refactor: rename eddsa proc to verify_prehash

bobbinth · bobbinth · commit 112b9092ba9f · 2025-12-05T18:49:39.000-08:00
diff --git a/crates/lib/core/asm/crypto/dsa/ecdsa_k256_keccak.masm b/crates/lib/core/asm/crypto/dsa/ecdsa_k256_keccak.masm
@@ -33,19 +33,26 @@ const SIG_LEN_FELTS = 17   # 65.div_ceil(4)
 #!
 #! Inputs:
 #!   Operand stack: [PK_COMM, MSG, ...]
-#!   Advice stack:  [PK[9] | SIG_BYTES[17] | ...]
+#!   Advice stack:  [PK[9] | SIG[17] | ...]
 #! Outputs:
 #!   Operand stack: []
 #!   Advice stack:  []
 #!
+#! Where:
+#! - `PK_COMM`: RPO hash commitment of the 32-byte ECDSA public key
+#! - `MSG`: single word (4 field elements) representing the message to verify
+#! - `PK[9]`: 33-byte public key packed as 9 field elements on advice stack
+#! - `SIG[17]`: 65-byte signature packed as 17 field elements on advice stack
+#!
 #! Local memory layout (element addresses):
 #!   - locaddr[0 ..9 ] : compressed public key (33 bytes packed as 9 felts)
 #!   - locaddr[12..20] : message bytes (MSG written as eight u32 limbs)
 #!   - locaddr[20..28] : keccak256(message) digest (8 felts)
-#!   - locaddr[28..45] : signature (66 bytes packed as 17 felts)
+#!   - locaddr[28..45] : signature (65 bytes packed as 17 felts)
 #!
-#! The procedure traps if the public key in the advice stack does not hash to `PK_COMM`;
-#! otherwise it returns cleanly after emitting the deferred verification request.
+#! The procedure traps if:
+#! - The public key does not hash to `PK_COMM` (invalid commitment)
+#! - The signature verification fails
 @locals(48)
 pub proc verify
     # Load the compressed public key (9 felts) into local memory at locaddr.[0..9]
@@ -86,10 +93,13 @@ pub proc verify
     # => [pk_ptr, digest_ptr, sig_ptr]
     exec.verify_prehash
     # => [result, ...]
+
+    # Trap if verification failed
     assert.err="ECDSA signature verification failed"
 end
 
 #! Verifies an ECDSA signature with pre-hashed message using deferred execution.
+#!
 #! This procedure is intended for manual signature verification where the caller
 #! has already computed the message digest.
 #!
@@ -98,13 +108,13 @@ end
 #! In typical flows the digest is obtained from `keccak256::hash_bytes`, but any 32-byte prehash
 #! is accepted.
 #!
-#! Input: `[pk_ptr, digest_ptr, sig_ptr, ...]`
+#! Input:  `[pk_ptr, digest_ptr, sig_ptr, ...]`
 #! Output: `[result, ...]`
 #!
 #! Where:
 #! - `pk_ptr`: word-aligned memory address containing the 33-byte compressed secp256k1 public key
 #! - `digest_ptr`: word-aligned memory address containing the 32-byte message digest
-#! - `sig_ptr`: word-aligned memory address containing the 66-byte signature
+#! - `sig_ptr`: word-aligned memory address containing the 65-byte signature
 #! - `result`: 1 if the signature is valid, 0 if invalid
 #!
 #! All data must be stored in memory as packed u32 values (little-endian), with unused bytes
@@ -138,7 +148,7 @@ end
 #! Where:
 #! - `pk_ptr`: word-aligned memory address containing 33-byte public key
 #! - `digest_ptr`: word-aligned memory address containing 32-byte digest
-#! - `sig_ptr`: word-aligned memory address containing 66-byte signature
+#! - `sig_ptr`: word-aligned memory address containing 65-byte signature
 #! - `COMM`: commitment to calldata computed as
 #!       `Rpo256(Rpo256(Rpo256(pk) || Rpo256(digest)) || Rpo256(sig))`
 #! - `TAG`: `[ECDSA_VERIFY_EVENT, result, 0, 0]`
diff --git a/crates/lib/core/asm/crypto/dsa/eddsa_ed25519.masm b/crates/lib/core/asm/crypto/dsa/eddsa_ed25519.masm
@@ -110,7 +110,7 @@ pub proc verify
     locaddr.16  # sig_ptr
     locaddr.56  # k_digest_ptr
     locaddr.0   # pk_ptr
-    exec.verify_with_unchecked_k_digest
+    exec.verify_prehash
     # => [result, ...]
 
     # Trap if verification failed
@@ -120,6 +120,9 @@ end
 
 #! Verifies an EdDSA (Ed25519) signature with a pre-computed nonce digest.
 #!
+#! This procedure is intended for manual signature verification where the caller
+#! has already computed the message digest.
+#!
 #! This procedure uses deferred verification via a precompile. The actual cryptographic
 #! verification is performed by the host, and the result is provided via the advice stack.
 #!
@@ -134,8 +137,8 @@ end
 #!
 #! All data must be stored in memory as packed u32 field elements (little-endian), with unused limbs
 #! in the final word set to zero.
-pub proc verify_with_unchecked_k_digest
-    exec.verify_with_unchecked_k_digest_impl
+pub proc verify_prehash
+    exec.verify_prehash_impl
     # => [COMM, TAG, result, ...]
 
     # Log the precompile request for deferred verification.
@@ -218,7 +221,7 @@ end
 #! - `COMM`: `Rpo256(Rpo256(Rpo256(pk) || Rpo256(k_digest)) || Rpo256(sig))`
 #! - `TAG`:  `[EDDSA_VERIFY_EVENT, result, 0, 0]`
 #! - `result`: host verification result (1 or 0)
-pub proc verify_with_unchecked_k_digest_impl
+pub proc verify_prehash_impl
     emit.EDDSA_VERIFY_EVENT
     # => [pk_ptr, k_digest_ptr, sig_ptr, ...]
 
diff --git a/crates/lib/core/docs/crypto/dsa/ecdsa_k256_keccak.md b/crates/lib/core/docs/crypto/dsa/ecdsa_k256_keccak.md
@@ -2,6 +2,6 @@
 ## miden::core::crypto::dsa::ecdsa_k256_keccak
 | Procedure | Description |
 | ----------- | ------------- |
-| verify | Verifies an secp256k1 ECDSA signature compatible with `miden-crypto::ecdsa_k256_keccak`.<br /><br />This wrapper mirrors the materialization performed in `miden-crypto::ecdsa_k256_keccak`: given<br />a public key commitment and the original message, it reconstructs the calldata expected by the<br />precompile (public key bytes, Keccak256(message), signature). The public key and signature are<br />supplied via the advice stack, and can be obtained with the `ecdsa_k256_keccak` function.<br /><br />Inputs:<br />Operand stack: [PK_COMM, MSG, ...]<br />Advice stack:  [PK[9] \| SIG_BYTES[17] \| ...]<br />Outputs:<br />Operand stack: []<br />Advice stack:  []<br /><br />Local memory layout (element addresses):<br />- locaddr[0 ..9 ] : compressed public key (33 bytes packed as 9 felts)<br />- locaddr[12..20] : message bytes (MSG written as eight u32 limbs)<br />- locaddr[20..28] : keccak256(message) digest (8 felts)<br />- locaddr[28..45] : signature (66 bytes packed as 17 felts)<br /><br />The procedure traps if the public key in the advice stack does not hash to `PK_COMM`;<br />otherwise it returns cleanly after emitting the deferred verification request.<br /> |
-| verify_prehash | Verifies an ECDSA signature with pre-hashed message using deferred execution.<br />This procedure is intended for manual signature verification where the caller<br />has already computed the message digest.<br /><br />The caller provides the public key, the pre-hashed message digest, and the signature data in<br />memory. This routine forwards the request to the host precompile and returns the boolean result.<br />In typical flows the digest is obtained from `keccak256::hash_bytes`, but any 32-byte prehash<br />is accepted.<br /><br />Input: `[pk_ptr, digest_ptr, sig_ptr, ...]`<br />Output: `[result, ...]`<br /><br />Where:<br />- `pk_ptr`: word-aligned memory address containing the 33-byte compressed secp256k1 public key<br />- `digest_ptr`: word-aligned memory address containing the 32-byte message digest<br />- `sig_ptr`: word-aligned memory address containing the 66-byte signature<br />- `result`: 1 if the signature is valid, 0 if invalid<br /><br />All data must be stored in memory as packed u32 values (little-endian), with unused bytes<br />in the final u32 set to zero.<br /> |
-| verify_prehash_impl | Internal implementation of ECDSA signature verification via deferred computation.<br />This procedure is intended for manual signature verification where the caller<br />has already computed the message digest.<br /><br />Emits an event to trigger the precompile handler, reads the verification result from<br />the advice stack, and computes the commitment and tag for tracking deferred verification.<br /><br />This procedure mimics the `ecdsa_secp256k1::PublicKey::verify_prehash()` function from<br />`miden-crypto`, which takes a pre-hashed message that the caller must provide<br />(e.g. obtained using the keccak256 precompile).<br /><br />Input: `[pk_ptr, digest_ptr, sig_ptr, ...]`<br />Output: `[COMM, TAG, result, ...]`<br /><br />Where:<br />- `pk_ptr`: word-aligned memory address containing 33-byte public key<br />- `digest_ptr`: word-aligned memory address containing 32-byte digest<br />- `sig_ptr`: word-aligned memory address containing 66-byte signature<br />- `COMM`: commitment to calldata computed as<br />`Rpo256(Rpo256(Rpo256(pk) \|\| Rpo256(digest)) \|\| Rpo256(sig))`<br />- `TAG`: `[ECDSA_VERIFY_EVENT, result, 0, 0]`<br />- `result`: 1 if signature is valid, 0 if invalid<br /> |
+| verify | Verifies an secp256k1 ECDSA signature compatible with `miden-crypto::ecdsa_k256_keccak`.<br /><br />This wrapper mirrors the materialization performed in `miden-crypto::ecdsa_k256_keccak`: given<br />a public key commitment and the original message, it reconstructs the calldata expected by the<br />precompile (public key bytes, Keccak256(message), signature). The public key and signature are<br />supplied via the advice stack, and can be obtained with the `ecdsa_k256_keccak` function.<br /><br />Inputs:<br />Operand stack: [PK_COMM, MSG, ...]<br />Advice stack:  [PK[9] \| SIG[17] \| ...]<br />Outputs:<br />Operand stack: []<br />Advice stack:  []<br /><br />Where:<br />- `PK_COMM`: RPO hash commitment of the 32-byte ECDSA public key<br />- `MSG`: single word (4 field elements) representing the message to verify<br />- `PK[9]`: 33-byte public key packed as 9 field elements on advice stack<br />- `SIG[17]`: 65-byte signature packed as 17 field elements on advice stack<br /><br />Local memory layout (element addresses):<br />- locaddr[0 ..9 ] : compressed public key (33 bytes packed as 9 felts)<br />- locaddr[12..20] : message bytes (MSG written as eight u32 limbs)<br />- locaddr[20..28] : keccak256(message) digest (8 felts)<br />- locaddr[28..45] : signature (65 bytes packed as 17 felts)<br /><br />The procedure traps if:<br />- The public key does not hash to `PK_COMM` (invalid commitment)<br />- The signature verification fails<br /> |
+| verify_prehash | Verifies an ECDSA signature with pre-hashed message using deferred execution.<br /><br />This procedure is intended for manual signature verification where the caller<br />has already computed the message digest.<br /><br />The caller provides the public key, the pre-hashed message digest, and the signature data in<br />memory. This routine forwards the request to the host precompile and returns the boolean result.<br />In typical flows the digest is obtained from `keccak256::hash_bytes`, but any 32-byte prehash<br />is accepted.<br /><br />Input:  `[pk_ptr, digest_ptr, sig_ptr, ...]`<br />Output: `[result, ...]`<br /><br />Where:<br />- `pk_ptr`: word-aligned memory address containing the 33-byte compressed secp256k1 public key<br />- `digest_ptr`: word-aligned memory address containing the 32-byte message digest<br />- `sig_ptr`: word-aligned memory address containing the 65-byte signature<br />- `result`: 1 if the signature is valid, 0 if invalid<br /><br />All data must be stored in memory as packed u32 values (little-endian), with unused bytes<br />in the final u32 set to zero.<br /> |
+| verify_prehash_impl | Internal implementation of ECDSA signature verification via deferred computation.<br />This procedure is intended for manual signature verification where the caller<br />has already computed the message digest.<br /><br />Emits an event to trigger the precompile handler, reads the verification result from<br />the advice stack, and computes the commitment and tag for tracking deferred verification.<br /><br />This procedure mimics the `ecdsa_secp256k1::PublicKey::verify_prehash()` function from<br />`miden-crypto`, which takes a pre-hashed message that the caller must provide<br />(e.g. obtained using the keccak256 precompile).<br /><br />Input: `[pk_ptr, digest_ptr, sig_ptr, ...]`<br />Output: `[COMM, TAG, result, ...]`<br /><br />Where:<br />- `pk_ptr`: word-aligned memory address containing 33-byte public key<br />- `digest_ptr`: word-aligned memory address containing 32-byte digest<br />- `sig_ptr`: word-aligned memory address containing 65-byte signature<br />- `COMM`: commitment to calldata computed as<br />`Rpo256(Rpo256(Rpo256(pk) \|\| Rpo256(digest)) \|\| Rpo256(sig))`<br />- `TAG`: `[ECDSA_VERIFY_EVENT, result, 0, 0]`<br />- `result`: 1 if signature is valid, 0 if invalid<br /> |
diff --git a/crates/lib/core/docs/crypto/dsa/eddsa_ed25519.md b/crates/lib/core/docs/crypto/dsa/eddsa_ed25519.md
@@ -3,5 +3,5 @@
 | Procedure | Description |
 | ----------- | ------------- |
 | verify | Verifies an Ed25519 EdDSA signature compatible with `miden-crypto::eddsa_25519_sha512`.<br /><br />This wrapper mirrors the materialization performed in `miden-crypto::eddsa_25519_sha512`: given<br />a public key commitment and the original message, it reconstructs the calldata expected by the<br />precompile (public key bytes, SHA512(R \|\| PK \|\| MSG), signature). The public key and signature<br />are supplied via the advice stack, and can be obtained with the `eddsa_sign` function.<br /><br />Inputs:<br />Operand stack: [PK_COMM, MSG, ...]<br />Advice stack:  [PK[8] \| SIG[16] \| ...]<br />Outputs:<br />Operand stack: []<br />Advice stack:  []<br /><br />Where:<br />- `PK_COMM`: RPO hash commitment of the 32-byte Ed25519 public key<br />- `MSG`: single word (4 field elements) representing the message to verify<br />- `PK[8]`: 32-byte public key packed as 8 field elements on advice stack<br />- `SIG[16]`: 64-byte signature packed as 16 field elements on advice stack<br /><br />Local memory layout (element addresses):<br />- locaddr[0..8]:   public key (32 bytes packed as 8 felts)<br />- locaddr[8..16]:  message (32 bytes = 8 felts)<br />- locaddr[16..32]: signature (64 bytes packed as 16 felts)<br />- locaddr[32..56]: SHA512 input buffer (R \|\| PK \|\| MSG = 96 bytes = 24 felts)<br />- locaddr[56..72]: k_digest = SHA512(R \|\| PK \|\| MSG) (64 bytes = 16 felts)<br /><br />The procedure traps if:<br />- The public key does not hash to `PK_COMM` (invalid commitment)<br />- The signature verification fails<br /> |
-| verify_with_unchecked_k_digest | Verifies an EdDSA (Ed25519) signature with a pre-computed nonce digest.<br /><br />This procedure uses deferred verification via a precompile. The actual cryptographic<br />verification is performed by the host, and the result is provided via the advice stack.<br /><br />Input:  `[pk_ptr, k_digest_ptr, sig_ptr, ...]`<br />Output: `[result, ...]`<br /><br />Where:<br />- `pk_ptr`:  word-aligned memory address containing the 32-byte Ed25519 public key<br />- `k_digest_ptr`: word-aligned memory address containing the 64-byte challenge hash `k`<br />- `sig_ptr`: word-aligned memory address containing the 64-byte Ed25519 signature<br />- `result`:  1 if the signature is valid, 0 otherwise<br /><br />All data must be stored in memory as packed u32 field elements (little-endian), with unused limbs<br />in the final word set to zero.<br /> |
-| verify_with_unchecked_k_digest_impl | Internal implementation of EdDSA verification via deferred computation.<br /><br />Emits an event to trigger the host precompile, reads the verification result from the<br />advice stack, and computes the commitment/tag pair used for deferred verification.<br /><br />Input:  `[pk_ptr, k_digest_ptr, sig_ptr, ...]`<br />Output: `[COMM, TAG, result, ...]`<br /><br />Where:<br />- `COMM`: `Rpo256(Rpo256(Rpo256(pk) \|\| Rpo256(k_digest)) \|\| Rpo256(sig))`<br />- `TAG`:  `[EDDSA_VERIFY_EVENT, result, 0, 0]`<br />- `result`: host verification result (1 or 0)<br /> |
+| verify_prehash | Verifies an EdDSA (Ed25519) signature with a pre-computed nonce digest.<br /><br />This procedure is intended for manual signature verification where the caller<br />has already computed the message digest.<br /><br />This procedure uses deferred verification via a precompile. The actual cryptographic<br />verification is performed by the host, and the result is provided via the advice stack.<br /><br />Input:  `[pk_ptr, digest_ptr, sig_ptr, ...]`<br />Output: `[result, ...]`<br /><br />Where:<br />- `pk_ptr`:  word-aligned memory address containing the 32-byte Ed25519 public key<br />- `digest_ptr`: word-aligned memory address containing the 64-byte challenge hash `k`<br />- `sig_ptr`: word-aligned memory address containing the 64-byte Ed25519 signature<br />- `result`:  1 if the signature is valid, 0 otherwise<br /><br />All data must be stored in memory as packed u32 field elements (little-endian), with unused limbs<br />in the final word set to zero.<br /> |
+| verify_prehash_impl | Internal implementation of EdDSA verification via deferred computation.<br /><br />Emits an event to trigger the host precompile, reads the verification result from the<br />advice stack, and computes the commitment/tag pair used for deferred verification.<br /><br />Input:  `[pk_ptr, k_digest_ptr, sig_ptr, ...]`<br />Output: `[COMM, TAG, result, ...]`<br /><br />Where:<br />- `COMM`: `Rpo256(Rpo256(Rpo256(pk) \|\| Rpo256(k_digest)) \|\| Rpo256(sig))`<br />- `TAG`:  `[EDDSA_VERIFY_EVENT, result, 0, 0]`<br />- `result`: host verification result (1 or 0)<br /> |
diff --git a/crates/lib/core/tests/crypto/eddsa_ed25519.rs b/crates/lib/core/tests/crypto/eddsa_ed25519.rs
@@ -55,7 +55,7 @@ fn test_eddsa_verify_prehash_cases() {
                 {memory_stores}
 
                 push.{SIG_ADDR}.{K_DIGEST_ADDR}.{PK_ADDR}
-                exec.eddsa_ed25519::verify_with_unchecked_k_digest
+                exec.eddsa_ed25519::verify_prehash
 
                 exec.sys::truncate_stack
             end
@@ -83,7 +83,7 @@ fn test_eddsa_verify_prehash_cases() {
                 {memory_stores}
 
                 push.{SIG_ADDR}.{K_DIGEST_ADDR}.{PK_ADDR}
-                exec.eddsa_ed25519::verify_with_unchecked_k_digest
+                exec.eddsa_ed25519::verify_prehash
 
                 exec.sys::truncate_stack
             end
@@ -122,7 +122,7 @@ fn test_eddsa_verify_prehash_impl_commitment() {
                 {memory_stores}
 
                 push.{SIG_ADDR}.{K_DIGEST_ADDR}.{PK_ADDR}
-                exec.eddsa_ed25519::verify_with_unchecked_k_digest_impl
+                exec.eddsa_ed25519::verify_prehash_impl
 
                 exec.sys::truncate_stack
             end
@@ -150,7 +150,7 @@ fn test_eddsa_verify_prehash_impl_commitment() {
 
         assert!(
             output.advice_provider().stack().is_empty(),
-            "advice stack should be empty after verify_with_unchecked_k_digest_impl"
+            "advice stack should be empty after verify_prehash_impl"
         );
     }
 }
diff --git a/docs/src/user_docs/core_lib/crypto/dsa.md b/docs/src/user_docs/core_lib/crypto/dsa.md
diff --git a/docs/src/user_docs/core_lib/index.md b/docs/src/user_docs/core_lib/index.md
