How to generate Curve25519 code with Fiat-Crypto?

Use the command-line binary with the unsaturated Solinas strategy; for example, `./fiat_crypto unsaturated-solinas '25519' '64' '5' '2^255 - 19' carry_mul carry_square ...` as shown in the README, which outputs C code to a file. The web demo also allows trying this interactively.

Fiat-Crypto vs hand-written crypto implementations: which is better?

Fiat-Crypto provides formal verification for correctness, eliminating bugs, while hand-written code might be more optimized or flexible but error-prone. For high-assurance projects like cryptographic libraries, Fiat-Crypto is superior, but for rapid prototyping, manual coding could be faster.

Can Fiat-Crypto generate code for Go or Zig?

Yes, Fiat-Crypto supports Go and Zig backends, with Go maintained by external contributors and Zig used in the Zig standard library, but check the status table for testing levels as they may not be as robust as C or Rust.

What are the performance trade-offs of Fiat-Crypto generated code?

The generated code is optimized using strategies like Montgomery reduction, but the synthesis process itself can be slow for large primes, requiring stack size increases. Runtime performance is typically high, but verification adds build-time overhead.

How to contribute a new backend to Fiat-Crypto?

Follow the steps in the README: add a stringification file, update CLI.v and the Makefile, set up CI testing, and mark yourself as maintainer in the status table. Pull requests like #936 for Rust serve as examples.

Is Fiat-Crypto suitable for educational purposes?

Yes, it's excellent for learning verified cryptography, with demo files and papers explaining the synthesis. However, the Coq dependency and complex setup might be challenging for beginners without formal methods background.

Fiat-Crypto — Verified Cryptographic Code Synthesizer

What is Fiat-Crypto?

Fiat-Crypto is a Coq-based tool that synthesizes formally verified, correct-by-construction code for cryptographic field arithmetic primitives. It generates high-assurance implementations of operations like modular multiplication and addition for elliptic curves (e.g., Curve25519, NIST P-256), solving the problem of error-prone manual crypto implementation.

Target Audience

Cryptography engineers, security researchers, and developers building verified cryptographic libraries who need mathematically correct and efficient field arithmetic code.

Value Proposition

Developers choose Fiat-Crypto because it provides formally verified code that eliminates subtle bugs, supports multiple output languages and optimization strategies, and integrates into existing cryptographic libraries with high assurance.

Cryptographic Primitive Code Generation by Fiat

Use Cases

Best For

Generating verified field arithmetic code for elliptic curve implementations
Building high-assurance cryptographic libraries in C, Rust, or Go
Prototyping new cryptographic primitives with formal correctness guarantees
Educational purposes for understanding verified crypto implementation
Integrating formally verified components into existing security projects
Reducing manual review burden for critical cryptographic software

Not Ideal For

Teams needing quick, drop-in cryptographic libraries without formal verification setup overhead
Projects targeting languages with poorly maintained backends like Java, where generated code may be buggy
Developers with tight deadlines who cannot afford the hour-long builds and Coq learning curve
Real-time applications where code generation speed is critical, as synthesis for large primes can take hours

Pros & Cons

Pros

Formally Verified Correctness

All generated code is proven correct in Coq against mathematical specifications, eliminating subtle implementation bugs common in manual crypto code, as highlighted in the project's papers and thesis links.

Multi-Language Output

Synthesizes code for C, Rust, Go, Java, Zig, and Bedrock2/C, allowing integration into diverse projects, with some backends like C and Rust tested against external test suites.

Flexible Optimization Strategies

Supports multiple strategies like unsaturated Solinas and word-by-word Montgomery, enabling performance tuning for specific hardware, as demonstrated in the command-line examples for curves like Curve25519.

Interactive Web Demo

Includes a web interface powered by js_of_ocaml for trying synthesis without local setup, making it easier to experiment with parameters and strategies.

Cons

Complex Build and Setup

Requires Coq 8.20+, OCaml, and specific dependencies; the README notes builds can take over an hour, and setup involves managing submodules and package installations across different OSes.

Variable Backend Reliability

Some backends like Java are marked as buggy and unmaintained in the status table, while others like JSON are experimental, reducing trust for production use in those languages.

Steep Formal Methods Barrier

Users must understand Coq and formal methods to modify or extend the synthesis, as the pipeline relies on verified transformations and proofs, limiting accessibility for non-experts.

Frequently Asked Questions

What is Fiat-Crypto?

Target Audience

Cryptography engineers, security researchers, and developers building verified cryptographic libraries who need mathematically correct and efficient field arithmetic code.

Value Proposition

Use Cases

Best For

Generating verified field arithmetic code for elliptic curve implementations
Building high-assurance cryptographic libraries in C, Rust, or Go
Prototyping new cryptographic primitives with formal correctness guarantees
Educational purposes for understanding verified crypto implementation
Integrating formally verified components into existing security projects
Reducing manual review burden for critical cryptographic software

Not Ideal For

Teams needing quick, drop-in cryptographic libraries without formal verification setup overhead
Projects targeting languages with poorly maintained backends like Java, where generated code may be buggy
Developers with tight deadlines who cannot afford the hour-long builds and Coq learning curve
Real-time applications where code generation speed is critical, as synthesis for large primes can take hours

Pros & Cons

Pros

Formally Verified Correctness

Multi-Language Output

Synthesizes code for C, Rust, Go, Java, Zig, and Bedrock2/C, allowing integration into diverse projects, with some backends like C and Rust tested against external test suites.

Flexible Optimization Strategies

Interactive Web Demo

Includes a web interface powered by js_of_ocaml for trying synthesis without local setup, making it easier to experiment with parameters and strategies.

Cons

Complex Build and Setup

Requires Coq 8.20+, OCaml, and specific dependencies; the README notes builds can take over an hour, and setup involves managing submodules and package installations across different OSes.

Variable Backend Reliability

Some backends like Java are marked as buggy and unmaintained in the status table, while others like JSON are experimental, reducing trust for production use in those languages.

Steep Formal Methods Barrier

Users must understand Coq and formal methods to modify or extend the synthesis, as the pipeline relies on verified transformations and proofs, limiting accessibility for non-experts.

Frequently Asked Questions

Fiat-Crypto

What is Fiat-Crypto?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

Fiat-Crypto

What is Fiat-Crypto?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?