64(uint1(x58))) + var x61 uint64 + var x62 uint64 + x61, x62 = bits.Add64(x40, x43, uint64(uint1(x60))) + var x63 uint64 + x63, _ = bits.Add64(x42, x44, uint64(uint1(x62))) + var x65 uint64 + var x66 uint64 + x66, x65 = bits.Mul64(0x26, x63) + var x67 uint64 + var x68 uint64 + x68, x67 = bits.Mul64(0x26, x61) + var x69 uint64 + var x70 uint64 + x70, x69 = bits.Mul64(0x26, x59) + var x71 uint64 + var x72 uint64 + x72, x71 = bits.Mul64(0x26, x57) + var x73 uint64 + var x74 uint64 + x73, x74 = bits.Add64(x51, x69, uint64(0x0)) + var x75 uint64 + var x76 uint64 + x75, x76 = bits.Add64(x53, x67, uint64(uint1(x74))) + var x77 uint64 + var x78 uint64 + x77, x78 = bits.Add64(x55, x65, uint64(uint1(x76))) + x79 := (uint64(uint1(x78)) + x66) + var x80 uint64 + var x81 uint64 + x80, x81 = bits.Add64(x49, x71, uint64(0x0)) + var x82 uint64 + var x83 uint64 + x82, x83 = bits.Add64(x73, x72, uint64(uint1(x81))) + var x84 
uint64 + var x85 uint64 + x84, x85 = bits.Add64(x75, x70, uint64(uint1(x83))) + var x86 uint64 + var x87 uint64 + x86, x87 = bits.Add64(x77, x68, uint64(uint1(x85))) + x88 := (uint64(uint1(x87)) + x79) + var x89 uint64 + _, x89 = bits.Mul64(0x26, x88) + var x91 uint64 + var x92 uint64 + x91, x92 = bits.Add64(x80, x89, uint64(0x0)) + var x93 uint64 + var x94 uint64 + x93, x94 = bits.Add64(x82, uint64(0x0), uint64(uint1(x92))) + var x95 uint64 + var x96 uint64 + x95, x96 = bits.Add64(x84, uint64(0x0), uint64(uint1(x94))) + var x97 uint64 + var x98 uint64 + x97, x98 = bits.Add64(x86, uint64(0x0), uint64(uint1(x96))) + var x99 uint64 + cmovznzU64(&x99, uint1(x98), uint64(0x0), 0x26) + x100 := (uint128(x99) + uint128(x91)) + x101 := (uint64(x100) & 0xffffffffffffffff) + out1[0] = x101 + out1[1] = x93 + out1[2] = x95 + out1[3] = x97 } diff --git a/fiat-json/src/curve25519_solinas_64.json b/fiat-json/src/curve25519_solinas_64.json index 0c0e4c1b8b..96a4aabfb5 100644 --- a/fiat-json/src/curve25519_solinas_64.json +++ b/fiat-json/src/curve25519_solinas_64.json 
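Review bot: `x100 := (uint128(x99) + uint128(x91))` and `x101 := (uint64(x100) & 0xffffffffffffffff)` in `Square`, and the identical `x131`/`x132` pair at the end of `Mul` in this hunk, do not compile because Go has no `uint128` type — this is what the sentinel error variable at the top of the file is flagging. Masking a 128-bit sum down to 64 bits is exactly Go's wrapping `uint64` addition, so the intended code is `x101 := x99 + x91` (resp. `x132 := x130 + x122`), emitted by the generator's Go backend rather than patched into this autogenerated file. As with the C output, dropping that carry is only correct if `x91` is small whenever `x98` is set, and the commit describes the code as unverified, so a proof or at least a comment should pin that down before the package is relied on. The `Square` doc comment should also state that the output, bounded by `0xffffffffffffffff` per limb, is not reduced below p.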
@@ -475,6 +475,217 @@ } ] }, + { + "operation": "fiat_curve25519_solinas_cmovznz_u64", + "arguments": [ + { + "datatype": "u1", + "name": "arg1", + "lbound": "0x0", + "ubound": "0x1" + }, + { + "datatype": "u64", + "name": "arg2", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + }, + { + "datatype": "u64", + "name": "arg3", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + } + ], + "returns": [ + { + "datatype": "u64", + "name": "out1", + "lbound": "0x0", + "ubound": "0xffffffffffffffff" + } + ], + "body": [ + { + "datatype": "u1", + "name": [ + "x1" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "!", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "!", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1" + ] + } + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x2" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "i1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "i1", + "name": [], + "operation": "-", + "arguments": [ + "0x0", + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + } + ] + } + ] + }, + "0xffffffffffffffff" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x3" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "|", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x2" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + 
"arguments": [ + "arg3" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "~", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x2" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2" + ] + } + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1" + ], + "operation": "static_cast", + "arguments": [ + "x3" + ] + } + ] + }, { "operation": "fiat_curve25519_solinas_mul", "arguments": [ @@ -2705,7 +2916,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x92" + "x94" ] } ] @@ -2734,7 +2945,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x90" + "x92" ] } ] @@ -2763,7 +2974,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x88" + "x90" ] } ] @@ -2776,6 +2987,35 @@ "x102", "x103" ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x88" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x104", + "x105" + ], "operation": "addcarryx", "parameters": { "size": 64 @@ -2807,7 +3047,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x98" + "x100" ] } ] @@ -2817,8 +3057,8 @@ { "datatype": "(auto)", "name": [ - "x104", - "x105" + "x106", + "x107" ], "operation": "addcarryx", "parameters": { @@ -2835,7 +3075,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x103" + "x105" ] } ] @@ -2865,7 +3105,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x96" + "x98" ] } ] 
@@ -2875,15 +3115,29 @@ { "datatype": "(auto)", "name": [ - "x106", - "_" + "x108", + "x109" ], - "operation": "mulx", + "operation": "addcarryx", "parameters": { "size": 64 }, "arguments": [ - "0x26", + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x107" + ] + } + ] + }, { "datatype": "u64", "name": [], 
@@ -2894,18 +3148,2206 @@ "name": [], "operation": "static_cast", "arguments": [ - "x94" + "x86" ] } ] - } - ] - }, - { + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x96" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x110" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x109" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x97" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x111", + "x112" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x31" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x102" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x113", + "x114" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x112" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x104" + ] + } 
+ ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x103" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x115", + "x116" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x114" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x106" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x101" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x117", + "x118" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x116" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x108" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x99" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x119" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": 
[], + "operation": "static_cast", + "arguments": [ + "x118" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x110" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x120", + "_" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x119" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x122", + "x123" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x111" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x120" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x124", + "x125" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x123" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x113" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x126", + "x127" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x125" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + 
{ + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x115" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x128", + "x129" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x127" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x117" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "x130" + ], + "operation": "cmovznz", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x129" + ] + } + ] + }, + "0x0", + "0x26" + ] + }, + { + "datatype": "u128", + "name": [ + "x131" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x130" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x122" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x132" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x131" + ] + }, + "0xffffffffffffffff" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[0]" + ], + "operation": "static_cast", + "arguments": [ + "x132" + ] + }, + { + "datatype": "u64", + "name": [ + "out1[1]" + ], + 
"operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x124" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[2]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x126" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[3]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x128" + ] + } + ] + } + ] + }, + { + "operation": "fiat_curve25519_solinas_square", + "arguments": [ + { + "datatype": "u64[4]", + "name": "arg1", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + } + ], + "returns": [ + { + "datatype": "u64[4]", + "name": "out1", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + } + ], + "body": [ + { + "datatype": "(auto)", + "name": [ + "x1", + "x2" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x3", + "x4" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x5", + "x6" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + 
"datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x7", + "x8" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x9", + "x10" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x11", + "x12" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x6" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x3" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x13", + "x14" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x12" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + 
"x4" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x15", + "x16" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x14" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x2" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x9" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x17", + "x18" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x16" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x10" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x7" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x19" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], 
+ "operation": "static_cast", + "arguments": [ + "x18" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x8" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x20", + "x21" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x22", + "x23" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x13" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x20" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x24", + "x25" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x23" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x15" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x21" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x26", + "x27" + ], 
+ "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x25" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x17" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x28", + "x29" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x27" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x19" + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x30", + "x31" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x5" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x5" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x32", + "x33" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x31" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + 
"arguments": [ + "x11" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x11" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x34", + "x35" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x33" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x22" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x22" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x36", + "x37" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x35" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x24" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x24" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x38", + "x39" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + 
"operation": "static_cast", + "arguments": [ + "x37" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x26" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x26" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x40", + "x41" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x39" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x28" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x28" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x42" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x41" + ] + } + ] + }, + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x29" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "u1", + "name": [], + 
"operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x29" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x43", + "x44" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x45", + "x46" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x47", + "x48" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x49", + "x50" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x51", + "x52" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x30" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], 
+ "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x50" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x53", + "x54" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x52" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x32" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x47" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x55", + "x56" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x54" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x34" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x48" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x57", + "x58" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x56" + ] + } + ] + }, + { + 
"datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x36" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x45" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x59", + "x60" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x58" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x38" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x46" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x61", + "x62" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x60" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x40" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x43" + ] + } + ] + } + ] + }, + { "datatype": "(auto)", "name": [ - "x108", - "x109" + "x63", + "_" ], "operation": "addcarryx", "parameters": { 
@@ -2922,22 +5364,276 @@ "name": [], "operation": "static_cast", "arguments": [ - "x105" + "x62" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x42" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x44" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x65", + "x66" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x63" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x67", + "x68" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x61" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x69", + "x70" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x59" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x71", + "x72" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x57" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x73", + "x74" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + 
"datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x51" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x69" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x75", + "x76" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x74" ] } ] }, { - "datatype": "u64", + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x53" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x67" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x77", + "x78" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", "name": [], "operation": "static_cast", "arguments": [ { - "datatype": "u64", + "datatype": "u1", "name": [], "operation": "static_cast", "arguments": [ - "x86" + "x76" ] } ] @@ -2952,25 +5648,11 @@ "name": [], "operation": "static_cast", "arguments": [ - "x106" + "x55" ] } ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "_", - "x111" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", + }, { "datatype": "u64", "name": [], @@ -2981,7 +5663,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x94" + "x65" ] } ] 
@@ -2991,7 +5673,7 @@ { "datatype": "u64", "name": [ - "x112" + "x79" ], "operation": "static_cast", "arguments": [ @@ -3010,7 +5692,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x109" + "x78" ] } ] @@ -3025,7 +5707,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x111" + "x66" ] } ] @@ -3037,8 +5719,8 @@ { "datatype": "(auto)", "name": [ - "x113", - "x114" + "x80", + "x81" ], "operation": "addcarryx", "parameters": { @@ -3056,7 +5738,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x31" + "x49" ] } ] @@ -3071,7 +5753,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x100" + "x71" ] } ] @@ -3081,8 +5763,8 @@ { "datatype": "(auto)", "name": [ - "x115", - "x116" + "x82", + "x83" ], "operation": "addcarryx", "parameters": { @@ -3099,7 +5781,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x114" + "x81" ] } ] @@ -3114,7 +5796,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x102" + "x73" ] } ] @@ -3129,7 +5811,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x101" + "x72" ] } ] @@ -3139,8 +5821,8 @@ { "datatype": "(auto)", "name": [ - "x117", - "x118" + "x84", + "x85" ], "operation": "addcarryx", "parameters": { @@ -3157,7 +5839,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x116" + "x83" ] } ] @@ -3172,7 +5854,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x104" + "x75" ] } ] @@ -3187,7 +5869,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x99" + "x70" ] } ] @@ -3197,8 +5879,8 @@ { "datatype": "(auto)", "name": [ - "x119", - "x120" + "x86", + "x87" ], "operation": "addcarryx", "parameters": { @@ -3215,7 +5897,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x118" + "x85" ] } ] @@ -3230,7 +5912,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x108" + "x77" ] } ] @@ -3245,7 +5927,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x97" + "x68" ] } ] 
@@ -3255,7 +5937,7 @@ { "datatype": "u64", "name": [ - "x121" + "x88" ], "operation": "static_cast", "arguments": [ @@ -3274,7 +5956,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x120" + "x87" ] } ] @@ -3284,7 +5966,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x112" + "x79" ] } ] @@ -3294,7 +5976,7 @@ { "datatype": "(auto)", "name": [ - "x122", + "x89", "_" ], "operation": "mulx", @@ -3308,7 +5990,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x121" + "x88" ] } ] @@ -3316,8 +5998,8 @@ { "datatype": "(auto)", "name": [ - "x124", - "x125" + "x91", + "x92" ], "operation": "addcarryx", "parameters": { @@ -3335,7 +6017,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x113" + "x80" ] } ] @@ -3350,7 +6032,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x122" + "x89" ] } ] @@ -3360,8 +6042,8 @@ { "datatype": "(auto)", "name": [ - "x126", - "x127" + "x93", + "x94" ], "operation": "addcarryx", "parameters": { @@ -3378,7 +6060,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x125" + "x92" ] } ] @@ -3393,7 +6075,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x115" + "x82" ] } ] @@ -3404,8 +6086,8 @@ { "datatype": "(auto)", "name": [ - "x128", - "x129" + "x95", + "x96" ], "operation": "addcarryx", "parameters": { @@ -3422,7 +6104,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x127" + "x94" ] } ] @@ -3437,7 +6119,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x117" + "x84" ] } ] @@ -3448,8 +6130,8 @@ { "datatype": "(auto)", "name": [ - "x130", - "x131" + "x97", + "x98" ], "operation": "addcarryx", "parameters": { @@ -3466,7 +6148,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x129" + "x96" ] } ] @@ -3481,7 +6163,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x119" + "x86" ] } ] 
@@ -3490,17 +6172,12 @@ ] }, { - "datatype": "(auto)", + "datatype": "u64", "name": [ - "x132", - "_" + "x99" ], - "operation": "mulx", - "parameters": { - "size": 64 - }, + "operation": "cmovznz", "arguments": [ - "0x26", { "datatype": "u1", "name": [], 
@@ -3511,187 +6188,77 @@ "name": [], "operation": "static_cast", "arguments": [ - "x131" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x134", - "x135" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x124" + "x98" ] } ] }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x132" - ] - } - ] - } + "0x0", + "0x26" ] }, { - "datatype": "(auto)", + "datatype": "u128", "name": [ - "x136", - "x137" + "x100" ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, + "operation": "static_cast", "arguments": [ { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x135" - ] - } - ] - }, - { - "datatype": "u64", + "datatype": "u128", "name": [], - "operation": "static_cast", + "operation": "+", "arguments": [ { "datatype": "u64", "name": [], "operation": "static_cast", "arguments": [ - "x126" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x138", - "x139" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x137" + "x99" ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ + }, { "datatype": "u64", "name": [], "operation": "static_cast", "arguments": [ - "x128" + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x91" + ] + } ] } ] - }, - "0x0" + } ] }, { - "datatype": "(auto)", 
+ "datatype": "u64", "name": [ - "x140", - "_" + "x101" ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, + "operation": "static_cast", "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x139" - ] - } - ] - }, { "datatype": "u64", "name": [], - "operation": "static_cast", + "operation": "&", "arguments": [ { - "datatype": "u64", + "datatype": "u128", "name": [], "operation": "static_cast", "arguments": [ - "x130" + "x100" ] - } + }, + "0xffffffffffffffff" ] - }, - "0x0" + } ] }, { @@ -3701,14 +6268,7 @@ ], "operation": "static_cast", "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x134" - ] - } + "x101" ] }, { @@ -3723,7 +6283,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x136" + "x93" ] } ] @@ -3740,7 +6300,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x138" + "x95" ] } ] @@ -3757,7 +6317,7 @@ "name": [], "operation": "static_cast", "arguments": [ - "x140" + "x97" ] } ] diff --git a/fiat-rust/src/curve25519_solinas_64.rs b/fiat-rust/src/curve25519_solinas_64.rs index 5a6acf6a88..566b7134b2 100644 --- a/fiat-rust/src/curve25519_solinas_64.rs +++ b/fiat-rust/src/curve25519_solinas_64.rs @@ -1,7 +1,7 @@ -//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mul +//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mul square //! curve description: curve25519_solinas //! machine_wordsize = 64 (from "64") -//! requested operations: mul +//! requested operations: mul, square //! s-c = 2^255 - [(1, 19)] (from "2^255 - 19") //! //! Computed values: 
@@ -81,6 +81,25 @@ pub fn fiat_curve25519_solinas_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u6 *out2 = x3; } +/// The function fiat_curve25519_solinas_cmovznz_u64 is a single-word conditional move. +/// +/// Postconditions: +/// out1 = (if arg1 = 0 then arg2 else arg3) +/// +/// Input Bounds: +/// arg1: [0x0 ~> 0x1] +/// arg2: [0x0 ~> 0xffffffffffffffff] +/// arg3: [0x0 ~> 0xffffffffffffffff] +/// Output Bounds: +/// out1: [0x0 ~> 0xffffffffffffffff] +#[inline] +pub fn fiat_curve25519_solinas_cmovznz_u64(out1: &mut u64, arg1: fiat_curve25519_solinas_u1, arg2: u64, arg3: u64) -> () { + let x1: fiat_curve25519_solinas_u1 = (!(!arg1)); + let x2: u64 = ((((((0x0 as fiat_curve25519_solinas_i2) - (x1 as fiat_curve25519_solinas_i2)) as fiat_curve25519_solinas_i1) as i128) & (0xffffffffffffffff as i128)) as u64); + let x3: u64 = ((x2 & arg3) | ((!x2) & arg2)); + *out1 = x3; +} + /// The function fiat_curve25519_solinas_mul multiplies two field elements. /// /// Postconditions: 
@@ -236,48 +255,48 @@ pub fn fiat_curve25519_solinas_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: & fiat_curve25519_solinas_addcarryx_u64(&mut x94, &mut x95, x93, x80, (0x0 as u64)); let mut x96: u64 = 0; let mut x97: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x96, &mut x97, 0x26, x92); + fiat_curve25519_solinas_mulx_u64(&mut x96, &mut x97, 0x26, x94); let mut x98: u64 = 0; let mut x99: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x98, &mut x99, 0x26, x90); + fiat_curve25519_solinas_mulx_u64(&mut x98, &mut x99, 0x26, x92); let mut x100: u64 = 0; let mut x101: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x100, &mut x101, 0x26, x88); + fiat_curve25519_solinas_mulx_u64(&mut x100, &mut x101, 0x26, x90); let mut x102: u64 = 0; - let mut x103: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x102, &mut x103, 0x0, x82, x98); + let mut x103: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x102, &mut x103, 0x26, x88); let mut x104: u64 = 0; let mut x105: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x104, &mut x105, x103, x84, x96); + fiat_curve25519_solinas_addcarryx_u64(&mut x104, &mut x105, 0x0, x82, x100); let mut x106: u64 = 0; - let mut x107: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x106, &mut x107, 0x26, x94); + let mut x107: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x106, &mut x107, x105, x84, x98); let mut x108: u64 = 0; let mut x109: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x108, &mut x109, x105, x86, x106); - let mut x110: u64 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x108, &mut x109, x107, x86, x96); + let x110: u64 = ((x109 as u64) + x97); let mut x111: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x110, &mut x111, 0x26, x94); - let x112: u64 = ((x109 as u64) + x111); + let mut x112: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x111, &mut x112, 0x0, x31, x102); let 
mut x113: u64 = 0; let mut x114: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x113, &mut x114, 0x0, x31, x100); + fiat_curve25519_solinas_addcarryx_u64(&mut x113, &mut x114, x112, x104, x103); let mut x115: u64 = 0; let mut x116: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x115, &mut x116, x114, x102, x101); + fiat_curve25519_solinas_addcarryx_u64(&mut x115, &mut x116, x114, x106, x101); let mut x117: u64 = 0; let mut x118: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x117, &mut x118, x116, x104, x99); - let mut x119: u64 = 0; - let mut x120: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x119, &mut x120, x118, x108, x97); - let x121: u64 = ((x120 as u64) + x112); + fiat_curve25519_solinas_addcarryx_u64(&mut x117, &mut x118, x116, x108, x99); + let x119: u64 = ((x118 as u64) + x110); + let mut x120: u64 = 0; + let mut x121: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x120, &mut x121, 0x26, x119); let mut x122: u64 = 0; - let mut x123: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x122, &mut x123, 0x26, x121); + let mut x123: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x122, &mut x123, 0x0, x111, x120); let mut x124: u64 = 0; let mut x125: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x124, &mut x125, 0x0, x113, x122); + fiat_curve25519_solinas_addcarryx_u64(&mut x124, &mut x125, x123, x113, (0x0 as u64)); let mut x126: u64 = 0; let mut x127: fiat_curve25519_solinas_u1 = 0; fiat_curve25519_solinas_addcarryx_u64(&mut x126, &mut x127, x125, x115, (0x0 as u64)); 
@@ -285,25 +304,177 @@ pub fn fiat_curve25519_solinas_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: & let mut x129: fiat_curve25519_solinas_u1 = 0; fiat_curve25519_solinas_addcarryx_u64(&mut x128, &mut x129, x127, x117, (0x0 as u64)); let mut x130: u64 = 0; - let mut x131: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x130, &mut x131, x129, x119, (0x0 as u64)); - let mut x132: u64 = 0; - let mut x133: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x132, &mut x133, 0x26, x131); - let mut x134: u64 = 0; - let mut x135: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x134, &mut x135, 0x0, x124, x132); - let mut x136: u64 = 0; - let mut x137: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x136, &mut x137, x135, x126, (0x0 as u64)); - let mut x138: u64 = 0; - let mut x139: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x138, &mut x139, x137, x128, (0x0 as u64)); - let mut x140: u64 = 0; - let mut x141: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x140, &mut x141, x139, x130, (0x0 as u64)); - out1[0] = x134; - out1[1] = x136; - out1[2] = x138; - out1[3] = x140; + fiat_curve25519_solinas_cmovznz_u64(&mut x130, x129, (0x0 as u64), 0x26); + let x131: u128 = ((x130 as u128) + (x122 as u128)); + let x132: u64 = ((x131 & (0xffffffffffffffff as u128)) as u64); + out1[0] = x132; + out1[1] = x124; + out1[2] = x126; + out1[3] = x128; +} + +/// The function fiat_curve25519_solinas_square squares a field element. 
+/// +/// Postconditions: +/// eval4 out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval4 arg1 * eval4 arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// +/// Input Bounds: +/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// Output Bounds: +/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +#[inline] +pub fn fiat_curve25519_solinas_square(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { + let mut x1: u64 = 0; + let mut x2: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x1, &mut x2, (arg1[0]), (arg1[3])); + let mut x3: u64 = 0; + let mut x4: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x3, &mut x4, (arg1[0]), (arg1[2])); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x5, &mut x6, (arg1[0]), (arg1[1])); + let mut x7: u64 = 0; + let mut x8: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x7, &mut x8, (arg1[3]), (arg1[2])); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x9, &mut x10, (arg1[3]), (arg1[1])); + let mut x11: u64 = 0; + let mut x12: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x11, &mut x12, 0x0, x6, x3); + let mut x13: u64 = 0; + let mut x14: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x13, &mut x14, x12, x4, x1); + let mut x15: u64 = 0; + let mut x16: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x15, &mut x16, x14, x2, x9); + let mut x17: u64 = 0; + let mut x18: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x17, &mut x18, x16, x10, x7); + let x19: u64 = ((x18 as u64) + x8); + let mut x20: u64 = 0; + let mut x21: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x20, &mut x21, (arg1[1]), (arg1[2])); + let mut 
x22: u64 = 0; + let mut x23: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x22, &mut x23, 0x0, x13, x20); + let mut x24: u64 = 0; + let mut x25: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x24, &mut x25, x23, x15, x21); + let mut x26: u64 = 0; + let mut x27: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x26, &mut x27, x25, x17, (0x0 as u64)); + let mut x28: u64 = 0; + let mut x29: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x28, &mut x29, x27, x19, (0x0 as u64)); + let mut x30: u64 = 0; + let mut x31: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x30, &mut x31, 0x0, x5, x5); + let mut x32: u64 = 0; + let mut x33: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x32, &mut x33, x31, x11, x11); + let mut x34: u64 = 0; + let mut x35: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x34, &mut x35, x33, x22, x22); + let mut x36: u64 = 0; + let mut x37: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x36, &mut x37, x35, x24, x24); + let mut x38: u64 = 0; + let mut x39: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x38, &mut x39, x37, x26, x26); + let mut x40: u64 = 0; + let mut x41: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x40, &mut x41, x39, x28, x28); + let x42: u64 = (((x41 as u64) + (x29 as u64)) + (x29 as u64)); + let mut x43: u64 = 0; + let mut x44: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x43, &mut x44, (arg1[3]), (arg1[3])); + let mut x45: u64 = 0; + let mut x46: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x45, &mut x46, (arg1[2]), (arg1[2])); + let mut x47: u64 = 0; + let mut x48: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x47, &mut x48, (arg1[1]), (arg1[1])); + let mut x49: u64 = 0; + let mut x50: u64 = 0; + 
fiat_curve25519_solinas_mulx_u64(&mut x49, &mut x50, (arg1[0]), (arg1[0])); + let mut x51: u64 = 0; + let mut x52: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x51, &mut x52, 0x0, x30, x50); + let mut x53: u64 = 0; + let mut x54: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x53, &mut x54, x52, x32, x47); + let mut x55: u64 = 0; + let mut x56: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x55, &mut x56, x54, x34, x48); + let mut x57: u64 = 0; + let mut x58: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x57, &mut x58, x56, x36, x45); + let mut x59: u64 = 0; + let mut x60: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x59, &mut x60, x58, x38, x46); + let mut x61: u64 = 0; + let mut x62: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x61, &mut x62, x60, x40, x43); + let mut x63: u64 = 0; + let mut x64: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x63, &mut x64, x62, x42, x44); + let mut x65: u64 = 0; + let mut x66: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x65, &mut x66, 0x26, x63); + let mut x67: u64 = 0; + let mut x68: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x67, &mut x68, 0x26, x61); + let mut x69: u64 = 0; + let mut x70: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x69, &mut x70, 0x26, x59); + let mut x71: u64 = 0; + let mut x72: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x71, &mut x72, 0x26, x57); + let mut x73: u64 = 0; + let mut x74: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x73, &mut x74, 0x0, x51, x69); + let mut x75: u64 = 0; + let mut x76: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x75, &mut x76, x74, x53, x67); + let mut x77: u64 = 0; + let mut x78: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x77, &mut x78, x76, x55, 
x65); + let x79: u64 = ((x78 as u64) + x66); + let mut x80: u64 = 0; + let mut x81: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x80, &mut x81, 0x0, x49, x71); + let mut x82: u64 = 0; + let mut x83: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x82, &mut x83, x81, x73, x72); + let mut x84: u64 = 0; + let mut x85: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x84, &mut x85, x83, x75, x70); + let mut x86: u64 = 0; + let mut x87: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x86, &mut x87, x85, x77, x68); + let x88: u64 = ((x87 as u64) + x79); + let mut x89: u64 = 0; + let mut x90: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x89, &mut x90, 0x26, x88); + let mut x91: u64 = 0; + let mut x92: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x91, &mut x92, 0x0, x80, x89); + let mut x93: u64 = 0; + let mut x94: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x93, &mut x94, x92, x82, (0x0 as u64)); + let mut x95: u64 = 0; + let mut x96: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x95, &mut x96, x94, x84, (0x0 as u64)); + let mut x97: u64 = 0; + let mut x98: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x97, &mut x98, x96, x86, (0x0 as u64)); + let mut x99: u64 = 0; + fiat_curve25519_solinas_cmovznz_u64(&mut x99, x98, (0x0 as u64), 0x26); + let x100: u128 = ((x99 as u128) + (x91 as u128)); + let x101: u64 = ((x100 & (0xffffffffffffffff as u128)) as u64); + out1[0] = x101; + out1[1] = x93; + out1[2] = x95; + out1[3] = x97; } diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig index f81d3716ed..69d211f896 100644 --- a/fiat-zig/src/curve25519_solinas_64.zig +++ b/fiat-zig/src/curve25519_solinas_64.zig 
@@ -1,7 +1,7 @@ -// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mul +// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mul square // curve description (via package name): curve25519_solinas // machine_wordsize = 64 (from "64") -// requested operations: mul +// requested operations: mul, square // s-c = 2^255 - [(1, 19)] (from "2^255 - 19") // // Computed values: @@ -92,6 +92,26 @@ inline fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) void { out2.* = x3; } +/// The function cmovznzU64 is a single-word conditional move. +/// +/// Postconditions: +/// out1 = (if arg1 = 0 then arg2 else arg3) +/// +/// Input Bounds: +/// arg1: [0x0 ~> 0x1] +/// arg2: [0x0 ~> 0xffffffffffffffff] +/// arg3: [0x0 ~> 0xffffffffffffffff] +/// Output Bounds: +/// out1: [0x0 ~> 0xffffffffffffffff] +inline fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) void { + @setRuntimeSafety(mode == .Debug); + + const x1 = (~(~arg1)); + const x2 = cast(u64, (cast(i128, cast(i1, (cast(i2, 0x0) - cast(i2, x1)))) & cast(i128, 0xffffffffffffffff))); + const x3 = ((x2 & arg3) | ((~x2) & arg2)); + out1.* = x3; +} + /// The function mul multiplies two field elements. /// /// Postconditions: 
@@ -248,48 +268,48 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { addcarryxU64(&x94, &x95, x93, x80, cast(u64, 0x0)); var x96: u64 = undefined; var x97: u64 = undefined; - mulxU64(&x96, &x97, 0x26, x92); + mulxU64(&x96, &x97, 0x26, x94); var x98: u64 = undefined; var x99: u64 = undefined; - mulxU64(&x98, &x99, 0x26, x90); + mulxU64(&x98, &x99, 0x26, x92); var x100: u64 = undefined; var x101: u64 = undefined; - mulxU64(&x100, &x101, 0x26, x88); + mulxU64(&x100, &x101, 0x26, x90); var x102: u64 = undefined; - var x103: u1 = undefined; - addcarryxU64(&x102, &x103, 0x0, x82, x98); + var x103: u64 = undefined; + mulxU64(&x102, &x103, 0x26, x88); var x104: u64 = undefined; var x105: u1 = undefined; - addcarryxU64(&x104, &x105, x103, x84, x96); + addcarryxU64(&x104, &x105, 0x0, x82, x100); var x106: u64 = undefined; - var x107: u64 = undefined; - mulxU64(&x106, &x107, 0x26, x94); + var x107: u1 = undefined; + addcarryxU64(&x106, &x107, x105, x84, x98); var x108: u64 = undefined; var x109: u1 = undefined; - addcarryxU64(&x108, &x109, x105, x86, x106); - var x110: u64 = undefined; + addcarryxU64(&x108, &x109, x107, x86, x96); + const x110 = (cast(u64, x109) + x97); var x111: u64 = undefined; - mulxU64(&x110, &x111, 0x26, x94); - const x112 = (cast(u64, x109) + x111); + var x112: u1 = undefined; + addcarryxU64(&x111, &x112, 0x0, x31, x102); var x113: u64 = undefined; var x114: u1 = undefined; - addcarryxU64(&x113, &x114, 0x0, x31, x100); + addcarryxU64(&x113, &x114, x112, x104, x103); var x115: u64 = undefined; var x116: u1 = undefined; - addcarryxU64(&x115, &x116, x114, x102, x101); + addcarryxU64(&x115, &x116, x114, x106, x101); var x117: u64 = undefined; var x118: u1 = undefined; - addcarryxU64(&x117, &x118, x116, x104, x99); - var x119: u64 = undefined; - var x120: u1 = undefined; - addcarryxU64(&x119, &x120, x118, x108, x97); - const x121 = (cast(u64, x120) + x112); + addcarryxU64(&x117, &x118, x116, x108, x99); + const x119 = (cast(u64, x118) + x110); 
+ var x120: u64 = undefined; + var x121: u64 = undefined; + mulxU64(&x120, &x121, 0x26, x119); var x122: u64 = undefined; - var x123: u64 = undefined; - mulxU64(&x122, &x123, 0x26, x121); + var x123: u1 = undefined; + addcarryxU64(&x122, &x123, 0x0, x111, x120); var x124: u64 = undefined; var x125: u1 = undefined; - addcarryxU64(&x124, &x125, 0x0, x113, x122); + addcarryxU64(&x124, &x125, x123, x113, cast(u64, 0x0)); var x126: u64 = undefined; var x127: u1 = undefined; addcarryxU64(&x126, &x127, x125, x115, cast(u64, 0x0)); 
@@ -297,25 +317,178 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { var x129: u1 = undefined; addcarryxU64(&x128, &x129, x127, x117, cast(u64, 0x0)); var x130: u64 = undefined; - var x131: u1 = undefined; - addcarryxU64(&x130, &x131, x129, x119, cast(u64, 0x0)); - var x132: u64 = undefined; - var x133: u64 = undefined; - mulxU64(&x132, &x133, 0x26, x131); - var x134: u64 = undefined; - var x135: u1 = undefined; - addcarryxU64(&x134, &x135, 0x0, x124, x132); - var x136: u64 = undefined; - var x137: u1 = undefined; - addcarryxU64(&x136, &x137, x135, x126, cast(u64, 0x0)); - var x138: u64 = undefined; - var x139: u1 = undefined; - addcarryxU64(&x138, &x139, x137, x128, cast(u64, 0x0)); - var x140: u64 = undefined; - var x141: u1 = undefined; - addcarryxU64(&x140, &x141, x139, x130, cast(u64, 0x0)); - out1[0] = x134; - out1[1] = x136; - out1[2] = x138; - out1[3] = x140; + cmovznzU64(&x130, x129, cast(u64, 0x0), 0x26); + const x131 = (cast(u128, x130) + cast(u128, x122)); + const x132 = cast(u64, (x131 & cast(u128, 0xffffffffffffffff))); + out1[0] = x132; + out1[1] = x124; + out1[2] = x126; + out1[3] = x128; +} + +/// The function square squares a field element. 
+/// +/// Postconditions: +/// eval4 out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval4 arg1 * eval4 arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// +/// Input Bounds: +/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// Output Bounds: +/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +pub fn square(out1: *[4]u64, arg1: [4]u64) void { + @setRuntimeSafety(mode == .Debug); + + var x1: u64 = undefined; + var x2: u64 = undefined; + mulxU64(&x1, &x2, (arg1[0]), (arg1[3])); + var x3: u64 = undefined; + var x4: u64 = undefined; + mulxU64(&x3, &x4, (arg1[0]), (arg1[2])); + var x5: u64 = undefined; + var x6: u64 = undefined; + mulxU64(&x5, &x6, (arg1[0]), (arg1[1])); + var x7: u64 = undefined; + var x8: u64 = undefined; + mulxU64(&x7, &x8, (arg1[3]), (arg1[2])); + var x9: u64 = undefined; + var x10: u64 = undefined; + mulxU64(&x9, &x10, (arg1[3]), (arg1[1])); + var x11: u64 = undefined; + var x12: u1 = undefined; + addcarryxU64(&x11, &x12, 0x0, x6, x3); + var x13: u64 = undefined; + var x14: u1 = undefined; + addcarryxU64(&x13, &x14, x12, x4, x1); + var x15: u64 = undefined; + var x16: u1 = undefined; + addcarryxU64(&x15, &x16, x14, x2, x9); + var x17: u64 = undefined; + var x18: u1 = undefined; + addcarryxU64(&x17, &x18, x16, x10, x7); + const x19 = (cast(u64, x18) + x8); + var x20: u64 = undefined; + var x21: u64 = undefined; + mulxU64(&x20, &x21, (arg1[1]), (arg1[2])); + var x22: u64 = undefined; + var x23: u1 = undefined; + addcarryxU64(&x22, &x23, 0x0, x13, x20); + var x24: u64 = undefined; + var x25: u1 = undefined; + addcarryxU64(&x24, &x25, x23, x15, x21); + var x26: u64 = undefined; + var x27: u1 = undefined; + addcarryxU64(&x26, &x27, x25, x17, cast(u64, 0x0)); + var x28: u64 = undefined; + var x29: u1 = undefined; + 
addcarryxU64(&x28, &x29, x27, x19, cast(u64, 0x0)); + var x30: u64 = undefined; + var x31: u1 = undefined; + addcarryxU64(&x30, &x31, 0x0, x5, x5); + var x32: u64 = undefined; + var x33: u1 = undefined; + addcarryxU64(&x32, &x33, x31, x11, x11); + var x34: u64 = undefined; + var x35: u1 = undefined; + addcarryxU64(&x34, &x35, x33, x22, x22); + var x36: u64 = undefined; + var x37: u1 = undefined; + addcarryxU64(&x36, &x37, x35, x24, x24); + var x38: u64 = undefined; + var x39: u1 = undefined; + addcarryxU64(&x38, &x39, x37, x26, x26); + var x40: u64 = undefined; + var x41: u1 = undefined; + addcarryxU64(&x40, &x41, x39, x28, x28); + const x42 = ((cast(u64, x41) + cast(u64, x29)) + cast(u64, x29)); + var x43: u64 = undefined; + var x44: u64 = undefined; + mulxU64(&x43, &x44, (arg1[3]), (arg1[3])); + var x45: u64 = undefined; + var x46: u64 = undefined; + mulxU64(&x45, &x46, (arg1[2]), (arg1[2])); + var x47: u64 = undefined; + var x48: u64 = undefined; + mulxU64(&x47, &x48, (arg1[1]), (arg1[1])); + var x49: u64 = undefined; + var x50: u64 = undefined; + mulxU64(&x49, &x50, (arg1[0]), (arg1[0])); + var x51: u64 = undefined; + var x52: u1 = undefined; + addcarryxU64(&x51, &x52, 0x0, x30, x50); + var x53: u64 = undefined; + var x54: u1 = undefined; + addcarryxU64(&x53, &x54, x52, x32, x47); + var x55: u64 = undefined; + var x56: u1 = undefined; + addcarryxU64(&x55, &x56, x54, x34, x48); + var x57: u64 = undefined; + var x58: u1 = undefined; + addcarryxU64(&x57, &x58, x56, x36, x45); + var x59: u64 = undefined; + var x60: u1 = undefined; + addcarryxU64(&x59, &x60, x58, x38, x46); + var x61: u64 = undefined; + var x62: u1 = undefined; + addcarryxU64(&x61, &x62, x60, x40, x43); + var x63: u64 = undefined; + var x64: u1 = undefined; + addcarryxU64(&x63, &x64, x62, x42, x44); + var x65: u64 = undefined; + var x66: u64 = undefined; + mulxU64(&x65, &x66, 0x26, x63); + var x67: u64 = undefined; + var x68: u64 = undefined; + mulxU64(&x67, &x68, 0x26, x61); + var x69: u64 = 
undefined; + var x70: u64 = undefined; + mulxU64(&x69, &x70, 0x26, x59); + var x71: u64 = undefined; + var x72: u64 = undefined; + mulxU64(&x71, &x72, 0x26, x57); + var x73: u64 = undefined; + var x74: u1 = undefined; + addcarryxU64(&x73, &x74, 0x0, x51, x69); + var x75: u64 = undefined; + var x76: u1 = undefined; + addcarryxU64(&x75, &x76, x74, x53, x67); + var x77: u64 = undefined; + var x78: u1 = undefined; + addcarryxU64(&x77, &x78, x76, x55, x65); + const x79 = (cast(u64, x78) + x66); + var x80: u64 = undefined; + var x81: u1 = undefined; + addcarryxU64(&x80, &x81, 0x0, x49, x71); + var x82: u64 = undefined; + var x83: u1 = undefined; + addcarryxU64(&x82, &x83, x81, x73, x72); + var x84: u64 = undefined; + var x85: u1 = undefined; + addcarryxU64(&x84, &x85, x83, x75, x70); + var x86: u64 = undefined; + var x87: u1 = undefined; + addcarryxU64(&x86, &x87, x85, x77, x68); + const x88 = (cast(u64, x87) + x79); + var x89: u64 = undefined; + var x90: u64 = undefined; + mulxU64(&x89, &x90, 0x26, x88); + var x91: u64 = undefined; + var x92: u1 = undefined; + addcarryxU64(&x91, &x92, 0x0, x80, x89); + var x93: u64 = undefined; + var x94: u1 = undefined; + addcarryxU64(&x93, &x94, x92, x82, cast(u64, 0x0)); + var x95: u64 = undefined; + var x96: u1 = undefined; + addcarryxU64(&x95, &x96, x94, x84, cast(u64, 0x0)); + var x97: u64 = undefined; + var x98: u1 = undefined; + addcarryxU64(&x97, &x98, x96, x86, cast(u64, 0x0)); + var x99: u64 = undefined; + cmovznzU64(&x99, x98, cast(u64, 0x0), 0x26); + const x100 = (cast(u128, x99) + cast(u128, x91)); + const x101 = cast(u64, (x100 & cast(u128, 0xffffffffffffffff))); + out1[0] = x101; + out1[1] = x93; + out1[2] = x95; + out1[3] = x97; } diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index 26f7c8b1fb..a6ec0c1fb0 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v 
@@ -2005,6 +2005,76 @@ Module SolinasReduction.
 Qed.
 (* END SECTION MULMOD *)
+ Section squaremod.
+
+ Definition sqr_indiv' base (state : list (Z * Z)) (p : list (Z * Z)) :=
+ fold_right (fun a b => b ++ Associational.sat_mul base [a] [a]) state p.
+
+ Definition sqr_indiv base (p : list (Z * Z)) :=
+ sqr_indiv' base [] p.
+
+ Definition square_no_reduce base (p : list Z) :=
+ let p_a := Positional.to_associational weight 4 p in
+ (* a0 * [a1, a2, a3] *)
+ let prod0 := Saturated.Associational.sat_mul base (firstn 1 p_a) (skipn 1 p_a) in
+ (* a3 * [a1, a2] *)
+ let prod1 := Saturated.Associational.sat_mul base (skipn 3 p_a) (firstn 2 (skipn 1 p_a)) in
+ (* first carry chain *)
+ let carry1_a := prod0 ++ prod1 in
+ let carry1_rows := Saturated.Rows.from_associational weight 8 carry1_a in
+ let carry1 := Saturated.Rows.flatten weight 8 carry1_rows in
+ (* a1 * [a2], second carry chain *)
+ let prod2 := Saturated.Associational.sat_mul base (firstn 1 (skipn 1 p_a)) (firstn 1 (skipn 2 p_a)) in
+ let carry2_rows := Saturated.Rows.from_associational weight 8 prod2 in
+ let carry2 := Saturated.Rows.flatten' weight carry1 carry2_rows in
+ (* doubling, third carry chain *)
+ let carry2 := (fst carry2) ++ [snd carry2] in
+ let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in
+ (* squaring, fourth carry chain *)
+ let square_a := sqr_indiv base p_a in
+ let square_rows := Saturated.Rows.from_associational weight 8 square_a in
+ let square := Saturated.Rows.flatten' weight double square_rows in
+ fst square.
+
+ Definition squaremod base s c (p : list Z) :=
+ let sqr := square_no_reduce base p in
+ let r := reduce_full' base s c 4 sqr in
+ r.
+
+ Lemma sat_mul_comm (p q : list (Z * Z)) :
+ Associational.eval (Associational.sat_mul s p q) =
+ Associational.eval (Associational.sat_mul s q p).
+ Proof using n_gt_1 s_pos. push; lia. Qed.
+
+ Lemma sat_mul_distr (p q1 q2 : list (Z * Z)) :
+ Associational.eval (Associational.sat_mul s p (q1 ++ q2)) =
+ Associational.eval (Associational.sat_mul s p q1) +
+ Associational.eval (Associational.sat_mul s p q2).
+ Proof. push; lia. Qed.
+
+ Definition slice' (state p : list (Z*Z)) (inds : list nat) :=
+ fold_right (fun a b => [nth_default (0,0) p a] ++ b) state inds.
+
+ Definition slice (a b : nat) (p : list (Z*Z)) :=
+ let inds := seq a b in
+ slice' [] p inds.
+
+ Lemma skipn_firstn_decomp (p : list (Z*Z)) (a b : nat) :
+ firstn b (skipn a p) = slice a (a + b) p.
+ Proof.
+ induction p.
+ rewrite skipn_nil.
+ rewrite firstn_nil.
+ Admitted.
+
+ Theorem square_no_reduce_correct (p : list Z) :
+ eval weight 4 (square_no_reduce base p) = (eval weight 4 p) * (eval weight 4 p).
+ Proof.
+ cbv [square_no_reduce].
+ Admitted.
+
+ End squaremod.
+
 End __.
 End SolinasReduction.
diff --git a/src/COperationSpecifications.v b/src/COperationSpecifications.v
index ee59191fe5..b1d26974c2 100644
--- a/src/COperationSpecifications.v
+++ b/src/COperationSpecifications.v
@@ -502,6 +502,7 @@ Module SolinasReduction.
 (saturated_bounds : list (option zrange))
 (length_saturated_bouns : length saturated_bounds = n).
 Local Notation eval := (Positional.eval wt n).
+ Local Notation eval4 := (Positional.eval wt 4).
 Definition mul_correct
 (mul : list Z -> list Z -> list Z) :=
@@ -511,6 +512,13 @@ Module SolinasReduction.
 ((eval (mul x y)) mod m = (eval x * eval y) mod m) /\
 (list_Z_bounded_by saturated_bounds (mul x y)).
+ Definition square_correct
+ (square : list Z -> list Z) :=
+ forall x,
+ list_Z_bounded_by saturated_bounds x ->
+ ((eval4 (square x)) mod m = (eval4 x * eval4 x) mod m) /\
+ (list_Z_bounded_by saturated_bounds (square x)).
+
 End __.
 End SolinasReduction.
diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v
index 9a2ca7bf77..5919e39c24 100644
--- a/src/PushButtonSynthesis/SolinasReduction.v
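Review bot: `skipn_firstn_decomp` is not provable as stated: `slice a b p` draws its indices from `seq a b`, i.e. `b` indices starting at `a`, so `slice a (a + b) p` has `a + b` entries while `firstn b (skipn a p)` has at most `b` (for `p = [x; y]` and `a = b = 1` the two sides are `[y]` and `[y; (0, 0)]`); the statement should read `firstn b (skipn a p) = slice a b p`, and the proof will need `a` and `b` generalized before `induction p`. Both that lemma and `square_no_reduce_correct` are left `Admitted`, so `squaremod`, which the reification-cache hunk later in this patch derives a reified version of, currently has no correctness theorem behind it. `square_no_reduce` also hard-codes four limbs (`to_associational weight 4`, `skipn 3 p_a`, `from_associational weight 8`) inside a section parameterized by `n`; the `eval4` notation in the COperationSpecifications.v hunks and `eval4f` in PushButtonSynthesis/SolinasReduction.v encode the same assumption, and `square_correct` there pairs `eval4` with `saturated_bounds`, whose stated length is `n`. A comment such as `(* assumes n = 4: limb indices and the 8-limb product width are hard-coded *)` above `square_no_reduce` would make the restriction visible until it is generalized; the enclosing `Section __` starts outside the hunk.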
+++ b/src/PushButtonSynthesis/SolinasReduction.v
@@ -146,14 +146,17 @@ Section __.
 congruence. }
 Qed.
+ Local Notation eval4f := (eval weight 4).
 Local Notation evalf := (eval weight n).
 Local Notation weightf := weight.
 Local Notation notations_for_docstring :=
 (CorrectnessStringification.dyn_context.cons
- weightf "weight"
+ eval4f "eval4"
 (CorrectnessStringification.dyn_context.cons
- evalf "eval"
- CorrectnessStringification.dyn_context.nil))%string.
+ weightf "weight"
+ (CorrectnessStringification.dyn_context.cons
+ evalf "eval"
+ CorrectnessStringification.dyn_context.nil)))%string.
 Local Notation "'docstring_with_summary_from_lemma!' summary correctness" := (docstring_with_summary_from_lemma_with_ctx! notations_for_docstring
@@ -173,6 +176,17 @@ Section __.
 (Some boundsn, (Some boundsn, tt))
 (Some boundsn).
+ Definition square
+ := Pipeline.BoundsPipeline
+ false (* subst01 *)
+ possible_values
+ (reified_square_gen
+ @ GallinaReify.Reify base
+ @ GallinaReify.Reify s
+ @ GallinaReify.Reify c)
+ (Some boundsn, tt)
+ (Some boundsn).
+
 Definition smul (prefix : string)
 : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _))
 := Eval cbv beta in
@@ -182,6 +196,15 @@ Section __.
 (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string)
 (mul_correct weightf n m boundsn)).
+ Definition ssquare (prefix : string)
+ : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _))
+ := Eval cbv beta in
+ FromPipelineToString!
+ machine_wordsize prefix "square" square
+ (docstring_with_summary_from_lemma!
+ (fun fname : string => [text_before_function_name ++ fname ++ " squares a field element."]%string)
+ (square_correct weightf m boundsn)).
+
 Local Ltac solve_extra_bounds_side_conditions :=
 cbn [lower upper fst snd] in *; Bool.split_andb; Z.ltb_to_lt; lia.
@@ -206,12 +229,20 @@ Section __.
 Lemma Wf_mul res (Hres : mul = Success res) : Wf res.
 Proof using Type. prove_pipeline_wf (). Qed.
+ Lemma square_correct res
+ (Hres : square = Success res)
+ : square_correct weight m boundsn (Interp res).
+ Proof. Admitted.
+
+ Lemma Wf_square res (Hres : square = Success res) : Wf res.
+ Proof using Type. prove_pipeline_wf (). Qed.
+
 Section for_stringification.
 Local Open Scope string_scope.
 Local Open Scope list_scope.
 Definition known_functions
- := [("mul", wrap_s smul)].
+ := [("mul", wrap_s smul); ("square", wrap_s ssquare)].
 Definition valid_names : string
 := Eval compute in String.concat ", " (List.map (@fst _ _) known_functions).
@@ -240,4 +271,13 @@ Module Export Hints.
 Hint Immediate
 Wf_mul
 : wf_op_cache.
+
+#[global]
+ Hint Opaque
+ square
+ : wf_op_cache.
+#[global]
+ Hint Immediate
+ Wf_square
+ : wf_op_cache.
 End Hints.
diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v
index 77944c2185..afe302b6df 100644
--- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v
+++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v
@@ -32,6 +32,11 @@ Derive reified_mul_gen
 As reified_mul_gen_correct.
 Proof. Time cache_reify (). Time Qed.
+Derive reified_square_gen
+ SuchThat (is_reification_of reified_square_gen squaremod)
+ As reified_square_gen_correct.
+Proof. Time cache_reify (). Time Qed.
+
 #[global]
 Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_mul_gen) : reify_cache_gen.
 #[global]
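Review bot: `Lemma square_correct res ... Proof. Admitted.` leaves the synthesized `square` resting on an axiom at exactly the point where `mul` has its proof, while `known_functions` below exposes `square` regardless; until the proof is closed the lemma deserves a loud marker such as `(* TODO: depends on square_no_reduce_correct, still Admitted in Arithmetic/SolinasReduction.v *)`, because the docstring emitted for the generated `square` (see the Zig output earlier on this page) presents this statement as its postcondition. The lemma also opens with a bare `Proof.` where `Wf_square` beside it uses `Proof using Type.`; once a real proof exists, the missing `using` clause will make it depend on the entire section context. `Section __` starts outside the hunk.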
@@ -39,3 +44,11 @@ Proof. Time cache_reify (). Time Qed.
 #[global]
 Hint Rewrite (proj1 reified_mul_gen_correct) : interp_gen_cache.
 Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *)
+
+#[global]
+ Hint Extern 1 (_ = _) => apply_cached_reification squaremod (proj1 reified_square_gen) : reify_cache_gen.
+#[global]
+ Hint Immediate (proj2 reified_square_gen_correct) : wf_gen_cache.
+#[global]
+ Hint Rewrite (proj1 reified_square_gen_correct) : interp_gen_cache.
+Local Opaque reified_square_gen. (* needed for making [autorewrite] not take a very long time *)
diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v
index 03fded2a28..468af07e54 100644
--- a/src/SlowPrimeSynthesisExamples.v
+++ b/src/SlowPrimeSynthesisExamples.v
@@ -85,11 +85,11 @@ Module debugging_solinas_reduction.
 let prod1 := Saturated.Associational.sat_mul base (skipn 3 p_a) (firstn 2 (skipn 1 p_a)) in
 (* first carry chain *)
 let carry1_a := prod0 ++ prod1 in
- let carry1_rows := Saturated.Rows.from_associational weight 7 carry1_a in
- let carry1 := Saturated.Rows.flatten weight 7 carry1_rows in
+ let carry1_rows := Saturated.Rows.from_associational weight 8 carry1_a in
+ let carry1 := Saturated.Rows.flatten weight 8 carry1_rows in
 (* a1 * [a2], second carry chain *)
 let prod2 := Saturated.Associational.sat_mul base (firstn 1 (skipn 1 p_a)) (firstn 1 (skipn 2 p_a)) in
- let carry2_rows := Saturated.Rows.from_associational weight 7 prod2 in
+ let carry2_rows := Saturated.Rows.from_associational weight 8 prod2 in
 let carry2 := Saturated.Rows.flatten' weight carry1 carry2_rows in
 (* doubling, third carry chain *)
 let carry2 := (fst carry2) ++ [snd carry2] in
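Review bot: This hunk only syncs width constants (7 to 8) in `debugging_solinas_reduction.square_no_reduce`, which after this patch reads as a line-for-line copy of the `square_no_reduce` added to Arithmetic/SolinasReduction.v; the hunk itself is evidence that the two copies drift. If the debugging copy is meant to stay, a comment at its head such as `(* mirror of Arithmetic/SolinasReduction.v:square_no_reduce -- keep in sync *)` would flag that, or the module could refer to the library definition instead of restating it. The definition starts and ends outside the hunk.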
@@ -97,7 +97,7 @@ Module debugging_solinas_reduction.
 (* squaring, fourth carry chain *)
 let square_a := sqr_indiv base p_a in
 let square_rows := Saturated.Rows.from_associational weight 8 square_a in
- let square := Saturated.Rows.flatten weight 8 square_rows in
+ let square := Saturated.Rows.flatten' weight double square_rows in
 fst square.
 Definition squaremod base s c (n : Z) (p : list Z) :=
@@ -105,6 +105,25 @@ Module debugging_solinas_reduction.
 let r := reduce_full' base s c 4 sqr in
 r.
+ Print Z.add_with_get_carry.
+ Print Z.add_with_carry.
+ Print Z.get_carry.
+
+ Definition reduce3 base s c n (p : list Z) :=
+ let bound := (0, 2^machine_wordsize-1) in
+ let bounds := (repeat bound n) ++ [(0, 1)] in
+ let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in
+ let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in
+ let coef := Associational.eval coef_a in
+ dlet_nd hi := Z.zselect (nth_default 0 p n) 0 coef in
+ let lo := Z.add_get_carry machine_wordsize hi (nth_default 0 p 0) in
+ if (is_bounded_by bounds p) then
+ [fst lo] ++ (skipn 1 (firstn n p))
+ else
+ let hi' := coef * (nth_default 0 p n) in
+ add_to_nth 0 hi' (firstn n p).
+
+
 End __.
 Section compile.
@@ -120,6 +139,9 @@ Module debugging_solinas_reduction.
 Let p := [2^64-1; 2^64-1; 2^64-1; 2^64-1].
 Compute (square_no_reduce base p).
 Compute (mul_no_reduce base 4 p p).
+ Let p' := [100; 200; 300; 400].
+ Compute (square_no_reduce base p').
+ Compute (mul_no_reduce base 4 p' p').
 Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange.
 Let bound' := Some r[0 ~> (2^machine_wordsize +39)]%zrange.
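Review bot: `reduce3` keeps only `fst lo` of `Z.add_get_carry machine_wordsize hi (nth_default 0 p 0)`, so if `Z.add_get_carry` returns the wrapped sum and its carry as the name suggests, the bounded branch silently discards a carry whenever `hi + p[0]` crosses the word boundary; `bounds` (`repeat bound n ++ [(0, 1)]`) only pins the top limb to 0 or 1 and says nothing about `p[0]`, so the definition rests on an invariant it neither checks nor states. A comment such as `(* assumes: when the top limb is 1 the low limb is small enough that adding coef cannot carry -- the carry of lo is dropped *)` would make that explicit, or the carry could be folded into the remaining limbs. The three `Print` commands above it look like leftover debugging and will emit output on every compile of this file. `Section __` starts outside the hunk.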
@@ -150,187 +172,15 @@ Module debugging_solinas_reduction. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (squaremod base s c n) in + let r := Reify (square_no_reduce base) in exact r) (fun _ _ => []) (Some (repeat bound (4)), tt) - (Some (repeat bound (4))) + (Some (repeat bound (8))) (None, tt) (None) : Pipeline.ErrorT _). -(* -"Success (""/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -void mul(uint64_t out1[4], const uint64_t arg1[4]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - fiatuint1 x12; - uint64_t x13; - fiatuint1 x14; - uint64_t x15; - fiatuint1 x16; - uint64_t x17; - fiatuint1 x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - fiatuint1 x23; - uint64_t x24; - fiatuint1 x25; - uint64_t x26; - fiatuint1 x27; - uint64_t x28; - fiatuint1 x29; - uint64_t x30; - fiatuint1 x31; - uint64_t x32; - fiatuint1 x33; - uint64_t x34; - fiatuint1 x35; - uint64_t x36; - fiatuint1 x37; - uint64_t x38; - fiatuint1 x39; - uint64_t x40; - fiatuint1 x41; - uint64_t x42; - uint64_t x43; - uint64_t x44; - uint64_t x45; - uint64_t x46; - uint64_t x47; - uint64_t x48; - uint64_t x49; - uint64_t x50; - uint64_t x51; - fiatuint1 x52; - uint64_t x53; - fiatuint1 x54; - uint64_t x55; - fiatuint1 x56; - uint64_t x57; - fiatuint1 x58; - uint64_t x59; - fiatuint1 x60; - uint64_t x61; - fiatuint1 x62; - uint64_t x63; - fiatuint1 x64; - uint64_t x65; - uint64_t x66; - uint64_t x67; - uint64_t x68; - uint64_t x69; - uint64_t x70; - uint64_t x71; - uint64_t x72; - uint64_t x73; - fiatuint1 x74; - uint64_t x75; - fiatuint1 x76; - uint64_t x77; - fiatuint1 x78; - 
uint64_t x79; - uint64_t x80; - fiatuint1 x81; - uint64_t x82; - fiatuint1 x83; - uint64_t x84; - fiatuint1 x85; - uint64_t x86; - fiatuint1 x87; - uint64_t x88; - uint64_t x89; - uint64_t x90; - uint64_t x91; - fiatuint1 x92; - uint64_t x93; - fiatuint1 x94; - uint64_t x95; - fiatuint1 x96; - uint64_t x97; - fiatuint1 x98; - uint64_t x99; - fiatuint128 x100; - uint64_t x101; - fiatmulx_u64(&x1, &x2, (arg1[0]), (arg1[3])); - fiatmulx_u64(&x3, &x4, (arg1[0]), (arg1[2])); - fiatmulx_u64(&x5, &x6, (arg1[0]), (arg1[1])); - fiatmulx_u64(&x7, &x8, (arg1[3]), (arg1[2])); - fiatmulx_u64(&x9, &x10, (arg1[3]), (arg1[1])); - fiataddcarryx_u64(&x11, &x12, 0x0, x6, x3); - fiataddcarryx_u64(&x13, &x14, x12, x4, x1); - fiataddcarryx_u64(&x15, &x16, x14, x2, x9); - fiataddcarryx_u64(&x17, &x18, x16, x10, x7); - x19 = (x18 + x8); - fiatmulx_u64(&x20, &x21, (arg1[1]), (arg1[2])); - fiataddcarryx_u64(&x22, &x23, 0x0, x13, x20); - fiataddcarryx_u64(&x24, &x25, x23, x15, x21); - fiataddcarryx_u64(&x26, &x27, x25, x17, 0x0); - fiataddcarryx_u64(&x28, &x29, x27, x19, 0x0); - fiataddcarryx_u64(&x30, &x31, 0x0, x5, x5); - fiataddcarryx_u64(&x32, &x33, x31, x11, x11); - fiataddcarryx_u64(&x34, &x35, x33, x22, x22); - fiataddcarryx_u64(&x36, &x37, x35, x24, x24); - fiataddcarryx_u64(&x38, &x39, x37, x26, x26); - fiataddcarryx_u64(&x40, &x41, x39, x28, x28); - x42 = (((uint64_t)x41 + x29) + (uint64_t)x29); - fiatmulx_u64(&x43, &x44, (arg1[3]), (arg1[3])); - fiatmulx_u64(&x45, &x46, (arg1[2]), (arg1[2])); - fiatmulx_u64(&x47, &x48, (arg1[1]), (arg1[1])); - fiatmulx_u64(&x49, &x50, (arg1[0]), (arg1[0])); - fiataddcarryx_u64(&x51, &x52, 0x0, x50, x30); - fiataddcarryx_u64(&x53, &x54, x52, x47, x32); - fiataddcarryx_u64(&x55, &x56, x54, x48, x34); - fiataddcarryx_u64(&x57, &x58, x56, x45, x36); - fiataddcarryx_u64(&x59, &x60, x58, x46, x38); - fiataddcarryx_u64(&x61, &x62, x60, x43, x40); - fiataddcarryx_u64(&x63, &x64, x62, x44, x42); - fiatmulx_u64(&x65, &x66, UINT8_C(0x26), x63); - 
fiatmulx_u64(&x67, &x68, UINT8_C(0x26), x61); - fiatmulx_u64(&x69, &x70, UINT8_C(0x26), x59); - fiatmulx_u64(&x71, &x72, UINT8_C(0x26), x57); - fiataddcarryx_u64(&x73, &x74, 0x0, x51, x69); - fiataddcarryx_u64(&x75, &x76, x74, x53, x67); - fiataddcarryx_u64(&x77, &x78, x76, x55, x65); - x79 = (x78 + x66); - fiataddcarryx_u64(&x80, &x81, 0x0, x49, x71); - fiataddcarryx_u64(&x82, &x83, x81, x73, x72); - fiataddcarryx_u64(&x84, &x85, x83, x75, x70); - fiataddcarryx_u64(&x86, &x87, x85, x77, x68); - x88 = (x87 + x79); - fiatmulx_u64(&x89, &x90, UINT8_C(0x26), x88); - fiataddcarryx_u64(&x91, &x92, 0x0, x80, x89); - fiataddcarryx_u64(&x93, &x94, x92, x82, 0x0); - fiataddcarryx_u64(&x95, &x96, x94, x84, 0x0); - fiataddcarryx_u64(&x97, &x98, x96, x86, 0x0); - fiatcmovznz_u64(&x99, x98, 0x0, UINT8_C(0x26)); - x100 = ((fiatuint128)x99 + x91); - x101 = (uint64_t)(x100 & UINT64_C(0xffffffffffffffff)); - out1[0] = x101; - out1[1] = x93; - out1[2] = x95; - out1[3] = x97; -}"", {| bitwidths_used := [uint128, uint1, uint64] ; addcarryx_lg_splits := [64] ; mulx_lg_splits := [64] ; cmovznz_bitwidths := [uint64] ; value_barrier_bitwidths := [] ; typedefs_used := [] |})" - : string -Finished transaction in 4.494 secs (4.41u,0.066s) (successful) -*) - Time Compute Show.show (Pipeline.BoundsPipelineToString 
@@ -348,226 +198,6 @@ Finished transaction in 4.494 secs (4.41u,0.066s) (successful) (None, (None, tt)) (None) : Pipeline.ErrorT _). -(* -/* - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: None - */ -void f(uint128 out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - uint1 x34; - uint64_t x35; - uint1 x36; - uint64_t x37; - uint64_t x38; - uint1 x39; - uint64_t x40; - uint1 x41; - uint64_t x42; - uint1 x43; - uint64_t x44; - uint64_t x45; - uint1 x46; - uint64_t x47; - uint1 x48; - uint64_t x49; - uint1 x50; - uint64_t x51; - uint1 x52; - uint64_t x53; - uint1 x54; - uint64_t x55; - uint64_t x56; - uint1 x57; - uint64_t x58; - uint1 x59; - uint64_t x60; - uint1 x61; - uint64_t x62; - uint1 x63; - uint64_t x64; - uint1 x65; - uint64_t x66; - uint1 x67; - uint64_t x68; - uint1 x69; - uint64_t x70; - uint1 x71; - uint64_t x72; - uint1 x73; - uint64_t x74; - uint1 x75; - uint64_t x76; - uint1 x77; - uint64_t x78; - uint1 x79; - uint64_t x80; - uint1 x81; - uint64_t x82; - uint1 x83; - uint64_t x84; - uint1 x85; - uint64_t x86; - uint1 x87; - uint64_t x88; - uint1 x89; - uint64_t x90; - uint1 x91; - uint64_t x92; - uint1 x93; - uint64_t x94; - uint1 x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - 
uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - uint64_t x103; - uint64_t x104; - uint1 x105; - uint64_t x106; - uint1 x107; - uint64_t x108; - uint1 x109; - uint8_t x110; - uint64_t x111; - uint1 x112; - uint64_t x113; - uint1 x114; - uint64_t x115; - uint1 x116; - uint64_t x117; - uint1 x118; - uint8_t x119; - uint64_t x120; - uint64_t x121; - uint64_t x122; - uint1 x123; - uint64_t x124; - uint1 x125; - uint64_t x126; - uint1 x127; - uint64_t x128; - uint1 x129; - uint8_t x130; - uint128 x131; - mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); - mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); - mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); - mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); - mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); - mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); - mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); - mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); - mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); - mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); - mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); - mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); - mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); - mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); - mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); - mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); - addcarryx_u64(&x33, &x34, 0x0, x28, x7); - addcarryx_u64(&x35, &x36, x34, x26, x5); - x37 = (x36 + x18); - addcarryx_u64(&x38, &x39, 0x0, x33, x13); - addcarryx_u64(&x40, &x41, x39, x35, x8); - addcarryx_u64(&x42, &x43, x41, x37, 0x0); - x44 = (x43 + x10); - addcarryx_u64(&x45, &x46, 0x0, x30, x15); - addcarryx_u64(&x47, &x48, x46, x38, x16); - addcarryx_u64(&x49, &x50, x48, x40, x11); - addcarryx_u64(&x51, &x52, x50, x42, x3); - addcarryx_u64(&x53, &x54, x52, x44, 0x0); - x55 = (x54 + x2); - addcarryx_u64(&x56, &x57, 0x0, x45, x21); - addcarryx_u64(&x58, &x59, x57, x47, x19); - addcarryx_u64(&x60, &x61, x59, x49, x14); - addcarryx_u64(&x62, &x63, x61, x51, x6); - addcarryx_u64(&x64, &x65, x63, x53, 0x0); - addcarryx_u64(&x66, &x67, x65, 
x55, 0x0); - addcarryx_u64(&x68, &x69, 0x0, x32, x23); - addcarryx_u64(&x70, &x71, x69, x56, x24); - addcarryx_u64(&x72, &x73, x71, x58, x22); - addcarryx_u64(&x74, &x75, x73, x60, x17); - addcarryx_u64(&x76, &x77, x75, x62, x9); - addcarryx_u64(&x78, &x79, x77, x64, x1); - addcarryx_u64(&x80, &x81, x79, x66, 0x0); - addcarryx_u64(&x82, &x83, 0x0, x68, x29); - addcarryx_u64(&x84, &x85, x83, x70, x27); - addcarryx_u64(&x86, &x87, x85, x72, x25); - addcarryx_u64(&x88, &x89, x87, x74, x20); - addcarryx_u64(&x90, &x91, x89, x76, x12); - addcarryx_u64(&x92, &x93, x91, x78, x4); - addcarryx_u64(&x94, &x95, x93, x80, 0x0); - mulx_u64(&x96, &x97, UINT8_C(0x26), x94); - mulx_u64(&x98, &x99, UINT8_C(0x26), x92); - mulx_u64(&x100, &x101, UINT8_C(0x26), x90); - mulx_u64(&x102, &x103, UINT8_C(0x26), x88); - addcarryx_u64(&x104, &x105, 0x0, x82, x100); - addcarryx_u64(&x106, &x107, x105, x84, x98); - addcarryx_u64(&x108, &x109, x107, x86, x96); - x110 = (uint8_t)(x109 + (uint8_t)x97); - addcarryx_u64(&x111, &x112, 0x0, x31, x102); - addcarryx_u64(&x113, &x114, x112, x104, (uint8_t)x103); - addcarryx_u64(&x115, &x116, x114, x106, (uint8_t)x101); - addcarryx_u64(&x117, &x118, x116, x108, (uint8_t)x99); - x119 = (uint8_t)(x118 + x110); - mulx_u64(&x120, &x121, UINT8_C(0x26), x119); - addcarryx_u64(&x122, &x123, 0x0, x111, (uint16_t)x120); - addcarryx_u64(&x124, &x125, x123, x113, 0x0); - addcarryx_u64(&x126, &x127, x125, x115, 0x0); - addcarryx_u64(&x128, &x129, x127, x117, 0x0); - cmovznz_u8(&x130, x129, 0x0, UINT8_C(0x26)); - x131 = (x130 + (uint128)x122); - out1[0] = x131; - out1[1] = x124; - out1[2] = x126; - out1[3] = x128; -} - -with input bounds (Some [Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff]], Some [Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff], Some [0x0 ~> 0xffffffffffffffff]]). 
-" - : string -Finished transaction in 8.123 secs (7.909u,0.142s) (successful) -*) End compile. From c52d554b77dde50ecab615248cd52398c2c44083 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 6 Nov 2022 02:50:05 -0500 Subject: [PATCH 60/69] finish proof of correctness for square_no_reduce --- src/Arithmetic/SolinasReduction.v | 2165 ++++++++++++-------- src/COperationSpecifications.v | 8 +- src/PushButtonSynthesis/SolinasReduction.v | 28 +- src/SlowPrimeSynthesisExamples.v | 61 +- 4 files changed, 1337 insertions(+), 925 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index a6ec0c1fb0..a5d7d24341 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v @@ -1128,6 +1128,24 @@ Module SolinasReduction. rewrite Z.pow_add_r; lia. Qed. + Lemma eval_seq_start : forall a b p, + Associational.eval (combine (map weight (seq a b)) p) = + weight a * Associational.eval (combine (map weight (seq 0 b)) p). + Proof using wprops. + intros a b p. + generalize dependent a. + generalize dependent b. + induction p as [ | x p IHp ]; intros. + push. + destruct b. + push. + cbn [seq]. + rewrite <-seq_shift. + push. + rewrite IHp. + lia. + Qed. + Lemma weight_dif_mono' : forall n, weight (S n) - weight n < weight (S (S n)) - weight (S n). Proof using Type. 
@@ -1156,854 +1174,840 @@ Module SolinasReduction.
 end.
 Qed.
- Context (base : Z)
- (s : Z)
- (c : list (Z * Z))
- (n : nat).
-
- Context (n_gt_1 : (n > 1)%nat)
- (s_pos : s > 0)
- (c_pos : Associational.eval c > 0)
- (mod_nz : s - Associational.eval c <> 0)
- (base_nz : base <> 0)
- (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true))
- (coef_small : weight n / s * Associational.eval c < up_bound).
-
- (* SECTION MUL_NO_REDUCE *)
-
- Theorem eval_mul_no_reduce : forall p q,
- eval weight (2 * n) (mul_no_reduce base n p q) =
- eval weight n p * Positional.eval weight n q.
- Proof using base_nz n_gt_1 wprops.
- intros p q.
- cbv [mul_no_reduce].
- break_match.
- (* properly bounded *)
- push.
- apply Z.mod_small.
- repeat match goal with
- | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb
- | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H
- | _ => progress intuition
- | _ => solve_ineq
- end.
- le_lt.
- etransitivity.
- apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto.
- le_lt.
- replace (weight (2 * n)) with (weight n * weight n).
- solve_ineq.
- weight_comp.
- rewrite <-OrdersEx.Z_as_OT.pow_mul_r.
- f_equal.
- lia.
- lia.
- lia.
-
- (* not bounded *)
- push.
- rewrite <-Z_div_mod_eq.
- auto.
- rewrite Z.gt_lt_iff.
- auto.
- push.
- lia.
- push.
-
- push.
- rewrite <-Z_div_mod_eq.
- auto.
- rewrite Z.gt_lt_iff.
- auto.
- push.
- lia.
- push.
- Qed.
- Hint Rewrite eval_mul_no_reduce : push_eval.
-
- Theorem length_mul_no_reduce : forall p q,
- length (mul_no_reduce base n p q) = (2 * n)%nat.
- Proof using base_nz n_gt_1 wprops.
- intros; unfold mul_no_reduce; break_match; push.
- Qed.
- Hint Rewrite length_mul_no_reduce : push_length.
-
- (* END SECTION MUL_NO_REDUCE *)
-
- (* SECTION REDUCE1 *)
-
- Lemma reduce1_length : forall p m1 m2,
- length (reduce1 base s c m1 m2 p) = m2.
- Proof using wprops.
- intros; cbv [reduce1]; break_match; push.
- Qed.
- Hint Rewrite reduce1_length : push_length.
-
- Lemma split_p_firstn : forall p,
- n <= length p ->
- split (weight n) (combine (map weight (seq 0 n)) (firstn n p)) =
- (combine (map weight (seq 0 n)) (firstn n p), []).
- Proof using wprops.
- intros.
- rewrite split_lt;
- repeat multimatch goal with
- | H : _ |- _ => autorewrite with push_misc in H
- | H : _ |- _ => rewrite in_seq in H
- | _ => rewrite min_l
- | H : context[exists _, _] |- _ => destruct H
- | H : _ = ?x |- context[?x] => rewrite <-H
- | _ => push
- | _ => apply weight_mono
- | _ => intuition
- | _ => auto || lia
+ Section mulmod.
+
+ Context (base : Z)
+ (s : Z)
+ (c : list (Z * Z))
+ (n : nat).
+
+ Context (n_gt_1 : (n > 1)%nat)
+ (s_pos : s > 0)
+ (c_pos : Associational.eval c > 0)
+ (mod_nz : s - Associational.eval c <> 0)
+ (base_nz : base <> 0)
+ (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true))
+ (coef_small : weight n / s * Associational.eval c < up_bound).
+
+ (* SECTION MUL_NO_REDUCE *)
+
+ Theorem eval_mul_no_reduce : forall p q,
+ eval weight (2 * n) (mul_no_reduce base n p q) =
+ eval weight n p * Positional.eval weight n q.
+ Proof using base_nz n_gt_1 wprops.
+ intros p q.
+ cbv [mul_no_reduce].
+ break_match.
+ (* properly bounded *)
+ push.
+ apply Z.mod_small.
+ repeat match goal with
+ | H : context[_ && _] |- _ => rewrite andb_true_iff in Heqb
+ | H : is_bounded_by _ _ = true |- _ => apply eval_is_bounded_by in H
+ | _ => progress intuition
+ | _ => solve_ineq
 end.
- Qed.
- Hint Rewrite split_p_firstn : push_misc.
+ le_lt.
+ etransitivity.
+ apply OrdersEx.Z_as_OT.mul_le_mono_nonneg; eauto; rewrite Le.Z.le_sub_1_iff; eauto.
+ le_lt.
+ replace (weight (2 * n)) with (weight n * weight n).
+ solve_ineq.
+ weight_comp.
+ rewrite <-OrdersEx.Z_as_OT.pow_mul_r.
+ f_equal.
+ lia.
+ lia.
+ lia.
- Lemma split_p_skipn : forall p m1,
- n <= length p ->
- split (weight n) (combine (map weight (seq n (m1 - n))) (skipn n p)) =
- ([], combine (map weight (seq 0 (m1 - n))) (skipn n p)).
- Proof using wprops.
- intros.
- rewrite split_gt;
- repeat multimatch goal with
- | H : _ |- _ => autorewrite with push_misc in H
- | H : _ |- _ => rewrite in_seq in H
- | _ => apply Weight.weight_multiples_full
- | H : context[exists _, _] |- _ => destruct H
- | H : _ = ?x |- context[?x] => rewrite <-H
- | _ => push
- | _ => intuition
- end.
- Qed.
- Hint Rewrite split_p_skipn : push_misc.
-
- Lemma split_p : forall m1 p,
- (m1 >= n)%nat ->
- n <= length p ->
- split (weight n) (combine (map weight (seq 0 m1)) p) =
- (combine (map weight (seq 0 n)) (firstn n p),
- (combine (map weight (seq 0 (m1 - n))) (skipn n p))).
- Proof using n_gt_1 wprops.
- intros m1 p ? ?.
- replace m1 with (n + (m1 - n))%nat at 1 by lia.
- rewrite <-(firstn_skipn n p) at 1.
- push.
- push.
- lia.
- Qed.
- Hint Rewrite split_p : push_misc.
+ (* not bounded *)
+ push.
+ rewrite <-Z_div_mod_eq.
+ auto.
+ rewrite Z.gt_lt_iff.
+ auto.
+ push.
+ lia.
+ push.
- Hint Rewrite repeat_length : push_length.
+ push.
+ rewrite <-Z_div_mod_eq.
+ auto.
+ rewrite Z.gt_lt_iff.
+ auto.
+ push.
+ lia.
+ push.
+ Qed.
+ Hint Rewrite eval_mul_no_reduce : push_eval.
+
+ Theorem length_mul_no_reduce : forall p q,
+ length (mul_no_reduce base n p q) = (2 * n)%nat.
+ Proof using base_nz n_gt_1 wprops.
+ intros; unfold mul_no_reduce; break_match; push.
+ Qed.
+ Hint Rewrite length_mul_no_reduce : push_length.
+
+ (* END SECTION MUL_NO_REDUCE *)
+
+ (* SECTION REDUCE1 *)
+
+ Lemma reduce1_length : forall p m1 m2,
+ length (reduce1 base s c m1 m2 p) = m2.
+ Proof using wprops.
+ intros; cbv [reduce1]; break_match; push.
+ Qed.
+ Hint Rewrite reduce1_length : push_length.
+
+ Lemma split_p_firstn : forall p,
+ n <= length p ->
+ split (weight n) (combine (map weight (seq 0 n)) (firstn n p)) =
+ (combine (map weight (seq 0 n)) (firstn n p), []).
+ Proof using wprops.
+ intros.
+ rewrite split_lt;
+ repeat multimatch goal with
+ | H : _ |- _ => autorewrite with push_misc in H
+ | H : _ |- _ => rewrite in_seq in H
+ | _ => rewrite min_l
+ | H : context[exists _, _] |- _ => destruct H
+ | H : _ = ?x |- context[?x] => rewrite <-H
+ | _ => push
+ | _ => apply weight_mono
+ | _ => intuition
+ | _ => auto || lia
+ end.
+ Qed.
+ Hint Rewrite split_p_firstn : push_misc.
+
+ Lemma split_p_skipn : forall p m1,
+ n <= length p ->
+ split (weight n) (combine (map weight (seq n (m1 - n))) (skipn n p)) =
+ ([], combine (map weight (seq 0 (m1 - n))) (skipn n p)).
+ Proof using wprops.
+ intros.
+ rewrite split_gt;
+ repeat multimatch goal with
+ | H : _ |- _ => autorewrite with push_misc in H
+ | H : _ |- _ => rewrite in_seq in H
+ | _ => apply Weight.weight_multiples_full
+ | H : context[exists _, _] |- _ => destruct H
+ | H : _ = ?x |- context[?x] => rewrite <-H
+ | _ => push
+ | _ => intuition
+ end.
+ Qed.
+ Hint Rewrite split_p_skipn : push_misc.
+
+ Lemma split_p : forall m1 p,
+ (m1 >= n)%nat ->
+ n <= length p ->
+ split (weight n) (combine (map weight (seq 0 m1)) p) =
+ (combine (map weight (seq 0 n)) (firstn n p),
+ (combine (map weight (seq 0 (m1 - n))) (skipn n p))).
+ Proof using n_gt_1 wprops.
+ intros m1 p ? ?.
+ replace m1 with (n + (m1 - n))%nat at 1 by lia.
+ rewrite <-(firstn_skipn n p) at 1.
+ push.
+ push.
+ lia.
+ Qed.
+ Hint Rewrite split_p : push_misc.
- Ltac solve_ibb :=
+ Hint Rewrite repeat_length : push_length.
+
+ Ltac solve_ibb :=
 apply eval_is_bounded_by; match goal with | |- context [firstn _ _] => eapply is_bounded_by_app_l | |- context [skipn _ _] => eapply is_bounded_by_app_r end; eauto; push; try lia.
- Lemma value_reduce1 : forall p m1 m2,
- (m1 >= n)%nat ->
- (m2 > 0)%nat ->
- n <= length p ->
- up_bound * weight (m1 - n) + weight n < weight m2 ->
- let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in
- let coef := Associational.sat_mul_const base [(1, s'/s)] c in
- eval weight m2 (reduce1 base s c m1 m2 p) =
- Associational.eval coef * eval weight (m1 - n) (skipn n p) + eval weight n (firstn n p).
- Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops.
- intros p m1 m2 H.
- intros.
- assert (Rows.adjust_s weight (S (S m1)) s =
- Rows.adjust_s weight (S (S n)) s) as Hadjust.
- { destruct H.
- auto.
+ Lemma value_reduce1 : forall p m1 m2,
+ (m1 >= n)%nat ->
+ (m2 > 0)%nat ->
+ n <= length p ->
+ up_bound * weight (m1 - n) + weight n < weight m2 ->
+ let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in
+ let coef := Associational.sat_mul_const base [(1, s'/s)] c in
+ eval weight m2 (reduce1 base s c m1 m2 p) =
+ Associational.eval coef * eval weight (m1 - n) (skipn n p) + eval weight n (firstn n p).
+ Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops.
+ intros p m1 m2 H.
+ intros.
+ assert (Rows.adjust_s weight (S (S m1)) s =
+ Rows.adjust_s weight (S (S n)) s) as Hadjust.
+ { destruct H.
+ auto.
+ rewrite solinas_property.
+ eapply adjust_s_finished; try apply solinas_property.
+ lia.
+ lia. }
+ cbv [s' coef reduce1].
+ destruct (is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) m1) p) eqn:Heqb; push.
+ rewrite Hadjust.
 rewrite solinas_property.
- eapply adjust_s_finished; try apply solinas_property.
- lia.
- lia. }
- cbv [s' coef reduce1].
- destruct (is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) m1) p) eqn:Heqb; push.
- rewrite Hadjust.
- rewrite solinas_property.
- cbv [to_associational].
- push.
- rewrite <-(firstn_skipn n p) in Heqb.
- replace m1 with (n + (m1 - n))%nat in Heqb by lia.
- rewrite repeat_app in Heqb.
- solve_ineq.
- solve_ibb.
- solve_ibb.
- etransitivity.
- solve_ineq.
- apply Z.mul_lt_mono_nonneg.
- solve_ineq.
- eauto.
- solve_ibb.
- solve_ibb.
- solve_ibb.
- lia.
-
- rewrite Hadjust.
- rewrite solinas_property.
- cbv [to_associational].
- push.
- rewrite <-Z_div_mod_eq_full.
- reflexivity.
- all: push.
- Qed.
-
- Lemma eval_seq_start : forall a b p,
- Associational.eval (combine (map weight (seq a b)) p) =
- weight a * Associational.eval (combine (map weight (seq 0 b)) p).
- Proof using n_gt_1 wprops.
- intros a b p.
- generalize dependent a.
- generalize dependent b.
- induction p as [ | x p IHp ]; intros.
- push.
- destruct b.
- push.
- cbn [seq].
- rewrite <-seq_shift.
- push.
- rewrite IHp.
- lia.
- Qed.
-
- Lemma eval_reduce1 : forall p m1 m2,
- (m1 >= n)%nat ->
- (m2 > 0)%nat ->
- n <= length p ->
- up_bound * weight (m1 - n) + weight n < weight m2 ->
- let q := reduce1 base s c m1 m2 p in
- (Positional.eval weight m1 p) mod (s - Associational.eval c)
- = (Positional.eval weight m2 q) mod (s - Associational.eval c).
- Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops.
- intros p m1 m2; intros.
- cbv [q].
- rewrite value_reduce1; try lia.
- push.
- rewrite solinas_property.
- cbn [fst snd].
- match goal with
- | |- context[_ mod (_ - ?c)] =>
- lazymatch goal with
- | |- context[?x * ?c * ?y] => replace (x * c * y) with (c * (x * y)) by lia
- end
- end.
- rewrite Z.add_comm.
- rewrite <-reduction_rule.
- apply Z.elim_mod.
- rewrite <-(firstn_skipn n p) at 1.
- replace m1 with (n + (m1 - n))%nat by lia.
- cbv [eval to_associational].
- push.
- rewrite Z.mul_assoc.
- rewrite <-Z_div_exact_2.
- rewrite Z.add_cancel_l.
- cbn.
- replace (n + (m1 - n) - n)%nat with (m1 - n)%nat by lia.
- rewrite eval_seq_start.
- lia.
- lia.
- pose proof (adjust_s_invariant (S (S n)) s ltac:(lia)) as Hadj.
- rewrite solinas_property in Hadj.
- intuition.
- push.
- lia.
- lia.
- Qed.
-
- (* END SECTION REDUCE1 *)
-
- (* SECTION REDUCE3 *)
-
- Lemma value_reduce1' : forall p m,
- m = n ->
- length p = S m ->
- nth_default 0 p n <= 1 ->
- weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n ->
- let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in
- let coef := Associational.sat_mul_const base [(1, s'/s)] c in
- eval weight m (reduce1 base s c (S m) m p) =
- Associational.eval coef * nth_default 0 p n + eval weight n (firstn n p).
- Proof.
- intros p m H H1 H2 H3.
- cbv [reduce1].
- rewrite H.
- push.
- erewrite adjust_s_finished'; try apply solinas_property.
- rewrite solinas_property.
- cbv [to_associational].
- push.
- const_simpl.
- rewrite skipn_nth_default with (d:=0) by lia.
- rewrite skipn_all.
- cbn [seq map].
- push.
-
- break_match.
- push.
- rewrite Z.mod_small.
- reflexivity.
- solve_ineq.
- apply is_bounded_by_nth with (n:=n) in Heqb.
- etransitivity.
- 2: apply Heqb.
- rewrite nth_default_repeat.
- break_match; try lia.
- reflexivity.
- lia.
- push.
- rewrite <-firstn_skipn with (l:=p) (n:=n) in Heqb.
- replace (S n) with (n + 1)%nat in Heqb by lia.
- rewrite repeat_app in Heqb.
- solve_ibb.
- le_lt.
- etransitivity.
- solve_ineq.
- apply Z.mul_le_mono_nonneg_l.
- solve_ineq.
- eauto.
- apply Z.le_refl.
- le_lt.
- push.
-
- push.
- rewrite <-Z_div_mod_eq_full.
- all: push; lia.
- Qed.
-
- Lemma eval_reduce1' : forall p m,
- m = n ->
- length p = S m ->
- nth_default 0 p n <= 1 ->
- weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n ->
- let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in
- let coef := Associational.sat_mul_const base [(1, s'/s)] c in
- let q := reduce1 base s c (S m) m p in
- (Positional.eval weight (S m) p) mod (s - Associational.eval c)
- = (Positional.eval weight m q) mod (s - Associational.eval c).
- Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops.
- intros p m H H1 H2 H3 s' coef q.
- cbv [q].
- rewrite value_reduce1'; try lia.
- push.
- rewrite solinas_property.
- cbn [fst snd].
- match goal with
- | |- context[_ mod (_ - ?c)] =>
- lazymatch goal with
- | |- context[?x * ?c * ?y] => replace (x * c * y) with (c * (x * y)) by lia
- end
- end.
- rewrite Z.add_comm.
- rewrite <-reduction_rule.
- apply Z.elim_mod.
- rewrite <-(firstn_skipn n p) at 1.
- replace (S m) with (m+1)%nat by lia.
- cbv [eval to_associational].
- push.
- rewrite Z.mul_assoc.
- rewrite <-Z_div_exact_2.
- rewrite H.
- rewrite Z.add_cancel_l.
- const_simpl.
- rewrite eval_seq_start.
- f_equal.
- rewrite skipn_nth_default with (d:=0).
- rewrite skipn_all.
- cbn.
- break_match; lia.
-
- lia.
- lia.
- lia.
- pose proof (adjust_s_invariant (S (S n)) s ltac:(lia)) as Hadj.
- rewrite solinas_property in Hadj.
- intuition.
- push; lia.
- lia.
- Qed.
-
- Lemma firstn_nth_default_0 : forall p,
- length p > 0 ->
- firstn 1 p = [nth_default 0 p 0].
- Proof.
- intros p H.
- induction p as [| a p IHp].
- push' H.
- lia.
- push.
- Qed.
-
- Lemma eval_reduce3 : forall p m,
- (m = n)%nat ->
- length p = S m ->
- let q := reduce3 base s c m p in
- (Positional.eval weight (S m) p) mod (s - Associational.eval c)
- = (Positional.eval weight m q) mod (s - Associational.eval c).
- Proof.
- intros p m H.
- intros.
- rewrite eval_reduce1' with (m:=m%nat).
- rewrite value_reduce1'.
- rewrite solinas_property.
- rewrite H.
- push.
- const_simpl.
- cbv [q reduce3 Let_In].
- break_match.
-
- push.
- cbv [Z.add_get_carry Z.add_with_get_carry Z.add_with_carry Z.get_carry Let_In].
- push.
-
- match goal with
- | H : context[is_bounded_by _ _] |- _ => pose proof (is_bounded_by_nth m _ _ H) as Hnth
- end.
- push' Hnth.
- specialize (Hnth ltac:(lia) ltac:(lia)).
- rewrite nth_default_app in Hnth.
- push' Hnth.
- destruct lt_dec eqn:E.
- lia.
- simpl in Hnth.
- rewrite H in Hnth.
- rewrite H.
-
- rewrite <-firstn_skipn with (l:=(firstn n p)) (n:=1%nat) at 1.
- rewrite firstn_firstn.
- rewrite firstn_nth_default_0.
- repeat f_equal.
- apply is_bounded_by_nth with (n:=0%nat) in Heqb.
- rewrite nth_default_app in Heqb.
- rewrite nth_default_repeat in Heqb.
- push' Heqb.
- destruct (lt_dec); try lia.
- destruct dec; try lia.
- push' Heqb.
-
- assert (nth_default 0 p n = 0 \/ nth_default 0 p n = 1) by lia.
- intuition.
- match goal with
- | H : nth_default _ _ _ = _ |- _ => rewrite H
- end.
- push.
- repeat f_equal.
- rewrite Z.mod_small; lia.
-
- match goal with
- | H : nth_default _ _ _ = _ |- _ => rewrite H
- end.
- push.
- cbv [Z.zselect].
- destruct (1 =? 0) eqn:E1.
- lia.
- rewrite solinas_property.
- push.
- unfold weight.
- erewrite uweight_eval_app with (n:=1%nat).
- erewrite uweight_eval_app with (n:=1%nat).
- fold weight.
- push.
- rewrite min_l; try lia.
- rewrite Z.add_assoc.
- f_equal.
- rewrite Z.mod_small.
- lia.
- admit.
- lia.
- push.
- push; lia.
- lia.
- push.
- push; lia.
- lia.
- push; lia.
- lia.
- lia.
+ cbv [to_associational].
+ push.
+ rewrite <-(firstn_skipn n p) in Heqb.
+ replace m1 with (n + (m1 - n))%nat in Heqb by lia.
+ rewrite repeat_app in Heqb.
+ solve_ineq.
+ solve_ibb.
+ solve_ibb.
+ etransitivity.
+ solve_ineq.
+ apply Z.mul_lt_mono_nonneg.
+ solve_ineq.
+ eauto.
+ solve_ibb.
+ solve_ibb.
+ solve_ibb.
+ lia.
- rewrite H.
- rewrite solinas_property.
- push.
- push; lia.
- push; lia.
+ rewrite Hadjust.
+ rewrite solinas_property.
+ cbv [to_associational].
+ push.
+ rewrite <-Z_div_mod_eq_full.
+ reflexivity.
+ all: push.
+ Qed.
+
+ Lemma eval_reduce1 : forall p m1 m2,
+ (m1 >= n)%nat ->
+ (m2 > 0)%nat ->
+ n <= length p ->
+ up_bound * weight (m1 - n) + weight n < weight m2 ->
+ let q := reduce1 base s c m1 m2 p in
+ (Positional.eval weight m1 p) mod (s - Associational.eval c)
+ = (Positional.eval weight m2 q) mod (s - Associational.eval c).
+ Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops.
+ intros p m1 m2; intros.
+ cbv [q].
+ rewrite value_reduce1; try lia.
+ push.
+ rewrite solinas_property.
+ cbn [fst snd].
+ match goal with
+ | |- context[_ mod (_ - ?c)] =>
+ lazymatch goal with
+ | |- context[?x * ?c * ?y] => replace (x * c * y) with (c * (x * y)) by lia
+ end
+ end.
+ rewrite Z.add_comm.
+ rewrite <-reduction_rule.
+ apply Z.elim_mod.
+ rewrite <-(firstn_skipn n p) at 1.
+ replace m1 with (n + (m1 - n))%nat by lia.
+ cbv [eval to_associational].
+ push.
+ rewrite Z.mul_assoc.
+ rewrite <-Z_div_exact_2.
+ rewrite Z.add_cancel_l.
+ cbn.
+ replace (n + (m1 - n) - n)%nat with (m1 - n)%nat by lia.
+ rewrite eval_seq_start.
+ lia.
+ lia.
+ pose proof (adjust_s_invariant (S (S n)) s ltac:(lia)) as Hadj.
+ rewrite solinas_property in Hadj.
+ intuition.
+ push.
+ lia.
+ lia.
+ Qed.
- lia.
- lia.
- admit.
- admit.
- lia.
- lia.
- admit.
- admit.
- Admitted.
+ (* END SECTION REDUCE1 *)
- (* END SECTION REDUCE3 *)
+ (* SECTION REDUCE3 *)
- (* SECTION REDUCE_FIRST *)
+ Lemma value_reduce1' : forall p m,
+ m = n ->
+ length p = S m ->
+ nth_default 0 p n <= 1 ->
+ weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n ->
+ let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in
+ let coef := Associational.sat_mul_const base [(1, s'/s)] c in
+ eval weight m (reduce1 base s c (S m) m p) =
+ Associational.eval coef * nth_default 0 p n + eval weight n (firstn n p).
+ Proof.
+ intros p m H H1 H2 H3.
+ cbv [reduce1].
+ rewrite H.
+ push.
+ erewrite adjust_s_finished'; try apply solinas_property.
+ rewrite solinas_property.
+ cbv [to_associational].
+ push.
+ const_simpl.
+ rewrite skipn_nth_default with (d:=0).
+ rewrite skipn_all.
+ cbn [seq map].
+ push.
+
+ break_match.
+ push.
+ rewrite Z.mod_small.
+ reflexivity.
+ solve_ineq.
+ apply is_bounded_by_nth with (n:=n) in Heqb.
+ etransitivity.
+ 2: apply Heqb.
+ rewrite nth_default_repeat.
+ break_match; try lia.
+ reflexivity.
+ lia.
+ push.
+ rewrite <-firstn_skipn with (l:=p) (n:=n) in Heqb.
+ replace (S n) with (n + 1)%nat in Heqb by lia.
+ rewrite repeat_app in Heqb.
+ solve_ibb.
+ le_lt.
+ etransitivity.
+ solve_ineq.
+ apply Z.mul_le_mono_nonneg_l.
+ solve_ineq.
+ eauto.
+ apply Z.le_refl.
+ le_lt.
+ push.
+
+ push.
+ rewrite <-Z_div_mod_eq_full.
+ all: push; lia.
+ Qed.
+
+ Lemma eval_reduce1' : forall p m,
+ m = n ->
+ length p = S m ->
+ nth_default 0 p n <= 1 ->
+ weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n ->
+ let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in
+ let coef := Associational.sat_mul_const base [(1, s'/s)] c in
+ let q := reduce1 base s c (S m) m p in
+ (Positional.eval weight (S m) p) mod (s - Associational.eval c)
+ = (Positional.eval weight m q) mod (s - Associational.eval c).
+ Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops.
+ intros p m H H1 H2 H3 s' coef q.
+ cbv [q].
+ rewrite value_reduce1'; try lia.
+ push.
+ rewrite solinas_property.
+ cbn [fst snd].
+ match goal with
+ | |- context[_ mod (_ - ?c)] =>
+ lazymatch goal with
+ | |- context[?x * ?c * ?y] => replace (x * c * y) with (c * (x * y)) by lia
+ end
+ end.
+ rewrite Z.add_comm.
+ rewrite <-reduction_rule.
+ apply Z.elim_mod.
+ rewrite <-(firstn_skipn n p) at 1.
+ replace (S m) with (m+1)%nat by lia.
+ cbv [eval to_associational].
+ push.
+ rewrite Z.mul_assoc.
+ rewrite <-Z_div_exact_2.
+ rewrite H.
+ rewrite Z.add_cancel_l.
+ const_simpl.
+ rewrite eval_seq_start.
+ f_equal.
+ rewrite skipn_nth_default with (d:=0).
+ rewrite skipn_all.
+ cbn.
+ break_match; lia.
- Lemma reduce_first_canonical : forall p,
- length p = (2 * n)%nat ->
- is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) (2 * n)) p = true->
- canonical_repr (S n) (reduce1 base s c (2*n) (S n) p).
- Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops.
- intros p Hlen H.
- cbv [reduce1 canonical_repr].
- rewrite H.
- push.
- intuition.
- erewrite adjust_s_finished; try apply solinas_property; try lia.
- push.
- f_equal.
- rewrite Z.mod_small.
- reflexivity.
- cbv [to_associational].
- push.
- rewrite <-(firstn_skipn n p) in H.
- replace (2*n-n)%nat with n by lia.
- replace (2 * n)%nat with (n + n)%nat in H by lia.
- rewrite repeat_app in H.
- solve_ineq.
+ lia.
+ lia.
+ lia.
+ pose proof (adjust_s_invariant (S (S n)) s ltac:(lia)) as Hadj.
+ rewrite solinas_property in Hadj.
+ intuition.
+ push; lia.
+ lia.
+ Qed.
- solve_ibb.
- solve_ibb.
- etransitivity.
- solve_ineq.
- apply Z.mul_lt_mono_nonneg.
- solve_ineq.
- eauto.
- solve_ibb.
- solve_ibb.
- solve_ibb.
- cbv [up_bound machine_wordsize].
- weight_comp.
- rewrite <-Z.mul_succ_l.
- apply Zmult_lt_compat_r.
- apply Z.pow_pos_nonneg; lia.
- all: cbn; break_match; lia.
- Qed.
+ Lemma firstn_nth_default_0 : forall p,
+ length p > 0 ->
+ firstn 1 p = [nth_default 0 p 0].
+ Proof.
+ intros p H.
+ induction p as [| a p IHp].
+ push' H.
+ lia.
+ push.
+ Qed.
+
+ Lemma eval_reduce3 : forall p m,
+ (m = n)%nat ->
+ length p = S m ->
+ let q := reduce3 base s c m p in
+ (Positional.eval weight (S m) p) mod (s - Associational.eval c)
+ = (Positional.eval weight m q) mod (s - Associational.eval c).
+ Proof.
+ intros p m H.
+ intros.
+ rewrite eval_reduce1' with (m:=m%nat).
+ rewrite value_reduce1'.
+ rewrite solinas_property.
+ rewrite H.
+ push.
+ const_simpl.
+ cbv [q reduce3 Let_In].
+ break_match.
- (* END SECTION REDUCE_FIRST *)
+ push.
+ cbv [Z.add_get_carry Z.add_with_get_carry Z.add_with_carry Z.get_carry Let_In].
+ push.
- (* SECTION REDUCE_SECOND *)
+ match goal with
+ | H : context[is_bounded_by _ _] |- _ => pose proof (is_bounded_by_nth m _ _ H) as Hnth
+ end.
+ push' Hnth.
+ specialize (Hnth ltac:(lia) ltac:(lia)).
+ rewrite nth_default_app in Hnth.
+ push' Hnth.
+ destruct lt_dec eqn:E.
+ lia.
+ simpl in Hnth.
+ rewrite H in Hnth.
+ rewrite H.
+
+ rewrite <-firstn_skipn with (l:=(firstn n p)) (n:=1%nat) at 1.
+ rewrite firstn_firstn.
+ rewrite firstn_nth_default_0.
+ repeat f_equal.
+ apply is_bounded_by_nth with (n:=0%nat) in Heqb.
+ rewrite nth_default_app in Heqb.
+ rewrite nth_default_repeat in Heqb.
+ push' Heqb.
+ destruct (lt_dec); try lia.
+ destruct dec; try lia.
+ push' Heqb.
+
+ assert (nth_default 0 p n = 0 \/ nth_default 0 p n = 1) by lia.
+ intuition.
+ match goal with
+ | H : nth_default _ _ _ = _ |- _ => rewrite H
+ end.
+ push.
+ repeat f_equal.
+ rewrite Z.mod_small; lia.
- Lemma reduce_second_canonical : forall p,
- canonical_repr (S n) p ->
- canonical_repr (S n) (reduce1 base s c (S n) (S n) p).
- Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops.
- intros p H.
- cbv [canonical_repr].
- push.
- assert (Hcanon := H).
- cbv [canonical_repr] in H.
- intuition.
- rewrite value_reduce1.
- rewrite solinas_property.
- push.
- cbv [reduce1].
- break_match.
- push.
- erewrite adjust_s_finished'; try eapply solinas_property.
- cbv [to_associational].
- rewrite split_p.
- push.
- lia.
- lia.
- lia.
+ match goal with
+ | H : nth_default _ _ _ = _ |- _ => rewrite H
+ end.
+ push.
+ cbv [Z.zselect].
+ destruct (1 =? 0) eqn:E1.
+ lia.
+ rewrite solinas_property.
+ push.
+ unfold weight.
+ erewrite uweight_eval_app with (n:=1%nat).
+ erewrite uweight_eval_app with (n:=1%nat).
+ fold weight.
+ push.
+ rewrite min_l; try lia.
+ rewrite Z.add_assoc.
+ f_equal.
+ rewrite Z.mod_small.
+ lia.
+ admit.
+ lia.
+ push.
+ push; lia.
+ lia.
+ push.
+ push; lia.
+ lia.
+ push; lia.
+ lia.
+ lia.
- rewrite canonical_is_bounded_by in Hcanon.
- intuition.
- match goal with
- | H : ?x = true, H1 : ?x = false |- _ => rewrite H in H1; discriminate
- end.
- lia.
- lia.
- lia.
- replace (S n - n)%nat with 1%nat by lia.
- cbv [up_bound machine_wordsize].
- rewrite Z.lt_add_lt_sub_r.
- etransitivity; [ | apply weight_dif_mono with (n:=1%nat); lia ].
- weight_comp; cbn; lia.
- Qed.
+ rewrite H.
+ rewrite solinas_property.
+ push.
+ push; lia.
+ push; lia.
- Hint Rewrite nth_default_partition : push_misc.
- Lemma reduce_second_bounds : forall p,
- canonical_repr (S n) p ->
- (nth_default 0 p n) < up_bound ->
- let q := reduce1 base s c (S n) (S n) p in
- (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1) \/
- nth_default 0 q n = 0.
- Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops.
- intros p ? ? q.
- pose proof (reduce_second_canonical p ltac:(auto)) as Hcanonq.
- fold q in Hcanonq.
- pose proof (firstn_skipn n p) as Hp; symmetry in Hp.
- pose proof (firstn_skipn n q) as Hq; symmetry in Hq.
- canonical_app p.
- push' Hcanon_l.
- push' Hcanon_r.
- canonical_app q; push' Hcanon_l0; push' Hcanon_r0.
- replace (length p) with (S n) in * by (solve_length p).
- replace (length q) with (S n) in * by (solve_length q).
- rewrite min_l in *; [| lia | solve_length q].
- const_simpl.
-
- assert (0 <= nth_default 0 q n < 2).
- assert (Hcanonq' := Hcanonq).
- cbv [canonical_repr] in Hcanonq'.
- destruct Hcanonq as [ _ Hpartq ].
- rewrite Hpartq.
- push.
- solve_ineq; auto.
- rewrite Z.mod_small.
- cbv [q].
- rewrite value_reduce1.
- const_simpl.
- rewrite solinas_property.
- push.
- rewrite <-Zplus_diag_eq_mult_2.
- solve_ineq.
- etransitivity.
- apply Z.mul_lt_mono_nonneg.
- solve_ineq.
- eauto.
- apply canonical_pos; auto.
- rewrite skipn_nth_default with (d:=0).
- rewrite skipn_all.
- push; eauto.
- solve_length p.
- solve_length p.
- cbv [up_bound machine_wordsize].
- weight_comp.
- rewrite <-OrdersEx.Z_as_OT.pow_mul_r.
- apply Z.pow_lt_mono_r; cbn; break_match; lia.
- cbn; lia.
- lia.
- apply canonical_eval_bounded; auto.
- lia.
- lia.
- solve_length p.
- const_simpl.
- cbv [up_bound machine_wordsize].
- rewrite Z.lt_add_lt_sub_r.
- etransitivity; [ | apply weight_dif_mono with (n:=1%nat); lia ].
- weight_comp; cbn; lia.
- solve_ineq; [apply canonical_pos | apply canonical_eval_bounded]; auto.
-
- assert (Hnth : nth_default 0 q n = 0 \/ nth_default 0 q n = 1) by lia.
- destruct Hnth as [Hnth1 | Hnth2].
- intuition.
- left.
- intuition.
- assert (Hcanonq' := Hcanonq).
- destruct Hcanonq' as [_ Hpart].
- rewrite Hpart.
- push.
- assert (H' : Associational.eval (combine (map weight (seq 0 n)) (firstn n q)) = eval weight (S n) q - weight n).
- rewrite Hq at 2.
- cbv [eval to_associational].
- rewrite seq_snoc.
- push.
- rewrite skipn_nth_default with (d:=0).
- rewrite skipn_all.
- const_simpl.
- cbn [seq].
- push.
- lia.
- solve_length q.
- solve_length q.
- push.
- rewrite min_l; [lia | solve_length q].
- rewrite <-Z.add_move_l in H'.
- rewrite <-H'.
- const_simpl.
- rewrite Zplus_mod, Z.mod_same, Z.add_0_l, Z.mod_mod.
- rewrite Z.add_move_l in H'.
- apply Z.div_small.
- rewrite Z.mod_small.
- solve_ineq.
- apply canonical_pos; auto.
- rewrite H'.
- rewrite Z.lt_sub_lt_add_l.
- cbv [q].
- rewrite value_reduce1.
- rewrite solinas_property.
- push.
- const_simpl.
- rewrite Z.add_comm.
- solve_ineq.
- apply canonical_eval_bounded; auto.
- rewrite skipn_nth_default with (d:=0).
- rewrite skipn_all.
- push.
- etransitivity.
- apply Z.mul_lt_mono_nonneg.
- solve_ineq.
- eauto.
- apply (canonical_bounded (S n) p).
- auto.
- rewrite Hp at 2.
- apply in_or_app.
- right.
- rewrite skipn_nth_default with (d:=0).
- rewrite skipn_all.
- push.
- solve_length p.
- solve_length p.
- eauto.
- cbv [up_bound machine_wordsize].
- rewrite <-Le.Z.le_sub_1_iff.
- etransitivity; [| rewrite <-Z.sub_le_mono_r; apply (weight_mono_le 1)].
- weight_comp; cbn; lia.
- lia.
- solve_length p.
- solve_length p.
- lia.
- lia.
- solve_length p.
- const_simpl.
- cbv [up_bound machine_wordsize].
- rewrite Z.lt_add_lt_sub_r.
- etransitivity; [| apply (weight_dif_mono 1)].
- weight_comp; cbn; lia.
- lia.
- solve_ineq.
- apply canonical_pos; auto.
- apply canonical_eval_bounded; auto.
- auto.
- auto.
- lia.
- Qed.
+ lia.
+ lia.
+ admit.
+ admit.
+ lia.
+ lia.
+ admit.
+ admit.
+ Admitted.
- (* END SECTION REDUCE_SECOND *)
+ (* END SECTION REDUCE3 *)
+
+ (* SECTION REDUCE_FIRST *)
+
+ Lemma reduce_first_canonical : forall p,
+ length p = (2 * n)%nat ->
+ is_bounded_by (repeat (0, 2 ^ machine_wordsize - 1) (2 * n)) p = true->
+ canonical_repr (S n) (reduce1 base s c (2*n) (S n) p).
+ Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops.
+ intros p Hlen H.
+ cbv [reduce1 canonical_repr].
+ rewrite H.
+ push.
+ intuition.
+ erewrite adjust_s_finished; try apply solinas_property; try lia.
+ push.
+ f_equal.
+ rewrite Z.mod_small.
+ reflexivity.
+ cbv [to_associational].
+ push.
+ rewrite <-(firstn_skipn n p) in H.
+ replace (2*n-n)%nat with n by lia.
+ replace (2 * n)%nat with (n + n)%nat in H by lia.
+ rewrite repeat_app in H.
+ solve_ineq.
+
+ solve_ibb.
+ solve_ibb.
+ etransitivity.
+ solve_ineq.
+ apply Z.mul_lt_mono_nonneg.
+ solve_ineq.
+ eauto.
+ solve_ibb.
+ solve_ibb.
+ solve_ibb.
+ cbv [up_bound machine_wordsize].
+ weight_comp.
+ rewrite <-Z.mul_succ_l.
+ apply Zmult_lt_compat_r.
+ apply Z.pow_pos_nonneg; lia.
+ all: cbn; break_match; lia.
+ Qed.
+
+ (* END SECTION REDUCE_FIRST *)
+
+ (* SECTION REDUCE_SECOND *)
+
+ Lemma reduce_second_canonical : forall p,
+ canonical_repr (S n) p ->
+ canonical_repr (S n) (reduce1 base s c (S n) (S n) p).
+ Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops.
+ intros p H.
+ cbv [canonical_repr].
+ push.
+ assert (Hcanon := H).
+ cbv [canonical_repr] in H.
+ intuition.
+ rewrite value_reduce1.
+ rewrite solinas_property.
+ push.
+ cbv [reduce1].
+ break_match.
+ push.
+ erewrite adjust_s_finished'; try eapply solinas_property.
+ cbv [to_associational].
+ rewrite split_p.
+ push.
+ lia.
+ lia.
+ lia.
- (* SECTION REDUCE_THIRD *)
+ rewrite canonical_is_bounded_by in Hcanon.
+ intuition.
+ match goal with
+ | H : ?x = true, H1 : ?x = false |- _ => rewrite H in H1; discriminate
+ end.
+ lia.
+ lia.
+ lia.
+ replace (S n - n)%nat with 1%nat by lia.
+ cbv [up_bound machine_wordsize].
+ rewrite Z.lt_add_lt_sub_r.
+ etransitivity; [ | apply weight_dif_mono with (n:=1%nat); lia ].
+ weight_comp; cbn; lia.
+ Qed.
+
+ Hint Rewrite nth_default_partition : push_misc.
+ Lemma reduce_second_bounds : forall p,
+ canonical_repr (S n) p ->
+ (nth_default 0 p n) < up_bound ->
+ let q := reduce1 base s c (S n) (S n) p in
+ (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1) \/
+ nth_default 0 q n = 0.
+ Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops.
+ intros p ? ? q.
+ pose proof (reduce_second_canonical p ltac:(auto)) as Hcanonq.
+ fold q in Hcanonq.
+ pose proof (firstn_skipn n p) as Hp; symmetry in Hp.
+ pose proof (firstn_skipn n q) as Hq; symmetry in Hq.
+ canonical_app p.
+ push' Hcanon_l.
+ push' Hcanon_r.
+ canonical_app q; push' Hcanon_l0; push' Hcanon_r0.
+ replace (length p) with (S n) in * by (solve_length p).
+ replace (length q) with (S n) in * by (solve_length q).
+ rewrite min_l in *; [| lia | solve_length q].
+ const_simpl.
+
+ assert (0 <= nth_default 0 q n < 2).
+ assert (Hcanonq' := Hcanonq).
+ cbv [canonical_repr] in Hcanonq'.
+ destruct Hcanonq as [ _ Hpartq ].
+ rewrite Hpartq.
+ push.
+ solve_ineq; auto.
+ rewrite Z.mod_small.
+ cbv [q].
+ rewrite value_reduce1.
+ const_simpl.
+ rewrite solinas_property.
+ push.
+ rewrite <-Zplus_diag_eq_mult_2.
+ solve_ineq.
+ etransitivity.
+ apply Z.mul_lt_mono_nonneg.
+ solve_ineq.
+ eauto.
+ apply canonical_pos; auto.
+ rewrite skipn_nth_default with (d:=0).
+ rewrite skipn_all.
+ push; eauto.
+ solve_length p.
+ solve_length p.
+ cbv [up_bound machine_wordsize].
+ weight_comp.
+ rewrite <-OrdersEx.Z_as_OT.pow_mul_r.
+ apply Z.pow_lt_mono_r; cbn; break_match; lia.
+ cbn; lia.
+ lia.
+ apply canonical_eval_bounded; auto.
+ lia.
+ lia.
+ solve_length p.
+ const_simpl.
+ cbv [up_bound machine_wordsize].
+ rewrite Z.lt_add_lt_sub_r.
+ etransitivity; [ | apply weight_dif_mono with (n:=1%nat); lia ].
+ weight_comp; cbn; lia.
+ solve_ineq; [apply canonical_pos | apply canonical_eval_bounded]; auto. + + assert (Hnth : nth_default 0 q n = 0 \/ nth_default 0 q n = 1) by lia. + destruct Hnth as [Hnth1 | Hnth2]. + intuition. + left. + intuition. + assert (Hcanonq' := Hcanonq). + destruct Hcanonq' as [_ Hpart]. + rewrite Hpart. + push. + assert (H' : Associational.eval (combine (map weight (seq 0 n)) (firstn n q)) = eval weight (S n) q - weight n). + rewrite Hq at 2. + cbv [eval to_associational]. + rewrite seq_snoc. + push. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + const_simpl. + cbn [seq]. + push. + lia. + solve_length q. + solve_length q. + push. + rewrite min_l; [lia | solve_length q]. + rewrite <-Z.add_move_l in H'. + rewrite <-H'. + const_simpl. + rewrite Zplus_mod, Z.mod_same, Z.add_0_l, Z.mod_mod. + rewrite Z.add_move_l in H'. + apply Z.div_small. + rewrite Z.mod_small. + solve_ineq. + apply canonical_pos; auto. + rewrite H'. + rewrite Z.lt_sub_lt_add_l. + cbv [q]. + rewrite value_reduce1. + rewrite solinas_property. + push. + const_simpl. + rewrite Z.add_comm. + solve_ineq. + apply canonical_eval_bounded; auto. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + push. + etransitivity. + apply Z.mul_lt_mono_nonneg. + solve_ineq. + eauto. + apply (canonical_bounded (S n) p). + auto. + rewrite Hp at 2. + apply in_or_app. + right. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + push. + solve_length p. + solve_length p. + eauto. + cbv [up_bound machine_wordsize]. + rewrite <-Le.Z.le_sub_1_iff. + etransitivity; [| rewrite <-Z.sub_le_mono_r; apply (weight_mono_le 1)]. + weight_comp; cbn; lia. + lia. + solve_length p. + solve_length p. + lia. + lia. + solve_length p. + const_simpl. + cbv [up_bound machine_wordsize]. + rewrite Z.lt_add_lt_sub_r. + etransitivity; [| apply (weight_dif_mono 1)]. + weight_comp; cbn; lia. + lia. + solve_ineq. + apply canonical_pos; auto. + apply canonical_eval_bounded; auto. + auto. + auto. + lia. + Qed. 
- Lemma eval_reduce_third' : forall p, - (canonical_repr (S n) p) -> - let q := reduce3 base s c n p in - ((nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1) \/ - nth_default 0 p n = 0) -> - (Positional.eval weight (S n) p) mod (s - Associational.eval c) - = (Positional.eval weight n q) mod (s - Associational.eval c). - Proof. - intros p ? q ?. - cbv [q]. - rewrite eval_reduce3. - lia. - lia. - solve_length p. - Qed. + (* END SECTION REDUCE_SECOND *) - (* END SECTION REDUCE_THIRD *) + (* SECTION REDUCE_THIRD *) - (* SECTION REDUCE_FULL] *) - Theorem reduce_full_correct : forall (p : list Z), - n <= length p -> - let r := reduce_full base s c n p in - (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) - = (Positional.eval weight n r) mod (s - Associational.eval c). - Proof. - intros p ? r; cbv [r reduce_full]; break_match. - pose proof (is_bounded_by_nth n _ _ Heqb ltac:(push) ltac:(push)) as Hnth. - repeat match goal with - | H : context[nth_default _ (_ ++ _) _] |- _ => rewrite nth_default_app in H - | H : context[snd (nth_default _ _ _)] |- _ => progress cbn in H - | H : _ |- _ => progress push' H - | _ => progress destruct lt_dec - | _ => progress intuition - | _ => lia - end. - apply is_bounded_by_loosen with (bound2:=repeat (0, 2^machine_wordsize-1) (S n)) in Heqb. - assert (canonical_repr (S n) (reduce1 base s c (2*n) (S n) p)). - rewrite canonical_is_bounded_by. - intuition; push. - rewrite <-eval_reduce3. - rewrite <-eval_reduce1. - rewrite <-eval_reduce1. - auto. - pose proof (firstn_skipn n p) as Hp; symmetry in Hp. + Lemma eval_reduce_third' : forall p, + (canonical_repr (S n) p) -> + let q := reduce3 base s c n p in + ((nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1) \/ + nth_default 0 p n = 0) -> + (Positional.eval weight (S n) p) mod (s - Associational.eval c) + = (Positional.eval weight n q) mod (s - Associational.eval c). + Proof. + intros p ? q ?. + cbv [q]. + rewrite eval_reduce3. + lia. + lia. + solve_length p. + Qed. 
- all: - repeat multimatch goal with - | _ => apply reduce_second_canonical - | _ => apply reduce_second_bounds - | _ => solve_length p - | _ => const_simpl - | _ => cbv [up_bound] - | _ => push - | _ => auto - | _ => lia - end. - weight_comp; try lia. - rewrite <-Z.mul_succ_l. - apply Zmult_lt_compat_r. - apply Z.pow_pos_nonneg; cbn; break_match; lia. - cbn; lia. - rewrite Z.lt_add_lt_sub_r. - etransitivity; [| apply (weight_dif_mono 1); lia]. - weight_comp; cbn; break_match; lia. - autounfold. - replace (S n) with (n+1)%nat. - rewrite repeat_app. - push. - cbn. - apply bounds_same. - lia. + (* END SECTION REDUCE_THIRD *) - (* not canonical *) - rewrite eval_reduce1 with (m2:=S n). - rewrite <-(firstn_skipn n (reduce1 base s c (2 * n) (S n) p)) at 1. - unfold eval at 1. - unfold to_associational. - rewrite seq_snoc. - rewrite skipn_nth_default with (d:=0). - rewrite skipn_all. - push. - apply Z.elim_mod. - const_simpl. - rewrite Z.add_comm at 1. - auto. - all: - repeat multimatch goal with - | _ => push + (* SECTION REDUCE_FULL] *) + Theorem reduce_full_correct : forall (p : list Z), + n <= length p -> + let r := reduce_full base s c n p in + (Positional.eval weight (2 * n) p) mod (s - Associational.eval c) + = (Positional.eval weight n r) mod (s - Associational.eval c). + Proof. + intros p ? r; cbv [r reduce_full]; break_match. + pose proof (is_bounded_by_nth n _ _ Heqb ltac:(push) ltac:(push)) as Hnth. + repeat match goal with + | H : context[nth_default _ (_ ++ _) _] |- _ => rewrite nth_default_app in H + | H : context[snd (nth_default _ _ _)] |- _ => progress cbn in H + | H : _ |- _ => progress push' H + | _ => progress destruct lt_dec + | _ => progress intuition | _ => lia end. - const_simpl. - cbv [up_bound]. - weight_comp; try lia. - rewrite <-Z.mul_succ_l. - apply Zmult_lt_compat_r. - apply Z.pow_pos_nonneg; cbn; break_match; lia. - cbn; lia. - Qed. 
- - (* END SECTION REDUCE_FULL *) - - (* SECTION MULMOD *) - Theorem mulmod'_correct : forall p q, - Positional.eval weight n (mulmod' base s c n p q) mod (s - Associational.eval c) = - (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). - Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. - intros. - cbv [mulmod']. - rewrite <-reduce_full_correct; push; lia. - Qed. + apply is_bounded_by_loosen with (bound2:=repeat (0, 2^machine_wordsize-1) (S n)) in Heqb. + assert (canonical_repr (S n) (reduce1 base s c (2*n) (S n) p)). + rewrite canonical_is_bounded_by. + intuition; push. + rewrite <-eval_reduce3. + rewrite <-eval_reduce1. + rewrite <-eval_reduce1. + auto. + pose proof (firstn_skipn n p) as Hp; symmetry in Hp. + + all: + repeat multimatch goal with + | _ => apply reduce_second_canonical + | _ => apply reduce_second_bounds + | _ => solve_length p + | _ => const_simpl + | _ => cbv [up_bound] + | _ => push + | _ => auto + | _ => lia + end. + weight_comp; try lia. + rewrite <-Z.mul_succ_l. + apply Zmult_lt_compat_r. + apply Z.pow_pos_nonneg; cbn; break_match; lia. + cbn; lia. + rewrite Z.lt_add_lt_sub_r. + etransitivity; [| apply (weight_dif_mono 1); lia]. + weight_comp; cbn; break_match; lia. + autounfold. + replace (S n) with (n+1)%nat. + rewrite repeat_app. + push. + cbn. + apply bounds_same. + lia. - Theorem mulmod_correct : forall p q, - Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) = - (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). - Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. - intros. - rewrite mulmod_cps_conv. - apply mulmod'_correct. - Qed. - (* END SECTION MULMOD *) + (* not canonical *) + rewrite eval_reduce1 with (m2:=S n). + rewrite <-(firstn_skipn n (reduce1 base s c (2 * n) (S n) p)) at 1. + unfold eval at 1. + unfold to_associational. + rewrite seq_snoc. 
+ rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + push. + apply Z.elim_mod. + const_simpl. + rewrite Z.add_comm at 1. + auto. + all: + repeat multimatch goal with + | _ => push + | _ => lia + end. + const_simpl. + cbv [up_bound]. + weight_comp; try lia. + rewrite <-Z.mul_succ_l. + apply Zmult_lt_compat_r. + apply Z.pow_pos_nonneg; cbn; break_match; lia. + cbn; lia. + Qed. + + (* END SECTION REDUCE_FULL *) + + (* SECTION MULMOD *) + Theorem mulmod'_correct : forall p q, + Positional.eval weight n (mulmod' base s c n p q) mod (s - Associational.eval c) = + (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. + intros. + cbv [mulmod']. + rewrite <-reduce_full_correct; push; lia. + Qed. + + Theorem mulmod_correct : forall p q, + Positional.eval weight n (mulmod base s c n p q) mod (s - Associational.eval c) = + (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c). + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. + intros. + rewrite mulmod_cps_conv. + apply mulmod'_correct. + Qed. + (* END SECTION MULMOD *) + + End mulmod. Section squaremod. 
@@ -2013,65 +2017,506 @@ Module SolinasReduction. Definition sqr_indiv base (p : list (Z * Z)) := sqr_indiv' base [] p. - Definition square_no_reduce base (p : list Z) := - let p_a := Positional.to_associational weight 4 p in - (* a0 * [a1, a2, a3] *) - let prod0 := Saturated.Associational.sat_mul base (firstn 1 p_a) (skipn 1 p_a) in - (* a3 * [a1, a2] *) - let prod1 := Saturated.Associational.sat_mul base (skipn 3 p_a) (firstn 2 (skipn 1 p_a)) in - (* first carry chain *) - let carry1_a := prod0 ++ prod1 in - let carry1_rows := Saturated.Rows.from_associational weight 8 carry1_a in - let carry1 := Saturated.Rows.flatten weight 8 carry1_rows in - (* a1 * [a2], second carry chain *) - let prod2 := Saturated.Associational.sat_mul base (firstn 1 (skipn 1 p_a)) (firstn 1 (skipn 2 p_a)) in - let carry2_rows := Saturated.Rows.from_associational weight 8 prod2 in + Definition square1 base (p : list (Z * Z)) := + let prod0 := Saturated.Associational.sat_mul base (firstn 1 p) (skipn 1 p) in + let prod1 := Saturated.Associational.sat_mul base (skipn 3 p) (firstn 2 (skipn 1 p)) in + let carry1_a := prod0 ++ prod1 in + let carry1_rows := Saturated.Rows.from_associational weight 7 carry1_a in + let carry1 := Saturated.Rows.flatten weight 7 carry1_rows in + let prod2 := Saturated.Associational.sat_mul base (firstn 1 (skipn 1 p)) (firstn 1 (skipn 2 p)) in + let carry2_rows := Saturated.Rows.from_associational weight 7 prod2 in let carry2 := Saturated.Rows.flatten' weight carry1 carry2_rows in - (* doubling, third carry chain *) let carry2 := (fst carry2) ++ [snd carry2] in - let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in - (* squaring, fourth carry chain *) - let square_a := sqr_indiv base p_a in - let square_rows := Saturated.Rows.from_associational weight 8 square_a in - let square := Saturated.Rows.flatten' weight double square_rows in - fst square. + carry2. 
- Definition squaremod base s c (p : list Z) := + Definition square_no_reduce base (p : list Z) := + if ((length p =? 4)%nat) then + let bound := (0, 2^machine_wordsize-1) in + if (is_bounded_by (repeat bound 4) p) then + let p_a := Positional.to_associational weight 4 p in + let carry2 := square1 base p_a in + let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in + let square_a := sqr_indiv base p_a in + let square_rows := Saturated.Rows.from_associational weight 8 square_a in + let square := Saturated.Rows.flatten' weight double square_rows in + fst square + else + let e := eval weight 4 p in + [e * e; 0; 0; 0; 0; 0; 0; 0] + else + let e := eval weight 4 p in + [e * e; 0; 0; 0; 0; 0; 0; 0]. + + Definition square_no_reduce_cps {T} base (p : list Z) (f : list Z -> T) := + if ((length p =? 4)%nat) then + let bound := (0, 2^machine_wordsize-1) in + if (is_bounded_by (repeat bound 4) p) then + let p_a := Positional.to_associational weight 4 p in + let carry2 := square1 base p_a in + let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in + let square_a := sqr_indiv base p_a in + let square_rows := Saturated.Rows.from_associational weight 8 square_a in + let square := Saturated.Rows.flatten' weight double square_rows in + f (fst square) + else + let e := eval weight 4 p in + f ([e * e; 0; 0; 0; 0; 0; 0; 0]) + else + let e := eval weight 4 p in + f ([e * e; 0; 0; 0; 0; 0; 0; 0]). + + Definition squaremod' base s c (p : list Z) := let sqr := square_no_reduce base p in - let r := reduce_full' base s c 4 sqr in + let r := reduce_full base s c 4 sqr in r. + Definition squaremod_cps {T} base s c (p : list Z) (f : list Z -> T) := + (sqr <- square_no_reduce_cps base p; + reduce_full_cps base s c 4 sqr f). + + Definition squaremod base s c (p : list Z) := + ltac:(let x := (eval cbv beta delta [squaremod_cps reduce_full_cps reduce1_cps reduce3_cps id] in (@squaremod_cps (list Z) base s c p id)) in + exact x). 
+ + Context (base : Z) + (s : Z) + (c : list (Z * Z)). + + Context (s_pos : s > 0) + (c_pos : Associational.eval c > 0) + (base_nz : base <> 0). + Lemma sat_mul_comm (p q : list (Z * Z)) : - Associational.eval (Associational.sat_mul s p q) = - Associational.eval (Associational.sat_mul s q p). - Proof using n_gt_1 s_pos. push; lia. Qed. + Associational.eval (Associational.sat_mul base p q) = + Associational.eval (Associational.sat_mul base q p). + Proof using base_nz. push; lia. Qed. Lemma sat_mul_distr (p q1 q2 : list (Z * Z)) : - Associational.eval (Associational.sat_mul s p (q1 ++ q2)) = - Associational.eval (Associational.sat_mul s p q1) + - Associational.eval (Associational.sat_mul s p q2). - Proof. push; lia. Qed. + Associational.eval (Associational.sat_mul base p (q1 ++ q2)) = + Associational.eval (Associational.sat_mul base p q1) + + Associational.eval (Associational.sat_mul base p q2). + Proof using base_nz. push; lia. Qed. + + Lemma cons_to_app {A} a (p : list A) : + a :: p = [a] ++ p. + Proof. reflexivity. Qed. + + Lemma flatten'_mod state (inp : list (list Z)) (n : nat) : + inp <> [] -> + Datatypes.length (fst state) = n -> + (forall row : list Z, In row inp -> Datatypes.length row = n) -> + eval weight n (fst (Rows.flatten' weight state inp)) = + (Rows.eval weight n inp + eval weight n (fst state) + weight n * snd state) mod weight n. + Proof using wprops. + intros. + rewrite Rows.flatten'_correct with (n:=n) by auto. + push. + f_equal. + lia. + Qed. + + Hint Rewrite Nat.sub_diag : const_simpl. + Hint Rewrite Z.sub_diag : const_simpl. + + Lemma eval_done n p : + (n <= length p)%nat -> + eval weight n p = eval weight n (firstn n p). + Proof using wprops. + intros. + generalize dependent n. + induction p; intros n H. + rewrite firstn_nil. + push. + destruct n. + push. + push' H. + cbv [eval to_associational]. + rewrite firstn_cons. + cbn [seq map combine]. + rewrite Associational.eval_cons. + rewrite Associational.eval_cons. 
+ rewrite !eval_seq_start with (a:=1%nat). + cbv [eval to_associational] in IHp. + rewrite IHp. + lia. + lia. + Qed. + + Lemma sum_one x : + sum [x] = x. + Proof. cbn; lia. Qed. + + Lemma square_indiv_cons (p : list (Z * Z)) (a : Z * Z) : + Associational.eval (sqr_indiv base (a :: p)) = + Associational.eval (sqr_indiv base [a]) + + Associational.eval (sqr_indiv base p). + Proof using base_nz. + cbv [sqr_indiv sqr_indiv']. + cbn [fold_right]. + push. + lia. + Qed. + + Lemma square_indiv_app (p q : list (Z * Z)) : + Associational.eval (sqr_indiv base (p ++ q)) = + Associational.eval (sqr_indiv base p) + Associational.eval (sqr_indiv base q). + Proof using base_nz. + generalize dependent q. + induction p as [| a p IHp] using rev_ind; intros q. + push. + rewrite <-app_assoc. + rewrite !IHp. + rewrite <-cons_to_app. + rewrite square_indiv_cons. + lia. + Qed. + + Lemma eval_square_indiv (p : list Z) : forall x x0 x1 x2 q, + p = x :: x0 :: x1 :: x2 :: q -> + Associational.eval (sqr_indiv base (to_associational weight 4 p)) = (Associational.eval (sat_mul base [(weight 0, x)] [(weight 0, x)]) + + (Associational.eval (sat_mul base [(weight 1, x0)] [(weight 1, x0)]) + + (Associational.eval (sat_mul base [(weight 2, x1)] [(weight 2, x1)]) + + Associational.eval (sat_mul base [(weight 3, x2)] [(weight 3, x2)])))). + Proof using base_nz wprops. + intros x x0 x1 x2 q H. + rewrite H. + cbv [to_associational]. + cbn [seq map weight combine]. + repeat multimatch goal with + | |- _ => rewrite app_comm_cons + | |- context[?x :: ?y :: ?z] => + rewrite cons_to_app with (a:=x) (p:=y::z) + | |- context[?x ++ ?y :: ?z] => + rewrite cons_to_app with (a:=y) (p:=z); + rewrite app_nil_r + end. + rewrite !square_indiv_app. + cbv [sqr_indiv sqr_indiv']. + cbn [fold_right]. + push. + Qed. + + Lemma length_square1 (p : list Z) : forall x x0 x1 x2 q, + p = x :: x0 :: x1 :: x2 :: q -> + length (square1 base (to_associational weight 4 p)) = 8%nat. + Proof using base_nz wprops. 
+ intros x x0 x1 x2 q H. + cbv [square1]. + push. + rewrite Rows.flatten'_correct with (n:=7%nat). + push. + auto. + push. + intros. + eapply Rows.length_from_associational. + eauto. + apply Rows.from_associational_nonnil. + lia. + rewrite H. + discriminate. + Qed. + + Lemma eval_square1 (p : list Z) : forall x x0 x1 x2 q, + let bound := (0, 2^machine_wordsize-1) in + is_bounded_by (repeat bound 4) p = true -> + p = x :: x0 :: x1 :: x2 :: q -> + eval weight 8 (square1 base (Positional.to_associational weight 4 p)) = + Associational.eval (sat_mul base [(weight 1, x0)] [(weight 2, x1)]) + + (Associational.eval (sat_mul base [(weight 0, x)] [(weight 1, x0)]) + + (Associational.eval (sat_mul base [(weight 0, x)] [(weight 2, x1)]) + + Associational.eval (sat_mul base [(weight 0, x)] [(weight 3, x2)])) + + (Associational.eval (sat_mul base [(weight 3, x2)] [(weight 1, x0)]) + + Associational.eval (sat_mul base [(weight 3, x2)] [(weight 2, x1)]))). + Proof using base_nz wprops. + intros x x0 x1 x2 q bound H H1. + rewrite H1. + cbv [to_associational]. + cbn [seq map combine]. + cbv [square1]. + cbn [firstn skipn]. + + rewrite H1 in H. + cbv [is_bounded_by fold_andb_map' dual_map bound] in H. + cbn [repeat combine map fold_right fst snd] in H. + repeat match goal with + | H : _ && _ = true |- _ => apply andb_prop in H + | H : _ /\ _ |- _ => destruct H + | H : _ <=? _ = true |- _ => rewrite Z.leb_le in H + end. - Definition slice' (state p : list (Z*Z)) (inds : list nat) := - fold_right (fun a b => [nth_default (0,0) p a] ++ b) state inds. + repeat multimatch goal with + | |- _ => rewrite app_comm_cons + | |- context[?x :: ?y :: ?z] => + rewrite cons_to_app with (a:=x) (p:=y::z) by discriminate + end. 
+ repeat multimatch goal with + | _ => rewrite eval_snoc_S + | _ => rewrite Rows.flatten_mod + | _ => rewrite flatten'_mod + | _ => rewrite Rows.flatten'_correct with (n:=7%nat); cbn [snd] + | _ => rewrite Rows.flatten_correct; cbn [snd] + | _ => rewrite Rows.eval_from_associational + | _ => rewrite eval_app + | _ => rewrite sat_mul_distr + | _ => cbn [fst] + end. + all: repeat match goal with + | _ => assumption + | _ => lia + | |- Rows.from_associational _ _ _ <> [] => + apply Rows.from_associational_nonnil + | |- context[length (Partition.partition _ _ _)] => + autorewrite with push_length + | |- forall _ : _, In _ _ -> _ => + intros; eapply Rows.length_from_associational; eassumption + | _ => discriminate + end. + + repeat rewrite Z.div_small. + all: repeat match goal with + | |- context[_ mod _] => rewrite Z.mod_small + end. + all: const_simpl; try lia. + all: push; solve_ineq; le_lt; replace x with (weight 0 * x) by (weight_comp; lia); etransitivity; [ + repeat match goal with + | |- _ + _ <= _ => apply OrdersEx.Z_as_DT.add_le_mono + | |- _ * _ * _ <= _ => apply Z.mul_le_mono_nonneg + | |- _ * _ <= _ => apply OrdersEx.Z_as_DT.mul_le_mono_nonneg_l + | |- 0 <= _ => solve_ineq + | H : ?x <= _ |- ?x <= _ => eassumption + end | (weight_comp; lia) ]. + Qed. + + Lemma eval_square1_bounded (p : list Z) : forall x x0 x1 x2 q, + let bound := (0, 2^machine_wordsize-1) in + is_bounded_by (repeat bound 4) p = true -> + p = x :: x0 :: x1 :: x2 :: q -> + 0 <= eval weight 8 (square1 base (to_associational weight 4 p)) < weight 7. + Proof using base_nz wprops. + intros x x0 x1 x2 q bound H H0. + erewrite eval_square1; [| eauto | eauto]. + rewrite H0 in H. + cbv [is_bounded_by fold_andb_map' dual_map bound] in H. + cbn [repeat combine map fold_right fst snd] in H. + repeat match goal with + | H : _ && _ = true |- _ => apply andb_prop in H + | H : _ /\ _ |- _ => destruct H + | H : _ <=? _ = true |- _ => rewrite Z.leb_le in H + end. 
+ push; solve_ineq; le_lt; replace x with (weight 0 * x) by (weight_comp; lia); etransitivity; + [repeat match goal with + | |- _ + _ <= _ => apply OrdersEx.Z_as_DT.add_le_mono + | |- _ * _ * _ <= _ => apply Z.mul_le_mono_nonneg + | |- _ * _ <= _ => apply OrdersEx.Z_as_DT.mul_le_mono_nonneg_l + | |- 0 <= _ => solve_ineq + | H : ?x <= _ |- ?x <= _ => eassumption + end | (weight_comp; lia) ]. + Qed. + + Theorem eval_square_no_reduce (p : list Z) : + eval weight 8 (square_no_reduce base p) = (eval weight 4 p) * (eval weight 4 p). + Proof using base_nz wprops. + rewrite <-eval_mul_no_reduce with (base:=base) by lia. + cbv [square_no_reduce]. + break_match. + + assert (exists p1 p2 p3 p4, p = p1 :: p2 :: p3 :: p4 :: nil). + { rewrite Nat.eqb_eq in Heqb. + repeat (destruct p; [cbn in Heqb; lia|]). + destruct p; [| cbn in Heqb; lia]. + eauto. } + destruct H; destruct H; destruct H; destruct H. + + pose proof (eval_square1_bounded p x x0 x1 x2 nil ltac:(auto) ltac:(auto)). + + rewrite flatten'_mod. + rewrite Rows.flatten_mod. + rewrite Rows.eval_from_associational. + + rewrite Zplus_mod. + rewrite PullPush.Z.mul_mod_full. + rewrite Z.mod_same. + const_simpl. + rewrite Zmod_mod. + rewrite Zplus_mod. + rewrite Zmod_mod. + rewrite <-Zplus_mod. + + rewrite Rows.eval_cons. + cbv [Rows.eval map]. + rewrite sum_one. + erewrite eval_square1; try eapply H. + erewrite eval_square_indiv; try eapply H. + + rewrite H. + cbv [mul_no_reduce]. + break_match. + replace (2*4)%nat with 8%nat by lia. + cbv [to_associational]. + rewrite combine_firstn_l. + cbn [seq map length]. + cbn [firstn seq map combine]. + repeat multimatch goal with + | |- _ => rewrite app_comm_cons + | |- context[?x :: ?y :: ?z] => + rewrite cons_to_app with (a:=x) (p:=y::z) + end. + rewrite Rows.flatten_mod. + rewrite Rows.eval_from_associational. + rewrite !sat_mul_distr. + repeat multimatch goal with + | |- context[sat_mul _ (?y ++ ?z) ?x] => rewrite sat_mul_comm with (p:=(y ++ z)) (q:=x) + end. 
+ rewrite !sat_mul_distr. + push. + f_equal. + lia. + auto. + lia. + auto. - Definition slice (a b : nat) (p : list (Z*Z)) := - let inds := seq a b in - slice' [] p inds. + all: repeat match goal with + | |- forall _ : _, In _ _ -> _ => + intros; eapply Rows.length_from_associational; eassumption + | _ => auto + end. + rewrite H in Heqb0. + rewrite Heqb0 in Heqb1. + lia. + repeat match goal with + | H : In _ (_ :: _) |- _ => + apply in_inv in H + | H : In _ [] |- _ => apply in_nil in H; lia + | H : _ = ?x |- length ?x = _ => rewrite <-H + | _ => eapply length_square1; eauto + | _ => intuition + end. + apply Rows.from_associational_nonnil. + lia. + rewrite H. + discriminate. + push. + repeat match goal with + | H : In _ (_ :: _) |- _ => + apply in_inv in H + | H : In _ [] |- _ => apply in_nil in H; lia + | H : _ = ?x |- length ?x = _ => rewrite <-H + | _ => eapply length_square1; eauto + | _ => intuition + end. - Lemma skipn_firstn_decomp (p : list (Z*Z)) (a b : nat) : - firstn b (skipn a p) = slice a (a + b) p. + + push. + rewrite eval_mul_no_reduce. + lia. + lia. + lia. + push. + rewrite eval_mul_no_reduce. + lia. + lia. + lia. + Qed. + + Theorem length_square_no_reduce (p : list Z): + length (square_no_reduce base p) = 8%nat. + Proof using base_nz wprops. + cbv [square_no_reduce]. + break_match. + assert (exists p1 p2 p3 p4, p = p1 :: p2 :: p3 :: p4 :: nil). + { rewrite Nat.eqb_eq in Heqb. + repeat (destruct p; [cbn in Heqb; lia|]). + destruct p; [| cbn in Heqb; lia]. + eauto. } + destruct H; destruct H; destruct H; destruct H. + rewrite Rows.flatten'_correct with (n:=8%nat). + push. + repeat match goal with + | H : In _ (_ :: _) |- _ => + apply in_inv in H + | H : In _ [] |- _ => apply in_nil in H; lia + | H : _ = ?x |- length ?x = _ => rewrite <-H + | _ => eapply length_square1; eauto + | _ => intuition + end. + auto. + push. 
+ repeat match goal with + | H : In _ (_ :: _) |- _ => + apply in_inv in H + | H : In _ [] |- _ => apply in_nil in H; lia + | H : _ = ?x |- length ?x = _ => rewrite <-H + | _ => eapply length_square1; eauto + | _ => intuition + end. + intros; eapply Rows.length_from_associational; eauto. + apply Rows.from_associational_nonnil. + lia. + rewrite H. + discriminate. + push. + push. + Qed. + + Context (mod_nz : s - Associational.eval c <> 0) + (solinas_property : Rows.adjust_s weight (S (S 4)) s = (weight 4, true)) + (coef_small : weight 4 / s * Associational.eval c < up_bound). + + Lemma square_no_reduce_cps_ok {T} (f : list Z -> T) : forall p, + square_no_reduce_cps base p f = f (square_no_reduce base p). Proof. - induction p. - rewrite skipn_nil. - rewrite firstn_nil. - Admitted. + intros. + cbv [square_no_reduce square_no_reduce_cps]. + break_match; reflexivity. + Qed. - Theorem square_no_reduce_correct (p : list Z) : - eval weight 4 (square_no_reduce base p) = (eval weight 4 p) * (eval weight 4 p). + Lemma squaremod_cps_ok : forall {T} p (f : list Z -> T), + squaremod_cps base s c p f = f (squaremod' base s c p). Proof. - cbv [square_no_reduce]. - Admitted. + intros. + cbv [squaremod' squaremod_cps]. + rewrite square_no_reduce_cps_ok, reduce_full_cps_ok. + reflexivity. + Qed. + + Lemma squaremod_unfold : forall p, + squaremod' base s c p = squaremod_cps base s c p id. + Proof. + intros. + rewrite squaremod_cps_ok. + reflexivity. + Qed. + + Lemma squaremod_cps_conv : forall p, + squaremod base s c p = squaremod' base s c p. + Proof. + intros. + rewrite squaremod_unfold. + reflexivity. + Qed. + + Lemma squaremod'_correct : forall p, + Positional.eval weight 4 (squaremod' base s c p) mod (s - Associational.eval c) = + (Positional.eval weight 4 p * Positional.eval weight 4 p) mod (s - Associational.eval c). + Proof using base_nz c_pos coef_small mod_nz s_pos solinas_property wprops. + intros. + cbv [squaremod']. + rewrite <-reduce_full_correct. 
+ rewrite eval_square_no_reduce. + all: try lia. + assumption. + rewrite length_square_no_reduce. + lia. + Qed. + + Theorem squaremod_correct : forall p , + Positional.eval weight 4 (squaremod base s c p) mod (s - Associational.eval c) = + (Positional.eval weight 4 p * Positional.eval weight 4 p) mod (s - Associational.eval c). + Proof using base_nz c_pos coef_small mod_nz s_pos solinas_property wprops. + intros. + rewrite squaremod_cps_conv. + apply squaremod'_correct. + Qed. End squaremod. diff --git a/src/COperationSpecifications.v b/src/COperationSpecifications.v index b1d26974c2..a141129214 100644 --- a/src/COperationSpecifications.v +++ b/src/COperationSpecifications.v @@ -500,7 +500,9 @@ Module SolinasReduction. (n : nat) (m : Z) (saturated_bounds : list (option zrange)) - (length_saturated_bouns : length saturated_bounds = n). + (length_saturated_bounds : length saturated_bounds = n) + (saturated_bounds4 : list (option zrange)) + (length_saturated_bounds4 : length saturated_bounds = 4%nat). Local Notation eval := (Positional.eval wt n). Local Notation eval4 := (Positional.eval wt 4). @@ -515,9 +517,9 @@ Module SolinasReduction. Definition square_correct (square : list Z -> list Z) := forall x, - list_Z_bounded_by saturated_bounds x -> + list_Z_bounded_by saturated_bounds4 x -> ((eval4 (square x)) mod m = (eval4 x * eval4 x) mod m) /\ - (list_Z_bounded_by saturated_bounds (square x)). + (list_Z_bounded_by saturated_bounds4 (square x)). End __. End SolinasReduction. diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index 5919e39c24..3565874107 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v 
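Review bot: `square_no_reduce` and `square_no_reduce_cps` carry two copies of the same three-way body (the `length p =? 4` test, the `is_bounded_by` test, the `square1`/`sqr_indiv`/`flatten'` chain and the two `[e * e; 0; 0; 0; 0; 0; 0; 0]` fallbacks), and `square_no_reduce_cps_ok` only holds for as long as the two copies stay byte-identical. Defining the direct version as `Definition square_no_reduce base (p : list Z) := square_no_reduce_cps base p id.` (or deriving it from the CPS one) removes the duplication and should make that lemma a `reflexivity`. The fallback limb lists also deserve a one-line comment such as `(* out-of-spec inputs: any list whose eval is e*e, so eval_square_no_reduce holds unconditionally; not a saturated representation *)`, and `square1` hard-codes the width `7` where `square_no_reduce` uses `8` without saying why the carry limb accounts for the difference (`length_square1` is what establishes it). The enclosing `Section squaremod` opens before this hunk.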
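Review bot: The new hypothesis `(length_saturated_bounds4 : length saturated_bounds = 4%nat)` constrains `saturated_bounds`, not the newly introduced `saturated_bounds4`; together with `length_saturated_bounds : length saturated_bounds = n` it silently forces `n = 4` for every instantiation of this section and leaves `saturated_bounds4` with no length fact at all. It should read `(length_saturated_bounds4 : length saturated_bounds4 = 4%nat)`. The second hunk (`@@ -515`) switches `square_correct` to `saturated_bounds4`, so that is the definition the corrected fact is meant to serve.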
@@ -87,6 +87,7 @@ Section __. Local Notation possible_values := possible_values_of_machine_wordsize. Local Notation boundsn := (saturated_bounds n machine_wordsize). + Local Notation bounds4 := (saturated_bounds 4 machine_wordsize). Local Existing Instance default_translate_to_fancy. Local Instance no_select_size : no_select_size_opt := no_select_size_of_no_select machine_wordsize. @@ -111,6 +112,9 @@ Section __. ; (fst (Rows.adjust_s weight (S (S n)) s) =? weight n, Pipeline.Values_not_provably_equalZ "fst (Rows.adjust_s weight (S (S n)) s) = weight n" (fst (Rows.adjust_s weight (S (S n)) s)) (weight n)) ; (snd (Rows.adjust_s weight (S (S n)) s), Pipeline.Invalid_argument "tmp") ; (weight n / s * Associational.eval c 0 /\ Rows.adjust_s weight (S (S n)) s = (weight n, true) /\ - weight n / s * Associational.eval c < up_bound. + weight n / s * Associational.eval c < up_bound /\ + Rows.adjust_s weight (S (S 4)) s = (weight 4, true) /\ + weight 4 / s * Associational.eval c < up_bound. Proof using curve_good. prepare_use_curve_good (). { use_curve_good_t. } @@ -144,6 +150,10 @@ Section __. | |- ?x = _ => rewrite surjective_pairing with (p:=x) end. congruence. } + { lazymatch goal with + | |- ?x = _ => rewrite surjective_pairing with (p:=x) + end. + congruence. } Qed. Local Notation eval4f := (eval weight 4). @@ -184,8 +194,8 @@ Section __. @ GallinaReify.Reify base @ GallinaReify.Reify s @ GallinaReify.Reify c) - (Some boundsn, tt) - (Some boundsn). + (Some bounds4, tt) + (Some bounds4). Definition smul (prefix : string) : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _)) 
@@ -203,7 +213,7 @@ Section __. machine_wordsize prefix "square" square (docstring_with_summary_from_lemma! (fun fname : string => [text_before_function_name ++ fname ++ " squares a field element."]%string) - (square_correct weightf m boundsn)). + (square_correct weightf m bounds4)). Local Ltac solve_extra_bounds_side_conditions := cbn [lower upper fst snd] in *; Bool.split_andb; Z.ltb_to_lt; lia. @@ -232,7 +242,15 @@ Section __. Lemma square_correct res (Hres : square = Success res) : square_correct weight m boundsn (Interp res). - Proof. Admitted. + Proof using curve_good. + + prove_correctness (). + cbv [evalf weightf eval4f weight up_bound] in *. + match goal with + | H : machine_wordsize = _ |- _ => rewrite H in * + end. + apply (fun pf => @SolinasReduction.SolinasReduction.squaremod_correct (@wprops _ _ pf)); auto; lia. + Admitted. Lemma Wf_square res (Hres : square = Success res) : Wf res. Proof using Type. prove_pipeline_wf (). Qed. diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v index 468af07e54..af924f79cd 100644 --- a/src/SlowPrimeSynthesisExamples.v +++ b/src/SlowPrimeSynthesisExamples.v 
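Review bot: `square_correct` still ends in `Admitted.` after the `apply (fun pf => @SolinasReduction.SolinasReduction.squaremod_correct (@wprops _ _ pf)); auto; lia.` line, so the correctness statement for the synthesized `square` remains an axiom even though the script now opens with `Proof using curve_good.`; the goals that survive `auto; lia` should be named in a comment, or the lemma kept as the original one-line `Proof. Admitted.` until they close, so a reader does not mistake the script for a finished proof. Separately, the unchanged statement line `square_correct weight m boundsn (Interp res)` still uses `boundsn` while the hunks at `@@ -184` and `@@ -203` move the pipeline bounds and the docstring to `bounds4`; the lemma presumably needs `bounds4` as well, otherwise it asserts bounds the pipeline no longer checks. The stray blank line after `Proof using curve_good.` can go.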
@@ -71,59 +71,6 @@ Module debugging_solinas_reduction. Import Associational. Import Positional. - Definition sqr_indiv' base (state : list (Z * Z)) (p : list (Z * Z)) := - fold_right (fun a b => b ++ Saturated.Associational.sat_mul base [a] [a]) state p. - - Definition sqr_indiv base (p : list (Z * Z)) := - sqr_indiv' base [] p. - - Definition square_no_reduce base (p : list Z) := - let p_a := Positional.to_associational weight 4 p in - (* a0 * [a1, a2, a3] *) - let prod0 := Saturated.Associational.sat_mul base (firstn 1 p_a) (skipn 1 p_a) in - (* a3 * [a1, a2] *) - let prod1 := Saturated.Associational.sat_mul base (skipn 3 p_a) (firstn 2 (skipn 1 p_a)) in - (* first carry chain *) - let carry1_a := prod0 ++ prod1 in - let carry1_rows := Saturated.Rows.from_associational weight 8 carry1_a in - let carry1 := Saturated.Rows.flatten weight 8 carry1_rows in - (* a1 * [a2], second carry chain *) - let prod2 := Saturated.Associational.sat_mul base (firstn 1 (skipn 1 p_a)) (firstn 1 (skipn 2 p_a)) in - let carry2_rows := Saturated.Rows.from_associational weight 8 prod2 in - let carry2 := Saturated.Rows.flatten' weight carry1 carry2_rows in - (* doubling, third carry chain *) - let carry2 := (fst carry2) ++ [snd carry2] in - let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in - (* squaring, fourth carry chain *) - let square_a := sqr_indiv base p_a in - let square_rows := Saturated.Rows.from_associational weight 8 square_a in - let square := Saturated.Rows.flatten' weight double square_rows in - fst square. - - Definition squaremod base s c (n : Z) (p : list Z) := - let sqr := square_no_reduce base p in - let r := reduce_full' base s c 4 sqr in - r. - - Print Z.add_with_get_carry. - Print Z.add_with_carry. - Print Z.get_carry. 
- - Definition reduce3 base s c n (p : list Z) := - let bound := (0, 2^machine_wordsize-1) in - let bounds := (repeat bound n) ++ [(0, 1)] in - let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in - let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in - let coef := Associational.eval coef_a in - dlet_nd hi := Z.zselect (nth_default 0 p n) 0 coef in - let lo := Z.add_get_carry machine_wordsize hi (nth_default 0 p 0) in - if (is_bounded_by bounds p) then - [fst lo] ++ (skipn 1 (firstn n p)) - else - let hi' := coef * (nth_default 0 p n) in - add_to_nth 0 hi' (firstn n p). - - End __. Section compile. @@ -190,12 +137,12 @@ Module debugging_solinas_reduction. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (mulmod base s c n) in + let r := Reify (squaremod base s c) in exact r) (fun _ _ => []) - (Some (repeat bound (n)), (Some (repeat bound (n)), tt)) - (Some (repeat bound (n))) - (None, (None, tt)) + (Some (repeat bound n), tt) + (Some (repeat bound n)) + (None, tt) (None) : Pipeline.ErrorT _). From 38778967e50a8d08aad42bf18071919530636906 Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Sun, 6 Nov 2022 18:51:46 -0500 Subject: [PATCH 61/69] push squaremod through CLI --- fiat-c/src/curve25519_solinas_64.c | 2 +- .../64/curve25519solinas/curve25519solinas.go | 2 +- fiat-rust/src/curve25519_solinas_64.rs | 2 +- fiat-zig/src/curve25519_solinas_64.zig | 2 +- src/Arithmetic/SolinasReduction.v | 364 ++++++++++-------- src/COperationSpecifications.v | 15 +- src/PushButtonSynthesis/SolinasReduction.v | 37 +- src/SlowPrimeSynthesisExamples.v | 20 +- 8 files changed, 227 insertions(+), 217 deletions(-) diff --git a/fiat-c/src/curve25519_solinas_64.c b/fiat-c/src/curve25519_solinas_64.c index 8fb77232a9..b56ef7cf3f 100644 --- a/fiat-c/src/curve25519_solinas_64.c +++ b/fiat-c/src/curve25519_solinas_64.c 
@@ -360,7 +360,7 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint * The function fiat_curve25519_solinas_square squares a field element. * * Postconditions: - * eval4 out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval4 arg1 * eval4 arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 + * eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 * * Input Bounds: * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] diff --git a/fiat-go/64/curve25519solinas/curve25519solinas.go b/fiat-go/64/curve25519solinas/curve25519solinas.go index 57c1fe6d35..1bf385b9cd 100644 --- a/fiat-go/64/curve25519solinas/curve25519solinas.go +++ b/fiat-go/64/curve25519solinas/curve25519solinas.go @@ -252,7 +252,7 @@ func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { // Square squares a field element. // // Postconditions: -// eval4 out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval4 arg1 * eval4 arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 // // Input Bounds: // arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] diff --git a/fiat-rust/src/curve25519_solinas_64.rs b/fiat-rust/src/curve25519_solinas_64.rs index 566b7134b2..6f0de7a949 100644 --- a/fiat-rust/src/curve25519_solinas_64.rs +++ b/fiat-rust/src/curve25519_solinas_64.rs 
@@ -316,7 +316,7 @@ pub fn fiat_curve25519_solinas_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: & /// The function fiat_curve25519_solinas_square squares a field element. /// /// Postconditions: -/// eval4 out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval4 arg1 * eval4 arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 /// /// Input Bounds: /// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig index 69d211f896..320fc1eb41 100644 --- a/fiat-zig/src/curve25519_solinas_64.zig +++ b/fiat-zig/src/curve25519_solinas_64.zig @@ -329,7 +329,7 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { /// The function square squares a field element. /// /// Postconditions: -/// eval4 out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval4 arg1 * eval4 arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg1) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 /// /// Input Bounds: /// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index a5d7d24341..cef7d77854 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v 
@@ -853,14 +853,18 @@ Module SolinasReduction. add_to_nth 0 (weight (2 * n) * snd pq) (fst pq). Definition reduce1 base s c n m (p : list Z) := - let p_a := Positional.to_associational weight n p in - let r_a := sat_reduce base s c n p_a in - let r_rows := Saturated.Rows.from_associational weight m r_a in - let r_flat := Saturated.Rows.flatten weight m r_rows in let bound := (0, 2^machine_wordsize - 1) in if (is_bounded_by (repeat bound n) p) then + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight m r_a in + let r_flat := Saturated.Rows.flatten weight m r_rows in fst r_flat else + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight m r_a in + let r_flat := Saturated.Rows.flatten weight m r_rows in add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat). (* S n -> n limbs *) @@ -882,10 +886,9 @@ Module SolinasReduction. let r1 := reduce1 base s c (2*n) (S n) p in let bound := (0, 2^machine_wordsize - 1) in let bounds := repeat bound n ++ [(0, up_bound-1)] in - if (is_bounded_by bounds r1) then - let r2 := reduce1 base s c (S n) (S n) r1 in - let r3 := reduce3 base s c n r2 in - r3 + let r2 := reduce1 base s c (S n) (S n) r1 in + let r3 := reduce3 base s c n r2 in + if (is_bounded_by bounds r1) then r3 else add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1). Definition mulmod' base s c n (p q : list Z) := 
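Review bot: The four `let` bindings for `p_a`, `r_a`, `r_rows` and `r_flat` are now copied verbatim into both branches of the `is_bounded_by` test in `reduce1`, and the same duplication appears in `reduce1_cps` in the following hunk. If this is deliberate — presumably so that the bounds analysis treats the bindings separately under each branch instead of sharing one instance above the `if` — nothing records that, and a later cleanup would naturally hoist them back out and silently undo it. A one-line comment above the `if`, e.g. `(* bindings are duplicated per branch on purpose: keep them under the is_bounded_by test so each branch is analysed on its own *)`, would protect the shape; if it is not deliberate, the original single binding block is the simpler form.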
@@ -894,14 +897,18 @@ Module SolinasReduction. red. Definition reduce1_cps {T} base s c n m (p : list Z) (f : list Z -> T) := - let p_a := Positional.to_associational weight n p in - let r_a := sat_reduce base s c n p_a in - let r_rows := Saturated.Rows.from_associational weight m r_a in - let r_flat := Saturated.Rows.flatten weight m r_rows in let bound := (0, 2^machine_wordsize - 1) in if (is_bounded_by (repeat bound n) p) then + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight m r_a in + let r_flat := Saturated.Rows.flatten weight m r_rows in f (fst r_flat) else + let p_a := Positional.to_associational weight n p in + let r_a := sat_reduce base s c n p_a in + let r_rows := Saturated.Rows.from_associational weight m r_a in + let r_flat := Saturated.Rows.flatten weight m r_rows in f (add_to_nth 0 (weight (m) * snd r_flat) (fst r_flat)). Lemma reduce1_cps_ok {T} base s c n m (f : list Z -> T) : forall p, @@ -938,11 +945,11 @@ Module SolinasReduction. (r1 <- reduce1_cps base s c (2*n) (S n) p; (let bound := (0, 2^machine_wordsize - 1) in let bounds := repeat bound n ++ [(0, up_bound-1)] in - if (is_bounded_by bounds r1) then - (r2 <- reduce1_cps base s c (S n) (S n) r1; - reduce3_cps base s c n r2 f) - else - f (add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1)))). + r2 <- reduce1_cps base s c (S n) (S n) r1; + (if (is_bounded_by bounds r1) then + reduce3_cps base s c n r2 f + else + f (add_to_nth 0 (weight n * nth_default 0 r1 n) (firstn n r1))))). Definition reduce_full' base s c n p := ltac:(let x := (eval cbv beta delta [reduce_full_cps reduce1_cps reduce3_cps id] in (@reduce_full_cps (list Z) base s c n p id)) in @@ -1617,6 +1624,10 @@ Module SolinasReduction. f_equal. rewrite Z.mod_small. lia. + (* solve_ineq. *) + (* etransitivity. *) + (* Search (_ + _ < _). *) + admit. lia. push. 
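Review bot: An `admit.` is introduced into the middle of this proof script (the `-1617` hunk), next to three commented-out tactic lines, so the enclosing lemma — whose statement and closing command both lie outside the hunk — can no longer end in `Qed.` and must be `Admitted`; every downstream result that uses it, potentially including the `squaremod_correct` theorem this file exports, then rests on an unproved obligation. If the obligation is meant to be discharged later, a comment naming the missing fact helps the next reader locate it, e.g. `(* TODO: prove the remaining inequality; currently admitted *)` in place of the dead `(* solve_ineq. *)` / `(* etransitivity. *)` / `(* Search (_ + _ < _). *)` lines. If the `admit.` was left in by accident, it should be removed before this lands.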
@@ -1738,7 +1749,7 @@ Module SolinasReduction. canonical_repr (S n) p -> (nth_default 0 p n) < up_bound -> let q := reduce1 base s c (S n) (S n) p in - (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1) \/ + (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1 (* /\ nth_default 0 q 0 < up_bound *)) \/ nth_default 0 q n = 0. Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. intros p ? ? q. @@ -1801,6 +1812,7 @@ Module SolinasReduction. destruct Hnth as [Hnth1 | Hnth2]. intuition. left. + intuition. assert (Hcanonq' := Hcanonq). destruct Hcanonq' as [_ Hpart]. @@ -1880,6 +1892,48 @@ Module SolinasReduction. auto. auto. lia. + + (* destruct Hcanonq as [ _ Hpartq]. *) + (* rewrite Hpartq. *) + (* push. *) + (* cbv [q]. *) + (* rewrite value_reduce1. *) + (* rewrite solinas_property. *) + (* push. *) + (* const_simpl. *) + + (* assert *) + (* assert (H' : eval weight (S n) q - weight n < up_bound * up_bound + 1). *) + (* cbv [q]. *) + (* rewrite value_reduce1. *) + (* rewrite solinas_property. *) + (* push. *) + (* const_simpl. *) + (* rewrite skipn_nth_default with (d:=0). *) + (* rewrite skipn_all. *) + (* etransitivity. *) + (* apply Z.add_lt_mono_r. *) + (* apply OrdersEx.Z_as_DT.add_lt_mono. *) + (* cbv [eval to_associational]. *) + (* cbn [seq map combine]. *) + (* apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. *) + (* solve_ineq. *) + (* eauto. *) + (* push. *) + (* admit. *) + (* push. *) + (* eauto. *) + (* apply canonical_eval_bounded; auto. *) + (* rewrite <-Z.add_assoc. *) + (* rewrite Z.add_opp_diag_r. *) + (* all: try lia. *) + (* all: try (solve_length p). *) + (* const_simpl. *) + (* admit. *) + + (* destruct Hcanonq as [_ Hqpart]. *) + (* rewrite Hqpart in H'. *) + (* push' H'. *) Qed. (* END SECTION REDUCE_SECOND *) 
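Review bot: Roughly forty lines of commented-out tactic script are added between the final `lia.` and `Qed.` in the `-1880` hunk, and a commented-out conjunct `(* /\ nth_default 0 q 0 < up_bound *)` is added to the lemma statement in the `-1738` hunk. Commented-out proof attempts are never checked by Coq and go stale as soon as a lemma name or goal shape changes, so they tend to mislead rather than help. If the intent is to record a planned strengthening of the lemma, a single `(* TODO: strengthen the left disjunct with nth_default 0 q 0 < up_bound *)` captures that, and the experiment itself can be recovered from the commit history.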
@@ -2029,87 +2083,131 @@ Module SolinasReduction. let carry2 := (fst carry2) ++ [snd carry2] in carry2. - Definition square_no_reduce base (p : list Z) := - if ((length p =? 4)%nat) then - let bound := (0, 2^machine_wordsize-1) in - if (is_bounded_by (repeat bound 4) p) then - let p_a := Positional.to_associational weight 4 p in - let carry2 := square1 base p_a in - let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in - let square_a := sqr_indiv base p_a in - let square_rows := Saturated.Rows.from_associational weight 8 square_a in - let square := Saturated.Rows.flatten' weight double square_rows in - fst square + Definition square_no_reduce base n (p : list Z) := + let p_a := Positional.to_associational weight 4 p in + let carry2 := square1 base p_a in + let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in + let square_a := sqr_indiv base p_a in + let square_rows := Saturated.Rows.from_associational weight 8 square_a in + let square := Saturated.Rows.flatten' weight double square_rows in + let bound := (0, 2^machine_wordsize-1) in + if ((n =? 4)%nat) then + if ((length p =? 4)%nat) then + if (is_bounded_by (repeat bound 4) p) then + fst square + else + mul_no_reduce base n p p else - let e := eval weight 4 p in - [e * e; 0; 0; 0; 0; 0; 0; 0] + mul_no_reduce base n p p else - let e := eval weight 4 p in - [e * e; 0; 0; 0; 0; 0; 0; 0]. - - Definition square_no_reduce_cps {T} base (p : list Z) (f : list Z -> T) := - if ((length p =? 4)%nat) then - let bound := (0, 2^machine_wordsize-1) in - if (is_bounded_by (repeat bound 4) p) then - let p_a := Positional.to_associational weight 4 p in - let carry2 := square1 base p_a in - let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in - let square_a := sqr_indiv base p_a in - let square_rows := Saturated.Rows.from_associational weight 8 square_a in - let square := Saturated.Rows.flatten' weight double square_rows in - f (fst square) + mul_no_reduce base n p p. 
+ + Definition square_no_reduce_cps {T} base n (p : list Z) (f : list Z -> T) := + let p_a := Positional.to_associational weight 4 p in + let carry2 := square1 base p_a in + let double := Saturated.Rows.flatten weight 8 [carry2; carry2] in + let square_a := sqr_indiv base p_a in + let square_rows := Saturated.Rows.from_associational weight 8 square_a in + let square := Saturated.Rows.flatten' weight double square_rows in + let bound := (0, 2^machine_wordsize-1) in + if ((n =? 4)%nat) then + if ((length p =? 4)%nat) then + if (is_bounded_by (repeat bound 4) p) then + f (fst square) + else + mul_no_reduce_cps base n p p f else - let e := eval weight 4 p in - f ([e * e; 0; 0; 0; 0; 0; 0; 0]) + mul_no_reduce_cps base n p p f else - let e := eval weight 4 p in - f ([e * e; 0; 0; 0; 0; 0; 0; 0]). + mul_no_reduce_cps base n p p f. - Definition squaremod' base s c (p : list Z) := - let sqr := square_no_reduce base p in - let r := reduce_full base s c 4 sqr in + Definition squaremod' base s c n (p : list Z) := + let sqr := square_no_reduce base n p in + let r := reduce_full base s c n sqr in r. - Definition squaremod_cps {T} base s c (p : list Z) (f : list Z -> T) := - (sqr <- square_no_reduce_cps base p; - reduce_full_cps base s c 4 sqr f). + Definition squaremod_cps {T} base s c n (p : list Z) (f : list Z -> T) := + (sqr <- square_no_reduce_cps base n p; + reduce_full_cps base s c n sqr f). - Definition squaremod base s c (p : list Z) := - ltac:(let x := (eval cbv beta delta [squaremod_cps reduce_full_cps reduce1_cps reduce3_cps id] in (@squaremod_cps (list Z) base s c p id)) in + Definition squaremod base s c n (p : list Z) := + ltac:(let x := (eval cbv beta delta [squaremod_cps square_no_reduce_cps mul_no_reduce_cps reduce_full_cps reduce1_cps reduce3_cps id] in (@squaremod_cps (list Z) base s c n p id)) in exact x). Context (base : Z) (s : Z) - (c : list (Z * Z)). + (c : list (Z * Z)) + (n : nat). 
- Context (s_pos : s > 0) + Context (n_gt_1 : (n > 1)%nat) + (s_pos : s > 0) (c_pos : Associational.eval c > 0) - (base_nz : base <> 0). + (mod_nz : s - Associational.eval c <> 0) + (base_nz : base <> 0) + (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) + (coef_small : weight n / s * Associational.eval c < up_bound). + + Lemma square_no_reduce_cps_ok {T} (f : list Z -> T) : forall p, + square_no_reduce_cps base n p f = f (square_no_reduce base n p). + Proof. + intros. + cbv [square_no_reduce square_no_reduce_cps]. + break_match. + reflexivity. + apply mul_no_reduce_cps_ok. + apply mul_no_reduce_cps_ok. + apply mul_no_reduce_cps_ok. + Qed. + + Lemma squaremod_cps_ok : forall {T} p (f : list Z -> T), + squaremod_cps base s c n p f = f (squaremod' base s c n p). + Proof. + intros. + cbv [squaremod' squaremod_cps]. + rewrite square_no_reduce_cps_ok, reduce_full_cps_ok. + reflexivity. + Qed. + + Lemma squaremod_unfold : forall p, + squaremod' base s c n p = squaremod_cps base s c n p id. + Proof. + intros. + rewrite squaremod_cps_ok. + reflexivity. + Qed. + + Lemma squaremod_cps_conv : forall p, + squaremod base s c n p = squaremod' base s c n p. + Proof. + intros. + rewrite squaremod_unfold. + reflexivity. + Qed. Lemma sat_mul_comm (p q : list (Z * Z)) : Associational.eval (Associational.sat_mul base p q) = Associational.eval (Associational.sat_mul base q p). - Proof using base_nz. push; lia. Qed. + Proof using base_nz n_gt_1. push; lia. Qed. Lemma sat_mul_distr (p q1 q2 : list (Z * Z)) : Associational.eval (Associational.sat_mul base p (q1 ++ q2)) = Associational.eval (Associational.sat_mul base p q1) + Associational.eval (Associational.sat_mul base p q2). - Proof using base_nz. push; lia. Qed. + Proof using base_nz n_gt_1. push; lia. Qed. Lemma cons_to_app {A} a (p : list A) : a :: p = [a] ++ p. Proof. reflexivity. Qed. 
- Lemma flatten'_mod state (inp : list (list Z)) (n : nat) : + Lemma flatten'_mod state (inp : list (list Z)) (m : nat) : inp <> [] -> - Datatypes.length (fst state) = n -> - (forall row : list Z, In row inp -> Datatypes.length row = n) -> - eval weight n (fst (Rows.flatten' weight state inp)) = - (Rows.eval weight n inp + eval weight n (fst state) + weight n * snd state) mod weight n. - Proof using wprops. + Datatypes.length (fst state) = m -> + (forall row : list Z, In row inp -> Datatypes.length row = m) -> + eval weight m (fst (Rows.flatten' weight state inp)) = + (Rows.eval weight m inp + eval weight m (fst state) + weight m * snd state) mod weight m. + Proof using n_gt_1 wprops. intros. - rewrite Rows.flatten'_correct with (n:=n) by auto. + rewrite Rows.flatten'_correct with (n:=m) by auto. push. f_equal. lia. @@ -2118,30 +2216,6 @@ Module SolinasReduction. Hint Rewrite Nat.sub_diag : const_simpl. Hint Rewrite Z.sub_diag : const_simpl. - Lemma eval_done n p : - (n <= length p)%nat -> - eval weight n p = eval weight n (firstn n p). - Proof using wprops. - intros. - generalize dependent n. - induction p; intros n H. - rewrite firstn_nil. - push. - destruct n. - push. - push' H. - cbv [eval to_associational]. - rewrite firstn_cons. - cbn [seq map combine]. - rewrite Associational.eval_cons. - rewrite Associational.eval_cons. - rewrite !eval_seq_start with (a:=1%nat). - cbv [eval to_associational] in IHp. - rewrite IHp. - lia. - lia. - Qed. - Lemma sum_one x : sum [x] = x. Proof. cbn; lia. Qed. @@ -2150,7 +2224,7 @@ Module SolinasReduction. Associational.eval (sqr_indiv base (a :: p)) = Associational.eval (sqr_indiv base [a]) + Associational.eval (sqr_indiv base p). - Proof using base_nz. + Proof using base_nz n_gt_1. cbv [sqr_indiv sqr_indiv']. cbn [fold_right]. push. 
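Review bot: `square_no_reduce` and `square_no_reduce_cps` take a new `n` argument, but their bodies remain hard-wired to four limbs (`to_associational weight 4`, `flatten weight 8`, `repeat bound 4`); `n` is consulted only in the `n =? 4` guard, and every other case — including an input of the wrong length or out of bounds — falls through to `mul_no_reduce base n p p`. That is sound but surprising next to an `n`-parameterised signature, so a header comment would help, e.g. `(* Dedicated squaring is implemented only for n = 4 limbs; any other n, length or bound falls back to the generic mul_no_reduce base n p p. *)`. Two smaller points: `Proof using base_nz n_gt_1` on `sat_mul_comm` and `sat_mul_distr` adds a dependency on `n_gt_1` that these lemmas about `base` do not appear to need, and `square_no_reduce_cps_ok` spells out `apply mul_no_reduce_cps_ok.` three times after `break_match.`, where `break_match; try reflexivity; apply mul_no_reduce_cps_ok.` reads as one step.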
@@ -2160,7 +2234,7 @@ Module SolinasReduction. Lemma square_indiv_app (p q : list (Z * Z)) : Associational.eval (sqr_indiv base (p ++ q)) = Associational.eval (sqr_indiv base p) + Associational.eval (sqr_indiv base q). - Proof using base_nz. + Proof using base_nz n_gt_1. generalize dependent q. induction p as [| a p IHp] using rev_ind; intros q. push. @@ -2177,7 +2251,7 @@ Module SolinasReduction. (Associational.eval (sat_mul base [(weight 1, x0)] [(weight 1, x0)]) + (Associational.eval (sat_mul base [(weight 2, x1)] [(weight 2, x1)]) + Associational.eval (sat_mul base [(weight 3, x2)] [(weight 3, x2)])))). - Proof using base_nz wprops. + Proof using base_nz wprops n_gt_1. intros x x0 x1 x2 q H. rewrite H. cbv [to_associational]. @@ -2199,7 +2273,7 @@ Module SolinasReduction. Lemma length_square1 (p : list Z) : forall x x0 x1 x2 q, p = x :: x0 :: x1 :: x2 :: q -> length (square1 base (to_associational weight 4 p)) = 8%nat. - Proof using base_nz wprops. + Proof using base_nz wprops n_gt_1. intros x x0 x1 x2 q H. cbv [square1]. push. @@ -2227,7 +2301,7 @@ Module SolinasReduction. Associational.eval (sat_mul base [(weight 0, x)] [(weight 3, x2)])) + (Associational.eval (sat_mul base [(weight 3, x2)] [(weight 1, x0)]) + Associational.eval (sat_mul base [(weight 3, x2)] [(weight 2, x1)]))). - Proof using base_nz wprops. + Proof using base_nz wprops n_gt_1. intros x x0 x1 x2 q bound H H1. rewrite H1. cbv [to_associational]. @@ -2292,7 +2366,7 @@ Module SolinasReduction. is_bounded_by (repeat bound 4) p = true -> p = x :: x0 :: x1 :: x2 :: q -> 0 <= eval weight 8 (square1 base (to_associational weight 4 p)) < weight 7. - Proof using base_nz wprops. + Proof using base_nz wprops n_gt_1. intros x x0 x1 x2 q bound H H0. erewrite eval_square1; [| eauto | eauto]. rewrite H0 in H. 
@@ -2314,16 +2388,17 @@ Module SolinasReduction. Qed. Theorem eval_square_no_reduce (p : list Z) : - eval weight 8 (square_no_reduce base p) = (eval weight 4 p) * (eval weight 4 p). - Proof using base_nz wprops. + eval weight (2 * n) (square_no_reduce base n p) = (eval weight n p) * (eval weight n p). + Proof using base_nz wprops n_gt_1. rewrite <-eval_mul_no_reduce with (base:=base) by lia. cbv [square_no_reduce]. break_match. + rewrite Nat.eqb_eq in Heqb. + rewrite Heqb. assert (exists p1 p2 p3 p4, p = p1 :: p2 :: p3 :: p4 :: nil). - { rewrite Nat.eqb_eq in Heqb. - repeat (destruct p; [cbn in Heqb; lia|]). - destruct p; [| cbn in Heqb; lia]. + { repeat (destruct p; [cbn in Heqb0; lia|]). + destruct p; [| cbn in Heqb0; lia]. eauto. } destruct H; destruct H; destruct H; destruct H. @@ -2380,8 +2455,8 @@ Module SolinasReduction. intros; eapply Rows.length_from_associational; eassumption | _ => auto end. - rewrite H in Heqb0. - rewrite Heqb0 in Heqb1. + rewrite H in Heqb1. + rewrite Heqb1 in Heqb2. lia. repeat match goal with | H : In _ (_ :: _) |- _ => 
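Review bot: The proofs of `eval_square_no_reduce` and, in the next hunk, `length_square_no_reduce` depend on the auto-generated names `Heqb`, `Heqb0`, `Heqb1`, `Heqb2` that `break_match` assigns; adding the `n =? 4` test shifted every index, which is why this hunk and the `-2380` hunk rewrite `Heqb0 → Heqb1` and `Heqb1 → Heqb2` without changing the argument. Naming the case hypotheses explicitly, for instance `destruct (n =? 4)%nat eqn:Hn4; destruct (length p =? 4)%nat eqn:Hlen4` before the remaining `break_match`, would let these scripts survive the next change to the definition. Both proof bodies continue past the end of the hunk.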
@@ -2404,33 +2479,22 @@ Module SolinasReduction. | _ => eapply length_square1; eauto | _ => intuition end. - - - push. - rewrite eval_mul_no_reduce. - lia. - lia. - lia. - push. - rewrite eval_mul_no_reduce. - lia. - lia. - lia. Qed. Theorem length_square_no_reduce (p : list Z): - length (square_no_reduce base p) = 8%nat. - Proof using base_nz wprops. + length (square_no_reduce base n p) = (2 * n)%nat. + Proof using base_nz wprops n_gt_1. cbv [square_no_reduce]. break_match. + rewrite Nat.eqb_eq in Heqb. assert (exists p1 p2 p3 p4, p = p1 :: p2 :: p3 :: p4 :: nil). - { rewrite Nat.eqb_eq in Heqb. - repeat (destruct p; [cbn in Heqb; lia|]). - destruct p; [| cbn in Heqb; lia]. + { repeat (destruct p; [cbn in Heqb0; lia|]). + destruct p; [| cbn in Heqb0; lia]. eauto. } destruct H; destruct H; destruct H; destruct H. rewrite Rows.flatten'_correct with (n:=8%nat). push. + lia. repeat match goal with | H : In _ (_ :: _) |- _ => apply in_inv in H 
@@ -2454,51 +2518,15 @@ Module SolinasReduction. lia. rewrite H. discriminate. - push. - push. - Qed. - - Context (mod_nz : s - Associational.eval c <> 0) - (solinas_property : Rows.adjust_s weight (S (S 4)) s = (weight 4, true)) - (coef_small : weight 4 / s * Associational.eval c < up_bound). - - Lemma square_no_reduce_cps_ok {T} (f : list Z -> T) : forall p, - square_no_reduce_cps base p f = f (square_no_reduce base p). - Proof. - intros. - cbv [square_no_reduce square_no_reduce_cps]. - break_match; reflexivity. - Qed. - - Lemma squaremod_cps_ok : forall {T} p (f : list Z -> T), - squaremod_cps base s c p f = f (squaremod' base s c p). - Proof. - intros. - cbv [squaremod' squaremod_cps]. - rewrite square_no_reduce_cps_ok, reduce_full_cps_ok. - reflexivity. - Qed. - - Lemma squaremod_unfold : forall p, - squaremod' base s c p = squaremod_cps base s c p id. - Proof. - intros. - rewrite squaremod_cps_ok. - reflexivity. - Qed. - - Lemma squaremod_cps_conv : forall p, - squaremod base s c p = squaremod' base s c p. - Proof. - intros. - rewrite squaremod_unfold. - reflexivity. + apply length_mul_no_reduce; auto. + apply length_mul_no_reduce; auto. + apply length_mul_no_reduce; auto. Qed. Lemma squaremod'_correct : forall p, - Positional.eval weight 4 (squaremod' base s c p) mod (s - Associational.eval c) = - (Positional.eval weight 4 p * Positional.eval weight 4 p) mod (s - Associational.eval c). - Proof using base_nz c_pos coef_small mod_nz s_pos solinas_property wprops. + Positional.eval weight n (squaremod' base s c n p) mod (s - Associational.eval c) = + (Positional.eval weight n p * Positional.eval weight n p) mod (s - Associational.eval c). + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. intros. cbv [squaremod']. rewrite <-reduce_full_correct. 
@@ -2510,9 +2538,9 @@ Module SolinasReduction. Qed. Theorem squaremod_correct : forall p , - Positional.eval weight 4 (squaremod base s c p) mod (s - Associational.eval c) = - (Positional.eval weight 4 p * Positional.eval weight 4 p) mod (s - Associational.eval c). - Proof using base_nz c_pos coef_small mod_nz s_pos solinas_property wprops. + Positional.eval weight n (squaremod base s c n p) mod (s - Associational.eval c) = + (Positional.eval weight n p * Positional.eval weight n p) mod (s - Associational.eval c). + Proof using base_nz c_pos coef_small mod_nz n_gt_1 s_pos solinas_property wprops. intros. rewrite squaremod_cps_conv. apply squaremod'_correct. diff --git a/src/COperationSpecifications.v b/src/COperationSpecifications.v index a141129214..fb8223ef12 100644 --- a/src/COperationSpecifications.v +++ b/src/COperationSpecifications.v @@ -500,11 +500,8 @@ Module SolinasReduction. (n : nat) (m : Z) (saturated_bounds : list (option zrange)) - (length_saturated_bounds : length saturated_bounds = n) - (saturated_bounds4 : list (option zrange)) - (length_saturated_bounds4 : length saturated_bounds = 4%nat). + (length_saturated_bounds : length saturated_bounds = n). Local Notation eval := (Positional.eval wt n). - Local Notation eval4 := (Positional.eval wt 4). Definition mul_correct (mul : list Z -> list Z -> list Z) := @@ -514,12 +511,12 @@ Module SolinasReduction. ((eval (mul x y)) mod m = (eval x * eval y) mod m) /\ (list_Z_bounded_by saturated_bounds (mul x y)). - Definition square_correct - (square : list Z -> list Z) := + Definition sqr_correct + (sqr : list Z -> list Z) := forall x, - list_Z_bounded_by saturated_bounds4 x -> - ((eval4 (square x)) mod m = (eval4 x * eval4 x) mod m) /\ - (list_Z_bounded_by saturated_bounds4 (square x)). + list_Z_bounded_by saturated_bounds x -> + ((eval (sqr x)) mod m = (eval x * eval x) mod m) /\ + (list_Z_bounded_by saturated_bounds (sqr x)). End __. End SolinasReduction. 
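Review bot: In the `-514` hunk the specification is renamed from `square_correct` to `sqr_correct` while the synthesized operation it specifies is still called `square` (the PushButtonSynthesis part of this patch keeps `prefix "square" square` and `Lemma square_correct`), so the spec no longer follows the `mul`/`mul_correct` pairing used in the same section. The rename was presumably needed so that the synthesis lemma `square_correct` does not clash with the spec of the same name once the module is imported; if so, a comment such as `(* named sqr_correct, not square_correct, to avoid clashing with the synthesis lemma of that name *)` above the definition records the reason, otherwise keeping `square_correct` preserves the convention.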
diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index 3565874107..75d9427ff7 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v @@ -58,6 +58,7 @@ Local Coercion Z.pos : positive >-> Z. Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *) +Local Opaque reified_square_gen. (* needed for making [autorewrite] with [Set Keyed Unification] fast *) Local Opaque expr.Interp. @@ -106,15 +107,13 @@ Section __. ; ((0 0 /\ Rows.adjust_s weight (S (S n)) s = (weight n, true) /\ - weight n / s * Associational.eval c < up_bound /\ - Rows.adjust_s weight (S (S 4)) s = (weight 4, true) /\ - weight 4 / s * Associational.eval c < up_bound. + weight n / s * Associational.eval c < up_bound. Proof using curve_good. prepare_use_curve_good (). { use_curve_good_t. } @@ -150,23 +147,16 @@ Section __. | |- ?x = _ => rewrite surjective_pairing with (p:=x) end. congruence. } - { lazymatch goal with - | |- ?x = _ => rewrite surjective_pairing with (p:=x) - end. - congruence. } Qed. - Local Notation eval4f := (eval weight 4). Local Notation evalf := (eval weight n). Local Notation weightf := weight. Local Notation notations_for_docstring := (CorrectnessStringification.dyn_context.cons - eval4f "eval4" + weightf "weight" (CorrectnessStringification.dyn_context.cons - weightf "weight" - (CorrectnessStringification.dyn_context.cons - evalf "eval" - CorrectnessStringification.dyn_context.nil)))%string. + evalf "eval" + CorrectnessStringification.dyn_context.nil))%string. Local Notation "'docstring_with_summary_from_lemma!' summary correctness" := (docstring_with_summary_from_lemma_with_ctx! notations_for_docstring 
@@ -193,9 +183,10 @@ Section __. (reified_square_gen @ GallinaReify.Reify base @ GallinaReify.Reify s - @ GallinaReify.Reify c) - (Some bounds4, tt) - (Some bounds4). + @ GallinaReify.Reify c + @ GallinaReify.Reify n) + (Some boundsn, tt) + (Some boundsn). Definition smul (prefix : string) : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _)) @@ -213,7 +204,7 @@ Section __. machine_wordsize prefix "square" square (docstring_with_summary_from_lemma! (fun fname : string => [text_before_function_name ++ fname ++ " squares a field element."]%string) - (square_correct weightf m bounds4)). + (sqr_correct weightf n m boundsn)). Local Ltac solve_extra_bounds_side_conditions := cbn [lower upper fst snd] in *; Bool.split_andb; Z.ltb_to_lt; lia. @@ -241,16 +232,16 @@ Section __. Lemma square_correct res (Hres : square = Success res) - : square_correct weight m boundsn (Interp res). + : sqr_correct weight n m boundsn (Interp res). Proof using curve_good. prove_correctness (). - cbv [evalf weightf eval4f weight up_bound] in *. + cbv [evalf weightf weight up_bound] in *. match goal with | H : machine_wordsize = _ |- _ => rewrite H in * end. apply (fun pf => @SolinasReduction.SolinasReduction.squaremod_correct (@wprops _ _ pf)); auto; lia. - Admitted. + Qed. Lemma Wf_square res (Hres : square = Success res) : Wf res. Proof using Type. prove_pipeline_wf (). Qed. diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v index af924f79cd..be48114656 100644 --- a/src/SlowPrimeSynthesisExamples.v +++ b/src/SlowPrimeSynthesisExamples.v @@ -70,6 +70,7 @@ Module debugging_solinas_reduction. Import Associational. Import Positional. + Import SolinasReduction. End __. 
@@ -83,13 +84,6 @@ Module debugging_solinas_reduction. Let w : nat -> Z := weight machine_wordsize 1. Let base : Z := 2 ^ machine_wordsize. - Let p := [2^64-1; 2^64-1; 2^64-1; 2^64-1]. - Compute (square_no_reduce base p). - Compute (mul_no_reduce base 4 p p). - Let p' := [100; 200; 300; 400]. - Compute (square_no_reduce base p'). - Compute (mul_no_reduce base 4 p' p'). - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. Let bound' := Some r[0 ~> (2^machine_wordsize +39)]%zrange. Let boundsn : list (ZRange.type.option.interp base.type.Z) @@ -119,25 +113,25 @@ Module debugging_solinas_reduction. possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (square_no_reduce base) in + let r := Reify (SolinasReduction.mulmod base s c n) in exact r) (fun _ _ => []) - (Some (repeat bound (4)), tt) - (Some (repeat bound (8))) - (None, tt) + (Some (repeat bound n), (Some (repeat bound n), tt)) + (Some (repeat bound n)) + (None, (None, tt)) (None) : Pipeline.ErrorT _). Time Compute Show.show (Pipeline.BoundsPipelineToString - "fiat" "mul" + "fiat" "sqr" false false possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (squaremod base s c) in + let r := Reify (SolinasReduction.squaremod base s c n) in exact r) (fun _ _ => []) (Some (repeat bound n), tt) From 621bae46beffc979d715ca7bd527873f1e6d3bba Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Mon, 7 Nov 2022 15:47:15 -0500 Subject: [PATCH 62/69] finish proof of reduce3 --- src/Arithmetic/SolinasReduction.v | 504 +++++++++++++++++++++--------- 1 file changed, 355 insertions(+), 149 deletions(-) diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index cef7d77854..80cfcb39f0 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v 
@@ -1181,6 +1181,19 @@ Module SolinasReduction. end. Qed. + Lemma weight_dif_lt : forall n m a, + (n < m)%nat -> + a < weight (S n) - weight n -> + a < weight (S m) - weight m. + Proof. + intros n m a H H0. + induction H. + etransitivity; [| apply weight_dif_mono']. + auto. + etransitivity; [| apply weight_dif_mono']. + auto. + Qed. + Section mulmod. Context (base : Z) @@ -1434,7 +1447,7 @@ Module SolinasReduction. m = n -> length p = S m -> nth_default 0 p n <= 1 -> - weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n -> + (weight n / s * Associational.eval c) * (nth_default 0 p n) + eval weight n (firstn n p) < weight n -> let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in let coef := Associational.sat_mul_const base [(1, s'/s)] c in eval weight m (reduce1 base s c (S m) m p) = @@ -1455,10 +1468,7 @@ Module SolinasReduction. push. break_match. - push. - rewrite Z.mod_small. - reflexivity. - solve_ineq. + assert (0 <= nth_default 0 p n). apply is_bounded_by_nth with (n:=n) in Heqb. etransitivity. 2: apply Heqb. @@ -1467,20 +1477,16 @@ Module SolinasReduction. reflexivity. lia. push. + + push. + rewrite Z.mod_small. + reflexivity. + solve_ineq. rewrite <-firstn_skipn with (l:=p) (n:=n) in Heqb. replace (S n) with (n + 1)%nat in Heqb by lia. rewrite repeat_app in Heqb. solve_ibb. - le_lt. - etransitivity. - solve_ineq. - apply Z.mul_le_mono_nonneg_l. - solve_ineq. - eauto. - apply Z.le_refl. - le_lt. - push. - + auto. push. rewrite <-Z_div_mod_eq_full. all: push; lia. @@ -1490,7 +1496,7 @@ Module SolinasReduction. m = n -> length p = S m -> nth_default 0 p n <= 1 -> - weight n / s * Associational.eval c + eval weight n (firstn n p) < weight n -> + (weight n / s * Associational.eval c) * (nth_default 0 p n) + eval weight n (firstn n p) < weight n -> let s' := fst (Saturated.Rows.adjust_s weight (S (S n)) s) in let coef := Associational.sat_mul_const base [(1, s'/s)] c in let q := reduce1 base s c (S m) m p in 
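Review bot: The two goals produced by `induction H` in `weight_dif_lt` are closed by identical scripts, so the proof reads better and survives goal-shape changes as `induction H; (etransitivity; [| apply weight_dif_mono']); auto.` The lemma has no comment saying what it is for; I would add `(* The gap weight (S m) - weight m is monotone in m: a bound below the gap at n holds at every m > n. *)` above it. `intros n m a H H0` names a hypothesis that appears to be consumed only by `auto`, so `intros n m a H ?` would make the intent explicit.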
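Review bot: The strengthened side condition `(weight n / s * Associational.eval c) * (nth_default 0 p n) + eval weight n (firstn n p) < weight n` is spelled out verbatim here and again in the hunk at `@@ -1490,7 +1496,7 @@`; naming it once (a `Definition` or section `Let` for the reduce1 precondition) would keep the two lemma statements and their callers from drifting apart. The condition multiplies by `nth_default 0 p n`, which the preceding `nth_default 0 p n <= 1` bounds only from above, so nonnegativity has to be recovered inside the proofs, which the hunk at `@@ -1455,10 +1468,7 @@` does with `assert (0 <= nth_default 0 p n).`; a short comment at the hypothesis saying that the digit is 0 or 1 would explain why the product form is sound. Both lemma statements start before their hunks and continue past them.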
@@ -1549,112 +1555,209 @@ Module SolinasReduction. push. Qed. - Lemma eval_reduce3 : forall p m, - (m = n)%nat -> - length p = S m -> - let q := reduce3 base s c m p in - (Positional.eval weight (S m) p) mod (s - Associational.eval c) - = (Positional.eval weight m q) mod (s - Associational.eval c). + Lemma eval_reduce3 : forall p, + canonical_repr (S n) p -> + (nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1 /\ nth_default 0 p 0 < up_bound * up_bound + 1) \/ nth_default 0 p n = 0 -> + let q := reduce3 base s c n p in + (Positional.eval weight (S n) p) mod (s - Associational.eval c) + = (Positional.eval weight n q) mod (s - Associational.eval c). Proof. - intros p m H. intros. - rewrite eval_reduce1' with (m:=m%nat). + rewrite eval_reduce1'. rewrite value_reduce1'. rewrite solinas_property. - rewrite H. push. const_simpl. cbv [q reduce3 Let_In]. + assert (Hcanon := H). + unfold canonical_repr in Hcanon. + destruct Hcanon. break_match. - push. - cbv [Z.add_get_carry Z.add_with_get_carry Z.add_with_carry Z.get_carry Let_In]. - push. - - match goal with - | H : context[is_bounded_by _ _] |- _ => pose proof (is_bounded_by_nth m _ _ H) as Hnth - end. - push' Hnth. - specialize (Hnth ltac:(lia) ltac:(lia)). - rewrite nth_default_app in Hnth. - push' Hnth. - destruct lt_dec eqn:E. - lia. - simpl in Hnth. - rewrite H in Hnth. - rewrite H. + (* bounded *) + pose proof (is_bounded_by_nth 0 _ _ Heqb ltac:(lia)) . + specialize (H3 ltac:(push; try lia)). + rewrite nth_default_app in H3. + destruct (lt_dec 0 (Datatypes.length (repeat (0, 2 ^ machine_wordsize - 1) n))). + rewrite nth_default_repeat in H3. + destruct (dec (0 < n)%nat). + push' H3. + cbv [Z.add_get_carry Z.add_with_get_carry Z.add_with_carry Z.get_carry Let_In Z.zselect]. + rewrite solinas_property. + push. rewrite <-firstn_skipn with (l:=(firstn n p)) (n:=1%nat) at 1. rewrite firstn_firstn. rewrite firstn_nth_default_0. - repeat f_equal. - apply is_bounded_by_nth with (n:=0%nat) in Heqb. 
- rewrite nth_default_app in Heqb. - rewrite nth_default_repeat in Heqb. - push' Heqb. - destruct (lt_dec); try lia. - destruct dec; try lia. - push' Heqb. - - assert (nth_default 0 p n = 0 \/ nth_default 0 p n = 1) by lia. intuition. - match goal with - | H : nth_default _ _ _ = _ |- _ => rewrite H - end. + (* nth_default 0 p n = 1 *) + rewrite H3. + break_match; [lia|]. push. - repeat f_equal. - rewrite Z.mod_small; lia. - match goal with - | H : nth_default _ _ _ = _ |- _ => rewrite H - end. - push. - cbv [Z.zselect]. - destruct (1 =? 0) eqn:E1. + f_equal. + rewrite Z.mod_small. + cbv [eval to_associational]. + destruct n eqn:E1. lia. - rewrite solinas_property. + cbn [seq map]. + replace (weight 0 :: map weight (seq 1 n0)) with ([weight 0] ++ map weight (seq 1 n0)) by auto. + rewrite !combine_app_samelength. + cbn [combine]. + rewrite !eval_app. push. - unfold weight. - erewrite uweight_eval_app with (n:=1%nat). - erewrite uweight_eval_app with (n:=1%nat). - fold weight. + lia. + cbn; lia. + cbn; lia. + solve_ineq. + etransitivity. + apply Z.add_lt_mono. + eauto. + eauto. + cbv [up_bound]; weight_comp; simpl; lia. + + (* nth_default 0 p n = 0 *) + rewrite H3. + break_match; [| lia]. push. - rewrite min_l; try lia. - rewrite Z.add_assoc. f_equal. rewrite Z.mod_small. lia. - (* solve_ineq. *) - (* etransitivity. *) - (* Search (_ + _ < _). *) - - admit. + solve_ineq. lia. - push. - push; lia. lia. - push. - push; lia. lia. - push; lia. + intuition. + push' n0. lia. + push' n0. lia. - rewrite H. + (* not bounded *) rewrite solinas_property. push. push; lia. push; lia. - lia. + solve_length p. lia. - admit. - admit. + + intuition. + { rewrite H1. + rewrite <-firstn_skipn with (n:=(n-1)%nat) (l:=firstn n p). + rewrite firstn_firstn by lia. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + rewrite nth_default_firstn. + destruct le_dec. + destruct lt_dec; [| lia]. + rewrite H0. + cbv [eval to_associational]. + destruct n eqn:E; [lia|]. 
+ rewrite seq_snoc. + rewrite map_app, combine_app_samelength. + rewrite eval_app. + push. + pose proof (firstn_skipn n0 p). + symmetry in H2. + canonical_app p. + push' Hcanon_l. + rewrite min_l in Hcanon_l by lia. + pose proof (canonical_eval_bounded n0 (firstn n0 p) ltac:(auto)). + etransitivity. + cbv [eval to_associational] in H4. + replace (S n0 - 1)%nat with (n0) by lia. + apply Z.add_lt_le_mono. + eauto. + le_lt; eauto. + cbv [up_bound]. + rewrite Z.add_sub_assoc. + rewrite Z.add_sub_swap. + rewrite Z.lt_add_lt_sub_r. + apply weight_dif_lt with (n:=0%nat). + lia. + weight_comp; simpl; lia. + push. + lia. + push. + intuition. + exfalso. + apply n0. + unfold canonical_repr in H. + lia. + push. + lia. + push. + unfold canonical_repr in H. + lia. } + rewrite H1. + ring_simplify. + pose proof (firstn_skipn n p). + symmetry in H0. + canonical_app p. + push' Hcanon_l. + rewrite min_l in Hcanon_l; [|solve_length p]. + apply canonical_eval_bounded; auto. lia. + solve_length p. lia. - admit. - admit. - Admitted. + intuition. + { rewrite H1. + rewrite <-firstn_skipn with (n:=(n-1)%nat) (l:=firstn n p). + rewrite firstn_firstn by lia. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + rewrite nth_default_firstn. + destruct le_dec. + destruct lt_dec; [| lia]. + rewrite H0. + cbv [eval to_associational]. + destruct n eqn:E; [lia|]. + rewrite seq_snoc. + rewrite map_app, combine_app_samelength. + rewrite eval_app. + push. + pose proof (firstn_skipn n0 p). + symmetry in H2. + canonical_app p. + push' Hcanon_l. + rewrite min_l in Hcanon_l by lia. + pose proof (canonical_eval_bounded n0 (firstn n0 p) ltac:(auto)). + etransitivity. + cbv [eval to_associational] in H4. + replace (S n0 - 1)%nat with (n0) by lia. + apply Z.add_lt_le_mono. + eauto. + le_lt; eauto. + cbv [up_bound]. + rewrite Z.add_sub_assoc. + rewrite Z.add_sub_swap. + rewrite Z.lt_add_lt_sub_r. + apply weight_dif_lt with (n:=0%nat). + lia. + weight_comp; simpl; lia. + push. + lia. + push. 
+ intuition. + exfalso. + apply n0. + unfold canonical_repr in H. + lia. + push. + lia. + push. + unfold canonical_repr in H. + lia. } + rewrite H1. + ring_simplify. + pose proof (firstn_skipn n p). + symmetry in H0. + canonical_app p. + push' Hcanon_l. + rewrite min_l in Hcanon_l; [|solve_length p]. + apply canonical_eval_bounded; auto. + Qed. (* END SECTION REDUCE3 *) @@ -1744,12 +1847,26 @@ Module SolinasReduction. weight_comp; cbn; lia. Qed. + Lemma up_bound_weight1 : forall m, + (m > 1)%nat -> + up_bound * weight 1 < weight (S m) - weight m. + Proof. + intros m H. + induction H. + cbv [up_bound]. + weight_comp; try lia. + simpl; break_match; lia. + etransitivity. + 2: apply weight_dif_mono'. + auto. + Qed. + Hint Rewrite nth_default_partition : push_misc. Lemma reduce_second_bounds : forall p, canonical_repr (S n) p -> (nth_default 0 p n) < up_bound -> let q := reduce1 base s c (S n) (S n) p in - (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1 (* /\ nth_default 0 q 0 < up_bound *)) \/ + (nth_default 0 q (n-1) = 0 /\ nth_default 0 q n = 1 /\ nth_default 0 q 0 < up_bound * up_bound + 1) \/ nth_default 0 q n = 0. Proof using base_nz c_pos coef_small n_gt_1 s_pos solinas_property wprops. intros p ? ? q. 
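Review bot: The new proof of `eval_reduce3` contains the same subproof twice, from `{ rewrite H1. rewrite <-firstn_skipn with (n:=(n-1)%nat) (l:=firstn n p).` through `apply canonical_eval_bounded; auto.`, presumably once per side condition generated by the `rewrite eval_reduce1'` / `rewrite value_reduce1'` steps; factoring it into a lemma bounding `eval weight n (firstn n p)` under the `nth_default 0 p (n-1) = 0` hypothesis, or at least a local `Ltac`, would halve the script and make the two copies impossible to diverge. The script also leans on auto-generated names (`H0` … `H4`, `n0`, `E1`), which break silently when the hypothesis order upstream changes; `destruct Hcanon as [Hlen Hpart]` and named `intros` would make it robust. A one-line comment before each `intuition.` naming which side condition the following block discharges would make the goal order followable. Replacing `Admitted` with `Qed` is the substantive change here, since it removes an unproven assumption from the correctness chain of the generated reduction.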
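Review bot: `up_bound_weight1` performs `induction H` on `(m > 1)%nat`, which only works because `gt` unfolds to `le 2 m`; a comment such as `(* induction on (m > 1)%nat, i.e. le 2 m; the step case is weight_dif_mono' *)` would save the next reader a detour. The conjunct added to `reduce_second_bounds`, `nth_default 0 q 0 < up_bound * up_bound + 1`, is discharged in the proof body, which continues outside this hunk.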
@@ -1893,70 +2010,149 @@ Module SolinasReduction. auto. lia. - (* destruct Hcanonq as [ _ Hpartq]. *) - (* rewrite Hpartq. *) - (* push. *) - (* cbv [q]. *) - (* rewrite value_reduce1. *) - (* rewrite solinas_property. *) - (* push. *) - (* const_simpl. *) - - (* assert *) - (* assert (H' : eval weight (S n) q - weight n < up_bound * up_bound + 1). *) - (* cbv [q]. *) - (* rewrite value_reduce1. *) - (* rewrite solinas_property. *) - (* push. *) - (* const_simpl. *) - (* rewrite skipn_nth_default with (d:=0). *) - (* rewrite skipn_all. *) - (* etransitivity. *) - (* apply Z.add_lt_mono_r. *) - (* apply OrdersEx.Z_as_DT.add_lt_mono. *) - (* cbv [eval to_associational]. *) - (* cbn [seq map combine]. *) - (* apply OrdersEx.Z_as_OT.mul_lt_mono_nonneg. *) - (* solve_ineq. *) - (* eauto. *) - (* push. *) - (* admit. *) - (* push. *) - (* eauto. *) - (* apply canonical_eval_bounded; auto. *) - (* rewrite <-Z.add_assoc. *) - (* rewrite Z.add_opp_diag_r. *) - (* all: try lia. *) - (* all: try (solve_length p). *) - (* const_simpl. *) - (* admit. *) - - (* destruct Hcanonq as [_ Hqpart]. *) - (* rewrite Hqpart in H'. *) - (* push' H'. *) - Qed. - - (* END SECTION REDUCE_SECOND *) - - (* SECTION REDUCE_THIRD *) - - Lemma eval_reduce_third' : forall p, - (canonical_repr (S n) p) -> - let q := reduce3 base s c n p in - ((nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1) \/ - nth_default 0 p n = 0) -> - (Positional.eval weight (S n) p) mod (s - Associational.eval c) - = (Positional.eval weight n q) mod (s - Associational.eval c). - Proof. - intros p ? q ?. - cbv [q]. - rewrite eval_reduce3. + assert (Hcanonq' := Hcanonq). + destruct Hcanonq as [ _ Hpartq]. + rewrite Hpartq. + rewrite nth_default_partition. + rewrite weight_0. + rewrite Z.div_1_r. + assert (eval weight (S n) q = eval weight n (firstn n q) + weight n). + { rewrite Hq at 1. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + rewrite eval_snoc_S. + lia. + push. + rewrite min_l. + lia. 
+ solve_length q. + solve_length q. + solve_length q. } + assert (eval weight (S n) q = weight n / s * Associational.eval c * nth_default 0 p n + eval weight n (firstn n p)). + { unfold q at 1. + rewrite value_reduce1. + rewrite solinas_property. + push. + const_simpl. + unfold eval at 1. + unfold to_associational at 1. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + cbn [seq map combine]. + push. + solve_length p. + solve_length p. + lia. + lia. + solve_length p. + const_simpl. + rewrite Z.lt_add_lt_sub_r. + apply up_bound_weight1; lia. } + rewrite H1 in H4. + apply LinearSubstitute.Z.move_R_pX in H4. + rewrite H1. + rewrite PullPush.Z.add_mod_r. + rewrite Weight.weight_multiples_full. + const_simpl. + rewrite Z.mod_small. + rewrite H4. + etransitivity. + apply Z.add_lt_mono_r. + apply Z.add_lt_mono. + apply Z.mul_lt_mono_nonneg. + solve_ineq. + eauto. + eapply canonical_bounded with (n:=S n) (p:=p). + auto. + rewrite Hp. + rewrite nth_default_app. + break_match. + push' H5. + rewrite min_l in H5. + lia. + lia. + push. + rewrite min_l. + rewrite Nat.sub_diag. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + apply in_or_app. + right. + push. + solve_length p. + solve_length p. + solve_length p. + eauto. + apply canonical_eval_bounded. + eauto. + lia. + solve_ineq. + apply canonical_pos; auto. + rewrite H4. + etransitivity. + apply Z.add_lt_mono_r. + apply Z.add_lt_mono. + apply Z.mul_lt_mono_nonneg. + solve_ineq. + eauto. + eapply canonical_bounded with (n:=S n) (p:=p). + auto. + rewrite Hp. + rewrite nth_default_app. + break_match. + push' H5. + rewrite min_l in H5. lia. lia. + push. + rewrite min_l. + rewrite Nat.sub_diag. + rewrite skipn_nth_default with (d:=0). + rewrite skipn_all. + apply in_or_app. + right. + push. solve_length p. + solve_length p. + solve_length p. + eauto. + apply canonical_eval_bounded. + eauto. + rewrite <-Z.add_assoc. + rewrite Z.add_opp_diag_r. + const_simpl. + cbv [up_bound]. + weight_comp. 
+ simpl; break_match; lia. + lia. + lia. + auto. + auto. + lia. + auto. + lia. Qed. - (* END SECTION REDUCE_THIRD *) + (* END SECTION REDUCE_SECOND *) + + (* (* SECTION REDUCE_THIRD *) *) + + (* Lemma eval_reduce_third' : forall p, *) + (* (canonical_repr (S n) p) -> *) + (* let q := reduce3 base s c n p in *) + (* ((nth_default 0 p (n-1) = 0 /\ nth_default 0 q n = 1 /\ nth_default 0 q 0 < up_bound * up_bound + 1) \/ nth_default 0 q n = 0) -> *) + (* (Positional.eval weight (S n) p) mod (s - Associational.eval c) *) + (* = (Positional.eval weight n q) mod (s - Associational.eval c). *) + (* Proof. *) + (* intros p ? q ?. *) + (* cbv [q]. *) + (* rewrite eval_reduce3. *) + (* lia. *) + (* lia. *) + (* solve_length p. *) + (* Qed. *) + + (* (* END SECTION REDUCE_THIRD *) *) (* SECTION REDUCE_FULL] *) Theorem reduce_full_correct : forall (p : list Z), @@ -2006,11 +2202,21 @@ Module SolinasReduction. weight_comp; cbn; break_match; lia. autounfold. replace (S n) with (n+1)%nat. - rewrite repeat_app. - push. cbn. - apply bounds_same. + const_simpl. + replace (n+1)%nat with (S n) by lia. + lia. lia. + cbv [fold_andb_map' dual_map]. + cbn [repeat]. + rewrite repeat_cons. + rewrite combine_app_samelength. + rewrite map_app. + rewrite fold_right_app. + cbn. + pose proof (bounds_same (repeat (0, 18446744073709551615) n)). + auto. + auto. (* not canonical *) rewrite eval_reduce1 with (m2:=S n). From 97c7898bed589ee0cd7f3a4166e64cb1f3dec87b Mon Sep 17 00:00:00 2001 
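Review bot: `eval_reduce_third'` is commented out rather than deleted, and the commented statement differs from the removed one: it now mixes `p` and `q` (`nth_default 0 p (n-1) = 0 /\ nth_default 0 q n = 1 /\ nth_default 0 q 0 < ...`) where the removed version used `p` throughout, so reviving it would yield a different lemma. Since `eval_reduce3` now states the result directly, deleting the block (history keeps it) is cleaner than leaving a stale copy. In the completed `reduce_second_bounds` proof, the stretch from `etransitivity. apply Z.add_lt_mono_r. apply Z.add_lt_mono. apply Z.mul_lt_mono_nonneg.` through `apply canonical_eval_bounded. eauto.` appears twice; a small lemma bounding `weight n / s * Associational.eval c * nth_default 0 p n + eval weight n (firstn n p)` would remove the duplication, and naming the hypotheses now referred to as `H1`, `H4`, `H5` would keep it from breaking on unrelated edits. `reduce_second_bounds` begins before this hunk.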
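Review bot: `pose proof (bounds_same (repeat (0, 18446744073709551615) n)).` hard-codes 2^64 - 1 into the proof of `reduce_full_correct`, whereas the rest of the file writes the bound as `2 ^ machine_wordsize - 1` (see `repeat (0, 2 ^ machine_wordsize - 1) n` in the `eval_reduce3` proof); if `machine_wordsize` is ever generalized this step stops matching. If the preceding `cbn` has not already reduced the goal to the literal, `pose proof (bounds_same (repeat (0, 2 ^ machine_wordsize - 1) n)).` keeps the proof independent of the concrete width; otherwise a comment explaining that the literal is the evaluated bound would help. The theorem's proof starts before this hunk and continues after `rewrite eval_reduce1 with (m2:=S n).`.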
From: Samuel Tian Date: Mon, 7 Nov 2022 18:51:37 -0500 Subject: [PATCH 63/69] generate assembly for parallel multiplication, still need to feed proofs through CLI --- Makefile.examples | 2 +- fiat-c/src/curve25519_solinas_64.c | 438 +- .../64/curve25519solinas/curve25519solinas.go | 412 +- fiat-json/src/curve25519_solinas_64.json | 6296 +++++++++++++++++ fiat-rust/src/curve25519_solinas_64.rs | 423 +- fiat-zig/src/curve25519_solinas_64.zig | 424 +- src/Arithmetic/SolinasReduction.v | 53 + src/COperationSpecifications.v | 10 + src/PushButtonSynthesis/SolinasReduction.v | 37 +- .../SolinasReductionReificationCache.v | 67 +- src/SlowPrimeSynthesisExamples.v | 18 + 11 files changed, 8141 insertions(+), 39 deletions(-) diff --git a/Makefile.examples b/Makefile.examples index 44adbe3865..9abc81759a 100644 --- a/Makefile.examples +++ b/Makefile.examples @@ -87,7 +87,7 @@ endef UNSATURATED_SOLINAS_FUNCTIONS := carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax FUNCTIONS_FOR_25519 := $(UNSATURATED_SOLINAS_FUNCTIONS) carry_scmul121666 WORD_BY_WORD_MONTGOMERY_FUNCTIONS := mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp -SOLINAS_REDUCTION_FUNCTIONS := mul square +SOLINAS_REDUCTION_FUNCTIONS := mul mul2 square UNSATURATED_SOLINAS := src/ExtractionOCaml/unsaturated_solinas WORD_BY_WORD_MONTGOMERY := src/ExtractionOCaml/word_by_word_montgomery SOLINAS_REDUCTION := src/ExtractionOCaml/solinas_reduction diff --git a/fiat-c/src/curve25519_solinas_64.c b/fiat-c/src/curve25519_solinas_64.c index b56ef7cf3f..824bd80b78 100644 --- a/fiat-c/src/curve25519_solinas_64.c +++ b/fiat-c/src/curve25519_solinas_64.c 
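Review bot: `mul2` is added to `SOLINAS_REDUCTION_FUNCTIONS`, which emits it into every fiat-c/fiat-go/fiat-rust/fiat-zig output in this patch, while the commit description says its proofs have not yet been fed through the CLI; the generated files therefore appear to carry a "Postconditions" header that is not yet backed by a checked correctness lemma. Consider keeping `mul2` out of the list, or marking it in `Makefile.examples` with a comment such as `# mul2: generated, correctness proof not yet wired through the CLI`, until the proof lands, so downstream users cannot pick up an unverified routine from a directory that is otherwise fully verified. The generated documentation string "multiplies two field elements" also undersells the function, which takes two pairs and produces two products; its source is presumably the docstring in `src/PushButtonSynthesis/SolinasReduction.v`, which is in the diffstat but not in view.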
@@ -1,7 +1,7 @@ -/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mul square */ +/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mul mul2 square */ /* curve description: curve25519_solinas */ /* machine_wordsize = 64 (from "64") */ -/* requested operations: mul, square */ +/* requested operations: mul, mul2, square */ /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* */ /* Computed values: */ 
@@ -356,6 +356,440 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint out1[3] = x128; } +/* + * The function fiat_curve25519_solinas_mul2 multiplies two field elements. + * + * Postconditions: + * eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 + * eval out2 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg3 * eval arg4) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 + * + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul2(uint64_t out1[4], uint64_t out2[4], const uint64_t arg1[4], const uint64_t arg2[4], const uint64_t arg3[4], const uint64_t arg4[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + 
uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + fiat_curve25519_solinas_uint1 x34; + uint64_t x35; + fiat_curve25519_solinas_uint1 x36; + uint64_t x37; + uint64_t x38; + fiat_curve25519_solinas_uint1 x39; + uint64_t x40; + fiat_curve25519_solinas_uint1 x41; + uint64_t x42; + fiat_curve25519_solinas_uint1 x43; + uint64_t x44; + uint64_t x45; + fiat_curve25519_solinas_uint1 x46; + uint64_t x47; + fiat_curve25519_solinas_uint1 x48; + uint64_t x49; + fiat_curve25519_solinas_uint1 x50; + uint64_t x51; + fiat_curve25519_solinas_uint1 x52; + uint64_t x53; + fiat_curve25519_solinas_uint1 x54; + uint64_t x55; + uint64_t x56; + fiat_curve25519_solinas_uint1 x57; + uint64_t x58; + fiat_curve25519_solinas_uint1 x59; + uint64_t x60; + fiat_curve25519_solinas_uint1 x61; + uint64_t x62; + fiat_curve25519_solinas_uint1 x63; + uint64_t x64; + fiat_curve25519_solinas_uint1 x65; + uint64_t x66; + fiat_curve25519_solinas_uint1 x67; + uint64_t x68; + fiat_curve25519_solinas_uint1 x69; + uint64_t x70; + fiat_curve25519_solinas_uint1 x71; + uint64_t x72; + fiat_curve25519_solinas_uint1 x73; + uint64_t x74; + fiat_curve25519_solinas_uint1 x75; + uint64_t x76; + fiat_curve25519_solinas_uint1 x77; + uint64_t x78; + fiat_curve25519_solinas_uint1 x79; + uint64_t x80; + fiat_curve25519_solinas_uint1 x81; + uint64_t x82; + fiat_curve25519_solinas_uint1 x83; + uint64_t x84; + fiat_curve25519_solinas_uint1 x85; + uint64_t x86; + fiat_curve25519_solinas_uint1 x87; + uint64_t x88; + fiat_curve25519_solinas_uint1 x89; + uint64_t x90; + fiat_curve25519_solinas_uint1 x91; + uint64_t x92; + fiat_curve25519_solinas_uint1 x93; + uint64_t x94; + fiat_curve25519_solinas_uint1 x95; + uint64_t x96; + uint64_t x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint64_t x105; + uint64_t x106; + uint64_t x107; + 
uint64_t x108; + uint64_t x109; + uint64_t x110; + uint64_t x111; + uint64_t x112; + uint64_t x113; + uint64_t x114; + uint64_t x115; + uint64_t x116; + uint64_t x117; + uint64_t x118; + uint64_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + uint64_t x126; + uint64_t x127; + uint64_t x128; + fiat_curve25519_solinas_uint1 x129; + uint64_t x130; + fiat_curve25519_solinas_uint1 x131; + uint64_t x132; + uint64_t x133; + fiat_curve25519_solinas_uint1 x134; + uint64_t x135; + fiat_curve25519_solinas_uint1 x136; + uint64_t x137; + fiat_curve25519_solinas_uint1 x138; + uint64_t x139; + uint64_t x140; + fiat_curve25519_solinas_uint1 x141; + uint64_t x142; + fiat_curve25519_solinas_uint1 x143; + uint64_t x144; + fiat_curve25519_solinas_uint1 x145; + uint64_t x146; + fiat_curve25519_solinas_uint1 x147; + uint64_t x148; + fiat_curve25519_solinas_uint1 x149; + uint64_t x150; + uint64_t x151; + fiat_curve25519_solinas_uint1 x152; + uint64_t x153; + fiat_curve25519_solinas_uint1 x154; + uint64_t x155; + fiat_curve25519_solinas_uint1 x156; + uint64_t x157; + fiat_curve25519_solinas_uint1 x158; + uint64_t x159; + fiat_curve25519_solinas_uint1 x160; + uint64_t x161; + fiat_curve25519_solinas_uint1 x162; + uint64_t x163; + fiat_curve25519_solinas_uint1 x164; + uint64_t x165; + fiat_curve25519_solinas_uint1 x166; + uint64_t x167; + fiat_curve25519_solinas_uint1 x168; + uint64_t x169; + fiat_curve25519_solinas_uint1 x170; + uint64_t x171; + fiat_curve25519_solinas_uint1 x172; + uint64_t x173; + fiat_curve25519_solinas_uint1 x174; + uint64_t x175; + fiat_curve25519_solinas_uint1 x176; + uint64_t x177; + fiat_curve25519_solinas_uint1 x178; + uint64_t x179; + fiat_curve25519_solinas_uint1 x180; + uint64_t x181; + fiat_curve25519_solinas_uint1 x182; + uint64_t x183; + fiat_curve25519_solinas_uint1 x184; + uint64_t x185; + fiat_curve25519_solinas_uint1 x186; + uint64_t x187; + fiat_curve25519_solinas_uint1 x188; + uint64_t 
x189; + fiat_curve25519_solinas_uint1 x190; + uint64_t x191; + uint64_t x192; + uint64_t x193; + uint64_t x194; + uint64_t x195; + uint64_t x196; + uint64_t x197; + fiat_curve25519_solinas_uint1 x198; + uint64_t x199; + fiat_curve25519_solinas_uint1 x200; + uint64_t x201; + uint64_t x202; + uint64_t x203; + fiat_curve25519_solinas_uint1 x204; + uint64_t x205; + uint64_t x206; + uint64_t x207; + uint64_t x208; + fiat_curve25519_solinas_uint1 x209; + uint64_t x210; + fiat_curve25519_solinas_uint1 x211; + uint64_t x212; + fiat_curve25519_solinas_uint1 x213; + uint64_t x214; + fiat_curve25519_solinas_uint1 x215; + uint64_t x216; + uint64_t x217; + uint64_t x218; + uint64_t x219; + fiat_curve25519_solinas_uint1 x220; + uint64_t x221; + fiat_curve25519_solinas_uint1 x222; + uint64_t x223; + fiat_curve25519_solinas_uint1 x224; + uint64_t x225; + fiat_curve25519_solinas_uint1 x226; + uint64_t x227; + fiat_curve25519_solinas_uint128 x228; + uint64_t x229; + uint64_t x230; + uint64_t x231; + uint64_t x232; + uint64_t x233; + uint64_t x234; + uint64_t x235; + uint64_t x236; + uint64_t x237; + uint64_t x238; + fiat_curve25519_solinas_uint1 x239; + uint64_t x240; + fiat_curve25519_solinas_uint1 x241; + uint64_t x242; + fiat_curve25519_solinas_uint1 x243; + uint64_t x244; + uint64_t x245; + fiat_curve25519_solinas_uint1 x246; + uint64_t x247; + fiat_curve25519_solinas_uint1 x248; + uint64_t x249; + fiat_curve25519_solinas_uint1 x250; + uint64_t x251; + fiat_curve25519_solinas_uint1 x252; + uint64_t x253; + uint64_t x254; + uint64_t x255; + uint64_t x256; + fiat_curve25519_solinas_uint1 x257; + uint64_t x258; + fiat_curve25519_solinas_uint1 x259; + uint64_t x260; + fiat_curve25519_solinas_uint1 x261; + uint64_t x262; + fiat_curve25519_solinas_uint1 x263; + uint64_t x264; + fiat_curve25519_solinas_uint128 x265; + uint64_t x266; + fiat_curve25519_solinas_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); + fiat_curve25519_solinas_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); + 
fiat_curve25519_solinas_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); + fiat_curve25519_solinas_mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); + fiat_curve25519_solinas_mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); + fiat_curve25519_solinas_mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); + fiat_curve25519_solinas_mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); + fiat_curve25519_solinas_mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); + fiat_curve25519_solinas_mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); + fiat_curve25519_solinas_mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); + fiat_curve25519_solinas_mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); + fiat_curve25519_solinas_mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); + fiat_curve25519_solinas_mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); + fiat_curve25519_solinas_mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); + fiat_curve25519_solinas_mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); + fiat_curve25519_solinas_mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); + fiat_curve25519_solinas_addcarryx_u64(&x33, &x34, 0x0, x28, x7); + fiat_curve25519_solinas_addcarryx_u64(&x35, &x36, x34, x26, x5); + x37 = (x36 + x18); + fiat_curve25519_solinas_addcarryx_u64(&x38, &x39, 0x0, x33, x13); + fiat_curve25519_solinas_addcarryx_u64(&x40, &x41, x39, x35, x8); + fiat_curve25519_solinas_addcarryx_u64(&x42, &x43, x41, x37, 0x0); + x44 = (x43 + x10); + fiat_curve25519_solinas_addcarryx_u64(&x45, &x46, 0x0, x30, x15); + fiat_curve25519_solinas_addcarryx_u64(&x47, &x48, x46, x38, x16); + fiat_curve25519_solinas_addcarryx_u64(&x49, &x50, x48, x40, x11); + fiat_curve25519_solinas_addcarryx_u64(&x51, &x52, x50, x42, x3); + fiat_curve25519_solinas_addcarryx_u64(&x53, &x54, x52, x44, 0x0); + x55 = (x54 + x2); + fiat_curve25519_solinas_addcarryx_u64(&x56, &x57, 0x0, x45, x21); + fiat_curve25519_solinas_addcarryx_u64(&x58, &x59, x57, x47, x19); + fiat_curve25519_solinas_addcarryx_u64(&x60, &x61, x59, x49, x14); + fiat_curve25519_solinas_addcarryx_u64(&x62, &x63, x61, x51, x6); + 
fiat_curve25519_solinas_addcarryx_u64(&x64, &x65, x63, x53, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x66, &x67, x65, x55, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x68, &x69, 0x0, x32, x23); + fiat_curve25519_solinas_addcarryx_u64(&x70, &x71, x69, x56, x24); + fiat_curve25519_solinas_addcarryx_u64(&x72, &x73, x71, x58, x22); + fiat_curve25519_solinas_addcarryx_u64(&x74, &x75, x73, x60, x17); + fiat_curve25519_solinas_addcarryx_u64(&x76, &x77, x75, x62, x9); + fiat_curve25519_solinas_addcarryx_u64(&x78, &x79, x77, x64, x1); + fiat_curve25519_solinas_addcarryx_u64(&x80, &x81, x79, x66, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x82, &x83, 0x0, x68, x29); + fiat_curve25519_solinas_addcarryx_u64(&x84, &x85, x83, x70, x27); + fiat_curve25519_solinas_addcarryx_u64(&x86, &x87, x85, x72, x25); + fiat_curve25519_solinas_addcarryx_u64(&x88, &x89, x87, x74, x20); + fiat_curve25519_solinas_addcarryx_u64(&x90, &x91, x89, x76, x12); + fiat_curve25519_solinas_addcarryx_u64(&x92, &x93, x91, x78, x4); + fiat_curve25519_solinas_addcarryx_u64(&x94, &x95, x93, x80, 0x0); + fiat_curve25519_solinas_mulx_u64(&x96, &x97, (arg3[3]), (arg4[3])); + fiat_curve25519_solinas_mulx_u64(&x98, &x99, (arg3[3]), (arg4[2])); + fiat_curve25519_solinas_mulx_u64(&x100, &x101, (arg3[3]), (arg4[1])); + fiat_curve25519_solinas_mulx_u64(&x102, &x103, (arg3[3]), (arg4[0])); + fiat_curve25519_solinas_mulx_u64(&x104, &x105, (arg3[2]), (arg4[3])); + fiat_curve25519_solinas_mulx_u64(&x106, &x107, (arg3[2]), (arg4[2])); + fiat_curve25519_solinas_mulx_u64(&x108, &x109, (arg3[2]), (arg4[1])); + fiat_curve25519_solinas_mulx_u64(&x110, &x111, (arg3[2]), (arg4[0])); + fiat_curve25519_solinas_mulx_u64(&x112, &x113, (arg3[1]), (arg4[3])); + fiat_curve25519_solinas_mulx_u64(&x114, &x115, (arg3[1]), (arg4[2])); + fiat_curve25519_solinas_mulx_u64(&x116, &x117, (arg3[1]), (arg4[1])); + fiat_curve25519_solinas_mulx_u64(&x118, &x119, (arg3[1]), (arg4[0])); + fiat_curve25519_solinas_mulx_u64(&x120, &x121, 
(arg3[0]), (arg4[3])); + fiat_curve25519_solinas_mulx_u64(&x122, &x123, (arg3[0]), (arg4[2])); + fiat_curve25519_solinas_mulx_u64(&x124, &x125, (arg3[0]), (arg4[1])); + fiat_curve25519_solinas_mulx_u64(&x126, &x127, (arg3[0]), (arg4[0])); + fiat_curve25519_solinas_addcarryx_u64(&x128, &x129, 0x0, x123, x102); + fiat_curve25519_solinas_addcarryx_u64(&x130, &x131, x129, x121, x100); + x132 = (x131 + x113); + fiat_curve25519_solinas_addcarryx_u64(&x133, &x134, 0x0, x128, x108); + fiat_curve25519_solinas_addcarryx_u64(&x135, &x136, x134, x130, x103); + fiat_curve25519_solinas_addcarryx_u64(&x137, &x138, x136, x132, 0x0); + x139 = (x138 + x105); + fiat_curve25519_solinas_addcarryx_u64(&x140, &x141, 0x0, x125, x110); + fiat_curve25519_solinas_addcarryx_u64(&x142, &x143, x141, x133, x111); + fiat_curve25519_solinas_addcarryx_u64(&x144, &x145, x143, x135, x106); + fiat_curve25519_solinas_addcarryx_u64(&x146, &x147, x145, x137, x98); + fiat_curve25519_solinas_addcarryx_u64(&x148, &x149, x147, x139, 0x0); + x150 = (x149 + x97); + fiat_curve25519_solinas_addcarryx_u64(&x151, &x152, 0x0, x140, x116); + fiat_curve25519_solinas_addcarryx_u64(&x153, &x154, x152, x142, x114); + fiat_curve25519_solinas_addcarryx_u64(&x155, &x156, x154, x144, x109); + fiat_curve25519_solinas_addcarryx_u64(&x157, &x158, x156, x146, x101); + fiat_curve25519_solinas_addcarryx_u64(&x159, &x160, x158, x148, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x161, &x162, x160, x150, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x163, &x164, 0x0, x127, x118); + fiat_curve25519_solinas_addcarryx_u64(&x165, &x166, x164, x151, x119); + fiat_curve25519_solinas_addcarryx_u64(&x167, &x168, x166, x153, x117); + fiat_curve25519_solinas_addcarryx_u64(&x169, &x170, x168, x155, x112); + fiat_curve25519_solinas_addcarryx_u64(&x171, &x172, x170, x157, x104); + fiat_curve25519_solinas_addcarryx_u64(&x173, &x174, x172, x159, x96); + fiat_curve25519_solinas_addcarryx_u64(&x175, &x176, x174, x161, 0x0); + 
fiat_curve25519_solinas_addcarryx_u64(&x177, &x178, 0x0, x163, x124); + fiat_curve25519_solinas_addcarryx_u64(&x179, &x180, x178, x165, x122); + fiat_curve25519_solinas_addcarryx_u64(&x181, &x182, x180, x167, x120); + fiat_curve25519_solinas_addcarryx_u64(&x183, &x184, x182, x169, x115); + fiat_curve25519_solinas_addcarryx_u64(&x185, &x186, x184, x171, x107); + fiat_curve25519_solinas_addcarryx_u64(&x187, &x188, x186, x173, x99); + fiat_curve25519_solinas_addcarryx_u64(&x189, &x190, x188, x175, 0x0); + fiat_curve25519_solinas_mulx_u64(&x191, &x192, UINT8_C(0x26), x92); + fiat_curve25519_solinas_mulx_u64(&x193, &x194, UINT8_C(0x26), x90); + fiat_curve25519_solinas_mulx_u64(&x195, &x196, UINT8_C(0x26), x88); + fiat_curve25519_solinas_addcarryx_u64(&x197, &x198, 0x0, x82, x193); + fiat_curve25519_solinas_addcarryx_u64(&x199, &x200, x198, x84, x191); + fiat_curve25519_solinas_mulx_u64(&x201, &x202, UINT8_C(0x26), x94); + fiat_curve25519_solinas_addcarryx_u64(&x203, &x204, x200, x86, x201); + fiat_curve25519_solinas_mulx_u64(&x205, &x206, UINT8_C(0x26), x94); + x207 = (x204 + x206); + fiat_curve25519_solinas_addcarryx_u64(&x208, &x209, 0x0, x31, x195); + fiat_curve25519_solinas_addcarryx_u64(&x210, &x211, x209, x197, x196); + fiat_curve25519_solinas_addcarryx_u64(&x212, &x213, x211, x199, x194); + fiat_curve25519_solinas_addcarryx_u64(&x214, &x215, x213, x203, x192); + x216 = (x215 + x207); + fiat_curve25519_solinas_mulx_u64(&x217, &x218, UINT8_C(0x26), x216); + fiat_curve25519_solinas_addcarryx_u64(&x219, &x220, 0x0, x208, x217); + fiat_curve25519_solinas_addcarryx_u64(&x221, &x222, x220, x210, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x223, &x224, x222, x212, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x225, &x226, x224, x214, 0x0); + fiat_curve25519_solinas_cmovznz_u64(&x227, x226, 0x0, UINT8_C(0x26)); + x228 = ((fiat_curve25519_solinas_uint128)x227 + x219); + x229 = (uint64_t)(x228 & UINT64_C(0xffffffffffffffff)); + fiat_curve25519_solinas_mulx_u64(&x230, 
&x231, UINT8_C(0x26), x189); + fiat_curve25519_solinas_mulx_u64(&x232, &x233, UINT8_C(0x26), x187); + fiat_curve25519_solinas_mulx_u64(&x234, &x235, UINT8_C(0x26), x185); + fiat_curve25519_solinas_mulx_u64(&x236, &x237, UINT8_C(0x26), x183); + fiat_curve25519_solinas_addcarryx_u64(&x238, &x239, 0x0, x177, x234); + fiat_curve25519_solinas_addcarryx_u64(&x240, &x241, x239, x179, x232); + fiat_curve25519_solinas_addcarryx_u64(&x242, &x243, x241, x181, x230); + x244 = (x243 + x231); + fiat_curve25519_solinas_addcarryx_u64(&x245, &x246, 0x0, x126, x236); + fiat_curve25519_solinas_addcarryx_u64(&x247, &x248, x246, x238, x237); + fiat_curve25519_solinas_addcarryx_u64(&x249, &x250, x248, x240, x235); + fiat_curve25519_solinas_addcarryx_u64(&x251, &x252, x250, x242, x233); + x253 = (x252 + x244); + fiat_curve25519_solinas_mulx_u64(&x254, &x255, UINT8_C(0x26), x253); + fiat_curve25519_solinas_addcarryx_u64(&x256, &x257, 0x0, x245, x254); + fiat_curve25519_solinas_addcarryx_u64(&x258, &x259, x257, x247, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x260, &x261, x259, x249, 0x0); + fiat_curve25519_solinas_addcarryx_u64(&x262, &x263, x261, x251, 0x0); + fiat_curve25519_solinas_cmovznz_u64(&x264, x263, 0x0, UINT8_C(0x26)); + x265 = ((fiat_curve25519_solinas_uint128)x264 + x256); + x266 = (uint64_t)(x265 & UINT64_C(0xffffffffffffffff)); + out1[0] = x229; + out1[1] = x221; + out1[2] = x223; + out1[3] = x225; + out2[0] = x266; + out2[1] = x258; + out2[2] = x260; + out2[3] = x262; +} + /* * The function fiat_curve25519_solinas_square squares a field element. * diff --git a/fiat-go/64/curve25519solinas/curve25519solinas.go b/fiat-go/64/curve25519solinas/curve25519solinas.go index 1bf385b9cd..779664580c 100644 --- a/fiat-go/64/curve25519solinas/curve25519solinas.go +++ b/fiat-go/64/curve25519solinas/curve25519solinas.go 
@@ -1,12 +1,12 @@
 // Code generated by Fiat Cryptography. DO NOT EDIT.
 //
-// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mul square
+// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mul mul2 square
 //
 // curve description (via package name): curve25519solinas
 //
 // machine_wordsize = 64 (from "64")
 //
-// requested operations: mul, square
+// requested operations: mul, mul2, square
 //
 // s-c = 2^255 - [(1, 19)] (from "2^255 - 19")
 //
@@ -249,6 +249,414 @@ func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { out1[3] = x128 } +// Mul2 multiplies two field elements. +// +// Postconditions: +// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +// eval out2 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg3 * eval arg4) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +func Mul2(out1 *[4]uint64, out2 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64, arg3 *[4]uint64, arg4 *[4]uint64) { + var x1 uint64 + var x2 uint64 + x2, x1 = bits.Mul64(arg1[3], arg2[3]) + var x3 uint64 + var x4 uint64 + x4, x3 = bits.Mul64(arg1[3], arg2[2]) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(arg1[3], arg2[1]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(arg1[3], arg2[0]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[2], arg2[3]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(arg1[2], arg2[2]) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(arg1[2], 
arg2[1]) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(arg1[2], arg2[0]) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(arg1[1], arg2[3]) + var x19 uint64 + var x20 uint64 + x20, x19 = bits.Mul64(arg1[1], arg2[2]) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(arg1[1], arg2[1]) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(arg1[1], arg2[0]) + var x25 uint64 + var x26 uint64 + x26, x25 = bits.Mul64(arg1[0], arg2[3]) + var x27 uint64 + var x28 uint64 + x28, x27 = bits.Mul64(arg1[0], arg2[2]) + var x29 uint64 + var x30 uint64 + x30, x29 = bits.Mul64(arg1[0], arg2[1]) + var x31 uint64 + var x32 uint64 + x32, x31 = bits.Mul64(arg1[0], arg2[0]) + var x33 uint64 + var x34 uint64 + x33, x34 = bits.Add64(x28, x7, uint64(0x0)) + var x35 uint64 + var x36 uint64 + x35, x36 = bits.Add64(x26, x5, uint64(uint1(x34))) + x37 := (uint64(uint1(x36)) + x18) + var x38 uint64 + var x39 uint64 + x38, x39 = bits.Add64(x33, x13, uint64(0x0)) + var x40 uint64 + var x41 uint64 + x40, x41 = bits.Add64(x35, x8, uint64(uint1(x39))) + var x42 uint64 + var x43 uint64 + x42, x43 = bits.Add64(x37, uint64(0x0), uint64(uint1(x41))) + x44 := (uint64(uint1(x43)) + x10) + var x45 uint64 + var x46 uint64 + x45, x46 = bits.Add64(x30, x15, uint64(0x0)) + var x47 uint64 + var x48 uint64 + x47, x48 = bits.Add64(x38, x16, uint64(uint1(x46))) + var x49 uint64 + var x50 uint64 + x49, x50 = bits.Add64(x40, x11, uint64(uint1(x48))) + var x51 uint64 + var x52 uint64 + x51, x52 = bits.Add64(x42, x3, uint64(uint1(x50))) + var x53 uint64 + var x54 uint64 + x53, x54 = bits.Add64(x44, uint64(0x0), uint64(uint1(x52))) + x55 := (uint64(uint1(x54)) + x2) + var x56 uint64 + var x57 uint64 + x56, x57 = bits.Add64(x45, x21, uint64(0x0)) + var x58 uint64 + var x59 uint64 + x58, x59 = bits.Add64(x47, x19, uint64(uint1(x57))) + var x60 uint64 + var x61 uint64 + x60, x61 = bits.Add64(x49, x14, uint64(uint1(x59))) + var x62 uint64 + var x63 uint64 + x62, x63 = bits.Add64(x51, x6, 
uint64(uint1(x61))) + var x64 uint64 + var x65 uint64 + x64, x65 = bits.Add64(x53, uint64(0x0), uint64(uint1(x63))) + var x66 uint64 + x66, _ = bits.Add64(x55, uint64(0x0), uint64(uint1(x65))) + var x68 uint64 + var x69 uint64 + x68, x69 = bits.Add64(x32, x23, uint64(0x0)) + var x70 uint64 + var x71 uint64 + x70, x71 = bits.Add64(x56, x24, uint64(uint1(x69))) + var x72 uint64 + var x73 uint64 + x72, x73 = bits.Add64(x58, x22, uint64(uint1(x71))) + var x74 uint64 + var x75 uint64 + x74, x75 = bits.Add64(x60, x17, uint64(uint1(x73))) + var x76 uint64 + var x77 uint64 + x76, x77 = bits.Add64(x62, x9, uint64(uint1(x75))) + var x78 uint64 + var x79 uint64 + x78, x79 = bits.Add64(x64, x1, uint64(uint1(x77))) + var x80 uint64 + x80, _ = bits.Add64(x66, uint64(0x0), uint64(uint1(x79))) + var x82 uint64 + var x83 uint64 + x82, x83 = bits.Add64(x68, x29, uint64(0x0)) + var x84 uint64 + var x85 uint64 + x84, x85 = bits.Add64(x70, x27, uint64(uint1(x83))) + var x86 uint64 + var x87 uint64 + x86, x87 = bits.Add64(x72, x25, uint64(uint1(x85))) + var x88 uint64 + var x89 uint64 + x88, x89 = bits.Add64(x74, x20, uint64(uint1(x87))) + var x90 uint64 + var x91 uint64 + x90, x91 = bits.Add64(x76, x12, uint64(uint1(x89))) + var x92 uint64 + var x93 uint64 + x92, x93 = bits.Add64(x78, x4, uint64(uint1(x91))) + var x94 uint64 + x94, _ = bits.Add64(x80, uint64(0x0), uint64(uint1(x93))) + var x96 uint64 + var x97 uint64 + x97, x96 = bits.Mul64(arg3[3], arg4[3]) + var x98 uint64 + var x99 uint64 + x99, x98 = bits.Mul64(arg3[3], arg4[2]) + var x100 uint64 + var x101 uint64 + x101, x100 = bits.Mul64(arg3[3], arg4[1]) + var x102 uint64 + var x103 uint64 + x103, x102 = bits.Mul64(arg3[3], arg4[0]) + var x104 uint64 + var x105 uint64 + x105, x104 = bits.Mul64(arg3[2], arg4[3]) + var x106 uint64 + var x107 uint64 + x107, x106 = bits.Mul64(arg3[2], arg4[2]) + var x108 uint64 + var x109 uint64 + x109, x108 = bits.Mul64(arg3[2], arg4[1]) + var x110 uint64 + var x111 uint64 + x111, x110 = 
bits.Mul64(arg3[2], arg4[0]) + var x112 uint64 + var x113 uint64 + x113, x112 = bits.Mul64(arg3[1], arg4[3]) + var x114 uint64 + var x115 uint64 + x115, x114 = bits.Mul64(arg3[1], arg4[2]) + var x116 uint64 + var x117 uint64 + x117, x116 = bits.Mul64(arg3[1], arg4[1]) + var x118 uint64 + var x119 uint64 + x119, x118 = bits.Mul64(arg3[1], arg4[0]) + var x120 uint64 + var x121 uint64 + x121, x120 = bits.Mul64(arg3[0], arg4[3]) + var x122 uint64 + var x123 uint64 + x123, x122 = bits.Mul64(arg3[0], arg4[2]) + var x124 uint64 + var x125 uint64 + x125, x124 = bits.Mul64(arg3[0], arg4[1]) + var x126 uint64 + var x127 uint64 + x127, x126 = bits.Mul64(arg3[0], arg4[0]) + var x128 uint64 + var x129 uint64 + x128, x129 = bits.Add64(x123, x102, uint64(0x0)) + var x130 uint64 + var x131 uint64 + x130, x131 = bits.Add64(x121, x100, uint64(uint1(x129))) + x132 := (uint64(uint1(x131)) + x113) + var x133 uint64 + var x134 uint64 + x133, x134 = bits.Add64(x128, x108, uint64(0x0)) + var x135 uint64 + var x136 uint64 + x135, x136 = bits.Add64(x130, x103, uint64(uint1(x134))) + var x137 uint64 + var x138 uint64 + x137, x138 = bits.Add64(x132, uint64(0x0), uint64(uint1(x136))) + x139 := (uint64(uint1(x138)) + x105) + var x140 uint64 + var x141 uint64 + x140, x141 = bits.Add64(x125, x110, uint64(0x0)) + var x142 uint64 + var x143 uint64 + x142, x143 = bits.Add64(x133, x111, uint64(uint1(x141))) + var x144 uint64 + var x145 uint64 + x144, x145 = bits.Add64(x135, x106, uint64(uint1(x143))) + var x146 uint64 + var x147 uint64 + x146, x147 = bits.Add64(x137, x98, uint64(uint1(x145))) + var x148 uint64 + var x149 uint64 + x148, x149 = bits.Add64(x139, uint64(0x0), uint64(uint1(x147))) + x150 := (uint64(uint1(x149)) + x97) + var x151 uint64 + var x152 uint64 + x151, x152 = bits.Add64(x140, x116, uint64(0x0)) + var x153 uint64 + var x154 uint64 + x153, x154 = bits.Add64(x142, x114, uint64(uint1(x152))) + var x155 uint64 + var x156 uint64 + x155, x156 = bits.Add64(x144, x109, 
uint64(uint1(x154))) + var x157 uint64 + var x158 uint64 + x157, x158 = bits.Add64(x146, x101, uint64(uint1(x156))) + var x159 uint64 + var x160 uint64 + x159, x160 = bits.Add64(x148, uint64(0x0), uint64(uint1(x158))) + var x161 uint64 + x161, _ = bits.Add64(x150, uint64(0x0), uint64(uint1(x160))) + var x163 uint64 + var x164 uint64 + x163, x164 = bits.Add64(x127, x118, uint64(0x0)) + var x165 uint64 + var x166 uint64 + x165, x166 = bits.Add64(x151, x119, uint64(uint1(x164))) + var x167 uint64 + var x168 uint64 + x167, x168 = bits.Add64(x153, x117, uint64(uint1(x166))) + var x169 uint64 + var x170 uint64 + x169, x170 = bits.Add64(x155, x112, uint64(uint1(x168))) + var x171 uint64 + var x172 uint64 + x171, x172 = bits.Add64(x157, x104, uint64(uint1(x170))) + var x173 uint64 + var x174 uint64 + x173, x174 = bits.Add64(x159, x96, uint64(uint1(x172))) + var x175 uint64 + x175, _ = bits.Add64(x161, uint64(0x0), uint64(uint1(x174))) + var x177 uint64 + var x178 uint64 + x177, x178 = bits.Add64(x163, x124, uint64(0x0)) + var x179 uint64 + var x180 uint64 + x179, x180 = bits.Add64(x165, x122, uint64(uint1(x178))) + var x181 uint64 + var x182 uint64 + x181, x182 = bits.Add64(x167, x120, uint64(uint1(x180))) + var x183 uint64 + var x184 uint64 + x183, x184 = bits.Add64(x169, x115, uint64(uint1(x182))) + var x185 uint64 + var x186 uint64 + x185, x186 = bits.Add64(x171, x107, uint64(uint1(x184))) + var x187 uint64 + var x188 uint64 + x187, x188 = bits.Add64(x173, x99, uint64(uint1(x186))) + var x189 uint64 + x189, _ = bits.Add64(x175, uint64(0x0), uint64(uint1(x188))) + var x191 uint64 + var x192 uint64 + x192, x191 = bits.Mul64(0x26, x92) + var x193 uint64 + var x194 uint64 + x194, x193 = bits.Mul64(0x26, x90) + var x195 uint64 + var x196 uint64 + x196, x195 = bits.Mul64(0x26, x88) + var x197 uint64 + var x198 uint64 + x197, x198 = bits.Add64(x82, x193, uint64(0x0)) + var x199 uint64 + var x200 uint64 + x199, x200 = bits.Add64(x84, x191, uint64(uint1(x198))) + var x201 uint64 
+ _, x201 = bits.Mul64(0x26, x94) + var x203 uint64 + var x204 uint64 + x203, x204 = bits.Add64(x86, x201, uint64(uint1(x200))) + var x206 uint64 + x206, _ = bits.Mul64(0x26, x94) + x207 := (uint64(uint1(x204)) + x206) + var x208 uint64 + var x209 uint64 + x208, x209 = bits.Add64(x31, x195, uint64(0x0)) + var x210 uint64 + var x211 uint64 + x210, x211 = bits.Add64(x197, x196, uint64(uint1(x209))) + var x212 uint64 + var x213 uint64 + x212, x213 = bits.Add64(x199, x194, uint64(uint1(x211))) + var x214 uint64 + var x215 uint64 + x214, x215 = bits.Add64(x203, x192, uint64(uint1(x213))) + x216 := (uint64(uint1(x215)) + x207) + var x217 uint64 + _, x217 = bits.Mul64(0x26, x216) + var x219 uint64 + var x220 uint64 + x219, x220 = bits.Add64(x208, x217, uint64(0x0)) + var x221 uint64 + var x222 uint64 + x221, x222 = bits.Add64(x210, uint64(0x0), uint64(uint1(x220))) + var x223 uint64 + var x224 uint64 + x223, x224 = bits.Add64(x212, uint64(0x0), uint64(uint1(x222))) + var x225 uint64 + var x226 uint64 + x225, x226 = bits.Add64(x214, uint64(0x0), uint64(uint1(x224))) + var x227 uint64 + cmovznzU64(&x227, uint1(x226), uint64(0x0), 0x26) + x228 := (uint128(x227) + uint128(x219)) + x229 := (uint64(x228) & 0xffffffffffffffff) + var x230 uint64 + var x231 uint64 + x231, x230 = bits.Mul64(0x26, x189) + var x232 uint64 + var x233 uint64 + x233, x232 = bits.Mul64(0x26, x187) + var x234 uint64 + var x235 uint64 + x235, x234 = bits.Mul64(0x26, x185) + var x236 uint64 + var x237 uint64 + x237, x236 = bits.Mul64(0x26, x183) + var x238 uint64 + var x239 uint64 + x238, x239 = bits.Add64(x177, x234, uint64(0x0)) + var x240 uint64 + var x241 uint64 + x240, x241 = bits.Add64(x179, x232, uint64(uint1(x239))) + var x242 uint64 + var x243 uint64 + x242, x243 = bits.Add64(x181, x230, uint64(uint1(x241))) + x244 := (uint64(uint1(x243)) + x231) + var x245 uint64 + var x246 uint64 + x245, x246 = bits.Add64(x126, x236, uint64(0x0)) + var x247 uint64 + var x248 uint64 + x247, x248 = bits.Add64(x238, 
x237, uint64(uint1(x246))) + var x249 uint64 + var x250 uint64 + x249, x250 = bits.Add64(x240, x235, uint64(uint1(x248))) + var x251 uint64 + var x252 uint64 + x251, x252 = bits.Add64(x242, x233, uint64(uint1(x250))) + x253 := (uint64(uint1(x252)) + x244) + var x254 uint64 + _, x254 = bits.Mul64(0x26, x253) + var x256 uint64 + var x257 uint64 + x256, x257 = bits.Add64(x245, x254, uint64(0x0)) + var x258 uint64 + var x259 uint64 + x258, x259 = bits.Add64(x247, uint64(0x0), uint64(uint1(x257))) + var x260 uint64 + var x261 uint64 + x260, x261 = bits.Add64(x249, uint64(0x0), uint64(uint1(x259))) + var x262 uint64 + var x263 uint64 + x262, x263 = bits.Add64(x251, uint64(0x0), uint64(uint1(x261))) + var x264 uint64 + cmovznzU64(&x264, uint1(x263), uint64(0x0), 0x26) + x265 := (uint128(x264) + uint128(x256)) + x266 := (uint64(x265) & 0xffffffffffffffff) + out1[0] = x229 + out1[1] = x221 + out1[2] = x223 + out1[3] = x225 + out2[0] = x266 + out2[1] = x258 + out2[2] = x260 + out2[3] = x262 +} + // Square squares a field element. // // Postconditions: diff --git a/fiat-json/src/curve25519_solinas_64.json b/fiat-json/src/curve25519_solinas_64.json index 96a4aabfb5..d476629867 100644 --- a/fiat-json/src/curve25519_solinas_64.json +++ b/fiat-json/src/curve25519_solinas_64.json 
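Review bot: `x228 := (uint128(x227) + uint128(x219))` followed by `x229 := (uint64(x228) & 0xffffffffffffffff)` (and the matching pair producing x265/x266) refer to a `uint128` type that Go does not provide and that every other step of this file avoids by lowering to `bits.Mul64`/`bits.Add64`; unless the package declares such a type outside this hunk, the generated Mul2 will not compile. The truncating lowering the cast expresses is a single carry-less add, e.g. `x229, _ := bits.Add64(x227, x219, uint64(0x0))`, and since the file is marked DO NOT EDIT the fix belongs in the solinas_reduction pipeline that emitted it (the `--no-wide-int` option in the header indicates wide integers were meant to be eliminated for Go). Separately, `_, x201 = bits.Mul64(0x26, x94)` and `x206, _ = bits.Mul64(0x26, x94)` compute the same product twice to pick up its low and high halves, which also looks like a pipeline artifact rather than an intended cost.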
@@ -3824,6 +3824,6302 @@ } ] }, + { + "operation": "fiat_curve25519_solinas_mul2", + "arguments": [ + { + "datatype": "u64[4]", + "name": "arg1", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + }, + { + "datatype": "u64[4]", + "name": "arg2", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + }, + { + "datatype": "u64[4]", + "name": "arg3", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + }, + { + "datatype": "u64[4]", + "name": "arg4", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + } + ], + "returns": [ + { + "datatype": "u64[4]", + "name": "out1", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + }, + { + "datatype": "u64[4]", + "name": "out2", + "lbound": [ + "0x0", + "0x0", + "0x0", + "0x0" + ], + "ubound": [ + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff", + "0xffffffffffffffff" + ] + } + ], + "body": [ + { + "datatype": "(auto)", + "name": [ + "x1", + "x2" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x3", + "x4" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": 
"static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x5", + "x6" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x7", + "x8" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x9", + "x10" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x11", + "x12" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x13", + "x14" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + 
"name": [ + "x15", + "x16" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x17", + "x18" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x19", + "x20" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x21", + "x22" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x23", + "x24" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x25", + "x26" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + 
"arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x27", + "x28" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x29", + "x30" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x31", + "x32" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg1[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg2[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x33", + "x34" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x28" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x7" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x35", + "x36" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { 
+ "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x34" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x26" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x5" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x37" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x36" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x18" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x38", + "x39" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x33" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x13" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x40", + "x41" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x39" + ] + } + ] + }, + { + "datatype": 
"u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x35" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x8" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x42", + "x43" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x41" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x37" + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "x44" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x43" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x10" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x45", + "x46" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x30" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x15" + ] + } + ] + } + ] + }, + { + "datatype": 
"(auto)", + "name": [ + "x47", + "x48" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x46" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x38" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x16" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x49", + "x50" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x48" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x40" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x11" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x51", + "x52" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x50" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x42" + ] + } + ] + }, + 
{ + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x3" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x53", + "x54" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x52" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x44" + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "x55" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x54" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x2" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x56", + "x57" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x45" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x21" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x58", + "x59" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": 
"static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x57" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x47" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x19" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x60", + "x61" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x59" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x49" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x14" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x62", + "x63" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x61" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x51" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x6" + 
] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x64", + "x65" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x63" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x53" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x66", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x65" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x55" + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x68", + "x69" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x32" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x23" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x70", + "x71" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x69" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + 
"arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x56" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x24" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x72", + "x73" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x71" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x58" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x22" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x74", + "x75" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x73" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x60" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x17" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x76", + "x77" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + 
"operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x75" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x62" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x9" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x78", + "x79" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x77" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x64" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x1" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x80", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x79" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x66" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x82", + "x83" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + 
{ + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x68" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x29" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x84", + "x85" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x83" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x70" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x27" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x86", + "x87" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x85" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x72" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x25" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x88", + "x89" + ], + "operation": "addcarryx", + "parameters": { + "size": 
64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x87" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x74" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x20" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x90", + "x91" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x89" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x76" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x12" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x92", + "x93" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x91" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x78" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + 
"datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x4" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x94", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x93" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x80" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x96", + "x97" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x98", + "x99" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x100", + "x101" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[3]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x102", + "x103" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[3]" + ] + }, + { + 
"datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x104", + "x105" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x106", + "x107" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x108", + "x109" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x110", + "x111" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[2]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x112", + "x113" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x114", + "x115" + ], + "operation": 
"mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x116", + "x117" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x118", + "x119" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[1]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x120", + "x121" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[3]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x122", + "x123" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[2]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x124", + "x125" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[0]" + ] + }, + { + "datatype": 
"u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[1]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x126", + "x127" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg3[0]" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "arg4[0]" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x128", + "x129" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x123" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x102" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x130", + "x131" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x129" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x121" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x100" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x132" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": 
"static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x131" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x113" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x133", + "x134" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x128" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x108" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x135", + "x136" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x134" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x130" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x103" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x137", + "x138" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x136" + ] + } + ] + 
}, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x132" + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "x139" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x138" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x105" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x140", + "x141" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x125" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x110" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x142", + "x143" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x141" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x133" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x111" + ] + } + ] + 
} + ] + }, + { + "datatype": "(auto)", + "name": [ + "x144", + "x145" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x143" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x135" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x106" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x146", + "x147" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x145" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x137" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x98" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x148", + "x149" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x147" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x139" + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ 
+ "x150" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x149" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x97" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x151", + "x152" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x140" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x116" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x153", + "x154" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x152" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x142" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x114" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x155", + "x156" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + 
"datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x154" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x144" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x109" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x157", + "x158" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x156" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x146" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x101" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x159", + "x160" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x158" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x148" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x161", + "_" + ], + "operation": "addcarryx", + "parameters": 
{ + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x160" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x150" + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x163", + "x164" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x127" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x118" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x165", + "x166" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x164" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x151" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x119" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x167", + "x168" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x166" + ] + } + ] + }, + 
{ + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x153" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x117" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x169", + "x170" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x168" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x155" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x112" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x171", + "x172" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x170" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x157" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x104" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x173", + "x174" + ], + "operation": "addcarryx", + "parameters": 
{ + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x172" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x159" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x96" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x175", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x174" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x161" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x177", + "x178" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x163" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x124" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x179", + "x180" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": 
"u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x178" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x165" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x122" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x181", + "x182" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x180" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x167" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x120" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x183", + "x184" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x182" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x169" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x115" + ] + } + ] + } + ] + }, + { + 
"datatype": "(auto)", + "name": [ + "x185", + "x186" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x184" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x171" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x107" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x187", + "x188" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x186" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x173" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x99" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x189", + "_" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x188" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + 
"x175" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x191", + "x192" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x92" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x193", + "x194" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x90" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x195", + "x196" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x88" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x197", + "x198" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x82" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x193" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x199", + "x200" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x198" + ] + } + ] 
+ }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x84" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x191" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x201", + "_" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x94" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x203", + "x204" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x200" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x86" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x201" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "_", + "x206" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x94" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x207" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + 
"operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x204" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x206" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x208", + "x209" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x31" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x195" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x210", + "x211" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x209" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x197" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x196" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x212", + "x213" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": 
"u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x211" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x199" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x194" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x214", + "x215" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x213" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x203" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x192" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x216" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x215" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x207" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x217", + "_" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x216" + ] + } + ] + }, + { + 
"datatype": "(auto)", + "name": [ + "x219", + "x220" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x208" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x217" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x221", + "x222" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x220" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x210" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x223", + "x224" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x222" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x212" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x225", + "x226" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x224" + ] + } + ] 
+ }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x214" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "x227" + ], + "operation": "cmovznz", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x226" + ] + } + ] + }, + "0x0", + "0x26" + ] + }, + { + "datatype": "u128", + "name": [ + "x228" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x227" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x219" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x229" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x228" + ] + }, + "0xffffffffffffffff" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x230", + "x231" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x189" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x232", + "x233" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": 
"static_cast", + "arguments": [ + "x187" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x234", + "x235" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x185" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x236", + "x237" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x183" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x238", + "x239" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x177" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x234" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x240", + "x241" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x239" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x179" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], 
+ "operation": "static_cast", + "arguments": [ + "x232" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x242", + "x243" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x241" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x181" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x230" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x244" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x243" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x231" + ] + } + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x245", + "x246" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x126" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x236" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + 
"name": [ + "x247", + "x248" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x246" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x238" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x237" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x249", + "x250" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x248" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x240" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x235" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x251", + "x252" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x250" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x242" + ] + } + ] + }, 
+ { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x233" + ] + } + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "x253" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x252" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x244" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x254", + "_" + ], + "operation": "mulx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x26", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x253" + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x256", + "x257" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + "0x0", + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x245" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x254" + ] + } + ] + } + ] + }, + { + "datatype": "(auto)", + "name": [ + "x258", + "x259" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x257" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": 
"static_cast", + "arguments": [ + "x247" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x260", + "x261" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x259" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x249" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "(auto)", + "name": [ + "x262", + "x263" + ], + "operation": "addcarryx", + "parameters": { + "size": 64 + }, + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x261" + ] + } + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x251" + ] + } + ] + }, + "0x0" + ] + }, + { + "datatype": "u64", + "name": [ + "x264" + ], + "operation": "cmovznz", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u1", + "name": [], + "operation": "static_cast", + "arguments": [ + "x263" + ] + } + ] + }, + "0x0", + "0x26" + ] + }, + { + "datatype": "u128", + "name": [ + "x265" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "+", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x264" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x256" + ] + } + ] + } + ] + } + ] + }, + 
{ + "datatype": "u64", + "name": [ + "x266" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "&", + "arguments": [ + { + "datatype": "u128", + "name": [], + "operation": "static_cast", + "arguments": [ + "x265" + ] + }, + "0xffffffffffffffff" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[0]" + ], + "operation": "static_cast", + "arguments": [ + "x229" + ] + }, + { + "datatype": "u64", + "name": [ + "out1[1]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x221" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[2]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x223" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out1[3]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x225" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out2[0]" + ], + "operation": "static_cast", + "arguments": [ + "x266" + ] + }, + { + "datatype": "u64", + "name": [ + "out2[1]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x258" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out2[2]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x260" + ] + } + ] + }, + { + "datatype": "u64", + "name": [ + "out2[3]" + ], + "operation": "static_cast", + "arguments": [ + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x262" + ] + } + ] + } + ] + }, { "operation": "fiat_curve25519_solinas_square", "arguments": [ 
diff --git a/fiat-rust/src/curve25519_solinas_64.rs b/fiat-rust/src/curve25519_solinas_64.rs index 6f0de7a949..db20aa803e 100644 --- a/fiat-rust/src/curve25519_solinas_64.rs +++ b/fiat-rust/src/curve25519_solinas_64.rs @@ -1,7 +1,7 @@ -//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mul square +//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mul mul2 square //! curve description: curve25519_solinas //! machine_wordsize = 64 (from "64") -//! requested operations: mul, square +//! requested operations: mul, mul2, square //! s-c = 2^255 - [(1, 19)] (from "2^255 - 19") //! //! Computed values: 
@@ -313,6 +313,425 @@ pub fn fiat_curve25519_solinas_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: & out1[3] = x128; } +/// The function fiat_curve25519_solinas_mul2 multiplies two field elements. +/// +/// Postconditions: +/// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// eval out2 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg3 * eval arg4) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// +/// Input Bounds: +/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// Output Bounds: +/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +#[inline] +pub fn fiat_curve25519_solinas_mul2(out1: &mut [u64; 4], out2: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4], arg3: &[u64; 4], arg4: &[u64; 4]) -> () { + let mut x1: u64 = 0; + let mut x2: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x1, &mut x2, (arg1[3]), (arg2[3])); + let mut x3: u64 = 0; + let mut x4: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x3, &mut x4, (arg1[3]), (arg2[2])); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x5, &mut x6, (arg1[3]), (arg2[1])); + let mut x7: u64 = 
0; + let mut x8: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x7, &mut x8, (arg1[3]), (arg2[0])); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x9, &mut x10, (arg1[2]), (arg2[3])); + let mut x11: u64 = 0; + let mut x12: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x11, &mut x12, (arg1[2]), (arg2[2])); + let mut x13: u64 = 0; + let mut x14: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x13, &mut x14, (arg1[2]), (arg2[1])); + let mut x15: u64 = 0; + let mut x16: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x15, &mut x16, (arg1[2]), (arg2[0])); + let mut x17: u64 = 0; + let mut x18: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x17, &mut x18, (arg1[1]), (arg2[3])); + let mut x19: u64 = 0; + let mut x20: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x19, &mut x20, (arg1[1]), (arg2[2])); + let mut x21: u64 = 0; + let mut x22: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x21, &mut x22, (arg1[1]), (arg2[1])); + let mut x23: u64 = 0; + let mut x24: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x23, &mut x24, (arg1[1]), (arg2[0])); + let mut x25: u64 = 0; + let mut x26: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x25, &mut x26, (arg1[0]), (arg2[3])); + let mut x27: u64 = 0; + let mut x28: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x27, &mut x28, (arg1[0]), (arg2[2])); + let mut x29: u64 = 0; + let mut x30: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x29, &mut x30, (arg1[0]), (arg2[1])); + let mut x31: u64 = 0; + let mut x32: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x31, &mut x32, (arg1[0]), (arg2[0])); + let mut x33: u64 = 0; + let mut x34: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x33, &mut x34, 0x0, x28, x7); + let mut x35: u64 = 0; + let mut x36: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x35, &mut x36, x34, x26, x5); + let x37: u64 = ((x36 as u64) + x18); + let mut x38: u64 = 0; + let mut x39: 
fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x38, &mut x39, 0x0, x33, x13); + let mut x40: u64 = 0; + let mut x41: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x40, &mut x41, x39, x35, x8); + let mut x42: u64 = 0; + let mut x43: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x42, &mut x43, x41, x37, (0x0 as u64)); + let x44: u64 = ((x43 as u64) + x10); + let mut x45: u64 = 0; + let mut x46: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x45, &mut x46, 0x0, x30, x15); + let mut x47: u64 = 0; + let mut x48: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x47, &mut x48, x46, x38, x16); + let mut x49: u64 = 0; + let mut x50: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x49, &mut x50, x48, x40, x11); + let mut x51: u64 = 0; + let mut x52: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x51, &mut x52, x50, x42, x3); + let mut x53: u64 = 0; + let mut x54: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x53, &mut x54, x52, x44, (0x0 as u64)); + let x55: u64 = ((x54 as u64) + x2); + let mut x56: u64 = 0; + let mut x57: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x56, &mut x57, 0x0, x45, x21); + let mut x58: u64 = 0; + let mut x59: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x58, &mut x59, x57, x47, x19); + let mut x60: u64 = 0; + let mut x61: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x60, &mut x61, x59, x49, x14); + let mut x62: u64 = 0; + let mut x63: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x62, &mut x63, x61, x51, x6); + let mut x64: u64 = 0; + let mut x65: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x64, &mut x65, x63, x53, (0x0 as u64)); + let mut x66: u64 = 0; + 
let mut x67: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x66, &mut x67, x65, x55, (0x0 as u64)); + let mut x68: u64 = 0; + let mut x69: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x68, &mut x69, 0x0, x32, x23); + let mut x70: u64 = 0; + let mut x71: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x70, &mut x71, x69, x56, x24); + let mut x72: u64 = 0; + let mut x73: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x72, &mut x73, x71, x58, x22); + let mut x74: u64 = 0; + let mut x75: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x74, &mut x75, x73, x60, x17); + let mut x76: u64 = 0; + let mut x77: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x76, &mut x77, x75, x62, x9); + let mut x78: u64 = 0; + let mut x79: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x78, &mut x79, x77, x64, x1); + let mut x80: u64 = 0; + let mut x81: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x80, &mut x81, x79, x66, (0x0 as u64)); + let mut x82: u64 = 0; + let mut x83: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x82, &mut x83, 0x0, x68, x29); + let mut x84: u64 = 0; + let mut x85: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x84, &mut x85, x83, x70, x27); + let mut x86: u64 = 0; + let mut x87: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x86, &mut x87, x85, x72, x25); + let mut x88: u64 = 0; + let mut x89: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x88, &mut x89, x87, x74, x20); + let mut x90: u64 = 0; + let mut x91: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x90, &mut x91, x89, x76, x12); + let mut x92: u64 = 0; + let mut x93: fiat_curve25519_solinas_u1 = 0; + 
fiat_curve25519_solinas_addcarryx_u64(&mut x92, &mut x93, x91, x78, x4); + let mut x94: u64 = 0; + let mut x95: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x94, &mut x95, x93, x80, (0x0 as u64)); + let mut x96: u64 = 0; + let mut x97: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x96, &mut x97, (arg3[3]), (arg4[3])); + let mut x98: u64 = 0; + let mut x99: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x98, &mut x99, (arg3[3]), (arg4[2])); + let mut x100: u64 = 0; + let mut x101: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x100, &mut x101, (arg3[3]), (arg4[1])); + let mut x102: u64 = 0; + let mut x103: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x102, &mut x103, (arg3[3]), (arg4[0])); + let mut x104: u64 = 0; + let mut x105: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x104, &mut x105, (arg3[2]), (arg4[3])); + let mut x106: u64 = 0; + let mut x107: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x106, &mut x107, (arg3[2]), (arg4[2])); + let mut x108: u64 = 0; + let mut x109: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x108, &mut x109, (arg3[2]), (arg4[1])); + let mut x110: u64 = 0; + let mut x111: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x110, &mut x111, (arg3[2]), (arg4[0])); + let mut x112: u64 = 0; + let mut x113: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x112, &mut x113, (arg3[1]), (arg4[3])); + let mut x114: u64 = 0; + let mut x115: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x114, &mut x115, (arg3[1]), (arg4[2])); + let mut x116: u64 = 0; + let mut x117: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x116, &mut x117, (arg3[1]), (arg4[1])); + let mut x118: u64 = 0; + let mut x119: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x118, &mut x119, (arg3[1]), (arg4[0])); + let mut x120: u64 = 0; + let mut x121: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x120, &mut x121, (arg3[0]), (arg4[3])); + let mut x122: u64 = 0; + let mut x123: u64 = 0; + 
fiat_curve25519_solinas_mulx_u64(&mut x122, &mut x123, (arg3[0]), (arg4[2])); + let mut x124: u64 = 0; + let mut x125: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x124, &mut x125, (arg3[0]), (arg4[1])); + let mut x126: u64 = 0; + let mut x127: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x126, &mut x127, (arg3[0]), (arg4[0])); + let mut x128: u64 = 0; + let mut x129: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x128, &mut x129, 0x0, x123, x102); + let mut x130: u64 = 0; + let mut x131: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x130, &mut x131, x129, x121, x100); + let x132: u64 = ((x131 as u64) + x113); + let mut x133: u64 = 0; + let mut x134: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x133, &mut x134, 0x0, x128, x108); + let mut x135: u64 = 0; + let mut x136: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x135, &mut x136, x134, x130, x103); + let mut x137: u64 = 0; + let mut x138: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x137, &mut x138, x136, x132, (0x0 as u64)); + let x139: u64 = ((x138 as u64) + x105); + let mut x140: u64 = 0; + let mut x141: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x140, &mut x141, 0x0, x125, x110); + let mut x142: u64 = 0; + let mut x143: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x142, &mut x143, x141, x133, x111); + let mut x144: u64 = 0; + let mut x145: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x144, &mut x145, x143, x135, x106); + let mut x146: u64 = 0; + let mut x147: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x146, &mut x147, x145, x137, x98); + let mut x148: u64 = 0; + let mut x149: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x148, &mut x149, x147, x139, (0x0 as u64)); + let x150: u64 = ((x149 
as u64) + x97); + let mut x151: u64 = 0; + let mut x152: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x151, &mut x152, 0x0, x140, x116); + let mut x153: u64 = 0; + let mut x154: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x153, &mut x154, x152, x142, x114); + let mut x155: u64 = 0; + let mut x156: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x155, &mut x156, x154, x144, x109); + let mut x157: u64 = 0; + let mut x158: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x157, &mut x158, x156, x146, x101); + let mut x159: u64 = 0; + let mut x160: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x159, &mut x160, x158, x148, (0x0 as u64)); + let mut x161: u64 = 0; + let mut x162: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x161, &mut x162, x160, x150, (0x0 as u64)); + let mut x163: u64 = 0; + let mut x164: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x163, &mut x164, 0x0, x127, x118); + let mut x165: u64 = 0; + let mut x166: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x165, &mut x166, x164, x151, x119); + let mut x167: u64 = 0; + let mut x168: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x167, &mut x168, x166, x153, x117); + let mut x169: u64 = 0; + let mut x170: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x169, &mut x170, x168, x155, x112); + let mut x171: u64 = 0; + let mut x172: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x171, &mut x172, x170, x157, x104); + let mut x173: u64 = 0; + let mut x174: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x173, &mut x174, x172, x159, x96); + let mut x175: u64 = 0; + let mut x176: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut 
x175, &mut x176, x174, x161, (0x0 as u64)); + let mut x177: u64 = 0; + let mut x178: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x177, &mut x178, 0x0, x163, x124); + let mut x179: u64 = 0; + let mut x180: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x179, &mut x180, x178, x165, x122); + let mut x181: u64 = 0; + let mut x182: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x181, &mut x182, x180, x167, x120); + let mut x183: u64 = 0; + let mut x184: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x183, &mut x184, x182, x169, x115); + let mut x185: u64 = 0; + let mut x186: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x185, &mut x186, x184, x171, x107); + let mut x187: u64 = 0; + let mut x188: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x187, &mut x188, x186, x173, x99); + let mut x189: u64 = 0; + let mut x190: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x189, &mut x190, x188, x175, (0x0 as u64)); + let mut x191: u64 = 0; + let mut x192: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x191, &mut x192, 0x26, x92); + let mut x193: u64 = 0; + let mut x194: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x193, &mut x194, 0x26, x90); + let mut x195: u64 = 0; + let mut x196: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x195, &mut x196, 0x26, x88); + let mut x197: u64 = 0; + let mut x198: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x197, &mut x198, 0x0, x82, x193); + let mut x199: u64 = 0; + let mut x200: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x199, &mut x200, x198, x84, x191); + let mut x201: u64 = 0; + let mut x202: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x201, &mut x202, 0x26, x94); + let mut x203: u64 = 0; + let mut x204: fiat_curve25519_solinas_u1 = 0; + 
fiat_curve25519_solinas_addcarryx_u64(&mut x203, &mut x204, x200, x86, x201); + let mut x205: u64 = 0; + let mut x206: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x205, &mut x206, 0x26, x94); + let x207: u64 = ((x204 as u64) + x206); + let mut x208: u64 = 0; + let mut x209: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x208, &mut x209, 0x0, x31, x195); + let mut x210: u64 = 0; + let mut x211: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x210, &mut x211, x209, x197, x196); + let mut x212: u64 = 0; + let mut x213: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x212, &mut x213, x211, x199, x194); + let mut x214: u64 = 0; + let mut x215: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x214, &mut x215, x213, x203, x192); + let x216: u64 = ((x215 as u64) + x207); + let mut x217: u64 = 0; + let mut x218: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x217, &mut x218, 0x26, x216); + let mut x219: u64 = 0; + let mut x220: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x219, &mut x220, 0x0, x208, x217); + let mut x221: u64 = 0; + let mut x222: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x221, &mut x222, x220, x210, (0x0 as u64)); + let mut x223: u64 = 0; + let mut x224: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x223, &mut x224, x222, x212, (0x0 as u64)); + let mut x225: u64 = 0; + let mut x226: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x225, &mut x226, x224, x214, (0x0 as u64)); + let mut x227: u64 = 0; + fiat_curve25519_solinas_cmovznz_u64(&mut x227, x226, (0x0 as u64), 0x26); + let x228: u128 = ((x227 as u128) + (x219 as u128)); + let x229: u64 = ((x228 & (0xffffffffffffffff as u128)) as u64); + let mut x230: u64 = 0; + let mut x231: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x230, &mut x231, 0x26, x189); + 
let mut x232: u64 = 0; + let mut x233: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x232, &mut x233, 0x26, x187); + let mut x234: u64 = 0; + let mut x235: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x234, &mut x235, 0x26, x185); + let mut x236: u64 = 0; + let mut x237: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x236, &mut x237, 0x26, x183); + let mut x238: u64 = 0; + let mut x239: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x238, &mut x239, 0x0, x177, x234); + let mut x240: u64 = 0; + let mut x241: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x240, &mut x241, x239, x179, x232); + let mut x242: u64 = 0; + let mut x243: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x242, &mut x243, x241, x181, x230); + let x244: u64 = ((x243 as u64) + x231); + let mut x245: u64 = 0; + let mut x246: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x245, &mut x246, 0x0, x126, x236); + let mut x247: u64 = 0; + let mut x248: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x247, &mut x248, x246, x238, x237); + let mut x249: u64 = 0; + let mut x250: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x249, &mut x250, x248, x240, x235); + let mut x251: u64 = 0; + let mut x252: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x251, &mut x252, x250, x242, x233); + let x253: u64 = ((x252 as u64) + x244); + let mut x254: u64 = 0; + let mut x255: u64 = 0; + fiat_curve25519_solinas_mulx_u64(&mut x254, &mut x255, 0x26, x253); + let mut x256: u64 = 0; + let mut x257: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x256, &mut x257, 0x0, x245, x254); + let mut x258: u64 = 0; + let mut x259: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x258, &mut x259, x257, x247, (0x0 as u64)); + let mut x260: u64 = 0; + let mut x261: 
fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x260, &mut x261, x259, x249, (0x0 as u64)); + let mut x262: u64 = 0; + let mut x263: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x262, &mut x263, x261, x251, (0x0 as u64)); + let mut x264: u64 = 0; + fiat_curve25519_solinas_cmovznz_u64(&mut x264, x263, (0x0 as u64), 0x26); + let x265: u128 = ((x264 as u128) + (x256 as u128)); + let x266: u64 = ((x265 & (0xffffffffffffffff as u128)) as u64); + out1[0] = x229; + out1[1] = x221; + out1[2] = x223; + out1[3] = x225; + out2[0] = x266; + out2[1] = x258; + out2[2] = x260; + out2[3] = x262; +} + /// The function fiat_curve25519_solinas_square squares a field element. /// /// Postconditions: diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig index 320fc1eb41..3c15b6b9e4 100644 --- a/fiat-zig/src/curve25519_solinas_64.zig +++ b/fiat-zig/src/curve25519_solinas_64.zig @@ -1,7 +1,7 @@ -// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mul square +// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mul mul2 square // curve description (via package name): curve25519_solinas // machine_wordsize = 64 (from "64") -// requested operations: mul, square +// requested operations: mul, mul2, square // s-c = 2^255 - [(1, 19)] (from "2^255 - 19") // // Computed values: 
@@ -326,6 +326,426 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { out1[3] = x128; } +/// The function mul2 multiplies two field elements. +/// +/// Postconditions: +/// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// eval out2 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg3 * eval arg4) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 +/// +/// Input Bounds: +/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// Output Bounds: +/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +/// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +pub fn mul2(out1: *[4]u64, out2: *[4]u64, arg1: [4]u64, arg2: [4]u64, arg3: [4]u64, arg4: [4]u64) void { + @setRuntimeSafety(mode == .Debug); + + var x1: u64 = undefined; + var x2: u64 = undefined; + mulxU64(&x1, &x2, (arg1[3]), (arg2[3])); + var x3: u64 = undefined; + var x4: u64 = undefined; + mulxU64(&x3, &x4, (arg1[3]), (arg2[2])); + var x5: u64 = undefined; + var x6: u64 = undefined; + mulxU64(&x5, &x6, (arg1[3]), (arg2[1])); + var x7: u64 = undefined; + var x8: u64 = undefined; + mulxU64(&x7, &x8, (arg1[3]), (arg2[0])); + var x9: u64 = undefined; + var x10: u64 = undefined; + 
mulxU64(&x9, &x10, (arg1[2]), (arg2[3])); + var x11: u64 = undefined; + var x12: u64 = undefined; + mulxU64(&x11, &x12, (arg1[2]), (arg2[2])); + var x13: u64 = undefined; + var x14: u64 = undefined; + mulxU64(&x13, &x14, (arg1[2]), (arg2[1])); + var x15: u64 = undefined; + var x16: u64 = undefined; + mulxU64(&x15, &x16, (arg1[2]), (arg2[0])); + var x17: u64 = undefined; + var x18: u64 = undefined; + mulxU64(&x17, &x18, (arg1[1]), (arg2[3])); + var x19: u64 = undefined; + var x20: u64 = undefined; + mulxU64(&x19, &x20, (arg1[1]), (arg2[2])); + var x21: u64 = undefined; + var x22: u64 = undefined; + mulxU64(&x21, &x22, (arg1[1]), (arg2[1])); + var x23: u64 = undefined; + var x24: u64 = undefined; + mulxU64(&x23, &x24, (arg1[1]), (arg2[0])); + var x25: u64 = undefined; + var x26: u64 = undefined; + mulxU64(&x25, &x26, (arg1[0]), (arg2[3])); + var x27: u64 = undefined; + var x28: u64 = undefined; + mulxU64(&x27, &x28, (arg1[0]), (arg2[2])); + var x29: u64 = undefined; + var x30: u64 = undefined; + mulxU64(&x29, &x30, (arg1[0]), (arg2[1])); + var x31: u64 = undefined; + var x32: u64 = undefined; + mulxU64(&x31, &x32, (arg1[0]), (arg2[0])); + var x33: u64 = undefined; + var x34: u1 = undefined; + addcarryxU64(&x33, &x34, 0x0, x28, x7); + var x35: u64 = undefined; + var x36: u1 = undefined; + addcarryxU64(&x35, &x36, x34, x26, x5); + const x37 = (cast(u64, x36) + x18); + var x38: u64 = undefined; + var x39: u1 = undefined; + addcarryxU64(&x38, &x39, 0x0, x33, x13); + var x40: u64 = undefined; + var x41: u1 = undefined; + addcarryxU64(&x40, &x41, x39, x35, x8); + var x42: u64 = undefined; + var x43: u1 = undefined; + addcarryxU64(&x42, &x43, x41, x37, cast(u64, 0x0)); + const x44 = (cast(u64, x43) + x10); + var x45: u64 = undefined; + var x46: u1 = undefined; + addcarryxU64(&x45, &x46, 0x0, x30, x15); + var x47: u64 = undefined; + var x48: u1 = undefined; + addcarryxU64(&x47, &x48, x46, x38, x16); + var x49: u64 = undefined; + var x50: u1 = undefined; + addcarryxU64(&x49, 
&x50, x48, x40, x11); + var x51: u64 = undefined; + var x52: u1 = undefined; + addcarryxU64(&x51, &x52, x50, x42, x3); + var x53: u64 = undefined; + var x54: u1 = undefined; + addcarryxU64(&x53, &x54, x52, x44, cast(u64, 0x0)); + const x55 = (cast(u64, x54) + x2); + var x56: u64 = undefined; + var x57: u1 = undefined; + addcarryxU64(&x56, &x57, 0x0, x45, x21); + var x58: u64 = undefined; + var x59: u1 = undefined; + addcarryxU64(&x58, &x59, x57, x47, x19); + var x60: u64 = undefined; + var x61: u1 = undefined; + addcarryxU64(&x60, &x61, x59, x49, x14); + var x62: u64 = undefined; + var x63: u1 = undefined; + addcarryxU64(&x62, &x63, x61, x51, x6); + var x64: u64 = undefined; + var x65: u1 = undefined; + addcarryxU64(&x64, &x65, x63, x53, cast(u64, 0x0)); + var x66: u64 = undefined; + var x67: u1 = undefined; + addcarryxU64(&x66, &x67, x65, x55, cast(u64, 0x0)); + var x68: u64 = undefined; + var x69: u1 = undefined; + addcarryxU64(&x68, &x69, 0x0, x32, x23); + var x70: u64 = undefined; + var x71: u1 = undefined; + addcarryxU64(&x70, &x71, x69, x56, x24); + var x72: u64 = undefined; + var x73: u1 = undefined; + addcarryxU64(&x72, &x73, x71, x58, x22); + var x74: u64 = undefined; + var x75: u1 = undefined; + addcarryxU64(&x74, &x75, x73, x60, x17); + var x76: u64 = undefined; + var x77: u1 = undefined; + addcarryxU64(&x76, &x77, x75, x62, x9); + var x78: u64 = undefined; + var x79: u1 = undefined; + addcarryxU64(&x78, &x79, x77, x64, x1); + var x80: u64 = undefined; + var x81: u1 = undefined; + addcarryxU64(&x80, &x81, x79, x66, cast(u64, 0x0)); + var x82: u64 = undefined; + var x83: u1 = undefined; + addcarryxU64(&x82, &x83, 0x0, x68, x29); + var x84: u64 = undefined; + var x85: u1 = undefined; + addcarryxU64(&x84, &x85, x83, x70, x27); + var x86: u64 = undefined; + var x87: u1 = undefined; + addcarryxU64(&x86, &x87, x85, x72, x25); + var x88: u64 = undefined; + var x89: u1 = undefined; + addcarryxU64(&x88, &x89, x87, x74, x20); + var x90: u64 = undefined; + var x91: 
u1 = undefined; + addcarryxU64(&x90, &x91, x89, x76, x12); + var x92: u64 = undefined; + var x93: u1 = undefined; + addcarryxU64(&x92, &x93, x91, x78, x4); + var x94: u64 = undefined; + var x95: u1 = undefined; + addcarryxU64(&x94, &x95, x93, x80, cast(u64, 0x0)); + var x96: u64 = undefined; + var x97: u64 = undefined; + mulxU64(&x96, &x97, (arg3[3]), (arg4[3])); + var x98: u64 = undefined; + var x99: u64 = undefined; + mulxU64(&x98, &x99, (arg3[3]), (arg4[2])); + var x100: u64 = undefined; + var x101: u64 = undefined; + mulxU64(&x100, &x101, (arg3[3]), (arg4[1])); + var x102: u64 = undefined; + var x103: u64 = undefined; + mulxU64(&x102, &x103, (arg3[3]), (arg4[0])); + var x104: u64 = undefined; + var x105: u64 = undefined; + mulxU64(&x104, &x105, (arg3[2]), (arg4[3])); + var x106: u64 = undefined; + var x107: u64 = undefined; + mulxU64(&x106, &x107, (arg3[2]), (arg4[2])); + var x108: u64 = undefined; + var x109: u64 = undefined; + mulxU64(&x108, &x109, (arg3[2]), (arg4[1])); + var x110: u64 = undefined; + var x111: u64 = undefined; + mulxU64(&x110, &x111, (arg3[2]), (arg4[0])); + var x112: u64 = undefined; + var x113: u64 = undefined; + mulxU64(&x112, &x113, (arg3[1]), (arg4[3])); + var x114: u64 = undefined; + var x115: u64 = undefined; + mulxU64(&x114, &x115, (arg3[1]), (arg4[2])); + var x116: u64 = undefined; + var x117: u64 = undefined; + mulxU64(&x116, &x117, (arg3[1]), (arg4[1])); + var x118: u64 = undefined; + var x119: u64 = undefined; + mulxU64(&x118, &x119, (arg3[1]), (arg4[0])); + var x120: u64 = undefined; + var x121: u64 = undefined; + mulxU64(&x120, &x121, (arg3[0]), (arg4[3])); + var x122: u64 = undefined; + var x123: u64 = undefined; + mulxU64(&x122, &x123, (arg3[0]), (arg4[2])); + var x124: u64 = undefined; + var x125: u64 = undefined; + mulxU64(&x124, &x125, (arg3[0]), (arg4[1])); + var x126: u64 = undefined; + var x127: u64 = undefined; + mulxU64(&x126, &x127, (arg3[0]), (arg4[0])); + var x128: u64 = undefined; + var x129: u1 = undefined; + 
addcarryxU64(&x128, &x129, 0x0, x123, x102); + var x130: u64 = undefined; + var x131: u1 = undefined; + addcarryxU64(&x130, &x131, x129, x121, x100); + const x132 = (cast(u64, x131) + x113); + var x133: u64 = undefined; + var x134: u1 = undefined; + addcarryxU64(&x133, &x134, 0x0, x128, x108); + var x135: u64 = undefined; + var x136: u1 = undefined; + addcarryxU64(&x135, &x136, x134, x130, x103); + var x137: u64 = undefined; + var x138: u1 = undefined; + addcarryxU64(&x137, &x138, x136, x132, cast(u64, 0x0)); + const x139 = (cast(u64, x138) + x105); + var x140: u64 = undefined; + var x141: u1 = undefined; + addcarryxU64(&x140, &x141, 0x0, x125, x110); + var x142: u64 = undefined; + var x143: u1 = undefined; + addcarryxU64(&x142, &x143, x141, x133, x111); + var x144: u64 = undefined; + var x145: u1 = undefined; + addcarryxU64(&x144, &x145, x143, x135, x106); + var x146: u64 = undefined; + var x147: u1 = undefined; + addcarryxU64(&x146, &x147, x145, x137, x98); + var x148: u64 = undefined; + var x149: u1 = undefined; + addcarryxU64(&x148, &x149, x147, x139, cast(u64, 0x0)); + const x150 = (cast(u64, x149) + x97); + var x151: u64 = undefined; + var x152: u1 = undefined; + addcarryxU64(&x151, &x152, 0x0, x140, x116); + var x153: u64 = undefined; + var x154: u1 = undefined; + addcarryxU64(&x153, &x154, x152, x142, x114); + var x155: u64 = undefined; + var x156: u1 = undefined; + addcarryxU64(&x155, &x156, x154, x144, x109); + var x157: u64 = undefined; + var x158: u1 = undefined; + addcarryxU64(&x157, &x158, x156, x146, x101); + var x159: u64 = undefined; + var x160: u1 = undefined; + addcarryxU64(&x159, &x160, x158, x148, cast(u64, 0x0)); + var x161: u64 = undefined; + var x162: u1 = undefined; + addcarryxU64(&x161, &x162, x160, x150, cast(u64, 0x0)); + var x163: u64 = undefined; + var x164: u1 = undefined; + addcarryxU64(&x163, &x164, 0x0, x127, x118); + var x165: u64 = undefined; + var x166: u1 = undefined; + addcarryxU64(&x165, &x166, x164, x151, x119); + var x167: 
u64 = undefined; + var x168: u1 = undefined; + addcarryxU64(&x167, &x168, x166, x153, x117); + var x169: u64 = undefined; + var x170: u1 = undefined; + addcarryxU64(&x169, &x170, x168, x155, x112); + var x171: u64 = undefined; + var x172: u1 = undefined; + addcarryxU64(&x171, &x172, x170, x157, x104); + var x173: u64 = undefined; + var x174: u1 = undefined; + addcarryxU64(&x173, &x174, x172, x159, x96); + var x175: u64 = undefined; + var x176: u1 = undefined; + addcarryxU64(&x175, &x176, x174, x161, cast(u64, 0x0)); + var x177: u64 = undefined; + var x178: u1 = undefined; + addcarryxU64(&x177, &x178, 0x0, x163, x124); + var x179: u64 = undefined; + var x180: u1 = undefined; + addcarryxU64(&x179, &x180, x178, x165, x122); + var x181: u64 = undefined; + var x182: u1 = undefined; + addcarryxU64(&x181, &x182, x180, x167, x120); + var x183: u64 = undefined; + var x184: u1 = undefined; + addcarryxU64(&x183, &x184, x182, x169, x115); + var x185: u64 = undefined; + var x186: u1 = undefined; + addcarryxU64(&x185, &x186, x184, x171, x107); + var x187: u64 = undefined; + var x188: u1 = undefined; + addcarryxU64(&x187, &x188, x186, x173, x99); + var x189: u64 = undefined; + var x190: u1 = undefined; + addcarryxU64(&x189, &x190, x188, x175, cast(u64, 0x0)); + var x191: u64 = undefined; + var x192: u64 = undefined; + mulxU64(&x191, &x192, 0x26, x92); + var x193: u64 = undefined; + var x194: u64 = undefined; + mulxU64(&x193, &x194, 0x26, x90); + var x195: u64 = undefined; + var x196: u64 = undefined; + mulxU64(&x195, &x196, 0x26, x88); + var x197: u64 = undefined; + var x198: u1 = undefined; + addcarryxU64(&x197, &x198, 0x0, x82, x193); + var x199: u64 = undefined; + var x200: u1 = undefined; + addcarryxU64(&x199, &x200, x198, x84, x191); + var x201: u64 = undefined; + var x202: u64 = undefined; + mulxU64(&x201, &x202, 0x26, x94); + var x203: u64 = undefined; + var x204: u1 = undefined; + addcarryxU64(&x203, &x204, x200, x86, x201); + var x205: u64 = undefined; + var x206: u64 = 
undefined; + mulxU64(&x205, &x206, 0x26, x94); + const x207 = (cast(u64, x204) + x206); + var x208: u64 = undefined; + var x209: u1 = undefined; + addcarryxU64(&x208, &x209, 0x0, x31, x195); + var x210: u64 = undefined; + var x211: u1 = undefined; + addcarryxU64(&x210, &x211, x209, x197, x196); + var x212: u64 = undefined; + var x213: u1 = undefined; + addcarryxU64(&x212, &x213, x211, x199, x194); + var x214: u64 = undefined; + var x215: u1 = undefined; + addcarryxU64(&x214, &x215, x213, x203, x192); + const x216 = (cast(u64, x215) + x207); + var x217: u64 = undefined; + var x218: u64 = undefined; + mulxU64(&x217, &x218, 0x26, x216); + var x219: u64 = undefined; + var x220: u1 = undefined; + addcarryxU64(&x219, &x220, 0x0, x208, x217); + var x221: u64 = undefined; + var x222: u1 = undefined; + addcarryxU64(&x221, &x222, x220, x210, cast(u64, 0x0)); + var x223: u64 = undefined; + var x224: u1 = undefined; + addcarryxU64(&x223, &x224, x222, x212, cast(u64, 0x0)); + var x225: u64 = undefined; + var x226: u1 = undefined; + addcarryxU64(&x225, &x226, x224, x214, cast(u64, 0x0)); + var x227: u64 = undefined; + cmovznzU64(&x227, x226, cast(u64, 0x0), 0x26); + const x228 = (cast(u128, x227) + cast(u128, x219)); + const x229 = cast(u64, (x228 & cast(u128, 0xffffffffffffffff))); + var x230: u64 = undefined; + var x231: u64 = undefined; + mulxU64(&x230, &x231, 0x26, x189); + var x232: u64 = undefined; + var x233: u64 = undefined; + mulxU64(&x232, &x233, 0x26, x187); + var x234: u64 = undefined; + var x235: u64 = undefined; + mulxU64(&x234, &x235, 0x26, x185); + var x236: u64 = undefined; + var x237: u64 = undefined; + mulxU64(&x236, &x237, 0x26, x183); + var x238: u64 = undefined; + var x239: u1 = undefined; + addcarryxU64(&x238, &x239, 0x0, x177, x234); + var x240: u64 = undefined; + var x241: u1 = undefined; + addcarryxU64(&x240, &x241, x239, x179, x232); + var x242: u64 = undefined; + var x243: u1 = undefined; + addcarryxU64(&x242, &x243, x241, x181, x230); + const x244 = 
(cast(u64, x243) + x231); + var x245: u64 = undefined; + var x246: u1 = undefined; + addcarryxU64(&x245, &x246, 0x0, x126, x236); + var x247: u64 = undefined; + var x248: u1 = undefined; + addcarryxU64(&x247, &x248, x246, x238, x237); + var x249: u64 = undefined; + var x250: u1 = undefined; + addcarryxU64(&x249, &x250, x248, x240, x235); + var x251: u64 = undefined; + var x252: u1 = undefined; + addcarryxU64(&x251, &x252, x250, x242, x233); + const x253 = (cast(u64, x252) + x244); + var x254: u64 = undefined; + var x255: u64 = undefined; + mulxU64(&x254, &x255, 0x26, x253); + var x256: u64 = undefined; + var x257: u1 = undefined; + addcarryxU64(&x256, &x257, 0x0, x245, x254); + var x258: u64 = undefined; + var x259: u1 = undefined; + addcarryxU64(&x258, &x259, x257, x247, cast(u64, 0x0)); + var x260: u64 = undefined; + var x261: u1 = undefined; + addcarryxU64(&x260, &x261, x259, x249, cast(u64, 0x0)); + var x262: u64 = undefined; + var x263: u1 = undefined; + addcarryxU64(&x262, &x263, x261, x251, cast(u64, 0x0)); + var x264: u64 = undefined; + cmovznzU64(&x264, x263, cast(u64, 0x0), 0x26); + const x265 = (cast(u128, x264) + cast(u128, x256)); + const x266 = cast(u64, (x265 & cast(u128, 0xffffffffffffffff))); + out1[0] = x229; + out1[1] = x221; + out1[2] = x223; + out1[3] = x225; + out2[0] = x266; + out2[1] = x258; + out2[2] = x260; + out2[3] = x262; +} + /// The function square squares a field element. /// /// Postconditions: diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index 80cfcb39f0..a0da9ea123 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v 
@@ -2754,6 +2754,59 @@ Module SolinasReduction. End squaremod. + Section mulmod2. + + Definition mulmod2 base s c n (p q x y : list Z) := + let ans1 := mulmod base s c n p q in + let ans2 := mulmod base s c n x y in + (ans1, ans2). + + Context (base : Z) + (s : Z) + (c : list (Z * Z)) + (n : nat). + + Context (n_gt_1 : (n > 1)%nat) + (s_pos : s > 0) + (c_pos : Associational.eval c > 0) + (mod_nz : s - Associational.eval c <> 0) + (base_nz : base <> 0) + (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true)) + (coef_small : weight n / s * Associational.eval c < up_bound). + + Lemma fst_mulmod2 (p q x y : list Z) : + fst (mulmod2 base s c n p q x y) = mulmod base s c n p q. + Proof. + cbv [mulmod2]. + cbn. + reflexivity. + Qed. + + Lemma snd_mulmod2 (p q x y : list Z) : + snd (mulmod2 base s c n p q x y) = mulmod base s c n x y. + Proof. + cbv [mulmod2]. + cbn. + reflexivity. + Qed. + + Theorem mulmod2_correct (p q x y : list Z) : + let m := mulmod2 base s c n p q x y in + Positional.eval weight n (fst m) mod (s - Associational.eval c) = + (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c) /\ + Positional.eval weight n (snd m) mod (s - Associational.eval c) = + (Positional.eval weight n x * Positional.eval weight n y) mod (s - Associational.eval c). + Proof. + intros m. + cbv [m]. + rewrite fst_mulmod2, snd_mulmod2. + intuition. + apply mulmod_correct; auto. + apply mulmod_correct; auto. + Qed. + + End mulmod2. + End __. End SolinasReduction. diff --git a/src/COperationSpecifications.v b/src/COperationSpecifications.v index fb8223ef12..e33f8ebcb6 100644 --- a/src/COperationSpecifications.v +++ b/src/COperationSpecifications.v 
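Review bot: `mulmod2_correct` splits its conjunction with a bare `intuition.` before the two `apply mulmod_correct; auto.` lines; `split; apply mulmod_correct; auto.` states the same proof without handing the goal to a tactic whose behaviour depends on whatever hypotheses happen to be in context. `mulmod2` also carries no comment saying why two independent `mulmod` calls are packed into one pair-valued definition — presumably so the bounds pipeline (the `mul2` definition in `src/PushButtonSynthesis/SolinasReduction.v` in this patch) synthesizes both products as a single routine — and a line such as `(* Two independent mulmods bundled so the pipeline can synthesize them as one function. *)` above the `Definition` would record that. Because the `Context` block is declared after `mulmod2`, the definition closes over `base s c n` explicitly while the section hypotheses (`n_gt_1` through `coef_small`) are consumed only by `mulmod2_correct` through `auto`; that works, but naming them in a `Proof using` clause would make the dependency explicit, as `Proof using curve_good` does elsewhere in this patch.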
@@ -511,6 +511,16 @@ Module SolinasReduction.
 ((eval (mul x y)) mod m = (eval x * eval y) mod m) /\
 (list_Z_bounded_by saturated_bounds (mul x y)).
+ Definition mul2_correct
+ (mul2 : list Z -> list Z -> list Z -> list Z -> ((list Z) * (list Z))) :=
+ forall x y z w,
+ list_Z_bounded_by saturated_bounds x ->
+ list_Z_bounded_by saturated_bounds y ->
+ list_Z_bounded_by saturated_bounds z ->
+ list_Z_bounded_by saturated_bounds w ->
+ ((eval (fst (mul2 x y z w))) mod m = (eval x * eval y) mod m) /\
+ ((eval (snd (mul2 x y z w))) mod m = (eval z * eval w) mod m).
+
 Definition sqr_correct (sqr : list Z -> list Z) :=
 forall x,
diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v
index 75d9427ff7..7bff6e6a16 100644
--- a/src/PushButtonSynthesis/SolinasReduction.v
+++ b/src/PushButtonSynthesis/SolinasReduction.v
@@ -58,6 +58,7 @@ Local Coercion Z.pos : positive >-> Z.
 Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *)
 Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *)
+Local Opaque reified_mul2_gen.
 Local Opaque reified_square_gen. (* needed for making [autorewrite] with [Set Keyed Unification] fast *)
 Local Opaque expr.Interp.
@@ -176,6 +177,18 @@ Section __.
 (Some boundsn, (Some boundsn, tt))
 (Some boundsn).
+ Definition mul2
+ := Pipeline.BoundsPipeline
+ false (* subst01 *)
+ possible_values
+ (reified_mul2_gen
+ @ GallinaReify.Reify base
+ @ GallinaReify.Reify s
+ @ GallinaReify.Reify c
+ @ GallinaReify.Reify n)
+ (Some boundsn, (Some boundsn, (Some boundsn, (Some boundsn, tt))))
+ (Some boundsn, Some boundsn).
+
 Definition square
 := Pipeline.BoundsPipeline
 false (* subst01 *)
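Review bot: `mul2_correct` drops the `list_Z_bounded_by saturated_bounds` postcondition that `mul_correct` carries on its result (the two context lines directly above), so the spec says nothing about the range of either output. Without it the results of `mul2` cannot be passed back into `mul`, `mul2` or `sqr`, whose preconditions — as `mul2_correct`'s own hypotheses show — require bounded inputs, so the spec is not composable the way `mul_correct` is. I'd extend the conclusion with `/\ list_Z_bounded_by saturated_bounds (fst (mul2 x y z w)) /\ list_Z_bounded_by saturated_bounds (snd (mul2 x y z w))`. The `mul2` pipeline definition on this same line does pass `(Some boundsn, Some boundsn)` as its output bounds, so the pipeline already checks this; the spec merely fails to expose it. The added `Local Opaque reified_mul2_gen.` in the `@@ -58` hunk also lacks the explanatory comment its two neighbours carry; copying `(* needed for making [autorewrite] not take a very long time *)` keeps them consistent.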
@@ -197,6 +210,15 @@ Section __.
 (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string)
 (mul_correct weightf n m boundsn)).
+ Definition smul2 (prefix : string)
+ : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _))
+ := Eval cbv beta in
+ FromPipelineToString!
+ machine_wordsize prefix "mul2" mul2
+ (docstring_with_summary_from_lemma!
+ (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string)
+ (mul2_correct weightf n m boundsn)).
+
 Definition ssquare (prefix : string)
 : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _))
 := Eval cbv beta in
@@ -209,10 +231,6 @@ Section __.
 Local Ltac solve_extra_bounds_side_conditions := cbn [lower upper fst snd] in *; Bool.split_andb; Z.ltb_to_lt; lia.
- Hint Rewrite
- (fun pf => @SolinasReduction.SolinasReduction.mulmod_correct (@wprops _ _ pf)) using solve [ auto with zarith | congruence | solve_extra_bounds_side_conditions ] : push_eval.
- Hint Unfold mul : push_eval.
-
 Local Ltac prove_correctness _ := Primitives.prove_correctness use_curve_good.
 Lemma mul_correct res
@@ -230,6 +248,15 @@ Section __.
 Lemma Wf_mul res (Hres : mul = Success res) : Wf res.
 Proof using Type. prove_pipeline_wf (). Qed.
+ Lemma mul2_correct res
+ (Hres : mul2 = Success res)
+ : mul2_correct weight n m boundsn (Interp res).
+ Proof using curve_good.
+ Admitted.
+
+ Lemma Wf_mul2 res (Hres : mul2 = Success res) : Wf res.
+ Proof using Type. prove_pipeline_wf (). Qed.
+
 Lemma square_correct res
 (Hres : square = Success res)
 : sqr_correct weight n m boundsn (Interp res).
@@ -251,7 +278,7 @@ Section __.
 Local Open Scope list_scope.
 Definition known_functions
- := [("mul", wrap_s smul); ("square", wrap_s ssquare)].
+ := [("mul", wrap_s smul); ("mul2", wrap_s smul2); ("square", wrap_s ssquare)].
 Definition valid_names : string := Eval compute in String.concat ", " (List.map (@fst _ _) known_functions).
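Review bot: The docstring summary for `mul2` is copied verbatim from `mul` — `" multiplies two field elements."` — but `mul2` takes four inputs and returns two products, and this string becomes the header comment of every generated backend. Changing it to `" multiplies two pairs of field elements, returning both products."` describes what the function actually does. The `ssquare` definition that follows starts in this hunk but its body continues outside it.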
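Review bot: `mul2_correct` in the `@@ -230` hunk is closed with `Admitted.`, which adds an unproven axiom to everything downstream of it — `Print Assumptions` on any later lemma will list it, and generated headers that mark only the C wrapper as uncovered by proofs will leave consumers believing `mul2` is verified. The ingredients for a real proof appear in this patch — `mulmod2_correct` is proven in `Arithmetic/SolinasReduction.v` and the `reify_cache_gen`/`wf_gen_cache`/`interp_gen_cache` hints for `reified_mul2_gen` are registered — so the `prove_correctness ()` route presumably used by `mul_correct` (whose body is outside these hunks) should be tried before merging; failing that, the lemma should carry `(* TODO: Admitted — mul2 is NOT verified; do not advertise generated mul2 as proven *)` so the gap is not silent. Related: the `@@ -209` hunk removes the `push_eval` hints for `mulmod_correct` and `Hint Unfold mul` with nothing in view replacing them; if `mul_correct` still goes through, a sentence in the commit saying where its rewriting now comes from would help the next reader.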
diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v
index afe302b6df..dacf2442fe 100644
--- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v
+++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v
@@ -27,28 +27,45 @@ Import Language.Wf.Compilers.
 Import SolinasReduction.SolinasReduction.
-Derive reified_mul_gen
- SuchThat (is_reification_of reified_mul_gen mulmod)
- As reified_mul_gen_correct.
-Proof. Time cache_reify (). Time Qed.
-
-Derive reified_square_gen
- SuchThat (is_reification_of reified_square_gen squaremod)
- As reified_square_gen_correct.
-Proof. Time cache_reify (). Time Qed.
-
-#[global]
- Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_mul_gen) : reify_cache_gen.
-#[global]
- Hint Immediate (proj2 reified_mul_gen_correct) : wf_gen_cache.
-#[global]
- Hint Rewrite (proj1 reified_mul_gen_correct) : interp_gen_cache.
-Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *)
-
-#[global]
- Hint Extern 1 (_ = _) => apply_cached_reification squaremod (proj1 reified_square_gen) : reify_cache_gen.
-#[global]
- Hint Immediate (proj2 reified_square_gen_correct) : wf_gen_cache.
-#[global]
- Hint Rewrite (proj1 reified_square_gen_correct) : interp_gen_cache.
-Local Opaque reified_square_gen. (* needed for making [autorewrite] not take a very long time *)
+Module Export SolinasReduction.
+
+ Derive reified_mul_gen
+ SuchThat (is_reification_of reified_mul_gen mulmod)
+ As reified_mul_gen_correct.
+ Proof. Time cache_reify (). Time Qed.
+
+ Derive reified_mul2_gen
+ SuchThat (is_reification_of reified_mul2_gen mulmod2)
+ As reified_mul2_gen_correct.
+ Proof. Time cache_reify (). Time Qed.
+
+ Derive reified_square_gen
+ SuchThat (is_reification_of reified_square_gen squaremod)
+ As reified_square_gen_correct.
+ Proof. Time cache_reify (). Time Qed.
+
+ #[global]
+ Hint Extern 1 (_ = _) => apply_cached_reification mulmod (proj1 reified_mul_gen) : reify_cache_gen.
+ #[global]
+ Hint Immediate (proj2 reified_mul_gen_correct) : wf_gen_cache.
+ #[global]
+ Hint Rewrite (proj1 reified_mul_gen_correct) : interp_gen_cache.
+ Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *)
+
+ #[global]
+ Hint Extern 1 (_ = _) => apply_cached_reification mulmod2 (proj1 reified_mul2_gen) : reify_cache_gen.
+ #[global]
+ Hint Immediate (proj2 reified_mul2_gen_correct) : wf_gen_cache.
+ #[global]
+ Hint Rewrite (proj1 reified_mul2_gen_correct) : interp_gen_cache.
+ Local Opaque reified_mul2_gen. (* needed for making [autorewrite] not take a very long time *)
+
+ #[global]
+ Hint Extern 1 (_ = _) => apply_cached_reification squaremod (proj1 reified_square_gen) : reify_cache_gen.
+ #[global]
+ Hint Immediate (proj2 reified_square_gen_correct) : wf_gen_cache.
+ #[global]
+ Hint Rewrite (proj1 reified_square_gen_correct) : interp_gen_cache.
+ Local Opaque reified_square_gen. (* needed for making [autorewrite] not take a very long time *)
+
+End SolinasReduction.
diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v
index be48114656..c01558d6d9 100644
--- a/src/SlowPrimeSynthesisExamples.v
+++ b/src/SlowPrimeSynthesisExamples.v
@@ -104,6 +104,24 @@ Module debugging_solinas_reduction.
 Let bounds := repeat bound n ++ [Some r[0 ~> 1]%zrange].
 Let bound1 := Some r[0~>1]%zrange.
+ Time Compute
+ Show.show
+ (Pipeline.BoundsPipelineToString
+ "fiat" "mul2"
+ false
+ false
+ possible_values
+ machine_wordsize
+ ltac:(let n := (eval cbv in n) in
+ let r := Reify (mulmod2 base s c n) in
+ exact r)
+ (fun _ _ => [])
+ (Some (repeat bound n), (Some (repeat bound n), (Some (repeat bound n), (Some (repeat bound n), tt))))
+ (Some (repeat bound n), Some (repeat bound n))
+ (None, (None, (None, (None, tt))))
+ (None, None)
+ : Pipeline.ErrorT _).
+
 Time Compute
 Show.show
 (Pipeline.BoundsPipelineToString
From 8ce3cdb200d0f69c7f8e260b843117e106a29094 Mon Sep 17 00:00:00 2001
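Review bot: Wrapping the existing declarations in `Module Export SolinasReduction` re-indents every pre-existing line, so the diff shows 25 removals and 42 additions for what is functionally three new blocks (the `Derive reified_mul2_gen`, its three hints and its `Local Opaque`); landing the re-indent separately from the functional change would make the addition reviewable. Nothing says why the wrapper module is needed, and it is introduced right after `Import SolinasReduction.SolinasReduction.`, so two identically named modules now sit next to each other; once the reason is known I'd put above the `Module` line a comment such as `(* Nested module so the cached reifications live under SolinasReduction.reified_*_gen — confirm intent *)`. The `Hint Extern` for `mulmod2` follows the existing pattern of passing `(proj1 reified_mul2_gen)` rather than `(proj1 reified_mul2_gen_correct)`, matching its neighbours, so that part is consistent.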
From: Samuel Tian
Date: Tue, 8 Nov 2022 21:27:06 -0500
Subject: [PATCH 64/69] use addx in solinas reduction instead of 128-bit addition followed by mod

---
 fiat-bedrock2/src/curve25519_solinas_64.c | 753 ++++++++++++++++--
 fiat-c/src/curve25519_solinas_64.c | 36 +-
 .../64/curve25519solinas/curve25519solinas.go | 26 +-
 fiat-json/src/curve25519_solinas_64.json | 260 +++---
 fiat-rust/src/curve25519_solinas_64.rs | 28 +-
 fiat-zig/src/curve25519_solinas_64.zig | 28 +-
 src/Arithmetic/SolinasReduction.v | 51 +-
 src/SlowPrimeSynthesisExamples.v | 12 +-
 8 files changed, 903 insertions(+), 291 deletions(-)

diff --git a/fiat-bedrock2/src/curve25519_solinas_64.c b/fiat-bedrock2/src/curve25519_solinas_64.c
index 21bd936cf6..407ab9173b 100644
--- a/fiat-bedrock2/src/curve25519_solinas_64.c
+++ b/fiat-bedrock2/src/curve25519_solinas_64.c
@@ -1,7 +1,7 @@
-/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mul */
+/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mul mul2 square */
 /* curve description: curve25519_solinas */
 /* machine_wordsize = 64 (from "64") */
-/* requested operations: mul */
+/* requested operations: mul, mul2, square */
 /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */
 /* */
 /* Computed values: */
@@ -55,7 +55,7 @@ _br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { */ static void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr_t in1) { - uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x14, x35, x41, x33, x42, x12, x43, x45, x46, x25, x20, x40, x49, x44, x50, x15, x51, x53, x54, x47, x56, x17, x22, x37, x59, x48, x60, x23, x61, x63, x64, x52, x65, x18, x66, x68, x69, x55, x70, x10, x71, x73, x74, x57, x76, x9, x28, x58, x79, x62, x80, x26, x81, x83, x84, x67, x85, x21, x86, x88, x89, x72, x90, x13, x91, x93, x94, x75, x96, x77, x30, x39, x99, x78, x100, x31, x101, x103, x104, x82, x105, x29, x106, x108, x109, x87, x110, x24, x111, x113, x114, x92, x115, x16, x116, x118, x119, x95, x120, x8, x121, x123, x124, x97, x36, x98, x127, x102, x128, x34, x129, x131, x132, x107, x133, x32, x134, x136, x137, x112, x138, x27, x139, x141, x142, x117, x143, x19, x144, x146, x147, x122, x148, x11, x149, x151, x152, x125, x150, x145, x140, x156, x126, x161, x130, x162, x154, x163, x165, x166, x135, x168, x167, x169, x171, x153, x172, x173, x158, x38, x176, x160, x177, x159, x178, x180, x181, x164, x182, x157, x183, x185, x186, x170, x187, x155, x188, x190, x191, x174, x192, x193, x175, x195, x179, x197, x184, x199, x189, x201, x202, x194, x204, x196, x206, x198, x208, x200, x203, x205, x207, x209, x210, x211, x212, x213; + uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x14, x35, x41, x33, x42, x12, x43, x45, x46, x25, x20, x40, x49, x44, x50, x15, x51, x53, x54, x47, x56, x17, x22, x37, x59, x48, x60, x23, x61, x63, x64, x52, x65, x18, x66, x68, x69, x55, x70, x10, x71, x73, x74, x57, x76, x9, x28, x58, x79, x62, x80, x26, x81, x83, x84, x67, x85, x21, x86, x88, x89, x72, x90, x13, x91, x93, x94, x75, x96, x77, x30, x39, x99, x78, x100, x31, x101, x103, x104, x82, x105, x29, x106, x108, x109, x87, x110, x24, x111, x113, x114, x92, x115, x16, x116, x118, x119, x95, x120, x8, x121, x123, x124, x97, x36, x98, x127, x102, x128, x34, x129, x131, x132, x107, 
x133, x32, x134, x136, x137, x112, x138, x27, x139, x141, x142, x117, x143, x19, x144, x146, x147, x122, x148, x11, x149, x151, x152, x125, x153, x150, x145, x140, x158, x126, x163, x130, x164, x156, x165, x167, x168, x135, x169, x154, x170, x172, x173, x155, x160, x38, x176, x162, x177, x161, x178, x180, x181, x166, x182, x159, x183, x185, x186, x171, x187, x157, x188, x190, x191, x174, x192, x193, x175, x195, x179, x197, x184, x199, x189, x201, x202, x203, x204, x194, x205, x196, x198, x200, x206, x207, x208, x209; x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); 
@@ -213,43 +213,43 @@ void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr x151 = (uintptr_t)((x150)<(x11)); x152 = (x149)+(x151); x153 = (x152)+(x125); - x154 = ((uintptr_t)38ULL)*(x150); - x155 = _br2_mulhuu(((uintptr_t)38ULL), (x150)); - x156 = ((uintptr_t)38ULL)*(x145); - x157 = _br2_mulhuu(((uintptr_t)38ULL), (x145)); - x158 = ((uintptr_t)38ULL)*(x140); - x159 = _br2_mulhuu(((uintptr_t)38ULL), (x140)); - x160 = (x126)+(x156); - x161 = (uintptr_t)((x160)<(x126)); - x162 = (x161)+(x130); - x163 = (uintptr_t)((x162)<(x130)); - x164 = (x162)+(x154); - x165 = (uintptr_t)((x164)<(x154)); - x166 = (x163)+(x165); - x167 = ((uintptr_t)38ULL)*(x153); - x168 = (x166)+(x135); - x169 = (uintptr_t)((x168)<(x135)); - x170 = (x168)+(x167); - x171 = (uintptr_t)((x170)<(x167)); - x172 = (x169)+(x171); - x173 = _br2_mulhuu(((uintptr_t)38ULL), (x153)); - x174 = (x172)+(x173); - x175 = (x38)+(x158); + x154 = ((uintptr_t)38ULL)*(x153); + x155 = _br2_mulhuu(((uintptr_t)38ULL), (x153)); + x156 = ((uintptr_t)38ULL)*(x150); + x157 = _br2_mulhuu(((uintptr_t)38ULL), (x150)); + x158 = ((uintptr_t)38ULL)*(x145); + x159 = _br2_mulhuu(((uintptr_t)38ULL), (x145)); + x160 = ((uintptr_t)38ULL)*(x140); + x161 = _br2_mulhuu(((uintptr_t)38ULL), (x140)); + x162 = (x126)+(x158); + x163 = (uintptr_t)((x162)<(x126)); + x164 = (x163)+(x130); + x165 = (uintptr_t)((x164)<(x130)); + x166 = (x164)+(x156); + x167 = (uintptr_t)((x166)<(x156)); + x168 = (x165)+(x167); + x169 = (x168)+(x135); + x170 = (uintptr_t)((x169)<(x135)); + x171 = (x169)+(x154); + x172 = (uintptr_t)((x171)<(x154)); + x173 = (x170)+(x172); + x174 = (x173)+(x155); + x175 = (x38)+(x160); x176 = (uintptr_t)((x175)<(x38)); - x177 = (x176)+(x160); - x178 = (uintptr_t)((x177)<(x160)); - x179 = (x177)+(x159); - x180 = (uintptr_t)((x179)<(x159)); + x177 = (x176)+(x162); + x178 = (uintptr_t)((x177)<(x162)); + x179 = (x177)+(x161); + x180 = (uintptr_t)((x179)<(x161)); x181 = (x178)+(x180); - x182 = (x181)+(x164); - x183 
= (uintptr_t)((x182)<(x164)); - x184 = (x182)+(x157); - x185 = (uintptr_t)((x184)<(x157)); + x182 = (x181)+(x166); + x183 = (uintptr_t)((x182)<(x166)); + x184 = (x182)+(x159); + x185 = (uintptr_t)((x184)<(x159)); x186 = (x183)+(x185); - x187 = (x186)+(x170); - x188 = (uintptr_t)((x187)<(x170)); - x189 = (x187)+(x155); - x190 = (uintptr_t)((x189)<(x155)); + x187 = (x186)+(x171); + x188 = (uintptr_t)((x187)<(x171)); + x189 = (x187)+(x157); + x190 = (uintptr_t)((x189)<(x157)); x191 = (x188)+(x190); x192 = (x191)+(x174); x193 = ((uintptr_t)38ULL)*(x192); @@ -261,23 +261,19 @@ void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr x199 = (uintptr_t)((x198)<(x184)); x200 = (x199)+(x189); x201 = (uintptr_t)((x200)<(x189)); - x202 = ((uintptr_t)38ULL)*(x201); - x203 = (x194)+(x202); - x204 = (uintptr_t)((x203)<(x194)); - x205 = (x204)+(x196); - x206 = (uintptr_t)((x205)<(x196)); - x207 = (x206)+(x198); - x208 = (uintptr_t)((x207)<(x198)); - x209 = (x208)+(x200); - x210 = x203; - x211 = x205; - x212 = x207; - x213 = x209; + x202 = ((uintptr_t)-1ULL)+((uintptr_t)((x201)==((uintptr_t)0ULL))); + x203 = (x202)^((uintptr_t)18446744073709551615ULL); + x204 = (((uintptr_t)38ULL)&(x202))|(((uintptr_t)0ULL)&(x203)); + x205 = (x204)+(x194); + x206 = x205; + x207 = x196; + x208 = x198; + x209 = x200; /*skip*/ - _br2_store((out0)+((uintptr_t)0ULL), x210, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)8ULL), x211, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)16ULL), x212, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)24ULL), x213, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)0ULL), x206, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)8ULL), x207, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)16ULL), x208, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)24ULL), x209, sizeof(uintptr_t)); /*skip*/ return; } 
@@ -286,3 +282,654 @@ void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr static void fiat_curve25519_solinas_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { internal_fiat_curve25519_solinas_mul((uintptr_t)out1, (uintptr_t)arg1, (uintptr_t)arg2); } + + +/* + * Input Bounds: + * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * in1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * in2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * in3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static +void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintptr_t in0, uintptr_t in1, uintptr_t in2, uintptr_t in3) { + uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x22, x43, x49, x41, x50, x20, x51, x53, x54, x33, x28, x48, x57, x52, x58, x23, x59, x61, x62, x55, x64, x25, x30, x45, x67, x56, x68, x31, x69, x71, x72, x60, x73, x26, x74, x76, x77, x63, x78, x18, x79, x81, x82, x65, x84, x17, x36, x66, x87, x70, x88, x34, x89, x91, x92, x75, x93, x29, x94, x96, x97, x80, x98, x21, x99, x101, x102, x83, x104, x85, x38, x47, x107, x86, x108, x39, x109, x111, x112, x90, x113, x37, x114, x116, x117, x95, x118, x32, x119, x121, x122, x100, x123, x24, x124, x126, x127, x103, x128, x16, x129, x131, x132, x105, x44, x106, x135, x110, x136, x42, x137, x139, x140, x115, x141, x40, x142, x144, x145, x120, x146, x35, x147, x149, x150, x125, x151, x27, x152, x154, 
x155, x130, x156, x19, x157, x159, x160, x133, x11, x10, x9, x15, x14, x13, x8, x12, x168, x189, x195, x187, x196, x166, x197, x199, x200, x179, x174, x194, x203, x198, x204, x169, x205, x207, x208, x201, x210, x171, x176, x191, x213, x202, x214, x177, x215, x217, x218, x206, x219, x172, x220, x222, x223, x209, x224, x164, x225, x227, x228, x211, x230, x163, x182, x212, x233, x216, x234, x180, x235, x237, x238, x221, x239, x175, x240, x242, x243, x226, x244, x167, x245, x247, x248, x229, x250, x231, x184, x193, x253, x232, x254, x185, x255, x257, x258, x236, x259, x183, x260, x262, x263, x241, x264, x178, x265, x267, x268, x246, x269, x170, x270, x272, x273, x249, x274, x162, x275, x277, x278, x251, x190, x252, x281, x256, x282, x188, x283, x285, x286, x261, x287, x186, x288, x290, x291, x266, x292, x181, x293, x295, x296, x271, x297, x173, x298, x300, x301, x276, x302, x165, x303, x305, x306, x279, x158, x153, x148, x310, x134, x315, x138, x316, x308, x317, x319, x320, x143, x322, x321, x323, x325, x161, x326, x327, x312, x46, x330, x314, x331, x313, x332, x334, x335, x318, x336, x311, x337, x339, x340, x324, x341, x309, x342, x344, x345, x328, x346, x347, x329, x349, x333, x351, x338, x353, x343, x355, x356, x357, x358, x348, x307, x304, x299, x294, x364, x280, x369, x284, x370, x362, x371, x373, x374, x289, x375, x360, x376, x378, x379, x361, x366, x192, x382, x368, x383, x367, x384, x386, x387, x372, x388, x365, x389, x391, x392, x377, x393, x363, x394, x396, x397, x380, x398, x399, x381, x401, x385, x403, x390, x405, x395, x407, x408, x409, x410, x400, x359, x350, x352, x354, x411, x402, x404, x406, x412, x413, x414, x415, x416, x417, x418, x419; + x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); + x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x3 = _br2_load((in0)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + x4 = _br2_load((in1)+((uintptr_t)0ULL), 
sizeof(uintptr_t)); + x5 = _br2_load((in1)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x6 = _br2_load((in1)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x7 = _br2_load((in1)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + x8 = _br2_load((in2)+((uintptr_t)0ULL), sizeof(uintptr_t)); + x9 = _br2_load((in2)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x10 = _br2_load((in2)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x11 = _br2_load((in2)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + x12 = _br2_load((in3)+((uintptr_t)0ULL), sizeof(uintptr_t)); + x13 = _br2_load((in3)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x14 = _br2_load((in3)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x15 = _br2_load((in3)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + /*skip*/ + x16 = (x3)*(x7); + x17 = _br2_mulhuu((x3), (x7)); + x18 = (x3)*(x6); + x19 = _br2_mulhuu((x3), (x6)); + x20 = (x3)*(x5); + x21 = _br2_mulhuu((x3), (x5)); + x22 = (x3)*(x4); + x23 = _br2_mulhuu((x3), (x4)); + x24 = (x2)*(x7); + x25 = _br2_mulhuu((x2), (x7)); + x26 = (x2)*(x6); + x27 = _br2_mulhuu((x2), (x6)); + x28 = (x2)*(x5); + x29 = _br2_mulhuu((x2), (x5)); + x30 = (x2)*(x4); + x31 = _br2_mulhuu((x2), (x4)); + x32 = (x1)*(x7); + x33 = _br2_mulhuu((x1), (x7)); + x34 = (x1)*(x6); + x35 = _br2_mulhuu((x1), (x6)); + x36 = (x1)*(x5); + x37 = _br2_mulhuu((x1), (x5)); + x38 = (x1)*(x4); + x39 = _br2_mulhuu((x1), (x4)); + x40 = (x0)*(x7); + x41 = _br2_mulhuu((x0), (x7)); + x42 = (x0)*(x6); + x43 = _br2_mulhuu((x0), (x6)); + x44 = (x0)*(x5); + x45 = _br2_mulhuu((x0), (x5)); + x46 = (x0)*(x4); + x47 = _br2_mulhuu((x0), (x4)); + x48 = (x43)+(x22); + x49 = (uintptr_t)((x48)<(x43)); + x50 = (x49)+(x41); + x51 = (uintptr_t)((x50)<(x41)); + x52 = (x50)+(x20); + x53 = (uintptr_t)((x52)<(x20)); + x54 = (x51)+(x53); + x55 = (x54)+(x33); + x56 = (x48)+(x28); + x57 = (uintptr_t)((x56)<(x48)); + x58 = (x57)+(x52); + x59 = (uintptr_t)((x58)<(x52)); + x60 = (x58)+(x23); + x61 = (uintptr_t)((x60)<(x23)); + x62 = (x59)+(x61); + x63 = 
(x62)+(x55); + x64 = (uintptr_t)((x63)<(x55)); + x65 = (x64)+(x25); + x66 = (x45)+(x30); + x67 = (uintptr_t)((x66)<(x45)); + x68 = (x67)+(x56); + x69 = (uintptr_t)((x68)<(x56)); + x70 = (x68)+(x31); + x71 = (uintptr_t)((x70)<(x31)); + x72 = (x69)+(x71); + x73 = (x72)+(x60); + x74 = (uintptr_t)((x73)<(x60)); + x75 = (x73)+(x26); + x76 = (uintptr_t)((x75)<(x26)); + x77 = (x74)+(x76); + x78 = (x77)+(x63); + x79 = (uintptr_t)((x78)<(x63)); + x80 = (x78)+(x18); + x81 = (uintptr_t)((x80)<(x18)); + x82 = (x79)+(x81); + x83 = (x82)+(x65); + x84 = (uintptr_t)((x83)<(x65)); + x85 = (x84)+(x17); + x86 = (x66)+(x36); + x87 = (uintptr_t)((x86)<(x66)); + x88 = (x87)+(x70); + x89 = (uintptr_t)((x88)<(x70)); + x90 = (x88)+(x34); + x91 = (uintptr_t)((x90)<(x34)); + x92 = (x89)+(x91); + x93 = (x92)+(x75); + x94 = (uintptr_t)((x93)<(x75)); + x95 = (x93)+(x29); + x96 = (uintptr_t)((x95)<(x29)); + x97 = (x94)+(x96); + x98 = (x97)+(x80); + x99 = (uintptr_t)((x98)<(x80)); + x100 = (x98)+(x21); + x101 = (uintptr_t)((x100)<(x21)); + x102 = (x99)+(x101); + x103 = (x102)+(x83); + x104 = (uintptr_t)((x103)<(x83)); + x105 = (x104)+(x85); + x106 = (x47)+(x38); + x107 = (uintptr_t)((x106)<(x47)); + x108 = (x107)+(x86); + x109 = (uintptr_t)((x108)<(x86)); + x110 = (x108)+(x39); + x111 = (uintptr_t)((x110)<(x39)); + x112 = (x109)+(x111); + x113 = (x112)+(x90); + x114 = (uintptr_t)((x113)<(x90)); + x115 = (x113)+(x37); + x116 = (uintptr_t)((x115)<(x37)); + x117 = (x114)+(x116); + x118 = (x117)+(x95); + x119 = (uintptr_t)((x118)<(x95)); + x120 = (x118)+(x32); + x121 = (uintptr_t)((x120)<(x32)); + x122 = (x119)+(x121); + x123 = (x122)+(x100); + x124 = (uintptr_t)((x123)<(x100)); + x125 = (x123)+(x24); + x126 = (uintptr_t)((x125)<(x24)); + x127 = (x124)+(x126); + x128 = (x127)+(x103); + x129 = (uintptr_t)((x128)<(x103)); + x130 = (x128)+(x16); + x131 = (uintptr_t)((x130)<(x16)); + x132 = (x129)+(x131); + x133 = (x132)+(x105); + x134 = (x106)+(x44); + x135 = (uintptr_t)((x134)<(x106)); + x136 = 
(x135)+(x110); + x137 = (uintptr_t)((x136)<(x110)); + x138 = (x136)+(x42); + x139 = (uintptr_t)((x138)<(x42)); + x140 = (x137)+(x139); + x141 = (x140)+(x115); + x142 = (uintptr_t)((x141)<(x115)); + x143 = (x141)+(x40); + x144 = (uintptr_t)((x143)<(x40)); + x145 = (x142)+(x144); + x146 = (x145)+(x120); + x147 = (uintptr_t)((x146)<(x120)); + x148 = (x146)+(x35); + x149 = (uintptr_t)((x148)<(x35)); + x150 = (x147)+(x149); + x151 = (x150)+(x125); + x152 = (uintptr_t)((x151)<(x125)); + x153 = (x151)+(x27); + x154 = (uintptr_t)((x153)<(x27)); + x155 = (x152)+(x154); + x156 = (x155)+(x130); + x157 = (uintptr_t)((x156)<(x130)); + x158 = (x156)+(x19); + x159 = (uintptr_t)((x158)<(x19)); + x160 = (x157)+(x159); + x161 = (x160)+(x133); + x162 = (x11)*(x15); + x163 = _br2_mulhuu((x11), (x15)); + x164 = (x11)*(x14); + x165 = _br2_mulhuu((x11), (x14)); + x166 = (x11)*(x13); + x167 = _br2_mulhuu((x11), (x13)); + x168 = (x11)*(x12); + x169 = _br2_mulhuu((x11), (x12)); + x170 = (x10)*(x15); + x171 = _br2_mulhuu((x10), (x15)); + x172 = (x10)*(x14); + x173 = _br2_mulhuu((x10), (x14)); + x174 = (x10)*(x13); + x175 = _br2_mulhuu((x10), (x13)); + x176 = (x10)*(x12); + x177 = _br2_mulhuu((x10), (x12)); + x178 = (x9)*(x15); + x179 = _br2_mulhuu((x9), (x15)); + x180 = (x9)*(x14); + x181 = _br2_mulhuu((x9), (x14)); + x182 = (x9)*(x13); + x183 = _br2_mulhuu((x9), (x13)); + x184 = (x9)*(x12); + x185 = _br2_mulhuu((x9), (x12)); + x186 = (x8)*(x15); + x187 = _br2_mulhuu((x8), (x15)); + x188 = (x8)*(x14); + x189 = _br2_mulhuu((x8), (x14)); + x190 = (x8)*(x13); + x191 = _br2_mulhuu((x8), (x13)); + x192 = (x8)*(x12); + x193 = _br2_mulhuu((x8), (x12)); + x194 = (x189)+(x168); + x195 = (uintptr_t)((x194)<(x189)); + x196 = (x195)+(x187); + x197 = (uintptr_t)((x196)<(x187)); + x198 = (x196)+(x166); + x199 = (uintptr_t)((x198)<(x166)); + x200 = (x197)+(x199); + x201 = (x200)+(x179); + x202 = (x194)+(x174); + x203 = (uintptr_t)((x202)<(x194)); + x204 = (x203)+(x198); + x205 = (uintptr_t)((x204)<(x198)); 
+ x206 = (x204)+(x169); + x207 = (uintptr_t)((x206)<(x169)); + x208 = (x205)+(x207); + x209 = (x208)+(x201); + x210 = (uintptr_t)((x209)<(x201)); + x211 = (x210)+(x171); + x212 = (x191)+(x176); + x213 = (uintptr_t)((x212)<(x191)); + x214 = (x213)+(x202); + x215 = (uintptr_t)((x214)<(x202)); + x216 = (x214)+(x177); + x217 = (uintptr_t)((x216)<(x177)); + x218 = (x215)+(x217); + x219 = (x218)+(x206); + x220 = (uintptr_t)((x219)<(x206)); + x221 = (x219)+(x172); + x222 = (uintptr_t)((x221)<(x172)); + x223 = (x220)+(x222); + x224 = (x223)+(x209); + x225 = (uintptr_t)((x224)<(x209)); + x226 = (x224)+(x164); + x227 = (uintptr_t)((x226)<(x164)); + x228 = (x225)+(x227); + x229 = (x228)+(x211); + x230 = (uintptr_t)((x229)<(x211)); + x231 = (x230)+(x163); + x232 = (x212)+(x182); + x233 = (uintptr_t)((x232)<(x212)); + x234 = (x233)+(x216); + x235 = (uintptr_t)((x234)<(x216)); + x236 = (x234)+(x180); + x237 = (uintptr_t)((x236)<(x180)); + x238 = (x235)+(x237); + x239 = (x238)+(x221); + x240 = (uintptr_t)((x239)<(x221)); + x241 = (x239)+(x175); + x242 = (uintptr_t)((x241)<(x175)); + x243 = (x240)+(x242); + x244 = (x243)+(x226); + x245 = (uintptr_t)((x244)<(x226)); + x246 = (x244)+(x167); + x247 = (uintptr_t)((x246)<(x167)); + x248 = (x245)+(x247); + x249 = (x248)+(x229); + x250 = (uintptr_t)((x249)<(x229)); + x251 = (x250)+(x231); + x252 = (x193)+(x184); + x253 = (uintptr_t)((x252)<(x193)); + x254 = (x253)+(x232); + x255 = (uintptr_t)((x254)<(x232)); + x256 = (x254)+(x185); + x257 = (uintptr_t)((x256)<(x185)); + x258 = (x255)+(x257); + x259 = (x258)+(x236); + x260 = (uintptr_t)((x259)<(x236)); + x261 = (x259)+(x183); + x262 = (uintptr_t)((x261)<(x183)); + x263 = (x260)+(x262); + x264 = (x263)+(x241); + x265 = (uintptr_t)((x264)<(x241)); + x266 = (x264)+(x178); + x267 = (uintptr_t)((x266)<(x178)); + x268 = (x265)+(x267); + x269 = (x268)+(x246); + x270 = (uintptr_t)((x269)<(x246)); + x271 = (x269)+(x170); + x272 = (uintptr_t)((x271)<(x170)); + x273 = (x270)+(x272); + x274 = 
(x273)+(x249); + x275 = (uintptr_t)((x274)<(x249)); + x276 = (x274)+(x162); + x277 = (uintptr_t)((x276)<(x162)); + x278 = (x275)+(x277); + x279 = (x278)+(x251); + x280 = (x252)+(x190); + x281 = (uintptr_t)((x280)<(x252)); + x282 = (x281)+(x256); + x283 = (uintptr_t)((x282)<(x256)); + x284 = (x282)+(x188); + x285 = (uintptr_t)((x284)<(x188)); + x286 = (x283)+(x285); + x287 = (x286)+(x261); + x288 = (uintptr_t)((x287)<(x261)); + x289 = (x287)+(x186); + x290 = (uintptr_t)((x289)<(x186)); + x291 = (x288)+(x290); + x292 = (x291)+(x266); + x293 = (uintptr_t)((x292)<(x266)); + x294 = (x292)+(x181); + x295 = (uintptr_t)((x294)<(x181)); + x296 = (x293)+(x295); + x297 = (x296)+(x271); + x298 = (uintptr_t)((x297)<(x271)); + x299 = (x297)+(x173); + x300 = (uintptr_t)((x299)<(x173)); + x301 = (x298)+(x300); + x302 = (x301)+(x276); + x303 = (uintptr_t)((x302)<(x276)); + x304 = (x302)+(x165); + x305 = (uintptr_t)((x304)<(x165)); + x306 = (x303)+(x305); + x307 = (x306)+(x279); + x308 = ((uintptr_t)38ULL)*(x158); + x309 = _br2_mulhuu(((uintptr_t)38ULL), (x158)); + x310 = ((uintptr_t)38ULL)*(x153); + x311 = _br2_mulhuu(((uintptr_t)38ULL), (x153)); + x312 = ((uintptr_t)38ULL)*(x148); + x313 = _br2_mulhuu(((uintptr_t)38ULL), (x148)); + x314 = (x134)+(x310); + x315 = (uintptr_t)((x314)<(x134)); + x316 = (x315)+(x138); + x317 = (uintptr_t)((x316)<(x138)); + x318 = (x316)+(x308); + x319 = (uintptr_t)((x318)<(x308)); + x320 = (x317)+(x319); + x321 = ((uintptr_t)38ULL)*(x161); + x322 = (x320)+(x143); + x323 = (uintptr_t)((x322)<(x143)); + x324 = (x322)+(x321); + x325 = (uintptr_t)((x324)<(x321)); + x326 = (x323)+(x325); + x327 = _br2_mulhuu(((uintptr_t)38ULL), (x161)); + x328 = (x326)+(x327); + x329 = (x46)+(x312); + x330 = (uintptr_t)((x329)<(x46)); + x331 = (x330)+(x314); + x332 = (uintptr_t)((x331)<(x314)); + x333 = (x331)+(x313); + x334 = (uintptr_t)((x333)<(x313)); + x335 = (x332)+(x334); + x336 = (x335)+(x318); + x337 = (uintptr_t)((x336)<(x318)); + x338 = (x336)+(x311); + x339 = 
(uintptr_t)((x338)<(x311)); + x340 = (x337)+(x339); + x341 = (x340)+(x324); + x342 = (uintptr_t)((x341)<(x324)); + x343 = (x341)+(x309); + x344 = (uintptr_t)((x343)<(x309)); + x345 = (x342)+(x344); + x346 = (x345)+(x328); + x347 = ((uintptr_t)38ULL)*(x346); + x348 = (x329)+(x347); + x349 = (uintptr_t)((x348)<(x329)); + x350 = (x349)+(x333); + x351 = (uintptr_t)((x350)<(x333)); + x352 = (x351)+(x338); + x353 = (uintptr_t)((x352)<(x338)); + x354 = (x353)+(x343); + x355 = (uintptr_t)((x354)<(x343)); + x356 = ((uintptr_t)-1ULL)+((uintptr_t)((x355)==((uintptr_t)0ULL))); + x357 = (x356)^((uintptr_t)18446744073709551615ULL); + x358 = (((uintptr_t)38ULL)&(x356))|(((uintptr_t)0ULL)&(x357)); + x359 = (x358)+(x348); + x360 = ((uintptr_t)38ULL)*(x307); + x361 = _br2_mulhuu(((uintptr_t)38ULL), (x307)); + x362 = ((uintptr_t)38ULL)*(x304); + x363 = _br2_mulhuu(((uintptr_t)38ULL), (x304)); + x364 = ((uintptr_t)38ULL)*(x299); + x365 = _br2_mulhuu(((uintptr_t)38ULL), (x299)); + x366 = ((uintptr_t)38ULL)*(x294); + x367 = _br2_mulhuu(((uintptr_t)38ULL), (x294)); + x368 = (x280)+(x364); + x369 = (uintptr_t)((x368)<(x280)); + x370 = (x369)+(x284); + x371 = (uintptr_t)((x370)<(x284)); + x372 = (x370)+(x362); + x373 = (uintptr_t)((x372)<(x362)); + x374 = (x371)+(x373); + x375 = (x374)+(x289); + x376 = (uintptr_t)((x375)<(x289)); + x377 = (x375)+(x360); + x378 = (uintptr_t)((x377)<(x360)); + x379 = (x376)+(x378); + x380 = (x379)+(x361); + x381 = (x192)+(x366); + x382 = (uintptr_t)((x381)<(x192)); + x383 = (x382)+(x368); + x384 = (uintptr_t)((x383)<(x368)); + x385 = (x383)+(x367); + x386 = (uintptr_t)((x385)<(x367)); + x387 = (x384)+(x386); + x388 = (x387)+(x372); + x389 = (uintptr_t)((x388)<(x372)); + x390 = (x388)+(x365); + x391 = (uintptr_t)((x390)<(x365)); + x392 = (x389)+(x391); + x393 = (x392)+(x377); + x394 = (uintptr_t)((x393)<(x377)); + x395 = (x393)+(x363); + x396 = (uintptr_t)((x395)<(x363)); + x397 = (x394)+(x396); + x398 = (x397)+(x380); + x399 = ((uintptr_t)38ULL)*(x398); + 
x400 = (x381)+(x399); + x401 = (uintptr_t)((x400)<(x381)); + x402 = (x401)+(x385); + x403 = (uintptr_t)((x402)<(x385)); + x404 = (x403)+(x390); + x405 = (uintptr_t)((x404)<(x390)); + x406 = (x405)+(x395); + x407 = (uintptr_t)((x406)<(x395)); + x408 = ((uintptr_t)-1ULL)+((uintptr_t)((x407)==((uintptr_t)0ULL))); + x409 = (x408)^((uintptr_t)18446744073709551615ULL); + x410 = (((uintptr_t)38ULL)&(x408))|(((uintptr_t)0ULL)&(x409)); + x411 = (x410)+(x400); + x412 = x359; + x413 = x350; + x414 = x352; + x415 = x354; + /*skip*/ + x416 = x411; + x417 = x402; + x418 = x404; + x419 = x406; + /*skip*/ + _br2_store((out0)+((uintptr_t)0ULL), x412, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)8ULL), x413, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)16ULL), x414, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)24ULL), x415, sizeof(uintptr_t)); + /*skip*/ + _br2_store((out1)+((uintptr_t)0ULL), x416, sizeof(uintptr_t)); + _br2_store((out1)+((uintptr_t)8ULL), x417, sizeof(uintptr_t)); + _br2_store((out1)+((uintptr_t)16ULL), x418, sizeof(uintptr_t)); + _br2_store((out1)+((uintptr_t)24ULL), x419, sizeof(uintptr_t)); + /*skip*/ + return; +} + +/* NOTE: The following wrapper function is not covered by Coq proofs */ +static void fiat_curve25519_solinas_mul2(uint64_t out1[4], uint64_t out2[4], const uint64_t arg1[4], const uint64_t arg2[4], const uint64_t arg3[4], const uint64_t arg4[4]) { + internal_fiat_curve25519_solinas_mul2((uintptr_t)out1, (uintptr_t)out2, (uintptr_t)arg1, (uintptr_t)arg2, (uintptr_t)arg3, (uintptr_t)arg4); +} + + +/* + * Input Bounds: + * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static +void internal_fiat_curve25519_solinas_square(uintptr_t out0, uintptr_t in0) { + uintptr_t x6, x9, x15, x7, x16, x4, x17, x19, x20, x5, 
x21, x12, x22, x24, x25, x13, x26, x10, x27, x29, x30, x11, x32, x18, x35, x23, x36, x33, x37, x39, x40, x28, x42, x31, x8, x46, x47, x14, x48, x50, x51, x52, x34, x53, x55, x56, x57, x38, x58, x60, x61, x62, x41, x63, x65, x66, x67, x43, x68, x70, x71, x44, x3, x2, x1, x0, x80, x45, x82, x49, x83, x77, x84, x86, x87, x54, x88, x78, x89, x91, x92, x59, x93, x75, x94, x96, x97, x64, x98, x76, x99, x101, x102, x69, x103, x73, x104, x106, x107, x72, x108, x74, x109, x105, x100, x95, x114, x81, x119, x85, x120, x112, x121, x123, x124, x90, x125, x110, x126, x128, x129, x111, x116, x79, x132, x118, x133, x117, x134, x136, x137, x122, x138, x115, x139, x141, x142, x127, x143, x113, x144, x146, x147, x130, x148, x149, x131, x151, x135, x153, x140, x155, x145, x157, x158, x159, x160, x150, x161, x152, x154, x156, x162, x163, x164, x165; + x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); + x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); + x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); + x3 = _br2_load((in0)+((uintptr_t)24ULL), sizeof(uintptr_t)); + /*skip*/ + /*skip*/ + x4 = (x0)*(x3); + x5 = _br2_mulhuu((x0), (x3)); + x6 = (x0)*(x2); + x7 = _br2_mulhuu((x0), (x2)); + x8 = (x0)*(x1); + x9 = _br2_mulhuu((x0), (x1)); + x10 = (x3)*(x2); + x11 = _br2_mulhuu((x3), (x2)); + x12 = (x3)*(x1); + x13 = _br2_mulhuu((x3), (x1)); + x14 = (x9)+(x6); + x15 = (uintptr_t)((x14)<(x9)); + x16 = (x15)+(x7); + x17 = (uintptr_t)((x16)<(x7)); + x18 = (x16)+(x4); + x19 = (uintptr_t)((x18)<(x4)); + x20 = (x17)+(x19); + x21 = (x20)+(x5); + x22 = (uintptr_t)((x21)<(x5)); + x23 = (x21)+(x12); + x24 = (uintptr_t)((x23)<(x12)); + x25 = (x22)+(x24); + x26 = (x25)+(x13); + x27 = (uintptr_t)((x26)<(x13)); + x28 = (x26)+(x10); + x29 = (uintptr_t)((x28)<(x10)); + x30 = (x27)+(x29); + x31 = (x30)+(x11); + x32 = (x1)*(x2); + x33 = _br2_mulhuu((x1), (x2)); + x34 = (x18)+(x32); + x35 = (uintptr_t)((x34)<(x18)); + x36 = (x35)+(x23); + x37 = (uintptr_t)((x36)<(x23)); + x38 = 
(x36)+(x33); + x39 = (uintptr_t)((x38)<(x33)); + x40 = (x37)+(x39); + x41 = (x40)+(x28); + x42 = (uintptr_t)((x41)<(x28)); + x43 = (x42)+(x31); + x44 = (uintptr_t)((x43)<(x31)); + x45 = (x8)+(x8); + x46 = (uintptr_t)((x45)<(x8)); + x47 = (x46)+(x14); + x48 = (uintptr_t)((x47)<(x14)); + x49 = (x47)+(x14); + x50 = (uintptr_t)((x49)<(x14)); + x51 = (x48)+(x50); + x52 = (x51)+(x34); + x53 = (uintptr_t)((x52)<(x34)); + x54 = (x52)+(x34); + x55 = (uintptr_t)((x54)<(x34)); + x56 = (x53)+(x55); + x57 = (x56)+(x38); + x58 = (uintptr_t)((x57)<(x38)); + x59 = (x57)+(x38); + x60 = (uintptr_t)((x59)<(x38)); + x61 = (x58)+(x60); + x62 = (x61)+(x41); + x63 = (uintptr_t)((x62)<(x41)); + x64 = (x62)+(x41); + x65 = (uintptr_t)((x64)<(x41)); + x66 = (x63)+(x65); + x67 = (x66)+(x43); + x68 = (uintptr_t)((x67)<(x43)); + x69 = (x67)+(x43); + x70 = (uintptr_t)((x69)<(x43)); + x71 = (x68)+(x70); + x72 = ((x71)+(x44))+(x44); + x73 = (x3)*(x3); + x74 = _br2_mulhuu((x3), (x3)); + x75 = (x2)*(x2); + x76 = _br2_mulhuu((x2), (x2)); + x77 = (x1)*(x1); + x78 = _br2_mulhuu((x1), (x1)); + x79 = (x0)*(x0); + x80 = _br2_mulhuu((x0), (x0)); + x81 = (x45)+(x80); + x82 = (uintptr_t)((x81)<(x45)); + x83 = (x82)+(x49); + x84 = (uintptr_t)((x83)<(x49)); + x85 = (x83)+(x77); + x86 = (uintptr_t)((x85)<(x77)); + x87 = (x84)+(x86); + x88 = (x87)+(x54); + x89 = (uintptr_t)((x88)<(x54)); + x90 = (x88)+(x78); + x91 = (uintptr_t)((x90)<(x78)); + x92 = (x89)+(x91); + x93 = (x92)+(x59); + x94 = (uintptr_t)((x93)<(x59)); + x95 = (x93)+(x75); + x96 = (uintptr_t)((x95)<(x75)); + x97 = (x94)+(x96); + x98 = (x97)+(x64); + x99 = (uintptr_t)((x98)<(x64)); + x100 = (x98)+(x76); + x101 = (uintptr_t)((x100)<(x76)); + x102 = (x99)+(x101); + x103 = (x102)+(x69); + x104 = (uintptr_t)((x103)<(x69)); + x105 = (x103)+(x73); + x106 = (uintptr_t)((x105)<(x73)); + x107 = (x104)+(x106); + x108 = (x107)+(x72); + x109 = (x108)+(x74); + x110 = ((uintptr_t)38ULL)*(x109); + x111 = _br2_mulhuu(((uintptr_t)38ULL), (x109)); + x112 = 
((uintptr_t)38ULL)*(x105); + x113 = _br2_mulhuu(((uintptr_t)38ULL), (x105)); + x114 = ((uintptr_t)38ULL)*(x100); + x115 = _br2_mulhuu(((uintptr_t)38ULL), (x100)); + x116 = ((uintptr_t)38ULL)*(x95); + x117 = _br2_mulhuu(((uintptr_t)38ULL), (x95)); + x118 = (x81)+(x114); + x119 = (uintptr_t)((x118)<(x81)); + x120 = (x119)+(x85); + x121 = (uintptr_t)((x120)<(x85)); + x122 = (x120)+(x112); + x123 = (uintptr_t)((x122)<(x112)); + x124 = (x121)+(x123); + x125 = (x124)+(x90); + x126 = (uintptr_t)((x125)<(x90)); + x127 = (x125)+(x110); + x128 = (uintptr_t)((x127)<(x110)); + x129 = (x126)+(x128); + x130 = (x129)+(x111); + x131 = (x79)+(x116); + x132 = (uintptr_t)((x131)<(x79)); + x133 = (x132)+(x118); + x134 = (uintptr_t)((x133)<(x118)); + x135 = (x133)+(x117); + x136 = (uintptr_t)((x135)<(x117)); + x137 = (x134)+(x136); + x138 = (x137)+(x122); + x139 = (uintptr_t)((x138)<(x122)); + x140 = (x138)+(x115); + x141 = (uintptr_t)((x140)<(x115)); + x142 = (x139)+(x141); + x143 = (x142)+(x127); + x144 = (uintptr_t)((x143)<(x127)); + x145 = (x143)+(x113); + x146 = (uintptr_t)((x145)<(x113)); + x147 = (x144)+(x146); + x148 = (x147)+(x130); + x149 = ((uintptr_t)38ULL)*(x148); + x150 = (x131)+(x149); + x151 = (uintptr_t)((x150)<(x131)); + x152 = (x151)+(x135); + x153 = (uintptr_t)((x152)<(x135)); + x154 = (x153)+(x140); + x155 = (uintptr_t)((x154)<(x140)); + x156 = (x155)+(x145); + x157 = (uintptr_t)((x156)<(x145)); + x158 = ((uintptr_t)-1ULL)+((uintptr_t)((x157)==((uintptr_t)0ULL))); + x159 = (x158)^((uintptr_t)18446744073709551615ULL); + x160 = (((uintptr_t)38ULL)&(x158))|(((uintptr_t)0ULL)&(x159)); + x161 = (x160)+(x150); + x162 = x161; + x163 = x152; + x164 = x154; + x165 = x156; + /*skip*/ + _br2_store((out0)+((uintptr_t)0ULL), x162, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)8ULL), x163, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)16ULL), x164, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)24ULL), x165, sizeof(uintptr_t)); + /*skip*/ + return; +} + +/* 
NOTE: The following wrapper function is not covered by Coq proofs */ +static void fiat_curve25519_solinas_square(uint64_t out1[4], const uint64_t arg1[4]) { + internal_fiat_curve25519_solinas_square((uintptr_t)out1, (uintptr_t)arg1); +} diff --git a/fiat-c/src/curve25519_solinas_64.c b/fiat-c/src/curve25519_solinas_64.c index 824bd80b78..26ab9c5e90 100644 --- a/fiat-c/src/curve25519_solinas_64.c +++ b/fiat-c/src/curve25519_solinas_64.c @@ -278,8 +278,8 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint uint64_t x128; fiat_curve25519_solinas_uint1 x129; uint64_t x130; - fiat_curve25519_solinas_uint128 x131; - uint64_t x132; + uint64_t x131; + fiat_curve25519_solinas_uint1 x132; fiat_curve25519_solinas_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); fiat_curve25519_solinas_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); fiat_curve25519_solinas_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); @@ -348,9 +348,8 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint fiat_curve25519_solinas_addcarryx_u64(&x126, &x127, x125, x115, 0x0); fiat_curve25519_solinas_addcarryx_u64(&x128, &x129, x127, x117, 0x0); fiat_curve25519_solinas_cmovznz_u64(&x130, x129, 0x0, UINT8_C(0x26)); - x131 = ((fiat_curve25519_solinas_uint128)x130 + x122); - x132 = (uint64_t)(x131 & UINT64_C(0xffffffffffffffff)); - out1[0] = x132; + fiat_curve25519_solinas_addcarryx_u64(&x131, &x132, 0x0, x130, x122); + out1[0] = x131; out1[1] = x124; out1[2] = x126; out1[3] = x128; @@ -600,8 +599,8 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul2(uin uint64_t x225; fiat_curve25519_solinas_uint1 x226; uint64_t x227; - fiat_curve25519_solinas_uint128 x228; - uint64_t x229; + uint64_t x228; + fiat_curve25519_solinas_uint1 x229; uint64_t x230; uint64_t x231; uint64_t x232; 
@@ -637,8 +636,8 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul2(uin uint64_t x262; fiat_curve25519_solinas_uint1 x263; uint64_t x264; - fiat_curve25519_solinas_uint128 x265; - uint64_t x266; + uint64_t x265; + fiat_curve25519_solinas_uint1 x266; fiat_curve25519_solinas_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); fiat_curve25519_solinas_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); fiat_curve25519_solinas_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); @@ -757,8 +756,7 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul2(uin fiat_curve25519_solinas_addcarryx_u64(&x223, &x224, x222, x212, 0x0); fiat_curve25519_solinas_addcarryx_u64(&x225, &x226, x224, x214, 0x0); fiat_curve25519_solinas_cmovznz_u64(&x227, x226, 0x0, UINT8_C(0x26)); - x228 = ((fiat_curve25519_solinas_uint128)x227 + x219); - x229 = (uint64_t)(x228 & UINT64_C(0xffffffffffffffff)); + fiat_curve25519_solinas_addcarryx_u64(&x228, &x229, 0x0, x227, x219); fiat_curve25519_solinas_mulx_u64(&x230, &x231, UINT8_C(0x26), x189); fiat_curve25519_solinas_mulx_u64(&x232, &x233, UINT8_C(0x26), x187); fiat_curve25519_solinas_mulx_u64(&x234, &x235, UINT8_C(0x26), x185); @@ -778,13 +776,12 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul2(uin fiat_curve25519_solinas_addcarryx_u64(&x260, &x261, x259, x249, 0x0); fiat_curve25519_solinas_addcarryx_u64(&x262, &x263, x261, x251, 0x0); fiat_curve25519_solinas_cmovznz_u64(&x264, x263, 0x0, UINT8_C(0x26)); - x265 = ((fiat_curve25519_solinas_uint128)x264 + x256); - x266 = (uint64_t)(x265 & UINT64_C(0xffffffffffffffff)); - out1[0] = x229; + fiat_curve25519_solinas_addcarryx_u64(&x265, &x266, 0x0, x264, x256); + out1[0] = x228; out1[1] = x221; out1[2] = x223; out1[3] = x225; - out2[0] = x266; + out2[0] = x265; out2[1] = x258; out2[2] = x260; out2[3] = x262; 
@@ -901,8 +898,8 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_square(u uint64_t x97; fiat_curve25519_solinas_uint1 x98; uint64_t x99; - fiat_curve25519_solinas_uint128 x100; - uint64_t x101; + uint64_t x100; + fiat_curve25519_solinas_uint1 x101; fiat_curve25519_solinas_mulx_u64(&x1, &x2, (arg1[0]), (arg1[3])); fiat_curve25519_solinas_mulx_u64(&x3, &x4, (arg1[0]), (arg1[2])); fiat_curve25519_solinas_mulx_u64(&x5, &x6, (arg1[0]), (arg1[1])); @@ -955,9 +952,8 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_square(u fiat_curve25519_solinas_addcarryx_u64(&x95, &x96, x94, x84, 0x0); fiat_curve25519_solinas_addcarryx_u64(&x97, &x98, x96, x86, 0x0); fiat_curve25519_solinas_cmovznz_u64(&x99, x98, 0x0, UINT8_C(0x26)); - x100 = ((fiat_curve25519_solinas_uint128)x99 + x91); - x101 = (uint64_t)(x100 & UINT64_C(0xffffffffffffffff)); - out1[0] = x101; + fiat_curve25519_solinas_addcarryx_u64(&x100, &x101, 0x0, x99, x91); + out1[0] = x100; out1[1] = x93; out1[2] = x95; out1[3] = x97; diff --git a/fiat-go/64/curve25519solinas/curve25519solinas.go b/fiat-go/64/curve25519solinas/curve25519solinas.go index 779664580c..61514696bd 100644 --- a/fiat-go/64/curve25519solinas/curve25519solinas.go +++ b/fiat-go/64/curve25519solinas/curve25519solinas.go @@ -22,8 +22,6 @@ import "math/bits" type uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 type int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 -var _ = error_Go_output_does_not_support_128_bit_integers___instead_use_rewriting_rules_for_removing_128_bit_integers - // cmovznzU64 is a single-word conditional move. // // Postconditions: 
@@ -241,9 +239,9 @@ func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { x128, x129 = bits.Add64(x117, uint64(0x0), uint64(uint1(x127))) var x130 uint64 cmovznzU64(&x130, uint1(x129), uint64(0x0), 0x26) - x131 := (uint128(x130) + uint128(x122)) - x132 := (uint64(x131) & 0xffffffffffffffff) - out1[0] = x132 + var x131 uint64 + x131, _ = bits.Add64(x130, x122, uint64(0x0)) + out1[0] = x131 out1[1] = x124 out1[2] = x126 out1[3] = x128 @@ -592,8 +590,8 @@ func Mul2(out1 *[4]uint64, out2 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64, ar x225, x226 = bits.Add64(x214, uint64(0x0), uint64(uint1(x224))) var x227 uint64 cmovznzU64(&x227, uint1(x226), uint64(0x0), 0x26) - x228 := (uint128(x227) + uint128(x219)) - x229 := (uint64(x228) & 0xffffffffffffffff) + var x228 uint64 + x228, _ = bits.Add64(x227, x219, uint64(0x0)) var x230 uint64 var x231 uint64 x231, x230 = bits.Mul64(0x26, x189) @@ -645,13 +643,13 @@ func Mul2(out1 *[4]uint64, out2 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64, ar x262, x263 = bits.Add64(x251, uint64(0x0), uint64(uint1(x261))) var x264 uint64 cmovznzU64(&x264, uint1(x263), uint64(0x0), 0x26) - x265 := (uint128(x264) + uint128(x256)) - x266 := (uint64(x265) & 0xffffffffffffffff) - out1[0] = x229 + var x265 uint64 + x265, _ = bits.Add64(x264, x256, uint64(0x0)) + out1[0] = x228 out1[1] = x221 out1[2] = x223 out1[3] = x225 - out2[0] = x266 + out2[0] = x265 out2[1] = x258 out2[2] = x260 out2[3] = x262 @@ -812,9 +810,9 @@ func Square(out1 *[4]uint64, arg1 *[4]uint64) { x97, x98 = bits.Add64(x86, uint64(0x0), uint64(uint1(x96))) var x99 uint64 cmovznzU64(&x99, uint1(x98), uint64(0x0), 0x26) - x100 := (uint128(x99) + uint128(x91)) - x101 := (uint64(x100) & 0xffffffffffffffff) - out1[0] = x101 + var x100 uint64 + x100, _ = bits.Add64(x99, x91, uint64(0x0)) + out1[0] = x100 out1[1] = x93 out1[2] = x95 out1[3] = x97 diff --git a/fiat-json/src/curve25519_solinas_64.json b/fiat-json/src/curve25519_solinas_64.json index d476629867..8b30fea6d6 100644 
--- a/fiat-json/src/curve25519_solinas_64.json +++ b/fiat-json/src/curve25519_solinas_64.json @@ -3698,38 +3698,36 @@ ] }, { - "datatype": "u128", + "datatype": "(auto)", "name": [ - "x131" + "x131", + "_" ], - "operation": "static_cast", + "operation": "addcarryx", + "parameters": { + "size": 64 + }, "arguments": [ + "0x0", { - "datatype": "u128", + "datatype": "u64", "name": [], - "operation": "+", + "operation": "static_cast", + "arguments": [ + "x130" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", "arguments": [ { "datatype": "u64", "name": [], "operation": "static_cast", "arguments": [ - "x130" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x122" - ] - } + "x122" ] } ] @@ -3739,38 +3737,20 @@ { "datatype": "u64", "name": [ - "x132" + "out1[0]" ], "operation": "static_cast", "arguments": [ { "datatype": "u64", "name": [], - "operation": "&", + "operation": "static_cast", "arguments": [ - { - "datatype": "u128", - "name": [], - "operation": "static_cast", - "arguments": [ - "x131" - ] - }, - "0xffffffffffffffff" + "x131" ] } ] }, - { - "datatype": "u64", - "name": [ - "out1[0]" - ], - "operation": "static_cast", - "arguments": [ - "x132" - ] - }, { "datatype": "u64", "name": [ 
@@ -9066,65 +9046,38 @@ ] }, { - "datatype": "u128", + "datatype": "(auto)", "name": [ - "x228" + "x228", + "_" ], - "operation": "static_cast", + "operation": "addcarryx", + "parameters": { + "size": 64 + }, "arguments": [ + "0x0", { - "datatype": "u128", + "datatype": "u64", "name": [], - "operation": "+", + "operation": "static_cast", "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x227" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x219" - ] - } - ] - } + "x227" ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "x229" - ], - "operation": "static_cast", - "arguments": [ + }, { "datatype": "u64", "name": [], - "operation": "&", + "operation": "static_cast", "arguments": [ { - "datatype": "u128", + "datatype": "u64", "name": [], "operation": "static_cast", "arguments": [ - "x228" + "x219" ] - }, - "0xffffffffffffffff" + } ] } ] @@ -9933,38 +9886,36 @@ ] }, { - "datatype": "u128", + "datatype": "(auto)", "name": [ - "x265" + "x265", + "_" ], - "operation": "static_cast", + "operation": "addcarryx", + "parameters": { + "size": 64 + }, "arguments": [ + "0x0", { - "datatype": "u128", + "datatype": "u64", "name": [], - "operation": "+", + "operation": "static_cast", + "arguments": [ + "x264" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", "arguments": [ { "datatype": "u64", "name": [], "operation": "static_cast", "arguments": [ - "x264" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x256" - ] - } + "x256" ] } ] 
@@ -9974,38 +9925,20 @@ { "datatype": "u64", "name": [ - "x266" + "out1[0]" ], "operation": "static_cast", "arguments": [ { "datatype": "u64", "name": [], - "operation": "&", + "operation": "static_cast", "arguments": [ - { - "datatype": "u128", - "name": [], - "operation": "static_cast", - "arguments": [ - "x265" - ] - }, - "0xffffffffffffffff" + "x228" ] } ] }, - { - "datatype": "u64", - "name": [ - "out1[0]" - ], - "operation": "static_cast", - "arguments": [ - "x229" - ] - }, { "datatype": "u64", "name": [ @@ -10064,7 +9997,14 @@ ], "operation": "static_cast", "arguments": [ - "x266" + { + "datatype": "u64", + "name": [], + "operation": "static_cast", + "arguments": [ + "x265" + ] + } ] }, { @@ -12494,38 +12434,36 @@ ] }, { - "datatype": "u128", + "datatype": "(auto)", "name": [ - "x100" + "x100", + "_" ], - "operation": "static_cast", + "operation": "addcarryx", + "parameters": { + "size": 64 + }, "arguments": [ + "0x0", { - "datatype": "u128", + "datatype": "u64", "name": [], - "operation": "+", + "operation": "static_cast", + "arguments": [ + "x99" + ] + }, + { + "datatype": "u64", + "name": [], + "operation": "static_cast", "arguments": [ { "datatype": "u64", "name": [], "operation": "static_cast", "arguments": [ - "x99" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x91" - ] - } + "x91" ] } ] @@ -12535,38 +12473,20 @@ { "datatype": "u64", "name": [ - "x101" + "out1[0]" ], "operation": "static_cast", "arguments": [ { "datatype": "u64", "name": [], - "operation": "&", + "operation": "static_cast", "arguments": [ - { - "datatype": "u128", - "name": [], - "operation": "static_cast", - "arguments": [ - "x100" - ] - }, - "0xffffffffffffffff" + "x100" ] } ] }, - { - "datatype": "u64", - "name": [ - "out1[0]" - ], - "operation": "static_cast", - "arguments": [ - "x101" - ] - }, { "datatype": "u64", "name": [ 
diff --git a/fiat-rust/src/curve25519_solinas_64.rs b/fiat-rust/src/curve25519_solinas_64.rs index db20aa803e..444b29fbf1 100644 --- a/fiat-rust/src/curve25519_solinas_64.rs +++ b/fiat-rust/src/curve25519_solinas_64.rs @@ -305,9 +305,10 @@ pub fn fiat_curve25519_solinas_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: & fiat_curve25519_solinas_addcarryx_u64(&mut x128, &mut x129, x127, x117, (0x0 as u64)); let mut x130: u64 = 0; fiat_curve25519_solinas_cmovznz_u64(&mut x130, x129, (0x0 as u64), 0x26); - let x131: u128 = ((x130 as u128) + (x122 as u128)); - let x132: u64 = ((x131 & (0xffffffffffffffff as u128)) as u64); - out1[0] = x132; + let mut x131: u64 = 0; + let mut x132: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x131, &mut x132, 0x0, x130, x122); + out1[0] = x131; out1[1] = x124; out1[2] = x126; out1[3] = x128; @@ -666,8 +667,9 @@ pub fn fiat_curve25519_solinas_mul2(out1: &mut [u64; 4], out2: &mut [u64; 4], ar fiat_curve25519_solinas_addcarryx_u64(&mut x225, &mut x226, x224, x214, (0x0 as u64)); let mut x227: u64 = 0; fiat_curve25519_solinas_cmovznz_u64(&mut x227, x226, (0x0 as u64), 0x26); - let x228: u128 = ((x227 as u128) + (x219 as u128)); - let x229: u64 = ((x228 & (0xffffffffffffffff as u128)) as u64); + let mut x228: u64 = 0; + let mut x229: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x228, &mut x229, 0x0, x227, x219); let mut x230: u64 = 0; let mut x231: u64 = 0; fiat_curve25519_solinas_mulx_u64(&mut x230, &mut x231, 0x26, x189); 
@@ -720,13 +722,14 @@ pub fn fiat_curve25519_solinas_mul2(out1: &mut [u64; 4], out2: &mut [u64; 4], ar fiat_curve25519_solinas_addcarryx_u64(&mut x262, &mut x263, x261, x251, (0x0 as u64)); let mut x264: u64 = 0; fiat_curve25519_solinas_cmovznz_u64(&mut x264, x263, (0x0 as u64), 0x26); - let x265: u128 = ((x264 as u128) + (x256 as u128)); - let x266: u64 = ((x265 & (0xffffffffffffffff as u128)) as u64); - out1[0] = x229; + let mut x265: u64 = 0; + let mut x266: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x265, &mut x266, 0x0, x264, x256); + out1[0] = x228; out1[1] = x221; out1[2] = x223; out1[3] = x225; - out2[0] = x266; + out2[0] = x265; out2[1] = x258; out2[2] = x260; out2[3] = x262; @@ -890,9 +893,10 @@ pub fn fiat_curve25519_solinas_square(out1: &mut [u64; 4], arg1: &[u64; 4]) -> ( fiat_curve25519_solinas_addcarryx_u64(&mut x97, &mut x98, x96, x86, (0x0 as u64)); let mut x99: u64 = 0; fiat_curve25519_solinas_cmovznz_u64(&mut x99, x98, (0x0 as u64), 0x26); - let x100: u128 = ((x99 as u128) + (x91 as u128)); - let x101: u64 = ((x100 & (0xffffffffffffffff as u128)) as u64); - out1[0] = x101; + let mut x100: u64 = 0; + let mut x101: fiat_curve25519_solinas_u1 = 0; + fiat_curve25519_solinas_addcarryx_u64(&mut x100, &mut x101, 0x0, x99, x91); + out1[0] = x100; out1[1] = x93; out1[2] = x95; out1[3] = x97; diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig index 3c15b6b9e4..249c384b74 100644 --- a/fiat-zig/src/curve25519_solinas_64.zig +++ b/fiat-zig/src/curve25519_solinas_64.zig 
@@ -318,9 +318,10 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { addcarryxU64(&x128, &x129, x127, x117, cast(u64, 0x0)); var x130: u64 = undefined; cmovznzU64(&x130, x129, cast(u64, 0x0), 0x26); - const x131 = (cast(u128, x130) + cast(u128, x122)); - const x132 = cast(u64, (x131 & cast(u128, 0xffffffffffffffff))); - out1[0] = x132; + var x131: u64 = undefined; + var x132: u1 = undefined; + addcarryxU64(&x131, &x132, 0x0, x130, x122); + out1[0] = x131; out1[1] = x124; out1[2] = x126; out1[3] = x128; @@ -680,8 +681,9 @@ pub fn mul2(out1: *[4]u64, out2: *[4]u64, arg1: [4]u64, arg2: [4]u64, arg3: [4]u addcarryxU64(&x225, &x226, x224, x214, cast(u64, 0x0)); var x227: u64 = undefined; cmovznzU64(&x227, x226, cast(u64, 0x0), 0x26); - const x228 = (cast(u128, x227) + cast(u128, x219)); - const x229 = cast(u64, (x228 & cast(u128, 0xffffffffffffffff))); + var x228: u64 = undefined; + var x229: u1 = undefined; + addcarryxU64(&x228, &x229, 0x0, x227, x219); var x230: u64 = undefined; var x231: u64 = undefined; mulxU64(&x230, &x231, 0x26, x189); @@ -734,13 +736,14 @@ pub fn mul2(out1: *[4]u64, out2: *[4]u64, arg1: [4]u64, arg2: [4]u64, arg3: [4]u addcarryxU64(&x262, &x263, x261, x251, cast(u64, 0x0)); var x264: u64 = undefined; cmovznzU64(&x264, x263, cast(u64, 0x0), 0x26); - const x265 = (cast(u128, x264) + cast(u128, x256)); - const x266 = cast(u64, (x265 & cast(u128, 0xffffffffffffffff))); - out1[0] = x229; + var x265: u64 = undefined; + var x266: u1 = undefined; + addcarryxU64(&x265, &x266, 0x0, x264, x256); + out1[0] = x228; out1[1] = x221; out1[2] = x223; out1[3] = x225; - out2[0] = x266; + out2[0] = x265; out2[1] = x258; out2[2] = x260; out2[3] = x262; 
@@ -905,9 +908,10 @@ pub fn square(out1: *[4]u64, arg1: [4]u64) void { addcarryxU64(&x97, &x98, x96, x86, cast(u64, 0x0)); var x99: u64 = undefined; cmovznzU64(&x99, x98, cast(u64, 0x0), 0x26); - const x100 = (cast(u128, x99) + cast(u128, x91)); - const x101 = cast(u64, (x100 & cast(u128, 0xffffffffffffffff))); - out1[0] = x101; + var x100: u64 = undefined; + var x101: u1 = undefined; + addcarryxU64(&x100, &x101, 0x0, x99, x91); + out1[0] = x100; out1[1] = x93; out1[2] = x95; out1[3] = x97;
diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v
index a0da9ea123..f2e0027202 100644
--- a/src/Arithmetic/SolinasReduction.v
+++ b/src/Arithmetic/SolinasReduction.v
@@ -875,9 +875,9 @@ Module SolinasReduction.
 let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in
 let coef := Associational.eval coef_a in
 dlet_nd hi := Z.zselect (nth_default 0 p n) 0 coef in
- let lo := Z.add_get_carry machine_wordsize hi (nth_default 0 p 0) in
+ let lo := Saturated.Rows.flatten weight 1 [ [hi]; [nth_default 0 p 0] ] in
 if (is_bounded_by bounds p) then
- [fst lo] ++ (skipn 1 (firstn n p))
+ (fst lo) ++ (skipn 1 (firstn n p))
 else
 let hi' := coef * (nth_default 0 p n) in
 add_to_nth 0 hi' (firstn n p).
@@ -926,9 +926,9 @@ Module SolinasReduction.
 let coef_a := Saturated.Associational.sat_mul_const base [(1, s'/s)] c in
 let coef := Associational.eval coef_a in
 dlet_nd hi := Z.zselect (nth_default 0 p n) 0 coef in
- let lo := Z.add_get_carry machine_wordsize hi (nth_default 0 p 0) in
+ let lo := Saturated.Rows.flatten weight 1 [ [hi]; [nth_default 0 p 0] ] in
 if (is_bounded_by bounds p) then
- f ([fst lo] ++ (skipn 1 (firstn n p)))
+ f ((fst lo) ++ (skipn 1 (firstn n p)))
 else
 let hi' := coef * (nth_default 0 p n) in
 f (add_to_nth 0 hi' (firstn n p)).
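Review bot: The carry out of `hi + p[0]` is still thrown away by `(fst lo)` on the added line in the `is_bounded_by` branch, and nothing at the definition records why that is sound; the `eval_reduce3` lemma later in this patch only admits inputs with `nth_default 0 p 0 < up_bound * up_bound + 1` and `nth_default 0 p n` equal to 0 or 1, so dropping `snd lo` depends entirely on `bounds` enforcing those limits. A comment on the `let lo` line such as `(* [snd lo] is the carry out of hi + p[0]; under [bounds] p[0] + coef < weight 1, so it is 0 and only [fst lo] is kept (see eval_reduce3) *)` would make that dependency explicit. It is also worth stating next to `if (is_bounded_by bounds p)` that the test is expected to be resolved by the bounds pipeline at synthesis time, because if it ever survived into generated code it would be a branch on secret limb values. The enclosing definition of `reduce3` starts outside the hunk.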
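Review bot: The new `let lo := Saturated.Rows.flatten weight 1 [ [hi]; [nth_default 0 p 0] ] in` and the `(fst lo) ++ (skipn 1 (firstn n p))` construction are repeated verbatim from the direct definition in the preceding hunk, so the continuation-passing variant and the direct one can silently drift apart on the next edit. Factoring the reduced limb list into one definition, e.g. `Definition reduce3_limbs hi p := (fst (Saturated.Rows.flatten weight 1 [ [hi]; [nth_default 0 p 0] ])) ++ (skipn 1 (firstn n p)).`, and using it from both the direct form and the `f (...)` form would leave a single place that has to justify the discarded carry. The enclosing definition starts outside the hunk.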
@@ -1555,6 +1555,27 @@ Module SolinasReduction. push. Qed. + Lemma eval_smaller m p : + (length p <= m)%nat -> + eval weight m p = eval weight (length p) p. + Proof. + intros H. + destruct p using rev_ind. + push. + unfold eval at 1. + cbv [to_associational]. + replace m with ((length (p ++ [x])) + (m - length (p ++ [x])))%nat. + rewrite seq_app. + rewrite map_app. + rewrite combine_truncate_l. + rewrite firstn_app_inleft. + rewrite firstn_all. + reflexivity. + push. + push. + lia. + Qed. + Lemma eval_reduce3 : forall p, canonical_repr (S n) p -> (nth_default 0 p (n-1) = 0 /\ nth_default 0 p n = 1 /\ nth_default 0 p 0 < up_bound * up_bound + 1) \/ nth_default 0 p n = 0 -> @@ -1583,6 +1604,28 @@ Module SolinasReduction. destruct (dec (0 < n)%nat). push' H3. + match goal with + | |- context[fst (Rows.flatten weight 1 [ [?x]; [?y] ])] => + assert (fst (Rows.flatten weight 1 [ [x]; [y] ]) = + [fst (Z.add_get_carry machine_wordsize x y)]) + end. + { cbv [Z.add_get_carry Z.add_with_get_carry Z.add_with_carry Z.get_carry Let_In]. + rewrite solinas_property. + push. + rewrite !Rows.eval_cons. + rewrite Rows.eval_nil. + push. + rewrite Partition.partition_step. + push. + intros. + cbn in H4. + intuition. + rewrite <-H7; push. + rewrite <-H4; push. + rewrite <-H0; push. + rewrite <-H4; push. } + rewrite H4. + cbv [Z.add_get_carry Z.add_with_get_carry Z.add_with_carry Z.get_carry Let_In Z.zselect]. rewrite solinas_property. push. diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v index c01558d6d9..fd08b2fd38 100644 --- a/src/SlowPrimeSynthesisExamples.v +++ b/src/SlowPrimeSynthesisExamples.v 
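Review bot: In `eval_smaller` the arithmetic side condition produced by `replace m with ((length (p ++ [x])) + (m - length (p ++ [x])))%nat` is left open and only closed by the trailing `push. push. lia.` after the main goal, which makes the script hard to follow and fragile if `push` changes what it solves. Discharging it where it arises, `replace m with ((length (p ++ [x])) + (m - length (p ++ [x])))%nat by (push; lia).`, keeps the obligation next to the step that creates it, and the two `rev_ind` cases would read better under bullets than as a flat sequence. The hypothesis `H : (length p <= m)%nat` is what that `lia` needs, so keep it introduced by name as the proof already does.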
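Review bot: The new block in `eval_reduce3` relies on auto-generated hypothesis names: the unnamed `assert` inside `match goal` becomes `H4`, and after `intuition` the script does `rewrite <-H7; push.`, `rewrite <-H4; push.` and `rewrite <-H0; push.`, all of which break as soon as anything earlier in the context changes. Naming the fact explicitly, `assert (fst (Rows.flatten weight 1 [ [x]; [y] ]) = [fst (Z.add_get_carry machine_wordsize x y)]) as Hflat` followed by `rewrite Hflat.`, and destructuring the conjunction that `cbn in H4` exposes (its exact shape is not visible here) with a named `destruct ... as [...]` pattern instead of `intuition` would make the proof robust. A one-line comment before `match goal` saying what the assert establishes — that `Rows.flatten` on two single-limb rows is the wordsize addition with its carry dropped — would also help the next reader. The lemma `eval_reduce3` starts outside the hunk.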
@@ -107,19 +107,19 @@ Module debugging_solinas_reduction. Time Compute Show.show (Pipeline.BoundsPipelineToString - "fiat" "mul2" + "fiat" "mul" false false possible_values machine_wordsize ltac:(let n := (eval cbv in n) in - let r := Reify (mulmod2 base s c n) in + let r := Reify (SolinasReduction.reduce3 base s c n) in exact r) (fun _ _ => []) - (Some (repeat bound n), (Some (repeat bound n), (Some (repeat bound n), (Some (repeat bound n), tt)))) - (Some (repeat bound n), Some (repeat bound n)) - (None, (None, (None, (None, tt)))) - (None, None) + (Some (repeat bound n ++ [bound1]), tt) + (Some (repeat bound n)) + (None, tt) + (None) : Pipeline.ErrorT _). Time Compute From bf21773a86d8fad84941cc2a1558b405b241164e Mon Sep 17 00:00:00 2001 From: Samuel Tian Date: Tue, 8 Nov 2022 23:24:38 -0500 Subject: [PATCH 65/69] new bedrock2 c for saturated solinas --- fiat-bedrock2/src/curve25519_solinas_64.c | 235 ++++++++++++---------- 1 file changed, 130 insertions(+), 105 deletions(-) diff --git a/fiat-bedrock2/src/curve25519_solinas_64.c b/fiat-bedrock2/src/curve25519_solinas_64.c index 407ab9173b..6e997642ec 100644 --- a/fiat-bedrock2/src/curve25519_solinas_64.c +++ b/fiat-bedrock2/src/curve25519_solinas_64.c 
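Review bot: The synthesized function is now named `"mul"` while the reified term on the changed line is `SolinasReduction.reduce3 base s c n`, so the printed output will carry a `mul` name for what is only the reduction step; `"fiat" "reduce3"` would match what is being debugged and avoid confusion when the result is compared against the real multiplication output. The new input bound `Some (repeat bound n ++ [bound1])` presumably describes the extra top limb that `reduce3` expects to be 0 or 1, but `bound1` is not defined in this hunk, so a comment at its use such as `(* bound1: range of the carry limb p[n] consumed by reduce3 *)` would tell the reader what it is meant to be.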
@@ -9,16 +9,13 @@ #include #include +#include -static __attribute__((always_inline)) inline uintptr_t -_br2_mulhuu(uintptr_t a, uintptr_t b) { -#if (UINTPTR_MAX == (1LLU<<31) - 1 + (1LLU<<31)) - return ((uint64_t)a * b) >> 32; -#elif (UINTPTR_MAX == (1LLU<<63) - 1 + (1LLU<<63)) - return ((__uint128_t)a * b) >> 64; -#else -#error "32-bit or 64-bit uintptr_t required" -#endif +static __attribute__((constructor)) void _br2_preconditions(void) { + static_assert(~(intptr_t)0 == -(intptr_t)1, "two's complement"); + assert(((void)"two's complement", ~(intptr_t)0 == -(intptr_t)1)); + assert(((void)"little-endian", 1 == *(unsigned char *)&(const uintptr_t){1})); + assert(((void)"little-endian", 1 == *(unsigned char *)&(const intptr_t){1})); } // We use memcpy to work around -fstrict-aliasing. @@ -29,8 +26,8 @@ _br2_mulhuu(uintptr_t a, uintptr_t b) { // on clang and sometimes on GCC, but other times GCC inlines individual // byte operations without reconstructing wider accesses. // The little-endian idiom below seems fast in gcc 9+ and clang 10. -static __attribute__((always_inline)) inline uintptr_t -_br2_load(uintptr_t a, uintptr_t sz) { +static inline __attribute__((always_inline, unused)) +uintptr_t _br2_load(uintptr_t a, uintptr_t sz) { switch (sz) { case 1: { uint8_t r = 0; memcpy(&r, (void*)a, 1); return r; } case 2: { uint16_t r = 0; memcpy(&r, (void*)a, 2); return r; } 
@@ -40,11 +37,39 @@ _br2_load(uintptr_t a, uintptr_t sz) { } } -static __attribute__((always_inline)) inline void -_br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { +static inline __attribute__((always_inline, unused)) +void _br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { memcpy((void*)a, &v, sz); } +static inline __attribute__((always_inline, unused)) +uintptr_t _br2_mulhuu(uintptr_t a, uintptr_t b) { + #if (UINTPTR_MAX == (UINTMAX_C(1)<<31) - 1 + (UINTMAX_C(1)<<31)) + return ((uint64_t)a * b) >> 32; + #elif (UINTPTR_MAX == (UINTMAX_C(1)<<63) - 1 + (UINTMAX_C(1)<<63)) + return ((unsigned __int128)a * b) >> 64; + #else + #error "32-bit or 64-bit uintptr_t required" + #endif +} + +static inline __attribute__((always_inline, unused)) +uintptr_t _br2_divu(uintptr_t a, uintptr_t b) { + if (!b) return -1; + return a/b; +} + +static inline __attribute__((always_inline, unused)) +uintptr_t _br2_remu(uintptr_t a, uintptr_t b) { + if (!b) return a; + return a%b; +} + +static inline __attribute__((always_inline, unused)) +uintptr_t _br2_shamt(uintptr_t a) { + return a&(sizeof(uintptr_t)*8-1); +} + /* * Input Bounds: 
@@ -56,15 +81,15 @@ _br2_store(uintptr_t a, uintptr_t v, uintptr_t sz) { static void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr_t in1) { uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x14, x35, x41, x33, x42, x12, x43, x45, x46, x25, x20, x40, x49, x44, x50, x15, x51, x53, x54, x47, x56, x17, x22, x37, x59, x48, x60, x23, x61, x63, x64, x52, x65, x18, x66, x68, x69, x55, x70, x10, x71, x73, x74, x57, x76, x9, x28, x58, x79, x62, x80, x26, x81, x83, x84, x67, x85, x21, x86, x88, x89, x72, x90, x13, x91, x93, x94, x75, x96, x77, x30, x39, x99, x78, x100, x31, x101, x103, x104, x82, x105, x29, x106, x108, x109, x87, x110, x24, x111, x113, x114, x92, x115, x16, x116, x118, x119, x95, x120, x8, x121, x123, x124, x97, x36, x98, x127, x102, x128, x34, x129, x131, x132, x107, x133, x32, x134, x136, x137, x112, x138, x27, x139, x141, x142, x117, x143, x19, x144, x146, x147, x122, x148, x11, x149, x151, x152, x125, x153, x150, x145, x140, x158, x126, x163, x130, x164, x156, x165, x167, x168, x135, x169, x154, x170, x172, x173, x155, x160, x38, x176, x162, x177, x161, x178, x180, x181, x166, x182, x159, x183, x185, x186, x171, x187, x157, x188, x190, x191, x174, x192, x193, x175, x195, x179, x197, x184, x199, x189, x201, x202, x203, x204, x194, x205, x196, x198, x200, x206, x207, x208, x209; - x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); - x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x3 = _br2_load((in0)+((uintptr_t)24ULL), sizeof(uintptr_t)); + x0 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); + x1 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); + x2 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); + x3 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); /*skip*/ - x4 = _br2_load((in1)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x5 = _br2_load((in1)+((uintptr_t)8ULL), 
sizeof(uintptr_t)); - x6 = _br2_load((in1)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x7 = _br2_load((in1)+((uintptr_t)24ULL), sizeof(uintptr_t)); + x4 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); + x5 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); + x6 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); + x7 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); /*skip*/ /*skip*/ x8 = (x3)*(x7); @@ -213,14 +238,14 @@ void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr x151 = (uintptr_t)((x150)<(x11)); x152 = (x149)+(x151); x153 = (x152)+(x125); - x154 = ((uintptr_t)38ULL)*(x153); - x155 = _br2_mulhuu(((uintptr_t)38ULL), (x153)); - x156 = ((uintptr_t)38ULL)*(x150); - x157 = _br2_mulhuu(((uintptr_t)38ULL), (x150)); - x158 = ((uintptr_t)38ULL)*(x145); - x159 = _br2_mulhuu(((uintptr_t)38ULL), (x145)); - x160 = ((uintptr_t)38ULL)*(x140); - x161 = _br2_mulhuu(((uintptr_t)38ULL), (x140)); + x154 = ((uintptr_t)(UINTMAX_C(38)))*(x153); + x155 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x153)); + x156 = ((uintptr_t)(UINTMAX_C(38)))*(x150); + x157 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x150)); + x158 = ((uintptr_t)(UINTMAX_C(38)))*(x145); + x159 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x145)); + x160 = ((uintptr_t)(UINTMAX_C(38)))*(x140); + x161 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x140)); x162 = (x126)+(x158); x163 = (uintptr_t)((x162)<(x126)); x164 = (x163)+(x130); @@ -252,7 +277,7 @@ void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr x190 = (uintptr_t)((x189)<(x157)); x191 = (x188)+(x190); x192 = (x191)+(x174); - x193 = ((uintptr_t)38ULL)*(x192); + x193 = ((uintptr_t)(UINTMAX_C(38)))*(x192); x194 = (x175)+(x193); x195 = (uintptr_t)((x194)<(x175)); x196 = (x195)+(x179); 
@@ -261,19 +286,19 @@ void internal_fiat_curve25519_solinas_mul(uintptr_t out0, uintptr_t in0, uintptr x199 = (uintptr_t)((x198)<(x184)); x200 = (x199)+(x189); x201 = (uintptr_t)((x200)<(x189)); - x202 = ((uintptr_t)-1ULL)+((uintptr_t)((x201)==((uintptr_t)0ULL))); - x203 = (x202)^((uintptr_t)18446744073709551615ULL); - x204 = (((uintptr_t)38ULL)&(x202))|(((uintptr_t)0ULL)&(x203)); + x202 = ((uintptr_t)(UINTMAX_C(-1)))+((uintptr_t)((x201)==((uintptr_t)(UINTMAX_C(0))))); + x203 = (x202)^((uintptr_t)(UINTMAX_C(18446744073709551615))); + x204 = (((uintptr_t)(UINTMAX_C(38)))&(x202))|(((uintptr_t)(UINTMAX_C(0)))&(x203)); x205 = (x204)+(x194); x206 = x205; x207 = x196; x208 = x198; x209 = x200; /*skip*/ - _br2_store((out0)+((uintptr_t)0ULL), x206, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)8ULL), x207, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)16ULL), x208, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)24ULL), x209, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(0))), x206, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(8))), x207, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(16))), x208, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(24))), x209, sizeof(uintptr_t)); /*skip*/ return; } 
@@ -297,25 +322,25 @@ static void fiat_curve25519_solinas_mul(uint64_t out1[4], const uint64_t arg1[4] static void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintptr_t in0, uintptr_t in1, uintptr_t in2, uintptr_t in3) { uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x22, x43, x49, x41, x50, x20, x51, x53, x54, x33, x28, x48, x57, x52, x58, x23, x59, x61, x62, x55, x64, x25, x30, x45, x67, x56, x68, x31, x69, x71, x72, x60, x73, x26, x74, x76, x77, x63, x78, x18, x79, x81, x82, x65, x84, x17, x36, x66, x87, x70, x88, x34, x89, x91, x92, x75, x93, x29, x94, x96, x97, x80, x98, x21, x99, x101, x102, x83, x104, x85, x38, x47, x107, x86, x108, x39, x109, x111, x112, x90, x113, x37, x114, x116, x117, x95, x118, x32, x119, x121, x122, x100, x123, x24, x124, x126, x127, x103, x128, x16, x129, x131, x132, x105, x44, x106, x135, x110, x136, x42, x137, x139, x140, x115, x141, x40, x142, x144, x145, x120, x146, x35, x147, x149, x150, x125, x151, x27, x152, x154, x155, x130, x156, x19, x157, x159, x160, x133, x11, x10, x9, x15, x14, x13, x8, x12, x168, x189, x195, x187, x196, x166, x197, x199, x200, x179, x174, x194, x203, x198, x204, x169, x205, x207, x208, x201, x210, x171, x176, x191, x213, x202, x214, x177, x215, x217, x218, x206, x219, x172, x220, x222, x223, x209, x224, x164, x225, x227, x228, x211, x230, x163, x182, x212, x233, x216, x234, x180, x235, x237, x238, x221, x239, x175, x240, x242, x243, x226, x244, x167, x245, x247, x248, x229, x250, x231, x184, x193, x253, x232, x254, x185, x255, x257, x258, x236, x259, x183, x260, x262, x263, x241, x264, x178, x265, x267, x268, x246, x269, x170, x270, x272, x273, x249, x274, x162, x275, x277, x278, x251, x190, x252, x281, x256, x282, x188, x283, x285, x286, x261, x287, x186, x288, x290, x291, x266, x292, x181, x293, x295, x296, x271, x297, x173, x298, x300, x301, x276, x302, x165, x303, x305, x306, x279, x158, x153, x148, x310, x134, x315, x138, x316, x308, x317, x319, x320, x143, x322, x321, x323, 
x325, x161, x326, x327, x312, x46, x330, x314, x331, x313, x332, x334, x335, x318, x336, x311, x337, x339, x340, x324, x341, x309, x342, x344, x345, x328, x346, x347, x329, x349, x333, x351, x338, x353, x343, x355, x356, x357, x358, x348, x307, x304, x299, x294, x364, x280, x369, x284, x370, x362, x371, x373, x374, x289, x375, x360, x376, x378, x379, x361, x366, x192, x382, x368, x383, x367, x384, x386, x387, x372, x388, x365, x389, x391, x392, x377, x393, x363, x394, x396, x397, x380, x398, x399, x381, x401, x385, x403, x390, x405, x395, x407, x408, x409, x410, x400, x359, x350, x352, x354, x411, x402, x404, x406, x412, x413, x414, x415, x416, x417, x418, x419; - x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); - x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x3 = _br2_load((in0)+((uintptr_t)24ULL), sizeof(uintptr_t)); + x0 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); + x1 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); + x2 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); + x3 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); /*skip*/ - x4 = _br2_load((in1)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x5 = _br2_load((in1)+((uintptr_t)8ULL), sizeof(uintptr_t)); - x6 = _br2_load((in1)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x7 = _br2_load((in1)+((uintptr_t)24ULL), sizeof(uintptr_t)); + x4 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); + x5 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); + x6 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); + x7 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); /*skip*/ - x8 = _br2_load((in2)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x9 = _br2_load((in2)+((uintptr_t)8ULL), sizeof(uintptr_t)); - x10 = _br2_load((in2)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x11 = 
_br2_load((in2)+((uintptr_t)24ULL), sizeof(uintptr_t)); + x8 = _br2_load((in2)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); + x9 = _br2_load((in2)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); + x10 = _br2_load((in2)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); + x11 = _br2_load((in2)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); /*skip*/ - x12 = _br2_load((in3)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x13 = _br2_load((in3)+((uintptr_t)8ULL), sizeof(uintptr_t)); - x14 = _br2_load((in3)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x15 = _br2_load((in3)+((uintptr_t)24ULL), sizeof(uintptr_t)); + x12 = _br2_load((in3)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); + x13 = _br2_load((in3)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); + x14 = _br2_load((in3)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); + x15 = _br2_load((in3)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); /*skip*/ /*skip*/ x16 = (x3)*(x7); @@ -610,12 +635,12 @@ void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintp x305 = (uintptr_t)((x304)<(x165)); x306 = (x303)+(x305); x307 = (x306)+(x279); - x308 = ((uintptr_t)38ULL)*(x158); - x309 = _br2_mulhuu(((uintptr_t)38ULL), (x158)); - x310 = ((uintptr_t)38ULL)*(x153); - x311 = _br2_mulhuu(((uintptr_t)38ULL), (x153)); - x312 = ((uintptr_t)38ULL)*(x148); - x313 = _br2_mulhuu(((uintptr_t)38ULL), (x148)); + x308 = ((uintptr_t)(UINTMAX_C(38)))*(x158); + x309 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x158)); + x310 = ((uintptr_t)(UINTMAX_C(38)))*(x153); + x311 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x153)); + x312 = ((uintptr_t)(UINTMAX_C(38)))*(x148); + x313 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x148)); x314 = (x134)+(x310); x315 = (uintptr_t)((x314)<(x134)); x316 = (x315)+(x138); 
@@ -623,13 +648,13 @@ void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintp x318 = (x316)+(x308); x319 = (uintptr_t)((x318)<(x308)); x320 = (x317)+(x319); - x321 = ((uintptr_t)38ULL)*(x161); + x321 = ((uintptr_t)(UINTMAX_C(38)))*(x161); x322 = (x320)+(x143); x323 = (uintptr_t)((x322)<(x143)); x324 = (x322)+(x321); x325 = (uintptr_t)((x324)<(x321)); x326 = (x323)+(x325); - x327 = _br2_mulhuu(((uintptr_t)38ULL), (x161)); + x327 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x161)); x328 = (x326)+(x327); x329 = (x46)+(x312); x330 = (uintptr_t)((x329)<(x46)); @@ -649,7 +674,7 @@ void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintp x344 = (uintptr_t)((x343)<(x309)); x345 = (x342)+(x344); x346 = (x345)+(x328); - x347 = ((uintptr_t)38ULL)*(x346); + x347 = ((uintptr_t)(UINTMAX_C(38)))*(x346); x348 = (x329)+(x347); x349 = (uintptr_t)((x348)<(x329)); x350 = (x349)+(x333); 
@@ -658,18 +683,18 @@ void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintp x353 = (uintptr_t)((x352)<(x338)); x354 = (x353)+(x343); x355 = (uintptr_t)((x354)<(x343)); - x356 = ((uintptr_t)-1ULL)+((uintptr_t)((x355)==((uintptr_t)0ULL))); - x357 = (x356)^((uintptr_t)18446744073709551615ULL); - x358 = (((uintptr_t)38ULL)&(x356))|(((uintptr_t)0ULL)&(x357)); + x356 = ((uintptr_t)(UINTMAX_C(-1)))+((uintptr_t)((x355)==((uintptr_t)(UINTMAX_C(0))))); + x357 = (x356)^((uintptr_t)(UINTMAX_C(18446744073709551615))); + x358 = (((uintptr_t)(UINTMAX_C(38)))&(x356))|(((uintptr_t)(UINTMAX_C(0)))&(x357)); x359 = (x358)+(x348); - x360 = ((uintptr_t)38ULL)*(x307); - x361 = _br2_mulhuu(((uintptr_t)38ULL), (x307)); - x362 = ((uintptr_t)38ULL)*(x304); - x363 = _br2_mulhuu(((uintptr_t)38ULL), (x304)); - x364 = ((uintptr_t)38ULL)*(x299); - x365 = _br2_mulhuu(((uintptr_t)38ULL), (x299)); - x366 = ((uintptr_t)38ULL)*(x294); - x367 = _br2_mulhuu(((uintptr_t)38ULL), (x294)); + x360 = ((uintptr_t)(UINTMAX_C(38)))*(x307); + x361 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x307)); + x362 = ((uintptr_t)(UINTMAX_C(38)))*(x304); + x363 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x304)); + x364 = ((uintptr_t)(UINTMAX_C(38)))*(x299); + x365 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x299)); + x366 = ((uintptr_t)(UINTMAX_C(38)))*(x294); + x367 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x294)); x368 = (x280)+(x364); x369 = (uintptr_t)((x368)<(x280)); x370 = (x369)+(x284); @@ -701,7 +726,7 @@ void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintp x396 = (uintptr_t)((x395)<(x363)); x397 = (x394)+(x396); x398 = (x397)+(x380); - x399 = ((uintptr_t)38ULL)*(x398); + x399 = ((uintptr_t)(UINTMAX_C(38)))*(x398); x400 = (x381)+(x399); x401 = (uintptr_t)((x400)<(x381)); x402 = (x401)+(x385); 
@@ -710,9 +735,9 @@ void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintp x405 = (uintptr_t)((x404)<(x390)); x406 = (x405)+(x395); x407 = (uintptr_t)((x406)<(x395)); - x408 = ((uintptr_t)-1ULL)+((uintptr_t)((x407)==((uintptr_t)0ULL))); - x409 = (x408)^((uintptr_t)18446744073709551615ULL); - x410 = (((uintptr_t)38ULL)&(x408))|(((uintptr_t)0ULL)&(x409)); + x408 = ((uintptr_t)(UINTMAX_C(-1)))+((uintptr_t)((x407)==((uintptr_t)(UINTMAX_C(0))))); + x409 = (x408)^((uintptr_t)(UINTMAX_C(18446744073709551615))); + x410 = (((uintptr_t)(UINTMAX_C(38)))&(x408))|(((uintptr_t)(UINTMAX_C(0)))&(x409)); x411 = (x410)+(x400); x412 = x359; x413 = x350; @@ -724,15 +749,15 @@ void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintp x418 = x404; x419 = x406; /*skip*/ - _br2_store((out0)+((uintptr_t)0ULL), x412, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)8ULL), x413, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)16ULL), x414, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)24ULL), x415, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(0))), x412, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(8))), x413, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(16))), x414, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(24))), x415, sizeof(uintptr_t)); /*skip*/ - _br2_store((out1)+((uintptr_t)0ULL), x416, sizeof(uintptr_t)); - _br2_store((out1)+((uintptr_t)8ULL), x417, sizeof(uintptr_t)); - _br2_store((out1)+((uintptr_t)16ULL), x418, sizeof(uintptr_t)); - _br2_store((out1)+((uintptr_t)24ULL), x419, sizeof(uintptr_t)); + _br2_store((out1)+((uintptr_t)(UINTMAX_C(0))), x416, sizeof(uintptr_t)); + _br2_store((out1)+((uintptr_t)(UINTMAX_C(8))), x417, sizeof(uintptr_t)); + _br2_store((out1)+((uintptr_t)(UINTMAX_C(16))), x418, sizeof(uintptr_t)); + _br2_store((out1)+((uintptr_t)(UINTMAX_C(24))), x419, sizeof(uintptr_t)); /*skip*/ return; } 
@@ -752,10 +777,10 @@ static void fiat_curve25519_solinas_mul2(uint64_t out1[4], uint64_t out2[4], con static void internal_fiat_curve25519_solinas_square(uintptr_t out0, uintptr_t in0) { uintptr_t x6, x9, x15, x7, x16, x4, x17, x19, x20, x5, x21, x12, x22, x24, x25, x13, x26, x10, x27, x29, x30, x11, x32, x18, x35, x23, x36, x33, x37, x39, x40, x28, x42, x31, x8, x46, x47, x14, x48, x50, x51, x52, x34, x53, x55, x56, x57, x38, x58, x60, x61, x62, x41, x63, x65, x66, x67, x43, x68, x70, x71, x44, x3, x2, x1, x0, x80, x45, x82, x49, x83, x77, x84, x86, x87, x54, x88, x78, x89, x91, x92, x59, x93, x75, x94, x96, x97, x64, x98, x76, x99, x101, x102, x69, x103, x73, x104, x106, x107, x72, x108, x74, x109, x105, x100, x95, x114, x81, x119, x85, x120, x112, x121, x123, x124, x90, x125, x110, x126, x128, x129, x111, x116, x79, x132, x118, x133, x117, x134, x136, x137, x122, x138, x115, x139, x141, x142, x127, x143, x113, x144, x146, x147, x130, x148, x149, x131, x151, x135, x153, x140, x155, x145, x157, x158, x159, x160, x150, x161, x152, x154, x156, x162, x163, x164, x165; - x0 = _br2_load((in0)+((uintptr_t)0ULL), sizeof(uintptr_t)); - x1 = _br2_load((in0)+((uintptr_t)8ULL), sizeof(uintptr_t)); - x2 = _br2_load((in0)+((uintptr_t)16ULL), sizeof(uintptr_t)); - x3 = _br2_load((in0)+((uintptr_t)24ULL), sizeof(uintptr_t)); + x0 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); + x1 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); + x2 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); + x3 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); /*skip*/ /*skip*/ x4 = (x0)*(x3); 
@@ -864,14 +889,14 @@ void internal_fiat_curve25519_solinas_square(uintptr_t out0, uintptr_t in0) { x107 = (x104)+(x106); x108 = (x107)+(x72); x109 = (x108)+(x74); - x110 = ((uintptr_t)38ULL)*(x109); - x111 = _br2_mulhuu(((uintptr_t)38ULL), (x109)); - x112 = ((uintptr_t)38ULL)*(x105); - x113 = _br2_mulhuu(((uintptr_t)38ULL), (x105)); - x114 = ((uintptr_t)38ULL)*(x100); - x115 = _br2_mulhuu(((uintptr_t)38ULL), (x100)); - x116 = ((uintptr_t)38ULL)*(x95); - x117 = _br2_mulhuu(((uintptr_t)38ULL), (x95)); + x110 = ((uintptr_t)(UINTMAX_C(38)))*(x109); + x111 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x109)); + x112 = ((uintptr_t)(UINTMAX_C(38)))*(x105); + x113 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x105)); + x114 = ((uintptr_t)(UINTMAX_C(38)))*(x100); + x115 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x100)); + x116 = ((uintptr_t)(UINTMAX_C(38)))*(x95); + x117 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x95)); x118 = (x81)+(x114); x119 = (uintptr_t)((x118)<(x81)); x120 = (x119)+(x85); @@ -903,7 +928,7 @@ void internal_fiat_curve25519_solinas_square(uintptr_t out0, uintptr_t in0) { x146 = (uintptr_t)((x145)<(x113)); x147 = (x144)+(x146); x148 = (x147)+(x130); - x149 = ((uintptr_t)38ULL)*(x148); + x149 = ((uintptr_t)(UINTMAX_C(38)))*(x148); x150 = (x131)+(x149); x151 = (uintptr_t)((x150)<(x131)); x152 = (x151)+(x135); 
@@ -912,19 +937,19 @@ void internal_fiat_curve25519_solinas_square(uintptr_t out0, uintptr_t in0) { x155 = (uintptr_t)((x154)<(x140)); x156 = (x155)+(x145); x157 = (uintptr_t)((x156)<(x145)); - x158 = ((uintptr_t)-1ULL)+((uintptr_t)((x157)==((uintptr_t)0ULL))); - x159 = (x158)^((uintptr_t)18446744073709551615ULL); - x160 = (((uintptr_t)38ULL)&(x158))|(((uintptr_t)0ULL)&(x159)); + x158 = ((uintptr_t)(UINTMAX_C(-1)))+((uintptr_t)((x157)==((uintptr_t)(UINTMAX_C(0))))); + x159 = (x158)^((uintptr_t)(UINTMAX_C(18446744073709551615))); + x160 = (((uintptr_t)(UINTMAX_C(38)))&(x158))|(((uintptr_t)(UINTMAX_C(0)))&(x159)); x161 = (x160)+(x150); x162 = x161; x163 = x152; x164 = x154; x165 = x156; /*skip*/ - _br2_store((out0)+((uintptr_t)0ULL), x162, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)8ULL), x163, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)16ULL), x164, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)24ULL), x165, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(0))), x162, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(8))), x163, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(16))), x164, sizeof(uintptr_t)); + _br2_store((out0)+((uintptr_t)(UINTMAX_C(24))), x165, sizeof(uintptr_t)); /*skip*/ return; } From 03a7e18d0a8d3eaf78dda7198a5244a34b51ce0f Mon Sep 17 00:00:00 2001 
From: Samuel Tian
Date: Wed, 9 Nov 2022 18:14:38 -0500
Subject: [PATCH 66/69] remove mul2 for pr
---
 Makefile.examples | 2 +-
 fiat-bedrock2/src/curve25519_solinas_64.c | 463 +-
 fiat-c/src/curve25519_solinas_64.c | 436 +-
 .../64/curve25519solinas/curve25519solinas.go | 412 +-
 fiat-json/src/curve25519_solinas_64.json | 6256 -----------------
 fiat-rust/src/curve25519_solinas_64.rs | 425 +-
 fiat-zig/src/curve25519_solinas_64.zig | 426 +-
 src/Arithmetic/SolinasReduction.v | 53 -
 src/COperationSpecifications.v | 10 -
 src/PushButtonSynthesis/SolinasReduction.v | 33 +-
 .../SolinasReductionReificationCache.v | 13 -
 src/SlowPrimeSynthesisExamples.v | 112 -
 12 files changed, 12 insertions(+), 8629 deletions(-)
diff --git a/Makefile.examples b/Makefile.examples
index 9abc81759a..44adbe3865 100644
--- a/Makefile.examples
+++ b/Makefile.examples
@@ -87,7 +87,7 @@ endef
 UNSATURATED_SOLINAS_FUNCTIONS := carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax
 FUNCTIONS_FOR_25519 := $(UNSATURATED_SOLINAS_FUNCTIONS) carry_scmul121666
 WORD_BY_WORD_MONTGOMERY_FUNCTIONS := mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp
-SOLINAS_REDUCTION_FUNCTIONS := mul mul2 square
+SOLINAS_REDUCTION_FUNCTIONS := mul square
 UNSATURATED_SOLINAS := src/ExtractionOCaml/unsaturated_solinas
 WORD_BY_WORD_MONTGOMERY := src/ExtractionOCaml/word_by_word_montgomery
 SOLINAS_REDUCTION := src/ExtractionOCaml/solinas_reduction
diff --git a/fiat-bedrock2/src/curve25519_solinas_64.c b/fiat-bedrock2/src/curve25519_solinas_64.c
index 6e997642ec..aa2992a056 100644
--- a/fiat-bedrock2/src/curve25519_solinas_64.c
+++ b/fiat-bedrock2/src/curve25519_solinas_64.c
@@ -1,7 +1,7 @@ -/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mul mul2 square */ +/* Autogenerated: 'src/ExtractionOCaml/bedrock2_solinas_reduction' --lang bedrock2 --static --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select --no-field-element-typedefs curve25519_solinas 64 '2^255 - 19' mul square */ /* curve description: curve25519_solinas */ /* machine_wordsize = 64 (from "64") */ -/* requested operations: mul, mul2, square */ +/* requested operations: mul, square */ /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* */ /* Computed values: */ 
@@ -309,465 +309,6 @@ static void fiat_curve25519_solinas_mul(uint64_t out1[4], const uint64_t arg1[4] } -/* - * Input Bounds: - * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * in1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * in2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * in3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static -void internal_fiat_curve25519_solinas_mul2(uintptr_t out0, uintptr_t out1, uintptr_t in0, uintptr_t in1, uintptr_t in2, uintptr_t in3) { - uintptr_t x3, x2, x1, x7, x6, x5, x0, x4, x22, x43, x49, x41, x50, x20, x51, x53, x54, x33, x28, x48, x57, x52, x58, x23, x59, x61, x62, x55, x64, x25, x30, x45, x67, x56, x68, x31, x69, x71, x72, x60, x73, x26, x74, x76, x77, x63, x78, x18, x79, x81, x82, x65, x84, x17, x36, x66, x87, x70, x88, x34, x89, x91, x92, x75, x93, x29, x94, x96, x97, x80, x98, x21, x99, x101, x102, x83, x104, x85, x38, x47, x107, x86, x108, x39, x109, x111, x112, x90, x113, x37, x114, x116, x117, x95, x118, x32, x119, x121, x122, x100, x123, x24, x124, x126, x127, x103, x128, x16, x129, x131, x132, x105, x44, x106, x135, x110, x136, x42, x137, x139, x140, x115, x141, x40, x142, x144, x145, x120, x146, x35, x147, x149, x150, x125, x151, x27, x152, x154, x155, x130, x156, x19, x157, x159, x160, x133, x11, x10, x9, x15, x14, x13, x8, x12, x168, x189, x195, x187, x196, x166, x197, x199, x200, x179, x174, x194, x203, x198, x204, x169, x205, x207, x208, 
x201, x210, x171, x176, x191, x213, x202, x214, x177, x215, x217, x218, x206, x219, x172, x220, x222, x223, x209, x224, x164, x225, x227, x228, x211, x230, x163, x182, x212, x233, x216, x234, x180, x235, x237, x238, x221, x239, x175, x240, x242, x243, x226, x244, x167, x245, x247, x248, x229, x250, x231, x184, x193, x253, x232, x254, x185, x255, x257, x258, x236, x259, x183, x260, x262, x263, x241, x264, x178, x265, x267, x268, x246, x269, x170, x270, x272, x273, x249, x274, x162, x275, x277, x278, x251, x190, x252, x281, x256, x282, x188, x283, x285, x286, x261, x287, x186, x288, x290, x291, x266, x292, x181, x293, x295, x296, x271, x297, x173, x298, x300, x301, x276, x302, x165, x303, x305, x306, x279, x158, x153, x148, x310, x134, x315, x138, x316, x308, x317, x319, x320, x143, x322, x321, x323, x325, x161, x326, x327, x312, x46, x330, x314, x331, x313, x332, x334, x335, x318, x336, x311, x337, x339, x340, x324, x341, x309, x342, x344, x345, x328, x346, x347, x329, x349, x333, x351, x338, x353, x343, x355, x356, x357, x358, x348, x307, x304, x299, x294, x364, x280, x369, x284, x370, x362, x371, x373, x374, x289, x375, x360, x376, x378, x379, x361, x366, x192, x382, x368, x383, x367, x384, x386, x387, x372, x388, x365, x389, x391, x392, x377, x393, x363, x394, x396, x397, x380, x398, x399, x381, x401, x385, x403, x390, x405, x395, x407, x408, x409, x410, x400, x359, x350, x352, x354, x411, x402, x404, x406, x412, x413, x414, x415, x416, x417, x418, x419; - x0 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); - x1 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); - x2 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); - x3 = _br2_load((in0)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); - /*skip*/ - x4 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); - x5 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); - x6 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); 
- x7 = _br2_load((in1)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); - /*skip*/ - x8 = _br2_load((in2)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); - x9 = _br2_load((in2)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); - x10 = _br2_load((in2)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); - x11 = _br2_load((in2)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); - /*skip*/ - x12 = _br2_load((in3)+((uintptr_t)(UINTMAX_C(0))), sizeof(uintptr_t)); - x13 = _br2_load((in3)+((uintptr_t)(UINTMAX_C(8))), sizeof(uintptr_t)); - x14 = _br2_load((in3)+((uintptr_t)(UINTMAX_C(16))), sizeof(uintptr_t)); - x15 = _br2_load((in3)+((uintptr_t)(UINTMAX_C(24))), sizeof(uintptr_t)); - /*skip*/ - /*skip*/ - x16 = (x3)*(x7); - x17 = _br2_mulhuu((x3), (x7)); - x18 = (x3)*(x6); - x19 = _br2_mulhuu((x3), (x6)); - x20 = (x3)*(x5); - x21 = _br2_mulhuu((x3), (x5)); - x22 = (x3)*(x4); - x23 = _br2_mulhuu((x3), (x4)); - x24 = (x2)*(x7); - x25 = _br2_mulhuu((x2), (x7)); - x26 = (x2)*(x6); - x27 = _br2_mulhuu((x2), (x6)); - x28 = (x2)*(x5); - x29 = _br2_mulhuu((x2), (x5)); - x30 = (x2)*(x4); - x31 = _br2_mulhuu((x2), (x4)); - x32 = (x1)*(x7); - x33 = _br2_mulhuu((x1), (x7)); - x34 = (x1)*(x6); - x35 = _br2_mulhuu((x1), (x6)); - x36 = (x1)*(x5); - x37 = _br2_mulhuu((x1), (x5)); - x38 = (x1)*(x4); - x39 = _br2_mulhuu((x1), (x4)); - x40 = (x0)*(x7); - x41 = _br2_mulhuu((x0), (x7)); - x42 = (x0)*(x6); - x43 = _br2_mulhuu((x0), (x6)); - x44 = (x0)*(x5); - x45 = _br2_mulhuu((x0), (x5)); - x46 = (x0)*(x4); - x47 = _br2_mulhuu((x0), (x4)); - x48 = (x43)+(x22); - x49 = (uintptr_t)((x48)<(x43)); - x50 = (x49)+(x41); - x51 = (uintptr_t)((x50)<(x41)); - x52 = (x50)+(x20); - x53 = (uintptr_t)((x52)<(x20)); - x54 = (x51)+(x53); - x55 = (x54)+(x33); - x56 = (x48)+(x28); - x57 = (uintptr_t)((x56)<(x48)); - x58 = (x57)+(x52); - x59 = (uintptr_t)((x58)<(x52)); - x60 = (x58)+(x23); - x61 = (uintptr_t)((x60)<(x23)); - x62 = (x59)+(x61); - x63 = (x62)+(x55); - x64 = (uintptr_t)((x63)<(x55)); - x65 = 
(x64)+(x25); - x66 = (x45)+(x30); - x67 = (uintptr_t)((x66)<(x45)); - x68 = (x67)+(x56); - x69 = (uintptr_t)((x68)<(x56)); - x70 = (x68)+(x31); - x71 = (uintptr_t)((x70)<(x31)); - x72 = (x69)+(x71); - x73 = (x72)+(x60); - x74 = (uintptr_t)((x73)<(x60)); - x75 = (x73)+(x26); - x76 = (uintptr_t)((x75)<(x26)); - x77 = (x74)+(x76); - x78 = (x77)+(x63); - x79 = (uintptr_t)((x78)<(x63)); - x80 = (x78)+(x18); - x81 = (uintptr_t)((x80)<(x18)); - x82 = (x79)+(x81); - x83 = (x82)+(x65); - x84 = (uintptr_t)((x83)<(x65)); - x85 = (x84)+(x17); - x86 = (x66)+(x36); - x87 = (uintptr_t)((x86)<(x66)); - x88 = (x87)+(x70); - x89 = (uintptr_t)((x88)<(x70)); - x90 = (x88)+(x34); - x91 = (uintptr_t)((x90)<(x34)); - x92 = (x89)+(x91); - x93 = (x92)+(x75); - x94 = (uintptr_t)((x93)<(x75)); - x95 = (x93)+(x29); - x96 = (uintptr_t)((x95)<(x29)); - x97 = (x94)+(x96); - x98 = (x97)+(x80); - x99 = (uintptr_t)((x98)<(x80)); - x100 = (x98)+(x21); - x101 = (uintptr_t)((x100)<(x21)); - x102 = (x99)+(x101); - x103 = (x102)+(x83); - x104 = (uintptr_t)((x103)<(x83)); - x105 = (x104)+(x85); - x106 = (x47)+(x38); - x107 = (uintptr_t)((x106)<(x47)); - x108 = (x107)+(x86); - x109 = (uintptr_t)((x108)<(x86)); - x110 = (x108)+(x39); - x111 = (uintptr_t)((x110)<(x39)); - x112 = (x109)+(x111); - x113 = (x112)+(x90); - x114 = (uintptr_t)((x113)<(x90)); - x115 = (x113)+(x37); - x116 = (uintptr_t)((x115)<(x37)); - x117 = (x114)+(x116); - x118 = (x117)+(x95); - x119 = (uintptr_t)((x118)<(x95)); - x120 = (x118)+(x32); - x121 = (uintptr_t)((x120)<(x32)); - x122 = (x119)+(x121); - x123 = (x122)+(x100); - x124 = (uintptr_t)((x123)<(x100)); - x125 = (x123)+(x24); - x126 = (uintptr_t)((x125)<(x24)); - x127 = (x124)+(x126); - x128 = (x127)+(x103); - x129 = (uintptr_t)((x128)<(x103)); - x130 = (x128)+(x16); - x131 = (uintptr_t)((x130)<(x16)); - x132 = (x129)+(x131); - x133 = (x132)+(x105); - x134 = (x106)+(x44); - x135 = (uintptr_t)((x134)<(x106)); - x136 = (x135)+(x110); - x137 = (uintptr_t)((x136)<(x110)); - x138 = 
(x136)+(x42); - x139 = (uintptr_t)((x138)<(x42)); - x140 = (x137)+(x139); - x141 = (x140)+(x115); - x142 = (uintptr_t)((x141)<(x115)); - x143 = (x141)+(x40); - x144 = (uintptr_t)((x143)<(x40)); - x145 = (x142)+(x144); - x146 = (x145)+(x120); - x147 = (uintptr_t)((x146)<(x120)); - x148 = (x146)+(x35); - x149 = (uintptr_t)((x148)<(x35)); - x150 = (x147)+(x149); - x151 = (x150)+(x125); - x152 = (uintptr_t)((x151)<(x125)); - x153 = (x151)+(x27); - x154 = (uintptr_t)((x153)<(x27)); - x155 = (x152)+(x154); - x156 = (x155)+(x130); - x157 = (uintptr_t)((x156)<(x130)); - x158 = (x156)+(x19); - x159 = (uintptr_t)((x158)<(x19)); - x160 = (x157)+(x159); - x161 = (x160)+(x133); - x162 = (x11)*(x15); - x163 = _br2_mulhuu((x11), (x15)); - x164 = (x11)*(x14); - x165 = _br2_mulhuu((x11), (x14)); - x166 = (x11)*(x13); - x167 = _br2_mulhuu((x11), (x13)); - x168 = (x11)*(x12); - x169 = _br2_mulhuu((x11), (x12)); - x170 = (x10)*(x15); - x171 = _br2_mulhuu((x10), (x15)); - x172 = (x10)*(x14); - x173 = _br2_mulhuu((x10), (x14)); - x174 = (x10)*(x13); - x175 = _br2_mulhuu((x10), (x13)); - x176 = (x10)*(x12); - x177 = _br2_mulhuu((x10), (x12)); - x178 = (x9)*(x15); - x179 = _br2_mulhuu((x9), (x15)); - x180 = (x9)*(x14); - x181 = _br2_mulhuu((x9), (x14)); - x182 = (x9)*(x13); - x183 = _br2_mulhuu((x9), (x13)); - x184 = (x9)*(x12); - x185 = _br2_mulhuu((x9), (x12)); - x186 = (x8)*(x15); - x187 = _br2_mulhuu((x8), (x15)); - x188 = (x8)*(x14); - x189 = _br2_mulhuu((x8), (x14)); - x190 = (x8)*(x13); - x191 = _br2_mulhuu((x8), (x13)); - x192 = (x8)*(x12); - x193 = _br2_mulhuu((x8), (x12)); - x194 = (x189)+(x168); - x195 = (uintptr_t)((x194)<(x189)); - x196 = (x195)+(x187); - x197 = (uintptr_t)((x196)<(x187)); - x198 = (x196)+(x166); - x199 = (uintptr_t)((x198)<(x166)); - x200 = (x197)+(x199); - x201 = (x200)+(x179); - x202 = (x194)+(x174); - x203 = (uintptr_t)((x202)<(x194)); - x204 = (x203)+(x198); - x205 = (uintptr_t)((x204)<(x198)); - x206 = (x204)+(x169); - x207 = (uintptr_t)((x206)<(x169)); 
- x208 = (x205)+(x207); - x209 = (x208)+(x201); - x210 = (uintptr_t)((x209)<(x201)); - x211 = (x210)+(x171); - x212 = (x191)+(x176); - x213 = (uintptr_t)((x212)<(x191)); - x214 = (x213)+(x202); - x215 = (uintptr_t)((x214)<(x202)); - x216 = (x214)+(x177); - x217 = (uintptr_t)((x216)<(x177)); - x218 = (x215)+(x217); - x219 = (x218)+(x206); - x220 = (uintptr_t)((x219)<(x206)); - x221 = (x219)+(x172); - x222 = (uintptr_t)((x221)<(x172)); - x223 = (x220)+(x222); - x224 = (x223)+(x209); - x225 = (uintptr_t)((x224)<(x209)); - x226 = (x224)+(x164); - x227 = (uintptr_t)((x226)<(x164)); - x228 = (x225)+(x227); - x229 = (x228)+(x211); - x230 = (uintptr_t)((x229)<(x211)); - x231 = (x230)+(x163); - x232 = (x212)+(x182); - x233 = (uintptr_t)((x232)<(x212)); - x234 = (x233)+(x216); - x235 = (uintptr_t)((x234)<(x216)); - x236 = (x234)+(x180); - x237 = (uintptr_t)((x236)<(x180)); - x238 = (x235)+(x237); - x239 = (x238)+(x221); - x240 = (uintptr_t)((x239)<(x221)); - x241 = (x239)+(x175); - x242 = (uintptr_t)((x241)<(x175)); - x243 = (x240)+(x242); - x244 = (x243)+(x226); - x245 = (uintptr_t)((x244)<(x226)); - x246 = (x244)+(x167); - x247 = (uintptr_t)((x246)<(x167)); - x248 = (x245)+(x247); - x249 = (x248)+(x229); - x250 = (uintptr_t)((x249)<(x229)); - x251 = (x250)+(x231); - x252 = (x193)+(x184); - x253 = (uintptr_t)((x252)<(x193)); - x254 = (x253)+(x232); - x255 = (uintptr_t)((x254)<(x232)); - x256 = (x254)+(x185); - x257 = (uintptr_t)((x256)<(x185)); - x258 = (x255)+(x257); - x259 = (x258)+(x236); - x260 = (uintptr_t)((x259)<(x236)); - x261 = (x259)+(x183); - x262 = (uintptr_t)((x261)<(x183)); - x263 = (x260)+(x262); - x264 = (x263)+(x241); - x265 = (uintptr_t)((x264)<(x241)); - x266 = (x264)+(x178); - x267 = (uintptr_t)((x266)<(x178)); - x268 = (x265)+(x267); - x269 = (x268)+(x246); - x270 = (uintptr_t)((x269)<(x246)); - x271 = (x269)+(x170); - x272 = (uintptr_t)((x271)<(x170)); - x273 = (x270)+(x272); - x274 = (x273)+(x249); - x275 = (uintptr_t)((x274)<(x249)); - x276 = 
(x274)+(x162); - x277 = (uintptr_t)((x276)<(x162)); - x278 = (x275)+(x277); - x279 = (x278)+(x251); - x280 = (x252)+(x190); - x281 = (uintptr_t)((x280)<(x252)); - x282 = (x281)+(x256); - x283 = (uintptr_t)((x282)<(x256)); - x284 = (x282)+(x188); - x285 = (uintptr_t)((x284)<(x188)); - x286 = (x283)+(x285); - x287 = (x286)+(x261); - x288 = (uintptr_t)((x287)<(x261)); - x289 = (x287)+(x186); - x290 = (uintptr_t)((x289)<(x186)); - x291 = (x288)+(x290); - x292 = (x291)+(x266); - x293 = (uintptr_t)((x292)<(x266)); - x294 = (x292)+(x181); - x295 = (uintptr_t)((x294)<(x181)); - x296 = (x293)+(x295); - x297 = (x296)+(x271); - x298 = (uintptr_t)((x297)<(x271)); - x299 = (x297)+(x173); - x300 = (uintptr_t)((x299)<(x173)); - x301 = (x298)+(x300); - x302 = (x301)+(x276); - x303 = (uintptr_t)((x302)<(x276)); - x304 = (x302)+(x165); - x305 = (uintptr_t)((x304)<(x165)); - x306 = (x303)+(x305); - x307 = (x306)+(x279); - x308 = ((uintptr_t)(UINTMAX_C(38)))*(x158); - x309 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x158)); - x310 = ((uintptr_t)(UINTMAX_C(38)))*(x153); - x311 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x153)); - x312 = ((uintptr_t)(UINTMAX_C(38)))*(x148); - x313 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x148)); - x314 = (x134)+(x310); - x315 = (uintptr_t)((x314)<(x134)); - x316 = (x315)+(x138); - x317 = (uintptr_t)((x316)<(x138)); - x318 = (x316)+(x308); - x319 = (uintptr_t)((x318)<(x308)); - x320 = (x317)+(x319); - x321 = ((uintptr_t)(UINTMAX_C(38)))*(x161); - x322 = (x320)+(x143); - x323 = (uintptr_t)((x322)<(x143)); - x324 = (x322)+(x321); - x325 = (uintptr_t)((x324)<(x321)); - x326 = (x323)+(x325); - x327 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x161)); - x328 = (x326)+(x327); - x329 = (x46)+(x312); - x330 = (uintptr_t)((x329)<(x46)); - x331 = (x330)+(x314); - x332 = (uintptr_t)((x331)<(x314)); - x333 = (x331)+(x313); - x334 = (uintptr_t)((x333)<(x313)); - x335 = (x332)+(x334); - x336 = (x335)+(x318); - x337 = (uintptr_t)((x336)<(x318)); - x338 = 
(x336)+(x311); - x339 = (uintptr_t)((x338)<(x311)); - x340 = (x337)+(x339); - x341 = (x340)+(x324); - x342 = (uintptr_t)((x341)<(x324)); - x343 = (x341)+(x309); - x344 = (uintptr_t)((x343)<(x309)); - x345 = (x342)+(x344); - x346 = (x345)+(x328); - x347 = ((uintptr_t)(UINTMAX_C(38)))*(x346); - x348 = (x329)+(x347); - x349 = (uintptr_t)((x348)<(x329)); - x350 = (x349)+(x333); - x351 = (uintptr_t)((x350)<(x333)); - x352 = (x351)+(x338); - x353 = (uintptr_t)((x352)<(x338)); - x354 = (x353)+(x343); - x355 = (uintptr_t)((x354)<(x343)); - x356 = ((uintptr_t)(UINTMAX_C(-1)))+((uintptr_t)((x355)==((uintptr_t)(UINTMAX_C(0))))); - x357 = (x356)^((uintptr_t)(UINTMAX_C(18446744073709551615))); - x358 = (((uintptr_t)(UINTMAX_C(38)))&(x356))|(((uintptr_t)(UINTMAX_C(0)))&(x357)); - x359 = (x358)+(x348); - x360 = ((uintptr_t)(UINTMAX_C(38)))*(x307); - x361 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x307)); - x362 = ((uintptr_t)(UINTMAX_C(38)))*(x304); - x363 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x304)); - x364 = ((uintptr_t)(UINTMAX_C(38)))*(x299); - x365 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x299)); - x366 = ((uintptr_t)(UINTMAX_C(38)))*(x294); - x367 = _br2_mulhuu(((uintptr_t)(UINTMAX_C(38))), (x294)); - x368 = (x280)+(x364); - x369 = (uintptr_t)((x368)<(x280)); - x370 = (x369)+(x284); - x371 = (uintptr_t)((x370)<(x284)); - x372 = (x370)+(x362); - x373 = (uintptr_t)((x372)<(x362)); - x374 = (x371)+(x373); - x375 = (x374)+(x289); - x376 = (uintptr_t)((x375)<(x289)); - x377 = (x375)+(x360); - x378 = (uintptr_t)((x377)<(x360)); - x379 = (x376)+(x378); - x380 = (x379)+(x361); - x381 = (x192)+(x366); - x382 = (uintptr_t)((x381)<(x192)); - x383 = (x382)+(x368); - x384 = (uintptr_t)((x383)<(x368)); - x385 = (x383)+(x367); - x386 = (uintptr_t)((x385)<(x367)); - x387 = (x384)+(x386); - x388 = (x387)+(x372); - x389 = (uintptr_t)((x388)<(x372)); - x390 = (x388)+(x365); - x391 = (uintptr_t)((x390)<(x365)); - x392 = (x389)+(x391); - x393 = (x392)+(x377); - x394 = 
(uintptr_t)((x393)<(x377)); - x395 = (x393)+(x363); - x396 = (uintptr_t)((x395)<(x363)); - x397 = (x394)+(x396); - x398 = (x397)+(x380); - x399 = ((uintptr_t)(UINTMAX_C(38)))*(x398); - x400 = (x381)+(x399); - x401 = (uintptr_t)((x400)<(x381)); - x402 = (x401)+(x385); - x403 = (uintptr_t)((x402)<(x385)); - x404 = (x403)+(x390); - x405 = (uintptr_t)((x404)<(x390)); - x406 = (x405)+(x395); - x407 = (uintptr_t)((x406)<(x395)); - x408 = ((uintptr_t)(UINTMAX_C(-1)))+((uintptr_t)((x407)==((uintptr_t)(UINTMAX_C(0))))); - x409 = (x408)^((uintptr_t)(UINTMAX_C(18446744073709551615))); - x410 = (((uintptr_t)(UINTMAX_C(38)))&(x408))|(((uintptr_t)(UINTMAX_C(0)))&(x409)); - x411 = (x410)+(x400); - x412 = x359; - x413 = x350; - x414 = x352; - x415 = x354; - /*skip*/ - x416 = x411; - x417 = x402; - x418 = x404; - x419 = x406; - /*skip*/ - _br2_store((out0)+((uintptr_t)(UINTMAX_C(0))), x412, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)(UINTMAX_C(8))), x413, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)(UINTMAX_C(16))), x414, sizeof(uintptr_t)); - _br2_store((out0)+((uintptr_t)(UINTMAX_C(24))), x415, sizeof(uintptr_t)); - /*skip*/ - _br2_store((out1)+((uintptr_t)(UINTMAX_C(0))), x416, sizeof(uintptr_t)); - _br2_store((out1)+((uintptr_t)(UINTMAX_C(8))), x417, sizeof(uintptr_t)); - _br2_store((out1)+((uintptr_t)(UINTMAX_C(16))), x418, sizeof(uintptr_t)); - _br2_store((out1)+((uintptr_t)(UINTMAX_C(24))), x419, sizeof(uintptr_t)); - /*skip*/ - return; -} - -/* NOTE: The following wrapper function is not covered by Coq proofs */ -static void fiat_curve25519_solinas_mul2(uint64_t out1[4], uint64_t out2[4], const uint64_t arg1[4], const uint64_t arg2[4], const uint64_t arg3[4], const uint64_t arg4[4]) { - internal_fiat_curve25519_solinas_mul2((uintptr_t)out1, (uintptr_t)out2, (uintptr_t)arg1, (uintptr_t)arg2, (uintptr_t)arg3, (uintptr_t)arg4); -} - - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff]] diff --git a/fiat-c/src/curve25519_solinas_64.c b/fiat-c/src/curve25519_solinas_64.c index 26ab9c5e90..3448f17d51 100644 --- a/fiat-c/src/curve25519_solinas_64.c +++ b/fiat-c/src/curve25519_solinas_64.c @@ -1,7 +1,7 @@ -/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mul mul2 square */ +/* Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --inline --static --use-value-barrier curve25519_solinas 64 '2^255 - 19' mul square */ /* curve description: curve25519_solinas */ /* machine_wordsize = 64 (from "64") */ -/* requested operations: mul, mul2, square */ +/* requested operations: mul, square */ /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* */ /* Computed values: */ 
@@ -355,438 +355,6 @@ static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul(uint out1[3] = x128; } -/* - * The function fiat_curve25519_solinas_mul2 multiplies two field elements. - * - * Postconditions: - * eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 - * eval out2 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg3 * eval arg4) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -static FIAT_CURVE25519_SOLINAS_FIAT_INLINE void fiat_curve25519_solinas_mul2(uint64_t out1[4], uint64_t out2[4], const uint64_t arg1[4], const uint64_t arg2[4], const uint64_t arg3[4], const uint64_t arg4[4]) { - uint64_t x1; - uint64_t x2; - uint64_t x3; - uint64_t x4; - uint64_t x5; - uint64_t x6; - uint64_t x7; - uint64_t x8; - uint64_t x9; - uint64_t x10; - uint64_t x11; - uint64_t x12; - uint64_t x13; - uint64_t x14; - uint64_t x15; - uint64_t x16; - uint64_t x17; - uint64_t x18; - uint64_t x19; - uint64_t x20; - uint64_t x21; - uint64_t x22; - 
uint64_t x23; - uint64_t x24; - uint64_t x25; - uint64_t x26; - uint64_t x27; - uint64_t x28; - uint64_t x29; - uint64_t x30; - uint64_t x31; - uint64_t x32; - uint64_t x33; - fiat_curve25519_solinas_uint1 x34; - uint64_t x35; - fiat_curve25519_solinas_uint1 x36; - uint64_t x37; - uint64_t x38; - fiat_curve25519_solinas_uint1 x39; - uint64_t x40; - fiat_curve25519_solinas_uint1 x41; - uint64_t x42; - fiat_curve25519_solinas_uint1 x43; - uint64_t x44; - uint64_t x45; - fiat_curve25519_solinas_uint1 x46; - uint64_t x47; - fiat_curve25519_solinas_uint1 x48; - uint64_t x49; - fiat_curve25519_solinas_uint1 x50; - uint64_t x51; - fiat_curve25519_solinas_uint1 x52; - uint64_t x53; - fiat_curve25519_solinas_uint1 x54; - uint64_t x55; - uint64_t x56; - fiat_curve25519_solinas_uint1 x57; - uint64_t x58; - fiat_curve25519_solinas_uint1 x59; - uint64_t x60; - fiat_curve25519_solinas_uint1 x61; - uint64_t x62; - fiat_curve25519_solinas_uint1 x63; - uint64_t x64; - fiat_curve25519_solinas_uint1 x65; - uint64_t x66; - fiat_curve25519_solinas_uint1 x67; - uint64_t x68; - fiat_curve25519_solinas_uint1 x69; - uint64_t x70; - fiat_curve25519_solinas_uint1 x71; - uint64_t x72; - fiat_curve25519_solinas_uint1 x73; - uint64_t x74; - fiat_curve25519_solinas_uint1 x75; - uint64_t x76; - fiat_curve25519_solinas_uint1 x77; - uint64_t x78; - fiat_curve25519_solinas_uint1 x79; - uint64_t x80; - fiat_curve25519_solinas_uint1 x81; - uint64_t x82; - fiat_curve25519_solinas_uint1 x83; - uint64_t x84; - fiat_curve25519_solinas_uint1 x85; - uint64_t x86; - fiat_curve25519_solinas_uint1 x87; - uint64_t x88; - fiat_curve25519_solinas_uint1 x89; - uint64_t x90; - fiat_curve25519_solinas_uint1 x91; - uint64_t x92; - fiat_curve25519_solinas_uint1 x93; - uint64_t x94; - fiat_curve25519_solinas_uint1 x95; - uint64_t x96; - uint64_t x97; - uint64_t x98; - uint64_t x99; - uint64_t x100; - uint64_t x101; - uint64_t x102; - uint64_t x103; - uint64_t x104; - uint64_t x105; - uint64_t x106; - uint64_t x107; - 
uint64_t x108; - uint64_t x109; - uint64_t x110; - uint64_t x111; - uint64_t x112; - uint64_t x113; - uint64_t x114; - uint64_t x115; - uint64_t x116; - uint64_t x117; - uint64_t x118; - uint64_t x119; - uint64_t x120; - uint64_t x121; - uint64_t x122; - uint64_t x123; - uint64_t x124; - uint64_t x125; - uint64_t x126; - uint64_t x127; - uint64_t x128; - fiat_curve25519_solinas_uint1 x129; - uint64_t x130; - fiat_curve25519_solinas_uint1 x131; - uint64_t x132; - uint64_t x133; - fiat_curve25519_solinas_uint1 x134; - uint64_t x135; - fiat_curve25519_solinas_uint1 x136; - uint64_t x137; - fiat_curve25519_solinas_uint1 x138; - uint64_t x139; - uint64_t x140; - fiat_curve25519_solinas_uint1 x141; - uint64_t x142; - fiat_curve25519_solinas_uint1 x143; - uint64_t x144; - fiat_curve25519_solinas_uint1 x145; - uint64_t x146; - fiat_curve25519_solinas_uint1 x147; - uint64_t x148; - fiat_curve25519_solinas_uint1 x149; - uint64_t x150; - uint64_t x151; - fiat_curve25519_solinas_uint1 x152; - uint64_t x153; - fiat_curve25519_solinas_uint1 x154; - uint64_t x155; - fiat_curve25519_solinas_uint1 x156; - uint64_t x157; - fiat_curve25519_solinas_uint1 x158; - uint64_t x159; - fiat_curve25519_solinas_uint1 x160; - uint64_t x161; - fiat_curve25519_solinas_uint1 x162; - uint64_t x163; - fiat_curve25519_solinas_uint1 x164; - uint64_t x165; - fiat_curve25519_solinas_uint1 x166; - uint64_t x167; - fiat_curve25519_solinas_uint1 x168; - uint64_t x169; - fiat_curve25519_solinas_uint1 x170; - uint64_t x171; - fiat_curve25519_solinas_uint1 x172; - uint64_t x173; - fiat_curve25519_solinas_uint1 x174; - uint64_t x175; - fiat_curve25519_solinas_uint1 x176; - uint64_t x177; - fiat_curve25519_solinas_uint1 x178; - uint64_t x179; - fiat_curve25519_solinas_uint1 x180; - uint64_t x181; - fiat_curve25519_solinas_uint1 x182; - uint64_t x183; - fiat_curve25519_solinas_uint1 x184; - uint64_t x185; - fiat_curve25519_solinas_uint1 x186; - uint64_t x187; - fiat_curve25519_solinas_uint1 x188; - uint64_t 
x189; - fiat_curve25519_solinas_uint1 x190; - uint64_t x191; - uint64_t x192; - uint64_t x193; - uint64_t x194; - uint64_t x195; - uint64_t x196; - uint64_t x197; - fiat_curve25519_solinas_uint1 x198; - uint64_t x199; - fiat_curve25519_solinas_uint1 x200; - uint64_t x201; - uint64_t x202; - uint64_t x203; - fiat_curve25519_solinas_uint1 x204; - uint64_t x205; - uint64_t x206; - uint64_t x207; - uint64_t x208; - fiat_curve25519_solinas_uint1 x209; - uint64_t x210; - fiat_curve25519_solinas_uint1 x211; - uint64_t x212; - fiat_curve25519_solinas_uint1 x213; - uint64_t x214; - fiat_curve25519_solinas_uint1 x215; - uint64_t x216; - uint64_t x217; - uint64_t x218; - uint64_t x219; - fiat_curve25519_solinas_uint1 x220; - uint64_t x221; - fiat_curve25519_solinas_uint1 x222; - uint64_t x223; - fiat_curve25519_solinas_uint1 x224; - uint64_t x225; - fiat_curve25519_solinas_uint1 x226; - uint64_t x227; - uint64_t x228; - fiat_curve25519_solinas_uint1 x229; - uint64_t x230; - uint64_t x231; - uint64_t x232; - uint64_t x233; - uint64_t x234; - uint64_t x235; - uint64_t x236; - uint64_t x237; - uint64_t x238; - fiat_curve25519_solinas_uint1 x239; - uint64_t x240; - fiat_curve25519_solinas_uint1 x241; - uint64_t x242; - fiat_curve25519_solinas_uint1 x243; - uint64_t x244; - uint64_t x245; - fiat_curve25519_solinas_uint1 x246; - uint64_t x247; - fiat_curve25519_solinas_uint1 x248; - uint64_t x249; - fiat_curve25519_solinas_uint1 x250; - uint64_t x251; - fiat_curve25519_solinas_uint1 x252; - uint64_t x253; - uint64_t x254; - uint64_t x255; - uint64_t x256; - fiat_curve25519_solinas_uint1 x257; - uint64_t x258; - fiat_curve25519_solinas_uint1 x259; - uint64_t x260; - fiat_curve25519_solinas_uint1 x261; - uint64_t x262; - fiat_curve25519_solinas_uint1 x263; - uint64_t x264; - uint64_t x265; - fiat_curve25519_solinas_uint1 x266; - fiat_curve25519_solinas_mulx_u64(&x1, &x2, (arg1[3]), (arg2[3])); - fiat_curve25519_solinas_mulx_u64(&x3, &x4, (arg1[3]), (arg2[2])); - 
fiat_curve25519_solinas_mulx_u64(&x5, &x6, (arg1[3]), (arg2[1])); - fiat_curve25519_solinas_mulx_u64(&x7, &x8, (arg1[3]), (arg2[0])); - fiat_curve25519_solinas_mulx_u64(&x9, &x10, (arg1[2]), (arg2[3])); - fiat_curve25519_solinas_mulx_u64(&x11, &x12, (arg1[2]), (arg2[2])); - fiat_curve25519_solinas_mulx_u64(&x13, &x14, (arg1[2]), (arg2[1])); - fiat_curve25519_solinas_mulx_u64(&x15, &x16, (arg1[2]), (arg2[0])); - fiat_curve25519_solinas_mulx_u64(&x17, &x18, (arg1[1]), (arg2[3])); - fiat_curve25519_solinas_mulx_u64(&x19, &x20, (arg1[1]), (arg2[2])); - fiat_curve25519_solinas_mulx_u64(&x21, &x22, (arg1[1]), (arg2[1])); - fiat_curve25519_solinas_mulx_u64(&x23, &x24, (arg1[1]), (arg2[0])); - fiat_curve25519_solinas_mulx_u64(&x25, &x26, (arg1[0]), (arg2[3])); - fiat_curve25519_solinas_mulx_u64(&x27, &x28, (arg1[0]), (arg2[2])); - fiat_curve25519_solinas_mulx_u64(&x29, &x30, (arg1[0]), (arg2[1])); - fiat_curve25519_solinas_mulx_u64(&x31, &x32, (arg1[0]), (arg2[0])); - fiat_curve25519_solinas_addcarryx_u64(&x33, &x34, 0x0, x28, x7); - fiat_curve25519_solinas_addcarryx_u64(&x35, &x36, x34, x26, x5); - x37 = (x36 + x18); - fiat_curve25519_solinas_addcarryx_u64(&x38, &x39, 0x0, x33, x13); - fiat_curve25519_solinas_addcarryx_u64(&x40, &x41, x39, x35, x8); - fiat_curve25519_solinas_addcarryx_u64(&x42, &x43, x41, x37, 0x0); - x44 = (x43 + x10); - fiat_curve25519_solinas_addcarryx_u64(&x45, &x46, 0x0, x30, x15); - fiat_curve25519_solinas_addcarryx_u64(&x47, &x48, x46, x38, x16); - fiat_curve25519_solinas_addcarryx_u64(&x49, &x50, x48, x40, x11); - fiat_curve25519_solinas_addcarryx_u64(&x51, &x52, x50, x42, x3); - fiat_curve25519_solinas_addcarryx_u64(&x53, &x54, x52, x44, 0x0); - x55 = (x54 + x2); - fiat_curve25519_solinas_addcarryx_u64(&x56, &x57, 0x0, x45, x21); - fiat_curve25519_solinas_addcarryx_u64(&x58, &x59, x57, x47, x19); - fiat_curve25519_solinas_addcarryx_u64(&x60, &x61, x59, x49, x14); - fiat_curve25519_solinas_addcarryx_u64(&x62, &x63, x61, x51, x6); - 
fiat_curve25519_solinas_addcarryx_u64(&x64, &x65, x63, x53, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x66, &x67, x65, x55, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x68, &x69, 0x0, x32, x23); - fiat_curve25519_solinas_addcarryx_u64(&x70, &x71, x69, x56, x24); - fiat_curve25519_solinas_addcarryx_u64(&x72, &x73, x71, x58, x22); - fiat_curve25519_solinas_addcarryx_u64(&x74, &x75, x73, x60, x17); - fiat_curve25519_solinas_addcarryx_u64(&x76, &x77, x75, x62, x9); - fiat_curve25519_solinas_addcarryx_u64(&x78, &x79, x77, x64, x1); - fiat_curve25519_solinas_addcarryx_u64(&x80, &x81, x79, x66, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x82, &x83, 0x0, x68, x29); - fiat_curve25519_solinas_addcarryx_u64(&x84, &x85, x83, x70, x27); - fiat_curve25519_solinas_addcarryx_u64(&x86, &x87, x85, x72, x25); - fiat_curve25519_solinas_addcarryx_u64(&x88, &x89, x87, x74, x20); - fiat_curve25519_solinas_addcarryx_u64(&x90, &x91, x89, x76, x12); - fiat_curve25519_solinas_addcarryx_u64(&x92, &x93, x91, x78, x4); - fiat_curve25519_solinas_addcarryx_u64(&x94, &x95, x93, x80, 0x0); - fiat_curve25519_solinas_mulx_u64(&x96, &x97, (arg3[3]), (arg4[3])); - fiat_curve25519_solinas_mulx_u64(&x98, &x99, (arg3[3]), (arg4[2])); - fiat_curve25519_solinas_mulx_u64(&x100, &x101, (arg3[3]), (arg4[1])); - fiat_curve25519_solinas_mulx_u64(&x102, &x103, (arg3[3]), (arg4[0])); - fiat_curve25519_solinas_mulx_u64(&x104, &x105, (arg3[2]), (arg4[3])); - fiat_curve25519_solinas_mulx_u64(&x106, &x107, (arg3[2]), (arg4[2])); - fiat_curve25519_solinas_mulx_u64(&x108, &x109, (arg3[2]), (arg4[1])); - fiat_curve25519_solinas_mulx_u64(&x110, &x111, (arg3[2]), (arg4[0])); - fiat_curve25519_solinas_mulx_u64(&x112, &x113, (arg3[1]), (arg4[3])); - fiat_curve25519_solinas_mulx_u64(&x114, &x115, (arg3[1]), (arg4[2])); - fiat_curve25519_solinas_mulx_u64(&x116, &x117, (arg3[1]), (arg4[1])); - fiat_curve25519_solinas_mulx_u64(&x118, &x119, (arg3[1]), (arg4[0])); - fiat_curve25519_solinas_mulx_u64(&x120, &x121, 
(arg3[0]), (arg4[3])); - fiat_curve25519_solinas_mulx_u64(&x122, &x123, (arg3[0]), (arg4[2])); - fiat_curve25519_solinas_mulx_u64(&x124, &x125, (arg3[0]), (arg4[1])); - fiat_curve25519_solinas_mulx_u64(&x126, &x127, (arg3[0]), (arg4[0])); - fiat_curve25519_solinas_addcarryx_u64(&x128, &x129, 0x0, x123, x102); - fiat_curve25519_solinas_addcarryx_u64(&x130, &x131, x129, x121, x100); - x132 = (x131 + x113); - fiat_curve25519_solinas_addcarryx_u64(&x133, &x134, 0x0, x128, x108); - fiat_curve25519_solinas_addcarryx_u64(&x135, &x136, x134, x130, x103); - fiat_curve25519_solinas_addcarryx_u64(&x137, &x138, x136, x132, 0x0); - x139 = (x138 + x105); - fiat_curve25519_solinas_addcarryx_u64(&x140, &x141, 0x0, x125, x110); - fiat_curve25519_solinas_addcarryx_u64(&x142, &x143, x141, x133, x111); - fiat_curve25519_solinas_addcarryx_u64(&x144, &x145, x143, x135, x106); - fiat_curve25519_solinas_addcarryx_u64(&x146, &x147, x145, x137, x98); - fiat_curve25519_solinas_addcarryx_u64(&x148, &x149, x147, x139, 0x0); - x150 = (x149 + x97); - fiat_curve25519_solinas_addcarryx_u64(&x151, &x152, 0x0, x140, x116); - fiat_curve25519_solinas_addcarryx_u64(&x153, &x154, x152, x142, x114); - fiat_curve25519_solinas_addcarryx_u64(&x155, &x156, x154, x144, x109); - fiat_curve25519_solinas_addcarryx_u64(&x157, &x158, x156, x146, x101); - fiat_curve25519_solinas_addcarryx_u64(&x159, &x160, x158, x148, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x161, &x162, x160, x150, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x163, &x164, 0x0, x127, x118); - fiat_curve25519_solinas_addcarryx_u64(&x165, &x166, x164, x151, x119); - fiat_curve25519_solinas_addcarryx_u64(&x167, &x168, x166, x153, x117); - fiat_curve25519_solinas_addcarryx_u64(&x169, &x170, x168, x155, x112); - fiat_curve25519_solinas_addcarryx_u64(&x171, &x172, x170, x157, x104); - fiat_curve25519_solinas_addcarryx_u64(&x173, &x174, x172, x159, x96); - fiat_curve25519_solinas_addcarryx_u64(&x175, &x176, x174, x161, 0x0); - 
fiat_curve25519_solinas_addcarryx_u64(&x177, &x178, 0x0, x163, x124); - fiat_curve25519_solinas_addcarryx_u64(&x179, &x180, x178, x165, x122); - fiat_curve25519_solinas_addcarryx_u64(&x181, &x182, x180, x167, x120); - fiat_curve25519_solinas_addcarryx_u64(&x183, &x184, x182, x169, x115); - fiat_curve25519_solinas_addcarryx_u64(&x185, &x186, x184, x171, x107); - fiat_curve25519_solinas_addcarryx_u64(&x187, &x188, x186, x173, x99); - fiat_curve25519_solinas_addcarryx_u64(&x189, &x190, x188, x175, 0x0); - fiat_curve25519_solinas_mulx_u64(&x191, &x192, UINT8_C(0x26), x92); - fiat_curve25519_solinas_mulx_u64(&x193, &x194, UINT8_C(0x26), x90); - fiat_curve25519_solinas_mulx_u64(&x195, &x196, UINT8_C(0x26), x88); - fiat_curve25519_solinas_addcarryx_u64(&x197, &x198, 0x0, x82, x193); - fiat_curve25519_solinas_addcarryx_u64(&x199, &x200, x198, x84, x191); - fiat_curve25519_solinas_mulx_u64(&x201, &x202, UINT8_C(0x26), x94); - fiat_curve25519_solinas_addcarryx_u64(&x203, &x204, x200, x86, x201); - fiat_curve25519_solinas_mulx_u64(&x205, &x206, UINT8_C(0x26), x94); - x207 = (x204 + x206); - fiat_curve25519_solinas_addcarryx_u64(&x208, &x209, 0x0, x31, x195); - fiat_curve25519_solinas_addcarryx_u64(&x210, &x211, x209, x197, x196); - fiat_curve25519_solinas_addcarryx_u64(&x212, &x213, x211, x199, x194); - fiat_curve25519_solinas_addcarryx_u64(&x214, &x215, x213, x203, x192); - x216 = (x215 + x207); - fiat_curve25519_solinas_mulx_u64(&x217, &x218, UINT8_C(0x26), x216); - fiat_curve25519_solinas_addcarryx_u64(&x219, &x220, 0x0, x208, x217); - fiat_curve25519_solinas_addcarryx_u64(&x221, &x222, x220, x210, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x223, &x224, x222, x212, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x225, &x226, x224, x214, 0x0); - fiat_curve25519_solinas_cmovznz_u64(&x227, x226, 0x0, UINT8_C(0x26)); - fiat_curve25519_solinas_addcarryx_u64(&x228, &x229, 0x0, x227, x219); - fiat_curve25519_solinas_mulx_u64(&x230, &x231, UINT8_C(0x26), x189); - 
fiat_curve25519_solinas_mulx_u64(&x232, &x233, UINT8_C(0x26), x187); - fiat_curve25519_solinas_mulx_u64(&x234, &x235, UINT8_C(0x26), x185); - fiat_curve25519_solinas_mulx_u64(&x236, &x237, UINT8_C(0x26), x183); - fiat_curve25519_solinas_addcarryx_u64(&x238, &x239, 0x0, x177, x234); - fiat_curve25519_solinas_addcarryx_u64(&x240, &x241, x239, x179, x232); - fiat_curve25519_solinas_addcarryx_u64(&x242, &x243, x241, x181, x230); - x244 = (x243 + x231); - fiat_curve25519_solinas_addcarryx_u64(&x245, &x246, 0x0, x126, x236); - fiat_curve25519_solinas_addcarryx_u64(&x247, &x248, x246, x238, x237); - fiat_curve25519_solinas_addcarryx_u64(&x249, &x250, x248, x240, x235); - fiat_curve25519_solinas_addcarryx_u64(&x251, &x252, x250, x242, x233); - x253 = (x252 + x244); - fiat_curve25519_solinas_mulx_u64(&x254, &x255, UINT8_C(0x26), x253); - fiat_curve25519_solinas_addcarryx_u64(&x256, &x257, 0x0, x245, x254); - fiat_curve25519_solinas_addcarryx_u64(&x258, &x259, x257, x247, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x260, &x261, x259, x249, 0x0); - fiat_curve25519_solinas_addcarryx_u64(&x262, &x263, x261, x251, 0x0); - fiat_curve25519_solinas_cmovznz_u64(&x264, x263, 0x0, UINT8_C(0x26)); - fiat_curve25519_solinas_addcarryx_u64(&x265, &x266, 0x0, x264, x256); - out1[0] = x228; - out1[1] = x221; - out1[2] = x223; - out1[3] = x225; - out2[0] = x265; - out2[1] = x258; - out2[2] = x260; - out2[3] = x262; -} - /* * The function fiat_curve25519_solinas_square squares a field element. * diff --git a/fiat-go/64/curve25519solinas/curve25519solinas.go b/fiat-go/64/curve25519solinas/curve25519solinas.go index 61514696bd..4bab5cc64d 100644 --- a/fiat-go/64/curve25519solinas/curve25519solinas.go +++ b/fiat-go/64/curve25519solinas/curve25519solinas.go 
@@ -1,12 +1,12 @@ // Code generated by Fiat Cryptography. DO NOT EDIT. // -// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mul mul2 square +// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --doc-text-before-type-name '' --package-name curve25519solinas '' 64 '2^255 - 19' mul square // // curve description (via package name): curve25519solinas // // machine_wordsize = 64 (from "64") // -// requested operations: mul, mul2, square +// requested operations: mul, square // // s-c = 2^255 - [(1, 19)] (from "2^255 - 19") // 
@@ -247,414 +247,6 @@ func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { out1[3] = x128 } -// Mul2 multiplies two field elements. -// -// Postconditions: -// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 -// eval out2 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg3 * eval arg4) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 -// -// Input Bounds: -// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// Output Bounds: -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -func Mul2(out1 *[4]uint64, out2 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64, arg3 *[4]uint64, arg4 *[4]uint64) { - var x1 uint64 - var x2 uint64 - x2, x1 = bits.Mul64(arg1[3], arg2[3]) - var x3 uint64 - var x4 uint64 - x4, x3 = bits.Mul64(arg1[3], arg2[2]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(arg1[3], arg2[1]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(arg1[3], arg2[0]) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(arg1[2], arg2[3]) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(arg1[2], arg2[2]) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(arg1[2], 
arg2[1]) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64(arg1[2], arg2[0]) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64(arg1[1], arg2[3]) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64(arg1[1], arg2[2]) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64(arg1[1], arg2[1]) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64(arg1[1], arg2[0]) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64(arg1[0], arg2[3]) - var x27 uint64 - var x28 uint64 - x28, x27 = bits.Mul64(arg1[0], arg2[2]) - var x29 uint64 - var x30 uint64 - x30, x29 = bits.Mul64(arg1[0], arg2[1]) - var x31 uint64 - var x32 uint64 - x32, x31 = bits.Mul64(arg1[0], arg2[0]) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Add64(x28, x7, uint64(0x0)) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x26, x5, uint64(uint1(x34))) - x37 := (uint64(uint1(x36)) + x18) - var x38 uint64 - var x39 uint64 - x38, x39 = bits.Add64(x33, x13, uint64(0x0)) - var x40 uint64 - var x41 uint64 - x40, x41 = bits.Add64(x35, x8, uint64(uint1(x39))) - var x42 uint64 - var x43 uint64 - x42, x43 = bits.Add64(x37, uint64(0x0), uint64(uint1(x41))) - x44 := (uint64(uint1(x43)) + x10) - var x45 uint64 - var x46 uint64 - x45, x46 = bits.Add64(x30, x15, uint64(0x0)) - var x47 uint64 - var x48 uint64 - x47, x48 = bits.Add64(x38, x16, uint64(uint1(x46))) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(x40, x11, uint64(uint1(x48))) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x42, x3, uint64(uint1(x50))) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(x44, uint64(0x0), uint64(uint1(x52))) - x55 := (uint64(uint1(x54)) + x2) - var x56 uint64 - var x57 uint64 - x56, x57 = bits.Add64(x45, x21, uint64(0x0)) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64(x47, x19, uint64(uint1(x57))) - var x60 uint64 - var x61 uint64 - x60, x61 = bits.Add64(x49, x14, uint64(uint1(x59))) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(x51, x6, 
uint64(uint1(x61))) - var x64 uint64 - var x65 uint64 - x64, x65 = bits.Add64(x53, uint64(0x0), uint64(uint1(x63))) - var x66 uint64 - x66, _ = bits.Add64(x55, uint64(0x0), uint64(uint1(x65))) - var x68 uint64 - var x69 uint64 - x68, x69 = bits.Add64(x32, x23, uint64(0x0)) - var x70 uint64 - var x71 uint64 - x70, x71 = bits.Add64(x56, x24, uint64(uint1(x69))) - var x72 uint64 - var x73 uint64 - x72, x73 = bits.Add64(x58, x22, uint64(uint1(x71))) - var x74 uint64 - var x75 uint64 - x74, x75 = bits.Add64(x60, x17, uint64(uint1(x73))) - var x76 uint64 - var x77 uint64 - x76, x77 = bits.Add64(x62, x9, uint64(uint1(x75))) - var x78 uint64 - var x79 uint64 - x78, x79 = bits.Add64(x64, x1, uint64(uint1(x77))) - var x80 uint64 - x80, _ = bits.Add64(x66, uint64(0x0), uint64(uint1(x79))) - var x82 uint64 - var x83 uint64 - x82, x83 = bits.Add64(x68, x29, uint64(0x0)) - var x84 uint64 - var x85 uint64 - x84, x85 = bits.Add64(x70, x27, uint64(uint1(x83))) - var x86 uint64 - var x87 uint64 - x86, x87 = bits.Add64(x72, x25, uint64(uint1(x85))) - var x88 uint64 - var x89 uint64 - x88, x89 = bits.Add64(x74, x20, uint64(uint1(x87))) - var x90 uint64 - var x91 uint64 - x90, x91 = bits.Add64(x76, x12, uint64(uint1(x89))) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x78, x4, uint64(uint1(x91))) - var x94 uint64 - x94, _ = bits.Add64(x80, uint64(0x0), uint64(uint1(x93))) - var x96 uint64 - var x97 uint64 - x97, x96 = bits.Mul64(arg3[3], arg4[3]) - var x98 uint64 - var x99 uint64 - x99, x98 = bits.Mul64(arg3[3], arg4[2]) - var x100 uint64 - var x101 uint64 - x101, x100 = bits.Mul64(arg3[3], arg4[1]) - var x102 uint64 - var x103 uint64 - x103, x102 = bits.Mul64(arg3[3], arg4[0]) - var x104 uint64 - var x105 uint64 - x105, x104 = bits.Mul64(arg3[2], arg4[3]) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(arg3[2], arg4[2]) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(arg3[2], arg4[1]) - var x110 uint64 - var x111 uint64 - x111, x110 = 
bits.Mul64(arg3[2], arg4[0]) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(arg3[1], arg4[3]) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(arg3[1], arg4[2]) - var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64(arg3[1], arg4[1]) - var x118 uint64 - var x119 uint64 - x119, x118 = bits.Mul64(arg3[1], arg4[0]) - var x120 uint64 - var x121 uint64 - x121, x120 = bits.Mul64(arg3[0], arg4[3]) - var x122 uint64 - var x123 uint64 - x123, x122 = bits.Mul64(arg3[0], arg4[2]) - var x124 uint64 - var x125 uint64 - x125, x124 = bits.Mul64(arg3[0], arg4[1]) - var x126 uint64 - var x127 uint64 - x127, x126 = bits.Mul64(arg3[0], arg4[0]) - var x128 uint64 - var x129 uint64 - x128, x129 = bits.Add64(x123, x102, uint64(0x0)) - var x130 uint64 - var x131 uint64 - x130, x131 = bits.Add64(x121, x100, uint64(uint1(x129))) - x132 := (uint64(uint1(x131)) + x113) - var x133 uint64 - var x134 uint64 - x133, x134 = bits.Add64(x128, x108, uint64(0x0)) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x130, x103, uint64(uint1(x134))) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x132, uint64(0x0), uint64(uint1(x136))) - x139 := (uint64(uint1(x138)) + x105) - var x140 uint64 - var x141 uint64 - x140, x141 = bits.Add64(x125, x110, uint64(0x0)) - var x142 uint64 - var x143 uint64 - x142, x143 = bits.Add64(x133, x111, uint64(uint1(x141))) - var x144 uint64 - var x145 uint64 - x144, x145 = bits.Add64(x135, x106, uint64(uint1(x143))) - var x146 uint64 - var x147 uint64 - x146, x147 = bits.Add64(x137, x98, uint64(uint1(x145))) - var x148 uint64 - var x149 uint64 - x148, x149 = bits.Add64(x139, uint64(0x0), uint64(uint1(x147))) - x150 := (uint64(uint1(x149)) + x97) - var x151 uint64 - var x152 uint64 - x151, x152 = bits.Add64(x140, x116, uint64(0x0)) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(x142, x114, uint64(uint1(x152))) - var x155 uint64 - var x156 uint64 - x155, x156 = bits.Add64(x144, x109, 
uint64(uint1(x154))) - var x157 uint64 - var x158 uint64 - x157, x158 = bits.Add64(x146, x101, uint64(uint1(x156))) - var x159 uint64 - var x160 uint64 - x159, x160 = bits.Add64(x148, uint64(0x0), uint64(uint1(x158))) - var x161 uint64 - x161, _ = bits.Add64(x150, uint64(0x0), uint64(uint1(x160))) - var x163 uint64 - var x164 uint64 - x163, x164 = bits.Add64(x127, x118, uint64(0x0)) - var x165 uint64 - var x166 uint64 - x165, x166 = bits.Add64(x151, x119, uint64(uint1(x164))) - var x167 uint64 - var x168 uint64 - x167, x168 = bits.Add64(x153, x117, uint64(uint1(x166))) - var x169 uint64 - var x170 uint64 - x169, x170 = bits.Add64(x155, x112, uint64(uint1(x168))) - var x171 uint64 - var x172 uint64 - x171, x172 = bits.Add64(x157, x104, uint64(uint1(x170))) - var x173 uint64 - var x174 uint64 - x173, x174 = bits.Add64(x159, x96, uint64(uint1(x172))) - var x175 uint64 - x175, _ = bits.Add64(x161, uint64(0x0), uint64(uint1(x174))) - var x177 uint64 - var x178 uint64 - x177, x178 = bits.Add64(x163, x124, uint64(0x0)) - var x179 uint64 - var x180 uint64 - x179, x180 = bits.Add64(x165, x122, uint64(uint1(x178))) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x167, x120, uint64(uint1(x180))) - var x183 uint64 - var x184 uint64 - x183, x184 = bits.Add64(x169, x115, uint64(uint1(x182))) - var x185 uint64 - var x186 uint64 - x185, x186 = bits.Add64(x171, x107, uint64(uint1(x184))) - var x187 uint64 - var x188 uint64 - x187, x188 = bits.Add64(x173, x99, uint64(uint1(x186))) - var x189 uint64 - x189, _ = bits.Add64(x175, uint64(0x0), uint64(uint1(x188))) - var x191 uint64 - var x192 uint64 - x192, x191 = bits.Mul64(0x26, x92) - var x193 uint64 - var x194 uint64 - x194, x193 = bits.Mul64(0x26, x90) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64(0x26, x88) - var x197 uint64 - var x198 uint64 - x197, x198 = bits.Add64(x82, x193, uint64(0x0)) - var x199 uint64 - var x200 uint64 - x199, x200 = bits.Add64(x84, x191, uint64(uint1(x198))) - var x201 uint64 
- _, x201 = bits.Mul64(0x26, x94) - var x203 uint64 - var x204 uint64 - x203, x204 = bits.Add64(x86, x201, uint64(uint1(x200))) - var x206 uint64 - x206, _ = bits.Mul64(0x26, x94) - x207 := (uint64(uint1(x204)) + x206) - var x208 uint64 - var x209 uint64 - x208, x209 = bits.Add64(x31, x195, uint64(0x0)) - var x210 uint64 - var x211 uint64 - x210, x211 = bits.Add64(x197, x196, uint64(uint1(x209))) - var x212 uint64 - var x213 uint64 - x212, x213 = bits.Add64(x199, x194, uint64(uint1(x211))) - var x214 uint64 - var x215 uint64 - x214, x215 = bits.Add64(x203, x192, uint64(uint1(x213))) - x216 := (uint64(uint1(x215)) + x207) - var x217 uint64 - _, x217 = bits.Mul64(0x26, x216) - var x219 uint64 - var x220 uint64 - x219, x220 = bits.Add64(x208, x217, uint64(0x0)) - var x221 uint64 - var x222 uint64 - x221, x222 = bits.Add64(x210, uint64(0x0), uint64(uint1(x220))) - var x223 uint64 - var x224 uint64 - x223, x224 = bits.Add64(x212, uint64(0x0), uint64(uint1(x222))) - var x225 uint64 - var x226 uint64 - x225, x226 = bits.Add64(x214, uint64(0x0), uint64(uint1(x224))) - var x227 uint64 - cmovznzU64(&x227, uint1(x226), uint64(0x0), 0x26) - var x228 uint64 - x228, _ = bits.Add64(x227, x219, uint64(0x0)) - var x230 uint64 - var x231 uint64 - x231, x230 = bits.Mul64(0x26, x189) - var x232 uint64 - var x233 uint64 - x233, x232 = bits.Mul64(0x26, x187) - var x234 uint64 - var x235 uint64 - x235, x234 = bits.Mul64(0x26, x185) - var x236 uint64 - var x237 uint64 - x237, x236 = bits.Mul64(0x26, x183) - var x238 uint64 - var x239 uint64 - x238, x239 = bits.Add64(x177, x234, uint64(0x0)) - var x240 uint64 - var x241 uint64 - x240, x241 = bits.Add64(x179, x232, uint64(uint1(x239))) - var x242 uint64 - var x243 uint64 - x242, x243 = bits.Add64(x181, x230, uint64(uint1(x241))) - x244 := (uint64(uint1(x243)) + x231) - var x245 uint64 - var x246 uint64 - x245, x246 = bits.Add64(x126, x236, uint64(0x0)) - var x247 uint64 - var x248 uint64 - x247, x248 = bits.Add64(x238, x237, 
uint64(uint1(x246))) - var x249 uint64 - var x250 uint64 - x249, x250 = bits.Add64(x240, x235, uint64(uint1(x248))) - var x251 uint64 - var x252 uint64 - x251, x252 = bits.Add64(x242, x233, uint64(uint1(x250))) - x253 := (uint64(uint1(x252)) + x244) - var x254 uint64 - _, x254 = bits.Mul64(0x26, x253) - var x256 uint64 - var x257 uint64 - x256, x257 = bits.Add64(x245, x254, uint64(0x0)) - var x258 uint64 - var x259 uint64 - x258, x259 = bits.Add64(x247, uint64(0x0), uint64(uint1(x257))) - var x260 uint64 - var x261 uint64 - x260, x261 = bits.Add64(x249, uint64(0x0), uint64(uint1(x259))) - var x262 uint64 - var x263 uint64 - x262, x263 = bits.Add64(x251, uint64(0x0), uint64(uint1(x261))) - var x264 uint64 - cmovznzU64(&x264, uint1(x263), uint64(0x0), 0x26) - var x265 uint64 - x265, _ = bits.Add64(x264, x256, uint64(0x0)) - out1[0] = x228 - out1[1] = x221 - out1[2] = x223 - out1[3] = x225 - out2[0] = x265 - out2[1] = x258 - out2[2] = x260 - out2[3] = x262 -} - // Square squares a field element. // // Postconditions: diff --git a/fiat-json/src/curve25519_solinas_64.json b/fiat-json/src/curve25519_solinas_64.json index 8b30fea6d6..ca853b7dd8 100644 --- a/fiat-json/src/curve25519_solinas_64.json +++ b/fiat-json/src/curve25519_solinas_64.json 
@@ -3804,6262 +3804,6 @@ } ] }, - { - "operation": "fiat_curve25519_solinas_mul2", - "arguments": [ - { - "datatype": "u64[4]", - "name": "arg1", - "lbound": [ - "0x0", - "0x0", - "0x0", - "0x0" - ], - "ubound": [ - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff" - ] - }, - { - "datatype": "u64[4]", - "name": "arg2", - "lbound": [ - "0x0", - "0x0", - "0x0", - "0x0" - ], - "ubound": [ - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff" - ] - }, - { - "datatype": "u64[4]", - "name": "arg3", - "lbound": [ - "0x0", - "0x0", - "0x0", - "0x0" - ], - "ubound": [ - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff" - ] - }, - { - "datatype": "u64[4]", - "name": "arg4", - "lbound": [ - "0x0", - "0x0", - "0x0", - "0x0" - ], - "ubound": [ - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff" - ] - } - ], - "returns": [ - { - "datatype": "u64[4]", - "name": "out1", - "lbound": [ - "0x0", - "0x0", - "0x0", - "0x0" - ], - "ubound": [ - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff" - ] - }, - { - "datatype": "u64[4]", - "name": "out2", - "lbound": [ - "0x0", - "0x0", - "0x0", - "0x0" - ], - "ubound": [ - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff", - "0xffffffffffffffff" - ] - } - ], - "body": [ - { - "datatype": "(auto)", - "name": [ - "x1", - "x2" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[3]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[3]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x3", - "x4" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": 
"static_cast", - "arguments": [ - "arg1[3]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[2]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x5", - "x6" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[3]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[1]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x7", - "x8" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[3]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[0]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x9", - "x10" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[2]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[3]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x11", - "x12" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[2]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[2]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x13", - "x14" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[2]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[1]" - ] - } - ] - }, - { - "datatype": "(auto)", - 
"name": [ - "x15", - "x16" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[2]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[0]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x17", - "x18" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[1]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[3]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x19", - "x20" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[1]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[2]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x21", - "x22" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[1]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[1]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x23", - "x24" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[1]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[0]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x25", - "x26" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - 
"arg1[0]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[3]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x27", - "x28" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[0]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[2]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x29", - "x30" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[0]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[1]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x31", - "x32" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg1[0]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg2[0]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x33", - "x34" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x28" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x7" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x35", - "x36" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { 
- "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x34" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x26" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x5" - ] - } - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "x37" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x36" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x18" - ] - } - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x38", - "x39" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x33" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x13" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x40", - "x41" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x39" - ] - } - ] - }, - { - "datatype": 
"u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x35" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x8" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x42", - "x43" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x41" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x37" - ] - }, - "0x0" - ] - }, - { - "datatype": "u64", - "name": [ - "x44" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x43" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x10" - ] - } - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x45", - "x46" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x30" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x15" - ] - } - ] - } - ] - }, - { - "datatype": 
"(auto)", - "name": [ - "x47", - "x48" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x46" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x38" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x16" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x49", - "x50" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x48" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x40" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x11" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x51", - "x52" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x50" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x42" - ] - } - ] - }, - 
{ - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x3" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x53", - "x54" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x52" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x44" - ] - }, - "0x0" - ] - }, - { - "datatype": "u64", - "name": [ - "x55" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x54" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x2" - ] - } - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x56", - "x57" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x45" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x21" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x58", - "x59" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": 
"static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x57" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x47" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x19" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x60", - "x61" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x59" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x49" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x14" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x62", - "x63" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x61" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x51" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x6" - 
] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x64", - "x65" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x63" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x53" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x66", - "_" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x65" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x55" - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x68", - "x69" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x32" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x23" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x70", - "x71" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x69" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - 
"arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x56" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x24" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x72", - "x73" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x71" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x58" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x22" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x74", - "x75" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x73" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x60" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x17" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x76", - "x77" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - 
"operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x75" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x62" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x9" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x78", - "x79" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x77" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x64" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x1" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x80", - "_" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x79" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x66" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x82", - "x83" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - 
{ - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x68" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x29" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x84", - "x85" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x83" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x70" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x27" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x86", - "x87" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x85" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x72" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x25" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x88", - "x89" - ], - "operation": "addcarryx", - "parameters": { - "size": 
64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x87" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x74" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x20" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x90", - "x91" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x89" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x76" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x12" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x92", - "x93" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x91" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x78" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - 
"datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x4" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x94", - "_" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x93" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x80" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x96", - "x97" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[3]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[3]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x98", - "x99" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[3]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[2]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x100", - "x101" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[3]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[1]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x102", - "x103" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[3]" - ] - }, - { - 
"datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[0]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x104", - "x105" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[2]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[3]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x106", - "x107" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[2]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[2]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x108", - "x109" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[2]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[1]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x110", - "x111" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[2]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[0]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x112", - "x113" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[1]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[3]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x114", - "x115" - ], - "operation": 
"mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[1]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[2]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x116", - "x117" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[1]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[1]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x118", - "x119" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[1]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[0]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x120", - "x121" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[0]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[3]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x122", - "x123" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[0]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[2]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x124", - "x125" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[0]" - ] - }, - { - "datatype": 
"u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[1]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x126", - "x127" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg3[0]" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "arg4[0]" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x128", - "x129" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x123" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x102" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x130", - "x131" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x129" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x121" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x100" - ] - } - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "x132" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": 
"static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x131" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x113" - ] - } - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x133", - "x134" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x128" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x108" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x135", - "x136" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x134" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x130" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x103" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x137", - "x138" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x136" - ] - } - ] - 
}, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x132" - ] - }, - "0x0" - ] - }, - { - "datatype": "u64", - "name": [ - "x139" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x138" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x105" - ] - } - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x140", - "x141" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x125" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x110" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x142", - "x143" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x141" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x133" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x111" - ] - } - ] - 
} - ] - }, - { - "datatype": "(auto)", - "name": [ - "x144", - "x145" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x143" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x135" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x106" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x146", - "x147" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x145" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x137" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x98" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x148", - "x149" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x147" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x139" - ] - }, - "0x0" - ] - }, - { - "datatype": "u64", - "name": [ 
- "x150" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x149" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x97" - ] - } - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x151", - "x152" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x140" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x116" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x153", - "x154" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x152" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x142" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x114" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x155", - "x156" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - 
"datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x154" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x144" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x109" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x157", - "x158" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x156" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x146" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x101" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x159", - "x160" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x158" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x148" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x161", - "_" - ], - "operation": "addcarryx", - "parameters": 
{ - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x160" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x150" - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x163", - "x164" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x127" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x118" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x165", - "x166" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x164" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x151" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x119" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x167", - "x168" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x166" - ] - } - ] - }, - 
{ - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x153" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x117" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x169", - "x170" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x168" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x155" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x112" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x171", - "x172" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x170" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x157" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x104" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x173", - "x174" - ], - "operation": "addcarryx", - "parameters": 
{ - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x172" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x159" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x96" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x175", - "_" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x174" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x161" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x177", - "x178" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x163" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x124" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x179", - "x180" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": 
"u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x178" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x165" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x122" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x181", - "x182" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x180" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x167" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x120" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x183", - "x184" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x182" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x169" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x115" - ] - } - ] - } - ] - }, - { - 
"datatype": "(auto)", - "name": [ - "x185", - "x186" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x184" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x171" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x107" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x187", - "x188" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x186" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x173" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x99" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x189", - "_" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x188" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - 
"x175" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x191", - "x192" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x92" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x193", - "x194" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x90" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x195", - "x196" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x88" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x197", - "x198" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x82" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x193" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x199", - "x200" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x198" - ] - } - ] 
- }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x84" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x191" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x201", - "_" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x94" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x203", - "x204" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x200" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x86" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x201" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "_", - "x206" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x94" - ] - } - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "x207" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - 
"operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x204" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x206" - ] - } - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x208", - "x209" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x31" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x195" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x210", - "x211" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x209" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x197" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x196" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x212", - "x213" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": 
"u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x211" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x199" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x194" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x214", - "x215" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x213" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x203" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x192" - ] - } - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "x216" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x215" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x207" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x217", - "_" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x216" - ] - } - ] - }, - { - 
"datatype": "(auto)", - "name": [ - "x219", - "x220" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x208" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x217" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x221", - "x222" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x220" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x210" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x223", - "x224" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x222" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x212" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x225", - "x226" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x224" - ] - } - ] 
- }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x214" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "u64", - "name": [ - "x227" - ], - "operation": "cmovznz", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x226" - ] - } - ] - }, - "0x0", - "0x26" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x228", - "_" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x227" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x219" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x230", - "x231" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x189" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x232", - "x233" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x187" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x234", - "x235" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": 
"static_cast", - "arguments": [ - "x185" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x236", - "x237" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x183" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x238", - "x239" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x177" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x234" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x240", - "x241" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x239" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x179" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x232" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x242", - "x243" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - 
"operation": "static_cast", - "arguments": [ - "x241" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x181" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x230" - ] - } - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "x244" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x243" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x231" - ] - } - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x245", - "x246" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x126" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x236" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x247", - "x248" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x246" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - 
"operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x238" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x237" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x249", - "x250" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x248" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x240" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x235" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x251", - "x252" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x250" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x242" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x233" - ] - } - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "x253" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - 
"operation": "+", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x252" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x244" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x254", - "_" - ], - "operation": "mulx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x26", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x253" - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x256", - "x257" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x245" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x254" - ] - } - ] - } - ] - }, - { - "datatype": "(auto)", - "name": [ - "x258", - "x259" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x257" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x247" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x260", - "x261" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - 
"operation": "static_cast", - "arguments": [ - "x259" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x249" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x262", - "x263" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x261" - ] - } - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x251" - ] - } - ] - }, - "0x0" - ] - }, - { - "datatype": "u64", - "name": [ - "x264" - ], - "operation": "cmovznz", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u1", - "name": [], - "operation": "static_cast", - "arguments": [ - "x263" - ] - } - ] - }, - "0x0", - "0x26" - ] - }, - { - "datatype": "(auto)", - "name": [ - "x265", - "_" - ], - "operation": "addcarryx", - "parameters": { - "size": 64 - }, - "arguments": [ - "0x0", - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x264" - ] - }, - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x256" - ] - } - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "out1[0]" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x228" - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "out1[1]" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": 
"static_cast", - "arguments": [ - "x221" - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "out1[2]" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x223" - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "out1[3]" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x225" - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "out2[0]" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x265" - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "out2[1]" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x258" - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "out2[2]" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x260" - ] - } - ] - }, - { - "datatype": "u64", - "name": [ - "out2[3]" - ], - "operation": "static_cast", - "arguments": [ - { - "datatype": "u64", - "name": [], - "operation": "static_cast", - "arguments": [ - "x262" - ] - } - ] - } - ] - }, { "operation": "fiat_curve25519_solinas_square", "arguments": [ diff --git a/fiat-rust/src/curve25519_solinas_64.rs b/fiat-rust/src/curve25519_solinas_64.rs index 444b29fbf1..edda9bb439 100644 --- a/fiat-rust/src/curve25519_solinas_64.rs +++ b/fiat-rust/src/curve25519_solinas_64.rs 
@@ -1,7 +1,7 @@ -//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mul mul2 square +//! Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Rust --inline curve25519_solinas 64 '2^255 - 19' mul square //! curve description: curve25519_solinas //! machine_wordsize = 64 (from "64") -//! requested operations: mul, mul2, square +//! requested operations: mul, square //! s-c = 2^255 - [(1, 19)] (from "2^255 - 19") //! //! Computed values: 
@@ -314,427 +314,6 @@ pub fn fiat_curve25519_solinas_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: & out1[3] = x128; } -/// The function fiat_curve25519_solinas_mul2 multiplies two field elements. -/// -/// Postconditions: -/// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 -/// eval out2 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg3 * eval arg4) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 -/// -/// Input Bounds: -/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// Output Bounds: -/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -#[inline] -pub fn fiat_curve25519_solinas_mul2(out1: &mut [u64; 4], out2: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4], arg3: &[u64; 4], arg4: &[u64; 4]) -> () { - let mut x1: u64 = 0; - let mut x2: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x1, &mut x2, (arg1[3]), (arg2[3])); - let mut x3: u64 = 0; - let mut x4: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x3, &mut x4, (arg1[3]), (arg2[2])); - let mut x5: u64 = 0; - let mut x6: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x5, &mut x6, (arg1[3]), (arg2[1])); - let mut x7: u64 = 
0; - let mut x8: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x7, &mut x8, (arg1[3]), (arg2[0])); - let mut x9: u64 = 0; - let mut x10: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x9, &mut x10, (arg1[2]), (arg2[3])); - let mut x11: u64 = 0; - let mut x12: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x11, &mut x12, (arg1[2]), (arg2[2])); - let mut x13: u64 = 0; - let mut x14: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x13, &mut x14, (arg1[2]), (arg2[1])); - let mut x15: u64 = 0; - let mut x16: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x15, &mut x16, (arg1[2]), (arg2[0])); - let mut x17: u64 = 0; - let mut x18: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x17, &mut x18, (arg1[1]), (arg2[3])); - let mut x19: u64 = 0; - let mut x20: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x19, &mut x20, (arg1[1]), (arg2[2])); - let mut x21: u64 = 0; - let mut x22: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x21, &mut x22, (arg1[1]), (arg2[1])); - let mut x23: u64 = 0; - let mut x24: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x23, &mut x24, (arg1[1]), (arg2[0])); - let mut x25: u64 = 0; - let mut x26: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x25, &mut x26, (arg1[0]), (arg2[3])); - let mut x27: u64 = 0; - let mut x28: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x27, &mut x28, (arg1[0]), (arg2[2])); - let mut x29: u64 = 0; - let mut x30: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x29, &mut x30, (arg1[0]), (arg2[1])); - let mut x31: u64 = 0; - let mut x32: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x31, &mut x32, (arg1[0]), (arg2[0])); - let mut x33: u64 = 0; - let mut x34: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x33, &mut x34, 0x0, x28, x7); - let mut x35: u64 = 0; - let mut x36: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x35, &mut x36, x34, x26, x5); - let x37: u64 = ((x36 as u64) + x18); - let mut x38: u64 = 0; - let mut x39: 
fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x38, &mut x39, 0x0, x33, x13); - let mut x40: u64 = 0; - let mut x41: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x40, &mut x41, x39, x35, x8); - let mut x42: u64 = 0; - let mut x43: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x42, &mut x43, x41, x37, (0x0 as u64)); - let x44: u64 = ((x43 as u64) + x10); - let mut x45: u64 = 0; - let mut x46: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x45, &mut x46, 0x0, x30, x15); - let mut x47: u64 = 0; - let mut x48: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x47, &mut x48, x46, x38, x16); - let mut x49: u64 = 0; - let mut x50: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x49, &mut x50, x48, x40, x11); - let mut x51: u64 = 0; - let mut x52: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x51, &mut x52, x50, x42, x3); - let mut x53: u64 = 0; - let mut x54: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x53, &mut x54, x52, x44, (0x0 as u64)); - let x55: u64 = ((x54 as u64) + x2); - let mut x56: u64 = 0; - let mut x57: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x56, &mut x57, 0x0, x45, x21); - let mut x58: u64 = 0; - let mut x59: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x58, &mut x59, x57, x47, x19); - let mut x60: u64 = 0; - let mut x61: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x60, &mut x61, x59, x49, x14); - let mut x62: u64 = 0; - let mut x63: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x62, &mut x63, x61, x51, x6); - let mut x64: u64 = 0; - let mut x65: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x64, &mut x65, x63, x53, (0x0 as u64)); - let mut x66: u64 = 0; - 
let mut x67: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x66, &mut x67, x65, x55, (0x0 as u64)); - let mut x68: u64 = 0; - let mut x69: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x68, &mut x69, 0x0, x32, x23); - let mut x70: u64 = 0; - let mut x71: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x70, &mut x71, x69, x56, x24); - let mut x72: u64 = 0; - let mut x73: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x72, &mut x73, x71, x58, x22); - let mut x74: u64 = 0; - let mut x75: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x74, &mut x75, x73, x60, x17); - let mut x76: u64 = 0; - let mut x77: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x76, &mut x77, x75, x62, x9); - let mut x78: u64 = 0; - let mut x79: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x78, &mut x79, x77, x64, x1); - let mut x80: u64 = 0; - let mut x81: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x80, &mut x81, x79, x66, (0x0 as u64)); - let mut x82: u64 = 0; - let mut x83: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x82, &mut x83, 0x0, x68, x29); - let mut x84: u64 = 0; - let mut x85: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x84, &mut x85, x83, x70, x27); - let mut x86: u64 = 0; - let mut x87: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x86, &mut x87, x85, x72, x25); - let mut x88: u64 = 0; - let mut x89: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x88, &mut x89, x87, x74, x20); - let mut x90: u64 = 0; - let mut x91: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x90, &mut x91, x89, x76, x12); - let mut x92: u64 = 0; - let mut x93: fiat_curve25519_solinas_u1 = 0; - 
fiat_curve25519_solinas_addcarryx_u64(&mut x92, &mut x93, x91, x78, x4); - let mut x94: u64 = 0; - let mut x95: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x94, &mut x95, x93, x80, (0x0 as u64)); - let mut x96: u64 = 0; - let mut x97: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x96, &mut x97, (arg3[3]), (arg4[3])); - let mut x98: u64 = 0; - let mut x99: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x98, &mut x99, (arg3[3]), (arg4[2])); - let mut x100: u64 = 0; - let mut x101: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x100, &mut x101, (arg3[3]), (arg4[1])); - let mut x102: u64 = 0; - let mut x103: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x102, &mut x103, (arg3[3]), (arg4[0])); - let mut x104: u64 = 0; - let mut x105: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x104, &mut x105, (arg3[2]), (arg4[3])); - let mut x106: u64 = 0; - let mut x107: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x106, &mut x107, (arg3[2]), (arg4[2])); - let mut x108: u64 = 0; - let mut x109: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x108, &mut x109, (arg3[2]), (arg4[1])); - let mut x110: u64 = 0; - let mut x111: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x110, &mut x111, (arg3[2]), (arg4[0])); - let mut x112: u64 = 0; - let mut x113: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x112, &mut x113, (arg3[1]), (arg4[3])); - let mut x114: u64 = 0; - let mut x115: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x114, &mut x115, (arg3[1]), (arg4[2])); - let mut x116: u64 = 0; - let mut x117: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x116, &mut x117, (arg3[1]), (arg4[1])); - let mut x118: u64 = 0; - let mut x119: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x118, &mut x119, (arg3[1]), (arg4[0])); - let mut x120: u64 = 0; - let mut x121: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x120, &mut x121, (arg3[0]), (arg4[3])); - let mut x122: u64 = 0; - let mut x123: u64 = 0; - 
fiat_curve25519_solinas_mulx_u64(&mut x122, &mut x123, (arg3[0]), (arg4[2])); - let mut x124: u64 = 0; - let mut x125: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x124, &mut x125, (arg3[0]), (arg4[1])); - let mut x126: u64 = 0; - let mut x127: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x126, &mut x127, (arg3[0]), (arg4[0])); - let mut x128: u64 = 0; - let mut x129: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x128, &mut x129, 0x0, x123, x102); - let mut x130: u64 = 0; - let mut x131: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x130, &mut x131, x129, x121, x100); - let x132: u64 = ((x131 as u64) + x113); - let mut x133: u64 = 0; - let mut x134: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x133, &mut x134, 0x0, x128, x108); - let mut x135: u64 = 0; - let mut x136: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x135, &mut x136, x134, x130, x103); - let mut x137: u64 = 0; - let mut x138: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x137, &mut x138, x136, x132, (0x0 as u64)); - let x139: u64 = ((x138 as u64) + x105); - let mut x140: u64 = 0; - let mut x141: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x140, &mut x141, 0x0, x125, x110); - let mut x142: u64 = 0; - let mut x143: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x142, &mut x143, x141, x133, x111); - let mut x144: u64 = 0; - let mut x145: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x144, &mut x145, x143, x135, x106); - let mut x146: u64 = 0; - let mut x147: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x146, &mut x147, x145, x137, x98); - let mut x148: u64 = 0; - let mut x149: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x148, &mut x149, x147, x139, (0x0 as u64)); - let x150: u64 = ((x149 
as u64) + x97); - let mut x151: u64 = 0; - let mut x152: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x151, &mut x152, 0x0, x140, x116); - let mut x153: u64 = 0; - let mut x154: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x153, &mut x154, x152, x142, x114); - let mut x155: u64 = 0; - let mut x156: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x155, &mut x156, x154, x144, x109); - let mut x157: u64 = 0; - let mut x158: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x157, &mut x158, x156, x146, x101); - let mut x159: u64 = 0; - let mut x160: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x159, &mut x160, x158, x148, (0x0 as u64)); - let mut x161: u64 = 0; - let mut x162: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x161, &mut x162, x160, x150, (0x0 as u64)); - let mut x163: u64 = 0; - let mut x164: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x163, &mut x164, 0x0, x127, x118); - let mut x165: u64 = 0; - let mut x166: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x165, &mut x166, x164, x151, x119); - let mut x167: u64 = 0; - let mut x168: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x167, &mut x168, x166, x153, x117); - let mut x169: u64 = 0; - let mut x170: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x169, &mut x170, x168, x155, x112); - let mut x171: u64 = 0; - let mut x172: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x171, &mut x172, x170, x157, x104); - let mut x173: u64 = 0; - let mut x174: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x173, &mut x174, x172, x159, x96); - let mut x175: u64 = 0; - let mut x176: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut 
x175, &mut x176, x174, x161, (0x0 as u64)); - let mut x177: u64 = 0; - let mut x178: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x177, &mut x178, 0x0, x163, x124); - let mut x179: u64 = 0; - let mut x180: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x179, &mut x180, x178, x165, x122); - let mut x181: u64 = 0; - let mut x182: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x181, &mut x182, x180, x167, x120); - let mut x183: u64 = 0; - let mut x184: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x183, &mut x184, x182, x169, x115); - let mut x185: u64 = 0; - let mut x186: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x185, &mut x186, x184, x171, x107); - let mut x187: u64 = 0; - let mut x188: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x187, &mut x188, x186, x173, x99); - let mut x189: u64 = 0; - let mut x190: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x189, &mut x190, x188, x175, (0x0 as u64)); - let mut x191: u64 = 0; - let mut x192: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x191, &mut x192, 0x26, x92); - let mut x193: u64 = 0; - let mut x194: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x193, &mut x194, 0x26, x90); - let mut x195: u64 = 0; - let mut x196: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x195, &mut x196, 0x26, x88); - let mut x197: u64 = 0; - let mut x198: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x197, &mut x198, 0x0, x82, x193); - let mut x199: u64 = 0; - let mut x200: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x199, &mut x200, x198, x84, x191); - let mut x201: u64 = 0; - let mut x202: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x201, &mut x202, 0x26, x94); - let mut x203: u64 = 0; - let mut x204: fiat_curve25519_solinas_u1 = 0; - 
fiat_curve25519_solinas_addcarryx_u64(&mut x203, &mut x204, x200, x86, x201); - let mut x205: u64 = 0; - let mut x206: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x205, &mut x206, 0x26, x94); - let x207: u64 = ((x204 as u64) + x206); - let mut x208: u64 = 0; - let mut x209: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x208, &mut x209, 0x0, x31, x195); - let mut x210: u64 = 0; - let mut x211: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x210, &mut x211, x209, x197, x196); - let mut x212: u64 = 0; - let mut x213: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x212, &mut x213, x211, x199, x194); - let mut x214: u64 = 0; - let mut x215: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x214, &mut x215, x213, x203, x192); - let x216: u64 = ((x215 as u64) + x207); - let mut x217: u64 = 0; - let mut x218: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x217, &mut x218, 0x26, x216); - let mut x219: u64 = 0; - let mut x220: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x219, &mut x220, 0x0, x208, x217); - let mut x221: u64 = 0; - let mut x222: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x221, &mut x222, x220, x210, (0x0 as u64)); - let mut x223: u64 = 0; - let mut x224: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x223, &mut x224, x222, x212, (0x0 as u64)); - let mut x225: u64 = 0; - let mut x226: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x225, &mut x226, x224, x214, (0x0 as u64)); - let mut x227: u64 = 0; - fiat_curve25519_solinas_cmovznz_u64(&mut x227, x226, (0x0 as u64), 0x26); - let mut x228: u64 = 0; - let mut x229: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x228, &mut x229, 0x0, x227, x219); - let mut x230: u64 = 0; - let mut x231: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut 
x230, &mut x231, 0x26, x189); - let mut x232: u64 = 0; - let mut x233: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x232, &mut x233, 0x26, x187); - let mut x234: u64 = 0; - let mut x235: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x234, &mut x235, 0x26, x185); - let mut x236: u64 = 0; - let mut x237: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x236, &mut x237, 0x26, x183); - let mut x238: u64 = 0; - let mut x239: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x238, &mut x239, 0x0, x177, x234); - let mut x240: u64 = 0; - let mut x241: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x240, &mut x241, x239, x179, x232); - let mut x242: u64 = 0; - let mut x243: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x242, &mut x243, x241, x181, x230); - let x244: u64 = ((x243 as u64) + x231); - let mut x245: u64 = 0; - let mut x246: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x245, &mut x246, 0x0, x126, x236); - let mut x247: u64 = 0; - let mut x248: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x247, &mut x248, x246, x238, x237); - let mut x249: u64 = 0; - let mut x250: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x249, &mut x250, x248, x240, x235); - let mut x251: u64 = 0; - let mut x252: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x251, &mut x252, x250, x242, x233); - let x253: u64 = ((x252 as u64) + x244); - let mut x254: u64 = 0; - let mut x255: u64 = 0; - fiat_curve25519_solinas_mulx_u64(&mut x254, &mut x255, 0x26, x253); - let mut x256: u64 = 0; - let mut x257: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x256, &mut x257, 0x0, x245, x254); - let mut x258: u64 = 0; - let mut x259: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x258, &mut x259, x257, x247, (0x0 as u64)); - let mut 
x260: u64 = 0; - let mut x261: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x260, &mut x261, x259, x249, (0x0 as u64)); - let mut x262: u64 = 0; - let mut x263: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x262, &mut x263, x261, x251, (0x0 as u64)); - let mut x264: u64 = 0; - fiat_curve25519_solinas_cmovznz_u64(&mut x264, x263, (0x0 as u64), 0x26); - let mut x265: u64 = 0; - let mut x266: fiat_curve25519_solinas_u1 = 0; - fiat_curve25519_solinas_addcarryx_u64(&mut x265, &mut x266, 0x0, x264, x256); - out1[0] = x228; - out1[1] = x221; - out1[2] = x223; - out1[3] = x225; - out2[0] = x265; - out2[1] = x258; - out2[2] = x260; - out2[3] = x262; -} - /// The function fiat_curve25519_solinas_square squares a field element. /// /// Postconditions: diff --git a/fiat-zig/src/curve25519_solinas_64.zig b/fiat-zig/src/curve25519_solinas_64.zig index 249c384b74..c011a0a857 100644 --- a/fiat-zig/src/curve25519_solinas_64.zig +++ b/fiat-zig/src/curve25519_solinas_64.zig @@ -1,7 +1,7 @@ -// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mul mul2 square +// Autogenerated: 'src/ExtractionOCaml/solinas_reduction' --lang Zig --internal-static --public-function-case camelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case UpperCamelCase --no-prefix-fiat --package-name curve25519_solinas '' 64 '2^255 - 19' mul square // curve description (via package name): curve25519_solinas // machine_wordsize = 64 (from "64") -// requested operations: mul, mul2, square +// requested operations: mul, square // s-c = 2^255 - [(1, 19)] (from "2^255 - 19") // // Computed values: 
@@ -327,428 +327,6 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { out1[3] = x128; } -/// The function mul2 multiplies two field elements. -/// -/// Postconditions: -/// eval out1 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg1 * eval arg2) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 -/// eval out2 mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 = (eval arg3 * eval arg4) mod 57896044618658097711785492504343953926634992332820282019728792003956564819949 -/// -/// Input Bounds: -/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// Output Bounds: -/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -/// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -pub fn mul2(out1: *[4]u64, out2: *[4]u64, arg1: [4]u64, arg2: [4]u64, arg3: [4]u64, arg4: [4]u64) void { - @setRuntimeSafety(mode == .Debug); - - var x1: u64 = undefined; - var x2: u64 = undefined; - mulxU64(&x1, &x2, (arg1[3]), (arg2[3])); - var x3: u64 = undefined; - var x4: u64 = undefined; - mulxU64(&x3, &x4, (arg1[3]), (arg2[2])); - var x5: u64 = undefined; - var x6: u64 = undefined; - mulxU64(&x5, &x6, (arg1[3]), (arg2[1])); - var x7: u64 = undefined; - var x8: u64 = undefined; - mulxU64(&x7, &x8, (arg1[3]), (arg2[0])); - var x9: u64 = undefined; - var x10: u64 = undefined; - 
mulxU64(&x9, &x10, (arg1[2]), (arg2[3])); - var x11: u64 = undefined; - var x12: u64 = undefined; - mulxU64(&x11, &x12, (arg1[2]), (arg2[2])); - var x13: u64 = undefined; - var x14: u64 = undefined; - mulxU64(&x13, &x14, (arg1[2]), (arg2[1])); - var x15: u64 = undefined; - var x16: u64 = undefined; - mulxU64(&x15, &x16, (arg1[2]), (arg2[0])); - var x17: u64 = undefined; - var x18: u64 = undefined; - mulxU64(&x17, &x18, (arg1[1]), (arg2[3])); - var x19: u64 = undefined; - var x20: u64 = undefined; - mulxU64(&x19, &x20, (arg1[1]), (arg2[2])); - var x21: u64 = undefined; - var x22: u64 = undefined; - mulxU64(&x21, &x22, (arg1[1]), (arg2[1])); - var x23: u64 = undefined; - var x24: u64 = undefined; - mulxU64(&x23, &x24, (arg1[1]), (arg2[0])); - var x25: u64 = undefined; - var x26: u64 = undefined; - mulxU64(&x25, &x26, (arg1[0]), (arg2[3])); - var x27: u64 = undefined; - var x28: u64 = undefined; - mulxU64(&x27, &x28, (arg1[0]), (arg2[2])); - var x29: u64 = undefined; - var x30: u64 = undefined; - mulxU64(&x29, &x30, (arg1[0]), (arg2[1])); - var x31: u64 = undefined; - var x32: u64 = undefined; - mulxU64(&x31, &x32, (arg1[0]), (arg2[0])); - var x33: u64 = undefined; - var x34: u1 = undefined; - addcarryxU64(&x33, &x34, 0x0, x28, x7); - var x35: u64 = undefined; - var x36: u1 = undefined; - addcarryxU64(&x35, &x36, x34, x26, x5); - const x37 = (cast(u64, x36) + x18); - var x38: u64 = undefined; - var x39: u1 = undefined; - addcarryxU64(&x38, &x39, 0x0, x33, x13); - var x40: u64 = undefined; - var x41: u1 = undefined; - addcarryxU64(&x40, &x41, x39, x35, x8); - var x42: u64 = undefined; - var x43: u1 = undefined; - addcarryxU64(&x42, &x43, x41, x37, cast(u64, 0x0)); - const x44 = (cast(u64, x43) + x10); - var x45: u64 = undefined; - var x46: u1 = undefined; - addcarryxU64(&x45, &x46, 0x0, x30, x15); - var x47: u64 = undefined; - var x48: u1 = undefined; - addcarryxU64(&x47, &x48, x46, x38, x16); - var x49: u64 = undefined; - var x50: u1 = undefined; - addcarryxU64(&x49, 
&x50, x48, x40, x11); - var x51: u64 = undefined; - var x52: u1 = undefined; - addcarryxU64(&x51, &x52, x50, x42, x3); - var x53: u64 = undefined; - var x54: u1 = undefined; - addcarryxU64(&x53, &x54, x52, x44, cast(u64, 0x0)); - const x55 = (cast(u64, x54) + x2); - var x56: u64 = undefined; - var x57: u1 = undefined; - addcarryxU64(&x56, &x57, 0x0, x45, x21); - var x58: u64 = undefined; - var x59: u1 = undefined; - addcarryxU64(&x58, &x59, x57, x47, x19); - var x60: u64 = undefined; - var x61: u1 = undefined; - addcarryxU64(&x60, &x61, x59, x49, x14); - var x62: u64 = undefined; - var x63: u1 = undefined; - addcarryxU64(&x62, &x63, x61, x51, x6); - var x64: u64 = undefined; - var x65: u1 = undefined; - addcarryxU64(&x64, &x65, x63, x53, cast(u64, 0x0)); - var x66: u64 = undefined; - var x67: u1 = undefined; - addcarryxU64(&x66, &x67, x65, x55, cast(u64, 0x0)); - var x68: u64 = undefined; - var x69: u1 = undefined; - addcarryxU64(&x68, &x69, 0x0, x32, x23); - var x70: u64 = undefined; - var x71: u1 = undefined; - addcarryxU64(&x70, &x71, x69, x56, x24); - var x72: u64 = undefined; - var x73: u1 = undefined; - addcarryxU64(&x72, &x73, x71, x58, x22); - var x74: u64 = undefined; - var x75: u1 = undefined; - addcarryxU64(&x74, &x75, x73, x60, x17); - var x76: u64 = undefined; - var x77: u1 = undefined; - addcarryxU64(&x76, &x77, x75, x62, x9); - var x78: u64 = undefined; - var x79: u1 = undefined; - addcarryxU64(&x78, &x79, x77, x64, x1); - var x80: u64 = undefined; - var x81: u1 = undefined; - addcarryxU64(&x80, &x81, x79, x66, cast(u64, 0x0)); - var x82: u64 = undefined; - var x83: u1 = undefined; - addcarryxU64(&x82, &x83, 0x0, x68, x29); - var x84: u64 = undefined; - var x85: u1 = undefined; - addcarryxU64(&x84, &x85, x83, x70, x27); - var x86: u64 = undefined; - var x87: u1 = undefined; - addcarryxU64(&x86, &x87, x85, x72, x25); - var x88: u64 = undefined; - var x89: u1 = undefined; - addcarryxU64(&x88, &x89, x87, x74, x20); - var x90: u64 = undefined; - var x91: 
u1 = undefined; - addcarryxU64(&x90, &x91, x89, x76, x12); - var x92: u64 = undefined; - var x93: u1 = undefined; - addcarryxU64(&x92, &x93, x91, x78, x4); - var x94: u64 = undefined; - var x95: u1 = undefined; - addcarryxU64(&x94, &x95, x93, x80, cast(u64, 0x0)); - var x96: u64 = undefined; - var x97: u64 = undefined; - mulxU64(&x96, &x97, (arg3[3]), (arg4[3])); - var x98: u64 = undefined; - var x99: u64 = undefined; - mulxU64(&x98, &x99, (arg3[3]), (arg4[2])); - var x100: u64 = undefined; - var x101: u64 = undefined; - mulxU64(&x100, &x101, (arg3[3]), (arg4[1])); - var x102: u64 = undefined; - var x103: u64 = undefined; - mulxU64(&x102, &x103, (arg3[3]), (arg4[0])); - var x104: u64 = undefined; - var x105: u64 = undefined; - mulxU64(&x104, &x105, (arg3[2]), (arg4[3])); - var x106: u64 = undefined; - var x107: u64 = undefined; - mulxU64(&x106, &x107, (arg3[2]), (arg4[2])); - var x108: u64 = undefined; - var x109: u64 = undefined; - mulxU64(&x108, &x109, (arg3[2]), (arg4[1])); - var x110: u64 = undefined; - var x111: u64 = undefined; - mulxU64(&x110, &x111, (arg3[2]), (arg4[0])); - var x112: u64 = undefined; - var x113: u64 = undefined; - mulxU64(&x112, &x113, (arg3[1]), (arg4[3])); - var x114: u64 = undefined; - var x115: u64 = undefined; - mulxU64(&x114, &x115, (arg3[1]), (arg4[2])); - var x116: u64 = undefined; - var x117: u64 = undefined; - mulxU64(&x116, &x117, (arg3[1]), (arg4[1])); - var x118: u64 = undefined; - var x119: u64 = undefined; - mulxU64(&x118, &x119, (arg3[1]), (arg4[0])); - var x120: u64 = undefined; - var x121: u64 = undefined; - mulxU64(&x120, &x121, (arg3[0]), (arg4[3])); - var x122: u64 = undefined; - var x123: u64 = undefined; - mulxU64(&x122, &x123, (arg3[0]), (arg4[2])); - var x124: u64 = undefined; - var x125: u64 = undefined; - mulxU64(&x124, &x125, (arg3[0]), (arg4[1])); - var x126: u64 = undefined; - var x127: u64 = undefined; - mulxU64(&x126, &x127, (arg3[0]), (arg4[0])); - var x128: u64 = undefined; - var x129: u1 = undefined; - 
addcarryxU64(&x128, &x129, 0x0, x123, x102); - var x130: u64 = undefined; - var x131: u1 = undefined; - addcarryxU64(&x130, &x131, x129, x121, x100); - const x132 = (cast(u64, x131) + x113); - var x133: u64 = undefined; - var x134: u1 = undefined; - addcarryxU64(&x133, &x134, 0x0, x128, x108); - var x135: u64 = undefined; - var x136: u1 = undefined; - addcarryxU64(&x135, &x136, x134, x130, x103); - var x137: u64 = undefined; - var x138: u1 = undefined; - addcarryxU64(&x137, &x138, x136, x132, cast(u64, 0x0)); - const x139 = (cast(u64, x138) + x105); - var x140: u64 = undefined; - var x141: u1 = undefined; - addcarryxU64(&x140, &x141, 0x0, x125, x110); - var x142: u64 = undefined; - var x143: u1 = undefined; - addcarryxU64(&x142, &x143, x141, x133, x111); - var x144: u64 = undefined; - var x145: u1 = undefined; - addcarryxU64(&x144, &x145, x143, x135, x106); - var x146: u64 = undefined; - var x147: u1 = undefined; - addcarryxU64(&x146, &x147, x145, x137, x98); - var x148: u64 = undefined; - var x149: u1 = undefined; - addcarryxU64(&x148, &x149, x147, x139, cast(u64, 0x0)); - const x150 = (cast(u64, x149) + x97); - var x151: u64 = undefined; - var x152: u1 = undefined; - addcarryxU64(&x151, &x152, 0x0, x140, x116); - var x153: u64 = undefined; - var x154: u1 = undefined; - addcarryxU64(&x153, &x154, x152, x142, x114); - var x155: u64 = undefined; - var x156: u1 = undefined; - addcarryxU64(&x155, &x156, x154, x144, x109); - var x157: u64 = undefined; - var x158: u1 = undefined; - addcarryxU64(&x157, &x158, x156, x146, x101); - var x159: u64 = undefined; - var x160: u1 = undefined; - addcarryxU64(&x159, &x160, x158, x148, cast(u64, 0x0)); - var x161: u64 = undefined; - var x162: u1 = undefined; - addcarryxU64(&x161, &x162, x160, x150, cast(u64, 0x0)); - var x163: u64 = undefined; - var x164: u1 = undefined; - addcarryxU64(&x163, &x164, 0x0, x127, x118); - var x165: u64 = undefined; - var x166: u1 = undefined; - addcarryxU64(&x165, &x166, x164, x151, x119); - var x167: 
u64 = undefined; - var x168: u1 = undefined; - addcarryxU64(&x167, &x168, x166, x153, x117); - var x169: u64 = undefined; - var x170: u1 = undefined; - addcarryxU64(&x169, &x170, x168, x155, x112); - var x171: u64 = undefined; - var x172: u1 = undefined; - addcarryxU64(&x171, &x172, x170, x157, x104); - var x173: u64 = undefined; - var x174: u1 = undefined; - addcarryxU64(&x173, &x174, x172, x159, x96); - var x175: u64 = undefined; - var x176: u1 = undefined; - addcarryxU64(&x175, &x176, x174, x161, cast(u64, 0x0)); - var x177: u64 = undefined; - var x178: u1 = undefined; - addcarryxU64(&x177, &x178, 0x0, x163, x124); - var x179: u64 = undefined; - var x180: u1 = undefined; - addcarryxU64(&x179, &x180, x178, x165, x122); - var x181: u64 = undefined; - var x182: u1 = undefined; - addcarryxU64(&x181, &x182, x180, x167, x120); - var x183: u64 = undefined; - var x184: u1 = undefined; - addcarryxU64(&x183, &x184, x182, x169, x115); - var x185: u64 = undefined; - var x186: u1 = undefined; - addcarryxU64(&x185, &x186, x184, x171, x107); - var x187: u64 = undefined; - var x188: u1 = undefined; - addcarryxU64(&x187, &x188, x186, x173, x99); - var x189: u64 = undefined; - var x190: u1 = undefined; - addcarryxU64(&x189, &x190, x188, x175, cast(u64, 0x0)); - var x191: u64 = undefined; - var x192: u64 = undefined; - mulxU64(&x191, &x192, 0x26, x92); - var x193: u64 = undefined; - var x194: u64 = undefined; - mulxU64(&x193, &x194, 0x26, x90); - var x195: u64 = undefined; - var x196: u64 = undefined; - mulxU64(&x195, &x196, 0x26, x88); - var x197: u64 = undefined; - var x198: u1 = undefined; - addcarryxU64(&x197, &x198, 0x0, x82, x193); - var x199: u64 = undefined; - var x200: u1 = undefined; - addcarryxU64(&x199, &x200, x198, x84, x191); - var x201: u64 = undefined; - var x202: u64 = undefined; - mulxU64(&x201, &x202, 0x26, x94); - var x203: u64 = undefined; - var x204: u1 = undefined; - addcarryxU64(&x203, &x204, x200, x86, x201); - var x205: u64 = undefined; - var x206: u64 = 
undefined; - mulxU64(&x205, &x206, 0x26, x94); - const x207 = (cast(u64, x204) + x206); - var x208: u64 = undefined; - var x209: u1 = undefined; - addcarryxU64(&x208, &x209, 0x0, x31, x195); - var x210: u64 = undefined; - var x211: u1 = undefined; - addcarryxU64(&x210, &x211, x209, x197, x196); - var x212: u64 = undefined; - var x213: u1 = undefined; - addcarryxU64(&x212, &x213, x211, x199, x194); - var x214: u64 = undefined; - var x215: u1 = undefined; - addcarryxU64(&x214, &x215, x213, x203, x192); - const x216 = (cast(u64, x215) + x207); - var x217: u64 = undefined; - var x218: u64 = undefined; - mulxU64(&x217, &x218, 0x26, x216); - var x219: u64 = undefined; - var x220: u1 = undefined; - addcarryxU64(&x219, &x220, 0x0, x208, x217); - var x221: u64 = undefined; - var x222: u1 = undefined; - addcarryxU64(&x221, &x222, x220, x210, cast(u64, 0x0)); - var x223: u64 = undefined; - var x224: u1 = undefined; - addcarryxU64(&x223, &x224, x222, x212, cast(u64, 0x0)); - var x225: u64 = undefined; - var x226: u1 = undefined; - addcarryxU64(&x225, &x226, x224, x214, cast(u64, 0x0)); - var x227: u64 = undefined; - cmovznzU64(&x227, x226, cast(u64, 0x0), 0x26); - var x228: u64 = undefined; - var x229: u1 = undefined; - addcarryxU64(&x228, &x229, 0x0, x227, x219); - var x230: u64 = undefined; - var x231: u64 = undefined; - mulxU64(&x230, &x231, 0x26, x189); - var x232: u64 = undefined; - var x233: u64 = undefined; - mulxU64(&x232, &x233, 0x26, x187); - var x234: u64 = undefined; - var x235: u64 = undefined; - mulxU64(&x234, &x235, 0x26, x185); - var x236: u64 = undefined; - var x237: u64 = undefined; - mulxU64(&x236, &x237, 0x26, x183); - var x238: u64 = undefined; - var x239: u1 = undefined; - addcarryxU64(&x238, &x239, 0x0, x177, x234); - var x240: u64 = undefined; - var x241: u1 = undefined; - addcarryxU64(&x240, &x241, x239, x179, x232); - var x242: u64 = undefined; - var x243: u1 = undefined; - addcarryxU64(&x242, &x243, x241, x181, x230); - const x244 = (cast(u64, x243) 
+ x231); - var x245: u64 = undefined; - var x246: u1 = undefined; - addcarryxU64(&x245, &x246, 0x0, x126, x236); - var x247: u64 = undefined; - var x248: u1 = undefined; - addcarryxU64(&x247, &x248, x246, x238, x237); - var x249: u64 = undefined; - var x250: u1 = undefined; - addcarryxU64(&x249, &x250, x248, x240, x235); - var x251: u64 = undefined; - var x252: u1 = undefined; - addcarryxU64(&x251, &x252, x250, x242, x233); - const x253 = (cast(u64, x252) + x244); - var x254: u64 = undefined; - var x255: u64 = undefined; - mulxU64(&x254, &x255, 0x26, x253); - var x256: u64 = undefined; - var x257: u1 = undefined; - addcarryxU64(&x256, &x257, 0x0, x245, x254); - var x258: u64 = undefined; - var x259: u1 = undefined; - addcarryxU64(&x258, &x259, x257, x247, cast(u64, 0x0)); - var x260: u64 = undefined; - var x261: u1 = undefined; - addcarryxU64(&x260, &x261, x259, x249, cast(u64, 0x0)); - var x262: u64 = undefined; - var x263: u1 = undefined; - addcarryxU64(&x262, &x263, x261, x251, cast(u64, 0x0)); - var x264: u64 = undefined; - cmovznzU64(&x264, x263, cast(u64, 0x0), 0x26); - var x265: u64 = undefined; - var x266: u1 = undefined; - addcarryxU64(&x265, &x266, 0x0, x264, x256); - out1[0] = x228; - out1[1] = x221; - out1[2] = x223; - out1[3] = x225; - out2[0] = x265; - out2[1] = x258; - out2[2] = x260; - out2[3] = x262; -} - /// The function square squares a field element. /// /// Postconditions: diff --git a/src/Arithmetic/SolinasReduction.v b/src/Arithmetic/SolinasReduction.v index f2e0027202..993dd8125e 100644 --- a/src/Arithmetic/SolinasReduction.v +++ b/src/Arithmetic/SolinasReduction.v 
@@ -2797,59 +2797,6 @@ Module SolinasReduction.
 End squaremod.
- Section mulmod2.
-
- Definition mulmod2 base s c n (p q x y : list Z) :=
- let ans1 := mulmod base s c n p q in
- let ans2 := mulmod base s c n x y in
- (ans1, ans2).
-
- Context (base : Z)
- (s : Z)
- (c : list (Z * Z))
- (n : nat).
-
- Context (n_gt_1 : (n > 1)%nat)
- (s_pos : s > 0)
- (c_pos : Associational.eval c > 0)
- (mod_nz : s - Associational.eval c <> 0)
- (base_nz : base <> 0)
- (solinas_property : Rows.adjust_s weight (S (S n)) s = (weight n, true))
- (coef_small : weight n / s * Associational.eval c < up_bound).
-
- Lemma fst_mulmod2 (p q x y : list Z) :
- fst (mulmod2 base s c n p q x y) = mulmod base s c n p q.
- Proof.
- cbv [mulmod2].
- cbn.
- reflexivity.
- Qed.
-
- Lemma snd_mulmod2 (p q x y : list Z) :
- snd (mulmod2 base s c n p q x y) = mulmod base s c n x y.
- Proof.
- cbv [mulmod2].
- cbn.
- reflexivity.
- Qed.
-
- Theorem mulmod2_correct (p q x y : list Z) :
- let m := mulmod2 base s c n p q x y in
- Positional.eval weight n (fst m) mod (s - Associational.eval c) =
- (Positional.eval weight n p * Positional.eval weight n q) mod (s - Associational.eval c) /\
- Positional.eval weight n (snd m) mod (s - Associational.eval c) =
- (Positional.eval weight n x * Positional.eval weight n y) mod (s - Associational.eval c).
- Proof.
- intros m.
- cbv [m].
- rewrite fst_mulmod2, snd_mulmod2.
- intuition.
- apply mulmod_correct; auto.
- apply mulmod_correct; auto.
- Qed.
-
- End mulmod2.
-
 End __.
 End SolinasReduction.
diff --git a/src/COperationSpecifications.v b/src/COperationSpecifications.v
index e33f8ebcb6..fb8223ef12 100644
--- a/src/COperationSpecifications.v
+++ b/src/COperationSpecifications.v
@@ -511,16 +511,6 @@ Module SolinasReduction. ((eval (mul x y)) mod m = (eval x * eval y) mod m) /\ (list_Z_bounded_by saturated_bounds (mul x y)). - Definition mul2_correct - (mul2 : list Z -> list Z -> list Z -> list Z -> ((list Z) * (list Z))) := - forall x y z w, - list_Z_bounded_by saturated_bounds x -> - list_Z_bounded_by saturated_bounds y -> - list_Z_bounded_by saturated_bounds z -> - list_Z_bounded_by saturated_bounds w -> - ((eval (fst (mul2 x y z w))) mod m = (eval x * eval y) mod m) /\ - ((eval (snd (mul2 x y z w))) mod m = (eval z * eval w) mod m). - Definition sqr_correct (sqr : list Z -> list Z) := forall x, diff --git a/src/PushButtonSynthesis/SolinasReduction.v b/src/PushButtonSynthesis/SolinasReduction.v index 7bff6e6a16..3066dbe357 100644 --- a/src/PushButtonSynthesis/SolinasReduction.v +++ b/src/PushButtonSynthesis/SolinasReduction.v @@ -58,7 +58,6 @@ Local Coercion Z.pos : positive >-> Z. Local Set Keyed Unification. (* needed for making [autorewrite] fast, c.f. COQBUG(https://github.com/coq/coq/issues/9283) *) Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *) -Local Opaque reified_mul2_gen. Local Opaque reified_square_gen. (* needed for making [autorewrite] with [Set Keyed Unification] fast *) Local Opaque expr.Interp. @@ -177,18 +176,6 @@ Section __. (Some boundsn, (Some boundsn, tt)) (Some boundsn). - Definition mul2 - := Pipeline.BoundsPipeline - false (* subst01 *) - possible_values - (reified_mul2_gen - @ GallinaReify.Reify base - @ GallinaReify.Reify s - @ GallinaReify.Reify c - @ GallinaReify.Reify n) - (Some boundsn, (Some boundsn, (Some boundsn, (Some boundsn, tt)))) - (Some boundsn, Some boundsn). - Definition square := Pipeline.BoundsPipeline false (* subst01 *) 
@@ -210,15 +197,6 @@ Section __. (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string) (mul_correct weightf n m boundsn)). - Definition smul2 (prefix : string) - : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _)) - := Eval cbv beta in - FromPipelineToString! - machine_wordsize prefix "mul2" mul2 - (docstring_with_summary_from_lemma! - (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string) - (mul2_correct weightf n m boundsn)). - Definition ssquare (prefix : string) : string * (Pipeline.M (Pipeline.ExtendedSynthesisResult _)) := Eval cbv beta in @@ -248,15 +226,6 @@ Section __. Lemma Wf_mul res (Hres : mul = Success res) : Wf res. Proof using Type. prove_pipeline_wf (). Qed. - Lemma mul2_correct res - (Hres : mul2 = Success res) - : mul2_correct weight n m boundsn (Interp res). - Proof using curve_good. - Admitted. - - Lemma Wf_mul2 res (Hres : mul2 = Success res) : Wf res. - Proof using Type. prove_pipeline_wf (). Qed. - Lemma square_correct res (Hres : square = Success res) : sqr_correct weight n m boundsn (Interp res). @@ -278,7 +247,7 @@ Section __. Local Open Scope list_scope. Definition known_functions - := [("mul", wrap_s smul); ("mul2", wrap_s smul2); ("square", wrap_s ssquare)]. + := [("mul", wrap_s smul); ("square", wrap_s ssquare)]. Definition valid_names : string := Eval compute in String.concat ", " (List.map (@fst _ _) known_functions). diff --git a/src/PushButtonSynthesis/SolinasReductionReificationCache.v b/src/PushButtonSynthesis/SolinasReductionReificationCache.v index dacf2442fe..f956c54381 100644 --- a/src/PushButtonSynthesis/SolinasReductionReificationCache.v +++ b/src/PushButtonSynthesis/SolinasReductionReificationCache.v 
@@ -34,11 +34,6 @@ Module Export SolinasReduction. As reified_mul_gen_correct. Proof. Time cache_reify (). Time Qed. - Derive reified_mul2_gen - SuchThat (is_reification_of reified_mul2_gen mulmod2) - As reified_mul2_gen_correct. - Proof. Time cache_reify (). Time Qed. - Derive reified_square_gen SuchThat (is_reification_of reified_square_gen squaremod) As reified_square_gen_correct. @@ -52,14 +47,6 @@ Module Export SolinasReduction. Hint Rewrite (proj1 reified_mul_gen_correct) : interp_gen_cache. Local Opaque reified_mul_gen. (* needed for making [autorewrite] not take a very long time *) - #[global] - Hint Extern 1 (_ = _) => apply_cached_reification mulmod2 (proj1 reified_mul2_gen) : reify_cache_gen. - #[global] - Hint Immediate (proj2 reified_mul2_gen_correct) : wf_gen_cache. - #[global] - Hint Rewrite (proj1 reified_mul2_gen_correct) : interp_gen_cache. - Local Opaque reified_mul2_gen. (* needed for making [autorewrite] not take a very long time *) - #[global] Hint Extern 1 (_ = _) => apply_cached_reification squaremod (proj1 reified_square_gen) : reify_cache_gen. #[global] diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v index fd08b2fd38..a38603e14f 100644 --- a/src/SlowPrimeSynthesisExamples.v +++ b/src/SlowPrimeSynthesisExamples.v 
@@ -50,118 +50,6 @@ Local Existing Instances Local Instance : unfold_value_barrier_opt := true. Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction. -Module debugging_solinas_reduction. - - Import SolinasReduction.SolinasReduction. - - Section __. - - Context (machine_wordsize := 64) - (weight := UniformWeight.uweight machine_wordsize) - (up_bound := 2 ^ (machine_wordsize / 4)) - {wprops : @weight_properties weight}. - - Definition dual_map {A B : Type} (f : A -> B -> bool) (l1 : list A) (l2 : list B) := - map (fun x => (f (fst x) (snd x))) (combine l1 l2). - Definition fold_andb_map' {A B : Type} (f : A -> B -> bool) (ls1 : list A) (ls2 : list B) := - fold_right andb true (dual_map f ls1 ls2). - Definition is_bounded_by bounds ls := - fold_andb_map' (fun r v'' => (fst r <=? v'') && (v'' <=? snd r)) bounds ls. - - Import Associational. - Import Positional. - Import SolinasReduction. - - End __. - - Section compile. - - Let s := 2^255. - Let c := [(1, 19)]. - Let machine_wordsize := 64. - Let n : nat := Z.to_nat (Qceiling (Z.log2_up s / machine_wordsize)). - Let m : nat := 2 * n. - Let w : nat -> Z := weight machine_wordsize 1. - Let base : Z := 2 ^ machine_wordsize. - - Let bound := Some r[0 ~> (2^machine_wordsize - 1)]%zrange. - Let bound' := Some r[0 ~> (2^machine_wordsize +39)]%zrange. - Let boundsn : list (ZRange.type.option.interp base.type.Z) - := repeat bound (n). - - Import Stringification.C.Compilers. - Import Stringification.C.Compilers.ToString. - - Local Existing Instances ToString.C.OutputCAPI Pipeline.show_ErrorMessage. - - Let possible_values := prefix_with_carry [machine_wordsize]. - Local Instance : use_mul_for_cmovznz_opt := false. - Local Instance : machine_wordsize_opt := machine_wordsize. (* for show *) - Local Instance : no_select_size_opt := no_select_size_of_no_select machine_wordsize. - Local Instance : split_mul_to_opt := split_mul_to_of_should_split_mul machine_wordsize possible_values. 
- Local Instance : split_multiret_to_opt := split_multiret_to_of_should_split_multiret machine_wordsize possible_values. - - Let bounds := repeat bound n ++ [Some r[0 ~> 1]%zrange]. - Let bound1 := Some r[0~>1]%zrange. - - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (SolinasReduction.reduce3 base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound n ++ [bound1]), tt) - (Some (repeat bound n)) - (None, tt) - (None) - : Pipeline.ErrorT _). - - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "mul" - false - false - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (SolinasReduction.mulmod base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound n), (Some (repeat bound n), tt)) - (Some (repeat bound n)) - (None, (None, tt)) - (None) - : Pipeline.ErrorT _). - - Time Compute - Show.show - (Pipeline.BoundsPipelineToString - "fiat" "sqr" - false - false - possible_values - machine_wordsize - ltac:(let n := (eval cbv in n) in - let r := Reify (SolinasReduction.squaremod base s c n) in - exact r) - (fun _ _ => []) - (Some (repeat bound n), tt) - (Some (repeat bound n)) - (None, tt) - (None) - : Pipeline.ErrorT _). - - End compile. - -End debugging_solinas_reduction. - Module debugging_go_bits_add. Import Stringification.Go. Section __. From 7a682188cef9da564f9a35a9dc541448360afd6d Mon Sep 17 00:00:00 2001 From: Andres Erbsen Date: Thu, 10 Nov 2022 12:13:17 -0500 Subject: [PATCH 67/69] fix proofs --- src/Assembly/Symbolic.v | 4 +++- src/Assembly/WithBedrock/SymbolicProofs.v | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/Assembly/Symbolic.v b/src/Assembly/Symbolic.v index 42135519f2..3985f58bfb 100644 --- a/src/Assembly/Symbolic.v +++ b/src/Assembly/Symbolic.v 
@@ -3296,8 +3296,10 @@ Definition SymexNormalInstruction {descr:description} (instr : NormalInstruction SetOperand a vb | cmovc, [dst; src] | cmovb, [dst; src] + | cmovo, [dst; src] => - v <- Symeval (selectznz@(CF, dst, src)); + let flag := match instr.(Syntax.op) with cmovo => OF | _ => CF end in + v <- Symeval (selectznz@(flag, dst, src)); SetOperand dst v | cmovnz, [dst; src] => v <- Symeval (selectznz@(ZF, src, dst)); diff --git a/src/Assembly/WithBedrock/SymbolicProofs.v b/src/Assembly/WithBedrock/SymbolicProofs.v index 8621e3d8c9..8ea807a1d9 100644 --- a/src/Assembly/WithBedrock/SymbolicProofs.v +++ b/src/Assembly/WithBedrock/SymbolicProofs.v @@ -1266,7 +1266,7 @@ Proof using Type. Unshelve. all : match goal with H : context[Syntax.cmovc] |- _ => idtac | H : context[Syntax.cmovb] |- _ => idtac | H : context[Syntax.cmovo] |- _=> idtac | _ => shelve end. (* cmovc / cmovb / cmovo *) - all: destruct vCF; cbn [negb Z.b2z Z.eqb] in *; eauto 9; []. + all: (destruct vCF||destruct vOF); cbn [negb Z.b2z Z.eqb] in *; eauto 9; []. all: enough (m = m0) by (subst; eauto 9). all: clear -Hm0 Hv frame G ; eauto using SetOperand_same. all: fail. From 49b71dd44565ab489c9b0026e5827b319d2a54b2 Mon Sep 17 00:00:00 2001 From: Jason Gross Date: Fri, 11 Nov 2022 12:50:10 -0500 Subject: [PATCH 68/69] Empty timing commit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
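Review bot: The new `cmovo` arm obtains its flag through a catch-all `match instr.(Syntax.op) with cmovo => OF | _ => CF end`, so any further mnemonic later added to this shared `cmovc`/`cmovb`/`cmovo` pattern is silently modelled on CF unless that inner match is updated too; because this function defines what the equivalence checker believes each instruction computes, a wrong flag here is a specification error that only the separate SymbolicProofs.v proof would catch. A dedicated arm avoids the default: `| cmovo, [dst; src] => v <- Symeval (selectznz@(OF, dst, src)); SetOperand dst v`. Either way a one-line comment stating the convention would help a reader, e.g. `(* cmovcc dst, src: dst := src when the flag is set, else unchanged; cmovc/cmovb test CF, cmovo tests OF *)` (reading `selectznz` as the zero-test select also used for `cmovnz` just below). This arm also presumes OF is populated by the symbolic execution of the preceding arithmetic instruction, which I cannot confirm from this hunk. SymexNormalInstruction begins and ends outside the hunk.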
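Review bot: `all: (destruct vCF||destruct vOF)` selects the flag hypothesis by trial order rather than by which cmov case the goal belongs to, so in the `cmovo` goal it would still destruct `vCF` if that hypothesis happens to be in scope there, leaving the OF select unreduced for the trailing `eauto 9; []`; whether both hypotheses coexist in that goal is not visible in this hunk. The preceding line already dispatches on `Syntax.cmovo` with `match goal`, so the same selector could choose explicitly: `all: lazymatch goal with H : context[Syntax.cmovo] |- _ => destruct vOF | _ => destruct vCF end; cbn [negb Z.b2z Z.eqb] in *; eauto 9; [].` The enclosing proof script starts before and ends after the hunk.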
Timing Diff

``` Time | Peak Mem | File Name ---------------------------------------------------------------------------------------------------------------------------------------- 223m54.67s | 4379108 ko | Total Time / Peak Mem ---------------------------------------------------------------------------------------------------------------------------------------- 10m08.34s | 2582048 ko | Bedrock/End2End/X25519/GarageDoor.vo 7m09.75s | 2070516 ko | Curves/Weierstrass/AffineProofs.vo 5m30.49s | 2649632 ko | Bedrock/Field/Synthesis/Examples/p224_64_new.vo 4m48.99s | 1586816 ko | Curves/EdwardsMontgomery.vo 4m36.54s | 1013768 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb.vo 4m29.40s | 2077784 ko | Rewriter/Passes/ArithWithCasts.vo 4m22.77s | 970992 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeByExtension.vo 4m17.69s | 2500784 ko | Assembly/WithBedrock/Proofs.vo 3m08.47s | 780968 ko | rupicola/bedrock2/compiler/src/compiler/FlattenExpr.vo 3m06.05s | 2930324 ko | rupicola/bedrock2/compiler/src/compiler/FlatToRiscvFunctions.vo 3m02.11s | 1448680 ko | Curves/Weierstrass/Projective.vo 2m54.94s | 1445232 ko | Curves/Montgomery/XZProofs.vo 2m44.66s | 1443324 ko | Curves/Montgomery/AffineProofs.vo 2m40.83s | 1603160 ko | Rewriter/Passes/NBE.vo 2m40.62s | 1069136 ko | Fancy/Compiler.vo 2m13.11s | 1561880 ko | Rewriter/Passes/ToFancyWithCasts.vo 2m11.63s | 1144924 ko | Rewriter/Rewriter/Wf.vo 2m02.81s | 2751688 ko | rupicola/bedrock2/compiler/src/compiler/FlatToRiscvMetric.vo 1m57.91s | 2007840 ko | fiat-json/src/p384_scalar_32.json 1m57.88s | 1680860 ko | fiat-go/32/p384scalar/p384scalar.go 1m56.73s | 2140160 ko | fiat-rust/src/p384_scalar_32.rs 1m56.65s | 2139664 ko | fiat-java/src/FiatP384Scalar.java 1m56.19s | 2056320 ko | fiat-go/32/p384/p384.go 1m56.18s | 2088112 ko | fiat-c/src/p384_scalar_32.c 1m55.95s | 884680 ko | AbstractInterpretation/Wf.vo 1m55.70s | 1945140 ko | fiat-java/src/FiatP384.java 1m55.44s | 1749364 ko | fiat-rust/src/p384_32.rs 
1m54.84s | 1994324 ko | fiat-json/src/p384_32.json 1m54.34s | 1931692 ko | fiat-c/src/p384_32.c 1m53.74s | 1741664 ko | fiat-bedrock2/src/p384_32.c 1m53.63s | 1834064 ko | fiat-zig/src/p384_scalar_32.zig 1m53.28s | 1586932 ko | Bedrock/End2End/X25519/Field25519.vo 1m52.79s | 1742840 ko | fiat-bedrock2/src/p384_scalar_32.c 1m49.62s | 2252340 ko | Fancy/Barrett256.vo 1m45.15s | 1816008 ko | fiat-zig/src/p384_32.zig 1m36.51s | 1510616 ko | Assembly/EquivalenceProofs.vo 1m35.50s | 840840 ko | Util/FSets/FMapTrie.vo 1m32.59s | 809000 ko | Arithmetic/SolinasReduction.vo 1m30.01s | 2053492 ko | SlowPrimeSynthesisExamples.vo 1m26.40s | 435088 ko | Spec/Test/X25519.vo 1m24.29s | 1026512 ko | PushButtonSynthesis/SolinasReductionReificationCache.vo 1m23.78s | 742088 ko | rupicola/bedrock2/compiler/src/compiler/MMIO.vo 1m21.78s | 599592 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/insertionsort.vo 1m19.33s | 1571340 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeI.vo 1m18.92s | 1122476 ko | UnsaturatedSolinasHeuristics/Tests.vo 1m11.40s | 807828 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/LAN9250.vo 1m11.12s | 1416740 ko | Assembly/WithBedrock/SymbolicProofs.vo 1m04.96s | 965848 ko | Curves/Weierstrass/Jacobian.vo 1m04.87s | 1221644 ko | Bedrock/Field/Synthesis/New/WordByWordMontgomery.vo 1m02.78s | 728256 ko | Rewriter/Language/UnderLetsProofs.vo 1m02.21s | 4379108 ko | Bedrock/End2End/RupicolaCrypto/Derive.vo 1m01.99s | 870756 ko | AbstractInterpretation/ZRangeProofs.vo 1m00.43s | 730664 ko | Rewriter/RulesProofs.vo 1m00.38s | 664996 ko | rupicola/bedrock2/compiler/src/compiler/Spilling.vo 0m59.63s | 1043980 ko | Rewriter/Passes/MultiRetSplit.vo 0m59.09s | 727676 ko | AbstractInterpretation/Proofs.vo 0m57.66s | 996136 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/VerifyDecode.vo 0m57.31s | 1389412 ko | Rewriter/Rewriter/Examples/PerfTesting/SieveOfEratosthenes.vo 0m55.85s | 1057492 ko | Rewriter/Rewriter/Examples.vo 0m54.88s | 
1092944 ko | Rewriter/Rewriter/Examples/PerfTesting/LiftLetsMap.vo 0m54.21s | 854656 ko | PushButtonSynthesis/WordByWordMontgomeryReificationCache.vo 0m53.54s | 897764 ko | Rewriter/Rewriter/InterpProofs.vo 0m52.75s | 935288 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeCSR.vo 0m52.46s | 648952 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/EncodeDecode.vo 0m49.65s | 796280 ko | Rewriter/Rewriter/ProofsCommon.vo 0m49.20s | 999708 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/swap.vo 0m48.76s | 1084892 ko | Bedrock/Field/Translation/Proofs/ValidComputable/Expr.vo 0m48.36s | 1111268 ko | Rewriter/Passes/Arith.vo 0m47.69s | 1723940 ko | Fancy/Montgomery256.vo 0m46.91s | 570392 ko | Demo.vo 0m44.54s | 2147880 ko | ExtractionOCaml/bedrock2_solinas_reduction 0m44.27s | 713180 ko | PushButtonSynthesis/UnsaturatedSolinasReificationCache.vo 0m43.08s | 2147548 ko | ExtractionOCaml/solinas_reduction 0m42.88s | 581672 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricSane.vo 0m42.72s | 1020292 ko | Bedrock/Group/ScalarMult/MontgomeryLadder.vo 0m42.31s | 2088052 ko | ExtractionOCaml/bedrock2_word_by_word_montgomery 0m41.95s | 1788048 ko | ExtractionOCaml/bedrock2_unsaturated_solinas 0m41.92s | 2084496 ko | ExtractionOCaml/with_bedrock2_word_by_word_montgomery 0m41.06s | 1788148 ko | ExtractionOCaml/with_bedrock2_unsaturated_solinas 0m39.68s | 2147996 ko | ExtractionOCaml/word_by_word_montgomery 0m38.01s | 1416928 ko | ExtractionOCaml/with_bedrock2_solinas_reduction 0m37.74s | 1687236 ko | ExtractionOCaml/unsaturated_solinas 0m36.95s | 1272952 ko | Bedrock/End2End/X25519/MontgomeryLadder.vo 0m36.93s | 1416800 ko | ExtractionOCaml/with_bedrock2_saturated_solinas 0m36.69s | 1416964 ko | ExtractionOCaml/bedrock2_saturated_solinas 0m36.57s | 1417076 ko | ExtractionOCaml/bedrock2_base_conversion 0m36.49s | 1416904 ko | ExtractionOCaml/with_bedrock2_base_conversion 0m35.26s | 882792 ko | Rewriter/Passes/MulSplit.vo 0m34.95s | 
1415852 ko | ExtractionOCaml/saturated_solinas 0m34.76s | 1415940 ko | ExtractionOCaml/base_conversion 0m34.38s | 2216436 ko | ExtractionOCaml/bedrock2_solinas_reduction.ml 0m33.70s | 2199600 ko | ExtractionOCaml/with_bedrock2_word_by_word_montgomery.ml 0m33.05s | 1327872 ko | Assembly/Symbolic.vo 0m32.69s | 2199516 ko | ExtractionOCaml/bedrock2_word_by_word_montgomery.ml 0m32.10s | 2130396 ko | ExtractionOCaml/solinas_reduction.ml 0m31.79s | 2095372 ko | ExtractionOCaml/word_by_word_montgomery.ml 0m31.49s | 607596 ko | rupicola/bedrock2/compiler/src/compiler/FlatToRiscvLiterals.vo 0m31.26s | 531452 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/EncodeBound.vo 0m30.93s | 925064 ko | Rewriter/Rewriter/Examples/PrefixSums.vo 0m30.75s | 2091876 ko | ExtractionOCaml/bedrock2_unsaturated_solinas.ml 0m30.57s | 1232184 ko | ExtractionOCaml/perf_word_by_word_montgomery 0m29.60s | 2092128 ko | ExtractionOCaml/with_bedrock2_unsaturated_solinas.ml 0m29.49s | 1487228 ko | StandaloneDebuggingExamples.vo 0m29.43s | 1232428 ko | ExtractionOCaml/perf_unsaturated_solinas 0m29.27s | 2003852 ko | ExtractionOCaml/unsaturated_solinas.ml 0m28.97s | 652808 ko | rupicola/src/Rupicola/Examples/Utf8/Utf8.vo 0m28.40s | 680816 ko | Rewriter/Language/Wf.vo 0m26.55s | 2033624 ko | ExtractionOCaml/with_bedrock2_base_conversion.ml 0m26.50s | 2033204 ko | ExtractionOCaml/bedrock2_base_conversion.ml 0m26.41s | 2007792 ko | ExtractionOCaml/with_bedrock2_saturated_solinas.ml 0m26.37s | 494160 ko | Arithmetic/Saturated.vo 0m25.97s | 2007684 ko | ExtractionOCaml/with_bedrock2_solinas_reduction.ml 0m25.92s | 2007728 ko | ExtractionOCaml/bedrock2_saturated_solinas.ml 0m25.21s | 1175276 ko | PushButtonSynthesis/WordByWordMontgomery.vo 0m25.07s | 1139080 ko | PushButtonSynthesis/UnsaturatedSolinas.vo 0m24.69s | 1888216 ko | ExtractionOCaml/base_conversion.ml 0m24.41s | 1874588 ko | ExtractionOCaml/saturated_solinas.ml 0m24.35s | 882748 ko | Rewriter/Rewriter/Examples/PerfTesting/Plus0Tree.vo 
0m23.83s | 1355992 ko | Bedrock/End2End/RupicolaCrypto/Low.vo 0m23.11s | 802276 ko | Bedrock/Field/Translation/Proofs/Expr.vo 0m22.27s | 671072 ko | rupicola/bedrock2/compiler/src/compiler/FlatImp.vo 0m20.87s | 690696 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/memmove.vo 0m20.34s | 628972 ko | Util/FSets/FMapBool.vo 0m19.74s | 1796028 ko | ExtractionOCaml/perf_unsaturated_solinas.ml 0m19.66s | 742400 ko | Bedrock/Field/Translation/Proofs/LoadStoreList.vo 0m19.31s | 1849080 ko | ExtractionOCaml/perf_word_by_word_montgomery.ml 0m19.25s | 1098836 ko | Bedrock/Field/Translation/Proofs/Func.vo 0m19.12s | 258200 ko | fiat-go/64/p434/p434.go 0m19.01s | 245656 ko | fiat-zig/src/p434_64.zig 0m18.88s | 265704 ko | fiat-json/src/p434_64.json 0m18.77s | 290856 ko | fiat-rust/src/p434_64.rs 0m18.64s | 623532 ko | Util/FSets/FMapProd.vo 0m18.64s | 250952 ko | fiat-c/src/p434_64.c 0m18.62s | 1127392 ko | Bedrock/Field/Translation/Proofs/Cmd.vo 0m18.39s | 290164 ko | fiat-bedrock2/src/p434_64.c 0m18.25s | 575408 ko | Rewriter/Language/Inversion.vo 0m18.09s | 545544 ko | rupicola/src/Rupicola/Examples/KVStore/Manual.vo 0m17.88s | 1106800 ko | Bedrock/End2End/Poly1305/Field1305.vo 0m17.83s | 454516 ko | fiat-json/src/p256_scalar_32.json 0m17.81s | 407012 ko | fiat-bedrock2/src/p256_scalar_32.c 0m17.80s | 382988 ko | fiat-json/src/secp256k1_32.json 0m17.76s | 336704 ko | fiat-rust/src/p256_scalar_32.rs 0m17.74s | 432476 ko | fiat-go/32/p256scalar/p256scalar.go 0m17.72s | 456556 ko | fiat-bedrock2/src/secp256k1_scalar_32.c 0m17.70s | 422504 ko | fiat-java/src/FiatP256Scalar.java 0m17.69s | 434652 ko | fiat-java/src/FiatSecp256K1Scalar.java 0m17.62s | 420016 ko | fiat-zig/src/secp256k1_32.zig 0m17.56s | 1169404 ko | Bedrock/Field/Synthesis/New/Signature.vo 0m17.56s | 361956 ko | fiat-java/src/FiatSecp256K1.java 0m17.48s | 530324 ko | Arithmetic/WordByWordMontgomery.vo 0m17.48s | 561708 ko | Util/FSets/FMapSum.vo 0m17.48s | 348852 ko | fiat-c/src/p256_scalar_32.c 0m17.43s | 
323304 ko | fiat-rust/src/secp256k1_32.rs 0m17.40s | 420248 ko | fiat-go/32/secp256k1/secp256k1.go 0m17.39s | 321492 ko | fiat-go/32/curve25519scalar/curve25519scalar.go 0m17.38s | 342832 ko | fiat-zig/src/secp256k1_scalar_32.zig 0m17.36s | 819248 ko | Curves/Edwards/XYZT/Basic.vo 0m17.36s | 404864 ko | fiat-java/src/FiatCurve25519Scalar.java 0m17.35s | 384716 ko | fiat-bedrock2/src/secp256k1_32.c 0m17.23s | 400796 ko | fiat-bedrock2/src/curve25519_scalar_32.c 0m17.23s | 403696 ko | fiat-json/src/curve25519_scalar_32.json 0m17.22s | 320720 ko | fiat-c/src/secp256k1_scalar_32.c 0m17.15s | 341052 ko | fiat-rust/src/curve25519_scalar_32.rs 0m17.11s | 454308 ko | fiat-json/src/secp256k1_scalar_32.json 0m17.06s | 2026296 ko | ExtractionHaskell/with_bedrock2_word_by_word_montgomery.hs 0m17.04s | 613948 ko | Util/ZUtil/ArithmeticShiftr.vo 0m17.01s | 2026308 ko | ExtractionHaskell/bedrock2_word_by_word_montgomery.hs 0m16.97s | 354652 ko | fiat-zig/src/curve25519_scalar_32.zig 0m16.94s | 332876 ko | fiat-c/src/curve25519_scalar_32.c 0m16.91s | 423796 ko | fiat-go/32/secp256k1scalar/secp256k1scalar.go 0m16.87s | 352580 ko | fiat-zig/src/p256_scalar_32.zig 0m16.79s | 450500 ko | fiat-json/src/p256_32.json 0m16.79s | 330388 ko | fiat-zig/src/p256_32.zig 0m16.77s | 440428 ko | fiat-rust/src/secp256k1_scalar_32.rs 0m16.76s | 511056 ko | Arithmetic/BarrettReduction.vo 0m16.71s | 439168 ko | fiat-c/src/secp256k1_32.c 0m16.71s | 360764 ko | fiat-rust/src/p256_32.rs 0m16.66s | 353720 ko | fiat-java/src/FiatP256.java 0m16.60s | 2106956 ko | ExtractionHaskell/with_bedrock2_solinas_reduction.hs 0m16.57s | 735396 ko | Rewriter/Rewriter/Examples/PerfTesting/UnderLetsPlus0.vo 0m16.41s | 492428 ko | rupicola/bedrock2/compiler/src/compiler/RunInstruction.vo 0m16.37s | 1118888 ko | Assembly/Parse/TestAsm.vo 0m16.34s | 2106988 ko | ExtractionHaskell/bedrock2_solinas_reduction.hs 0m16.34s | 434828 ko | fiat-bedrock2/src/p256_32.c 0m16.24s | 760004 ko | Language/IdentifiersGENERATED.vo 0m16.20s 
| 322092 ko | fiat-c/src/p256_32.c 0m16.17s | 577768 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_SB.vo 0m15.94s | 340072 ko | fiat-go/32/p256/p256.go 0m15.90s | 1976128 ko | ExtractionHaskell/bedrock2_unsaturated_solinas.hs 0m15.84s | 2009512 ko | ExtractionHaskell/solinas_reduction.hs 0m15.74s | 1974264 ko | ExtractionHaskell/word_by_word_montgomery.hs 0m15.72s | 725096 ko | Curves/Edwards/AffineProofs.vo 0m15.62s | 422036 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/TestGoals.vo 0m15.28s | 1976164 ko | ExtractionHaskell/with_bedrock2_unsaturated_solinas.hs 0m15.19s | 511856 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_shift_66.vo 0m14.99s | 563848 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeA.vo 0m14.93s | 1883236 ko | ExtractionHaskell/unsaturated_solinas.hs 0m14.93s | 1895872 ko | ExtractionHaskell/with_bedrock2_base_conversion.hs 0m14.92s | 561872 ko | Util/FSets/FMapOption.vo 0m14.91s | 1895908 ko | ExtractionHaskell/bedrock2_base_conversion.hs 0m14.85s | 524792 ko | rupicola/src/Rupicola/Examples/Net/IPChecksum/IPChecksum.vo 0m14.82s | 1887564 ko | ExtractionHaskell/with_bedrock2_saturated_solinas.hs 0m14.75s | 1887676 ko | ExtractionHaskell/bedrock2_saturated_solinas.hs 0m14.69s | 457720 ko | Algebra/Field.vo 0m14.57s | 482100 ko | Arithmetic/Core.vo 0m14.49s | 591056 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeI64.vo 0m14.41s | 485848 ko | rupicola/src/Rupicola/Examples/Arrays.vo 0m14.30s | 458060 ko | Util/Structures/Orders/Prod.vo 0m14.29s | 494260 ko | rupicola/src/Rupicola/Examples/CMove/CMove.vo 0m14.23s | 591172 ko | Language/IdentifiersGENERATEDProofs.vo 0m14.21s | 1801532 ko | ExtractionHaskell/base_conversion.hs 0m14.18s | 591752 ko | Bedrock/Field/Common/Util.vo 0m14.16s | 672328 ko | Bedrock/Group/AdditionChains.vo 0m14.14s | 595068 ko | Util/ZRange/LandLorBounds.vo 0m14.00s | 488028 ko | rupicola/src/Rupicola/Examples/Loops.vo 0m13.82s | 
664304 ko | Bedrock/Group/ScalarMult/LadderStep.vo 0m13.81s | 1782532 ko | ExtractionHaskell/saturated_solinas.hs 0m13.47s | 1005948 ko | BoundsPipeline.vo 0m13.47s | 537168 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeA64.vo 0m13.38s | 479352 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/SepAutoArrayTests.vo 0m12.85s | 480036 ko | rupicola/bedrock2/compiler/src/compiler/FlatToRiscvCommon.vo 0m12.36s | 637692 ko | Rewriter/Demo.vo 0m11.44s | 185744 ko | fiat-json/src/p384_scalar_64.json 0m11.39s | 162784 ko | fiat-go/64/p384scalar/p384scalar.go 0m11.36s | 146508 ko | fiat-rust/src/p384_scalar_64.rs 0m11.26s | 143700 ko | fiat-zig/src/p384_scalar_64.zig 0m11.26s | 541144 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeM.vo 0m11.22s | 650112 ko | rupicola/bedrock2/compiler/src/compiler/SpillingMapGoals.vo 0m11.14s | 212092 ko | fiat-bedrock2/src/p384_scalar_64.c 0m11.12s | 165616 ko | fiat-c/src/p384_scalar_64.c 0m11.08s | 727260 ko | Assembly/Syntax.vo 0m10.79s | 473528 ko | Primitives/MxDHRepChange.vo 0m10.78s | 505320 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_UJ.vo 0m10.72s | 1301088 ko | Bedrock/End2End/X25519/MontgomeryLadderProperties.vo 0m10.69s | 608996 ko | Bedrock/Field/Translation/Proofs/Flatten.vo 0m10.57s | 456848 ko | Util/Structures/Orders/List.vo 0m10.21s | 548816 ko | rupicola/bedrock2/compiler/src/compiler/ToplevelLoop.vo 0m10.15s | 590472 ko | Stringification/IR.vo 0m10.12s | 445140 ko | Algebra/Ring.vo 0m09.97s | 561144 ko | PushButtonSynthesis/BarrettReductionReificationCache.vo 0m09.90s | 577068 ko | PushButtonSynthesis/BYInversionReificationCache.vo 0m09.87s | 182216 ko | fiat-json/src/p384_64.json 0m09.77s | 144620 ko | fiat-rust/src/p384_64.rs 0m09.67s | 651068 ko | Bedrock/Group/ScalarMult/CSwap.vo 0m09.66s | 171076 ko | fiat-go/64/p384/p384.go 0m09.65s | 232968 ko | fiat-json/src/p224_32.json 0m09.58s | 190272 ko | fiat-bedrock2/src/p384_64.c 0m09.57s | 271980 ko | 
fiat-bedrock2/src/p224_32.c 0m09.57s | 268048 ko | fiat-java/src/FiatP224.java 0m09.50s | 497584 ko | Arithmetic/BarrettReduction/Generalized.vo 0m09.50s | 145592 ko | fiat-c/src/p384_64.c 0m09.47s | 241408 ko | fiat-go/32/p224/p224.go 0m09.43s | 237956 ko | fiat-rust/src/p224_32.rs 0m09.42s | 1001348 ko | PushButtonSynthesis/BaseConversion.vo 0m09.41s | 240824 ko | fiat-zig/src/p224_32.zig 0m09.28s | 484352 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/SPI.vo 0m09.27s | 156572 ko | fiat-zig/src/p384_64.zig 0m09.24s | 505220 ko | Rewriter/Language/IdentifiersLibraryProofs.vo 0m09.24s | 230944 ko | fiat-c/src/p224_32.c 0m09.15s | 865632 ko | Assembly/Parse/Examples/fiat_p256_mul_optimised_seed12.vo 0m08.85s | 1014208 ko | PushButtonSynthesis/Primitives.vo 0m08.81s | 595964 ko | Language/IdentifiersBasicGENERATED.vo 0m08.57s | 975520 ko | PushButtonSynthesis/SmallExamples.vo 0m08.56s | 587356 ko | Rewriter/Passes/RelaxBitwidthAdcSbb.vo 0m08.52s | 461004 ko | rupicola/src/Rupicola/Examples/KVStore/Automated.vo 0m08.44s | 654016 ko | Util/FSets/FMapTrieEx.vo 0m08.40s | 123160 ko | fiat-json/src/p448_solinas_32.json 0m08.36s | 58732 ko | fiat-zig/src/p448_solinas_32.zig 0m08.26s | 533352 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/FE310CompilerDemo.vo 0m08.19s | 55508 ko | fiat-c/src/p448_solinas_32.c 0m08.17s | 451996 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/indirect_add.vo 0m08.06s | 907564 ko | Bedrock/Field/Translation/Proofs/EquivalenceProperties.vo 0m08.05s | 781392 ko | Assembly/Parse/Examples/fiat_p256_square_optimised_seed6.vo 0m08.03s | 58020 ko | fiat-rust/src/p448_solinas_32.rs 0m07.99s | 486472 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/uint128_32.vo 0m07.76s | 457688 ko | Util/ZRange/CornersMonotoneBounds.vo 0m07.61s | 1007904 ko | PushButtonSynthesis/SolinasReduction.vo 0m07.53s | 469576 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_S.vo 0m07.42s | 478380 ko | Util/ZUtil/Modulo.vo 0m07.14s | 
480144 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/bsearch.vo 0m07.01s | 470068 ko | rupicola/src/Rupicola/Examples/L64X128.vo 0m06.96s | 462888 ko | Arithmetic/FancyMontgomeryReduction.vo 0m06.96s | 456468 ko | rupicola/src/Rupicola/Examples/Expr.vo 0m06.95s | 437528 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Minimal.vo 0m06.90s | 545996 ko | PushButtonSynthesis/FancyMontgomeryReductionReificationCache.vo 0m06.84s | 458692 ko | Util/ListUtil.vo 0m06.82s | 566836 ko | Rewriter/Passes/NoSelect.vo 0m06.65s | 475248 ko | rupicola/bedrock2/compiler/src/compiler/RegAlloc.vo 0m06.57s | 1012620 ko | PushButtonSynthesis/BarrettReduction.vo 0m06.48s | 702508 ko | Assembly/Parse/Examples/fiat_p256_mul_optimised_seed4.vo 0m06.41s | 456860 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_Fence.vo 0m06.34s | 501936 ko | Arithmetic/BYInv.vo 0m06.34s | 453232 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_R_atomic.vo 0m06.32s | 470800 ko | rupicola/src/Rupicola/Examples/CapitalizeThird/Properties.vo 0m06.26s | 1069348 ko | Bedrock/Field/Synthesis/New/UnsaturatedSolinas.vo 0m06.24s | 456556 ko | Rewriter/Util/ListUtil.vo 0m06.11s | 833424 ko | Bedrock/Field/Translation/Proofs/UsedVarnames.vo 0m06.03s | 451592 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.vo 0m06.01s | 459440 ko | Util/MSets/MSetSum.vo 0m05.92s | 670884 ko | Assembly/Parse/Examples/fiat_p256_mul_optimised_seed11.vo 0m05.74s | 663564 ko | Assembly/Parse/Examples/fiat_p256_square_optimised_seed103.vo 0m05.74s | 543944 ko | PushButtonSynthesis/SaturatedSolinasReificationCache.vo 0m05.71s | 483288 ko | rupicola/bedrock2/compiler/src/compiler/EmitsValid.vo 0m05.69s | 570388 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Properties.vo 0m05.64s | 466132 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeM64.vo 0m05.63s | 446872 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/indirect_add_heapletwise.vo 0m05.61s 
| 527400 ko | Fancy/Prod.vo 0m05.57s | 457960 ko | rupicola/bedrock2/compiler/src/compiler/ExprImp.vo 0m05.46s | 620840 ko | Bedrock/End2End/RupicolaCrypto/Broadcast.vo 0m05.18s | 469248 ko | rupicola/src/Rupicola/Lib/Loops.vo 0m05.10s | 485516 ko | COperationSpecifications.vo 0m05.07s | 1089376 ko | CLI.vo 0m05.07s | 430212 ko | Spec/Curve25519.vo 0m05.00s | 459216 ko | Util/FsatzAutoLemmas.vo 0m04.98s | 552116 ko | Language/InversionExtra.vo 0m04.86s | 429220 ko | Arithmetic/MontgomeryReduction/Proofs.vo 0m04.85s | 458196 ko | rupicola/src/Rupicola/Examples/CRC32/CRC32.vo 0m04.81s | 1035264 ko | Bedrock/Field/Translation/Proofs/ValidComputable/Cmd.vo 0m04.79s | 499612 ko | Curves/Edwards/Pre.vo 0m04.72s | 453940 ko | Util/FSets/FMapIso.vo 0m04.59s | 1006668 ko | PushButtonSynthesis/SaturatedSolinas.vo 0m04.49s | 458620 ko | Util/FSets/FMapSect.vo 0m04.47s | 456664 ko | Util/ZRange/BasicLemmas.vo 0m04.40s | 440836 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_shift_57.vo 0m04.40s | 440420 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_R.vo 0m04.33s | 548708 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRFile.vo 0m04.30s | 441508 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_FenceI.vo 0m04.28s | 441568 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I.vo 0m04.27s | 473332 ko | Algebra/Field_test.vo 0m04.18s | 469344 ko | Rewriter/Language/IdentifiersBasicLibrary.vo 0m04.14s | 457676 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/memequal.vo 0m04.09s | 48280 ko | fiat-go/64/p521/p521.go 0m04.09s | 470496 ko | rupicola/bedrock2/compiler/src/compiler/LowerPipeline.vo 0m04.03s | 1017112 ko | PushButtonSynthesis/FancyMontgomeryReduction.vo 0m04.03s | 452672 ko | UnsaturatedSolinasHeuristics.vo 0m04.03s | 437088 ko | rupicola/src/Rupicola/Examples/Cells/IndirectAdd.vo 0m03.93s | 925744 ko | Assembly/Equivalence.vo 0m03.91s | 438236 ko | 
Arithmetic/BarrettReduction/HAC.vo 0m03.87s | 559152 ko | Assembly/Parse/Examples/fiat_p256_square_optimised_seed46.vo 0m03.85s | 587408 ko | Bedrock/Field/Synthesis/Generic/Bignum.vo 0m03.82s | 484084 ko | Curves/Montgomery/Affine.vo 0m03.82s | 446584 ko | rupicola/src/Rupicola/Examples/Uppercase.vo 0m03.73s | 412312 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SlowGoals.vo 0m03.70s | 433816 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalNoMul.vo 0m03.63s | 548328 ko | PushButtonSynthesis/BaseConversionReificationCache.vo 0m03.60s | 445268 ko | Util/ZUtil/LandLorBounds.vo 0m03.59s | 449900 ko | CastLemmas.vo 0m03.58s | 452724 ko | Arithmetic/UniformWeight.vo 0m03.58s | 432984 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/List.vo 0m03.44s | 450780 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/memswap.vo 0m03.41s | 392536 ko | Algebra/Group.vo 0m03.41s | 438548 ko | Util/ZUtil/LandLorShiftBounds.vo 0m03.39s | 447824 ko | rupicola/src/Rupicola/Examples/Arithmetic.vo 0m03.36s | 440192 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalMMIO.vo 0m03.34s | 977212 ko | Bedrock/Field/Translation/Cmd.vo 0m03.33s | 64488 ko | fiat-bedrock2/src/p521_64.c 0m03.31s | 35896 ko | fiat-zig/src/p521_64.zig 0m03.26s | 431384 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_system.vo 0m03.23s | 35984 ko | fiat-c/src/p521_64.c 0m03.22s | 1049516 ko | Rewriter/PerfTesting/Core.vo 0m03.16s | 447700 ko | Util/Structures/Orders.vo 0m03.12s | 975480 ko | Bedrock/Field/Translation/Func.vo 0m03.09s | 443304 ko | rupicola/src/Rupicola/Examples/RevComp.vo 0m03.06s | 52104 ko | fiat-json/src/p521_64.json 0m03.01s | 465404 ko | MiscCompilerPassesProofs.vo 0m02.98s | 1029916 ko | Bedrock/Field/Stringification/Stringification.vo 0m02.98s | 516032 ko | Rewriter/Passes/Test.vo 0m02.96s | 672772 ko | Bedrock/Group/ScalarMult/ScalarMult.vo 0m02.95s | 426060 ko | Util/Structures/Orders/Option.vo 0m02.92s | 431560 ko | 
rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Properties.vo 0m02.91s | 36476 ko | fiat-rust/src/p521_64.rs 0m02.91s | 461000 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/SPI_live.vo 0m02.90s | 69480 ko | fiat-json/src/secp256k1_scalar_64.json 0m02.86s | 1109636 ko | Bedrock/Standalone/StandaloneOCamlMain.vo 0m02.86s | 425960 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_U.vo 0m02.85s | 68116 ko | fiat-json/src/p256_scalar_64.json 0m02.84s | 1095340 ko | Rewriter/PerfTesting/StandaloneOCamlMain.vo 0m02.83s | 80152 ko | fiat-bedrock2/src/p256_scalar_64.c 0m02.83s | 82428 ko | fiat-bedrock2/src/secp256k1_scalar_64.c 0m02.83s | 61796 ko | fiat-go/64/secp256k1scalar/secp256k1scalar.go 0m02.83s | 64628 ko | fiat-rust/src/secp256k1_scalar_64.rs 0m02.82s | 1109584 ko | Bedrock/Standalone/StandaloneHaskellMain.vo 0m02.81s | 437188 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/ipow.vo 0m02.80s | 533348 ko | Rewriter/Passes/AddAssocLeft.vo 0m02.79s | 61916 ko | fiat-go/64/p256scalar/p256scalar.go 0m02.79s | 57040 ko | fiat-zig/src/secp256k1_scalar_64.zig 0m02.78s | 618176 ko | Bedrock/Field/Interface/Compilation2.vo 0m02.78s | 419620 ko | Util/ZUtil/ZSimplify/Autogenerated.vo 0m02.78s | 61580 ko | fiat-c/src/secp256k1_scalar_64.c 0m02.77s | 1036080 ko | Bedrock/Field/Translation/Proofs/ValidComputable/Func.vo 0m02.75s | 66080 ko | fiat-rust/src/p256_scalar_64.rs 0m02.74s | 65276 ko | fiat-zig/src/p256_scalar_64.zig 0m02.73s | 1087060 ko | StandaloneHaskellMain.vo 0m02.73s | 51028 ko | fiat-go/64/p448solinas/p448solinas.go 0m02.72s | 1043504 ko | Bedrock/Field/Synthesis/New/ComputedOp.vo 0m02.72s | 441916 ko | rupicola/src/Rupicola/Examples/IO/Echo.vo 0m02.71s | 1014788 ko | Bedrock/Field/Translation/Parameters/Defaults32.vo 0m02.69s | 57920 ko | fiat-c/src/p256_scalar_64.c 0m02.67s | 1014832 ko | Bedrock/Field/Translation/Parameters/FE310.vo 0m02.67s | 444800 ko | rupicola/src/Rupicola/Lib/Core.vo 0m02.66s | 434936 ko | 
Arithmetic/Primitives.vo 0m02.66s | 1013208 ko | Bedrock/Field/Translation/Parameters/Defaults.vo 0m02.65s | 1014772 ko | Bedrock/Field/Translation/Parameters/Defaults64.vo 0m02.62s | 434460 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/MulTrapHandler.vo 0m02.61s | 61464 ko | fiat-go/64/secp256k1/secp256k1.go 0m02.61s | 71640 ko | fiat-json/src/secp256k1_64.json 0m02.57s | 57284 ko | fiat-zig/src/secp256k1_64.zig 0m02.56s | 535356 ko | Rewriter/Passes/FlattenThunkedRects.vo 0m02.56s | 423052 ko | Util/Bool/Reflect.vo 0m02.56s | 448424 ko | Util/MSets/MSetIso.vo 0m02.54s | 461540 ko | Util/ZUtil/Morphisms.vo 0m02.51s | 82292 ko | fiat-bedrock2/src/secp256k1_64.c 0m02.50s | 441396 ko | rupicola/src/Rupicola/Examples/DownTo.vo 0m02.49s | 458600 ko | rupicola/bedrock2/compiler/src/compiler/Pipeline.vo 0m02.48s | 423292 ko | Rewriter/Util/Bool/Reflect.vo 0m02.48s | 1087696 ko | StandaloneOCamlMain.vo 0m02.48s | 65244 ko | fiat-rust/src/secp256k1_64.rs 0m02.45s | 59392 ko | fiat-c/src/secp256k1_64.c 0m02.44s | 546608 ko | Util/FSets/FMapTrie/ShapeEx.vo 0m02.43s | 442484 ko | rupicola/bedrock2/bedrock2/src/bedrock2/SepAutoArray.vo 0m02.41s | 75912 ko | fiat-bedrock2/src/curve25519_scalar_64.c 0m02.40s | 435224 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/rpmul.vo 0m02.40s | 446160 ko | rupicola/src/Rupicola/Examples/LinkedList/Find.vo 0m02.39s | 535012 ko | Bedrock/Field/Translation/Expr.vo 0m02.39s | 66076 ko | fiat-json/src/curve25519_scalar_64.json 0m02.38s | 59920 ko | fiat-go/64/curve25519scalar/curve25519scalar.go 0m02.37s | 459840 ko | Spec/MontgomeryCurve.vo 0m02.37s | 64404 ko | fiat-zig/src/curve25519_scalar_64.zig 0m02.34s | 58552 ko | fiat-c/src/curve25519_scalar_64.c 0m02.33s | 56092 ko | fiat-rust/src/curve25519_scalar_64.rs 0m02.32s | 434792 ko | Util/ZUtil/Shift.vo 0m02.26s | 456844 ko | rupicola/bedrock2/compiler/src/compiler/load_save_regs_correct.vo 0m02.25s | 426600 ko | Util/ZUtil/TwosComplement.vo 0m02.20s | 454240 ko | 
Arithmetic/Freeze.vo 0m02.19s | 428520 ko | rupicola/bedrock2/bedrock2/src/bedrock2/HeapletwiseHyps.vo 0m02.18s | 427732 ko | Arithmetic/BarrettReduction/RidiculousFish.vo 0m02.18s | 590100 ko | Bedrock/Field/Common/Arrays/MakeAccessSizes.vo 0m02.18s | 35508 ko | fiat-go/32/curve25519/curve25519.go 0m02.15s | 64268 ko | fiat-bedrock2/src/p448_solinas_64.c 0m02.13s | 50712 ko | fiat-json/src/p448_solinas_64.json 0m02.06s | 431904 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/stackalloc.vo 0m02.05s | 65788 ko | fiat-json/src/p224_64.json 0m02.05s | 413412 ko | rupicola/bedrock2/bedrock2/src/bedrock2/AbsintWordToZ.vo 0m02.03s | 457560 ko | Curves/TableMult/TableMult.vo 0m02.03s | 440536 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/memconst.vo 0m02.02s | 35540 ko | fiat-zig/src/p448_solinas_64.zig 0m02.00s | 453680 ko | Arithmetic/BaseConversion.vo 0m02.00s | 535712 ko | Stringification/Language.vo 0m02.00s | 387284 ko | Util/Wf2.vo 0m01.99s | 66020 ko | fiat-json/src/p256_64.json 0m01.98s | 34404 ko | fiat-c/src/p448_solinas_64.c 0m01.97s | 77388 ko | fiat-bedrock2/src/p224_64.c 0m01.97s | 438116 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponder_live.vo 0m01.95s | 64120 ko | fiat-bedrock2/src/curve25519_32.c 0m01.94s | 68608 ko | fiat-go/64/p224/p224.go 0m01.94s | 61524 ko | fiat-go/64/p256/p256.go 0m01.93s | 422680 ko | Util/ZUtil/Div.vo 0m01.93s | 34080 ko | fiat-rust/src/p448_solinas_64.rs 0m01.93s | 56008 ko | fiat-zig/src/p224_64.zig 0m01.92s | 451976 ko | Arithmetic/ModOps.vo 0m01.91s | 426552 ko | Util/ZUtil/ModInv.vo 0m01.91s | 47816 ko | fiat-json/src/curve25519_32.json 0m01.91s | 60988 ko | fiat-rust/src/p224_64.rs 0m01.90s | 635300 ko | Bedrock/Group/ScalarMult/MontgomeryEquivalence.vo 0m01.89s | 451984 ko | rupicola/src/Rupicola/Lib/Arrays.vo 0m01.88s | 427804 ko | Util/ZUtil/Testbit.vo 0m01.88s | 63312 ko | fiat-c/src/p224_64.c 0m01.87s | 536584 ko | Rewriter/Passes/StripLiteralCasts.vo 0m01.87s | 78056 ko | 
fiat-bedrock2/src/p256_64.c 0m01.86s | 32868 ko | fiat-zig/src/curve25519_32.zig 0m01.86s | 56196 ko | fiat-zig/src/p256_64.zig 0m01.86s | 454364 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics_deep_records_orderchanging_dexpr_bool3.vo 0m01.84s | 55088 ko | fiat-c/src/p256_64.c 0m01.83s | 534764 ko | Rewriter/Passes/UnfoldValueBarrier.vo 0m01.83s | 56696 ko | fiat-rust/src/p256_64.rs 0m01.82s | 34620 ko | fiat-java/src/FiatCurve25519.java 0m01.81s | 410988 ko | Util/ListUtil/Forall.vo 0m01.81s | 33720 ko | fiat-rust/src/curve25519_32.rs 0m01.80s | 33848 ko | fiat-c/src/curve25519_32.c 0m01.78s | 436944 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.vo 0m01.77s | 423704 ko | rupicola/bedrock2/bedrock2/src/bedrock2/WeakestPreconditionProperties.vo 0m01.68s | 440128 ko | Arithmetic/ModularArithmeticTheorems.vo 0m01.68s | 531660 ko | Rewriter/Passes/ToFancy.vo 0m01.67s | 446724 ko | rupicola/bedrock2/compiler/src/compiler/GoFlatToRiscv.vo 0m01.65s | 429628 ko | rupicola/bedrock2/compiler/src/compiler/SeparationLogic.vo 0m01.64s | 427448 ko | Util/Tuple.vo 0m01.63s | 473056 ko | Assembly/Parse.vo 0m01.63s | 443304 ko | Util/FSets/FMapFacts.vo 0m01.61s | 601012 ko | Bedrock/Field/Common/Names/MakeNames.vo 0m01.61s | 586992 ko | CompilersTestCases.vo 0m01.59s | 433876 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Loops.vo 0m01.58s | 510244 ko | AbstractInterpretation/AbstractInterpretation.vo 0m01.57s | 424384 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ZnWordsTests.vo 0m01.55s | 459704 ko | Util/FSets/FMapUnit.vo 0m01.54s | 428896 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Semantics.vo 0m01.52s | 438912 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics_ARP_shallow.vo 0m01.51s | 444304 ko | rupicola/src/Rupicola/Examples/Nondeterminism/StackAlloc.vo 0m01.50s | 409828 ko | Rewriter/Util/ListUtil/Forall.vo 0m01.50s | 450292 ko | rupicola/bedrock2/compiler/src/compiler/FitsStack.vo 0m01.50s | 427756 ko | 
rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/Fib.vo 0m01.48s | 460416 ko | rupicola/bedrock2/compiler/src/compiler/CompilerInvariant.vo 0m01.47s | 436320 ko | rupicola/src/Rupicola/Lib/ControlFlow/DownTo.vo 0m01.45s | 512504 ko | AbstractInterpretation/ZRange.vo 0m01.44s | 437196 ko | rupicola/src/Rupicola/Examples/Net/IPChecksum/Impl.vo 0m01.42s | 537004 ko | Stringification/Go.vo 0m01.42s | 424680 ko | rupicola/bedrock2/bedrock2/src/bedrock2/FrameRule.vo 0m01.40s | 439208 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponderProofs.vo 0m01.40s | 433716 ko | rupicola/src/Rupicola/Examples/Conditionals.vo 0m01.40s | 435564 ko | rupicola/src/Rupicola/Lib/InlineTables.vo 0m01.39s | 450120 ko | Assembly/Parse/Examples/fiat_25519_carry_square_optimised_seed20.vo 0m01.37s | 454528 ko | Assembly/Parse/Examples/fiat_25519_carry_square_optimised.vo 0m01.35s | 435204 ko | Spec/WeierstrassCurve.vo 0m01.34s | 412804 ko | Algebra/ScalarMult.vo 0m01.34s | 454380 ko | Assembly/Parse/Examples/fiat_25519_carry_square_optimised_seed10.vo 0m01.33s | 412752 ko | Util/ZUtil/Rshi.vo 0m01.33s | 410284 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/MapEauto.vo 0m01.32s | 414076 ko | Util/ListUtil/StdlibCompat.vo 0m01.32s | 436484 ko | rupicola/src/Rupicola/Lib/Compiler.vo 0m01.31s | 442244 ko | Util/ZRange/SplitRangeBounds.vo 0m01.31s | 427116 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Scalars.vo 0m01.28s | 428044 ko | Util/ZUtil/Pow2Mod.vo 0m01.28s | 452580 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics.vo 0m01.27s | 409452 ko | Rewriter/Rewriter/Examples/PerfTesting/Harness.vo 0m01.26s | 467076 ko | Rewriter/Language/IdentifiersLibrary.vo 0m01.26s | 431856 ko | Util/ZUtil/Bitwise.vo 0m01.26s | 428308 ko | Util/ZUtil/TruncatingShiftl.vo 0m01.24s | 423068 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/InstructionSetOrder.vo 0m01.23s | 411700 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Map/SeparationLogic.vo 0m01.19s | 621420 ko 
| Bedrock/Specs/Field.vo 0m01.19s | 431548 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/swap.vo 0m01.18s | 437072 ko | Util/ZRange/SplitBounds.vo 0m01.17s | 429424 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimalMMIO.vo 0m01.13s | 440480 ko | rupicola/src/Rupicola/Lib/ControlFlow/CondSwap.vo 0m01.11s | 443516 ko | Arithmetic/Partition.vo 0m01.11s | 466400 ko | Arithmetic/PrimeFieldTheorems.vo 0m01.11s | 431752 ko | Util/ZUtil/Quot.vo 0m01.11s | 411060 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ident_of_string.vo 0m01.11s | 416120 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/LittleEndianList.vo 0m01.10s | 533156 ko | Stringification/JSON.vo 0m01.09s | 358288 ko | Util/Wf1.vo 0m01.09s | 413464 ko | Util/ZUtil/AddGetCarry.vo 0m01.07s | 438716 ko | Curves/Edwards/XYZT/Precomputed.vo 0m01.07s | 431700 ko | rupicola/src/Rupicola/Examples/Cells/Swap.vo 0m01.05s | 465832 ko | Rewriter/Rewriter/Rewriter.vo 0m01.04s | 447204 ko | Fancy/Spec.vo 0m01.04s | 406976 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/PropSet.vo 0m01.03s | 591508 ko | Bedrock/Field/Common/Arrays/ByteBounds.vo 0m01.02s | 598272 ko | Bedrock/Field/Common/Arrays/MaxBounds.vo 0m01.02s | 475984 ko | Rewriter/Rewriter/Reify.vo 0m01.02s | 424556 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ZWordMem.vo 0m01.01s | 440704 ko | rupicola/src/Rupicola/Examples/LinkedList/LinkedList.vo 0m00.98s | 518504 ko | Bedrock/Field/Translation/LoadStoreList.vo 0m00.98s | 615940 ko | Bedrock/Group/Point.vo 0m00.98s | 537240 ko | Stringification/C.vo 0m00.98s | 423808 ko | Util/ZUtil/OnesFrom.vo 0m00.97s | 412468 ko | Util/NatUtil.vo 0m00.97s | 433816 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/ArrayLoadStore.vo 0m00.97s | 441492 ko | rupicola/src/Rupicola/Examples/Nondeterminism/Peek.vo 0m00.95s | 412568 ko | Rewriter/Util/NatUtil.vo 0m00.94s | 532124 ko | Stringification/Java.vo 0m00.94s | 425616 ko | Util/ZUtil/Ones.vo 0m00.92s | 445056 ko | 
Rewriter/Language/Language.vo 0m00.92s | 532144 ko | Stringification/Rust.vo 0m00.92s | 423228 ko | Util/Strings/ParseArithmetic.vo 0m00.91s | 532788 ko | Stringification/Zig.vo 0m00.90s | 518168 ko | Bedrock/Field/Translation/Proofs/Equivalence.vo 0m00.89s | 383112 ko | rupicola/bedrock2/bedrock2/src/bedrock2/StringdumpDemo.vo 0m00.88s | 424112 ko | Curves/Montgomery/AffineInstances.vo 0m00.87s | 432160 ko | Util/Structures/Orders/Sum.vo 0m00.87s | 426356 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ArrayCasts.vo 0m00.86s | 588120 ko | Bedrock/Field/Common/Tactics.vo 0m00.86s | 541560 ko | Bedrock/Field/Stringification/FlattenVarData.vo 0m00.86s | 418252 ko | Util/Strings/String_as_OT.vo 0m00.86s | 415436 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/bverify.vo 0m00.85s | 431716 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimalNoMul.vo 0m00.84s | 489300 ko | Rewriter/Rewriter/AllTactics.vo 0m00.83s | 554196 ko | Util/FSets/FMapZ.vo 0m00.83s | 420624 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ptsto_bytes.vo 0m00.82s | 613876 ko | Bedrock/Field/Interface/Representation.vo 0m00.82s | 421440 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ListIndexNotations.vo 0m00.81s | 517684 ko | Bedrock/Field/Common/Types.vo 0m00.78s | 441120 ko | rupicola/src/Rupicola/Examples/IO/Stdout.vo 0m00.78s | 441024 ko | rupicola/src/Rupicola/Examples/Tree/Tree.vo 0m00.76s | 408548 ko | Rewriter/Rewriter/Examples/PerfTesting/Sample.vo 0m00.75s | 413208 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/BigEndian.vo 0m00.74s | 448904 ko | Assembly/Equality.vo 0m00.74s | 518704 ko | Bedrock/Field/Common/Arrays/MakeListLengths.vo 0m00.74s | 514092 ko | Bedrock/Field/Translation/Proofs/VarnameSet.vo 0m00.74s | 503908 ko | Language/APINotations.vo 0m00.74s | 431688 ko | rupicola/src/Rupicola/Examples/Cells/Incr.vo 0m00.74s | 442876 ko | rupicola/src/Rupicola/Lib/ExprCompiler.vo 0m00.72s | 536632 ko | Bedrock/Field/Stringification/LoadStoreListVarData.vo 0m00.72s 
| 545644 ko | Rewriter/All.vo 0m00.72s | 420896 ko | Util/ErrorT/List.vo 0m00.71s | 419428 ko | Algebra/IntegralDomain.vo 0m00.71s | 379908 ko | Util/Decidable.vo 0m00.71s | 432584 ko | Util/NumTheoryUtil.vo 0m00.69s | 504144 ko | AbstractInterpretation/WfExtra.vo 0m00.69s | 426892 ko | Arithmetic/BarrettReduction/Wikipedia.vo 0m00.69s | 453752 ko | Util/FSets/FMapFlip.vo 0m00.69s | 416144 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/LittleEndian.vo 0m00.69s | 440988 ko | rupicola/src/Rupicola/Examples/IO/IO.vo 0m00.68s | 499632 ko | Language/UnderLetsProofsExtra.vo 0m00.68s | 437016 ko | Rewriter/Rules.vo 0m00.68s | 379664 ko | Rewriter/Util/Decidable.vo 0m00.68s | 324896 ko | Util/PartiallyReifiedProp.vo 0m00.67s | 513532 ko | Language/API.vo 0m00.66s | 514092 ko | Bedrock/Field/Translation/Flatten.vo 0m00.66s | 499680 ko | Rewriter/AllTacticsExtra.vo 0m00.66s | 524736 ko | Util/FSets/FMapN.vo 0m00.65s | 499672 ko | Language/WfExtra.vo 0m00.65s | 501172 ko | MiscCompilerPassesProofsExtra.vo 0m00.65s | 428744 ko | Util/Arg.vo 0m00.65s | 414908 ko | Util/Strings/ParseArithmeticToTaps.vo 0m00.64s | 499988 ko | Util/Strings/ParseDebugOptions.vo 0m00.63s | 421048 ko | Util/CPSUtil.vo 0m00.63s | 457784 ko | Util/FSets/FMapEmpty.vo 0m00.63s | 436620 ko | Util/ZRange/OperationsBounds.vo 0m00.62s | 510912 ko | PushButtonSynthesis/ReificationCache.vo 0m00.62s | 443140 ko | Util/Structures/OrdersEx.vo 0m00.62s | 31380 ko | fiat-go/64/curve25519/curve25519.go 0m00.62s | 411704 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Z/BitOps.vo 0m00.61s | 434324 ko | Util/FSets/FMapTrie/Shape.vo 0m00.61s | 419160 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfListWord.vo 0m00.60s | 417272 ko | Algebra/SubsetoidRing.vo 0m00.59s | 450704 ko | Bedrock/Group/Loops.vo 0m00.59s | 122984 ko | ExtractionOCaml/bedrock2_base_conversion.cmi 0m00.59s | 471624 ko | Rewriter/Rewriter/ProofsCommonTactics.vo 0m00.59s | 420172 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Array.vo 
0m00.59s | 442000 ko | rupicola/bedrock2/compiler/src/compiler/RiscvEventLoop.vo 0m00.59s | 441124 ko | rupicola/src/Rupicola/Examples/KVStore/Properties.vo 0m00.58s | 122004 ko | ExtractionOCaml/bedrock2_word_by_word_montgomery.cmi 0m00.58s | 457264 ko | Rewriter/Language/IdentifiersGenerate.vo 0m00.58s | 479420 ko | Rewriter/Util/plugins/RewriterBuildRegistryImports.vo 0m00.58s | 425744 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/Trace.vo 0m00.58s | 440748 ko | rupicola/src/Rupicola/Lib/ExprReflection.vo 0m00.57s | 122244 ko | ExtractionOCaml/with_bedrock2_saturated_solinas.cmi 0m00.57s | 457932 ko | Rewriter/Language/IdentifiersGenerateProofs.vo 0m00.57s | 482732 ko | Rewriter/Rewriter/Examples/PerfTesting/Settings.vo 0m00.57s | 480856 ko | Rewriter/Util/plugins/RewriterBuild.vo 0m00.57s | 425340 ko | Util/ZUtil/CC.vo 0m00.57s | 417464 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Map/DisjointUnion.vo 0m00.57s | 408880 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedList.vo 0m00.57s | 424536 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/SMTVerif.vo 0m00.57s | 435764 ko | rupicola/src/Rupicola/Lib/NoExprReflection.vo 0m00.56s | 458768 ko | ArithmeticCPS/Freeze.vo 0m00.56s | 122260 ko | ExtractionOCaml/with_bedrock2_solinas_reduction.cmi 0m00.56s | 439688 ko | Util/MSets/MSetN.vo 0m00.56s | 405288 ko | Util/OptionList.vo 0m00.56s | 405564 ko | Util/ZUtil/Modulo/PullPush.vo 0m00.56s | 32448 ko | fiat-json/src/curve25519_64.json 0m00.56s | 409388 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ToCString.vo 0m00.56s | 428132 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalCSRs.vo 0m00.55s | 122248 ko | ExtractionOCaml/bedrock2_unsaturated_solinas.cmi 0m00.55s | 122028 ko | ExtractionOCaml/with_bedrock2_word_by_word_montgomery.cmi 0m00.55s | 410112 ko | rupicola/bedrock2/compiler/src/compiler/ZLemmas.vo 0m00.54s | 120012 ko | ExtractionOCaml/solinas_reduction.cmi 0m00.54s | 123048 ko | 
ExtractionOCaml/with_bedrock2_base_conversion.cmi 0m00.54s | 413428 ko | Util/Structures/Orders/Bool.vo 0m00.54s | 426664 ko | Util/ZUtil/Stabilization.vo 0m00.54s | 392528 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/Example64Literal.vo 0m00.54s | 432352 ko | rupicola/src/Rupicola/Examples/Swap/Properties.vo 0m00.54s | 440120 ko | rupicola/src/Rupicola/Lib/SepLocals.vo 0m00.53s | 458728 ko | ArithmeticCPS/BaseConversion.vo 0m00.53s | 119376 ko | ExtractionOCaml/base_conversion.cmi 0m00.53s | 122272 ko | ExtractionOCaml/bedrock2_saturated_solinas.cmi 0m00.53s | 122276 ko | ExtractionOCaml/with_bedrock2_unsaturated_solinas.cmi 0m00.53s | 436524 ko | Util/QUtil.vo 0m00.53s | 409380 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Z/bitblast.vo 0m00.52s | 461896 ko | ArithmeticCPS/WordByWordMontgomery.vo 0m00.52s | 451088 ko | Bedrock/Specs/Group.vo 0m00.52s | 121880 ko | ExtractionOCaml/bedrock2_solinas_reduction.cmi 0m00.52s | 119472 ko | ExtractionOCaml/saturated_solinas.cmi 0m00.52s | 120588 ko | ExtractionOCaml/word_by_word_montgomery.cmi 0m00.52s | 413020 ko | Util/Structures/Orders/Flip.vo 0m00.52s | 414560 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.vo 0m00.51s | 455984 ko | MiscCompilerPasses.vo 0m00.50s | 466224 ko | Assembly/WithBedrock/Semantics.vo 0m00.50s | 121004 ko | ExtractionOCaml/unsaturated_solinas.cmi 0m00.50s | 26700 ko | fiat-rust/src/curve25519_64.rs 0m00.50s | 413264 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/OperatorOverloading.vo 0m00.50s | 440416 ko | rupicola/src/Rupicola/Examples/Cells/Cells.vo 0m00.50s | 433476 ko | rupicola/src/Rupicola/Lib/SepReflection.vo 0m00.49s | 473488 ko | Bedrock/End2End/RupicolaCrypto/Spec.vo 0m00.49s | 480468 ko | Rewriter/Util/plugins/RewriterBuildRegistry.vo 0m00.49s | 37520 ko | fiat-bedrock2/src/curve25519_64.c 0m00.49s | 25756 ko | fiat-zig/src/curve25519_64.zig 0m00.49s | 422104 ko | rupicola/bedrock2/bedrock2/src/bedrock2/FE310CSemantics.vo 0m00.49s | 
413684 ko | rupicola/bedrock2/compiler/src/compiler/DivisibleBy4.vo 0m00.48s | 421692 ko | Util/Decidable/Decidable2Bool.vo 0m00.48s | 408240 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ListSet.vo 0m00.48s | 440664 ko | rupicola/src/Rupicola/Examples/KVStore/KVStore.vo 0m00.47s | 466916 ko | Arithmetic/FLia.vo 0m00.47s | 25732 ko | fiat-c/src/curve25519_64.c 0m00.47s | 417008 ko | rupicola/bedrock2/compiler/src/compiler/Registers.vo 0m00.46s | 448988 ko | ArithmeticCPS/Saturated.vo 0m00.46s | 427300 ko | Util/MSets/MSetString.vo 0m00.46s | 357916 ko | Util/Wf.vo 0m00.45s | 446932 ko | ArithmeticCPS/Core.vo 0m00.45s | 441532 ko | Rewriter/Language/IdentifiersBasicGenerate.vo 0m00.45s | 450664 ko | Util/MSets/MSetPositive/Show.vo 0m00.45s | 411720 ko | rupicola/bedrock2/compiler/src/compiler/NaiveRiscvWordProperties.vo 0m00.45s | 402540 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Z/PushPullMod.vo 0m00.45s | 418920 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRGetSet.vo 0m00.45s | 435640 ko | rupicola/src/Rupicola/Lib/Alloc.vo 0m00.44s | 453776 ko | ArithmeticCPS/ModOps.vo 0m00.44s | 416376 ko | Util/FSets/FMapString.vo 0m00.44s | 411136 ko | Util/ZUtil/Ltz.vo 0m00.44s | 37204 ko | fiat-json/src/curve25519_solinas_64.json 0m00.44s | 36136 ko | fiat-zig/src/curve25519_solinas_64.zig 0m00.44s | 417172 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Map/sep_inj_experiments.vo 0m00.44s | 431608 ko | rupicola/bedrock2/compiler/src/compiler/FlatImpSepLog.vo 0m00.44s | 440036 ko | rupicola/bedrock2/compiler/src/compiler/ForeverSafe.vo 0m00.44s | 416584 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeProver.vo 0m00.44s | 441324 ko | rupicola/src/Rupicola/Examples/IO/Writer.vo 0m00.44s | 434864 ko | rupicola/src/Rupicola/Examples/Net/IPChecksum/Spec.vo 0m00.43s | 421176 ko | Curves/Weierstrass/Affine.vo 0m00.43s | 381692 ko | Rewriter/Util/Sum.vo 0m00.43s | 409592 ko | Util/ListUtil/SetoidListFlatMap.vo 0m00.43s | 404468 ko | 
Util/Loops.vo 0m00.43s | 381388 ko | Util/Sum.vo 0m00.43s | 419960 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Memory.vo 0m00.43s | 428556 ko | rupicola/bedrock2/bedrock2/src/bedrock2/SepCalls.vo 0m00.43s | 457484 ko | rupicola/bedrock2/compiler/src/compiler/ExprImpEventLoopSpec.vo 0m00.43s | 441936 ko | rupicola/src/Rupicola/Examples/Utf8/Utils.vo 0m00.42s | 418500 ko | Util/Structures/Equalities/List.vo 0m00.42s | 424196 ko | Util/ZBounded.vo 0m00.42s | 428796 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponder.vo 0m00.42s | 414144 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/Demos.vo 0m00.42s | 428944 ko | rupicola/bedrock2/compiler/src/compiler/FlatImpUniqueSepLog.vo 0m00.42s | 424132 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Sane.vo 0m00.42s | 418612 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteI.vo 0m00.42s | 436596 ko | rupicola/src/Rupicola/Lib/Conditionals.vo 0m00.41s | 409640 ko | Language/IdentifierParameters.vo 0m00.41s | 433092 ko | Rewriter/Language/Reify.vo 0m00.41s | 427740 ko | Util/Strings/NamingConventions.vo 0m00.41s | 429136 ko | Util/ZUtil/SignBit.vo 0m00.41s | 41728 ko | fiat-bedrock2/src/curve25519_solinas_64.c 0m00.41s | 36248 ko | fiat-c/src/curve25519_solinas_64.c 0m00.41s | 36404 ko | fiat-go/64/curve25519solinas/curve25519solinas.go 0m00.41s | 35876 ko | fiat-rust/src/curve25519_solinas_64.rs 0m00.41s | 390016 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ident_to_string.vo 0m00.41s | 408168 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Naive.vo 0m00.41s | 427356 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalMMIO_Post.vo 0m00.41s | 419404 ko | rupicola/src/Rupicola/Examples/KVStore/kv.vo 0m00.41s | 409040 ko | rupicola/src/Rupicola/Lib/ToCString.vo 0m00.40s | 389540 ko | Assembly/Parse/Examples/boringssl_nasm_full_mul_p256.vo 0m00.40s | 428312 ko | Util/ZUtil/Lxor.vo 0m00.40s | 399836 ko | rupicola/bedrock2/bedrock2/src/bedrock2/SepAutoExports.vo 
0m00.40s | 412596 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfFunc.vo 0m00.40s | 403932 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Z/ZLib.vo 0m00.40s | 424536 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/MetricPrimitives.vo 0m00.40s | 423052 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Primitives.vo 0m00.39s | 422608 ko | Util/ZUtil/Divide.vo 0m00.39s | 425316 ko | Util/ZUtil/Land.vo 0m00.39s | 420408 ko | rupicola/bedrock2/compiler/src/compiler/StringNameGen.vo 0m00.39s | 423804 ko | rupicola/bedrock2/compiler/src/compiler/UniqueSepLog.vo 0m00.39s | 411200 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ZList.vo 0m00.38s | 399464 ko | Rewriter/TestRules.vo 0m00.38s | 407988 ko | Util/ZUtil/CPS.vo 0m00.38s | 420504 ko | Util/ZUtil/Log2.vo 0m00.38s | 433680 ko | rupicola/bedrock2/compiler/src/compiler/FlatToRiscvDef.vo 0m00.37s | 390432 ko | Language/PreExtra.vo 0m00.37s | 372016 ko | Util/MSets/MSetPositive/Facts.vo 0m00.37s | 405224 ko | Util/Strings/String.vo 0m00.37s | 348680 ko | Util/ZUtil/Tactics/SolveRange.vo 0m00.37s | 426492 ko | rupicola/bedrock2/bedrock2/src/bedrock2/OperatorOverloading.vo 0m00.37s | 425116 ko | rupicola/bedrock2/bedrock2/src/bedrock2/TransferSepsOrder.vo 0m00.37s | 409528 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Z/prove_Zeq_bitwise.vo 0m00.37s | 398292 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalCSRsDet.vo 0m00.37s | 402444 ko | rupicola/src/Rupicola/Examples/CRC32/Table.vo 0m00.37s | 394532 ko | rupicola/src/Rupicola/Examples/Net/IPChecksum/SpecExtraction.vo 0m00.36s | 428560 ko | Arithmetic/ModularArithmeticPre.vo 0m00.36s | 419448 ko | Util/HList.vo 0m00.36s | 421028 ko | Util/Level.vo 0m00.35s | 411836 ko | Rewriter/Util/Strings/ParseArithmetic.vo 0m00.35s | 426780 ko | Util/Strings/Show.vo 0m00.35s | 419152 ko | rupicola/bedrock2/compiler/src/compiler/util/Result.vo 0m00.35s | 409312 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/MapKeys.vo 0m00.35s | 373732 
ko | rupicola/src/Rupicola/Examples/KVStore/Tactics.vo 0m00.34s | 346200 ko | Util/ListUtil/SetoidList.vo 0m00.34s | 358348 ko | Util/ZRange/Operations.vo 0m00.34s | 345528 ko | Util/ZUtil/Tactics/SolveTestbit.vo 0m00.34s | 426044 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/chacha20.vo 0m00.34s | 348012 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/stackalloc_empty_post.vo 0m00.34s | 418220 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Memory.vo 0m00.34s | 369996 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteCSR.vo 0m00.34s | 365632 ko | rupicola/src/Rupicola/Lib/Api.vo 0m00.34s | 418952 ko | rupicola/src/Rupicola/Lib/Monads.vo 0m00.34s | 361416 ko | rupicola/src/Rupicola/Lib/Tactics.vo 0m00.33s | 382656 ko | Algebra/Monoid.vo 0m00.33s | 405564 ko | Util/ListUtil/GroupAllBy.vo 0m00.33s | 423680 ko | Util/ZRange.vo 0m00.33s | 382532 ko | Util/ZUtil/EquivModulo.vo 0m00.33s | 340596 ko | Util/ZUtil/Tactics/Ztestbit.vo 0m00.33s | 369860 ko | rupicola/bedrock2/bedrock2/src/bedrock2/SepAuto.vo 0m00.33s | 344676 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/FE310ExtSpec.vo 0m00.33s | 338412 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/LogInstructionTrace.vo 0m00.33s | 403924 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Decode.vo 0m00.33s | 441504 ko | rupicola/src/Rupicola/Examples/Nondeterminism/NonDeterminism.vo 0m00.33s | 354564 ko | rupicola/src/Rupicola/Lib/WordNotations.vo 0m00.32s | 361120 ko | Rewriter/TestRulesProofs.vo 0m00.32s | 380584 ko | Util/Structures/Equalities/Sum.vo 0m00.32s | 348880 ko | Util/ZUtil/Land/Fold.vo 0m00.32s | 358004 ko | Util/ZUtil/Pow.vo 0m00.32s | 347604 ko | rupicola/bedrock2/bedrock2/src/bedrock2/BasicC32Semantics.vo 0m00.32s | 418280 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Map/Cancelling.vo 0m00.32s | 354216 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalLogging.vo 0m00.32s | 350208 ko | 
rupicola/src/Rupicola/Examples/CapitalizeThird/CapitalizeThird.vo 0m00.31s | 372452 ko | Util/Strings/Sorting.vo 0m00.31s | 391008 ko | Util/Strings/String_as_OT_old.vo 0m00.31s | 314716 ko | Util/ZUtil/Tactics.vo 0m00.31s | 25360 ko | fiat-go/32/poly1305/poly1305.go 0m00.31s | 343408 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ProgramLogic.vo 0m00.31s | 338772 ko | rupicola/bedrock2/bedrock2/src/bedrock2/SepCallsExports.vo 0m00.31s | 349528 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/AtomicMinimal.vo 0m00.30s | 371856 ko | Rewriter/Util/MSetPositive/Facts.vo 0m00.30s | 336796 ko | Util/Structures/Orders/Iso.vo 0m00.30s | 381132 ko | Util/ZUtil/Divide/Bool.vo 0m00.30s | 354540 ko | rupicola/bedrock2/bedrock2/src/bedrock2/autorew.vo 0m00.30s | 335444 ko | rupicola/bedrock2/compiler/src/compiler/FlatImpConstraints.vo 0m00.30s | 371828 ko | rupicola/bedrock2/compiler/src/compiler/FlattenExprDef.vo 0m00.30s | 364072 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimal.vo 0m00.30s | 375348 ko | rupicola/src/Rupicola/Lib/Invariants.vo 0m00.30s | 374520 ko | rupicola/src/Rupicola/Lib/Notations.vo 0m00.29s | 324276 ko | Arithmetic/MontgomeryReduction/Definition.vo 0m00.29s | 363316 ko | Curves/Montgomery/XZ.vo 0m00.29s | 420316 ko | Spec/CompleteEdwardsCurve.vo 0m00.29s | 354204 ko | Util/AdditionChainExponentiation.vo 0m00.29s | 370872 ko | Util/Listable.vo 0m00.29s | 359900 ko | Util/Structures/Orders/Empty.vo 0m00.29s | 374392 ko | Util/Structures/Orders/Unit.vo 0m00.29s | 371560 ko | Util/ZUtil.vo 0m00.29s | 350508 ko | Util/ZUtil/Lor.vo 0m00.29s | 289052 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ToCStringStackallocLoopTest.vo 0m00.28s | 345468 ko | Rewriter/Util/ListUtil/SetoidList.vo 0m00.28s | 328888 ko | Spec/ModularArithmetic.vo 0m00.28s | 316752 ko | Util/ErrorT/Show.vo 0m00.28s | 337180 ko | Util/NUtil/WithoutReferenceToZ.vo 0m00.28s | 347708 ko | Util/Structures/Equalities/Prod.vo 0m00.28s | 349212 ko | 
rupicola/bedrock2/bedrock2/src/bedrock2/BasicC64Semantics.vo 0m00.28s | 373132 ko | rupicola/bedrock2/compiler/src/compiler/MemoryLayout.vo 0m00.28s | 309000 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/SoftmulInsts.vo 0m00.28s | 372856 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Encode.vo 0m00.27s | 332664 ko | Util/ZUtil/Combine.vo 0m00.27s | 316724 ko | Util/ZUtil/Tactics/SimplifyFractionsLe.vo 0m00.27s | 349144 ko | rupicola/bedrock2/bedrock2/src/bedrock2/WeakestPrecondition.vo 0m00.27s | 297132 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Run.vo 0m00.26s | 332368 ko | Util/ListUtil/Permutation.vo 0m00.26s | 262120 ko | Util/Strings/StringMap.vo 0m00.26s | 315196 ko | Util/ZRange/Show.vo 0m00.26s | 263292 ko | Util/ZUtil/Tactics/PullPush/Modulo.vo 0m00.26s | 312608 ko | Util/ZUtil/Tactics/RewriteModDivide.vo 0m00.26s | 32108 ko | fiat-bedrock2/src/poly1305_32.c 0m00.26s | 29020 ko | fiat-json/src/poly1305_32.json 0m00.26s | 374480 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteA.vo 0m00.25s | 307676 ko | Rewriter/Language/PreLemmas.vo 0m00.25s | 389012 ko | Rewriter/Language/UnderLets.vo 0m00.25s | 314132 ko | Rewriter/Util/Option.vo 0m00.25s | 299760 ko | Util/ZUtil/ZSimplify/Simple.vo 0m00.25s | 389508 ko | rupicola/bedrock2/bedrock2/src/bedrock2/footpr.vo 0m00.25s | 306340 ko | rupicola/bedrock2/compiler/src/compiler/RiscvWordProperties.vo 0m00.25s | 311092 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteI64.vo 0m00.25s | 334944 ko | rupicola/src/Rupicola/Examples/Swap/Swap.vo 0m00.24s | 323572 ko | Rewriter/Language/UnderLetsCacheProofs.vo 0m00.24s | 336028 ko | Util/MSets/MSetPositive/Equality.vo 0m00.24s | 330388 ko | Util/ZUtil/Le.vo 0m00.24s | 269100 ko | Util/ZUtil/Sorting.vo 0m00.24s | 311724 ko | Util/ZUtil/Tactics/LtbToLt.vo 0m00.24s | 309744 ko | rupicola/bedrock2/bedrock2/src/bedrock2/PurifySep.vo 0m00.24s | 284120 ko | rupicola/bedrock2/bedrock2/src/bedrock2/SepBulletPoints.vo 0m00.24s 
| 318736 ko | rupicola/bedrock2/compiler/src/compiler/ZNameGen.vo 0m00.24s | 296316 ko | rupicola/bedrock2/compiler/src/compiler/util/Common.vo 0m00.24s | 325324 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/DebugWordEq.vo 0m00.24s | 334240 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/RiscvMachine.vo 0m00.24s | 372840 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteA64.vo 0m00.23s | 311304 ko | Algebra/Nsatz.vo 0m00.23s | 336372 ko | Rewriter/Util/MSetPositive/Equality.vo 0m00.23s | 367988 ko | Rewriter/Util/Strings/String.vo 0m00.23s | 288688 ko | Util/SideConditions/ModInvPackage.vo 0m00.23s | 260584 ko | Util/ZUtil/Div/Bootstrap.vo 0m00.23s | 294972 ko | Util/ZUtil/Nat2Z.vo 0m00.23s | 280816 ko | Util/ZUtil/Odd.vo 0m00.23s | 328344 ko | Util/ZUtil/Peano.vo 0m00.23s | 24052 ko | fiat-rust/src/poly1305_32.rs 0m00.23s | 328144 ko | rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.vo 0m00.23s | 333028 ko | rupicola/bedrock2/bedrock2/src/bedrock2/SepLogAddrArith.vo 0m00.23s | 284624 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ToCStringExprTypecheckingTest.vo 0m00.23s | 340288 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb_spec.vo 0m00.23s | 321108 ko | rupicola/bedrock2/compiler/src/compiler/mod4_0.vo 0m00.23s | 326608 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListWord.vo 0m00.23s | 378508 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/SimplWordExpr.vo 0m00.23s | 311448 ko | rupicola/src/Rupicola/Examples/Assoc/Assoc.vo 0m00.22s | 294108 ko | Bedrock/Field/Common/Names/VarnameGenerator.vo 0m00.22s | 296732 ko | Util/ListUtil/FoldBool.vo 0m00.22s | 284900 ko | Util/ZUtil/Definitions.vo 0m00.22s | 266036 ko | Util/ZUtil/LnotModulo.vo 0m00.22s | 276192 ko | Util/ZUtil/Sgn.vo 0m00.22s | 262164 ko | Util/ZUtil/Tactics/ReplaceNegWithPos.vo 0m00.22s | 275240 ko | Util/ZUtil/Zselect.vo 0m00.22s | 23924 ko | fiat-zig/src/poly1305_32.zig 0m00.22s | 309184 ko | 
rupicola/bedrock2/compiler/src/compiler/regs_initialized.vo 0m00.22s | 324760 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/String.vo 0m00.22s | 279272 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfOptionListZ.vo 0m00.22s | 258808 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Simp.vo 0m00.22s | 257576 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth32.vo 0m00.22s | 276368 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRSpec.vo 0m00.22s | 304432 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteM.vo 0m00.22s | 320904 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Machine.vo 0m00.22s | 292848 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/DefaultMemImpl32.vo 0m00.22s | 267160 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/nat_div_mod_to_quot_rem.vo 0m00.21s | 277056 ko | TAPSort.vo 0m00.21s | 313056 ko | Util/IdfunWithAlt.vo 0m00.21s | 275060 ko | Util/ListUtil/SetoidListRev.vo 0m00.21s | 317460 ko | Util/MSets/Show.vo 0m00.21s | 259632 ko | Util/NUtil/Sorting.vo 0m00.21s | 313520 ko | Util/Option.vo 0m00.21s | 266180 ko | Util/ZUtil/AddModulo.vo 0m00.21s | 271728 ko | Util/ZUtil/DistrIf.vo 0m00.21s | 260452 ko | Util/ZUtil/Hints/Core.vo 0m00.21s | 264884 ko | Util/ZUtil/Hints/PullPush.vo 0m00.21s | 260332 ko | Util/ZUtil/Hints/ZArith.vo 0m00.21s | 266236 ko | Util/ZUtil/ModExp.vo 0m00.21s | 287372 ko | Util/ZUtil/N2Z.vo 0m00.21s | 277828 ko | Util/ZUtil/Pow2.vo 0m00.21s | 277536 ko | Util/ZUtil/Tactics/LinearSubstitute.vo 0m00.21s | 257940 ko | Util/ZUtil/Tactics/SplitMinMax.vo 0m00.21s | 314112 ko | Util/ZUtil/Tactics/ZeroBounds.vo 0m00.21s | 23840 ko | fiat-c/src/poly1305_32.c 0m00.21s | 24428 ko | fiat-java/src/FiatPoly1305.java 0m00.21s | 297080 ko | rupicola/bedrock2/bedrock2/src/bedrock2/SepClause.vo 0m00.21s | 311892 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Byte.vo 0m00.21s | 275952 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_word_hints.vo 0m00.21s | 
331220 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MaterializeRiscvProgram.vo 0m00.21s | 287232 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricRiscvMachine.vo 0m00.21s | 297244 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncode.vo 0m00.21s | 273136 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Execute.vo 0m00.21s | 260228 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/VirtualMemory.vo 0m00.21s | 290844 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Utility.vo 0m00.20s | 247620 ko | Algebra/Hierarchy.vo 0m00.20s | 61376 ko | ExtractionOCaml/perf_unsaturated_solinas.cmi 0m00.20s | 259380 ko | Util/FSets/FMapInterface.vo 0m00.20s | 302632 ko | Util/MSets/FMapPositive/Equality.vo 0m00.20s | 262120 ko | Util/SideConditions/RingPackage.vo 0m00.20s | 251328 ko | Util/Strings/Decimal.vo 0m00.20s | 288376 ko | Util/Strings/Parse/Common.vo 0m00.20s | 261752 ko | Util/ZUtil/Hints.vo 0m00.20s | 258500 ko | Util/ZUtil/Hints/Ztestbit.vo 0m00.20s | 261208 ko | Util/ZUtil/Lnot.vo 0m00.20s | 262868 ko | Util/ZUtil/Opp.vo 0m00.20s | 256800 ko | Util/ZUtil/Tactics/CompareToSgn.vo 0m00.20s | 308184 ko | Util/ZUtil/Tactics/RewriteModSmall.vo 0m00.20s | 303740 ko | Util/ZUtil/Z2Nat.vo 0m00.20s | 261756 ko | Util/ZUtil/ZSimplify/Core.vo 0m00.20s | 313064 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Map/split_alt.vo 0m00.20s | 338804 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ZnWords.vo 0m00.20s | 287656 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Interface.vo 0m00.20s | 285236 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Z_keyed_SortedListMap.vo 0m00.20s | 278652 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Sorting/OrderToPermutation.vo 0m00.20s | 284984 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/InstructionNotations.vo 0m00.20s | 299972 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.vo 0m00.20s | 313496 ko | 
rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RecordSetters.vo 0m00.20s | 268736 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RegisterNames.vo 0m00.19s | 261304 ko | PushButtonSynthesis/InvertHighLow.vo 0m00.19s | 267584 ko | Rewriter/Util/Strings/Parse/Common.vo 0m00.19s | 278632 ko | Util/ListUtil/Filter.vo 0m00.19s | 278804 ko | Util/ZUtil/Ge.vo 0m00.19s | 258900 ko | Util/ZUtil/Mul.vo 0m00.19s | 294588 ko | Util/ZUtil/MulSplit.vo 0m00.19s | 231652 ko | Util/ZUtil/Tactics/PullPush.vo 0m00.19s | 247164 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Map/Separation.vo 0m00.19s | 246756 ko | rupicola/bedrock2/bedrock2/src/bedrock2/MetricLogging.vo 0m00.19s | 249384 ko | rupicola/bedrock2/bedrock2/src/bedrock2/WordSimpl.vo 0m00.19s | 291600 ko | rupicola/bedrock2/bedrock2/src/bedrock2/div10.vo 0m00.19s | 271424 ko | rupicola/bedrock2/bedrock2/src/bedrock2/groundcbv.vo 0m00.19s | 244576 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Inhabited.vo 0m00.19s | 265824 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ToConversion.vo 0m00.19s | 252140 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Empty_set_keyed_map.vo 0m00.19s | 277576 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Funext.vo 0m00.19s | 271384 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Solver.vo 0m00.19s | 244076 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListString.vo 0m00.19s | 263084 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd.vo 0m00.19s | 257344 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Z/Lia.vo 0m00.19s | 286464 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/AtomicRiscvMachine.vo 0m00.19s | 293124 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSR.vo 0m00.19s | 277152 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/PseudoInstructions.vo 0m00.18s | 302728 ko | Rewriter/Util/FMapPositive/Equality.vo 0m00.18s | 263620 ko | Rewriter/Util/Prod.vo 0m00.18s | 251660 ko | 
Rewriter/Util/Strings/Decimal.vo 0m00.18s | 265124 ko | Util/SideConditions/Autosolve.vo 0m00.18s | 271700 ko | Util/ZUtil/Modulo/Bootstrap.vo 0m00.18s | 257260 ko | Util/ZUtil/Tactics/DivideExistsMul.vo 0m00.18s | 259488 ko | Util/ZUtil/Tactics/PeelLe.vo 0m00.18s | 236620 ko | Util/ZUtil/ZSimplify.vo 0m00.18s | 25240 ko | fiat-go/64/poly1305/poly1305.go 0m00.18s | 235908 ko | rupicola/bedrock2/compiler/src/compiler/NameGen.vo 0m00.18s | 306972 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Interface.vo 0m00.18s | 267048 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRField.vo 0m00.18s | 293600 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/DefaultMemImpl64.vo 0m00.18s | 255104 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/InstructionCoercions.vo 0m00.17s | 61300 ko | ExtractionOCaml/perf_word_by_word_montgomery.cmi 0m00.17s | 257188 ko | Rewriter/Util/OptionList.vo 0m00.17s | 232660 ko | Util/Decidable/Bool2Prop.vo 0m00.17s | 210192 ko | Util/Strings/Ascii.vo 0m00.17s | 256688 ko | Util/Strings/Superscript.vo 0m00.17s | 242624 ko | Util/Structures/Equalities/Option.vo 0m00.17s | 227180 ko | Util/ZUtil/Tactics/PrimeBound.vo 0m00.17s | 234400 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Structs.vo 0m00.17s | 251276 ko | rupicola/bedrock2/compiler/src/compiler/Symbols.vo 0m00.17s | 272432 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListString_test.vo 0m00.17s | 239740 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/SafeSimpl.vo 0m00.17s | 257532 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth.vo 0m00.17s | 297976 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteM64.vo 0m00.17s | 259092 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Words32Naive.vo 0m00.16s | 278464 ko | Util/Factorize.vo 0m00.16s | 206500 ko | Util/ListUtil/NthExt.vo 0m00.16s | 249592 ko | Util/ListUtil/Partition.vo 0m00.16s | 275440 ko | Util/NUtil/Testbit.vo 0m00.16s | 311976 ko | Util/PointedProp.vo 0m00.16s | 
330216 ko | Util/Sorting/Sorted/Proper.vo 0m00.16s | 259964 ko | Util/ZUtil/Tactics/DivModToQuotRem.vo 0m00.16s | 199788 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/string_to_ident.vo 0m00.16s | 267944 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Decidable.vo 0m00.16s | 238624 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_list_hints.vo 0m00.16s | 259188 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/rewr.vo 0m00.16s | 245904 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricLogging.vo 0m00.16s | 301696 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RecordSettersUsingExistingGetters.vo 0m00.16s | 259120 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Words64Naive.vo 0m00.15s | 267252 ko | Util/Prod.vo 0m00.15s | 217692 ko | Util/Relations.vo 0m00.15s | 244812 ko | Util/Strings/Subscript.vo 0m00.15s | 26324 ko | fiat-json/src/poly1305_64.json 0m00.15s | 277488 ko | rupicola/bedrock2/bedrock2/src/bedrock2/HeapletwiseHypsWithSigma.vo 0m00.15s | 198920 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Stringdump.vo 0m00.15s | 213132 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Syntax.vo 0m00.15s | 195624 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/ident_to_string.vo 0m00.15s | 261488 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Tactics.vo 0m00.15s | 194760 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/reference_to_string.vo 0m00.15s | 223204 ko | rupicola/src/Rupicola/Lib/IdentParsing.vo 0m00.14s | 209324 ko | Rewriter/Util/Strings/Ascii.vo 0m00.14s | 189108 ko | Util/SideConditions/ReductionPackages.vo 0m00.14s | 22748 ko | fiat-zig/src/poly1305_64.zig 0m00.14s | 189976 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Variables.vo 0m00.14s | 214252 ko | rupicola/bedrock2/bedrock2/src/bedrock2Examples/MultipleReturnValues.vo 0m00.14s | 230512 ko | rupicola/bedrock2/compiler/src/compiler/MetricsToRiscv.vo 0m00.14s | 209828 ko | 
rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/WithQualName.vo 0m00.14s | 186908 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_arith_hints.vo 0m00.14s | 246056 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_map_hints.vo 0m00.13s | 212556 ko | Spec/MxDH.vo 0m00.13s | 239236 ko | Util/LetInMonad.vo 0m00.13s | 28200 ko | fiat-bedrock2/src/poly1305_64.c 0m00.13s | 22936 ko | fiat-c/src/poly1305_64.c 0m00.13s | 190756 ko | rupicola/bedrock2/bedrock2/src/bedrock2/PrintString.vo 0m00.13s | 273344 ko | rupicola/bedrock2/bedrock2/src/bedrock2/TracePredicate.vo 0m00.13s | 197100 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/WithBaseName.vo 0m00.12s | 151520 ko | Util/Bool.vo 0m00.12s | 204544 ko | Util/DebugMonad.vo 0m00.12s | 186184 ko | Util/ParseTaps.vo 0m00.12s | 121436 ko | Util/Tactics.vo 0m00.12s | 176104 ko | Util/ZUtil/Notations.vo 0m00.12s | 195256 ko | rupicola/bedrock2/bedrock2/src/bedrock2/PrintListByte.vo 0m00.12s | 210060 ko | rupicola/bedrock2/bedrock2/src/bedrock2/TacticError.vo 0m00.12s | 243808 ko | rupicola/bedrock2/bedrock2/src/bedrock2/find_hyp.vo 0m00.12s | 257612 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth64.vo 0m00.11s | 237000 ko | Util/Structures/Equalities.vo 0m00.11s | 113012 ko | Util/TagList.vo 0m00.11s | 245504 ko | Util/Telescope/Equality.vo 0m00.11s | 23260 ko | fiat-rust/src/poly1305_64.rs 0m00.11s | 147568 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/HList.vo 0m00.11s | 214580 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_core.vo 0m00.11s | 181152 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Z/div_mod_to_equations.vo 0m00.11s | 173232 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Z/div_to_equations.vo 0m00.11s | 185404 ko | rupicola/src/Rupicola/Lib/Gensym.vo 0m00.10s | 131800 ko | Rewriter/Rewriter/Examples/PerfTesting/ListRectInstances.vo 0m00.10s | 220436 ko | Rewriter/Util/Sigma.vo 0m00.10s | 102220 ko | Util/LetIn.vo 0m00.10s | 174024 ko | 
Util/ListUtil/IndexOf.vo 0m00.10s | 177032 ko | Util/ListUtil/PermutationCompat.vo 0m00.10s | 158668 ko | Util/PrimitiveSigma.vo 0m00.10s | 224792 ko | Util/Sigma.vo 0m00.10s | 137204 ko | Util/Structures/Equalities/Bool.vo 0m00.10s | 151896 ko | Util/Structures/Equalities/Iso.vo 0m00.10s | 114816 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ListPushPullIf.vo 0m00.10s | 200688 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ident_to_string.vo 0m00.09s | 115048 ko | Rewriter/Language/Pre.vo 0m00.09s | 188764 ko | Rewriter/Util/PrimitiveProd.vo 0m00.09s | 26848 ko | Rewriter/Util/plugins/rewriter_build_plugin.cmx 0m00.09s | 129720 ko | Util/ErrorT.vo 0m00.09s | 105060 ko | Util/ListUtil/RemoveN.vo 0m00.09s | 117568 ko | Util/Structures/Equalities/Empty.vo 0m00.09s | 105404 ko | Util/Tactics/AllInstances.vo 0m00.09s | 105200 ko | Util/Tactics/AllSuccesses.vo 0m00.09s | 192708 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/destr.vo 0m00.08s | 112092 ko | Rewriter/Util/PrimitiveHList.vo 0m00.08s | 110592 ko | Util/ListUtil/FoldMap.vo 0m00.08s | 111052 ko | Util/ListUtil/Split.vo 0m00.08s | 88852 ko | Util/Notations.vo 0m00.08s | 111740 ko | Util/PrimitiveHList.vo 0m00.08s | 193200 ko | Util/PrimitiveProd.vo 0m00.08s | 118960 ko | Util/Sigma/Related.vo 0m00.08s | 87280 ko | Util/Tactics/GeneralizeOverHoles.vo 0m00.08s | 101652 ko | Util/Telescope/Core.vo 0m00.07s | 153996 ko | Rewriter/Util/PrimitiveSigma.vo 0m00.07s | 77564 ko | Rewriter/Util/Tactics2/Char.vo 0m00.07s | 77628 ko | Rewriter/Util/Tactics2/DestConstructor.vo 0m00.07s | 77540 ko | Rewriter/Util/Tactics2/DestVar.vo 0m00.07s | 77788 ko | Rewriter/Util/Tactics2/Head.vo 0m00.07s | 106476 ko | Util/DynList.vo 0m00.07s | 71684 ko | Util/FueledLUB.vo 0m00.07s | 107912 ko | Util/ListUtil/Concat.vo 0m00.07s | 172944 ko | Util/ListUtil/ForallIn.vo 0m00.07s | 104116 ko | Util/Logic/ExistsEqAnd.vo 0m00.07s | 121152 ko | Util/Structures/Equalities/Unit.vo 0m00.07s | 91956 ko | Util/Tactics/InHypUnderBindersDo.vo 
0m00.06s | 136516 ko | Rewriter/Util/Equality.vo 0m00.06s | 76888 ko | Rewriter/Util/FixCoqMistakes.vo 0m00.06s | 66884 ko | Rewriter/Util/Tactics/ConstrFail.vo 0m00.06s | 75880 ko | Rewriter/Util/Tactics/DebugPrint.vo 0m00.06s | 67124 ko | Rewriter/Util/Tactics/PrintGoal.vo 0m00.06s | 77544 ko | Rewriter/Util/Tactics2/Constr/Unsafe/MakeAbbreviations.vo 0m00.06s | 77656 ko | Rewriter/Util/Tactics2/DestCase.vo 0m00.06s | 77596 ko | Rewriter/Util/Tactics2/DestFix.vo 0m00.06s | 77632 ko | Rewriter/Util/Tactics2/DestInd.vo 0m00.06s | 77712 ko | Rewriter/Util/Tactics2/DestLetIn.vo 0m00.06s | 77692 ko | Rewriter/Util/Tactics2/DestRel.vo 0m00.06s | 77756 ko | Rewriter/Util/Tactics2/DestSort.vo 0m00.06s | 77612 ko | Rewriter/Util/Tactics2/InFreshContext.vo 0m00.06s | 77632 ko | Rewriter/Util/Tactics2/Option.vo 0m00.06s | 87356 ko | Util/AutoRewrite.vo 0m00.06s | 141012 ko | Util/Equality.vo 0m00.06s | 90244 ko | Util/Logic.vo 0m00.06s | 80568 ko | Util/Logic/Forall.vo 0m00.06s | 78616 ko | Util/Logic/ImplAnd.vo 0m00.06s | 91572 ko | Util/Pointed.vo 0m00.06s | 72412 ko | Util/Pos.vo 0m00.06s | 88952 ko | Util/Sigma/Lift.vo 0m00.06s | 93260 ko | Util/Sumbool.vo 0m00.06s | 76552 ko | Util/Tactics/DestructHyps.vo 0m00.06s | 71088 ko | Util/Tactics/OnSubterms.vo 0m00.06s | 182508 ko | Util/Telescope/Instances.vo 0m00.06s | 81156 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Hexdump.vo 0m00.06s | 109892 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Sorting/Permutation.vo 0m00.05s | 112684 ko | Rewriter/Language/PreCommon.vo 0m00.05s | 96016 ko | Rewriter/Util/HProp.vo 0m00.05s | 82576 ko | Rewriter/Util/Notations.vo 0m00.05s | 114448 ko | Rewriter/Util/Sigma/Related.vo 0m00.05s | 66884 ko | Rewriter/Util/Tactics/EvarNormalize.vo 0m00.05s | 66828 ko | Rewriter/Util/Tactics/GetGoal.vo 0m00.05s | 66816 ko | Rewriter/Util/Tactics/Not.vo 0m00.05s | 71168 ko | Rewriter/Util/Tactics/SpecializeAllWays.vo 0m00.05s | 78024 ko | Rewriter/Util/Tactics2/Constr.vo 0m00.05s | 77584 ko | 
Rewriter/Util/Tactics2/DestCoFix.vo 0m00.05s | 77660 ko | Rewriter/Util/Tactics2/DestLambda.vo 0m00.05s | 77532 ko | Rewriter/Util/Tactics2/DestMeta.vo 0m00.05s | 77588 ko | Rewriter/Util/Tactics2/Ident.vo 0m00.05s | 77528 ko | Rewriter/Util/Tactics2/List.vo 0m00.05s | 77472 ko | Rewriter/Util/Tactics2/Ltac1.vo 0m00.05s | 77656 ko | Rewriter/Util/Tactics2/Notations.vo 0m00.05s | 77492 ko | Rewriter/Util/Tactics2/Proj.vo 0m00.05s | 68912 ko | Rewriter/Util/TypeList.vo 0m00.05s | 66988 ko | Rewriter/Util/plugins/StrategyTactic.vo 0m00.05s | 21388 ko | Rewriter/Util/plugins/rewriter_build_plugin.cmxs 0m00.05s | 74300 ko | Util/Curry.vo 0m00.05s | 78624 ko | Util/Tactics/Beta1.vo 0m00.05s | 78676 ko | Util/Tactics/BreakMatch.vo 0m00.05s | 73120 ko | Util/Tactics/CPSId.vo 0m00.05s | 73656 ko | Util/Tactics/CacheTerm.vo 0m00.05s | 71324 ko | Util/Tactics/ClearFree.vo 0m00.05s | 82416 ko | Util/Tactics/DestructHead.vo 0m00.05s | 70872 ko | Util/Tactics/HasBody.vo 0m00.05s | 75352 ko | Util/Tactics/RunTacticAsConstr.vo 0m00.05s | 93516 ko | Util/Tactics/SpecializeUnderBindersBy.vo 0m00.05s | 76500 ko | Util/Tactics/SplitInContext.vo 0m00.05s | 117632 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Lift1Prop.vo 0m00.05s | 102212 ko | rupicola/bedrock2/bedrock2/src/bedrock2/ReversedListNotations.vo 0m00.05s | 93280 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Prod.vo 0m00.05s | 61444 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/subst.vo 0m00.05s | 72180 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/symmetry.vo 0m00.05s | 116312 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Records.vo 0m00.05s | 66600 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/autoforward.vo 0m00.05s | 75996 ko | rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/runsToNonDet.vo 0m00.04s | 129760 ko | Rewriter/Util/Bool.vo 0m00.04s | 85932 ko | Rewriter/Util/IffT.vo 0m00.04s | 99724 ko | Rewriter/Util/Logic/ExistsEqAnd.vo 0m00.04s | 87556 ko | 
Rewriter/Util/Pointed.vo 0m00.04s | 69304 ko | Rewriter/Util/Tactics/CacheTerm.vo 0m00.04s | 90336 ko | Rewriter/Util/Tactics/RewriteHyp.vo 0m00.04s | 71012 ko | Rewriter/Util/Tactics/RunTacticAsConstr.vo 0m00.04s | 68004 ko | Rewriter/Util/Tactics/SetoidSubst.vo 0m00.04s | 78168 ko | Rewriter/Util/Tactics2/DecomposeLambda.vo 0m00.04s | 77636 ko | Rewriter/Util/Tactics2/DestApp.vo 0m00.04s | 77624 ko | Rewriter/Util/Tactics2/DestCast.vo 0m00.04s | 77536 ko | Rewriter/Util/Tactics2/DestEvar.vo 0m00.04s | 77692 ko | Rewriter/Util/Tactics2/DestProd.vo 0m00.04s | 77636 ko | Rewriter/Util/Tactics2/DestProj.vo 0m00.04s | 77668 ko | Rewriter/Util/Tactics2/InstantiateEvar.vo 0m00.04s | 77472 ko | Rewriter/Util/Tactics2/Iterate.vo 0m00.04s | 77540 ko | Rewriter/Util/Tactics2/Message.vo 0m00.04s | 78216 ko | Rewriter/Util/Tactics2/ReplaceByPattern.vo 0m00.04s | 77756 ko | Rewriter/Util/Tactics2/String.vo 0m00.04s | 26596 ko | Rewriter/Util/plugins/definition_by_tactic.cmx 0m00.04s | 52900 ko | Rewriter/Util/plugins/definition_by_tactic_plugin.cmxa 0m00.04s | 28820 ko | Rewriter/Util/plugins/inductive_from_elim.cmx 0m00.04s | 52872 ko | Rewriter/Util/plugins/inductive_from_elim_plugin.cmxa 0m00.04s | 19616 ko | Rewriter/Util/plugins/ltac2_extra_plugin.cmxs 0m00.04s | 79884 ko | Util/Bool/Equality.vo 0m00.04s | 82264 ko | Util/CPSNotations.vo 0m00.04s | 103260 ko | Util/Compose.vo 0m00.04s | 81056 ko | Util/FixCoqMistakes.vo 0m00.04s | 99956 ko | Util/HProp.vo 0m00.04s | 90000 ko | Util/IffT.vo 0m00.04s | 106296 ko | Util/ListUtil/CombineExtend.vo 0m00.04s | 88628 ko | Util/Logic/ProdForall.vo 0m00.04s | 79252 ko | Util/SideConditions/CorePackages.vo 0m00.04s | 72832 ko | Util/Sigma/MapProjections.vo 0m00.04s | 102900 ko | Util/Structures/Equalities/Project.vo 0m00.04s | 71268 ko | Util/Tactics/ChangeInAll.vo 0m00.04s | 71300 ko | Util/Tactics/ClearDuplicates.vo 0m00.04s | 71072 ko | Util/Tactics/ClearbodyAll.vo 0m00.04s | 79852 ko | Util/Tactics/DebugPrint.vo 0m00.04s | 71368 
ko | Util/Tactics/DestructTrivial.vo 0m00.04s | 75432 ko | Util/Tactics/DoWithHyp.vo 0m00.04s | 70860 ko | Util/Tactics/ESpecialize.vo 0m00.04s | 70988 ko | Util/Tactics/EvarExists.vo 0m00.04s | 71232 ko | Util/Tactics/EvarNormalize.vo 0m00.04s | 70852 ko | Util/Tactics/GetGoal.vo 0m00.04s | 75484 ko | Util/Tactics/HeadConstrEq.vo 0m00.04s | 83624 ko | Util/Tactics/MoveLetIn.vo 0m00.04s | 71136 ko | Util/Tactics/Not.vo 0m00.04s | 71224 ko | Util/Tactics/PoseTermWithName.vo 0m00.04s | 71096 ko | Util/Tactics/PrintContext.vo 0m00.04s | 71140 ko | Util/Tactics/Revert.vo 0m00.04s | 70796 ko | Util/Tactics/Test.vo 0m00.04s | 71448 ko | Util/Tactics/UnfoldArg.vo 0m00.04s | 76208 ko | Util/Tactics/UniquePose.vo 0m00.04s | 71572 ko | Util/Tactics/WarnIfGoalsRemain.vo 0m00.04s | 80848 ko | rupicola/bedrock2/compiler/src/compiler/GenericForeverSafe.vo 0m00.04s | 73932 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ParamRecords.vo 0m00.04s | 62340 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/eabstract.vo 0m00.04s | 78264 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/eplace.vo 0m00.04s | 66344 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/forward.vo 0m00.04s | 63384 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/simpl_rewrite.vo 0m00.04s | 64224 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/syntactic_unify.vo 0m00.03s | 77828 ko | Rewriter/Util/CPSNotations.vo 0m00.03s | 78684 ko | Rewriter/Util/Comparison.vo 0m00.03s | 66416 ko | Rewriter/Util/GlobalSettings.vo 0m00.03s | 70140 ko | Rewriter/Util/InductiveHList.vo 0m00.03s | 67936 ko | Rewriter/Util/Isomorphism.vo 0m00.03s | 98472 ko | Rewriter/Util/LetIn.vo 0m00.03s | 84368 ko | Rewriter/Util/Logic/ProdForall.vo 0m00.03s | 70924 ko | Rewriter/Util/Tactics/AssertSucceedsPreserveError.vo 0m00.03s | 74180 ko | Rewriter/Util/Tactics/BreakMatch.vo 0m00.03s | 67104 ko | Rewriter/Util/Tactics/ClearFree.vo 0m00.03s | 72180 ko | Rewriter/Util/Tactics/DestructHyps.vo 0m00.03s 
| 71296 ko | Rewriter/Util/Tactics/DoWithHyp.vo 0m00.03s | 70708 ko | Rewriter/Util/Tactics/Head.vo 0m00.03s | 71316 ko | Rewriter/Util/Tactics/HeadUnderBinders.vo 0m00.03s | 66780 ko | Rewriter/Util/Tactics/SubstEvars.vo 0m00.03s | 67728 ko | Rewriter/Util/Tactics/TransparentAssert.vo 0m00.03s | 67132 ko | Rewriter/Util/Tactics/WarnIfGoalsRemain.vo 0m00.03s | 77632 ko | Rewriter/Util/Tactics2/Array.vo 0m00.03s | 77748 ko | Rewriter/Util/Tactics2/DestConstant.vo 0m00.03s | 78908 ko | Rewriter/Util/Tactics2/FixNotationsForPerformance.vo 0m00.03s | 77216 ko | Rewriter/Util/plugins/Ltac2Extra.vo 0m00.03s | 20400 ko | Rewriter/Util/plugins/definition_by_tactic.cmi 0m00.03s | 25472 ko | Rewriter/Util/plugins/definition_by_tactic_plugin.cmx 0m00.03s | 19648 ko | Rewriter/Util/plugins/inductive_from_elim_plugin.cmxs 0m00.03s | 22724 ko | Rewriter/Util/plugins/ltac2_extra.cmx 0m00.03s | 30648 ko | Rewriter/Util/plugins/rewriter_build.cmx 0m00.03s | 53360 ko | Rewriter/Util/plugins/rewriter_build_plugin.cmxa 0m00.03s | 52788 ko | Rewriter/Util/plugins/strategy_tactic_plugin.cmxa 0m00.03s | 72776 ko | Util/Bool/IsTrue.vo 0m00.03s | 70464 ko | Util/GlobalSettings.vo 0m00.03s | 72016 ko | Util/Isomorphism.vo 0m00.03s | 78516 ko | Util/Logic/Exists.vo 0m00.03s | 79008 ko | Util/PER.vo 0m00.03s | 75148 ko | Util/Tactics/AppendUnderscores.vo 0m00.03s | 75508 ko | Util/Tactics/ClearHead.vo 0m00.03s | 71140 ko | Util/Tactics/Contains.vo 0m00.03s | 71600 ko | Util/Tactics/ConvoyDestruct.vo 0m00.03s | 75220 ko | Util/Tactics/Delta1.vo 0m00.03s | 74752 ko | Util/Tactics/ETransitivity.vo 0m00.03s | 75312 ko | Util/Tactics/FindHyp.vo 0m00.03s | 71428 ko | Util/Tactics/Forward.vo 0m00.03s | 75224 ko | Util/Tactics/Head.vo 0m00.03s | 75528 ko | Util/Tactics/HeadUnderBinders.vo 0m00.03s | 71404 ko | Util/Tactics/NormalizeCommutativeIdentifier.vo 0m00.03s | 71508 ko | Util/Tactics/PrintGoal.vo 0m00.03s | 75004 ko | Util/Tactics/RevertUntil.vo 0m00.03s | 94540 ko | Util/Tactics/RewriteHyp.vo 
0m00.03s | 71328 ko | Util/Tactics/SimplifyRepeatedIfs.vo 0m00.03s | 75672 ko | Util/Tactics/SpecializeAllWays.vo 0m00.03s | 76020 ko | Util/Tactics/SpecializeBy.vo 0m00.03s | 70936 ko | Util/Tactics/SubstEvars.vo 0m00.03s | 71008 ko | Util/Tactics/SubstLet.vo 0m00.03s | 72196 ko | Util/Tactics/UnifyAbstractReflexivity.vo 0m00.03s | 71644 ko | Util/Tactics/VM.vo 0m00.03s | 78208 ko | Util/Tactics/Zeta1.vo 0m00.03s | 87028 ko | Util/Tower.vo 0m00.03s | 72144 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Constr.vo 0m00.03s | 71340 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Log.vo 0m00.03s | 61940 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/unique.vo 0m00.03s | 62352 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/sanity.vo 0m00.02s | 75656 ko | Rewriter/Util/Bool/Equality.vo 0m00.02s | 77660 ko | Rewriter/Util/Tactics/DestructHead.vo 0m00.02s | 71100 ko | Rewriter/Util/Tactics/FindHyp.vo 0m00.02s | 71740 ko | Rewriter/Util/Tactics/SpecializeBy.vo 0m00.02s | 66868 ko | Rewriter/Util/Tactics/Test.vo 0m00.02s | 71840 ko | Rewriter/Util/Tactics/UniquePose.vo 0m00.02s | 77852 ko | Rewriter/Util/Tactics2/HeadReference.vo 0m00.02s | 19896 ko | Rewriter/Util/plugins/definition_by_tactic_plugin.cmxs 0m00.02s | 20324 ko | Rewriter/Util/plugins/inductive_from_elim.cmi 0m00.02s | 24052 ko | Rewriter/Util/plugins/inductive_from_elim_plugin.cmx 0m00.02s | 20200 ko | Rewriter/Util/plugins/ltac2_extra_plugin.cmx 0m00.02s | 18988 ko | Rewriter/Util/plugins/strategy_tactic.cmi 0m00.02s | 22508 ko | Rewriter/Util/plugins/strategy_tactic.cmx 0m00.02s | 19144 ko | Rewriter/Util/plugins/strategy_tactic_plugin.cmxs 0m00.02s | 80136 ko | Util/Bool/LeCompat.vo 0m00.02s | 82664 ko | Util/Comparison.vo 0m00.02s | 71160 ko | Util/DefaultedTypes.vo 0m00.02s | 73344 ko | Util/Sigma/Associativity.vo 0m00.02s | 71192 ko | Util/Tactics/ClearAll.vo 0m00.02s | 75620 ko | Util/Tactics/CountBinders.vo 0m00.02s | 70800 ko | Util/Tactics/SetEvars.vo 0m00.02s | 71144 ko 
| Util/Tactics/SideConditionsBeforeToAfter.vo 0m00.02s | 71780 ko | Util/Tactics/SimplifyProjections.vo 0m00.02s | 64040 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Markers.vo 0m00.02s | 62732 ko | rupicola/bedrock2/bedrock2/src/bedrock2/Notations.vo 0m00.02s | 107180 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Option.vo 0m00.02s | 71228 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Msg.vo 0m00.01s | 68952 ko | Rewriter/Util/Tactics/CPSId.vo 0m00.01s | 67040 ko | Rewriter/Util/Tactics/PrintContext.vo 0m00.01s | 66852 ko | Rewriter/Util/Tactics/SetEvars.vo 0m00.01s | 17308 ko | Rewriter/Util/plugins/ltac2_extra.cmi 0m00.01s | 52884 ko | Rewriter/Util/plugins/ltac2_extra_plugin.cmxa 0m00.01s | 19384 ko | Rewriter/Util/plugins/rewriter_build.cmi 0m00.01s | 23244 ko | Rewriter/Util/plugins/strategy_tactic_plugin.cmx 0m00.01s | 71008 ko | Util/Tactics/ConstrFail.vo 0m00.01s | 73868 ko | Util/Tactics/SetoidSubst.vo 0m00.01s | 71844 ko | Util/Tactics/TransparentAssert.vo 0m00.01s | 76344 ko | Util/Unit.vo 0m00.01s | 62880 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/letexists.vo 0m00.01s | 62380 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/rdelta.vo 0m00.01s | 62000 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/dlet.vo 0m00.00s | 67116 ko | Rewriter/Util/Tactics/Contains.vo 0m00.00s | 72120 ko | Rewriter/Util/Tactics/SplitInContext.vo 0m00.00s | 63688 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/PrimitivePair.vo 0m00.00s | 63888 ko | rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ltac_list_ops.vo ```

Full Build Log

``` COQ_MAKEFILE -f _CoqProject > Makefile.coq Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_Coqprime_coqutil_Rupicola_bedrock2_bedrock2Examples_compiler_riscv_Rewriter_Crypto Makefile:154: warning: overriding recipe for target 'all' Makefile.coq:386: warning: ignoring old recipe for target 'all' Makefile:489: warning: overriding recipe for target 'validate' Makefile.coq:514: warning: ignoring old recipe for target 'validate' make --no-print-directory -C rewriter make --no-print-directory -C rupicola/bedrock2/deps/coqutil make --no-print-directory -C coqprime src/Coqprime/PrimalityTest/Zp.vo src/Coqprime/PrimalityTest/PocklingtonCertificat.vo printf -- '-R /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/ coqutil\n-arg -w -arg unsupported-attributes\n' > _CoqProject Generating Makefile.coq.all make -f Makefile.coq.all make[1]: 'src/Coqprime/PrimalityTest/Zp.vo' is up to date. make[1]: 'src/Coqprime/PrimalityTest/PocklingtonCertificat.vo' is up to date. 
sed 's?@META@??g' _CoqProject.in > _CoqProject echo $COQ_VERSION_INFO (8.15.0) > .coq-version COQ_MAKEFILE -f _CoqProject > Makefile.coq COQ_MAKEFILE -f _CoqProject > Makefile.coq COQDEP VFILES COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/subst.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/subst.vo (real: 0.05, user: 0.05, sys: 0.00, mem: 61444 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/dlet.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/dlet.vo (real: 0.05, user: 0.01, sys: 0.03, mem: 62000 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/sanity.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/sanity.vo (real: 0.05, user: 0.03, sys: 0.02, mem: 62352 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/unique.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/unique.vo (real: 0.05, user: 0.03, sys: 0.02, mem: 61940 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/forward.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/forward.vo (real: 0.05, user: 0.04, sys: 0.01, mem: 66344 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/PrimitivePair.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/PrimitivePair.vo (real: 0.05, user: 0.00, sys: 0.04, mem: 63688 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Byte.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Byte.vo (real: 0.36, user: 0.21, sys: 0.11, mem: 311892 ko) CP src/Rewriter/Util/plugins/RewriterBuildRegistry.v{.v815,} COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Interface.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Interface.vo (real: 0.27, user: 
0.18, sys: 0.09, mem: 306972 ko) CP src/Rewriter/Util/plugins/RewriterBuild.v{.v815,} CP src/Rewriter/Util/plugins/StrategyTactic.v{.v815,} CP src/Rewriter/Util/plugins/Ltac2Extra.v{.v815,} CP src/Rewriter/Util/plugins/definition_by_tactic.ml{.v815,} CP src/Rewriter/Util/plugins/definition_by_tactic.mli{.v815,} CP src/Rewriter/Util/plugins/definition_by_tactic_plugin.mlg{.v815,} CP src/Rewriter/Util/plugins/definition_by_tactic_plugin.mllib{.v815,} CP src/Rewriter/Util/plugins/inductive_from_elim.ml{.v815,} CP src/Rewriter/Util/plugins/inductive_from_elim.mli{.v815,} CP src/Rewriter/Util/plugins/inductive_from_elim_plugin.mlg{.v815,} CP src/Rewriter/Util/plugins/inductive_from_elim_plugin.mllib{.v815,} CP src/Rewriter/Util/plugins/rewriter_build.ml{.v815,} CP src/Rewriter/Util/plugins/rewriter_build.mli{.v815,} CP src/Rewriter/Util/plugins/rewriter_build_plugin.mlg{.v815,} CP src/Rewriter/Util/plugins/rewriter_build_plugin.mllib{.v815,} CP src/Rewriter/Util/plugins/strategy_tactic.ml{.v815,} CP src/Rewriter/Util/plugins/strategy_tactic.mli{.v815,} CP src/Rewriter/Util/plugins/strategy_tactic_plugin.mlg{.v815,} CP src/Rewriter/Util/plugins/strategy_tactic_plugin.mllib{.v815,} CP src/Rewriter/Util/plugins/ltac2_extra.ml{.v815,} CP src/Rewriter/Util/plugins/ltac2_extra.mli{.v815,} CP src/Rewriter/Util/plugins/ltac2_extra_plugin.mlg{.v815,} CP src/Rewriter/Util/plugins/ltac2_extra_plugin.mllib{.v815,} COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Option.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Option.vo (real: 0.09, user: 0.02, sys: 0.06, mem: 107180 ko) COQPP src/Rewriter/Util/plugins/definition_by_tactic_plugin.mlg COQPP src/Rewriter/Util/plugins/inductive_from_elim_plugin.mlg COQPP src/Rewriter/Util/plugins/rewriter_build_plugin.mlg COQPP src/Rewriter/Util/plugins/strategy_tactic_plugin.mlg COQPP src/Rewriter/Util/plugins/ltac2_extra_plugin.mlg COQC 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Sorting/Permutation.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Sorting/Permutation.vo (real: 0.11, user: 0.06, sys: 0.05, mem: 109892 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/Lia.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/Lia.vo (real: 0.27, user: 0.19, sys: 0.07, mem: 257344 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Prod.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Prod.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 93280 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ident_to_string.v Finished transaction in 0.17 secs (0.17u,0.s) (successful) /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ident_to_string.vo (real: 0.61, user: 0.41, sys: 0.14, mem: 390016 ko) COQDEP VFILES COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/autoforward.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/autoforward.vo (real: 0.06, user: 0.05, sys: 0.01, mem: 66600 ko) CAMLDEP src/Rewriter/Util/plugins/ltac2_extra.mli CAMLDEP src/Rewriter/Util/plugins/strategy_tactic.mli CAMLDEP src/Rewriter/Util/plugins/rewriter_build.mli CAMLDEP src/Rewriter/Util/plugins/inductive_from_elim.mli CAMLDEP src/Rewriter/Util/plugins/definition_by_tactic.mli OCAMLLIBDEP src/Rewriter/Util/plugins/ltac2_extra_plugin.mllib COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_arith_hints.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_arith_hints.vo (real: 0.19, user: 0.14, sys: 0.04, mem: 186908 ko) OCAMLLIBDEP src/Rewriter/Util/plugins/strategy_tactic_plugin.mllib OCAMLLIBDEP src/Rewriter/Util/plugins/rewriter_build_plugin.mllib OCAMLLIBDEP 
src/Rewriter/Util/plugins/inductive_from_elim_plugin.mllib OCAMLLIBDEP src/Rewriter/Util/plugins/definition_by_tactic_plugin.mllib CAMLDEP src/Rewriter/Util/plugins/ltac2_extra.ml CAMLDEP src/Rewriter/Util/plugins/strategy_tactic.ml COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ToConversion.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ToConversion.vo (real: 0.27, user: 0.19, sys: 0.07, mem: 265824 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/div_mod_to_equations.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/div_mod_to_equations.vo (real: 0.18, user: 0.11, sys: 0.06, mem: 181152 ko) CAMLDEP src/Rewriter/Util/plugins/rewriter_build.ml CAMLDEP src/Rewriter/Util/plugins/inductive_from_elim.ml COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/syntactic_unify.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/syntactic_unify.vo (real: 0.05, user: 0.04, sys: 0.01, mem: 64224 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Msg.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Msg.vo (real: 0.06, user: 0.02, sys: 0.03, mem: 71228 ko) CAMLDEP src/Rewriter/Util/plugins/definition_by_tactic.ml CAMLDEP src/Rewriter/Util/plugins/ltac2_extra_plugin.ml CAMLDEP src/Rewriter/Util/plugins/strategy_tactic_plugin.ml CAMLDEP src/Rewriter/Util/plugins/rewriter_build_plugin.ml COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Constr.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Constr.vo (real: 0.06, user: 0.03, sys: 0.03, mem: 72144 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/eplace.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/eplace.vo (real: 0.06, user: 0.04, sys: 0.01, mem: 78264 ko) CAMLDEP 
src/Rewriter/Util/plugins/inductive_from_elim_plugin.ml CAMLDEP src/Rewriter/Util/plugins/definition_by_tactic_plugin.ml COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ltac_list_ops.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ltac_list_ops.vo (real: 0.05, user: 0.00, sys: 0.04, mem: 63888 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/eabstract.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/eabstract.vo (real: 0.05, user: 0.04, sys: 0.01, mem: 62340 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/simpl_rewrite.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/simpl_rewrite.vo (real: 0.05, user: 0.04, sys: 0.00, mem: 63384 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/rdelta.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/rdelta.vo (real: 0.05, user: 0.01, sys: 0.03, mem: 62380 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Simp.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Simp.vo (real: 0.28, user: 0.22, sys: 0.06, mem: 258808 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/letexists.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/letexists.vo (real: 0.05, user: 0.01, sys: 0.03, mem: 62880 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/PushPullMod.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/PushPullMod.vo (real: 0.58, user: 0.45, sys: 0.12, mem: 402540 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/bitblast.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/bitblast.vo (real: 0.63, user: 0.53, sys: 0.08, mem: 409380 ko) COQC 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Log.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Ltac2Lib/Log.vo (real: 0.06, user: 0.03, sys: 0.02, mem: 71340 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth.vo (real: 0.26, user: 0.17, sys: 0.08, mem: 257532 ko) echo $COQ_VERSION_INFO (8.15.0) > .coq-version-short echo $COQ_VERSION_INFO (8.15.0, compiled with) > .coq-version-short-date echo $COQ_VERSION_INFO (8.15.0, OCaml 4.14.0) > .coq-version-compilation-date COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/symmetry.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/symmetry.vo (real: 0.06, user: 0.05, sys: 0.01, mem: 72180 ko) echo $COQ_VERSION_INFO (8.15.0, 4.14.0) > .coq-version-ocaml-version echo $COQ_VERSION_INFO (8.15.0, ) > .coq-version-config COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/div_to_equations.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/div_to_equations.vo (real: 0.18, user: 0.11, sys: 0.07, mem: 173232 ko) echo $COQ_VERSION_INFO (8.15.0, ) > .coq-version-ocaml-config etc/machine.sh > .machine COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/reference_to_string.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/reference_to_string.vo (real: 0.20, user: 0.15, sys: 0.05, mem: 194760 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/ident_to_string.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/ident_to_string.v", line 10, characters 0-85: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. 
[deprecated-ident-entry,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/ident_to_string.vo (real: 0.20, user: 0.15, sys: 0.05, mem: 195624 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/ZLib.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/ZLib.vo (real: 0.56, user: 0.40, sys: 0.15, mem: 403932 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ParamRecords.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ParamRecords.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 73932 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/HList.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/HList.vo (real: 0.15, user: 0.11, sys: 0.04, mem: 147568 ko) etc/machine-extended.sh > .machine-extended etc/machine-extended.sh: line 16: lsb_release: command not found COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Decidable.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Decidable.vo (real: 0.27, user: 0.16, sys: 0.10, mem: 267944 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth64.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth64.vo (real: 0.27, user: 0.12, sys: 0.15, mem: 257612 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth32.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Bitwidth32.vo (real: 0.28, user: 0.22, sys: 0.06, mem: 257576 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/WithQualName.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/WithQualName.vo (real: 0.21, user: 0.14, sys: 0.06, mem: 209828 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ident_of_string.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/ident_of_string.vo (real: 1.19, user: 1.11, sys: 0.06, mem: 411060 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/WithBaseName.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Macros/WithBaseName.vo (real: 0.20, user: 0.13, sys: 0.06, mem: 197100 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/destr.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/destr.vo (real: 0.19, user: 0.09, sys: 0.09, mem: 192708 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/String.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/String.vo (real: 0.30, user: 0.22, sys: 0.08, mem: 324760 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Records.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Records.vo (real: 0.12, user: 0.05, sys: 0.06, mem: 116312 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/BitOps.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/BitOps.vo (real: 0.80, user: 0.62, sys: 0.18, mem: 411704 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_core.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_core.vo (real: 0.21, user: 0.11, sys: 0.09, mem: 214580 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Tactics.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/Tactics.vo (real: 0.28, user: 0.15, sys: 0.13, mem: 261488 ko) COQC src/Rewriter/Util/GlobalSettings.v src/Rewriter/Util/GlobalSettings.vo (real: 0.06, user: 0.03, sys: 0.03, mem: 66416 ko) COQC src/Rewriter/Util/IffT.v src/Rewriter/Util/IffT.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 85932 ko) COQC 
src/Rewriter/Util/Isomorphism.v src/Rewriter/Util/Isomorphism.vo (real: 0.05, user: 0.03, sys: 0.01, mem: 67936 ko) COQC src/Rewriter/Util/HProp.v src/Rewriter/Util/HProp.vo (real: 0.08, user: 0.05, sys: 0.02, mem: 96016 ko) COQC src/Rewriter/Util/InductiveHList.v src/Rewriter/Util/InductiveHList.vo (real: 0.06, user: 0.03, sys: 0.02, mem: 70140 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/prove_Zeq_bitwise.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Z/prove_Zeq_bitwise.vo (real: 0.50, user: 0.37, sys: 0.13, mem: 409528 ko) COQC src/Rewriter/Util/Bool.v src/Rewriter/Util/Bool.vo (real: 0.12, user: 0.04, sys: 0.08, mem: 129760 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/SafeSimpl.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/SafeSimpl.vo (real: 0.25, user: 0.17, sys: 0.08, mem: 239740 ko) COQC src/Rewriter/Util/Pointed.v src/Rewriter/Util/Pointed.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 87556 ko) COQC src/Rewriter/Util/Tactics/Test.v src/Rewriter/Util/Tactics/Test.vo (real: 0.06, user: 0.02, sys: 0.03, mem: 66868 ko) COQC src/Rewriter/Util/Tactics/ConstrFail.v src/Rewriter/Util/Tactics/ConstrFail.vo (real: 0.06, user: 0.06, sys: 0.00, mem: 66884 ko) COQC src/Rewriter/Util/Tactics/GetGoal.v src/Rewriter/Util/Tactics/GetGoal.vo (real: 0.06, user: 0.05, sys: 0.01, mem: 66828 ko) COQC src/Rewriter/Util/Tactics/Contains.v src/Rewriter/Util/Tactics/Contains.vo (real: 0.06, user: 0.00, sys: 0.05, mem: 67116 ko) COQC src/Rewriter/Util/Comparison.v src/Rewriter/Util/Comparison.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 78684 ko) COQC src/Rewriter/Util/Tactics/DebugPrint.v src/Rewriter/Util/Tactics/DebugPrint.vo (real: 0.07, user: 0.06, sys: 0.01, mem: 75880 ko) CAMLC -c src/Rewriter/Util/plugins/ltac2_extra.mli src/Rewriter/Util/plugins/ltac2_extra.cmi (real: 0.05, user: 0.01, sys: 0.01, mem: 17308 ko) CAMLOPT -c 
src/Rewriter/Util/plugins/ltac2_extra_plugin.ml src/Rewriter/Util/plugins/ltac2_extra_plugin.cmx (real: 0.03, user: 0.02, sys: 0.01, mem: 20200 ko) COQC src/Rewriter/Util/TypeList.v src/Rewriter/Util/TypeList.vo (real: 0.06, user: 0.05, sys: 0.01, mem: 68912 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/PropSet.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/PropSet.vo (real: 1.22, user: 1.04, sys: 0.18, mem: 406976 ko) COQC src/Rewriter/Util/Tactics/PrintContext.v src/Rewriter/Util/Tactics/PrintContext.vo (real: 0.06, user: 0.01, sys: 0.05, mem: 67040 ko) COQC src/Rewriter/Util/Tactics/EvarNormalize.v src/Rewriter/Util/Tactics/EvarNormalize.vo (real: 0.06, user: 0.05, sys: 0.01, mem: 66884 ko) COQC src/Rewriter/Util/Tactics/ClearFree.v src/Rewriter/Util/Tactics/ClearFree.vo (real: 0.06, user: 0.03, sys: 0.03, mem: 67104 ko) COQC src/Rewriter/Util/Tactics/CPSId.v src/Rewriter/Util/Tactics/CPSId.vo (real: 0.06, user: 0.01, sys: 0.04, mem: 68952 ko) COQC src/Rewriter/Util/Bool/Equality.v src/Rewriter/Util/Bool/Equality.vo (real: 0.06, user: 0.02, sys: 0.03, mem: 75656 ko) COQC src/Rewriter/Util/NatUtil.v src/Rewriter/Util/NatUtil.vo (real: 1.07, user: 0.95, sys: 0.10, mem: 412568 ko) COQC src/Rewriter/Util/Sigma/Related.v src/Rewriter/Util/Sigma/Related.vo (real: 0.10, user: 0.05, sys: 0.04, mem: 114448 ko) COQC src/Rewriter/Util/Tactics/SetEvars.v src/Rewriter/Util/Tactics/SetEvars.vo (real: 0.06, user: 0.01, sys: 0.04, mem: 66852 ko) COQC src/Rewriter/Util/Tactics/SubstEvars.v src/Rewriter/Util/Tactics/SubstEvars.vo (real: 0.06, user: 0.03, sys: 0.03, mem: 66780 ko) CAMLC -c src/Rewriter/Util/plugins/strategy_tactic.mli src/Rewriter/Util/plugins/strategy_tactic.cmi (real: 0.03, user: 0.02, sys: 0.00, mem: 18988 ko) CAMLC -c src/Rewriter/Util/plugins/definition_by_tactic.mli src/Rewriter/Util/plugins/definition_by_tactic.cmi (real: 0.03, user: 0.03, sys: 0.00, mem: 20400 ko) COQC 
src/Rewriter/Util/Tactics/TransparentAssert.v src/Rewriter/Util/Tactics/TransparentAssert.vo (real: 0.06, user: 0.03, sys: 0.03, mem: 67728 ko) CAMLC -c src/Rewriter/Util/plugins/inductive_from_elim.mli src/Rewriter/Util/plugins/inductive_from_elim.cmi (real: 0.03, user: 0.02, sys: 0.00, mem: 20324 ko) CAMLC -c src/Rewriter/Util/plugins/rewriter_build.mli src/Rewriter/Util/plugins/rewriter_build.cmi (real: 0.03, user: 0.01, sys: 0.01, mem: 19384 ko) COQC src/Rewriter/Rewriter/Examples/PerfTesting/ListRectInstances.v src/Rewriter/Rewriter/Examples/PerfTesting/ListRectInstances.vo (real: 0.14, user: 0.10, sys: 0.04, mem: 131800 ko) COQC src/Rewriter/Util/FixCoqMistakes.v src/Rewriter/Util/FixCoqMistakes.vo (real: 0.07, user: 0.06, sys: 0.01, mem: 76888 ko) COQC src/Rewriter/Util/Strings/Decimal.v src/Rewriter/Util/Strings/Decimal.vo (real: 0.27, user: 0.18, sys: 0.08, mem: 251660 ko) COQC src/Rewriter/Util/Tactics/Head.v src/Rewriter/Util/Tactics/Head.vo (real: 0.06, user: 0.03, sys: 0.02, mem: 70708 ko) COQC src/Rewriter/Util/Equality.v src/Rewriter/Util/Equality.vo (real: 0.13, user: 0.06, sys: 0.07, mem: 136516 ko) COQC src/Rewriter/Util/Tactics/DestructHyps.v src/Rewriter/Util/Tactics/DestructHyps.vo (real: 0.06, user: 0.03, sys: 0.02, mem: 72180 ko) COQC src/Rewriter/Util/Tactics/SpecializeBy.v src/Rewriter/Util/Tactics/SpecializeBy.vo (real: 0.06, user: 0.02, sys: 0.04, mem: 71740 ko) COQC src/Rewriter/Util/Tactics/Not.v src/Rewriter/Util/Tactics/Not.vo (real: 0.06, user: 0.05, sys: 0.01, mem: 66816 ko) COQC src/Rewriter/Util/Tactics/SplitInContext.v src/Rewriter/Util/Tactics/SplitInContext.vo (real: 0.06, user: 0.00, sys: 0.05, mem: 72120 ko) COQC src/Rewriter/Util/Tactics/SetoidSubst.v src/Rewriter/Util/Tactics/SetoidSubst.vo (real: 0.06, user: 0.04, sys: 0.01, mem: 68004 ko) COQC src/Rewriter/Util/Tactics/RunTacticAsConstr.v src/Rewriter/Util/Tactics/RunTacticAsConstr.vo (real: 0.06, user: 0.04, sys: 0.01, mem: 71012 ko) COQC 
src/Rewriter/Util/Tactics2/List.v src/Rewriter/Util/Tactics2/List.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 77528 ko) COQC src/Rewriter/Util/Tactics2/Ltac1.v File "./src/Rewriter/Util/Tactics2/Ltac1.v", line 15, characters 93-106: Warning: Ltac2 definition get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] src/Rewriter/Util/Tactics2/Ltac1.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 77472 ko) COQC src/Rewriter/Util/Tactics2/Message.v src/Rewriter/Util/Tactics2/Message.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 77540 ko) COQC src/Rewriter/Util/Tactics2/Ident.v src/Rewriter/Util/Tactics2/Ident.vo (real: 0.08, user: 0.05, sys: 0.02, mem: 77588 ko) COQC src/Rewriter/Util/Tactics2/Char.v src/Rewriter/Util/Tactics2/Char.vo (real: 0.08, user: 0.07, sys: 0.01, mem: 77564 ko) COQC src/Rewriter/Util/Tactics2/Array.v src/Rewriter/Util/Tactics2/Array.vo (real: 0.08, user: 0.03, sys: 0.05, mem: 77632 ko) COQC src/Rewriter/Util/Tactics2/Proj.v src/Rewriter/Util/Tactics2/Proj.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 77492 ko) COQC src/Rewriter/Util/Tactics2/Option.v src/Rewriter/Util/Tactics2/Option.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77632 ko) COQC src/Rewriter/Util/Tactics2/Iterate.v src/Rewriter/Util/Tactics2/Iterate.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 77472 ko) CAMLOPT -c src/Rewriter/Util/plugins/ltac2_extra.ml src/Rewriter/Util/plugins/ltac2_extra.cmx (real: 0.04, user: 0.03, sys: 0.00, mem: 22724 ko) COQC src/Rewriter/Util/Tactics2/DestEvar.v src/Rewriter/Util/Tactics2/DestEvar.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 77536 ko) COQC src/Rewriter/Util/Tactics2/InstantiateEvar.v src/Rewriter/Util/Tactics2/InstantiateEvar.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 77668 ko) COQC src/Rewriter/Util/Tactics2/Constr/Unsafe/MakeAbbreviations.v src/Rewriter/Util/Tactics2/Constr/Unsafe/MakeAbbreviations.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77544 ko) COQC 
src/Rewriter/Util/Tactics2/FixNotationsForPerformance.v src/Rewriter/Util/Tactics2/FixNotationsForPerformance.vo (real: 0.08, user: 0.03, sys: 0.04, mem: 78908 ko) COQC src/Rewriter/Util/Tactics/FindHyp.v src/Rewriter/Util/Tactics/FindHyp.vo (real: 0.06, user: 0.02, sys: 0.03, mem: 71100 ko) COQC src/Rewriter/Util/Tactics/HeadUnderBinders.v src/Rewriter/Util/Tactics/HeadUnderBinders.vo (real: 0.06, user: 0.03, sys: 0.02, mem: 71316 ko) COQC src/Rewriter/Util/Tactics/PrintGoal.v src/Rewriter/Util/Tactics/PrintGoal.vo (real: 0.06, user: 0.06, sys: 0.00, mem: 67124 ko) COQC src/Rewriter/Util/Tactics/CacheTerm.v src/Rewriter/Util/Tactics/CacheTerm.vo (real: 0.06, user: 0.04, sys: 0.01, mem: 69304 ko) COQC src/Rewriter/Rewriter/Examples/PerfTesting/Harness.v File "./src/Rewriter/Rewriter/Examples/PerfTesting/Harness.v", line 35, characters 0-147: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. [deprecated-ident-entry,deprecated] File "./src/Rewriter/Rewriter/Examples/PerfTesting/Harness.v", line 38, characters 0-371: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. 
[deprecated-ident-entry,deprecated] src/Rewriter/Rewriter/Examples/PerfTesting/Harness.vo (real: 1.41, user: 1.27, sys: 0.12, mem: 409452 ko) COQC src/Rewriter/Util/Tactics2/Notations.v src/Rewriter/Util/Tactics2/Notations.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 77656 ko) COQC src/Rewriter/Util/Logic/ProdForall.v src/Rewriter/Util/Logic/ProdForall.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 84368 ko) COQC src/Rewriter/Util/Tactics/WarnIfGoalsRemain.v src/Rewriter/Util/Tactics/WarnIfGoalsRemain.vo (real: 0.06, user: 0.03, sys: 0.03, mem: 67132 ko) COQC src/Rewriter/Util/Tactics2/Head.v src/Rewriter/Util/Tactics2/Head.vo (real: 0.08, user: 0.07, sys: 0.01, mem: 77788 ko) COQC src/Rewriter/Util/Tactics2/InFreshContext.v src/Rewriter/Util/Tactics2/InFreshContext.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77612 ko) CAMLOPT -c src/Rewriter/Util/plugins/strategy_tactic.ml src/Rewriter/Util/plugins/strategy_tactic.cmx (real: 0.03, user: 0.02, sys: 0.01, mem: 22508 ko) CAMLOPT -c src/Rewriter/Util/plugins/definition_by_tactic.ml src/Rewriter/Util/plugins/definition_by_tactic.cmx (real: 0.05, user: 0.04, sys: 0.00, mem: 26596 ko) CAMLOPT -c src/Rewriter/Util/plugins/inductive_from_elim.ml src/Rewriter/Util/plugins/inductive_from_elim.cmx (real: 0.06, user: 0.04, sys: 0.01, mem: 28820 ko) COQC src/Rewriter/Util/Tactics/AssertSucceedsPreserveError.v src/Rewriter/Util/Tactics/AssertSucceedsPreserveError.vo (real: 0.06, user: 0.03, sys: 0.02, mem: 70924 ko) COQC src/Rewriter/Util/Tactics2/DestApp.v src/Rewriter/Util/Tactics2/DestApp.vo (real: 0.07, user: 0.04, sys: 0.02, mem: 77636 ko) COQC src/Rewriter/Util/Tactics2/DestCase.v src/Rewriter/Util/Tactics2/DestCase.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77656 ko) COQC src/Rewriter/Util/Tactics2/DestCast.v src/Rewriter/Util/Tactics2/DestCast.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 77624 ko) COQC src/Rewriter/Util/Tactics2/DestCoFix.v src/Rewriter/Util/Tactics2/DestCoFix.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 
77584 ko) COQC src/Rewriter/Util/Tactics2/DestConstant.v src/Rewriter/Util/Tactics2/DestConstant.vo (real: 0.08, user: 0.03, sys: 0.04, mem: 77748 ko) COQC src/Rewriter/Util/Tactics2/DestConstructor.v src/Rewriter/Util/Tactics2/DestConstructor.vo (real: 0.08, user: 0.07, sys: 0.01, mem: 77628 ko) COQC src/Rewriter/Util/Tactics2/DestFix.v src/Rewriter/Util/Tactics2/DestFix.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77596 ko) COQC src/Rewriter/Util/Tactics2/DestInd.v src/Rewriter/Util/Tactics2/DestInd.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77632 ko) COQC src/Rewriter/Util/Tactics2/DestLambda.v src/Rewriter/Util/Tactics2/DestLambda.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 77660 ko) COQC src/Rewriter/Util/Tactics2/DestLetIn.v src/Rewriter/Util/Tactics2/DestLetIn.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77712 ko) COQC src/Rewriter/Util/Tactics2/DestMeta.v src/Rewriter/Util/Tactics2/DestMeta.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 77532 ko) COQC src/Rewriter/Util/Tactics2/DestProd.v src/Rewriter/Util/Tactics2/DestProd.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 77692 ko) COQC src/Rewriter/Util/Tactics2/DestProj.v src/Rewriter/Util/Tactics2/DestProj.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 77636 ko) COQC src/Rewriter/Util/Tactics2/DestRel.v src/Rewriter/Util/Tactics2/DestRel.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77692 ko) COQC src/Rewriter/Util/Tactics2/DestSort.v src/Rewriter/Util/Tactics2/DestSort.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 77756 ko) CAMLOPT -c src/Rewriter/Util/plugins/definition_by_tactic_plugin.ml src/Rewriter/Util/plugins/definition_by_tactic_plugin.cmx (real: 0.05, user: 0.03, sys: 0.01, mem: 25472 ko) COQC src/Rewriter/Util/Tactics2/DestVar.v src/Rewriter/Util/Tactics2/DestVar.vo (real: 0.08, user: 0.07, sys: 0.01, mem: 77540 ko) CAMLOPT -c src/Rewriter/Util/plugins/inductive_from_elim_plugin.ml src/Rewriter/Util/plugins/inductive_from_elim_plugin.cmx (real: 0.04, user: 0.02, sys: 0.01, mem: 24052 ko) COQC 
src/Rewriter/Util/Notations.v src/Rewriter/Util/Notations.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 82576 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/List.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/List.vo (real: 3.74, user: 3.58, sys: 0.15, mem: 432984 ko) COQC src/Rewriter/Util/PrimitiveProd.v src/Rewriter/Util/PrimitiveProd.vo (real: 0.16, user: 0.09, sys: 0.07, mem: 188764 ko) COQC src/Rewriter/Util/Tactics/BreakMatch.v src/Rewriter/Util/Tactics/BreakMatch.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 74180 ko) COQC src/Rewriter/Util/Prod.v src/Rewriter/Util/Prod.vo (real: 0.24, user: 0.18, sys: 0.06, mem: 263620 ko) COQC src/Rewriter/Util/Sigma.v src/Rewriter/Util/Sigma.vo (real: 0.21, user: 0.10, sys: 0.10, mem: 220436 ko) COQC src/Rewriter/Util/Tactics/DoWithHyp.v src/Rewriter/Util/Tactics/DoWithHyp.vo (real: 0.06, user: 0.03, sys: 0.02, mem: 71296 ko) COQC src/Rewriter/Util/Tactics/DestructHead.v src/Rewriter/Util/Tactics/DestructHead.vo (real: 0.07, user: 0.02, sys: 0.04, mem: 77660 ko) COQC src/Rewriter/Util/LetIn.v src/Rewriter/Util/LetIn.vo (real: 0.09, user: 0.03, sys: 0.05, mem: 98472 ko) COQC src/Rewriter/Util/CPSNotations.v src/Rewriter/Util/CPSNotations.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 77828 ko) COQC src/Rewriter/Util/Tactics2/String.v src/Rewriter/Util/Tactics2/String.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 77756 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Interface.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Interface.vo (real: 0.30, user: 0.20, sys: 0.10, mem: 287656 ko) COQC src/Rewriter/Util/Tactics/UniquePose.v src/Rewriter/Util/Tactics/UniquePose.vo (real: 0.06, user: 0.02, sys: 0.03, mem: 71840 ko) COQC src/Rewriter/Util/Logic/ExistsEqAnd.v src/Rewriter/Util/Logic/ExistsEqAnd.vo (real: 0.10, user: 0.04, sys: 0.04, mem: 99724 ko) COQC src/Rewriter/Util/PrimitiveSigma.v 
src/Rewriter/Util/PrimitiveSigma.vo (real: 0.15, user: 0.07, sys: 0.06, mem: 153996 ko) CAMLOPT -c src/Rewriter/Util/plugins/strategy_tactic_plugin.ml src/Rewriter/Util/plugins/strategy_tactic_plugin.cmx (real: 0.03, user: 0.01, sys: 0.01, mem: 23244 ko) CAMLOPT -a -o src/Rewriter/Util/plugins/ltac2_extra_plugin.cmxa src/Rewriter/Util/plugins/ltac2_extra_plugin.cmxa (real: 0.23, user: 0.01, sys: 0.06, mem: 52884 ko) COQC src/Rewriter/Util/Tactics2/HeadReference.v src/Rewriter/Util/Tactics2/HeadReference.vo (real: 0.08, user: 0.02, sys: 0.06, mem: 77852 ko) CAMLOPT -c src/Rewriter/Util/plugins/rewriter_build.ml File "src/Rewriter/Util/plugins/rewriter_build.ml", line 141, characters 69-104: 141 | let evaluable_head v = Tacred.evaluable_of_global_reference env (Patternops.head_of_constr_reference sigma (head sigma v)) in ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Alert deprecated: Patternops.head_of_constr_reference use [EConstr.destRef] src/Rewriter/Util/plugins/rewriter_build.cmx (real: 0.10, user: 0.03, sys: 0.06, mem: 30648 ko) CAMLOPT -a -o src/Rewriter/Util/plugins/definition_by_tactic_plugin.cmxa src/Rewriter/Util/plugins/definition_by_tactic_plugin.cmxa (real: 0.06, user: 0.04, sys: 0.01, mem: 52900 ko) CAMLOPT -a -o src/Rewriter/Util/plugins/inductive_from_elim_plugin.cmxa src/Rewriter/Util/plugins/inductive_from_elim_plugin.cmxa (real: 0.06, user: 0.04, sys: 0.01, mem: 52872 ko) COQC src/Rewriter/Util/Strings/Ascii.v src/Rewriter/Util/Strings/Ascii.vo (real: 0.22, user: 0.14, sys: 0.07, mem: 209324 ko) COQC src/Rewriter/Util/PrimitiveHList.v src/Rewriter/Util/PrimitiveHList.vo (real: 0.12, user: 0.08, sys: 0.03, mem: 112092 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ListSet.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ListSet.vo (real: 0.60, user: 0.48, sys: 0.12, mem: 408240 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/rewr.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/rewr.vo (real: 0.27, user: 0.16, sys: 0.11, mem: 259188 ko) COQC src/Rewriter/Util/Option.v src/Rewriter/Util/Option.vo (real: 0.35, user: 0.25, sys: 0.09, mem: 314132 ko) COQC src/Rewriter/Util/Tactics/RewriteHyp.v src/Rewriter/Util/Tactics/RewriteHyp.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 90336 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_list_hints.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_list_hints.vo (real: 0.26, user: 0.16, sys: 0.09, mem: 238624 ko) COQC src/Rewriter/Rewriter/Examples/PerfTesting/Sample.v File "./src/Rewriter/Rewriter/Examples/PerfTesting/Sample.v", line 365, characters 0-136: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. [deprecated-ident-entry,deprecated] File "./src/Rewriter/Rewriter/Examples/PerfTesting/Sample.v", line 368, characters 0-136: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. [deprecated-ident-entry,deprecated] File "./src/Rewriter/Rewriter/Examples/PerfTesting/Sample.v", line 376, characters 0-136: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. [deprecated-ident-entry,deprecated] File "./src/Rewriter/Rewriter/Examples/PerfTesting/Sample.v", line 379, characters 0-136: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. 
[deprecated-ident-entry,deprecated] src/Rewriter/Rewriter/Examples/PerfTesting/Sample.vo (real: 0.94, user: 0.76, sys: 0.17, mem: 408548 ko) COQC src/Rewriter/Util/Decidable.v src/Rewriter/Util/Decidable.vo (real: 0.80, user: 0.68, sys: 0.12, mem: 379664 ko) COQC src/Rewriter/Util/OptionList.v src/Rewriter/Util/OptionList.vo (real: 0.25, user: 0.17, sys: 0.08, mem: 257188 ko) CAMLOPT -shared -o src/Rewriter/Util/plugins/ltac2_extra_plugin.cmxs src/Rewriter/Util/plugins/ltac2_extra_plugin.cmxs (real: 0.04, user: 0.04, sys: 0.00, mem: 19616 ko) COQC src/Rewriter/Util/Tactics/SpecializeAllWays.v src/Rewriter/Util/Tactics/SpecializeAllWays.vo (real: 0.06, user: 0.05, sys: 0.01, mem: 71168 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Properties.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Properties.vo (real: 5.97, user: 5.69, sys: 0.26, mem: 570388 ko) COQC src/Rewriter/Util/ListUtil/SetoidList.v src/Rewriter/Util/ListUtil/SetoidList.vo (real: 0.36, user: 0.28, sys: 0.08, mem: 345468 ko) COQC src/Rewriter/Util/FMapPositive/Equality.v src/Rewriter/Util/FMapPositive/Equality.vo (real: 0.31, user: 0.18, sys: 0.13, mem: 302728 ko) CAMLOPT -a -o src/Rewriter/Util/plugins/strategy_tactic_plugin.cmxa src/Rewriter/Util/plugins/strategy_tactic_plugin.cmxa (real: 0.06, user: 0.03, sys: 0.02, mem: 52788 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Funext.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Funext.vo (real: 0.28, user: 0.19, sys: 0.08, mem: 277576 ko) CAMLOPT -c src/Rewriter/Util/plugins/rewriter_build_plugin.ml src/Rewriter/Util/plugins/rewriter_build_plugin.cmx (real: 0.10, user: 0.09, sys: 0.00, mem: 26848 ko) COQC src/Rewriter/Util/MSetPositive/Equality.v src/Rewriter/Util/MSetPositive/Equality.vo (real: 0.38, user: 0.23, sys: 0.14, mem: 336372 ko) CAMLOPT -shared -o src/Rewriter/Util/plugins/definition_by_tactic_plugin.cmxs 
src/Rewriter/Util/plugins/definition_by_tactic_plugin.cmxs (real: 0.05, user: 0.02, sys: 0.02, mem: 19896 ko) CAMLOPT -shared -o src/Rewriter/Util/plugins/inductive_from_elim_plugin.cmxs src/Rewriter/Util/plugins/inductive_from_elim_plugin.cmxs (real: 0.05, user: 0.03, sys: 0.01, mem: 19648 ko) COQC src/Rewriter/Util/Strings/String.v src/Rewriter/Util/Strings/String.vo (real: 0.38, user: 0.23, sys: 0.15, mem: 367988 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Empty_set_keyed_map.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Empty_set_keyed_map.vo (real: 0.26, user: 0.19, sys: 0.06, mem: 252140 ko) COQC src/Rewriter/Language/PreCommon.v src/Rewriter/Language/PreCommon.vo (real: 0.13, user: 0.05, sys: 0.06, mem: 112684 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedList.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedList.vo (real: 0.66, user: 0.57, sys: 0.08, mem: 408880 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Sorting/OrderToPermutation.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Sorting/OrderToPermutation.vo (real: 0.29, user: 0.20, sys: 0.09, mem: 278652 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Inhabited.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/Inhabited.vo (real: 0.26, user: 0.19, sys: 0.06, mem: 244576 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_word_hints.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_word_hints.vo (real: 0.30, user: 0.21, sys: 0.09, mem: 275952 ko) COQC src/Rewriter/Util/ListUtil/Forall.v src/Rewriter/Util/ListUtil/Forall.vo (real: 1.64, user: 1.50, sys: 0.12, mem: 409828 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/DebugWordEq.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/DebugWordEq.vo (real: 0.34, user: 0.24, sys: 0.10, mem: 325324 ko) COQC src/Rewriter/Util/Sum.v src/Rewriter/Util/Sum.vo (real: 0.53, user: 0.43, sys: 0.10, mem: 381692 ko) COQC src/Rewriter/Util/plugins/Ltac2Extra.v File "./src/Rewriter/Util/plugins/Ltac2Extra.v", line 9, characters 2-13: Warning: Trying to mask the absolute name "Ltac2.Constr"! [masking-absolute-name,deprecated] File "./src/Rewriter/Util/plugins/Ltac2Extra.v", line 10, characters 0-10: Warning: Trying to mask the absolute name "Ltac2.Constr"! [masking-absolute-name,deprecated] src/Rewriter/Util/plugins/Ltac2Extra.vo (real: 0.08, user: 0.03, sys: 0.04, mem: 77216 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Naive.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/Naive.vo (real: 0.55, user: 0.41, sys: 0.13, mem: 408168 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/SimplWordExpr.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/SimplWordExpr.vo (real: 0.39, user: 0.23, sys: 0.15, mem: 378508 ko) COQC src/Rewriter/Util/MSetPositive/Facts.v src/Rewriter/Util/MSetPositive/Facts.vo (real: 0.44, user: 0.30, sys: 0.14, mem: 371856 ko) CAMLOPT -shared -o src/Rewriter/Util/plugins/strategy_tactic_plugin.cmxs src/Rewriter/Util/plugins/strategy_tactic_plugin.cmxs (real: 0.04, user: 0.02, sys: 0.01, mem: 19144 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/LittleEndianList.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/LittleEndianList.vo (real: 1.24, user: 1.11, sys: 0.13, mem: 416120 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Properties.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Properties.vo (real: 3.12, user: 2.92, sys: 0.20, mem: 431560 ko) COQC 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListString.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListString.vo (real: 0.26, user: 0.19, sys: 0.07, mem: 244076 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Z_keyed_SortedListMap.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Z_keyed_SortedListMap.vo (real: 0.31, user: 0.20, sys: 0.10, mem: 285236 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListWord.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListWord.vo (real: 0.33, user: 0.23, sys: 0.10, mem: 326608 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ZList.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/ZList.vo (real: 0.52, user: 0.39, sys: 0.13, mem: 411200 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/BigEndian.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/BigEndian.vo (real: 0.86, user: 0.75, sys: 0.10, mem: 413208 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_map_hints.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd_map_hints.vo (real: 0.26, user: 0.14, sys: 0.10, mem: 246056 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/OperatorOverloading.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Datatypes/OperatorOverloading.vo (real: 0.64, user: 0.50, sys: 0.13, mem: 413264 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Solver.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/Solver.vo (real: 0.29, user: 0.19, sys: 0.10, mem: 271384 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListString_test.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SortedListString_test.vo (real: 0.28, user: 0.17, sys: 0.11, mem: 272432 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Tactics/fwd.vo (real: 0.28, user: 0.19, sys: 0.08, mem: 263084 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/MapKeys.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/MapKeys.vo (real: 0.44, user: 0.35, sys: 0.08, mem: 409312 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/LittleEndian.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/LittleEndian.vo (real: 0.88, user: 0.69, sys: 0.19, mem: 416144 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 11, characters 41-61: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 11, characters 41-61: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 15, characters 9-29: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 21, characters 47-67: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 25, characters 41-61: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 25, characters 41-61: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 29, characters 9-29: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 35, characters 47-67: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 39, characters 41-61: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 39, characters 41-61: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 43, characters 9-29: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 49, characters 47-67: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 53, characters 41-61: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 53, characters 41-61: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 57, characters 9-29: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 63, characters 47-67: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 82, characters 4-24: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 82, characters 43-63: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 83, characters 4-24: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 83, characters 43-63: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 84, characters 4-24: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 84, characters 43-63: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 85, characters 4-24: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.v", line 85, characters 43-63: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Word/ZifyLittleEndian.vo (real: 0.60, user: 0.52, sys: 0.07, mem: 414560 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfFunc.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfFunc.vo (real: 0.52, user: 0.40, sys: 0.11, mem: 412596 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/MapEauto.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/MapEauto.vo (real: 1.52, user: 1.33, sys: 0.17, mem: 410284 ko) CAMLOPT -a -o src/Rewriter/Util/plugins/rewriter_build_plugin.cmxa src/Rewriter/Util/plugins/rewriter_build_plugin.cmxa (real: 0.07, user: 0.03, sys: 0.03, mem: 53360 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfOptionListZ.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfOptionListZ.vo (real: 0.31, user: 0.22, sys: 0.09, mem: 279272 ko) COQC src/Rewriter/Util/Strings/Parse/Common.v src/Rewriter/Util/Strings/Parse/Common.vo (real: 0.29, user: 0.19, sys: 0.09, mem: 267584 ko) COQC src/Rewriter/Language/Pre.v src/Rewriter/Language/Pre.vo (real: 0.15, user: 0.09, sys: 0.06, mem: 115048 ko) COQC src/Rewriter/Util/Tactics2/Constr.v src/Rewriter/Util/Tactics2/Constr.vo (real: 0.08, user: 0.05, sys: 0.02, mem: 78024 ko) COQC src/Rewriter/Util/plugins/StrategyTactic.v src/Rewriter/Util/plugins/StrategyTactic.vo (real: 0.06, user: 0.05, sys: 0.01, mem: 66988 ko) CAMLOPT -shared -o src/Rewriter/Util/plugins/rewriter_build_plugin.cmxs src/Rewriter/Util/plugins/rewriter_build_plugin.cmxs (real: 0.08, user: 0.05, sys: 0.03, mem: 21388 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfListWord.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/OfListWord.vo (real: 0.72, user: 0.61, sys: 0.11, mem: 419160 ko) COQC 
src/Rewriter/Util/Strings/ParseArithmetic.v src/Rewriter/Util/Strings/ParseArithmetic.vo (real: 0.49, user: 0.35, sys: 0.12, mem: 411836 ko) COQC src/Rewriter/Util/Tactics2/DecomposeLambda.v src/Rewriter/Util/Tactics2/DecomposeLambda.vo (real: 0.09, user: 0.04, sys: 0.04, mem: 78168 ko) COQC src/Rewriter/Util/Tactics2/ReplaceByPattern.v src/Rewriter/Util/Tactics2/ReplaceByPattern.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 78216 ko) COQC src/Rewriter/Util/ListUtil.v src/Rewriter/Util/ListUtil.vo (real: 6.44, user: 6.24, sys: 0.19, mem: 456556 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SlowGoals.v Finished transaction in 3.494 secs (3.463u,0.028s) (successful) Finished transaction in 0.015 secs (0.015u,0.s) (successful) /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/SlowGoals.vo (real: 3.83, user: 3.73, sys: 0.10, mem: 412312 ko) COQC src/Rewriter/Language/PreLemmas.v src/Rewriter/Language/PreLemmas.vo (real: 0.32, user: 0.25, sys: 0.06, mem: 307676 ko) COQC src/Rewriter/Util/Bool/Reflect.v src/Rewriter/Util/Bool/Reflect.vo (real: 2.61, user: 2.48, sys: 0.12, mem: 423292 ko) COQC src/Rewriter/Language/Language.v src/Rewriter/Language/Language.vo (real: 1.05, user: 0.92, sys: 0.12, mem: 445056 ko) COQC src/Rewriter/Language/UnderLets.v src/Rewriter/Language/UnderLets.vo (real: 0.40, user: 0.25, sys: 0.15, mem: 389012 ko) COQC src/Rewriter/Language/UnderLetsCacheProofs.v src/Rewriter/Language/UnderLetsCacheProofs.vo (real: 0.33, user: 0.24, sys: 0.09, mem: 323572 ko) COQC src/Rewriter/Language/Reify.v File "./src/Rewriter/Language/Reify.v", line 66, characters 4-14: Warning: Trying to mask the absolute name "Ltac2.Ident"! [masking-absolute-name,deprecated] File "./src/Rewriter/Language/Reify.v", line 67, characters 2-12: Warning: Trying to mask the absolute name "Ltac2.Ident"! 
[masking-absolute-name,deprecated] File "./src/Rewriter/Language/Reify.v", line 309, characters 153-172: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 309, characters 98-117: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 309, characters 67-80: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 352, characters 132-151: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 352, characters 101-114: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 352, characters 58-77: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 389, characters 134-153: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 389, characters 103-116: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 389, characters 60-79: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 602, characters 42-55: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1038, characters 58-71: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1040, characters 202-221: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1040, characters 170-189: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1040, characters 102-121: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1040, characters 58-77: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1045, characters 58-71: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1047, characters 171-190: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1047, characters 103-122: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1047, characters 59-78: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1052, characters 58-71: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. 
Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1054, characters 197-216: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1054, characters 149-168: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1054, characters 81-100: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/Reify.v", line 1054, characters 37-56: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] src/Rewriter/Language/Reify.vo (real: 0.56, user: 0.41, sys: 0.15, mem: 433092 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/TestGoals.v Finished transaction in 0.025 secs (0.013u,0.011s) (successful) Finished transaction in 0.055 secs (0.027u,0.028s) (successful) Part 1a: Small goals (originally took <5s each) Finished transaction in 0.089 secs (0.079u,0.009s) (successful) Finished transaction in 0.1 secs (0.1u,0.s) (successful) Finished transaction in 0.797 secs (0.796u,0.s) (successful) Finished transaction in 1.403 secs (1.402u,0.s) (successful) Finished transaction in 1.091 secs (1.091u,0.s) (successful) Finished transaction in 0.755 secs (0.754u,0.s) (successful) Finished transaction in 0.803 secs (0.802u,0.s) (successful) Finished transaction in 0.673 secs (0.673u,0.s) (successful) Finished transaction in 0.091 secs (0.091u,0.s) (successful) Part 1b: Medium goals (originally took >5s each) Finished transaction in 0.577 secs (0.576u,0.s) (successful) Finished transaction in 1.425 secs (1.424u,0.s) (successful) Finished transaction in 1.21 secs (1.209u,0.s) (successful) 
Finished transaction in 0.809 secs (0.799u,0.009s) (successful) Finished transaction in 0.806 secs (0.805u,0.s) (successful) Finished transaction in 1.379 secs (1.378u,0.s) (successful) Finished transaction in 1.372 secs (1.371u,0.s) (successful) Part 1c: Large goals (originally took >50s each) Finished transaction in 1.919 secs (1.917u,0.s) (successful) /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil/Map/TestGoals.vo (real: 15.81, user: 15.62, sys: 0.16, mem: 422036 ko) make --no-print-directory -C rupicola/bedrock2 bedrock2_ex make -C /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil Generating Makefile.coq.all make -f Makefile.coq.all make[4]: Nothing to be done for 'real-all'. make -C /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2 noex printf -- '-Q src/bedrock2 bedrock2\n-Q src/bedrock2Examples bedrock2Examples\n-Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil\n' > _CoqProject Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. 
Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil rm -f .coqdeps.d make -f Makefile.coq.noex COQDEP VFILES COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Notations.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Notations.vo (real: 0.05, user: 0.02, sys: 0.03, mem: 62732 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Lift1Prop.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Lift1Prop.vo (real: 0.10, user: 0.05, sys: 0.04, mem: 117632 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Syntax.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Syntax.vo (real: 0.22, user: 0.15, sys: 0.07, mem: 213132 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/MetricLogging.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/MetricLogging.v", line 60, characters 0-40: Warning: Declaring a scope implicitly is deprecated; use in advance an explicit "Declare Scope MetricH_scope.". 
[undeclared-scope,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/MetricLogging.vo (real: 0.27, user: 0.19, sys: 0.07, mem: 246756 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/groundcbv.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/groundcbv.vo (real: 0.29, user: 0.19, sys: 0.10, mem: 271424 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/TacticError.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/TacticError.vo (real: 0.21, user: 0.12, sys: 0.09, mem: 210060 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Structs.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Structs.vo (real: 0.24, user: 0.17, sys: 0.06, mem: 234400 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Hexdump.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Hexdump.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 81156 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Stringdump.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Stringdump.vo (real: 0.21, user: 0.15, sys: 0.06, mem: 198920 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ListPushPullIf.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ListPushPullIf.vo (real: 0.12, user: 0.10, sys: 0.02, mem: 114816 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/DisjointUnion.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/DisjointUnion.vo (real: 0.73, user: 0.57, sys: 0.16, mem: 417464 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ZnWords.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ZnWords.vo (real: 0.37, user: 0.20, sys: 0.16, mem: 338804 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ident_to_string.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ident_to_string.vo (real: 0.21, user: 0.10, sys: 0.10, mem: 200688 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Markers.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Markers.v", line 19, characters 2-71: Warning: Declaring a scope implicitly is deprecated; use in advance an explicit "Declare Scope hide_markers.". [undeclared-scope,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Markers.vo (real: 0.06, user: 0.02, sys: 0.02, mem: 64040 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Variables.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Variables.vo (real: 0.20, user: 0.14, sys: 0.06, mem: 189976 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/find_hyp.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/find_hyp.vo (real: 0.20, user: 0.12, sys: 0.07, mem: 243808 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/PrintListByte.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/PrintListByte.vo (real: 0.20, user: 0.12, sys: 0.08, mem: 195256 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.v", line 83, characters 0-206: Warning: This notation contains Ltac expressions: it will not be used for printing. [non-reversible-notation,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.v", line 131, characters 0-148: Warning: This notation contains Ltac expressions: it will not be used for printing. 
[non-reversible-notation,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.v", line 148, characters 16-83: Warning: The format modifier is irrelevant for only-parsing rules. [irrelevant-format-only-parsing,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.v", line 151, characters 16-87: Warning: The format modifier is irrelevant for only-parsing rules. [irrelevant-format-only-parsing,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.v", line 154, characters 16-83: Warning: The format modifier is irrelevant for only-parsing rules. [irrelevant-format-only-parsing,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.v", line 157, characters 16-87: Warning: The format modifier is irrelevant for only-parsing rules. [irrelevant-format-only-parsing,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/NotationsCustomEntry.vo (real: 0.33, user: 0.23, sys: 0.10, mem: 328144 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/sep_inj_experiments.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/sep_inj_experiments.v", line 104, characters 2-36: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] HP: P1 h HSp3: forall h1' : map, map.split h0 h1' h -> R h1' -> h1' = h1 /\ h = h2 /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/sep_inj_experiments.vo (real: 0.60, user: 0.44, sys: 0.15, mem: 417172 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/StringdumpDemo.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/StringdumpDemo.vo (real: 0.95, user: 0.89, sys: 0.04, mem: 383112 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ReversedListNotations.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ReversedListNotations.vo (real: 0.11, user: 0.05, sys: 0.06, mem: 102212 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/div10.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/div10.vo (real: 0.30, user: 0.19, sys: 0.10, mem: 291600 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/PrintString.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/PrintString.vo (real: 0.20, user: 0.13, sys: 0.06, mem: 190756 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/Separation.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/Separation.vo (real: 0.26, user: 0.19, sys: 0.06, mem: 247164 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/WordSimpl.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/WordSimpl.vo (real: 0.28, user: 0.19, sys: 0.09, mem: 249384 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Memory.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Memory.vo (real: 0.57, user: 0.43, sys: 0.14, mem: 419960 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ZnWordsTests.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ZnWordsTests.vo (real: 1.68, user: 1.57, sys: 0.09, mem: 424384 ko) COQC 
/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/PurifySep.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/PurifySep.vo (real: 0.33, user: 0.24, sys: 0.07, mem: 309744 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/TracePredicate.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/TracePredicate.vo (real: 0.25, user: 0.13, sys: 0.11, mem: 273344 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ToCString.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ToCString.vo (real: 0.64, user: 0.56, sys: 0.08, mem: 409388 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/AbsintWordToZ.v H11 H13 H13 /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/AbsintWordToZ.vo (real: 2.14, user: 2.05, sys: 0.08, mem: 413412 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/split_alt.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/split_alt.vo (real: 0.32, user: 0.20, sys: 0.12, mem: 313064 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ListIndexNotations.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ListIndexNotations.vo (real: 0.93, user: 0.82, sys: 0.10, mem: 421440 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ToCStringExprTypecheckingTest.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ToCStringExprTypecheckingTest.vo (real: 0.37, user: 0.23, sys: 0.14, mem: 284624 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ToCStringStackallocLoopTest.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ToCStringStackallocLoopTest.vo (real: 0.37, user: 0.29, sys: 0.07, mem: 289052 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/SeparationLogic.v File 
"/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/SeparationLogic.v", line 212, characters 27-64: Warning: Notation "_ ++ _" was already used in scope list_scope. [notation-overridden,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/SeparationLogic.vo (real: 1.39, user: 1.23, sys: 0.14, mem: 411700 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepClause.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepClause.vo (real: 0.32, user: 0.21, sys: 0.11, mem: 297080 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Semantics.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Semantics.vo (real: 1.70, user: 1.54, sys: 0.14, mem: 428896 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/footpr.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/footpr.vo (real: 0.41, user: 0.25, sys: 0.15, mem: 389508 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Array.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Array.vo (real: 0.76, user: 0.59, sys: 0.16, mem: 420172 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepBulletPoints.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepBulletPoints.vo (real: 0.30, user: 0.24, sys: 0.06, mem: 284120 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ZWordMem.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ZWordMem.vo (real: 1.21, user: 1.02, sys: 0.19, mem: 424556 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/Cancelling.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Map/Cancelling.vo (real: 0.49, user: 0.32, sys: 0.17, mem: 418280 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/HeapletwiseHypsWithSigma.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/HeapletwiseHypsWithSigma.vo (real: 0.31, user: 0.15, sys: 0.15, mem: 277488 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/BasicC32Semantics.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/BasicC32Semantics.vo (real: 0.42, user: 0.32, sys: 0.10, mem: 347604 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/BasicC64Semantics.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/BasicC64Semantics.vo (real: 0.42, user: 0.28, sys: 0.14, mem: 349212 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/WeakestPrecondition.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/WeakestPrecondition.vo (real: 0.39, user: 0.27, sys: 0.12, mem: 349144 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ptsto_bytes.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ptsto_bytes.v", line 19, characters 2-38: Warning: Notation "_ * _" was already used in scope type_scope. [notation-overridden,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ptsto_bytes.vo (real: 0.94, user: 0.83, sys: 0.09, mem: 420624 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/FE310CSemantics.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/FE310CSemantics.vo (real: 0.64, user: 0.49, sys: 0.13, mem: 422104 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/HeapletwiseHyps.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/HeapletwiseHyps.vo (real: 2.34, user: 2.19, sys: 0.14, mem: 428520 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Scalars.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Scalars.v", line 242, characters 2-38: Warning: Notation "_ * _" was already used in scope type_scope. 
[notation-overridden,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Scalars.vo (real: 1.48, user: 1.31, sys: 0.16, mem: 427116 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/FrameRule.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/FrameRule.vo (real: 1.56, user: 1.42, sys: 0.13, mem: 424680 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/WeakestPreconditionProperties.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/WeakestPreconditionProperties.vo (real: 1.94, user: 1.77, sys: 0.17, mem: 423704 ko) COQC src/Rewriter/Language/Inversion.v src/Rewriter/Language/Inversion.vo (real: 18.45, user: 18.25, sys: 0.16, mem: 575408 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/TransferSepsOrder.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/TransferSepsOrder.vo (real: 0.51, user: 0.37, sys: 0.13, mem: 425116 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepCalls.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepCalls.vo (real: 0.58, user: 0.43, sys: 0.15, mem: 428556 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/OperatorOverloading.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/OperatorOverloading.vo (real: 0.53, user: 0.37, sys: 0.15, mem: 426492 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepLogAddrArith.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepLogAddrArith.vo (real: 0.39, user: 0.23, sys: 0.16, mem: 333028 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepAuto.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepAuto.vo (real: 0.46, user: 0.33, sys: 0.13, mem: 369860 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ArrayCasts.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ArrayCasts.vo (real: 0.99, user: 0.87, sys: 0.12, mem: 426356 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepCallsExports.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepCallsExports.vo (real: 0.44, user: 0.31, sys: 0.13, mem: 338772 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepAutoExports.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepAutoExports.vo (real: 0.50, user: 0.40, sys: 0.10, mem: 399836 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v", line 26, characters 2-67: Warning: Notation "_ /\ _" was already used in scope type_scope. [notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v", line 81, characters 2-14: Warning: Notation "_ * _" was already used in scope type_scope. [notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v", line 81, characters 2-14: Warning: Notation "{ _ & _ }" was already used in scope type_scope. [notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v", line 81, characters 2-14: Warning: Notation "{ ' _ & _ }" was already used in scope type_scope. [notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v", line 81, characters 2-14: Warning: Notation "{ _ : _ & _ }" was already used in scope type_scope. [notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v", line 81, characters 2-14: Warning: Notation "{ ' _ : _ & _ }" was already used in scope type_scope. 
[notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v", line 81, characters 2-14: Warning: Notation "( _ , _ , .. , _ )" was already used in scope core_scope. [notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.v", line 443, characters 2-49: Warning: Notation "_ * _" was already used in scope type_scope. [notation-overridden,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/Loops.vo (real: 1.76, user: 1.59, sys: 0.15, mem: 433876 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ProgramLogic.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/ProgramLogic.vo (real: 0.46, user: 0.31, sys: 0.14, mem: 343408 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepAutoArray.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/SepAutoArray.vo (real: 2.59, user: 2.43, sys: 0.16, mem: 442484 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/autorew.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2/autorew.vo (real: 0.46, user: 0.30, sys: 0.15, mem: 354540 ko) make -C /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2 Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil rm -f .coqdeps.d make -f Makefile.coq.noex Generating Makefile.coq.ex Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil make[4]: Nothing to be done for 'real-all'. 
rm -f .coqdeps.d make -f Makefile.coq.ex COQDEP VFILES COQFLAGS="-Q src/bedrock2 bedrock2 -Q src/bedrock2Examples bedrock2Examples -Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil " ../etc/bytedump.py bedrock2.PrintListByte.allBytes > special/BytedumpTest.out.tmp hexdump < /dev/null && \ hexdump -C special/BytedumpTest.golden.bin > special/BytedumpTest.golden.hex && \ hexdump -C special/BytedumpTest.out.tmp > special/BytedumpTest.out.hex && \ diff -u special/BytedumpTest.golden.hex special/BytedumpTest.out.hex && \ rm special/BytedumpTest.golden.hex special/BytedumpTest.out.hex || true diff -u special/BytedumpTest.golden.bin special/BytedumpTest.out.tmp mv special/BytedumpTest.out.tmp special/BytedumpTest.out COQC src/Rewriter/Language/IdentifiersBasicLibrary.v src/Rewriter/Language/IdentifiersBasicLibrary.vo (real: 4.39, user: 4.18, sys: 0.19, mem: 469344 ko) COQFLAGS="-Q src/bedrock2 bedrock2 -Q src/bedrock2Examples bedrock2Examples -Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil " ../etc/bytedump.py bedrock2.ToCStringExprTypecheckingTest.test > special/TypecheckExprToCString.c cc -fsyntax-only special/TypecheckExprToCString.c COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb_spec.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb_spec.vo (real: 0.36, user: 0.23, sys: 0.12, mem: 340288 ko) COQFLAGS="-Q src/bedrock2 bedrock2 -Q src/bedrock2Examples bedrock2Examples -Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil " ../etc/bytedump.py bedrock2.ToCStringStackallocLoopTest.main_cbytes > special/stackloop.c COQC src/Rewriter/Language/IdentifiersBasicGenerate.v File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 39, characters 2-25: Warning: Trying to mask the absolute name "Ltac2.Ident"! 
[masking-absolute-name,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 537, characters 220-239: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 537, characters 156-175: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 537, characters 108-127: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 537, characters 74-93: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 544, characters 40-59: Warning: Tactic reify_base_via_list is deprecated since 8.15. Use Ltac2 reify_base_via_list instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 544, characters 8-28: Warning: Tactic Compilers.base.reify is deprecated since 8.15. Use Ltac2 base.reify instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 549, characters 35-59: Warning: Tactic reify_base_type_via_list is deprecated since 8.15. Use Ltac2 reify_base_type_via_list instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 549, characters 8-28: Warning: Tactic Compilers.type.reify is deprecated since 8.15. Use Ltac2 type.reify instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 554, characters 48-67: Warning: Tactic reify_base_via_list is deprecated since 8.15. Use Ltac2 reify_base_via_list instead. 
[deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 554, characters 8-36: Warning: Tactic Compilers.pattern.base.reify is deprecated since 8.15. Use Ltac2 pattern.base.reify instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 559, characters 35-67: Warning: Tactic reify_pattern_base_type_via_list is deprecated since 8.15. Use Ltac2 reify_pattern_base_type_via_list instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 559, characters 8-28: Warning: Tactic Compilers.type.reify is deprecated since 8.15. Use Ltac2 type.reify instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 596, characters 36-63: Warning: Tactic reify_pattern_type_via_list is deprecated since 8.15. Use Ltac2 reify_pattern_type_via_list instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 595, characters 37-56: Warning: Tactic reify_type_via_list is deprecated since 8.15. Use Ltac2 reify_type_via_list instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1306, characters 324-343: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1306, characters 271-290: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1306, characters 205-224: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1306, characters 141-160: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. 
Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1306, characters 93-112: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1306, characters 59-78: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1319, characters 66-85: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1356, characters 127-146: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1356, characters 83-102: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1361, characters 132-151: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1361, characters 88-107: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1366, characters 127-146: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1366, characters 83-102: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. 
Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1371, characters 115-134: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1371, characters 68-87: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1404, characters 69-88: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1409, characters 64-83: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1688, characters 40-72: Warning: Tactic Tactics.reify_package_of_package is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1690, characters 43-79: Warning: Tactic Tactics.reify_base_via_reify_package is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1692, characters 48-89: Warning: Tactic Tactics.reify_base_type_via_reify_package is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1694, characters 43-79: Warning: Tactic Tactics.reify_type_via_reify_package is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1696, characters 44-81: Warning: Tactic Tactics.reify_ident_via_reify_package is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1698, characters 55-103: Warning: Tactic Tactics.base_type_reified_hint_via_reify_package is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1700, characters 50-93: Warning: Tactic Tactics.expr_reified_hint_via_reify_package is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Language/IdentifiersBasicGenerate.v", line 1750, characters 27-47: Warning: Tactic reify_ident_via_list is deprecated since 8.15. Use Ltac2 reify_ident_via_list_opt instead. [deprecated-tactic,deprecated] src/Rewriter/Language/IdentifiersBasicGenerate.vo (real: 0.60, user: 0.45, sys: 0.14, mem: 441532 ko) COQC src/Rewriter/Language/IdentifiersLibrary.v src/Rewriter/Language/IdentifiersLibrary.vo (real: 1.45, user: 1.26, sys: 0.18, mem: 467076 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/stackalloc.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/stackalloc.v", line 37, characters 2-59: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/stackalloc.v", line 108, characters 2-55: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/stackalloc.vo (real: 2.21, user: 2.06, sys: 0.14, mem: 431904 ko) cc -O0 special/stackloop.c -o special/stackloop special/stackloop COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponder_live.v dummy_len (foo_packet f) : Z 0 6 12 14 5 13 [?e1; a; b; ?e1; c; d; ?e2] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponder_live.vo (real: 2.11, user: 1.97, sys: 0.13, mem: 438116 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/string_to_ident.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/string_to_ident.vo (real: 0.20, user: 0.16, sys: 0.04, mem: 199788 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/chacha20.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/chacha20.v", line 9, characters 2-161: Warning: This notation contains Ltac expressions: it will not be used for printing. [non-reversible-notation,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/chacha20.v", line 10, characters 2-172: Warning: This notation contains Ltac expressions: it will not be used for printing. [non-reversible-notation,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/chacha20.v", line 11, characters 2-172: Warning: This notation contains Ltac expressions: it will not be used for printing. [non-reversible-notation,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/chacha20.v", line 20, characters 2-240: Warning: This notation contains Ltac expressions: it will not be used for printing. 
[non-reversible-notation,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/chacha20.vo (real: 0.52, user: 0.34, sys: 0.17, mem: 426044 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponder.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponder.vo (real: 0.56, user: 0.42, sys: 0.14, mem: 428796 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.v", line 208, characters 6-110: Warning: Notation "_ + _" was already defined with a different format. [notation-incompatible-format,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.v", line 214, characters 6-65: Warning: Notation "_ * _" was already used in scope type_scope. [notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.v", line 416, characters 2-435: Warning: Casts are ignored in patterns [cast-in-pattern,automation] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.v", line 493, characters 4-24: Warning: Cannot remove bs0. [cannot-remove-as-expected,tactics] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.v", line 531, characters 4-30: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.v", line 531, characters 4-30: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] Finished transaction in 0.442 secs (0.442u,0.s) (successful) /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FlatConstMem.vo (real: 6.18, user: 6.03, sys: 0.13, mem: 451592 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ArrayLoadStore.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ArrayLoadStore.v", line 31, characters 4-40: Warning: Notation "_ * _" was already used in scope type_scope. [notation-overridden,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ArrayLoadStore.vo (real: 1.10, user: 0.97, sys: 0.11, mem: 433816 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/Demos.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/Demos.vo (real: 0.51, user: 0.42, sys: 0.09, mem: 414144 ko) COQC src/Rewriter/Language/IdentifiersLibraryProofs.v Finished transaction in 0.99 secs (0.988u,0.s) (successful) Finished transaction in 0.723 secs (0.722u,0.s) (successful) Finished transaction in 0.091 secs (0.091u,0.s) (successful) Finished transaction in 0.823 secs (0.821u,0.s) (successful) src/Rewriter/Language/IdentifiersLibraryProofs.vo (real: 9.43, user: 9.24, sys: 0.15, mem: 505220 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/SPI.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/SPI.vo (real: 9.45, user: 9.28, sys: 0.15, mem: 484352 ko) COQC src/Rewriter/Rewriter/Rewriter.v src/Rewriter/Rewriter/Rewriter.vo (real: 1.20, user: 1.05, sys: 0.15, mem: 465832 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memequal.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memequal.v", line 46, characters 2-64: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memequal.vo (real: 4.28, user: 4.14, sys: 0.12, mem: 457676 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/Trace.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/Trace.v", line 220, characters 4-26: Warning: Trying to mask the absolute name "word"! [masking-absolute-name,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/Trace.vo (real: 0.74, user: 0.58, sys: 0.16, mem: 425744 ko) COQC src/Rewriter/Language/IdentifiersGenerate.v src/Rewriter/Language/IdentifiersGenerate.vo (real: 0.73, user: 0.58, sys: 0.14, mem: 457264 ko) COQC src/Rewriter/Rewriter/Reify.v File "./src/Rewriter/Rewriter/Reify.v", line 45, characters 2-34: Warning: Trying to mask the absolute name "Ltac2.Ident"! [masking-absolute-name,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 48, characters 2-44: Warning: Trying to mask the absolute name "Ltac2.Ident"! [masking-absolute-name,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 960, characters 39-58: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 961, characters 55-68: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 962, characters 46-65: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 963, characters 50-69: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 964, characters 62-81: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 965, characters 40-59: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 967, characters 41-60: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 968, characters 51-70: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 969, characters 68-87: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 970, characters 56-75: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 971, characters 66-85: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 972, characters 53-72: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 973, characters 38-57: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 974, characters 47-66: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 975, characters 50-69: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 976, characters 38-57: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 994, characters 39-58: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 995, characters 55-68: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 996, characters 46-65: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 997, characters 50-69: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 998, characters 62-81: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 999, characters 40-59: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1001, characters 41-60: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1002, characters 51-70: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1003, characters 68-87: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1004, characters 56-75: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1005, characters 66-85: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1006, characters 53-72: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1007, characters 47-66: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1008, characters 50-69: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1009, characters 38-57: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1036, characters 39-58: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1037, characters 55-68: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1038, characters 46-65: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. 
Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1039, characters 50-69: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1040, characters 62-81: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1041, characters 40-59: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1043, characters 41-60: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1044, characters 51-70: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1045, characters 68-87: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1046, characters 56-75: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1047, characters 66-85: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1048, characters 53-72: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1049, characters 38-57: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1050, characters 47-66: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1051, characters 39-58: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1068, characters 39-58: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1069, characters 55-68: Warning: Ltac2 definition Ltac1.apply_c is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1070, characters 46-65: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1071, characters 50-69: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1072, characters 62-81: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1073, characters 40-59: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1075, characters 41-60: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. 
Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1076, characters 51-70: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1077, characters 68-87: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1078, characters 56-75: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1079, characters 66-85: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1080, characters 53-72: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1081, characters 47-66: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1082, characters 39-58: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1468, characters 353-372: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1468, characters 299-318: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1468, characters 239-258: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1468, characters 207-226: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1468, characters 155-174: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1468, characters 113-132: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] File "./src/Rewriter/Rewriter/Reify.v", line 1468, characters 61-80: Warning: Ltac2 definition Ltac1.get_to_constr is deprecated since 8.15. Use Ltac2 instead. [deprecated-ltac2-definition,deprecated] src/Rewriter/Rewriter/Reify.vo (real: 1.15, user: 1.02, sys: 0.12, mem: 475984 ko) COQC src/Rewriter/Language/IdentifiersGenerateProofs.v src/Rewriter/Language/IdentifiersGenerateProofs.vo (real: 0.70, user: 0.57, sys: 0.12, mem: 457932 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/SepAutoArrayTests.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/SepAutoArrayTests.v", line 8, characters 0-82: Warning: Notation "_ * _" was already used in scope type_scope. 
[notation-overridden,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/SepAutoArrayTests.vo (real: 13.57, user: 13.38, sys: 0.17, mem: 479352 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memswap.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memswap.v", line 49, characters 2-64: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memswap.vo (real: 3.68, user: 3.44, sys: 0.23, mem: 450780 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/indirect_add_heapletwise.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/indirect_add_heapletwise.vo (real: 5.81, user: 5.63, sys: 0.16, mem: 446872 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponderProofs.v H /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ARPResponderProofs.vo (real: 1.52, user: 1.40, sys: 0.10, mem: 439208 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ipow.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/ipow.vo (real: 2.94, user: 2.81, sys: 0.13, mem: 437188 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memconst.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memconst.v", line 41, characters 2-64: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memconst.vo (real: 2.18, user: 2.03, sys: 0.13, mem: 440536 ko) COQC src/Rewriter/Language/Wf.v Finished transaction in 4.123 secs (4.098u,0.02s) (successful) Finished transaction in 2.954 secs (2.922u,0.029s) (successful) src/Rewriter/Language/Wf.vo (real: 28.61, user: 28.40, sys: 0.17, mem: 680816 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/SPI_live.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/SPI_live.vo (real: 3.10, user: 2.91, sys: 0.18, mem: 461000 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/indirect_add.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/indirect_add.vo (real: 8.37, user: 8.17, sys: 0.17, mem: 451996 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/swap.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/swap.v", line 56, characters 2-37: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/swap.vo (real: 1.33, user: 1.19, sys: 0.14, mem: 431548 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/bsearch.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/bsearch.vo (real: 7.31, user: 7.14, sys: 0.16, mem: 480144 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/uint128_32.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/uint128_32.vo (real: 8.19, user: 7.99, sys: 0.17, mem: 486472 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/MultipleReturnValues.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/MultipleReturnValues.vo (real: 0.25, user: 0.14, sys: 0.10, mem: 214252 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/rpmul.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/rpmul.vo (real: 2.56, user: 2.40, sys: 0.15, mem: 435224 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/stackalloc_empty_post.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/stackalloc_empty_post.vo (real: 0.47, user: 0.34, sys: 0.12, mem: 348012 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FE310CompilerDemo.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/FE310CompilerDemo.vo (real: 8.46, user: 8.26, sys: 0.17, mem: 533352 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics.vo (real: 1.44, user: 1.28, sys: 0.15, mem: 452580 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics_ARP_shallow.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics_ARP_shallow.vo (real: 1.69, user: 1.52, sys: 0.17, mem: 438912 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics_deep_records_orderchanging_dexpr_bool3.v /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/ZSemantics_deep_records_orderchanging_dexpr_bool3.vo (real: 2.05, user: 1.86, sys: 0.18, mem: 454364 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memmove.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memmove.v", line 60, characters 2-64: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memmove.v", line 376, characters 2-41: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memmove.v", line 377, characters 2-101: Warning: Notation "_ $@ _" was already used. [notation-overridden,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/memmove.vo (real: 21.13, user: 20.87, sys: 0.23, mem: 690696 ko) COQC src/Rewriter/Language/UnderLetsProofs.v src/Rewriter/Language/UnderLetsProofs.vo (real: 63.06, user: 62.78, sys: 0.23, mem: 728256 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/swap.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/swap.v", line 28, characters 0-44: Warning: Notation "_ * _" was already used in scope type_scope. 
[notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/swap.v", line 1707, characters 2-42: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/swap.v", line 1708, characters 2-46: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/swap.v", line 1751, characters 0-47: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] test : forall a b : word, foo a b = foo b a test is not universe polymorphic Arguments test a b test is opaque Expands to: Constant bedrock2Examples.LiveVerif.swap.LiveVerif.test test : forall {word : word 32}, word.ok word -> forall a b : word, foo a b = foo b a test is not universe polymorphic Arguments test {word word_ok} a b test is opaque Expands to: Constant bedrock2Examples.LiveVerif.swap.test /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LiveVerif/swap.vo (real: 49.68, user: 49.20, sys: 0.36, mem: 999708 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/insertionsort.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/insertionsort.v", line 218, characters 26-62: Warning: Notation "_ * _" was already used in scope type_scope. 
[notation-overridden,parsing] Finished transaction in 3.456 secs (3.453u,0.s) (successful) /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/insertionsort.vo (real: 82.06, user: 81.78, sys: 0.21, mem: 599592 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LAN9250.v Finished transaction in 0.051 secs (0.051u,0.s) (successful) File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LAN9250.v", line 769, characters 2-34: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/LAN9250.vo (real: 71.78, user: 71.40, sys: 0.26, mem: 807828 ko) COQC src/Rewriter/Rewriter/ProofsCommon.v src/Rewriter/Rewriter/ProofsCommon.vo (real: 49.95, user: 49.65, sys: 0.25, mem: 796280 ko) COQC src/Rewriter/Rewriter/ProofsCommonTactics.v src/Rewriter/Rewriter/ProofsCommonTactics.vo (real: 0.75, user: 0.59, sys: 0.15, mem: 471624 ko) COQC src/Rewriter/Rewriter/InterpProofs.v src/Rewriter/Rewriter/InterpProofs.vo (real: 53.88, user: 53.54, sys: 0.28, mem: 897764 ko) COQC src/Rewriter/Rewriter/Wf.v Finished transaction in 20.059 secs (20.045u,0.s) (successful) src/Rewriter/Rewriter/Wf.vo (real: 132.15, user: 131.63, sys: 0.42, mem: 1144924 ko) COQC src/Rewriter/Rewriter/AllTactics.v File "./src/Rewriter/Rewriter/AllTactics.v", line 27, characters 2-44: Warning: Trying to mask the absolute name "Ltac2.Ident"! [masking-absolute-name,deprecated] File "./src/Rewriter/Rewriter/AllTactics.v", line 148, characters 27-64: Warning: Tactic Basic.Tactic.reify_package_of_package is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Rewriter/Rewriter/AllTactics.v", line 286, characters 40-88: Warning: Tactic Basic.Tactic.expr_reified_hint_via_reify_package is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-tactic,deprecated] File "./src/Rewriter/Rewriter/AllTactics.v", line 351, characters 44-85: Warning: Tactic Basic.Tactic.reify_type_via_reify_package is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] src/Rewriter/Rewriter/AllTactics.vo (real: 0.99, user: 0.84, sys: 0.14, mem: 489300 ko) COQC src/Rewriter/Util/plugins/RewriterBuildRegistryImports.v File "./src/Rewriter/Util/plugins/RewriterBuildRegistryImports.v", line 7, characters 0-42: Warning: Trying to mask the absolute name "Ltac2.Ident"! [masking-absolute-name,deprecated] src/Rewriter/Util/plugins/RewriterBuildRegistryImports.vo (real: 0.71, user: 0.58, sys: 0.12, mem: 479420 ko) COQC src/Rewriter/Util/plugins/RewriterBuildRegistry.v File "./src/Rewriter/Util/plugins/RewriterBuildRegistry.v", line 1, characters 0-66: Warning: Trying to mask the absolute name "Ltac2.Ident"! [masking-absolute-name,deprecated] src/Rewriter/Util/plugins/RewriterBuildRegistry.vo (real: 0.68, user: 0.49, sys: 0.18, mem: 480468 ko) COQC src/Rewriter/Util/plugins/RewriterBuild.v File "./src/Rewriter/Util/plugins/RewriterBuild.v", line 1, characters 0-59: Warning: Trying to mask the absolute name "Ltac2.Ident"! [masking-absolute-name,deprecated] src/Rewriter/Util/plugins/RewriterBuild.vo (real: 0.70, user: 0.57, sys: 0.13, mem: 480856 ko) COQC src/Rewriter/Rewriter/Examples/PerfTesting/Settings.v src/Rewriter/Rewriter/Examples/PerfTesting/Settings.vo (real: 0.71, user: 0.57, sys: 0.14, mem: 482732 ko) COQC src/Rewriter/Demo.v OrdersEx.Nat_as_OT.add_0_r: forall n : nat, n + 0 = n OrdersEx.Nat_as_DT.add_0_r: forall n : nat, n + 0 = n Nat.add_0_r: forall n : nat, n + 0 = n NPeano.Nat.add_0_r: forall n : nat, n + 0 = n Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... 
Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... 
Tactic call ran for 0.273 secs (0.273u,0.s) (success) Proving invert_bind_args_raw_to_typed... Tactic call ran for 0.167 secs (0.157u,0.009s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.015 secs (0.015u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.01 secs (0.01u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.597 secs (0.586u,0.009s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.095 secs (1.094u,0.s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.017 secs (0.017u,0.s) (success) Tactic call ran for 0.003 secs (0.003u,0.s) (success) Tactic call ran for 0.02 secs (0.02u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.007 secs (0.007u,0.s) (success) Tactic call ran for 0.072 secs (0.072u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.113 secs (0.113u,0.s) (success) Tactic call ran for 0.001 secs (0.001u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Demo.vo (real: 12.63, user: 12.36, sys: 0.25, mem: 637692 ko) COQC src/Rewriter/Rewriter/Examples/PrefixSums.v Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... 
Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... Tactic call ran for 0.329 secs (0.329u,0.s) (success) Proving invert_bind_args_raw_to_typed... 
Tactic call ran for 0.207 secs (0.207u,0.s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.02 secs (0.02u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.011 secs (0.011u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.669 secs (0.668u,0.s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.245 secs (1.245u,0.s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.194 secs (0.194u,0.s) (success) Tactic call ran for 0.784 secs (0.754u,0.029s) (success) Tactic call ran for 0.114 secs (0.114u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.174 secs (0.174u,0.s) (success) Tactic call ran for 1.46 secs (1.459u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 1.619 secs (1.619u,0.s) (success) Tactic call ran for 1.159 secs (1.158u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Rewriter/Examples/PrefixSums.vo (real: 31.18, user: 30.93, sys: 0.22, mem: 925064 ko) COQC src/Rewriter/Rewriter/Examples/PerfTesting/Plus0Tree.v Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... 
Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... Tactic call ran for 0.27 secs (0.259u,0.009s) (success) Proving invert_bind_args_raw_to_typed... Tactic call ran for 0.182 secs (0.182u,0.s) (success) Proving fold_invert_bind_args... 
Tactic call ran for 0.012 secs (0.012u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.01 secs (0.01u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.622 secs (0.622u,0.s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.122 secs (1.121u,0.s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.053 secs (0.053u,0.s) (success) Tactic call ran for 0.028 secs (0.028u,0.s) (success) Tactic call ran for 0.043 secs (0.043u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.021 secs (0.021u,0.s) (success) Tactic call ran for 0.326 secs (0.326u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.29 secs (0.29u,0.s) (success) Tactic call ran for 0.141 secs (0.141u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... Finished transaction in 13.466 secs (13.388u,0.069s) (successful) File "./src/Rewriter/Rewriter/Examples/PerfTesting/Plus0Tree.v", line 187, characters 0-621: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. 
[deprecated-ident-entry,deprecated] native_compute: Conversion to native code done in 0.04428 native_compute: Compilation done in 4.91491 Profiling to file ./native_compute_profile_d3ffc0.data native_compute: Evaluation done in 0.00531 native_compute: Reification done in 1.21602 Finished transaction in 7.329 secs (2.504u,0.02s) (successful) native_compute: Conversion to native code done in 0.09309 native_compute: Compilation done in 0.21548 Profiling to file ./native_compute_profile_733025.data native_compute: Evaluation done in 0.00026 native_compute: Reification done in 0.57406 Finished transaction in 2.489 secs (2.249u,0.02s) (successful) src/Rewriter/Rewriter/Examples/PerfTesting/Plus0Tree.vo (real: 24.88, user: 24.35, sys: 0.50, mem: 882748 ko) COQC src/Rewriter/Rewriter/Examples/PerfTesting/UnderLetsPlus0.v Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... 
Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... Tactic call ran for 0.275 secs (0.254u,0.019s) (success) Proving invert_bind_args_raw_to_typed... Tactic call ran for 0.178 secs (0.177u,0.s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.012 secs (0.012u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.01 secs (0.01u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.615 secs (0.614u,0.s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.119 secs (1.107u,0.009s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... 
Tactic call ran for 0.053 secs (0.053u,0.s) (success) Tactic call ran for 0.027 secs (0.027u,0.s) (success) Tactic call ran for 0.043 secs (0.043u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.022 secs (0.021u,0.s) (success) Tactic call ran for 0.329 secs (0.319u,0.009s) (success) Proving Rewriter_Interp... Tactic call ran for 0.297 secs (0.297u,0.s) (success) Tactic call ran for 0.144 secs (0.143u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... Finished transaction in 13.437 secs (13.324u,0.089s) (successful) File "./src/Rewriter/Rewriter/Examples/PerfTesting/UnderLetsPlus0.v", line 54, characters 0-440: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. [deprecated-ident-entry,deprecated] native_compute: Conversion to native code done in 0.00546 native_compute: Compilation done in 0.86203 Profiling to file ./native_compute_profile_1f01e2.data native_compute: Evaluation done in 0.00077 native_compute: Reification done in 0.42771 Finished transaction in 1.497 secs (0.65u,0.s) (successful) native_compute: Conversion to native code done in 0.02596 native_compute: Compilation done in 0.15717 Profiling to file ./native_compute_profile_900aa3.data native_compute: Evaluation done in 0.00032 native_compute: Reification done in 0.25181 Finished transaction in 0.834 secs (0.642u,0.029s) (successful) src/Rewriter/Rewriter/Examples/PerfTesting/UnderLetsPlus0.vo (real: 17.04, user: 16.57, sys: 0.43, mem: 735396 ko) COQC src/Rewriter/Rewriter/Examples/PerfTesting/LiftLetsMap.v Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... 
Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... 
Tactic call ran for 0.277 secs (0.277u,0.s) (success) Proving invert_bind_args_raw_to_typed... Tactic call ran for 0.178 secs (0.168u,0.009s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.018 secs (0.018u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.01 secs (0.01u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.646 secs (0.635u,0.01s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.134 secs (1.123u,0.009s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.117 secs (0.117u,0.s) (success) Tactic call ran for 0.084 secs (0.084u,0.s) (success) Tactic call ran for 0.085 secs (0.085u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.062 secs (0.062u,0.s) (success) Tactic call ran for 0.737 secs (0.736u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.635 secs (0.624u,0.009s) (success) Tactic call ran for 0.464 secs (0.463u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... Finished transaction in 17.922 secs (17.815u,0.079s) (successful) File "./src/Rewriter/Rewriter/Examples/PerfTesting/LiftLetsMap.v", line 120, characters 0-917: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. 
[deprecated-ident-entry,deprecated] native_compute: Conversion to native code done in 0.03211 native_compute: Compilation done in 3.48544 Profiling to file ./native_compute_profile_bf49aa.data native_compute: Evaluation done in 0.00485 native_compute: Reification done in 24.47574 Finished transaction in 29.367 secs (25.936u,0.009s) (successful) native_compute: Conversion to native code done in 0.11773 native_compute: Compilation done in 0.24160 Profiling to file ./native_compute_profile_cbf650.data native_compute: Evaluation done in 0.00027 native_compute: Reification done in 2.13783 Finished transaction in 6.605 secs (6.329u,0.029s) (successful) src/Rewriter/Rewriter/Examples/PerfTesting/LiftLetsMap.vo (real: 55.41, user: 54.88, sys: 0.46, mem: 1092944 ko) COQC src/Rewriter/Rewriter/Examples.v Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... 
Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... Tactic call ran for 0.248 secs (0.248u,0.s) (success) Proving invert_bind_args_raw_to_typed... Tactic call ran for 0.178 secs (0.177u,0.s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.009 secs (0.009u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.009 secs (0.009u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.587 secs (0.587u,0.s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.103 secs (1.102u,0.s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... 
Tactic call ran for 0.005 secs (0.005u,0.s) (success) Tactic call ran for 0. secs (0.u,0.s) (success) Tactic call ran for 0.017 secs (0.016u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.004 secs (0.004u,0.s) (success) Tactic call ran for 0. secs (0.u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.051 secs (0.051u,0.s) (success) Tactic call ran for 0. secs (0.u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... Finished transaction in 9.747 secs (9.709u,0.03s) (successful) Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... 
Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... Tactic call ran for 0.327 secs (0.327u,0.s) (success) Proving invert_bind_args_raw_to_typed... Tactic call ran for 0.213 secs (0.213u,0.s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.019 secs (0.019u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.011 secs (0.011u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.703 secs (0.703u,0.s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.305 secs (1.304u,0.s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.113 secs (0.113u,0.s) (success) Tactic call ran for 0.13 secs (0.129u,0.s) (success) Tactic call ran for 0.076 secs (0.076u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... 
Proving Rewriter_Wf... Tactic call ran for 0.08 secs (0.08u,0.s) (success) Tactic call ran for 0.886 secs (0.886u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.847 secs (0.847u,0.s) (success) Tactic call ran for 0.568 secs (0.557u,0.009s) (success) Assembling verified rewriter... Refining with verified rewriter... Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... 
Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... Tactic call ran for 0.33 secs (0.33u,0.s) (success) Proving invert_bind_args_raw_to_typed... Tactic call ran for 0.204 secs (0.204u,0.s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.022 secs (0.022u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.011 secs (0.011u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.689 secs (0.689u,0.s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.276 secs (1.275u,0.s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.113 secs (0.113u,0.s) (success) Tactic call ran for 0.123 secs (0.122u,0.s) (success) Tactic call ran for 0.076 secs (0.076u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.102 secs (0.102u,0.s) (success) Tactic call ran for 0.929 secs (0.928u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.85 secs (0.849u,0.s) (success) Tactic call ran for 0.56 secs (0.56u,0.s) (success) Assembling verified rewriter... 
Refining with verified rewriter... Finished transaction in 20.808 secs (20.774u,0.02s) (successful) Success: (dlet y0 : Z := e1 + e2 in [y; y + 1; y + 2; y + y0; y + (y0 + 1)]) Success: [x1; x1; x1; x2; x2; x2; x3; x3; x3] src/Rewriter/Rewriter/Examples.vo (real: 56.20, user: 55.85, sys: 0.30, mem: 1057492 ko) COQC src/Rewriter/Rewriter/Examples/PerfTesting/SieveOfEratosthenes.v Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... Building all_base... Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... 
Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Proving is_simple_correct0... Tactic call ran for 0.474 secs (0.473u,0.s) (success) Proving invert_bind_args_raw_to_typed... Tactic call ran for 0.247 secs (0.246u,0.s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.054 secs (0.054u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.014 secs (0.014u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 0.722 secs (0.702u,0.019s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0. secs (0.u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.279 secs (1.278u,0.s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.262 secs (0.262u,0.s) (success) Tactic call ran for 2.436 secs (2.395u,0.039s) (success) Tactic call ran for 0.127 secs (0.127u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.335 secs (0.334u,0.s) (success) Tactic call ran for 1.524 secs (1.493u,0.029s) (success) Proving Rewriter_Interp... 
Tactic call ran for 4.016 secs (4.013u,0.s) (success) Tactic call ran for 0.862 secs (0.861u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... Finished transaction in 53.406 secs (53.103u,0.259s) (successful) File "./src/Rewriter/Rewriter/Examples/PerfTesting/SieveOfEratosthenes.v", line 100, characters 0-407: Warning: grammar entry "ident" permitted "_" in addition to proper identifiers; this use is deprecated and its meaning will change in the future; use "name" instead. [deprecated-ident-entry,deprecated] native_compute: Conversion to native code done in 0.00551 native_compute: Compilation done in 0.85197 Profiling to file ./native_compute_profile_9bb5df.data native_compute: Evaluation done in 0.00079 native_compute: Reification done in 0.64777 Finished transaction in 1.942 secs (1.1u,0.s) (successful) native_compute: Conversion to native code done in 0.04055 native_compute: Compilation done in 0.15848 Profiling to file ./native_compute_profile_5d0693.data native_compute: Evaluation done in 0.00020 native_compute: Reification done in 0.38419 Finished transaction in 1.346 secs (1.184u,0.s) (successful) src/Rewriter/Rewriter/Examples/PerfTesting/SieveOfEratosthenes.vo (real: 57.91, user: 57.31, sys: 0.54, mem: 1389412 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb.v", line 93, characters 2-40: Warning: Notation "_ * _" was already used in scope type_scope. [notation-overridden,parsing] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb.v", line 156, characters 2-40: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb.v", line 368, characters 2-34: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] File "/home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb.v", line 369, characters 2-57: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. [require-in-section,fragile] /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2/src/bedrock2Examples/lightbulb.vo (real: 277.60, user: 276.54, sys: 0.57, mem: 1013768 ko) COQFLAGS="-Q src/bedrock2 bedrock2 -Q src/bedrock2Examples bedrock2Examples -Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil " ../etc/bytedump.py bedrock2Examples.stackalloc.stacknondet_c > special/stacknondet.c cc special/stacknondet.c -o special/stacknondet special/stacknondet make --no-print-directory -C rupicola/bedrock2 compiler_noex make -C /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil make NO_TEST=1 -C /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coq-record-update Generating Makefile.coq.all make -f Makefile.coq.all make[4]: Nothing to be done for 'real-all'. make[4]: Nothing to be done for 'real-all'. make -C /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq all make -C /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2 noex Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. 
Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil rm -f .coqdeps.d make -f Makefile.coq.noex Generating Makefile.coq.all Warning: /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil (used in -R or -Q) is not a subdirectory of the current directory Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_coqutil_RecordUpdate_riscv rm -f .coqdeps.d make -f Makefile.coq.all make[4]: Nothing to be done for 'real-all'. COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricLogging.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricLogging.v", line 56, characters 0-40: Warning: Declaring a scope implicitly is deprecated; use in advance an explicit "Declare Scope MetricL_scope.". [undeclared-scope,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricLogging.vo (real: 0.26, user: 0.16, sys: 0.09, mem: 245904 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Words32Naive.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Words32Naive.vo (real: 0.27, user: 0.17, sys: 0.09, mem: 259092 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Words64Naive.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Words64Naive.vo (real: 0.27, user: 0.16, sys: 0.10, mem: 259120 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/nat_div_mod_to_quot_rem.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/nat_div_mod_to_quot_rem.vo (real: 0.28, user: 0.22, sys: 0.06, mem: 267160 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Utility.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Utility.vo (real: 0.31, user: 0.21, sys: 0.08, mem: 290844 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/runsToNonDet.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/runsToNonDet.vo (real: 0.06, user: 0.05, sys: 0.00, mem: 75996 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RecordSettersUsingExistingGetters.v fun b : bool => { testFoo b with fieldC := false } : bool -> foo nat 2 fun b : bool => {! fieldC := false; fieldC := true } (testFoo b) : bool -> foo nat 2 fun b : bool => {! fieldC := false; fieldC := true; fieldA ::= Nat.add 2 } (testFoo b) : bool -> foo nat 2 /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RecordSettersUsingExistingGetters.vo (real: 0.26, user: 0.16, sys: 0.09, mem: 301696 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RecordSetters.v fun b : bool => {! fieldC := false } (testFoo b) : bool -> foo nat 2 fun b : bool => {! fieldC := false; fieldC := true } (testFoo b) : bool -> foo nat 2 fun b : bool => {! 
fieldC := false; fieldC := true; fieldA ::= Nat.add 2 } (testFoo b) : bool -> foo nat 2 /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RecordSetters.vo (real: 0.30, user: 0.20, sys: 0.10, mem: 313496 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/DefaultMemImpl32.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/DefaultMemImpl32.vo (real: 0.32, user: 0.22, sys: 0.10, mem: 292848 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/DefaultMemImpl64.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/DefaultMemImpl64.vo (real: 0.32, user: 0.18, sys: 0.13, mem: 293600 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRField.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRField.vo (real: 0.28, user: 0.18, sys: 0.09, mem: 267048 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSR.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSR.vo (real: 0.32, user: 0.19, sys: 0.12, mem: 293124 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 22, characters 18-23: Warning: Notation split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 23, characters 18-23: Warning: Notation split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 24, characters 18-23: Warning: Notation split is deprecated. Use coqutil.Word.LittleEndianList.le_split. 
[deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 25, characters 18-23: Warning: Notation split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 26, characters 30-37: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 27, characters 30-37: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 28, characters 30-37: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 29, characters 30-37: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 30, characters 44-51: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 31, characters 44-51: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 32, characters 44-51: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.v", line 33, characters 44-51: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/MkMachineWidth.vo (real: 0.31, user: 0.20, sys: 0.10, mem: 299972 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Decode.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Decode.vo (real: 0.46, user: 0.33, sys: 0.11, mem: 403924 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Memory.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Memory.vo (real: 0.47, user: 0.34, sys: 0.12, mem: 418220 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/InstructionCoercions.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/InstructionCoercions.vo (real: 0.27, user: 0.18, sys: 0.07, mem: 255104 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RegisterNames.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/RegisterNames.vo (real: 0.29, user: 0.20, sys: 0.08, mem: 268736 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Machine.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Machine.vo (real: 0.34, user: 0.22, sys: 0.12, mem: 320904 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Encode.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/Encode.vo (real: 0.39, user: 0.28, sys: 0.10, mem: 372856 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/InstructionNotations.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/InstructionNotations.vo (real: 0.29, user: 0.20, sys: 0.08, mem: 284984 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/RiscvMachine.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/RiscvMachine.v", line 179, characters 51-69: Warning: Notation split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/RiscvMachine.vo (real: 0.36, user: 0.24, sys: 0.11, mem: 334240 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MaterializeRiscvProgram.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MaterializeRiscvProgram.vo (real: 0.34, user: 0.21, sys: 0.12, mem: 331220 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRFile.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRFile.vo (real: 4.56, user: 4.33, sys: 0.21, mem: 548708 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I.vo (real: 4.38, user: 4.28, sys: 0.09, mem: 441568 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_R.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_R.vo (real: 4.56, user: 4.40, sys: 0.15, mem: 440420 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_R_atomic.v 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_R_atomic.vo (real: 6.54, user: 6.34, sys: 0.18, mem: 453232 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_system.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_system.vo (real: 3.37, user: 3.26, sys: 0.10, mem: 431384 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_shift_57.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_shift_57.vo (real: 4.57, user: 4.40, sys: 0.16, mem: 440836 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_U.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_U.vo (real: 3.00, user: 2.86, sys: 0.14, mem: 425960 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_S.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_S.vo (real: 7.71, user: 7.53, sys: 0.15, mem: 469576 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_shift_66.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_I_shift_66.vo (real: 15.46, user: 15.19, sys: 0.23, mem: 511856 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_Fence.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_Fence.vo (real: 6.59, user: 6.41, sys: 0.16, mem: 456860 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_UJ.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_UJ.vo (real: 10.96, user: 10.78, sys: 0.16, mem: 505320 ko) COQC 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/InstructionSetOrder.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/InstructionSetOrder.vo (real: 1.37, user: 1.24, sys: 0.12, mem: 423068 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRGetSet.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRGetSet.vo (real: 0.58, user: 0.45, sys: 0.12, mem: 418920 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/VirtualMemory.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/VirtualMemory.vo (real: 0.29, user: 0.21, sys: 0.07, mem: 260228 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_SB.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_SB.vo (real: 16.38, user: 16.17, sys: 0.17, mem: 577768 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_FenceI.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/invert_encode_FenceI.vo (real: 4.42, user: 4.30, sys: 0.10, mem: 441508 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteM64.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteM64.vo (real: 0.32, user: 0.17, sys: 0.14, mem: 297976 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteM.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteM.vo (real: 0.33, user: 0.22, sys: 0.10, mem: 304432 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricRiscvMachine.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricRiscvMachine.vo (real: 0.32, user: 0.21, sys: 0.11, mem: 287232 ko) COQC 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/PseudoInstructions.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/PseudoInstructions.vo (real: 0.30, user: 0.19, sys: 0.10, mem: 277152 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Primitives.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Primitives.vo (real: 0.54, user: 0.40, sys: 0.13, mem: 423052 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/AtomicRiscvMachine.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/AtomicRiscvMachine.vo (real: 0.33, user: 0.19, sys: 0.12, mem: 286464 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/bverify.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Utility/bverify.vo (real: 1.03, user: 0.86, sys: 0.17, mem: 415436 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalCSRs.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalCSRs.vo (real: 0.65, user: 0.56, sys: 0.09, mem: 428132 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeProver.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeProver.vo (real: 0.61, user: 0.44, sys: 0.15, mem: 416584 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/SoftmulInsts.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/SoftmulInsts.vo (real: 0.36, user: 0.28, sys: 0.08, mem: 309000 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRSpec.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/CSRSpec.vo (real: 0.30, user: 0.22, sys: 0.07, mem: 276368 ko) COQC 
/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteA64.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteA64.vo (real: 0.40, user: 0.24, sys: 0.16, mem: 372840 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteA.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteA.vo (real: 0.40, user: 0.26, sys: 0.13, mem: 374480 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteI64.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteI64.vo (real: 0.33, user: 0.25, sys: 0.07, mem: 311092 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteI.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteI.vo (real: 0.55, user: 0.42, sys: 0.11, mem: 418612 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/LogInstructionTrace.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/LogInstructionTrace.v", line 52, characters 27-47: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/LogInstructionTrace.vo (real: 0.37, user: 0.33, sys: 0.04, mem: 338412 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/MetricPrimitives.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/MetricPrimitives.vo (real: 0.55, user: 0.40, sys: 0.14, mem: 424536 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeA64.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeA64.vo (real: 13.68, user: 13.47, sys: 0.17, mem: 537168 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeA.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeA.vo (real: 15.15, user: 14.99, sys: 0.13, mem: 563848 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/EncodeBound.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/EncodeBound.vo (real: 31.53, user: 31.26, sys: 0.23, mem: 531452 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeI64.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeI64.vo (real: 14.80, user: 14.49, sys: 0.26, mem: 591056 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeM64.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeM64.vo (real: 5.83, user: 5.64, sys: 0.18, mem: 466132 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteCSR.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteCSR.v", line 152, characters 6-10: Warning: Unused variable inst catches more than one case. 
[unused-pattern-matching-variable,pattern-matching] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/ExecuteCSR.vo (real: 0.44, user: 0.34, sys: 0.10, mem: 369996 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Execute.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Spec/Execute.vo (real: 0.30, user: 0.21, sys: 0.08, mem: 273136 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Run.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Run.v", line 25, characters 26-33: Warning: Notation combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Run.vo (real: 0.36, user: 0.27, sys: 0.08, mem: 297132 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/SMTVerif.v (declare-const regs (Array Int (_ BitVec 32))) (assert (not (= (store (store regs 28 (bvadd (_ bv0 32) (_ bv31 32))) 6 (bvmul (select (store regs 28 (bvadd (_ bv0 32) (_ bv31 32))) 7) (select (store regs 28 (bvadd (_ bv0 32) (_ bv31 32))) 28))) (store (store (store regs 6 (bvshl (select regs 7) (_ bv5 32))) 6 (bvsub (select (store regs 6 (bvshl (select regs 7) (_ bv5 32))) 6) (select (store regs 6 (bvshl (select regs 7) (_ bv5 32))) 7))) 28 (bvadd (_ bv0 32) (_ bv31 32)))))) (check-sat) /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/SMTVerif.vo (real: 0.72, user: 0.57, sys: 0.15, mem: 424536 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 593, characters 30-50: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 593, characters 54-72: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 593, characters 30-50: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 593, characters 54-72: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 598, characters 27-47: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 598, characters 51-69: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 599, characters 27-47: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 599, characters 51-69: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. 
[deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 599, characters 27-47: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 599, characters 51-69: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 680, characters 63-83: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 682, characters 49-69: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 684, characters 35-53: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.v", line 789, characters 0-74: Warning: Notation "= _ _" was already used. 
[notation-overridden,parsing] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/WMMFree.vo (real: 1.97, user: 1.78, sys: 0.17, mem: 436944 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Sane.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Sane.vo (real: 0.50, user: 0.42, sys: 0.07, mem: 424132 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeM.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeM.vo (real: 11.46, user: 11.26, sys: 0.18, mem: 541144 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalCSRsDet.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalCSRsDet.vo (real: 0.52, user: 0.37, sys: 0.15, mem: 398292 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalMMIO_Post.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalMMIO_Post.v", line 37, characters 51-71: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalMMIO_Post.vo (real: 0.55, user: 0.41, sys: 0.13, mem: 427356 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/MulTrapHandler.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/MulTrapHandler.v", line 50, characters 65-83: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/MulTrapHandler.v", line 51, characters 60-78: Warning: Notation LittleEndian.split is deprecated. 
Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/MulTrapHandler.v", line 97, characters 75-93: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/MulTrapHandler.v", line 101, characters 11-29: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/MulTrapHandler.v", line 105, characters 11-29: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/MulTrapHandler.vo (real: 2.77, user: 2.62, sys: 0.14, mem: 434460 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Minimal.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/Minimal.vo (real: 7.14, user: 6.95, sys: 0.18, mem: 437528 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeCSR.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeCSR.vo (real: 53.12, user: 52.75, sys: 0.28, mem: 935288 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalMMIO.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalMMIO.v", line 42, characters 51-71: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalMMIO.vo (real: 3.51, user: 3.36, sys: 0.15, mem: 440192 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimal.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimal.vo (real: 0.48, user: 0.30, sys: 0.17, mem: 364072 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalLogging.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalLogging.vo (real: 0.45, user: 0.32, sys: 0.12, mem: 354216 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/AtomicMinimal.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/AtomicMinimal.vo (real: 0.44, user: 0.31, sys: 0.12, mem: 349528 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/FE310ExtSpec.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/FE310ExtSpec.vo (real: 0.45, user: 0.33, sys: 0.11, mem: 344676 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalNoMul.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalNoMul.v", line 103, characters 37-57: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MinimalNoMul.vo (real: 3.85, user: 3.70, sys: 0.13, mem: 433816 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimalMMIO.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimalMMIO.v", line 70, characters 2-46: Warning: Notation LittleEndian.combine is deprecated. 
Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimalMMIO.vo (real: 1.31, user: 1.17, sys: 0.14, mem: 429424 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/Example64Literal.v = {| unsigned := 1073745919; _unsigned_in_range := eq_refl |} : word64 /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/Example64Literal.vo (real: 0.65, user: 0.54, sys: 0.10, mem: 392528 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimalNoMul.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimalNoMul.v", line 68, characters 2-46: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricMinimalNoMul.vo (real: 0.96, user: 0.85, sys: 0.10, mem: 431716 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/Fib.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Examples/Fib.vo (real: 1.65, user: 1.50, sys: 0.13, mem: 427756 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricSane.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Platform/MetricSane.vo (real: 43.13, user: 42.88, sys: 0.21, mem: 581672 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeI.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncodeI.vo (real: 79.92, user: 79.33, sys: 0.51, mem: 1571340 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncode.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeEncode.vo (real: 0.31, 
user: 0.21, sys: 0.10, mem: 297244 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeByExtension.v Finished transaction in 249.789 secs (249.547u,0.079s) (successful) /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/DecodeByExtension.vo (real: 263.33, user: 262.77, sys: 0.37, mem: 970992 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/EncodeDecode.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/EncodeDecode.vo (real: 52.78, user: 52.46, sys: 0.22, mem: 648952 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/VerifyDecode.v /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq/src/riscv/Proofs/VerifyDecode.vo (real: 57.96, user: 57.66, sys: 0.23, mem: 996136 ko) make -C /home/jgross/fiat-crypto/rupicola/bedrock2/compiler noex Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. 
Warning: Otherwise the install-doc target is going to install files Warning: in orphan_compiler_compilerExamples_bedrock2_bedrock2Examples_coqutil_riscv rm -f .coqdeps.d make -f Makefile.coq.noex COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/NameGen.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/NameGen.vo (real: 0.25, user: 0.18, sys: 0.06, mem: 235908 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/util/Result.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/util/Result.vo (real: 0.53, user: 0.35, sys: 0.17, mem: 419152 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Registers.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Registers.vo (real: 0.60, user: 0.47, sys: 0.13, mem: 417008 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/mod4_0.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/mod4_0.vo (real: 0.36, user: 0.23, sys: 0.12, mem: 321108 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RiscvWordProperties.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RiscvWordProperties.vo (real: 0.34, user: 0.25, sys: 0.08, mem: 306340 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MetricsToRiscv.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MetricsToRiscv.vo (real: 0.24, user: 0.14, sys: 0.09, mem: 230512 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/regs_initialized.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/regs_initialized.vo (real: 0.35, user: 0.22, sys: 0.13, mem: 309184 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ZLemmas.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ZLemmas.vo (real: 0.66, user: 0.55, sys: 0.10, mem: 410112 ko) COQC 
/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/GenericForeverSafe.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/GenericForeverSafe.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 80848 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/NaiveRiscvWordProperties.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/NaiveRiscvWordProperties.vo (real: 0.60, user: 0.45, sys: 0.13, mem: 411720 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Symbols.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Symbols.vo (real: 0.27, user: 0.17, sys: 0.10, mem: 251276 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/UniqueSepLog.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/UniqueSepLog.v", line 369, characters 16-34: Warning: Notation split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/UniqueSepLog.vo (real: 0.57, user: 0.39, sys: 0.18, mem: 423804 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/SeparationLogic.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/SeparationLogic.vo (real: 1.82, user: 1.65, sys: 0.15, mem: 429628 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/util/Common.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/util/Common.vo (real: 0.33, user: 0.24, sys: 0.08, mem: 296316 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/DivisibleBy4.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/DivisibleBy4.vo (real: 0.63, user: 0.49, sys: 0.13, mem: 413684 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MemoryLayout.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MemoryLayout.vo (real: 0.46, user: 0.28, sys: 0.18, 
mem: 373132 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ZNameGen.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ZNameGen.vo (real: 0.35, user: 0.24, sys: 0.11, mem: 318736 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/StringNameGen.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/StringNameGen.vo (real: 0.55, user: 0.39, sys: 0.15, mem: 420408 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/GoFlatToRiscv.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/GoFlatToRiscv.vo (real: 1.84, user: 1.67, sys: 0.15, mem: 446724 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ForeverSafe.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ForeverSafe.vo (real: 0.54, user: 0.44, sys: 0.10, mem: 440036 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ExprImp.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ExprImp.vo (real: 5.75, user: 5.57, sys: 0.16, mem: 457960 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/SpillingMapGoals.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/SpillingMapGoals.vo (real: 11.45, user: 11.22, sys: 0.21, mem: 650112 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RunInstruction.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RunInstruction.v", line 226, characters 49-69: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RunInstruction.v", line 253, characters 36-54: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. 
[deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RunInstruction.vo (real: 16.61, user: 16.41, sys: 0.16, mem: 492428 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RiscvEventLoop.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RiscvEventLoop.vo (real: 0.78, user: 0.59, sys: 0.18, mem: 442000 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatImp.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatImp.vo (real: 22.54, user: 22.27, sys: 0.24, mem: 671072 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatImpConstraints.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatImpConstraints.vo (real: 0.40, user: 0.30, sys: 0.09, mem: 335444 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlattenExprDef.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlattenExprDef.vo (real: 0.45, user: 0.30, sys: 0.13, mem: 371828 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatImpUniqueSepLog.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatImpUniqueSepLog.vo (real: 0.58, user: 0.42, sys: 0.15, mem: 428944 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatImpSepLog.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatImpSepLog.vo (real: 0.60, user: 0.44, sys: 0.16, mem: 431608 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvDef.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvDef.v", line 209, characters 24-44: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvDef.vo (real: 0.54, user: 0.38, sys: 0.14, mem: 433680 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RegAlloc.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/RegAlloc.vo (real: 6.82, user: 6.65, sys: 0.16, mem: 475248 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/EmitsValid.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/EmitsValid.vo (real: 5.92, user: 5.71, sys: 0.20, mem: 483288 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvCommon.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvCommon.vo (real: 13.06, user: 12.85, sys: 0.17, mem: 480036 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/load_save_regs_correct.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/load_save_regs_correct.vo (real: 2.40, user: 2.26, sys: 0.14, mem: 456844 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvLiterals.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvLiterals.vo (real: 31.81, user: 31.49, sys: 0.28, mem: 607596 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Spilling.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Spilling.vo (real: 60.88, user: 60.38, sys: 0.27, mem: 664996 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvMetric.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvMetric.vo (real: 123.98, user: 122.81, sys: 0.94, mem: 2751688 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlattenExpr.v FlattenExpr: Entering slow lemmas section FlattenExpr: flattenExpr_correct_aux done FlattenExpr: flattenExprs_correct done FlattenExpr: 
flattenBooleanExpr_correct_aux done FlattenExpr: flattenStmt_correct_aux done End of FlattenExpr.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlattenExpr.vo (real: 189.04, user: 188.47, sys: 0.24, mem: 780968 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvFunctions.v Case compile_stmt_correct/SInteract Case compile_stmt_correct/SCall Case compile_stmt_correct/SLoad Case compile_stmt_correct/SStore Case compile_stmt_correct/SInlinetable Case compile_stmt_correct/SStackalloc Case compile_stmt_correct/SLit Case compile_stmt_correct/SOp Case compile_stmt_correct/SSet Case compile_stmt_correct/SIf/Then Case compile_stmt_correct/SIf/Else Case compile_stmt_correct/SLoop Case compile_stmt_correct/SSeq Case compile_stmt_correct/SSkip /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FlatToRiscvFunctions.vo (real: 187.18, user: 186.05, sys: 0.99, mem: 2930324 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FitsStack.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/FitsStack.vo (real: 1.64, user: 1.50, sys: 0.13, mem: 450292 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/LowerPipeline.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/LowerPipeline.v", line 704, characters 61-79: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/LowerPipeline.v", line 704, characters 61-79: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. 
[deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/LowerPipeline.vo (real: 4.26, user: 4.09, sys: 0.15, mem: 470496 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Pipeline.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Pipeline.v", line 494, characters 54-72: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/Pipeline.vo (real: 2.64, user: 2.49, sys: 0.13, mem: 458600 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ExprImpEventLoopSpec.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ExprImpEventLoopSpec.vo (real: 0.58, user: 0.43, sys: 0.15, mem: 457484 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ToplevelLoop.v /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/ToplevelLoop.vo (real: 10.42, user: 10.21, sys: 0.19, mem: 548816 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/CompilerInvariant.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/CompilerInvariant.v", line 65, characters 27-45: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/CompilerInvariant.vo (real: 1.62, user: 1.48, sys: 0.13, mem: 460416 ko) COQC /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MMIO.v File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MMIO.v", line 188, characters 2-46: Warning: Notation LittleEndian.combine is deprecated. Use coqutil.Word.LittleEndianList.le_combine. 
[deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MMIO.v", line 190, characters 2-44: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] Tactic call ran for 0.085 secs (0.084u,0.s) (success) Finished transaction in 0.251 secs (0.251u,0.s) (successful) File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MMIO.v", line 495, characters 23-41: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] File "/home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MMIO.v", line 495, characters 23-41: Warning: Notation LittleEndian.split is deprecated. Use coqutil.Word.LittleEndianList.le_split. [deprecated-syntactic-definition,deprecated] Finished transaction in 70.973 secs (70.896u,0.03s) (successful) /home/jgross/fiat-crypto/rupicola/bedrock2/compiler/src/compiler/MMIO.vo (real: 84.13, user: 83.78, sys: 0.28, mem: 742088 ko) make --no-print-directory -C rupicola all make --no-print-directory -C bedrock2/deps/coqutil Generating Makefile.coq.all make -f Makefile.coq.all make[4]: Nothing to be done for 'real-all'. make --no-print-directory -C bedrock2/bedrock2 noex Generating Makefile.coq Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_coqutil_bedrock2_Rupicola Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil rm -f .coqdeps.d make -f Makefile.coq.noex make[4]: Nothing to be done for 'real-all'. 
rm -f .coqdeps.d make -f Makefile.coq COQDEP VFILES COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Gensym.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Gensym.vo (real: 0.19, user: 0.11, sys: 0.07, mem: 185404 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/IdentParsing.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/IdentParsing.vo (real: 0.24, user: 0.15, sys: 0.09, mem: 223204 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Assoc/Assoc.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Assoc/Assoc.vo (real: 0.33, user: 0.23, sys: 0.08, mem: 311448 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ToCString.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ToCString.vo (real: 0.55, user: 0.41, sys: 0.13, mem: 409040 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CapitalizeThird/CapitalizeThird.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CapitalizeThird/CapitalizeThird.vo (real: 0.42, user: 0.32, sys: 0.09, mem: 350208 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Swap/Swap.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Swap/Swap.vo (real: 0.42, user: 0.25, sys: 0.15, mem: 334944 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CRC32/Table.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CRC32/Table.vo (real: 0.52, user: 0.37, sys: 0.14, mem: 402444 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/kv.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/kv.vo (real: 0.57, user: 0.41, sys: 0.14, mem: 419404 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Swap/Properties.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Swap/Properties.vo (real: 0.65, user: 0.54, sys: 0.11, mem: 432352 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Core.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Core.vo (real: 2.88, user: 2.67, sys: 0.20, mem: 
444800 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/WordNotations.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/WordNotations.vo (real: 0.45, user: 0.33, sys: 0.11, mem: 354564 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Tactics.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Tactics.vo (real: 0.45, user: 0.34, sys: 0.11, mem: 361416 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Monads.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Monads.vo (real: 0.49, user: 0.34, sys: 0.15, mem: 418952 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/SepReflection.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/SepReflection.vo (real: 0.60, user: 0.50, sys: 0.10, mem: 433476 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Notations.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Notations.vo (real: 0.43, user: 0.30, sys: 0.12, mem: 374520 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Net/IPChecksum/Spec.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Net/IPChecksum/Spec.vo (real: 0.59, user: 0.44, sys: 0.15, mem: 434864 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ExprCompiler.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ExprCompiler.vo (real: 0.86, user: 0.74, sys: 0.12, mem: 442876 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/NoExprReflection.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/NoExprReflection.vo (real: 0.75, user: 0.57, sys: 0.18, mem: 435764 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Alloc.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Alloc.vo (real: 0.56, user: 0.45, sys: 0.10, mem: 435640 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Compiler.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Compiler.vo (real: 1.46, user: 1.32, sys: 0.12, mem: 436484 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/InlineTables.v 
/home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/InlineTables.vo (real: 1.52, user: 1.40, sys: 0.11, mem: 435564 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ExprReflection.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ExprReflection.vo (real: 0.71, user: 0.58, sys: 0.13, mem: 440748 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Invariants.v (rp ptr a' ⋆ R, #{ "ptr" => ptr }#) : (mem -> Prop) * locals (pred, #{ "v" => v' }#) : (mem -> Prop) * locals (pred, #{ "x" => x; "y" => y }#) : (mem -> Prop) * locals (rp ptr (P2.car \< a', v', y \>) ⋆ R, #{ "v" => P2.car (P2.cdr \< a', v', y \>); "ptr" => ptr; "y" => P2.cdr (P2.cdr \< a', v', y \>) }#) : (mem -> Prop) * locals /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Invariants.vo (real: 0.44, user: 0.30, sys: 0.13, mem: 375348 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Conditionals.v fun (args : \<< A, word, word \>>) (tr' : Semantics.trace) (mem' : mem) (locals' : locals) => tr' = tr /\ locals' = #{ "v" => P2.car (P2.cdr args); "ptr" => ptr; "y" => P2.cdr (P2.cdr args) }# /\ (rp ptr (P2.car args) ⋆ R) mem' : \<< A, word, word \>> -> Semantics.trace -> mem -> locals -> Prop /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Conditionals.vo (real: 0.55, user: 0.42, sys: 0.12, mem: 436596 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Api.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Api.vo (real: 0.47, user: 0.34, sys: 0.13, mem: 365632 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CapitalizeThird/Properties.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CapitalizeThird/Properties.vo (real: 6.50, user: 6.32, sys: 0.16, mem: 470800 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ControlFlow/DownTo.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ControlFlow/DownTo.vo (real: 1.62, user: 1.47, sys: 0.15, mem: 436320 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/SepLocals.v 
/home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/SepLocals.vo (real: 0.71, user: 0.54, sys: 0.16, mem: 440120 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Cells/Cells.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Cells/Cells.vo (real: 0.63, user: 0.50, sys: 0.11, mem: 440416 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ControlFlow/CondSwap.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/ControlFlow/CondSwap.vo (real: 1.24, user: 1.13, sys: 0.11, mem: 440480 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/IO/Writer.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/IO/Writer.vo (real: 0.55, user: 0.44, sys: 0.09, mem: 441324 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Utf8/Utils.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Utf8/Utils.vo (real: 0.62, user: 0.43, sys: 0.18, mem: 441936 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Nondeterminism/NonDeterminism.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Nondeterminism/NonDeterminism.vo (real: 0.54, user: 0.33, sys: 0.21, mem: 441504 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Tree/Tree.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Tree/Tree.vo (real: 0.95, user: 0.78, sys: 0.17, mem: 441024 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/LinkedList/LinkedList.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/LinkedList/LinkedList.vo (real: 1.16, user: 1.01, sys: 0.15, mem: 440704 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/KVStore.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/KVStore.vo (real: 0.58, user: 0.48, sys: 0.09, mem: 440664 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Cells/Swap.v = (["c1"; "c2"], [], bedrock_func_body:( $"v1" = load($"c1"); $"v2" = load($"c2"); store($"c1", $"v2"); store($"c2", $"v1"))) : func 
/home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Cells/Swap.vo (real: 1.23, user: 1.07, sys: 0.16, mem: 431700 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Conditionals.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Conditionals.vo (real: 1.60, user: 1.40, sys: 0.18, mem: 433716 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Loops.v fun (idx : word) (args : \<< A, word \>>) (tr' : Semantics.trace) (mem' : mem) (locals' : locals) => tr' = tr /\ locals' = #{ "v" => P2.cdr args; "from" => idx; "ptr" => ptr }# /\ (rp ptr (P2.car args) ⋆ R) mem' : word -> \<< A, word \>> -> Semantics.trace -> mem -> locals -> Prop /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Loops.vo (real: 5.30, user: 5.18, sys: 0.12, mem: 469248 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Cells/Incr.v = (["c"], [], bedrock_func_body:( $"v" = load($"c"); $"one" = $1; $"v" = $"v" + $1; store($"c", $"v"))) : func /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Cells/Incr.vo (real: 0.88, user: 0.74, sys: 0.13, mem: 431688 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/IO/IO.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/IO/IO.vo (real: 0.82, user: 0.69, sys: 0.13, mem: 440988 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/IO/Stdout.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/IO/Stdout.vo (real: 0.92, user: 0.78, sys: 0.12, mem: 441120 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Nondeterminism/Peek.v = (["b"], ["out"], bedrock_func_body:( $"x" = load($"b"); $"y" = load($"b"); $"out" = $"x" + $"y")) : func /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Nondeterminism/Peek.vo (real: 1.12, user: 0.97, sys: 0.14, mem: 441492 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/Properties.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/Properties.vo (real: 0.72, user: 0.59, sys: 0.13, mem: 441124 ko) 
COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Cells/IndirectAdd.v = (["out"; "a"; "b"; "c"], [], cmd.stackalloc "v" size_in_bytes (cmd.seq (cmd.call [] "indirect_add" ["v"; "a"; "b"]) (cmd.call [] "indirect_add" ["out"; "v"; "c"]))) : func /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Cells/IndirectAdd.vo (real: 4.17, user: 4.03, sys: 0.13, mem: 437088 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/LinkedList/Find.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/LinkedList/Find.vo (real: 2.59, user: 2.40, sys: 0.18, mem: 446160 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/Tactics.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/Tactics.vo (real: 0.48, user: 0.35, sys: 0.13, mem: 373732 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Expr.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Expr.vo (real: 7.11, user: 6.96, sys: 0.14, mem: 456468 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Arrays.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Lib/Arrays.vo (real: 2.08, user: 1.89, sys: 0.18, mem: 451984 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/IO/Echo.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/IO/Echo.vo (real: 2.82, user: 2.72, sys: 0.10, mem: 441916 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Arithmetic.v = (["data"; "len"], ["hash"], bedrock_func_body:( $"p" = $16777619; $"hash" = $2166136261; $"from" = $0; $"_gs_from0" = $0; $"_gs_to0" = $"len"; while $"_gs_from0" < $"_gs_to0" { {$"b" = load1($"data" + $1 * $"_gs_from0"); $"hash" = ($"hash" ^ $"b") * $16777619; $(cmd.unset "b")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func = (["data"; "len"], ["hash"], bedrock_func_body:( $"p" = $1099511628211; $"hash" = $14695981039346656037; $"from" = $0; $"_gs_from0" = $0; $"_gs_to0" = $"len"; while $"_gs_from0" < $"_gs_to0" { {$"b" = load1($"data" + $1 * $"_gs_from0"); $"hash" = 
($"hash" ^ $"b") * $1099511628211; $(cmd.unset "b")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Arithmetic.vo (real: 3.51, user: 3.39, sys: 0.11, mem: 447824 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Net/IPChecksum/Impl.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Net/IPChecksum/Impl.vo (real: 1.54, user: 1.44, sys: 0.09, mem: 437196 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/Automated.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/Automated.vo (real: 8.65, user: 8.52, sys: 0.13, mem: 461004 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CMove/CMove.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CMove/CMove.vo (real: 14.48, user: 14.29, sys: 0.15, mem: 494260 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Loops.v Finished transaction in 2.674 secs (2.67u,0.s) (successful) = [11; 10; 9; 8; 7; 6; 5; 4; 3; 2; 1; 0] : list Z Finished transaction in 0.001 secs (0.001u,0.s) (successful) = [{| Naive.unsigned := 11; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 10; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 9; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 8; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 7; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 6; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 5; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 4; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 3; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 2; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 1; Naive._unsigned_in_range := eq_refl |}; {| Naive.unsigned := 0; Naive._unsigned_in_range := eq_refl |}] : list word Finished transaction in 0.003 secs (0.003u,0.s) (successful) = (["len"; "a1"; "a2"], [], bedrock_func_body:( $"_gs_from0" = $0; 
$"_gs_to0" = $"len"; while $"_gs_from0" < $"_gs_to0" { {$"v" = load($"a1" + $8 * $"_gs_from0"); store($"a2" + $8 * $"_gs_from0", $"v"); $(cmd.unset "v")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func = (["len"; "a1"; "a2"], [], bedrock_func_body:( $"_gs_from0" = $0; $"_gs_to0" = $"len"; while $"_gs_from0" < $"_gs_to0" { {$"v" = load($"a1" + $8 * $"_gs_from0"); store($"a2" + $8 * $"_gs_from0", $"v"); $(cmd.unset "v")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func = (["len"; "a1"; "a2"], [], bedrock_func_body:( $"_gs_from0" = $0; $"_gs_to0" = $"len"; while $"_gs_from0" .< $"_gs_to0" { {$"v" = load($"a1" + $8 * $"_gs_from0"); store($"a2" + $8 * $"_gs_from0", $"v"); $(cmd.unset "v")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Loops.vo (real: 14.23, user: 14.00, sys: 0.19, mem: 488028 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Nondeterminism/StackAlloc.v = (["w"], ["out"], bedrock_func_body:( stackalloc 8 as $"bs"; $"idx" = $0; $"undef" = load1($"bs" + $1 * $0); $"out" = $"w"; $"out" = $"undef" ^ $"out"; $"out" = $"undef" ^ $"out")) : func /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Nondeterminism/StackAlloc.vo (real: 1.65, user: 1.51, sys: 0.13, mem: 444304 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/Manual.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/KVStore/Manual.vo (real: 18.24, user: 18.09, sys: 0.13, mem: 545544 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CRC32/CRC32.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/CRC32/CRC32.vo (real: 5.08, user: 4.85, sys: 0.21, mem: 458196 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/RevComp.v = "YAPIGOLT" : string Finished transaction in 2.31 secs (2.306u,0.s) (successful) Finished transaction in 0.2 secs (0.2u,0.s) (successful) /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/RevComp.vo (real: 3.24, user: 3.09, sys: 0.13, mem: 443304 ko) 
COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Uppercase.v = "RUPICOLA" : string Finished transaction in 2.959 secs (2.932u,0.021s) (successful) Finished transaction in 0.37 secs (0.369u,0.s) (successful) /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Uppercase.vo (real: 3.97, user: 3.82, sys: 0.13, mem: 446584 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/DownTo.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/DownTo.vo (real: 2.63, user: 2.50, sys: 0.12, mem: 441396 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Arrays.v Finished transaction in 2.265 secs (2.261u,0.s) (successful) Finished transaction in 1.664 secs (1.653u,0.009s) (successful) Finished transaction in 1.955 secs (1.953u,0.s) (successful) Finished transaction in 1.718 secs (1.717u,0.s) (successful) = (["p"], [], bedrock_func_body:( $"ttl" = load($"p" + $8 * $1); $"ttl" = $"ttl" + $18446744073709551615; store($"p" + $8 * $1, $"ttl"))) : func = (["bs"; "len"; "mask"], [], bedrock_func_body:( $"_gs_from0" = $0; $"_gs_to0" = $"len"; while $"_gs_from0" < $"_gs_to0" { {$"_gs_tmp0" = load1($"bs" + $1 * $"_gs_from0"); $"_gs_tmp0" = $"mask" & $"_gs_tmp0"; store1($"bs" + $1 * $"_gs_from0", $"_gs_tmp0"); $(cmd.unset "_gs_tmp0")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func = (["bs"; "len"], ["r"], bedrock_func_body:( $"r" = $0; $"_gs_from0" = $0; $"_gs_to0" = $"len"; while $"_gs_from0" < $"_gs_to0" { {$"_gs_tmp0" = load1($"bs" + $1 * $"_gs_from0"); $"r" = $"r" ^ $"_gs_tmp0"; $(cmd.unset "_gs_tmp0")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func = (["ws"; "len"], [], bedrock_func_body:( $"_gs_from0" = $0; $"_gs_to0" = $"len"; while $"_gs_from0" < $"_gs_to0" { {$"_gs_tmp0" = load($"ws" + $8 * $"_gs_from0"); $"_gs_tmp0" = $1 + $"_gs_tmp0"; store($"ws" + $8 * $"_gs_from0", $"_gs_tmp0"); $(cmd.unset "_gs_tmp0")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func = (["ws"; "len"], ["r"], bedrock_func_body:( $"r" = $0; $"_gs_from0" = $0; $"_gs_to0" = 
$"len"; while $"_gs_from0" < $"_gs_to0" { {$"_gs_tmp0" = load($"ws" + $8 * $"_gs_from0"); $"r" = $"r" + $"_gs_tmp0"; $(cmd.unset "_gs_tmp0")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func = (["data"; "len"; "needle"], ["r"], bedrock_func_body:( $"r" = $0; $"_gs_from0" = $0; $"_gs_to0" = $(expr.op bopname.divu "len" 8); while $"_gs_from0" < $"_gs_to0" { {$"_gs_tmp0" = load($"data" + $8 * $"_gs_from0"); $"hit" = $"_gs_tmp0" == $"needle"; $"r" = $"r" + $"hit"; /*skip*/; $(cmd.unset "_gs_tmp0"); $(cmd.unset "hit")}; $"_gs_from0" = $"_gs_from0" + $1 })) : func /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Arrays.vo (real: 14.61, user: 14.41, sys: 0.17, mem: 485848 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/L64X128.v /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/L64X128.vo (real: 7.16, user: 7.01, sys: 0.13, mem: 470068 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Utf8/Utf8.v Finished transaction in 26.404 secs (26.345u,0.039s) (successful) Finished transaction in 2.06 secs (2.049u,0.009s) (successful) /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Utf8/Utf8.vo (real: 29.15, user: 28.97, sys: 0.15, mem: 652808 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Net/IPChecksum/IPChecksum.v Finished transaction in 12.959 secs (12.891u,0.049s) (successful) Finished transaction in 1.597 secs (1.596u,0.s) (successful) /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Net/IPChecksum/IPChecksum.vo (real: 15.09, user: 14.85, sys: 0.21, mem: 524792 ko) COQC /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Net/IPChecksum/SpecExtraction.v (** val length : 'a1 list -> int **) let rec length = function | [] -> 0 | _ :: l' -> Pervasives.succ (length l') (** val app : 'a1 list -> 'a1 list -> 'a1 list **) let rec app l m = match l with | [] -> m | a :: l1 -> a :: (app l1 m) module Nat = struct (** val ltb : int -> int -> bool **) let ltb n0 m = (<=) (Pervasives.succ n0) m end module Pos = 
struct (** val succ : int -> int **) let rec succ = Pervasives.succ (** val add : int -> int -> int **) let rec add = (+) (** val add_carry : int -> int -> int **) and add_carry x y = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun p -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q -> (fun p->1+2*p) (add_carry p q)) (fun q -> (fun p->2*p) (add_carry p q)) (fun _ -> (fun p->1+2*p) (succ p)) y) (fun p -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q -> (fun p->2*p) (add_carry p q)) (fun q -> (fun p->1+2*p) (add p q)) (fun _ -> (fun p->2*p) (succ p)) y) (fun _ -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q -> (fun p->1+2*p) (succ q)) (fun q -> (fun p->2*p) (succ q)) (fun _ -> (fun p->1+2*p) 1) y) x (** val pred_double : int -> int **) let rec pred_double x = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun p -> (fun p->1+2*p) ((fun p->2*p) p)) (fun p -> (fun p->1+2*p) (pred_double p)) (fun _ -> 1) x (** val pred_N : int -> int **) let pred_N x = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun p -> ((fun p->2*p) p)) (fun p -> (pred_double p)) (fun _ -> 0) x (** val mul : int -> int -> int **) let rec mul = ( * ) (** val iter : ('a1 -> 'a1) -> 'a1 -> int -> 'a1 **) let rec iter f x n0 = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun n' -> f (iter f (iter f x n') n')) (fun n' -> iter f (iter f x n') n') (fun _ -> f x) n0 (** val div2 : int -> int **) let div2 p = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun p0 -> p0) (fun p0 -> p0) (fun _ -> 1) p (** val div2_up : int -> int **) let div2_up p = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then 
f2p (p/2) else f2p1 (p/2)) (fun p0 -> succ p0) (fun p0 -> p0) (fun _ -> 1) p (** val coq_Nsucc_double : int -> int **) let coq_Nsucc_double x = (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> 1) (fun p -> ((fun p->1+2*p) p)) x (** val coq_Ndouble : int -> int **) let coq_Ndouble n0 = (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> 0) (fun p -> ((fun p->2*p) p)) n0 (** val coq_lor : int -> int -> int **) let rec coq_lor p q = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun p0 -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q0 -> (fun p->1+2*p) (coq_lor p0 q0)) (fun q0 -> (fun p->1+2*p) (coq_lor p0 q0)) (fun _ -> p) q) (fun p0 -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q0 -> (fun p->1+2*p) (coq_lor p0 q0)) (fun q0 -> (fun p->2*p) (coq_lor p0 q0)) (fun _ -> (fun p->1+2*p) p0) q) (fun _ -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun _ -> q) (fun q0 -> (fun p->1+2*p) q0) (fun _ -> q) q) p (** val coq_land : int -> int -> int **) let rec coq_land p q = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun p0 -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q0 -> coq_Nsucc_double (coq_land p0 q0)) (fun q0 -> coq_Ndouble (coq_land p0 q0)) (fun _ -> 1) q) (fun p0 -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q0 -> coq_Ndouble (coq_land p0 q0)) (fun q0 -> coq_Ndouble (coq_land p0 q0)) (fun _ -> 0) q) (fun _ -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun _ -> 1) (fun _ -> 0) (fun _ -> 1) q) p (** val ldiff : int -> int -> int **) let rec ldiff p q = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun p0 
-> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q0 -> coq_Ndouble (ldiff p0 q0)) (fun q0 -> coq_Nsucc_double (ldiff p0 q0)) (fun _ -> ((fun p->2*p) p0)) q) (fun p0 -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q0 -> coq_Ndouble (ldiff p0 q0)) (fun q0 -> coq_Ndouble (ldiff p0 q0)) (fun _ -> p) q) (fun _ -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun _ -> 0) (fun _ -> 1) (fun _ -> 0) q) p end module N = struct (** val succ_pos : int -> int **) let succ_pos n0 = (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> 1) (fun p -> Pos.succ p) n0 (** val coq_lor : int -> int -> int **) let coq_lor n0 m = (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> m) (fun p -> (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> n0) (fun q -> (Pos.coq_lor p q)) m) n0 (** val coq_land : int -> int -> int **) let coq_land n0 m = (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> 0) (fun p -> (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> 0) (fun q -> Pos.coq_land p q) m) n0 (** val ldiff : int -> int -> int **) let ldiff n0 m = (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> 0) (fun p -> (fun f0 fp n -> if n=0 then f0 () else fp n) (fun _ -> n0) (fun q -> Pos.ldiff p q) m) n0 end (** val map : ('a1 -> 'a2) -> 'a1 list -> 'a2 list **) let rec map f = function | [] -> [] | a :: t -> (f a) :: (map f t) (** val fold_left : ('a1 -> 'a2 -> 'a1) -> 'a2 list -> 'a1 -> 'a1 **) let rec fold_left f l a0 = match l with | [] -> a0 | b :: t -> fold_left f t (f a0 b) module Z = struct (** val double : int -> int **) let double x = (fun f0 fp fn z -> if z=0 then f0 () else if z>0 then fp z else fn (-z)) (fun _ -> 0) (fun p -> ((fun p->2*p) p)) (fun p -> (~-) ((fun p->2*p) p)) x (** val succ_double : int -> int **) let succ_double x = (fun f0 fp fn z -> if z=0 then f0 () else if z>0 then fp z else fn (-z)) (fun _ -> 
1) (fun p -> ((fun p->1+2*p) p)) (fun p -> (~-) (Pos.pred_double p)) x (** val pred_double : int -> int **) let pred_double x = (fun f0 fp fn z -> if z=0 then f0 () else if z>0 then fp z else fn (-z)) (fun _ -> (~-) 1) (fun p -> (Pos.pred_double p)) (fun p -> (~-) ((fun p->1+2*p) p)) x (** val pos_sub : int -> int -> int **) let rec pos_sub x y = (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun p -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q -> double (pos_sub p q)) (fun q -> succ_double (pos_sub p q)) (fun _ -> ((fun p->2*p) p)) y) (fun p -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q -> pred_double (pos_sub p q)) (fun q -> double (pos_sub p q)) (fun _ -> (Pos.pred_double p)) y) (fun _ -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun q -> (~-) ((fun p->2*p) q)) (fun q -> (~-) (Pos.pred_double q)) (fun _ -> 0) y) x (** val add : int -> int -> int **) let add = (+) (** val opp : int -> int **) let opp = (~-) (** val pred : int -> int **) let pred = Pervasives.pred (** val mul : int -> int -> int **) let mul = ( * ) (** val of_N : int -> int **) let of_N = fun p -> p (** val div2 : int -> int **) let div2 z0 = (fun f0 fp fn z -> if z=0 then f0 () else if z>0 then fp z else fn (-z)) (fun _ -> 0) (fun p -> (fun f2p1 f2p f1 p -> if p<=1 then f1 () else if p mod 2 = 0 then f2p (p/2) else f2p1 (p/2)) (fun _ -> (Pos.div2 p)) (fun _ -> (Pos.div2 p)) (fun _ -> 0) p) (fun p -> (~-) (Pos.div2_up p)) z0 (** val lnot : int -> int **) let lnot a = pred (opp a) end (** val chunk' : int -> 'a1 list -> 'a1 list -> 'a1 list list **) let rec chunk' k bs ck = match bs with | [] -> (match ck with | [] -> [] | _ :: _ -> ck :: []) | b :: bs0 -> let ck0 = app ck (b :: []) in if Nat.ltb (length ck0) k then chunk' k bs0 ck0 else ck0 :: (chunk' k bs0 []) (** val chunk : int -> 'a1 
list -> 'a1 list list **) let chunk k bs = chunk' k bs [] module Coq_byte = struct (** val unsigned : char -> int **) let unsigned b = Z.of_N (Char.code b) end (** val le_combine : char list -> int **) let rec le_combine = function | [] -> 0 | h :: t -> (lor) (Coq_byte.unsigned h) (Int.shift_left (le_combine t) ((fun p->2*p) ((fun p->2*p) ((fun p->2*p) 1)))) (** val onec_add16 : int -> int -> int **) let onec_add16 z1 z2 = let sum = Z.add z1 z2 in Z.add ((land) sum ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) 1)))))))))))))))) (Int.shift_right sum ((fun p->2*p) ((fun p->2*p) ((fun p->2*p) ((fun p->2*p) 1))))) (** val ip_checksum : char list -> int **) let ip_checksum bs = let chk = fold_left onec_add16 (map le_combine (chunk (Pervasives.succ (Pervasives.succ 0)) bs)) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) 1))))))))))))))) in (land) (Z.lnot chk) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) ((fun p->1+2*p) 1))))))))))))))) let list_char_of_string s = List.init (String.length s) (String.get s) let () = Callback.register "ip_checksum" ip_checksum; Callback.register "list_char_of_string" list_char_of_string /home/jgross/fiat-crypto/rupicola/src/Rupicola/Examples/Net/IPChecksum/SpecExtraction.vo (real: 0.49, user: 0.37, sys: 0.11, mem: 394532 ko) COQDEP VFILES Makefile:154: warning: overriding recipe for target 'all' Makefile.coq:386: warning: ignoring old recipe for target 'all' Makefile:489: warning: 
overriding recipe for target 'validate' Makefile.coq:514: warning: ignoring old recipe for target 'validate' make --no-print-directory -C rewriter make --no-print-directory -C rupicola/bedrock2/deps/coqutil make --no-print-directory -C coqprime src/Coqprime/PrimalityTest/Zp.vo src/Coqprime/PrimalityTest/PocklingtonCertificat.vo Generating Makefile.coq.all make -f Makefile.coq.all make[1]: 'src/Coqprime/PrimalityTest/Zp.vo' is up to date. make[1]: 'src/Coqprime/PrimalityTest/PocklingtonCertificat.vo' is up to date. make[3]: Nothing to be done for 'real-all'. make --no-print-directory -C rupicola/bedrock2 bedrock2_ex make -C /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil Generating Makefile.coq.all make -f Makefile.coq.all make[4]: Nothing to be done for 'real-all'. echo $COQ_VERSION_INFO (8.15.0) > .coq-version-short echo $COQ_VERSION_INFO (8.15.0, compiled with) > .coq-version-short-date echo $COQ_VERSION_INFO (8.15.0, OCaml 4.14.0) > .coq-version-compilation-date echo $COQ_VERSION_INFO (8.15.0, 4.14.0) > .coq-version-ocaml-version make -C /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2 noex echo $COQ_VERSION_INFO (8.15.0, ) > .coq-version-ocaml-config echo $COQ_VERSION_INFO (8.15.0, ) > .coq-version-config Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil rm -f .coqdeps.d make -f Makefile.coq.noex etc/machine.sh > .machine make[4]: Nothing to be done for 'real-all'. etc/machine-extended.sh > .machine-extended etc/machine-extended.sh: line 16: lsb_release: command not found make -C /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2 Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. 
Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil rm -f .coqdeps.d make -f Makefile.coq.noex Generating Makefile.coq.ex Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil make[4]: Nothing to be done for 'real-all'. rm -f .coqdeps.d make -f Makefile.coq.ex make[4]: Nothing to be done for 'real-all'. COQFLAGS="-Q src/bedrock2 bedrock2 -Q src/bedrock2Examples bedrock2Examples -Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil " ../etc/bytedump.py bedrock2.PrintListByte.allBytes > special/BytedumpTest.out.tmp hexdump < /dev/null && \ hexdump -C special/BytedumpTest.golden.bin > special/BytedumpTest.golden.hex && \ hexdump -C special/BytedumpTest.out.tmp > special/BytedumpTest.out.hex && \ diff -u special/BytedumpTest.golden.hex special/BytedumpTest.out.hex && \ rm special/BytedumpTest.golden.hex special/BytedumpTest.out.hex || true diff -u special/BytedumpTest.golden.bin special/BytedumpTest.out.tmp mv special/BytedumpTest.out.tmp special/BytedumpTest.out COQFLAGS="-Q src/bedrock2 bedrock2 -Q src/bedrock2Examples bedrock2Examples -Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil " ../etc/bytedump.py bedrock2.ToCStringStackallocLoopTest.main_cbytes > special/stackloop.c COQFLAGS="-Q src/bedrock2 bedrock2 -Q src/bedrock2Examples bedrock2Examples -Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil " ../etc/bytedump.py bedrock2.ToCStringExprTypecheckingTest.test > special/TypecheckExprToCString.c cc -O0 special/stackloop.c -o special/stackloop cc -fsyntax-only special/TypecheckExprToCString.c special/stackloop make[2]: Nothing to be done for 'real-all'. 
COQFLAGS="-Q src/bedrock2 bedrock2 -Q src/bedrock2Examples bedrock2Examples -Q /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil coqutil " ../etc/bytedump.py bedrock2Examples.stackalloc.stacknondet_c > special/stacknondet.c cc special/stacknondet.c -o special/stacknondet special/stacknondet make --no-print-directory -C rupicola/bedrock2 compiler_noex make -C /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil make NO_TEST=1 -C /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coq-record-update Generating Makefile.coq.all make -f Makefile.coq.all make[4]: Nothing to be done for 'real-all'. make[4]: Nothing to be done for 'real-all'. make -C /home/jgross/fiat-crypto/rupicola/bedrock2/deps/riscv-coq all make -C /home/jgross/fiat-crypto/rupicola/bedrock2/bedrock2 noex Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil rm -f .coqdeps.d make -f Makefile.coq.noex Generating Makefile.coq.all Warning: /home/jgross/fiat-crypto/rupicola/bedrock2/deps/coqutil/src/coqutil (used in -R or -Q) is not a subdirectory of the current directory Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_coqutil_RecordUpdate_riscv rm -f .coqdeps.d make -f Makefile.coq.all make[4]: Nothing to be done for 'real-all'. make[4]: Nothing to be done for 'real-all'. make -C /home/jgross/fiat-crypto/rupicola/bedrock2/compiler noex Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. 
Warning: Otherwise the install-doc target is going to install files Warning: in orphan_compiler_compilerExamples_bedrock2_bedrock2Examples_coqutil_riscv rm -f .coqdeps.d make -f Makefile.coq.noex make[4]: Nothing to be done for 'real-all'. make --no-print-directory -C rupicola all make --no-print-directory -C bedrock2/deps/coqutil Generating Makefile.coq.all make -f Makefile.coq.all make[4]: Nothing to be done for 'real-all'. make --no-print-directory -C bedrock2/bedrock2 noex Generating Makefile.coq Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_coqutil_bedrock2_Rupicola Generating Makefile.coq.noex Warning: No common logical root. Warning: In this case the -docroot option should be given. Warning: Otherwise the install-doc target is going to install files Warning: in orphan_bedrock2_bedrock2Examples_coqutil rm -f .coqdeps.d make -f Makefile.coq.noex make[4]: Nothing to be done for 'real-all'. rm -f .coqdeps.d make -f Makefile.coq COQDEP VFILES make[3]: Nothing to be done for 'real-all'. 
COQC src/Util/GlobalSettings.v src/Util/GlobalSettings.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 70464 ko) COQC src/Util/Isomorphism.v src/Util/Isomorphism.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 72016 ko) COQC src/Util/IffT.v src/Util/IffT.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 90000 ko) COQC src/Util/HProp.v src/Util/HProp.vo (real: 0.09, user: 0.04, sys: 0.04, mem: 99956 ko) COQC src/Util/Tactics/Test.v src/Util/Tactics/Test.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 70796 ko) COQC src/Util/Tactics/ConstrFail.v src/Util/Tactics/ConstrFail.vo (real: 0.07, user: 0.01, sys: 0.05, mem: 71008 ko) COQC src/Util/Pointed.v src/Util/Pointed.vo (real: 0.09, user: 0.06, sys: 0.03, mem: 91572 ko) COQC src/Util/Tactics/Contains.v src/Util/Tactics/Contains.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 71140 ko) COQC src/Util/Comparison.v src/Util/Comparison.vo (real: 0.08, user: 0.02, sys: 0.06, mem: 82664 ko) COQC src/Util/Tactics/GetGoal.v src/Util/Tactics/GetGoal.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 70852 ko) COQC src/Util/ListUtil/NthExt.v src/Util/ListUtil/NthExt.vo (real: 0.23, user: 0.16, sys: 0.05, mem: 206500 ko) COQC src/Util/Strings/Decimal.v src/Util/Strings/Decimal.vo (real: 0.28, user: 0.20, sys: 0.08, mem: 251328 ko) COQC src/Util/ZUtil/Hints/Core.v src/Util/ZUtil/Hints/Core.vo (real: 0.29, user: 0.21, sys: 0.07, mem: 260452 ko) COQC src/Util/ZUtil/Lnot.v src/Util/ZUtil/Lnot.vo (real: 0.30, user: 0.20, sys: 0.09, mem: 261208 ko) COQC src/Util/ZUtil/Tactics/CompareToSgn.v src/Util/ZUtil/Tactics/CompareToSgn.vo (real: 0.29, user: 0.20, sys: 0.08, mem: 256800 ko) COQC src/Util/Bool/LeCompat.v src/Util/Bool/LeCompat.vo (real: 0.08, user: 0.02, sys: 0.05, mem: 80136 ko) COQC src/Util/ZUtil/Tactics/PrimeBound.v src/Util/ZUtil/Tactics/PrimeBound.vo (real: 0.25, user: 0.17, sys: 0.08, mem: 227180 ko) COQC src/Util/ListUtil/FoldMap.v src/Util/ListUtil/FoldMap.vo (real: 0.13, user: 0.08, sys: 0.05, mem: 110592 ko) COQC 
src/Util/ListUtil/PermutationCompat.v src/Util/ListUtil/PermutationCompat.vo (real: 0.19, user: 0.10, sys: 0.09, mem: 177032 ko) COQC src/Util/Unit.v src/Util/Unit.vo (real: 0.08, user: 0.01, sys: 0.07, mem: 76344 ko) COQC src/Util/ZUtil/Pow2.v src/Util/ZUtil/Pow2.vo (real: 0.31, user: 0.21, sys: 0.09, mem: 277828 ko) COQC src/Util/Tactics/SetEvars.v src/Util/Tactics/SetEvars.vo (real: 0.07, user: 0.02, sys: 0.04, mem: 70800 ko) COQC src/Util/NUtil/Sorting.v src/Util/NUtil/Sorting.vo (real: 0.29, user: 0.21, sys: 0.08, mem: 259632 ko) COQC src/Util/NatUtil.v src/Util/NatUtil.vo (real: 1.05, user: 0.97, sys: 0.08, mem: 412468 ko) COQC src/Util/NUtil/Testbit.v src/Util/NUtil/Testbit.vo (real: 0.30, user: 0.16, sys: 0.13, mem: 275440 ko) COQC src/Util/Tactics/SubstEvars.v src/Util/Tactics/SubstEvars.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 70936 ko) COQC src/Util/Tactics/PrintContext.v src/Util/Tactics/PrintContext.vo (real: 0.07, user: 0.04, sys: 0.02, mem: 71096 ko) COQC src/Util/ListUtil/SetoidListRev.v src/Util/ListUtil/SetoidListRev.vo (real: 0.30, user: 0.21, sys: 0.09, mem: 275060 ko) COQC src/Util/ZUtil/Tactics/PeelLe.v src/Util/ZUtil/Tactics/PeelLe.vo (real: 0.29, user: 0.18, sys: 0.10, mem: 259488 ko) COQC src/Util/ZUtil/Tactics/ReplaceNegWithPos.v src/Util/ZUtil/Tactics/ReplaceNegWithPos.vo (real: 0.29, user: 0.22, sys: 0.06, mem: 262164 ko) COQC src/Util/ZUtil/Tactics/SplitMinMax.v src/Util/ZUtil/Tactics/SplitMinMax.vo (real: 0.29, user: 0.21, sys: 0.08, mem: 257940 ko) COQC src/Util/ZUtil/N2Z.v src/Util/ZUtil/N2Z.vo (real: 0.32, user: 0.21, sys: 0.11, mem: 287372 ko) COQC src/Util/Tactics/DebugPrint.v src/Util/Tactics/DebugPrint.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 79852 ko) COQC src/Util/Bool/Equality.v src/Util/Bool/Equality.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 79884 ko) COQC src/Util/Tactics/HasBody.v src/Util/Tactics/HasBody.vo (real: 0.07, user: 0.05, sys: 0.02, mem: 70872 ko) COQC src/Util/ListUtil/RemoveN.v 
src/Util/ListUtil/RemoveN.vo (real: 0.12, user: 0.09, sys: 0.02, mem: 105060 ko) COQC src/Util/ZUtil/Tactics/DivideExistsMul.v src/Util/ZUtil/Tactics/DivideExistsMul.vo (real: 0.29, user: 0.18, sys: 0.10, mem: 257260 ko) COQC src/Util/Tactics/OnSubterms.v src/Util/Tactics/OnSubterms.vo (real: 0.07, user: 0.06, sys: 0.01, mem: 71088 ko) COQC src/Util/Tactics/Revert.v src/Util/Tactics/Revert.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 71140 ko) COQC src/Util/Tactics/NormalizeCommutativeIdentifier.v src/Util/Tactics/NormalizeCommutativeIdentifier.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 71404 ko) COQC src/Util/PER.v src/Util/PER.vo (real: 0.08, user: 0.03, sys: 0.05, mem: 79008 ko) COQC src/Util/ZUtil/Odd.v src/Util/ZUtil/Odd.vo (real: 0.31, user: 0.23, sys: 0.07, mem: 280816 ko) COQC src/Algebra/Nsatz.v src/Algebra/Nsatz.vo (real: 0.35, user: 0.23, sys: 0.12, mem: 311304 ko) COQC src/Util/Decidable/Bool2Prop.v src/Util/Decidable/Bool2Prop.vo (real: 0.26, user: 0.17, sys: 0.09, mem: 232660 ko) COQC src/Util/FueledLUB.v src/Util/FueledLUB.vo (real: 0.07, user: 0.07, sys: 0.00, mem: 71684 ko) COQC src/Util/Factorize.v src/Util/Factorize.vo (real: 0.31, user: 0.16, sys: 0.14, mem: 278464 ko) COQC src/Util/Tactics/SimplifyRepeatedIfs.v src/Util/Tactics/SimplifyRepeatedIfs.vo (real: 0.08, user: 0.03, sys: 0.05, mem: 71328 ko) COQC src/Util/Tactics/ETransitivity.v src/Util/Tactics/ETransitivity.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 74752 ko) COQC src/Util/Tactics/SubstLet.v src/Util/Tactics/SubstLet.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 71008 ko) COQC src/TAPSort.v src/TAPSort.vo (real: 0.31, user: 0.21, sys: 0.10, mem: 277056 ko) COQC src/Util/ZUtil/ModExp.v src/Util/ZUtil/ModExp.vo (real: 0.30, user: 0.21, sys: 0.07, mem: 266236 ko) COQC src/Util/ZUtil/Z2Nat.v src/Util/ZUtil/Z2Nat.vo (real: 0.33, user: 0.20, sys: 0.13, mem: 303740 ko) COQC src/Assembly/Parse/Examples/fiat_25519_carry_square_optimised_seed10.v 
src/Assembly/Parse/Examples/fiat_25519_carry_square_optimised_seed10.vo (real: 1.53, user: 1.34, sys: 0.18, mem: 454380 ko) COQC src/Assembly/Parse/Examples/fiat_25519_carry_square_optimised.v src/Assembly/Parse/Examples/fiat_25519_carry_square_optimised.vo (real: 1.53, user: 1.37, sys: 0.15, mem: 454528 ko) COQC src/Assembly/Parse/Examples/fiat_25519_carry_square_optimised_seed20.v src/Assembly/Parse/Examples/fiat_25519_carry_square_optimised_seed20.vo (real: 1.51, user: 1.39, sys: 0.12, mem: 450120 ko) COQC src/Assembly/Parse/Examples/fiat_p256_square_optimised_seed46.v src/Assembly/Parse/Examples/fiat_p256_square_optimised_seed46.vo (real: 4.08, user: 3.87, sys: 0.20, mem: 559152 ko) COQC src/Assembly/Parse/Examples/fiat_p256_mul_optimised_seed11.v src/Assembly/Parse/Examples/fiat_p256_mul_optimised_seed11.vo (real: 6.17, user: 5.92, sys: 0.24, mem: 670884 ko) COQC src/Assembly/Parse/Examples/boringssl_nasm_full_mul_p256.v src/Assembly/Parse/Examples/boringssl_nasm_full_mul_p256.vo (real: 0.52, user: 0.40, sys: 0.11, mem: 389540 ko) COQC src/Assembly/Parse/Examples/fiat_p256_square_optimised_seed103.v src/Assembly/Parse/Examples/fiat_p256_square_optimised_seed103.vo (real: 5.96, user: 5.74, sys: 0.21, mem: 663564 ko) COQC src/Util/Loops.v src/Util/Loops.vo (real: 0.58, user: 0.43, sys: 0.14, mem: 404468 ko) COQC src/Util/Tactics/ChangeInAll.v src/Util/Tactics/ChangeInAll.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 71268 ko) COQC src/Util/DefaultedTypes.v src/Util/DefaultedTypes.vo (real: 0.07, user: 0.02, sys: 0.05, mem: 71160 ko) COQC src/Util/Pos.v src/Util/Pos.vo (real: 0.07, user: 0.06, sys: 0.01, mem: 72412 ko) COQC src/PushButtonSynthesis/InvertHighLow.v src/PushButtonSynthesis/InvertHighLow.vo (real: 0.29, user: 0.19, sys: 0.09, mem: 261304 ko) COQC src/Util/Tactics/CPSId.v src/Util/Tactics/CPSId.vo (real: 0.07, user: 0.05, sys: 0.01, mem: 73120 ko) COQC src/Util/Sumbool.v src/Util/Sumbool.vo (real: 0.09, user: 0.06, sys: 0.03, mem: 93260 ko) COQC 
src/Util/Tactics/EvarNormalize.v src/Util/Tactics/EvarNormalize.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 71232 ko) COQC src/Util/Tactics/ClearFree.v src/Util/Tactics/ClearFree.vo (real: 0.07, user: 0.05, sys: 0.02, mem: 71324 ko) COQC src/Util/Tactics/ClearAll.v src/Util/Tactics/ClearAll.vo (real: 0.07, user: 0.02, sys: 0.05, mem: 71192 ko) COQC src/Util/Tactics/ClearDuplicates.v src/Util/Tactics/ClearDuplicates.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 71300 ko) COQC src/Util/Tactics/ClearbodyAll.v src/Util/Tactics/ClearbodyAll.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 71072 ko) COQC src/Util/Tactics/ConvoyDestruct.v src/Util/Tactics/ConvoyDestruct.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 71600 ko) COQC src/Util/Tactics/ESpecialize.v src/Util/Tactics/ESpecialize.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 70860 ko) COQC src/Util/Tactics/DestructTrivial.v src/Util/Tactics/DestructTrivial.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 71368 ko) COQC src/Assembly/Parse/Examples/fiat_p256_mul_optimised_seed4.v src/Assembly/Parse/Examples/fiat_p256_mul_optimised_seed4.vo (real: 6.71, user: 6.48, sys: 0.21, mem: 702508 ko) COQC src/Util/Tactics/EvarExists.v src/Util/Tactics/EvarExists.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 70988 ko) COQC src/Util/Tactics/Forward.v src/Util/Tactics/Forward.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 71428 ko) COQC src/Util/Tactics/PoseTermWithName.v src/Util/Tactics/PoseTermWithName.vo (real: 0.07, user: 0.04, sys: 0.02, mem: 71224 ko) COQC src/Util/Tactics/SideConditionsBeforeToAfter.v src/Util/Tactics/SideConditionsBeforeToAfter.vo (real: 0.07, user: 0.02, sys: 0.04, mem: 71144 ko) COQC src/Util/Tactics/SimplifyProjections.v src/Util/Tactics/SimplifyProjections.vo (real: 0.07, user: 0.02, sys: 0.04, mem: 71780 ko) COQC src/Util/Tactics/TransparentAssert.v src/Util/Tactics/TransparentAssert.vo (real: 0.07, user: 0.01, sys: 0.05, mem: 71844 ko) COQC src/Util/Tactics/UnfoldArg.v src/Util/Tactics/UnfoldArg.vo (real: 0.07, user: 
0.04, sys: 0.02, mem: 71448 ko) COQC src/Util/Tactics/UnifyAbstractReflexivity.v src/Util/Tactics/UnifyAbstractReflexivity.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 72196 ko) COQC src/Util/Tactics/VM.v src/Util/Tactics/VM.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 71644 ko) COQC src/Util/Bool/IsTrue.v src/Util/Bool/IsTrue.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 72776 ko) COQC src/Util/ZUtil/DistrIf.v src/Util/ZUtil/DistrIf.vo (real: 0.31, user: 0.21, sys: 0.10, mem: 271728 ko) COQC src/Util/ZUtil/Ge.v src/Util/ZUtil/Ge.vo (real: 0.31, user: 0.19, sys: 0.11, mem: 278804 ko) COQC src/Util/ZUtil/Mul.v src/Util/ZUtil/Mul.vo (real: 0.30, user: 0.19, sys: 0.10, mem: 258900 ko) COQC src/Util/SideConditions/CorePackages.v src/Util/SideConditions/CorePackages.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 79252 ko) COQC src/Util/Logic/ImplAnd.v src/Util/Logic/ImplAnd.vo (real: 0.08, user: 0.06, sys: 0.00, mem: 78616 ko) COQC src/Util/ZUtil/Sgn.v src/Util/ZUtil/Sgn.vo (real: 0.32, user: 0.22, sys: 0.09, mem: 276192 ko) COQC src/Util/Sigma/Associativity.v src/Util/Sigma/Associativity.vo (real: 0.08, user: 0.02, sys: 0.04, mem: 73344 ko) COQC src/Util/ZUtil/Sorting.v src/Util/ZUtil/Sorting.vo (real: 0.31, user: 0.24, sys: 0.07, mem: 269100 ko) COQC src/Util/Sigma/MapProjections.v src/Util/Sigma/MapProjections.vo (real: 0.07, user: 0.04, sys: 0.02, mem: 72832 ko) cp -f AUTHORS fiat-rust/AUTHORS cp -f CONTRIBUTORS fiat-rust/CONTRIBUTORS cp -f COPYRIGHT fiat-rust/COPYRIGHT cp -f LICENSE-MIT fiat-rust/LICENSE-MIT cp -f LICENSE-APACHE fiat-rust/LICENSE-APACHE cp -f LICENSE-BSD-1 fiat-rust/LICENSE-BSD-1 cp -f AUTHORS fiat-go/AUTHORS cp -f CONTRIBUTORS fiat-go/CONTRIBUTORS cp -f COPYRIGHT fiat-go/COPYRIGHT cp -f LICENSE-MIT fiat-go/LICENSE-MIT cp -f LICENSE-APACHE fiat-go/LICENSE-APACHE cp -f LICENSE-BSD-1 fiat-go/LICENSE-BSD-1 COQC src/Util/Sigma/Lift.v src/Util/Sigma/Lift.vo (real: 0.09, user: 0.06, sys: 0.02, mem: 88952 ko) COQC src/Util/Sigma/Related.v 
src/Util/Sigma/Related.vo (real: 0.12, user: 0.08, sys: 0.04, mem: 118960 ko) COQC src/Util/FixCoqMistakes.v src/Util/FixCoqMistakes.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 81056 ko) COQC src/Util/Tactics/Not.v src/Util/Tactics/Not.vo (real: 0.07, user: 0.04, sys: 0.03, mem: 71136 ko) COQC src/Util/Equality.v src/Util/Equality.vo (real: 0.15, user: 0.06, sys: 0.07, mem: 141012 ko) COQC src/Util/Tactics/SetoidSubst.v src/Util/Tactics/SetoidSubst.vo (real: 0.07, user: 0.01, sys: 0.05, mem: 73868 ko) COQC src/Util/ListUtil/Partition.v src/Util/ListUtil/Partition.vo (real: 0.25, user: 0.16, sys: 0.09, mem: 249592 ko) COQC src/Assembly/Parse/Examples/fiat_p256_mul_optimised_seed12.v src/Assembly/Parse/Examples/fiat_p256_mul_optimised_seed12.vo (real: 9.41, user: 9.15, sys: 0.24, mem: 865632 ko) COQC src/Util/ZUtil/ZSimplify/Core.v src/Util/ZUtil/ZSimplify/Core.vo (real: 0.30, user: 0.20, sys: 0.10, mem: 261756 ko) COQC src/Util/ZUtil/Hints/ZArith.v src/Util/ZUtil/Hints/ZArith.vo (real: 0.30, user: 0.21, sys: 0.09, mem: 260332 ko) COQC src/Util/ZUtil/Hints/Ztestbit.v src/Util/ZUtil/Hints/Ztestbit.vo (real: 0.30, user: 0.20, sys: 0.10, mem: 258500 ko) COQC src/Util/ZUtil/Hints/PullPush.v src/Util/ZUtil/Hints/PullPush.vo (real: 0.30, user: 0.21, sys: 0.08, mem: 264884 ko) COQC src/Util/ZUtil/Div/Bootstrap.v src/Util/ZUtil/Div/Bootstrap.vo (real: 0.31, user: 0.23, sys: 0.07, mem: 260584 ko) COQC src/Util/ZUtil/Modulo/Bootstrap.v src/Util/ZUtil/Modulo/Bootstrap.vo (real: 0.31, user: 0.18, sys: 0.12, mem: 271700 ko) COQC src/Util/Tactics/FindHyp.v src/Util/Tactics/FindHyp.vo (real: 0.09, user: 0.03, sys: 0.06, mem: 75312 ko) COQC src/Util/ZUtil/ZSimplify/Simple.v src/Util/ZUtil/ZSimplify/Simple.vo (real: 0.35, user: 0.25, sys: 0.09, mem: 299760 ko) COQC src/Util/ListUtil/Concat.v src/Util/ListUtil/Concat.vo (real: 0.13, user: 0.07, sys: 0.06, mem: 107912 ko) COQC src/Util/Structures/Equalities.v src/Util/Structures/Equalities.vo (real: 0.21, user: 0.11, sys: 0.10, mem: 
237000 ko) COQC src/Util/Structures/Equalities/Iso.v src/Util/Structures/Equalities/Iso.vo (real: 0.18, user: 0.10, sys: 0.06, mem: 151896 ko) COQC src/Util/Logic/Forall.v src/Util/Logic/Forall.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 80568 ko) COQC src/Util/Logic/Exists.v src/Util/Logic/Exists.vo (real: 0.08, user: 0.03, sys: 0.04, mem: 78516 ko) COQC src/Util/Logic.v src/Util/Logic.vo (real: 0.09, user: 0.06, sys: 0.03, mem: 90244 ko) COQC src/Util/Structures/Equalities/Unit.v src/Util/Structures/Equalities/Unit.vo (real: 0.13, user: 0.07, sys: 0.06, mem: 121152 ko) COQC src/Util/Tactics/PrintGoal.v src/Util/Tactics/PrintGoal.vo (real: 0.07, user: 0.03, sys: 0.04, mem: 71508 ko) COQC src/Util/ListUtil/Filter.v src/Util/ListUtil/Filter.vo (real: 0.31, user: 0.19, sys: 0.11, mem: 278632 ko) COQC src/Util/ListUtil/StdlibCompat.v src/Util/ListUtil/StdlibCompat.vo (real: 1.46, user: 1.32, sys: 0.13, mem: 414076 ko) COQC src/Util/Tactics/RunTacticAsConstr.v src/Util/Tactics/RunTacticAsConstr.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 75352 ko) COQC src/Util/ListUtil/CombineExtend.v src/Util/ListUtil/CombineExtend.vo (real: 0.13, user: 0.04, sys: 0.08, mem: 106296 ko) COQC src/Util/ZUtil/Tactics/LinearSubstitute.v src/Util/ZUtil/Tactics/LinearSubstitute.vo (real: 0.33, user: 0.21, sys: 0.10, mem: 277536 ko) COQC src/Util/DynList.v src/Util/DynList.vo (real: 0.13, user: 0.07, sys: 0.05, mem: 106476 ko) COQC src/Util/Tactics/CountBinders.v src/Util/Tactics/CountBinders.vo (real: 0.08, user: 0.02, sys: 0.06, mem: 75620 ko) COQC src/Util/Tactics/AppendUnderscores.v src/Util/Tactics/AppendUnderscores.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 75148 ko) COQC src/Util/Logic/ProdForall.v src/Util/Logic/ProdForall.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 88628 ko) COQC src/Util/FSets/FMapString.v src/Util/FSets/FMapString.vo (real: 0.56, user: 0.44, sys: 0.09, mem: 416376 ko) COQC src/Util/MSets/MSetString.v src/Util/MSets/MSetString.vo (real: 0.59, user: 0.46, sys: 
0.11, mem: 427300 ko) COQC src/Util/ZUtil/Opp.v src/Util/ZUtil/Opp.vo (real: 0.29, user: 0.20, sys: 0.08, mem: 262868 ko) COQC src/Util/Telescope/Core.v src/Util/Telescope/Core.vo (real: 0.11, user: 0.08, sys: 0.03, mem: 101652 ko) COQC src/Util/Tactics/RevertUntil.v src/Util/Tactics/RevertUntil.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 75004 ko) COQC src/Util/Curry.v src/Util/Curry.vo (real: 0.07, user: 0.05, sys: 0.01, mem: 74300 ko) COQC src/Util/ListUtil/Split.v src/Util/ListUtil/Split.vo (real: 0.12, user: 0.08, sys: 0.03, mem: 111052 ko) COQC src/Util/ZUtil/Nat2Z.v src/Util/ZUtil/Nat2Z.vo (real: 0.33, user: 0.23, sys: 0.10, mem: 294972 ko) COQC src/Util/Tactics/CacheTerm.v src/Util/Tactics/CacheTerm.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 73656 ko) COQC src/Util/Tactics/Delta1.v src/Util/Tactics/Delta1.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 75220 ko) COQC src/Util/Tactics/HeadUnderBinders.v src/Util/Tactics/HeadUnderBinders.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 75528 ko) COQC src/Util/Tower.v src/Util/Tower.vo (real: 0.08, user: 0.03, sys: 0.04, mem: 87028 ko) COQC src/Util/Structures/Equalities/Empty.v src/Util/Structures/Equalities/Empty.vo (real: 0.13, user: 0.09, sys: 0.03, mem: 117568 ko) COQC src/Util/Notations.v src/Util/Notations.vo (real: 0.09, user: 0.08, sys: 0.01, mem: 88852 ko) COQC src/Util/Tactics/Head.v src/Util/Tactics/Head.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 75224 ko) COQC src/Util/Tactics/DestructHyps.v src/Util/Tactics/DestructHyps.vo (real: 0.08, user: 0.06, sys: 0.02, mem: 76552 ko) COQC src/Util/Strings/String_as_OT_old.v src/Util/Strings/String_as_OT_old.vo (real: 0.51, user: 0.31, sys: 0.19, mem: 391008 ko) COQC src/Util/Wf.v src/Util/Wf.vo (real: 0.61, user: 0.46, sys: 0.14, mem: 357916 ko) COQC src/Util/Tactics/SpecializeBy.v src/Util/Tactics/SpecializeBy.vo (real: 0.08, user: 0.03, sys: 0.05, mem: 76020 ko) COQC src/Util/Prod.v src/Util/Prod.vo (real: 0.25, user: 0.15, sys: 0.10, mem: 267252 ko) COQC 
src/Util/Tactics/DoWithHyp.v src/Util/Tactics/DoWithHyp.vo (real: 0.07, user: 0.04, sys: 0.02, mem: 75432 ko) COQC src/Util/Tactics/SplitInContext.v src/Util/Tactics/SplitInContext.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 76500 ko) COQC src/Util/Sigma.v File "./src/Util/Sigma.v", line 376, characters 0-52: Warning: The Ltac name inversion_sigma may be unusable because of a conflict with a notation. [unusable-identifier,parsing] src/Util/Sigma.vo (real: 0.22, user: 0.10, sys: 0.12, mem: 224792 ko) COQC src/Util/Bool.v src/Util/Bool.vo (real: 0.15, user: 0.12, sys: 0.03, mem: 151520 ko) COQC src/Util/PrimitiveProd.v src/Util/PrimitiveProd.vo (real: 0.17, user: 0.08, sys: 0.09, mem: 193200 ko) COQC src/Util/Strings/String_as_OT.v src/Util/Strings/String_as_OT.vo (real: 0.98, user: 0.86, sys: 0.12, mem: 418252 ko) COQC src/Util/LetIn.v src/Util/LetIn.vo (real: 0.11, user: 0.10, sys: 0.01, mem: 102220 ko) COQC src/Util/ZUtil/Notations.v src/Util/ZUtil/Notations.vo (real: 0.20, user: 0.12, sys: 0.08, mem: 176104 ko) COQC src/Util/ErrorT.v src/Util/ErrorT.vo (real: 0.12, user: 0.09, sys: 0.02, mem: 129720 ko) COQC src/Util/ListUtil/GroupAllBy.v src/Util/ListUtil/GroupAllBy.vo (real: 0.48, user: 0.33, sys: 0.14, mem: 405564 ko) COQC src/Util/ZUtil/Hints.v src/Util/ZUtil/Hints.vo (real: 0.29, user: 0.20, sys: 0.08, mem: 261752 ko) COQC src/Util/ZUtil/Tactics/DivModToQuotRem.v src/Util/ZUtil/Tactics/DivModToQuotRem.vo (real: 0.29, user: 0.16, sys: 0.12, mem: 259964 ko) COQC src/Util/Tactics/UniquePose.v src/Util/Tactics/UniquePose.vo (real: 0.08, user: 0.04, sys: 0.04, mem: 76208 ko) COQC src/Util/Structures/Equalities/Project.v src/Util/Structures/Equalities/Project.vo (real: 0.11, user: 0.04, sys: 0.07, mem: 102900 ko) COQC src/Util/Compose.v src/Util/Compose.vo (real: 0.11, user: 0.04, sys: 0.07, mem: 103260 ko) COQC src/Util/ZUtil/Tactics/LtbToLt.v src/Util/ZUtil/Tactics/LtbToLt.vo (real: 0.34, user: 0.24, sys: 0.09, mem: 311724 ko) COQC src/Util/Tactics/Zeta1.v 
src/Util/Tactics/Zeta1.vo (real: 0.08, user: 0.03, sys: 0.04, mem: 78208 ko) COQC src/Util/Relations.v src/Util/Relations.vo (real: 0.20, user: 0.15, sys: 0.05, mem: 217692 ko) COQC src/Util/ZUtil/Modulo/PullPush.v src/Util/ZUtil/Modulo/PullPush.vo (real: 0.69, user: 0.56, sys: 0.13, mem: 405564 ko) COQC src/Util/Tactics/WarnIfGoalsRemain.v src/Util/Tactics/WarnIfGoalsRemain.vo (real: 0.07, user: 0.04, sys: 0.02, mem: 71572 ko) COQC src/Util/Sorting/Sorted/Proper.v src/Util/Sorting/Sorted/Proper.vo (real: 0.31, user: 0.16, sys: 0.13, mem: 330216 ko) COQC src/Util/PrimitiveHList.v src/Util/PrimitiveHList.vo (real: 0.13, user: 0.08, sys: 0.05, mem: 111740 ko) COQC src/Util/ZUtil/Tactics/RewriteModSmall.v src/Util/ZUtil/Tactics/RewriteModSmall.vo (real: 0.34, user: 0.20, sys: 0.13, mem: 308184 ko) COQC src/Util/CPSNotations.v src/Util/CPSNotations.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 82264 ko) COQC src/Util/PointedProp.v src/Util/PointedProp.vo (real: 0.30, user: 0.16, sys: 0.13, mem: 311976 ko) COQC src/Util/Tactics/AllSuccesses.v src/Util/Tactics/AllSuccesses.vo (real: 0.12, user: 0.09, sys: 0.03, mem: 105200 ko) COQC src/Util/DebugMonad.v src/Util/DebugMonad.vo (real: 0.23, user: 0.12, sys: 0.10, mem: 204544 ko) COQC src/Util/ListUtil/FoldBool.v src/Util/ListUtil/FoldBool.vo (real: 0.29, user: 0.22, sys: 0.07, mem: 296732 ko) COQC src/Util/Tactics/ClearHead.v src/Util/Tactics/ClearHead.vo (real: 0.07, user: 0.03, sys: 0.03, mem: 75508 ko) COQC src/Util/Telescope/Instances.v src/Util/Telescope/Instances.vo (real: 0.17, user: 0.06, sys: 0.10, mem: 182508 ko) COQC src/Assembly/Parse/Examples/fiat_p256_square_optimised_seed6.v src/Assembly/Parse/Examples/fiat_p256_square_optimised_seed6.vo (real: 8.34, user: 8.05, sys: 0.27, mem: 781392 ko) COQC src/Util/AutoRewrite.v src/Util/AutoRewrite.vo (real: 0.09, user: 0.06, sys: 0.02, mem: 87356 ko) COQC src/Util/LetInMonad.v src/Util/LetInMonad.vo (real: 0.24, user: 0.13, sys: 0.11, mem: 239236 ko) COQC 
src/Util/PrimitiveSigma.v File "./src/Util/PrimitiveSigma.v", line 225, characters 0-52: Warning: The Ltac name inversion_sigma may be unusable because of a conflict with a notation. [unusable-identifier,parsing] src/Util/PrimitiveSigma.vo (real: 0.16, user: 0.10, sys: 0.06, mem: 158668 ko) COQC src/Util/ParseTaps.v src/Util/ParseTaps.vo (real: 0.21, user: 0.12, sys: 0.09, mem: 186184 ko) COQC src/Util/Tactics/HeadConstrEq.v src/Util/Tactics/HeadConstrEq.vo (real: 0.08, user: 0.04, sys: 0.03, mem: 75484 ko) COQC src/Util/Tactics/Beta1.v src/Util/Tactics/Beta1.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 78624 ko) COQC src/Util/Tactics/MoveLetIn.v src/Util/Tactics/MoveLetIn.vo (real: 0.09, user: 0.04, sys: 0.05, mem: 83624 ko) COQC src/Util/TagList.v src/Util/TagList.vo (real: 0.14, user: 0.11, sys: 0.03, mem: 113012 ko) COQC src/Util/Structures/Equalities/Bool.v src/Util/Structures/Equalities/Bool.vo (real: 0.15, user: 0.10, sys: 0.05, mem: 137204 ko) COQC src/Util/SideConditions/RingPackage.v src/Util/SideConditions/RingPackage.vo (real: 0.30, user: 0.20, sys: 0.10, mem: 262120 ko) COQC src/Util/Strings/StringMap.v src/Util/Strings/StringMap.vo (real: 0.33, user: 0.26, sys: 0.05, mem: 262120 ko) COQC src/Util/Tactics/BreakMatch.v src/Util/Tactics/BreakMatch.vo (real: 0.08, user: 0.05, sys: 0.03, mem: 78676 ko) COQC src/Util/Strings/Sorting.v src/Util/Strings/Sorting.vo (real: 0.45, user: 0.31, sys: 0.13, mem: 372452 ko) COQC src/Util/Strings/Ascii.v src/Util/Strings/Ascii.vo (real: 0.24, user: 0.17, sys: 0.07, mem: 210192 ko) COQC src/Util/Tactics/DestructHead.v src/Util/Tactics/DestructHead.vo (real: 0.09, user: 0.05, sys: 0.04, mem: 82416 ko) COQC src/Util/Tactics/RewriteHyp.v src/Util/Tactics/RewriteHyp.vo (real: 0.09, user: 0.03, sys: 0.06, mem: 94540 ko) COQC src/Util/ZUtil/Tactics/PullPush/Modulo.v src/Util/ZUtil/Tactics/PullPush/Modulo.vo (real: 0.30, user: 0.26, sys: 0.04, mem: 263292 ko) COQC src/Util/ZUtil/Le.v src/Util/ZUtil/Le.vo (real: 0.36, user: 
0.24, sys: 0.12, mem: 330388 ko) COQC src/Util/Tactics/SpecializeAllWays.v src/Util/Tactics/SpecializeAllWays.vo (real: 0.09, user: 0.03, sys: 0.06, mem: 75672 ko) COQC src/Util/Decidable.v src/Util/Decidable.vo (real: 0.81, user: 0.71, sys: 0.09, mem: 379908 ko) COQC src/Util/Structures/Equalities/Prod.v src/Util/Structures/Equalities/Prod.vo (real: 0.37, user: 0.28, sys: 0.08, mem: 347708 ko) COQC src/Util/ListUtil/Permutation.v src/Util/ListUtil/Permutation.vo (real: 0.38, user: 0.26, sys: 0.12, mem: 332368 ko) COQC src/Util/Tactics/GeneralizeOverHoles.v src/Util/Tactics/GeneralizeOverHoles.vo (real: 0.10, user: 0.08, sys: 0.02, mem: 87280 ko) COQC src/Algebra/Hierarchy.v src/Algebra/Hierarchy.vo (real: 0.27, user: 0.20, sys: 0.06, mem: 247620 ko) COQC src/Util/NUtil/WithoutReferenceToZ.v src/Util/NUtil/WithoutReferenceToZ.vo (real: 0.36, user: 0.28, sys: 0.07, mem: 337180 ko) COQC src/Util/ZUtil/Peano.v src/Util/ZUtil/Peano.vo (real: 0.35, user: 0.23, sys: 0.12, mem: 328344 ko) COQC src/Arithmetic/BarrettReduction/RidiculousFish.v src/Arithmetic/BarrettReduction/RidiculousFish.vo (real: 2.36, user: 2.18, sys: 0.17, mem: 427732 ko) COQC src/Util/Tactics/AllInstances.v src/Util/Tactics/AllInstances.vo (real: 0.14, user: 0.09, sys: 0.05, mem: 105404 ko) COQC src/Util/ListUtil/ForallIn.v src/Util/ListUtil/ForallIn.vo (real: 0.18, user: 0.07, sys: 0.10, mem: 172944 ko) COQC src/Util/Telescope/Equality.v src/Util/Telescope/Equality.vo (real: 0.21, user: 0.11, sys: 0.09, mem: 245504 ko) COQC src/Util/ZUtil/Tactics/PullPush.v src/Util/ZUtil/Tactics/PullPush.vo (real: 0.26, user: 0.19, sys: 0.07, mem: 231652 ko) COQC src/Spec/MxDH.v src/Spec/MxDH.vo (real: 0.24, user: 0.13, sys: 0.11, mem: 212556 ko) COQC src/Util/Logic/ExistsEqAnd.v src/Util/Logic/ExistsEqAnd.vo (real: 0.11, user: 0.07, sys: 0.03, mem: 104116 ko) COQC src/Util/ZUtil/ZSimplify/Autogenerated.v src/Util/ZUtil/ZSimplify/Autogenerated.vo (real: 2.96, user: 2.78, sys: 0.16, mem: 419620 ko) COQC 
src/Util/SideConditions/ReductionPackages.v src/Util/SideConditions/ReductionPackages.vo (real: 0.22, user: 0.14, sys: 0.06, mem: 189108 ko) COQC src/Util/MSets/FMapPositive/Equality.v src/Util/MSets/FMapPositive/Equality.vo (real: 0.32, user: 0.20, sys: 0.11, mem: 302632 ko) COQC src/Util/MSets/MSetPositive/Equality.v src/Util/MSets/MSetPositive/Equality.vo (real: 0.40, user: 0.24, sys: 0.15, mem: 336028 ko) COQC src/Util/Option.v src/Util/Option.vo (real: 0.36, user: 0.21, sys: 0.15, mem: 313520 ko) COQC src/Util/Strings/String.v src/Util/Strings/String.vo (real: 0.46, user: 0.37, sys: 0.09, mem: 405224 ko) COQC src/Util/PartiallyReifiedProp.v src/Util/PartiallyReifiedProp.vo (real: 0.82, user: 0.68, sys: 0.13, mem: 324896 ko) COQC src/Util/ZUtil/Definitions.v src/Util/ZUtil/Definitions.vo (real: 0.33, user: 0.22, sys: 0.10, mem: 284900 ko) COQC src/Util/Structures/Equalities/Option.v src/Util/Structures/Equalities/Option.vo (real: 0.24, user: 0.17, sys: 0.06, mem: 242624 ko) COQC src/Util/ListUtil/IndexOf.v src/Util/ListUtil/IndexOf.vo (real: 0.18, user: 0.10, sys: 0.07, mem: 174024 ko) COQC src/Util/Sum.v src/Util/Sum.vo (real: 0.55, user: 0.43, sys: 0.11, mem: 381388 ko) COQC src/Util/Tactics/SpecializeUnderBindersBy.v src/Util/Tactics/SpecializeUnderBindersBy.vo (real: 0.10, user: 0.05, sys: 0.04, mem: 93516 ko) COQC src/Util/Tactics/InHypUnderBindersDo.v src/Util/Tactics/InHypUnderBindersDo.vo (real: 0.10, user: 0.07, sys: 0.03, mem: 91956 ko) COQC src/Util/ZUtil/MulSplit.v src/Util/ZUtil/MulSplit.vo (real: 0.33, user: 0.19, sys: 0.13, mem: 294588 ko) COQC src/Util/ZUtil/Zselect.v src/Util/ZUtil/Zselect.vo (real: 0.31, user: 0.22, sys: 0.09, mem: 275240 ko) COQC src/Algebra/Monoid.v src/Algebra/Monoid.vo (real: 0.42, user: 0.33, sys: 0.08, mem: 382656 ko) COQC src/Util/ZUtil/ZSimplify.v src/Util/ZUtil/ZSimplify.vo (real: 0.27, user: 0.18, sys: 0.09, mem: 236620 ko) COQC src/Util/ZUtil/AddModulo.v src/Util/ZUtil/AddModulo.vo (real: 0.30, user: 0.21, sys: 
0.08, mem: 266180 ko) COQC src/Util/ZUtil/Ltz.v src/Util/ZUtil/Ltz.vo (real: 0.58, user: 0.44, sys: 0.13, mem: 411136 ko) COQC src/Util/ZUtil/Combine.v src/Util/ZUtil/Combine.vo (real: 0.36, user: 0.27, sys: 0.09, mem: 332664 ko) COQC src/Bedrock/Field/Common/Names/VarnameGenerator.v src/Bedrock/Field/Common/Names/VarnameGenerator.vo (real: 0.34, user: 0.22, sys: 0.11, mem: 294108 ko) COQC src/Util/ZUtil/LnotModulo.v src/Util/ZUtil/LnotModulo.vo (real: 0.30, user: 0.22, sys: 0.07, mem: 266036 ko) COQC src/Util/Tactics.v src/Util/Tactics.vo (real: 0.17, user: 0.12, sys: 0.05, mem: 121436 ko) COQC src/Util/Strings/Superscript.v src/Util/Strings/Superscript.vo (real: 0.28, user: 0.17, sys: 0.10, mem: 256688 ko) COQC src/Util/ZUtil/CPS.v src/Util/ZUtil/CPS.vo (real: 0.50, user: 0.38, sys: 0.11, mem: 407988 ko) COQC src/Util/ListUtil/Forall.v src/Util/ListUtil/Forall.vo (real: 1.94, user: 1.81, sys: 0.11, mem: 410988 ko) COQC src/Util/Wf1.v src/Util/Wf1.vo (real: 1.17, user: 1.09, sys: 0.07, mem: 358288 ko) COQC src/Util/Strings/Subscript.v src/Util/Strings/Subscript.vo (real: 0.27, user: 0.15, sys: 0.11, mem: 244812 ko) COQC src/Util/ListUtil/SetoidList.v src/Util/ListUtil/SetoidList.vo (real: 0.40, user: 0.34, sys: 0.06, mem: 346200 ko) COQC src/Util/OptionList.v src/Util/OptionList.vo (real: 0.69, user: 0.56, sys: 0.13, mem: 405288 ko) COQC src/Util/Structures/Equalities/Sum.v src/Util/Structures/Equalities/Sum.vo (real: 0.42, user: 0.32, sys: 0.10, mem: 380584 ko) COQC src/Util/ListUtil/SetoidListFlatMap.v src/Util/ListUtil/SetoidListFlatMap.vo (real: 0.62, user: 0.43, sys: 0.18, mem: 409592 ko) COQC src/Util/Structures/Orders.v src/Util/Structures/Orders.vo (real: 3.35, user: 3.16, sys: 0.18, mem: 447700 ko) COQC src/Util/ZUtil/AddGetCarry.v src/Util/ZUtil/AddGetCarry.vo (real: 1.19, user: 1.09, sys: 0.09, mem: 413464 ko) COQC src/Util/ZUtil/Rshi.v src/Util/ZUtil/Rshi.vo (real: 1.48, user: 1.33, sys: 0.13, mem: 412752 ko) COQC src/Util/Structures/Orders/Bool.v 
src/Util/Structures/Orders/Bool.vo (real: 0.66, user: 0.54, sys: 0.11, mem: 413428 ko) COQC src/Util/ZUtil/ModInv.v src/Util/ZUtil/ModInv.vo (real: 2.09, user: 1.91, sys: 0.17, mem: 426552 ko) COQC src/Util/Structures/Orders/Empty.v src/Util/Structures/Orders/Empty.vo (real: 0.43, user: 0.29, sys: 0.13, mem: 359900 ko) COQC src/Util/MSets/MSetPositive/Facts.v src/Util/MSets/MSetPositive/Facts.vo (real: 0.45, user: 0.37, sys: 0.07, mem: 372016 ko) COQC src/Util/SideConditions/ModInvPackage.v src/Util/SideConditions/ModInvPackage.vo (real: 0.34, user: 0.23, sys: 0.11, mem: 288688 ko) COQC src/Util/Strings/Parse/Common.v src/Util/Strings/Parse/Common.vo (real: 0.33, user: 0.20, sys: 0.13, mem: 288376 ko) COQC src/Util/Wf2.v src/Util/Wf2.vo (real: 2.17, user: 2.00, sys: 0.15, mem: 387284 ko) COQC src/Algebra/Group.v src/Algebra/Group.vo (real: 3.55, user: 3.41, sys: 0.12, mem: 392536 ko) COQC src/Util/Structures/Orders/Iso.v src/Util/Structures/Orders/Iso.vo (real: 0.40, user: 0.30, sys: 0.09, mem: 336796 ko) COQC src/Util/Structures/Orders/Flip.v src/Util/Structures/Orders/Flip.vo (real: 0.69, user: 0.52, sys: 0.16, mem: 413020 ko) COQC src/Util/Structures/Orders/Sum.v src/Util/Structures/Orders/Sum.vo (real: 1.01, user: 0.87, sys: 0.13, mem: 432160 ko) COQC src/Util/FSets/FMapInterface.v src/Util/FSets/FMapInterface.vo (real: 0.30, user: 0.20, sys: 0.10, mem: 259380 ko) COQC src/Util/Structures/Orders/Unit.v src/Util/Structures/Orders/Unit.vo (real: 0.47, user: 0.29, sys: 0.18, mem: 374392 ko) COQC src/Util/ListUtil.v src/Util/ListUtil.vo (real: 7.03, user: 6.84, sys: 0.17, mem: 458692 ko) COQC src/Algebra/ScalarMult.v src/Algebra/ScalarMult.vo (real: 1.52, user: 1.34, sys: 0.16, mem: 412804 ko) COQC src/Util/Structures/Orders/Option.v src/Util/Structures/Orders/Option.vo (real: 3.08, user: 2.95, sys: 0.12, mem: 426060 ko) COQC src/Util/FSets/FMapFacts.v src/Util/FSets/FMapFacts.vo (real: 1.81, user: 1.63, sys: 0.18, mem: 443304 ko) COQC 
src/Util/AdditionChainExponentiation.v src/Util/AdditionChainExponentiation.vo (real: 0.38, user: 0.29, sys: 0.09, mem: 354204 ko) COQC src/MiscCompilerPasses.v src/MiscCompilerPasses.vo (real: 0.73, user: 0.51, sys: 0.21, mem: 455984 ko) COQC src/Bedrock/Group/Loops.v src/Bedrock/Group/Loops.vo (real: 0.75, user: 0.59, sys: 0.15, mem: 450704 ko) COQC src/Util/SideConditions/Autosolve.v src/Util/SideConditions/Autosolve.vo (real: 0.30, user: 0.18, sys: 0.12, mem: 265124 ko) COQC src/Util/FSets/FMapEmpty.v src/Util/FSets/FMapEmpty.vo (real: 0.82, user: 0.63, sys: 0.18, mem: 457784 ko) COQC src/Util/Strings/ParseArithmetic.v src/Util/Strings/ParseArithmetic.vo (real: 1.05, user: 0.92, sys: 0.12, mem: 423228 ko) COQC src/Util/Tuple.v src/Util/Tuple.vo (real: 1.79, user: 1.64, sys: 0.14, mem: 427448 ko) COQC src/Util/ZUtil/Pow.v src/Util/ZUtil/Pow.vo (real: 0.43, user: 0.32, sys: 0.11, mem: 358004 ko) COQC src/Util/Structures/OrdersEx.v src/Util/Structures/OrdersEx.vo (real: 0.76, user: 0.62, sys: 0.14, mem: 443140 ko) COQC src/Util/Bool/Reflect.v src/Util/Bool/Reflect.vo (real: 2.74, user: 2.56, sys: 0.17, mem: 423052 ko) COQC src/Util/FSets/FMapFlip.v src/Util/FSets/FMapFlip.vo (real: 0.86, user: 0.69, sys: 0.17, mem: 453752 ko) COQC src/Util/FSets/FMapUnit.v src/Util/FSets/FMapUnit.vo (real: 1.74, user: 1.55, sys: 0.18, mem: 459704 ko) COQC src/Util/Structures/Equalities/List.v src/Util/Structures/Equalities/List.vo (real: 0.54, user: 0.42, sys: 0.10, mem: 418500 ko) COQC src/Util/FSets/FMapTrie/Shape.v src/Util/FSets/FMapTrie/Shape.vo (real: 0.74, user: 0.61, sys: 0.11, mem: 434324 ko) COQC src/Util/FSets/FMapIso.v src/Util/FSets/FMapIso.vo (real: 4.93, user: 4.72, sys: 0.19, mem: 453940 ko) COQC src/Util/MSets/MSetIso.v src/Util/MSets/MSetIso.vo (real: 2.71, user: 2.56, sys: 0.15, mem: 448424 ko) COQC src/Util/ZRange.v src/Util/ZRange.vo (real: 0.55, user: 0.33, sys: 0.20, mem: 423680 ko) COQC src/Util/FSets/FMapSect.v src/Util/FSets/FMapSect.vo (real: 4.68, user: 
4.49, sys: 0.17, mem: 458620 ko) COQC src/Util/ErrorT/List.v src/Util/ErrorT/List.vo (real: 0.84, user: 0.72, sys: 0.12, mem: 420896 ko) COQC src/Algebra/Ring.v src/Algebra/Ring.vo (real: 10.32, user: 10.12, sys: 0.17, mem: 445140 ko) COQC src/Util/Strings/ParseArithmeticToTaps.v src/Util/Strings/ParseArithmeticToTaps.vo (real: 0.75, user: 0.65, sys: 0.10, mem: 414908 ko) COQC src/Util/ZUtil/Divide/Bool.v src/Util/ZUtil/Divide/Bool.vo (real: 0.40, user: 0.30, sys: 0.09, mem: 381132 ko) COQC src/Algebra/SubsetoidRing.v src/Algebra/SubsetoidRing.vo (real: 0.74, user: 0.60, sys: 0.14, mem: 417272 ko) COQC src/Util/IdfunWithAlt.v src/Util/IdfunWithAlt.vo (real: 0.36, user: 0.21, sys: 0.15, mem: 313056 ko) COQC src/Util/Structures/Orders/Prod.v src/Util/Structures/Orders/Prod.vo (real: 14.47, user: 14.30, sys: 0.15, mem: 458060 ko) COQC src/Util/HList.v src/Util/HList.vo (real: 0.53, user: 0.36, sys: 0.16, mem: 419448 ko) COQC src/Util/ZBounded.v src/Util/ZBounded.vo (real: 0.55, user: 0.42, sys: 0.13, mem: 424196 ko) COQC src/Util/Decidable/Decidable2Bool.v src/Util/Decidable/Decidable2Bool.vo (real: 0.61, user: 0.48, sys: 0.12, mem: 421692 ko) COQC src/Fancy/Spec.v src/Fancy/Spec.vo (real: 1.23, user: 1.04, sys: 0.18, mem: 447204 ko) COQC src/Util/Level.v src/Util/Level.vo (real: 0.52, user: 0.36, sys: 0.15, mem: 421028 ko) COQC src/Util/Listable.v src/Util/Listable.vo (real: 0.42, user: 0.29, sys: 0.12, mem: 370872 ko) COQC src/MiscCompilerPassesProofs.v src/MiscCompilerPassesProofs.vo (real: 3.20, user: 3.01, sys: 0.18, mem: 465404 ko) COQC src/Util/ZUtil/Log2.v src/Util/ZUtil/Log2.vo (real: 0.53, user: 0.38, sys: 0.15, mem: 420504 ko) COQC src/Util/MSets/MSetSum.v src/Util/MSets/MSetSum.vo (real: 6.13, user: 6.01, sys: 0.10, mem: 459440 ko) COQC src/Util/ZUtil/Div.v src/Util/ZUtil/Div.vo (real: 2.06, user: 1.93, sys: 0.12, mem: 422680 ko) COQC src/Assembly/Syntax.v src/Assembly/Syntax.vo (real: 11.35, user: 11.08, sys: 0.23, mem: 727260 ko) COQC 
src/Util/FSets/FMapOption.v src/Util/FSets/FMapOption.vo (real: 15.18, user: 14.92, sys: 0.24, mem: 561872 ko) COQC src/Util/MSets/MSetN.v src/Util/MSets/MSetN.vo (real: 0.72, user: 0.56, sys: 0.16, mem: 439688 ko) COQC src/Util/ZUtil/Divide.v src/Util/ZUtil/Divide.vo (real: 0.55, user: 0.39, sys: 0.16, mem: 422608 ko) COQC src/Util/ZRange/Operations.v src/Util/ZRange/Operations.vo (real: 0.43, user: 0.34, sys: 0.09, mem: 358348 ko) COQC src/Algebra/IntegralDomain.v src/Algebra/IntegralDomain.vo (real: 0.81, user: 0.71, sys: 0.09, mem: 419428 ko) COQC src/Util/ZUtil/Tactics/RewriteModDivide.v src/Util/ZUtil/Tactics/RewriteModDivide.vo (real: 0.38, user: 0.26, sys: 0.11, mem: 312608 ko) COQC src/Util/CPSUtil.v src/Util/CPSUtil.vo (real: 0.77, user: 0.63, sys: 0.13, mem: 421048 ko) COQC src/Util/FSets/FMapBool.v src/Util/FSets/FMapBool.vo (real: 20.62, user: 20.34, sys: 0.26, mem: 628972 ko) COQC src/Util/FSets/FMapSum.v src/Util/FSets/FMapSum.vo (real: 17.78, user: 17.48, sys: 0.28, mem: 561708 ko) COQC src/Assembly/WithBedrock/Semantics.v src/Assembly/WithBedrock/Semantics.vo (real: 0.67, user: 0.50, sys: 0.16, mem: 466224 ko) COQC src/Util/Strings/Show.v src/Util/Strings/Show.vo (real: 0.54, user: 0.35, sys: 0.19, mem: 426780 ko) COQC src/Assembly/Equality.v src/Assembly/Equality.vo (real: 0.90, user: 0.74, sys: 0.15, mem: 448904 ko) COQC src/Util/ZUtil/Tactics/ZeroBounds.v src/Util/ZUtil/Tactics/ZeroBounds.vo (real: 0.37, user: 0.21, sys: 0.16, mem: 314112 ko) COQC src/Util/FSets/FMapProd.v src/Util/FSets/FMapProd.vo (real: 18.93, user: 18.64, sys: 0.24, mem: 623532 ko) COQC src/Util/FSets/FMapN.v src/Util/FSets/FMapN.vo (real: 0.89, user: 0.66, sys: 0.23, mem: 524736 ko) COQC src/Util/Structures/Orders/List.v src/Util/Structures/Orders/List.vo (real: 10.75, user: 10.57, sys: 0.16, mem: 456848 ko) COQC src/Util/ZRange/Show.v src/Util/ZRange/Show.vo (real: 0.35, user: 0.26, sys: 0.08, mem: 315196 ko) COQC src/Language/PreExtra.v src/Language/PreExtra.vo (real: 
0.53, user: 0.37, sys: 0.16, mem: 390432 ko) COQC src/Util/Strings/NamingConventions.v src/Util/Strings/NamingConventions.vo (real: 0.58, user: 0.41, sys: 0.17, mem: 427740 ko) COQC src/Util/MSets/Show.v src/Util/MSets/Show.vo (real: 0.37, user: 0.21, sys: 0.14, mem: 317460 ko) COQC src/Util/ErrorT/Show.v src/Util/ErrorT/Show.vo (real: 0.36, user: 0.28, sys: 0.08, mem: 316752 ko) COQC src/Util/Strings/ParseDebugOptions.v src/Util/Strings/ParseDebugOptions.vo (real: 0.77, user: 0.64, sys: 0.13, mem: 499988 ko) COQC src/Util/ZUtil/CC.v src/Util/ZUtil/CC.vo (real: 0.69, user: 0.57, sys: 0.12, mem: 425340 ko) COQC src/Rewriter/Rules.v src/Rewriter/Rules.vo (real: 0.87, user: 0.68, sys: 0.17, mem: 437016 ko) COQC src/Util/ZUtil/Tactics/SimplifyFractionsLe.v src/Util/ZUtil/Tactics/SimplifyFractionsLe.vo (real: 0.37, user: 0.27, sys: 0.09, mem: 316724 ko) COQC src/Util/Arg.v src/Util/Arg.vo (real: 0.76, user: 0.65, sys: 0.11, mem: 428744 ko) COQC src/Rewriter/TestRules.v src/Rewriter/TestRules.vo (real: 0.52, user: 0.38, sys: 0.13, mem: 399464 ko) COQC src/Util/ZRange/BasicLemmas.v src/Util/ZRange/BasicLemmas.vo (real: 4.67, user: 4.47, sys: 0.18, mem: 456664 ko) COQC src/Assembly/Parse.v src/Assembly/Parse.vo (real: 1.85, user: 1.63, sys: 0.20, mem: 473056 ko) COQC src/Util/ZUtil/Testbit.v src/Util/ZUtil/Testbit.vo (real: 2.06, user: 1.88, sys: 0.16, mem: 427804 ko) COQC src/Util/ZUtil/Ones.v src/Util/ZUtil/Ones.vo (real: 1.11, user: 0.94, sys: 0.16, mem: 425616 ko) COQC src/Util/FSets/FMapZ.v src/Util/FSets/FMapZ.vo (real: 1.03, user: 0.83, sys: 0.18, mem: 554196 ko) COQC src/Util/ZUtil/Lxor.v src/Util/ZUtil/Lxor.vo (real: 0.54, user: 0.40, sys: 0.13, mem: 428312 ko) COQC src/Util/ZUtil/Stabilization.v src/Util/ZUtil/Stabilization.vo (real: 0.65, user: 0.54, sys: 0.10, mem: 426664 ko) COQC src/Util/ZUtil/Modulo.v src/Util/ZUtil/Modulo.vo (real: 7.61, user: 7.42, sys: 0.17, mem: 478380 ko) COQC src/Language/IdentifierParameters.v src/Language/IdentifierParameters.vo 
(real: 0.53, user: 0.41, sys: 0.11, mem: 409640 ko) COQC src/Util/MSets/MSetPositive/Show.v src/Util/MSets/MSetPositive/Show.vo (real: 0.63, user: 0.45, sys: 0.18, mem: 450664 ko) COQC src/Util/NumTheoryUtil.v src/Util/NumTheoryUtil.vo (real: 0.82, user: 0.71, sys: 0.09, mem: 432584 ko) COQC src/Util/ZUtil/EquivModulo.v src/Util/ZUtil/EquivModulo.vo (real: 0.44, user: 0.33, sys: 0.10, mem: 382532 ko) COQC src/Util/ZUtil/Tactics/SolveTestbit.v src/Util/ZUtil/Tactics/SolveTestbit.vo (real: 0.46, user: 0.34, sys: 0.12, mem: 345528 ko) COQC src/Util/ZUtil/Lor.v src/Util/ZUtil/Lor.vo (real: 0.47, user: 0.29, sys: 0.16, mem: 350508 ko) COQC src/Util/ZUtil/LandLorShiftBounds.v src/Util/ZUtil/LandLorShiftBounds.vo (real: 3.59, user: 3.41, sys: 0.17, mem: 438548 ko) COQC src/Util/ZUtil/Pow2Mod.v src/Util/ZUtil/Pow2Mod.vo (real: 1.47, user: 1.28, sys: 0.19, mem: 428044 ko) COQC src/Util/ZRange/SplitBounds.v src/Util/ZRange/SplitBounds.vo (real: 1.31, user: 1.18, sys: 0.11, mem: 437072 ko) COQC src/Util/ZUtil/OnesFrom.v src/Util/ZUtil/OnesFrom.vo (real: 1.14, user: 0.98, sys: 0.16, mem: 423808 ko) COQC src/Arithmetic/MontgomeryReduction/Definition.v src/Arithmetic/MontgomeryReduction/Definition.vo (real: 0.39, user: 0.29, sys: 0.10, mem: 324276 ko) COQC src/CastLemmas.v src/CastLemmas.vo (real: 3.79, user: 3.59, sys: 0.18, mem: 449900 ko) COQC src/Util/ZUtil/TwosComplement.v src/Util/ZUtil/TwosComplement.vo (real: 2.42, user: 2.25, sys: 0.15, mem: 426600 ko) COQC src/Arithmetic/BarrettReduction/Wikipedia.v src/Arithmetic/BarrettReduction/Wikipedia.vo (real: 0.86, user: 0.69, sys: 0.16, mem: 426892 ko) COQC src/Algebra/Field.v src/Algebra/Field.vo (real: 14.85, user: 14.69, sys: 0.13, mem: 457720 ko) COQC src/Rewriter/TestRulesProofs.v src/Rewriter/TestRulesProofs.vo (real: 0.46, user: 0.32, sys: 0.13, mem: 361120 ko) COQC src/Arithmetic/BarrettReduction/HAC.v src/Arithmetic/BarrettReduction/HAC.vo (real: 4.03, user: 3.91, sys: 0.10, mem: 438236 ko) COQC 
src/Util/ZUtil/Tactics/Ztestbit.v src/Util/ZUtil/Tactics/Ztestbit.vo (real: 0.44, user: 0.33, sys: 0.10, mem: 340596 ko) COQC src/Util/ZUtil/Quot.v src/Util/ZUtil/Quot.vo (real: 1.31, user: 1.11, sys: 0.19, mem: 431752 ko) COQC src/Util/ZRange/SplitRangeBounds.v src/Util/ZRange/SplitRangeBounds.vo (real: 1.51, user: 1.31, sys: 0.18, mem: 442244 ko) COQC src/Util/ZUtil/Bitwise.v src/Util/ZUtil/Bitwise.vo (real: 1.45, user: 1.26, sys: 0.17, mem: 431856 ko) COQC src/Util/ZUtil/Land.v src/Util/ZUtil/Land.vo (real: 0.54, user: 0.39, sys: 0.14, mem: 425316 ko) COQC src/Arithmetic/BarrettReduction/Generalized.v src/Arithmetic/BarrettReduction/Generalized.vo (real: 9.69, user: 9.50, sys: 0.18, mem: 497584 ko) COQC src/Util/FSets/FMapTrie/ShapeEx.v src/Util/FSets/FMapTrie/ShapeEx.vo (real: 2.68, user: 2.44, sys: 0.23, mem: 546608 ko) COQC src/Arithmetic/ModularArithmeticPre.v src/Arithmetic/ModularArithmeticPre.vo (real: 0.55, user: 0.36, sys: 0.18, mem: 428560 ko) COQC src/Util/ZUtil/TruncatingShiftl.v src/Util/ZUtil/TruncatingShiftl.vo (real: 1.42, user: 1.26, sys: 0.15, mem: 428308 ko) COQC src/Util/ZUtil/Shift.v src/Util/ZUtil/Shift.vo (real: 2.49, user: 2.32, sys: 0.16, mem: 434792 ko) COQC src/Util/ZUtil/Tactics/SolveRange.v src/Util/ZUtil/Tactics/SolveRange.vo (real: 0.47, user: 0.37, sys: 0.10, mem: 348680 ko) COQC src/Util/ZRange/CornersMonotoneBounds.v src/Util/ZRange/CornersMonotoneBounds.vo (real: 7.90, user: 7.76, sys: 0.13, mem: 457688 ko) COQC src/Language/IdentifiersBasicGENERATED.v Building index_of_base... Building base_type_list... Building eta_base_cps_gen... Building eta_base_cps... Building base_interp... Building all_base... Building all_base_and_interp... Building index_of_ident... Building ident_interp... Building base_eq_dec... Building base_beq_and_reflect... Building base_beq... Building reflect_base_beq... Building baseHasNatAndCorrect... Building baseHasNat... Building baseHasNatCorrect... Building base_interp_beq... 
Building reflect_base_interp_beq... Building try_make_base_transport_cps... Building try_make_base_transport_cps_correct... Building all_idents... Building all_ident_and_interp... Building buildEagerIdentAndInterpCorrect... Building buildEagerIdent... Building buildInterpEagerIdentCorrect... Building toRestrictedIdentAndCorrect... Building toRestrictedIdent... Building toFromRestrictedIdent... Building buildIdentAndInterpCorrect... Building buildIdent... Building buildInterpIdentCorrect... Building ident_is_var_like... Building eqv_Reflexive_Proper... Building ident_interp_Proper... Building invertIdent... Building buildInvertIdentCorrect... Building base_default... Building package... src/Language/IdentifiersBasicGENERATED.vo (real: 9.07, user: 8.81, sys: 0.25, mem: 595964 ko) COQC src/Assembly/Parse/TestAsm.v Finished transaction in 2.772 secs (0.522u,0.03s) (successful) Finished transaction in 0.535 secs (0.475u,0.009s) (successful) Finished transaction in 0.391 secs (0.337u,0.s) (successful) Finished transaction in 0.669 secs (0.619u,0.s) (successful) Finished transaction in 0.964 secs (0.912u,0.s) (successful) Finished transaction in 0.969 secs (0.919u,0.s) (successful) Finished transaction in 0.974 secs (0.922u,0.s) (successful) Finished transaction in 1.366 secs (1.285u,0.029s) (successful) Finished transaction in 1.283 secs (1.227u,0.s) (successful) Finished transaction in 0.494 secs (0.45u,0.s) (successful) src/Assembly/Parse/TestAsm.vo (real: 16.94, user: 16.37, sys: 0.53, mem: 1118888 ko) COQC src/Algebra/Field_test.v src/Algebra/Field_test.vo (real: 4.40, user: 4.27, sys: 0.11, mem: 473332 ko) COQC src/Arithmetic/MontgomeryReduction/Proofs.v src/Arithmetic/MontgomeryReduction/Proofs.vo (real: 5.04, user: 4.86, sys: 0.16, mem: 429220 ko) COQC src/Spec/WeierstrassCurve.v src/Spec/WeierstrassCurve.vo (real: 1.55, user: 1.35, sys: 0.20, mem: 435204 ko) COQC src/Spec/MontgomeryCurve.v src/Spec/MontgomeryCurve.vo (real: 2.56, user: 2.37, sys: 0.17, mem: 
459840 ko) COQC src/Util/ZUtil/Land/Fold.v src/Util/ZUtil/Land/Fold.vo (real: 0.46, user: 0.32, sys: 0.13, mem: 348880 ko) COQC src/Util/ZUtil/Tactics.v src/Util/ZUtil/Tactics.vo (real: 0.42, user: 0.31, sys: 0.11, mem: 314716 ko) COQC src/Curves/Edwards/Pre.v src/Curves/Edwards/Pre.vo (real: 4.95, user: 4.79, sys: 0.16, mem: 499612 ko) COQC src/Util/FsatzAutoLemmas.v src/Util/FsatzAutoLemmas.vo (real: 5.17, user: 5.00, sys: 0.15, mem: 459216 ko) COQC src/Spec/ModularArithmetic.v src/Spec/ModularArithmetic.vo (real: 0.43, user: 0.28, sys: 0.15, mem: 328888 ko) COQC src/Language/APINotations.v File "./src/Language/APINotations.v", line 196, characters 46-56: Warning: Tactic reify_base is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Language/APINotations.v", line 197, characters 41-56: Warning: Tactic reify_base_type is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Language/APINotations.v", line 198, characters 78-88: Warning: Tactic reify_base is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Language/APINotations.v", line 199, characters 73-88: Warning: Tactic reify_base_type is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Language/APINotations.v", line 212, characters 27-47: Warning: Tactic Compilers.reify_base is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Language/APINotations.v", line 214, characters 22-47: Warning: Tactic Compilers.reify_base_type is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Language/APINotations.v", line 216, characters 27-47: Warning: Tactic Compilers.reify_type is deprecated since 8.15. Use Ltac2 instead. [deprecated-tactic,deprecated] File "./src/Language/APINotations.v", line 340, characters 19-40: Warning: Tactic Compilers.reify_ident is deprecated since 8.15. Use Ltac2 instead. 
[deprecated-tactic,deprecated] src/Language/APINotations.vo (real: 0.97, user: 0.74, sys: 0.22, mem: 503908 ko) COQC src/Util/ZUtil/LandLorBounds.v src/Util/ZUtil/LandLorBounds.vo (real: 3.79, user: 3.60, sys: 0.17, mem: 445268 ko) COQC src/Util/ZUtil/SignBit.v src/Util/ZUtil/SignBit.vo (real: 0.54, user: 0.41, sys: 0.11, mem: 429136 ko) COQC src/Arithmetic/Primitives.v src/Arithmetic/Primitives.vo (real: 2.81, user: 2.66, sys: 0.14, mem: 434936 ko) COQC src/Spec/Curve25519.v Finished transaction in 1.154 secs (1.079u,0.s) (successful) src/Spec/Curve25519.vo (real: 5.43, user: 5.07, sys: 0.34, mem: 430212 ko) COQC src/Primitives/MxDHRepChange.v src/Primitives/MxDHRepChange.vo (real: 10.95, user: 10.79, sys: 0.14, mem: 473528 ko) COQC src/Curves/Weierstrass/Affine.v src/Curves/Weierstrass/Affine.vo (real: 0.50, user: 0.43, sys: 0.07, mem: 421176 ko) COQC src/Spec/CompleteEdwardsCurve.v src/Spec/CompleteEdwardsCurve.vo (real: 0.47, user: 0.29, sys: 0.18, mem: 420316 ko) COQC src/Curves/Montgomery/Affine.v src/Curves/Montgomery/Affine.vo (real: 3.97, user: 3.82, sys: 0.14, mem: 484084 ko) COQC src/Curves/TableMult/TableMult.v Transparent constants: Z.to_nat : Z -> nat Pos.to_nat : positive -> nat Z.testbit : Z -> Z -> bool Pos.testbit : positive -> N -> bool N.testbit : N -> N -> bool table_multicomb_positify : forall P : Type, (P -> P -> P) -> (P -> P) -> (P -> P) -> (Z -> P -> P) -> P -> P -> Z -> Z -> Z -> Z -> Z -> Z -> P table_lookup : forall P : Type, (P -> P -> P) -> (P -> P) -> (Z -> P -> P) -> P -> P -> Z -> Z -> Z -> Z -> P table_entry : forall P : Type, (P -> P -> P) -> (Z -> P -> P) -> P -> P -> Z -> Z -> Z -> Z -> P table_comb_positify : forall P : Type, (P -> P -> P) -> (P -> P) -> (Z -> P -> P) -> P -> P -> Z -> Z -> Z -> Z -> Z -> Z -> Z -> P Z.succ_double : Z -> Z Pos.succ : positive -> positive Z.sub : Z -> Z -> Z seq : nat -> nat -> list nat Z.pred_double : Z -> Z Pos.pred_double : positive -> positive Pos.pred_N : positive -> N Z.pow_pos : Z -> 
positive -> Z Z.pow : Z -> Z -> Z positify : Z -> Z -> Z -> Z Z.pos_sub : positive -> positive -> Z Z.pos_div_eucl : positive -> Z -> Z * Z Z.opp : Z -> Z Pos.of_succ_nat : nat -> positive Z.of_nat : nat -> Z oddify : Z -> Z -> Z Z.odd : Z -> bool negb : bool -> bool Z.mul : Z -> Z -> Z Pos.mul : positive -> positive -> positive Z.modulo : Z -> Z -> Z map : forall A B : Type, (A -> B) -> list A -> list B Z.ltb : Z -> Z -> bool Z.leb : Z -> Z -> bool Pos.iter_op : forall A : Type, (A -> A -> A) -> positive -> A -> A Pos.iter : forall A : Type, (A -> A) -> A -> positive -> A fold_right : forall A B : Type, (B -> A -> A) -> A -> list B -> A extract_bits_positify : Z -> Z -> Z -> Z -> Z -> Z -> Z Z.double : Z -> Z Z.div_eucl : Z -> Z -> Z * Z Z.div : Z -> Z -> Z Pos.compare_cont : comparison -> positive -> positive -> comparison Z.compare : Z -> Z -> comparison Pos.compare : positive -> positive -> comparison Z.b2z : bool -> Z Z.add : Z -> Z -> Z Pos.add : positive -> positive -> positive Init.Nat.add : nat -> nat -> nat ZtoP : forall P : Type, (Z -> P -> P) -> P -> Z -> P Zseq : Z -> Z -> list Z CompOpp : comparison -> comparison File "./src/Curves/TableMult/TableMult.v", line 1308, characters 2-40: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] = exist (fun z : Z => z = z mod 101) 8 (ModularArithmeticPre.Z_mod_mod 8 101) : P table_entry = fun (P : Type) (addP : P -> P -> P) (mulP : Z -> P -> P) (O B : P) (s t bnum d : Z) => fold_right addP O (map (fun x : Z => ZtoP P mulP B ((2 * Z.b2z (Z.testbit d (x - t * bnum)) - 1) * 2 ^ (s * x))) (Zseq (t * bnum) t)) : forall P : Type, (P -> P -> P) -> (Z -> P -> P) -> P -> P -> Z -> Z -> Z -> Z -> P Arguments table_entry P%type_scope (addP mulP)%function_scope O B (s t bnum d)%Z_scope = exist (fun z : Z => z = z mod 101) 63 (ModularArithmeticPre.Z_mod_mod 63 101) : P extract_bits = fun s t D offset e : Z => fold_right Z.add 0 (map (fun x : Z => sbit' D e (x * s + offset) * 2 ^ x) (Zseq 0 t)) : Z -> Z -> Z -> Z -> Z -> Z Arguments extract_bits (s t D offset e)%Z_scope = 4 : Z table_comb = fun (P : Type) (addP : P -> P -> P) (negP : P -> P) (mulP : Z -> P -> P) (O B : P) (s t n D offset e : Z) => fold_right addP O (map (fun x : Z => table_lookup P addP negP mulP O B s t x (extract_bits s t D (offset + x * s * t) e)) (Zseq 0 n)) : forall P : Type, (P -> P -> P) -> (P -> P) -> (Z -> P -> P) -> P -> P -> Z -> Z -> Z -> Z -> Z -> Z -> P Arguments table_comb P%type_scope (addP negP mulP)%function_scope O B (s t n D offset e)%Z_scope = exist (fun z : Z => z = z mod 101) 22 (ModularArithmeticPre.Z_mod_mod 22 101) : P table_multicomb = fun (P : Type) (addP : P -> P -> P) (doubleP negP : P -> P) (mulP : Z -> P -> P) (O B : P) (s t n D e : Z) => fold_right (fun x y : P => addP x (doubleP y)) O (map (fun x : Z => table_comb P addP negP mulP O B s t n D x e) (Zseq 0 s)) : forall P : Type, (P -> P -> P) -> (P -> P) -> (P -> P) -> (Z -> P -> P) -> P -> P -> Z -> Z -> Z -> Z -> Z -> P Arguments table_multicomb P%type_scope (addP doubleP negP mulP)%function_scope O B (s t n D e)%Z_scope = exist (fun z : Z => z = z mod 101) 87 (ModularArithmeticPre.Z_mod_mod 87 101) : P src/Curves/TableMult/TableMult.vo (real: 2.22, user: 2.03, sys: 0.19, mem: 457560 ko) 
COQC src/Language/IdentifiersGENERATED.v Building all_base... Building all_idents... Building ident_index... Building eta_ident_cps_gen... Building eta_ident_cps_gen_expand_literal... Building eta_ident_cps... Building simple_idents... Building all_raw_idents... Building raw_ident_index... Building raw_ident_index_idempotent... Building eta_raw_ident_cps_gen... Building raw_ident_to_ident... Building raw_ident_infos_of... Building split_raw_ident_gen... Building invert_bind_args... Building invert_bind_args_unknown... Building all_pattern_idents... Building eta_pattern_ident_cps_gen... Building eta_pattern_ident_cps_gen_expand_literal... Building split_types... Building add_types_from_raw_sig... Building to_type_split_types_subst_default_eq... Building projT1_add_types_from_raw_sig_eq... Building arg_types_unfolded... Building type_of_list_arg_types_beq_unfolded... Building to_typed_unfolded... Building of_typed_ident_unfolded... Building arg_types_of_typed_ident_unfolded... Building unify... Building unify_unknown... Building final ident package... Finished transaction in 15.159 secs (15.051u,0.099s) (successful) src/Language/IdentifiersGENERATED.vo (real: 16.61, user: 16.24, sys: 0.35, mem: 760004 ko) COQC src/Util/ZUtil/Morphisms.v src/Util/ZUtil/Morphisms.vo (real: 2.71, user: 2.54, sys: 0.16, mem: 461540 ko) COQC src/Language/API.v src/Language/API.vo (real: 0.82, user: 0.67, sys: 0.14, mem: 513532 ko) COQC src/Arithmetic/ModularArithmeticTheorems.v src/Arithmetic/ModularArithmeticTheorems.vo (real: 1.80, user: 1.68, sys: 0.12, mem: 440128 ko) COQC src/Util/QUtil.v src/Util/QUtil.vo (real: 0.68, user: 0.53, sys: 0.14, mem: 436524 ko) COQC src/Language/WfExtra.v src/Language/WfExtra.vo (real: 0.86, user: 0.65, sys: 0.20, mem: 499672 ko) COQC src/Language/IdentifiersGENERATEDProofs.v Proving is_simple_correct0... Tactic call ran for 1.192 secs (1.191u,0.s) (success) Proving invert_bind_args_raw_to_typed... 
Tactic call ran for 0.682 secs (0.681u,0.s) (success) Proving fold_invert_bind_args... Tactic call ran for 0.632 secs (0.631u,0.s) (success) Proving split_ident_to_ident... Tactic call ran for 0.036 secs (0.036u,0.s) (success) Proving eq_indep_types_of_eq_types... Tactic call ran for 1.175 secs (1.154u,0.019s) (success) Proving fold_eta_ident_cps... Tactic call ran for 0.001 secs (0.001u,0.s) (success) Proving fold_unify... Tactic call ran for 0. secs (0.u,0.s) (success) Proving to_typed_of_typed_ident... Tactic call ran for 1.703 secs (1.702u,0.s) (success) Proving eq_invert_bind_args_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) Proving eq_unify_unknown... Tactic call ran for 0. secs (0.u,0.s) (success) src/Language/IdentifiersGENERATEDProofs.vo (real: 14.42, user: 14.23, sys: 0.17, mem: 591172 ko) COQC src/Arithmetic/PrimeFieldTheorems.v src/Arithmetic/PrimeFieldTheorems.vo (real: 1.28, user: 1.11, sys: 0.13, mem: 466400 ko) COQC src/Util/ZUtil/ArithmeticShiftr.v src/Util/ZUtil/ArithmeticShiftr.vo (real: 17.28, user: 17.04, sys: 0.20, mem: 613948 ko) COQC src/PushButtonSynthesis/ReificationCache.v src/PushButtonSynthesis/ReificationCache.vo (real: 0.78, user: 0.62, sys: 0.14, mem: 510912 ko) COQC src/Bedrock/Field/Common/Types.v src/Bedrock/Field/Common/Types.vo (real: 0.97, user: 0.81, sys: 0.15, mem: 517684 ko) COQC src/ArithmeticCPS/Core.v src/ArithmeticCPS/Core.vo (real: 0.59, user: 0.45, sys: 0.14, mem: 446932 ko) COQC src/Util/FSets/FMapTrie.v src/Util/FSets/FMapTrie.vo (real: 96.28, user: 95.50, sys: 0.53, mem: 840840 ko) COQC src/Arithmetic/FLia.v src/Arithmetic/FLia.vo (real: 0.64, user: 0.47, sys: 0.16, mem: 466916 ko) COQC src/Bedrock/End2End/RupicolaCrypto/Spec.v src/Bedrock/End2End/RupicolaCrypto/Spec.vo (real: 0.68, user: 0.49, sys: 0.17, mem: 473488 ko) COQC src/Curves/Montgomery/XZ.v src/Curves/Montgomery/XZ.vo (real: 0.43, user: 0.29, sys: 0.12, mem: 363316 ko) COQC src/Curves/Weierstrass/Jacobian.v Finished transaction in 14.831 
secs (14.799u,0.01s) (successful) Finished transaction in 5.057 secs (5.03u,0.019s) (successful) Finished transaction in 1.321 secs (1.319u,0.s) (successful) src/Curves/Weierstrass/Jacobian.vo (real: 65.41, user: 64.96, sys: 0.34, mem: 965848 ko) COQC src/Bedrock/Specs/Group.v src/Bedrock/Specs/Group.vo (real: 0.69, user: 0.52, sys: 0.16, mem: 451088 ko) COQC src/Curves/Edwards/AffineProofs.v src/Curves/Edwards/AffineProofs.vo (real: 17.50, user: 15.72, sys: 0.24, mem: 725096 ko) COQC src/Spec/Test/X25519.v src/Spec/Test/X25519.vo (real: 88.58, user: 86.40, sys: 0.14, mem: 435088 ko) COQC src/Util/ZUtil.v src/Util/ZUtil.vo (real: 0.49, user: 0.29, sys: 0.19, mem: 371560 ko) COQC src/Util/FSets/FMapTrieEx.v src/Util/FSets/FMapTrieEx.vo (real: 8.75, user: 8.44, sys: 0.29, mem: 654016 ko) COQC src/Demo.v src/Demo.vo (real: 48.96, user: 46.91, sys: 0.19, mem: 570392 ko) COQC src/AbstractInterpretation/ZRange.v File "./src/AbstractInterpretation/ZRange.v", line 224, characters 17-18: Warning: Unused variable t catches more than one case. 
[unused-pattern-matching-variable,pattern-matching] src/AbstractInterpretation/ZRange.vo (real: 1.64, user: 1.45, sys: 0.19, mem: 512504 ko) COQC src/Language/InversionExtra.v src/Language/InversionExtra.vo (real: 5.14, user: 4.98, sys: 0.14, mem: 552116 ko) COQC src/Util/ZRange/LandLorBounds.v src/Util/ZRange/LandLorBounds.vo (real: 14.40, user: 14.14, sys: 0.23, mem: 595068 ko) COQC src/Language/UnderLetsProofsExtra.v src/Language/UnderLetsProofsExtra.vo (real: 0.85, user: 0.68, sys: 0.16, mem: 499632 ko) COQC src/MiscCompilerPassesProofsExtra.v src/MiscCompilerPassesProofsExtra.vo (real: 0.86, user: 0.65, sys: 0.20, mem: 501172 ko) COQC src/Rewriter/AllTacticsExtra.v src/Rewriter/AllTacticsExtra.vo (real: 0.84, user: 0.66, sys: 0.16, mem: 499680 ko) COQC src/Util/ZRange/OperationsBounds.v src/Util/ZRange/OperationsBounds.vo (real: 0.77, user: 0.63, sys: 0.12, mem: 436620 ko) COQC src/Arithmetic/Core.v src/Arithmetic/Core.vo (real: 14.71, user: 14.57, sys: 0.12, mem: 482100 ko) COQC src/Bedrock/Field/Translation/Proofs/Equivalence.v src/Bedrock/Field/Translation/Proofs/Equivalence.vo (real: 1.08, user: 0.90, sys: 0.18, mem: 518168 ko) COQC src/Bedrock/Field/Translation/Proofs/VarnameSet.v src/Bedrock/Field/Translation/Proofs/VarnameSet.vo (real: 0.87, user: 0.74, sys: 0.12, mem: 514092 ko) COQC src/Bedrock/Field/Translation/Flatten.v src/Bedrock/Field/Translation/Flatten.vo (real: 0.89, user: 0.66, sys: 0.22, mem: 514092 ko) COQC src/Bedrock/Field/Translation/LoadStoreList.v src/Bedrock/Field/Translation/LoadStoreList.vo (real: 1.14, user: 0.98, sys: 0.15, mem: 518504 ko) COQC src/Bedrock/Field/Translation/Expr.v src/Bedrock/Field/Translation/Expr.vo (real: 2.63, user: 2.39, sys: 0.23, mem: 535012 ko) COQC src/ArithmeticCPS/ModOps.v src/ArithmeticCPS/ModOps.vo (real: 0.59, user: 0.44, sys: 0.15, mem: 453776 ko) COQC src/Curves/Weierstrass/Projective.v Warning: The native-compiler option is deprecated. 
To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] src/Curves/Weierstrass/Projective.vo (real: 130.43, user: 182.11, sys: 2.20, mem: 1448680 ko) COQC src/Curves/Edwards/XYZT/Basic.v Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] src/Curves/Edwards/XYZT/Basic.vo (real: 16.61, user: 17.36, sys: 0.73, mem: 819248 ko) COQC src/Rewriter/Passes/Test.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.015 secs (0.015u,0.s) (success) Tactic call ran for 0.152 secs (0.152u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.526 secs (0.526u,0.s) (success) Tactic call ran for 0.057 secs (0.057u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... 
src/Rewriter/Passes/Test.vo (real: 3.18, user: 2.98, sys: 0.19, mem: 516032 ko) COQC src/AbstractInterpretation/ZRangeProofs.v Finished transaction in 17.639 secs (17.372u,0.s) (successful) Finished transaction in 13.538 secs (13.507u,0.019s) (successful) src/AbstractInterpretation/ZRangeProofs.vo (real: 62.64, user: 61.99, sys: 0.32, mem: 870756 ko) COQC src/Stringification/Language.v src/Stringification/Language.vo (real: 2.21, user: 2.00, sys: 0.21, mem: 535712 ko) COQC src/AbstractInterpretation/AbstractInterpretation.v src/AbstractInterpretation/AbstractInterpretation.vo (real: 1.82, user: 1.58, sys: 0.22, mem: 510244 ko) COQC src/Assembly/Symbolic.v src/Assembly/Symbolic.vo (real: 33.81, user: 33.05, sys: 0.59, mem: 1327872 ko) COQC src/Arithmetic/Partition.v src/Arithmetic/Partition.vo (real: 1.27, user: 1.11, sys: 0.14, mem: 443516 ko) COQC src/Arithmetic/ModOps.v src/Arithmetic/ModOps.vo (real: 2.09, user: 1.92, sys: 0.16, mem: 451976 ko) COQC src/Fancy/Compiler.v File "./src/Fancy/Compiler.v", line 973, characters 6-512: Warning: The proof has remaining shelved goals [remaining-shelved-goals,tactics] src/Fancy/Compiler.vo (real: 161.34, user: 160.62, sys: 0.34, mem: 1069136 ko) COQC src/Rewriter/RulesProofs.v Finished transaction in 0.281 secs (0.281u,0.s) (successful) Finished transaction in 0.016 secs (0.016u,0.s) (successful) Finished transaction in 13.138 secs (13.048u,0.029s) (successful) Finished transaction in 0.122 secs (0.122u,0.s) (successful) src/Rewriter/RulesProofs.vo (real: 61.06, user: 60.43, sys: 0.37, mem: 730664 ko) COQC src/Arithmetic/UniformWeight.v src/Arithmetic/UniformWeight.vo (real: 3.74, user: 3.58, sys: 0.15, mem: 452724 ko) COQC src/UnsaturatedSolinasHeuristics.v src/UnsaturatedSolinasHeuristics.vo (real: 4.17, user: 4.03, sys: 0.12, mem: 452672 ko) COQC src/Bedrock/Field/Common/Arrays/MakeListLengths.v src/Bedrock/Field/Common/Arrays/MakeListLengths.vo (real: 0.96, user: 0.74, sys: 0.21, mem: 518704 ko) COQC 
src/Bedrock/Field/Stringification/LoadStoreListVarData.v src/Bedrock/Field/Stringification/LoadStoreListVarData.vo (real: 0.94, user: 0.72, sys: 0.22, mem: 536632 ko) COQC src/ArithmeticCPS/Saturated.v src/ArithmeticCPS/Saturated.vo (real: 0.64, user: 0.46, sys: 0.18, mem: 448988 ko) COQC src/Curves/Edwards/XYZT/Precomputed.v src/Curves/Edwards/XYZT/Precomputed.vo (real: 1.21, user: 1.07, sys: 0.13, mem: 438716 ko) COQC src/Stringification/IR.v src/Stringification/IR.vo (real: 10.36, user: 10.15, sys: 0.19, mem: 590472 ko) COQC src/Fancy/Prod.v src/Fancy/Prod.vo (real: 5.77, user: 5.61, sys: 0.15, mem: 527400 ko) COQC src/Assembly/Equivalence.v src/Assembly/Equivalence.vo (real: 4.29, user: 3.93, sys: 0.33, mem: 925744 ko) COQC src/Arithmetic/Saturated.v src/Arithmetic/Saturated.vo (real: 26.62, user: 26.37, sys: 0.22, mem: 494160 ko) COQC src/AbstractInterpretation/Wf.v src/AbstractInterpretation/Wf.vo (real: 116.35, user: 115.95, sys: 0.31, mem: 884680 ko) COQC src/Rewriter/Passes/AddAssocLeft.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.031 secs (0.031u,0.s) (success) Tactic call ran for 0.009 secs (0.009u,0.s) (success) Tactic call ran for 0.052 secs (0.052u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.011 secs (0.011u,0.s) (success) Tactic call ran for 0.187 secs (0.178u,0.008s) (success) Proving Rewriter_Interp... Tactic call ran for 0.425 secs (0.424u,0.s) (success) Tactic call ran for 0.073 secs (0.073u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/AddAssocLeft.vo (real: 3.02, user: 2.80, sys: 0.22, mem: 533348 ko) COQC src/Curves/Weierstrass/AffineProofs.v Finished transaction in 1.583 secs (1.51u,0.069s) (successful) Warning: The native-compiler option is deprecated. 
To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] Finished transaction in 217.216 secs (43.436u,0.52s) (successful) Finished transaction in 43.94 secs (43.887u,0.039s) (successful) src/Curves/Weierstrass/AffineProofs.vo (real: 263.36, user: 429.75, sys: 2.33, mem: 2070516 ko) COQC src/UnsaturatedSolinasHeuristics/Tests.v native_compute: Conversion to native code done in 0.00702 native_compute: Compilation done in 1.10454 Profiling to file ./native_compute_profile_ab2a4e.data native_compute: Evaluation done in 41.74072 native_compute: Reification done in 0.27481 Finished transaction in 43.18 secs (41.745u,0.001s) (successful) native_compute: Conversion to native code done in 0.00506 native_compute: Compilation done in 0.29031 Profiling to file ./native_compute_profile_81d89c.data native_compute: Evaluation done in 23.26009 native_compute: Reification done in 2.43943 Finished transaction in 31.664 secs (31.019u,0.069s) (successful) src/UnsaturatedSolinasHeuristics/Tests.vo (real: 79.80, user: 78.92, sys: 0.88, mem: 1122476 ko) COQC src/Rewriter/Passes/StripLiteralCasts.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.03 secs (0.03u,0.s) (success) Tactic call ran for 0.006 secs (0.006u,0.s) (success) Tactic call ran for 0.045 secs (0.045u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.008 secs (0.008u,0.s) (success) Tactic call ran for 0.012 secs (0.012u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.239 secs (0.239u,0.s) (success) Tactic call ran for 0.002 secs (0.002u,0.s) (success) Assembling verified rewriter... 
Refining with verified rewriter... src/Rewriter/Passes/StripLiteralCasts.vo (real: 2.05, user: 1.87, sys: 0.18, mem: 536584 ko) COQC src/Rewriter/Passes/FlattenThunkedRects.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.029 secs (0.029u,0.s) (success) Tactic call ran for 0.008 secs (0.008u,0.s) (success) Tactic call ran for 0.048 secs (0.048u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.01 secs (0.01u,0.s) (success) Tactic call ran for 0.096 secs (0.096u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.222 secs (0.222u,0.s) (success) Tactic call ran for 0.035 secs (0.035u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/FlattenThunkedRects.vo (real: 2.76, user: 2.56, sys: 0.18, mem: 535356 ko) COQC src/Rewriter/Passes/Arith.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.631 secs (0.631u,0.s) (success) Tactic call ran for 18.789 secs (18.6u,0.169s) (success) Tactic call ran for 0.148 secs (0.148u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.785 secs (0.784u,0.s) (success) Tactic call ran for 3.202 secs (3.2u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 5.097 secs (5.093u,0.s) (success) Tactic call ran for 1.061 secs (1.06u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/Arith.vo (real: 48.81, user: 48.36, sys: 0.41, mem: 1111268 ko) COQC src/Rewriter/Passes/MulSplit.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... 
Tactic call ran for 0.203 secs (0.203u,0.s) (success) Tactic call ran for 0.539 secs (0.539u,0.s) (success) Tactic call ran for 0.086 secs (0.086u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.314 secs (0.293u,0.02s) (success) Tactic call ran for 2.794 secs (2.782u,0.01s) (success) Proving Rewriter_Interp... Tactic call ran for 7.42 secs (7.385u,0.029s) (success) Tactic call ran for 3.234 secs (3.231u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/MulSplit.vo (real: 35.61, user: 35.26, sys: 0.31, mem: 882792 ko) COQC src/Rewriter/Passes/NoSelect.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.091 secs (0.091u,0.s) (success) Tactic call ran for 0.015 secs (0.015u,0.s) (success) Tactic call ran for 0.059 secs (0.059u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.028 secs (0.028u,0.s) (success) Tactic call ran for 0.48 secs (0.48u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 1.059 secs (1.059u,0.s) (success) Tactic call ran for 0.595 secs (0.594u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/NoSelect.vo (real: 7.01, user: 6.82, sys: 0.17, mem: 566836 ko) COQC src/Rewriter/Passes/RelaxBitwidthAdcSbb.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.093 secs (0.093u,0.s) (success) Tactic call ran for 0.042 secs (0.042u,0.s) (success) Tactic call ran for 0.071 secs (0.071u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... 
Tactic call ran for 0.06 secs (0.06u,0.s) (success) Tactic call ran for 0.581 secs (0.581u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 1.541 secs (1.53u,0.009s) (success) Tactic call ran for 0.486 secs (0.476u,0.009s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/RelaxBitwidthAdcSbb.vo (real: 8.78, user: 8.56, sys: 0.20, mem: 587356 ko) COQC src/Rewriter/Passes/ToFancy.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.017 secs (0.016u,0.001s) (success) Tactic call ran for 0.005 secs (0.005u,0.s) (success) Tactic call ran for 0.048 secs (0.048u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.006 secs (0.006u,0.s) (success) Tactic call ran for 0. secs (0.u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.169 secs (0.169u,0.s) (success) Tactic call ran for 0. secs (0.u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/ToFancy.vo (real: 1.87, user: 1.68, sys: 0.19, mem: 531660 ko) COQC src/Rewriter/Passes/MultiRetSplit.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.266 secs (0.256u,0.01s) (success) Tactic call ran for 1.775 secs (1.774u,0.s) (success) Tactic call ran for 0.108 secs (0.108u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.506 secs (0.505u,0.s) (success) Tactic call ran for 5.108 secs (5.104u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 11.385 secs (11.377u,0.s) (success) Tactic call ran for 6.163 secs (6.139u,0.019s) (success) Assembling verified rewriter... Refining with verified rewriter... 
src/Rewriter/Passes/MultiRetSplit.vo (real: 60.06, user: 59.63, sys: 0.38, mem: 1043980 ko) COQC src/Rewriter/Passes/UnfoldValueBarrier.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 0.026 secs (0.015u,0.01s) (success) Tactic call ran for 0.005 secs (0.005u,0.s) (success) Tactic call ran for 0.057 secs (0.056u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 0.007 secs (0.007u,0.s) (success) Tactic call ran for 0.025 secs (0.025u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 0.216 secs (0.216u,0.s) (success) Tactic call ran for 0. secs (0.u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/UnfoldValueBarrier.vo (real: 2.03, user: 1.83, sys: 0.19, mem: 534764 ko) COQC src/AbstractInterpretation/WfExtra.v src/AbstractInterpretation/WfExtra.vo (real: 0.88, user: 0.69, sys: 0.17, mem: 504144 ko) COQC src/Curves/EdwardsMontgomery.v Evars: 26035 -> 6 Evars: 25194 -> 4 Evars: 24820 -> 3 Evars: 26652 -> 21 Evars: 130793 -> 16 Evars: 22473 -> 13 Evars: 6774 -> 11 Evars: 33648 -> 7 Evars: 12103 -> 6 Evars: 81864 -> 5 Evars: 70184 -> 4 Evars: 14155 -> 4 Evars: 74237 -> 3 Evars: 40053 -> 2 src/Curves/EdwardsMontgomery.vo (real: 291.06, user: 288.99, sys: 0.97, mem: 1586816 ko) COQC src/Arithmetic/BaseConversion.v src/Arithmetic/BaseConversion.vo (real: 2.17, user: 2.00, sys: 0.17, mem: 453680 ko) COQC src/PushButtonSynthesis/SaturatedSolinasReificationCache.v Finished transaction in 3.008 secs (2.974u,0.022s) (successful) Finished transaction in 1.638 secs (1.632u,0.s) (successful) src/PushButtonSynthesis/SaturatedSolinasReificationCache.vo (real: 6.02, user: 5.74, sys: 0.25, mem: 543944 ko) COQC src/PushButtonSynthesis/BaseConversionReificationCache.v Finished transaction in 1.394 secs (1.382u,0.008s) (successful) Finished transaction in 
1.083 secs (1.071u,0.01s) (successful) src/PushButtonSynthesis/BaseConversionReificationCache.vo (real: 3.83, user: 3.63, sys: 0.18, mem: 548328 ko) COQC src/Rewriter/Passes/NBE.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 1.687 secs (1.685u,0.s) (success) Tactic call ran for 104.523 secs (104.255u,0.139s) (success) Tactic call ran for 0.348 secs (0.348u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 1.957 secs (1.954u,0.s) (success) Tactic call ran for 2.746 secs (2.742u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 7.145 secs (7.135u,0.s) (success) Tactic call ran for 4.042 secs (4.036u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/NBE.vo (real: 161.56, user: 160.83, sys: 0.51, mem: 1603160 ko) COQC src/Stringification/C.v src/Stringification/C.vo (real: 1.23, user: 0.98, sys: 0.24, mem: 537240 ko) COQC src/Stringification/Rust.v src/Stringification/Rust.vo (real: 1.13, user: 0.92, sys: 0.20, mem: 532144 ko) COQC src/Stringification/Go.v src/Stringification/Go.vo (real: 1.64, user: 1.42, sys: 0.21, mem: 537004 ko) COQC src/Stringification/Java.v src/Stringification/Java.vo (real: 1.12, user: 0.94, sys: 0.17, mem: 532124 ko) COQC src/Stringification/JSON.v src/Stringification/JSON.vo (real: 1.29, user: 1.10, sys: 0.19, mem: 533156 ko) COQC src/Stringification/Zig.v src/Stringification/Zig.vo (real: 1.15, user: 0.91, sys: 0.24, mem: 532788 ko) COQC src/Bedrock/Field/Stringification/FlattenVarData.v src/Bedrock/Field/Stringification/FlattenVarData.vo (real: 1.00, user: 0.86, sys: 0.13, mem: 541560 ko) COQC src/ArithmeticCPS/BaseConversion.v src/ArithmeticCPS/BaseConversion.vo (real: 0.65, user: 0.53, sys: 0.12, mem: 458728 ko) COQC src/AbstractInterpretation/Proofs.v src/AbstractInterpretation/Proofs.vo (real: 59.32, user: 
59.09, sys: 0.18, mem: 727676 ko) COQC src/Arithmetic/BarrettReduction.v src/Arithmetic/BarrettReduction.vo (real: 16.95, user: 16.76, sys: 0.16, mem: 511056 ko) COQC src/Arithmetic/FancyMontgomeryReduction.v src/Arithmetic/FancyMontgomeryReduction.vo (real: 7.11, user: 6.96, sys: 0.13, mem: 462888 ko) COQC src/Arithmetic/SolinasReduction.v src/Arithmetic/SolinasReduction.vo (real: 93.23, user: 92.59, sys: 0.43, mem: 809000 ko) COQC src/Rewriter/Passes/ToFancyWithCasts.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 1.147 secs (1.146u,0.s) (success) Tactic call ran for 39.38 secs (39.285u,0.069s) (success) Tactic call ran for 0.242 secs (0.242u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 1.599 secs (1.598u,0.s) (success) Tactic call ran for 6.687 secs (6.682u,0.s) (success) Proving Rewriter_Interp... Tactic call ran for 20.382 secs (20.368u,0.s) (success) Tactic call ran for 5.493 secs (5.488u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... 
src/Rewriter/Passes/ToFancyWithCasts.vo (real: 133.73, user: 133.11, sys: 0.51, mem: 1561880 ko) COQC src/PushButtonSynthesis/BarrettReductionReificationCache.v Finished transaction in 4.837 secs (4.794u,0.039s) (successful) Finished transaction in 2.72 secs (2.718u,0.s) (successful) src/PushButtonSynthesis/BarrettReductionReificationCache.vo (real: 10.24, user: 9.97, sys: 0.25, mem: 561144 ko) COQC src/PushButtonSynthesis/FancyMontgomeryReductionReificationCache.v Finished transaction in 3.991 secs (3.977u,0.01s) (successful) Finished transaction in 1.851 secs (1.849u,0.s) (successful) src/PushButtonSynthesis/FancyMontgomeryReductionReificationCache.vo (real: 7.12, user: 6.90, sys: 0.21, mem: 545996 ko) COQC src/Arithmetic/Freeze.v src/Arithmetic/Freeze.vo (real: 2.42, user: 2.20, sys: 0.20, mem: 454240 ko) COQC src/Assembly/WithBedrock/SymbolicProofs.v src/Assembly/WithBedrock/SymbolicProofs.vo (real: 71.69, user: 71.12, sys: 0.49, mem: 1416740 ko) COQC src/ArithmeticCPS/Freeze.v src/ArithmeticCPS/Freeze.vo (real: 0.69, user: 0.56, sys: 0.13, mem: 458768 ko) COQC src/Arithmetic/WordByWordMontgomery.v src/Arithmetic/WordByWordMontgomery.vo (real: 17.66, user: 17.48, sys: 0.16, mem: 530324 ko) COQC src/Assembly/EquivalenceProofs.v src/Assembly/EquivalenceProofs.vo (real: 97.15, user: 96.51, sys: 0.55, mem: 1510616 ko) COQC src/Rewriter/Passes/ArithWithCasts.v Reifying... Compiling decision tree... Splitting rewrite rules... Assembling rewrite_head... Reducing rewrite_head... Tactic call ran for 1.504 secs (1.493u,0.009s) (success) Tactic call ran for 159.595 secs (159.318u,0.179s) (success) Tactic call ran for 0.292 secs (0.292u,0.s) (success) Assembling rewrite_head_no_dtree... Reducing rewrite_head_no_dtree... Proving Rewriter_Wf... Tactic call ran for 2.573 secs (2.571u,0.s) (success) Tactic call ran for 7.844 secs (7.838u,0.s) (success) Proving Rewriter_Interp... 
Tactic call ran for 19.654 secs (19.642u,0.s) (success) Tactic call ran for 7.374 secs (7.369u,0.s) (success) Assembling verified rewriter... Refining with verified rewriter... src/Rewriter/Passes/ArithWithCasts.vo (real: 270.19, user: 269.40, sys: 0.61, mem: 2077784 ko) COQC src/ArithmeticCPS/WordByWordMontgomery.v src/ArithmeticCPS/WordByWordMontgomery.vo (real: 0.74, user: 0.52, sys: 0.21, mem: 461896 ko) COQC src/PushButtonSynthesis/UnsaturatedSolinasReificationCache.v Finished transaction in 1.94 secs (1.938u,0.s) (successful) Finished transaction in 1.149 secs (1.148u,0.s) (successful) Finished transaction in 2.231 secs (2.229u,0.s) (successful) Finished transaction in 1.552 secs (1.551u,0.s) (successful) Finished transaction in 1.727 secs (1.726u,0.s) (successful) Finished transaction in 1.218 secs (1.217u,0.s) (successful) Finished transaction in 1.127 secs (1.126u,0.s) (successful) Finished transaction in 0.816 secs (0.815u,0.s) (successful) Finished transaction in 1.195 secs (1.184u,0.009s) (successful) Finished transaction in 0.792 secs (0.789u,0.s) (successful) Finished transaction in 0.415 secs (0.414u,0.s) (successful) Finished transaction in 0.299 secs (0.299u,0.s) (successful) Finished transaction in 0.603 secs (0.602u,0.s) (successful) Finished transaction in 0.456 secs (0.456u,0.s) (successful) Finished transaction in 0.666 secs (0.666u,0.s) (successful) Finished transaction in 0.448 secs (0.448u,0.s) (successful) Finished transaction in 1.152 secs (1.141u,0.009s) (successful) Finished transaction in 0.983 secs (0.982u,0.s) (successful) Finished transaction in 1.332 secs (1.331u,0.s) (successful) Finished transaction in 1.216 secs (1.215u,0.s) (successful) Finished transaction in 1.669 secs (1.667u,0.s) (successful) Finished transaction in 1.144 secs (1.143u,0.s) (successful) Finished transaction in 1.075 secs (1.074u,0.s) (successful) Finished transaction in 0.698 secs (0.697u,0.s) (successful) Finished transaction in 1.13 secs (1.128u,0.s) 
(successful) Finished transaction in 0.682 secs (0.681u,0.s) (successful) Finished transaction in 1.124 secs (1.123u,0.s) (successful) Finished transaction in 0.724 secs (0.723u,0.s) (successful) Finished transaction in 0.174 secs (0.174u,0.s) (successful) Finished transaction in 0.11 secs (0.11u,0.s) (successful) Finished transaction in 0.2 secs (0.199u,0.s) (successful) Finished transaction in 0.097 secs (0.097u,0.s) (successful) Finished transaction in 2.686 secs (2.683u,0.s) (successful) Finished transaction in 1.408 secs (1.407u,0.s) (successful) Finished transaction in 1.062 secs (1.06u,0.s) (successful) Finished transaction in 0.66 secs (0.65u,0.009s) (successful) src/PushButtonSynthesis/UnsaturatedSolinasReificationCache.vo (real: 44.53, user: 44.27, sys: 0.20, mem: 713180 ko) COQC src/Rewriter/All.v src/Rewriter/All.vo (real: 0.88, user: 0.72, sys: 0.14, mem: 545644 ko) COQC src/Curves/Montgomery/AffineProofs.v Finished transaction in 0.728 secs (0.727u,0.s) (successful) Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. 
[deprecated-native-compiler-option,deprecated] Finished transaction in 82.976 secs (11.067u,0.287s) (successful) src/Curves/Montgomery/AffineProofs.vo (real: 95.38, user: 164.66, sys: 1.50, mem: 1443324 ko) COQC src/CompilersTestCases.v src/CompilersTestCases.vo (real: 1.84, user: 1.61, sys: 0.22, mem: 586992 ko) COQC src/Curves/Montgomery/AffineInstances.v src/Curves/Montgomery/AffineInstances.vo (real: 1.05, user: 0.88, sys: 0.16, mem: 424112 ko) COQC src/Arithmetic/BYInv.v src/Arithmetic/BYInv.vo (real: 6.51, user: 6.34, sys: 0.15, mem: 501936 ko) COQC src/PushButtonSynthesis/WordByWordMontgomeryReificationCache.v Finished transaction in 5.166 secs (5.153u,0.01s) (successful) Finished transaction in 2.521 secs (2.519u,0.s) (successful) Finished transaction in 1.222 secs (1.221u,0.s) (successful) Finished transaction in 0.696 secs (0.695u,0.s) (successful) Finished transaction in 1. secs (0.999u,0.s) (successful) Finished transaction in 0.654 secs (0.653u,0.s) (successful) Finished transaction in 1.047 secs (1.026u,0.019s) (successful) Finished transaction in 0.646 secs (0.646u,0.s) (successful) Finished transaction in 1.258 secs (1.258u,0.s) (successful) Finished transaction in 0.685 secs (0.685u,0.s) (successful) Finished transaction in 1.041 secs (1.04u,0.s) (successful) Finished transaction in 0.732 secs (0.732u,0.s) (successful) Finished transaction in 0.036 secs (0.036u,0.s) (successful) Finished transaction in 0.015 secs (0.015u,0.s) (successful) Finished transaction in 0.199 secs (0.199u,0.s) (successful) Finished transaction in 0.123 secs (0.123u,0.s) (successful) Finished transaction in 0.226 secs (0.225u,0.s) (successful) Finished transaction in 0.12 secs (0.12u,0.s) (successful) Finished transaction in 4.215 secs (4.193u,0.019s) (successful) Finished transaction in 2.327 secs (2.326u,0.s) (successful) Finished transaction in 4.911 secs (4.878u,0.029s) (successful) Finished transaction in 2.198 secs (2.197u,0.s) (successful) Finished transaction in 
4.635 secs (4.632u,0.s) (successful) Finished transaction in 2.139 secs (2.138u,0.s) (successful) Finished transaction in 4.803 secs (4.79u,0.009s) (successful) Finished transaction in 2.408 secs (2.397u,0.009s) (successful) Finished transaction in 0.04 secs (0.04u,0.s) (successful) Finished transaction in 0.012 secs (0.012u,0.s) (successful) Finished transaction in 4.572 secs (4.559u,0.009s) (successful) Finished transaction in 2.224 secs (2.223u,0.s) (successful) src/PushButtonSynthesis/WordByWordMontgomeryReificationCache.vo (real: 54.56, user: 54.21, sys: 0.31, mem: 854656 ko) COQC src/PushButtonSynthesis/SolinasReductionReificationCache.v Finished transaction in 14.231 secs (14.16u,0.06s) (successful) Finished transaction in 7.094 secs (7.069u,0.019s) (successful) Finished transaction in 40.932 secs (40.832u,0.069s) (successful) Finished transaction in 17.964 secs (17.953u,0.s) (successful) src/PushButtonSynthesis/SolinasReductionReificationCache.vo (real: 84.68, user: 84.29, sys: 0.32, mem: 1026512 ko) COQC src/COperationSpecifications.v src/COperationSpecifications.vo (real: 5.30, user: 5.10, sys: 0.19, mem: 485516 ko) COQC src/BoundsPipeline.v src/BoundsPipeline.vo (real: 13.83, user: 13.47, sys: 0.34, mem: 1005948 ko) COQC src/PushButtonSynthesis/BYInversionReificationCache.v Finished transaction in 3.48 secs (3.445u,0.03s) (successful) Finished transaction in 2.316 secs (2.315u,0.s) (successful) Finished transaction in 0.127 secs (0.127u,0.s) (successful) Finished transaction in 0.075 secs (0.075u,0.s) (successful) Finished transaction in 0.281 secs (0.28u,0.s) (successful) Finished transaction in 0.164 secs (0.164u,0.s) (successful) src/PushButtonSynthesis/BYInversionReificationCache.vo (real: 10.13, user: 9.90, sys: 0.21, mem: 577068 ko) COQC src/PushButtonSynthesis/Primitives.v Finished transaction in 0.022 secs (0.022u,0.s) (successful) Finished transaction in 0.006 secs (0.006u,0.s) (successful) Finished transaction in 0.311 secs (0.31u,0.s) 
(successful) Finished transaction in 0.032 secs (0.032u,0.s) (successful) Finished transaction in 0.254 secs (0.254u,0.s) (successful) Finished transaction in 0.146 secs (0.146u,0.s) (successful) Finished transaction in 0.063 secs (0.063u,0.s) (successful) Finished transaction in 0.04 secs (0.04u,0.s) (successful) Finished transaction in 0.073 secs (0.073u,0.s) (successful) Finished transaction in 0.042 secs (0.041u,0.s) (successful) Finished transaction in 0.045 secs (0.044u,0.s) (successful) Finished transaction in 0.003 secs (0.003u,0.s) (successful) Finished transaction in 0.151 secs (0.151u,0.s) (successful) Finished transaction in 0.066 secs (0.066u,0.s) (successful) Finished transaction in 0.104 secs (0.104u,0.s) (successful) Finished transaction in 0.301 secs (0.3u,0.s) (successful) src/PushButtonSynthesis/Primitives.vo (real: 9.23, user: 8.85, sys: 0.35, mem: 1014208 ko) COQC src/Bedrock/Field/Translation/Cmd.v src/Bedrock/Field/Translation/Cmd.vo (real: 3.67, user: 3.34, sys: 0.31, mem: 977212 ko) COQC src/Bedrock/Field/Common/Util.v src/Bedrock/Field/Common/Util.vo (real: 14.47, user: 14.18, sys: 0.27, mem: 591752 ko) COQC src/PushButtonSynthesis/SaturatedSolinas.v src/PushButtonSynthesis/SaturatedSolinas.vo (real: 4.96, user: 4.59, sys: 0.35, mem: 1006668 ko) COQC src/PushButtonSynthesis/SmallExamples.v Finished transaction in 1.831 secs (1.817u,0.01s) (successful) Finished transaction in 2.006 secs (2.001u,0.s) (successful) Finished transaction in 0.106 secs (0.104u,0.s) (successful) Finished transaction in 0.408 secs (0.405u,0.s) (successful) Finished transaction in 1.658 secs (1.634u,0.019s) (successful) Finished transaction in 0.143 secs (0.142u,0.s) (successful) Finished transaction in 0.067 secs (0.066u,0.s) (successful) Finished transaction in 0.066 secs (0.065u,0.s) (successful) Finished transaction in 0.081 secs (0.08u,0.s) (successful) Finished transaction in 0.076 secs (0.074u,0.s) (successful) Finished transaction in 0.104 secs (0.103u,0.s) 
(successful) src/PushButtonSynthesis/SmallExamples.vo (real: 8.95, user: 8.57, sys: 0.34, mem: 975520 ko) COQC src/PushButtonSynthesis/BaseConversion.v src/PushButtonSynthesis/BaseConversion.vo (real: 9.80, user: 9.42, sys: 0.36, mem: 1001348 ko) COQC src/PushButtonSynthesis/SolinasReduction.v src/PushButtonSynthesis/SolinasReduction.vo (real: 7.93, user: 7.61, sys: 0.30, mem: 1007904 ko) COQC src/Bedrock/Field/Common/Tactics.v src/Bedrock/Field/Common/Tactics.vo (real: 1.05, user: 0.86, sys: 0.17, mem: 588120 ko) COQC src/PushButtonSynthesis/UnsaturatedSolinas.v src/PushButtonSynthesis/UnsaturatedSolinas.vo (real: 25.59, user: 25.07, sys: 0.49, mem: 1139080 ko) COQC src/Bedrock/Field/Translation/Parameters/Defaults.v src/Bedrock/Field/Translation/Parameters/Defaults.vo (real: 3.01, user: 2.66, sys: 0.34, mem: 1013208 ko) COQC src/PushButtonSynthesis/WordByWordMontgomery.v src/PushButtonSynthesis/WordByWordMontgomery.vo (real: 25.68, user: 25.21, sys: 0.44, mem: 1175276 ko) COQC src/Bedrock/Field/Common/Arrays/ByteBounds.v src/Bedrock/Field/Common/Arrays/ByteBounds.vo (real: 1.25, user: 1.03, sys: 0.22, mem: 591508 ko) COQC src/Bedrock/Field/Translation/Func.v src/Bedrock/Field/Translation/Func.vo (real: 3.40, user: 3.12, sys: 0.27, mem: 975480 ko) COQC src/Bedrock/Field/Translation/Parameters/Defaults32.v src/Bedrock/Field/Translation/Parameters/Defaults32.vo (real: 3.01, user: 2.71, sys: 0.29, mem: 1014788 ko) COQC src/Bedrock/Field/Translation/Parameters/FE310.v src/Bedrock/Field/Translation/Parameters/FE310.vo (real: 2.98, user: 2.67, sys: 0.29, mem: 1014832 ko) COQC src/Bedrock/End2End/RupicolaCrypto/Broadcast.v src/Bedrock/End2End/RupicolaCrypto/Broadcast.vo (real: 5.68, user: 5.46, sys: 0.21, mem: 620840 ko) COQC src/Bedrock/Field/Translation/Parameters/Defaults64.v src/Bedrock/Field/Translation/Parameters/Defaults64.vo (real: 2.99, user: 2.65, sys: 0.32, mem: 1014772 ko) COQC src/PushButtonSynthesis/BarrettReduction.v 
src/PushButtonSynthesis/BarrettReduction.vo (real: 6.91, user: 6.57, sys: 0.32, mem: 1012620 ko) COQC src/PushButtonSynthesis/FancyMontgomeryReduction.v src/PushButtonSynthesis/FancyMontgomeryReduction.vo (real: 4.44, user: 4.03, sys: 0.39, mem: 1017112 ko) COQC src/CLI.v src/CLI.vo (real: 5.41, user: 5.07, sys: 0.32, mem: 1089376 ko) COQC src/Rewriter/PerfTesting/Core.v Finished transaction in 0. secs (0.u,0.s) (successful) Finished transaction in 0. secs (0.u,0.s) (successful) src/Rewriter/PerfTesting/Core.vo (real: 3.60, user: 3.22, sys: 0.37, mem: 1049516 ko) COQC src/Bedrock/Field/Translation/Proofs/UsedVarnames.v src/Bedrock/Field/Translation/Proofs/UsedVarnames.vo (real: 6.37, user: 6.11, sys: 0.24, mem: 833424 ko) COQC src/StandaloneHaskellMain.v src/StandaloneHaskellMain.vo (real: 3.09, user: 2.73, sys: 0.34, mem: 1087060 ko) COQC src/Fancy/Montgomery256.v Finished transaction in 7.947 secs (7.901u,0.04s) (successful) src/Fancy/Montgomery256.vo (real: 48.25, user: 47.69, sys: 0.51, mem: 1723940 ko) COQC src/ExtractionHaskell/unsaturated_solinas.v > src/ExtractionHaskell/unsaturated_solinas.hs File "./src/ExtractionHaskell/unsaturated_solinas.v", line 3, characters 43-88: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/unsaturated_solinas.v", line 3, characters 43-88: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/unsaturated_solinas.v", line 3, characters 43-88: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/unsaturated_solinas.v", line 3, characters 43-88: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/unsaturated_solinas.v", line 3, characters 43-88: 
Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/unsaturated_solinas.v", line 3, characters 43-88: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/unsaturated_solinas.hs (real: 15.51, user: 14.93, sys: 0.56, mem: 1883236 ko) COQC src/ExtractionHaskell/saturated_solinas.v > src/ExtractionHaskell/saturated_solinas.hs File "./src/ExtractionHaskell/saturated_solinas.v", line 3, characters 41-84: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/saturated_solinas.v", line 3, characters 41-84: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/saturated_solinas.v", line 3, characters 41-84: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/saturated_solinas.v", line 3, characters 41-84: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/saturated_solinas.v", line 3, characters 41-84: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/saturated_solinas.v", line 3, characters 41-84: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/saturated_solinas.hs (real: 14.38, user: 13.81, sys: 0.55, mem: 1782532 ko) COQC src/SlowPrimeSynthesisExamples.v Finished transaction in 3.33 secs (3.325u,0.s) (successful) Finished transaction in 3.422 secs (3.417u,0.s) (successful) Finished transaction in 3.846 secs 
(3.831u,0.009s) (successful) Finished transaction in 6.301 secs (6.263u,0.029s) (successful) Finished transaction in 6.385 secs (6.357u,0.019s) (successful) Finished transaction in 2.163 secs (2.16u,0.s) (successful) Finished transaction in 4.036 secs (4.03u,0.s) (successful) Finished transaction in 8.224 secs (8.212u,0.s) (successful) Finished transaction in 3.797 secs (3.792u,0.s) (successful) Finished transaction in 2.511 secs (2.507u,0.s) (successful) Finished transaction in 1.908 secs (1.896u,0.009s) (successful) Finished transaction in 2.447 secs (2.433u,0.009s) (successful) src/SlowPrimeSynthesisExamples.vo (real: 90.74, user: 90.01, sys: 0.59, mem: 2053492 ko) COQC src/Curves/Montgomery/XZProofs.v Finished transaction in 11.086 secs (11.05u,0.019s) (successful) Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. [deprecated-native-compiler-option,deprecated] Warning: The native-compiler option is deprecated. To compile native files ahead of time, use the coqnative binary instead. 
[deprecated-native-compiler-option,deprecated] Finished transaction in 21.904 secs (5.507u,0.539s) (successful) Finished transaction in 3.072 secs (3.061u,0.01s) (successful) src/Curves/Montgomery/XZProofs.vo (real: 160.64, user: 174.94, sys: 1.62, mem: 1445232 ko) COQC src/ExtractionHaskell/word_by_word_montgomery.v > src/ExtractionHaskell/word_by_word_montgomery.hs File "./src/ExtractionHaskell/word_by_word_montgomery.v", line 3, characters 47-94: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/word_by_word_montgomery.v", line 3, characters 47-94: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/word_by_word_montgomery.v", line 3, characters 47-94: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/word_by_word_montgomery.v", line 3, characters 47-94: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/word_by_word_montgomery.v", line 3, characters 47-94: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/word_by_word_montgomery.v", line 3, characters 47-94: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/word_by_word_montgomery.hs (real: 16.34, user: 15.74, sys: 0.58, mem: 1974264 ko) COQC src/StandaloneOCamlMain.v src/StandaloneOCamlMain.vo (real: 2.84, user: 2.48, sys: 0.34, mem: 1087696 ko) COQC src/ExtractionHaskell/base_conversion.v > src/ExtractionHaskell/base_conversion.hs File "./src/ExtractionHaskell/base_conversion.v", line 3, characters 39-80: Warning: The identifier __ 
contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/base_conversion.v", line 3, characters 39-80: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/base_conversion.v", line 3, characters 39-80: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/base_conversion.v", line 3, characters 39-80: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/base_conversion.v", line 3, characters 39-80: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/base_conversion.v", line 3, characters 39-80: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/base_conversion.hs (real: 14.75, user: 14.21, sys: 0.51, mem: 1801532 ko) COQC src/Rewriter/PerfTesting/StandaloneOCamlMain.v src/Rewriter/PerfTesting/StandaloneOCamlMain.vo (real: 3.22, user: 2.84, sys: 0.36, mem: 1095340 ko) COQC src/Bedrock/Field/Translation/Proofs/EquivalenceProperties.v src/Bedrock/Field/Translation/Proofs/EquivalenceProperties.vo (real: 8.44, user: 8.06, sys: 0.36, mem: 907564 ko) COQC src/ExtractionHaskell/solinas_reduction.v > src/ExtractionHaskell/solinas_reduction.hs File "./src/ExtractionHaskell/solinas_reduction.v", line 3, characters 0-43: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/solinas_reduction.v", line 3, characters 0-43: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File 
"./src/ExtractionHaskell/solinas_reduction.v", line 3, characters 0-43: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/solinas_reduction.v", line 3, characters 0-43: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/solinas_reduction.v", line 3, characters 0-43: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/solinas_reduction.v", line 3, characters 0-43: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/solinas_reduction.hs (real: 16.47, user: 15.84, sys: 0.61, mem: 2009512 ko) COQC src/Fancy/Barrett256.v Finished transaction in 23.125 secs (22.878u,0.199s) (successful) src/Fancy/Barrett256.vo (real: 110.75, user: 109.62, sys: 0.91, mem: 2252340 ko) COQC src/ExtractionOCaml/saturated_solinas.v File "./src/ExtractionOCaml/saturated_solinas.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/saturated_solinas.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/saturated_solinas.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/saturated_solinas.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/saturated_solinas.v", line 3, characters 0-77: Warning: The identifier __ contains __ 
which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/saturated_solinas.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/saturated_solinas.ml (real: 25.21, user: 24.41, sys: 0.77, mem: 1874588 ko) COQC src/StandaloneDebuggingExamples.v src/StandaloneDebuggingExamples.vo (real: 30.01, user: 29.49, sys: 0.47, mem: 1487228 ko) COQC src/ExtractionOCaml/unsaturated_solinas.v File "./src/ExtractionOCaml/unsaturated_solinas.v", line 3, characters 0-81: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/unsaturated_solinas.v", line 3, characters 0-81: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/unsaturated_solinas.v", line 3, characters 0-81: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/unsaturated_solinas.v", line 3, characters 0-81: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/unsaturated_solinas.v", line 3, characters 0-81: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/unsaturated_solinas.v", line 3, characters 0-81: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/unsaturated_solinas.ml (real: 29.82, user: 29.27, sys: 0.52, mem: 2003852 ko) COQC src/ExtractionOCaml/word_by_word_montgomery.v File "./src/ExtractionOCaml/word_by_word_montgomery.v", line 3, characters 0-87: Warning: The identifier __ contains __ 
which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/word_by_word_montgomery.v", line 3, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/word_by_word_montgomery.v", line 3, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/word_by_word_montgomery.v", line 3, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/word_by_word_montgomery.v", line 3, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/word_by_word_montgomery.v", line 3, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/word_by_word_montgomery.ml (real: 32.49, user: 31.79, sys: 0.62, mem: 2095372 ko) COQC src/Bedrock/Field/Translation/Proofs/Flatten.v src/Bedrock/Field/Translation/Proofs/Flatten.vo (real: 10.93, user: 10.69, sys: 0.21, mem: 608996 ko) COQC src/Assembly/WithBedrock/Proofs.v build_inputs start build_inputs end build_merge_base_addresses start build_merge_base_addresses end build_merge_base_addresses start build_merge_base_addresses end build_merge_stack_placeholders start build_merge_stack_placeholders end get callee_saved_registers start get callee_saved_registers end get callee_saved_registers start SymexLines start SymexLines end get callee_saved_registers start get callee_saved_registers end LoadArray start LoadArray end LoadOutputs start LoadOutputs end LoadOutputs start LoadOutputs end Finished transaction in 14.074 secs (14.025u,0.039s) (successful) 
src/Assembly/WithBedrock/Proofs.vo (real: 258.77, user: 257.69, sys: 0.88, mem: 2500784 ko) COQC src/ExtractionOCaml/base_conversion.v File "./src/ExtractionOCaml/base_conversion.v", line 3, characters 0-73: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/base_conversion.v", line 3, characters 0-73: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/base_conversion.v", line 3, characters 0-73: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/base_conversion.v", line 3, characters 0-73: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/base_conversion.v", line 3, characters 0-73: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/base_conversion.v", line 3, characters 0-73: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/base_conversion.ml (real: 25.27, user: 24.69, sys: 0.55, mem: 1888216 ko) OCAMLOPT src/ExtractionOCaml/unsaturated_solinas.mli src/ExtractionOCaml/unsaturated_solinas.cmi (real: 0.54, user: 0.50, sys: 0.03, mem: 121004 ko) OCAMLOPT src/ExtractionOCaml/saturated_solinas.mli src/ExtractionOCaml/saturated_solinas.cmi (real: 0.55, user: 0.52, sys: 0.02, mem: 119472 ko) OCAMLOPT src/ExtractionOCaml/word_by_word_montgomery.mli src/ExtractionOCaml/word_by_word_montgomery.cmi (real: 0.54, user: 0.52, sys: 0.01, mem: 120588 ko) OCAMLOPT src/ExtractionOCaml/base_conversion.mli src/ExtractionOCaml/base_conversion.cmi (real: 0.55, user: 0.53, sys: 0.02, mem: 119376 ko) COQC 
src/ExtractionOCaml/perf_unsaturated_solinas.v src/ExtractionOCaml/perf_unsaturated_solinas.ml (real: 20.28, user: 19.74, sys: 0.52, mem: 1796028 ko) COQC src/Bedrock/Field/Common/Names/MakeNames.v src/Bedrock/Field/Common/Names/MakeNames.vo (real: 1.81, user: 1.61, sys: 0.19, mem: 601012 ko) OCAMLOPT src/ExtractionOCaml/perf_unsaturated_solinas.mli src/ExtractionOCaml/perf_unsaturated_solinas.cmi (real: 0.21, user: 0.20, sys: 0.00, mem: 61376 ko) COQC src/ExtractionOCaml/solinas_reduction.v File "./src/ExtractionOCaml/solinas_reduction.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/solinas_reduction.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/solinas_reduction.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/solinas_reduction.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/solinas_reduction.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/solinas_reduction.v", line 3, characters 0-77: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/solinas_reduction.ml (real: 32.82, user: 32.10, sys: 0.68, mem: 2130396 ko) COQC src/ExtractionOCaml/perf_word_by_word_montgomery.v src/ExtractionOCaml/perf_word_by_word_montgomery.ml (real: 20.02, user: 19.31, sys: 0.67, mem: 1849080 ko) COQC src/Bedrock/Field/Translation/Proofs/Expr.v 
src/Bedrock/Field/Translation/Proofs/Expr.vo (real: 23.40, user: 23.11, sys: 0.24, mem: 802276 ko) COQC src/Bedrock/Field/Translation/Proofs/LoadStoreList.v src/Bedrock/Field/Translation/Proofs/LoadStoreList.vo (real: 19.95, user: 19.66, sys: 0.26, mem: 742400 ko) OCAMLOPT src/ExtractionOCaml/solinas_reduction.mli src/ExtractionOCaml/solinas_reduction.cmi (real: 0.56, user: 0.54, sys: 0.01, mem: 120012 ko) COQC src/Bedrock/Field/Common/Arrays/MakeAccessSizes.v src/Bedrock/Field/Common/Arrays/MakeAccessSizes.vo (real: 2.38, user: 2.18, sys: 0.18, mem: 590100 ko) OCAMLOPT src/ExtractionOCaml/saturated_solinas.ml -o src/ExtractionOCaml/saturated_solinas File "src/ExtractionOCaml/saturated_solinas.ml", line 655016, characters 10-25: 655016 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/saturated_solinas (real: 36.24, user: 34.95, sys: 1.25, mem: 1415852 ko) OCAMLOPT src/ExtractionOCaml/perf_word_by_word_montgomery.mli src/ExtractionOCaml/perf_word_by_word_montgomery.cmi (real: 0.20, user: 0.17, sys: 0.03, mem: 61300 ko) COQC src/Bedrock/Field/Common/Arrays/MaxBounds.v src/Bedrock/Field/Common/Arrays/MaxBounds.vo (real: 1.20, user: 1.02, sys: 0.17, mem: 598272 ko) OCAMLOPT src/ExtractionOCaml/unsaturated_solinas.ml -o src/ExtractionOCaml/unsaturated_solinas File "src/ExtractionOCaml/unsaturated_solinas.ml", line 728822, characters 10-25: 728822 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. 
If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/unsaturated_solinas (real: 38.87, user: 37.74, sys: 1.09, mem: 1687236 ko) OCAMLOPT src/ExtractionOCaml/word_by_word_montgomery.ml -o src/ExtractionOCaml/word_by_word_montgomery File "src/ExtractionOCaml/word_by_word_montgomery.ml", line 802795, characters 10-25: 802795 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/word_by_word_montgomery (real: 41.20, user: 39.68, sys: 1.45, mem: 2147996 ko) SYNTHESIZE > fiat-c/src/curve25519_64.c fiat-c/src/curve25519_64.c (real: 0.49, user: 0.47, sys: 0.02, mem: 25732 ko) SYNTHESIZE > fiat-c/src/curve25519_32.c fiat-c/src/curve25519_32.c (real: 1.83, user: 1.80, sys: 0.03, mem: 33848 ko) SYNTHESIZE > fiat-c/src/poly1305_64.c fiat-c/src/poly1305_64.c (real: 0.15, user: 0.13, sys: 0.02, mem: 22936 ko) SYNTHESIZE > fiat-c/src/poly1305_32.c fiat-c/src/poly1305_32.c (real: 0.23, user: 0.21, sys: 0.01, mem: 23840 ko) OCAMLOPT src/ExtractionOCaml/perf_unsaturated_solinas.ml -o src/ExtractionOCaml/perf_unsaturated_solinas File "src/ExtractionOCaml/perf_unsaturated_solinas.ml", line 72173, characters 10-25: 72173 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. 
If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/perf_unsaturated_solinas (real: 30.44, user: 29.43, sys: 0.98, mem: 1232428 ko) SYNTHESIZE > fiat-c/src/p521_64.c fiat-c/src/p521_64.c (real: 3.29, user: 3.23, sys: 0.04, mem: 35984 ko) OCAMLOPT src/ExtractionOCaml/base_conversion.ml -o src/ExtractionOCaml/base_conversion File "src/ExtractionOCaml/base_conversion.ml", line 649087, characters 10-25: 649087 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/base_conversion (real: 35.98, user: 34.76, sys: 1.17, mem: 1415940 ko) SYNTHESIZE > fiat-c/src/p448_solinas_64.c fiat-c/src/p448_solinas_64.c (real: 2.02, user: 1.98, sys: 0.04, mem: 34404 ko) SYNTHESIZE > fiat-c/src/p256_64.c fiat-c/src/p256_64.c (real: 1.89, user: 1.84, sys: 0.04, mem: 55088 ko) SYNTHESIZE > fiat-c/src/secp256k1_64.c fiat-c/src/secp256k1_64.c (real: 2.52, user: 2.45, sys: 0.05, mem: 59392 ko) COQC src/Bedrock/Field/Translation/Proofs/Cmd.v src/Bedrock/Field/Translation/Proofs/Cmd.vo (real: 19.11, user: 18.62, sys: 0.47, mem: 1127392 ko) SYNTHESIZE > fiat-c/src/p448_solinas_32.c fiat-c/src/p448_solinas_32.c (real: 8.29, user: 8.19, sys: 0.08, mem: 55508 ko) SYNTHESIZE > fiat-c/src/p256_32.c fiat-c/src/p256_32.c (real: 16.39, user: 16.20, sys: 0.15, mem: 322092 ko) SYNTHESIZE > fiat-c/src/p384_64.c fiat-c/src/p384_64.c (real: 9.62, user: 9.50, sys: 0.10, mem: 145592 ko) SYNTHESIZE > fiat-c/src/p224_64.c fiat-c/src/p224_64.c (real: 1.93, user: 1.88, sys: 0.05, mem: 63312 ko) SYNTHESIZE > fiat-c/src/secp256k1_32.c fiat-c/src/secp256k1_32.c (real: 16.98, user: 16.71, sys: 0.25, mem: 439168 ko) SYNTHESIZE > fiat-c/src/curve25519_scalar_64.c fiat-c/src/curve25519_scalar_64.c (real: 2.40, user: 
2.34, sys: 0.06, mem: 58552 ko) SYNTHESIZE > fiat-c/src/p224_32.c fiat-c/src/p224_32.c (real: 9.46, user: 9.24, sys: 0.19, mem: 230944 ko) SYNTHESIZE > fiat-c/src/p256_scalar_64.c fiat-c/src/p256_scalar_64.c (real: 2.78, user: 2.69, sys: 0.07, mem: 57920 ko) SYNTHESIZE > fiat-c/src/p434_64.c fiat-c/src/p434_64.c (real: 18.80, user: 18.64, sys: 0.13, mem: 250952 ko) COQC src/Bedrock/Field/Translation/Proofs/ValidComputable/Expr.v src/Bedrock/Field/Translation/Proofs/ValidComputable/Expr.vo (real: 49.21, user: 48.76, sys: 0.38, mem: 1084892 ko) SYNTHESIZE > fiat-c/src/curve25519_scalar_32.c fiat-c/src/curve25519_scalar_32.c (real: 17.19, user: 16.94, sys: 0.22, mem: 332876 ko) SYNTHESIZE > fiat-c/src/secp256k1_scalar_64.c fiat-c/src/secp256k1_scalar_64.c (real: 2.87, user: 2.78, sys: 0.07, mem: 61580 ko) SYNTHESIZE > fiat-c/src/p256_scalar_32.c fiat-c/src/p256_scalar_32.c (real: 17.70, user: 17.48, sys: 0.19, mem: 348852 ko) SYNTHESIZE > fiat-rust/src/curve25519_64.rs fiat-rust/src/curve25519_64.rs (real: 0.51, user: 0.50, sys: 0.01, mem: 26700 ko) SYNTHESIZE > fiat-c/src/p384_scalar_64.c fiat-c/src/p384_scalar_64.c (real: 11.25, user: 11.12, sys: 0.13, mem: 165616 ko) SYNTHESIZE > fiat-rust/src/poly1305_64.rs fiat-rust/src/poly1305_64.rs (real: 0.14, user: 0.11, sys: 0.01, mem: 23260 ko) SYNTHESIZE > fiat-rust/src/poly1305_32.rs fiat-rust/src/poly1305_32.rs (real: 0.24, user: 0.23, sys: 0.01, mem: 24052 ko) SYNTHESIZE > fiat-rust/src/curve25519_32.rs fiat-rust/src/curve25519_32.rs (real: 1.84, user: 1.81, sys: 0.03, mem: 33720 ko) SYNTHESIZE > fiat-rust/src/p521_64.rs fiat-rust/src/p521_64.rs (real: 2.96, user: 2.91, sys: 0.03, mem: 36476 ko) SYNTHESIZE > fiat-rust/src/p448_solinas_64.rs fiat-rust/src/p448_solinas_64.rs (real: 1.97, user: 1.93, sys: 0.03, mem: 34080 ko) SYNTHESIZE > fiat-rust/src/p256_64.rs fiat-rust/src/p256_64.rs (real: 1.90, user: 1.83, sys: 0.06, mem: 56696 ko) SYNTHESIZE > fiat-rust/src/p448_solinas_32.rs fiat-rust/src/p448_solinas_32.rs (real: 
8.11, user: 8.03, sys: 0.06, mem: 58020 ko) SYNTHESIZE > fiat-c/src/secp256k1_scalar_32.c fiat-c/src/secp256k1_scalar_32.c (real: 17.51, user: 17.22, sys: 0.25, mem: 320720 ko) SYNTHESIZE > fiat-rust/src/secp256k1_64.rs fiat-rust/src/secp256k1_64.rs (real: 2.54, user: 2.48, sys: 0.05, mem: 65244 ko) SYNTHESIZE > fiat-rust/src/p256_32.rs fiat-rust/src/p256_32.rs (real: 16.90, user: 16.71, sys: 0.17, mem: 360764 ko) SYNTHESIZE > fiat-rust/src/p384_64.rs fiat-rust/src/p384_64.rs (real: 9.93, user: 9.77, sys: 0.13, mem: 144620 ko) SYNTHESIZE > fiat-rust/src/p224_64.rs fiat-rust/src/p224_64.rs (real: 1.99, user: 1.91, sys: 0.07, mem: 60988 ko) SYNTHESIZE > fiat-rust/src/secp256k1_32.rs fiat-rust/src/secp256k1_32.rs (real: 17.75, user: 17.43, sys: 0.28, mem: 323304 ko) SYNTHESIZE > fiat-rust/src/p224_32.rs fiat-rust/src/p224_32.rs (real: 9.63, user: 9.43, sys: 0.18, mem: 237956 ko) SYNTHESIZE > fiat-rust/src/curve25519_scalar_64.rs fiat-rust/src/curve25519_scalar_64.rs (real: 2.41, user: 2.33, sys: 0.08, mem: 56092 ko) SYNTHESIZE > fiat-rust/src/p434_64.rs fiat-rust/src/p434_64.rs (real: 19.04, user: 18.77, sys: 0.25, mem: 290856 ko) SYNTHESIZE > fiat-rust/src/p256_scalar_64.rs fiat-rust/src/p256_scalar_64.rs (real: 2.87, user: 2.75, sys: 0.12, mem: 66080 ko) SYNTHESIZE > fiat-rust/src/curve25519_scalar_32.rs fiat-rust/src/curve25519_scalar_32.rs (real: 17.50, user: 17.15, sys: 0.31, mem: 341052 ko) SYNTHESIZE > fiat-rust/src/p384_scalar_64.rs fiat-rust/src/p384_scalar_64.rs (real: 11.53, user: 11.36, sys: 0.15, mem: 146508 ko) SYNTHESIZE > fiat-rust/src/p256_scalar_32.rs fiat-rust/src/p256_scalar_32.rs (real: 18.06, user: 17.76, sys: 0.26, mem: 336704 ko) SYNTHESIZE > fiat-rust/src/secp256k1_scalar_64.rs fiat-rust/src/secp256k1_scalar_64.rs (real: 2.92, user: 2.83, sys: 0.07, mem: 64628 ko) SYNTHESIZE > fiat-c/src/p384_32.c fiat-c/src/p384_32.c (real: 115.23, user: 114.34, sys: 0.81, mem: 1931692 ko) SYNTHESIZE > fiat-go/32/curve25519/curve25519.go 
fiat-go/32/curve25519/curve25519.go (real: 2.23, user: 2.18, sys: 0.03, mem: 35508 ko) SYNTHESIZE > fiat-go/32/poly1305/poly1305.go fiat-go/32/poly1305/poly1305.go (real: 0.32, user: 0.31, sys: 0.00, mem: 25360 ko) SYNTHESIZE > fiat-rust/src/secp256k1_scalar_32.rs fiat-rust/src/secp256k1_scalar_32.rs (real: 17.13, user: 16.77, sys: 0.32, mem: 440428 ko) SYNTHESIZE > fiat-go/32/p256/p256.go fiat-go/32/p256/p256.go (real: 16.15, user: 15.94, sys: 0.19, mem: 340072 ko) SYNTHESIZE > fiat-c/src/p384_scalar_32.c fiat-c/src/p384_scalar_32.c (real: 117.23, user: 116.18, sys: 0.97, mem: 2088112 ko) SYNTHESIZE > fiat-go/32/secp256k1/secp256k1.go fiat-go/32/secp256k1/secp256k1.go (real: 17.69, user: 17.40, sys: 0.25, mem: 420248 ko) SYNTHESIZE > fiat-go/32/p224/p224.go fiat-go/32/p224/p224.go (real: 9.65, user: 9.47, sys: 0.16, mem: 241408 ko) SYNTHESIZE > fiat-go/32/curve25519scalar/curve25519scalar.go fiat-go/32/curve25519scalar/curve25519scalar.go (real: 17.55, user: 17.39, sys: 0.14, mem: 321492 ko) SYNTHESIZE > fiat-go/32/p256scalar/p256scalar.go fiat-go/32/p256scalar/p256scalar.go (real: 18.02, user: 17.74, sys: 0.26, mem: 432476 ko) SYNTHESIZE > fiat-rust/src/p384_32.rs fiat-rust/src/p384_32.rs (real: 116.30, user: 115.44, sys: 0.77, mem: 1749364 ko) SYNTHESIZE > fiat-go/64/curve25519/curve25519.go fiat-go/64/curve25519/curve25519.go (real: 0.66, user: 0.62, sys: 0.03, mem: 31380 ko) SYNTHESIZE > fiat-go/64/poly1305/poly1305.go fiat-go/64/poly1305/poly1305.go (real: 0.19, user: 0.18, sys: 0.01, mem: 25240 ko) SYNTHESIZE > fiat-go/64/p521/p521.go fiat-go/64/p521/p521.go (real: 4.13, user: 4.09, sys: 0.04, mem: 48280 ko) SYNTHESIZE > fiat-go/64/p448solinas/p448solinas.go fiat-go/64/p448solinas/p448solinas.go (real: 2.76, user: 2.73, sys: 0.02, mem: 51028 ko) SYNTHESIZE > fiat-go/64/p256/p256.go fiat-go/64/p256/p256.go (real: 2.01, user: 1.94, sys: 0.05, mem: 61524 ko) SYNTHESIZE > fiat-go/64/secp256k1/secp256k1.go fiat-go/64/secp256k1/secp256k1.go (real: 2.65, user: 
2.61, sys: 0.03, mem: 61464 ko) SYNTHESIZE > fiat-go/32/secp256k1scalar/secp256k1scalar.go fiat-go/32/secp256k1scalar/secp256k1scalar.go (real: 17.16, user: 16.91, sys: 0.23, mem: 423796 ko) SYNTHESIZE > fiat-go/64/p224/p224.go fiat-go/64/p224/p224.go (real: 2.01, user: 1.94, sys: 0.05, mem: 68608 ko) SYNTHESIZE > fiat-go/64/p384/p384.go fiat-go/64/p384/p384.go (real: 9.81, user: 9.66, sys: 0.13, mem: 171076 ko) SYNTHESIZE > fiat-go/64/curve25519scalar/curve25519scalar.go fiat-go/64/curve25519scalar/curve25519scalar.go (real: 2.45, user: 2.38, sys: 0.06, mem: 59920 ko) SYNTHESIZE > fiat-go/64/p256scalar/p256scalar.go fiat-go/64/p256scalar/p256scalar.go (real: 2.88, user: 2.79, sys: 0.08, mem: 61916 ko) SYNTHESIZE > fiat-go/64/p434/p434.go fiat-go/64/p434/p434.go (real: 19.32, user: 19.12, sys: 0.18, mem: 258200 ko) SYNTHESIZE > fiat-go/64/secp256k1scalar/secp256k1scalar.go fiat-go/64/secp256k1scalar/secp256k1scalar.go (real: 2.89, user: 2.83, sys: 0.05, mem: 61796 ko) SYNTHESIZE > fiat-json/src/curve25519_64.json fiat-json/src/curve25519_64.json (real: 0.61, user: 0.56, sys: 0.04, mem: 32448 ko) SYNTHESIZE > fiat-go/64/p384scalar/p384scalar.go fiat-go/64/p384scalar/p384scalar.go (real: 11.54, user: 11.39, sys: 0.12, mem: 162784 ko) SYNTHESIZE > fiat-json/src/poly1305_64.json fiat-json/src/poly1305_64.json (real: 0.18, user: 0.15, sys: 0.03, mem: 26324 ko) SYNTHESIZE > fiat-json/src/poly1305_32.json fiat-json/src/poly1305_32.json (real: 0.32, user: 0.26, sys: 0.06, mem: 29020 ko) SYNTHESIZE > fiat-json/src/curve25519_32.json fiat-json/src/curve25519_32.json (real: 2.14, user: 1.91, sys: 0.16, mem: 47816 ko) SYNTHESIZE > fiat-json/src/p448_solinas_64.json fiat-json/src/p448_solinas_64.json (real: 2.28, user: 2.13, sys: 0.14, mem: 50712 ko) SYNTHESIZE > fiat-json/src/p521_64.json fiat-json/src/p521_64.json (real: 3.39, user: 3.06, sys: 0.20, mem: 52104 ko) SYNTHESIZE > fiat-json/src/p256_64.json fiat-json/src/p256_64.json (real: 2.14, user: 1.99, sys: 0.14, mem: 66020 
ko) SYNTHESIZE > fiat-rust/src/p384_scalar_32.rs fiat-rust/src/p384_scalar_32.rs (real: 118.13, user: 116.73, sys: 1.24, mem: 2140160 ko) SYNTHESIZE > fiat-json/src/secp256k1_64.json fiat-json/src/secp256k1_64.json (real: 2.79, user: 2.61, sys: 0.18, mem: 71640 ko) SYNTHESIZE > fiat-json/src/p448_solinas_32.json fiat-json/src/p448_solinas_32.json (real: 8.97, user: 8.40, sys: 0.56, mem: 123160 ko) SYNTHESIZE > fiat-json/src/p384_64.json fiat-json/src/p384_64.json (real: 10.24, user: 9.87, sys: 0.35, mem: 182216 ko) SYNTHESIZE > fiat-json/src/p256_32.json fiat-json/src/p256_32.json (real: 17.35, user: 16.79, sys: 0.51, mem: 450500 ko) SYNTHESIZE > fiat-json/src/p224_64.json fiat-json/src/p224_64.json (real: 2.22, user: 2.05, sys: 0.16, mem: 65788 ko) SYNTHESIZE > fiat-json/src/secp256k1_32.json fiat-json/src/secp256k1_32.json (real: 18.42, user: 17.80, sys: 0.51, mem: 382988 ko) SYNTHESIZE > fiat-go/32/p384/p384.go fiat-go/32/p384/p384.go (real: 117.41, user: 116.19, sys: 1.03, mem: 2056320 ko) SYNTHESIZE > fiat-json/src/p224_32.json fiat-json/src/p224_32.json (real: 10.05, user: 9.65, sys: 0.30, mem: 232968 ko) SYNTHESIZE > fiat-json/src/curve25519_scalar_64.json fiat-json/src/curve25519_scalar_64.json (real: 2.84, user: 2.39, sys: 0.26, mem: 66076 ko) SYNTHESIZE > fiat-json/src/p256_scalar_64.json fiat-json/src/p256_scalar_64.json (real: 3.04, user: 2.85, sys: 0.18, mem: 68116 ko) SYNTHESIZE > fiat-json/src/p434_64.json fiat-json/src/p434_64.json (real: 19.35, user: 18.88, sys: 0.43, mem: 265704 ko) SYNTHESIZE > fiat-json/src/curve25519_scalar_32.json fiat-json/src/curve25519_scalar_32.json (real: 17.81, user: 17.23, sys: 0.54, mem: 403696 ko) SYNTHESIZE > fiat-json/src/p256_scalar_32.json fiat-json/src/p256_scalar_32.json (real: 18.38, user: 17.83, sys: 0.53, mem: 454516 ko) SYNTHESIZE > fiat-json/src/p384_scalar_64.json fiat-json/src/p384_scalar_64.json (real: 11.77, user: 11.44, sys: 0.31, mem: 185744 ko) SYNTHESIZE > fiat-json/src/secp256k1_scalar_64.json 
fiat-json/src/secp256k1_scalar_64.json (real: 3.09, user: 2.90, sys: 0.17, mem: 69480 ko) SYNTHESIZE > fiat-java/src/FiatCurve25519.java fiat-java/src/FiatCurve25519.java (real: 1.88, user: 1.82, sys: 0.04, mem: 34620 ko) SYNTHESIZE > fiat-java/src/FiatPoly1305.java fiat-java/src/FiatPoly1305.java (real: 0.25, user: 0.21, sys: 0.03, mem: 24428 ko) SYNTHESIZE > fiat-go/32/p384scalar/p384scalar.go fiat-go/32/p384scalar/p384scalar.go (real: 118.79, user: 117.88, sys: 0.83, mem: 1680860 ko) SYNTHESIZE > fiat-json/src/secp256k1_scalar_32.json fiat-json/src/secp256k1_scalar_32.json (real: 17.74, user: 17.11, sys: 0.61, mem: 454308 ko) SYNTHESIZE > fiat-java/src/FiatP256.java fiat-java/src/FiatP256.java (real: 16.90, user: 16.66, sys: 0.22, mem: 353720 ko) SYNTHESIZE > fiat-java/src/FiatSecp256K1.java fiat-java/src/FiatSecp256K1.java (real: 17.89, user: 17.56, sys: 0.30, mem: 361956 ko) SYNTHESIZE > fiat-java/src/FiatP224.java fiat-java/src/FiatP224.java (real: 9.77, user: 9.57, sys: 0.19, mem: 268048 ko) SYNTHESIZE > fiat-java/src/FiatCurve25519Scalar.java fiat-java/src/FiatCurve25519Scalar.java (real: 17.65, user: 17.36, sys: 0.25, mem: 404864 ko) SYNTHESIZE > fiat-java/src/FiatP256Scalar.java fiat-java/src/FiatP256Scalar.java (real: 18.06, user: 17.70, sys: 0.33, mem: 422504 ko) SYNTHESIZE > fiat-java/src/FiatSecp256K1Scalar.java fiat-java/src/FiatSecp256K1Scalar.java (real: 18.05, user: 17.69, sys: 0.33, mem: 434652 ko) SYNTHESIZE > fiat-zig/src/curve25519_64.zig fiat-zig/src/curve25519_64.zig (real: 0.51, user: 0.49, sys: 0.01, mem: 25756 ko) SYNTHESIZE > fiat-zig/src/curve25519_32.zig fiat-zig/src/curve25519_32.zig (real: 1.88, user: 1.86, sys: 0.01, mem: 32868 ko) SYNTHESIZE > fiat-zig/src/poly1305_64.zig fiat-zig/src/poly1305_64.zig (real: 0.15, user: 0.14, sys: 0.01, mem: 22748 ko) SYNTHESIZE > fiat-zig/src/poly1305_32.zig fiat-zig/src/poly1305_32.zig (real: 0.24, user: 0.22, sys: 0.01, mem: 23924 ko) SYNTHESIZE > fiat-zig/src/p521_64.zig fiat-zig/src/p521_64.zig 
(real: 3.34, user: 3.31, sys: 0.02, mem: 35896 ko) SYNTHESIZE > fiat-zig/src/p448_solinas_64.zig fiat-zig/src/p448_solinas_64.zig (real: 2.07, user: 2.02, sys: 0.03, mem: 35540 ko) SYNTHESIZE > fiat-json/src/p384_32.json fiat-json/src/p384_32.json (real: 116.79, user: 114.84, sys: 1.65, mem: 1994324 ko) SYNTHESIZE > fiat-zig/src/p256_64.zig fiat-zig/src/p256_64.zig (real: 1.93, user: 1.86, sys: 0.05, mem: 56196 ko) SYNTHESIZE > fiat-zig/src/p448_solinas_32.zig fiat-zig/src/p448_solinas_32.zig (real: 8.45, user: 8.36, sys: 0.07, mem: 58732 ko) SYNTHESIZE > fiat-zig/src/secp256k1_64.zig fiat-zig/src/secp256k1_64.zig (real: 2.62, user: 2.57, sys: 0.05, mem: 57284 ko) SYNTHESIZE > fiat-zig/src/p256_32.zig fiat-zig/src/p256_32.zig (real: 16.95, user: 16.79, sys: 0.14, mem: 330388 ko) SYNTHESIZE > fiat-zig/src/secp256k1_32.zig fiat-zig/src/secp256k1_32.zig (real: 17.93, user: 17.62, sys: 0.27, mem: 420016 ko) SYNTHESIZE > fiat-zig/src/p384_64.zig fiat-zig/src/p384_64.zig (real: 9.42, user: 9.27, sys: 0.14, mem: 156572 ko) SYNTHESIZE > fiat-zig/src/p224_64.zig fiat-zig/src/p224_64.zig (real: 1.98, user: 1.93, sys: 0.04, mem: 56008 ko) SYNTHESIZE > fiat-json/src/p384_scalar_32.json fiat-json/src/p384_scalar_32.json (real: 119.82, user: 117.91, sys: 1.64, mem: 2007840 ko) SYNTHESIZE > fiat-zig/src/p224_32.zig fiat-zig/src/p224_32.zig (real: 9.61, user: 9.41, sys: 0.18, mem: 240824 ko) SYNTHESIZE > fiat-zig/src/curve25519_scalar_64.zig fiat-zig/src/curve25519_scalar_64.zig (real: 2.45, user: 2.37, sys: 0.07, mem: 64404 ko) SYNTHESIZE > fiat-zig/src/p434_64.zig fiat-zig/src/p434_64.zig (real: 19.21, user: 19.01, sys: 0.17, mem: 245656 ko) SYNTHESIZE > fiat-java/src/FiatP384.java fiat-java/src/FiatP384.java (real: 117.04, user: 115.70, sys: 1.26, mem: 1945140 ko) SYNTHESIZE > fiat-zig/src/p256_scalar_64.zig fiat-zig/src/p256_scalar_64.zig (real: 2.80, user: 2.74, sys: 0.05, mem: 65276 ko) SYNTHESIZE > fiat-zig/src/curve25519_scalar_32.zig fiat-zig/src/curve25519_scalar_32.zig 
(real: 17.22, user: 16.97, sys: 0.23, mem: 354652 ko) SYNTHESIZE > fiat-zig/src/p384_scalar_64.zig fiat-zig/src/p384_scalar_64.zig (real: 11.41, user: 11.26, sys: 0.13, mem: 143700 ko) SYNTHESIZE > fiat-zig/src/secp256k1_scalar_64.zig fiat-zig/src/secp256k1_scalar_64.zig (real: 2.86, user: 2.79, sys: 0.05, mem: 57040 ko) SYNTHESIZE > fiat-zig/src/p256_scalar_32.zig fiat-zig/src/p256_scalar_32.zig (real: 17.12, user: 16.87, sys: 0.23, mem: 352580 ko) SYNTHESIZE > fiat-java/src/FiatP384Scalar.java fiat-java/src/FiatP384Scalar.java (real: 118.10, user: 116.65, sys: 1.37, mem: 2139664 ko) COQC src/Bedrock/Field/Stringification/Stringification.v src/Bedrock/Field/Stringification/Stringification.vo (real: 3.33, user: 2.98, sys: 0.33, mem: 1029916 ko) SYNTHESIZE > fiat-zig/src/secp256k1_scalar_32.zig fiat-zig/src/secp256k1_scalar_32.zig (real: 17.72, user: 17.38, sys: 0.29, mem: 342832 ko) COQC src/Bedrock/Field/Synthesis/Generic/Bignum.v src/Bedrock/Field/Synthesis/Generic/Bignum.vo (real: 4.04, user: 3.85, sys: 0.18, mem: 587408 ko) COQC src/Bedrock/Field/Translation/Proofs/Func.v src/Bedrock/Field/Translation/Proofs/Func.vo (real: 19.73, user: 19.25, sys: 0.39, mem: 1098836 ko) OCAMLOPT src/ExtractionOCaml/perf_word_by_word_montgomery.ml -o src/ExtractionOCaml/perf_word_by_word_montgomery File "src/ExtractionOCaml/perf_word_by_word_montgomery.ml", line 71884, characters 10-25: 71884 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. 
If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/perf_word_by_word_montgomery (real: 31.67, user: 30.57, sys: 1.07, mem: 1232184 ko) OCAMLOPT src/ExtractionOCaml/solinas_reduction.ml -o src/ExtractionOCaml/solinas_reduction File "src/ExtractionOCaml/solinas_reduction.ml", line 824341, characters 10-25: 824341 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/solinas_reduction (real: 44.65, user: 43.08, sys: 1.53, mem: 2147548 ko) COQC src/Bedrock/Field/Translation/Proofs/ValidComputable/Cmd.v src/Bedrock/Field/Translation/Proofs/ValidComputable/Cmd.vo (real: 5.19, user: 4.81, sys: 0.37, mem: 1035264 ko) COQC src/Bedrock/Specs/Field.v src/Bedrock/Specs/Field.vo (real: 1.41, user: 1.19, sys: 0.21, mem: 621420 ko) COQC src/Bedrock/Standalone/StandaloneHaskellMain.v src/Bedrock/Standalone/StandaloneHaskellMain.vo (real: 3.26, user: 2.82, sys: 0.43, mem: 1109584 ko) COQC src/Bedrock/Standalone/StandaloneOCamlMain.v src/Bedrock/Standalone/StandaloneOCamlMain.vo (real: 3.23, user: 2.86, sys: 0.35, mem: 1109636 ko) COQC src/Bedrock/Group/Point.v src/Bedrock/Group/Point.vo (real: 1.16, user: 0.98, sys: 0.18, mem: 615940 ko) COQC src/Bedrock/Field/Translation/Proofs/ValidComputable/Func.v src/Bedrock/Field/Translation/Proofs/ValidComputable/Func.vo (real: 3.14, user: 2.77, sys: 0.37, mem: 1036080 ko) COQC src/Bedrock/Field/Interface/Compilation2.v src/Bedrock/Field/Interface/Compilation2.vo (real: 3.04, user: 2.78, sys: 0.24, mem: 618176 ko) SYNTHESIZE > fiat-zig/src/p384_32.zig fiat-zig/src/p384_32.zig (real: 106.03, user: 105.15, sys: 0.74, mem: 1816008 ko) COQC src/ExtractionHaskell/bedrock2_saturated_solinas.v > 
src/ExtractionHaskell/bedrock2_saturated_solinas.hs File "./src/ExtractionHaskell/bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/bedrock2_saturated_solinas.hs (real: 15.37, user: 14.75, sys: 0.60, mem: 1887676 ko) COQC src/ExtractionHaskell/bedrock2_unsaturated_solinas.v > src/ExtractionHaskell/bedrock2_unsaturated_solinas.hs File "./src/ExtractionHaskell/bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_unsaturated_solinas.v", 
line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/bedrock2_unsaturated_solinas.hs (real: 16.61, user: 15.90, sys: 0.67, mem: 1976128 ko) COQC src/ExtractionHaskell/bedrock2_word_by_word_montgomery.v > src/ExtractionHaskell/bedrock2_word_by_word_montgomery.hs File "./src/ExtractionHaskell/bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which 
is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/bedrock2_word_by_word_montgomery.hs (real: 17.61, user: 17.01, sys: 0.58, mem: 2026308 ko) COQC src/ExtractionHaskell/bedrock2_base_conversion.v > src/ExtractionHaskell/bedrock2_base_conversion.hs File "./src/ExtractionHaskell/bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/bedrock2_base_conversion.hs (real: 15.50, user: 14.91, sys: 0.56, mem: 1895908 ko) COQC src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.v > src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.hs File 
"./src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.v", line 4, characters 52-97: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/with_bedrock2_unsaturated_solinas.hs (real: 15.87, user: 15.28, sys: 0.55, mem: 1976164 ko) COQC src/ExtractionHaskell/bedrock2_solinas_reduction.v > src/ExtractionHaskell/bedrock2_solinas_reduction.hs File "./src/ExtractionHaskell/bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_solinas_reduction.v", line 4, characters 
50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/bedrock2_solinas_reduction.hs (real: 17.01, user: 16.34, sys: 0.65, mem: 2106988 ko) COQC src/ExtractionHaskell/with_bedrock2_saturated_solinas.v > src/ExtractionHaskell/with_bedrock2_saturated_solinas.hs File "./src/ExtractionHaskell/with_bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction 
[extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_saturated_solinas.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/with_bedrock2_saturated_solinas.hs (real: 15.47, user: 14.82, sys: 0.62, mem: 1887564 ko) SYNTHESIZE > fiat-c/src/curve25519_solinas_64.c fiat-c/src/curve25519_solinas_64.c (real: 0.42, user: 0.41, sys: 0.00, mem: 36248 ko) SYNTHESIZE > fiat-rust/src/curve25519_solinas_64.rs fiat-rust/src/curve25519_solinas_64.rs (real: 0.43, user: 0.41, sys: 0.02, mem: 35876 ko) SYNTHESIZE > fiat-go/64/curve25519solinas/curve25519solinas.go fiat-go/64/curve25519solinas/curve25519solinas.go (real: 0.43, user: 0.41, sys: 0.01, mem: 36404 ko) SYNTHESIZE > fiat-json/src/curve25519_solinas_64.json fiat-json/src/curve25519_solinas_64.json (real: 0.49, user: 0.44, sys: 0.05, mem: 37204 ko) SYNTHESIZE > fiat-zig/src/curve25519_solinas_64.zig fiat-zig/src/curve25519_solinas_64.zig (real: 0.48, user: 0.44, sys: 0.02, mem: 36136 ko) COQC src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.v > src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.hs File "./src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The 
identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.v", line 4, characters 56-103: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/with_bedrock2_word_by_word_montgomery.hs (real: 17.65, user: 17.06, sys: 0.55, mem: 2026296 ko) COQC src/ExtractionHaskell/with_bedrock2_base_conversion.v > src/ExtractionHaskell/with_bedrock2_base_conversion.hs File "./src/ExtractionHaskell/with_bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_base_conversion.v", line 4, characters 48-89: Warning: The identifier __ contains __ which is reserved for the extraction 
[extraction-reserved-identifier,extraction] src/ExtractionHaskell/with_bedrock2_base_conversion.hs (real: 15.43, user: 14.93, sys: 0.46, mem: 1895872 ko) COQC src/ExtractionHaskell/with_bedrock2_solinas_reduction.v > src/ExtractionHaskell/with_bedrock2_solinas_reduction.hs File "./src/ExtractionHaskell/with_bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionHaskell/with_bedrock2_solinas_reduction.v", line 4, characters 50-93: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionHaskell/with_bedrock2_solinas_reduction.hs (real: 17.22, user: 16.60, sys: 0.60, mem: 2106956 ko) SYNTHESIZE > fiat-zig/src/p384_scalar_32.zig fiat-zig/src/p384_scalar_32.zig (real: 114.71, user: 113.63, sys: 1.00, mem: 1834064 ko) COQC src/ExtractionOCaml/bedrock2_saturated_solinas.v File "./src/ExtractionOCaml/bedrock2_saturated_solinas.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the 
extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_saturated_solinas.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_saturated_solinas.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_saturated_solinas.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_saturated_solinas.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_saturated_solinas.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/bedrock2_saturated_solinas.ml (real: 26.51, user: 25.92, sys: 0.56, mem: 2007728 ko) COQC src/ExtractionOCaml/bedrock2_unsaturated_solinas.v File "./src/ExtractionOCaml/bedrock2_unsaturated_solinas.v", line 4, characters 0-90: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_unsaturated_solinas.v", line 4, characters 0-90: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_unsaturated_solinas.v", line 4, characters 0-90: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_unsaturated_solinas.v", line 4, characters 0-90: Warning: The identifier __ contains __ which is reserved 
for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_unsaturated_solinas.v", line 4, characters 0-90: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_unsaturated_solinas.v", line 4, characters 0-90: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/bedrock2_unsaturated_solinas.ml (real: 31.41, user: 30.75, sys: 0.63, mem: 2091876 ko) COQC src/ExtractionOCaml/bedrock2_base_conversion.v File "./src/ExtractionOCaml/bedrock2_base_conversion.v", line 4, characters 0-82: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_base_conversion.v", line 4, characters 0-82: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_base_conversion.v", line 4, characters 0-82: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_base_conversion.v", line 4, characters 0-82: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_base_conversion.v", line 4, characters 0-82: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_base_conversion.v", line 4, characters 0-82: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/bedrock2_base_conversion.ml (real: 27.23, user: 26.50, sys: 0.70, mem: 2033204 ko) COQC 
src/ExtractionOCaml/bedrock2_word_by_word_montgomery.v File "./src/ExtractionOCaml/bedrock2_word_by_word_montgomery.v", line 4, characters 0-96: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_word_by_word_montgomery.v", line 4, characters 0-96: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_word_by_word_montgomery.v", line 4, characters 0-96: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_word_by_word_montgomery.v", line 4, characters 0-96: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_word_by_word_montgomery.v", line 4, characters 0-96: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_word_by_word_montgomery.v", line 4, characters 0-96: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/bedrock2_word_by_word_montgomery.ml (real: 33.41, user: 32.69, sys: 0.65, mem: 2199516 ko) COQC src/ExtractionOCaml/bedrock2_solinas_reduction.v File "./src/ExtractionOCaml/bedrock2_solinas_reduction.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_solinas_reduction.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_solinas_reduction.v", line 4, characters 0-86: Warning: The identifier __ 
contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_solinas_reduction.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_solinas_reduction.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/bedrock2_solinas_reduction.v", line 4, characters 0-86: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/bedrock2_solinas_reduction.ml (real: 35.14, user: 34.38, sys: 0.71, mem: 2216436 ko) COQC src/ExtractionOCaml/with_bedrock2_saturated_solinas.v File "./src/ExtractionOCaml/with_bedrock2_saturated_solinas.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_saturated_solinas.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_saturated_solinas.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_saturated_solinas.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_saturated_solinas.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_saturated_solinas.v", line 4, characters 
0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/with_bedrock2_saturated_solinas.ml (real: 27.06, user: 26.41, sys: 0.62, mem: 2007792 ko) COQC src/Bedrock/Field/Interface/Representation.v src/Bedrock/Field/Interface/Representation.vo (real: 1.00, user: 0.82, sys: 0.17, mem: 613876 ko) COQC src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.v File "./src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.v", line 4, characters 0-95: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.v", line 4, characters 0-95: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.v", line 4, characters 0-95: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.v", line 4, characters 0-95: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.v", line 4, characters 0-95: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.v", line 4, characters 0-95: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.ml (real: 30.28, user: 29.60, sys: 0.64, mem: 2092128 ko) COQC src/ExtractionOCaml/with_bedrock2_base_conversion.v File "./src/ExtractionOCaml/with_bedrock2_base_conversion.v", line 4, characters 0-87: Warning: The identifier __ 
contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_base_conversion.v", line 4, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_base_conversion.v", line 4, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_base_conversion.v", line 4, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_base_conversion.v", line 4, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_base_conversion.v", line 4, characters 0-87: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/with_bedrock2_base_conversion.ml (real: 27.19, user: 26.55, sys: 0.62, mem: 2033624 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_unsaturated_solinas.mli src/ExtractionOCaml/bedrock2_unsaturated_solinas.cmi (real: 0.57, user: 0.55, sys: 0.01, mem: 122248 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_saturated_solinas.mli src/ExtractionOCaml/bedrock2_saturated_solinas.cmi (real: 0.55, user: 0.53, sys: 0.02, mem: 122272 ko) COQC src/Bedrock/Group/AdditionChains.v Section Variables: field_parameters : FieldParameters Section Variables: word : Interface.word width width : Z field_parameters : FieldParameters File "./src/Bedrock/Group/AdditionChains.v", line 474, characters 6-44: Warning: Use of “Require” inside a section is fragile. It is not recommended to use this functionality in finished proof scripts. 
[require-in-section,fragile] src/Bedrock/Group/AdditionChains.vo (real: 14.44, user: 14.16, sys: 0.26, mem: 672328 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_word_by_word_montgomery.mli src/ExtractionOCaml/bedrock2_word_by_word_montgomery.cmi (real: 0.59, user: 0.58, sys: 0.00, mem: 122004 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_base_conversion.mli src/ExtractionOCaml/bedrock2_base_conversion.cmi (real: 0.60, user: 0.59, sys: 0.00, mem: 122984 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_solinas_reduction.mli src/ExtractionOCaml/bedrock2_solinas_reduction.cmi (real: 0.57, user: 0.52, sys: 0.04, mem: 121880 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.mli src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.cmi (real: 0.61, user: 0.53, sys: 0.06, mem: 122276 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_saturated_solinas.mli src/ExtractionOCaml/with_bedrock2_saturated_solinas.cmi (real: 0.59, user: 0.57, sys: 0.01, mem: 122244 ko) COQC src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.v File "./src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.v", line 4, characters 0-101: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.v", line 4, characters 0-101: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.v", line 4, characters 0-101: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.v", line 4, characters 0-101: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.v", line 4, characters 0-101: Warning: 
The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.v", line 4, characters 0-101: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.ml (real: 34.38, user: 33.70, sys: 0.65, mem: 2199600 ko) COQC src/Bedrock/Group/ScalarMult/LadderStep.v src/Bedrock/Group/ScalarMult/LadderStep.vo (real: 14.05, user: 13.82, sys: 0.20, mem: 664304 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_base_conversion.mli src/ExtractionOCaml/with_bedrock2_base_conversion.cmi (real: 0.58, user: 0.54, sys: 0.04, mem: 123048 ko) COQC src/ExtractionOCaml/with_bedrock2_solinas_reduction.v File "./src/ExtractionOCaml/with_bedrock2_solinas_reduction.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_solinas_reduction.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_solinas_reduction.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_solinas_reduction.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_solinas_reduction.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is reserved for the extraction [extraction-reserved-identifier,extraction] File "./src/ExtractionOCaml/with_bedrock2_solinas_reduction.v", line 4, characters 0-91: Warning: The identifier __ contains __ which is 
reserved for the extraction [extraction-reserved-identifier,extraction] src/ExtractionOCaml/with_bedrock2_solinas_reduction.ml (real: 26.67, user: 25.97, sys: 0.65, mem: 2007684 ko) COQC src/Bedrock/Field/Synthesis/New/Signature.v src/Bedrock/Field/Synthesis/New/Signature.vo (real: 17.98, user: 17.56, sys: 0.38, mem: 1169404 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_saturated_solinas.ml -o src/ExtractionOCaml/bedrock2_saturated_solinas File "src/ExtractionOCaml/bedrock2_saturated_solinas.ml", line 655448, characters 10-25: 655448 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/bedrock2_saturated_solinas (real: 37.96, user: 36.69, sys: 1.23, mem: 1416964 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_base_conversion.ml -o src/ExtractionOCaml/bedrock2_base_conversion File "src/ExtractionOCaml/bedrock2_base_conversion.ml", line 649519, characters 10-25: 649519 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/bedrock2_base_conversion (real: 37.79, user: 36.57, sys: 1.15, mem: 1417076 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_unsaturated_solinas.ml -o src/ExtractionOCaml/bedrock2_unsaturated_solinas File "src/ExtractionOCaml/bedrock2_unsaturated_solinas.ml", line 729254, characters 10-25: 729254 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. 
If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/bedrock2_unsaturated_solinas (real: 43.11, user: 41.95, sys: 1.12, mem: 1788048 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.mli src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.cmi (real: 0.60, user: 0.55, sys: 0.04, mem: 122028 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_word_by_word_montgomery.ml -o src/ExtractionOCaml/bedrock2_word_by_word_montgomery File "src/ExtractionOCaml/bedrock2_word_by_word_montgomery.ml", line 803227, characters 10-25: 803227 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/bedrock2_word_by_word_montgomery (real: 43.57, user: 42.31, sys: 1.22, mem: 2088052 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_solinas_reduction.mli src/ExtractionOCaml/with_bedrock2_solinas_reduction.cmi (real: 0.58, user: 0.56, sys: 0.02, mem: 122260 ko) COQC src/Bedrock/Field/Synthesis/New/ComputedOp.v src/Bedrock/Field/Synthesis/New/ComputedOp.vo (real: 3.04, user: 2.72, sys: 0.32, mem: 1043504 ko) COQC src/Bedrock/Group/ScalarMult/CSwap.v Compilation incomplete. You may need to add new compilation lemmas using `Hint Extern 1 => simple eapply … : compiler` or to tell Rupicola about your custom bindings using `Hint Extern 2 (IsRupicolaBinding (xlet (A := ?A) ?vars _ _)) => exact (RupicolaBinding A vars) : typeclass_instances`. 
src/Bedrock/Group/ScalarMult/CSwap.vo (real: 9.90, user: 9.67, sys: 0.21, mem: 651068 ko) OCAMLOPT src/ExtractionOCaml/bedrock2_solinas_reduction.ml -o src/ExtractionOCaml/bedrock2_solinas_reduction File "src/ExtractionOCaml/bedrock2_solinas_reduction.ml", line 824773, characters 10-25: 824773 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/bedrock2_solinas_reduction (real: 45.94, user: 44.54, sys: 1.33, mem: 2147880 ko) SYNTHESIZE > fiat-bedrock2/src/curve25519_64.c fiat-bedrock2/src/curve25519_64.c (real: 0.56, user: 0.49, sys: 0.05, mem: 37520 ko) SYNTHESIZE > fiat-bedrock2/src/curve25519_32.c fiat-bedrock2/src/curve25519_32.c (real: 2.07, user: 1.95, sys: 0.11, mem: 64120 ko) SYNTHESIZE > fiat-bedrock2/src/poly1305_64.c fiat-bedrock2/src/poly1305_64.c (real: 0.15, user: 0.13, sys: 0.01, mem: 28200 ko) SYNTHESIZE > fiat-bedrock2/src/poly1305_32.c fiat-bedrock2/src/poly1305_32.c (real: 0.29, user: 0.26, sys: 0.02, mem: 32108 ko) SYNTHESIZE > fiat-bedrock2/src/p521_64.c fiat-bedrock2/src/p521_64.c (real: 3.40, user: 3.33, sys: 0.06, mem: 64488 ko) SYNTHESIZE > fiat-bedrock2/src/p448_solinas_64.c fiat-bedrock2/src/p448_solinas_64.c (real: 2.21, user: 2.15, sys: 0.05, mem: 64268 ko) SYNTHESIZE > fiat-bedrock2/src/p256_64.c fiat-bedrock2/src/p256_64.c (real: 1.94, user: 1.87, sys: 0.07, mem: 78056 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_saturated_solinas.ml -o src/ExtractionOCaml/with_bedrock2_saturated_solinas File "src/ExtractionOCaml/with_bedrock2_saturated_solinas.ml", line 655448, characters 10-25: 655448 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. 
If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/with_bedrock2_saturated_solinas (real: 38.11, user: 36.93, sys: 1.15, mem: 1416800 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.ml -o src/ExtractionOCaml/with_bedrock2_unsaturated_solinas File "src/ExtractionOCaml/with_bedrock2_unsaturated_solinas.ml", line 729254, characters 10-25: 729254 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/with_bedrock2_unsaturated_solinas (real: 42.32, user: 41.06, sys: 1.19, mem: 1788148 ko) SYNTHESIZE > fiat-bedrock2/src/secp256k1_64.c fiat-bedrock2/src/secp256k1_64.c (real: 2.61, user: 2.51, sys: 0.09, mem: 82292 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_base_conversion.ml -o src/ExtractionOCaml/with_bedrock2_base_conversion File "src/ExtractionOCaml/with_bedrock2_base_conversion.ml", line 649519, characters 10-25: 649519 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. 
If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/with_bedrock2_base_conversion (real: 37.92, user: 36.49, sys: 1.40, mem: 1416904 ko) SYNTHESIZE > fiat-bedrock2/src/p384_64.c fiat-bedrock2/src/p384_64.c (real: 9.80, user: 9.58, sys: 0.21, mem: 190272 ko) SYNTHESIZE > fiat-bedrock2/src/p256_32.c fiat-bedrock2/src/p256_32.c (real: 16.62, user: 16.34, sys: 0.25, mem: 434828 ko) SYNTHESIZE > fiat-bedrock2/src/p224_64.c fiat-bedrock2/src/p224_64.c (real: 2.03, user: 1.97, sys: 0.05, mem: 77388 ko) SYNTHESIZE > fiat-bedrock2/src/secp256k1_32.c fiat-bedrock2/src/secp256k1_32.c (real: 17.66, user: 17.35, sys: 0.27, mem: 384716 ko) SYNTHESIZE > fiat-bedrock2/src/curve25519_scalar_64.c fiat-bedrock2/src/curve25519_scalar_64.c (real: 2.49, user: 2.41, sys: 0.07, mem: 75912 ko) SYNTHESIZE > fiat-bedrock2/src/p224_32.c fiat-bedrock2/src/p224_32.c (real: 9.80, user: 9.57, sys: 0.21, mem: 271980 ko) SYNTHESIZE > fiat-bedrock2/src/p256_scalar_64.c fiat-bedrock2/src/p256_scalar_64.c (real: 2.88, user: 2.83, sys: 0.05, mem: 80152 ko) SYNTHESIZE > fiat-bedrock2/src/p434_64.c fiat-bedrock2/src/p434_64.c (real: 18.63, user: 18.39, sys: 0.21, mem: 290164 ko) SYNTHESIZE > fiat-bedrock2/src/curve25519_scalar_32.c fiat-bedrock2/src/curve25519_scalar_32.c (real: 17.54, user: 17.23, sys: 0.27, mem: 400796 ko) SYNTHESIZE > fiat-bedrock2/src/p256_scalar_32.c fiat-bedrock2/src/p256_scalar_32.c (real: 18.12, user: 17.81, sys: 0.29, mem: 407012 ko) SYNTHESIZE > fiat-bedrock2/src/p384_scalar_64.c fiat-bedrock2/src/p384_scalar_64.c (real: 11.39, user: 11.14, sys: 0.23, mem: 212092 ko) COQC src/Bedrock/Field/Synthesis/New/WordByWordMontgomery.v src/Bedrock/Field/Synthesis/New/WordByWordMontgomery.vo (real: 65.94, user: 64.87, sys: 0.96, mem: 1221644 ko) SYNTHESIZE > fiat-bedrock2/src/curve25519_solinas_64.c fiat-bedrock2/src/curve25519_solinas_64.c (real: 0.46, user: 0.41, sys: 0.04, mem: 41728 ko) 
SYNTHESIZE > fiat-bedrock2/src/secp256k1_scalar_64.c fiat-bedrock2/src/secp256k1_scalar_64.c (real: 2.90, user: 2.83, sys: 0.06, mem: 82428 ko) SYNTHESIZE > fiat-bedrock2/src/secp256k1_scalar_32.c fiat-bedrock2/src/secp256k1_scalar_32.c (real: 18.00, user: 17.72, sys: 0.26, mem: 456556 ko) COQC src/Bedrock/Field/Synthesis/New/UnsaturatedSolinas.v src/Bedrock/Field/Synthesis/New/UnsaturatedSolinas.vo (real: 6.63, user: 6.26, sys: 0.36, mem: 1069348 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_solinas_reduction.ml -o src/ExtractionOCaml/with_bedrock2_solinas_reduction File "src/ExtractionOCaml/with_bedrock2_solinas_reduction.ml", line 655448, characters 10-25: 655448 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/with_bedrock2_solinas_reduction (real: 39.21, user: 38.01, sys: 1.16, mem: 1416928 ko) OCAMLOPT src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.ml -o src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery File "src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery.ml", line 803227, characters 10-25: 803227 | | S x' -> Pervasives.succ (int_of_nat x') ^^^^^^^^^^^^^^^ Alert deprecated: module Stdlib.Pervasives Use Stdlib instead. If you need to stay compatible with OCaml < 4.07, you can use the stdlib-shims library: https://github.com/ocaml/stdlib-shims src/ExtractionOCaml/with_bedrock2_word_by_word_montgomery (real: 43.25, user: 41.92, sys: 1.27, mem: 2084496 ko) COQC src/Bedrock/End2End/Poly1305/Field1305.v Finished transaction in 4.888 secs (4.885u,0.s) (successful) Finished transaction in 0.338 secs (0.328u,0.009s) (successful) Finished transaction in 0.473 secs (0.472u,0.s) (successful) Finished transaction in 1. 
secs (0.999u,0.s) (successful) Finished transaction in 0.833 secs (0.823u,0.009s) (successful) Finished transaction in 0.276 secs (0.276u,0.s) (successful) Finished transaction in 0.368 secs (0.367u,0.s) (successful) src/Bedrock/End2End/Poly1305/Field1305.vo (real: 18.29, user: 17.88, sys: 0.39, mem: 1106800 ko) COQC src/Bedrock/Group/ScalarMult/MontgomeryLadder.v src/Bedrock/Group/ScalarMult/MontgomeryLadder.vo (real: 43.00, user: 42.72, sys: 0.25, mem: 1020292 ko) SYNTHESIZE > fiat-bedrock2/src/p384_32.c fiat-bedrock2/src/p384_32.c (real: 114.70, user: 113.74, sys: 0.88, mem: 1741664 ko) COQC src/Bedrock/Group/ScalarMult/MontgomeryEquivalence.v src/Bedrock/Group/ScalarMult/MontgomeryEquivalence.vo (real: 2.10, user: 1.90, sys: 0.19, mem: 635300 ko) DIFF Crypto.Fancy.Montgomery256.Prod.MontRed256 DIFF Crypto.Fancy.Montgomery256.prod_montred256_correct DIFF Crypto.Fancy.Montgomery256.prod_montred256_correct.Assumptions DIFF Crypto.Fancy.Montgomery256.montred256 DIFF Crypto.Fancy.Barrett256.Prod.MulMod DIFF Crypto.Fancy.Barrett256.prod_barrett_red256_correct DIFF Crypto.Fancy.Barrett256.prod_barrett_red256_correct.Assumptions DIFF Crypto.Fancy.Barrett256.barrett_red256 DIFF Crypto.UnsaturatedSolinasHeuristics.Tests.get_possible_limbs DIFF Crypto.UnsaturatedSolinasHeuristics.Tests.get_balances DIFF Crypto.Bedrock.Group.ScalarMult.LadderStep.ladderstep_body DIFF Crypto.Bedrock.Group.ScalarMult.MontgomeryLadder.montladder_body COQC src/Bedrock/Group/ScalarMult/ScalarMult.v src/Bedrock/Group/ScalarMult/ScalarMult.vo (real: 3.19, user: 2.96, sys: 0.21, mem: 672772 ko) COQC src/Bedrock/End2End/RupicolaCrypto/Low.v Compilation incomplete. You may need to add new compilation lemmas using `Hint Extern 1 => simple eapply … : compiler` or to tell Rupicola about your custom bindings using `Hint Extern 2 (IsRupicolaBinding (xlet (A := ?A) ?vars _ _)) => exact (RupicolaBinding A vars) : typeclass_instances`. 
src/Bedrock/End2End/RupicolaCrypto/Low.vo (real: 24.29, user: 23.83, sys: 0.43, mem: 1355992 ko) SYNTHESIZE > fiat-bedrock2/src/p384_scalar_32.c fiat-bedrock2/src/p384_scalar_32.c (real: 114.19, user: 112.79, sys: 1.19, mem: 1742840 ko) COQC src/Bedrock/End2End/RupicolaCrypto/Derive.v src/Bedrock/End2End/RupicolaCrypto/Derive.vo (real: 63.45, user: 62.21, sys: 1.19, mem: 4379108 ko) COQC src/Bedrock/End2End/X25519/Field25519.v Finished transaction in 18.323 secs (18.283u,0.029s) (successful) Finished transaction in 2.195 secs (2.193u,0.s) (successful) Finished transaction in 2.876 secs (2.875u,0.s) (successful) Finished transaction in 13.854 secs (13.825u,0.019s) (successful) Finished transaction in 3.105 secs (3.103u,0.s) (successful) Finished transaction in 6.801 secs (6.787u,0.009s) (successful) Finished transaction in 5.231 secs (5.209u,0.019s) (successful) Finished transaction in 2.656 secs (2.655u,0.s) (successful) Finished transaction in 3.417 secs (3.416u,0.s) (successful) Finished transaction in 6.518 secs (6.505u,0.009s) (successful) src/Bedrock/End2End/X25519/Field25519.vo (real: 113.86, user: 113.28, sys: 0.50, mem: 1586932 ko) COQC src/Bedrock/End2End/X25519/MontgomeryLadder.v src/Bedrock/End2End/X25519/MontgomeryLadder.vo (real: 37.34, user: 36.95, sys: 0.36, mem: 1272952 ko) COQC src/Bedrock/End2End/X25519/MontgomeryLadderProperties.v src/Bedrock/End2End/X25519/MontgomeryLadderProperties.vo (real: 11.19, user: 10.72, sys: 0.46, mem: 1301088 ko) COQC src/Bedrock/Field/Synthesis/Examples/p224_64_new.v Finished transaction in 67.554 secs (67.29u,0.179s) (successful) Finished transaction in 1.954 secs (1.952u,0.s) (successful) Finished transaction in 0.372 secs (0.371u,0.s) (successful) Finished transaction in 29.737 secs (29.702u,0.s) (successful) Finished transaction in 29.904 secs (29.806u,0.059s) (successful) Finished transaction in 0.214 secs (0.213u,0.s) (successful) Finished transaction in 0.171 secs (0.171u,0.s) (successful) 
src/Bedrock/Field/Synthesis/Examples/p224_64_new.vo (real: 331.64, user: 330.49, sys: 0.73, mem: 2649632 ko) COQC src/Bedrock/End2End/X25519/GarageDoor.v Evars: 71969 -> 11 Evars: 37492 -> 19 Evars: 23310 -> 19 Evars: 8013 -> 19 Evars: 12981 -> 19 Evars: 6905 -> 19 Evars: 8784 -> 19 src/Bedrock/End2End/X25519/GarageDoor.vo (real: 609.46, user: 608.34, sys: 0.73, mem: 2582048 ko) ```

From 623676f388ce5dfd0cec356b96c224234bcef021 Mon Sep 17 00:00:00 2001
From: Jason Gross
Date: Fri, 11 Nov 2022 15:28:01 -0500
Subject: [PATCH 69/69] Double available stack when compiling OCaml binaries for saturated solinas
---
 etc/ensure_stack_limit.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/ensure_stack_limit.sh b/etc/ensure_stack_limit.sh
index 846e071bb3..c654d70a03 100755
--- a/etc/ensure_stack_limit.sh
+++ b/etc/ensure_stack_limit.sh
@@ -2,7 +2,7 @@ set -eu
-recstacksize=32768
+recstacksize=65536
 if command -v ulimit >/dev/null 2>/dev/null; then
 hardstacksize="$(ulimit -H -s || true)"
 (