feat(inlines): add P-256 (secp256r1) inline instructions and ECDSA example#1381
Open
sagar-a16z wants to merge 6 commits into main from
Conversation
0xAndoroid (Collaborator) reviewed on Mar 27, 2026 and left a comment:
Review from automated code review agents.
…ample Adds jolt-inlines-p256 crate with field mul/square/div inlines for both the base field and scalar field, plus a Fake GLV advice inline for efficient ECDSA verification (~283K cycles). Uses "Fake GLV" (Latincrypt 2025) to decompose 256-bit scalars into 128-bit pairs via half-GCD, enabling 4-scalar Shamir's trick without an endomorphism. Handles the dense 4-limb modular complement (vs secp256k1's 1-limb) and the a=-3 curve parameter. Includes examples/p256-ecdsa-verify with an RFC 6979 test vector.
- Extract half-GCD decomposition to shared fake_glv.rs module
- Switch host field ops from BigUint to ark_secp256r1 types
- Fix scalar field comments: wq → wn (use n for scalar order)
- Remove unused Sign imports after fake_glv extraction
Move 13 multiply-accumulate helper methods (mac_low, mac_high, mac_low_w_carry, mac_high_w_carry, mac_low_conditional, mac_high_conditional, m2ac_low, m2ac_high, m2ac_low_w_carry, m2ac_high_w_carry, adc, adc_w_carry, add_conditional) from the P256 sequence builder to a shared MulAccExt trait in jolt-inlines-sdk. These helpers are byte-for-byte identical between secp256k1 and P-256. The secp256k1 crate can adopt MulAccExt in a follow-up.
Replace the near-identical P256Fq and P256Fr structs (~580 lines of copy-paste) with a single generic P256Field<C: P256FieldConfig>. The config trait captures the five differences: modulus, funct3 opcodes, error variant, canonicality check, and host arkworks dispatch. P256Fq = P256Field<FqConfig>, P256Fr = P256Field<FrConfig>. Public API unchanged — all downstream code compiles without modification. sdk.rs: 1115 → 943 lines (-172).
- Extract limbs_to_nbiguint, nbiguint_to_limbs, MulqType, decode_sign_word, emit_advice_stores to jolt-inlines-sdk for cross-crate reuse
- Update P-256, secp256k1, and grumpkin to use shared utilities
- Remove dead constants P256_BASEFIELD_NEG_MODULUS, P256_SCALARFIELD_NEG_ORDER
- Remove section separator comments from P-256 sdk.rs
- Fix misleading RFC 6979 comment in example and tests
Adds jolt-inlines-p256 crate with field mul/square/div inlines for both the base field and scalar field, plus a Fake GLV advice inline for efficient ECDSA verification (~283K cycles).
Uses "Fake GLV" (Latincrypt 2025) to decompose 256-bit scalars into 128-bit pairs via half-GCD, enabling 4-scalar Shamir's trick without an endomorphism. Handles the dense 4-limb modular complement (vs secp256k1's 1-limb) and the a=-3 curve parameter.
Includes examples/p256-ecdsa-verify with an RFC 6979 test vector.
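The half-GCD "Fake GLV" decomposition described above, as an added host-side example in Python that is not part of the PR or the Jolt crates (the Rust inline itself is not reproduced). The four-scalar form it derives is an assumption about one way to reach four 128-bit scalars (write u2 = a/b, multiply the verification equation by b, split b*u1 at 2^128 against a precomputed 2^128*G), not necessarily the layout the crate uses.

```python
# Added example, not code from the Jolt repository: the half-GCD "Fake GLV"
# scalar decomposition the PR describes, worked on the host side in Python.
# The four-scalar form is an assumed construction: u2 is decomposed as a/b,
# the verification equation is multiplied through by b, and the remaining
# 256-bit scalar b*u1 is split at 2^128 against a precomputed G' = 2^128 * G.
from math import isqrt

# Group order n of P-256 (secp256r1); the base field is not needed here.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
HALF_BITS = 128


def half_gcd_decompose(k: int, n: int = N) -> tuple[int, int]:
    """Return (a, b) with k ≡ a * b^-1 (mod n), 0 <= a < sqrt(n), |b| <= sqrt(n).

    Runs the extended Euclidean algorithm on (n, k), tracking only the
    cofactor of k, and stops at the first remainder below sqrt(n).  The
    identity |t_i| * r_{i-1} + |t_{i-1}| * r_i = n bounds the cofactor.
    """
    k %= n
    if k == 0:
        return 0, 1
    bound = isqrt(n)
    r0, r1 = n, k
    t0, t1 = 0, 1  # invariants: r0 ≡ t0 * k and r1 ≡ t1 * k (mod n)
    while r1 >= bound:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    return r1, t1


def fake_glv_scalars(u1: int, u2: int, n: int = N) -> tuple[int, int, int, int]:
    """Rewrite the ECDSA check u1*G + u2*Q == R with four ~128-bit scalars.

    With u2 = a/b the check becomes c*G + a*Q - b*R == O for c = b*u1 mod n;
    splitting c = c_lo + 2^128 * c_hi gives c_lo*G + c_hi*G' + a*Q - b*R == O.
    Returns (c_lo, c_hi, a, b); the caller supplies G' = 2^128 * G.
    """
    a, b = half_gcd_decompose(u2, n)
    c = (b * u1) % n
    return c & ((1 << HALF_BITS) - 1), c >> HALF_BITS, a, b


def check_decomposition(k: int, n: int = N) -> bool:
    """Sanity check: a * b^-1 ≡ k (mod n) and both halves fit in 128 bits."""
    a, b = half_gcd_decompose(k, n)
    fits = a.bit_length() <= HALF_BITS and abs(b).bit_length() <= HALF_BITS
    return fits and (a * pow(b, -1, n) - k) % n == 0
```

The signed b is what the "dense modular complement" handling in the inline has to absorb; on the host, a negative b is simply inverted modulo n.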