From 52178f67f153cfcdbf0440e8f5fadc0ba0872152 Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 4 Dec 2024 11:05:08 +0100
Subject: [PATCH 01/23] F* update

---
 .../extraction/Libcrux_ml_kem.Polynomial.fst  | 230 ++++++++----
 .../extraction/Libcrux_ml_kem.Polynomial.fsti |  68 +++-
 .../fstar/extraction/Libcrux_ml_kem.Types.fst | 155 --------
 .../extraction/Libcrux_ml_kem.Types.fsti      | 141 ++++++-
 libcrux-ml-kem/src/polynomial.rs              | 352 ++++++++++--------
 5 files changed, 556 insertions(+), 390 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
index 4dcc55b91..266113065 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
@@ -14,37 +14,37 @@ let get_zeta (i: usize) =
   let _:Prims.unit = admit () (* Panic freedom *) in
   result
 
-let impl_2__add_error_reduce
+let add_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self error: t_PolynomialRingElement v_Vector)
+      (myself error: t_PolynomialRingElement v_Vector)
      =
   let _:Prims.unit = admit () in
-  let self:t_PolynomialRingElement v_Vector =
+  let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
-      (fun self temp_1_ ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      (fun myself temp_1_ ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let _:usize = temp_1_ in
           true)
-      self
-      (fun self j ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      myself
+      (fun myself j ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let j:usize = j in
           let coefficient_normal_form:v_Vector =
             Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              (self.f_coefficients.[ j ] <: v_Vector)
+              (myself.f_coefficients.[ j ] <: v_Vector)
               1441s
           in
-          let self:t_PolynomialRingElement v_Vector =
+          let myself:t_PolynomialRingElement v_Vector =
             {
-              self with
+              myself with
               f_coefficients
               =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
                 j
                 (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
                     #FStar.Tactics.Typeclasses.solve
@@ -60,17 +60,27 @@ let impl_2__add_error_reduce
             <:
             t_PolynomialRingElement v_Vector
           in
-          self)
+          myself)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
-  self
+  myself
 
-let impl_2__add_message_error_reduce
+let impl_2__add_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self message result: t_PolynomialRingElement v_Vector)
+      (self error: t_PolynomialRingElement v_Vector)
+     =
+  let self:t_PolynomialRingElement v_Vector = add_error_reduce #v_Vector self error in
+  self
+
+let add_message_error_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself message result: t_PolynomialRingElement v_Vector)
      =
   let _:Prims.unit = admit () in
   let result:t_PolynomialRingElement v_Vector =
@@ -93,7 +103,7 @@ let impl_2__add_message_error_reduce
           let tmp:v_Vector =
             Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              (self.f_coefficients.[ i ] <: v_Vector)
+              (myself.f_coefficients.[ i ] <: v_Vector)
               (message.f_coefficients.[ i ] <: v_Vector)
           in
           let tmp:v_Vector =
@@ -122,35 +132,43 @@ let impl_2__add_message_error_reduce
   in
   result
 
-let impl_2__add_standard_error_reduce
+let impl_2__add_message_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self error: t_PolynomialRingElement v_Vector)
+      (self message result: t_PolynomialRingElement v_Vector)
+     = add_message_error_reduce #v_Vector self message result
+
+let add_standard_error_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself error: t_PolynomialRingElement v_Vector)
      =
   let _:Prims.unit = admit () in
-  let self:t_PolynomialRingElement v_Vector =
+  let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
-      (fun self temp_1_ ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      (fun myself temp_1_ ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let _:usize = temp_1_ in
           true)
-      self
-      (fun self j ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      myself
+      (fun myself j ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let j:usize = j in
           let coefficient_normal_form:v_Vector =
             Libcrux_ml_kem.Vector.Traits.to_standard_domain #v_Vector
-              (self.f_coefficients.[ j ] <: v_Vector)
+              (myself.f_coefficients.[ j ] <: v_Vector)
           in
-          let self:t_PolynomialRingElement v_Vector =
+          let myself:t_PolynomialRingElement v_Vector =
             {
-              self with
+              myself with
               f_coefficients
               =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
                 j
                 (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
                     #FStar.Tactics.Typeclasses.solve
@@ -166,39 +184,49 @@ let impl_2__add_standard_error_reduce
             <:
             t_PolynomialRingElement v_Vector
           in
-          self)
+          myself)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
-  self
+  myself
 
-let impl_2__poly_barrett_reduce
+let impl_2__add_standard_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_PolynomialRingElement v_Vector)
+      (self error: t_PolynomialRingElement v_Vector)
+     =
+  let self:t_PolynomialRingElement v_Vector = add_standard_error_reduce #v_Vector self error in
+  self
+
+let poly_barrett_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself: t_PolynomialRingElement v_Vector)
      =
   let _:Prims.unit = admit () in
-  let self:t_PolynomialRingElement v_Vector =
+  let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
-      (fun self temp_1_ ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      (fun myself temp_1_ ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let _:usize = temp_1_ in
           true)
-      self
-      (fun self i ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      myself
+      (fun myself i ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let i:usize = i in
           {
-            self with
+            myself with
             f_coefficients
             =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
               i
               (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
                   #FStar.Tactics.Typeclasses.solve
-                  (self.f_coefficients.[ i ] <: v_Vector)
+                  (myself.f_coefficients.[ i ] <: v_Vector)
                 <:
                 v_Vector)
             <:
@@ -208,14 +236,24 @@ let impl_2__poly_barrett_reduce
           t_PolynomialRingElement v_Vector)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
-  self
+  myself
 
-let impl_2__subtract_reduce
+let impl_2__poly_barrett_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self b: t_PolynomialRingElement v_Vector)
+      (self: t_PolynomialRingElement v_Vector)
+     =
+  let self:t_PolynomialRingElement v_Vector = poly_barrett_reduce #v_Vector self in
+  self
+
+let subtract_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself b: t_PolynomialRingElement v_Vector)
      =
   let _:Prims.unit = admit () in
   let b:t_PolynomialRingElement v_Vector =
@@ -246,7 +284,7 @@ let impl_2__subtract_reduce
                     #FStar.Tactics.Typeclasses.solve
                     (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector
                         #FStar.Tactics.Typeclasses.solve
-                        (self.f_coefficients.[ i ] <: v_Vector)
+                        (myself.f_coefficients.[ i ] <: v_Vector)
                         coefficient_normal_form
                       <:
                       v_Vector)
@@ -260,6 +298,14 @@ let impl_2__subtract_reduce
   in
   b
 
+let impl_2__subtract_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self b: t_PolynomialRingElement v_Vector)
+     = subtract_reduce #v_Vector self b
+
 let impl_2__ZERO
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -280,14 +326,34 @@ let impl_2__ZERO
   <:
   t_PolynomialRingElement v_Vector
 
-let impl_2__from_i16_array
+let v_ZERO
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (_: Prims.unit)
+     =
+  {
+    f_coefficients
+    =
+    Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector
+          #FStar.Tactics.Typeclasses.solve
+          ()
+        <:
+        v_Vector)
+      (sz 16)
+  }
+  <:
+  t_PolynomialRingElement v_Vector
+
+let from_i16_array
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (a: t_Slice i16)
      =
-  let result:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in
+  let result:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in
   let result:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -325,15 +391,23 @@ let impl_2__from_i16_array
   in
   result
 
-let impl_2__ntt_multiply
+let impl_2__from_i16_array
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self rhs: t_PolynomialRingElement v_Vector)
+      (a: t_Slice i16)
+     = from_i16_array #v_Vector a
+
+let ntt_multiply
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself rhs: t_PolynomialRingElement v_Vector)
      =
   let _:Prims.unit = admit () in
-  let out:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in
+  let out:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in
   let out:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -353,7 +427,7 @@ let impl_2__ntt_multiply
               i
               (Libcrux_ml_kem.Vector.Traits.f_ntt_multiply #v_Vector
                   #FStar.Tactics.Typeclasses.solve
-                  (self.f_coefficients.[ i ] <: v_Vector)
+                  (myself.f_coefficients.[ i ] <: v_Vector)
                   (rhs.f_coefficients.[ i ] <: v_Vector)
                   (get_zeta (sz 64 +! (sz 4 *! i <: usize) <: usize) <: i16)
                   (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 <: usize) <: i16)
@@ -369,35 +443,42 @@ let impl_2__ntt_multiply
   in
   out
 
-let impl_2__add_to_ring_element
+let impl_2__ntt_multiply
       (#v_Vector: Type0)
-      (v_K: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (self rhs: t_PolynomialRingElement v_Vector)
+     = ntt_multiply #v_Vector self rhs
+
+let add_to_ring_element
+      (#v_Vector: Type0)
+      (v_K: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself rhs: t_PolynomialRingElement v_Vector)
      =
-  let _:Prims.unit = admit () in
-  let self:t_PolynomialRingElement v_Vector =
+  let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (Core.Slice.impl__len #v_Vector (self.f_coefficients <: t_Slice v_Vector) <: usize)
-      (fun self temp_1_ ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      (Core.Slice.impl__len #v_Vector (myself.f_coefficients <: t_Slice v_Vector) <: usize)
+      (fun myself temp_1_ ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let _:usize = temp_1_ in
           true)
-      self
-      (fun self i ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      myself
+      (fun myself i ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let i:usize = i in
           {
-            self with
+            myself with
             f_coefficients
             =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
               i
               (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
                   #FStar.Tactics.Typeclasses.solve
-                  (self.f_coefficients.[ i ] <: v_Vector)
+                  (myself.f_coefficients.[ i ] <: v_Vector)
                   (rhs.f_coefficients.[ i ] <: v_Vector)
                 <:
                 v_Vector)
@@ -407,5 +488,18 @@ let impl_2__add_to_ring_element
           <:
           t_PolynomialRingElement v_Vector)
   in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  let result:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  let hax_temp_output:Prims.unit = result in
+  myself
+
+let impl_2__add_to_ring_element
+      (#v_Vector: Type0)
+      (v_K: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self rhs: t_PolynomialRingElement v_Vector)
+     =
+  let self:t_PolynomialRingElement v_Vector = add_to_ring_element #v_Vector v_K self rhs in
   self
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
index 6ad4d7a0b..1d0346253 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
@@ -44,7 +44,9 @@ type t_PolynomialRingElement
 let to_spec_poly_t (#v_Vector: Type0)
     {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
     (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial =
-    admit()
+    createi (sz 256) (fun i -> Spec.MLKEM.Math.to_spec_fe 
+                                (Seq.index (i2._super_8706949974463268012.f_repr 
+                                    (Seq.index p.f_coefficients (v i / 16))) (v i % 16)))
 
 let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
     {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -60,30 +62,60 @@ let v_VECTORS_IN_RING_ELEMENT: usize =
   Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /!
   Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
 
+val add_error_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself error: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 val impl_2__add_error_reduce
       (#v_Vector: Type0)
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self error: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+val add_message_error_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself message result: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 val impl_2__add_message_error_reduce
       (#v_Vector: Type0)
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self message result: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+val add_standard_error_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself error: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 val impl_2__add_standard_error_reduce
       (#v_Vector: Type0)
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self error: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+val poly_barrett_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 val impl_2__poly_barrett_reduce
       (#v_Vector: Type0)
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+val subtract_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself b: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 val impl_2__subtract_reduce
       (#v_Vector: Type0)
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -96,6 +128,21 @@ val impl_2__ZERO:
     Prims.unit
   -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+val v_ZERO:
+    #v_Vector: Type0 ->
+    {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
+    Prims.unit
+  -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val from_i16_array
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (a: t_Slice i16)
+    : Prims.Pure (t_PolynomialRingElement v_Vector)
+      (requires
+        (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize))
+      (fun _ -> Prims.l_True)
+
 val impl_2__from_i16_array
       (#v_Vector: Type0)
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -107,7 +154,7 @@ val impl_2__from_i16_array
 
 /// Given two `KyberPolynomialRingElement`s in their NTT representations,
 /// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
-/// the `iᵗʰ` coefficient of the product `k\u{302}` is determined by the calculation:
+/// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
 /// ```plaintext
 /// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1))
 /// ```
@@ -121,16 +168,31 @@ val impl_2__from_i16_array
 /// end for
 /// return ĥ
 /// ```
-/// We say \"almost\" because the coefficients of the ring element output by
+/// We say "almost" because the coefficients of the ring element output by
 /// this function are in the Montgomery domain.
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
+val ntt_multiply
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself rhs: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 val impl_2__ntt_multiply
       (#v_Vector: Type0)
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self rhs: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+/// sum of their constituent coefficients.
+val add_to_ring_element
+      (#v_Vector: Type0)
+      (v_K: usize)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself rhs: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
 /// sum of their constituent coefficients.
 val impl_2__add_to_ring_element
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
index 3a598d127..5748d2562 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
@@ -9,103 +9,10 @@ let impl_13__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
 
 let impl_20__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
 
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemCiphertext v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemCiphertext v_SIZE) -> value.f_value
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post
-    =
-    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE
-  }
-
 let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value
 
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemPrivateKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemPrivateKey v_SIZE) -> value.f_value
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post
-    =
-    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE
-  }
-
 let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value
 
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemPublicKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemPublicKey v_SIZE) -> value.f_value
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post
-    =
-    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE
-  }
-
 let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value
 
 let impl_21__from
@@ -178,65 +85,3 @@ let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private
   <:
   (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
 
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true);
-    f_as_ref_post
-    =
-    (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
-    f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true);
-    f_as_ref_post
-    =
-    (fun (self___: t_MlKemPrivateKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
-    f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true);
-    f_as_ref_post
-    =
-    (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
-    f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8
-  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
index 4f76c2ffc..1947307c5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
@@ -19,13 +19,35 @@ val impl_20__len: v_SIZE: usize -> Prims.unit
 type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE)
+let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemCiphertext v_SIZE
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE)
+let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemCiphertext v_SIZE) -> value.f_value
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE)
+let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE
+  }
 
 /// A reference to the raw byte slice.
 val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE)
@@ -40,13 +62,35 @@ val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE)
 type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE)
+let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemPrivateKey v_SIZE
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE)
+let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemPrivateKey v_SIZE) -> value.f_value
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE)
+let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE
+  }
 
 /// A reference to the raw byte slice.
 val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE)
@@ -61,13 +105,35 @@ val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE)
 type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE)
+let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemPublicKey v_SIZE
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE)
+let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemPublicKey v_SIZE) -> value.f_value
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE)
+let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE
+  }
 
 /// A reference to the raw byte slice.
 val impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE)
@@ -169,22 +235,67 @@ val unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private
             v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE))
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE)
+let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE)
+let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE)
+let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8)
+let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8)
+let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemPrivateKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8)
+let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8
+  }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 let impl_3 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index 9460a0cba..3d1c3b06e 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -53,7 +53,9 @@ pub(crate) const VECTORS_IN_RING_ELEMENT: usize =
         "let to_spec_poly_t (#v_Vector: Type0)
     {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
     (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial =
-    admit()"
+    createi (sz 256) (fun i -> Spec.MLKEM.Math.to_spec_fe 
+                                (Seq.index (i2._super_8706949974463268012.f_repr 
+                                    (Seq.index p.f_coefficients (v i / 16))) (v i % 16)))"
     )
 )]
 // XXX: We don't want to copy this. But for eurydice we have to have this.
@@ -62,6 +64,194 @@ pub(crate) struct PolynomialRingElement<Vector: Operations> {
     pub(crate) coefficients: [Vector; VECTORS_IN_RING_ELEMENT],
 }
 
+
+#[allow(non_snake_case)]
+pub(crate) fn ZERO<Vector: Operations>() -> PolynomialRingElement<Vector> {
+    PolynomialRingElement {
+        // FIXME:  The THIR body of item DefId(0:415 ~ libcrux_ml_kem[9000]::polynomial::{impl#0}::ZERO::{constant#0}) was stolen.
+        coefficients: [Vector::ZERO(); 16],
+    }
+}
+
+#[inline(always)]
+#[hax_lib::requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())]
+pub(crate) fn from_i16_array<Vector: Operations>(a: &[i16]) -> PolynomialRingElement<Vector> {
+    let mut result = ZERO();
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        result.coefficients[i] = Vector::from_i16_array(&a[i * 16..(i + 1) * 16]);
+    }
+    result
+}
+
+/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+/// sum of their constituent coefficients.
+#[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+pub(crate) fn add_to_ring_element<Vector: Operations, const K: usize>(myself: &mut PolynomialRingElement<Vector>, rhs: &PolynomialRingElement<Vector>) {
+    // The semicolon and parentheses at the end of loop are a workaround
+    // for the following bug https://github.com/hacspec/hax/issues/720
+    for i in 0..myself.coefficients.len() {
+        myself.coefficients[i] = Vector::add(myself.coefficients[i], &rhs.coefficients[i]);
+    }
+    ()
+}
+
+#[inline(always)]
+pub fn poly_barrett_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>) {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    hax_lib::fstar!("admit ()");
+    // The semicolon and parentheses at the end of loop are a workaround
+    // for the following bug https://github.com/hacspec/hax/issues/720
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        myself.coefficients[i] = Vector::barrett_reduce(myself.coefficients[i]);
+    }
+    ()
+}
+
+#[inline(always)]
+pub(crate) fn subtract_reduce<Vector: Operations>(myself: &PolynomialRingElement<Vector>, mut b: PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    hax_lib::fstar!("admit ()");
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        let coefficient_normal_form =
+            Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441);
+        b.coefficients[i] =
+            Vector::barrett_reduce(Vector::sub(myself.coefficients[i], &coefficient_normal_form));
+    }
+    b
+}
+
+#[inline(always)]
+pub(crate) fn add_message_error_reduce<Vector: Operations>(myself: &PolynomialRingElement<Vector>, message: &PolynomialRingElement<Vector>, mut result: PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    hax_lib::fstar!("admit ()");
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        let coefficient_normal_form =
+            Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441);
+
+        // FIXME: Eurydice crashes with:
+        //
+        // Warning 11: in top-level declaration libcrux_ml_kem.polynomial.{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}.add_message_error_reduce__libcrux_ml_kem_libcrux_polynomials_PortableVector: this expression is not Low*; the enclosing function cannot be translated into C*: let mutable ret(Mark.Present,(Mark.AtMost 2), ): int16_t[16size_t] = $any in
+        // libcrux_ml_kem.libcrux_polynomials.{(libcrux_ml_kem::libcrux_polynomials::libcrux_traits::Operations␣for␣libcrux_ml_kem::libcrux_polynomials::PortableVector)}.add ((@9: libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t]*)[0uint32_t]:int16_t[16size_t][16size_t])[@4] &(((@8: libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t]*)[0uint32_t]:libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t])[@4]) @0;
+        // @0
+        // Warning 11 is fatal, exiting.
+        //
+        // On the following code:
+
+        // ```rust
+        // result.coefficients[i] = Vector::barrett_reduce(Vector::add(
+        //     coefficient_normal_form,
+        //     &Vector::add(myself.coefficients[i], &message.coefficients[i]),
+        // ));
+        // ```
+
+        let tmp = Vector::add(myself.coefficients[i], &message.coefficients[i]);
+        let tmp = Vector::add(coefficient_normal_form, &tmp);
+        result.coefficients[i] = Vector::barrett_reduce(tmp);
+    }
+    result
+}
+
+#[inline(always)]
+pub(crate) fn add_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>, error: &PolynomialRingElement<Vector>) {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    hax_lib::fstar!("admit ()");
+    // The semicolon and parentheses at the end of loop are a workaround
+    // for the following bug https://github.com/hacspec/hax/issues/720
+    for j in 0..VECTORS_IN_RING_ELEMENT {
+        let coefficient_normal_form =
+            Vector::montgomery_multiply_by_constant(myself.coefficients[j], 1441);
+
+        myself.coefficients[j] = Vector::barrett_reduce(Vector::add(
+            coefficient_normal_form,
+            &error.coefficients[j],
+        ));
+    }
+    ()
+}
+
+#[inline(always)]
+pub(crate) fn add_standard_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>, error: &PolynomialRingElement<Vector>) {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    hax_lib::fstar!("admit ()");
+    // The semicolon and parentheses at the end of loop are a workaround
+    // for the following bug https://github.com/hacspec/hax/issues/720
+    for j in 0..VECTORS_IN_RING_ELEMENT {
+        // The coefficients are of the form aR^{-1} mod q, which means
+        // calling to_montgomery_domain() on them should return a mod q.
+        let coefficient_normal_form = to_standard_domain::<Vector>(myself.coefficients[j]);
+
+        myself.coefficients[j] = Vector::barrett_reduce(Vector::add(
+            coefficient_normal_form,
+            &error.coefficients[j],
+        ));
+    }
+    ()
+}
+
+/// Given two `KyberPolynomialRingElement`s in their NTT representations,
+/// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
+/// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
+///
+/// ```plaintext
+/// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1))
+/// ```
+///
+/// This function almost implements <strong>Algorithm 10</strong> of the
+/// NIST FIPS 203 standard, which is reproduced below:
+///
+/// ```plaintext
+/// Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
+/// Output: An array ĥ ∈ ℤq.
+///
+/// for(i ← 0; i < 128; i++)
+///     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], ζ^(2·BitRev₇(i) + 1))
+/// end for
+/// return ĥ
+/// ```
+/// We say "almost" because the coefficients of the ring element output by
+/// this function are in the Montgomery domain.
+///
+/// The NIST FIPS 203 standard can be found at
+/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
+// TODO: Remove or replace with something that works and is useful for the proof.
+// #[cfg_attr(hax, hax_lib::requires(
+//     hax_lib::forall(|i:usize|
+//         hax_lib::implies(i < COEFFICIENTS_IN_RING_ELEMENT, ||
+//             (lhs.coefficients[i] >= 0 && lhs.coefficients[i] < 4096) &&
+//             (rhs.coefficients[i].abs() <= FIELD_MODULUS)
+
+// ))))]
+// #[cfg_attr(hax, hax_lib::ensures(|result|
+//     hax_lib::forall(|i:usize|
+//         hax_lib::implies(i < result.coefficients.len(), ||
+//                 result.coefficients[i].abs() <= FIELD_MODULUS
+// ))))]
+#[inline(always)]
+pub(crate) fn ntt_multiply<Vector: Operations>(myself: &PolynomialRingElement<Vector>, rhs: &PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    hax_lib::fstar!("admit ()");
+    // hax_debug_debug_assert!(lhs
+    //     .coefficients
+    //     .into_iter()
+    //     .all(|coefficient| coefficient >= 0 && coefficient < 4096));
+
+    let mut out = ZERO();
+
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        out.coefficients[i] = Vector::ntt_multiply(
+            &myself.coefficients[i],
+            &rhs.coefficients[i],
+            get_zeta(64 + 4 * i),
+            get_zeta(64 + 4 * i + 1),
+            get_zeta(64 + 4 * i + 2),
+            get_zeta(64 + 4 * i + 3),
+        );
+    }
+
+    out
+}
+
 #[hax_lib::attributes]
 impl<Vector: Operations> PolynomialRingElement<Vector> {
     #[allow(non_snake_case)]
@@ -75,179 +265,43 @@ impl<Vector: Operations> PolynomialRingElement<Vector> {
     #[inline(always)]
     #[requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())]
     pub(crate) fn from_i16_array(a: &[i16]) -> Self {
-        let mut result = PolynomialRingElement::ZERO();
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            result.coefficients[i] = Vector::from_i16_array(&a[i * 16..(i + 1) * 16]);
-        }
-        result
+        from_i16_array(a)
     }
 
     /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
     /// sum of their constituent coefficients.
     #[inline(always)]
     pub(crate) fn add_to_ring_element<const K: usize>(&mut self, rhs: &Self) {
-        hax_lib::fstar!("admit ()");
-        // The semicolon and parentheses at the end of loop are a workaround
-        // for the following bug https://github.com/hacspec/hax/issues/720
-        for i in 0..self.coefficients.len() {
-            self.coefficients[i] = Vector::add(self.coefficients[i], &rhs.coefficients[i]);
-        }
-        ()
+        add_to_ring_element::<Vector,K>(self, rhs);
     }
 
     #[inline(always)]
     pub fn poly_barrett_reduce(&mut self) {
-        // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-        hax_lib::fstar!("admit ()");
-        // The semicolon and parentheses at the end of loop are a workaround
-        // for the following bug https://github.com/hacspec/hax/issues/720
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            self.coefficients[i] = Vector::barrett_reduce(self.coefficients[i]);
-        }
-        ()
+        poly_barrett_reduce(self);
     }
 
     #[inline(always)]
-    pub(crate) fn subtract_reduce(&self, mut b: Self) -> Self {
-        // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-        hax_lib::fstar!("admit ()");
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            let coefficient_normal_form =
-                Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441);
-            b.coefficients[i] =
-                Vector::barrett_reduce(Vector::sub(self.coefficients[i], &coefficient_normal_form));
-        }
-        b
+    pub(crate) fn subtract_reduce(&self, b: Self) -> Self {
+        subtract_reduce(self, b)
     }
 
     #[inline(always)]
-    pub(crate) fn add_message_error_reduce(&self, message: &Self, mut result: Self) -> Self {
-        // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-        hax_lib::fstar!("admit ()");
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            let coefficient_normal_form =
-                Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441);
-
-            // FIXME: Eurydice crashes with:
-            //
-            // Warning 11: in top-level declaration libcrux_ml_kem.polynomial.{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}.add_message_error_reduce__libcrux_ml_kem_libcrux_polynomials_PortableVector: this expression is not Low*; the enclosing function cannot be translated into C*: let mutable ret(Mark.Present,(Mark.AtMost 2), ): int16_t[16size_t] = $any in
-            // libcrux_ml_kem.libcrux_polynomials.{(libcrux_ml_kem::libcrux_polynomials::libcrux_traits::Operations␣for␣libcrux_ml_kem::libcrux_polynomials::PortableVector)}.add ((@9: libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t]*)[0uint32_t]:int16_t[16size_t][16size_t])[@4] &(((@8: libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t]*)[0uint32_t]:libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t])[@4]) @0;
-            // @0
-            // Warning 11 is fatal, exiting.
-            //
-            // On the following code:
-
-            // ```rust
-            // result.coefficients[i] = Vector::barrett_reduce(Vector::add(
-            //     coefficient_normal_form,
-            //     &Vector::add(self.coefficients[i], &message.coefficients[i]),
-            // ));
-            // ```
-
-            let tmp = Vector::add(self.coefficients[i], &message.coefficients[i]);
-            let tmp = Vector::add(coefficient_normal_form, &tmp);
-            result.coefficients[i] = Vector::barrett_reduce(tmp);
-        }
-        result
+    pub(crate) fn add_message_error_reduce(&self, message: &Self, result: Self) -> Self {
+        add_message_error_reduce(self, message, result)
     }
 
     #[inline(always)]
     pub(crate) fn add_error_reduce(&mut self, error: &Self) {
-        // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-        hax_lib::fstar!("admit ()");
-        // The semicolon and parentheses at the end of loop are a workaround
-        // for the following bug https://github.com/hacspec/hax/issues/720
-        for j in 0..VECTORS_IN_RING_ELEMENT {
-            let coefficient_normal_form =
-                Vector::montgomery_multiply_by_constant(self.coefficients[j], 1441);
-
-            self.coefficients[j] = Vector::barrett_reduce(Vector::add(
-                coefficient_normal_form,
-                &error.coefficients[j],
-            ));
-        }
-        ()
+        add_error_reduce(self, error);
     }
 
     #[inline(always)]
     pub(crate) fn add_standard_error_reduce(&mut self, error: &Self) {
-        // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-        hax_lib::fstar!("admit ()");
-        // The semicolon and parentheses at the end of loop are a workaround
-        // for the following bug https://github.com/hacspec/hax/issues/720
-        for j in 0..VECTORS_IN_RING_ELEMENT {
-            // The coefficients are of the form aR^{-1} mod q, which means
-            // calling to_montgomery_domain() on them should return a mod q.
-            let coefficient_normal_form = to_standard_domain::<Vector>(self.coefficients[j]);
-
-            self.coefficients[j] = Vector::barrett_reduce(Vector::add(
-                coefficient_normal_form,
-                &error.coefficients[j],
-            ));
-        }
-        ()
-    }
-
-    /// Given two `KyberPolynomialRingElement`s in their NTT representations,
-    /// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
-    /// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
-    ///
-    /// ```plaintext
-    /// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1))
-    /// ```
-    ///
-    /// This function almost implements <strong>Algorithm 10</strong> of the
-    /// NIST FIPS 203 standard, which is reproduced below:
-    ///
-    /// ```plaintext
-    /// Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
-    /// Output: An array ĥ ∈ ℤq.
-    ///
-    /// for(i ← 0; i < 128; i++)
-    ///     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], ζ^(2·BitRev₇(i) + 1))
-    /// end for
-    /// return ĥ
-    /// ```
-    /// We say "almost" because the coefficients of the ring element output by
-    /// this function are in the Montgomery domain.
-    ///
-    /// The NIST FIPS 203 standard can be found at
-    /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-    // TODO: Remove or replace with something that works and is useful for the proof.
-    // #[cfg_attr(hax, hax_lib::requires(
-    //     hax_lib::forall(|i:usize|
-    //         hax_lib::implies(i < COEFFICIENTS_IN_RING_ELEMENT, ||
-    //             (lhs.coefficients[i] >= 0 && lhs.coefficients[i] < 4096) &&
-    //             (rhs.coefficients[i].abs() <= FIELD_MODULUS)
-
-    // ))))]
-    // #[cfg_attr(hax, hax_lib::ensures(|result|
-    //     hax_lib::forall(|i:usize|
-    //         hax_lib::implies(i < result.coefficients.len(), ||
-    //                 result.coefficients[i].abs() <= FIELD_MODULUS
-    // ))))]
+        add_standard_error_reduce(self, error);
+    }
+
     #[inline(always)]
     pub(crate) fn ntt_multiply(&self, rhs: &Self) -> Self {
-        // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-        hax_lib::fstar!("admit ()");
-        // hax_debug_debug_assert!(lhs
-        //     .coefficients
-        //     .into_iter()
-        //     .all(|coefficient| coefficient >= 0 && coefficient < 4096));
-
-        let mut out = PolynomialRingElement::ZERO();
-
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            out.coefficients[i] = Vector::ntt_multiply(
-                &self.coefficients[i],
-                &rhs.coefficients[i],
-                get_zeta(64 + 4 * i),
-                get_zeta(64 + 4 * i + 1),
-                get_zeta(64 + 4 * i + 2),
-                get_zeta(64 + 4 * i + 3),
-            );
-        }
-
-        out
+        ntt_multiply(self, rhs)
     }
 }

From 18c6c50d3bfd31d3c6b30ea28f10ebadcfb09d5c Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 4 Dec 2024 15:56:44 +0100
Subject: [PATCH 02/23] f* refresh\

---
 .../extraction/Libcrux_ml_kem.Polynomial.fst  | 38 +++++++++++++----
 .../fstar/spec/Spec.MLKEM.Instances.fst       |  1 +
 libcrux-ml-kem/src/polynomial.rs              | 41 ++++++++-----------
 3 files changed, 47 insertions(+), 33 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
index 266113065..b09d2b7d2 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
@@ -14,6 +14,8 @@ let get_zeta (i: usize) =
   let _:Prims.unit = admit () (* Panic freedom *) in
   result
 
+#push-options "--admit_smt_queries true"
+
 let add_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -21,7 +23,6 @@ let add_error_reduce
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (myself error: t_PolynomialRingElement v_Vector)
      =
-  let _:Prims.unit = admit () in
   let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -65,6 +66,8 @@ let add_error_reduce
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   myself
 
+#pop-options
+
 let impl_2__add_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -75,6 +78,8 @@ let impl_2__add_error_reduce
   let self:t_PolynomialRingElement v_Vector = add_error_reduce #v_Vector self error in
   self
 
+#push-options "--admit_smt_queries true"
+
 let add_message_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -82,7 +87,6 @@ let add_message_error_reduce
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (myself message result: t_PolynomialRingElement v_Vector)
      =
-  let _:Prims.unit = admit () in
   let result:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -132,6 +136,8 @@ let add_message_error_reduce
   in
   result
 
+#pop-options
+
 let impl_2__add_message_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -140,6 +146,8 @@ let impl_2__add_message_error_reduce
       (self message result: t_PolynomialRingElement v_Vector)
      = add_message_error_reduce #v_Vector self message result
 
+#push-options "--admit_smt_queries true"
+
 let add_standard_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -147,7 +155,6 @@ let add_standard_error_reduce
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (myself error: t_PolynomialRingElement v_Vector)
      =
-  let _:Prims.unit = admit () in
   let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -189,6 +196,8 @@ let add_standard_error_reduce
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   myself
 
+#pop-options
+
 let impl_2__add_standard_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -199,6 +208,8 @@ let impl_2__add_standard_error_reduce
   let self:t_PolynomialRingElement v_Vector = add_standard_error_reduce #v_Vector self error in
   self
 
+#push-options "--admit_smt_queries true"
+
 let poly_barrett_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -206,7 +217,6 @@ let poly_barrett_reduce
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (myself: t_PolynomialRingElement v_Vector)
      =
-  let _:Prims.unit = admit () in
   let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -238,6 +248,8 @@ let poly_barrett_reduce
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   myself
 
+#pop-options
+
 let impl_2__poly_barrett_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -248,6 +260,8 @@ let impl_2__poly_barrett_reduce
   let self:t_PolynomialRingElement v_Vector = poly_barrett_reduce #v_Vector self in
   self
 
+#push-options "--admit_smt_queries true"
+
 let subtract_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -255,7 +269,6 @@ let subtract_reduce
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (myself b: t_PolynomialRingElement v_Vector)
      =
-  let _:Prims.unit = admit () in
   let b:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -298,6 +311,8 @@ let subtract_reduce
   in
   b
 
+#pop-options
+
 let impl_2__subtract_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -399,6 +414,8 @@ let impl_2__from_i16_array
       (a: t_Slice i16)
      = from_i16_array #v_Vector a
 
+#push-options "--admit_smt_queries true"
+
 let ntt_multiply
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -406,7 +423,6 @@ let ntt_multiply
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (myself rhs: t_PolynomialRingElement v_Vector)
      =
-  let _:Prims.unit = admit () in
   let out:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in
   let out:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
@@ -443,6 +459,8 @@ let ntt_multiply
   in
   out
 
+#pop-options
+
 let impl_2__ntt_multiply
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -451,6 +469,8 @@ let impl_2__ntt_multiply
       (self rhs: t_PolynomialRingElement v_Vector)
      = ntt_multiply #v_Vector self rhs
 
+#push-options "--admit_smt_queries true"
+
 let add_to_ring_element
       (#v_Vector: Type0)
       (v_K: usize)
@@ -488,11 +508,11 @@ let add_to_ring_element
           <:
           t_PolynomialRingElement v_Vector)
   in
-  let result:Prims.unit = () <: Prims.unit in
-  let _:Prims.unit = admit () (* Panic freedom *) in
-  let hax_temp_output:Prims.unit = result in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   myself
 
+#pop-options
+
 let impl_2__add_to_ring_element
       (#v_Vector: Type0)
       (v_K: usize)
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst
index f598ee0ff..b5a7ff8c5 100644
--- a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst
@@ -18,6 +18,7 @@ let mlkem768_generate_keypair (randomness:t_Array u8 (sz 64)):
 
 let mlkem768_encapsulate (public_key: t_Array u8 (sz 1184)) (randomness: t_Array u8 (sz 32)):
                          (t_Array u8 (sz 1088) & t_Array u8 (sz 32)) & bool =
+    assert (v_CPA_CIPHERTEXT_SIZE mlkem768_rank == sz 1088); 
     ind_cca_encapsulate mlkem768_rank public_key randomness
 
 let mlkem768_decapsulate (secret_key: t_Array u8 (sz 2400)) (ciphertext: t_Array u8 (sz 1088)):
diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index 3d1c3b06e..ec0e013d6 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -66,7 +66,7 @@ pub(crate) struct PolynomialRingElement<Vector: Operations> {
 
 
 #[allow(non_snake_case)]
-pub(crate) fn ZERO<Vector: Operations>() -> PolynomialRingElement<Vector> {
+fn ZERO<Vector: Operations>() -> PolynomialRingElement<Vector> {
     PolynomialRingElement {
         // FIXME:  The THIR body of item DefId(0:415 ~ libcrux_ml_kem[9000]::polynomial::{impl#0}::ZERO::{constant#0}) was stolen.
         coefficients: [Vector::ZERO(); 16],
@@ -75,7 +75,7 @@ pub(crate) fn ZERO<Vector: Operations>() -> PolynomialRingElement<Vector> {
 
 #[inline(always)]
 #[hax_lib::requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())]
-pub(crate) fn from_i16_array<Vector: Operations>(a: &[i16]) -> PolynomialRingElement<Vector> {
+fn from_i16_array<Vector: Operations>(a: &[i16]) -> PolynomialRingElement<Vector> {
     let mut result = ZERO();
     for i in 0..VECTORS_IN_RING_ELEMENT {
         result.coefficients[i] = Vector::from_i16_array(&a[i * 16..(i + 1) * 16]);
@@ -86,8 +86,8 @@ pub(crate) fn from_i16_array<Vector: Operations>(a: &[i16]) -> PolynomialRingEle
 /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
 /// sum of their constituent coefficients.
 #[inline(always)]
-#[hax_lib::fstar::verification_status(panic_free)]
-pub(crate) fn add_to_ring_element<Vector: Operations, const K: usize>(myself: &mut PolynomialRingElement<Vector>, rhs: &PolynomialRingElement<Vector>) {
+#[hax_lib::fstar::verification_status(lax)]
+fn add_to_ring_element<Vector: Operations, const K: usize>(myself: &mut PolynomialRingElement<Vector>, rhs: &PolynomialRingElement<Vector>) {
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for i in 0..myself.coefficients.len() {
@@ -97,9 +97,9 @@ pub(crate) fn add_to_ring_element<Vector: Operations, const K: usize>(myself: &m
 }
 
 #[inline(always)]
-pub fn poly_barrett_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>) {
+#[hax_lib::fstar::verification_status(lax)]
+fn poly_barrett_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>) {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-    hax_lib::fstar!("admit ()");
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for i in 0..VECTORS_IN_RING_ELEMENT {
@@ -109,9 +109,9 @@ pub fn poly_barrett_reduce<Vector: Operations>(myself: &mut PolynomialRingElemen
 }
 
 #[inline(always)]
-pub(crate) fn subtract_reduce<Vector: Operations>(myself: &PolynomialRingElement<Vector>, mut b: PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
+#[hax_lib::fstar::verification_status(lax)]
+fn subtract_reduce<Vector: Operations>(myself: &PolynomialRingElement<Vector>, mut b: PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-    hax_lib::fstar!("admit ()");
     for i in 0..VECTORS_IN_RING_ELEMENT {
         let coefficient_normal_form =
             Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441);
@@ -122,9 +122,9 @@ pub(crate) fn subtract_reduce<Vector: Operations>(myself: &PolynomialRingElement
 }
 
 #[inline(always)]
-pub(crate) fn add_message_error_reduce<Vector: Operations>(myself: &PolynomialRingElement<Vector>, message: &PolynomialRingElement<Vector>, mut result: PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
+#[hax_lib::fstar::verification_status(lax)]
+fn add_message_error_reduce<Vector: Operations>(myself: &PolynomialRingElement<Vector>, message: &PolynomialRingElement<Vector>, mut result: PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-    hax_lib::fstar!("admit ()");
     for i in 0..VECTORS_IN_RING_ELEMENT {
         let coefficient_normal_form =
             Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441);
@@ -153,9 +153,9 @@ pub(crate) fn add_message_error_reduce<Vector: Operations>(myself: &PolynomialRi
 }
 
 #[inline(always)]
-pub(crate) fn add_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>, error: &PolynomialRingElement<Vector>) {
+#[hax_lib::fstar::verification_status(lax)]
+fn add_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>, error: &PolynomialRingElement<Vector>) {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-    hax_lib::fstar!("admit ()");
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for j in 0..VECTORS_IN_RING_ELEMENT {
@@ -171,9 +171,9 @@ pub(crate) fn add_error_reduce<Vector: Operations>(myself: &mut PolynomialRingEl
 }
 
 #[inline(always)]
-pub(crate) fn add_standard_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>, error: &PolynomialRingElement<Vector>) {
+#[hax_lib::fstar::verification_status(lax)]
+fn add_standard_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>, error: &PolynomialRingElement<Vector>) {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-    hax_lib::fstar!("admit ()");
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for j in 0..VECTORS_IN_RING_ELEMENT {
@@ -228,14 +228,8 @@ pub(crate) fn add_standard_error_reduce<Vector: Operations>(myself: &mut Polynom
 //                 result.coefficients[i].abs() <= FIELD_MODULUS
 // ))))]
 #[inline(always)]
-pub(crate) fn ntt_multiply<Vector: Operations>(myself: &PolynomialRingElement<Vector>, rhs: &PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
-    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
-    hax_lib::fstar!("admit ()");
-    // hax_debug_debug_assert!(lhs
-    //     .coefficients
-    //     .into_iter()
-    //     .all(|coefficient| coefficient >= 0 && coefficient < 4096));
-
+#[hax_lib::fstar::verification_status(lax)]
+fn ntt_multiply<Vector: Operations>(myself: &PolynomialRingElement<Vector>, rhs: &PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
     let mut out = ZERO();
 
     for i in 0..VECTORS_IN_RING_ELEMENT {
@@ -257,7 +251,6 @@ impl<Vector: Operations> PolynomialRingElement<Vector> {
     #[allow(non_snake_case)]
     pub(crate) fn ZERO() -> Self {
         Self {
-            // FIXME:  The THIR body of item DefId(0:415 ~ libcrux_ml_kem[9000]::polynomial::{impl#0}::ZERO::{constant#0}) was stolen.
             coefficients: [Vector::ZERO(); 16],
         }
     }
@@ -276,7 +269,7 @@ impl<Vector: Operations> PolynomialRingElement<Vector> {
     }
 
     #[inline(always)]
-    pub fn poly_barrett_reduce(&mut self) {
+    pub(crate) fn poly_barrett_reduce(&mut self) {
         poly_barrett_reduce(self);
     }
 

From bcca5409deb61aaed96219c46d12d1ba2b6dfb7c Mon Sep 17 00:00:00 2001
From: karthikbhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 4 Dec 2024 15:11:26 +0000
Subject: [PATCH 03/23] bitveveq

---
 fstar-helpers/fstar-bitvec/BitVecEq.fsti | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fsti b/fstar-helpers/fstar-bitvec/BitVecEq.fsti
index c370f28bf..6792f2b29 100644
--- a/fstar-helpers/fstar-bitvec/BitVecEq.fsti
+++ b/fstar-helpers/fstar-bitvec/BitVecEq.fsti
@@ -1,5 +1,5 @@
 module BitVecEq
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
 open Core
 open FStar.Mul
 open MkSeq
@@ -72,7 +72,7 @@ let int_t_array_bitwise_eq
 //                                 else get_bit_nat (pow2 (bits n) + v x) (v nth))
 //     with get_bit_intro #n x nth
 
-#push-options "--fuel 0 --ifuel 0 --z3rlimit 80"
+#push-options "--fuel 0 --ifuel 0 --z3rlimit 150"
 /// Rewrite a `bit_vec_of_int_t_array (Seq.slice arr ...)` into a `bit_vec_sub ...`
 let int_t_seq_slice_to_bv_sub_lemma #t #n 
   (arr: t_Array (int_t t) n)

From 4ac64bcaafdda062b617d491b4bd7bc65dd94a24 Mon Sep 17 00:00:00 2001
From: karthikbhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 4 Dec 2024 20:28:28 +0000
Subject: [PATCH 04/23] status

---
 .../proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst    | 2 +-
 .../extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst  | 2 +-
 .../extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst   | 1 +
 .../Libcrux_ml_kem.Vector.Portable.Arithmetic.fst         | 2 +-
 libcrux-ml-kem/src/polynomial.rs                          | 8 ++++----
 5 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
index ee9e56c50..a6ffee609 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
@@ -235,7 +235,7 @@ let serialize_kem_secret_key
 
 #pop-options
 
-#push-options "--z3rlimit 300 --ext context_pruning --split_queries always"
+#push-options "--z3rlimit 300"
 
 let encapsulate
       (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
index cba0ea581..6f960e706 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
@@ -184,7 +184,7 @@ let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
 
 #pop-options
 
-#push-options "--z3rlimit 250"
+#push-options "--z3rlimit 200"
 
 let montgomery_multiply_by_constant
       (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
index 00fb6832a..b0c197583 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
@@ -38,6 +38,7 @@ let deserialize_1_ (bytes: t_Slice u8) =
   deserialize_1___deserialize_1_u8s (bytes.[ sz 0 ] <: u8) (bytes.[ sz 1 ] <: u8)
 
 [@@"opaque_to_smt"]
+
 let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) =
   let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b7 b7 b6 b6 b5 b5 b4 b4 b3 b3 b2 b2 b1 b1 b0 b0
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
index f400f5ccd..9f607fddd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
@@ -28,7 +28,7 @@ let get_n_least_significant_bits (n: u8) (value: u32) =
 
 #pop-options
 
-#push-options "--z3rlimit 200"
+#push-options "--z3rlimit 150"
 
 let barrett_reduce_element (value: i16) =
   let t:i32 =
diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index 050269f8e..f4e8ca204 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -237,10 +237,10 @@ fn ntt_multiply<Vector: Operations>(myself: &PolynomialRingElement<Vector>, rhs:
         out.coefficients[i] = Vector::ntt_multiply(
             &myself.coefficients[i],
             &rhs.coefficients[i],
-            get_zeta(64 + 4 * i),
-            get_zeta(64 + 4 * i + 1),
-            get_zeta(64 + 4 * i + 2),
-            get_zeta(64 + 4 * i + 3),
+            zeta(64 + 4 * i),
+            zeta(64 + 4 * i + 1),
+            zeta(64 + 4 * i + 2),
+            zeta(64 + 4 * i + 3),
         );
     }
 

From 0d5c258fdd7bbd0ebbb9f116707e61c7a33d686e Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Thu, 5 Dec 2024 12:09:08 +0100
Subject: [PATCH 05/23] rlimit

---
 libcrux-ml-kem/hax.py                         |   2 +-
 .../extraction/Libcrux_ml_kem.Ind_cpa.fst     |   2 +-
 .../fstar/extraction/Libcrux_ml_kem.Types.fst | 357 +++++++++++++++-
 .../extraction/Libcrux_ml_kem.Types.fsti      | 391 ------------------
 4 files changed, 345 insertions(+), 407 deletions(-)
 delete mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti

diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py
index 4855a507b..d7bbc38aa 100755
--- a/libcrux-ml-kem/hax.py
+++ b/libcrux-ml-kem/hax.py
@@ -85,7 +85,7 @@ def __call__(self, parser, args, values, option_string=None) -> None:
             "+:libcrux_ml_kem::hash_functions::*::*",
         ]
         include_str = " ".join(includes)
-        interface_include = "+**"
+        interface_include = "+** -libcrux_ml_kem::types"
         cargo_hax_into = [
             "cargo",
             "hax",
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
index 073e16e7d..25428a076 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
@@ -12,7 +12,7 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-#push-options "--ext context_pruning"
+#push-options "--z3rlimit 120 --ext context_pruning"
 
 let deserialize_secret_key
       (v_K: usize)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
index 5748d2562..d4dea7527 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
@@ -3,37 +3,178 @@ module Libcrux_ml_kem.Types
 open Core
 open FStar.Mul
 
-let impl_6__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+/// The number of bytes
+let impl_6__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
 
-let impl_13__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+/// The number of bytes
+let impl_13__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
 
-let impl_20__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+/// The number of bytes
+let impl_20__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
 
-let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value
+///An ML-KEM Ciphertext
+type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
-let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemCiphertext v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemCiphertext v_SIZE) -> value.f_value
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE
+  }
+
+/// A reference to the raw byte slice.
+let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE)
+    : Prims.Pure (t_Array u8 v_SIZE)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_SIZE = result in
+          result == self.f_value) = self.f_value
+
+///An ML-KEM Private key
+type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemPrivateKey v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemPrivateKey v_SIZE) -> value.f_value
+  }
 
-let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE
+  }
+
+/// A reference to the raw byte slice.
+let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE)
+    : Prims.Pure (t_Array u8 v_SIZE)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_SIZE = result in
+          result == self.f_value) = self.f_value
+
+///An ML-KEM Public key
+type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemPublicKey v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemPublicKey v_SIZE) -> value.f_value
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE
+  }
+
+/// A reference to the raw byte slice.
+let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE)
+    : Prims.Pure (t_Array u8 v_SIZE)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_SIZE = result in
+          result == self.f_value) = self.f_value
+
+/// An ML-KEM key pair
+type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = {
+  f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE;
+  f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE
+}
+
+/// Create a new [`MlKemKeyPair`] from the secret and public key.
 let impl_21__from
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
       (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-     = { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
+    : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in
+          result.f_sk == sk /\ result.f_pk == pk) =
+  { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
 
+/// Separate this key into the public and private key.
 let impl_21__into_parts
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     =
+    : (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) =
   self.f_sk, self.f_pk
   <:
   (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
 
+/// Creates a new [`MlKemKeyPair`].
 let impl_21__new
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (sk: t_Array u8 v_PRIVATE_KEY_SIZE)
       (pk: t_Array u8 v_PUBLIC_KEY_SIZE)
-     =
+    : t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE =
   {
     f_sk
     =
@@ -51,27 +192,60 @@ let impl_21__new
   <:
   t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
 
+/// Get a reference to the raw public key bytes.
 let impl_21__pk
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk
+    : t_Array u8 v_PUBLIC_KEY_SIZE = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk
 
+/// Get a reference to the [`MlKemPrivateKey<PRIVATE_KEY_SIZE>`].
 let impl_21__private_key
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     = self.f_sk
+    : t_MlKemPrivateKey v_PRIVATE_KEY_SIZE = self.f_sk
 
+/// Get a reference to the [`MlKemPublicKey<PUBLIC_KEY_SIZE>`].
 let impl_21__public_key
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     = self.f_pk
+    : t_MlKemPublicKey v_PUBLIC_KEY_SIZE = self.f_pk
 
+/// Get a reference to the raw private key bytes.
 let impl_21__sk
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk
+    : t_Array u8 v_PRIVATE_KEY_SIZE = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk
 
-let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private_key: t_Slice u8) =
+/// Unpack an incoming private key into it\'s different parts.
+/// We have this here in types to extract into a common core for C.
+let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private_key: t_Slice u8)
+    : Prims.Pure (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
+      (requires
+        Seq.length private_key >=
+        v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE + v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)
+      (ensures
+        fun result ->
+          let result:(t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8) = result in
+          let ind_cpa_secret_key_s, rest = split private_key v_CPA_SECRET_KEY_SIZE in
+          let ind_cpa_public_key_s, rest = split rest v_PUBLIC_KEY_SIZE in
+          let ind_cpa_public_key_hash_s, implicit_rejection_value_s =
+            split rest Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
+          in
+          let
+          ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value
+          =
+            result
+          in
+          ind_cpa_secret_key_s == ind_cpa_secret_key /\ ind_cpa_public_key_s == ind_cpa_public_key /\
+          ind_cpa_public_key_hash_s == ind_cpa_public_key_hash /\
+          implicit_rejection_value_s == implicit_rejection_value /\
+          Seq.length ind_cpa_secret_key == v v_CPA_SECRET_KEY_SIZE /\
+          Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE /\
+          Seq.length ind_cpa_public_key_hash == v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE /\
+          Seq.length implicit_rejection_value ==
+          Seq.length private_key -
+          (v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE +
+            v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)) =
   let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) =
     Core.Slice.impl__split_at #u8 private_key v_CPA_SECRET_KEY_SIZE
   in
@@ -85,3 +259,158 @@ let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private
   <:
   (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemPrivateKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_3 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
+  {
+    f_Error = Core.Array.t_TryFromSliceError;
+    f_try_from_pre = (fun (value: t_Slice u8) -> true);
+    f_try_from_post
+    =
+    (fun
+        (value: t_Slice u8)
+        (out: Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError)
+        ->
+        true);
+    f_try_from
+    =
+    fun (value: t_Slice u8) ->
+      match
+        Core.Convert.f_try_into #(t_Slice u8)
+          #(t_Array u8 v_SIZE)
+          #FStar.Tactics.Typeclasses.solve
+          value
+      with
+      | Core.Result.Result_Ok value ->
+        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemCiphertext v_SIZE)
+        <:
+        Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
+      | Core.Result.Result_Err e ->
+        Core.Result.Result_Err e
+        <:
+        Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
+  {
+    f_Error = Core.Array.t_TryFromSliceError;
+    f_try_from_pre = (fun (value: t_Slice u8) -> true);
+    f_try_from_post
+    =
+    (fun
+        (value: t_Slice u8)
+        (out: Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError)
+        ->
+        true);
+    f_try_from
+    =
+    fun (value: t_Slice u8) ->
+      match
+        Core.Convert.f_try_into #(t_Slice u8)
+          #(t_Array u8 v_SIZE)
+          #FStar.Tactics.Typeclasses.solve
+          value
+      with
+      | Core.Result.Result_Ok value ->
+        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPrivateKey v_SIZE)
+        <:
+        Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
+      | Core.Result.Result_Err e ->
+        Core.Result.Result_Err e
+        <:
+        Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_17 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
+  {
+    f_Error = Core.Array.t_TryFromSliceError;
+    f_try_from_pre = (fun (value: t_Slice u8) -> true);
+    f_try_from_post
+    =
+    (fun
+        (value: t_Slice u8)
+        (out: Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError)
+        ->
+        true);
+    f_try_from
+    =
+    fun (value: t_Slice u8) ->
+      match
+        Core.Convert.f_try_into #(t_Slice u8)
+          #(t_Array u8 v_SIZE)
+          #FStar.Tactics.Typeclasses.solve
+          value
+      with
+      | Core.Result.Result_Ok value ->
+        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPublicKey v_SIZE)
+        <:
+        Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
+      | Core.Result.Result_Err e ->
+        Core.Result.Result_Err e
+        <:
+        Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
+  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
deleted file mode 100644
index 1947307c5..000000000
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
+++ /dev/null
@@ -1,391 +0,0 @@
-module Libcrux_ml_kem.Types
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
-open Core
-open FStar.Mul
-
-/// The number of bytes
-val impl_6__len: v_SIZE: usize -> Prims.unit
-  -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
-/// The number of bytes
-val impl_13__len: v_SIZE: usize -> Prims.unit
-  -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
-/// The number of bytes
-val impl_20__len: v_SIZE: usize -> Prims.unit
-  -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
-///An ML-KEM Ciphertext
-type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemCiphertext v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemCiphertext v_SIZE) -> value.f_value
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post
-    =
-    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE
-  }
-
-/// A reference to the raw byte slice.
-val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE)
-    : Prims.Pure (t_Array u8 v_SIZE)
-      Prims.l_True
-      (ensures
-        fun result ->
-          let result:t_Array u8 v_SIZE = result in
-          result == self.f_value)
-
-///An ML-KEM Private key
-type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemPrivateKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemPrivateKey v_SIZE) -> value.f_value
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post
-    =
-    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE
-  }
-
-/// A reference to the raw byte slice.
-val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE)
-    : Prims.Pure (t_Array u8 v_SIZE)
-      Prims.l_True
-      (ensures
-        fun result ->
-          let result:t_Array u8 v_SIZE = result in
-          result == self.f_value)
-
-///An ML-KEM Public key
-type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemPublicKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemPublicKey v_SIZE) -> value.f_value
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post
-    =
-    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE
-  }
-
-/// A reference to the raw byte slice.
-val impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE)
-    : Prims.Pure (t_Array u8 v_SIZE)
-      Prims.l_True
-      (ensures
-        fun result ->
-          let result:t_Array u8 v_SIZE = result in
-          result == self.f_value)
-
-/// An ML-KEM key pair
-type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = {
-  f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE;
-  f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE
-}
-
-/// Create a new [`MlKemKeyPair`] from the secret and public key.
-val impl_21__from
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
-      (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (ensures
-        fun result ->
-          let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in
-          result.f_sk == sk /\ result.f_pk == pk)
-
-/// Separate this key into the public and private key.
-val impl_21__into_parts
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Creates a new [`MlKemKeyPair`].
-val impl_21__new
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (sk: t_Array u8 v_PRIVATE_KEY_SIZE)
-      (pk: t_Array u8 v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get a reference to the raw public key bytes.
-val impl_21__pk
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get a reference to the [`MlKemPrivateKey<PRIVATE_KEY_SIZE>`].
-val impl_21__private_key
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get a reference to the [`MlKemPublicKey<PUBLIC_KEY_SIZE>`].
-val impl_21__public_key
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get a reference to the raw private key bytes.
-val impl_21__sk
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Unpack an incoming private key into it\'s different parts.
-/// We have this here in types to extract into a common core for C.
-val unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private_key: t_Slice u8)
-    : Prims.Pure (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
-      (requires
-        Seq.length private_key >=
-        v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE + v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)
-      (ensures
-        fun result ->
-          let result:(t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8) = result in
-          let ind_cpa_secret_key_s, rest = split private_key v_CPA_SECRET_KEY_SIZE in
-          let ind_cpa_public_key_s, rest = split rest v_PUBLIC_KEY_SIZE in
-          let ind_cpa_public_key_hash_s, implicit_rejection_value_s =
-            split rest Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
-          in
-          let
-          ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value
-          =
-            result
-          in
-          ind_cpa_secret_key_s == ind_cpa_secret_key /\ ind_cpa_public_key_s == ind_cpa_public_key /\
-          ind_cpa_public_key_hash_s == ind_cpa_public_key_hash /\
-          implicit_rejection_value_s == implicit_rejection_value /\
-          Seq.length ind_cpa_secret_key == v v_CPA_SECRET_KEY_SIZE /\
-          Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE /\
-          Seq.length ind_cpa_public_key_hash == v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE /\
-          Seq.length implicit_rejection_value ==
-          Seq.length private_key -
-          (v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE +
-            v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE))
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true);
-    f_as_ref_post
-    =
-    (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
-    f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true);
-    f_as_ref_post
-    =
-    (fun (self___: t_MlKemPrivateKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
-    f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true);
-    f_as_ref_post
-    =
-    (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
-    f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_3 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
-  {
-    f_Error = Core.Array.t_TryFromSliceError;
-    f_try_from_pre = (fun (value: t_Slice u8) -> true);
-    f_try_from_post
-    =
-    (fun
-        (value: t_Slice u8)
-        (out: Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError)
-        ->
-        true);
-    f_try_from
-    =
-    fun (value: t_Slice u8) ->
-      match
-        Core.Convert.f_try_into #(t_Slice u8)
-          #(t_Array u8 v_SIZE)
-          #FStar.Tactics.Typeclasses.solve
-          value
-      with
-      | Core.Result.Result_Ok value ->
-        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemCiphertext v_SIZE)
-        <:
-        Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
-      | Core.Result.Result_Err e ->
-        Core.Result.Result_Err e
-        <:
-        Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
-  {
-    f_Error = Core.Array.t_TryFromSliceError;
-    f_try_from_pre = (fun (value: t_Slice u8) -> true);
-    f_try_from_post
-    =
-    (fun
-        (value: t_Slice u8)
-        (out: Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError)
-        ->
-        true);
-    f_try_from
-    =
-    fun (value: t_Slice u8) ->
-      match
-        Core.Convert.f_try_into #(t_Slice u8)
-          #(t_Array u8 v_SIZE)
-          #FStar.Tactics.Typeclasses.solve
-          value
-      with
-      | Core.Result.Result_Ok value ->
-        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPrivateKey v_SIZE)
-        <:
-        Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
-      | Core.Result.Result_Err e ->
-        Core.Result.Result_Err e
-        <:
-        Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_17 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
-  {
-    f_Error = Core.Array.t_TryFromSliceError;
-    f_try_from_pre = (fun (value: t_Slice u8) -> true);
-    f_try_from_post
-    =
-    (fun
-        (value: t_Slice u8)
-        (out: Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError)
-        ->
-        true);
-    f_try_from
-    =
-    fun (value: t_Slice u8) ->
-      match
-        Core.Convert.f_try_into #(t_Slice u8)
-          #(t_Array u8 v_SIZE)
-          #FStar.Tactics.Typeclasses.solve
-          value
-      with
-      | Core.Result.Result_Ok value ->
-        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPublicKey v_SIZE)
-        <:
-        Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
-      | Core.Result.Result_Err e ->
-        Core.Result.Result_Err e
-        <:
-        Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
-  }

From 4fe679b931de6d3277233a9a22b67a64cb38e8e0 Mon Sep 17 00:00:00 2001
From: mamonet <maamoun.tk@gmail.com>
Date: Fri, 6 Dec 2024 15:15:59 +0000
Subject: [PATCH 06/23] Fix verification

---
 .../Libcrux_ml_kem.Ind_cca.Unpacked.fst       |  2 +-
 .../extraction/Libcrux_ml_kem.Ind_cpa.fst     | 91 +++++++++++++------
 libcrux-ml-kem/src/ind_cca.rs                 |  2 +-
 libcrux-ml-kem/src/ind_cpa.rs                 | 78 +++++++++++++---
 4 files changed, 128 insertions(+), 45 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
index 5e641a876..e726f4578 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
@@ -647,7 +647,7 @@ let impl_4__serialized_public_key
     v_PUBLIC_KEY_SIZE
     self.f_public_key
 
-#push-options "--z3rlimit 800 --ext context_pruning"
+#push-options "--z3rlimit 1500 --ext context_pruning --z3refresh"
 
 let generate_keypair
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
index 25428a076..2c73c49b7 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
@@ -12,7 +12,7 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-#push-options "--z3rlimit 120 --ext context_pruning"
+#push-options "--z3rlimit 800 --ext context_pruning"
 
 let deserialize_secret_key
       (v_K: usize)
@@ -163,6 +163,57 @@ let build_unpacked_public_key
   in
   unpacked_public_key
 
+let sample_ring_element_cbd_helper_1
+      (v_K: usize)
+      (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma 
+        (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
+          (forall (i: nat). i < v v_K ==>
+            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
+            Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
+        (ensures prf_inputs == createi v_K
+          (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    let lemma_aux (i: nat{i < v v_K}) : Lemma
+        (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1
+          (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) =
+      Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ]
+        (Seq.append (Seq.slice prf_input 0 32)
+          (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i))))
+    in
+    Classical.forall_intro lemma_aux;
+    Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
+      (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+        (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+
+let sample_ring_element_cbd_helper_2
+      (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma
+        (requires Spec.MLKEM.is_rank v_K /\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+          v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+          v domain_separator < 2 * v v_K /\ 
+          (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE
+            (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+              (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in 
+          forall (i: nat). i < v v_K ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1.[ sz i ] ==
+            Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz i ]))
+        (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1 ==
+          (Spec.MLKEM.sample_vector_cbd2 #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
+    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1) 
+    (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))
+
 #push-options "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
 
 let sample_ring_element_cbd
@@ -194,26 +245,7 @@ let sample_ring_element_cbd
   let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = tmp0 in
   let domain_separator:u8 = out in
   let _:Prims.unit =
-    let lemma_aux (i: nat{i < v v_K})
-        : Lemma
-        (prf_inputs.[ sz i ] ==
-          (Seq.append (Seq.slice prf_input 0 32)
-              (Seq.create 1
-                  (mk_int #u8_inttype (v (v__domain_separator_init +! (mk_int #u8_inttype i))))))) =
-      Lib.Sequence.eq_intro #u8
-        #33
-        prf_inputs.[ sz i ]
-        (Seq.append (Seq.slice prf_input 0 32)
-            (Seq.create 1 (mk_int #u8_inttype (v v__domain_separator_init + i))))
-    in
-    Classical.forall_intro lemma_aux;
-    Lib.Sequence.eq_intro #(t_Array u8 (sz 33))
-      #(v v_K)
-      prf_inputs
-      (createi v_K
-          (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
-              (Seq.slice prf_input 0 32)
-              (sz (v v__domain_separator_init))))
+    sample_ring_element_cbd_helper_1 v_K prf_inputs prf_input v__domain_separator_init
   in
   let (prf_outputs: t_Array (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K):t_Array
     (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K =
@@ -253,12 +285,13 @@ let sample_ring_element_cbd
           error_1_)
   in
   let _:Prims.unit =
-    Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial)
-      #(v v_K)
-      (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1_)
-      (Spec.MLKEM.sample_vector_cbd2 #v_K
-          (Seq.slice prf_input 0 32)
-          (sz (v v__domain_separator_init)))
+    sample_ring_element_cbd_helper_2 v_K
+      v_ETA2
+      v_ETA2_RANDOMNESS_SIZE
+      #v_Vector
+      error_1_
+      prf_input
+      v__domain_separator_init
   in
   error_1_, domain_separator
   <:
@@ -319,7 +352,7 @@ let sample_vector_cbd_then_ntt_helper_2
       (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
         (Seq.slice prf_input 0 32) (sz (v domain_separator)))
 
-#push-options "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
+#push-options "--max_fuel 25 --z3rlimit 2500 --ext context_pruning --z3refresh --split_queries always"
 
 let sample_vector_cbd_then_ntt
       (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
@@ -991,7 +1024,7 @@ let decrypt
     secret_key_unpacked
     ciphertext
 
-#push-options "--z3rlimit 200 --ext context_pruning --z3refresh"
+#push-options "--z3rlimit 1000 --ext context_pruning --z3refresh"
 
 let serialize_secret_key
       (v_K v_OUT_LEN: usize)
diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs
index 18ae0db4a..bc7c45428 100644
--- a/libcrux-ml-kem/src/ind_cca.rs
+++ b/libcrux-ml-kem/src/ind_cca.rs
@@ -861,7 +861,7 @@ pub(crate) mod unpacked {
 
     /// Generate Unpacked Keys
     #[inline(always)]
-    #[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")]
+    #[hax_lib::fstar::options("--z3rlimit 1500 --ext context_pruning --z3refresh")]
     #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
         $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
         $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs
index b40bd07ae..144e79e48 100644
--- a/libcrux-ml-kem/src/ind_cpa.rs
+++ b/libcrux-ml-kem/src/ind_cpa.rs
@@ -128,7 +128,7 @@ pub(crate) fn serialize_public_key_mut<
 
 /// Call [`serialize_uncompressed_ring_element`] for each ring element.
 #[inline(always)]
-#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning --z3refresh")]
+#[hax_lib::fstar::options("--z3rlimit 1000 --ext context_pruning --z3refresh")]
 #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
     $OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
     (forall (i:nat). i < v $K ==>
@@ -178,6 +178,60 @@ pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector:
 #[hax_lib::fstar::options(
     "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
 )]
+#[cfg_attr(hax, hax_lib::fstar::before("let sample_ring_element_cbd_helper_2
+      (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma
+        (requires Spec.MLKEM.is_rank v_K /\\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\\
+          v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\\
+          v domain_separator < 2 * v v_K /\\ 
+          (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE
+            (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+              (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in 
+          forall (i: nat). i < v v_K ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1.[ sz i ] ==
+            Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz i ]))
+        (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1 ==
+          (Spec.MLKEM.sample_vector_cbd2 #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
+    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1) 
+    (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::before(
+        "let sample_ring_element_cbd_helper_1
+      (v_K: usize)
+      (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma 
+        (requires Spec.MLKEM.is_rank v_K /\\ v domain_separator < 2 * v v_K /\\
+          (forall (i: nat). i < v v_K ==>
+            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\\
+            Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
+        (ensures prf_inputs == createi v_K
+          (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    let lemma_aux (i: nat{i < v v_K}) : Lemma
+        (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1
+          (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) =
+      Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ]
+        (Seq.append (Seq.slice prf_input 0 32)
+          (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i))))
+    in
+    Classical.forall_intro lemma_aux;
+    Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
+      (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+        (Seq.slice prf_input 0 32) (sz (v domain_separator))))"
+    )
+)]
 #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
     $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
     $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
@@ -203,14 +257,9 @@ fn sample_ring_element_cbd<
     // See https://github.com/hacspec/hax/issues/1167
     let _domain_separator_init = domain_separator;
     domain_separator = prf_input_inc::<K>(&mut prf_inputs, domain_separator);
-    hax_lib::fstar!("let lemma_aux (i:nat{ i < v $K }) : Lemma (${prf_inputs}.[sz i] == (Seq.append (Seq.slice $prf_input 0 32) 
-        (Seq.create 1 (mk_int #u8_inttype (v ($_domain_separator_init +! (mk_int #u8_inttype i))))))) =
-        Lib.Sequence.eq_intro #u8 #33 ${prf_inputs}.[sz i] (Seq.append (Seq.slice $prf_input 0 32) 
-        (Seq.create 1 (mk_int #u8_inttype (v $_domain_separator_init + i)))) in
-
-    Classical.forall_intro lemma_aux;
-    Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v $K) $prf_inputs 
-        (createi $K (Spec.MLKEM.sample_vector_cbd2_prf_input #$K (Seq.slice $prf_input 0 32) (sz (v $_domain_separator_init))))");
+    hax_lib::fstar!(
+        "sample_ring_element_cbd_helper_1 $K $prf_inputs $prf_input $_domain_separator_init"
+    );
     let prf_outputs: [[u8; ETA2_RANDOMNESS_SIZE]; K] = Hasher::PRFxN(&prf_inputs);
     for i in 0..K {
         hax_lib::loop_invariant!(|i: usize| {
@@ -222,9 +271,10 @@ fn sample_ring_element_cbd<
         });
         error_1[i] = sample_from_binomial_distribution::<ETA2, Vector>(&prf_outputs[i]);
     }
-    hax_lib::fstar!("Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v $K)
-    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $error_1) 
-    (Spec.MLKEM.sample_vector_cbd2 #$K (Seq.slice $prf_input 0 32) (sz (v $_domain_separator_init)))");
+    hax_lib::fstar!(
+        "sample_ring_element_cbd_helper_2
+        $K $ETA2 $ETA2_RANDOMNESS_SIZE #$:Vector error_1_ $prf_input $_domain_separator_init"
+    );
     (error_1, domain_separator)
 }
 
@@ -232,7 +282,7 @@ fn sample_ring_element_cbd<
 /// convert them into their NTT representations.
 #[inline(always)]
 #[hax_lib::fstar::options(
-    "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
+    "--max_fuel 25 --z3rlimit 2500 --ext context_pruning --z3refresh --split_queries always"
 )]
 #[cfg_attr(hax, hax_lib::fstar::before("let sample_vector_cbd_then_ntt_helper_2
       (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
@@ -962,7 +1012,7 @@ fn deserialize_then_decompress_u<
 
 /// Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
 #[inline(always)]
-#[hax_lib::fstar::options("--ext context_pruning")]
+#[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")]
 #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
     length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
     v (${secret_key.len()}) / v $BYTES_PER_RING_ELEMENT <= v $K"))]

From 0972f988faf05f2e5fbe0d3722347c007f574f2f Mon Sep 17 00:00:00 2001
From: mamonet <maamoun.tk@gmail.com>
Date: Fri, 6 Dec 2024 15:56:21 +0000
Subject: [PATCH 07/23] Fix verification

---
 .../fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst  | 2 +-
 libcrux-ml-kem/src/vector/avx2/arithmetic.rs                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
index 6f960e706..a80c67948 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
@@ -184,7 +184,7 @@ let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
 
 #pop-options
 
-#push-options "--z3rlimit 200"
+#push-options "--z3rlimit 100 --ext context_pruning"
 
 let montgomery_multiply_by_constant
       (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
index 8c9f3ae9a..38cc0f4cd 100644
--- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
+++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
@@ -165,7 +165,7 @@ pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 {
 }
 
 #[inline(always)]
-#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))]
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100 --ext context_pruning"))]
 #[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 constant")))]
 #[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\
                 (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 

From 6fe932415944b5482309c403c820975b15e6122d Mon Sep 17 00:00:00 2001
From: mamonet <maamoun.tk@gmail.com>
Date: Fri, 6 Dec 2024 16:35:09 +0000
Subject: [PATCH 08/23] make verification

---
 .../fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 4 ++++
 libcrux-ml-kem/src/vector/avx2/serialize.rs                   | 1 +
 2 files changed, 5 insertions(+)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
index b0c197583..87cf7addd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
@@ -12,6 +12,8 @@ let _ =
 
 [@@"opaque_to_smt"]
 
+#push-options "--ext context_pruning"
+
 let deserialize_1___deserialize_1_i16s (a b: i16) =
   let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b b b b b b b b a a a a a a a a
@@ -27,6 +29,8 @@ let deserialize_1___deserialize_1_i16s (a b: i16) =
   in
   Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb
 
+#pop-options
+
 [@@"opaque_to_smt"]
 
 let deserialize_1___deserialize_1_u8s (a b: u8) =
diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs
index 693bb1bf8..7c3f0b500 100644
--- a/libcrux-ml-kem/src/vector/avx2/serialize.rs
+++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs
@@ -109,6 +109,7 @@ pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 {
 "#
     ))]
     #[inline(always)]
+    #[hax_lib::fstar::options("--ext context_pruning")]
     #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)]
     pub(crate) fn deserialize_1_i16s(a: i16, b: i16) -> Vec256 {
         // We need to take each bit from the 2 bytes of input and put them

From adbf4827f77a826702dc823d7211aab169159565 Mon Sep 17 00:00:00 2001
From: mamonet <maamoun.tk@gmail.com>
Date: Fri, 6 Dec 2024 16:55:05 +0000
Subject: [PATCH 09/23] fix verification

---
 .../extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst    | 2 +-
 libcrux-ml-kem/src/vector/portable/arithmetic.rs                | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
index 9f607fddd..46f0a37be 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
@@ -28,7 +28,7 @@ let get_n_least_significant_bits (n: u8) (value: u32) =
 
 #pop-options
 
-#push-options "--z3rlimit 150"
+#push-options "--z3rlimit 150 --ext context_pruning"
 
 let barrett_reduce_element (value: i16) =
   let t:i32 =
diff --git a/libcrux-ml-kem/src/vector/portable/arithmetic.rs b/libcrux-ml-kem/src/vector/portable/arithmetic.rs
index 1eacc5285..64b92baed 100644
--- a/libcrux-ml-kem/src/vector/portable/arithmetic.rs
+++ b/libcrux-ml-kem/src/vector/portable/arithmetic.rs
@@ -193,7 +193,7 @@ pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector {
 ///
 /// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS
 ///
-#[hax_lib::fstar::options("--z3rlimit 150")]
+#[hax_lib::fstar::options("--z3rlimit 150 --ext context_pruning")]
 #[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 28296 value")))]
 #[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\
                 v result % 3329 == v value % 3329")))]

From d1a299af9c8ccea396dad45a9890f69ad5e0d2ec Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Mon, 9 Dec 2024 09:33:18 +0100
Subject: [PATCH 10/23] verif status

---
 libcrux-ml-kem/proofs/verification_status.md | 35 ++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 libcrux-ml-kem/proofs/verification_status.md

diff --git a/libcrux-ml-kem/proofs/verification_status.md b/libcrux-ml-kem/proofs/verification_status.md
new file mode 100644
index 000000000..5ce7aa0a8
--- /dev/null
+++ b/libcrux-ml-kem/proofs/verification_status.md
@@ -0,0 +1,35 @@
+# ML-KEM Verification Status
+
+This file keeps track of the current verification status of the modules in the ML-KEM implementation.
+
+## Generic modules
+* constant_time_ops: Verified
+* hash_functions: Verified
+* ind_cca: Verified 
+* ind_cpa: Verified
+* ind_cca/instaniations: Verified
+* ind_cca/instaniations/avx2: Verified
+* ind_cca/multiplexing: Verified
+
+* invert_ntt: Panic Free, Not linked to spec
+* ntt: Panic Free, Not linked to spec
+* mlkem*: Panic Free, Not linked to spec
+
+* matrix: Needs proofs
+* sampling: Needs proofs
+* polynomial: Needs proofs
+* serialize: Needs proofs
+
+## Portable modules
+* arithmetic: Verified
+* compress: Verified
+* ntt: Verified
+* serialize: Verified
+* sampling: Needs proofs
+
+## AVX2 modules
+* arithmetic: Verified
+* serialize: Verified
+* compress: Panic Free
+* ntt: Needs proofs
+* sampling: Needs proofs

From 4d93aa650826db49d66a848c5973002444c747c0 Mon Sep 17 00:00:00 2001
From: mamonet <maamoun.tk@gmail.com>
Date: Tue, 10 Dec 2024 11:12:55 +0000
Subject: [PATCH 11/23] Update Makefile

---
 libcrux-ml-kem/proofs/fstar/extraction/Makefile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
index 1aa982aae..6ea6fa381 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
@@ -1,9 +1,7 @@
 SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst
 
-ADMIT_MODULES = Libcrux_ml_kem.Vector.Avx2.fsti \
-              Libcrux_ml_kem.Vector.Avx2.fst \
+ADMIT_MODULES = Libcrux_ml_kem.Vector.Avx2.fst \
               Libcrux_ml_kem.Vector.Avx2.Ntt.fst \
-              Libcrux_ml_kem.Vector.Avx2.Sampling.fst \
               Libcrux_ml_kem.Vector.Rej_sample_table.fsti \
               Libcrux_ml_kem.Vector.Neon.Arithmetic.fst \
               Libcrux_ml_kem.Vector.Neon.Compress.fst \

From c70eb875ca047b22973a1a0a620c57e54386b8de Mon Sep 17 00:00:00 2001
From: mamonet <maamoun.tk@gmail.com>
Date: Tue, 10 Dec 2024 11:31:29 +0000
Subject: [PATCH 12/23] Remove AVX2 modules from ADMIT_MODULES

---
 .../fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst   | 4 ++++
 .../fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst       | 8 ++++++++
 libcrux-ml-kem/proofs/fstar/extraction/Makefile           | 4 +---
 libcrux-ml-kem/src/vector/avx2.rs                         | 8 ++++++++
 libcrux-ml-kem/src/vector/avx2/ntt.rs                     | 1 +
 5 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
index 504a87112..6d1f1794f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
@@ -155,6 +155,8 @@ let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i
   in
   Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients
 
+#push-options "--admit_smt_queries true"
+
 let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) =
   let shuffle_with:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y
@@ -245,3 +247,5 @@ let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta
     Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right
   in
   Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 170l products_left products_right
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
index 29d63bae8..81f5dc7a5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
@@ -458,6 +458,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_serialize_1_
     =
     (fun (vector: t_SIMD256Vector) ->
+        let _:Prims.unit = admit () in
         Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements);
     f_deserialize_1_pre
     =
@@ -469,6 +470,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_deserialize_1_
     =
     (fun (bytes: t_Slice u8) ->
+        let _:Prims.unit = admit () in
         { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes }
         <:
         t_SIMD256Vector);
@@ -483,6 +485,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_serialize_4_
     =
     (fun (vector: t_SIMD256Vector) ->
+        let _:Prims.unit = admit () in
         Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements);
     f_deserialize_4_pre
     =
@@ -494,6 +497,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_deserialize_4_
     =
     (fun (bytes: t_Slice u8) ->
+        let _:Prims.unit = admit () in
         { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes }
         <:
         t_SIMD256Vector);
@@ -526,6 +530,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_serialize_10_
     =
     (fun (vector: t_SIMD256Vector) ->
+        let _:Prims.unit = admit () in
         Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements);
     f_deserialize_10_pre
     =
@@ -537,6 +542,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_deserialize_10_
     =
     (fun (bytes: t_Slice u8) ->
+        let _:Prims.unit = admit () in
         { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_10_ bytes }
         <:
         t_SIMD256Vector);
@@ -567,6 +573,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_serialize_12_
     =
     (fun (vector: t_SIMD256Vector) ->
+        let _:Prims.unit = admit () in
         Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements);
     f_deserialize_12_pre
     =
@@ -578,6 +585,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_deserialize_12_
     =
     (fun (bytes: t_Slice u8) ->
+        let _:Prims.unit = admit () in
         { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ bytes }
         <:
         t_SIMD256Vector);
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
index 6ea6fa381..4b9b03c26 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
@@ -1,8 +1,6 @@
 SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst
 
-ADMIT_MODULES = Libcrux_ml_kem.Vector.Avx2.fst \
-              Libcrux_ml_kem.Vector.Avx2.Ntt.fst \
-              Libcrux_ml_kem.Vector.Rej_sample_table.fsti \
+ADMIT_MODULES = Libcrux_ml_kem.Vector.Rej_sample_table.fsti \
               Libcrux_ml_kem.Vector.Neon.Arithmetic.fst \
               Libcrux_ml_kem.Vector.Neon.Compress.fst \
               Libcrux_ml_kem.Vector.Neon.fsti \
diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs
index 61c7ae159..eb15300b6 100644
--- a/libcrux-ml-kem/src/vector/avx2.rs
+++ b/libcrux-ml-kem/src/vector/avx2.rs
@@ -288,6 +288,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $vector) $out"))]
     #[inline(always)]
     fn serialize_1(vector: Self) -> [u8; 2] {
+        hax_lib::fstar!("admit ()");
         serialize::serialize_1(vector.elements)
     }
 
@@ -295,6 +296,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (impl.f_repr $out)"))]
     #[inline(always)]
     fn deserialize_1(bytes: &[u8]) -> Self {
+        hax_lib::fstar!("admit ()");
         Self {
             elements: serialize::deserialize_1(bytes),
         }
@@ -304,6 +306,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $vector) $out"))]
     #[inline(always)]
     fn serialize_4(vector: Self) -> [u8; 8] {
+        hax_lib::fstar!("admit ()");
         serialize::serialize_4(vector.elements)
     }
 
@@ -311,6 +314,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (impl.f_repr $out)"))]
     #[inline(always)]
     fn deserialize_4(bytes: &[u8]) -> Self {
+        hax_lib::fstar!("admit ()");
         Self {
             elements: serialize::deserialize_4(bytes),
         }
@@ -335,6 +339,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $vector) $out"))]
     #[inline(always)]
     fn serialize_10(vector: Self) -> [u8; 20] {
+        hax_lib::fstar!("admit ()");
         serialize::serialize_10(vector.elements)
     }
 
@@ -342,6 +347,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (impl.f_repr $out)"))]
     #[inline(always)]
     fn deserialize_10(bytes: &[u8]) -> Self {
+        hax_lib::fstar!("admit ()");
         Self {
             elements: serialize::deserialize_10(bytes),
         }
@@ -364,6 +370,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $vector) $out"))]
     #[inline(always)]
     fn serialize_12(vector: Self) -> [u8; 24] {
+        hax_lib::fstar!("admit ()");
         serialize::serialize_12(vector.elements)
     }
 
@@ -371,6 +378,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (impl.f_repr $out)"))]
     #[inline(always)]
     fn deserialize_12(bytes: &[u8]) -> Self {
+        hax_lib::fstar!("admit ()");
         Self {
             elements: serialize::deserialize_12(bytes),
         }
diff --git a/libcrux-ml-kem/src/vector/avx2/ntt.rs b/libcrux-ml-kem/src/vector/avx2/ntt.rs
index 437c6a473..eedc0a1fd 100644
--- a/libcrux-ml-kem/src/vector/avx2/ntt.rs
+++ b/libcrux-ml-kem/src/vector/avx2/ntt.rs
@@ -127,6 +127,7 @@ pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
 #[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))]
 pub(crate) fn ntt_multiply(
     lhs: Vec256,

From 2f140ae799e0509b12d6ed8b1f454f1d828bab75 Mon Sep 17 00:00:00 2001
From: mamonet <maamoun.tk@gmail.com>
Date: Tue, 10 Dec 2024 19:55:34 +0000
Subject: [PATCH 13/23] Remove admits from vector/avx2.rs

---
 .../extraction/Libcrux_ml_kem.Vector.Avx2.fst | 327 ++++++++++--------
 .../Libcrux_ml_kem.Vector.Avx2.fsti           | 171 +++++++++
 libcrux-ml-kem/src/vector/avx2.rs             | 290 ++++++++++++----
 3 files changed, 582 insertions(+), 206 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
index 81f5dc7a5..a352090e8 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
@@ -9,6 +9,27 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+#push-options "--admit_smt_queries true"
+
+let deserialize_1_ (bytes: t_Slice u8) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let deserialize_4_ (bytes: t_Slice u8) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes } <: t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let serialize_1_ (vector: t_SIMD256Vector) =
+  Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements
+
+#pop-options
+
 let vec_from_i16_array (array: t_Slice i16) =
   let result:t_SIMD256Vector =
     { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector
@@ -23,6 +44,141 @@ let vec_zero (_: Prims.unit) =
   let _:Prims.unit = admit () (* Panic freedom *) in
   result
 
+#push-options "--admit_smt_queries true"
+
+let compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) =
+  {
+    f_elements
+    =
+    Libcrux_ml_kem.Vector.Avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS
+      vector.f_elements
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let compress_1_ (vector: t_SIMD256Vector) =
+  {
+    f_elements = Libcrux_ml_kem.Vector.Avx2.Compress.compress_message_coefficient vector.f_elements
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let cond_subtract_3329_ (vector: t_SIMD256Vector) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
+  {
+    f_elements
+    =
+    Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1 }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
+  {
+    f_elements
+    =
+    Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
+  {
+    f_elements
+    =
+    Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_multiply lhs.f_elements
+      rhs.f_elements
+      zeta0
+      zeta1
+      zeta2
+      zeta3
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let serialize_10_ (vector: t_SIMD256Vector) =
+  Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let serialize_12_ (vector: t_SIMD256Vector) =
+  Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let serialize_4_ (vector: t_SIMD256Vector) =
+  Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements
+
+#pop-options
+
 let vec_to_i16_array (v: t_SIMD256Vector) =
   let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in
   let output:t_Array i16 (sz 16) =
@@ -42,6 +198,20 @@ let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector =
     f_repr = fun (x: t_SIMD256Vector) -> vec_to_i16_array x
   }
 
+#push-options "--admit_smt_queries true"
+
+let deserialize_10_ (bytes: t_Slice u8) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_10_ bytes } <: t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let deserialize_12_ (bytes: t_Slice u8) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ bytes } <: t_SIMD256Vector
+
+#pop-options
+
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
   {
@@ -163,13 +333,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) ->
         impl.f_repr out ==
         Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr vector));
-    f_cond_subtract_3329_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        let _:Prims.unit = admit () in
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements }
-        <:
-        t_SIMD256Vector);
+    f_cond_subtract_3329_ = (fun (vector: t_SIMD256Vector) -> cond_subtract_3329_ vector);
     f_barrett_reduce_pre
     =
     (fun (vector: t_SIMD256Vector) -> Spec.Utils.is_i16b_array 28296 (impl.f_repr vector));
@@ -207,17 +371,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     =
     (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) ->
         forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1);
-    f_compress_1_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        let _:Prims.unit = admit () in
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Compress.compress_message_coefficient vector.f_elements
-        }
-        <:
-        t_SIMD256Vector);
+    f_compress_1_ = (fun (vector: t_SIMD256Vector) -> compress_1_ vector);
     f_compress_pre
     =
     (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) ->
@@ -236,16 +390,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     );
     f_compress
     =
-    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) ->
-        let _:Prims.unit = admit () in
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS
-            vector.f_elements
-        }
-        <:
-        t_SIMD256Vector);
+    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> compress v_COEFFICIENT_BITS vector);
     f_decompress_ciphertext_coefficient_pre
     =
     (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) ->
@@ -289,14 +434,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_ntt_layer_1_step
     =
     (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
-        let _:Prims.unit = admit () in
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
-        }
-        <:
-        t_SIMD256Vector);
+        ntt_layer_1_step vector zeta0 zeta1 zeta2 zeta3);
     f_ntt_layer_2_step_pre
     =
     (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
@@ -308,13 +446,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
         Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr out));
     f_ntt_layer_2_step
     =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
-        let _:Prims.unit = admit () in
-        {
-          f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1
-        }
-        <:
-        t_SIMD256Vector);
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> ntt_layer_2_step vector zeta0 zeta1);
     f_ntt_layer_3_step_pre
     =
     (fun (vector: t_SIMD256Vector) (zeta: i16) ->
@@ -324,13 +456,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     =
     (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) ->
         Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr out));
-    f_ntt_layer_3_step
-    =
-    (fun (vector: t_SIMD256Vector) (zeta: i16) ->
-        let _:Prims.unit = admit () in
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta }
-        <:
-        t_SIMD256Vector);
+    f_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> ntt_layer_3_step vector zeta);
     f_inv_ntt_layer_1_step_pre
     =
     (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
@@ -351,18 +477,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_inv_ntt_layer_1_step
     =
     (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
-        let _:Prims.unit = admit () in
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_1_step vector.f_elements
-            zeta0
-            zeta1
-            zeta2
-            zeta3
-        }
-        <:
-        t_SIMD256Vector);
+        inv_ntt_layer_1_step vector zeta0 zeta1 zeta2 zeta3);
     f_inv_ntt_layer_2_step_pre
     =
     (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
@@ -375,14 +490,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_inv_ntt_layer_2_step
     =
     (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
-        let _:Prims.unit = admit () in
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1
-        }
-        <:
-        t_SIMD256Vector);
+        inv_ntt_layer_2_step vector zeta0 zeta1);
     f_inv_ntt_layer_3_step_pre
     =
     (fun (vector: t_SIMD256Vector) (zeta: i16) ->
@@ -393,11 +501,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
         Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
     f_inv_ntt_layer_3_step
     =
-    (fun (vector: t_SIMD256Vector) (zeta: i16) ->
-        let _:Prims.unit = admit () in
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta }
-        <:
-        t_SIMD256Vector);
+    (fun (vector: t_SIMD256Vector) (zeta: i16) -> inv_ntt_layer_3_step vector zeta);
     f_ntt_multiply_pre
     =
     (fun
@@ -434,19 +538,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
         (zeta2: i16)
         (zeta3: i16)
         ->
-        let _:Prims.unit = admit () in
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_multiply lhs.f_elements
-            rhs.f_elements
-            zeta0
-            zeta1
-            zeta2
-            zeta3
-        }
-        <:
-        t_SIMD256Vector);
+        ntt_multiply lhs rhs zeta0 zeta1 zeta2 zeta3);
     f_serialize_1_pre
     =
     (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 1 (impl.f_repr vector));
@@ -455,11 +547,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 2)) ->
         Spec.MLKEM.serialize_pre 1 (impl.f_repr vector) ==>
         Spec.MLKEM.serialize_post 1 (impl.f_repr vector) out);
-    f_serialize_1_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        let _:Prims.unit = admit () in
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements);
+    f_serialize_1_ = (fun (vector: t_SIMD256Vector) -> serialize_1_ vector);
     f_deserialize_1_pre
     =
     (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2);
@@ -467,13 +555,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     =
     (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) ->
         sz (Seq.length bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (impl.f_repr out));
-    f_deserialize_1_
-    =
-    (fun (bytes: t_Slice u8) ->
-        let _:Prims.unit = admit () in
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes }
-        <:
-        t_SIMD256Vector);
+    f_deserialize_1_ = (fun (bytes: t_Slice u8) -> deserialize_1_ bytes);
     f_serialize_4_pre
     =
     (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 4 (impl.f_repr vector));
@@ -482,11 +564,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 8)) ->
         Spec.MLKEM.serialize_pre 4 (impl.f_repr vector) ==>
         Spec.MLKEM.serialize_post 4 (impl.f_repr vector) out);
-    f_serialize_4_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        let _:Prims.unit = admit () in
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements);
+    f_serialize_4_ = (fun (vector: t_SIMD256Vector) -> serialize_4_ vector);
     f_deserialize_4_pre
     =
     (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8);
@@ -494,19 +572,12 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     =
     (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) ->
         sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (impl.f_repr out));
-    f_deserialize_4_
-    =
-    (fun (bytes: t_Slice u8) ->
-        let _:Prims.unit = admit () in
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes }
-        <:
-        t_SIMD256Vector);
+    f_deserialize_4_ = (fun (bytes: t_Slice u8) -> deserialize_4_ bytes);
     f_serialize_5_pre = (fun (vector: t_SIMD256Vector) -> true);
     f_serialize_5_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 10)) -> true);
     f_serialize_5_
     =
     (fun (vector: t_SIMD256Vector) ->
-        let _:Prims.unit = admit () in
         Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_5_ vector.f_elements);
     f_deserialize_5_pre
     =
@@ -515,7 +586,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     f_deserialize_5_
     =
     (fun (bytes: t_Slice u8) ->
-        let _:Prims.unit = admit () in
+        let _:Prims.unit = assert (v (Core.Slice.impl__len bytes) == Seq.length bytes) in
         { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_5_ bytes }
         <:
         t_SIMD256Vector);
@@ -527,11 +598,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 20)) ->
         Spec.MLKEM.serialize_pre 10 (impl.f_repr vector) ==>
         Spec.MLKEM.serialize_post 10 (impl.f_repr vector) out);
-    f_serialize_10_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        let _:Prims.unit = admit () in
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements);
+    f_serialize_10_ = (fun (vector: t_SIMD256Vector) -> serialize_10_ vector);
     f_deserialize_10_pre
     =
     (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20);
@@ -539,13 +606,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     =
     (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) ->
         sz (Seq.length bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 bytes (impl.f_repr out));
-    f_deserialize_10_
-    =
-    (fun (bytes: t_Slice u8) ->
-        let _:Prims.unit = admit () in
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_10_ bytes }
-        <:
-        t_SIMD256Vector);
+    f_deserialize_10_ = (fun (bytes: t_Slice u8) -> deserialize_10_ bytes);
     f_serialize_11_pre = (fun (vector: t_SIMD256Vector) -> true);
     f_serialize_11_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 22)) -> true);
     f_serialize_11_
@@ -570,11 +631,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 24)) ->
         Spec.MLKEM.serialize_pre 12 (impl.f_repr vector) ==>
         Spec.MLKEM.serialize_post 12 (impl.f_repr vector) out);
-    f_serialize_12_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        let _:Prims.unit = admit () in
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements);
+    f_serialize_12_ = (fun (vector: t_SIMD256Vector) -> serialize_12_ vector);
     f_deserialize_12_pre
     =
     (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24);
@@ -582,13 +639,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
     =
     (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) ->
         sz (Seq.length bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 bytes (impl.f_repr out));
-    f_deserialize_12_
-    =
-    (fun (bytes: t_Slice u8) ->
-        let _:Prims.unit = admit () in
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ bytes }
-        <:
-        t_SIMD256Vector);
+    f_deserialize_12_ = (fun (bytes: t_Slice u8) -> deserialize_12_ bytes);
     f_rej_sample_pre
     =
     (fun (input: t_Slice u8) (output: t_Slice i16) ->
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
index 5d955b9ab..952ee56eb 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
@@ -15,6 +15,31 @@ type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 }
 
 let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements
 
+val deserialize_1_ (bytes: t_Slice u8)
+    : Prims.Pure t_SIMD256Vector
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          sz (Seq.length bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (repr out))
+
+val deserialize_4_ (bytes: t_Slice u8)
+    : Prims.Pure t_SIMD256Vector
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (repr out))
+
+val serialize_1_ (vector: t_SIMD256Vector)
+    : Prims.Pure (t_Array u8 (sz 2))
+      (requires Spec.MLKEM.serialize_pre 1 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 2) = out in
+          Spec.MLKEM.serialize_pre 1 (repr vector) ==> Spec.MLKEM.serialize_post 1 (repr vector) out
+      )
+
 val vec_from_i16_array (array: t_Slice i16)
     : Prims.Pure t_SIMD256Vector
       Prims.l_True
@@ -31,6 +56,136 @@ val vec_zero: Prims.unit
           let result:t_SIMD256Vector = result in
           repr result == Seq.create 16 0s)
 
+val compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) /\
+        (forall (i: nat).
+            i < 16 ==> v (Seq.index (repr vector) i) >= 0 /\ v (Seq.index (repr vector) i) < 3329))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+            v v_COEFFICIENT_BITS == 11) ==>
+          (forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) (v v_COEFFICIENT_BITS)))
+
+val compress_1_ (vector: t_SIMD256Vector)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        forall (i: nat).
+          i < 16 ==> v (Seq.index (repr vector) i) >= 0 /\ v (Seq.index (repr vector) i) < 3329)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) 1)
+
+val cond_subtract_3329_ (vector: t_SIMD256Vector)
+    : Prims.Pure t_SIMD256Vector
+      (requires Spec.Utils.is_i16b_array (pow2 12 - 1) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          repr out ==
+          Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr vector))
+
+val inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (4 * 3328) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array 3328 (repr out))
+
+val inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array 3328 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array 3328 (repr out))
+
+val inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array 3328 (repr out))
+
+val ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array (11207 + 6 * 3328) (repr out))
+
+val ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr out))
+
+val ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr out))
+
+val ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array 3328 (repr lhs) /\ Spec.Utils.is_i16b_array 3328 (repr rhs))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array 3328 (repr out))
+
+val serialize_10_ (vector: t_SIMD256Vector)
+    : Prims.Pure (t_Array u8 (sz 20))
+      (requires Spec.MLKEM.serialize_pre 10 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 20) = out in
+          Spec.MLKEM.serialize_pre 10 (repr vector) ==>
+          Spec.MLKEM.serialize_post 10 (repr vector) out)
+
+val serialize_12_ (vector: t_SIMD256Vector)
+    : Prims.Pure (t_Array u8 (sz 24))
+      (requires Spec.MLKEM.serialize_pre 12 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 24) = out in
+          Spec.MLKEM.serialize_pre 12 (repr vector) ==>
+          Spec.MLKEM.serialize_post 12 (repr vector) out)
+
+val serialize_4_ (vector: t_SIMD256Vector)
+    : Prims.Pure (t_Array u8 (sz 8))
+      (requires Spec.MLKEM.serialize_pre 4 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 8) = out in
+          Spec.MLKEM.serialize_pre 4 (repr vector) ==> Spec.MLKEM.serialize_post 4 (repr vector) out
+      )
+
 val vec_to_i16_array (v: t_SIMD256Vector)
     : Prims.Pure (t_Array i16 (sz 16))
       Prims.l_True
@@ -42,5 +197,21 @@ val vec_to_i16_array (v: t_SIMD256Vector)
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl:Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector
 
+val deserialize_10_ (bytes: t_Slice u8)
+    : Prims.Pure t_SIMD256Vector
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          sz (Seq.length bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 bytes (repr out))
+
+val deserialize_12_ (bytes: t_Slice u8)
+    : Prims.Pure t_SIMD256Vector
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          sz (Seq.length bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 bytes (repr out))
+
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl_3:Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector
diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs
index eb15300b6..045d2a4e7 100644
--- a/libcrux-ml-kem/src/vector/avx2.rs
+++ b/libcrux-ml-kem/src/vector/avx2.rs
@@ -42,6 +42,208 @@ fn vec_from_i16_array(array: &[i16]) -> SIMD256Vector {
     }
 }
 
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (repr $vector)"))]
+#[hax_lib::ensures(|out| fstar!("repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr $vector)"))]
+fn cond_subtract_3329(vector: SIMD256Vector) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: arithmetic::cond_subtract_3329(vector.elements),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\\
+    v (Seq.index (repr $vector) i) < 3329"))]
+#[hax_lib::ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) 1"))]
+fn compress_1(vector: SIMD256Vector) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: compress::compress_message_coefficient(vector.elements),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    v $COEFFICIENT_BITS == 5 \\/
+    v $COEFFICIENT_BITS == 10 \\/
+    v $COEFFICIENT_BITS == 11) /\\
+    (forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\\
+    v (Seq.index (repr $vector) i) < 3329)"))]
+#[hax_lib::ensures(|out| fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    v $COEFFICIENT_BITS == 5 \\/
+    v $COEFFICIENT_BITS == 10 \\/
+    v $COEFFICIENT_BITS == 11) ==>
+        (forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) (v $COEFFICIENT_BITS))"))]
+fn compress<const COEFFICIENT_BITS: i32>(vector: SIMD256Vector) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: compress::compress_ciphertext_coefficient::<COEFFICIENT_BITS>(
+            vector.elements,
+        ),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+                    Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
+                    Spec.Utils.is_i16b_array (11207+5*3328) (repr ${vector})"))]
+#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (repr $out)"))]
+fn ntt_layer_1_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                    Spec.Utils.is_i16b_array (11207+4*3328) (repr ${vector})"))]
+#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (repr $out)"))]
+fn ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
+                    Spec.Utils.is_i16b_array (11207+3*3328) (repr ${vector})"))]
+#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (repr $out)"))]
+fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::ntt_layer_3_step(vector.elements, zeta),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+                    Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3  /\\
+                    Spec.Utils.is_i16b_array (4*3328) (repr ${vector})"))]
+#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
+fn inv_ntt_layer_1_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                    Spec.Utils.is_i16b_array 3328 (repr ${vector})"))]
+#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
+fn inv_ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
+                    Spec.Utils.is_i16b_array 3328 (repr ${vector})"))]
+#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
+fn inv_ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                    Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
+                    Spec.Utils.is_i16b_array 3328 (repr ${lhs}) /\\
+                    Spec.Utils.is_i16b_array 3328 (repr ${rhs})"))]
+#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
+fn ntt_multiply(
+    lhs: &SIMD256Vector,
+    rhs: &SIMD256Vector,
+    zeta0: i16,
+    zeta1: i16,
+    zeta2: i16,
+    zeta3: i16,
+) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 1 (repr $vector)"))]
+#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (repr $vector) ==> Spec.MLKEM.serialize_post 1 (repr $vector) $out"))]
+fn serialize_1(vector: SIMD256Vector) -> [u8; 2] {
+    serialize::serialize_1(vector.elements)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(bytes.len() == 2)]
+#[hax_lib::ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (repr $out)"))]
+fn deserialize_1(bytes: &[u8]) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: serialize::deserialize_1(bytes),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 4 (repr $vector)"))]
+#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (repr $vector) ==> Spec.MLKEM.serialize_post 4 (repr $vector) $out"))]
+fn serialize_4(vector: SIMD256Vector) -> [u8; 8] {
+    serialize::serialize_4(vector.elements)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(bytes.len() == 8)]
+#[hax_lib::ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (repr $out)"))]
+fn deserialize_4(bytes: &[u8]) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: serialize::deserialize_4(bytes),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 10 (repr $vector)"))]
+#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (repr $vector) ==> Spec.MLKEM.serialize_post 10 (repr $vector) $out"))]
+fn serialize_10(vector: SIMD256Vector) -> [u8; 20] {
+    serialize::serialize_10(vector.elements)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(bytes.len() == 20)]
+#[hax_lib::ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (repr $out)"))]
+fn deserialize_10(bytes: &[u8]) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: serialize::deserialize_10(bytes),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 12 (repr $vector)"))]
+#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (repr $vector) ==> Spec.MLKEM.serialize_post 12 (repr $vector) $out"))]
+fn serialize_12(vector: SIMD256Vector) -> [u8; 24] {
+    serialize::serialize_12(vector.elements)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(bytes.len() == 24)]
+#[hax_lib::ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (repr $out)"))]
+fn deserialize_12(bytes: &[u8]) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: serialize::deserialize_12(bytes),
+    }
+}
+
 #[cfg(hax)]
 impl crate::vector::traits::Repr for SIMD256Vector {
     fn repr(x: Self) -> [i16; 16] {
@@ -127,10 +329,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $vector)"))]
     #[inline(always)]
     fn cond_subtract_3329(vector: Self) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: arithmetic::cond_subtract_3329(vector.elements),
-        }
+        cond_subtract_3329(vector)
     }
 
     #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (impl.f_repr ${vector})"))]
@@ -154,10 +353,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))]
     #[inline(always)]
     fn compress_1(vector: Self) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: compress::compress_message_coefficient(vector.elements),
-        }
+        compress_1(vector)
     }
 
     #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
@@ -173,12 +369,7 @@ impl Operations for SIMD256Vector {
                 (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))]
     #[inline(always)]
     fn compress<const COEFFICIENT_BITS: i32>(vector: Self) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: compress::compress_ciphertext_coefficient::<COEFFICIENT_BITS>(
-                vector.elements,
-            ),
-        }
+        compress::<COEFFICIENT_BITS>(vector)
     }
 
     #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
@@ -202,10 +393,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))]
     #[inline(always)]
     fn ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
-        }
+        ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3)
     }
 
     #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
@@ -213,10 +401,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))]
     #[inline(always)]
     fn ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1),
-        }
+        ntt_layer_2_step(vector, zeta0, zeta1)
     }
 
     #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
@@ -224,10 +409,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))]
     #[inline(always)]
     fn ntt_layer_3_step(vector: Self, zeta: i16) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: ntt::ntt_layer_3_step(vector.elements, zeta),
-        }
+        ntt_layer_3_step(vector, zeta)
     }
 
     #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
@@ -236,10 +418,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
     #[inline(always)]
     fn inv_ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
-        }
+        inv_ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3)
     }
 
     #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
@@ -247,10 +426,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
     #[inline(always)]
     fn inv_ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1),
-        }
+        inv_ntt_layer_2_step(vector, zeta0, zeta1)
     }
 
     #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
@@ -258,10 +434,7 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
     #[inline(always)]
     fn inv_ntt_layer_3_step(vector: Self, zeta: i16) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta),
-        }
+        inv_ntt_layer_3_step(vector, zeta)
     }
 
     #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
@@ -278,58 +451,47 @@ impl Operations for SIMD256Vector {
         zeta2: i16,
         zeta3: i16,
     ) -> Self {
-        hax_lib::fstar!("admit()");
-        Self {
-            elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3),
-        }
+        ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3)
     }
 
     #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector)"))]
     #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $vector) $out"))]
     #[inline(always)]
     fn serialize_1(vector: Self) -> [u8; 2] {
-        hax_lib::fstar!("admit ()");
-        serialize::serialize_1(vector.elements)
+        serialize_1(vector)
     }
 
     #[requires(bytes.len() == 2)]
     #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (impl.f_repr $out)"))]
     #[inline(always)]
     fn deserialize_1(bytes: &[u8]) -> Self {
-        hax_lib::fstar!("admit ()");
-        Self {
-            elements: serialize::deserialize_1(bytes),
-        }
+        deserialize_1(bytes)
     }
 
     #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector)"))]
     #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $vector) $out"))]
     #[inline(always)]
     fn serialize_4(vector: Self) -> [u8; 8] {
-        hax_lib::fstar!("admit ()");
-        serialize::serialize_4(vector.elements)
+        serialize_4(vector)
     }
 
     #[requires(bytes.len() == 8)]
     #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (impl.f_repr $out)"))]
     #[inline(always)]
     fn deserialize_4(bytes: &[u8]) -> Self {
-        hax_lib::fstar!("admit ()");
-        Self {
-            elements: serialize::deserialize_4(bytes),
-        }
+        deserialize_4(bytes)
     }
 
     #[inline(always)]
     fn serialize_5(vector: Self) -> [u8; 10] {
-        hax_lib::fstar!("admit()");
         serialize::serialize_5(vector.elements)
     }
 
     #[requires(bytes.len() == 10)]
     #[inline(always)]
     fn deserialize_5(bytes: &[u8]) -> Self {
-        hax_lib::fstar!("admit()");
+        hax_lib::fstar!(
+            "assert (v (Core.Slice.impl__len $bytes) == Seq.length $bytes)");
         Self {
             elements: serialize::deserialize_5(bytes),
         }
@@ -339,18 +501,14 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $vector) $out"))]
     #[inline(always)]
     fn serialize_10(vector: Self) -> [u8; 20] {
-        hax_lib::fstar!("admit ()");
-        serialize::serialize_10(vector.elements)
+        serialize_10(vector)
     }
 
     #[requires(bytes.len() == 20)]
     #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (impl.f_repr $out)"))]
     #[inline(always)]
     fn deserialize_10(bytes: &[u8]) -> Self {
-        hax_lib::fstar!("admit ()");
-        Self {
-            elements: serialize::deserialize_10(bytes),
-        }
+        deserialize_10(bytes)
     }
 
     #[inline(always)]
@@ -370,18 +528,14 @@ impl Operations for SIMD256Vector {
     #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $vector) $out"))]
     #[inline(always)]
     fn serialize_12(vector: Self) -> [u8; 24] {
-        hax_lib::fstar!("admit ()");
-        serialize::serialize_12(vector.elements)
+        serialize_12(vector)
     }
 
     #[requires(bytes.len() == 24)]
     #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (impl.f_repr $out)"))]
     #[inline(always)]
     fn deserialize_12(bytes: &[u8]) -> Self {
-        hax_lib::fstar!("admit ()");
-        Self {
-            elements: serialize::deserialize_12(bytes),
-        }
+        deserialize_12(bytes)
     }
 
     #[requires(input.len() == 24 && output.len() == 16)]

From ce63901837146a16be532034bc8cf7e7aa1edcd3 Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 07:39:56 +0100
Subject: [PATCH 14/23] updated verification status

---
 libcrux-ml-kem/proofs/verification_status.md | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/libcrux-ml-kem/proofs/verification_status.md b/libcrux-ml-kem/proofs/verification_status.md
index 5ce7aa0a8..9fe4f928b 100644
--- a/libcrux-ml-kem/proofs/verification_status.md
+++ b/libcrux-ml-kem/proofs/verification_status.md
@@ -11,9 +11,9 @@ This file keeps track of the current verification status of the modules in the M
 * ind_cca/instaniations/avx2: Verified
 * ind_cca/multiplexing: Verified
 
-* invert_ntt: Panic Free, Not linked to spec
-* ntt: Panic Free, Not linked to spec
-* mlkem*: Panic Free, Not linked to spec
+* invert_ntt: Panic Free
+* ntt: Panic Free
+* mlkem*: Panic Free
 
 * matrix: Needs proofs
 * sampling: Needs proofs
@@ -33,3 +33,10 @@ This file keeps track of the current verification status of the modules in the M
 * compress: Panic Free
 * ntt: Needs proofs
 * sampling: Needs proofs
+
+## Neon modules
+* arithmetic: Not verified
+* serialize: Not verified
+* compress: Not verified
+* ntt: Needs Not verified
+* sampling: Not verified

From a197c4d7286246d59e3044d437b3da9119cd5de8 Mon Sep 17 00:00:00 2001
From: karthikbhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 06:54:20 +0000
Subject: [PATCH 15/23] fmt

---
 libcrux-ml-kem/src/ind_cpa.rs     |  9 ++++--
 libcrux-ml-kem/src/polynomial.rs  | 52 ++++++++++++++++++++-----------
 libcrux-ml-kem/src/vector/avx2.rs | 23 +++++++++-----
 3 files changed, 57 insertions(+), 27 deletions(-)

diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs
index 144e79e48..e05db7edf 100644
--- a/libcrux-ml-kem/src/ind_cpa.rs
+++ b/libcrux-ml-kem/src/ind_cpa.rs
@@ -178,7 +178,10 @@ pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector:
 #[hax_lib::fstar::options(
     "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
 )]
-#[cfg_attr(hax, hax_lib::fstar::before("let sample_ring_element_cbd_helper_2
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::before(
+        "let sample_ring_element_cbd_helper_2
       (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize)
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -202,7 +205,9 @@ pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector:
     =
     Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
     (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1) 
-    (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))"))]
+    (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))"
+    )
+)]
 #[cfg_attr(
     hax,
     hax_lib::fstar::before(
diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index f4e8ca204..0df5e0f6f 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -65,7 +65,6 @@ pub(crate) struct PolynomialRingElement<Vector: Operations> {
     pub(crate) coefficients: [Vector; VECTORS_IN_RING_ELEMENT],
 }
 
-
 #[allow(non_snake_case)]
 fn ZERO<Vector: Operations>() -> PolynomialRingElement<Vector> {
     PolynomialRingElement {
@@ -88,7 +87,10 @@ fn from_i16_array<Vector: Operations>(a: &[i16]) -> PolynomialRingElement<Vector
 /// sum of their constituent coefficients.
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-fn add_to_ring_element<Vector: Operations, const K: usize>(myself: &mut PolynomialRingElement<Vector>, rhs: &PolynomialRingElement<Vector>) {
+fn add_to_ring_element<Vector: Operations, const K: usize>(
+    myself: &mut PolynomialRingElement<Vector>,
+    rhs: &PolynomialRingElement<Vector>,
+) {
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for i in 0..myself.coefficients.len() {
@@ -111,20 +113,29 @@ fn poly_barrett_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Ve
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-fn subtract_reduce<Vector: Operations>(myself: &PolynomialRingElement<Vector>, mut b: PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
+fn subtract_reduce<Vector: Operations>(
+    myself: &PolynomialRingElement<Vector>,
+    mut b: PolynomialRingElement<Vector>,
+) -> PolynomialRingElement<Vector> {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
     for i in 0..VECTORS_IN_RING_ELEMENT {
         let coefficient_normal_form =
             Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441);
-        b.coefficients[i] =
-            Vector::barrett_reduce(Vector::sub(myself.coefficients[i], &coefficient_normal_form));
+        b.coefficients[i] = Vector::barrett_reduce(Vector::sub(
+            myself.coefficients[i],
+            &coefficient_normal_form,
+        ));
     }
     b
 }
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-fn add_message_error_reduce<Vector: Operations>(myself: &PolynomialRingElement<Vector>, message: &PolynomialRingElement<Vector>, mut result: PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
+fn add_message_error_reduce<Vector: Operations>(
+    myself: &PolynomialRingElement<Vector>,
+    message: &PolynomialRingElement<Vector>,
+    mut result: PolynomialRingElement<Vector>,
+) -> PolynomialRingElement<Vector> {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
     for i in 0..VECTORS_IN_RING_ELEMENT {
         let coefficient_normal_form =
@@ -155,7 +166,10 @@ fn add_message_error_reduce<Vector: Operations>(myself: &PolynomialRingElement<V
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-fn add_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>, error: &PolynomialRingElement<Vector>) {
+fn add_error_reduce<Vector: Operations>(
+    myself: &mut PolynomialRingElement<Vector>,
+    error: &PolynomialRingElement<Vector>,
+) {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
@@ -163,17 +177,18 @@ fn add_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vecto
         let coefficient_normal_form =
             Vector::montgomery_multiply_by_constant(myself.coefficients[j], 1441);
 
-        myself.coefficients[j] = Vector::barrett_reduce(Vector::add(
-            coefficient_normal_form,
-            &error.coefficients[j],
-        ));
+        myself.coefficients[j] =
+            Vector::barrett_reduce(Vector::add(coefficient_normal_form, &error.coefficients[j]));
     }
     ()
 }
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-fn add_standard_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>, error: &PolynomialRingElement<Vector>) {
+fn add_standard_error_reduce<Vector: Operations>(
+    myself: &mut PolynomialRingElement<Vector>,
+    error: &PolynomialRingElement<Vector>,
+) {
     // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
@@ -182,10 +197,8 @@ fn add_standard_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElem
         // calling to_montgomery_domain() on them should return a mod q.
         let coefficient_normal_form = to_standard_domain::<Vector>(myself.coefficients[j]);
 
-        myself.coefficients[j] = Vector::barrett_reduce(Vector::add(
-            coefficient_normal_form,
-            &error.coefficients[j],
-        ));
+        myself.coefficients[j] =
+            Vector::barrett_reduce(Vector::add(coefficient_normal_form, &error.coefficients[j]));
     }
     ()
 }
@@ -230,7 +243,10 @@ fn add_standard_error_reduce<Vector: Operations>(myself: &mut PolynomialRingElem
 // ))))]
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-fn ntt_multiply<Vector: Operations>(myself: &PolynomialRingElement<Vector>, rhs: &PolynomialRingElement<Vector>) -> PolynomialRingElement<Vector> {
+fn ntt_multiply<Vector: Operations>(
+    myself: &PolynomialRingElement<Vector>,
+    rhs: &PolynomialRingElement<Vector>,
+) -> PolynomialRingElement<Vector> {
     let mut out = ZERO();
 
     for i in 0..VECTORS_IN_RING_ELEMENT {
@@ -266,7 +282,7 @@ impl<Vector: Operations> PolynomialRingElement<Vector> {
     /// sum of their constituent coefficients.
     #[inline(always)]
     pub(crate) fn add_to_ring_element<const K: usize>(&mut self, rhs: &Self) {
-        add_to_ring_element::<Vector,K>(self, rhs);
+        add_to_ring_element::<Vector, K>(self, rhs);
     }
 
     #[inline(always)]
diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs
index 045d2a4e7..31ff6debe 100644
--- a/libcrux-ml-kem/src/vector/avx2.rs
+++ b/libcrux-ml-kem/src/vector/avx2.rs
@@ -78,9 +78,7 @@ fn compress_1(vector: SIMD256Vector) -> SIMD256Vector {
         (forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) (v $COEFFICIENT_BITS))"))]
 fn compress<const COEFFICIENT_BITS: i32>(vector: SIMD256Vector) -> SIMD256Vector {
     SIMD256Vector {
-        elements: compress::compress_ciphertext_coefficient::<COEFFICIENT_BITS>(
-            vector.elements,
-        ),
+        elements: compress::compress_ciphertext_coefficient::<COEFFICIENT_BITS>(vector.elements),
     }
 }
 
@@ -90,7 +88,13 @@ fn compress<const COEFFICIENT_BITS: i32>(vector: SIMD256Vector) -> SIMD256Vector
                     Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
                     Spec.Utils.is_i16b_array (11207+5*3328) (repr ${vector})"))]
 #[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (repr $out)"))]
-fn ntt_layer_1_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> SIMD256Vector {
+fn ntt_layer_1_step(
+    vector: SIMD256Vector,
+    zeta0: i16,
+    zeta1: i16,
+    zeta2: i16,
+    zeta3: i16,
+) -> SIMD256Vector {
     SIMD256Vector {
         elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
     }
@@ -124,7 +128,13 @@ fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
                     Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3  /\\
                     Spec.Utils.is_i16b_array (4*3328) (repr ${vector})"))]
 #[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
-fn inv_ntt_layer_1_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> SIMD256Vector {
+fn inv_ntt_layer_1_step(
+    vector: SIMD256Vector,
+    zeta0: i16,
+    zeta1: i16,
+    zeta2: i16,
+    zeta3: i16,
+) -> SIMD256Vector {
     SIMD256Vector {
         elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
     }
@@ -490,8 +500,7 @@ impl Operations for SIMD256Vector {
     #[requires(bytes.len() == 10)]
     #[inline(always)]
     fn deserialize_5(bytes: &[u8]) -> Self {
-        hax_lib::fstar!(
-            "assert (v (Core.Slice.impl__len $bytes) == Seq.length $bytes)");
+        hax_lib::fstar!("assert (v (Core.Slice.impl__len $bytes) == Seq.length $bytes)");
         Self {
             elements: serialize::deserialize_5(bytes),
         }

From d3bc8684ad2c457f2e7f80d06059b75b32bc4620 Mon Sep 17 00:00:00 2001
From: karthikbhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 07:01:24 +0000
Subject: [PATCH 16/23] c code refresh

---
 libcrux-ml-kem/c/code_gen.txt                 |   4 +-
 libcrux-ml-kem/c/internal/libcrux_core.h      |   4 +-
 .../c/internal/libcrux_mlkem_avx2.h           |   4 +-
 .../c/internal/libcrux_mlkem_portable.h       |   4 +-
 libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h |   4 +-
 .../c/internal/libcrux_sha3_internal.h        |   4 +-
 libcrux-ml-kem/c/libcrux_core.c               |   4 +-
 libcrux-ml-kem/c/libcrux_core.h               |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem1024.h          |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c     |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h     |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_portable.c |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_portable.h |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem512.h           |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem512_avx2.c      |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem512_avx2.h      |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem512_portable.c  |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem512_portable.h  |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem768.h           |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem768_avx2.c      |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem768_avx2.h      |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem768_portable.c  |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem768_portable.h  |   4 +-
 libcrux-ml-kem/c/libcrux_mlkem_avx2.c         | 530 ++++++++++++++----
 libcrux-ml-kem/c/libcrux_mlkem_avx2.h         |  48 +-
 libcrux-ml-kem/c/libcrux_mlkem_portable.c     | 359 +++++++++---
 libcrux-ml-kem/c/libcrux_mlkem_portable.h     |   4 +-
 libcrux-ml-kem/c/libcrux_sha3.h               |   4 +-
 libcrux-ml-kem/c/libcrux_sha3_avx2.c          |   4 +-
 libcrux-ml-kem/c/libcrux_sha3_avx2.h          |   4 +-
 libcrux-ml-kem/c/libcrux_sha3_internal.h      |   4 +-
 libcrux-ml-kem/c/libcrux_sha3_neon.c          |   4 +-
 libcrux-ml-kem/c/libcrux_sha3_neon.h          |   4 +-
 libcrux-ml-kem/cg/code_gen.txt                |   4 +-
 libcrux-ml-kem/cg/libcrux_core.h              |   4 +-
 libcrux-ml-kem/cg/libcrux_ct_ops.h            |   4 +-
 libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h     | 516 +++++++++++++----
 libcrux-ml-kem/cg/libcrux_mlkem768_portable.h | 299 +++++++---
 libcrux-ml-kem/cg/libcrux_sha3_avx2.h         |   4 +-
 libcrux-ml-kem/cg/libcrux_sha3_portable.h     |   4 +-
 40 files changed, 1457 insertions(+), 435 deletions(-)

diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt
index 54242b657..58904651b 100644
--- a/libcrux-ml-kem/c/code_gen.txt
+++ b/libcrux-ml-kem/c/code_gen.txt
@@ -2,5 +2,5 @@ This code was generated with the following revisions:
 Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
 Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
-F*: 5643e656b989aca7629723653a2570c7df6252b9
-Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h
index fe89acd19..3121e91fc 100644
--- a/libcrux-ml-kem/c/internal/libcrux_core.h
+++ b/libcrux-ml-kem/c/internal/libcrux_core.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __internal_libcrux_core_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
index 466ef3ba0..ba22d8dbc 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __internal_libcrux_mlkem_avx2_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
index f108fb1a3..6df01c224 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __internal_libcrux_mlkem_portable_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
index 67b2d4675..03ab5a18f 100644
--- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __internal_libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
index 342c481f4..4117b2667 100644
--- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __internal_libcrux_sha3_internal_H
diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c
index e69d41843..860a9abb3 100644
--- a/libcrux-ml-kem/c/libcrux_core.c
+++ b/libcrux-ml-kem/c/libcrux_core.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "internal/libcrux_core.h"
diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h
index 9097eceda..86e741589 100644
--- a/libcrux-ml-kem/c/libcrux_core.h
+++ b/libcrux-ml-kem/c/libcrux_core.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h
index 041b2ec09..d05dee7ab 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem1024_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
index 5fec937b0..d8e105da4 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "libcrux_mlkem1024_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
index 96971f755..4c44dfb75 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem1024_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
index c63594eaa..841680613 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "libcrux_mlkem1024_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
index f951149be..7f0a1cb23 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem1024_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h
index 0e850ae5d..9c8ae2dab 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem512_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
index 7971b5c4f..18034cf3a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "libcrux_mlkem512_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
index 3c4030f73..e387bdb26 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem512_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
index b8f6fd756..ca40f04a5 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "libcrux_mlkem512_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
index 7766250f2..0873a8a54 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem512_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h
index f2c7db21a..a392c09ab 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem768_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
index d30955e8a..3382a2d48 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "libcrux_mlkem768_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
index ea29365da..d478855a0 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
index 1cdebda61..25cad4008 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "libcrux_mlkem768_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
index 6c512c865..bc4256238 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
index 7cd2d548f..f96a0f3ca 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "internal/libcrux_mlkem_avx2.h"
@@ -149,13 +149,18 @@ libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i vector) {
   return mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus);
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_cond_subtract_3329(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector);
+  return libcrux_ml_kem_vector_avx2_cond_subtract_3329(vector);
 }
 
 /**
@@ -227,14 +232,18 @@ libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
   return mm256_srli_epi16((int32_t)15, shifted_to_positive_in_range, __m256i);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_compress_1(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_compress_1_09(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
-      vector);
+  return libcrux_ml_kem_vector_avx2_compress_1(vector);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(
@@ -277,6 +286,13 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(
   return mm256_add_epi16(lhs, rhs0);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                         zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -284,8 +300,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1,
-                                                         zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                     zeta2, zeta3);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(
@@ -301,13 +317,18 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(
   return mm256_add_epi16(lhs, rhs0);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09(
     __m256i vector, int16_t zeta0, int16_t zeta1) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_2_step(vector, zeta0, zeta1);
 }
 
 KRML_MUSTINLINE __m128i
@@ -339,13 +360,18 @@ libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta) {
                                 __m256i);
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_ntt_layer_3_step(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09(__m256i vector, int16_t zeta) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_3_step(vector, zeta);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
@@ -369,6 +395,13 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
   return mm256_blend_epi16((int32_t)204, sum, sum_times_zetas, __m256i);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
+      vector, zeta0, zeta1, zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -376,8 +409,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
-      vector, zeta0, zeta1, zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                         zeta2, zeta3);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(
@@ -399,14 +432,19 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(
   return mm256_blend_epi16((int32_t)240, sum, sum_times_zetas, __m256i);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0,
+                                                             zeta1);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09(
     __m256i vector, int16_t zeta0, int16_t zeta1) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0,
-                                                             zeta1);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(vector, zeta0, zeta1);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(
@@ -423,13 +461,18 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(
                                 __m256i);
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09(
     __m256i vector, int16_t zeta) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(vector, zeta);
 }
 
 KRML_MUSTINLINE __m256i
@@ -504,6 +547,13 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(
                            __m256i);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply(
+    __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0,
+                                                     zeta1, zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -511,8 +561,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_09(
     __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0,
-                                                     zeta1, zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2,
+                                                 zeta3);
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1(
@@ -526,13 +576,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1(
   memcpy(ret, result, (size_t)2U * sizeof(uint8_t));
 }
 
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1(__m256i vector,
+                                                            uint8_t ret[2U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_09(
     __m256i vector, uint8_t ret[2U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_1(vector, ret);
 }
 
 KRML_MUSTINLINE __m256i
@@ -565,13 +620,18 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) {
       Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *));
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_1(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes);
+  return libcrux_ml_kem_vector_avx2_deserialize_1(bytes);
 }
 
 /**
@@ -621,13 +681,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4(
   memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t));
 }
 
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4(__m256i vector,
+                                                            uint8_t ret[8U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_09(
     __m256i vector, uint8_t ret[8U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_4(vector, ret);
 }
 
 KRML_MUSTINLINE __m256i
@@ -672,13 +737,18 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) {
       Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *));
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_4(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_deserialize_4_09(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes);
+  return libcrux_ml_kem_vector_avx2_deserialize_4(bytes);
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_5(
@@ -850,13 +920,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
   memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t));
 }
 
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10(__m256i vector,
+                                                             uint8_t ret[20U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_09(
     __m256i vector, uint8_t ret[20U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_10(vector, ret);
 }
 
 KRML_MUSTINLINE __m256i
@@ -894,13 +969,18 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) {
       mm_loadu_si128(lower_coefficients), mm_loadu_si128(upper_coefficients));
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_10(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_deserialize_10_09(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes);
+  return libcrux_ml_kem_vector_avx2_deserialize_10(bytes);
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_11(
@@ -995,13 +1075,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
   memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t));
 }
 
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12(__m256i vector,
+                                                             uint8_t ret[24U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_09(
     __m256i vector, uint8_t ret[24U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_12(vector, ret);
 }
 
 KRML_MUSTINLINE __m256i
@@ -1039,13 +1124,18 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) {
       lower_coefficients, upper_coefficients);
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_12(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 */
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_deserialize_12_09(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes);
+  return libcrux_ml_kem_vector_avx2_deserialize_12(bytes);
 }
 
 KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample(
@@ -1856,19 +1946,41 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed0(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
 */
+static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_61(void) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit;
+  lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  return lit;
+}
+
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-from_i16_array_ef_61(Eurydice_slice a) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_61();
+from_i16_array_61(Eurydice_slice a) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_61();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
@@ -1879,6 +1991,22 @@ from_i16_array_ef_61(Eurydice_slice a) {
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+from_i16_array_ef_61(Eurydice_slice a) {
+  return from_i16_array_61(a);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -2311,6 +2439,22 @@ static KRML_MUSTINLINE void ntt_at_layer_1_61(
       zeta_i[0U] = zeta_i[0U] + (size_t)3U;);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE void poly_barrett_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    myself->coefficients[i0] =
+        libcrux_ml_kem_vector_avx2_barrett_reduce_09(myself->coefficients[i0]);
+  }
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
@@ -2324,12 +2468,7 @@ with const generics
 */
 static KRML_MUSTINLINE void poly_barrett_reduce_ef_61(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) {
-  for (size_t i = (size_t)0U;
-       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
-    size_t i0 = i;
-    self->coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_barrett_reduce_09(self->coefficients[i0]);
-  }
+  poly_barrett_reduce_61(self);
 }
 
 /**
@@ -2428,25 +2567,47 @@ static KRML_MUSTINLINE tuple_23 sample_vector_cbd_then_ntt_out_b41(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+ Given two `KyberPolynomialRingElement`s in their NTT representations,
+ compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
+ the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
+
+ ```plaintext
+ ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X²
+ - ζ^(2·BitRev₇(i) + 1))
+ ```
+
+ This function almost implements <strong>Algorithm 10</strong> of the
+ NIST FIPS 203 standard, which is reproduced below:
+
+ ```plaintext
+ Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
+ Output: An array ĥ ∈ ℤq.
+
+ for(i ← 0; i < 128; i++)
+     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1],
+ ζ^(2·BitRev₇(i) + 1)) end for return ĥ
+ ```
+ We say "almost" because the coefficients of the ring element output by
+ this function are in the Montgomery domain.
+
+ The NIST FIPS 203 standard can be found at
+ <https://csrc.nist.gov/pubs/fips/203/ipd>.
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-ntt_multiply_ef_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
-                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = ZERO_ef_61();
+ntt_multiply_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
+                libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = ZERO_61();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_09(
-        &self->coefficients[i0], &rhs->coefficients[i0],
+        &myself->coefficients[i0], &rhs->coefficients[i0],
         libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0),
         libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
                                        (size_t)1U),
@@ -2464,25 +2625,58 @@ This function found in impl
 TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+ntt_multiply_ef_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  return ntt_multiply_61(self, rhs);
+}
+
+/**
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
 */
-static KRML_MUSTINLINE void add_to_ring_element_ef_ab(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_to_ring_element_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(Eurydice_array_to_slice(
-                                  (size_t)16U, self->coefficients, __m256i),
+                                  (size_t)16U, myself->coefficients, __m256i),
                               __m256i);
        i++) {
     size_t i0 = i;
-    self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09(
-        self->coefficients[i0], &rhs->coefficients[i0]);
+    myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09(
+        myself->coefficients[i0], &rhs->coefficients[i0]);
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  add_to_ring_element_ab(self, rhs);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.vector.traits.to_standard_domain
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
@@ -2494,6 +2688,26 @@ static KRML_MUSTINLINE __m256i to_standard_domain_61(__m256i v) {
       v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE void add_standard_error_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
+    size_t j = i;
+    __m256i coefficient_normal_form =
+        to_standard_domain_61(myself->coefficients[j]);
+    myself->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
+        libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form,
+                                          &error->coefficients[j]));
+  }
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
@@ -2508,15 +2722,7 @@ with const generics
 static KRML_MUSTINLINE void add_standard_error_reduce_ef_61(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
-  for (size_t i = (size_t)0U;
-       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
-    size_t j = i;
-    __m256i coefficient_normal_form =
-        to_standard_domain_61(self->coefficients[j]);
-    self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
-        libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form,
-                                          &error->coefficients[j]));
-  }
+  add_standard_error_reduce_61(self, error);
 }
 
 /**
@@ -3088,31 +3294,43 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_ab(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
-static KRML_MUSTINLINE void add_error_reduce_ef_61(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_error_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     __m256i coefficient_normal_form =
         libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(
-            self->coefficients[j], (int16_t)1441);
-    self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
+            myself->coefficients[j], (int16_t)1441);
+    myself->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
         libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form,
                                           &error->coefficients[j]));
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE void add_error_reduce_ef_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
+  add_error_reduce_61(self, error);
+}
+
 /**
  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 */
@@ -3194,19 +3412,14 @@ deserialize_then_decompress_message_61(uint8_t serialized[32U]) {
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-add_message_error_reduce_ef_61(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+add_message_error_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) {
   for (size_t i = (size_t)0U;
@@ -3215,7 +3428,7 @@ add_message_error_reduce_ef_61(
     __m256i coefficient_normal_form =
         libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(
             result.coefficients[i0], (int16_t)1441);
-    __m256i tmp = libcrux_ml_kem_vector_avx2_add_09(self->coefficients[i0],
+    __m256i tmp = libcrux_ml_kem_vector_avx2_add_09(myself->coefficients[i0],
                                                     &message->coefficients[i0]);
     __m256i tmp0 =
         libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form, &tmp);
@@ -3225,6 +3438,25 @@ add_message_error_reduce_ef_61(
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+add_message_error_reduce_ef_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) {
+  return add_message_error_reduce_61(self, message, result);
+}
+
 /**
  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 */
@@ -3295,6 +3527,15 @@ compress_ciphertext_coefficient_ef(__m256i vector) {
   return mm256_permute4x64_epi64((int32_t)216, compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 10
+*/
+static KRML_MUSTINLINE __m256i compress_ef(__m256i vector) {
+  return compress_ciphertext_coefficient_ef(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -3305,7 +3546,7 @@ with const generics
 - COEFFICIENT_BITS= 10
 */
 static KRML_MUSTINLINE __m256i compress_09_ef(__m256i vector) {
-  return compress_ciphertext_coefficient_ef(vector);
+  return compress_ef(vector);
 }
 
 /**
@@ -3377,6 +3618,15 @@ compress_ciphertext_coefficient_c4(__m256i vector) {
   return mm256_permute4x64_epi64((int32_t)216, compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 11
+*/
+static KRML_MUSTINLINE __m256i compress_c4(__m256i vector) {
+  return compress_ciphertext_coefficient_c4(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -3387,7 +3637,7 @@ with const generics
 - COEFFICIENT_BITS= 11
 */
 static KRML_MUSTINLINE __m256i compress_09_c4(__m256i vector) {
-  return compress_ciphertext_coefficient_c4(vector);
+  return compress_c4(vector);
 }
 
 /**
@@ -3483,6 +3733,15 @@ compress_ciphertext_coefficient_d1(__m256i vector) {
   return mm256_permute4x64_epi64((int32_t)216, compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 4
+*/
+static KRML_MUSTINLINE __m256i compress_d1(__m256i vector) {
+  return compress_ciphertext_coefficient_d1(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -3493,7 +3752,7 @@ with const generics
 - COEFFICIENT_BITS= 4
 */
 static KRML_MUSTINLINE __m256i compress_09_d1(__m256i vector) {
-  return compress_ciphertext_coefficient_d1(vector);
+  return compress_d1(vector);
 }
 
 /**
@@ -3564,6 +3823,15 @@ compress_ciphertext_coefficient_f4(__m256i vector) {
   return mm256_permute4x64_epi64((int32_t)216, compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 5
+*/
+static KRML_MUSTINLINE __m256i compress_f4(__m256i vector) {
+  return compress_ciphertext_coefficient_f4(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -3574,7 +3842,7 @@ with const generics
 - COEFFICIENT_BITS= 5
 */
 static KRML_MUSTINLINE __m256i compress_09_f4(__m256i vector) {
-  return compress_ciphertext_coefficient_f4(vector);
+  return compress_f4(vector);
 }
 
 /**
@@ -4298,19 +4566,14 @@ deserialize_then_decompress_ring_element_v_ed(Eurydice_slice serialized) {
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-subtract_reduce_ef_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
-                      libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
+subtract_reduce_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
+                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
@@ -4318,12 +4581,29 @@ subtract_reduce_ef_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
         libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(
             b.coefficients[i0], (int16_t)1441);
     b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
-        libcrux_ml_kem_vector_avx2_sub_09(self->coefficients[i0],
+        libcrux_ml_kem_vector_avx2_sub_09(myself->coefficients[i0],
                                           &coefficient_normal_form));
   }
   return b;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+subtract_reduce_ef_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+                      libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
+  return subtract_reduce_61(self, b);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -5432,30 +5712,46 @@ static KRML_MUSTINLINE tuple_dd sample_vector_cbd_then_ntt_out_b4(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 4
 */
-static KRML_MUSTINLINE void add_to_ring_element_ef_42(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_to_ring_element_42(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(Eurydice_array_to_slice(
-                                  (size_t)16U, self->coefficients, __m256i),
+                                  (size_t)16U, myself->coefficients, __m256i),
                               __m256i);
        i++) {
     size_t i0 = i;
-    self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09(
-        self->coefficients[i0], &rhs->coefficients[i0]);
+    myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09(
+        myself->coefficients[i0], &rhs->coefficients[i0]);
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 4
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_42(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  add_to_ring_element_42(self, rhs);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -7471,30 +7767,46 @@ static KRML_MUSTINLINE tuple_40 sample_vector_cbd_then_ntt_out_b40(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 2
 */
-static KRML_MUSTINLINE void add_to_ring_element_ef_89(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_to_ring_element_89(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(Eurydice_array_to_slice(
-                                  (size_t)16U, self->coefficients, __m256i),
+                                  (size_t)16U, myself->coefficients, __m256i),
                               __m256i);
        i++) {
     size_t i0 = i;
-    self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09(
-        self->coefficients[i0], &rhs->coefficients[i0]);
+    myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09(
+        myself->coefficients[i0], &rhs->coefficients[i0]);
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 2
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_89(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  add_to_ring_element_89(self, rhs);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
index 95dad8cf8..4c3f089a8 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem_avx2_H
@@ -93,6 +93,8 @@ __m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_09(
 __m256i libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(
     __m256i vector);
 
+__m256i libcrux_ml_kem_vector_avx2_cond_subtract_3329(__m256i vector);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -127,6 +129,8 @@ __m256i libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(
 __m256i libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
     __m256i vector);
 
+__m256i libcrux_ml_kem_vector_avx2_compress_1(__m256i vector);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -142,6 +146,9 @@ __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants(
 __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -153,6 +160,10 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(__m256i vector,
                                                         int16_t zeta0,
                                                         int16_t zeta1);
 
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step(__m256i vector,
+                                                    int16_t zeta0,
+                                                    int16_t zeta1);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -168,6 +179,9 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants(
 __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector,
                                                         int16_t zeta);
 
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_3_step(__m256i vector,
+                                                    int16_t zeta);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -178,6 +192,9 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09(__m256i vector,
 __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -189,6 +206,10 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector,
                                                             int16_t zeta0,
                                                             int16_t zeta1);
 
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(__m256i vector,
+                                                        int16_t zeta0,
+                                                        int16_t zeta1);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -200,6 +221,9 @@ __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09(__m256i vector,
 __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(__m256i vector,
                                                             int16_t zeta);
 
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(__m256i vector,
+                                                        int16_t zeta);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -216,6 +240,10 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(__m256i lhs, __m256i rhs,
                                                     int16_t zeta2,
                                                     int16_t zeta3);
 
+__m256i libcrux_ml_kem_vector_avx2_ntt_multiply(__m256i *lhs, __m256i *rhs,
+                                                int16_t zeta0, int16_t zeta1,
+                                                int16_t zeta2, int16_t zeta3);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -228,6 +256,8 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_09(__m256i *lhs, __m256i *rhs,
 void libcrux_ml_kem_vector_avx2_serialize_serialize_1(__m256i vector,
                                                       uint8_t ret[2U]);
 
+void libcrux_ml_kem_vector_avx2_serialize_1(__m256i vector, uint8_t ret[2U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -243,6 +273,8 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s(
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1(
     Eurydice_slice bytes);
 
+__m256i libcrux_ml_kem_vector_avx2_deserialize_1(Eurydice_slice bytes);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -261,6 +293,8 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n,
 void libcrux_ml_kem_vector_avx2_serialize_serialize_4(__m256i vector,
                                                       uint8_t ret[8U]);
 
+void libcrux_ml_kem_vector_avx2_serialize_4(__m256i vector, uint8_t ret[8U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -278,6 +312,8 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s(
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4(
     Eurydice_slice bytes);
 
+__m256i libcrux_ml_kem_vector_avx2_deserialize_4(Eurydice_slice bytes);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -327,6 +363,8 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec(
 void libcrux_ml_kem_vector_avx2_serialize_serialize_10(__m256i vector,
                                                        uint8_t ret[20U]);
 
+void libcrux_ml_kem_vector_avx2_serialize_10(__m256i vector, uint8_t ret[20U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -340,6 +378,8 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec(
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10(
     Eurydice_slice bytes);
 
+__m256i libcrux_ml_kem_vector_avx2_deserialize_10(Eurydice_slice bytes);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -372,6 +412,8 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec(
 void libcrux_ml_kem_vector_avx2_serialize_serialize_12(__m256i vector,
                                                        uint8_t ret[24U]);
 
+void libcrux_ml_kem_vector_avx2_serialize_12(__m256i vector, uint8_t ret[24U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -385,6 +427,8 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec(
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12(
     Eurydice_slice bytes);
 
+__m256i libcrux_ml_kem_vector_avx2_deserialize_12(Eurydice_slice bytes);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
index 1d3a317a8..f2a82731e 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "internal/libcrux_mlkem_portable.h"
@@ -3143,19 +3143,41 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff0(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
 */
+static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_8c(void) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit;
+  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  return lit;
+}
+
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-from_i16_array_ef_8c(Eurydice_slice a) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_8c();
+from_i16_array_8c(Eurydice_slice a) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_8c();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
@@ -3168,6 +3190,22 @@ from_i16_array_ef_8c(Eurydice_slice a) {
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+from_i16_array_ef_8c(Eurydice_slice a) {
+  return from_i16_array_8c(a);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -3601,6 +3639,24 @@ static KRML_MUSTINLINE void ntt_at_layer_1_8c(
       zeta_i[0U] = zeta_i[0U] + (size_t)3U;);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void poly_barrett_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
+        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
+            myself->coefficients[i0]);
+    myself->coefficients[i0] = uu____0;
+  }
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
@@ -3614,14 +3670,7 @@ with const generics
 */
 static KRML_MUSTINLINE void poly_barrett_reduce_ef_8c(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) {
-  for (size_t i = (size_t)0U;
-       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
-    size_t i0 = i;
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            self->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
-  }
+  poly_barrett_reduce_8c(self);
 }
 
 /**
@@ -3722,26 +3771,48 @@ static KRML_MUSTINLINE tuple_dd0 sample_vector_cbd_then_ntt_out_3b(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+ Given two `KyberPolynomialRingElement`s in their NTT representations,
+ compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
+ the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
+
+ ```plaintext
+ ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X²
+ - ζ^(2·BitRev₇(i) + 1))
+ ```
+
+ This function almost implements <strong>Algorithm 10</strong> of the
+ NIST FIPS 203 standard, which is reproduced below:
+
+ ```plaintext
+ Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
+ Output: An array ĥ ∈ ℤq.
+
+ for(i ← 0; i < 128; i++)
+     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1],
+ ζ^(2·BitRev₇(i) + 1)) end for return ĥ
+ ```
+ We say "almost" because the coefficients of the ring element output by
+ this function are in the Montgomery domain.
+
+ The NIST FIPS 203 standard can be found at
+ <https://csrc.nist.gov/pubs/fips/203/ipd>.
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-ntt_multiply_ef_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
-                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = ZERO_ef_8c();
+ntt_multiply_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
+                libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = ZERO_8c();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
         libcrux_ml_kem_vector_portable_ntt_multiply_0d(
-            &self->coefficients[i0], &rhs->coefficients[i0],
+            &myself->coefficients[i0], &rhs->coefficients[i0],
             libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0),
             libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
                                            (size_t)1U),
@@ -3760,29 +3831,62 @@ This function found in impl
 TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+ntt_multiply_ef_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  return ntt_multiply_8c(self, rhs);
+}
+
+/**
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 4
 */
-static KRML_MUSTINLINE void add_to_ring_element_ef_d0(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_to_ring_element_d0(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice(
-                   (size_t)16U, self->coefficients,
+                   (size_t)16U, myself->coefficients,
                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_0d(myself->coefficients[i0],
                                               &rhs->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 4
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_d0(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  add_to_ring_element_d0(self, rhs);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.vector.traits.to_standard_domain
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
@@ -3797,32 +3901,45 @@ to_standard_domain_8c(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void add_standard_error_reduce_ef_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_standard_error_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
-        coefficient_normal_form = to_standard_domain_8c(self->coefficients[j]);
+        coefficient_normal_form =
+            to_standard_domain_8c(myself->coefficients[j]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
             libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
                                                   &error->coefficients[j]));
-    self->coefficients[j] = uu____0;
+    myself->coefficients[j] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void add_standard_error_reduce_ef_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
+  add_standard_error_reduce_8c(self, error);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -4403,18 +4520,13 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_d0(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void add_error_reduce_ef_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_error_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
@@ -4422,15 +4534,32 @@ static KRML_MUSTINLINE void add_error_reduce_ef_8c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
             libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
-                self->coefficients[j], (int16_t)1441);
+                myself->coefficients[j], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
             libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
                                                   &error->coefficients[j]));
-    self->coefficients[j] = uu____0;
+    myself->coefficients[j] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void add_error_reduce_ef_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
+  add_error_reduce_8c(self, error);
+}
+
 /**
  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 */
@@ -4520,19 +4649,14 @@ deserialize_then_decompress_message_8c(uint8_t serialized[32U]) {
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-add_message_error_reduce_ef_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+add_message_error_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) {
   for (size_t i = (size_t)0U;
@@ -4543,7 +4667,7 @@ add_message_error_reduce_ef_8c(
             libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
                 result.coefficients[i0], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_0d(myself->coefficients[i0],
                                               &message->coefficients[i0]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp0 =
         libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form, &tmp);
@@ -4554,6 +4678,25 @@ add_message_error_reduce_ef_8c(
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+add_message_error_reduce_ef_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) {
+  return add_message_error_reduce_8c(self, message, result);
+}
+
 /**
  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 */
@@ -5464,19 +5607,14 @@ deserialize_then_decompress_ring_element_v_ff(Eurydice_slice serialized) {
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-subtract_reduce_ef_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
-                      libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
+subtract_reduce_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
+                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
@@ -5486,13 +5624,30 @@ subtract_reduce_ef_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
                 b.coefficients[i0], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            libcrux_ml_kem_vector_portable_sub_0d(self->coefficients[i0],
+            libcrux_ml_kem_vector_portable_sub_0d(myself->coefficients[i0],
                                                   &coefficient_normal_form));
     b.coefficients[i0] = uu____0;
   }
   return b;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+subtract_reduce_ef_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+                      libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
+  return subtract_reduce_8c(self, b);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -6570,34 +6725,50 @@ static KRML_MUSTINLINE tuple_400 sample_vector_cbd_then_ntt_out_3b0(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 2
 */
-static KRML_MUSTINLINE void add_to_ring_element_ef_a0(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_to_ring_element_a0(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice(
-                   (size_t)16U, self->coefficients,
+                   (size_t)16U, myself->coefficients,
                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_0d(myself->coefficients[i0],
                                               &rhs->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 2
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_a0(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  add_to_ring_element_a0(self, rhs);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -8634,34 +8805,50 @@ static KRML_MUSTINLINE tuple_230 sample_vector_cbd_then_ntt_out_3b1(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 3
 */
-static KRML_MUSTINLINE void add_to_ring_element_ef_1b(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_to_ring_element_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice(
-                   (size_t)16U, self->coefficients,
+                   (size_t)16U, myself->coefficients,
                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_0d(myself->coefficients[i0],
                                               &rhs->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  add_to_ring_element_1b(self, rhs);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
index ccb5a6654..97e8167f3 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h
index 393be1f15..82d68203f 100644
--- a/libcrux-ml-kem/c/libcrux_sha3.h
+++ b/libcrux-ml-kem/c/libcrux_sha3.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_sha3_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
index 3274dc64a..280ba2a2a 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "internal/libcrux_sha3_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
index eaa8d8c25..8af351595 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h
index c68ee5802..d6f138fc7 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_sha3_internal_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c
index 8c9edc379..6631b288a 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #include "libcrux_sha3_neon.h"
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h
index c51c09cc5..4eab9beb0 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_sha3_neon_H
diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt
index 54242b657..58904651b 100644
--- a/libcrux-ml-kem/cg/code_gen.txt
+++ b/libcrux-ml-kem/cg/code_gen.txt
@@ -2,5 +2,5 @@ This code was generated with the following revisions:
 Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
 Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
-F*: 5643e656b989aca7629723653a2570c7df6252b9
-Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h
index b8e2354f8..5f5c8417b 100644
--- a/libcrux-ml-kem/cg/libcrux_core.h
+++ b/libcrux-ml-kem/cg/libcrux_core.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h
index cf4a616ac..f21831f4f 100644
--- a/libcrux-ml-kem/cg/libcrux_ct_ops.h
+++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_ct_ops_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
index f6933bc18..f6e41fd2a 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
@@ -180,6 +180,12 @@ libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i vector) {
                                                  conditional_add_field_modulus);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_cond_subtract_3329(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -187,7 +193,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector);
+  return libcrux_ml_kem_vector_avx2_cond_subtract_3329(vector);
 }
 
 #define LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER \
@@ -279,6 +285,13 @@ libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
       (int32_t)15, shifted_to_positive_in_range, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_1(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -286,8 +299,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_compress_1_09(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
-      vector);
+  return libcrux_ml_kem_vector_avx2_compress_1(vector);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -339,6 +351,14 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(
   return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                         zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -347,8 +367,8 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1,
-                                                         zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                     zeta2, zeta3);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -367,6 +387,12 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(
   return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -374,7 +400,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09(
     __m256i vector, int16_t zeta0, int16_t zeta1) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_2_step(vector, zeta0, zeta1);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -411,6 +437,12 @@ libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta) {
       (int32_t)1, combined, upper_coefficients, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_ntt_layer_3_step(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -418,7 +450,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09(__m256i vector, int16_t zeta) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_3_step(vector, zeta);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -450,6 +482,14 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(__m256i vector,
                                                    sum_times_zetas, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
+      vector, zeta0, zeta1, zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -460,8 +500,8 @@ libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09(__m256i vector,
                                                    int16_t zeta0, int16_t zeta1,
                                                    int16_t zeta2,
                                                    int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
-      vector, zeta0, zeta1, zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                         zeta2, zeta3);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -490,6 +530,13 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector,
                                                    sum_times_zetas, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0,
+                                                             zeta1);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -499,8 +546,7 @@ static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09(__m256i vector,
                                                    int16_t zeta0,
                                                    int16_t zeta1) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0,
-                                                             zeta1);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(vector, zeta0, zeta1);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -521,6 +567,12 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(__m256i vector,
       (int32_t)1, combined, upper_coefficients0, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -529,7 +581,7 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09(__m256i vector,
                                                    int16_t zeta) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(vector, zeta);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -619,6 +671,14 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(
                                                    products_right1, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply(
+    __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0,
+                                                     zeta1, zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -627,8 +687,8 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_09(
     __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0,
-                                                     zeta1, zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2,
+                                                 zeta3);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -645,6 +705,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1(
   memcpy(ret, result, (size_t)2U * sizeof(uint8_t));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1(
+    __m256i vector, uint8_t ret[2U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -652,7 +718,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_09(
     __m256i vector, uint8_t ret[2U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_1(vector, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -689,6 +755,12 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) {
       Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_1(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -696,7 +768,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes);
+  return libcrux_ml_kem_vector_avx2_deserialize_1(bytes);
 }
 
 /**
@@ -748,6 +820,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4(
   memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4(
+    __m256i vector, uint8_t ret[8U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -755,7 +833,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_09(
     __m256i vector, uint8_t ret[8U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_4(vector, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -804,6 +882,12 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) {
       Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_4(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -811,7 +895,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_deserialize_4_09(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes);
+  return libcrux_ml_kem_vector_avx2_deserialize_4(bytes);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -1003,6 +1087,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
   memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10(
+    __m256i vector, uint8_t ret[20U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -1010,7 +1100,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_09(
     __m256i vector, uint8_t ret[20U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_10(vector, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -1055,6 +1145,12 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) {
       libcrux_intrinsics_avx2_mm_loadu_si128(upper_coefficients));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_10(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -1062,7 +1158,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_deserialize_10_09(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes);
+  return libcrux_ml_kem_vector_avx2_deserialize_10(bytes);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -1165,6 +1261,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
   memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12(
+    __m256i vector, uint8_t ret[24U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -1172,7 +1274,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_09(
     __m256i vector, uint8_t ret[24U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_12(vector, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -1216,6 +1318,12 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) {
       lower_coefficients, upper_coefficients);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_12(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -1223,7 +1331,7 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_deserialize_12_09(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes);
+  return libcrux_ml_kem_vector_avx2_deserialize_12(bytes);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -1745,6 +1853,23 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_61(
   }
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    myself->coefficients[i0] =
+        libcrux_ml_kem_vector_avx2_barrett_reduce_09(myself->coefficients[i0]);
+  }
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
@@ -1759,12 +1884,7 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_61(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) {
-  for (size_t i = (size_t)0U;
-       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
-    size_t i0 = i;
-    self->coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_barrett_reduce_09(self->coefficients[i0]);
-  }
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_61(self);
 }
 
 /**
@@ -2039,28 +2159,79 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
 */
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_ZERO_61(void) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit;
+  lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_09();
+  return lit;
+}
+
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
+ Given two `KyberPolynomialRingElement`s in their NTT representations,
+ compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
+ the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
+
+ ```plaintext
+ ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X²
+ - ζ^(2·BitRev₇(i) + 1))
+ ```
+
+ This function almost implements <strong>Algorithm 10</strong> of the
+ NIST FIPS 203 standard, which is reproduced below:
+
+ ```plaintext
+ Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
+ Output: An array ĥ ∈ ℤq.
+
+ for(i ← 0; i < 128; i++)
+     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1],
+ ζ^(2·BitRev₇(i) + 1)) end for return ĥ
+ ```
+ We say "almost" because the coefficients of the ring element output by
+ this function are in the Montgomery domain.
+
+ The NIST FIPS 203 standard can be found at
+ <https://csrc.nist.gov/pubs/fips/203/ipd>.
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_ntt_multiply_ef_61(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+libcrux_ml_kem_polynomial_ntt_multiply_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out =
-      libcrux_ml_kem_polynomial_ZERO_ef_61();
+      libcrux_ml_kem_polynomial_ZERO_61();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_09(
-        &self->coefficients[i0], &rhs->coefficients[i0],
+        &myself->coefficients[i0], &rhs->coefficients[i0],
         libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0),
         libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
                                        (size_t)1U),
@@ -2078,26 +2249,62 @@ This function found in impl
 TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
-- K= 3
+
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_ntt_multiply_ef_61(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  return libcrux_ml_kem_polynomial_ntt_multiply_61(self, rhs);
+}
+
+/**
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 3
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(Eurydice_array_to_slice(
-                                  (size_t)16U, self->coefficients, __m256i),
+                                  (size_t)16U, myself->coefficients, __m256i),
                               __m256i);
        i++) {
     size_t i0 = i;
-    self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09(
-        self->coefficients[i0], &rhs->coefficients[i0]);
+    myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09(
+        myself->coefficients[i0], &rhs->coefficients[i0]);
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 3
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  libcrux_ml_kem_polynomial_add_to_ring_element_ab(self, rhs);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_at_layer_1
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
@@ -2241,20 +2448,15 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_subtract_reduce_ef_61(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+libcrux_ml_kem_polynomial_subtract_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
@@ -2263,12 +2465,31 @@ libcrux_ml_kem_polynomial_subtract_reduce_ef_61(
         libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(
             b.coefficients[i0], (int16_t)1441);
     b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
-        libcrux_ml_kem_vector_avx2_sub_09(self->coefficients[i0],
+        libcrux_ml_kem_vector_avx2_sub_09(myself->coefficients[i0],
                                           &coefficient_normal_form));
   }
   return b;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_subtract_reduce_ef_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
+  return libcrux_ml_kem_polynomial_subtract_reduce_61(self, b);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -2932,21 +3153,16 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_from_i16_array_ef_61(Eurydice_slice a) {
+libcrux_ml_kem_polynomial_from_i16_array_61(Eurydice_slice a) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result =
-      libcrux_ml_kem_polynomial_ZERO_ef_61();
+      libcrux_ml_kem_polynomial_ZERO_61();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
@@ -2957,6 +3173,23 @@ libcrux_ml_kem_polynomial_from_i16_array_ef_61(Eurydice_slice a) {
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_from_i16_array_ef_61(Eurydice_slice a) {
+  return libcrux_ml_kem_polynomial_from_i16_array_61(a);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -3576,32 +3809,45 @@ libcrux_ml_kem_matrix_compute_vector_u_closure_ab(size_t _i) {
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_61(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     __m256i coefficient_normal_form =
         libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(
-            self->coefficients[j], (int16_t)1441);
-    self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
+            myself->coefficients[j], (int16_t)1441);
+    myself->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
         libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form,
                                           &error->coefficients[j]));
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
+  libcrux_ml_kem_polynomial_add_error_reduce_61(self, error);
+}
+
 /**
  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 */
@@ -3692,20 +3938,15 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_message_61(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_add_message_error_reduce_ef_61(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+libcrux_ml_kem_polynomial_add_message_error_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) {
   for (size_t i = (size_t)0U;
@@ -3714,7 +3955,7 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_ef_61(
     __m256i coefficient_normal_form =
         libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(
             result.coefficients[i0], (int16_t)1441);
-    __m256i tmp = libcrux_ml_kem_vector_avx2_add_09(self->coefficients[i0],
+    __m256i tmp = libcrux_ml_kem_vector_avx2_add_09(myself->coefficients[i0],
                                                     &message->coefficients[i0]);
     __m256i tmp0 =
         libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form, &tmp);
@@ -3724,6 +3965,27 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_ef_61(
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_add_message_error_reduce_ef_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) {
+  return libcrux_ml_kem_polynomial_add_message_error_reduce_61(self, message,
+                                                               result);
+}
+
 /**
  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 */
@@ -3808,6 +4070,18 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef(
                                                          compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 10
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_ef(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -3820,8 +4094,7 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_compress_09_ef(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef(
-      vector);
+  return libcrux_ml_kem_vector_avx2_compress_ef(vector);
 }
 
 /**
@@ -3904,6 +4177,18 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_c4(
                                                          compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 11
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_c4(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_c4(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -3916,8 +4201,7 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_compress_09_c4(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_c4(
-      vector);
+  return libcrux_ml_kem_vector_avx2_compress_c4(vector);
 }
 
 /**
@@ -4052,6 +4336,18 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1(
                                                          compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_d1(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -4064,8 +4360,7 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_compress_09_d1(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1(
-      vector);
+  return libcrux_ml_kem_vector_avx2_compress_d1(vector);
 }
 
 /**
@@ -4147,6 +4442,18 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_f4(
                                                          compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_f4(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_f4(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
 libcrux_ml_kem::vector::avx2::SIMD256Vector)#2}
@@ -4159,8 +4466,7 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_compress_09_f4(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_f4(
-      vector);
+  return libcrux_ml_kem_vector_avx2_compress_f4(vector);
 }
 
 /**
@@ -4791,33 +5097,47 @@ libcrux_ml_kem_vector_traits_to_standard_domain_61(__m256i v) {
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_61(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+libcrux_ml_kem_polynomial_add_standard_error_reduce_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     __m256i coefficient_normal_form =
         libcrux_ml_kem_vector_traits_to_standard_domain_61(
-            self->coefficients[j]);
-    self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
+            myself->coefficients[j]);
+    myself->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09(
         libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form,
                                           &error->coefficients[j]));
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_61(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
+  libcrux_ml_kem_polynomial_add_standard_error_reduce_61(self, error);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
index 8f0de6a3e..b0546b2ea 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_mlkem768_portable_H
@@ -2960,6 +2960,24 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_8c(
   }
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
+        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
+            myself->coefficients[i0]);
+    myself->coefficients[i0] = uu____0;
+  }
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
@@ -2973,14 +2991,7 @@ with const generics
 */
 static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_8c(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) {
-  for (size_t i = (size_t)0U;
-       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
-    size_t i0 = i;
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            self->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
-  }
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_8c(self);
 }
 
 /**
@@ -3198,28 +3209,78 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
 */
+static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_ZERO_8c(void) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit;
+  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  return lit;
+}
+
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
+ Given two `KyberPolynomialRingElement`s in their NTT representations,
+ compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
+ the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
+
+ ```plaintext
+ ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X²
+ - ζ^(2·BitRev₇(i) + 1))
+ ```
+
+ This function almost implements <strong>Algorithm 10</strong> of the
+ NIST FIPS 203 standard, which is reproduced below:
+
+ ```plaintext
+ Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
+ Output: An array ĥ ∈ ℤq.
+
+ for(i ← 0; i < 128; i++)
+     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1],
+ ζ^(2·BitRev₇(i) + 1)) end for return ĥ
+ ```
+ We say "almost" because the coefficients of the ring element output by
+ this function are in the Montgomery domain.
+
+ The NIST FIPS 203 standard can be found at
+ <https://csrc.nist.gov/pubs/fips/203/ipd>.
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_ntt_multiply_ef_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+libcrux_ml_kem_polynomial_ntt_multiply_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d out =
-      libcrux_ml_kem_polynomial_ZERO_ef_8c();
+      libcrux_ml_kem_polynomial_ZERO_8c();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
         libcrux_ml_kem_vector_portable_ntt_multiply_0d(
-            &self->coefficients[i0], &rhs->coefficients[i0],
+            &myself->coefficients[i0], &rhs->coefficients[i0],
             libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0),
             libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
                                            (size_t)1U),
@@ -3238,29 +3299,63 @@ This function found in impl
 TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
-- K= 3
+
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_ntt_multiply_ef_8c(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  return libcrux_ml_kem_polynomial_ntt_multiply_8c(self, rhs);
+}
+
+/**
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice(
-                   (size_t)16U, self->coefficients,
+                   (size_t)16U, myself->coefficients,
                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_0d(myself->coefficients[i0],
                                               &rhs->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  libcrux_ml_kem_polynomial_add_to_ring_element_1b(self, rhs);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_at_layer_1
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
@@ -3403,19 +3498,14 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_subtract_reduce_ef_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+libcrux_ml_kem_polynomial_subtract_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
@@ -3426,13 +3516,31 @@ libcrux_ml_kem_polynomial_subtract_reduce_ef_8c(
                 b.coefficients[i0], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            libcrux_ml_kem_vector_portable_sub_0d(self->coefficients[i0],
+            libcrux_ml_kem_vector_portable_sub_0d(myself->coefficients[i0],
                                                   &coefficient_normal_form));
     b.coefficients[i0] = uu____0;
   }
   return b;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_subtract_reduce_ef_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
+  return libcrux_ml_kem_polynomial_subtract_reduce_8c(self, b);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -4087,20 +4195,15 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_from_i16_array_ef_8c(Eurydice_slice a) {
+libcrux_ml_kem_polynomial_from_i16_array_8c(Eurydice_slice a) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d result =
-      libcrux_ml_kem_polynomial_ZERO_ef_8c();
+      libcrux_ml_kem_polynomial_ZERO_8c();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
@@ -4113,6 +4216,22 @@ libcrux_ml_kem_polynomial_from_i16_array_ef_8c(Eurydice_slice a) {
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_from_i16_array_ef_8c(Eurydice_slice a) {
+  return libcrux_ml_kem_polynomial_from_i16_array_8c(a);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -4708,18 +4827,13 @@ libcrux_ml_kem_matrix_compute_vector_u_closure_1b(size_t _i) {
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
@@ -4727,15 +4841,32 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_8c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
             libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
-                self->coefficients[j], (int16_t)1441);
+                myself->coefficients[j], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
             libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
                                                   &error->coefficients[j]));
-    self->coefficients[j] = uu____0;
+    myself->coefficients[j] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
+  libcrux_ml_kem_polynomial_add_error_reduce_8c(self, error);
+}
+
 /**
  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 */
@@ -4831,19 +4962,14 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_message_8c(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_add_message_error_reduce_ef_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+libcrux_ml_kem_polynomial_add_message_error_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) {
   for (size_t i = (size_t)0U;
@@ -4854,7 +4980,7 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_ef_8c(
             libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
                 result.coefficients[i0], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_0d(myself->coefficients[i0],
                                               &message->coefficients[i0]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp0 =
         libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form, &tmp);
@@ -4865,6 +4991,26 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_ef_8c(
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_add_message_error_reduce_ef_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) {
+  return libcrux_ml_kem_polynomial_add_message_error_reduce_8c(self, message,
+                                                               result);
+}
+
 /**
  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 */
@@ -5722,19 +5868,14 @@ libcrux_ml_kem_vector_traits_to_standard_domain_8c(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+libcrux_ml_kem_polynomial_add_standard_error_reduce_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
@@ -5742,15 +5883,33 @@ libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_8c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
             libcrux_ml_kem_vector_traits_to_standard_domain_8c(
-                self->coefficients[j]);
+                myself->coefficients[j]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
             libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
                                                   &error->coefficients[j]));
-    self->coefficients[j] = uu____0;
+    myself->coefficients[j] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_8c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
+  libcrux_ml_kem_polynomial_add_standard_error_reduce_8c(self, error);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
index 7a519bf7c..3b4e28d82 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h
index a606f5f71..115e3a6be 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h
@@ -7,8 +7,8 @@
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9
- * Libcrux: fbef3649fa222b800fc7dcc349855bcd7de48e36
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: a197c4d7286246d59e3044d437b3da9119cd5de8
  */
 
 #ifndef __libcrux_sha3_portable_H

From b0ff2c5564db3c3edfbd9db2015c7e0e17649da5 Mon Sep 17 00:00:00 2001
From: mamonet <maamoun.tk@gmail.com>
Date: Wed, 11 Dec 2024 07:54:56 +0000
Subject: [PATCH 17/23] Put Vector.Rej_sample_table in SLOW_MODULES

---
 libcrux-ml-kem/proofs/fstar/extraction/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
index 4b9b03c26..7865c6d43 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
@@ -1,7 +1,7 @@
-SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst
+SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst \
+                Libcrux_ml_kem.Vector.Rej_sample_table.fsti
 
-ADMIT_MODULES = Libcrux_ml_kem.Vector.Rej_sample_table.fsti \
-              Libcrux_ml_kem.Vector.Neon.Arithmetic.fst \
+ADMIT_MODULES = Libcrux_ml_kem.Vector.Neon.Arithmetic.fst \
               Libcrux_ml_kem.Vector.Neon.Compress.fst \
               Libcrux_ml_kem.Vector.Neon.fsti \
               Libcrux_ml_kem.Vector.Neon.fst \

From d1cba6527e846ccd3ae64a53045fad388d29dd15 Mon Sep 17 00:00:00 2001
From: karthikbhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 14:49:30 +0000
Subject: [PATCH 18/23] table for verification status

---
 libcrux-ml-kem/proofs/verification_status.md | 76 +++++++++++---------
 1 file changed, 42 insertions(+), 34 deletions(-)

diff --git a/libcrux-ml-kem/proofs/verification_status.md b/libcrux-ml-kem/proofs/verification_status.md
index 9fe4f928b..90c045d85 100644
--- a/libcrux-ml-kem/proofs/verification_status.md
+++ b/libcrux-ml-kem/proofs/verification_status.md
@@ -2,41 +2,49 @@
 
 This file keeps track of the current verification status of the modules in the ML-KEM implementation.
 
-## Generic modules
-* constant_time_ops: Verified
-* hash_functions: Verified
-* ind_cca: Verified 
-* ind_cpa: Verified
-* ind_cca/instaniations: Verified
-* ind_cca/instaniations/avx2: Verified
-* ind_cca/multiplexing: Verified
+Lax Checking means that the module translates to typed code in F* which passes the F* lax checker.
+Runtime Safety means that the module has been proved to be free of panics, that it obeys all the preconditions
+set by the Rust standard library (e.g. arrays are accessed in bounds, arithmetic operations do not overflow, etc)
+as well as the pre-conditions set by all the modules this module depends on (e.g. range preconditions on inputs).
+Correctness means that the module has been formally verified for correctness against a high-level mathematical
+specifiction of its input-output behavior.
 
-* invert_ntt: Panic Free
-* ntt: Panic Free
-* mlkem*: Panic Free
+We write "yes" when the module is fully proven to satisfy one of these conditions, and "needs proofs" when some
+functions in the modules still need some proofs in that category.
 
-* matrix: Needs proofs
-* sampling: Needs proofs
-* polynomial: Needs proofs
-* serialize: Needs proofs
 
-## Portable modules
-* arithmetic: Verified
-* compress: Verified
-* ntt: Verified
-* serialize: Verified
-* sampling: Needs proofs
+| Category | File              | Lax Checking | Runtime Safety | Correctness  |
+| -------- | ----------------- | ------------ | -------------- | ------------ |
+| Generic  | constant_time_ops | yes          | yes            | yes          |    
+|          | hash_functions    | yes          | yes            | yes          |    
+|          | ind_cpa           | yes          | yes            | yes          |    
+|          | ind_cca           | yes          | yes            | yes          |    
+|          | instantiations    | yes          | yes            | yes          |    
+|          | multiplexing      | yes          | yes            | yes          |    
+|          | mlkem*            | yes          | yes            | needs proofs |    
+|          | invert_ntt        | yes          | yes            | needs proofs |    
+|          | ntt               | yes          | yes            | needs proofs |    
+|          | matrix            | yes          | needs proofs   | needs proofs |    
+|          | sampling          | yes          | needs proofs   | needs proofs |    
+|          | polynomial        | yes          | needs proofs   | needs proofs |    
+|          | serialize         | yes          | needs proofs   | needs proofs |    
+| -------- | ----------------- | ------------ | -------------- | ------------ |
+| Portable | arithmetic        | yes          | yes            | yes          |
+|          | ntt               | yes          | yes            | yes          |
+|          | compress          | yes          | yes            | yes          |
+|          | serialize         | yes          | yes            | yes          |
+|          | sampling          | yes          | needs proofs   | needs proofs |
+| -------- | ----------------- | ------------ | -------------- | ------------ |
+| avx2     | arithmetic        | yes          | yes            | yes          |
+|          | ntt               | yes          | yes            | yes          |
+|          | compress          | yes          | yes            | needs proofs |
+|          | serialize         | yes          | needs proofs   | needs proofs |
+|          | sampling          | yes          | needs proofs   | needs proofs |
+| -------- | ----------------- | ------------ | -------------- | ------------ |
+| neon     | arithmetic        | yes          | needs proofs   | needs proofs |
+|          | ntt               | yes          | needs proofs   | needs proofs |
+|          | compress          | yes          | needs proofs   | needs proofs |
+|          | serialize         | yes          | needs proofs   | needs proofs |
+|          | sampling          | yes          | needs proofs   | needs proofs |
+| -------- | ----------------- | ------------ | -------------- | ------------ |
 
-## AVX2 modules
-* arithmetic: Verified
-* serialize: Verified
-* compress: Panic Free
-* ntt: Needs proofs
-* sampling: Needs proofs
-
-## Neon modules
-* arithmetic: Not verified
-* serialize: Not verified
-* compress: Not verified
-* ntt: Needs Not verified
-* sampling: Not verified

From d8a1a29469a043a6d05124e6eb9419b393fd3e92 Mon Sep 17 00:00:00 2001
From: karthikbhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 14:55:45 +0000
Subject: [PATCH 19/23] linked issue

---
 libcrux-ml-kem/src/polynomial.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index 0df5e0f6f..541322227 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -68,6 +68,7 @@ pub(crate) struct PolynomialRingElement<Vector: Operations> {
 #[allow(non_snake_case)]
 fn ZERO<Vector: Operations>() -> PolynomialRingElement<Vector> {
     PolynomialRingElement {
+        // https://github.com/hacspec/hax/issues/27
         // FIXME:  The THIR body of item DefId(0:415 ~ libcrux_ml_kem[9000]::polynomial::{impl#0}::ZERO::{constant#0}) was stolen.
         coefficients: [Vector::ZERO(); 16],
     }

From 38cc1db9bab68ae1fdb52277f2d1b020de1a1ed7 Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 17:24:41 +0100
Subject: [PATCH 20/23] verif status

---
 libcrux-ml-kem/proofs/verification_status.md | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/libcrux-ml-kem/proofs/verification_status.md b/libcrux-ml-kem/proofs/verification_status.md
index 90c045d85..71f373679 100644
--- a/libcrux-ml-kem/proofs/verification_status.md
+++ b/libcrux-ml-kem/proofs/verification_status.md
@@ -15,7 +15,7 @@ functions in the modules still need some proofs in that category.
 
 | Category | File              | Lax Checking | Runtime Safety | Correctness  |
 | -------- | ----------------- | ------------ | -------------- | ------------ |
-| Generic  | constant_time_ops | yes          | yes            | yes          |    
+| _Generic_  | constant_time_ops | yes          | yes            | yes          |    
 |          | hash_functions    | yes          | yes            | yes          |    
 |          | ind_cpa           | yes          | yes            | yes          |    
 |          | ind_cca           | yes          | yes            | yes          |    
@@ -28,23 +28,22 @@ functions in the modules still need some proofs in that category.
 |          | sampling          | yes          | needs proofs   | needs proofs |    
 |          | polynomial        | yes          | needs proofs   | needs proofs |    
 |          | serialize         | yes          | needs proofs   | needs proofs |    
-| -------- | ----------------- | ------------ | -------------- | ------------ |
-| Portable | arithmetic        | yes          | yes            | yes          |
+| 	   |                   |              |                |              |
+| _Portable_ | arithmetic        | yes          | yes            | yes          |
 |          | ntt               | yes          | yes            | yes          |
 |          | compress          | yes          | yes            | yes          |
 |          | serialize         | yes          | yes            | yes          |
 |          | sampling          | yes          | needs proofs   | needs proofs |
-| -------- | ----------------- | ------------ | -------------- | ------------ |
-| avx2     | arithmetic        | yes          | yes            | yes          |
+|          |                   |              |                |              |
+| _Avx2_     | arithmetic        | yes          | yes            | yes          |
 |          | ntt               | yes          | yes            | yes          |
 |          | compress          | yes          | yes            | needs proofs |
 |          | serialize         | yes          | needs proofs   | needs proofs |
 |          | sampling          | yes          | needs proofs   | needs proofs |
-| -------- | ----------------- | ------------ | -------------- | ------------ |
-| neon     | arithmetic        | yes          | needs proofs   | needs proofs |
+|          |                   |              |                |              |
+| _Neon_     | arithmetic        | yes          | needs proofs   | needs proofs |
 |          | ntt               | yes          | needs proofs   | needs proofs |
 |          | compress          | yes          | needs proofs   | needs proofs |
 |          | serialize         | yes          | needs proofs   | needs proofs |
 |          | sampling          | yes          | needs proofs   | needs proofs |
-| -------- | ----------------- | ------------ | -------------- | ------------ |
 

From 578d7f6dbe55b38980626130478d44e5203b3976 Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 18:08:59 +0100
Subject: [PATCH 21/23] raw strings

---
 libcrux-ml-kem/src/constant_time_ops.rs       |  60 +--
 libcrux-ml-kem/src/hash_functions.rs          |  92 ++---
 libcrux-ml-kem/src/ind_cca.rs                 | 194 +++++----
 libcrux-ml-kem/src/ind_cca/instantiations.rs  |  44 +-
 .../src/ind_cca/instantiations/avx2.rs        | 308 +++++++-------
 libcrux-ml-kem/src/ind_cca/multiplexing.rs    |  20 +-
 libcrux-ml-kem/src/ind_cpa.rs                 | 382 +++++++++---------
 libcrux-ml-kem/src/invert_ntt.rs              | 100 ++---
 libcrux-ml-kem/src/matrix.rs                  |  30 +-
 libcrux-ml-kem/src/mlkem1024.rs               |  24 +-
 libcrux-ml-kem/src/mlkem512.rs                |  24 +-
 libcrux-ml-kem/src/mlkem768.rs                |  24 +-
 libcrux-ml-kem/src/ntt.rs                     | 148 +++----
 libcrux-ml-kem/src/polynomial.rs              |   4 +-
 libcrux-ml-kem/src/sampling.rs                |  20 +-
 libcrux-ml-kem/src/serialize.rs               | 130 +++---
 libcrux-ml-kem/src/types.rs                   |  16 +-
 libcrux-ml-kem/src/utils.rs                   |  24 +-
 libcrux-ml-kem/src/variant.rs                 |  16 +-
 libcrux-ml-kem/src/vector/avx2.rs             | 220 +++++-----
 libcrux-ml-kem/src/vector/avx2/arithmetic.rs  | 226 ++++++-----
 libcrux-ml-kem/src/vector/avx2/compress.rs    |   6 +-
 libcrux-ml-kem/src/vector/avx2/ntt.rs         |  14 +-
 libcrux-ml-kem/src/vector/avx2/serialize.rs   |  18 +-
 libcrux-ml-kem/src/vector/neon.rs             |   6 +-
 libcrux-ml-kem/src/vector/portable.rs         | 186 ++++-----
 .../src/vector/portable/arithmetic.rs         | 176 ++++----
 .../src/vector/portable/compress.rs           |  76 ++--
 libcrux-ml-kem/src/vector/portable/ntt.rs     | 206 +++++-----
 .../src/vector/portable/sampling.rs           |   2 +-
 .../src/vector/portable/vector_type.rs        |   6 +-
 libcrux-ml-kem/src/vector/traits.rs           | 156 +++----
 32 files changed, 1554 insertions(+), 1404 deletions(-)

diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs
index 7c2a9323e..33c7c858f 100644
--- a/libcrux-ml-kem/src/constant_time_ops.rs
+++ b/libcrux-ml-kem/src/constant_time_ops.rs
@@ -11,14 +11,15 @@ use crate::constants::SHARED_SECRET_SIZE;
 // XXX: We have to disable this for C extraction for now. See eurydice/issues#37
 
 /// Return 1 if `value` is not zero and 0 otherwise.
-#[hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\
-    ($value =!= 0uy ==> $result == 1uy)"))]
+#[hax_lib::ensures(|result| fstar!(r#"($value == 0uy ==> $result == 0uy) /\
+    ($value =!= 0uy ==> $result == 1uy)"#))]
 fn inz(value: u8) -> u8 {
     let _orig_value = value;
     let value = value as u16;
     let result = ((!value).wrapping_add(1) >> 8) as u8;
     let res = result & 1;
-    hax_lib::fstar!("if v $_orig_value = 0 then  (
+    hax_lib::fstar!(
+        r#"if v $_orig_value = 0 then  (
         assert($value == zero);
         lognot_lemma $value;
         assert((~.$value +. 1us) == zero);
@@ -42,13 +43,14 @@ fn inz(value: u8) -> u8 {
         assert (v ((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) >>! 8l) = pow2 8 - 1);
         assert ($result = ones);
         logand_lemma 1uy $result;
-        assert ($res = 1uy))");
+        assert ($res = 1uy))"#
+    );
     res
 }
 
 #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out.
-#[hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\
-    ($value =!= 0uy ==> $result == 1uy)"))]
+#[hax_lib::ensures(|result| fstar!(r#"($value == 0uy ==> $result == 0uy) /\
+    ($value =!= 0uy ==> $result == 1uy)"#))]
 fn is_non_zero(value: u8) -> u8 {
     #[cfg(eurydice)]
     return inz(value);
@@ -60,21 +62,22 @@ fn is_non_zero(value: u8) -> u8 {
 /// Return 1 if the bytes of `lhs` and `rhs` do not exactly
 /// match and 0 otherwise.
 #[hax_lib::requires(lhs.len() == rhs.len())]
-#[hax_lib::ensures(|result| fstar!("($lhs == $rhs ==> $result == 0uy) /\\
-    ($lhs =!= $rhs ==> $result == 1uy)"))]
+#[hax_lib::ensures(|result| fstar!(r#"($lhs == $rhs ==> $result == 0uy) /\
+    ($lhs =!= $rhs ==> $result == 1uy)"#))]
 fn compare(lhs: &[u8], rhs: &[u8]) -> u8 {
     let mut r: u8 = 0;
     for i in 0..lhs.len() {
         hax_lib::loop_invariant!(|i: usize| {
             fstar!(
-                "v $i <= Seq.length $lhs /\\
+                "v $i <= Seq.length $lhs /\
             (if (Seq.slice $lhs 0 (v $i) = Seq.slice $rhs 0 (v $i)) then
                 $r == 0uy
                 else ~ ($r == 0uy))"
             )
         });
         let nr = r | (lhs[i] ^ rhs[i]);
-        hax_lib::fstar!("if $r =. 0uy then (
+        hax_lib::fstar!(
+            r#"if $r =. 0uy then (
             if (Seq.index $lhs (v $i) = Seq.index $rhs (v $i)) then (
                logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i));
                assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) = zero);
@@ -101,7 +104,8 @@ fn compare(lhs: &[u8], rhs: &[u8]) -> u8 {
               (assert (forall j. j < (v $i) + 1 ==> Seq.index (Seq.slice $lhs 0 ((v $i)+1)) j == Seq.index (Seq.slice $rhs 0 ((v $i)+1)) j);
                eq_intro (Seq.slice $lhs 0 (v $i)) (Seq.slice $rhs 0 (v $i));
                assert(False))
-          )");
+          )"#
+        );
         r = nr;
     }
 
@@ -114,8 +118,8 @@ fn compare(lhs: &[u8], rhs: &[u8]) -> u8 {
     lhs.len() == rhs.len() &&
     lhs.len() == SHARED_SECRET_SIZE
 )]
-#[hax_lib::ensures(|result| fstar!("($selector == 0uy ==> $result == $lhs) /\\
-        ($selector =!= 0uy ==> $result == $rhs)"))]
+#[hax_lib::ensures(|result| fstar!(r#"($selector == 0uy ==> $result == $lhs) /\
+        ($selector =!= 0uy ==> $result == $rhs)"#))]
 #[hax_lib::fstar::options("--ifuel 0 --z3rlimit 50")]
 fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] {
     let mask = is_non_zero(selector).wrapping_sub(1);
@@ -128,13 +132,16 @@ fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] {
 
     for i in 0..SHARED_SECRET_SIZE {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("v $i <= v $SHARED_SECRET_SIZE /\\
-            (forall j. j < v $i ==> (if ($selector =. 0uy) then Seq.index $out j == Seq.index $lhs j else Seq.index $out j == Seq.index $rhs j)) /\\
-            (forall j. j >= v $i ==> Seq.index $out j == 0uy)")
+            fstar!(
+                r#"v $i <= v $SHARED_SECRET_SIZE /\
+            (forall j. j < v $i ==> (if ($selector =. 0uy) then Seq.index $out j == Seq.index $lhs j else Seq.index $out j == Seq.index $rhs j)) /\
+            (forall j. j >= v $i ==> Seq.index $out j == 0uy)"#
+            )
         });
-        hax_lib::fstar!("assert ((${out}.[ $i ] <: u8) = 0uy)");
+        hax_lib::fstar!(r#"assert ((${out}.[ $i ] <: u8) = 0uy)"#);
         let outi = (lhs[i] & mask) | (rhs[i] & !mask);
-        hax_lib::fstar!("if ($selector = 0uy) then (
+        hax_lib::fstar!(
+            r#"if ($selector = 0uy) then (
             logand_lemma (${lhs}.[ $i ] <: u8) $mask;
             assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == (${lhs}.[ $i ] <: u8));
             logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask);
@@ -156,7 +163,8 @@ fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] {
             logor_lemma (${out}.[ $i ] <: u8) (${rhs}.[ $i ] <: u8);
             assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${rhs}.[ $i ] <: u8));
             assert ($outi = (${rhs}.[ $i ] <: u8))
-          )");
+          )"#
+        );
         out[i] = outi;
     }
 
@@ -173,8 +181,8 @@ fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] {
 
 #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out.
 #[hax_lib::requires(lhs.len() == rhs.len())]
-#[hax_lib::ensures(|result| fstar!("($lhs == $rhs ==> $result == 0uy) /\\
-    ($lhs =!= $rhs ==> $result == 1uy)"))]
+#[hax_lib::ensures(|result| fstar!(r#"($lhs == $rhs ==> $result == 0uy) /\
+    ($lhs =!= $rhs ==> $result == 1uy)"#))]
 pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 {
     #[cfg(eurydice)]
     return compare(lhs, rhs);
@@ -188,8 +196,8 @@ pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8
     lhs.len() == rhs.len() &&
     lhs.len() == SHARED_SECRET_SIZE
 )]
-#[hax_lib::ensures(|result| fstar!("($selector == 0uy ==> $result == $lhs) /\\
-       ($selector =!= 0uy ==> $result == $rhs)"))]
+#[hax_lib::ensures(|result| fstar!(r#"($selector == 0uy ==> $result == $lhs) /\
+       ($selector =!= 0uy ==> $result == $rhs)"#))]
 pub(crate) fn select_shared_secret_in_constant_time(
     lhs: &[u8],
     rhs: &[u8],
@@ -207,9 +215,9 @@ pub(crate) fn select_shared_secret_in_constant_time(
     lhs_s.len() == rhs_s.len() &&
     lhs_s.len() == SHARED_SECRET_SIZE
 )]
-#[hax_lib::ensures(|result| fstar!("let selector = if $lhs_c =. $rhs_c then 0uy else 1uy in
-    ((selector == 0uy ==> $result == $lhs_s) /\\
-     (selector =!= 0uy ==> $result == $rhs_s))"))]
+#[hax_lib::ensures(|result| fstar!(r#"let selector = if $lhs_c =. $rhs_c then 0uy else 1uy in
+    ((selector == 0uy ==> $result == $lhs_s) /\
+     (selector =!= 0uy ==> $result == $rhs_s))"#))]
 pub(crate) fn compare_ciphertexts_select_shared_secret_in_constant_time(
     lhs_c: &[u8],
     rhs_c: &[u8],
diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs
index 17d34fdc2..f76ad4c8f 100644
--- a/libcrux-ml-kem/src/hash_functions.rs
+++ b/libcrux-ml-kem/src/hash_functions.rs
@@ -28,31 +28,31 @@ pub(crate) trait Hash<const K: usize> {
     /// G aka SHA3 512
     #[requires(true)]
     #[ensures(|result|
-        fstar!("$result == Spec.Utils.v_G $input"))
+        fstar!(r#"$result == Spec.Utils.v_G $input"#))
     ]
     fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE];
 
     /// H aka SHA3 256
     #[requires(true)]
     #[ensures(|result|
-        fstar!("$result == Spec.Utils.v_H $input"))
+        fstar!(r#"$result == Spec.Utils.v_H $input"#))
     ]
     fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE];
 
     /// PRF aka SHAKE256
-    #[requires(fstar!("v $LEN < pow2 32"))]
+    #[requires(fstar!(r#"v $LEN < pow2 32"#))]
     #[ensures(|result|
         // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
-        fstar!("v $LEN < pow2 32 ==> $result == Spec.Utils.v_PRF $LEN $input"))
+        fstar!(r#"v $LEN < pow2 32 ==> $result == Spec.Utils.v_PRF $LEN $input"#))
     ]
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN];
 
     /// PRFxN aka N SHAKE256
-    #[requires(fstar!("v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"))]
+    #[requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
     #[ensures(|result|
         // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
-        fstar!("(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
-            $result == Spec.Utils.v_PRFxN $K $LEN $input"))
+        fstar!(r#"(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
+            $result == Spec.Utils.v_PRFxN $K $LEN $input"#))
     ]
     fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K];
 
@@ -84,7 +84,7 @@ pub(crate) mod portable {
     }
 
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_G $input"))
+        fstar!(r#"$result == Spec.Utils.v_G $input"#))
     ]
     #[inline(always)]
     fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
@@ -94,7 +94,7 @@ pub(crate) mod portable {
     }
 
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_H $input"))
+        fstar!(r#"$result == Spec.Utils.v_H $input"#))
     ]
     #[inline(always)]
     fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
@@ -103,9 +103,9 @@ pub(crate) mod portable {
         digest
     }
 
-    #[hax_lib::requires(fstar!("v $LEN < pow2 32"))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))]
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_PRF $LEN $input"))
+        fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#))
     ]
     #[inline(always)]
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
@@ -114,9 +114,9 @@ pub(crate) mod portable {
         digest
     }
 
-    #[hax_lib::requires(fstar!("v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_PRFxN $K $LEN $input"))
+        fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
     ]
     #[inline(always)]
     fn PRFxN<const K: usize, const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
@@ -172,7 +172,7 @@ pub(crate) mod portable {
     #[hax_lib::attributes]
     impl<const K: usize> Hash<K> for PortableHash<K> {
         #[ensures(|out|
-            fstar!("$out == Spec.Utils.v_G $input"))
+            fstar!(r#"$out == Spec.Utils.v_G $input"#))
         ]
         #[inline(always)]
         fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
@@ -180,27 +180,27 @@ pub(crate) mod portable {
         }
 
         #[ensures(|out|
-            fstar!("$out == Spec.Utils.v_H $input"))
+            fstar!(r#"$out == Spec.Utils.v_H $input"#))
         ]
         #[inline(always)]
         fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
             H(input)
         }
 
-        #[requires(fstar!("v $LEN < pow2 32"))]
+        #[requires(fstar!(r#"v $LEN < pow2 32"#))]
         #[ensures(|out|
             // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
-            fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"))
+            fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#))
         ]
         #[inline(always)]
         fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
             PRF::<LEN>(input)
         }
 
-        #[requires(fstar!("v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"))]
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
         #[ensures(|out|
-            fstar!("(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
-                $out == Spec.Utils.v_PRFxN $K $LEN $input"))
+            fstar!(r#"(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
+                $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
         ]
         #[inline(always)]
         fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
@@ -243,7 +243,7 @@ pub(crate) mod avx2 {
     }
 
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_G $input"))
+        fstar!(r#"$result == Spec.Utils.v_G $input"#))
     ]
     #[inline(always)]
     fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
@@ -253,7 +253,7 @@ pub(crate) mod avx2 {
     }
 
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_H $input"))
+        fstar!(r#"$result == Spec.Utils.v_H $input"#))
     ]
     #[inline(always)]
     fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
@@ -262,9 +262,9 @@ pub(crate) mod avx2 {
         digest
     }
 
-    #[hax_lib::requires(fstar!("v $LEN < pow2 32"))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))]
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_PRF $LEN $input"))
+        fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#))
     ]
     #[inline(always)]
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
@@ -273,9 +273,9 @@ pub(crate) mod avx2 {
         digest
     }
 
-    #[hax_lib::requires(fstar!("v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_PRFxN $K $LEN $input"))
+        fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
     ]
     #[inline(always)]
     fn PRFxN<const K: usize, const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
@@ -425,7 +425,7 @@ pub(crate) mod avx2 {
     #[hax_lib::attributes]
     impl<const K: usize> Hash<K> for Simd256Hash {
         #[ensures(|out|
-            fstar!("$out == Spec.Utils.v_G $input"))
+            fstar!(r#"$out == Spec.Utils.v_G $input"#))
         ]
         #[inline(always)]
         fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
@@ -433,27 +433,27 @@ pub(crate) mod avx2 {
         }
 
         #[ensures(|out|
-            fstar!("$out == Spec.Utils.v_H $input"))
+            fstar!(r#"$out == Spec.Utils.v_H $input"#))
         ]
         #[inline(always)]
         fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
             H(input)
         }
 
-        #[requires(fstar!("v $LEN < pow2 32"))]
+        #[requires(fstar!(r#"v $LEN < pow2 32"#))]
         #[hax_lib::ensures(|out|
             // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
-            fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"))
+            fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#))
         ]
         #[inline(always)]
         fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
             PRF::<LEN>(input)
         }
 
-        #[requires(fstar!("v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"))]
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
         #[ensures(|out|
-            fstar!("(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
-                $out == Spec.Utils.v_PRFxN $K $LEN $input"))
+            fstar!(r#"(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
+                $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
         ]
         #[inline(always)]
         fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
@@ -493,7 +493,7 @@ pub(crate) mod neon {
     }
 
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_G $input"))
+        fstar!(r#"$result == Spec.Utils.v_G $input"#))
     ]
     #[inline(always)]
     fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
@@ -503,7 +503,7 @@ pub(crate) mod neon {
     }
 
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_H $input"))
+        fstar!(r#"$result == Spec.Utils.v_H $input"#))
     ]
     #[inline(always)]
     fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
@@ -512,9 +512,9 @@ pub(crate) mod neon {
         digest
     }
 
-    #[hax_lib::requires(fstar!("v $LEN < pow2 32"))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))]
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_PRF $LEN $input"))
+        fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#))
     ]
     #[inline(always)]
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
@@ -524,9 +524,9 @@ pub(crate) mod neon {
         digest
     }
 
-    #[hax_lib::requires(fstar!("v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
     #[hax_lib::ensures(|result|
-        fstar!("$result == Spec.Utils.v_PRFxN $K $LEN $input"))
+        fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
     ]
     #[inline(always)]
     fn PRFxN<const K: usize, const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
@@ -703,7 +703,7 @@ pub(crate) mod neon {
     #[hax_lib::attributes]
     impl<const K: usize> Hash<K> for Simd128Hash {
         #[ensures(|out|
-            fstar!("$out == Spec.Utils.v_G $input"))
+            fstar!(r#"$out == Spec.Utils.v_G $input"#))
         ]
         #[inline(always)]
         fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
@@ -711,28 +711,28 @@ pub(crate) mod neon {
         }
 
         #[ensures(|out|
-            fstar!("$out == Spec.Utils.v_H $input"))
+            fstar!(r#"$out == Spec.Utils.v_H $input"#))
         ]
         #[inline(always)]
         fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
             H(input)
         }
 
-        #[requires(fstar!("v $LEN < pow2 32"))]
+        #[requires(fstar!(r#"v $LEN < pow2 32"#))]
         #[ensures(|out|
             // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
-            fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"))
+            fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#))
         ]
         #[inline(always)]
         fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
             PRF::<LEN>(input)
         }
 
-        #[requires(fstar!("v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"))]
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
         #[ensures(|out|
             // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
-            fstar!("(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
-                $out == Spec.Utils.v_PRFxN $K $LEN $input"))
+            fstar!(r#"(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
+                $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
         ]
         #[inline(always)]
         fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs
index bc7c45428..843d347f2 100644
--- a/libcrux-ml-kem/src/ind_cca.rs
+++ b/libcrux-ml-kem/src/ind_cca.rs
@@ -37,15 +37,15 @@ pub(crate) mod instantiations;
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 150")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
     ${private_key.len()} == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
     ${public_key.len()} == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"))]
-#[hax_lib::ensures(|result| fstar!("${serialized}_future == Seq.append $private_key (
+    ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"#))]
+#[hax_lib::ensures(|result| fstar!(r#"${serialized}_future == Seq.append $private_key (
                                               Seq.append $public_key (
                                               Seq.append (Spec.Utils.v_H $public_key) 
-                                                  $implicit_rejection_value))"))]
+                                                  $implicit_rejection_value))"#))]
 fn serialize_kem_secret_key_mut<
     const K: usize,
     const SERIALIZED_KEY_LEN: usize,
@@ -66,7 +66,8 @@ fn serialize_kem_secret_key_mut<
     serialized[pointer..pointer + implicit_rejection_value.len()]
         .copy_from_slice(implicit_rejection_value);
 
-    hax_lib::fstar!("let open Spec.Utils in
+    hax_lib::fstar!(
+        r#"let open Spec.Utils in
     assert (Seq.slice serialized 0 (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K)) `Seq.equal` $private_key);
     assert (Seq.slice serialized (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K))
                             (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K)) `Seq.equal` $public_key);
@@ -84,20 +85,21 @@ fn serialize_kem_secret_key_mut<
                                             Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE +!
                                             Spec.MLKEM.v_SHARED_SECRET_SIZE))
             == $implicit_rejection_value);
-    lemma_slice_append_4 serialized $private_key $public_key (Libcrux_ml_kem.Hash_functions.f_H #$:Hasher #$K $public_key) $implicit_rejection_value");
+    lemma_slice_append_4 serialized $private_key $public_key (Libcrux_ml_kem.Hash_functions.f_H #$:Hasher #$K $public_key) $implicit_rejection_value"#
+    );
 }
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 150")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
     ${private_key.len()} == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
     ${public_key.len()} == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"))]
-#[hax_lib::ensures(|result| fstar!("$result == Seq.append $private_key (
+    ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"#))]
+#[hax_lib::ensures(|result| fstar!(r#"$result == Seq.append $private_key (
                                               Seq.append $public_key (
                                               Seq.append (Spec.Utils.v_H $public_key) 
-                                                  $implicit_rejection_value))"))]
+                                                  $implicit_rejection_value))"#))]
 fn serialize_kem_secret_key<const K: usize, const SERIALIZED_KEY_LEN: usize, Hasher: Hash<K>>(
     private_key: &[u8],
     public_key: &[u8],
@@ -120,9 +122,9 @@ fn serialize_kem_secret_key<const K: usize, const SERIALIZED_KEY_LEN: usize, Has
 /// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the
 /// `public_key` type.
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))]
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 fn validate_public_key<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -150,9 +152,9 @@ fn validate_public_key<
 /// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types.
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 300")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))]
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 fn validate_private_key<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -170,8 +172,8 @@ fn validate_private_key<
 /// This implements the Hash check in 7.3 3.
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 300")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"#))]
 fn validate_private_key_only<const K: usize, const SECRET_KEY_SIZE: usize, Hasher: Hash<K>>(
     private_key: &MlKemPrivateKey<SECRET_KEY_SIZE>,
 ) -> bool {
@@ -190,15 +192,15 @@ fn validate_private_key_only<const K: usize, const SECRET_KEY_SIZE: usize, Hashe
 /// Depending on the `Vector` and `Hasher` used, this requires different hardware
 /// features
 #[hax_lib::fstar::options("--z3rlimit 300")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
     $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
     $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
     $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))]
-#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_generate_keypair $K $randomness in
-                                    valid ==> (${result}.f_sk.f_value, ${result}.f_pk.f_value) == expected"))]
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
+#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cca_generate_keypair $K $randomness in
+                                    valid ==> (${result}.f_sk.f_value, ${result}.f_pk.f_value) == expected"#))]
 #[inline(always)]
 fn generate_keypair<
     const K: usize,
@@ -241,7 +243,7 @@ fn generate_keypair<
 }
 
 #[hax_lib::fstar::options("--z3rlimit 300")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
     $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
@@ -253,9 +255,9 @@ fn generate_keypair<
     $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
     $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
     $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))]
-#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_encapsulate $K ${public_key}.f_value $randomness in
-                                    valid ==> (${result}._1.f_value, ${result}._2) == expected"))]
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
+#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cca_encapsulate $K ${public_key}.f_value $randomness in
+                                    valid ==> (${result}._1.f_value, ${result}._2) == expected"#))]
 #[inline(always)]
 fn encapsulate<
     const K: usize,
@@ -280,7 +282,7 @@ fn encapsulate<
 ) -> (MlKemCiphertext<CIPHERTEXT_SIZE>, MlKemSharedSecret) {
     let randomness = Scheme::entropy_preprocess::<K, Hasher>(&randomness);
     let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&randomness);
-    hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $randomness");
+    hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $randomness"#);
     to_hash[H_DIGEST_SIZE..].copy_from_slice(&Hasher::H(public_key.as_slice()));
     hax_lib::fstar!(
         "assert (Seq.slice to_hash 0 (v $H_DIGEST_SIZE) == $randomness);
@@ -314,7 +316,7 @@ fn encapsulate<
 
 /// This code verifies on some machines, runs out of memory on others
 #[hax_lib::fstar::options("--z3rlimit 500")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
     $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
@@ -329,9 +331,9 @@ fn encapsulate<
     $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
     $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
     $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
-#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_decapsulate $K ${private_key}.f_value ${ciphertext}.f_value in
-                                    valid ==> $result == expected"))]
+    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
+#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cca_decapsulate $K ${private_key}.f_value ${ciphertext}.f_value in
+                                    valid ==> $result == expected"#))]
 #[inline(always)]
 pub(crate) fn decapsulate<
     const K: usize,
@@ -357,16 +359,20 @@ pub(crate) fn decapsulate<
     private_key: &MlKemPrivateKey<SECRET_KEY_SIZE>,
     ciphertext: &MlKemCiphertext<CIPHERTEXT_SIZE>,
 ) -> MlKemSharedSecret {
-    hax_lib::fstar!("assert (v $CIPHERTEXT_SIZE == v $IMPLICIT_REJECTION_HASH_INPUT_SIZE - v $SHARED_SECRET_SIZE)");
+    hax_lib::fstar!(
+        r#"assert (v $CIPHERTEXT_SIZE == v $IMPLICIT_REJECTION_HASH_INPUT_SIZE - v $SHARED_SECRET_SIZE)"#
+    );
     let (ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value) =
         unpack_private_key::<CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE>(&private_key.value);
 
-    hax_lib::fstar!("assert ($ind_cpa_secret_key == slice ${private_key}.f_value (sz 0) $CPA_SECRET_KEY_SIZE);
+    hax_lib::fstar!(
+        r#"assert ($ind_cpa_secret_key == slice ${private_key}.f_value (sz 0) $CPA_SECRET_KEY_SIZE);
         assert ($ind_cpa_public_key == slice ${private_key}.f_value $CPA_SECRET_KEY_SIZE ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE));
         assert ($ind_cpa_public_key_hash == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE)
             ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE));
         assert ($implicit_rejection_value == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)
-            (length ${private_key}.f_value))");
+            (length ${private_key}.f_value))"#
+    );
     let decrypted = crate::ind_cpa::decrypt::<
         K,
         CIPHERTEXT_SIZE,
@@ -377,22 +383,26 @@ pub(crate) fn decapsulate<
     >(ind_cpa_secret_key, &ciphertext.value);
 
     let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted);
-    hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $decrypted");
+    hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $decrypted"#);
     to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash);
 
-    hax_lib::fstar!("lemma_slice_append to_hash $decrypted $ind_cpa_public_key_hash;
+    hax_lib::fstar!(
+        r#"lemma_slice_append to_hash $decrypted $ind_cpa_public_key_hash;
         assert ($decrypted == Spec.MLKEM.ind_cpa_decrypt $K $ind_cpa_secret_key ${ciphertext}.f_value);
-        assert ($to_hash == concat $decrypted $ind_cpa_public_key_hash)");
+        assert ($to_hash == concat $decrypted $ind_cpa_public_key_hash)"#
+    );
     let hashed = Hasher::G(&to_hash);
     let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
 
-    hax_lib::fstar!("assert (($shared_secret , $pseudorandomness) == split $hashed $SHARED_SECRET_SIZE);
+    hax_lib::fstar!(
+        r#"assert (($shared_secret , $pseudorandomness) == split $hashed $SHARED_SECRET_SIZE);
         assert (length $implicit_rejection_value = $SECRET_KEY_SIZE -! $CPA_SECRET_KEY_SIZE -! $PUBLIC_KEY_SIZE -! $H_DIGEST_SIZE);
         assert (length $implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE);
-        assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K)");
+        assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K)"#
+    );
     let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] =
         into_padded_array(implicit_rejection_value);
-    hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $implicit_rejection_value");
+    hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $implicit_rejection_value"#);
     to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref());
     hax_lib::fstar!(
         "assert_norm (pow2 32 == 0x100000000);
@@ -473,17 +483,17 @@ pub(crate) mod unpacked {
 
     /// Generate an unpacked key from a serialized key.
     #[hax_lib::requires(
-        fstar!("Spec.MLKEM.is_rank $K /\\
+        fstar!(r#"Spec.MLKEM.is_rank $K /\\
         $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K")
+        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
     )]
     #[hax_lib::ensures(|result|
-        fstar!("let (public_key_hash, (seed, (deserialized_pk, (matrix_A, valid)))) =
+        fstar!(r#"let (public_key_hash, (seed, (deserialized_pk, (matrix_A, valid)))) =
             Spec.MLKEM.ind_cca_unpack_public_key $K ${public_key}.f_value in (valid ==>
             Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${unpacked_public_key}_future.f_ind_cpa_public_key.f_A == matrix_A) /\\
         Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${unpacked_public_key}_future.f_ind_cpa_public_key.f_t_as_ntt == deserialized_pk /\\
         ${unpacked_public_key}_future.f_ind_cpa_public_key.f_seed_for_A == seed /\\
-        ${unpacked_public_key}_future.f_public_key_hash == public_key_hash"))
+        ${unpacked_public_key}_future.f_public_key_hash == public_key_hash"#))
     ]
     #[inline(always)]
     pub(crate) fn unpack_public_key<
@@ -501,10 +511,12 @@ pub(crate) mod unpacked {
             &public_key.value[..T_AS_NTT_ENCODED_SIZE],
             &mut unpacked_public_key.ind_cpa_public_key.t_as_ntt,
         );
-        hax_lib::fstar!("let (_, seed) = split ${public_key}.f_value (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K) in
+        hax_lib::fstar!(
+            r#"let (_, seed) = split ${public_key}.f_value (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K) in
             Lib.Sequence.eq_intro #u8 #32 (Libcrux_ml_kem.Utils.into_padded_array (sz 32) seed) seed;
             Lib.Sequence.eq_intro #u8 #32
-                (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32) seed");
+                (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32) seed"#
+        );
         unpacked_public_key.ind_cpa_public_key.seed_for_A =
             into_padded_array(&public_key.value[T_AS_NTT_ENCODED_SIZE..]);
         sample_matrix_A::<K, Vector, Hasher>(
@@ -519,18 +531,18 @@ pub(crate) mod unpacked {
     impl<const K: usize, Vector: Operations> MlKemPublicKeyUnpacked<K, Vector> {
         /// Get the serialized public key.
         #[inline(always)]
-        #[requires(fstar!("Spec.MLKEM.is_rank $K /\\
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
             $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
             $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
             (forall (i:nat). i < v $K ==>
                 Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                    self.f_ind_cpa_public_key.f_t_as_ntt i))"))]
+                    self.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
         #[ensures(|_|
-            fstar!("${serialized}_future.f_value == 
+            fstar!(r#"${serialized}_future.f_value == 
                 Seq.append (Spec.MLKEM.vector_encode_12 #$K
                     (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector
                         self.f_ind_cpa_public_key.f_t_as_ntt))
-                self.f_ind_cpa_public_key.f_seed_for_A)")
+                self.f_ind_cpa_public_key.f_seed_for_A)"#)
         )]
         pub fn serialized_mut<
             const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -548,17 +560,17 @@ pub(crate) mod unpacked {
 
         /// Get the serialized public key.
         #[inline(always)]
-        #[requires(fstar!("Spec.MLKEM.is_rank $K /\\
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
             $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
             $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
             (forall (i:nat). i < v $K ==>
                 Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index
-                    self.f_ind_cpa_public_key.f_t_as_ntt i))"))]
+                    self.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
         #[ensures(|res|
-            fstar!("${res}.f_value == Seq.append (Spec.MLKEM.vector_encode_12 #$K
+            fstar!(r#"${res}.f_value == Seq.append (Spec.MLKEM.vector_encode_12 #$K
                             (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector
                                 self.f_ind_cpa_public_key.f_t_as_ntt))
-                        self.f_ind_cpa_public_key.f_seed_for_A)")
+                        self.f_ind_cpa_public_key.f_seed_for_A)"#)
         )]
         pub fn serialized<
             const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -590,12 +602,12 @@ pub(crate) mod unpacked {
 
     /// Take a serialized private key and generate an unpacked key pair from it.
     #[inline(always)]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
            v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\\
            v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\\
            v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\\
            v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\\
-           v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"))]
+           v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))]
     pub fn keys_from_private_key<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
@@ -654,12 +666,12 @@ pub(crate) mod unpacked {
 
         /// Take a serialized private key and generate an unpacked key pair from it.
         #[inline(always)]
-        #[requires(fstar!("Spec.MLKEM.is_rank $K /\\
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
            v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\\
            v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\\
            v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\\
            v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\\
-           v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"))]
+           v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#))]
         pub fn from_private_key<
             const SECRET_KEY_SIZE: usize,
             const CPA_SECRET_KEY_SIZE: usize,
@@ -684,18 +696,18 @@ pub(crate) mod unpacked {
 
         /// Get the serialized public key.
         #[inline(always)]
-        #[requires(fstar!("Spec.MLKEM.is_rank $K /\\
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
             $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
             $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
             (forall (i:nat). i < v $K ==>
                 Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                    self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"))]
+                    self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
         #[ensures(|_|
-            fstar!("${serialized}_future.f_value == 
+            fstar!(r#"${serialized}_future.f_value == 
                 Seq.append (Spec.MLKEM.vector_encode_12 #$K
                     (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector
                         self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
-                self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)")
+                self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)"#)
         )]
         pub fn serialized_public_key_mut<
             const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -710,17 +722,17 @@ pub(crate) mod unpacked {
 
         /// Get the serialized public key.
         #[inline(always)]
-        #[requires(fstar!("Spec.MLKEM.is_rank $K /\\
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
             $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
             $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
             (forall (i:nat). i < v $K ==>
                 Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index
-                    self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"))]
+                    self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
         #[ensures(|res|
-            fstar!("${res}.f_value == Seq.append (Spec.MLKEM.vector_encode_12 #$K
+            fstar!(r#"${res}.f_value == Seq.append (Spec.MLKEM.vector_encode_12 #$K
                             (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector
                                 self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
-                        self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)")
+                        self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)"#)
         )]
         pub fn serialized_public_key<
             const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -746,11 +758,11 @@ pub(crate) mod unpacked {
 
         /// Get the serialized private key.
         #[inline(always)]
-        #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+        #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
             $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
             $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
             $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K"))]
+            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K"#))]
         pub fn serialized_private_key_mut<
             const CPA_PRIVATE_KEY_SIZE: usize,
             const PRIVATE_KEY_SIZE: usize,
@@ -781,11 +793,11 @@ pub(crate) mod unpacked {
 
         /// Get the serialized private key.
         #[inline(always)]
-        #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+        #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
             $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
             $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
             $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K"))]
+            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K"#))]
         pub fn serialized_private_key<
             const CPA_PRIVATE_KEY_SIZE: usize,
             const PRIVATE_KEY_SIZE: usize,
@@ -815,10 +827,10 @@ pub(crate) mod unpacked {
 
     #[hax_lib::fstar::options("--z3rlimit 200")]
     #[hax_lib::ensures(|result|
-        fstar!("forall (i: nat). i < v $K ==>
+        fstar!(r#"forall (i: nat). i < v $K ==>
             (forall (j: nat). j < v $K ==>
                 Seq.index (Seq.index $result i) j ==
-                    Seq.index (Seq.index $ind_cpa_a j) i)"))
+                    Seq.index (Seq.index $ind_cpa_a j) i)"#))
     ]
     fn transpose_a<const K: usize, Vector: Operations>(
         ind_cpa_a: [[PolynomialRingElement<Vector>; K]; K],
@@ -862,18 +874,18 @@ pub(crate) mod unpacked {
     /// Generate Unpacked Keys
     #[inline(always)]
     #[hax_lib::fstar::options("--z3rlimit 1500 --ext context_pruning --z3refresh")]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
         $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
         $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
         $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"))]
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
     #[hax_lib::ensures(|result|
-        fstar!("let ((m_A, public_key_hash), implicit_rejection_value), valid =
+        fstar!(r#"let ((m_A, public_key_hash), implicit_rejection_value), valid =
             Spec.MLKEM.ind_cca_unpack_generate_keypair $K $randomness in
         valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector
             ${out}_future.f_public_key.f_ind_cpa_public_key.f_A == m_A /\\
         ${out}_future.f_public_key.f_public_key_hash == public_key_hash /\\
-        ${out}_future.f_private_key.f_implicit_rejection_value == implicit_rejection_value"))
+        ${out}_future.f_private_key.f_implicit_rejection_value == implicit_rejection_value"#))
     ]
     pub(crate) fn generate_keypair<
         const K: usize,
@@ -901,7 +913,8 @@ pub(crate) mod unpacked {
 
         #[allow(non_snake_case)]
         let A = transpose_a::<K, Vector>(out.public_key.ind_cpa_public_key.A);
-        hax_lib::fstar!("let (ind_cpa_keypair_randomness, _) = split $randomness Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE in
+        hax_lib::fstar!(
+            r#"let (ind_cpa_keypair_randomness, _) = split $randomness Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE in
         let ((((_, _), matrix_A_as_ntt), _), sufficient_randomness) =
             Spec.MLKEM.ind_cpa_generate_keypair_unpacked $K ind_cpa_keypair_randomness in
         let m_v_A = Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector $A in
@@ -919,7 +932,8 @@ pub(crate) mod unpacked {
         in
         Classical.forall_intro lemma_aux;
         if sufficient_randomness then
-            Lib.Sequence.eq_intro #(Spec.MLKEM.vector $K) #(v $K) m_A m_v_A");
+            Lib.Sequence.eq_intro #(Spec.MLKEM.vector $K) #(v $K) m_A m_v_A"#
+        );
         out.public_key.ind_cpa_public_key.A = A;
 
         let pk_serialized =
@@ -933,7 +947,7 @@ pub(crate) mod unpacked {
 
     // Encapsulate with Unpacked Public Key
     #[inline(always)]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
         $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
         $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
         $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
@@ -943,15 +957,15 @@ pub(crate) mod unpacked {
         $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
         $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
         $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))]
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
     #[hax_lib::ensures(|(ciphertext_result, shared_secret_array)|
-        fstar!("let (ciphertext, shared_secret) =
+        fstar!(r#"let (ciphertext, shared_secret) =
             Spec.MLKEM.ind_cca_unpack_encapsulate $K ${public_key}.f_public_key_hash
             (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}.f_ind_cpa_public_key.f_t_as_ntt)
             (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key}.f_ind_cpa_public_key.f_A)
             $randomness in
         ${ciphertext_result}.f_value == ciphertext /\\
-        $shared_secret_array == shared_secret"))
+        $shared_secret_array == shared_secret"#))
     ]
     pub(crate) fn encapsulate<
         const K: usize,
@@ -1011,7 +1025,7 @@ pub(crate) mod unpacked {
     // Decapsulate with Unpacked Private Key
     #[inline(always)]
     #[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning --z3refresh")]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
         $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
         $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
         $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
@@ -1022,15 +1036,15 @@ pub(crate) mod unpacked {
         $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
         $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
         $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
+        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
     #[hax_lib::ensures(|result|
-        fstar!("$result ==
+        fstar!(r#"$result ==
             Spec.MLKEM.ind_cca_unpack_decapsulate $K ${key_pair}.f_public_key.f_public_key_hash
             ${key_pair}.f_private_key.f_implicit_rejection_value
             ${ciphertext}.f_value
             (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${key_pair}.f_private_key.f_ind_cpa_private_key.f_secret_as_ntt)
             (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt)
-            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${key_pair}.f_public_key.f_ind_cpa_public_key.f_A)"))
+            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${key_pair}.f_public_key.f_ind_cpa_public_key.f_A)"#))
     ]
     pub(crate) fn decapsulate<
         const K: usize,
@@ -1055,11 +1069,13 @@ pub(crate) mod unpacked {
         key_pair: &MlKemKeyPairUnpacked<K, Vector>,
         ciphertext: &MlKemCiphertext<CIPHERTEXT_SIZE>,
     ) -> MlKemSharedSecret {
-        hax_lib::fstar!("assert (v $IMPLICIT_REJECTION_HASH_INPUT_SIZE == 32 + v (Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K));
+        hax_lib::fstar!(
+            r#"assert (v $IMPLICIT_REJECTION_HASH_INPUT_SIZE == 32 + v (Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K));
         assert (v (Spec.MLKEM.v_C1_SIZE $K +! Spec.MLKEM.v_C2_SIZE $K) == v (Spec.MLKEM.v_C1_SIZE $K) + v (Spec.MLKEM.v_C2_SIZE $K));
         assert (v (Spec.MLKEM.v_C1_SIZE $K) == v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) * v $K);
         assert (v (Spec.MLKEM.v_C1_BLOCK_SIZE $K)  == 32 * v (Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K));
-        assert (v (Spec.MLKEM.v_C2_SIZE $K) == 32 * v (Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K))");
+        assert (v (Spec.MLKEM.v_C2_SIZE $K) == 32 * v (Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K))"#
+        );
         let decrypted = ind_cpa::decrypt_unpacked::<
             K,
             CIPHERTEXT_SIZE,
@@ -1070,9 +1086,11 @@ pub(crate) mod unpacked {
         >(&key_pair.private_key.ind_cpa_private_key, &ciphertext.value);
 
         let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted);
-        hax_lib::fstar!("Lib.Sequence.eq_intro #u8 #32 (Seq.slice $to_hash 0 32) $decrypted");
+        hax_lib::fstar!(r#"Lib.Sequence.eq_intro #u8 #32 (Seq.slice $to_hash 0 32) $decrypted"#);
         to_hash[SHARED_SECRET_SIZE..].copy_from_slice(&key_pair.public_key.public_key_hash);
-        hax_lib::fstar!("Lib.Sequence.lemma_concat2 32 $decrypted 32 ${key_pair}.f_public_key.f_public_key_hash $to_hash");
+        hax_lib::fstar!(
+            r#"Lib.Sequence.lemma_concat2 32 $decrypted 32 ${key_pair}.f_public_key.f_public_key_hash $to_hash"#
+        );
 
         let hashed = Hasher::G(&to_hash);
         let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
diff --git a/libcrux-ml-kem/src/ind_cca/instantiations.rs b/libcrux-ml-kem/src/ind_cca/instantiations.rs
index 3126b25db..b9c6f7ff6 100644
--- a/libcrux-ml-kem/src/ind_cca/instantiations.rs
+++ b/libcrux-ml-kem/src/ind_cca/instantiations.rs
@@ -7,13 +7,13 @@ macro_rules! instantiate {
             };
 
             /// Portable generate key pair.
-            #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                 $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
                 $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
                 $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
                 $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
                 $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))]
+                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
             pub(crate) fn generate_keypair<
                 const K: usize,
                 const CPA_PRIVATE_KEY_SIZE: usize,
@@ -67,9 +67,9 @@ macro_rules! instantiate {
 
             /// Public key validation
             #[inline(always)]
-            #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                 $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))]
+                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
             pub(crate) fn validate_public_key<
                 const K: usize,
                 const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -87,9 +87,9 @@ macro_rules! instantiate {
 
             /// Private key validation
             #[inline(always)]
-            #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                 $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))]
+                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
             pub(crate) fn validate_private_key<
                 const K: usize,
                 const SECRET_KEY_SIZE: usize,
@@ -106,8 +106,8 @@ macro_rules! instantiate {
 
             /// Private key validation
             #[inline(always)]
-            #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"))]
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
+                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"#))]
             pub(crate) fn validate_private_key_only<
                 const K: usize,
                 const SECRET_KEY_SIZE: usize,
@@ -157,7 +157,7 @@ macro_rules! instantiate {
                 >(public_key, randomness)
             }
 
-            #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                 $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
                 $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
                 $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
@@ -169,7 +169,7 @@ macro_rules! instantiate {
                 $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
                 $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
                 $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-                $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))]
+                $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
             pub(crate) fn encapsulate<
                 const K: usize,
                 const CIPHERTEXT_SIZE: usize,
@@ -255,7 +255,7 @@ macro_rules! instantiate {
             }
 
             /// Portable decapsulate
-            #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                 $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
                 $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
                 $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
@@ -270,7 +270,7 @@ macro_rules! instantiate {
                 $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
                 $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
                 $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-                $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
+                $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
             pub fn decapsulate<
                 const K: usize,
                 const SECRET_KEY_SIZE: usize,
@@ -326,9 +326,9 @@ macro_rules! instantiate {
 
                 /// Get the unpacked public key.
                 #[hax_lib::requires(
-                    fstar!("Spec.MLKEM.is_rank $K /\\
+                    fstar!(r#"Spec.MLKEM.is_rank $K /\\
                     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K")
+                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
                 )]
                 #[inline(always)]
                 pub(crate) fn unpack_public_key<
@@ -353,12 +353,12 @@ macro_rules! instantiate {
                 /// Take a serialized private key and generate an unpacked key pair from it.
                 #[inline(always)]
                 #[hax_lib::requires(
-                    fstar!("Spec.MLKEM.is_rank $K /\\
+                    fstar!(r#"Spec.MLKEM.is_rank $K /\\
                             v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\\
                             v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\\
                             v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\\
                             v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\\
-                            v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"))]
+                            v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))]
                 pub(crate) fn keypair_from_private_key<
                     const K: usize,
                     const SECRET_KEY_SIZE: usize,
@@ -382,13 +382,13 @@ macro_rules! instantiate {
                 }
 
                 /// Generate a key pair
-                #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                     $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
                     $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
                     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
                     $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
                     $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))]
+                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn generate_keypair<
                     const K: usize,
@@ -417,7 +417,7 @@ macro_rules! instantiate {
                 }
 
                 /// Unpacked encapsulate
-                #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                     $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
                     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
                     $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
@@ -429,7 +429,7 @@ macro_rules! instantiate {
                     $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
                     $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
                     $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-                    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))]
+                    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn encapsulate<
                     const K: usize,
@@ -469,7 +469,7 @@ macro_rules! instantiate {
                 }
 
                 /// Unpacked decapsulate
-                #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                     $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
                     $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
                     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
@@ -484,7 +484,7 @@ macro_rules! instantiate {
                     $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
                     $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
                     $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-                    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
+                    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn decapsulate<
                     const K: usize,
diff --git a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
index b13ce52e4..94e59d1a6 100644
--- a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
+++ b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
@@ -6,13 +6,13 @@ use crate::{
 #[allow(unsafe_code)]
 /// Portable generate key pair.
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
 unsafe fn generate_keypair_avx2<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
@@ -39,13 +39,13 @@ unsafe fn generate_keypair_avx2<
 }
 
 #[allow(unsafe_code)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn generate_keypair<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
@@ -126,9 +126,9 @@ pub(crate) fn kyber_generate_keypair<
 
 #[allow(unsafe_code)]
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 unsafe fn validate_public_key_avx2<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -145,9 +145,9 @@ unsafe fn validate_public_key_avx2<
 }
 
 #[allow(unsafe_code)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 pub(crate) fn validate_public_key<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -162,9 +162,9 @@ pub(crate) fn validate_public_key<
 
 #[allow(unsafe_code)]
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 unsafe fn validate_private_key_avx2<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -182,9 +182,9 @@ unsafe fn validate_private_key_avx2<
 }
 
 #[allow(unsafe_code)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 pub(crate) fn validate_private_key<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -200,8 +200,8 @@ pub(crate) fn validate_private_key<
 
 /// Private key validation
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"#))]
 pub(crate) fn validate_private_key_only<const K: usize, const SECRET_KEY_SIZE: usize>(
     private_key: &MlKemPrivateKey<SECRET_KEY_SIZE>,
 ) -> bool {
@@ -294,19 +294,19 @@ pub(crate) fn kyber_encapsulate<
 
 #[allow(unsafe_code)]
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
 unsafe fn encapsulate_avx2<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -346,19 +346,19 @@ unsafe fn encapsulate_avx2<
 }
 
 #[allow(unsafe_code)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn encapsulate<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -490,22 +490,22 @@ pub fn kyber_decapsulate<
 
 #[allow(unsafe_code)]
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
 unsafe fn decapsulate_avx2<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -551,22 +551,22 @@ unsafe fn decapsulate_avx2<
 }
 
 #[allow(unsafe_code)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
 pub fn decapsulate<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -623,9 +623,9 @@ pub(crate) mod unpacked {
     #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     #[hax_lib::requires(
-        fstar!("Spec.MLKEM.is_rank $K /\\
-        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K")
+        fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
     )]
     unsafe fn unpack_public_key_avx2<
         const K: usize,
@@ -649,9 +649,9 @@ pub(crate) mod unpacked {
     /// Get the unpacked public key.
     #[allow(unsafe_code)]
     #[hax_lib::requires(
-        fstar!("Spec.MLKEM.is_rank $K /\\
-        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K")
+        fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
     )]
     pub(crate) fn unpack_public_key<
         const K: usize,
@@ -675,12 +675,12 @@ pub(crate) mod unpacked {
     /// Take a serialized private key and generate an unpacked key pair from it.
     #[inline(always)]
     #[hax_lib::requires(
-        fstar!("Spec.MLKEM.is_rank $K /\\
-                v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\\
-                v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\\
-                v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\\
-                v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\\
-                v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"))]
+        fstar!(r#"Spec.MLKEM.is_rank $K /\
+                v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+                v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+                v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+                v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+                v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))]
     pub(crate) fn keypair_from_private_key<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
@@ -705,11 +705,11 @@ pub(crate) mod unpacked {
 
     #[allow(unsafe_code)]
     #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-        $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-        $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"))]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
     unsafe fn generate_keypair_avx2<
         const K: usize,
         const CPA_PRIVATE_KEY_SIZE: usize,
@@ -738,11 +738,11 @@ pub(crate) mod unpacked {
 
     /// Generate a key pair
     #[allow(unsafe_code)]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-        $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-        $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"))]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
     pub(crate) fn generate_keypair<
         const K: usize,
         const CPA_PRIVATE_KEY_SIZE: usize,
@@ -770,17 +770,17 @@ pub(crate) mod unpacked {
 
     #[allow(unsafe_code)]
     #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-        $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-        $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
-        $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
     unsafe fn encapsulate_avx2<
         const K: usize,
         const CIPHERTEXT_SIZE: usize,
@@ -820,17 +820,17 @@ pub(crate) mod unpacked {
 
     /// Unpacked encapsulate
     #[allow(unsafe_code)]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-        $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-        $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
-        $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
     pub(crate) fn encapsulate<
         const K: usize,
         const CIPHERTEXT_SIZE: usize,
@@ -870,18 +870,18 @@ pub(crate) mod unpacked {
 
     #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-        $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-        $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
-        $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
     unsafe fn decapsulate_avx2<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
@@ -927,18 +927,18 @@ pub(crate) mod unpacked {
 
     /// Unpacked decapsulate
     #[allow(unsafe_code)]
-    #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-        $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-        $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
-        $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
     pub(crate) fn decapsulate<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
diff --git a/libcrux-ml-kem/src/ind_cca/multiplexing.rs b/libcrux-ml-kem/src/ind_cca/multiplexing.rs
index 4a78a567b..d0ae1d7a9 100644
--- a/libcrux-ml-kem/src/ind_cca/multiplexing.rs
+++ b/libcrux-ml-kem/src/ind_cca/multiplexing.rs
@@ -52,9 +52,9 @@ use instantiations::portable::{
     kyber_generate_keypair as kyber_generate_keypair_neon,
 };
 
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))]
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 #[inline(always)]
 pub(crate) fn validate_public_key<
     const K: usize,
@@ -69,9 +69,9 @@ pub(crate) fn validate_public_key<
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
                 $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))]
+                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 pub(crate) fn validate_private_key<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -132,13 +132,13 @@ pub(crate) fn kyber_generate_keypair<
     }
 }
 
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
     $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
     $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
     $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))]
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn generate_keypair<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
@@ -254,7 +254,7 @@ pub(crate) fn kyber_encapsulate<
     }
 }
 
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
     $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
@@ -266,7 +266,7 @@ pub(crate) fn kyber_encapsulate<
     $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
     $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
     $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))]
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn encapsulate<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -418,7 +418,7 @@ pub(crate) fn kyber_decapsulate<
     }
 }
 
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
     $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
     $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
@@ -433,7 +433,7 @@ pub(crate) fn kyber_decapsulate<
     $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
     $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
     $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))]
+    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
 pub(crate) fn decapsulate<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs
index e05db7edf..5dc48d300 100644
--- a/libcrux-ml-kem/src/ind_cpa.rs
+++ b/libcrux-ml-kem/src/ind_cpa.rs
@@ -60,16 +60,16 @@ use unpacked::*;
 
 /// Concatenate `t` and `ρ` into the public key.
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    length $seed_for_a == sz 32 /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    length $seed_for_a == sz 32 /\
     (forall (i:nat). i < v $K ==>
-        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $t_as_ntt i))"))]
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $t_as_ntt i))"#))]
 #[hax_lib::ensures(|res|
-    fstar!("$res == Seq.append (Spec.MLKEM.vector_encode_12 #$K
+    fstar!(r#"$res == Seq.append (Spec.MLKEM.vector_encode_12 #$K
                             (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $t_as_ntt))
-                        $seed_for_a)")
+                        $seed_for_a)"#)
 )]
 pub(crate) fn serialize_public_key<
     const K: usize,
@@ -91,17 +91,17 @@ pub(crate) fn serialize_public_key<
 
 /// Concatenate `t` and `ρ` into the public key.
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    length $seed_for_a == sz 32 /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    length $seed_for_a == sz 32 /\
     (forall (i:nat). i < v $K ==>
-        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $t_as_ntt i))"))]
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $t_as_ntt i))"#))]
 #[hax_lib::ensures(|res|
-    fstar!("${serialized}_future == 
+    fstar!(r#"${serialized}_future == 
                         Seq.append (Spec.MLKEM.vector_encode_12 #$K
                             (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $t_as_ntt))
-                        $seed_for_a)")
+                        $seed_for_a)"#)
 )]
 pub(crate) fn serialize_public_key_mut<
     const K: usize,
@@ -129,47 +129,49 @@ pub(crate) fn serialize_public_key_mut<
 /// Call [`serialize_uncompressed_ring_element`] for each ring element.
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 1000 --ext context_pruning --z3refresh")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
     (forall (i:nat). i < v $K ==>
-        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $key i))"))]
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $key i))"#))]
 #[hax_lib::ensures(|res|
-    fstar!("$res == Spec.MLKEM.vector_encode_12 #$K
-                    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key)")
+    fstar!(r#"$res == Spec.MLKEM.vector_encode_12 #$K
+                    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key)"#)
 )]
 pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector: Operations>(
     key: &[PolynomialRingElement<Vector>; K],
 ) -> [u8; OUT_LEN] {
-    hax_lib::fstar!("assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)");
+    hax_lib::fstar!(r#"assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)"#);
     let mut out = [0u8; OUT_LEN];
 
     cloop! {
         for (i, re) in key.into_iter().enumerate() {
-            hax_lib::loop_invariant!(|i: usize| { fstar!("(v $i < v $K ==>
-                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $key (v $i))) /\\
+            hax_lib::loop_invariant!(|i: usize| { fstar!(r#"(v $i < v $K ==>
+                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $key (v $i))) /\
                 (forall (j: nat). j < v $i ==>
-                (j + 1) * v $BYTES_PER_RING_ELEMENT <= Seq.length $out /\\
+                (j + 1) * v $BYTES_PER_RING_ELEMENT <= Seq.length $out /\
                 (Seq.slice $out (j * v $BYTES_PER_RING_ELEMENT) ((j + 1) * v $BYTES_PER_RING_ELEMENT) ==
-                    Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $key j))))") });
+                    Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $key j))))"#) });
             out[i * BYTES_PER_RING_ELEMENT..(i + 1) * BYTES_PER_RING_ELEMENT]
             .copy_from_slice(&serialize_uncompressed_ring_element(&re));
-            hax_lib::fstar!("let lemma_aux (j: nat{ j < v $i }) : Lemma
+            hax_lib::fstar!(r#"let lemma_aux (j: nat{ j < v $i }) : Lemma
                 (Seq.slice out (j * v $BYTES_PER_RING_ELEMENT) ((j + 1) * v $BYTES_PER_RING_ELEMENT) ==
                     Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $key j))) =
                 Lib.Sequence.eq_intro #u8 #(v $BYTES_PER_RING_ELEMENT)
                 (Seq.slice out (j * v $BYTES_PER_RING_ELEMENT) ((j + 1) * v $BYTES_PER_RING_ELEMENT))
                 (Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $key j)))
             in
-            Classical.forall_intro lemma_aux");
+            Classical.forall_intro lemma_aux"#);
         }
     }
 
-    hax_lib::fstar!("assert (Spec.MLKEM.coerce_vector_12 (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key) ==
+    hax_lib::fstar!(
+        r#"assert (Spec.MLKEM.coerce_vector_12 (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key) ==
         Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key);
     reveal_opaque (`%Spec.MLKEM.vector_encode_12) (Spec.MLKEM.vector_encode_12 #$K);
     Lib.Sequence.eq_intro #u8 #(v $OUT_LEN) $out
         (Spec.MLKEM.vector_encode_12 #$K
-            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key))");
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key))"#
+    );
     out
 }
 
@@ -181,7 +183,7 @@ pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector:
 #[cfg_attr(
     hax,
     hax_lib::fstar::before(
-        "let sample_ring_element_cbd_helper_2
+        r#"let sample_ring_element_cbd_helper_2
       (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize)
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -190,9 +192,9 @@ pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector:
       (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
       (prf_input: t_Array u8 (sz 33))
       (domain_separator: u8) : Lemma
-        (requires Spec.MLKEM.is_rank v_K /\\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\\
-          v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\\
-          v domain_separator < 2 * v v_K /\\ 
+        (requires Spec.MLKEM.is_rank v_K /\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+          v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+          v domain_separator < 2 * v v_K /\ 
           (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE
             (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
               (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in 
@@ -205,20 +207,20 @@ pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector:
     =
     Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
     (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1) 
-    (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))"
+    (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))"#
     )
 )]
 #[cfg_attr(
     hax,
     hax_lib::fstar::before(
-        "let sample_ring_element_cbd_helper_1
+        r#"let sample_ring_element_cbd_helper_1
       (v_K: usize)
       (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
       (prf_input: t_Array u8 (sz 33))
       (domain_separator: u8) : Lemma 
-        (requires Spec.MLKEM.is_rank v_K /\\ v domain_separator < 2 * v v_K /\\
+        (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
           (forall (i: nat). i < v v_K ==>
-            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\\
+            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
             Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
         (ensures prf_inputs == createi v_K
           (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
@@ -234,18 +236,18 @@ pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector:
     Classical.forall_intro lemma_aux;
     Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
       (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
-        (Seq.slice prf_input 0 32) (sz (v domain_separator))))"
+        (Seq.slice prf_input 0 32) (sz (v domain_separator))))"#
     )
 )]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-    v $domain_separator < 2 * v $K /\\
-    range (v $domain_separator + v $K) u8_inttype"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    v $domain_separator < 2 * v $K /\
+    range (v $domain_separator + v $K) u8_inttype"#))]
 #[hax_lib::ensures(|(err1,ds)|
-    fstar!("v $ds == v $domain_separator + v $K /\\
+    fstar!(r#"v $ds == v $domain_separator + v $K /\
                 Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $err1 ==
-                Spec.MLKEM.sample_vector_cbd2 #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))")
+                Spec.MLKEM.sample_vector_cbd2 #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))"#)
 )]
 fn sample_ring_element_cbd<
     const K: usize,
@@ -289,7 +291,7 @@ fn sample_ring_element_cbd<
 #[hax_lib::fstar::options(
     "--max_fuel 25 --z3rlimit 2500 --ext context_pruning --z3refresh --split_queries always"
 )]
-#[cfg_attr(hax, hax_lib::fstar::before("let sample_vector_cbd_then_ntt_helper_2
+#[cfg_attr(hax, hax_lib::fstar::before(r#"let sample_vector_cbd_then_ntt_helper_2
       (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -298,9 +300,9 @@ fn sample_ring_element_cbd<
       (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
       (prf_input: t_Array u8 (sz 33))
       (domain_separator: u8) : Lemma
-        (requires Spec.MLKEM.is_rank v_K /\\ v_ETA == Spec.MLKEM.v_ETA1 v_K /\\
-          v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\\
-          v domain_separator < 2 * v v_K /\\ 
+        (requires Spec.MLKEM.is_rank v_K /\ v_ETA == Spec.MLKEM.v_ETA1 v_K /\
+          v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+          v domain_separator < 2 * v v_K /\ 
           (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA_RANDOMNESS_SIZE
             (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
               (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in 
@@ -315,18 +317,18 @@ fn sample_ring_element_cbd<
     Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
       (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt)
       (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
-        (Seq.slice prf_input 0 32) (sz (v domain_separator)))"))]
+        (Seq.slice prf_input 0 32) (sz (v domain_separator)))"#))]
 #[cfg_attr(
     hax,
     hax_lib::fstar::before(
-        "let sample_vector_cbd_then_ntt_helper_1
+        r#"let sample_vector_cbd_then_ntt_helper_1
       (v_K: usize)
       (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
       (prf_input: t_Array u8 (sz 33))
       (domain_separator: u8) : Lemma 
-        (requires Spec.MLKEM.is_rank v_K /\\ v domain_separator < 2 * v v_K /\\
+        (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
           (forall (i: nat). i < v v_K ==>
-            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\\
+            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
             Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
         (ensures prf_inputs == createi v_K
           (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
@@ -342,20 +344,20 @@ fn sample_ring_element_cbd<
     Classical.forall_intro lemma_aux;
     Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
       (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
-        (Seq.slice prf_input 0 32) (sz (v domain_separator))))"
+        (Seq.slice prf_input 0 32) (sz (v domain_separator))))"#
     )
 )]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA == Spec.MLKEM.v_ETA1 $K /\\
-    v $domain_separator < 2 * v $K /\\
-    range (v $domain_separator + v $K) u8_inttype"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA == Spec.MLKEM.v_ETA1 $K /\
+    v $domain_separator < 2 * v $K /\
+    range (v $domain_separator + v $K) u8_inttype"#))]
 #[hax_lib::ensures(|ds|
-    fstar!("v $ds == v $domain_separator + v $K /\\
+    fstar!(r#"v $ds == v $domain_separator + v $K /\
             Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${re_as_ntt}_future ==
-            Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator)) /\\
+            Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator)) /\
             (forall (i: nat). i < v $K ==>
-              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #$:Vector (Seq.index ${re_as_ntt}_future i))")
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #$:Vector (Seq.index ${re_as_ntt}_future i))"#)
 )]
 fn sample_vector_cbd_then_ntt<
     const K: usize,
@@ -380,7 +382,7 @@ fn sample_vector_cbd_then_ntt<
             fstar!(
                 "forall (j:nat). j < v $i ==>
             Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector re_as_ntt.[ sz j ] ==
-              Spec.MLKEM.poly_ntt (Spec.MLKEM.sample_poly_cbd $ETA ${prf_outputs}.[ sz j ]) /\\
+              Spec.MLKEM.poly_ntt (Spec.MLKEM.sample_poly_cbd $ETA ${prf_outputs}.[ sz j ]) /\
             Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #$:Vector re_as_ntt.[ sz j ]"
             )
         });
@@ -395,15 +397,15 @@ fn sample_vector_cbd_then_ntt<
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA == Spec.MLKEM.v_ETA1 $K /\\
-    v $domain_separator < 2 * v $K /\\
-    range (v $domain_separator + v $K) u8_inttype"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA == Spec.MLKEM.v_ETA1 $K /\
+    v $domain_separator < 2 * v $K /\
+    range (v $domain_separator + v $K) u8_inttype"#))]
 #[hax_lib::ensures(|(re,ds)|
-    fstar!("v $ds == v $domain_separator + v $K /\\
+    fstar!(r#"v $ds == v $domain_separator + v $K /\
                 Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${re} ==
-                Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))")
+                Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))"#)
 )]
 fn sample_vector_cbd_then_ntt_out<
     const K: usize,
@@ -464,20 +466,20 @@ fn sample_vector_cbd_then_ntt_out<
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
 #[allow(non_snake_case)]
 #[hax_lib::fstar::options("--z3rlimit 500 --ext context_pruning --z3refresh")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"))]
-#[hax_lib::ensures(|_| fstar!("let ((((t_as_ntt,seed_for_A), matrix_A_as_ntt), secret_as_ntt), valid) = Spec.MLKEM.ind_cpa_generate_keypair_unpacked $K $key_generation_seed in 
-    (valid ==> (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}_future.f_t_as_ntt == t_as_ntt) /\\
-        (${public_key}_future.f_seed_for_A == seed_for_A) /\\
-        (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key}_future.f_A == matrix_A_as_ntt) /\\
-        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${private_key}_future.f_secret_as_ntt == secret_as_ntt)) /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"#))]
+#[hax_lib::ensures(|_| fstar!(r#"let ((((t_as_ntt,seed_for_A), matrix_A_as_ntt), secret_as_ntt), valid) = Spec.MLKEM.ind_cpa_generate_keypair_unpacked $K $key_generation_seed in 
+    (valid ==> (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}_future.f_t_as_ntt == t_as_ntt) /\
+        (${public_key}_future.f_seed_for_A == seed_for_A) /\
+        (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key}_future.f_A == matrix_A_as_ntt) /\
+        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${private_key}_future.f_secret_as_ntt == secret_as_ntt)) /\
     (forall (i:nat). i < v $K ==>
-        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${private_key}_future.f_secret_as_ntt i)) /\\
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${private_key}_future.f_secret_as_ntt i)) /\
     (forall (i:nat). i < v $K ==>
         Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${public_key}_future.f_t_as_ntt i))
-"))]
+"#))]
 #[inline(always)]
 pub(crate) fn generate_keypair_unpacked<
     const K: usize,
@@ -501,8 +503,10 @@ pub(crate) fn generate_keypair_unpacked<
     );
     sample_matrix_A::<K, Vector, Hasher>(&mut public_key.A, into_padded_array(seed_for_A), true);
 
-    hax_lib::fstar!("let (matrix_A_as_ntt, valid) = Spec.MLKEM.sample_matrix_A_ntt #$K $seed_for_A in
-        assert (valid ==> matrix_A_as_ntt == Libcrux_ml_kem.Polynomial.to_spec_matrix_t public_key.f_A)");
+    hax_lib::fstar!(
+        r#"let (matrix_A_as_ntt, valid) = Spec.MLKEM.sample_matrix_A_ntt #$K $seed_for_A in
+        assert (valid ==> matrix_A_as_ntt == Libcrux_ml_kem.Polynomial.to_spec_matrix_t public_key.f_A)"#
+    );
     let prf_input: [u8; 33] = into_padded_array(seed_for_secret_and_error);
     hax_lib::fstar!(
         "Lib.Sequence.eq_intro #u8 #32 $seed_for_secret_and_error (Seq.slice $prf_input 0 32)"
@@ -529,18 +533,20 @@ pub(crate) fn generate_keypair_unpacked<
 
     public_key.seed_for_A = seed_for_A.try_into().unwrap();
 
-    hax_lib::fstar!("let (((t_as_ntt,seed_for_A), matrix_A_as_ntt), secret_as_ntt), valid =
+    hax_lib::fstar!(
+        r#"let (((t_as_ntt,seed_for_A), matrix_A_as_ntt), secret_as_ntt), valid =
         Spec.MLKEM.ind_cpa_generate_keypair_unpacked $K $key_generation_seed in
         assert (valid ==>
             ((Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector public_key.f_t_as_ntt) ==
-              t_as_ntt) /\\ (public_key.f_seed_for_A == seed_for_A) /\\
-            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector public_key.f_A == matrix_A_as_ntt) /\\
+              t_as_ntt) /\ (public_key.f_seed_for_A == seed_for_A) /\
+            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector public_key.f_A == matrix_A_as_ntt) /\
             ((Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector private_key.f_secret_as_ntt) ==
               secret_as_ntt));
         assert ((forall (i: nat). i < v $K ==>
-              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index private_key.f_secret_as_ntt i)) /\\
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index private_key.f_secret_as_ntt i)) /\
           (forall (i: nat). i < v $K ==>
-              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key.f_t_as_ntt i)))");
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key.f_t_as_ntt i)))"#
+    );
 
     // For encapsulation, we need to store A not Aˆ, and so we untranspose A
     // However, we pass A_transpose here and let the IND-CCA layer do the untranspose.
@@ -548,15 +554,15 @@ pub(crate) fn generate_keypair_unpacked<
 }
 
 #[allow(non_snake_case)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"))]
-#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cpa_generate_keypair $K $key_generation_seed in 
-                                    valid ==> $result == expected"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"#))]
+#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cpa_generate_keypair $K $key_generation_seed in 
+                                    valid ==> $result == expected"#))]
 #[inline(always)]
 pub(crate) fn generate_keypair<
     const K: usize,
@@ -616,16 +622,16 @@ pub(crate) fn serialize_unpacked_secret_key<
 
 /// Call [`compress_then_serialize_ring_element_u`] on each ring element.
 #[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning --z3refresh")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $OUT_LEN == Spec.MLKEM.v_C1_SIZE $K /\\
-    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-    $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-    ${out.len()} == $OUT_LEN /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $OUT_LEN == Spec.MLKEM.v_C1_SIZE $K /\
+    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+    $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    ${out.len()} == $OUT_LEN /\
     (forall (i:nat). i < v $K ==>
-        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $input i))"))]
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $input i))"#))]
 #[hax_lib::ensures(|_|
-    fstar!("$out_future == Spec.MLKEM.compress_then_encode_u #$K
-               (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $input)")
+    fstar!(r#"$out_future == Spec.MLKEM.compress_then_encode_u #$K
+               (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $input)"#)
 )]
 #[inline(always)]
 fn compress_then_serialize_u<
@@ -647,22 +653,22 @@ fn compress_then_serialize_u<
     // for the following bug https://github.com/hacspec/hax/issues/720
     cloop! {
         for (i, re) in input.into_iter().enumerate() {
-            hax_lib::loop_invariant!(|i: usize| { fstar!("(v $i < v $K ==> Seq.length out == v $OUT_LEN /\\
-                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $input (v $i))) /\\
+            hax_lib::loop_invariant!(|i: usize| { fstar!(r#"(v $i < v $K ==> Seq.length out == v $OUT_LEN /\
+                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $input (v $i))) /\
             (forall (j: nat). j < v $i ==>
-                Seq.length out == v $OUT_LEN /\\
-                (j + 1) * (v $OUT_LEN / v $K) <= Seq.length out /\\
+                Seq.length out == v $OUT_LEN /\
+                (j + 1) * (v $OUT_LEN / v $K) <= Seq.length out /\
                 (Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)) == 
                     Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
-                        (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j))))") });
-            hax_lib::fstar!("assert (forall (j: nat). j < v $i ==>
+                        (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j))))"#) });
+            hax_lib::fstar!(r#"assert (forall (j: nat). j < v $i ==>
                 ((Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)) == 
                 Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
-                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j)))))");
+                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j)))))"#);
             out[i * (OUT_LEN / K)..(i + 1) * (OUT_LEN / K)].copy_from_slice(
                 &compress_then_serialize_ring_element_u::<COMPRESSION_FACTOR, BLOCK_LEN, Vector>(&re),
             );
-            hax_lib::fstar!("let lemma_aux (j: nat{ j < v $i }) : Lemma
+            hax_lib::fstar!(r#"let lemma_aux (j: nat{ j < v $i }) : Lemma
                 (Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)) ==
                 Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
                     (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index $input j))) =
@@ -671,7 +677,7 @@ fn compress_then_serialize_u<
                 (Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
                     (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j)))
             in
-            Classical.forall_intro lemma_aux");
+            Classical.forall_intro lemma_aux"#);
         }
     };
     hax_lib::fstar!(
@@ -723,22 +729,22 @@ fn compress_then_serialize_u<
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
 #[allow(non_snake_case)]
 #[hax_lib::fstar::options("--z3rlimit 200")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-      $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-      $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-      $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-      $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-      $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\\
-      $C2_LEN == Spec.MLKEM.v_C2_SIZE $K /\\
-      $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-      $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
-      $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-      $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-      length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+      $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+      $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+      $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+      $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+      $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\
+      $C2_LEN == Spec.MLKEM.v_C2_SIZE $K /\
+      $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+      $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+      $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+      $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+      length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE"#))]
 #[hax_lib::ensures(|result|
-    fstar!("$result == Spec.MLKEM.ind_cpa_encrypt_unpacked $K $message $randomness
+    fstar!(r#"$result == Spec.MLKEM.ind_cpa_encrypt_unpacked $K $message $randomness
         (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}.f_t_as_ntt)
-        (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key}.f_A)")
+        (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key}.f_A)"#)
 )]
 #[inline(always)]
 pub(crate) fn encrypt_unpacked<
@@ -836,23 +842,23 @@ pub(crate) fn encrypt_unpacked<
 
 #[allow(non_snake_case)]
 #[hax_lib::fstar::options("--z3rlimit 500 --ext context_pruning")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $ETA1 = Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA2 = Spec.MLKEM.v_ETA2 $K /\\
-    $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-    $ETA2_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
-    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
-    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\\
-    $C2_LEN == Spec.MLKEM.v_C2_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA1 = Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 = Spec.MLKEM.v_ETA2 $K /\
+    $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA2_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_LEN == Spec.MLKEM.v_C2_SIZE $K"#))]
 #[hax_lib::ensures(|result|
-    fstar!("let (expected, valid) = Spec.MLKEM.ind_cpa_encrypt $K $public_key $message $randomness in
-            valid ==> $result == expected")
+    fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cpa_encrypt $K $public_key $message $randomness in
+            valid ==> $result == expected"#)
 )]
 #[inline(always)]
 pub(crate) fn encrypt<
@@ -875,7 +881,7 @@ pub(crate) fn encrypt<
     message: [u8; SHARED_SECRET_SIZE],
     randomness: &[u8],
 ) -> [u8; CIPHERTEXT_SIZE] {
-    hax_lib::fstar!("reveal_opaque (`%Spec.MLKEM.ind_cpa_encrypt) Spec.MLKEM.ind_cpa_encrypt");
+    hax_lib::fstar!(r#"reveal_opaque (`%Spec.MLKEM.ind_cpa_encrypt) Spec.MLKEM.ind_cpa_encrypt"#);
     let unpacked_public_key =
         build_unpacked_public_key::<K, T_AS_NTT_ENCODED_SIZE, Vector, Hasher>(public_key);
 
@@ -899,15 +905,15 @@ pub(crate) fn encrypt<
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"))]
-#[hax_lib::ensures(|result| fstar!("
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
+#[hax_lib::ensures(|result| fstar!(r#"
     let (t_as_ntt_bytes, seed_for_A) = split public_key $T_AS_NTT_ENCODED_SIZE in
     let t_as_ntt = Spec.MLKEM.vector_decode_12 #$K t_as_ntt_bytes in 
     let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #$K seed_for_A in
-    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${result}.f_t_as_ntt == t_as_ntt /\\
-     valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${result}.f_A == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)"))]
+    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${result}.f_t_as_ntt == t_as_ntt /\
+     valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${result}.f_A == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)"#))]
 fn build_unpacked_public_key<
     const K: usize,
     const T_AS_NTT_ENCODED_SIZE: usize,
@@ -925,15 +931,15 @@ fn build_unpacked_public_key<
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"))]
-#[hax_lib::ensures(|_| fstar!("
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
+#[hax_lib::ensures(|_| fstar!(r#"
     let (t_as_ntt_bytes, seed_for_A) = split public_key $T_AS_NTT_ENCODED_SIZE in
     let t_as_ntt = Spec.MLKEM.vector_decode_12 #$K t_as_ntt_bytes in 
     let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #$K seed_for_A in
-    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${unpacked_public_key}_future.f_t_as_ntt == t_as_ntt /\\
-    valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${unpacked_public_key}_future.f_A == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)"))]
+    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${unpacked_public_key}_future.f_t_as_ntt == t_as_ntt /\
+    valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${unpacked_public_key}_future.f_A == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)"#))]
 pub(crate) fn build_unpacked_public_key_mut<
     const K: usize,
     const T_AS_NTT_ENCODED_SIZE: usize,
@@ -971,12 +977,12 @@ pub(crate) fn build_unpacked_public_key_mut<
 /// in the `ciphertext`.
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K"#))]
 #[hax_lib::ensures(|res|
-    fstar!("Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res ==
-        Spec.MLKEM.(vector_ntt (decode_then_decompress_u #$K (Seq.slice $ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE $K)))))")
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res ==
+        Spec.MLKEM.(vector_ntt (decode_then_decompress_u #$K (Seq.slice $ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE $K)))))"#)
 )]
 fn deserialize_then_decompress_u<
     const K: usize,
@@ -996,12 +1002,12 @@ fn deserialize_then_decompress_u<
             .chunks_exact((COEFFICIENTS_IN_RING_ELEMENT * U_COMPRESSION_FACTOR) / 8)
             .enumerate()
         {
-            hax_lib::loop_invariant!(|i: usize| { fstar!("forall (j: nat). j < v $i ==>
-              j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) <= v $CIPHERTEXT_SIZE /\\
+            hax_lib::loop_invariant!(|i: usize| { fstar!(r#"forall (j: nat). j < v $i ==>
+              j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) <= v $CIPHERTEXT_SIZE /\
               Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $u_as_ntt j) ==
                 Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v $U_COMPRESSION_FACTOR)
                   (Seq.slice $ciphertext (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K))
-                    (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE $K))))") });
+                    (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE $K))))"#) });
             u_as_ntt[i]  = deserialize_then_decompress_ring_element_u::<U_COMPRESSION_FACTOR, Vector>(u_bytes);
             ntt_vector_u::<U_COMPRESSION_FACTOR, Vector>(&mut u_as_ntt[i]);
         }
@@ -1018,27 +1024,27 @@ fn deserialize_then_decompress_u<
 /// Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-    v (${secret_key.len()}) / v $BYTES_PER_RING_ELEMENT <= v $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    v (${secret_key.len()}) / v $BYTES_PER_RING_ELEMENT <= v $K"#))]
 #[hax_lib::ensures(|res|
-    fstar!("Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res ==
-         Spec.MLKEM.vector_decode_12 #$K $secret_key")
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res ==
+         Spec.MLKEM.vector_decode_12 #$K $secret_key"#)
 )]
 pub(crate) fn deserialize_secret_key<const K: usize, Vector: Operations>(
     secret_key: &[u8],
 ) -> [PolynomialRingElement<Vector>; K] {
-    hax_lib::fstar!("assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)");
+    hax_lib::fstar!(r#"assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)"#);
     let mut secret_as_ntt = from_fn(|_| PolynomialRingElement::<Vector>::ZERO());
     cloop! {
         for (i, secret_bytes) in secret_key.chunks_exact(BYTES_PER_RING_ELEMENT).enumerate() {
-            hax_lib::loop_invariant!(|i: usize| { fstar!("forall (j: nat). j < v $i ==>
+            hax_lib::loop_invariant!(|i: usize| { fstar!(r#"forall (j: nat). j < v $i ==>
                 j * v $BYTES_PER_RING_ELEMENT + v $BYTES_PER_RING_ELEMENT <=
-                    v (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K) /\\
+                    v (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K) /\
                 Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $secret_as_ntt j) ==
                     Spec.MLKEM.byte_decode 12 (Seq.slice $secret_key
                         (j * v $BYTES_PER_RING_ELEMENT)
-                        (j * v $BYTES_PER_RING_ELEMENT + v $BYTES_PER_RING_ELEMENT))") });
+                        (j * v $BYTES_PER_RING_ELEMENT + v $BYTES_PER_RING_ELEMENT))"#) });
             secret_as_ntt[i] = deserialize_to_uncompressed_ring_element(secret_bytes);
         }
     }
@@ -1073,14 +1079,14 @@ pub(crate) fn deserialize_secret_key<const K: usize, Vector: Operations>(
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
 #[allow(non_snake_case)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
-    $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+    $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K"#))]
 #[hax_lib::ensures(|result|
-    fstar!("$result == Spec.MLKEM.ind_cpa_decrypt_unpacked $K $ciphertext
-        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${secret_key}.f_secret_as_ntt)")
+    fstar!(r#"$result == Spec.MLKEM.ind_cpa_decrypt_unpacked $K $ciphertext
+        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${secret_key}.f_secret_as_ntt)"#)
 )]
 #[inline(always)]
 pub(crate) fn decrypt_unpacked<
@@ -1110,14 +1116,14 @@ pub(crate) fn decrypt_unpacked<
 }
 
 #[allow(non_snake_case)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\
-    length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ 
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\
-    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ 
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K"#))]
 #[hax_lib::ensures(|result|
-    fstar!("$result == Spec.MLKEM.ind_cpa_decrypt $K $secret_key $ciphertext")
+    fstar!(r#"$result == Spec.MLKEM.ind_cpa_decrypt $K $secret_key $ciphertext"#)
 )]
 #[inline(always)]
 pub(crate) fn decrypt<
@@ -1131,7 +1137,7 @@ pub(crate) fn decrypt<
     secret_key: &[u8],
     ciphertext: &[u8; CIPHERTEXT_SIZE],
 ) -> [u8; SHARED_SECRET_SIZE] {
-    hax_lib::fstar!("reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt");
+    hax_lib::fstar!(r#"reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt"#);
     // sˆ := Decode_12(sk)
     let secret_as_ntt = deserialize_secret_key::<K, Vector>(secret_key);
     let secret_key_unpacked = IndCpaPrivateKeyUnpacked { secret_as_ntt };
diff --git a/libcrux-ml-kem/src/invert_ntt.rs b/libcrux-ml-kem/src/invert_ntt.rs
index 87bc90fed..81d9db04f 100644
--- a/libcrux-ml-kem/src/invert_ntt.rs
+++ b/libcrux-ml-kem/src/invert_ntt.rs
@@ -24,35 +24,37 @@ use crate::{
        forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328)
             (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"
 )]
-#[hax_lib::requires(fstar!("v ${*zeta_i} == 128 /\\
-    invert_ntt_re_range_1 $re"))]
-#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\
-    v ${*zeta_i}_future == 64"))]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 128 /\
+    invert_ntt_re_range_1 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"invert_ntt_re_range_2 ${re}_future /\
+    v ${*zeta_i}_future == 64"#))]
 pub(crate) fn invert_ntt_at_layer_1<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
     _layer: usize,
 ) {
-    hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #$:Vector)");
-    hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)");
+    hax_lib::fstar!(r#"reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #$:Vector)"#);
+    hax_lib::fstar!(r#"reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"#);
     let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
         hax_lib::loop_invariant!(|round: usize| {
             fstar!(
-                "v zeta_i == v $_zeta_i_init - v $round * 4 /\\
-          (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==>
+                r#"v zeta_i == v $_zeta_i_init - v $round * 4 /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
             Spec.Utils.is_i16b_array_opaque (4 * 3328)
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
           (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
             )
         });
         *zeta_i -= 1;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque (4*3328) 
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] = Vector::inv_ntt_layer_1_step(
             re.coefficients[round],
             zeta(*zeta_i),
@@ -61,9 +63,11 @@ pub(crate) fn invert_ntt_at_layer_1<Vector: Operations>(
             zeta(*zeta_i - 3),
         );
         *zeta_i -= 3;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque 3328 
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         hax_lib::fstar!(
             "assert (Spec.Utils.is_i16b_array_opaque 3328
             (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
@@ -73,41 +77,45 @@ pub(crate) fn invert_ntt_at_layer_1<Vector: Operations>(
 }
 
 #[inline(always)]
-#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
-#[hax_lib::requires(fstar!("v ${*zeta_i} == 64 /\\
-    invert_ntt_re_range_2 $re "))]
-#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\
-    v ${*zeta_i}_future == 32"))]
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning"#)]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 64 /\
+    invert_ntt_re_range_2 $re "#))]
+#[hax_lib::ensures(|result| fstar!(r#"invert_ntt_re_range_2 ${re}_future /\
+    v ${*zeta_i}_future == 32"#))]
 pub(crate) fn invert_ntt_at_layer_2<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
     _layer: usize,
 ) {
-    hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)");
+    hax_lib::fstar!(r#"reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"#);
     let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
         hax_lib::loop_invariant!(|round: usize| {
             fstar!(
-                "v zeta_i == v $_zeta_i_init - v $round * 2 /\\
-          (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==>
+                r#"v zeta_i == v $_zeta_i_init - v $round * 2 /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
             Spec.Utils.is_i16b_array_opaque 3328
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
           (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
             )
         });
         *zeta_i -= 1;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque 3328 
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] =
             Vector::inv_ntt_layer_2_step(re.coefficients[round], zeta(*zeta_i), zeta(*zeta_i - 1));
         *zeta_i -= 1;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque 3328 
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         hax_lib::fstar!(
             "assert (Spec.Utils.is_i16b_array_opaque 3328
             (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
@@ -118,34 +126,36 @@ pub(crate) fn invert_ntt_at_layer_2<Vector: Operations>(
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
-#[hax_lib::requires(fstar!("v ${*zeta_i} == 32 /\\
-    invert_ntt_re_range_2 $re"))]
-#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\
-    v ${*zeta_i}_future == 16"))]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 32 /\
+    invert_ntt_re_range_2 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"invert_ntt_re_range_2 ${re}_future /\
+    v ${*zeta_i}_future == 16"#))]
 pub(crate) fn invert_ntt_at_layer_3<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
     _layer: usize,
 ) {
-    hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)");
+    hax_lib::fstar!(r#"reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"#);
     let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
         hax_lib::loop_invariant!(|round: usize| {
             fstar!(
-                "v zeta_i == v $_zeta_i_init - v $round /\\
-          (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==>
+                r#"v zeta_i == v $_zeta_i_init - v $round /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
             Spec.Utils.is_i16b_array_opaque 3328
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
           (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
             )
         });
         *zeta_i -= 1;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque 3328 
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] =
             Vector::inv_ntt_layer_3_step(re.coefficients[round], zeta(*zeta_i));
         hax_lib::fstar!(
@@ -162,17 +172,17 @@ pub(crate) fn invert_ntt_at_layer_3<Vector: Operations>(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta_r /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta_r /\
     (forall i. i < 16 ==>
         Spec.Utils.is_intb (pow2 15 - 1)
         (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i) -
-        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i))) /\\
+        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i))) /\
     (forall i. i < 16 ==>
         Spec.Utils.is_intb (pow2 15 - 1)
         (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) +
-        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i))) /\\
+        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i))) /\
     Spec.Utils.is_i16b_array 28296 (Libcrux_ml_kem.Vector.Traits.f_to_i16_array
-        (Libcrux_ml_kem.Vector.Traits.f_add $a $b))"))]
+        (Libcrux_ml_kem.Vector.Traits.f_add $a $b))"#))]
 pub(crate) fn inv_ntt_layer_int_vec_step_reduce<Vector: Operations>(
     mut a: Vector,
     mut b: Vector,
@@ -186,7 +196,7 @@ pub(crate) fn inv_ntt_layer_int_vec_step_reduce<Vector: Operations>(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("v $layer >= 4 /\\ v $layer <= 7"))]
+#[hax_lib::requires(fstar!(r#"v $layer >= 4 /\ v $layer <= 7"#))]
 pub(crate) fn invert_ntt_at_layer_4_plus<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
@@ -217,7 +227,7 @@ pub(crate) fn invert_ntt_at_layer_4_plus<Vector: Operations>(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("invert_ntt_re_range_1 $re"))]
+#[hax_lib::requires(fstar!(r#"invert_ntt_re_range_1 $re"#))]
 pub(crate) fn invert_ntt_montgomery<const K: usize, Vector: Operations>(
     re: &mut PolynomialRingElement<Vector>,
 ) {
diff --git a/libcrux-ml-kem/src/matrix.rs b/libcrux-ml-kem/src/matrix.rs
index 29a90874c..3f008cd32 100644
--- a/libcrux-ml-kem/src/matrix.rs
+++ b/libcrux-ml-kem/src/matrix.rs
@@ -6,12 +6,12 @@ use crate::{
 #[inline(always)]
 #[allow(non_snake_case)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
 #[hax_lib::ensures(|res|
-    fstar!("let (matrix_A, valid) = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice $seed 0 32) in
+    fstar!(r#"let (matrix_A, valid) = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice $seed 0 32) in
         valid ==> (
         if $transpose then Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == matrix_A
-        else Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == Spec.MLKEM.matrix_transpose matrix_A)")
+        else Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == Spec.MLKEM.matrix_transpose matrix_A)"#)
 )]
 pub(crate) fn sample_matrix_A<const K: usize, Vector: Operations, Hasher: Hash<K>>(
     A_transpose: &mut [[PolynomialRingElement<Vector>; K]; K],
@@ -46,15 +46,15 @@ pub(crate) fn sample_matrix_A<const K: usize, Vector: Operations, Hasher: Hash<K
 /// Compute v − InverseNTT(sᵀ ◦ NTT(u))
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
 #[hax_lib::ensures(|res|
-    fstar!("let open Libcrux_ml_kem.Polynomial in
+    fstar!(r#"let open Libcrux_ml_kem.Polynomial in
         let secret_spec = to_spec_vector_t $secret_as_ntt in
         let u_spec = to_spec_vector_t $u_as_ntt in
         let v_spec = to_spec_poly_t $v in
         to_spec_poly_t $res ==
             Spec.MLKEM.(poly_sub v_spec (poly_inv_ntt (vector_dot_product_ntt #$K secret_spec u_spec))) /\\
-        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res")
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res"#)
 )]
 pub(crate) fn compute_message<const K: usize, Vector: Operations>(
     v: &PolynomialRingElement<Vector>,
@@ -77,16 +77,16 @@ pub(crate) fn compute_message<const K: usize, Vector: Operations>(
 /// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
 #[hax_lib::ensures(|res|
-    fstar!("let open Libcrux_ml_kem.Polynomial in
+    fstar!(r#"let open Libcrux_ml_kem.Polynomial in
         let tt_spec = to_spec_vector_t $t_as_ntt in
         let r_spec = to_spec_vector_t $r_as_ntt in
         let e2_spec = to_spec_poly_t $error_2 in
         let m_spec = to_spec_poly_t $message in
         let res_spec = to_spec_poly_t $res in
         res_spec == Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #$K tt_spec r_spec) e2_spec) m_spec) /\\
-        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res")
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res"#)
 )]
 pub(crate) fn compute_ring_element_v<const K: usize, Vector: Operations>(
     t_as_ntt: &[PolynomialRingElement<Vector>; K],
@@ -110,16 +110,16 @@ pub(crate) fn compute_ring_element_v<const K: usize, Vector: Operations>(
 /// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
 #[hax_lib::ensures(|res|
-    fstar!("let open Libcrux_ml_kem.Polynomial in
+    fstar!(r#"let open Libcrux_ml_kem.Polynomial in
         let a_spec = to_spec_matrix_t $a_as_ntt in
         let r_spec = to_spec_vector_t $r_as_ntt in
         let e_spec = to_spec_vector_t $error_1 in
         let res_spec = to_spec_vector_t $res in
         res_spec == Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\\
         (forall (i:nat). i < v $K ==>
-            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $res i))")
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $res i))"#)
 )]
 pub(crate) fn compute_vector_u<const K: usize, Vector: Operations>(
     a_as_ntt: &[[PolynomialRingElement<Vector>; K]; K],
@@ -149,16 +149,16 @@ pub(crate) fn compute_vector_u<const K: usize, Vector: Operations>(
 #[inline(always)]
 #[allow(non_snake_case)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
 #[hax_lib::ensures(|res|
-    fstar!("let open Libcrux_ml_kem.Polynomial in
+    fstar!(r#"let open Libcrux_ml_kem.Polynomial in
         to_spec_vector_t ${t_as_ntt}_future =
              Spec.MLKEM.compute_As_plus_e_ntt
                (to_spec_matrix_t $matrix_A) 
                (to_spec_vector_t $s_as_ntt) 
                (to_spec_vector_t $error_as_ntt) /\\
         (forall (i: nat). i < v $K ==>
-            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${t_as_ntt}_future i))")
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${t_as_ntt}_future i))"#)
 )]
 pub(crate) fn compute_As_plus_e<const K: usize, Vector: Operations>(
     t_as_ntt: &mut [PolynomialRingElement<Vector>; K],
diff --git a/libcrux-ml-kem/src/mlkem1024.rs b/libcrux-ml-kem/src/mlkem1024.rs
index 175ee8d2e..7e90491ea 100644
--- a/libcrux-ml-kem/src/mlkem1024.rs
+++ b/libcrux-ml-kem/src/mlkem1024.rs
@@ -263,9 +263,9 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("forall (i:nat). i < 4 ==>
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 4 ==>
                     Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"))]
+                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn serialized_public_key(
                     public_key: &MlKem1024PublicKeyUnpacked,
                     serialized: &mut MlKem1024PublicKey,
@@ -287,17 +287,17 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("forall (i:nat). i < 4 ==>
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 4 ==>
                     Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"))]
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key_mut(key_pair: &MlKem1024KeyPairUnpacked, serialized: &mut MlKem1024PublicKey) {
                     key_pair.serialized_public_key_mut::<RANKED_BYTES_PER_RING_ELEMENT_1024, CPA_PKE_PUBLIC_KEY_SIZE_1024>(serialized);
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("forall (i:nat). i < 4 ==>
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 4 ==>
                     Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"))]
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key(key_pair: &MlKem1024KeyPairUnpacked) ->MlKem1024PublicKey {
                     key_pair.serialized_public_key::<RANKED_BYTES_PER_RING_ELEMENT_1024, CPA_PKE_PUBLIC_KEY_SIZE_1024>()
                 }
@@ -467,8 +467,8 @@ pub fn validate_private_key(
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem1024_generate_keypair $randomness in
-        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)")
+    fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem1024_generate_keypair $randomness in
+        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)"#)
 )]
 pub fn generate_key_pair(
     randomness: [u8; KEY_GENERATION_SEED_SIZE],
@@ -492,9 +492,9 @@ pub fn generate_key_pair(
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem1024_encapsulate ${public_key}.f_value $randomness in
+    fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem1024_encapsulate ${public_key}.f_value $randomness in
         let (res_ciphertext, res_shared_secret) = $res in
-        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)")
+        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)"#)
 )]
 pub fn encapsulate(
     public_key: &MlKem1024PublicKey,
@@ -524,8 +524,8 @@ pub fn encapsulate(
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem1024_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
-        valid ==> $res == shared_secret")
+    fstar!(r#"let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem1024_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
+        valid ==> $res == shared_secret"#)
 )]
 pub fn decapsulate(
     private_key: &MlKem1024PrivateKey,
diff --git a/libcrux-ml-kem/src/mlkem512.rs b/libcrux-ml-kem/src/mlkem512.rs
index b9b33596d..6b5498d51 100644
--- a/libcrux-ml-kem/src/mlkem512.rs
+++ b/libcrux-ml-kem/src/mlkem512.rs
@@ -253,9 +253,9 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("forall (i:nat). i < 2 ==>
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 2 ==>
                     Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"))]
+                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn serialized_public_key(
                     public_key: &MlKem512PublicKeyUnpacked,
                     serialized: &mut MlKem512PublicKey,
@@ -277,17 +277,17 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("forall (i:nat). i < 2 ==>
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 2 ==>
                     Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"))]
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key_mut(key_pair: &MlKem512KeyPairUnpacked, serialized: &mut MlKem512PublicKey) {
                     key_pair.serialized_public_key_mut::<RANKED_BYTES_PER_RING_ELEMENT_512, CPA_PKE_PUBLIC_KEY_SIZE_512>(serialized);
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("forall (i:nat). i < 2 ==>
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 2 ==>
                     Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"))]
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key(key_pair: &MlKem512KeyPairUnpacked) ->MlKem512PublicKey {
                     key_pair.serialized_public_key::<RANKED_BYTES_PER_RING_ELEMENT_512, CPA_PKE_PUBLIC_KEY_SIZE_512>()
                 }
@@ -455,8 +455,8 @@ pub fn validate_private_key(
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem512_generate_keypair $randomness in
-        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)")
+    fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem512_generate_keypair $randomness in
+        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)"#)
 )]
 pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512KeyPair {
     multiplexing::generate_keypair::<
@@ -478,9 +478,9 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem512_encapsulate ${public_key}.f_value $randomness in
+    fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem512_encapsulate ${public_key}.f_value $randomness in
         let (res_ciphertext, res_shared_secret) = $res in
-        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)")
+        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)"#)
 )]
 pub fn encapsulate(
     public_key: &MlKem512PublicKey,
@@ -510,8 +510,8 @@ pub fn encapsulate(
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem512_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
-        valid ==> $res == shared_secret")
+    fstar!(r#"let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem512_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
+        valid ==> $res == shared_secret"#)
 )]
 pub fn decapsulate(
     private_key: &MlKem512PrivateKey,
diff --git a/libcrux-ml-kem/src/mlkem768.rs b/libcrux-ml-kem/src/mlkem768.rs
index 7a684b2a4..9deb50115 100644
--- a/libcrux-ml-kem/src/mlkem768.rs
+++ b/libcrux-ml-kem/src/mlkem768.rs
@@ -254,9 +254,9 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("forall (i:nat). i < 3 ==>
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 3 ==>
                     Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"))]
+                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn serialized_public_key(public_key: &MlKem768PublicKeyUnpacked, serialized : &mut MlKem768PublicKey) {
                     public_key.serialized_mut::<RANKED_BYTES_PER_RING_ELEMENT_768, CPA_PKE_PUBLIC_KEY_SIZE_768>(serialized);
                 }
@@ -272,17 +272,17 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("(forall (i:nat). i < 3 ==>
+                #[hax_lib::requires(fstar!(r#"(forall (i:nat). i < 3 ==>
                         Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                            ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"))]
+                            ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
                 pub fn key_pair_serialized_public_key_mut(key_pair: &MlKem768KeyPairUnpacked, serialized: &mut MlKem768PublicKey) {
                     key_pair.serialized_public_key_mut::<RANKED_BYTES_PER_RING_ELEMENT_768, CPA_PKE_PUBLIC_KEY_SIZE_768>(serialized);
                 }
 
                 /// Get the serialized public key.
-                #[hax_lib::requires(fstar!("forall (i:nat). i < 3 ==>
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 3 ==>
                     Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
-                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"))]
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key(key_pair: &MlKem768KeyPairUnpacked) ->MlKem768PublicKey {
                     key_pair.serialized_public_key::<RANKED_BYTES_PER_RING_ELEMENT_768, CPA_PKE_PUBLIC_KEY_SIZE_768>()
                 }
@@ -450,8 +450,8 @@ pub fn validate_private_key(
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem768_generate_keypair $randomness in
-        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)")
+    fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem768_generate_keypair $randomness in
+        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)"#)
 )]
 pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768KeyPair {
     multiplexing::generate_keypair::<
@@ -473,9 +473,9 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem768_encapsulate ${public_key}.f_value $randomness in
+    fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem768_encapsulate ${public_key}.f_value $randomness in
         let (res_ciphertext, res_shared_secret) = $res in
-        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)")
+        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)"#)
 )]
 pub fn encapsulate(
     public_key: &MlKem768PublicKey,
@@ -505,8 +505,8 @@ pub fn encapsulate(
 #[cfg(not(eurydice))]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
-    fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem768_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
-        valid ==> $res == shared_secret")
+    fstar!(r#"let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem768_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
+        valid ==> $res == shared_secret"#)
 )]
 pub fn decapsulate(
     private_key: &MlKem768PrivateKey,
diff --git a/libcrux-ml-kem/src/ntt.rs b/libcrux-ml-kem/src/ntt.rs
index fa08e35e5..12feb2485 100644
--- a/libcrux-ml-kem/src/ntt.rs
+++ b/libcrux-ml-kem/src/ntt.rs
@@ -24,36 +24,38 @@ use crate::{
         forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328)
                 (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"
 )]
-#[hax_lib::requires(fstar!("v ${*zeta_i} == 63 /\\
-    ntt_re_range_2 $re"))]
-#[hax_lib::ensures(|result| fstar!("ntt_re_range_1 ${re}_future /\\
-    v ${*zeta_i}_future == 127"))]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 63 /\
+    ntt_re_range_2 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"ntt_re_range_1 ${re}_future /\
+    v ${*zeta_i}_future == 127"#))]
 pub(crate) fn ntt_at_layer_1<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
     _layer: usize,
     _initial_coefficient_bound: usize,
 ) {
-    hax_lib::fstar!("reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)");
-    hax_lib::fstar!("reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #$:Vector)");
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"#);
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #$:Vector)"#);
     let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
         hax_lib::loop_invariant!(|round: usize| {
             fstar!(
-                "v zeta_i == v $_zeta_i_init + v $round * 4 /\\
-          (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==>
+                r#"v zeta_i == v $_zeta_i_init + v $round * 4 /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
             Spec.Utils.is_i16b_array_opaque (11207+5*3328)
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
           (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328)
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
             )
         });
         *zeta_i += 1;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque (11207+5*3328)
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] = Vector::ntt_layer_1_step(
             re.coefficients[round],
             zeta(*zeta_i),
@@ -62,9 +64,11 @@ pub(crate) fn ntt_at_layer_1<Vector: Operations>(
             zeta(*zeta_i + 3),
         );
         *zeta_i += 3;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque (11207+6*3328)
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         hax_lib::fstar!(
             "assert (Spec.Utils.is_i16b_array_opaque (11207+6*3328)
         (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
@@ -84,42 +88,46 @@ pub(crate) fn ntt_at_layer_1<Vector: Operations>(
        forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328)
             (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"
 )]
-#[hax_lib::requires(fstar!("v ${*zeta_i} == 31 /\\
-    ntt_re_range_3 $re"))]
-#[hax_lib::ensures(|result| fstar!("ntt_re_range_2 ${re}_future /\\
-    v ${*zeta_i}_future == 63"))]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 31 /\
+    ntt_re_range_3 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"ntt_re_range_2 ${re}_future /\
+    v ${*zeta_i}_future == 63"#))]
 pub(crate) fn ntt_at_layer_2<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
     _layer: usize,
     _initial_coefficient_bound: usize,
 ) {
-    hax_lib::fstar!("reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)");
-    hax_lib::fstar!("reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)");
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"#);
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"#);
     let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
         hax_lib::loop_invariant!(|round: usize| {
             fstar!(
-                "v zeta_i == v $_zeta_i_init + v $round * 2 /\\
-          (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==>
+                r#"v zeta_i == v $_zeta_i_init + v $round * 2 /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
             Spec.Utils.is_i16b_array_opaque (11207+4*3328)
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
           (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328)
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
             )
         });
         *zeta_i += 1;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque (11207+4*3328)
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] =
             Vector::ntt_layer_2_step(re.coefficients[round], zeta(*zeta_i), zeta(*zeta_i + 1));
         *zeta_i += 1;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque (11207+5*3328)
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         hax_lib::fstar!(
             "assert (Spec.Utils.is_i16b_array_opaque (11207+5*3328)
             (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
@@ -139,36 +147,38 @@ pub(crate) fn ntt_at_layer_2<Vector: Operations>(
        forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328)
             (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"
 )]
-#[hax_lib::requires(fstar!("v ${*zeta_i} == 15 /\\
-    ntt_re_range_4 $re"))]
-#[hax_lib::ensures(|result| fstar!("ntt_re_range_3 ${re}_future /\\
-    v ${*zeta_i}_future == 31"))]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 15 /\
+    ntt_re_range_4 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"ntt_re_range_3 ${re}_future /\
+    v ${*zeta_i}_future == 31"#))]
 pub(crate) fn ntt_at_layer_3<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
     _layer: usize,
     _initial_coefficient_bound: usize,
 ) {
-    hax_lib::fstar!("reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #$:Vector)");
-    hax_lib::fstar!("reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)");
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #$:Vector)"#);
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"#);
     let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
         hax_lib::loop_invariant!(|round: usize| {
             fstar!(
-                "v zeta_i == v $_zeta_i_init + v $round /\\
-          (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==>
+                r#"v zeta_i == v $_zeta_i_init + v $round /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
             Spec.Utils.is_i16b_array_opaque (11207+3*3328)
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
           (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328)
-              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
             )
         });
         *zeta_i += 1;
-        hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
                         (Spec.Utils.is_i16b_array_opaque (11207+3*3328)
-                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))");
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] = Vector::ntt_layer_3_step(re.coefficients[round], zeta(*zeta_i));
         hax_lib::fstar!(
             "reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
@@ -184,16 +194,16 @@ pub(crate) fn ntt_at_layer_3<Vector: Operations>(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta_r /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta_r /\
     (let t = ${montgomery_multiply_fe::<Vector>} $b $zeta_r in
     (forall i. i < 16 ==>
         Spec.Utils.is_intb (pow2 15 - 1)
         (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) -
-        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\\
+        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\
     (forall i. i < 16 ==>
         Spec.Utils.is_intb (pow2 15 - 1)
         (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) +
-        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"))]
+        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"#))]
 fn ntt_layer_int_vec_step<Vector: Operations>(
     mut a: Vector,
     mut b: Vector,
@@ -207,16 +217,16 @@ fn ntt_layer_int_vec_step<Vector: Operations>(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("v $layer >= 4 /\\ v $layer <= 7 /\\
-    ((v $layer == 4 ==> v ${*zeta_i} == 7) /\\
-    (v $layer == 5 ==> v ${*zeta_i} == 3) /\\
-    (v $layer == 6 ==> v ${*zeta_i} == 1) /\\
-    (v $layer == 7 ==> v ${*zeta_i} == 0))"))]
-#[hax_lib::ensures(|result| fstar!("ntt_re_range_4 ${re}_future /\\
-    (v $layer == 4 ==> v ${*zeta_i}_future == 15) /\\
-    (v $layer == 5 ==> v ${*zeta_i}_future == 7) /\\
-    (v $layer == 6 ==> v ${*zeta_i}_future == 3) /\\
-    (v $layer == 7 ==> v ${*zeta_i}_future == 1)"))]
+#[hax_lib::requires(fstar!(r#"v $layer >= 4 /\ v $layer <= 7 /\
+    ((v $layer == 4 ==> v ${*zeta_i} == 7) /\
+    (v $layer == 5 ==> v ${*zeta_i} == 3) /\
+    (v $layer == 6 ==> v ${*zeta_i} == 1) /\
+    (v $layer == 7 ==> v ${*zeta_i} == 0))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"ntt_re_range_4 ${re}_future /\
+    (v $layer == 4 ==> v ${*zeta_i}_future == 15) /\
+    (v $layer == 5 ==> v ${*zeta_i}_future == 7) /\
+    (v $layer == 6 ==> v ${*zeta_i}_future == 3) /\
+    (v $layer == 7 ==> v ${*zeta_i}_future == 1)"#))]
 pub(crate) fn ntt_at_layer_4_plus<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
@@ -259,33 +269,33 @@ pub(crate) fn ntt_at_layer_4_plus<Vector: Operations>(
         (re_0 re_1: v_Vector) =
     (forall i. i < 16 ==>
       Spec.Utils.is_intb (pow2 15 - 1)
-      (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\\
+      (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\
     (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in
     (forall i. i < 16 ==> 
       Spec.Utils.is_intb (pow2 15 - 1) 
         (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - 
-          v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\\
+          v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\
     (forall i. i < 16 ==> 
       Spec.Utils.is_intb (pow2 15 - 1) 
         (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + 
           v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"
 )]
-#[hax_lib::requires(fstar!("forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ])
-    (${re}.f_coefficients.[ sz i +! sz 8 ])"))]
+#[hax_lib::requires(fstar!(r#"forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ])
+    (${re}.f_coefficients.[ sz i +! sz 8 ])"#))]
 pub(crate) fn ntt_at_layer_7<Vector: Operations>(re: &mut PolynomialRingElement<Vector>) {
     let step = VECTORS_IN_RING_ELEMENT / 2;
-    hax_lib::fstar!("assert (v $step == 8)");
+    hax_lib::fstar!(r#"assert (v $step == 8)"#);
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for j in 0..step {
         hax_lib::loop_invariant!(|j: usize| {
             fstar!(
-                "(v j < 8 ==>
-          (forall (i:nat). (i >= v j /\\ i < 8) ==>
-            ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))"
+                r#"(v j < 8 ==>
+          (forall (i:nat). (i >= v j /\ i < 8) ==>
+            ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))"#
             )
         });
-        hax_lib::fstar!("reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #$:Vector)");
+        hax_lib::fstar!(r#"reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #$:Vector)"#);
         let t = Vector::multiply_by_constant(re.coefficients[j + step], -1600);
         re.coefficients[j + step] = Vector::sub(re.coefficients[j], &t);
         re.coefficients[j] = Vector::add(re.coefficients[j], &t);
@@ -296,11 +306,11 @@ pub(crate) fn ntt_at_layer_7<Vector: Operations>(re: &mut PolynomialRingElement<
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::fstar::options("--z3rlimit 200")]
-#[hax_lib::requires(fstar!("forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ])
-    (${re}.f_coefficients.[ sz i +! sz 8 ])"))]
-#[hax_lib::ensures(|_| fstar!("Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${re}_future ==
-    Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re) /\\
-    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #$:Vector ${re}_future"))]
+#[hax_lib::requires(fstar!(r#"forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ])
+    (${re}.f_coefficients.[ sz i +! sz 8 ])"#))]
+#[hax_lib::ensures(|_| fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${re}_future ==
+    Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re) /\
+    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #$:Vector ${re}_future"#))]
 pub(crate) fn ntt_binomially_sampled_ring_element<Vector: Operations>(
     re: &mut PolynomialRingElement<Vector>,
 ) {
@@ -322,8 +332,8 @@ pub(crate) fn ntt_binomially_sampled_ring_element<Vector: Operations>(
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::fstar::options("--z3rlimit 200")]
-#[hax_lib::ensures(|_| fstar!("Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${re}_future ==
-    Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"))]
+#[hax_lib::ensures(|_| fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${re}_future ==
+    Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#))]
 pub(crate) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usize, Vector: Operations>(
     re: &mut PolynomialRingElement<Vector>,
 ) {
diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index 541322227..accd43531 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -1,7 +1,7 @@
 use crate::vector::{to_standard_domain, Operations, FIELD_ELEMENTS_IN_VECTOR};
 
 pub(crate) const ZETAS_TIMES_MONTGOMERY_R: [i16; 128] = {
-    hax_lib::fstar!("assert_norm (pow2 16 == 65536)");
+    hax_lib::fstar!(r#"assert_norm (pow2 16 == 65536)"#);
     [
         -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474,
         1468, 573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411,
@@ -19,7 +19,7 @@ pub(crate) const ZETAS_TIMES_MONTGOMERY_R: [i16; 128] = {
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::requires(i < 128)]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 1664 result"))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b 1664 result"#))]
 pub fn zeta(i: usize) -> i16 {
     ZETAS_TIMES_MONTGOMERY_R[i]
 }
diff --git a/libcrux-ml-kem/src/sampling.rs b/libcrux-ml-kem/src/sampling.rs
index 9f17bf8c1..d10a4a7f2 100644
--- a/libcrux-ml-kem/src/sampling.rs
+++ b/libcrux-ml-kem/src/sampling.rs
@@ -178,21 +178,21 @@ fn sample_from_binomial_distribution_2<Vector: Operations>(
 
             let even_bits = random_bits_as_u32 & 0x55555555;
             let odd_bits = (random_bits_as_u32 >> 1) & 0x55555555;
-            hax_lib::fstar!("logand_lemma $random_bits_as_u32 1431655765ul;
-                logand_lemma ($random_bits_as_u32 >>! 1l) 1431655765ul");
+            hax_lib::fstar!(r#"logand_lemma $random_bits_as_u32 1431655765ul;
+                logand_lemma ($random_bits_as_u32 >>! 1l) 1431655765ul"#);
             let coin_toss_outcomes = even_bits + odd_bits;
 
             cloop! {
                 for outcome_set in (0..u32::BITS).step_by(4) {
                     let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as i16;
                     let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as i16;
-                    hax_lib::fstar!("logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 3ul;
+                    hax_lib::fstar!(r#"logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 3ul;
                         logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 2ul <: u32) <: u32) 3ul;
                         assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 3);
                         assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 3);
                         assert (v $chunk_number <= 31);
                         assert (v (sz 8 *! $chunk_number <: usize) <= 248);
-                        assert (v (cast ($outcome_set >>! 2l <: u32) <: usize) <= 7)");
+                        assert (v (cast ($outcome_set >>! 2l <: u32) <: usize) <= 7)"#);
 
                     let offset = (outcome_set >> 2) as usize;
                     sampled_i16s[8 * chunk_number + offset] = outcome_1 - outcome_2;
@@ -228,9 +228,9 @@ fn sample_from_binomial_distribution_3<Vector: Operations>(
             let first_bits = random_bits_as_u24 & 0x00249249;
             let second_bits = (random_bits_as_u24 >> 1) & 0x00249249;
             let third_bits = (random_bits_as_u24 >> 2) & 0x00249249;
-            hax_lib::fstar!("logand_lemma $random_bits_as_u24 2396745ul;
+            hax_lib::fstar!(r#"logand_lemma $random_bits_as_u24 2396745ul;
                 logand_lemma ($random_bits_as_u24 >>! 1l <: u32) 2396745ul;
-                logand_lemma ($random_bits_as_u24 >>! 2l <: u32) 2396745ul");
+                logand_lemma ($random_bits_as_u24 >>! 2l <: u32) 2396745ul"#);
 
             let coin_toss_outcomes = first_bits + second_bits + third_bits;
 
@@ -238,13 +238,13 @@ fn sample_from_binomial_distribution_3<Vector: Operations>(
                 for outcome_set in (0..24).step_by(6) {
                     let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as i16;
                     let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as i16;
-                    hax_lib::fstar!("logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 7ul;
+                    hax_lib::fstar!(r#"logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 7ul;
                         logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 3l <: i32) <: u32) 7ul;
                         assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 7);
                         assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 7);
                         assert (v $chunk_number <= 63);
                         assert (v (sz 4 *! $chunk_number <: usize) <= 252);
-                        assert (v (cast ($outcome_set /! 6l <: i32) <: usize) <= 3)");
+                        assert (v (cast ($outcome_set /! 6l <: i32) <: usize) <= 3)"#);
 
                     let offset = (outcome_set / 6) as usize;
                     sampled_i16s[4 * chunk_number + offset] = outcome_1 - outcome_2;
@@ -258,10 +258,10 @@ fn sample_from_binomial_distribution_3<Vector: Operations>(
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::requires((ETA == 2 || ETA == 3) && randomness.len() == ETA * 64)]
-#[hax_lib::ensures(|result| fstar!("(forall (i:nat). i < 8 ==> Libcrux_ml_kem.Ntt.ntt_layer_7_pre
+#[hax_lib::ensures(|result| fstar!(r#"(forall (i:nat). i < 8 ==> Libcrux_ml_kem.Ntt.ntt_layer_7_pre
     (${result}.f_coefficients.[ sz i ]) (${result}.f_coefficients.[ sz i +! sz 8 ])) /\\
     Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result ==
-        Spec.MLKEM.sample_poly_cbd $ETA $randomness"))]
+        Spec.MLKEM.sample_poly_cbd $ETA $randomness"#))]
 pub(super) fn sample_from_binomial_distribution<const ETA: usize, Vector: Operations>(
     randomness: &[u8],
 ) -> PolynomialRingElement<Vector> {
diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs
index 211b1a08b..8fc1de500 100644
--- a/libcrux-ml-kem/src/serialize.rs
+++ b/libcrux-ml-kem/src/serialize.rs
@@ -23,25 +23,25 @@ let field_modulus_range (#v_Vector: Type0)
         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
         (a: v_Vector) =
     let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in
-    forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v $FIELD_MODULUS) /\\
+    forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v $FIELD_MODULUS) /\
         v (Seq.index coef i) < v $FIELD_MODULUS"
 )]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("field_modulus_range $a"))]
-#[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==>
-    v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) >= 0 /\\
-    v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < v $FIELD_MODULUS"))]
+#[hax_lib::requires(fstar!(r#"field_modulus_range $a"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==>
+    v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) >= 0 /\
+    v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < v $FIELD_MODULUS"#))]
 pub(super) fn to_unsigned_field_modulus<Vector: Operations>(a: Vector) -> Vector {
-    hax_lib::fstar!("reveal_opaque (`%field_modulus_range) (field_modulus_range #$:Vector)");
+    hax_lib::fstar!(r#"reveal_opaque (`%field_modulus_range) (field_modulus_range #$:Vector)"#);
     to_unsigned_representative::<Vector>(a)
 }
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("coefficients_field_modulus_range $re"))]
+#[hax_lib::requires(fstar!(r#"coefficients_field_modulus_range $re"#))]
 #[hax_lib::ensures(|result|
-    fstar!("$result ==
-        Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)")
+    fstar!(r#"$result ==
+        Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#)
 )]
 pub(super) fn compress_then_serialize_message<Vector: Operations>(
     re: PolynomialRingElement<Vector>,
@@ -54,7 +54,7 @@ pub(super) fn compress_then_serialize_message<Vector: Operations>(
             coefficients_field_modulus_range $re"
             )
         });
-        hax_lib::fstar!("assert (2 * v $i + 2 <= 32)");
+        hax_lib::fstar!(r#"assert (2 * v $i + 2 <= 32)"#);
         hax_lib::fstar!(
             "reveal_opaque (`%coefficients_field_modulus_range)
             (coefficients_field_modulus_range #$:Vector)"
@@ -72,8 +72,8 @@ pub(super) fn compress_then_serialize_message<Vector: Operations>(
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|result|
-    fstar!("Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result ==
-        Spec.MLKEM.decode_then_decompress_message $serialized")
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result ==
+        Spec.MLKEM.decode_then_decompress_message $serialized"#)
 )]
 pub(super) fn deserialize_then_decompress_message<Vector: Operations>(
     serialized: [u8; SHARED_SECRET_SIZE],
@@ -88,24 +88,24 @@ pub(super) fn deserialize_then_decompress_message<Vector: Operations>(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("coefficients_field_modulus_range $re"))]
+#[hax_lib::requires(fstar!(r#"coefficients_field_modulus_range $re"#))]
 #[hax_lib::ensures(|result|
-    fstar!("$result ==
-        Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)")
+    fstar!(r#"$result ==
+        Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#)
 )]
 pub(super) fn serialize_uncompressed_ring_element<Vector: Operations>(
     re: &PolynomialRingElement<Vector>,
 ) -> [u8; BYTES_PER_RING_ELEMENT] {
-    hax_lib::fstar!("assert_norm (pow2 12 == 4096)");
+    hax_lib::fstar!(r#"assert_norm (pow2 12 == 4096)"#);
     let mut serialized = [0u8; BYTES_PER_RING_ELEMENT];
     for i in 0..VECTORS_IN_RING_ELEMENT {
         hax_lib::loop_invariant!(|i: usize| {
             fstar!(
-                "v $i >= 0 /\\ v $i <= 16 /\\
-            v $i < 16 ==> coefficients_field_modulus_range $re"
+                r#"v $i >= 0 /\ v $i <= 16 /\
+            v $i < 16 ==> coefficients_field_modulus_range $re"#
             )
         });
-        hax_lib::fstar!("assert (24 * v $i + 24 <= 384)");
+        hax_lib::fstar!(r#"assert (24 * v $i + 24 <= 384)"#);
         hax_lib::fstar!(
             "reveal_opaque (`%coefficients_field_modulus_range)
             (coefficients_field_modulus_range #$:Vector)"
@@ -124,13 +124,13 @@ pub(super) fn serialize_uncompressed_ring_element<Vector: Operations>(
     serialized.len() == BYTES_PER_RING_ELEMENT
 )]
 #[hax_lib::ensures(|result|
-    fstar!("Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
-        Spec.MLKEM.byte_decode 12 $serialized")
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
+        Spec.MLKEM.byte_decode 12 $serialized"#)
 )]
 pub(super) fn deserialize_to_uncompressed_ring_element<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_lib::fstar!("assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)");
+    hax_lib::fstar!(r#"assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -153,7 +153,7 @@ pub(super) fn deserialize_to_uncompressed_ring_element<Vector: Operations>(
 fn deserialize_to_reduced_ring_element<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_lib::fstar!("assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)");
+    hax_lib::fstar!(r#"assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -172,12 +172,12 @@ fn deserialize_to_reduced_ring_element<Vector: Operations>(
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::requires(
-    fstar!("Spec.MLKEM.is_rank v_K /\\ 
-            Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)")
+    fstar!(r#"Spec.MLKEM.is_rank v_K /\ 
+            Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#)
 )]
 #[hax_lib::ensures(|result|
-    fstar!("forall (i:nat). i < v $K ==>
-        coefficients_field_modulus_range (Seq.index $result i)")
+    fstar!(r#"forall (i:nat). i < v $K ==>
+        coefficients_field_modulus_range (Seq.index $result i)"#)
 )]
 pub(super) fn deserialize_ring_elements_reduced_out<const K: usize, Vector: Operations>(
     public_key: &[u8],
@@ -191,12 +191,12 @@ pub(super) fn deserialize_ring_elements_reduced_out<const K: usize, Vector: Oper
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::requires(
-    fstar!("Spec.MLKEM.is_rank v_K /\\ 
-            Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)")
+    fstar!(r#"Spec.MLKEM.is_rank v_K /\ 
+            Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#)
 )]
 #[hax_lib::ensures(|_|
-    fstar!("Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${deserialized_pk}_future == 
-        Spec.MLKEM.vector_decode_12 #$K $public_key")
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${deserialized_pk}_future == 
+        Spec.MLKEM.vector_decode_12 #$K $public_key"#)
 )]
 pub(super) fn deserialize_ring_elements_reduced<const K: usize, Vector: Operations>(
     public_key: &[u8],
@@ -215,20 +215,20 @@ pub(super) fn deserialize_ring_elements_reduced<const K: usize, Vector: Operatio
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("v $OUT_LEN == 320 /\\ coefficients_field_modulus_range $re"))]
+#[hax_lib::requires(fstar!(r#"v $OUT_LEN == 320 /\ coefficients_field_modulus_range $re"#))]
 fn compress_then_serialize_10<const OUT_LEN: usize, Vector: Operations>(
     re: &PolynomialRingElement<Vector>,
 ) -> [u8; OUT_LEN] {
-    hax_lib::fstar!("assert_norm (pow2 10 == 1024)");
+    hax_lib::fstar!(r#"assert_norm (pow2 10 == 1024)"#);
     let mut serialized = [0u8; OUT_LEN];
     for i in 0..VECTORS_IN_RING_ELEMENT {
         hax_lib::loop_invariant!(|i: usize| {
             fstar!(
-                "v $i >= 0 /\\ v $i <= 16 /\\
-            v $i < 16 ==> coefficients_field_modulus_range $re"
+                r#"v $i >= 0 /\ v $i <= 16 /\
+            v $i < 16 ==> coefficients_field_modulus_range $re"#
             )
         });
-        hax_lib::fstar!("assert (20 * v $i + 20 <= 320)");
+        hax_lib::fstar!(r#"assert (20 * v $i + 20 <= 320)"#);
         hax_lib::fstar!(
             "reveal_opaque (`%coefficients_field_modulus_range)
             (coefficients_field_modulus_range #$:Vector)"
@@ -259,11 +259,11 @@ fn compress_then_serialize_11<const OUT_LEN: usize, Vector: Operations>(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("(v $COMPRESSION_FACTOR == 10 \\/ v $COMPRESSION_FACTOR == 11) /\\
-    v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\\ coefficients_field_modulus_range $re"))]
+#[hax_lib::requires(fstar!(r#"(v $COMPRESSION_FACTOR == 10 \\/ v $COMPRESSION_FACTOR == 11) /\
+    v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\ coefficients_field_modulus_range $re"#))]
 #[hax_lib::ensures(|result|
-    fstar!("$result == Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
-        (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)")
+    fstar!(r#"$result == Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
+        (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#)
 )]
 pub(super) fn compress_then_serialize_ring_element_u<
     const COMPRESSION_FACTOR: usize,
@@ -287,27 +287,27 @@ pub(super) fn compress_then_serialize_ring_element_u<
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("Seq.length $serialized == 128 /\\
-    coefficients_field_modulus_range $re"))]
+#[hax_lib::requires(fstar!(r#"Seq.length $serialized == 128 /\
+    coefficients_field_modulus_range $re"#))]
 #[hax_lib::ensures(|_|
-    fstar!("${serialized_future.len()} == ${serialized.len()}")
+    fstar!(r#"${serialized_future.len()} == ${serialized.len()}"#)
 )]
 fn compress_then_serialize_4<Vector: Operations>(
     re: PolynomialRingElement<Vector>,
     serialized: &mut [u8],
 ) {
-    hax_lib::fstar!("assert_norm (pow2 4 == 16)");
+    hax_lib::fstar!(r#"assert_norm (pow2 4 == 16)"#);
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for i in 0..VECTORS_IN_RING_ELEMENT {
         // NOTE: Using `$serialized` in loop_invariant doesn't work here
         hax_lib::loop_invariant!(|i: usize| {
             fstar!(
-                "v $i >= 0 /\\ v $i <= 16 /\\
-            v $i < 16 ==> (Seq.length serialized == 128 /\\ coefficients_field_modulus_range $re)"
+                r#"v $i >= 0 /\ v $i <= 16 /\
+            v $i < 16 ==> (Seq.length serialized == 128 /\ coefficients_field_modulus_range $re)"#
             )
         });
-        hax_lib::fstar!("assert (8 * v $i + 8 <= 128)");
+        hax_lib::fstar!(r#"assert (8 * v $i + 8 <= 128)"#);
         hax_lib::fstar!(
             "reveal_opaque (`%coefficients_field_modulus_range)
             (coefficients_field_modulus_range #$:Vector)"
@@ -326,7 +326,7 @@ fn compress_then_serialize_4<Vector: Operations>(
     serialized.len() == 160
 )]
 #[hax_lib::ensures(|_|
-    fstar!("${serialized_future.len()} == ${serialized.len()}")
+    fstar!(r#"${serialized_future.len()} == ${serialized.len()}"#)
 )]
 fn compress_then_serialize_5<Vector: Operations>(
     re: PolynomialRingElement<Vector>,
@@ -346,14 +346,14 @@ fn compress_then_serialize_5<Vector: Operations>(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank v_K /\\ 
-    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\\
-    Seq.length $out == v $OUT_LEN /\\ v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\\
-    coefficients_field_modulus_range $re"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank v_K /\ 
+    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+    Seq.length $out == v $OUT_LEN /\ v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\
+    coefficients_field_modulus_range $re"#))]
 #[hax_lib::ensures(|_|
-    fstar!("${out_future.len()} == ${out.len()} /\\
+    fstar!(r#"${out_future.len()} == ${out.len()} /\
         ${out}_future == Spec.MLKEM.compress_then_encode_v #v_K
-            (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)")
+            (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#)
 )]
 pub(super) fn compress_then_serialize_ring_element_v<
     const K: usize,
@@ -384,7 +384,7 @@ pub(super) fn compress_then_serialize_ring_element_v<
 fn deserialize_then_decompress_10<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)");
+    hax_lib::fstar!(r#"assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     let _coefficients_length = re.coefficients.len();
@@ -405,7 +405,7 @@ fn deserialize_then_decompress_10<Vector: Operations>(
 fn deserialize_then_decompress_11<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)");
+    hax_lib::fstar!(r#"assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -425,8 +425,8 @@ fn deserialize_then_decompress_11<Vector: Operations>(
     serialized.len() == 32 * COMPRESSION_FACTOR
 )]
 #[hax_lib::ensures(|result|
-    fstar!("Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
-        Spec.MLKEM.byte_decode_then_decompress (v $COMPRESSION_FACTOR) $serialized")
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
+        Spec.MLKEM.byte_decode_then_decompress (v $COMPRESSION_FACTOR) $serialized"#)
 )]
 pub(super) fn deserialize_then_decompress_ring_element_u<
     const COMPRESSION_FACTOR: usize,
@@ -453,7 +453,7 @@ pub(super) fn deserialize_then_decompress_ring_element_u<
 fn deserialize_then_decompress_4<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)");
+    hax_lib::fstar!(r#"assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -473,7 +473,7 @@ fn deserialize_then_decompress_4<Vector: Operations>(
 fn deserialize_then_decompress_5<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)");
+    hax_lib::fstar!(r#"assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -487,13 +487,13 @@ fn deserialize_then_decompress_5<Vector: Operations>(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ 
-    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\
-    Seq.length $serialized == 32 * v $COMPRESSION_FACTOR")
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ 
+    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+    Seq.length $serialized == 32 * v $COMPRESSION_FACTOR"#)
 )]
 #[hax_lib::ensures(|result|
-    fstar!("Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
-        Spec.MLKEM.decode_then_decompress_v #${K} $serialized")
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
+        Spec.MLKEM.decode_then_decompress_v #${K} $serialized"#)
 )]
 pub(super) fn deserialize_then_decompress_ring_element_v<
     const K: usize,
diff --git a/libcrux-ml-kem/src/types.rs b/libcrux-ml-kem/src/types.rs
index f1a11eb52..851700cfb 100644
--- a/libcrux-ml-kem/src/types.rs
+++ b/libcrux-ml-kem/src/types.rs
@@ -13,7 +13,7 @@ macro_rules! impl_generic_struct {
 
         #[hax_lib::attributes]
         impl<const SIZE: usize> AsRef<[u8]> for $name<SIZE> {
-            #[ensures(|result| fstar!("$result = self___.f_value"))]
+            #[ensures(|result| fstar!(r#"$result = self___.f_value"#))]
             fn as_ref(&self) -> &[u8] {
                 &self.value
             }
@@ -21,7 +21,7 @@ macro_rules! impl_generic_struct {
 
         #[hax_lib::attributes]
         impl<const SIZE: usize> From<[u8; SIZE]> for $name<SIZE> {
-            #[ensures(|result| fstar!("${result}.f_value = $value"))]
+            #[ensures(|result| fstar!(r#"${result}.f_value = $value"#))]
             fn from(value: [u8; SIZE]) -> Self {
                 Self { value }
             }
@@ -55,7 +55,7 @@ macro_rules! impl_generic_struct {
         #[hax_lib::attributes]
         impl<const SIZE: usize> $name<SIZE> {
             /// A reference to the raw byte slice.
-            #[ensures(|result| fstar!("$result == self.f_value"))]
+            #[ensures(|result| fstar!(r#"$result == self.f_value"#))]
             pub fn as_slice(&self) -> &[u8; SIZE] {
                 &self.value
             }
@@ -165,7 +165,7 @@ impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
     }
 
     /// Create a new [`MlKemKeyPair`] from the secret and public key.
-    #[ensures(|result| fstar!("${result}.f_sk == $sk /\\ ${result}.f_pk == $pk"))]
+    #[ensures(|result| fstar!(r#"${result}.f_sk == $sk /\\ ${result}.f_pk == $pk"#))]
     pub fn from(
         sk: MlKemPrivateKey<PRIVATE_KEY_SIZE>,
         pk: MlKemPublicKey<PUBLIC_KEY_SIZE>,
@@ -207,10 +207,10 @@ impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
 /// Unpack an incoming private key into it's different parts.
 ///
 /// We have this here in types to extract into a common core for C.
-#[hax_lib::requires(fstar!("Seq.length private_key >= 
+#[hax_lib::requires(fstar!(r#"Seq.length private_key >= 
                             v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE + 
-                            v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE"))]
-#[hax_lib::ensures(|result| fstar!("
+                            v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE"#))]
+#[hax_lib::ensures(|result| fstar!(r#"
            let (ind_cpa_secret_key_s,rest) = split $private_key $CPA_SECRET_KEY_SIZE in
            let (ind_cpa_public_key_s,rest) = split rest $PUBLIC_KEY_SIZE in
            let (ind_cpa_public_key_hash_s,implicit_rejection_value_s) = split rest Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE in
@@ -226,7 +226,7 @@ impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
            Seq.length implicit_rejection_value == 
            Seq.length private_key - 
              (v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE + v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)
-           "))]
+           "#))]
 pub(crate) fn unpack_private_key<const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>(
     private_key: &[u8], // len: SECRET_KEY_SIZE
 ) -> (&[u8], &[u8], &[u8], &[u8]) {
diff --git a/libcrux-ml-kem/src/utils.rs b/libcrux-ml-kem/src/utils.rs
index ec055f816..f38e3c088 100644
--- a/libcrux-ml-kem/src/utils.rs
+++ b/libcrux-ml-kem/src/utils.rs
@@ -9,16 +9,20 @@
     slice.len() <= LEN
 ))]
 #[cfg_attr(hax, hax_lib::ensures(|result|
-    fstar!("$result == Seq.append $slice (Seq.create (v $LEN - v (${slice.len()})) 0uy)")))]
+    fstar!(r#"$result == Seq.append $slice (Seq.create (v $LEN - v (${slice.len()})) 0uy)"#)))]
 pub(crate) fn into_padded_array<const LEN: usize>(slice: &[u8]) -> [u8; LEN] {
     let mut out = [0u8; LEN];
     out[0..slice.len()].copy_from_slice(slice);
-    hax_lib::fstar!("assert (Seq.slice out 0 (Seq.length slice) == slice)");
-    hax_lib::fstar!("assert (Seq.slice out (Seq.length slice) (v v_LEN) == Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))");
+    hax_lib::fstar!(r#"assert (Seq.slice out 0 (Seq.length slice) == slice)"#);
+    hax_lib::fstar!(
+        r#"assert (Seq.slice out (Seq.length slice) (v v_LEN) == Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))"#
+    );
     hax_lib::fstar!(
         "assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i)"
     );
-    hax_lib::fstar!("assert (forall i. (i >= Seq.length slice && i < v v_LEN) ==> Seq.index out i == Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))");
+    hax_lib::fstar!(
+        r#"assert (forall i. (i >= Seq.length slice && i < v v_LEN) ==> Seq.index out i == Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))"#
+    );
     hax_lib::fstar!(
         "Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy))"
     );
@@ -27,12 +31,12 @@ pub(crate) fn into_padded_array<const LEN: usize>(slice: &[u8]) -> [u8; LEN] {
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 200")]
-#[hax_lib::requires(fstar!("range (v $domain_separator + v $K) u8_inttype"))]
+#[hax_lib::requires(fstar!(r#"range (v $domain_separator + v $K) u8_inttype"#))]
 #[hax_lib::ensures(|ds|
-    fstar!("v $ds == v $domain_separator + v $K /\\
+    fstar!(r#"v $ds == v $domain_separator + v $K /\\
             (forall (i:nat). i < v $K ==>
                 v (Seq.index (Seq.index ${prf_inputs}_future i) 32) == v $domain_separator + i /\\
-                Seq.slice (Seq.index ${prf_inputs}_future i) 0 32 == Seq.slice (Seq.index $prf_inputs i) 0 32)")
+                Seq.slice (Seq.index ${prf_inputs}_future i) 0 32 == Seq.slice (Seq.index $prf_inputs i) 0 32)"#)
 )]
 pub(crate) fn prf_input_inc<const K: usize>(
     prf_inputs: &mut [[u8; 33]; K],
@@ -42,11 +46,13 @@ pub(crate) fn prf_input_inc<const K: usize>(
     let _prf_inputs_init = prf_inputs.clone();
     for i in 0..K {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("v $domain_separator == v $_domain_separator_init + v $i /\\
+            fstar!(
+                r#"v $domain_separator == v $_domain_separator_init + v $i /\\
           (v $i < v $K ==> (forall (j:nat). (j >= v $i /\\ j < v $K) ==>
             prf_inputs.[ sz j ] == ${_prf_inputs_init}.[ sz j ])) /\\
           (forall (j:nat). j < v $i ==> v (Seq.index (Seq.index prf_inputs j) 32) == v $_domain_separator_init + j /\\
-            Seq.slice (Seq.index prf_inputs j) 0 32 == Seq.slice (Seq.index $_prf_inputs_init j) 0 32)")
+            Seq.slice (Seq.index prf_inputs j) 0 32 == Seq.slice (Seq.index $_prf_inputs_init j) 0 32)"#
+            )
         });
         prf_inputs[i][32] = domain_separator;
         domain_separator += 1;
diff --git a/libcrux-ml-kem/src/variant.rs b/libcrux-ml-kem/src/variant.rs
index 0cdfa024b..fade344e8 100644
--- a/libcrux-ml-kem/src/variant.rs
+++ b/libcrux-ml-kem/src/variant.rs
@@ -12,17 +12,17 @@ use crate::{constants::CPA_PKE_KEY_GENERATION_SEED_SIZE, hash_functions::Hash, M
 #[hax_lib::attributes]
 pub(crate) trait Variant {
     #[requires(shared_secret.len() == 32)]
-    #[ensures(|res| fstar!("$res == $shared_secret"))] // We only have post-conditions for ML-KEM, not Kyber
+    #[ensures(|res| fstar!(r#"$res == $shared_secret"#))] // We only have post-conditions for ML-KEM, not Kyber
     fn kdf<const K: usize, const CIPHERTEXT_SIZE: usize, Hasher: Hash<K>>(
         shared_secret: &[u8],
         ciphertext: &MlKemCiphertext<CIPHERTEXT_SIZE>,
     ) -> [u8; 32];
     #[requires(randomness.len() == 32)]
-    #[ensures(|res| fstar!("$res == $randomness"))] // We only have post-conditions for ML-KEM, not Kyber
+    #[ensures(|res| fstar!(r#"$res == $randomness"#))] // We only have post-conditions for ML-KEM, not Kyber
     fn entropy_preprocess<const K: usize, Hasher: Hash<K>>(randomness: &[u8]) -> [u8; 32];
     #[requires(seed.len() == 32)]
-    #[ensures(|res| fstar!("Seq.length $seed == 32 ==> $res == Spec.Utils.v_G
-        (Seq.append $seed (Seq.create 1 (cast $K <: u8)))")
+    #[ensures(|res| fstar!(r#"Seq.length $seed == 32 ==> $res == Spec.Utils.v_G
+        (Seq.append $seed (Seq.create 1 (cast $K <: u8)))"#)
     )]
     fn cpa_keygen_seed<const K: usize, Hasher: Hash<K>>(seed: &[u8]) -> [u8; 64];
 }
@@ -73,7 +73,7 @@ pub(crate) struct MlKem {}
 impl Variant for MlKem {
     #[inline(always)]
     #[requires(shared_secret.len() == 32)]
-    #[ensures(|res| fstar!("$res == $shared_secret"))]
+    #[ensures(|res| fstar!(r#"$res == $shared_secret"#))]
     fn kdf<const K: usize, const CIPHERTEXT_SIZE: usize, Hasher: Hash<K>>(
         shared_secret: &[u8],
         _: &MlKemCiphertext<CIPHERTEXT_SIZE>,
@@ -85,7 +85,7 @@ impl Variant for MlKem {
 
     #[inline(always)]
     #[requires(randomness.len() == 32)]
-    #[ensures(|res| fstar!("$res == $randomness"))]
+    #[ensures(|res| fstar!(r#"$res == $randomness"#))]
     fn entropy_preprocess<const K: usize, Hasher: Hash<K>>(randomness: &[u8]) -> [u8; 32] {
         let mut out = [0u8; 32];
         out.copy_from_slice(randomness);
@@ -94,8 +94,8 @@ impl Variant for MlKem {
 
     #[inline(always)]
     #[requires(key_generation_seed.len() == 32)]
-    #[ensures(|res| fstar!("Seq.length $key_generation_seed == 32 ==> $res == Spec.Utils.v_G
-        (Seq.append $key_generation_seed (Seq.create 1 (cast $K <: u8)))")
+    #[ensures(|res| fstar!(r#"Seq.length $key_generation_seed == 32 ==> $res == Spec.Utils.v_G
+        (Seq.append $key_generation_seed (Seq.create 1 (cast $K <: u8)))"#)
     )]
     fn cpa_keygen_seed<const K: usize, Hasher: Hash<K>>(key_generation_seed: &[u8]) -> [u8; 64] {
         let mut seed = [0u8; CPA_PKE_KEY_GENERATION_SEED_SIZE + 1];
diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs
index 31ff6debe..80373cd1a 100644
--- a/libcrux-ml-kem/src/vector/avx2.rs
+++ b/libcrux-ml-kem/src/vector/avx2.rs
@@ -16,7 +16,7 @@ pub struct SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::ensures(|result| fstar!("repr ${result} == Seq.create 16 0s"))]
+#[hax_lib::ensures(|result| fstar!(r#"repr ${result} == Seq.create 16 0s"#))]
 fn vec_zero() -> SIMD256Vector {
     SIMD256Vector {
         elements: mm256_setzero_si256(),
@@ -25,7 +25,7 @@ fn vec_zero() -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))]
+#[hax_lib::ensures(|result| fstar!(r#"${result} == repr ${v}"#))]
 fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] {
     let mut output = [0i16; 16];
     mm256_storeu_si256_i16(&mut output, v.elements);
@@ -35,7 +35,7 @@ fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::ensures(|result| fstar!("repr ${result} == ${array}"))]
+#[hax_lib::ensures(|result| fstar!(r#"repr ${result} == ${array}"#))]
 fn vec_from_i16_array(array: &[i16]) -> SIMD256Vector {
     SIMD256Vector {
         elements: mm256_loadu_si256_i16(array),
@@ -44,8 +44,8 @@ fn vec_from_i16_array(array: &[i16]) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (repr $vector)"))]
-#[hax_lib::ensures(|out| fstar!("repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr $vector)"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr $vector)"#))]
 fn cond_subtract_3329(vector: SIMD256Vector) -> SIMD256Vector {
     SIMD256Vector {
         elements: arithmetic::cond_subtract_3329(vector.elements),
@@ -54,9 +54,9 @@ fn cond_subtract_3329(vector: SIMD256Vector) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\\
-    v (Seq.index (repr $vector) i) < 3329"))]
-#[hax_lib::ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) 1"))]
+#[hax_lib::requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\\
+    v (Seq.index (repr $vector) i) < 3329"#))]
+#[hax_lib::ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) 1"#))]
 fn compress_1(vector: SIMD256Vector) -> SIMD256Vector {
     SIMD256Vector {
         elements: compress::compress_message_coefficient(vector.elements),
@@ -65,17 +65,17 @@ fn compress_1(vector: SIMD256Vector) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+#[hax_lib::requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
     v $COEFFICIENT_BITS == 5 \\/
     v $COEFFICIENT_BITS == 10 \\/
     v $COEFFICIENT_BITS == 11) /\\
     (forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\\
-    v (Seq.index (repr $vector) i) < 3329)"))]
-#[hax_lib::ensures(|out| fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    v (Seq.index (repr $vector) i) < 3329)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
     v $COEFFICIENT_BITS == 5 \\/
     v $COEFFICIENT_BITS == 10 \\/
     v $COEFFICIENT_BITS == 11) ==>
-        (forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) (v $COEFFICIENT_BITS))"))]
+        (forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) (v $COEFFICIENT_BITS))"#))]
 fn compress<const COEFFICIENT_BITS: i32>(vector: SIMD256Vector) -> SIMD256Vector {
     SIMD256Vector {
         elements: compress::compress_ciphertext_coefficient::<COEFFICIENT_BITS>(vector.elements),
@@ -84,10 +84,10 @@ fn compress<const COEFFICIENT_BITS: i32>(vector: SIMD256Vector) -> SIMD256Vector
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
                     Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                    Spec.Utils.is_i16b_array (11207+5*3328) (repr ${vector})"))]
-#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (repr $out)"))]
+                    Spec.Utils.is_i16b_array (11207+5*3328) (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (repr $out)"#))]
 fn ntt_layer_1_step(
     vector: SIMD256Vector,
     zeta0: i16,
@@ -102,9 +102,9 @@ fn ntt_layer_1_step(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                    Spec.Utils.is_i16b_array (11207+4*3328) (repr ${vector})"))]
-#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (repr $out)"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                    Spec.Utils.is_i16b_array (11207+4*3328) (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (repr $out)"#))]
 fn ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector {
     SIMD256Vector {
         elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1),
@@ -113,9 +113,9 @@ fn ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vec
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                    Spec.Utils.is_i16b_array (11207+3*3328) (repr ${vector})"))]
-#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (repr $out)"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+                    Spec.Utils.is_i16b_array (11207+3*3328) (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (repr $out)"#))]
 fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
     SIMD256Vector {
         elements: ntt::ntt_layer_3_step(vector.elements, zeta),
@@ -124,10 +124,10 @@ fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
                     Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3  /\\
-                    Spec.Utils.is_i16b_array (4*3328) (repr ${vector})"))]
-#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
+                    Spec.Utils.is_i16b_array (4*3328) (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
 fn inv_ntt_layer_1_step(
     vector: SIMD256Vector,
     zeta0: i16,
@@ -142,9 +142,9 @@ fn inv_ntt_layer_1_step(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                    Spec.Utils.is_i16b_array 3328 (repr ${vector})"))]
-#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                    Spec.Utils.is_i16b_array 3328 (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
 fn inv_ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector {
     SIMD256Vector {
         elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1),
@@ -153,9 +153,9 @@ fn inv_ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD25
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                    Spec.Utils.is_i16b_array 3328 (repr ${vector})"))]
-#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+                    Spec.Utils.is_i16b_array 3328 (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
 fn inv_ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
     SIMD256Vector {
         elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta),
@@ -164,11 +164,11 @@ fn inv_ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
                     Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
                     Spec.Utils.is_i16b_array 3328 (repr ${lhs}) /\\
-                    Spec.Utils.is_i16b_array 3328 (repr ${rhs})"))]
-#[hax_lib::ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (repr $out)"))]
+                    Spec.Utils.is_i16b_array 3328 (repr ${rhs})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
 fn ntt_multiply(
     lhs: &SIMD256Vector,
     rhs: &SIMD256Vector,
@@ -184,8 +184,8 @@ fn ntt_multiply(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 1 (repr $vector)"))]
-#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (repr $vector) ==> Spec.MLKEM.serialize_post 1 (repr $vector) $out"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (repr $vector) ==> Spec.MLKEM.serialize_post 1 (repr $vector) $out"#))]
 fn serialize_1(vector: SIMD256Vector) -> [u8; 2] {
     serialize::serialize_1(vector.elements)
 }
@@ -193,7 +193,7 @@ fn serialize_1(vector: SIMD256Vector) -> [u8; 2] {
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
 #[hax_lib::requires(bytes.len() == 2)]
-#[hax_lib::ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (repr $out)"))]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (repr $out)"#))]
 fn deserialize_1(bytes: &[u8]) -> SIMD256Vector {
     SIMD256Vector {
         elements: serialize::deserialize_1(bytes),
@@ -202,8 +202,8 @@ fn deserialize_1(bytes: &[u8]) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 4 (repr $vector)"))]
-#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (repr $vector) ==> Spec.MLKEM.serialize_post 4 (repr $vector) $out"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (repr $vector) ==> Spec.MLKEM.serialize_post 4 (repr $vector) $out"#))]
 fn serialize_4(vector: SIMD256Vector) -> [u8; 8] {
     serialize::serialize_4(vector.elements)
 }
@@ -211,7 +211,7 @@ fn serialize_4(vector: SIMD256Vector) -> [u8; 8] {
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
 #[hax_lib::requires(bytes.len() == 8)]
-#[hax_lib::ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (repr $out)"))]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (repr $out)"#))]
 fn deserialize_4(bytes: &[u8]) -> SIMD256Vector {
     SIMD256Vector {
         elements: serialize::deserialize_4(bytes),
@@ -220,8 +220,8 @@ fn deserialize_4(bytes: &[u8]) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 10 (repr $vector)"))]
-#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (repr $vector) ==> Spec.MLKEM.serialize_post 10 (repr $vector) $out"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (repr $vector) ==> Spec.MLKEM.serialize_post 10 (repr $vector) $out"#))]
 fn serialize_10(vector: SIMD256Vector) -> [u8; 20] {
     serialize::serialize_10(vector.elements)
 }
@@ -229,7 +229,7 @@ fn serialize_10(vector: SIMD256Vector) -> [u8; 20] {
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
 #[hax_lib::requires(bytes.len() == 20)]
-#[hax_lib::ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (repr $out)"))]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (repr $out)"#))]
 fn deserialize_10(bytes: &[u8]) -> SIMD256Vector {
     SIMD256Vector {
         elements: serialize::deserialize_10(bytes),
@@ -238,8 +238,8 @@ fn deserialize_10(bytes: &[u8]) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 12 (repr $vector)"))]
-#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (repr $vector) ==> Spec.MLKEM.serialize_post 12 (repr $vector) $out"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (repr $vector) ==> Spec.MLKEM.serialize_post 12 (repr $vector) $out"#))]
 fn serialize_12(vector: SIMD256Vector) -> [u8; 24] {
     serialize::serialize_12(vector.elements)
 }
@@ -247,7 +247,7 @@ fn serialize_12(vector: SIMD256Vector) -> [u8; 24] {
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
 #[hax_lib::requires(bytes.len() == 24)]
-#[hax_lib::ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (repr $out)"))]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (repr $out)"#))]
 fn deserialize_12(bytes: &[u8]) -> SIMD256Vector {
     SIMD256Vector {
         elements: serialize::deserialize_12(bytes),
@@ -264,29 +264,29 @@ impl crate::vector::traits::Repr for SIMD256Vector {
 #[hax_lib::attributes]
 impl Operations for SIMD256Vector {
     #[inline(always)]
-    #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Seq.create 16 0s"#))]
     fn ZERO() -> Self {
         vec_zero()
     }
 
     #[requires(array.len() == 16)]
-    #[ensures(|out| fstar!("impl.f_repr out == $array"))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))]
     #[inline(always)]
     fn from_i16_array(array: &[i16]) -> Self {
         vec_from_i16_array(array)
     }
 
-    #[ensures(|out| fstar!("out == impl.f_repr $x"))]
+    #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))]
     #[inline(always)]
     fn to_i16_array(x: Self) -> [i16; 16] {
         vec_to_i16_array(x)
     }
 
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index (impl.f_repr ${result}) i) == 
-         v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"))]
+         v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"#))]
     #[inline(always)]
     fn add(lhs: Self, rhs: &Self) -> Self {
         Self {
@@ -294,11 +294,11 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index (impl.f_repr ${result}) i) == 
-         v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"))]
+         v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"#))]
     #[inline(always)]
     fn sub(lhs: Self, rhs: &Self) -> Self {
         Self {
@@ -306,11 +306,11 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${vec}) i) * v c)"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${vec}) i) * v c)"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index (impl.f_repr ${result}) i) == 
-         v (Seq.index (impl.f_repr ${vec}) i) * v c)"))]
+         v (Seq.index (impl.f_repr ${vec}) i) * v c)"#))]
     #[inline(always)]
     fn multiply_by_constant(vec: Self, c: i16) -> Self {
         Self {
@@ -318,7 +318,7 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> x &. $constant) (impl.f_repr $vector)"))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> x &. $constant) (impl.f_repr $vector)"#))]
     #[inline(always)]
     fn bitwise_and_with_constant(vector: Self, constant: i16) -> Self {
         Self {
@@ -327,7 +327,7 @@ impl Operations for SIMD256Vector {
     }
 
     #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
-    #[ensures(|out| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $vector)"))]
+    #[ensures(|out| fstar!(r#"(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $vector)"#))]
     #[inline(always)]
     fn shift_right<const SHIFT_BY: i32>(vector: Self) -> Self {
         Self {
@@ -335,14 +335,14 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $vector)"))]
-    #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $vector)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $vector)"#))]
     #[inline(always)]
     fn cond_subtract_3329(vector: Self) -> Self {
         cond_subtract_3329(vector)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (impl.f_repr ${vector})"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (impl.f_repr ${vector})"#))]
     #[inline(always)]
     fn barrett_reduce(vector: Self) -> Self {
         Self {
@@ -350,7 +350,7 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 $constant"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 $constant"#))]
     #[inline(always)]
     fn montgomery_multiply_by_constant(vector: Self, constant: i16) -> Self {
         Self {
@@ -358,36 +358,36 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\
-        v (Seq.index (impl.f_repr $vector) i) < 3329"))]
-    #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))]
+    #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\
+        v (Seq.index (impl.f_repr $vector) i) < 3329"#))]
+    #[ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"#))]
     #[inline(always)]
     fn compress_1(vector: Self) -> Self {
         compress_1(vector)
     }
 
-    #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
             v $COEFFICIENT_BITS == 5 \\/
             v $COEFFICIENT_BITS == 10 \\/
             v $COEFFICIENT_BITS == 11) /\\
         (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\
-            v (Seq.index (impl.f_repr $vector) i) < 3329)"))]
-    #[ensures(|out| fstar!("(v $COEFFICIENT_BITS == 4 \\/
+            v (Seq.index (impl.f_repr $vector) i) < 3329)"#))]
+    #[ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
             v $COEFFICIENT_BITS == 5 \\/
             v $COEFFICIENT_BITS == 10 \\/
             v $COEFFICIENT_BITS == 11) ==>
-                (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))]
+                (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"#))]
     #[inline(always)]
     fn compress<const COEFFICIENT_BITS: i32>(vector: Self) -> Self {
         compress::<COEFFICIENT_BITS>(vector)
     }
 
-    #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
         v $COEFFICIENT_BITS == 5 \\/
         v $COEFFICIENT_BITS == 10 \\/
         v $COEFFICIENT_BITS == 11) /\\
     (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\
-        v (Seq.index (impl.f_repr $vector) i) < pow2 (v $COEFFICIENT_BITS))"))]
+        v (Seq.index (impl.f_repr $vector) i) < pow2 (v $COEFFICIENT_BITS))"#))]
     #[inline(always)]
     fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(vector: Self) -> Self {
         Self {
@@ -397,61 +397,61 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                       Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${vector})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))]
+                       Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
     fn ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
         ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                       Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${vector})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                       Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
     fn ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self {
         ntt_layer_2_step(vector, zeta0, zeta1)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                       Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${vector})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+                       Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
     fn ntt_layer_3_step(vector: Self, zeta: i16) -> Self {
         ntt_layer_3_step(vector, zeta)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3  /\\
-                       Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${vector})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
+                       Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
     fn inv_ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
         inv_ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
     fn inv_ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self {
         inv_ntt_layer_2_step(vector, zeta0, zeta1)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
     fn inv_ntt_layer_3_step(vector: Self, zeta: i16) -> Self {
         inv_ntt_layer_3_step(vector, zeta)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
                        Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\\
-                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
     fn ntt_multiply(
         lhs: &Self,
@@ -464,29 +464,29 @@ impl Operations for SIMD256Vector {
         ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3)
     }
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector)"))]
-    #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $vector) $out"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $vector) $out"#))]
     #[inline(always)]
     fn serialize_1(vector: Self) -> [u8; 2] {
         serialize_1(vector)
     }
 
     #[requires(bytes.len() == 2)]
-    #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (impl.f_repr $out)"))]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (impl.f_repr $out)"#))]
     #[inline(always)]
     fn deserialize_1(bytes: &[u8]) -> Self {
         deserialize_1(bytes)
     }
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector)"))]
-    #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $vector) $out"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $vector) $out"#))]
     #[inline(always)]
     fn serialize_4(vector: Self) -> [u8; 8] {
         serialize_4(vector)
     }
 
     #[requires(bytes.len() == 8)]
-    #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (impl.f_repr $out)"))]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (impl.f_repr $out)"#))]
     #[inline(always)]
     fn deserialize_4(bytes: &[u8]) -> Self {
         deserialize_4(bytes)
@@ -500,21 +500,21 @@ impl Operations for SIMD256Vector {
     #[requires(bytes.len() == 10)]
     #[inline(always)]
     fn deserialize_5(bytes: &[u8]) -> Self {
-        hax_lib::fstar!("assert (v (Core.Slice.impl__len $bytes) == Seq.length $bytes)");
+        hax_lib::fstar!(r#"assert (v (Core.Slice.impl__len $bytes) == Seq.length $bytes)"#);
         Self {
             elements: serialize::deserialize_5(bytes),
         }
     }
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector)"))]
-    #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $vector) $out"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $vector) $out"#))]
     #[inline(always)]
     fn serialize_10(vector: Self) -> [u8; 20] {
         serialize_10(vector)
     }
 
     #[requires(bytes.len() == 20)]
-    #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (impl.f_repr $out)"))]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (impl.f_repr $out)"#))]
     #[inline(always)]
     fn deserialize_10(bytes: &[u8]) -> Self {
         deserialize_10(bytes)
@@ -533,15 +533,15 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector)"))]
-    #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $vector) $out"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $vector) $out"#))]
     #[inline(always)]
     fn serialize_12(vector: Self) -> [u8; 24] {
         serialize_12(vector)
     }
 
     #[requires(bytes.len() == 24)]
-    #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (impl.f_repr $out)"))]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (impl.f_repr $out)"#))]
     #[inline(always)]
     fn deserialize_12(bytes: &[u8]) -> Self {
         deserialize_12(bytes)
@@ -549,7 +549,7 @@ impl Operations for SIMD256Vector {
 
     #[requires(input.len() == 24 && output.len() == 16)]
     #[ensures(|result|
-        fstar!("Seq.length $output_future == Seq.length $output /\\ v $result <= 16")
+        fstar!(r#"Seq.length $output_future == Seq.length $output /\\ v $result <= 16"#)
     )]
     #[inline(always)]
     fn rej_sample(input: &[u8], output: &mut [i16]) -> usize {
diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
index 38cc0f4cd..1a46a54b6 100644
--- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
+++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
@@ -5,85 +5,95 @@ use super::*;
 #[inline(always)]
 #[hax_lib::fstar::before(interface, "open Libcrux_intrinsics.Avx2_extract")]
 #[hax_lib::fstar::before(
-    "
+    r#"
 let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma 
-  (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i))))
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i))))
   (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) ==
             (v (get_lane lhs i) + v (get_lane rhs i))))
-  [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()"
+  [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()"#
 )]
-#[hax_lib::requires(fstar!("forall i. i < 16 ==> 
-    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) + v (get_lane $rhs i))"))]
-#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> 
-    v (get_lane $result i) == (v (get_lane $lhs i) + v (get_lane $rhs i))"))]
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) + v (get_lane $rhs i))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    v (get_lane $result i) == (v (get_lane $lhs i) + v (get_lane $rhs i))"#))]
 pub(crate) fn add(lhs: Vec256, rhs: Vec256) -> Vec256 {
     let result = mm256_add_epi16(lhs, rhs);
-    hax_lib::fstar!("assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i);
-                     assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i))");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i);
+                     assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i))"#
+    );
     result
 }
 
 #[inline(always)]
 #[hax_lib::fstar::before(
-    "
+    r#"
 let lemma_sub_i (lhs rhs: t_Vec256) (i:nat):  Lemma 
-  (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))))
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))))
   (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) ==
             (v (get_lane lhs i) - v (get_lane rhs i))))
-  [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()"
+  [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()"#
 )]
-#[hax_lib::requires(fstar!("forall i. i < 16 ==> 
-    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) - v (get_lane $rhs i))"))]
-#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> 
-    v (get_lane $result i) == (v (get_lane $lhs i) - v (get_lane $rhs i))"))]
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) - v (get_lane $rhs i))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    v (get_lane $result i) == (v (get_lane $lhs i) - v (get_lane $rhs i))"#))]
 pub(crate) fn sub(lhs: Vec256, rhs: Vec256) -> Vec256 {
     let result = mm256_sub_epi16(lhs, rhs);
-    hax_lib::fstar!("assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i);
-                     assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i);
+                     assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))"#
+    );
     result
 }
 
 #[inline(always)]
 #[hax_lib::fstar::before(
-    "
+    r#"
 let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16):  Lemma 
-  (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c)))
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c)))
   (ensures (v (mul_mod (get_lane lhs i) c) ==
             (v (get_lane lhs i) * v c)))
-  [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()"
+  [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()"#
 )]
-#[hax_lib::requires(fstar!("forall i. i < 16 ==> 
-    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vector i) * v constant)"))]
-#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> 
-    v (get_lane $result i) == (v (get_lane $vector i) * v constant)"))]
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vector i) * v constant)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    v (get_lane $result i) == (v (get_lane $vector i) * v constant)"#))]
 pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 {
     let cv = mm256_set1_epi16(constant);
     let result = mm256_mullo_epi16(vector, cv);
-    hax_lib::fstar!("Seq.lemma_eq_intro (vec256_as_i16x16 ${result})
-                        (Spec.Utils.map_array (fun x -> x *. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))");
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro (vec256_as_i16x16 ${result})
+                        (Spec.Utils.map_array (fun x -> x *. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"#
+    );
 
-    hax_lib::fstar!("assert (forall i. get_lane result i == get_lane vector i *. constant);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane result i == get_lane vector i *. constant);
                      assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant);
-                     assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)");
+                     assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)"#
+    );
     result
 }
 
 #[inline(always)]
-#[hax_lib::ensures(|result| fstar!("Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == 
-                           Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))]
+#[hax_lib::ensures(|result| fstar!(r#"Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == 
+                           Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))]
 pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 {
     let cv = mm256_set1_epi16(constant);
     let result = mm256_and_si256(vector, cv);
-    hax_lib::fstar!("Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result})
-                        (Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))");
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result})
+                        (Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"#
+    );
     result
 }
 
 #[inline(always)]
 #[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
-#[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> 
+#[hax_lib::ensures(|result| fstar!(r#"(v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> 
                             Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == 
-                            Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))]
+                            Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))]
 pub(crate) fn shift_right<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
     let result = mm256_srai_epi16::<{ SHIFT_BY }>(vector);
     hax_lib::fstar!(
@@ -95,14 +105,14 @@ pub(crate) fn shift_right<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
 }
 
 #[inline(always)]
-#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))]
-#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> 
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"#))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
                 get_lane $result i == 
-                (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i)"))]
+                (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i)"#))]
 pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 {
     let field_modulus = mm256_set1_epi16(FIELD_MODULUS);
-    hax_lib::fstar!("assert (forall i. get_lane $field_modulus i == 3329s)");
+    hax_lib::fstar!(r#"assert (forall i. get_lane $field_modulus i == 3329s)"#);
     // Compute v_i - Q and crate a mask from the sign bit of each of these
     // quantities.
     let v_minus_field_modulus = mm256_sub_epi16(vector, field_modulus);
@@ -117,12 +127,16 @@ pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 {
 
     // If v_i - Q < 0 then add back Q to (v_i - Q).
     let conditional_add_field_modulus = mm256_and_si256(sign_mask, field_modulus);
-    hax_lib::fstar!("assert (forall i. get_lane $conditional_add_field_modulus i == (get_lane $sign_mask i &. 3329s))");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $conditional_add_field_modulus i == (get_lane $sign_mask i &. 3329s))"#
+    );
 
     let result = mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus);
-    hax_lib::fstar!("assert (forall i. get_lane $result i == (get_lane $v_minus_field_modulus i +. get_lane $conditional_add_field_modulus i));
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $result i == (get_lane $v_minus_field_modulus i +. get_lane $conditional_add_field_modulus i));
                      assert (forall i. get_lane $result i == Spec.Utils.cond_sub (get_lane $vector i));
-                     assert (forall i. get_lane $result i == (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i))");
+                     assert (forall i. get_lane $result i == (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i))"#
+    );
 
     result
 }
@@ -132,18 +146,20 @@ const BARRETT_MULTIPLIER: i16 = 20159;
 /// See Section 3.2 of the implementation notes document for an explanation
 /// of this code.
 #[inline(always)]
-#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector})")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"#))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector})"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\
                 (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 
-                                      (v (get_lane $vector i) % 3329))")))]
+                                      (v (get_lane $vector i) % 3329))"#)))]
 pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 {
     let t0 = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER));
-    hax_lib::fstar!("assert (forall i. get_lane $t0 i == (cast (((cast (get_lane $vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) <: i16))");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $t0 i == (cast (((cast (get_lane $vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) <: i16))"#
+    );
     let t512 = mm256_set1_epi16(512);
-    hax_lib::fstar!("assert (forall i. get_lane $t512 i == 512s)");
+    hax_lib::fstar!(r#"assert (forall i. get_lane $t512 i == 512s)"#);
     let t1 = mm256_add_epi16(t0, t512);
-    hax_lib::fstar!("assert (forall i. get_lane $t1 i == get_lane $t0 i +. 512s)");
+    hax_lib::fstar!(r#"assert (forall i. get_lane $t1 i == get_lane $t0 i +. 512s)"#);
     let quotient = mm256_srai_epi16::<10>(t1);
     hax_lib::fstar!(
         "assert (forall i. get_lane $quotient i == (((get_lane $t1 i) <: i16) >>! (10l <: i32)))"
@@ -154,48 +170,57 @@ pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 {
                      get_lane $quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)"
     );
     let result = mm256_sub_epi16(vector, quotient_times_field_modulus);
-    hax_lib::fstar!("assert (forall i. get_lane $result i ==
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $result i ==
                                        get_lane $vector i -.  get_lane $quotient_times_field_modulus i);
                     assert (forall i. get_lane $result i == Spec.Utils.barrett_red (get_lane $vector i));
                     assert (forall i. v (get_lane $result i) % 3329 == v (get_lane $vector i) % 3329);
                     assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i));
                     assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i));
-                    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result))");
+                    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result))"#
+    );
     result
 }
 
 #[inline(always)]
 #[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100 --ext context_pruning"))]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 constant")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 constant"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\
                 (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 
-                                      ((v (get_lane $vector i) * v constant * 169) % 3329))")))]
+                                      ((v (get_lane $vector i) * v constant * 169) % 3329))"#)))]
 pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 {
     let vec_constant = mm256_set1_epi16(constant);
-    hax_lib::fstar!("assert (forall i. get_lane $vec_constant i == $constant)");
+    hax_lib::fstar!(r#"assert (forall i. get_lane $vec_constant i == $constant)"#);
     let value_low = mm256_mullo_epi16(vector, vec_constant);
-    hax_lib::fstar!("assert (forall i. get_lane $value_low i == get_lane $vector i *. $constant)");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $value_low i == get_lane $vector i *. $constant)"#
+    );
     let k = mm256_mullo_epi16(
         value_low,
         mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16),
     );
-    hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))");
+    hax_lib::fstar!(r#"assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"#);
     let modulus = mm256_set1_epi16(FIELD_MODULUS);
-    hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)");
+    hax_lib::fstar!(r#"assert (forall i. get_lane $modulus i == 3329s)"#);
     let k_times_modulus = mm256_mulhi_epi16(k, modulus);
-    hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == 
+    hax_lib::fstar!(
+        r#"assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == 
                         Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
                                 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k)
                                 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus));
                      assert (forall i. get_lane $k_times_modulus i == 
-                        (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))");
+                        (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"#
+    );
 
     let value_high = mm256_mulhi_epi16(vector, vec_constant);
-    hax_lib::fstar!("assert (forall i. get_lane $value_high i == 
-        (cast (((cast (get_lane $vector i) <: i32) *. (cast (get_lane $vec_constant i) <: i32)) >>! 16l) <: i16))");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $value_high i == 
+        (cast (((cast (get_lane $vector i) <: i32) *. (cast (get_lane $vec_constant i) <: i32)) >>! 16l) <: i16))"#
+    );
 
     let result = mm256_sub_epi16(value_high, k_times_modulus);
-    hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+    hax_lib::fstar!(
+        r#"Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
                     assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
                     assert (v (cast 3329s <: i32) == 3329);
                     assert ((cast 3329s <: i32) == 3329l);
@@ -204,16 +229,17 @@ pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) ->
                     assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i));
                     assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i));
                     assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result));
-                    assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vector i) * v $constant * 169) % 3329))");
+                    assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vector i) * v $constant * 169) % 3329))"#
+    );
     result
 }
 
 #[inline(always)]
-#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $constants))")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"#))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $constants))"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\
                 (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 
-                                      ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))")))]
+                                      ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"#)))]
 pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -> Vec256 {
     let value_low = mm256_mullo_epi16(vec, constants);
     hax_lib::fstar!(
@@ -224,25 +250,30 @@ pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -
         value_low,
         mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16),
     );
-    hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))");
+    hax_lib::fstar!(r#"assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"#);
 
     let modulus = mm256_set1_epi16(FIELD_MODULUS);
-    hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)");
+    hax_lib::fstar!(r#"assert (forall i. get_lane $modulus i == 3329s)"#);
 
     let k_times_modulus = mm256_mulhi_epi16(k, modulus);
-    hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == 
+    hax_lib::fstar!(
+        r#"assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == 
                         Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
                                 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k)
                                 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus));
                     assert (forall i. get_lane $k_times_modulus i == 
-                        (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))");
+                        (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"#
+    );
 
     let value_high = mm256_mulhi_epi16(vec, constants);
-    hax_lib::fstar!("assert (forall i. get_lane $value_high i == 
-            (cast (((cast (get_lane $vec i) <: i32) *. (cast (get_lane $constants i) <: i32)) >>! 16l) <: i16))");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $value_high i == 
+            (cast (((cast (get_lane $vec i) <: i32) *. (cast (get_lane $constants i) <: i32)) >>! 16l) <: i16))"#
+    );
 
     let result = mm256_sub_epi16(value_high, k_times_modulus);
-    hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+    hax_lib::fstar!(
+        r#"Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
                     assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
                     assert (v (cast 3329s <: i32) == 3329);
                     assert ((cast 3329s <: i32) == 3329l);
@@ -251,18 +282,19 @@ pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -
                     assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i));
                     assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i));
                     assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result));
-                    assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))");
+                    assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"#
+    );
     result
 }
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (3328 * pow2 16) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec))")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (3328 + 1665) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (3328 * pow2 16) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec))"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (3328 + 1665) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\
                 (Spec.Utils.is_i16b_array (3328 * pow2 15) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec) ==>
-                 Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)) /\\
+                 Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)) /\
                 (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 
-                                      ((v (get_lane $vec i) * 169) % 3329))")))]
+                                      ((v (get_lane $vec i) * 169) % 3329))"#)))]
 pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 {
     let k = mm256_mullo_epi16(
         vec,
@@ -280,14 +312,16 @@ pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 {
 }
 
 #[inline(always)]
-#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $constants))")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 ${result}) /\\
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"#))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $constants))"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 ${result}) /\
                 (forall i. i < 8 ==> v (get_lane128 $result i) % 3329 == 
-                                      ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))")))]
+                                      ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"#)))]
 pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec128) -> Vec128 {
     let value_low = mm_mullo_epi16(vec, constants);
-    hax_lib::fstar!("assert (forall i. get_lane128 $value_low i == get_lane128 $vec i *. get_lane128 $constants i)");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane128 $value_low i == get_lane128 $vec i *. get_lane128 $constants i)"#
+    );
 
     let k = mm_mullo_epi16(
         value_low,
@@ -298,22 +332,27 @@ pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec
     );
 
     let modulus = mm_set1_epi16(FIELD_MODULUS);
-    hax_lib::fstar!("assert (forall i. get_lane128 $modulus i == 3329s)");
+    hax_lib::fstar!(r#"assert (forall i. get_lane128 $modulus i == 3329s)"#);
 
     let k_times_modulus = mm_mulhi_epi16(k, modulus);
-    hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k_times_modulus == 
+    hax_lib::fstar!(
+        r#"assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k_times_modulus == 
                         Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
                                 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k)
                                 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $modulus));
                     assert (forall i. get_lane128 $k_times_modulus i == 
-                        (cast (((cast (get_lane128 $k i) <: i32) *. (cast (get_lane128 $modulus i) <: i32)) >>! 16l) <: i16))");
+                        (cast (((cast (get_lane128 $k i) <: i32) *. (cast (get_lane128 $modulus i) <: i32)) >>! 16l) <: i16))"#
+    );
 
     let value_high = mm_mulhi_epi16(vec, constants);
-    hax_lib::fstar!("assert (forall i. get_lane128 $value_high i == 
-                        (cast (((cast (get_lane128 $vec i) <: i32) *. (cast (get_lane128 $constants i) <: i32)) >>! 16l) <: i16))");
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane128 $value_high i == 
+                        (cast (((cast (get_lane128 $vec i) <: i32) *. (cast (get_lane128 $constants i) <: i32)) >>! 16l) <: i16))"#
+    );
 
     let result = mm_sub_epi16(value_high, k_times_modulus);
-    hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+    hax_lib::fstar!(
+        r#"Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
                     assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
                     assert (v (cast 3329s <: i32) == 3329);
                     assert ((cast 3329s <: i32) == 3329l);
@@ -322,7 +361,8 @@ pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec
                     assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 $result i));
                     assert (forall (i:nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 $result i));
                     assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $result));
-                    assert (forall i. v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))");
+                    assert (forall i. v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"#
+    );
 
     result
 }
diff --git a/libcrux-ml-kem/src/vector/avx2/compress.rs b/libcrux-ml-kem/src/vector/avx2/compress.rs
index 9d02e9730..bd428426b 100644
--- a/libcrux-ml-kem/src/vector/avx2/compress.rs
+++ b/libcrux-ml-kem/src/vector/avx2/compress.rs
@@ -38,8 +38,8 @@ pub(crate) fn compress_message_coefficient(vector: Vec256) -> Vec256 {
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype /\\
-    range (v (1l <<! $COEFFICIENT_BITS) - 1) i32_inttype"))]
+#[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype /\\
+    range (v (1l <<! $COEFFICIENT_BITS) - 1) i32_inttype"#))]
 pub(crate) fn compress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
     vector: Vec256,
 ) -> Vec256 {
@@ -105,7 +105,7 @@ pub(crate) fn compress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype"))]
+#[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype"#))]
 pub(crate) fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
     vector: Vec256,
 ) -> Vec256 {
diff --git a/libcrux-ml-kem/src/vector/avx2/ntt.rs b/libcrux-ml-kem/src/vector/avx2/ntt.rs
index eedc0a1fd..14701b96c 100644
--- a/libcrux-ml-kem/src/vector/avx2/ntt.rs
+++ b/libcrux-ml-kem/src/vector/avx2/ntt.rs
@@ -1,7 +1,7 @@
 use super::*;
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn ntt_layer_1_step(
     vector: Vec256,
     zeta0: i16,
@@ -23,7 +23,7 @@ pub(crate) fn ntt_layer_1_step(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"#))]
 pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 {
     let zetas = mm256_set_epi16(
         -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0,
@@ -39,7 +39,7 @@ pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta"#))]
 pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
     let rhs = mm256_extracti128_si256::<1>(vector);
     let rhs = arithmetic::montgomery_multiply_m128i_by_constants(rhs, mm_set1_epi16(zeta));
@@ -57,7 +57,7 @@ pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn inv_ntt_layer_1_step(
     vector: Vec256,
     zeta0: i16,
@@ -87,7 +87,7 @@ pub(crate) fn inv_ntt_layer_1_step(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"#))]
 pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 {
     let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(vector);
 
@@ -109,7 +109,7 @@ pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Ve
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta"#))]
 pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
     let lhs = mm256_extracti128_si256::<1>(vector);
     let rhs = mm256_castsi256_si128(vector);
@@ -128,7 +128,7 @@ pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn ntt_multiply(
     lhs: Vec256,
     rhs: Vec256,
diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs
index 7c3f0b500..d4451fdad 100644
--- a/libcrux-ml-kem/src/vector/avx2/serialize.rs
+++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs
@@ -3,8 +3,8 @@ use crate::vector::portable::PortableVector;
 
 #[inline(always)]
 #[hax_lib::fstar::options("--ext context_pruning --compat_pre_core 0")]
-#[hax_lib::requires(fstar!("forall i. i % 16 >= 1 ==> vector i == 0"))]
-#[hax_lib::ensures(|result| fstar!("forall i. bit_vec_of_int_t_array $result 8 i == $vector (i * 16)"))]
+#[hax_lib::requires(fstar!(r#"forall i. i % 16 >= 1 ==> vector i == 0"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. bit_vec_of_int_t_array $result 8 i == $vector (i * 16)"#))]
 pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] {
     // Suppose |vector| is laid out as follows (superscript number indicates the
     // corresponding bit is duplicated that many times):
@@ -179,7 +179,7 @@ fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 {
         r#"forall (i: nat{i < 256}). i % 16 < 4 || $vector i = 0"#
     )
 )]
-#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 64}). bit_vec_of_int_t_array $r 8 i == $vector ((i/4) * 16 + i%4)"))]
+#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 64}). bit_vec_of_int_t_array $r 8 i == $vector ((i/4) * 16 + i%4)"#))]
 #[inline(always)]
 pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] {
     let mut serialized = [0u8; 16];
@@ -504,11 +504,11 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 {
 
 #[inline(always)]
 #[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
-#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))]
-#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"))]
+#[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"#))]
+#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"#))]
 pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] {
     #[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
-    #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))]
+    #[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"#))]
     #[hax_lib::ensures(|(lower_8, upper_8)| fstar!(
         r#"
          forall (i: nat{i < 160}).
@@ -686,12 +686,12 @@ pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 {
 
 #[inline(always)]
 #[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
-#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))]
-#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i/12) * 16 + i%12)"))]
+#[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"#))]
+#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i/12) * 16 + i%12)"#))]
 pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] {
     #[inline(always)]
     #[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
-    #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))]
+    #[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"#))]
     #[hax_lib::ensures(|(lower_8, upper_8)| fstar!(
         r#"
          forall (i: nat{i < 192}).
diff --git a/libcrux-ml-kem/src/vector/neon.rs b/libcrux-ml-kem/src/vector/neon.rs
index bd3be862a..c961c654d 100644
--- a/libcrux-ml-kem/src/vector/neon.rs
+++ b/libcrux-ml-kem/src/vector/neon.rs
@@ -26,18 +26,18 @@ impl crate::vector::traits::Repr for SIMD128Vector {
 #[hax_lib::attributes]
 impl Operations for SIMD128Vector {
     #[inline(always)]
-    #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Seq.create 16 0s"#))]
     fn ZERO() -> Self {
         ZERO()
     }
 
     #[requires(array.len() == 16)]
-    #[ensures(|out| fstar!("impl.f_repr out == $array"))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))]
     fn from_i16_array(array: &[i16]) -> Self {
         from_i16_array(array)
     }
 
-    #[ensures(|out| fstar!("out == impl.f_repr $x"))]
+    #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))]
     fn to_i16_array(x: Self) -> [i16; 16] {
         to_i16_array(x)
     }
diff --git a/libcrux-ml-kem/src/vector/portable.rs b/libcrux-ml-kem/src/vector/portable.rs
index 3eb62aa28..cc997b79e 100644
--- a/libcrux-ml-kem/src/vector/portable.rs
+++ b/libcrux-ml-kem/src/vector/portable.rs
@@ -21,36 +21,40 @@ impl crate::vector::traits::Repr for PortableVector {
     }
 }
 
-#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"))]
-#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> 
-                                 Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> 
+                                 Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"#))]
 fn serialize_1(a: PortableVector) -> [u8; 2] {
-    hax_lib::fstar!("assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 1)");
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma $a");
+    hax_lib::fstar!(
+        r#"assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 1)"#
+    );
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma $a"#);
     serialize::serialize_1(a)
 }
 
 #[hax_lib::requires(a.len() == 2)]
-#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"))]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"#))]
 fn deserialize_1(a: &[u8]) -> PortableVector {
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma $a");
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma $a");
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma $a"#);
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma $a"#);
     serialize::deserialize_1(a)
 }
 
-#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"))]
-#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"#))]
 fn serialize_4(a: PortableVector) -> [u8; 8] {
-    hax_lib::fstar!("assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 4)");
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma $a");
+    hax_lib::fstar!(
+        r#"assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 4)"#
+    );
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma $a"#);
     serialize::serialize_4(a)
 }
 
 #[hax_lib::requires(a.len() == 8)]
-#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"))]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"#))]
 fn deserialize_4(a: &[u8]) -> PortableVector {
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma $a");
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma $a");
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma $a"#);
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma $a"#);
     serialize::deserialize_4(a)
 }
 
@@ -63,18 +67,18 @@ fn deserialize_5(a: &[u8]) -> PortableVector {
     serialize::deserialize_5(a)
 }
 
-#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"))]
-#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"#))]
 fn serialize_10(a: PortableVector) -> [u8; 20] {
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma $a");
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma $a"#);
     serialize::serialize_10(a)
 }
 
 #[hax_lib::requires(a.len() == 20)]
-#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"))]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"#))]
 fn deserialize_10(a: &[u8]) -> PortableVector {
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma $a");
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma $a");
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma $a"#);
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma $a"#);
     serialize::deserialize_10(a)
 }
 
@@ -87,18 +91,18 @@ fn deserialize_11(a: &[u8]) -> PortableVector {
     serialize::deserialize_11(a)
 }
 
-#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"))]
-#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"#))]
 fn serialize_12(a: PortableVector) -> [u8; 24] {
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma $a");
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma $a"#);
     serialize::serialize_12(a)
 }
 
 #[hax_lib::requires(a.len() == 24)]
-#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"))]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"#))]
 fn deserialize_12(a: &[u8]) -> PortableVector {
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma $a");
-    hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma $a");
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma $a"#);
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma $a"#);
     serialize::deserialize_12(a)
 }
 
@@ -106,157 +110,157 @@ fn deserialize_12(a: &[u8]) -> PortableVector {
 #[hax_lib::fstar::after(r#"#pop-options"#)]
 #[hax_lib::attributes]
 impl Operations for PortableVector {
-    #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Seq.create 16 0s"#))]
     fn ZERO() -> Self {
         zero()
     }
 
     #[requires(array.len() == 16)]
-    #[ensures(|out| fstar!("impl.f_repr out == $array"))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))]
     fn from_i16_array(array: &[i16]) -> Self {
         from_i16_array(array)
     }
 
-    #[ensures(|out| fstar!("out == impl.f_repr $x"))]
+    #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))]
     fn to_i16_array(x: Self) -> [i16; 16] {
         to_i16_array(x)
     }
 
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index ${result}.f_elements i) == 
-         v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))]
+         v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))]
     fn add(lhs: Self, rhs: &Self) -> Self {
         add(lhs, rhs)
     }
 
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index ${result}.f_elements i) == 
-         v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))]
+         v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))]
     fn sub(lhs: Self, rhs: &Self) -> Self {
         sub(lhs, rhs)
     }
 
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index ${result}.f_elements i) == 
-        v (Seq.index ${vec}.f_elements i) * v c)"))]
+        v (Seq.index ${vec}.f_elements i) * v c)"#))]
     fn multiply_by_constant(vec: Self, c: i16) -> Self {
         multiply_by_constant(vec, c)
     }
 
-    #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr $v)"))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr $v)"#))]
     fn bitwise_and_with_constant(v: Self, c: i16) -> Self {
         bitwise_and_with_constant(v, c)
     }
 
     #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
-    #[ensures(|out| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $v)"))]
+    #[ensures(|out| fstar!(r#"(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $v)"#))]
     fn shift_right<const SHIFT_BY: i32>(v: Self) -> Self {
         shift_right::<{ SHIFT_BY }>(v)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $v)"))]
-    #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $v)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $v)"#))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $v)"#))]
     fn cond_subtract_3329(v: Self) -> Self {
         cond_subtract_3329(v)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (impl.f_repr ${v})"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (impl.f_repr ${v})"#))]
     fn barrett_reduce(v: Self) -> Self {
         barrett_reduce(v)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 $r"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 $r"#))]
     fn montgomery_multiply_by_constant(v: Self, r: i16) -> Self {
         montgomery_multiply_by_constant(v, r)
     }
 
-    #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\
-        v (Seq.index (impl.f_repr $a) i) < 3329"))]
-    #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))]
+    #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\
+        v (Seq.index (impl.f_repr $a) i) < 3329"#))]
+    #[ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"#))]
     fn compress_1(a: Self) -> Self {
         compress_1(a)
     }
 
-    #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
             v $COEFFICIENT_BITS == 5 \\/
             v $COEFFICIENT_BITS == 10 \\/
             v $COEFFICIENT_BITS == 11) /\\
         (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\
-            v (Seq.index (impl.f_repr $a) i) < 3329)"))]
-    #[ensures(|out| fstar!("(v $COEFFICIENT_BITS == 4 \\/
+            v (Seq.index (impl.f_repr $a) i) < 3329)"#))]
+    #[ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
             v $COEFFICIENT_BITS == 5 \\/
             v $COEFFICIENT_BITS == 10 \\/
             v $COEFFICIENT_BITS == 11) ==>
-                (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))]
+                (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"#))]
     fn compress<const COEFFICIENT_BITS: i32>(a: Self) -> Self {
         compress::<COEFFICIENT_BITS>(a)
     }
 
-    #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
         v $COEFFICIENT_BITS == 5 \\/
         v $COEFFICIENT_BITS == 10 \\/
         v $COEFFICIENT_BITS == 11) /\\
     (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\
-        v (Seq.index (impl.f_repr $a) i) < pow2 (v $COEFFICIENT_BITS))"))]
+        v (Seq.index (impl.f_repr $a) i) < pow2 (v $COEFFICIENT_BITS))"#))]
     fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(a: Self) -> Self {
         decompress_ciphertext_coefficient::<COEFFICIENT_BITS>(a)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3  /\\
-                       Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))]
+                       Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"#))]
     fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
         ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                       Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                       Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"#))]
     fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self {
         ntt_layer_2_step(a, zeta0, zeta1)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                       Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+                       Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"#))]
     fn ntt_layer_3_step(a: Self, zeta: i16) -> Self {
         ntt_layer_3_step(a, zeta)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                       Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
+                       Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
         inv_ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self {
         inv_ntt_layer_2_step(a, zeta0, zeta1)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self {
         inv_ntt_layer_3_step(a, zeta)
     }
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
                        Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\\
-                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))]
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     fn ntt_multiply(
         lhs: &Self,
         rhs: &Self,
@@ -268,26 +272,26 @@ impl Operations for PortableVector {
         ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3)
     }
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"))]
-    #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"#))]
     fn serialize_1(a: Self) -> [u8; 2] {
         serialize_1(a)
     }
 
     #[requires(a.len() == 2)]
-    #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"))]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"#))]
     fn deserialize_1(a: &[u8]) -> Self {
         deserialize_1(a)
     }
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"))]
-    #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"#))]
     fn serialize_4(a: Self) -> [u8; 8] {
         serialize_4(a)
     }
 
     #[requires(a.len() == 8)]
-    #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"))]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"#))]
     fn deserialize_4(a: &[u8]) -> Self {
         deserialize_4(a)
     }
@@ -301,14 +305,14 @@ impl Operations for PortableVector {
         deserialize_5(a)
     }
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"))]
-    #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"#))]
     fn serialize_10(a: Self) -> [u8; 20] {
         serialize_10(a)
     }
 
     #[requires(a.len() == 20)]
-    #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"))]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"#))]
     fn deserialize_10(a: &[u8]) -> Self {
         deserialize_10(a)
     }
@@ -322,21 +326,21 @@ impl Operations for PortableVector {
         deserialize_11(a)
     }
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"))]
-    #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"#))]
     fn serialize_12(a: Self) -> [u8; 24] {
         serialize_12(a)
     }
 
     #[requires(a.len() == 24)]
-    #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"))]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"#))]
     fn deserialize_12(a: &[u8]) -> Self {
         deserialize_12(a)
     }
 
     #[requires(a.len() == 24 && out.len() == 16)]
     #[ensures(|result|
-        fstar!("Seq.length $out_future == Seq.length $out /\\ v $result <= 16")
+        fstar!(r#"Seq.length $out_future == Seq.length $out /\\ v $result <= 16"#)
     )]
     fn rej_sample(a: &[u8], out: &mut [i16]) -> usize {
         rej_sample(a, out)
diff --git a/libcrux-ml-kem/src/vector/portable/arithmetic.rs b/libcrux-ml-kem/src/vector/portable/arithmetic.rs
index 64b92baed..9e909c2b6 100644
--- a/libcrux-ml-kem/src/vector/portable/arithmetic.rs
+++ b/libcrux-ml-kem/src/vector/portable/arithmetic.rs
@@ -22,7 +22,7 @@ pub(crate) const BARRETT_MULTIPLIER: i32 = 20159;
 
 #[hax_lib::fstar::options("--z3rlimit 150 --split_queries always")]
 #[cfg_attr(hax, hax_lib::requires(n <= 16))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("v result == v value % pow2(v n)")))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"v result == v value % pow2(v n)"#)))]
 #[inline(always)]
 pub(crate) fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
     let res = value & ((1 << n) - 1);
@@ -46,19 +46,21 @@ pub(crate) fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 150")]
-#[hax_lib::requires(fstar!("forall i. i < 16 ==> 
-    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))]
-#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> 
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
     (v (Seq.index ${result}.f_elements i) == 
-     v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))]
+     v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))]
 pub fn add(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector {
     let _lhs0 = lhs;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("
+            fstar!(
+                r#"
               (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == 
                                      (Seq.index ${_lhs0}.f_elements j) +! (Seq.index ${rhs}.f_elements j)) /\\
-              (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))")
+              (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))"#
+            )
         });
         lhs.elements[i] += rhs.elements[i];
     }
@@ -70,19 +72,21 @@ pub fn add(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector {
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("forall i. i < 16 ==> 
-    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))]
-#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> 
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
     (v (Seq.index ${result}.f_elements i) == 
-     v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))]
+     v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))]
 pub fn sub(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector {
     let _lhs0 = lhs;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("
+            fstar!(
+                r#"
               (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == 
                                      (Seq.index ${_lhs0}.f_elements j) -! (Seq.index ${rhs}.f_elements j)) /\\
-              (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))")
+              (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))"#
+            )
         });
         lhs.elements[i] -= rhs.elements[i];
     }
@@ -94,19 +98,21 @@ pub fn sub(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector {
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("forall i. i < 16 ==> 
-    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"))]
-#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> 
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
     (v (Seq.index ${result}.f_elements i) == 
-     v (Seq.index ${vec}.f_elements i) * v c)"))]
+     v (Seq.index ${vec}.f_elements i) * v c)"#))]
 pub fn multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector {
     let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("
+            fstar!(
+                r#"
               (forall j. j < v i ==> (Seq.index ${vec}.f_elements j) == 
                                      (Seq.index ${_vec0}.f_elements j) *! c) /\\
-              (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))")
+              (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))"#
+            )
         });
         vec.elements[i] *= c;
     }
@@ -118,38 +124,46 @@ pub fn multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector {
 }
 
 #[inline(always)]
-#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Spec.Utils.map_array (fun x -> x &. c) (${vec}.f_elements)"))]
+#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == Spec.Utils.map_array (fun x -> x &. c) (${vec}.f_elements)"#))]
 pub fn bitwise_and_with_constant(mut vec: PortableVector, c: i16) -> PortableVector {
     let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("
+            fstar!(
+                r#"
               (forall j. j < v i ==> Seq.index ${vec}.f_elements j == 
                                      (Seq.index ${_vec0}.f_elements j &. c)) /\\
-              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)")
+              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"#
+            )
         });
         vec.elements[i] &= c;
     }
-    hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x &. c) ${_vec0}.f_elements)");
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x &. c) ${_vec0}.f_elements)"#
+    );
     vec
 }
 
 #[inline(always)]
 #[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
-#[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> 
-        ${result}.f_elements == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (${vec}.f_elements)"))]
+#[hax_lib::ensures(|result| fstar!(r#"(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> 
+        ${result}.f_elements == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (${vec}.f_elements)"#))]
 pub fn shift_right<const SHIFT_BY: i32>(mut vec: PortableVector) -> PortableVector {
     let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("
+            fstar!(
+                r#"
               (forall j. j < v i ==> Seq.index ${vec}.f_elements j == 
                                      (Seq.index ${_vec0}.f_elements j >>! ${SHIFT_BY})) /\\
-              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)")
+              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"#
+            )
         });
         vec.elements[i] = vec.elements[i] >> SHIFT_BY;
     }
-    hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) ${_vec0}.f_elements)");
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) ${_vec0}.f_elements)"#
+    );
     vec
 }
 
@@ -157,26 +171,28 @@ pub fn shift_right<const SHIFT_BY: i32>(mut vec: PortableVector) -> PortableVect
 /// Only use with public values.
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 300")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) ${vec}.f_elements"))]
-#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Spec.Utils.map_array 
-                (fun x -> if x >=. 3329s then x -! 3329s else x) (${vec}.f_elements)"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == Spec.Utils.map_array 
+                (fun x -> if x >=. 3329s then x -! 3329s else x) (${vec}.f_elements)"#))]
 pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector {
     let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("
+            fstar!(
+                r#"
               (forall j. j < v i ==> Seq.index ${vec}.f_elements j == 
                                      (let x = Seq.index ${_vec0}.f_elements j in
                                       if x >=. 3329s then x -! 3329s else x)) /\\
-              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)")
+              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"#
+            )
         });
         if vec.elements[i] >= 3329 {
             vec.elements[i] -= 3329
         }
     }
     hax_lib::fstar!(
-        "Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array 
-                            (fun x -> if x >=. 3329s then x -! 3329s else x) ${_vec0}.f_elements)"
+        r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array 
+                            (fun x -> if x >=. 3329s then x -! 3329s else x) ${_vec0}.f_elements)"#
     );
     vec
 }
@@ -194,20 +210,20 @@ pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector {
 /// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS
 ///
 #[hax_lib::fstar::options("--z3rlimit 150 --ext context_pruning")]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 28296 value")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\
-                v result % 3329 == v value % 3329")))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 28296 value"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b 3328 result /\\
+                v result % 3329 == v value % 3329"#)))]
 pub(crate) fn barrett_reduce_element(value: FieldElement) -> FieldElement {
     let t = (i32::from(value) * BARRETT_MULTIPLIER) + (BARRETT_R >> 1);
     hax_lib::fstar!(
         "assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2*3329));
                      assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25)"
     );
-    hax_lib::fstar!("assert (v t / pow2 26 < 9)");
-    hax_lib::fstar!("assert (v t / pow2 26 > - 9)");
+    hax_lib::fstar!(r#"assert (v t / pow2 26 < 9)"#);
+    hax_lib::fstar!(r#"assert (v t / pow2 26 > - 9)"#);
     let quotient = (t >> BARRETT_SHIFT) as i16;
-    hax_lib::fstar!("assert (v quotient = v t / pow2 26)");
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b 9 quotient)");
+    hax_lib::fstar!(r#"assert (v quotient = v t / pow2 26)"#);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 9 quotient)"#);
     let result = value - (quotient * FIELD_MODULUS);
     hax_lib::fstar!(
         "calc (==) {
@@ -227,27 +243,31 @@ pub(crate) fn barrett_reduce_element(value: FieldElement) -> FieldElement {
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 150")]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 28296 ${vec}.f_elements")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 ${vec}.f_elements"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\
                 (forall i. (v (Seq.index ${result}.f_elements i) % 3329) == 
-                           (v (Seq.index ${vec}.f_elements i) % 3329))")))]
+                           (v (Seq.index ${vec}.f_elements i) % 3329))"#)))]
 pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector {
     let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("
+            fstar!(
+                r#"
                 (forall j. j < v i ==> (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements j) /\\
                                         v (Seq.index ${vec}.f_elements j) % 3329 == (v (Seq.index ${_vec0}.f_elements j) % 3329))) /\\
                 (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j /\\
-                                         Spec.Utils.is_i16b 28296 (Seq.index ${vec}.f_elements j)))")
+                                         Spec.Utils.is_i16b 28296 (Seq.index ${vec}.f_elements j)))"#
+            )
         });
         let vi = barrett_reduce_element(vec.elements[i]);
         vec.elements[i] = vi;
-        hax_lib::fstar!("assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1);
+        hax_lib::fstar!(
+            r#"assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1);
                          assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j));
                          assert(Spec.Utils.is_i16b 3328 vi);
                          assert(Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i)));
-                         assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))");
+                         assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))"#
+        );
     }
     vec
 }
@@ -266,10 +286,10 @@ pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector {
 /// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664
 ///
 #[hax_lib::fstar::options("--z3rlimit 500 --split_queries always")]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i32b (3328 * pow2 16) value ")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b (3328 + 1665) result /\\
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i32b (3328 * pow2 16) value "#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b (3328 + 1665) result /\\
                 (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\\
-                v result % 3329 == (v value * 169) % 3329")))]
+                v result % 3329 == (v value * 169) % 3329"#)))]
 pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement {
     // This forces hax to extract code for MONTGOMERY_R before it extracts code
     // for this function. The removal of this line is being tracked in:
@@ -277,15 +297,19 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement {
     let _ = MONTGOMERY_R;
 
     let k = (value as i16) as i32 * (INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32);
-    hax_lib::fstar!("assert(v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16);
+    hax_lib::fstar!(
+        r#"assert(v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16);
                      assert(v k == (v value @% pow2 16) * 62209);
                      assert(v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16);
                      assert(v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15);
                      assert(v (cast (cast (k <: i32) <: i16) <: i32) >= -pow2 15);
-                     assert(v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)");
+                     assert(v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)"#
+    );
     let k_times_modulus = (k as i16 as i32) * (FIELD_MODULUS as i32);
-    hax_lib::fstar!("Spec.Utils.lemma_mul_i16b (pow2 15) (3329) (cast (k <: i32) <: i16) Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS;
-                     assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)");
+    hax_lib::fstar!(
+        r#"Spec.Utils.lemma_mul_i16b (pow2 15) (3329) (cast (k <: i32) <: i16) Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS;
+                     assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)"#
+    );
     let c = (k_times_modulus >> MONTGOMERY_SHIFT) as i16;
     hax_lib::fstar!(
         "assert (v k_times_modulus < pow2 31);
@@ -295,19 +319,22 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement {
                      assert(Spec.Utils.is_i16b 1665 c)"
     );
     let value_high = (value >> MONTGOMERY_SHIFT) as i16;
-    hax_lib::fstar!("assert (v value < pow2 31);
+    hax_lib::fstar!(
+        r#"assert (v value < pow2 31);
                      assert (v value / pow2 16 < pow2 15);
                      assert (v value_high == (v value / pow2 16) @% pow2 16);
                      Spec.Utils.lemma_div_at_percent (v value) (pow2 16);
                      assert (v value_high == (v value / pow2 16)); 
                      assert(Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high);
-                     assert(Spec.Utils.is_i16b 3328 value_high)");
+                     assert(Spec.Utils.is_i16b 3328 value_high)"#
+    );
     let res = value_high - c;
-    hax_lib::fstar!("assert(Spec.Utils.is_i16b (3328 + 1665) res)");
+    hax_lib::fstar!(r#"assert(Spec.Utils.is_i16b (3328 + 1665) res)"#);
     hax_lib::fstar!(
         "assert(Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res)"
     );
-    hax_lib::fstar!("calc ( == ) {
+    hax_lib::fstar!(
+        r#"calc ( == ) {
         v k_times_modulus % pow2 16;
           ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
         ((v k @% pow2 16) * 3329) % pow2 16;
@@ -323,8 +350,10 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement {
         (v value) % pow2 16;
         };
       Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus);
-      assert ((v value - v k_times_modulus) % pow2 16 == 0)");
-    hax_lib::fstar!("calc ( == ) {
+      assert ((v value - v k_times_modulus) % pow2 16 == 0)"#
+    );
+    hax_lib::fstar!(
+        r#"calc ( == ) {
         v res % 3329;
             ( == ) { assert (v res == v value_high - v c) }
         (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329 ;
@@ -340,7 +369,8 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement {
         ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; 
             ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169)}
         (v value * 169) % 3329;  
-        }");
+        }"#
+    );
     res
 }
 
@@ -354,36 +384,38 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement {
 /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`.
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 300")]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 fer")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\
-                v result % 3329 == (v fe * v fer * 169) % 3329")))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 fer"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b 3328 result /\\
+                v result % 3329 == (v fe * v fer * 169) % 3329"#)))]
 pub(crate) fn montgomery_multiply_fe_by_fer(
     fe: FieldElement,
     fer: FieldElementTimesMontgomeryR,
 ) -> FieldElement {
-    hax_lib::fstar!("Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer");
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer"#);
     let product = (fe as i32) * (fer as i32);
     montgomery_reduce_element(product)
 }
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 150")]
-#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 c")))]
-#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 c"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"
 Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\
 (forall i. i < 16 ==> 
     (v (Seq.index ${result}.f_elements i) % 3329 == 
-       (v (Seq.index ${vec}.f_elements i) * v c * 169) %3329))")))]
+       (v (Seq.index ${vec}.f_elements i) * v c * 169) %3329))"#)))]
 pub(crate) fn montgomery_multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector {
     let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("
+            fstar!(
+                r#"
               (forall j. j < v i ==>
 	      	  (let vecj = Seq.index ${vec}.f_elements j in
 		       (Spec.Utils.is_i16b 3328 vecj /\\
                 v vecj % 3329 == (v (Seq.index ${_vec0}.f_elements j) * v c * 169) % 3329))) /\\
-              (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))")
+              (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))"#
+            )
         });
         vec.elements[i] = montgomery_multiply_fe_by_fer(vec.elements[i], c)
     }
diff --git a/libcrux-ml-kem/src/vector/portable/compress.rs b/libcrux-ml-kem/src/vector/portable/compress.rs
index d9628d539..3b9d946ee 100644
--- a/libcrux-ml-kem/src/vector/portable/compress.rs
+++ b/libcrux-ml-kem/src/vector/portable/compress.rs
@@ -36,7 +36,7 @@ pub(crate) fn compress_message_coefficient(fe: u16) -> u8 {
     // If 833 <= fe <= 2496,
     // then -832 <= shifted <= 831
     let shifted: i16 = 1664 - (fe as i16);
-    hax_lib::fstar!("assert (v $shifted == 1664 - v $fe)");
+    hax_lib::fstar!(r#"assert (v $shifted == 1664 - v $fe)"#);
 
     // If shifted < 0, then
     // (shifted >> 15) ^ shifted = flip_bits(shifted) = -shifted - 1, and so
@@ -75,14 +75,14 @@ pub(crate) fn compress_message_coefficient(fe: u16) -> u8 {
     let r1: i16 = r0 & 1;
     let res = r1 as u8;
     hax_lib::fstar!(
-        "assert (v $r0 = v $shifted_positive_in_range / pow2 15);
+        r#"assert (v $r0 = v $shifted_positive_in_range / pow2 15);
         assert (if v $shifted_positive_in_range < 0 then $r0 = ones else $r0 = zero);
         logand_lemma (mk_i16 1) $r0; 
         assert (if v $shifted_positive_in_range < 0 then $r1 = mk_i16 1 else $r1 = mk_i16 0);
         assert ((v $fe >= 833 && v $fe <= 2496) ==> $r1 = mk_i16 1);
         assert (v $fe < 833 ==> $r1 = mk_i16 0);
         assert (v $fe > 2496 ==> $r1 = mk_i16 0);
-        assert (v $res = v $r1)"
+        assert (v $res = v $r1)"#
     );
     res
 }
@@ -122,21 +122,21 @@ pub(crate) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: u16) ->
 #[cfg_attr(
     hax,
     hax_lib::fstar::before(
-        "
+        r#"
 let compress_message_coefficient_range_helper (fe: u16) : Lemma
   (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))
-  (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\\
+  (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
     v (cast (compress_message_coefficient fe) <: i16) < 2) =
-  assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\\
+  assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
     v (cast (compress_message_coefficient fe) <: i16) < 2)
-"
+"#
     )
 )]
 #[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 2000")]
-#[hax_lib::requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\\
-    v (Seq.index ${a}.f_elements i) < 3329"))]
-#[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\\
-    v (${result}.f_elements.[ sz i ] <: i16) < 2"))]
+#[hax_lib::requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\
+    v (Seq.index ${a}.f_elements i) < 3329"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\
+    v (${result}.f_elements.[ sz i ] <: i16) < 2"#))]
 pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector {
     hax_lib::fstar!(
         "assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <.
@@ -145,10 +145,10 @@ pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector {
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
             fstar!(
-                "(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==>
-            v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\\
-            (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\\
-                v (${a}.f_elements.[ sz j ] <: i16) < 2)"
+                r#"(v $i < 16 ==> (forall (j:nat). (j >= v $i /\ j < 16) ==>
+            v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\
+            (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\
+                v (${a}.f_elements.[ sz j ] <: i16) < 2)"#
             )
         });
         hax_lib::fstar!(
@@ -156,13 +156,13 @@ pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector {
         );
         a.elements[i] = compress_message_coefficient(a.elements[i] as u16) as i16;
         hax_lib::fstar!(
-            "assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\\
+            "assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\
             v (${a}.f_elements.[ $i ] <: i16) < 2)"
         );
     }
 
     hax_lib::fstar!(
-        "assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\\
+        "assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\
         v (${a}.f_elements.[ sz i ] <: i16) < 2)"
     );
     a
@@ -170,14 +170,14 @@ pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector {
 
 #[inline(always)]
 #[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 2000")]
-#[hax_lib::requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+#[hax_lib::requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
         v $COEFFICIENT_BITS == 5 \\/
         v $COEFFICIENT_BITS == 10 \\/
-        v $COEFFICIENT_BITS == 11) /\\
-    (forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\\
-        v (Seq.index ${a}.f_elements i) < 3329)"))]
-#[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\\
-    v (${result}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"))]
+        v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\
+        v (Seq.index ${a}.f_elements i) < 3329)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\
+    v (${result}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"#))]
 pub(crate) fn compress<const COEFFICIENT_BITS: i32>(mut a: PortableVector) -> PortableVector {
     hax_lib::fstar!(
         "assert (v (cast ($COEFFICIENT_BITS) <: u8) == v $COEFFICIENT_BITS);
@@ -191,21 +191,21 @@ pub(crate) fn compress<const COEFFICIENT_BITS: i32>(mut a: PortableVector) -> Po
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
             fstar!(
-                "(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==>
-            v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\\
-            (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\\
-                v (${a}.f_elements.[ sz j ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))"
+                r#"(v $i < 16 ==> (forall (j:nat). (j >= v $i /\ j < 16) ==>
+            v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\
+            (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\
+                v (${a}.f_elements.[ sz j ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))"#
             )
         });
         a.elements[i] =
             compress_ciphertext_coefficient(COEFFICIENT_BITS as u8, a.elements[i] as u16) as i16;
         hax_lib::fstar!(
-            "assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\\
+            "assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\
             v (${a}.f_elements.[ $i ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))"
         );
     }
     hax_lib::fstar!(
-        "assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\\
+        "assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\
         v (${a}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"
     );
     a
@@ -213,13 +213,13 @@ pub(crate) fn compress<const COEFFICIENT_BITS: i32>(mut a: PortableVector) -> Po
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 300 --ext context_pruning")]
-#[hax_lib::requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+#[hax_lib::requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
         v $COEFFICIENT_BITS == 5 \\/
         v $COEFFICIENT_BITS == 10 \\/
-        v $COEFFICIENT_BITS == 11) /\\
-    (forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\\
-        v (Seq.index ${a}.f_elements i) < pow2 (v $COEFFICIENT_BITS))"))]
-#[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (Seq.index ${result}.f_elements i) < v $FIELD_MODULUS"))]
+        v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\
+        v (Seq.index ${a}.f_elements i) < pow2 (v $COEFFICIENT_BITS))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index ${result}.f_elements i) < v $FIELD_MODULUS"#))]
 pub(crate) fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
     mut a: PortableVector,
 ) -> PortableVector {
@@ -233,10 +233,12 @@ pub(crate) fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
 
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
         hax_lib::loop_invariant!(|i: usize| {
-            fstar!("(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==>
-            v (Seq.index ${a}.f_elements j) >= 0 /\\  v (Seq.index ${a}.f_elements j) < pow2 (v $COEFFICIENT_BITS))) /\\
+            fstar!(
+                r#"(v $i < 16 ==> (forall (j:nat). (j >= v $i /\ j < 16) ==>
+            v (Seq.index ${a}.f_elements j) >= 0 /\  v (Seq.index ${a}.f_elements j) < pow2 (v $COEFFICIENT_BITS))) /\
             (forall (j:nat). j < v $i ==>
-                v (Seq.index ${a}.f_elements j) < v $FIELD_MODULUS)")
+                v (Seq.index ${a}.f_elements j) < v $FIELD_MODULUS)"#
+            )
         });
         hax_lib::fstar!(
             "assert (v (${a}.f_elements.[ $i ] <: i16) < pow2 11);
diff --git a/libcrux-ml-kem/src/vector/portable/ntt.rs b/libcrux-ml-kem/src/vector/portable/ntt.rs
index 46ef118d5..bf746901d 100644
--- a/libcrux-ml-kem/src/vector/portable/ntt.rs
+++ b/libcrux-ml-kem/src/vector/portable/ntt.rs
@@ -3,25 +3,26 @@ use super::vector_type::*;
 
 #[inline(always)]
 #[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")]
-#[hax_lib::requires(fstar!("v i < 16 /\\ v j < 16 /\\ v i <> v j /\\ 
-                            Spec.Utils.is_i16b 1664 $zeta  /\\
-                            Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\\
-                            Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[i] /\\
-                            Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[j]"))]
-#[hax_lib::ensures(|result| fstar!("(forall k. (k <> v i /\\ k <> v j) ==>
-                                         Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\\
-                                    (forall b. (Spec.Utils.is_i16b b ${vec}.f_elements.[i] /\\
+#[hax_lib::requires(fstar!(r#"v i < 16 /\ v j < 16 /\ v i <> v j /\ 
+                            Spec.Utils.is_i16b 1664 $zeta  /\
+                            Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\
+                            Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[i] /\
+                            Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[j]"#))]
+#[hax_lib::ensures(|result| fstar!(r#"(forall k. (k <> v i /\ k <> v j) ==>
+                                         Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\
+                                    (forall b. (Spec.Utils.is_i16b b ${vec}.f_elements.[i] /\
                                                Spec.Utils.is_i16b b ${vec}.f_elements.[j]) ==>
-                                              (Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[i] /\\
-                                               Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[j])) /\\
-                                    Spec.Utils.ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"))]
+                                              (Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[i] /\
+                                               Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[j])) /\
+                                    Spec.Utils.ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"#))]
 pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) {
     let t = montgomery_multiply_fe_by_fer(vec.elements[j], zeta);
     hax_lib::fstar!(
         "assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329))"
     );
     let a_minus_t = vec.elements[i] - t;
-    hax_lib::fstar!("
+    hax_lib::fstar!(
+        r#"
     calc (==) {
         v $a_minus_t % 3329;
         (==) {}
@@ -32,9 +33,11 @@ pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize)
         (v (Seq.index vec.f_elements (v i)) - ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329;
         (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329}
         (v (Seq.index vec.f_elements (v $i)) - (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329;
-        }");
+        }"#
+    );
     let a_plus_t = vec.elements[i] + t;
-    hax_lib::fstar!("
+    hax_lib::fstar!(
+        r#"
     calc (==) {
         v a_plus_t % 3329;
         (==) {}
@@ -45,7 +48,8 @@ pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize)
         (v (Seq.index vec.f_elements (v $i)) + ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329;
         (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329}
         (v (Seq.index vec.f_elements (v $i)) + (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329;
-    }");
+    }"#
+    );
     vec.elements[j] = a_minus_t;
     vec.elements[i] = a_plus_t;
     hax_lib::fstar!(
@@ -56,10 +60,10 @@ pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize)
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 100")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                            Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                            Spec.Utils.is_i16b_array (11207+5*3328) ${vec}.f_elements"))]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) ${result}.f_elements"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                            Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                            Spec.Utils.is_i16b_array (11207+5*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) ${result}.f_elements"#))]
 pub(crate) fn ntt_layer_1_step(
     mut vec: PortableVector,
     zeta0: i16,
@@ -80,9 +84,9 @@ pub(crate) fn ntt_layer_1_step(
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 100")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                            Spec.Utils.is_i16b_array (11207+4*3328) ${vec}.f_elements"))]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) ${result}.f_elements"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                            Spec.Utils.is_i16b_array (11207+4*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) ${result}.f_elements"#))]
 pub(crate) fn ntt_layer_2_step(mut vec: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector {
     ntt_step(&mut vec, zeta0, 0, 4);
     ntt_step(&mut vec, zeta0, 1, 5);
@@ -97,9 +101,9 @@ pub(crate) fn ntt_layer_2_step(mut vec: PortableVector, zeta0: i16, zeta1: i16)
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 100")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                            Spec.Utils.is_i16b_array (11207+3*3328) ${vec}.f_elements"))]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) ${result}.f_elements"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                            Spec.Utils.is_i16b_array (11207+3*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) ${result}.f_elements"#))]
 pub(crate) fn ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector {
     ntt_step(&mut vec, zeta, 0, 8);
     ntt_step(&mut vec, zeta, 1, 9);
@@ -114,23 +118,26 @@ pub(crate) fn ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVe
 
 #[inline(always)]
 #[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")]
-#[hax_lib::requires(fstar!("v i < 16 /\\ v j < 16 /\\  v i <> v j /\\ 
-                        Spec.Utils.is_i16b 1664 $zeta /\\
-                        Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"))]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (4*3328) ${vec}_future.f_elements /\\
-                                    (forall k. (k <> v i /\\ k <> v j) ==>
-                                         Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\\
-                                    Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v i)) /\\
-                                    Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v j)) /\\
-                                    Spec.Utils.inv_ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"))]
+#[hax_lib::requires(fstar!(r#"v i < 16 /\ v j < 16 /\  v i <> v j /\ 
+                        Spec.Utils.is_i16b 1664 $zeta /\
+                        Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (4*3328) ${vec}_future.f_elements /\
+                                    (forall k. (k <> v i /\ k <> v j) ==>
+                                         Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\
+                                    Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v i)) /\
+                                    Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v j)) /\
+                                    Spec.Utils.inv_ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"#))]
 pub(crate) fn inv_ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) {
     let a_minus_b = vec.elements[j] - vec.elements[i];
     let a_plus_b = vec.elements[j] + vec.elements[i];
-    hax_lib::fstar!("assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i)));
-                     assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i)))");
+    hax_lib::fstar!(
+        r#"assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i)));
+                     assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i)))"#
+    );
     let o0 = barrett_reduce_element(a_plus_b);
     let o1 = montgomery_multiply_fe_by_fer(a_minus_b, zeta);
-    hax_lib::fstar!("
+    hax_lib::fstar!(
+        r#"
     calc (==) {
         v o0 % 3329;
         (==) { }
@@ -144,21 +151,22 @@ pub(crate) fn inv_ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usi
         (v a_minus_b * v zeta * 169) % 3329;
         (==) { }
         ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) % 3329;
-    }");
+    }"#
+    );
     vec.elements[i] = o0;
     vec.elements[j] = o1;
     hax_lib::fstar!(
-        "assert (Seq.index vec.f_elements (v i) == o0);
-                     assert (Seq.index vec.f_elements (v j) == o1)"
+        r#"assert (Seq.index vec.f_elements (v i) == o0);
+                     assert (Seq.index vec.f_elements (v j) == o1)"#
     );
 }
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 200")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                            Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                            Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"))]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                            Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                            Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))]
 pub(crate) fn inv_ntt_layer_1_step(
     mut vec: PortableVector,
     zeta0: i16,
@@ -191,15 +199,15 @@ pub(crate) fn inv_ntt_layer_1_step(
         assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 3));
         assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 0));
         assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 2));
-        assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements i))");
+        assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements i))"#);
     vec
 }
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 100")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                            Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"))]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                            Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))]
 pub(crate) fn inv_ntt_layer_2_step(
     mut vec: PortableVector,
     zeta0: i16,
@@ -218,9 +226,9 @@ pub(crate) fn inv_ntt_layer_2_step(
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 100")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                            Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"))]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                            Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))]
 pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector {
     inv_ntt_step(&mut vec, zeta, 0, 8);
     inv_ntt_step(&mut vec, zeta, 1, 9);
@@ -259,22 +267,22 @@ pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> Portab
     "--z3rlimit 250 --split_queries always --query_stats --ext context_prune"
 )]
 #[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")]
-#[hax_lib::requires(fstar!("v i < 8 /\\ Spec.Utils.is_i16b 1664 $zeta /\\
-        Spec.Utils.is_i16b_array 3328 ${a}.f_elements /\\
-        Spec.Utils.is_i16b_array 3328 ${b}.f_elements /\\
-        Spec.Utils.is_i16b_array 3328 ${out}.f_elements "))]
-#[hax_lib::ensures(|()| fstar!("
-        Spec.Utils.is_i16b_array 3328 ${out}_future.f_elements /\\
-        (forall k. (k <> 2 * v $i /\\ k <> 2 * v $i + 1) ==> 
-                    Seq.index ${out}_future.f_elements k == Seq.index ${out}.f_elements k) /\\                 
+#[hax_lib::requires(fstar!(r#"v i < 8 /\ Spec.Utils.is_i16b 1664 $zeta /\
+        Spec.Utils.is_i16b_array 3328 ${a}.f_elements /\
+        Spec.Utils.is_i16b_array 3328 ${b}.f_elements /\
+        Spec.Utils.is_i16b_array 3328 ${out}.f_elements "#))]
+#[hax_lib::ensures(|()| fstar!(r#"
+        Spec.Utils.is_i16b_array 3328 ${out}_future.f_elements /\
+        (forall k. (k <> 2 * v $i /\ k <> 2 * v $i + 1) ==> 
+                    Seq.index ${out}_future.f_elements k == Seq.index ${out}.f_elements k) /\                 
         (let ai = Seq.index ${a}.f_elements (2 * v $i) in
          let aj = Seq.index ${a}.f_elements (2 * v $i + 1) in
          let bi = Seq.index ${b}.f_elements (2 * v $i) in
          let bj = Seq.index ${b}.f_elements (2 * v $i + 1) in
          let oi = Seq.index out_future.f_elements (2 * v $i) in
          let oj = Seq.index out_future.f_elements (2 * v $i + 1) in
-         ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\\
-         ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))"))]
+         ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\
+         ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))"#))]
 pub(crate) fn ntt_multiply_binomials(
     a: &PortableVector,
     b: &PortableVector,
@@ -294,19 +302,20 @@ pub(crate) fn ntt_multiply_binomials(
                      assert_norm (3328 * 3328 < pow2 31)"
     );
 
-    hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bi");
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bi"#);
     let ai_bi = (ai as i32) * (bi as i32);
-    hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bj");
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bj"#);
     let aj_bj_ = (aj as i32) * (bj as i32);
-    hax_lib::fstar!("assert_norm (3328 * 3328 <= 3328 * pow2 15)");
+    hax_lib::fstar!(r#"assert_norm (3328 * 3328 <= 3328 * pow2 15)"#);
     let aj_bj = montgomery_reduce_element(aj_bj_);
-    hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 1664 $aj_bj $zeta");
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 1664 $aj_bj $zeta"#);
     let aj_bj_zeta = (aj_bj as i32) * (zeta as i32);
     let ai_bi_aj_bj = ai_bi + aj_bj_zeta;
-    hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328*3328 + 3328*1664) $ai_bi_aj_bj)");
-    hax_lib::fstar!("assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15)");
+    hax_lib::fstar!(r#"assert(Spec.Utils.is_i32b (3328*3328 + 3328*1664) $ai_bi_aj_bj)"#);
+    hax_lib::fstar!(r#"assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15)"#);
     let o0 = montgomery_reduce_element(ai_bi_aj_bj);
-    hax_lib::fstar!("calc  ( == ) {
+    hax_lib::fstar!(
+        r#"calc  ( == ) {
         v $o0 % 3329;
         ( == ) { () }
         (v $ai_bi_aj_bj * 169) % 3329;
@@ -332,14 +341,15 @@ pub(crate) fn ntt_multiply_binomials(
         (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) % 3329 * 169) % 3329;
         ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) 169 3329 }
         (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) * 169) % 3329;
-        }");
-    hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bj");
+        }"#
+    );
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bj"#);
     let ai_bj = (ai as i32) * (bj as i32);
-    hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bi");
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bi"#);
     let aj_bi = (aj as i32) * (bi as i32);
     let ai_bj_aj_bi = ai_bj + aj_bi;
-    hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328*3328 + 3328*3328) ai_bj_aj_bi) ");
-    hax_lib::fstar!("assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15)");
+    hax_lib::fstar!(r#"assert(Spec.Utils.is_i32b (3328*3328 + 3328*3328) ai_bj_aj_bi) "#);
+    hax_lib::fstar!(r#"assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15)"#);
     let o1 = montgomery_reduce_element(ai_bj_aj_bi);
     hax_lib::fstar!(
         "calc  ( == ) {
@@ -358,25 +368,25 @@ pub(crate) fn ntt_multiply_binomials(
     out.elements[2 * i] = o0;
     out.elements[2 * i + 1] = o1;
     hax_lib::fstar!(
-        "assert (Seq.index out.f_elements (2 * v i) == o0);
+        r#"assert (Seq.index out.f_elements (2 * v i) == o0);
                      assert (Seq.index out.f_elements (2 * v i + 1) == o1);
                      assert (Spec.Utils.is_i16b_array 3328 out.f_elements);
-                     assert (forall k. (k <> 2 * v i /\\ k <> 2 * v i + 1) ==>
+                     assert (forall k. (k <> 2 * v i /\ k <> 2 * v i + 1) ==>
                                         Seq.index out.f_elements k ==
-                                        Seq.index ${_out0} k)"
+                                        Seq.index ${_out0} k)"#
     );
 }
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::fstar::options("--z3rlimit 100")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta0 /\\
-        Spec.Utils.is_i16b 1664 $zeta1 /\\
-        Spec.Utils.is_i16b 1664 $zeta2 /\\
-        Spec.Utils.is_i16b 1664 $zeta3 /\\
-        Spec.Utils.is_i16b_array 3328 ${lhs}.f_elements /\\
-        Spec.Utils.is_i16b_array 3328 ${rhs}.f_elements "))]
-#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta0 /\
+        Spec.Utils.is_i16b 1664 $zeta1 /\
+        Spec.Utils.is_i16b 1664 $zeta2 /\
+        Spec.Utils.is_i16b 1664 $zeta3 /\
+        Spec.Utils.is_i16b_array 3328 ${lhs}.f_elements /\
+        Spec.Utils.is_i16b_array 3328 ${rhs}.f_elements "#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\
           (let zetas = Seq.seq_of_list [v zeta0; - v zeta0; v zeta1; - v zeta1; v zeta2; - v zeta2; v zeta3; - v zeta3] in
           (forall (i:nat). i < 8 ==>
            (let ai = Seq.index lhs.f_elements (2 * i) in
@@ -385,8 +395,8 @@ pub(crate) fn ntt_multiply_binomials(
             let bj = Seq.index rhs.f_elements (2 * i + 1) in
             let oi = Seq.index result.f_elements (2 * i) in
             let oj = Seq.index result.f_elements (2 * i + 1) in
-            ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\\
-            ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))"))]
+            ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\
+            ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))"#))]
 pub(crate) fn ntt_multiply(
     lhs: &PortableVector,
     rhs: &PortableVector,
@@ -399,27 +409,27 @@ pub(crate) fn ntt_multiply(
     let nzeta1 = -zeta1;
     let nzeta2 = -zeta2;
     let nzeta3 = -zeta3;
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta0)");
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta1)");
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta2)");
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta3)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta0)"#);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta1)"#);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta2)"#);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta3)"#);
     let mut out = zero();
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     ntt_multiply_binomials(lhs, rhs, zeta0, 0, &mut out);
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     ntt_multiply_binomials(lhs, rhs, nzeta0, 1, &mut out);
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     ntt_multiply_binomials(lhs, rhs, zeta1, 2, &mut out);
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     ntt_multiply_binomials(lhs, rhs, nzeta1, 3, &mut out);
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     ntt_multiply_binomials(lhs, rhs, zeta2, 4, &mut out);
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     ntt_multiply_binomials(lhs, rhs, nzeta2, 5, &mut out);
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     ntt_multiply_binomials(lhs, rhs, zeta3, 6, &mut out);
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     ntt_multiply_binomials(lhs, rhs, nzeta3, 7, &mut out);
-    hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     out
 }
diff --git a/libcrux-ml-kem/src/vector/portable/sampling.rs b/libcrux-ml-kem/src/vector/portable/sampling.rs
index 13f6f9f33..b2f4b4110 100644
--- a/libcrux-ml-kem/src/vector/portable/sampling.rs
+++ b/libcrux-ml-kem/src/vector/portable/sampling.rs
@@ -4,7 +4,7 @@ use crate::vector::FIELD_MODULUS;
 #[hax_lib::fstar::verification_status(lax)]
 #[hax_lib::requires(a.len() == 24 && result.len() == 16)]
 #[hax_lib::ensures(|res|
-        fstar!("Seq.length $result_future == Seq.length $result /\\ v $res <= 16")
+        fstar!(r#"Seq.length $result_future == Seq.length $result /\ v $res <= 16"#)
     )]
 pub(crate) fn rej_sample(a: &[u8], result: &mut [i16]) -> usize {
     let mut sampled = 0;
diff --git a/libcrux-ml-kem/src/vector/portable/vector_type.rs b/libcrux-ml-kem/src/vector/portable/vector_type.rs
index 94dde4e71..aa52886dc 100644
--- a/libcrux-ml-kem/src/vector/portable/vector_type.rs
+++ b/libcrux-ml-kem/src/vector/portable/vector_type.rs
@@ -10,7 +10,7 @@ pub struct PortableVector {
 }
 
 #[inline(always)]
-#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Seq.create 16 0s"))]
+#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == Seq.create 16 0s"#))]
 pub fn zero() -> PortableVector {
     PortableVector {
         elements: [0i16; FIELD_ELEMENTS_IN_VECTOR],
@@ -18,14 +18,14 @@ pub fn zero() -> PortableVector {
 }
 
 #[inline(always)]
-#[hax_lib::ensures(|result| fstar!("${result} == ${x}.f_elements"))]
+#[hax_lib::ensures(|result| fstar!(r#"${result} == ${x}.f_elements"#))]
 pub fn to_i16_array(x: PortableVector) -> [i16; 16] {
     x.elements
 }
 
 #[inline(always)]
 #[hax_lib::requires(array.len() == 16)]
-#[hax_lib::ensures(|result| fstar!("${result}.f_elements == $array"))]
+#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == $array"#))]
 pub fn from_i16_array(array: &[i16]) -> PortableVector {
     PortableVector {
         elements: array[0..16].try_into().unwrap(),
diff --git a/libcrux-ml-kem/src/vector/traits.rs b/libcrux-ml-kem/src/vector/traits.rs
index 193d0edf6..87436fcd1 100644
--- a/libcrux-ml-kem/src/vector/traits.rs
+++ b/libcrux-ml-kem/src/vector/traits.rs
@@ -19,162 +19,162 @@ pub trait Repr: Copy + Clone {
 pub trait Operations: Copy + Clone + Repr {
     #[allow(non_snake_case)]
     #[requires(true)]
-    #[ensures(|result| fstar!("f_repr $result == Seq.create 16 0s"))]
+    #[ensures(|result| fstar!(r#"f_repr $result == Seq.create 16 0s"#))]
     fn ZERO() -> Self;
 
     #[requires(array.len() == 16)]
-    #[ensures(|result| fstar!("f_repr $result == $array"))]
+    #[ensures(|result| fstar!(r#"f_repr $result == $array"#))]
     fn from_i16_array(array: &[i16]) -> Self;
 
     #[requires(true)]
-    #[ensures(|result| fstar!("f_repr $x == $result"))]
+    #[ensures(|result| fstar!(r#"f_repr $x == $result"#))]
     fn to_i16_array(x: Self) -> [i16; 16];
 
     // Basic arithmetic
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index (f_repr ${result}) i) == 
-         v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"))]
+         v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"#))]
     fn add(lhs: Self, rhs: &Self) -> Self;
 
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index (f_repr ${result}) i) == 
-         v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"))]
+         v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"#))]
     fn sub(lhs: Self, rhs: &Self) -> Self;
 
-    #[requires(fstar!("forall i. i < 16 ==> 
-        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${vec}) i) * v c)"))]
-    #[ensures(|result| fstar!("forall i. i < 16 ==> 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${vec}) i) * v c)"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
         (v (Seq.index (f_repr ${result}) i) == 
-         v (Seq.index (f_repr ${vec}) i) * v c)"))]
+         v (Seq.index (f_repr ${vec}) i) * v c)"#))]
     fn multiply_by_constant(vec: Self, c: i16) -> Self;
 
     // Bitwise operations
     #[requires(true)]
-    #[ensures(|result| fstar!("f_repr $result == Spec.Utils.map_array (fun x -> x &. c) (f_repr $v)"))]
+    #[ensures(|result| fstar!(r#"f_repr $result == Spec.Utils.map_array (fun x -> x &. c) (f_repr $v)"#))]
     fn bitwise_and_with_constant(v: Self, c: i16) -> Self;
 
     #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
-    #[ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> f_repr $result == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (f_repr $v)"))]
+    #[ensures(|result| fstar!(r#"(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> f_repr $result == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (f_repr $v)"#))]
     fn shift_right<const SHIFT_BY: i32>(v: Self) -> Self;
     // fn shift_left<const SHIFT_BY: i32>(v: Self) -> Self;
 
     // Modular operations
-    #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr $v)"))]
-    #[ensures(|result| fstar!("f_repr $result == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr $v)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr $v)"#))]
+    #[ensures(|result| fstar!(r#"f_repr $result == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr $v)"#))]
     fn cond_subtract_3329(v: Self) -> Self;
 
-    #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (f_repr $vector)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (f_repr $vector)"#))]
     fn barrett_reduce(vector: Self) -> Self;
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 c"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 c"#))]
     fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self;
 
     // Compression
-    #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\
-        v (Seq.index (f_repr $a) i) < 3329"))]
-    #[ensures(|result| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) 1"))]
+    #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\
+        v (Seq.index (f_repr $a) i) < 3329"#))]
+    #[ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) 1"#))]
     fn compress_1(a: Self) -> Self;
-    #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
             v $COEFFICIENT_BITS == 5 \\/
             v $COEFFICIENT_BITS == 10 \\/
             v $COEFFICIENT_BITS == 11) /\\
         (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\
-            v (Seq.index (f_repr $a) i) < 3329)"))]
-    #[ensures(|result| fstar!("(v $COEFFICIENT_BITS == 4 \\/
+            v (Seq.index (f_repr $a) i) < 3329)"#))]
+    #[ensures(|result| fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
             v $COEFFICIENT_BITS == 5 \\/
             v $COEFFICIENT_BITS == 10 \\/
             v $COEFFICIENT_BITS == 11) ==>
-                (forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) (v $COEFFICIENT_BITS))"))]
+                (forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) (v $COEFFICIENT_BITS))"#))]
     fn compress<const COEFFICIENT_BITS: i32>(a: Self) -> Self;
-    #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
         v $COEFFICIENT_BITS == 5 \\/
         v $COEFFICIENT_BITS == 10 \\/
         v $COEFFICIENT_BITS == 11) /\\
     (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\
-        v (Seq.index (f_repr $a) i) < pow2 (v $COEFFICIENT_BITS))"))]
+        v (Seq.index (f_repr $a) i) < pow2 (v $COEFFICIENT_BITS))"#))]
     fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(a: Self) -> Self;
 
     // NTT
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                       Spec.Utils.is_i16b_array (11207+5*3328) (f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (f_repr $out)"))]
+                       Spec.Utils.is_i16b_array (11207+5*3328) (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (f_repr $out)"#))]
     fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self;
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                       Spec.Utils.is_i16b_array (11207+4*3328) (f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                       Spec.Utils.is_i16b_array (11207+4*3328) (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (f_repr $out)"#))]
     fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self;
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\
-                       Spec.Utils.is_i16b_array (11207+3*3328) (f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+                       Spec.Utils.is_i16b_array (11207+3*3328) (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (f_repr $out)"#))]
     fn ntt_layer_3_step(a: Self, zeta: i16) -> Self;
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                       Spec.Utils.is_i16b_array (4 * 3328) (f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))]
+                       Spec.Utils.is_i16b_array (4 * 3328) (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))]
     fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self;
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                       Spec.Utils.is_i16b_array 3328 (f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+                       Spec.Utils.is_i16b_array 3328 (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))]
     fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self;
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta/\\
-                       Spec.Utils.is_i16b_array 3328 (f_repr ${a})"))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))]
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta/\\
+                       Spec.Utils.is_i16b_array 3328 (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))]
     fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self;
 
-    #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
                        Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
                        Spec.Utils.is_i16b_array 3328 (f_repr ${lhs}) /\\
-                       Spec.Utils.is_i16b_array 3328 (f_repr ${rhs}) "))]
-    #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))]
+                       Spec.Utils.is_i16b_array 3328 (f_repr ${rhs}) "#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))]
     fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16)
         -> Self;
 
     // Serialization and deserialization
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (f_repr $a)"))]
-    #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 1 (f_repr $a) ==> Spec.MLKEM.serialize_post 1 (f_repr $a) $result"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (f_repr $a)"#))]
+    #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 1 (f_repr $a) ==> Spec.MLKEM.serialize_post 1 (f_repr $a) $result"#))]
     fn serialize_1(a: Self) -> [u8; 2];
     #[requires(a.len() == 2)]
-    #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (f_repr $result)"))]
+    #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (f_repr $result)"#))]
     fn deserialize_1(a: &[u8]) -> Self;
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (f_repr $a)"))]
-    #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 4 (f_repr $a) ==> Spec.MLKEM.serialize_post 4 (f_repr $a) $result"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (f_repr $a)"#))]
+    #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 4 (f_repr $a) ==> Spec.MLKEM.serialize_post 4 (f_repr $a) $result"#))]
     fn serialize_4(a: Self) -> [u8; 8];
     #[requires(a.len() == 8)]
-    #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (f_repr $result)"))]
+    #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (f_repr $result)"#))]
     fn deserialize_4(a: &[u8]) -> Self;
 
     fn serialize_5(a: Self) -> [u8; 10];
     #[requires(a.len() == 10)]
     fn deserialize_5(a: &[u8]) -> Self;
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (f_repr $a)"))]
-    #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 10 (f_repr $a) ==> Spec.MLKEM.serialize_post 10 (f_repr $a) $result"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (f_repr $a)"#))]
+    #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 10 (f_repr $a) ==> Spec.MLKEM.serialize_post 10 (f_repr $a) $result"#))]
     fn serialize_10(a: Self) -> [u8; 20];
     #[requires(a.len() == 20)]
-    #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (f_repr $result)"))]
+    #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (f_repr $result)"#))]
     fn deserialize_10(a: &[u8]) -> Self;
 
     fn serialize_11(a: Self) -> [u8; 22];
     #[requires(a.len() == 22)]
     fn deserialize_11(a: &[u8]) -> Self;
 
-    #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (f_repr $a)"))]
-    #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 12 (f_repr $a) ==> Spec.MLKEM.serialize_post 12 (f_repr $a) $result"))]
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (f_repr $a)"#))]
+    #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 12 (f_repr $a) ==> Spec.MLKEM.serialize_post 12 (f_repr $a) $result"#))]
     fn serialize_12(a: Self) -> [u8; 24];
     #[requires(a.len() == 24)]
-    #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (f_repr $result)"))]
+    #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (f_repr $result)"#))]
     fn deserialize_12(a: &[u8]) -> Self;
 
     #[requires(a.len() == 24 && out.len() == 16)]
     #[ensures(|result|
-        fstar!("Seq.length $out_future == Seq.length $out /\\ v $result <= 16")
+        fstar!(r#"Seq.length $out_future == Seq.length $out /\\ v $result <= 16"#)
     )]
     fn rej_sample(a: &[u8], out: &mut [i16]) -> usize;
 }
@@ -220,7 +220,7 @@ pub trait Operations: Copy + Clone {
 }
 
 // hax does not support trait with default implementations, so we use the following pattern
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $fer"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $fer"#))]
 #[inline(always)]
 pub fn montgomery_multiply_fe<T: Operations>(v: T, fer: i16) -> T {
     T::montgomery_multiply_by_constant(v, fer)
@@ -232,11 +232,11 @@ pub fn to_standard_domain<T: Operations>(v: T) -> T {
 }
 
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 3328 (i1._super_8706949974463268012.f_repr a)"))]
-#[hax_lib::ensures(|result| fstar!("forall i.
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 3328 (i1._super_8706949974463268012.f_repr a)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i.
                                        (let x = Seq.index (i1._super_8706949974463268012.f_repr ${a}) i in
                                         let y = Seq.index (i1._super_8706949974463268012.f_repr ${result}) i in
-                                        (v y >= 0 /\\ v y <= 3328 /\\ (v y % 3329 == v x % 3329)))"))]
+                                        (v y >= 0 /\\ v y <= 3328 /\\ (v y % 3329 == v x % 3329)))"#))]
 #[inline(always)]
 pub fn to_unsigned_representative<T: Operations>(a: T) -> T {
     let t = T::shift_right::<15>(a);
@@ -244,9 +244,9 @@ pub fn to_unsigned_representative<T: Operations>(a: T) -> T {
     T::add(a, &fm)
 }
 
-#[hax_lib::fstar::options("--z3rlimit 200 --split_queries always")]
-#[hax_lib::requires(fstar!("forall i. let x = Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i in 
-                                      (x == 0s \\/ x == 1s)"))]
+#[hax_lib::fstar::options("--z3rlimit 200 --split_queries always"#)]
+#[hax_lib::requires(fstar!(r#"forall i. let x = Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i in 
+                                      (x == 0s \\/ x == 1s)"#))]
 #[inline(always)]
 pub fn decompress_1<T: Operations>(vec: T) -> T {
     let z = T::ZERO();
@@ -257,14 +257,18 @@ pub fn decompress_1<T: Operations>(vec: T) -> T {
         "assert(forall i. let x = Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i in 
                                       ((0 - v x) == 0 \\/ (0 - v x) == -1))"
     );
-    hax_lib::fstar!("assert(forall i. i < 16 ==>
+    hax_lib::fstar!(
+        r#"assert(forall i. i < 16 ==>
                                       Spec.Utils.is_intb (pow2 15 - 1) 
-                                        (0 - v (Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i)))");
+                                        (0 - v (Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i)))"#
+    );
 
     let s = T::sub(z, &vec);
-    hax_lib::fstar!("assert(forall i. Seq.index (i1._super_8706949974463268012.f_repr ${s}) i == 0s \\/ 
-                                      Seq.index (i1._super_8706949974463268012.f_repr ${s}) i == -1s)");
-    hax_lib::fstar!("assert (i1.f_bitwise_and_with_constant_pre ${s} 1665s)");
+    hax_lib::fstar!(
+        r#"assert(forall i. Seq.index (i1._super_8706949974463268012.f_repr ${s}) i == 0s \\/ 
+                                      Seq.index (i1._super_8706949974463268012.f_repr ${s}) i == -1s)"#
+    );
+    hax_lib::fstar!(r#"assert (i1.f_bitwise_and_with_constant_pre ${s} 1665s)"#);
     let res = T::bitwise_and_with_constant(s, 1665);
     res
 }

From 0953378121322f4b3bfa94f1e178e59537c275ab Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 18:11:52 +0100
Subject: [PATCH 22/23] raw strings

---
 libcrux-ml-kem/src/hash_functions.rs         |  22 +--
 libcrux-ml-kem/src/ind_cca/instantiations.rs | 156 +++++++++----------
 libcrux-ml-kem/src/ind_cca/multiplexing.rs   |  74 ++++-----
 libcrux-ml-kem/src/matrix.rs                 |   8 +-
 libcrux-ml-kem/src/mlkem1024.rs              |   4 +-
 libcrux-ml-kem/src/mlkem512.rs               |   4 +-
 libcrux-ml-kem/src/mlkem768.rs               |   4 +-
 libcrux-ml-kem/src/sampling.rs               |  16 +-
 libcrux-ml-kem/src/serialize.rs              |  26 ++--
 libcrux-ml-kem/src/types.rs                  |  16 +-
 libcrux-ml-kem/src/vector/avx2.rs            |  64 ++++----
 libcrux-ml-kem/src/vector/avx2/compress.rs   |   4 +-
 libcrux-ml-kem/src/vector/avx2/ntt.rs        |  10 +-
 libcrux-ml-kem/src/vector/avx2/sampling.rs   |   8 +-
 14 files changed, 209 insertions(+), 207 deletions(-)

diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs
index f76ad4c8f..d0acbab30 100644
--- a/libcrux-ml-kem/src/hash_functions.rs
+++ b/libcrux-ml-kem/src/hash_functions.rs
@@ -48,10 +48,10 @@ pub(crate) trait Hash<const K: usize> {
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN];
 
     /// PRFxN aka N SHAKE256
-    #[requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
+    #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
     #[ensures(|result|
         // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
-        fstar!(r#"(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
+        fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==>
             $result == Spec.Utils.v_PRFxN $K $LEN $input"#))
     ]
     fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K];
@@ -114,7 +114,7 @@ pub(crate) mod portable {
         digest
     }
 
-    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
     #[hax_lib::ensures(|result|
         fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
     ]
@@ -197,9 +197,9 @@ pub(crate) mod portable {
             PRF::<LEN>(input)
         }
 
-        #[requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
         #[ensures(|out|
-            fstar!(r#"(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
+            fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==>
                 $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
         ]
         #[inline(always)]
@@ -273,7 +273,7 @@ pub(crate) mod avx2 {
         digest
     }
 
-    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
     #[hax_lib::ensures(|result|
         fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
     ]
@@ -450,9 +450,9 @@ pub(crate) mod avx2 {
             PRF::<LEN>(input)
         }
 
-        #[requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
         #[ensures(|out|
-            fstar!(r#"(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
+            fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==>
                 $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
         ]
         #[inline(always)]
@@ -524,7 +524,7 @@ pub(crate) mod neon {
         digest
     }
 
-    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
     #[hax_lib::ensures(|result|
         fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
     ]
@@ -728,10 +728,10 @@ pub(crate) mod neon {
             PRF::<LEN>(input)
         }
 
-        #[requires(fstar!(r#"v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)"#))]
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
         #[ensures(|out|
             // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
-            fstar!(r#"(v $LEN < pow2 32 /\\ (v $K == 2 \\/ v $K == 3 \\/ v $K == 4)) ==>
+            fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==>
                 $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
         ]
         #[inline(always)]
diff --git a/libcrux-ml-kem/src/ind_cca/instantiations.rs b/libcrux-ml-kem/src/ind_cca/instantiations.rs
index b9c6f7ff6..441279351 100644
--- a/libcrux-ml-kem/src/ind_cca/instantiations.rs
+++ b/libcrux-ml-kem/src/ind_cca/instantiations.rs
@@ -7,12 +7,12 @@ macro_rules! instantiate {
             };
 
             /// Portable generate key pair.
-            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-                $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-                $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-                $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+                $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+                $ETA1 == Spec.MLKEM.v_ETA1 $K /\
                 $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
             pub(crate) fn generate_keypair<
                 const K: usize,
@@ -67,8 +67,8 @@ macro_rules! instantiate {
 
             /// Public key validation
             #[inline(always)]
-            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
                 $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
             pub(crate) fn validate_public_key<
                 const K: usize,
@@ -87,8 +87,8 @@ macro_rules! instantiate {
 
             /// Private key validation
             #[inline(always)]
-            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
                 $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
             pub(crate) fn validate_private_key<
                 const K: usize,
@@ -106,7 +106,7 @@ macro_rules! instantiate {
 
             /// Private key validation
             #[inline(always)]
-            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
                 $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"#))]
             pub(crate) fn validate_private_key_only<
                 const K: usize,
@@ -157,18 +157,18 @@ macro_rules! instantiate {
                 >(public_key, randomness)
             }
 
-            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-                $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-                $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-                $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-                $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-                $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-                $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-                $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-                $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+                $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+                $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+                $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+                $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+                $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+                $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+                $ETA2 == Spec.MLKEM.v_ETA2 $K /\
                 $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
             pub(crate) fn encapsulate<
                 const K: usize,
@@ -255,21 +255,21 @@ macro_rules! instantiate {
             }
 
             /// Portable decapsulate
-            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-                $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-                $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-                $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-                $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-                $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-                $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-                $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-                $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-                $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-                $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+                $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+                $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+                $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+                $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+                $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+                $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+                $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+                $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+                $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
                 $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
             pub fn decapsulate<
                 const K: usize,
@@ -326,8 +326,8 @@ macro_rules! instantiate {
 
                 /// Get the unpacked public key.
                 #[hax_lib::requires(
-                    fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
+                    fstar!(r#"Spec.MLKEM.is_rank $K /\
+                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
                     $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
                 )]
                 #[inline(always)]
@@ -353,11 +353,11 @@ macro_rules! instantiate {
                 /// Take a serialized private key and generate an unpacked key pair from it.
                 #[inline(always)]
                 #[hax_lib::requires(
-                    fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                            v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\\
-                            v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\\
-                            v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\\
-                            v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\\
+                    fstar!(r#"Spec.MLKEM.is_rank $K /\
+                            v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+                            v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+                            v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+                            v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
                             v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))]
                 pub(crate) fn keypair_from_private_key<
                     const K: usize,
@@ -382,12 +382,12 @@ macro_rules! instantiate {
                 }
 
                 /// Generate a key pair
-                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-                    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-                    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+                    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
                     $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn generate_keypair<
@@ -417,18 +417,18 @@ macro_rules! instantiate {
                 }
 
                 /// Unpacked encapsulate
-                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-                    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-                    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-                    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-                    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-                    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-                    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+                    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+                    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+                    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+                    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+                    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+                    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
                     $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn encapsulate<
@@ -469,21 +469,21 @@ macro_rules! instantiate {
                 }
 
                 /// Unpacked decapsulate
-                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-                    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-                    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-                    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-                    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-                    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-                    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-                    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-                    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-                    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+                    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+                    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+                    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+                    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+                    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+                    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+                    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
                     $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn decapsulate<
diff --git a/libcrux-ml-kem/src/ind_cca/multiplexing.rs b/libcrux-ml-kem/src/ind_cca/multiplexing.rs
index d0ae1d7a9..ad13d9c58 100644
--- a/libcrux-ml-kem/src/ind_cca/multiplexing.rs
+++ b/libcrux-ml-kem/src/ind_cca/multiplexing.rs
@@ -52,8 +52,8 @@ use instantiations::portable::{
     kyber_generate_keypair as kyber_generate_keypair_neon,
 };
 
-#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
     $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 #[inline(always)]
 pub(crate) fn validate_public_key<
@@ -69,8 +69,8 @@ pub(crate) fn validate_public_key<
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
                 $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 pub(crate) fn validate_private_key<
     const K: usize,
@@ -132,12 +132,12 @@ pub(crate) fn kyber_generate_keypair<
     }
 }
 
-#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
     $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn generate_keypair<
     const K: usize,
@@ -254,18 +254,18 @@ pub(crate) fn kyber_encapsulate<
     }
 }
 
-#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
     $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn encapsulate<
     const K: usize,
@@ -418,21 +418,21 @@ pub(crate) fn kyber_decapsulate<
     }
 }
 
-#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\\
-    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\
-    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\
-    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\
-    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\
-    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\
-    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\
-    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\
-    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\\
-    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\\
-    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\
-    $ETA1 == Spec.MLKEM.v_ETA1 $K /\\
-    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\
-    $ETA2 == Spec.MLKEM.v_ETA2 $K /\\
-    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
     $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
 pub(crate) fn decapsulate<
     const K: usize,
diff --git a/libcrux-ml-kem/src/matrix.rs b/libcrux-ml-kem/src/matrix.rs
index 3f008cd32..80f232545 100644
--- a/libcrux-ml-kem/src/matrix.rs
+++ b/libcrux-ml-kem/src/matrix.rs
@@ -53,7 +53,7 @@ pub(crate) fn sample_matrix_A<const K: usize, Vector: Operations, Hasher: Hash<K
         let u_spec = to_spec_vector_t $u_as_ntt in
         let v_spec = to_spec_poly_t $v in
         to_spec_poly_t $res ==
-            Spec.MLKEM.(poly_sub v_spec (poly_inv_ntt (vector_dot_product_ntt #$K secret_spec u_spec))) /\\
+            Spec.MLKEM.(poly_sub v_spec (poly_inv_ntt (vector_dot_product_ntt #$K secret_spec u_spec))) /\
         Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res"#)
 )]
 pub(crate) fn compute_message<const K: usize, Vector: Operations>(
@@ -85,7 +85,7 @@ pub(crate) fn compute_message<const K: usize, Vector: Operations>(
         let e2_spec = to_spec_poly_t $error_2 in
         let m_spec = to_spec_poly_t $message in
         let res_spec = to_spec_poly_t $res in
-        res_spec == Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #$K tt_spec r_spec) e2_spec) m_spec) /\\
+        res_spec == Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #$K tt_spec r_spec) e2_spec) m_spec) /\
         Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res"#)
 )]
 pub(crate) fn compute_ring_element_v<const K: usize, Vector: Operations>(
@@ -117,7 +117,7 @@ pub(crate) fn compute_ring_element_v<const K: usize, Vector: Operations>(
         let r_spec = to_spec_vector_t $r_as_ntt in
         let e_spec = to_spec_vector_t $error_1 in
         let res_spec = to_spec_vector_t $res in
-        res_spec == Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\\
+        res_spec == Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\
         (forall (i:nat). i < v $K ==>
             Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $res i))"#)
 )]
@@ -156,7 +156,7 @@ pub(crate) fn compute_vector_u<const K: usize, Vector: Operations>(
              Spec.MLKEM.compute_As_plus_e_ntt
                (to_spec_matrix_t $matrix_A) 
                (to_spec_vector_t $s_as_ntt) 
-               (to_spec_vector_t $error_as_ntt) /\\
+               (to_spec_vector_t $error_as_ntt) /\
         (forall (i: nat). i < v $K ==>
             Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${t_as_ntt}_future i))"#)
 )]
diff --git a/libcrux-ml-kem/src/mlkem1024.rs b/libcrux-ml-kem/src/mlkem1024.rs
index 7e90491ea..7976f095e 100644
--- a/libcrux-ml-kem/src/mlkem1024.rs
+++ b/libcrux-ml-kem/src/mlkem1024.rs
@@ -468,7 +468,7 @@ pub fn validate_private_key(
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
     fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem1024_generate_keypair $randomness in
-        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)"#)
+        valid ==> (${res}.f_sk.f_value == secret_key /\ ${res}.f_pk.f_value == public_key)"#)
 )]
 pub fn generate_key_pair(
     randomness: [u8; KEY_GENERATION_SEED_SIZE],
@@ -494,7 +494,7 @@ pub fn generate_key_pair(
 #[hax_lib::ensures(|res|
     fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem1024_encapsulate ${public_key}.f_value $randomness in
         let (res_ciphertext, res_shared_secret) = $res in
-        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)"#)
+        valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)"#)
 )]
 pub fn encapsulate(
     public_key: &MlKem1024PublicKey,
diff --git a/libcrux-ml-kem/src/mlkem512.rs b/libcrux-ml-kem/src/mlkem512.rs
index 6b5498d51..52cfa2543 100644
--- a/libcrux-ml-kem/src/mlkem512.rs
+++ b/libcrux-ml-kem/src/mlkem512.rs
@@ -456,7 +456,7 @@ pub fn validate_private_key(
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
     fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem512_generate_keypair $randomness in
-        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)"#)
+        valid ==> (${res}.f_sk.f_value == secret_key /\ ${res}.f_pk.f_value == public_key)"#)
 )]
 pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512KeyPair {
     multiplexing::generate_keypair::<
@@ -480,7 +480,7 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512
 #[hax_lib::ensures(|res|
     fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem512_encapsulate ${public_key}.f_value $randomness in
         let (res_ciphertext, res_shared_secret) = $res in
-        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)"#)
+        valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)"#)
 )]
 pub fn encapsulate(
     public_key: &MlKem512PublicKey,
diff --git a/libcrux-ml-kem/src/mlkem768.rs b/libcrux-ml-kem/src/mlkem768.rs
index 9deb50115..a96c83304 100644
--- a/libcrux-ml-kem/src/mlkem768.rs
+++ b/libcrux-ml-kem/src/mlkem768.rs
@@ -451,7 +451,7 @@ pub fn validate_private_key(
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::ensures(|res|
     fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem768_generate_keypair $randomness in
-        valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)"#)
+        valid ==> (${res}.f_sk.f_value == secret_key /\ ${res}.f_pk.f_value == public_key)"#)
 )]
 pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768KeyPair {
     multiplexing::generate_keypair::<
@@ -475,7 +475,7 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768
 #[hax_lib::ensures(|res|
     fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem768_encapsulate ${public_key}.f_value $randomness in
         let (res_ciphertext, res_shared_secret) = $res in
-        valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)"#)
+        valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)"#)
 )]
 pub fn encapsulate(
     public_key: &MlKem768PublicKey,
diff --git a/libcrux-ml-kem/src/sampling.rs b/libcrux-ml-kem/src/sampling.rs
index d10a4a7f2..080d8e41b 100644
--- a/libcrux-ml-kem/src/sampling.rs
+++ b/libcrux-ml-kem/src/sampling.rs
@@ -188,8 +188,8 @@ fn sample_from_binomial_distribution_2<Vector: Operations>(
                     let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as i16;
                     hax_lib::fstar!(r#"logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 3ul;
                         logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 2ul <: u32) <: u32) 3ul;
-                        assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 3);
-                        assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 3);
+                        assert (v $outcome_1 >= 0 /\ v $outcome_1 <= 3);
+                        assert (v $outcome_2 >= 0 /\ v $outcome_2 <= 3);
                         assert (v $chunk_number <= 31);
                         assert (v (sz 8 *! $chunk_number <: usize) <= 248);
                         assert (v (cast ($outcome_set >>! 2l <: u32) <: usize) <= 7)"#);
@@ -240,8 +240,8 @@ fn sample_from_binomial_distribution_3<Vector: Operations>(
                     let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as i16;
                     hax_lib::fstar!(r#"logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 7ul;
                         logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 3l <: i32) <: u32) 7ul;
-                        assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 7);
-                        assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 7);
+                        assert (v $outcome_1 >= 0 /\ v $outcome_1 <= 7);
+                        assert (v $outcome_2 >= 0 /\ v $outcome_2 <= 7);
                         assert (v $chunk_number <= 63);
                         assert (v (sz 4 *! $chunk_number <: usize) <= 252);
                         assert (v (cast ($outcome_set /! 6l <: i32) <: usize) <= 3)"#);
@@ -259,16 +259,16 @@ fn sample_from_binomial_distribution_3<Vector: Operations>(
 #[hax_lib::fstar::verification_status(panic_free)]
 #[hax_lib::requires((ETA == 2 || ETA == 3) && randomness.len() == ETA * 64)]
 #[hax_lib::ensures(|result| fstar!(r#"(forall (i:nat). i < 8 ==> Libcrux_ml_kem.Ntt.ntt_layer_7_pre
-    (${result}.f_coefficients.[ sz i ]) (${result}.f_coefficients.[ sz i +! sz 8 ])) /\\
+    (${result}.f_coefficients.[ sz i ]) (${result}.f_coefficients.[ sz i +! sz 8 ])) /\
     Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result ==
         Spec.MLKEM.sample_poly_cbd $ETA $randomness"#))]
 pub(super) fn sample_from_binomial_distribution<const ETA: usize, Vector: Operations>(
     randomness: &[u8],
 ) -> PolynomialRingElement<Vector> {
     hax_lib::fstar!(
-        "assert (
-        (v (cast $ETA <: u32) == 2) \\/
-        (v (cast $ETA <: u32) == 3))"
+        r#"assert (
+        (v (cast $ETA <: u32) == 2) \/
+        (v (cast $ETA <: u32) == 3))"#
     );
     match ETA as u32 {
         2 => sample_from_binomial_distribution_2(randomness),
diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs
index 8fc1de500..0ae669038 100644
--- a/libcrux-ml-kem/src/serialize.rs
+++ b/libcrux-ml-kem/src/serialize.rs
@@ -259,7 +259,7 @@ fn compress_then_serialize_11<const OUT_LEN: usize, Vector: Operations>(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(panic_free)]
-#[hax_lib::requires(fstar!(r#"(v $COMPRESSION_FACTOR == 10 \\/ v $COMPRESSION_FACTOR == 11) /\
+#[hax_lib::requires(fstar!(r#"(v $COMPRESSION_FACTOR == 10 \/ v $COMPRESSION_FACTOR == 11) /\
     v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\ coefficients_field_modulus_range $re"#))]
 #[hax_lib::ensures(|result|
     fstar!(r#"$result == Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
@@ -273,10 +273,10 @@ pub(super) fn compress_then_serialize_ring_element_u<
     re: &PolynomialRingElement<Vector>,
 ) -> [u8; OUT_LEN] {
     hax_lib::fstar!(
-        "assert (
-        (v (cast $COMPRESSION_FACTOR <: u32) == 10) \\/
+        r#"assert (
+        (v (cast $COMPRESSION_FACTOR <: u32) == 10) \/
         (v (cast $COMPRESSION_FACTOR <: u32) == 11));
-        Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"
+        Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"#
     );
     match COMPRESSION_FACTOR as u32 {
         10 => compress_then_serialize_10(re),
@@ -365,10 +365,10 @@ pub(super) fn compress_then_serialize_ring_element_v<
     out: &mut [u8],
 ) {
     hax_lib::fstar!(
-        "assert (
-        (v (cast $COMPRESSION_FACTOR <: u32) == 4) \\/
+        r#"assert (
+        (v (cast $COMPRESSION_FACTOR <: u32) == 4) \/
         (v (cast $COMPRESSION_FACTOR <: u32) == 5));
-        Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"
+        Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"#
     );
     match COMPRESSION_FACTOR as u32 {
         4 => compress_then_serialize_4(re, out),
@@ -435,9 +435,9 @@ pub(super) fn deserialize_then_decompress_ring_element_u<
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
     hax_lib::fstar!(
-        "assert (
-        (v (cast $COMPRESSION_FACTOR <: u32) == 10) \\/
-        (v (cast $COMPRESSION_FACTOR <: u32) == 11))"
+        r#"assert (
+        (v (cast $COMPRESSION_FACTOR <: u32) == 10) \/
+        (v (cast $COMPRESSION_FACTOR <: u32) == 11))"#
     );
     match COMPRESSION_FACTOR as u32 {
         10 => deserialize_then_decompress_10(serialized),
@@ -503,9 +503,9 @@ pub(super) fn deserialize_then_decompress_ring_element_v<
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
     hax_lib::fstar!(
-        "assert (
-        (v (cast $COMPRESSION_FACTOR <: u32) == 4) \\/
-        (v (cast $COMPRESSION_FACTOR <: u32) == 5))"
+        r#"assert (
+        (v (cast $COMPRESSION_FACTOR <: u32) == 4) \/
+        (v (cast $COMPRESSION_FACTOR <: u32) == 5))"#
     );
     match COMPRESSION_FACTOR as u32 {
         4 => deserialize_then_decompress_4(serialized),
diff --git a/libcrux-ml-kem/src/types.rs b/libcrux-ml-kem/src/types.rs
index 851700cfb..f20498185 100644
--- a/libcrux-ml-kem/src/types.rs
+++ b/libcrux-ml-kem/src/types.rs
@@ -165,7 +165,7 @@ impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
     }
 
     /// Create a new [`MlKemKeyPair`] from the secret and public key.
-    #[ensures(|result| fstar!(r#"${result}.f_sk == $sk /\\ ${result}.f_pk == $pk"#))]
+    #[ensures(|result| fstar!(r#"${result}.f_sk == $sk /\ ${result}.f_pk == $pk"#))]
     pub fn from(
         sk: MlKemPrivateKey<PRIVATE_KEY_SIZE>,
         pk: MlKemPublicKey<PUBLIC_KEY_SIZE>,
@@ -216,13 +216,13 @@ impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
            let (ind_cpa_public_key_hash_s,implicit_rejection_value_s) = split rest Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE in
            let (ind_cpa_secret_key,ind_cpa_public_key,ind_cpa_public_key_hash,implicit_rejection_value)
                = result in
-           ind_cpa_secret_key_s == ind_cpa_secret_key /\\
-           ind_cpa_public_key_s == ind_cpa_public_key /\\
-           ind_cpa_public_key_hash_s == ind_cpa_public_key_hash /\\
-           implicit_rejection_value_s == implicit_rejection_value /\\
-           Seq.length ind_cpa_secret_key == v v_CPA_SECRET_KEY_SIZE /\\
-           Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE /\\
-           Seq.length ind_cpa_public_key_hash == v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE /\\
+           ind_cpa_secret_key_s == ind_cpa_secret_key /\
+           ind_cpa_public_key_s == ind_cpa_public_key /\
+           ind_cpa_public_key_hash_s == ind_cpa_public_key_hash /\
+           implicit_rejection_value_s == implicit_rejection_value /\
+           Seq.length ind_cpa_secret_key == v v_CPA_SECRET_KEY_SIZE /\
+           Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE /\
+           Seq.length ind_cpa_public_key_hash == v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE /\
            Seq.length implicit_rejection_value == 
            Seq.length private_key - 
              (v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE + v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)
diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs
index 80373cd1a..87d0f873b 100644
--- a/libcrux-ml-kem/src/vector/avx2.rs
+++ b/libcrux-ml-kem/src/vector/avx2.rs
@@ -54,7 +54,7 @@ fn cond_subtract_3329(vector: SIMD256Vector) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\\
+#[hax_lib::requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\
     v (Seq.index (repr $vector) i) < 3329"#))]
 #[hax_lib::ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) 1"#))]
 fn compress_1(vector: SIMD256Vector) -> SIMD256Vector {
@@ -68,8 +68,8 @@ fn compress_1(vector: SIMD256Vector) -> SIMD256Vector {
 #[hax_lib::requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
     v $COEFFICIENT_BITS == 5 \\/
     v $COEFFICIENT_BITS == 10 \\/
-    v $COEFFICIENT_BITS == 11) /\\
-    (forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\\
+    v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\
     v (Seq.index (repr $vector) i) < 3329)"#))]
 #[hax_lib::ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
     v $COEFFICIENT_BITS == 5 \\/
@@ -84,8 +84,8 @@ fn compress<const COEFFICIENT_BITS: i32>(vector: SIMD256Vector) -> SIMD256Vector
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
-                    Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                    Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
                     Spec.Utils.is_i16b_array (11207+5*3328) (repr ${vector})"#))]
 #[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (repr $out)"#))]
 fn ntt_layer_1_step(
@@ -102,7 +102,7 @@ fn ntt_layer_1_step(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
                     Spec.Utils.is_i16b_array (11207+4*3328) (repr ${vector})"#))]
 #[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (repr $out)"#))]
 fn ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector {
@@ -113,7 +113,7 @@ fn ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vec
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
                     Spec.Utils.is_i16b_array (11207+3*3328) (repr ${vector})"#))]
 #[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (repr $out)"#))]
 fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
@@ -124,8 +124,8 @@ fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
-                    Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3  /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                    Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3  /\
                     Spec.Utils.is_i16b_array (4*3328) (repr ${vector})"#))]
 #[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
 fn inv_ntt_layer_1_step(
@@ -142,7 +142,7 @@ fn inv_ntt_layer_1_step(
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
                     Spec.Utils.is_i16b_array 3328 (repr ${vector})"#))]
 #[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
 fn inv_ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector {
@@ -153,7 +153,7 @@ fn inv_ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD25
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
                     Spec.Utils.is_i16b_array 3328 (repr ${vector})"#))]
 #[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
 fn inv_ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
@@ -164,9 +164,9 @@ fn inv_ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                    Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                    Spec.Utils.is_i16b_array 3328 (repr ${lhs}) /\\
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                    Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                    Spec.Utils.is_i16b_array 3328 (repr ${lhs}) /\
                     Spec.Utils.is_i16b_array 3328 (repr ${rhs})"#))]
 #[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
 fn ntt_multiply(
@@ -327,7 +327,7 @@ impl Operations for SIMD256Vector {
     }
 
     #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
-    #[ensures(|out| fstar!(r#"(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"(v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $vector)"#))]
     #[inline(always)]
     fn shift_right<const SHIFT_BY: i32>(vector: Self) -> Self {
         Self {
@@ -358,7 +358,7 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\
+    #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\
         v (Seq.index (impl.f_repr $vector) i) < 3329"#))]
     #[ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"#))]
     #[inline(always)]
@@ -369,8 +369,8 @@ impl Operations for SIMD256Vector {
     #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
             v $COEFFICIENT_BITS == 5 \\/
             v $COEFFICIENT_BITS == 10 \\/
-            v $COEFFICIENT_BITS == 11) /\\
-        (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\
+            v $COEFFICIENT_BITS == 11) /\
+        (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\
             v (Seq.index (impl.f_repr $vector) i) < 3329)"#))]
     #[ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
             v $COEFFICIENT_BITS == 5 \\/
@@ -385,8 +385,8 @@ impl Operations for SIMD256Vector {
     #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \\/
         v $COEFFICIENT_BITS == 5 \\/
         v $COEFFICIENT_BITS == 10 \\/
-        v $COEFFICIENT_BITS == 11) /\\
-    (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\
+        v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\
         v (Seq.index (impl.f_repr $vector) i) < pow2 (v $COEFFICIENT_BITS))"#))]
     #[inline(always)]
     fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(vector: Self) -> Self {
@@ -397,8 +397,8 @@ impl Operations for SIMD256Vector {
         }
     }
 
-    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
-                       Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
                        Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${vector})"#))]
     #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
@@ -406,7 +406,7 @@ impl Operations for SIMD256Vector {
         ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3)
     }
 
-    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
                        Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${vector})"#))]
     #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
@@ -414,7 +414,7 @@ impl Operations for SIMD256Vector {
         ntt_layer_2_step(vector, zeta0, zeta1)
     }
 
-    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
                        Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${vector})"#))]
     #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
@@ -422,8 +422,8 @@ impl Operations for SIMD256Vector {
         ntt_layer_3_step(vector, zeta)
     }
 
-    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ 
-                       Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3  /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3  /\
                        Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${vector})"#))]
     #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
@@ -431,7 +431,7 @@ impl Operations for SIMD256Vector {
         inv_ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3)
     }
 
-    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
                        Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"#))]
     #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
@@ -439,7 +439,7 @@ impl Operations for SIMD256Vector {
         inv_ntt_layer_2_step(vector, zeta0, zeta1)
     }
 
-    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
                        Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"#))]
     #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
@@ -447,9 +447,9 @@ impl Operations for SIMD256Vector {
         inv_ntt_layer_3_step(vector, zeta)
     }
 
-    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
-                       Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
-                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\\
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\
                        Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"#))]
     #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
@@ -549,7 +549,7 @@ impl Operations for SIMD256Vector {
 
     #[requires(input.len() == 24 && output.len() == 16)]
     #[ensures(|result|
-        fstar!(r#"Seq.length $output_future == Seq.length $output /\\ v $result <= 16"#)
+        fstar!(r#"Seq.length $output_future == Seq.length $output /\ v $result <= 16"#)
     )]
     #[inline(always)]
     fn rej_sample(input: &[u8], output: &mut [i16]) -> usize {
diff --git a/libcrux-ml-kem/src/vector/avx2/compress.rs b/libcrux-ml-kem/src/vector/avx2/compress.rs
index bd428426b..1761915b7 100644
--- a/libcrux-ml-kem/src/vector/avx2/compress.rs
+++ b/libcrux-ml-kem/src/vector/avx2/compress.rs
@@ -38,7 +38,7 @@ pub(crate) fn compress_message_coefficient(vector: Vec256) -> Vec256 {
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype /\\
+#[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\ v $COEFFICIENT_BITS < bits i32_inttype /\
     range (v (1l <<! $COEFFICIENT_BITS) - 1) i32_inttype"#))]
 pub(crate) fn compress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
     vector: Vec256,
@@ -105,7 +105,7 @@ pub(crate) fn compress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype"#))]
+#[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\ v $COEFFICIENT_BITS < bits i32_inttype"#))]
 pub(crate) fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
     vector: Vec256,
 ) -> Vec256 {
diff --git a/libcrux-ml-kem/src/vector/avx2/ntt.rs b/libcrux-ml-kem/src/vector/avx2/ntt.rs
index 14701b96c..518548b6b 100644
--- a/libcrux-ml-kem/src/vector/avx2/ntt.rs
+++ b/libcrux-ml-kem/src/vector/avx2/ntt.rs
@@ -1,7 +1,7 @@
 use super::*;
 
 #[inline(always)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"#))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn ntt_layer_1_step(
     vector: Vec256,
     zeta0: i16,
@@ -23,7 +23,7 @@ pub(crate) fn ntt_layer_1_step(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"#))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1"#))]
 pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 {
     let zetas = mm256_set_epi16(
         -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0,
@@ -57,7 +57,7 @@ pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"#))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn inv_ntt_layer_1_step(
     vector: Vec256,
     zeta0: i16,
@@ -87,7 +87,7 @@ pub(crate) fn inv_ntt_layer_1_step(
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"#))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1"#))]
 pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 {
     let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(vector);
 
@@ -128,7 +128,7 @@ pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 
 #[inline(always)]
 #[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"#))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn ntt_multiply(
     lhs: Vec256,
     rhs: Vec256,
diff --git a/libcrux-ml-kem/src/vector/avx2/sampling.rs b/libcrux-ml-kem/src/vector/avx2/sampling.rs
index 1f3565b40..f8320e1d0 100644
--- a/libcrux-ml-kem/src/vector/avx2/sampling.rs
+++ b/libcrux-ml-kem/src/vector/avx2/sampling.rs
@@ -8,7 +8,7 @@ use super::{
 #[hax_lib::fstar::verification_status(lax)]
 #[hax_lib::requires(input.len() == 24 && output.len() == 16)]
 #[hax_lib::ensures(|res|
-        fstar!("Seq.length $output_future == Seq.length $output /\\ v $res <= 16")
+        fstar!(r#"Seq.length $output_future == Seq.length $output /\ v $res <= 16"#)
     )]
 pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize {
     let field_modulus = mm256_set1_epi16(FIELD_MODULUS);
@@ -31,14 +31,16 @@ pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize {
     // each lane in the register to tell us what coefficients to keep and what
     // to throw-away. Combine all the bits (there are 16) into two bytes.
     let good = serialize_1(compare_with_field_modulus);
-    hax_lib::fstar!("assert (v (cast (${good}.[ sz 0 ] <: u8) <: usize) < 256);
+    hax_lib::fstar!(
+        r#"assert (v (cast (${good}.[ sz 0 ] <: u8) <: usize) < 256);
         assert (v (cast (${good}.[ sz 1 ] <: u8) <: usize) < 256);
         // We need to provide a definition or post-condition for Core.Num.impl__u8__count_ones
         assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) <= 8);
         assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 1 ]) <: usize) <= 8);
         assume (Core.Ops.Index.f_index_pre output ({
                     Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize;
-                    Core.Ops.Range.f_end = (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) +! sz 8 }))");
+                    Core.Ops.Range.f_end = (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) +! sz 8 }))"#
+    );
 
     // Each bit (and its corresponding position) represents an element we
     // want to sample. We'd like all such elements to be next to each other starting

From 939e5ea340ab0ec982f051ad2c14e36ad61dac29 Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 11 Dec 2024 18:19:35 +0100
Subject: [PATCH 23/23] issue ref

---
 libcrux-ml-kem/src/polynomial.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index accd43531..75cfd1e49 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -264,6 +264,8 @@ fn ntt_multiply<Vector: Operations>(
     out
 }
 
+// FIXME: We pulled out all the items because of https://github.com/hacspec/hax/issues/1183
+// Revisit when that issue is fixed.
 #[hax_lib::attributes]
 impl<Vector: Operations> PolynomialRingElement<Vector> {
     #[allow(non_snake_case)]