1 files changed, 28 insertions, 0 deletions

diff --git a/chip/g/dcrypto/proofs_p256.md b/chip/g/dcrypto/proofs_p256.md
new file mode 100644
index 0000000000..c0fa7ef6ad
--- /dev/null
+++ b/chip/g/dcrypto/proofs_p256.md
@@ -0,0 +1,28 @@
+Proving P256 dcrypto code
+=========================
+
+In 2018, partial proofs of modular reduction were written in the Coq proof
+assistant.
+They can be used against the crypto accelerator code in [chip/g/dcrypto/dcrypto_p256.c](dcrypto_p256.c).
+
+The Coq code is in this file:
+[github.com/mit-plv/fiat-crypto/.../Experiments/SimplyTypedArithmetic.v](https://github.com/mit-plv/fiat-crypto/blob/e469076c37fc8b1b6d66eb700e379b9b2a093cb7/src/Experiments/SimplyTypedArithmetic.v)
+
+Specific lines of interest:
+
+Instruction specifications:
+[fiat-crypto/.../Experiments/SimplyTypedArithmetic.v#L10014](https://github.com/mit-plv/fiat-crypto/blob/e469076c37fc8b1b6d66eb700e379b9b2a093cb7/src/Experiments/SimplyTypedArithmetic.v#L10014)
+
+Printouts of verified code versions with explanatory comments are at the very
+end of the same file (which GitHub cuts off, so here is the link to the raw
+version):
+https://raw.githubusercontent.com/mit-plv/fiat-crypto/e469076c37fc8b1b6d66eb700e379b9b2a093cb7/src/Experiments/SimplyTypedArithmetic.v
+
+Additionally, the MulMod procedure in p256 uses a non-standard Barrett
+reduction optimization. In particular, it assumes that the quotient estimate is
+off by no more than 1, while most resources say it can be off by 2. This
+assumption was proven correct for most primes (including p256) here:
+
+[fiat-crypto/.../Arithmetic/BarrettReduction/Generalized.v#L140](https://github.com/mit-plv/fiat-crypto/blob/e469076c37fc8b1b6d66eb700e379b9b2a093cb7/src/Arithmetic/BarrettReduction/Generalized.v#L140)
+
+The proofs can be re-checked using Coq version 8.7 or 8.8 (or above, probably).