@mathmasterzach (Contributor)

  • Adds secp256k1 ECDSA verification example
  • Adds an API for secp256k1 base field, scalar field, and point operations built on lightweight inlines.
  • Adds an optional InlineTraceFunction to allow for custom trace generation for user defined inlines (e.g. supplying a/b as advice to a user defined inline).
  • Exposes VirtualAssertEQ to allow for "halt-and-catch-fire" style instructions outside of inlines (to spoil proofs when conditions aren't met).
  • Modifies linker script to remove DWARF call frame information. This shrinks binaries and avoids issues with long distance .eh_frame relocations.

@0xAndoroid self-requested a review December 19, 2025 20:18

@0xAndoroid (Collaborator)

Sorry for the delay, will review today.

@0xAndoroid (Collaborator) left a comment

Thanks for taking this task on, and sorry for the delay in the review process.
Mostly some nits; the one big change is to replace the custom trace function with a custom advice function or something, and to not spoil the proof on signature verification.

There's also a pending question about how this advice is going to interact with GPU.

@0xAndoroid (Collaborator)

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

@0xAndoroid (Collaborator) left a comment

Additional Review: Incorrect hcf() Usage

The hcf() function should only be used when advice is invalid (the prover is cheating). For invalid user input, use a regular panic!() so the proof remains valid but execution terminates.

Incorrect usages that should use panic!() instead of hcf():

  1. sdk.rs:74 - Secp256k1Fq::from_u64_arr - Invalid field element from user input
  2. sdk.rs:236 - Secp256k1Fr::from_u64_arr - Invalid field element from user input
  3. sdk.rs:383 - Secp256k1Point::new - Point not on curve from user input

Remove ecdsa_verify_hard_fail entirely (sdk.rs:793-807)

Per the design requirements:

  • Valid signature → successful proof, no panic
  • Invalid signature → successful proof with panic or Err() return
  • Invalid advice → spoil proof via hcf()

ecdsa_verify_hard_fail using hcf() for invalid signatures is incorrect - it spoils the proof when it should just panic normally. Since ecdsa_verify_soft_fail already handles the correct behavior (returning Result), this hard fail variant should be removed to avoid misuse.

Correct usages (keep as-is):

  • sdk.rs:193 - Fq::div advice verification (c*b==a) ✓
  • sdk.rs:330 - Fr::div advice verification (c*b==a) ✓
  • sdk.rs:347 - Fr::div canonical form check ✓
  • sdk.rs:617 - decompose_scalar advice verification ✓

@0xAndoroid (Collaborator) left a comment

Review: Incorrect hcf() usage

@0xAndoroid (Collaborator)

The conclusion on the hcf is to replace the return type of all of these functions with Result<T, SecpError> and then have a new trait UnwrapOrSpoilProof that would be implemented for this Result; calling .unwrap_or_spoil_proof() would spoil the proof.
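The Result<T, SecpError> plus UnwrapOrSpoilProof design proposed in the comment above, together with the hcf()-versus-panic!() rules from the earlier review, sketched as an added Rust example (not code from this PR or the project's SDK). The small modulus, the SecpError variants, the flag-recording hcf() stand-in and div_with_advice are assumptions made so that the two failure modes (user-input error vs. bad prover advice) can be observed offline.

```rust
use std::sync::atomic::{AtomicBool, Ordering};

/// Toy modulus (the Mersenne prime 2^61 - 1) standing in for secp256k1's field so that
/// u128 arithmetic suffices; the real 256-bit moduli need multi-limb arithmetic.
pub const P: u64 = (1u64 << 61) - 1;

/// Errors caused by invalid *user input*. Returning Err (or panicking) keeps the proof
/// valid: it is an honest proof that the guest rejected the input.
#[derive(Debug, PartialEq)]
pub enum SecpError { NonCanonical, DivisionByZero }

// Assumed stand-in for the SDK's hcf(): the real one spoils the proof via a virtual
// assert. Here it records that it fired and then diverges, so the behaviour is observable.
static PROOF_SPOILED: AtomicBool = AtomicBool::new(false);
fn hcf() -> ! {
    PROOF_SPOILED.store(true, Ordering::SeqCst);
    panic!("hcf: advice was invalid, proof spoiled");
}
pub fn proof_spoiled() -> bool { PROOF_SPOILED.load(Ordering::SeqCst) }

/// The trait proposed in the review: an Err that reaches this call means the *prover*
/// supplied bad advice, so the only acceptable outcome is a spoiled proof.
pub trait UnwrapOrSpoilProof<T> { fn unwrap_or_spoil_proof(self) -> T; }
impl<T> UnwrapOrSpoilProof<T> for Result<T, SecpError> {
    fn unwrap_or_spoil_proof(self) -> T {
        match self { Ok(v) => v, Err(_) => hcf() }
    }
}

/// User-input validation: a non-canonical value is the user's fault, not the prover's.
pub fn from_u64(x: u64) -> Result<u64, SecpError> {
    if x < P { Ok(x) } else { Err(SecpError::NonCanonical) }
}

pub fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }

/// Division with prover-supplied advice c claiming c = a / b, mirroring the "c*b == a"
/// check. A zero divisor is a user-input error (Err); advice failing the check means the
/// prover cheated, so the proof is spoiled rather than the guest merely panicking.
pub fn div_with_advice(a: u64, b: u64, advice_c: u64) -> Result<u64, SecpError> {
    if b == 0 { return Err(SecpError::DivisionByZero); }
    if advice_c >= P || mul(advice_c, b) != a { hcf(); }
    Ok(advice_c)
}

fn main() { println!("{:?}", div_with_advice(6, 3, 2)); } // Ok(2): honest advice
```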

@0xAndoroid (Collaborator) left a comment

Thanks for pushing this through @mathmasterzach
Great work!

@0xAndoroid merged commit 3b44bc0 into a16z:main on Jan 9, 2026
14 checks passed