ECDSA secp256{k,r}1 builtin and reference semantics #296
Open
Eduardogbg wants to merge 2 commits into
Force-pushed 41979c5 to 0578532, then db5b7a5 to f9a4876.
Eduardogbg commented May 21, 2026
Force-pushed f9a4876 to 4615896, 4615896 to f40eef0, f40eef0 to c4b4d9d, c4b4d9d to 625a2eb, 625a2eb to 1a3dd4e, 1a3dd4e to 6d7d1c0, 6d7d1c0 to 7845022, and 7845022 to 565250b.
kustosz approved these changes May 29, 2026
Formalizes Noir's `#[foreign(ecdsa_secp256k1)]` and
`#[foreign(ecdsa_secp256r1)]` builtins, with concrete Lean
reference implementations to certify agreement with Barretenberg.
- `Lampe/Builtin/Crypto/Ecdsa.lean`: precondition-style
descriptors for both builtins. The output forwards to
`Lampe.Crypto.Ecdsa.secp256{k,r}1Verify`.
- `Lampe/Crypto/Secp256{k1,r1}.lean`: per-curve FIPS 186-4 §6.4.2
verification on Mathlib's `WeierstrassCurve.Affine.Point`. The
curve, generator, and order are spelled out concretely; ECDSA
test vectors close by `native_decide` against RFC 6979
deterministic signatures.
- `Lampe/Crypto/Secp256{k1,r1}/Prime.lean`: Pratt primality
certificates for the secp field primes, mechanically generated
by `scripts/gen_pratt.py`.
- `Lampe/Crypto/Ecdsa.lean`: thin Lean wrappers exposing the
Noir-typed (`[u8;32]`, `[u8;64]`) view of the builtins.
`Point.some` uses are written with explicit `(x := …) (y := …)`
named arguments (and `@Point.some _ _ _ x y _` for patterns)
under Mathlib v4.29's stricter implicit-argument transparency
rules (leanprover/lean4#12179).
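The description above pins the builtin semantics to FIPS 186-4 §6.4.2 on affine Weierstrass points and certifies them against RFC 6979 deterministic vectors. As an added, stand-alone reference (this is not the PR's Lean code, Noir's, or Barretenberg's), the Python below carries out the same §6.4.2 steps for both curves, with an RFC 6979 (SHA-256) nonce generator so that vectors can be produced and re-checked offline. The `verify_signature` wrapper is assumed to mirror the byte-typed shape of the Noir builtins (`[u8;32]` x, `[u8;32]` y, `[u8;64]` r||s, `[u8;32]` hash); that argument order, the private key and the "hash" bytes are this example's own constructions.

```python
# Added example (not from the Lampe PR, Noir or Barretenberg): plain-Python FIPS 186-4 s6.4.2
# ECDSA verification over secp256k1 / secp256r1, with an RFC 6979 deterministic signer.
import hashlib
import hmac

# SEC 2 domain parameters: prime p, coefficients a and b, base point (gx, gy), order n.
CURVES = {
    "secp256k1": dict(a=0, b=7,
        p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
        gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
        n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141),
    "secp256r1": dict(a=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
        p=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
        b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
        gx=0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
        gy=0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
        n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551),
}

def on_curve(c, P):
    # Public-key validation: coordinates in range and y^2 = x^3 + ax + b (cofactor 1, so no n*Q check).
    if P is None: return False
    x, y = P
    return 0 <= x < c["p"] and 0 <= y < c["p"] and (y * y - x ** 3 - c["a"] * x - c["b"]) % c["p"] == 0

def ec_add(c, P, Q):
    # Affine group law; None is the point at infinity.
    if P is None: return Q
    if Q is None: return P
    p, (x1, y1), (x2, y2) = c["p"], P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0: return None                          # Q == -P (also 2P when y == 0)
        lam = (3 * x1 * x1 + c["a"]) * pow(2 * y1, -1, p) % p       # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p             # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(c, k, P):
    # Right-to-left double-and-add; written for clarity, not constant time.
    R = None
    while k > 0:
        if k & 1: R = ec_add(c, R, P)
        P = ec_add(c, P, P)
        k >>= 1
    return R

def bits2int(h, n):
    # Leftmost min(bitlen(n), 8*len(h)) bits of h as an integer (FIPS 186-4 / RFC 6979).
    excess = 8 * len(h) - n.bit_length()
    return int.from_bytes(h, "big") >> max(excess, 0)

def rfc6979_k(c, priv, h):
    # Deterministic nonce via HMAC-DRBG over (priv, h), RFC 6979 section 3.2 with SHA-256.
    n, rlen = c["n"], (c["n"].bit_length() + 7) // 8
    seed = priv.to_bytes(rlen, "big") + (bits2int(h, n) % n).to_bytes(rlen, "big")
    def H(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()
    V, K = b"\x01" * 32, b"\x00" * 32
    K = H(K, V + b"\x00" + seed)
    V = H(K, V)
    K = H(K, V + b"\x01" + seed)
    V = H(K, V)
    while True:
        T = b""
        while len(T) < rlen:
            V = H(K, V)
            T += V
        k = bits2int(T, n)
        if 1 <= k < n: return k
        K = H(K, V + b"\x00")
        V = H(K, V)

def sign(curve, priv, h):
    # FIPS 186-4 section 6.4.1 signing with an RFC 6979 nonce; returns (r, s).
    c = CURVES[curve]
    n, G = c["n"], (c["gx"], c["gy"])
    k = rfc6979_k(c, priv, h)
    r = ec_mul(c, k, G)[0] % n
    s = pow(k, -1, n) * (bits2int(h, n) + r * priv) % n
    if r == 0 or s == 0: raise ValueError("degenerate signature; RFC 6979 would draw the next k")
    return r, s

def verify(curve, pub, h, sig):
    # FIPS 186-4 section 6.4.2 verification; every failure is a False, never an exception.
    c = CURVES[curve]
    n, G = c["n"], (c["gx"], c["gy"])
    r, s = sig
    if not (1 <= r < n and 1 <= s < n): return False               # step 1: r, s in [1, n-1]
    if not on_curve(c, pub): return False                           # the public key must be a genuine point
    e, w = bits2int(h, n), pow(s, -1, n)                            # steps 2-4: truncated hash, w = s^-1 mod n
    R = ec_add(c, ec_mul(c, e * w % n, G), ec_mul(c, r * w % n, pub))  # steps 5-6: R = u1*G + u2*Q
    if R is None: return False                                      # step 7: reject the point at infinity
    return R[0] % n == r                                            # step 8: x_R mod n must equal r

def verify_signature(curve, pub_x, pub_y, sig, hashed_msg):
    # Assumed byte-typed view of the Noir builtins: [u8;32] x, [u8;32] y, [u8;64] r||s, [u8;32] hash.
    if (len(pub_x), len(pub_y), len(sig), len(hashed_msg)) != (32, 32, 64, 32): raise ValueError("fixed-width inputs")
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    return verify(curve, (int.from_bytes(pub_x, "big"), int.from_bytes(pub_y, "big")), hashed_msg, (r, s))
```

One property worth keeping in mind when reading the Lean descriptors: §6.4.2 as written accepts both `(r, s)` and `(r, n - s)` for the same message and key, since negating `s` negates `u1` and `u2` and therefore `R`, leaving `x_R` unchanged. Any consumer that needs signature non-malleability has to impose a low-`s` rule on top of what the builtin certifies.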
(`ecdsa_secp256k1::verify_signature`, `ecdsa_secp256r1::verify_signature`) on top of Mathlib's `WeierstrassCurve.Affine.Point` (computable in v4.22 via PR #27299). Each curve has 3 RFC 6979 deterministic test vectors validated by `native_decide`. `scripts/gen_pratt.py`. `W.Equation`, `W.Nonsingular`, `DecidableEq W.Point` at `Crypto/MathlibBridge.lean`. (maybe upstream to Mathlib?) `+`/`nsmul` directly