apply feedback from franziskuskiefer 2

Author: Parrot7483

libcrux-sha3/src/generic_keccak.rs

@@ -6,7 +6,10 @@ use core::ops::Index;
 use crate::traits::*;
 
 #[cfg(hax)]
-use hax_lib::{constructors::from_bool, forall, implies, int::ToInt};
+use crate::proof_utils::{slices_same_len, valid_rate};
+
+#[cfg(hax)]
+use hax_lib::{constructors::from_bool, int::ToInt};
 
 /// A generic Xof API.
 pub(crate) mod xof;
@@ -99,6 +102,9 @@ impl<const N: usize, T: KeccakItem<N>> KeccakState<N, T> {
         ]
     }
 
+    // Splitting rho and pi into multiple functions is needed for formal verification in F*.
+    // Having to many manipulations of the keccak state in a single function causes the
+    // verification condition explode exponentially and never completes.
     #[inline(always)]
     fn rho_0(&mut self, t: [T; 5]) {
         self.set(0, 0, T::xor(self[(0, 0)], t[0]));
@@ -245,17 +251,10 @@ impl<const N: usize, T: KeccakItem<N>> KeccakState<N, T> {
     #[hax_lib::requires(
       from_bool(
         N != 0 &&
-        RATE <= 200 &&
-        RATE % 8 == 0 &&
-        (RATE % 32 == 8 || RATE % 32 == 16) &&
+        valid_rate(RATE) &&
         start.to_int() + RATE.to_int() <= input[0].len().to_int()
       ).and(
-        forall(|i: usize|
-          implies(
-            i < N,
-            input[0].len() == input[i].len()
-          )
-        )
+        slices_same_len(input)
       )
     )]
     fn absorb_block<const RATE: usize>(&mut self, input: &[&[u8]; N], start: usize)
@@ -273,18 +272,11 @@ impl<const N: usize, T: KeccakItem<N>> KeccakState<N, T> {
     #[hax_lib::requires(
       from_bool(
         N != 0 &&
-        RATE <= 200 &&
-        RATE % 8 == 0 &&
-        (RATE % 32 == 8 || RATE % 32 == 16) &&
+        valid_rate(RATE) &&
         len < RATE &&
         start.to_int() + len.to_int() <= input[0].len().to_int()
       ).and(
-        forall(|i: usize|
-          implies(
-            i < N,
-            input[0].len() == input[i].len()
-          )
-        )
+        slices_same_len(input)
       )
     )]
     pub(crate) fn absorb_final<const RATE: usize, const DELIM: u8>(

libcrux-sha3/src/generic_keccak/portable.rs

@@ -1,14 +1,17 @@
 use super::*;
 
 #[cfg(hax)]
-#[hax_lib::fstar::replace("open Libcrux_sha3.Lemmas")]
+use crate::proof_utils::valid_rate;
+
+#[cfg(hax)]
+#[hax_lib::fstar::replace("open Libcrux_sha3.Proof_utils.Lemmas")]
 const _: () = ();
 
 #[hax_lib::attributes]
 impl KeccakState<1, u64> {
     #[inline(always)]
     #[hax_lib::requires(
-        RATE <= 200 &&
+        valid_rate(RATE) &&
         start.to_int() + RATE.to_int() <= out.len().to_int()
     )]
     #[hax_lib::ensures(|_| future(out).len() == out.len())]
@@ -19,7 +22,7 @@ impl KeccakState<1, u64> {
 
     #[inline(always)]
     #[hax_lib::requires(
-        RATE <= 200 &&
+        valid_rate(RATE) &&
         RATE <= out.len()
     )]
     #[hax_lib::ensures(|_| future(out).len() == out.len())]
@@ -29,7 +32,7 @@ impl KeccakState<1, u64> {
 
     #[inline(always)]
     #[hax_lib::requires(
-        RATE <= 200 &&
+        valid_rate(RATE) &&
         3 * RATE <= out.len()
     )]
     #[hax_lib::ensures(|_| future(out).len() == out.len())]
@@ -45,7 +48,7 @@ impl KeccakState<1, u64> {
 
     #[inline(always)]
     #[hax_lib::requires(
-        RATE <= 200 &&
+        valid_rate(RATE) &&
         5 * RATE <= out.len()
     )]
     #[hax_lib::ensures(|_| future(out).len() == out.len())]
@@ -66,11 +69,7 @@ impl KeccakState<1, u64> {
     }
 }
 
-#[hax_lib::requires(
-    RATE != 0 &&
-    RATE <= 200 &&
-    RATE % 8 == 0
-)]
+#[hax_lib::requires(valid_rate(RATE))]
 #[hax_lib::ensures(|_| future(output).len() == output.len())]
 #[hax_lib::fstar::options("--split_queries always --z3rlimit 300")]
 #[inline]

libcrux-sha3/src/generic_keccak/xof.rs

@@ -6,10 +6,14 @@ use crate::{
 };
 
 #[cfg(hax)]
-#[hax_lib::fstar::replace("open Libcrux_sha3.Lemmas")]
+use crate::proof_utils::valid_rate;
+
+#[cfg(hax)]
+#[hax_lib::fstar::replace("open Libcrux_sha3.Proof_utils.Lemmas")]
 const _: () = ();
 
-// TODO: Should not be needed. Use hax_lib::fstar::options("")
+// TODO: Should not be needed. Use hax_lib::fstar::options("") below.
+// Known bug: https://github.com/cryspen/hax/issues/1698
 #[hax_lib::fstar::before(
     r#"
 #push-options "--split_queries always --z3rlimit 300"
@@ -18,7 +22,6 @@ const _: () = ();
 
 /// The internal keccak state that can also buffer inputs to absorb.
 /// This is used in the general xof APIs.
-#[hax_lib::attributes]
 pub(crate) struct KeccakXofState<
     const PARALLEL_LANES: usize,
     const RATE: usize,
@@ -44,15 +47,11 @@ pub(crate) fn keccak_xof_state_inv<
 >(
     xof: &KeccakXofState<PARALLEL_LANES, RATE, STATE>,
 ) -> bool {
-    RATE != 0
-        && RATE <= 200
-        && RATE % 8 == 0
-        && (RATE % 32 == 8 || RATE % 32 == 16)
-        && xof.buf_len <= RATE
+    valid_rate(RATE) && xof.buf_len <= RATE
 }
 
 #[hax_lib::attributes]
-#[hax_lib::fstar::options("--split_queries always --z3rlimit 300")] // TODO: Has no effect
+#[hax_lib::fstar::options("--split_queries always --z3rlimit 300")] // TODO: Has no effect. See above.
 impl<const PARALLEL_LANES: usize, const RATE: usize, STATE: KeccakItem<PARALLEL_LANES>>
     KeccakXofState<PARALLEL_LANES, RATE, STATE>
 {
@@ -63,10 +62,8 @@ impl<const PARALLEL_LANES: usize, const RATE: usize, STATE: KeccakItem<PARALLEL_
 
     /// Generate a new keccak xof state.
     #[hax_lib::requires(
-        PARALLEL_LANES == 1 && // TODO: Generalize for the parallel case
-        RATE != 0 &&
-        RATE <= 200 &&
-        RATE % 8 == 0
+        PARALLEL_LANES == 1 &&
+        valid_rate(RATE)
     )]
     #[hax_lib::ensures(|result| keccak_xof_state_inv(&result))]
     pub(crate) fn new() -> Self {
@@ -97,7 +94,6 @@ impl<const PARALLEL_LANES: usize, const RATE: usize, STATE: KeccakItem<PARALLEL_
     /// If `consumed > 0` is returned, `self.buf` contains a full block to be
     /// loaded.
     // Note: consciously not inlining this function to avoid using too much stack
-    // #[hax_lib::fstar::options("--fuel 5")]
     #[hax_lib::requires(
         PARALLEL_LANES == 1 &&
         keccak_xof_state_inv(self)
@@ -186,13 +182,11 @@ impl<const PARALLEL_LANES: usize, const RATE: usize, STATE: KeccakItem<PARALLEL_
         let remainder = input_to_consume % RATE;
 
         #[cfg(hax)]
-        let self_buf_len = self.buf_len;
-
-        #[cfg(hax)]
-        let end = consumed + num_blocks * RATE;
-
-        #[cfg(hax)]
-        hax_lib::assert!(end <= inputs[0].len());
+        let (self_buf_len, end) = {
+            let end = consumed + num_blocks * RATE;
+            hax_lib::assert!(end <= inputs[0].len());
+            (self.buf_len, end)
+        };
 
         for i in 0..num_blocks {
             hax_lib::loop_invariant!(|_: usize| self.buf_len == self_buf_len);
@@ -298,54 +292,55 @@ impl<const RATE: usize, STATE: KeccakItem<1>> KeccakXofState<1, RATE, STATE> {
     where
         KeccakState<1, STATE>: Squeeze<STATE>,
     {
+        let out_len = out.len();
+
+        if out_len == 0 {
+            return;
+        }
+
         if self.sponge {
             // If we called `squeeze` before, call f1600 first.
             // We do it this way around so that we don't call f1600 at the end
             // when we don't need it.
             self.inner.keccakf1600();
         }
 
-        let out_len = out.len();
-
-        if out_len > 0 {
-            if out_len <= RATE {
-                self.inner.squeeze::<RATE>(out, 0, out_len);
-            } else {
-                // How many blocks do we need to squeeze out?
-                let blocks = out_len / RATE;
+        if out_len <= RATE {
+            self.inner.squeeze::<RATE>(out, 0, out_len);
+        } else {
+            // How many blocks do we need to squeeze out?
+            let blocks = out_len / RATE;
+            let remaining = out_len % RATE;
 
-                #[cfg(hax)]
-                let self_buf_len = self.buf_len;
+            #[cfg(hax)]
+            let self_buf_len = self.buf_len;
 
-                for i in 0..blocks {
-                    hax_lib::loop_invariant!(
-                        |_: usize| out.len() == out_len && self_buf_len == self.buf_len
-                    );
-                    hax_lib::fstar!("assert (v i * v v_RATE <= v out_len)");
+            for i in 0..blocks {
+                hax_lib::loop_invariant!(
+                    |_: usize| out.len() == out_len && self_buf_len == self.buf_len
+                );
+                hax_lib::assert!(i.to_int() * RATE.to_int() <= out.len().to_int());
 
-                    #[cfg(hax)]
-                    hax_lib::assert!(i.to_int() * RATE.to_int() <= out.len().to_int());
+                // Here we know that we always have full blocks to write out.
+                self.inner.keccakf1600();
+                self.inner.squeeze::<RATE>(out, i * RATE, RATE);
+            }
 
-                    // Here we know that we always have full blocks to write out.
-                    self.inner.keccakf1600();
-                    self.inner.squeeze::<RATE>(out, i * RATE, RATE);
-                }
+            if remaining > 0 {
+                // Squeeze out the last partial block
+                self.inner.keccakf1600();
 
                 // For a and b with b < a
                 // (a / b) * b + a % b = a
+                hax_lib::fstar!("lemma_div_mul_mod out_len v_RATE");
+                hax_lib::assert!(
+                    blocks.to_int() * RATE.to_int() + remaining.to_int() == out.len().to_int()
+                );
 
-                let remaining = out_len % RATE;
-                if remaining > 0 {
-                    // Squeeze out the last partial block
-                    self.inner.keccakf1600();
-
-                    hax_lib::fstar!("lemma_div_mul_mod out_len v_RATE");
-                    hax_lib::fstar!("assert (v blocks * v v_RATE + v remaining == v out_len)");
-
-                    self.inner.squeeze::<RATE>(out, blocks * RATE, remaining);
-                }
+                self.inner.squeeze::<RATE>(out, blocks * RATE, remaining);
             }
-            self.sponge = true;
         }
+
+        self.sponge = true;
     }
 }

libcrux-sha3/src/lemmas.rs

@@ -21,9 +21,9 @@ use hax_lib::int::*;
 
 mod traits;
 
-/// F* verification lemmas
+/// F* verification helper
 #[cfg(hax)]
-pub(crate) mod lemmas;
+pub(crate) mod proof_utils;
 
 /// A SHA3 224 Digest
 pub type Sha3_224Digest = [u8; 28];
@@ -54,10 +54,9 @@ pub enum Algorithm {
     Sha512 = 4,
 }
 
-// TODO: Verification fails because of the panic
+// Verification fails because of the panic
 #[cfg(not(any(hax, eurydice)))]
 impl From<u32> for Algorithm {
-    #[hax_lib::requires(v == 1 || v == 2 || v == 3 || v == 4)]
     fn from(v: u32) -> Algorithm {
         match v {
             1 => Algorithm::Sha224,