longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_circuit.h

@@ -0,0 +1,371 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_ECDSA_VERIFY_CIRCUIT_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_ECDSA_VERIFY_CIRCUIT_H_
+
+#include <stddef.h>
+
+#include "circuits/logic/bit_plucker.h"
+
+namespace proofs {
+// Verify ECDSA signature using triple scalar mult form.
+//
+// The field used by sumcheck is the base field of the elliptic curve.
+// Compiled circuit: ecdsa verify
+//  d: 7 wires: 21099 in: 1038 out:764 use:13911 ovh:7188 t:42963 cse:11351
+//  notn:34724
+//
+template <class LogicCircuit, class Field, class EC>
+class VerifyCircuit {
+  using EltW = typename LogicCircuit::EltW;
+  using BitW = typename LogicCircuit::BitW;
+  using Elt = typename LogicCircuit::Elt;
+  using Nat = typename Field::N;
+  static constexpr size_t kBits = EC::kBits;
+  using Bitvec = typename LogicCircuit::v256;
+
+ public:
+  struct Witness {
+    EltW rx, ry;
+    EltW pre[8];
+    EltW rx_inv, s_inv, pk_inv;
+    EltW bi[kBits];
+    EltW int_x[kBits - 1];
+    EltW int_y[kBits - 1];
+    EltW int_z[kBits - 1];
+
+    void input(const LogicCircuit& lc) {
+      rx = lc.eltw_input();
+      ry = lc.eltw_input();
+      rx_inv = lc.eltw_input();
+      s_inv = lc.eltw_input();
+      pk_inv = lc.eltw_input();
+      for (size_t i = 0; i < 8; ++i) {
+        pre[i] = lc.eltw_input();
+      }
+      for (size_t i = 0; i < kBits; ++i) {
+        bi[i] = lc.eltw_input();
+        if (i < kBits - 1) {
+          int_x[i] = lc.eltw_input();
+          int_y[i] = lc.eltw_input();
+          int_z[i] = lc.eltw_input();
+        }
+      }
+    }
+  };
+
+  VerifyCircuit(const LogicCircuit& lc, const EC& ec, const Nat& order)
+      : lc_(lc), ec_(ec), k2_(lc_.elt(2)), k3_(lc_.elt(3)) {
+    // Compute the bit representation of the order of the curve.
+    for (size_t i = 0; i < ec.kBits; ++i) {
+      bits_n_[i] = lc_.bit(order.bit(i));
+    }
+  }
+
+  // This verify takes the triple (pkx,pky,e) and checks that there exists
+  //     (r=rx, ry, s) such that:
+  //           identity = g*e + pk*r + (rx,ry)*-s
+  // It performs this check using a witness table that includes
+  // (g+pk, g+r, r+pk, g+r+pk), a correction element,
+  // bits of exponents (e, r, -s) s.t. each triple of bits is packed into {0,7},
+  // and intermediate ec points in (x,y,z) form.  The bits are used to index the
+  // witness table in order to compute the right-hand side in a loop.  The loop
+  // is sliced by providing the intermediate results in order reduce depth.
+  //
+  // An external constraint will need to ensure that e \neq 0 (e.g.,
+  // either the verifier checks this as part of the public input, or
+  // the hash that defines e is produced in the circuit).  In our mdoc case,
+  // we use the later checks for both signatures.
+  //
+  // Other checks:
+  //   r is interpreted as both in the base field and the scalar field.
+  //   As a result, rx_inv is provided to ensure that r != 0.
+  //   Similarly, s_inv is provided to ensure that s != 0.
+  //
+  //   (rx,ry) is verified to be on the curve.
+  //
+  //   (pkx, pky) \neq identity, because we set pk_z=1, we verify that
+  //    pkx != 0, and we ensure that (pkx,pky) is on the curve.
+  //
+  void verify_signature3(EltW pk_x, EltW pk_y, EltW e, const Witness& w) const {
+    EltW zero = lc_.konst(lc_.zero());
+    EltW one = lc_.konst(lc_.one());
+    EltW gx = lc_.konst(ec_.gx_), gy = lc_.konst(ec_.gy_);
+
+    // indices for the pre[] table, don't change order
+    enum PreIndex {
+      GPK_X = 0,
+      GPK_Y,
+      GR_X,
+      GR_Y,
+      RPK_X,
+      RPK_Y,
+      GRPK_X,
+      GRPK_Y
+    };
+
+    // These variables hold the (e,r) exponents which are computed from the
+    // bits of advice (e,r,-s).  They are compared with their expected values.
+    EltW est = zero, rst = zero, sst = zero;
+
+    // initialize at the 0 point, but these indices are reset on each loop
+    EltW ax = zero, ay = one, az = zero;
+
+    // =========
+    // Verify the values received in the table are correct.
+    // By verifying these values in parallel with using them, we can reduce
+    // the depth of the resulting circuit.
+    EltW cg_pkx, cg_pky, cg_pkz;
+    EltW cr_pkx, cr_pky, cr_pkz;
+    EltW cr_gx, cr_gy, cr_gz;
+    EltW cr_g_pkx, cr_g_pky, cr_g_pkz;
+    addE(cg_pkx, cg_pky, cg_pkz, gx, gy, one, pk_x, pk_y, one);
+    addE(cr_gx, cr_gy, cr_gz, w.rx, w.ry, one, gx, gy, one);
+    addE(cr_pkx, cr_pky, cr_pkz, w.rx, w.ry, one, pk_x, pk_y, one);
+    addE(cr_g_pkx, cr_g_pky, cr_g_pkz, gx, gy, one, w.pre[RPK_X], w.pre[RPK_Y],
+         one);
+    point_equality(cg_pkx, cg_pky, cg_pkz, w.pre[GPK_X], w.pre[GPK_Y]);
+    point_equality(cr_gx, cr_gy, cr_gz, w.pre[GR_X], w.pre[GR_Y]);
+    point_equality(cr_pkx, cr_pky, cr_pkz, w.pre[RPK_X], w.pre[RPK_Y]);
+    point_equality(cr_g_pkx, cr_g_pky, cr_g_pkz, w.pre[GRPK_X], w.pre[GRPK_Y]);
+
+    EltW arr_x[] = {zero, gx,          pk_x,         w.pre[GPK_X],
+                    w.rx, w.pre[GR_X], w.pre[RPK_X], w.pre[GRPK_X]};
+    EltW arr_y[] = {one,  gy,          pk_y,         w.pre[GPK_Y],
+                    w.ry, w.pre[GR_Y], w.pre[RPK_Y], w.pre[GRPK_Y]};
+    EltW arr_z[] = {zero, one, one, one, one, one, one, one};
+    EltW arr_e[] = {zero, one, zero, one, zero, one, zero, one};
+    EltW arr_r[] = {zero, zero, one, one, zero, zero, one, one};
+    EltW arr_s[] = {zero, zero, zero, zero, one, one, one, one};
+
+    // To verify that the advice bit is in [0,7], we need to mux the point
+    // corresponding to the advice bit using degree 8 (9 points). We use the
+    // EltMuxer<LogicCircuit, 9, 8> to do this. See comments in EltMuxer.
+    EltW arr_v[] = {zero, zero, zero, zero, zero, zero, zero, zero, one};
+
+    EltMuxer<LogicCircuit, 8> xx(lc_, arr_x);
+    EltMuxer<LogicCircuit, 8> yy(lc_, arr_y);
+    EltMuxer<LogicCircuit, 8> zz(lc_, arr_z);
+    EltMuxer<LogicCircuit, 8> ee(lc_, arr_e);
+    EltMuxer<LogicCircuit, 8> rr(lc_, arr_r);
+    EltMuxer<LogicCircuit, 8> ss(lc_, arr_s);
+    EltMuxer<LogicCircuit, 9, 8> vv(lc_, arr_v);
+
+    Bitvec r_bits, s_bits;
+
+    // Traverses the bits of the scalar from high-order to low-order.
+    for (size_t i = 0; i < kBits; ++i) {
+      // Use the arr{X..V} arrays and the muxer to pick the correct point
+      // slice based on the bits of advice in the witness.
+      EltW tx = xx.mux(w.bi[i]);
+      EltW ty = yy.mux(w.bi[i]);
+      EltW tz = zz.mux(w.bi[i]);
+
+      // Update the exponent.
+      EltW e_bi = ee.mux(w.bi[i]);
+      EltW r_bi = rr.mux(w.bi[i]);
+      EltW s_bi = ss.mux(w.bi[i]);
+      auto k2 = lc_.konst(k2_);
+      est = lc_.add(e_bi, lc_.mul(k2, est));
+      rst = lc_.add(r_bi, lc_.mul(k2, rst));
+      sst = lc_.add(s_bi, lc_.mul(k2, sst));
+      r_bits[kBits - i - 1] = BitW(r_bi, ec_.f_);
+      s_bits[kBits - i - 1] = BitW(s_bi, ec_.f_);
+
+      // Verify that the advice bit is in [0,7].
+      EltW range = vv.mux(w.bi[i]);
+      lc_.assert0(range);
+
+      // Perform the basic add-dbl step in repeated squaring using the
+      // muxed point {tx, ty, tz}.
+      if (i > 0) {
+        doubleE(ax, ay, az, ax, ay, az);
+      }
+      addE(ax, ay, az, ax, ay, az, tx, ty, tz);
+
+      if (i < kBits - 1) {
+        // Ensure that the resulting point is equal to the intermediate
+        // point provided as input. Performing an explicit equality check
+        // ensures that all intermediate witness points are on the curve.
+        // This follows by induction. The first (ax,ay,az) is on the curve.
+        // The addition formula ensures that the i-th (ax,ay,az) is on the
+        // curve; equality ensures that the i-th witness is on the curve.
+        lc_.assert_eq(ax, w.int_x[i]);
+        lc_.assert_eq(ay, w.int_y[i]);
+        lc_.assert_eq(az, w.int_z[i]);
+
+        // Use the intermediate (x,y,z) point as the next input.
+        ax = w.int_x[i];
+        ay = w.int_y[i];
+        az = w.int_z[i];
+      }
+    }
+
+    // Check that the aX,aZ points are 0.
+    lc_.assert0(ax);
+    lc_.assert0(az);
+
+    // Check that the bits used for {e,rx} correspond to the input {e, rx}.
+    lc_.assert_eq(est, e);
+    lc_.assert_eq(rst, w.rx);
+
+    // Check that (pk,py), (rx,ry) satisfy the curve equation.
+    is_on_curve(pk_x, pk_y);
+    is_on_curve(w.rx, w.ry);
+
+    // Verify that exponents (r,s) are not zero.
+    //   A witness is provided to ensure that both values have inverses in F.
+    //   A bitwise comparison is done to ensure both are < |order| of EC.
+    assert_nonzero(w.rx, w.rx_inv);
+    assert_nonzero(sst, w.s_inv);
+    assert_nonzero(pk_x, w.pk_inv);
+    auto r_range = lc_.vlt(r_bits, bits_n_);
+    auto s_range = lc_.vlt(s_bits, bits_n_);
+    lc_.assert1(r_range);
+    lc_.assert1(s_range);
+  }
+
+ private:
+  void assert_nonzero(EltW x, EltW witness) const {
+    auto maybe_one = lc_.mul(x, witness);
+    auto one = lc_.konst(lc_.one());
+    lc_.assert_eq(maybe_one, one);
+  }
+
+  void point_equality(EltW x, EltW y, EltW z, EltW p_x, EltW p_y) const {
+    lc_.assert_eq(x, lc_.mul(z, p_x));
+    lc_.assert_eq(y, lc_.mul(z, p_y));
+  }
+
+  void is_on_curve(EltW x, EltW y) const {
+    // Check that y^2 = x^3 + ax + b
+    auto yy = lc_.mul(y, y);
+    auto xx = lc_.mul(x, x);
+    auto xxx = lc_.mul(x, xx);
+    auto ax = lc_.mul(ec_.a_, x);
+    auto b = lc_.konst(ec_.b_);
+    auto axb = lc_.add(ax, b);
+    auto rhs = lc_.add(axb, xxx);
+    lc_.assert_eq(yy, rhs);
+  }
+
+  void addE(EltW& X3, EltW& Y3, EltW& Z3, EltW X1, EltW Y1, EltW Z1, EltW X2,
+            EltW Y2, EltW Z2) const {
+    // The general case.
+    // Algorithm 1: Complete, projective point addition for arbitrary prime
+    // order short Weierstrass curves E/Fq : y^2 = x^3 + ax + b
+    // The compiler seems to optimize the cases when Z1,Z2=1.
+    EltW t0 = lc_.mul(X1, X2);
+    EltW t1 = lc_.mul(Y1, Y2);
+    EltW t2 = lc_.mul(Z1, Z2);
+    EltW t3 = lc_.add(X1, Y1);
+    EltW t4 = lc_.add(X2, Y2);
+    t3 = lc_.mul(t3, t4);
+    t4 = lc_.add(t0, t1);
+    t3 = lc_.sub(t3, t4);
+    t4 = lc_.add(X1, Z1);
+    EltW t5 = lc_.add(X2, Z2);
+    t4 = lc_.mul(t4, t5);
+    t5 = lc_.add(t0, t2);
+    t4 = lc_.sub(t4, t5);
+    t5 = lc_.add(Y1, Z1);
+    EltW X3t = lc_.add(Y2, Z2);
+    t5 = lc_.mul(t5, X3t);
+    X3t = lc_.add(t1, t2);
+    t5 = lc_.sub(t5, X3t);
+    auto a = lc_.konst(ec_.a_);
+    EltW Z3t = lc_.mul(a, t4);
+    auto k3b = lc_.konst(ec_.k3b);
+    X3t = lc_.mul(k3b, t2);
+    Z3t = lc_.add(X3t, Z3t);
+    X3t = lc_.sub(t1, Z3t);
+    Z3t = lc_.add(t1, Z3t);
+    EltW Y3t = lc_.mul(X3t, Z3t);
+    t1 = lc_.add(t0, t0);
+    t1 = lc_.add(t1, t0);
+    t2 = lc_.mul(a, t2);
+    t4 = lc_.mul(k3b, t4);
+    t1 = lc_.add(t1, t2);
+    t2 = lc_.sub(t0, t2);
+    t2 = lc_.mul(a, t2);
+    t4 = lc_.add(t4, t2);
+    t0 = lc_.mul(t1, t4);
+    Y3t = lc_.add(Y3t, t0);
+    t0 = lc_.mul(t5, t4);
+    X3t = lc_.mul(t3, X3t);
+    X3t = lc_.sub(X3t, t0);
+    t0 = lc_.mul(t3, t1);
+    Z3t = lc_.mul(t5, Z3t);
+    Z3t = lc_.add(Z3t, t0);
+
+    X3 = X3t;
+    Y3 = Y3t;
+    Z3 = Z3t;
+  }
+
+  void doubleE(EltW& X3, EltW& Y3, EltW& Z3, EltW X, EltW Y, EltW Z) const {
+    // The general case.
+    // Algorithm 3: Exception-free point doubling for arbitrary prime order
+    // short Weierstrass curves E/Fq : y^2 = x^3 + ax + b.
+    // The compiler will presumably optimize away 0 mults when a=0 and 1
+    // mults when Z = 1.
+    EltW t0 = lc_.mul(X, X);
+    EltW t1 = lc_.mul(Y, Y);
+    EltW t2 = lc_.mul(Z, Z);
+    EltW t3 = lc_.mul(X, Y);
+    t3 = lc_.add(t3, t3);
+    EltW Z3t = lc_.mul(X, Z);
+    Z3t = lc_.add(Z3t, Z3t);
+    auto a = lc_.konst(ec_.a_);
+    auto k3b = lc_.konst(ec_.k3b);
+    EltW X3t = lc_.mul(a, Z3t);
+    EltW Y3t = lc_.mul(k3b, t2);
+    Y3t = lc_.add(X3t, Y3t);
+    X3t = lc_.sub(t1, Y3t);
+    Y3t = lc_.add(t1, Y3t);
+    Y3t = lc_.mul(X3t, Y3t);
+    X3t = lc_.mul(t3, X3t);
+    Z3t = lc_.mul(k3b, Z3t);
+    t2 = lc_.mul(a, t2);
+    t3 = lc_.sub(t0, t2);
+    t3 = lc_.mul(a, t3);
+    t3 = lc_.add(t3, Z3t);
+    Z3t = lc_.add(t0, t0);
+    t0 = lc_.add(Z3t, t0);
+    t0 = lc_.add(t0, t2);
+    t0 = lc_.mul(t0, t3);
+    Y3t = lc_.add(Y3t, t0);
+    t2 = lc_.mul(Y, Z);
+    t2 = lc_.add(t2, t2);
+    t0 = lc_.mul(t2, t3);
+    X3t = lc_.sub(X3t, t0);
+    Z3t = lc_.mul(t2, t1);
+    Z3t = lc_.add(Z3t, Z3t);
+    Z3t = lc_.add(Z3t, Z3t);
+
+    X3 = X3t;
+    Y3 = Y3t;
+    Z3 = Z3t;
+  }
+
+  const LogicCircuit& lc_;
+  const EC& ec_;
+
+  Elt k2_, k3_;
+  Bitvec bits_n_;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_ECDSA_VERIFY_CIRCUIT_H_

data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_external_test.cc

@@ -0,0 +1,246 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <cctype>
+#include <cstddef>
+#include <cstdint>
+#include <cstdio>
+#include <cstring>
+
+// This test is meant to run once for 10^k repetitions to "fuzz" for any
+// possible error in completeness or soundness for our ecdsa verification
+// circuit. The test works by generating a random key, message, and signature
+// using openssl, and then verifying the signature using our circuit. Next, we
+// maul the signature by twiddling a single hex digit in the original 5-tuple,
+// and ensure that the resulting signature fails.  Allthough this only checks
+// that single edit distance changes cause failures, it is a basic test.
+//
+// $ blaze-bin/ecdsa/verify_external_test \
+//     --gunit_repeat 10000
+
+#include "circuits/ecdsa/verify_circuit.h"
+#include "circuits/ecdsa/verify_witness.h"
+#include "circuits/logic/evaluation_backend.h"
+#include "circuits/logic/logic.h"
+#include "ec/p256.h"
+#include "util/log.h"
+#include "gtest/gtest.h"
+#include "openssl/evp.h"
+#include "openssl/bn.h"
+#include "openssl/ec.h"
+
+#include "openssl/ecdsa.h"
+
+
+#include "openssl/rand.h"
+
+namespace proofs {
+namespace {
+
+// This test is specific to P256 via the external openssl dependencies.
+// Therefore the types are globally defined for convenience.
+using Field = Fp256Base;
+using Nat = Field::N;
+using Elt = Field::Elt;
+using EvalBackend = EvaluationBackend<Field>;
+using Logic = Logic<Field, EvalBackend>;
+using Verc = VerifyCircuit<Logic, Field, P256>;
+using Verw = VerifyWitness3<P256, Fp256Scalar>;
+
+struct signature_tuple {
+  char pkx[67];
+  char pky[67];
+  char e[67];
+  char r[67];
+  char s[67];
+};
+
+struct circuit_params {
+  Elt pkx, pky, e;
+  typename Verc::Witness vwc;
+};
+
+class ecdsa_params {
+ public:
+  EC_KEY* eckey_;
+  EC_GROUP* group_;
+
+  ecdsa_params() : eckey_(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)),
+      group_(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) { }
+
+  ~ecdsa_params() {
+    EC_KEY_free(eckey_);
+    EC_GROUP_free(group_);
+  }
+};
+
+// Generates a random key (pkx,pky) and a signature (r,s) on a random message e
+// using the openssl ECDSA implementation. These values are written as
+// null-terminated strings in hex format to the buffers passed in. The caller
+// must ensure that the buffers are at least 67 bytes long.
+// The goal is to produce an externally verified testing tuple for our own
+// implementation.
+bool gensig(signature_tuple& st, const ecdsa_params& params) {
+  if (!EC_KEY_generate_key(params.eckey_)) {
+    return false;
+  }
+
+  // Random message
+  unsigned char hash[32];
+  RAND_bytes(hash, sizeof(hash));
+
+  ECDSA_SIG* sig = ECDSA_do_sign(hash, sizeof(hash), params.eckey_);
+  if (!sig) {
+    return false;
+  }
+
+  // Get the signature components (r and s)
+  const BIGNUM* br = ECDSA_SIG_get0_r(sig);
+  const BIGNUM* bs = ECDSA_SIG_get0_s(sig);
+  char* r_hex = BN_bn2hex(br);
+  char* s_hex = BN_bn2hex(bs);
+
+  // Get the public key
+  const EC_POINT* pub_key = EC_KEY_get0_public_key(params.eckey_);
+  uint8_t buf[200];
+  EC_POINT_point2oct(params.group_, pub_key, POINT_CONVERSION_UNCOMPRESSED, buf,
+                     sizeof(buf), nullptr);
+
+  // Easiest interface to our circuit library is via hex-formatted strings.
+  // NOLINTBEGIN(runtime/printf)
+  snprintf(st.pkx, 3, "0x");
+  snprintf(st.pky, 3, "0x");
+  snprintf(st.e, 3, "0x");
+  for (size_t i = 0; i < 32; ++i) {
+    snprintf(&st.pkx[2 + i * 2], 3, "%02x", buf[i + 1]);
+    snprintf(&st.pky[2 + i * 2], 3, "%02x", buf[i + 33]);
+    snprintf(&st.e[2 + i * 2], 3, "%02x", hash[i]);
+  }
+  // NOLINTEND(runtime/printf)
+
+  snprintf(st.r, sizeof(st.r), "0x%.64s", r_hex);
+  snprintf(st.s, sizeof(st.s), "0x%.64s", s_hex);
+
+  // Clean up
+  ECDSA_SIG_free(sig);
+  OPENSSL_free(r_hex);
+  OPENSSL_free(s_hex);
+
+  return true;
+}
+
+char twiddle(char in) {
+  char d[] = "0123456789abcdef";
+  static size_t cnt = 5;
+  while (tolower(in) == d[cnt]) {
+    cnt = (cnt + 1) % 16;
+  }
+  return d[cnt];
+}
+
+void maulSignature(const signature_tuple& in, signature_tuple& out) {
+  out = in;
+
+  // Pick a (biased) random spot to twiddle.
+  uint8_t pos[2];
+  RAND_bytes(pos, 2);
+  char* fields[] = {out.r, out.s, out.e, out.pkx, out.pky};
+  size_t fi = pos[0] % 5;
+  size_t ind = (pos[1] % 62) + 2;
+  fields[fi][ind] = twiddle(fields[fi][ind]);
+}
+
+void prepare_witness(const signature_tuple& st, circuit_params& in,
+                     const Logic& l, const Field& F) {
+  Verw vw(p256_scalar, p256);
+
+  in.pkx = F.of_string(st.pkx);
+  in.pky = F.of_string(st.pky);
+  Nat e = Nat(st.e);
+  Nat r = Nat(st.r);
+  Nat s = Nat(st.s);
+  in.e = F.to_montgomery(e);
+
+  vw.compute_witness(in.pkx, in.pky, e, r, s);
+
+  in.vwc.rx = l.konst(vw.rx_);
+  in.vwc.ry = l.konst(vw.ry_);
+  in.vwc.rx_inv = l.konst(vw.rx_inv_);
+  in.vwc.s_inv = l.konst(vw.s_inv_);
+  in.vwc.pk_inv = l.konst(vw.pk_inv_);
+  for (size_t j = 0; j < 8; ++j) {
+    in.vwc.pre[j] = l.konst(vw.pre_[j]);
+  }
+  for (size_t j = 0; j < p256.kBits; j++) {
+    in.vwc.bi[j] = l.konst(vw.bi_[j]);
+    if (j < p256.kBits - 1) {
+      in.vwc.int_x[j] = l.konst(vw.int_x_[j]);
+      in.vwc.int_y[j] = l.konst(vw.int_y_[j]);
+      in.vwc.int_z[j] = l.konst(vw.int_z_[j]);
+    }
+  }
+}
+
+// This test verifies our ecdsa signature verification circuit against an
+// external implementation over randomly generated keys and messages.
+TEST(ECDSA, VerifyExternalP256) {
+  const Nat order =
+      Nat("0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551");
+
+  const Field& F = p256.f_;
+  const EvalBackend ebk(F, false);
+  const Logic l(&ebk, F);
+
+  Verc verc(l, p256, order);
+
+  ecdsa_params params;
+
+  for (size_t i = 0; i < 100; ++i) {
+    if (i % 10 == 0) {
+      log(INFO, "Iteration %zu", i);
+    }
+    signature_tuple st;
+    circuit_params in;
+    bool ok = gensig(st, params);
+    EXPECT_TRUE(ok);
+
+    prepare_witness(st, in, l, F);
+
+    verc.verify_signature3(l.konst(in.pkx), l.konst(in.pky), l.konst(in.e),
+                           in.vwc);
+
+    bool failed = ebk.assertion_failed();
+    if (failed) {
+      log(ERROR,
+          "Failed verification on:\npkx:%s\npky:%s\n  e:%s\n  r:%s\n  s:%s",
+          st.pkx, st.pky, st.e, st.r, st.s);
+    }
+    EXPECT_FALSE(failed);
+
+    // Modify one byte of the signature and ensure that it fails.
+    signature_tuple maul_st;
+    circuit_params maul_in;
+    for (size_t j = 0; j < 100; ++j) {
+      maulSignature(st, maul_st);
+      prepare_witness(maul_st, maul_in, l, F);
+      verc.verify_signature3(l.konst(maul_in.pkx), l.konst(maul_in.pky),
+                             l.konst(maul_in.e), maul_in.vwc);
+      failed = ebk.assertion_failed();
+      EXPECT_TRUE(failed);
+    }
+  }
+}
+
+}  // namespace
+}  // namespace proofs