@patrick-ogrady patrick-ogrady commented Jan 3, 2026

Uses aws-lc-rs for secp256r1 signature verification on x86_64 and aarch64. This provides a C/assembly backend similar to blst (BLS12-381), significantly improving on the performance of pure-Rust p256.

We still retain p256 for signing (for RFC6979) and for recoverable signatures. Falls back to the p256 crate on other architectures (e.g., wasm32).

Fixes #2681

Performance

| Implementation | Verification Time | Speedup |
|---|---|---|
| p256 (pure Rust) | ~192 µs | baseline |
| aws-lc-rs | ~34 µs | 5.7x faster |

cloudflare-workers-and-pages bot commented Jan 3, 2026

Deploying with Cloudflare Workers

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | commonware-mcp | 266c93c | Jan 03 2026, 07:19 PM |

@patrick-ogrady patrick-ogrady force-pushed the only-instrument-workspace branch from 40fe594 to 86fbf15 Compare January 3, 2026 17:45

cloudflare-workers-and-pages bot commented Jan 3, 2026

Deploying monorepo with Cloudflare Pages

Latest commit: 266c93c
Status: ✅  Deploy successful!
Preview URL: https://d9ee1813.monorepo-eu0.pages.dev
Branch Preview URL: https://only-instrument-workspace.monorepo-eu0.pages.dev

@patrick-ogrady patrick-ogrady force-pushed the only-instrument-workspace branch 3 times, most recently from 920cbb1 to 9e638f8 Compare January 3, 2026 17:55
The p256 crate (used for secp256r1) is pure Rust with no assembly/C
backend, unlike blst (BLS12-381) which uses C with assembly, or
ed25519-consensus which has optimized backends. When LLVM coverage
instrumentation was applied via RUSTFLAGS, all Rust code including
dependencies got instrumented. The tight cryptographic loops in p256
became significantly slower due to instrumentation overhead, causing
the 1000-view secp256r1 tests to time out.

This change uses RUSTC_WORKSPACE_WRAPPER to only instrument workspace
crates, not dependencies. A wrapper script adds the coverage flags only
when invoked by Cargo for workspace crates, leaving dependencies
uninstrumented.

Fixes #2681

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
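
The commit message above describes a wrapper script set through RUSTC_WORKSPACE_WRAPPER. The following is an added example of such a wrapper, not the script from this pull request; the file name `coverage-wrapper.sh` and the `COVERAGE_OFF` switch are assumptions.

```shell
#!/bin/sh
# coverage-wrapper.sh (hypothetical name): added example, not the PR's script.
# Cargo runs RUSTC_WORKSPACE_WRAPPER only for workspace members, as:
#   <wrapper> <path-to-rustc> <rustc arguments...>
# Dependencies are compiled by plain rustc and stay uninstrumented.
# Usage: RUSTC_WORKSPACE_WRAPPER=/path/to/coverage-wrapper.sh cargo test

coverage_rustc() {
    rustc="$1"
    shift

    # Assumed escape hatch for builds that should not be instrumented.
    if [ "${COVERAGE_OFF:-0}" = "1" ]; then
        "$rustc" "$@"
        return
    fi

    # Do not add the flag a second time if it is already present
    # (for example, inherited from RUSTFLAGS).
    for arg in "$@"; do
        case "$arg" in
            *instrument-coverage*)
                "$rustc" "$@"
                return
                ;;
        esac
    done

    # Workspace crate: enable LLVM source-based coverage.
    "$rustc" "$@" -C instrument-coverage
}

# Run only when invoked with arguments (by Cargo), so the file can also
# be sourced to test coverage_rustc directly.
if [ "$#" -gt 0 ]; then
    coverage_rustc "$@"
fi
```
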
@patrick-ogrady patrick-ogrady force-pushed the only-instrument-workspace branch from 9e638f8 to 9972965 Compare January 3, 2026 18:13
patrick-ogrady and others added 6 commits January 3, 2026 11:03
- Add aws-lc-rs dependency for x86_64 and aarch64 platforms
- Use aws-lc-rs for P-256 ECDSA verification (~4-6x faster)
- Keep p256 for signing (preserves RFC 6979 deterministic signatures)
- Automatic platform detection (no feature flag needed)
- Falls back to p256 on unsupported platforms (WASM, etc.)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@patrick-ogrady patrick-ogrady changed the title [coverage] only instrument workspace crates, not dependencies [cryptography] use aws-lc-rs for optimized secp256r1 verification Jan 3, 2026
@patrick-ogrady patrick-ogrady marked this pull request as ready for review January 3, 2026 19:47
@patrick-ogrady patrick-ogrady merged commit fd8d2bb into andre/exclude-1k-secp256r1-test-coverage Jan 3, 2026
119 checks passed
@patrick-ogrady patrick-ogrady deleted the only-instrument-workspace branch January 3, 2026 19:48

codecov bot commented Jan 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.77%. Comparing base (74f6b05) to head (266c93c).
⚠️ Report is 3 commits behind head on andre/exclude-1k-secp256r1-test-coverage.

@@                            Coverage Diff                            @@
##           andre/exclude-1k-secp256r1-test-coverage    #2684   +/-   ##
=========================================================================
  Coverage                                     92.77%   92.77%           
=========================================================================
  Files                                           362      362           
  Lines                                        105109   105115    +6     
=========================================================================
+ Hits                                          97518    97525    +7     
+ Misses                                         7591     7590    -1     

| Files with missing lines | Coverage Δ |
|---|---|
| consensus/src/ordered_broadcast/mod.rs | 99.04% <ø> (ø) |
| consensus/src/simplex/mod.rs | 98.87% <ø> (ø) |
| cryptography/src/secp256r1/common.rs | 88.00% <100.00%> (+0.08%) ⬆️ |
| cryptography/src/secp256r1/standard.rs | 95.65% <100.00%> (+0.03%) ⬆️ |

... and 1 file with indirect coverage changes


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data