ECDSA Autoresearch Harness

This repository is an autoresearch workspace for fault-tolerant ECDLP resource estimates, with the current effort centered on a proof-aware direct reconstruction of the Chevignard-style low-space P-256 attack.

Current status

The highest-priority stack in this repo is now the direct P-256 Qualtran-style accounting path:

• current full search-surface winner: 885 logical qubits
• Toffolis per run: 838,466,125,395
• depth: 852,992,614,052
• runs: 22
• exact paper-only floor: 1193
• best paper-motivated floor: 1017
• compiled witness ratio-projection band from n=64,96,128: 1061-1069
• phase-isolated Legendre witness at n=128: 412 -> 375
• full current proof-aware surface size: 22,394,880 configurations

The current audited winner is tracked in:

• ecdsa_autoresearch/qualtran_chevignard_p256_candidate.py
• CHEVIGNARD_P256_897_CLAIM_AUDIT.md
• CHEVIGNARD_P256_897_REPO_ENGINEERING_GAP.md
• CHEVIGNARD_P256_897_PROOF_ROADMAP.md

The filenames above still contain 897 for continuity, but their contents are kept up to date with the current audited floor.

There is also a separate experimental proof-aware secp256k1 track. It is kept fully isolated from the P-256 leaderboard:

• current experimental secp256k1 winner: 1137 logical qubits
• Toffolis per run: 840,664,542,458
• depth: 838,004,479,352
• runs: 22
• exact paper-explicit floor on the isolated scaffold: 1193
• best paper-motivated floor: 1155
• full current experimental surface size: 9 configurations

The experimental secp256k1 audit is tracked in:

• ecdsa_autoresearch/qualtran_chevignard_secp256k1_candidate.py
• CHEVIGNARD_SECP256K1_EXPERIMENTAL_AUDIT.md

Stack priority

1. Proof-aware direct P-256 stack

This is the main research path and the one to prioritize for new work.

Core modules:

• ecdsa_autoresearch/qualtran_chevignard_p256_backend.py
• ecdsa_autoresearch/qualtran_chevignard_p256_candidate.py
• ecdsa_autoresearch/qualtran_chevignard_p256_independent_counter.py
• ecdsa_autoresearch/qualtran_chevignard_p256_liveness.py
• ecdsa_autoresearch/qualtran_chevignard_p256_provenance_gap.py
• ecdsa_autoresearch/qualtran_chevignard_p256_transcription.py
• ecdsa_autoresearch/qualtran_chevignard_p256_spooky_pebbling.py

What this stack already does:

• reproduces the paper-faithful P-256 -> 1193 baseline
• tracks a paper-motivated restricted surface separately from the full surface
• runs exhaustive width-first search over the direct P-256 knob space
• checks the winner with an independent closed-form counter
• exposes a stage-by-stage liveness breakdown
• proves the P-256 spooky-pebbling cleanup trace step by step
• quantifies how much of the gap below 1017 depends on repo-engineered knobs

Start here:

python3 -m ecdsa_autoresearch.cli audit-chevignard-p256-liveness --use-current-winner
python3 -m ecdsa_autoresearch.cli audit-chevignard-p256-provenance-gap
python3 -m ecdsa_autoresearch.cli run-chevignard-p256-proof-search \
  --initial-config current-winner \
  --rounds 8 \
  --max-changes-per-trial 2 \
  --no-build --no-cache

Useful constrained searches:

python3 -m ecdsa_autoresearch.cli run-chevignard-p256-proof-search \
  --initial-config paper-motivated-best \
  --max-repo-engineered-knobs 6 \
  --rounds 8 \
  --max-changes-per-trial 2 \
  --no-build --no-cache

python3 -m ecdsa_autoresearch.cli run-chevignard-p256-proof-search \
  --initial-config paper-motivated-best \
  --max-repo-engineered-knobs 7 \
  --rounds 8 \
  --max-changes-per-trial 2 \
  --no-build --no-cache

Latest capped-search confirmations on the current surface:

• max 6 repo-engineered knobs: 886 qubits
• max 7 repo-engineered knobs: 885 qubits
• unrestricted current winner: 885 qubits

2. Experimental proof-aware secp256k1 stack

This is a separate curve-specific track for pseudo-Mersenne reduction and GLV-style decomposition experiments. It is useful for audited side exploration, but it does not change the P-256 claim.

Core modules:

• ecdsa_autoresearch/qualtran_chevignard_secp256k1_backend.py
• ecdsa_autoresearch/qualtran_chevignard_secp256k1_candidate.py
• ecdsa_autoresearch/qualtran_chevignard_secp256k1_independent_counter.py
• ecdsa_autoresearch/qualtran_chevignard_secp256k1_liveness.py
• ecdsa_autoresearch/qualtran_chevignard_secp256k1_provenance_gap.py

What this stack currently does:

• keeps a paper-explicit baseline separate from a paper-motivated floor
• models only two curve-specific families in this pass:
  • special_prime_strategy
  • endomorphism_strategy
• exposes an independent counter, liveness audit, and provenance-gap report
• runs its own small proof-aware search without touching the P-256 surface

Start here:

python3 -m ecdsa_autoresearch.cli audit-chevignard-secp256k1-liveness --use-current-winner
python3 -m ecdsa_autoresearch.cli audit-chevignard-secp256k1-provenance-gap
python3 -m ecdsa_autoresearch.cli run-chevignard-secp256k1-proof-search \
  --initial-config current-winner \
  --rounds 4 \
  --max-changes-per-trial 2 \
  --no-build --no-cache

3. Qualtran-native low-space authoring stack

This is the secondary symbolic research path for low-space ideas that are not specific to the direct P-256 proof surface.

Core modules:

• ecdsa_autoresearch/qualtran_low_space_backend.py
• ecdsa_autoresearch/qualtran_low_space_candidate.py

Typical commands:

python3 -m ecdsa_autoresearch.cli doctor-qualtran-backend
python3 -m ecdsa_autoresearch.cli show-qualtran-low-space-calibration
python3 -m ecdsa_autoresearch.cli evaluate-candidate \
  --module ecdsa_autoresearch.qualtran_low_space_candidate
python3 -m ecdsa_autoresearch.cli run-search-loop \
  --module ecdsa_autoresearch.qualtran_low_space_candidate \
  --rounds 2

This stack is where explicit Python-authored low-space arithmetic and compression ideas live without routing everything through the legacy Microsoft estimator path.

4. Q# and calibration stack

This is now a supporting stack rather than the main research surface.

Core modules:

• ecdsa_autoresearch/qsharp_backend.py
• ecdsa_autoresearch/low_space_backend.py
• ecdsa_autoresearch/calibration.py

What this stack is for:

• cached component-level Microsoft estimator projections
• reference-profile capture and backtesting
• legacy low-space calibration against known shapes

Typical commands:

python3 -m ecdsa_autoresearch.cli doctor
python3 -m ecdsa_autoresearch.cli build-qsharp-backend
python3 -m ecdsa_autoresearch.cli list-qsharp-component-sets
python3 -m ecdsa_autoresearch.cli estimate-qsharp-component-set \
  --set-name arithmetic_smoke \
  --n-qubits 16 \
  --no-build
python3 -m ecdsa_autoresearch.cli run-backtest-loop \
  --name chevignard_2026_low_space_reference_n30 \
  --iterations 3 \
  --no-build

5. Shared harness and baseline stack

These modules stay important because they define the common comparison layer:

• ecdsa_autoresearch/baselines.py
• ecdsa_autoresearch/models.py
• ecdsa_autoresearch/evaluator.py
• ecdsa_autoresearch/search_loop.py

They provide:

• frozen benchmark tracks
• literature reference points
• lexicographic and Pareto comparisons
• generic search-loop machinery

What is implemented

• a frozen benchmark schema with two tracks:
  • standard_shor
  • low_space_multi_run
• literature baselines for:
  • Roetteler et al. 2017
  • H"aner et al. 2020
  • Chevignard et al. 2026
• a generic evaluator with success-probability and run-count constraints
• a Q#-backed component cache and calibration path
• a separate low-space backend and reference-profile backtest loop
• a Qualtran-native low-space backend
• a direct Chevignard-style reconstruction path
• a proof-aware direct P-256 reconstruction path with:
  • literal Algorithm 1/2/4 transcription
  • exact P-256 spooky-pebbling transcription
  • formal ghost-state cleanup proof
  • independent counter cross-check
  • liveness audit
  • provenance-gap analysis
  • exhaustive surface search
  • reduced-instance compiled witness checks for the biggest width-saving schedule families
  • combined-winner n=32 compiled witness for all eight repo-engineered schedule knobs at once
  • compiled-vs-model scaling checks at n=16,32,48,64,96,128
  • family-by-family reduced-instance scaling deltas for the eight winner-side witness knobs
  • interaction-aware marginal scaling for the full winner and a separate Legendre-dominant witness shape
  • arithmetic correctness checks for the carry-save residue-overlay path
• a separate experimental proof-aware secp256k1 path with:
  • isolated curve-specific pseudo-Mersenne and GLV families
  • independent counter cross-check
  • liveness audit
  • provenance-gap analysis
  • proof-search smoke validation

What is not implemented yet

• an independently written second implementation of the direct P-256 winner
• a second resource-estimation stack that reproduces the same 885 winner
• full reduced-instance arithmetic circuit instantiation proving the liveness model from explicit compiled circuits instead of schedule-only witnesses
• a paper-faithful proof that the paper's exact circuit, without repo-engineered substitutions, reaches the current optimized floor

Quick start

List baselines:

python3 -m ecdsa_autoresearch.cli list-baselines

Evaluate the default editable candidate surface:

python3 -m ecdsa_autoresearch.cli evaluate-candidate

Run the full test suite:

python3 -m unittest discover -s tests -v

Inspect the current direct P-256 winner:

python3 -m ecdsa_autoresearch.cli audit-chevignard-p256-liveness --use-current-winner
python3 -m ecdsa_autoresearch.cli audit-chevignard-p256-provenance-gap
python3 -m ecdsa_autoresearch.cli audit-chevignard-p256-compiled-witness --use-current-winner --family-scaling --marginal-scaling
python3 -m ecdsa_autoresearch.cli audit-chevignard-p256-compiled-witness --use-current-winner --family-scaling --bitsize 16 --bitsize 32 --bitsize 48 --bitsize 64 --bitsize 96 --bitsize 128 --write-scaling-svg artifacts/p256_compiled_witness_scaling.svg
python3 -m ecdsa_autoresearch.cli audit-chevignard-p256-compiled-witness --use-current-winner --witness-shape legendre_dominant --marginal-scaling --bitsize 32 --bitsize 64 --bitsize 96 --bitsize 128

Inspect the current experimental secp256k1 winner:

python3 -m ecdsa_autoresearch.cli audit-chevignard-secp256k1-liveness --use-current-winner
python3 -m ecdsa_autoresearch.cli audit-chevignard-secp256k1-provenance-gap

Run the generic module-driven search loop:

python3 -m ecdsa_autoresearch.cli run-search-loop --rounds 3

Notes on environments

The proof-aware direct P-256 stack is pure Python and does not require the optional Qualtran package at runtime.

The isolated experimental secp256k1 proof-aware stack is also pure Python and shares the same accounting-first workflow.

Some optional backends and tests do depend on a separate Qualtran environment. If you want that path, set it up with:

/opt/homebrew/bin/python3.12 -m venv .venv-qualtran
.venv-qualtran/bin/pip install -r requirements-qualtran.txt

PennyLane is available in that environment because downstream circuit export and inspection may be useful, but the P-256 proof-aware counting path in this repo remains accounting-first rather than simulator-first.

The reduced-instance compiled witness checks do use that Qualtran environment, because they compile explicit small-n allocation schedules and measure peak live qubits from the compiled event trace. The current witness bridge now includes:

• the full eight-knob current winner at n=32
• scaling checks at n=16,32,48,64,96,128
• a family-by-family breakdown for the eight winner-side witness knobs
• a full-winner marginal breakdown showing that the combined small-n bridge is saturated while the Legendre-dominant bridge recovers hidden Legendre-side gains
• a ratio-projected schedule-only caution band of 1061-1069 at n=256
• an SVG plot written to artifacts/p256_compiled_witness_scaling.svg when requested from the CLI