Concrete Documentation | Concrete Documentation

Concrete documentation

Concrete

A small systems language for C and Rust programmers where authority, runtime risk, assumptions, and proof evidence are visible in the toolchain.

Project status: experimental. Compiler correctness and backend correctness are not fully proved today.

1. Abstract

Concrete's claim is the composition: systems control and evidence accounting in the same toolchain. It combines no GC systems code, linear ownership, explicit capabilities, contracts in source, Lean checked proof links, drift detection, and audit reports that refuse to hide trust.

The immediate claim is narrow: the toolchain should not let evidence silently lie. If a function body changes, authority widens, allocation appears, or a proof no longer matches the source, normal reports and CI gates should show that change.

2. What Makes It Different

Most nearby systems pick only part of this shape: Rust has strong ownership but external proofs; Zig and C give excellent control but little built in evidence tracking; SPARK, Dafny, F*, and Why3 have strong verification but are usually SMT heavy and not shaped like a small no GC systems language; Lean and Coq have excellent proof kernels but are not ordinary systems languages.

No GC systems code: fixed arrays, explicit control, no hidden runtime story by default.
Linear ownership plus explicit capabilities: functions show what they can touch.
Proofs attached to source: contracts and source linked Lean evidence can go stale when bodies drift.
Multiple evidence classes, not one green badge: Lean proof, kernel decision, SMT with named solver trust, oracle test, enforced, assumed, trusted, partial, stale, and vacuous are distinct.
Audit first philosophy: reports say what is proved, enforced, tested, assumed, and trusted.
Lean as compiler and proof substrate: selected user proofs are checked by Lean's kernel, and compiler soundness work can live in the same ecosystem.

3. Claim Shapes

The audit class matters as much as the code. A Lean theorem, a kernel decision procedure, an oracle test, and an external solver do not mean the same thing.

#[proof_by(Examples.ConstantTimeTag.Proofs.ct_compare_same_tag_correct)]
#[ensures_proof(Examples.ConstantTimeTag.Proofs.ct_compare_different_tag_correct)]
#[proof_coverage(iff)]
#[ensures((a == b && result == 1) || (a != b && result == 0))]
fn ct_compare(a: [u8; 16], b: [u8; 16]) -> i32 {
    let mut diff: u8 = 0;
    for (let mut i: i32 = 0; i < 16; i = i + 1) {
        diff = diff | (a[i] ^ b[i]);
    }
    if diff == 0 { return 1; }
    return 0;
}

Functional correctness, proved in Lean: proved_by_lean, coverage iff.

#[overflow_checked]
#[requires(0 <= off && off + 1 < len && len <= 512)]
fn read_u16_be(packet: [u8; 512], off: i32, len: i32) -> i32 {
    let hi: i32 = packet[off] as i32;
    let lo: i32 = packet[off + 1] as i32;
    return hi * 256 + lo;
}

Runtime safety discharged by kernel decision procedures: omega for bounds, bv_decide for overflow.

$ make test-hmac-oracle

hmac_sha256
  reference: Python hmac/hashlib
  vectors: RFC 4231, FIPS 180-4, 600 generated cases
  status: tested_by_oracle
  proof level: regression evidence, not proof

Oracle evidence is useful, but it stays below proof in the ledger.

#[requires(0 <= msg_len && msg_len <= 256)]
#[ensures(result <= 5)]
fn sha256_padded_blocks(msg_len: i32) -> i32 {
    return (msg_len + 9 + 63) / 64;
}

status: proved_by_smt
solver: z3
trust: solver_trusted
replay: none

External SMT is useful when policy allows it, but the solver and trust class are named.

assumed    explicit assumption, not proof
trusted    outside the proof model, named in audit
partial    one direction or point proved, not the full claim
stale      source changed after the proof was linked
vacuous    contract holds only because the premise is impossible
missing    proof eligible, but no proof is linked yet
unproven   obligation generated, not discharged
violation  runtime safety failure detected
invalid    malformed or ill scoped contract expression

Other statuses are not failures of vocabulary. They are how Concrete refuses to hide weaker evidence.

4. Evidence Model

Concrete separates claim classes instead of reducing everything to one green badge. The current audit vocabulary is deliberately explicit:

Claim	Status class	Current meaning
Capabilities	enforced	Function authority is tracked and reported.
User theorems	Lean kernel	Attached theorems are checked by Lean.
Proof drift	CI gated	Body/spec fingerprints downgrade stale proofs.
Oracle behavior	tested	Flagships carry differential or reference tests.
Extraction soundness	partial	Some source-to-ProofCore rules are proved; work continues.
LLVM/backend	trusted	Generated binary correctness is still in the trusted base.

5. Running Example

The narrow real-crypto example is a constant-time tag comparison. Its proof does not claim machine-level constant time. It proves a source property and names the remaining timing assumptions.

fn ct_compare(a: [u8; 16], b: [u8; 16]) -> Int {
    let diff: u8 = 0;
    let i: Int = 0;

    while i < 16 {
        set diff = diff | (a[i] ^ b[i]);
        set i = i + 1;
    }

    if diff == 0 { return 1; }
    return 0;
}

Listing 1. Source code stays ordinary: fixed arrays, byte operations, bounded loop, no allocation, no ambient authority.

$ concrete audit examples/constant_time_tag/src/main.con

proof:
  ct_compare_same_tag_correct: proved_by_lean
  coverage: one_direction

authority:
  capabilities: none
  allocation: none
  trusted code: none

assumptions:
  machine-level constant-time: assumed
  backend timing preservation: trusted

Listing 2. Audit output keeps proved facts separate from assumptions and trusted backend behavior.

6. Current Status

Example	Status	Purpose
parse_validate	graduated	Parser/protocol validation evidence.
crypto_verify	graduated	Authentication scaffolding with a toy MAC.
fixed_capacity	graduated	Bounded mutable state and array-update proofs.
constant_time_tag	graduated	Narrow real-crypto source proof with timing assumptions.
hmac_sha256	graduated	SHA-256/HMAC refinement chain against an independent spec.

7. HMAC Work

HMAC-SHA256 is the deepest proof artifact. The extracted Concrete source is linked to Lean checked refinements against an independent SHA-256/HMAC specification, with drift gates tying the proof claim to the exact source body.

Source contracts and proof links stay in source.
Loop and bitvector obligations use reusable ProofKit machinery.
Oracle tests remain regression evidence, not proof.
Backend and machine-level behavior remain named trust boundaries.

8. What Concrete Does Not Claim Yet

Concrete is not a verified compiler today. It does not yet prove generated binary correctness, whole-program constant-time behavior, or every source-to-ProofCore extraction rule. Source contracts, generated verification conditions, SMT assistance, ghost state, and gradual runtime checks are roadmap work, not shipped language features.

9. Read Next

Getting startedBuild the compiler and run a program.
Provable subsetWhat can carry Lean backed evidence today.
SafetyCapabilities, trusted code, Unsafe, and proof boundaries.
PaperResearch-style statement and build notes.
RoadmapActive sequencing and open proof work.