avx2/commitment: F* proofs #874
Conversation
libcrux-ml-dsa/Cargo.toml
Outdated
| @@ -20,7 +20,8 @@ libcrux-sha3 = { version = "0.0.2-beta.3", path = "../libcrux-sha3" } | |||
| libcrux-intrinsics = { version = "0.0.2-beta.3", path = "../libcrux-intrinsics" } | |||
| libcrux-platform = { version = "0.0.2-beta.3", path = "../sys/platform" } | |||
| libcrux-macros = { version = "0.0.2-beta.3", path = "../macros" } | |||
| hax-lib = { version = "0.1.0", git = "https://github.com/hacspec/hax/"} | |||
| hax-lib = { version = "0.1.0", git = "https://github.com/hacspec/hax/", branch = "replace-body-temp"} | |||
| minicore = { path = "../fstar-helpers/minicore" } | |||
There was a problem hiding this comment.
So this requires releasing the minicore and actually making it releasable.
There was a problem hiding this comment.
Ideally, I'd like to kill that Rust dependency. I have a plan for that but I need to experiment a little: that will require some more rewriting in F*.
There was a problem hiding this comment.
So: this dependency is not needed in libcrux-intrsinsics, but I still need those in ml-dsa, but only on specs
There was a problem hiding this comment.
Well, it's a dependency, so it needs to be released. path doesn't work for that.
W95Psp
force-pushed
the
minicore-commitment-proof
branch
2 times, most recently
from
0dde429 to
a3768df
Compare
|
I have a regression in my proof somewhere, I need to fix that. |
|
I fixed my proof on ML-DSA, but the proof is pretty slow. Now it's going through. Debugging is a bit long, I have to wait for F* to normalize terms before seeing actual errors. I have some ideas to speed up the proof, but I need to investigate more. |
libcrux-ml-dsa/hax.sh
Outdated
There was a problem hiding this comment.
Why does this need to be rewritten and what does it now?
There was a problem hiding this comment.
Quoting the commit that introduces this:
@W95Psp
hax: intro hax.sh
c3c24c3This commit introduces a
hax.shscript, that aims at replacing the python script.The script does a little more: it is fixing up core names into minicore names.
The union of modules between our hax
coremodel (proof-libs in hax) and minicore is not empty. This is a big issue for F*.
The script thus replace references to every core module provided by minicore into a reference to the corresponding minicore module.
libcrux-ml-dsa/Cargo.toml
Outdated
| @@ -20,7 +20,8 @@ libcrux-sha3 = { version = "0.0.2-beta.3", path = "../libcrux-sha3" } | |||
| libcrux-intrinsics = { version = "0.0.2-beta.3", path = "../libcrux-intrinsics" } | |||
| libcrux-platform = { version = "0.0.2-beta.3", path = "../sys/platform" } | |||
| libcrux-macros = { version = "0.0.2-beta.3", path = "../macros" } | |||
| hax-lib = { version = "0.1.0", git = "https://github.com/hacspec/hax/"} | |||
| hax-lib = { version = "0.1.0", git = "https://github.com/hacspec/hax/", branch = "replace-body-temp"} | |||
| minicore = { path = "../fstar-helpers/minicore" } | |||
There was a problem hiding this comment.
Well, it's a dependency, so it needs to be released. path doesn't work for that.
| #[inline(always)] | ||
| fn serialize_4(simd_unit: &Vec256) -> Vec128 { |
There was a problem hiding this comment.
Did you check that this doesn't impact performance?
There was a problem hiding this comment.
No. I am taking a look now then
There was a problem hiding this comment.
Ran cargo criterion before and after applying my diff to that one file commitment.rs.
I got the following very surprising results:
Seems like the benchs are a bit flaky (as disucssed on gchat with Jonas).
Shall I inverstigate more? (if yes, how?)
There was a problem hiding this comment.
Running cargo bench --bench manual65:
(seems fine, right?)
Without commitment.rs patch
(libcrux) KeyGen 65 portable: 132 μs
(libcrux) Sign 65 portable: 395 μs
(libcrux) Verify 65 portable: 123 μs
(libcrux) KeyGen 65 simd256: 130 μs
(libcrux) Sign 65 simd256: 145 μs
(libcrux) Verify 65 simd256: 53 μs
(pqclean) KeyGen 65: 41 μs
(pqclean) Sign 65: 116 μs
(pqclean) Verify 65: 45 μs
With commitment.rs patch
(libcrux) KeyGen 65 portable: 133 μs
(libcrux) Sign 65 portable: 402 μs
(libcrux) Verify 65 portable: 124 μs
(libcrux) KeyGen 65 simd256: 130 μs
(libcrux) Sign 65 simd256: 144 μs
(libcrux) Verify 65 simd256: 54 μs
(pqclean) KeyGen 65: 42 μs
(pqclean) Sign 65: 116 μs
(pqclean) Verify 65: 46 μs
Second run:
(libcrux) KeyGen 65 portable: 136 μs
(libcrux) Sign 65 portable: 394 μs
(libcrux) Verify 65 portable: 123 μs
(libcrux) KeyGen 65 simd256: 130 μs
(libcrux) Sign 65 simd256: 145 μs
(libcrux) Verify 65 simd256: 53 μs
(pqclean) KeyGen 65: 41 μs
(pqclean) Sign 65: 114 μs
(pqclean) Verify 65: 45 μs
On main branch
(libcrux) KeyGen 65 portable: 133 μs
(libcrux) Sign 65 portable: 421 μs
(libcrux) Verify 65 portable: 122 μs
(libcrux) KeyGen 65 simd256: 128 μs
(libcrux) Sign 65 simd256: 143 μs
(libcrux) Verify 65 simd256: 53 μs
(pqclean) KeyGen 65: 41 μs
(pqclean) Sign 65: 115 μs
(pqclean) Verify 65: 45 μs
This is required so that we can have a hax postcondition to `bits` stating it's a non-zero integer.
`core::arch` is actually `core::core_arch` in Rust's `core`.
This commit introduces a new abstraction: functional arrays. This is an abstraction that provides finite maps: this is useful isntead of sequences, as fun arrays extract to `->^` restricted arrows in F*. That's particularly handy for normalization in F*.
This commit introduces a `hax.sh` script, that aims at replacing the python script. The script does a little more: it is fixing up core names into minicore names. The union of modules between our hax `core` model (proof-libs in hax) and minicore is not empty. This is a big issue for F*. The script thus replace references to every core module provided by minicore into a reference to the corresponding minicore module.
W95Psp
force-pushed
the
minicore-commitment-proof
branch
from
8f106cd to
af26ce9
Compare
libcrux-intrinsics is extracted in two different ways, depending on wether we are extracting ml-kem or ml-dsa. Thus having F* files checked in the git repo will cause troubles.
This PR adds proofs by normalization for one avx2 serialization function.
Fixes #886.
We'll need to file a follow up for the proof of
serialize_6.What does this PR fixes:
serialize_4Missing:
serialize_6This following hax PRs were created while working on this libcrux PR:
Lemmas hax#1355int!hax#1354f_TryIntohax#1353