* [bitcoindev] Formal verification of secp256k1 modular scalar multiplication
@ 2026-04-07 11:56 'remix7531' via Bitcoin Development Mailing List
2026-04-15 18:39 ` [bitcoindev] " jeremy
0 siblings, 1 reply; 2+ messages in thread
From: 'remix7531' via Bitcoin Development Mailing List @ 2026-04-07 11:56 UTC (permalink / raw)
To: bitcoindev
Hi all,
I have been lurking on this list for years. It is time for my first post.
This is my first result under my OpenSats grant [0]. Full writeup
with technical details and Rocq (formerly Coq) code examples is on
my blog [1].
Code and proofs are available on GitHub [2].
I produced a machine-checked proof that secp256k1_scalar_mul computes
r = a * b mod N correctly for all representable inputs, where N is the
secp256k1 group order. The proof covers arithmetic correctness, absence
of integer overflow in all intermediate computations, and memory safety.
Scalar multiplication sits on the critical path of every signature
operation.
Together with all supporting helpers, the verified code totals roughly
300 lines of C. The proof code totals ~6,400 lines in Rocq, giving a
proof-to-code ratio of roughly 21:1.
I verified the non-assembly, 64-bit only fallback path using the
Verified Software Toolchain (VST) [3]. The verified code differs
from upstream in two ways: assert statements are removed
(not present in production builds) and macros are converted to
inline functions. The algorithmic logic is unchanged. When compiled
with CompCert, the correctness guarantee extends from the
mathematical specification to assembly.
One mistake I made was a missing "mod 2^256" in a helper
specification, which made it unprovable. The code was correct,
the error was in my specification. The proof assistant caught it
because the proof cannot go through when the specification does
not match the code's behavior.
Next targets are porting to RefinedC for a framework comparison,
verifying Pippenger's algorithm for batch signature verification
(axiomatizing group operations), and evaluating Cryptol/SAW.
Feedback welcome.
remix7531
[0]
https://opensats.org/blog/sixteenth-wave-of-bitcoin-grants#advancing-formal-verification-for-bitcoin-cryptography
[1] https://remix7531.com/post/formal_verification_secp256k1_scalar_mul/
[2] https://github.com/remix7531/secp256k1-scalar-fv-test
[3] https://vst.cs.princeton.edu/
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/09b8adf7-0faa-4efa-b53a-7d29a5f40c12%40mailbox.org.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [bitcoindev] Re: Formal verification of secp256k1 modular scalar multiplication
2026-04-07 11:56 [bitcoindev] Formal verification of secp256k1 modular scalar multiplication 'remix7531' via Bitcoin Development Mailing List
@ 2026-04-15 18:39 ` jeremy
0 siblings, 0 replies; 2+ messages in thread
From: jeremy @ 2026-04-15 18:39 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 2842 bytes --]
This is really neat!
For my purify impl[0], I've also had some success with using CBMC on a toy
curve prime to "prove" correctness, but an actually Rocq proof is obviously
better.
[0] https://judica.org/purify
On Tuesday, April 7, 2026 at 8:13:01 AM UTC-4 remix7531 wrote:
> Hi all,
>
> I have been lurking on this list for years. It is time for my first post.
>
> This is my first result under my OpenSats grant [0]. Full writeup
> with technical details and Rocq (formerly Coq) code examples is on
> my blog [1].
>
> Code and proofs are available on GitHub [2].
>
> I produced a machine-checked proof that secp256k1_scalar_mul computes
> r = a * b mod N correctly for all representable inputs, where N is the
> secp256k1 group order. The proof covers arithmetic correctness, absence
> of integer overflow in all intermediate computations, and memory safety.
> Scalar multiplication sits on the critical path of every signature
> operation.
>
> Together with all supporting helpers, the verified code totals roughly
> 300 lines of C. The proof code totals ~6,400 lines in Rocq, giving a
> proof-to-code ratio of roughly 21:1.
>
> I verified the non-assembly, 64-bit only fallback path using the
> Verified Software Toolchain (VST) [3]. The verified code differs
> from upstream in two ways: assert statements are removed
> (not present in production builds) and macros are converted to
> inline functions. The algorithmic logic is unchanged. When compiled
> with CompCert, the correctness guarantee extends from the
> mathematical specification to assembly.
>
> One mistake I made was a missing "mod 2^256" in a helper
> specification, which made it unprovable. The code was correct,
> the error was in my specification. The proof assistant caught it
> because the proof cannot go through when the specification does
> not match the code's behavior.
>
> Next targets are porting to RefinedC for a framework comparison,
> verifying Pippenger's algorithm for batch signature verification
> (axiomatizing group operations), and evaluating Cryptol/SAW.
>
> Feedback welcome.
>
> remix7531
>
> [0]
>
> https://opensats.org/blog/sixteenth-wave-of-bitcoin-grants#advancing-formal-verification-for-bitcoin-cryptography
> [1] https://remix7531.com/post/formal_verification_secp256k1_scalar_mul/
> [2] https://github.com/remix7531/secp256k1-scalar-fv-test
> [3] https://vst.cs.princeton.edu/
>
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/531d1095-435c-4e8f-b8d1-8fdc26aeab2cn%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 4790 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-04-15 18:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-04-07 11:56 [bitcoindev] Formal verification of secp256k1 modular scalar multiplication 'remix7531' via Bitcoin Development Mailing List
2026-04-15 18:39 ` [bitcoindev] " jeremy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox