remix7531

Formal Verification of WOTS+ post-quantum signatures

Tue, 19 May 2026 00:00:00 +0000

Adjacent to my work on formal verification of libsecp256k1, I dabbled in a side project on hash-based signatures. Unsure about the difficulty, I built a formally verified C implementation of the Winternitz One Time Signature Plus (WOTS+) using the Verified Software Toolchain. It turned out to be surprisingly easy relative to the modular scalar multiplication in libsecp256k1.

Every WOTS+ C function is proved to match a mathematical specification of what it should compute, and the specification itself is proved to be internally consistent.¹ The trusted base is SHA-256 (left abstract in the model, and the C implementation is assumed to match that abstract model), CompCert, VST, and the Rocq kernel. Code and proofs are at https://github.com/remix7531/wots-fv.

Benchmarking SLH-DSA Aggregation with STARKs

Sun, 12 Apr 2026 00:00:00 +0000

Code: github.com/remix7531/slh-dsa-stark-bench

Background

In April 2025, Ethan Heilman posted Post Quantum Signatures and Scaling Bitcoin to the bitcoin-dev mailing list, proposing Non-Interactive Transaction Compression (NTC) using STARK proofs. The idea: once Bitcoin adopts post-quantum signatures, miners would aggregate all PQ signatures in a block into a single proof, replacing thousands of large signatures with one constant-size proof. This addresses the main downside of PQ signatures, namely their size, and could increase Bitcoin’s transaction throughput.

Formal Verification of secp256k1 modular scalar multiplication

Tue, 07 Apr 2026 00:00:00 +0000

I produced a machine-checked proof that secp256k1_scalar_mul computes exactly r = a * b mod N for all representable inputs, where N is the secp256k1 group order. Together with all supporting helpers, the verified code totals roughly 300 lines of C. The proof covers arithmetic correctness, absence of integer overflow in all intermediate computations, and memory safety. Scalar multiplication sits on the critical path of every signature operation.

This is my first result under the OpenSats grant Advancing Formal Verification for Bitcoin Cryptography. The code and proofs are available at https://github.com/remix7531/secp256k1-scalar-fv-test.

AI and Formal Verification

Sat, 04 Apr 2026 00:00:00 +0000

I have been trying to get LLMs to write formal verification proofs for about two years. Most recently as part of my work proving C code from bitcoin-core/secp256k1 correct. Every attempt failed. Different models through Copilot Chat would produce plausible-looking tactic sequences that did not type-check, hallucinate lemma names, or get stuck in loops. I kept trying because the idea is so compelling: as others have predicted, formal verification and AI form a natural synergy. Proofs are machine-checkable, so an LLM can try things and get immediate feedback on whether they work.

Learning Rocq with Software Foundations

Mon, 02 Feb 2026 00:00:00 +0000

Last month (January 2026) I got into the Rocq proof assistant.

In this post, I’m going into my experience learning the basics of Rocq by working through the Software Foundations: Logical Foundations (Volume 1) book. We’ll take a quick look at Constructive Logic and Inductive Propositions (my biggest learnings), as well as common errors I made. Finally, I’ll summarize my experience so far with Rocq and what I’m doing next.

Rocq is a proof assistant that was recently renamed from Coq. Rocq is an interactive theorem prover and a functional programming language. Rocq has a small core: even familiar things like natural numbers and lists aren’t kernel built-ins. They’re defined in libraries. Using Rocq, we can define our own types (or use ones from the standard library) and prove theorems about them. This might be basic lemmas about natural numbers or large proofs such as the Four color theorem.

Hello, World!

Fri, 02 Jan 2026 00:00:00 +0000

Welcome to my website on formal verification and cryptography.

What I’m Working On

Cryptographic systems rely on the correctness of their implementations. This website documents my work applying formal methods to strengthen that foundation.

Current Focus:

RustCrypto: Formally verifying the sha2 and k256 implementations using HAX and F*
secp256k1: Working on correctness and safety proofs for elliptic curve operations and multi-scalar multiplication in libsecp256k1. Researching which framework and proof assistants work best.

Why Formal Methods?

While code review, testing and fuzzing catch many bugs, formal verification goes further: Proving the absence of entire classes of errors. For critical cryptographic code, this level of assurance matters.