IxVM kernel: cut Aiur FFT cost on reduction- and check-heavy shards (#438)

* IxVM: cheaper Expr.Share / universe lookups (list_drop + field index)

Expr.Share resolution and universe lookups walked the sharing/univ lists
with `list_lookup_u64` (per-step `u64_is_zero` + `relaxed_u64_pred`). Switch
to:

- universe lookups: `list_lookup(univs, flatten_u64(idx))` — cheap per-step
  field subtraction instead of the U64 predecessor.
- Expr.Share (Convert convert_expr + Ingress deref_share):
  `let ListNode.Cons(e, _) = load(list_drop(sharing, flatten_u64(idx)));`.
  list_drop returns the sublist *pointer*; repeated Share lookups collapse
  to shared memo entries, so the walk is near-free.

Measured on `lake exe ix check --ixe init.ixe --ixes init.ixes --shard 10`
(Init, owned=3, closure=676): total FFT 3.89G -> 2.11G. The merged
pointer-list walk drops from 1.93G (list_lookup) to 5.8M (list_drop, 0.27%).

(Measurement run had in-circuit blake3 verification disabled — not committed.)

* IxVM: hot/cold split address_eq on a limb-0 prefilter

The primitive-dispatch gauntlet in whnf compares each Const head against ~50
known primitive addresses, so address_eq is the single hottest circuit. The
full 32-limb compare ran at width 109 on every call.

Split it: `address_eq` now compares limb 0 only and rejects (the common case —
a single differing limb proves inequality), delegating the remaining 31-limb
compare to a separate `address_eq_tail`. Because Aiur charges a function's full
width on every one of its rows, the cold path must be a separate function (a
nested match in address_eq changes nothing — measured identical); as its own
circuit, address_eq_tail's height is only the rare limb-0-match rows.

Measured on `lake exe ix check --ixe init.ixe --ixes init.ixes --shard 10`:
- address_eq: width 109 -> 80, FFT 509.8M -> 374.1M
- address_eq_tail (new): width 108, height 1683, FFT 1.9M
- total shard FFT: 2.106G -> 1.973G

Limb-0 is the sweet spot: hot height (259991) dominates tail height (1683), so
pulling a second limb forward (N=2) widens the hot circuit by more than it
saves in the tail (measured 1.976G, worse). Result is identical to a full
32-limb compare (sound).

(Measurement run had in-circuit blake3 verification disabled — not committed.)

* IxVM: hot/cold split whnf_with_spine (Const + Proj head dispatch)

whnf_with_spine is the single hottest circuit on reduction-heavy consts: width
89 charged on every one of its 3.36M rows. The width was set by two arms that
only a minority of rows reach — the Const-head dispatch (delta/iota/quot/prim
gauntlet) and the Proj-head reduction.

Factor both into their own functions (`whnf_const_head`, `whnf_proj_head`).
Because Aiur charges a function's full width on every row, the ~76% of steps
that are App/Lam/Let now run at the narrow residual width instead of 89; the
wide dispatch only taxes its own (smaller) row count.

Measured on `lake exe ix check --ixe init.ixe --ixes init.ixes --shard 9`
(1 reduction-heavy owned const):
- whnf_with_spine: width 89 -> 34, FFT 6.48G -> 2.48G
- whnf_const_head (new): width 77, height 821490, FFT 1.24G
- whnf_proj_head (new): width 56, height 3452, FFT 0.002G
- total shard FFT: 45.54G -> 42.78G (-6.1%)

The Proj arm is rare (3452 rows) but was nearly half the width; extracting it
dropped whnf_with_spine 65 -> 34 for ~zero relocated cost. Pure refactor.

* IxVM: non-tail collect_spine, single shared definition

Replace the tail-recursive `collect_spine_go(e, acc)` (and its verbatim copy
`collect_spine_simple_go`) with one non-tail `collect_spine(e)` in the
kernelTypes block. Repoint all callers (whnf, primitive, inductive_check,
def_eq); delete both old copies. Keyed on `e` alone, it now dedups shared
sub-spines (0 -> 2.19M cache hits).

Measured on `lake exe ix check --ixe init.ixe --ixes init.ixes --shard 9`:
- collect_spine: 5.38M rows / 2.65G -> 2.17M rows / 0.96G
- list_snoc.Ptr: +0.96G (new)
- total shard FFT: 42.78G -> 41.67G

* IxVM: keyed skip-set for sharded check (replace addr_in_list scan)

check_all_skipping tested each closure const against the assumption-leaf list
via addr_in_list, an O(N) linear address_eq scan — the single largest address_eq
source on sharded checks (1.81M calls on Init shard 9, more than all primitive
dispatch combined).

Build an RBTreeMap skip-set once (keyed on the first 4 address bytes), then test
membership with one rbtree lookup + one confirming address_eq. Key collisions
overwrite: sound because a missed skip only rechecks a frontier const, and the
confirming address_eq rules out false positives.

Measured on `lake exe ix check --ixe init.ixe --ixes init.ixes --shard 9`:
- address_eq: 2.07M rows / 3.48G -> 274K rows / 0.40G
- rbtree build + lookups: +~0.46G
- total shard FFT: 41.67G -> 37.84G

* IxVM: collapse symbolic-base Nat.rec succ-tower to an offset

try_nat_linear_rec only folded `Nat.rec base (λ_ ih => succ ih) (Lit n)` when
the base was also a literal; a symbolic base declined and fell through to n
iota steps that materialize succ^n(base). Reduce the symbolic-base case
directly to the offset primitive `Nat.add base (Lit n)` instead.

This keeps the value in the same compact `base + n` form a literal already has,
so def-eq comparing it converges instead of descending n unary succ layers (the
UTF-8 `x + 0xC0` reduction class). Offset magnitude stays KLimbs; only the
nat_add top-position index is a (small) G.

Measured on a `x + D = Nat.rec x succ-step D` benchmark: the unary def-eq
descent collapses (nat_succ_of D -> ~constant), ~-15% total FFT at D=512. The
remaining cost is the in-whnf chain reduction (substitution), unchanged here.

* IxVM: keep Nat base+literal compact (stop succ-tower materialization)

Reducing `Nat.add x (Lit n)` (symbolic x) delta-unfolded into a succ^n(x)
tower, and the nat_succ dispatch then whnf-cascaded the whole chain — O(n)
substitution per reduction, the dominant cost on Nat-arithmetic proofs (the
UTF-8 codec class).

Two coordinated changes:
- whnf (try_nat_offset_stuck): leave `Nat.add base (Lit n)` (non-literal base,
  nonzero n) stuck as a compact offset instead of unfolding it.
- def-eq (nat_offset_of + try_def_eq_nat): decompose each side to base + KLimbs
  offset (reading `Nat.add base (Lit m)` in O(1), peeling the few succs whnf
  exposes) and decide `base_a ≟ base_b` only when offsets are equal; otherwise
  fall back. All magnitudes stay KLimbs (no Goldilocks collapse).

Measured on `x + D = Nat.rec x succ-step D` (depths 64..512): total FFT goes
from O(D) (328M at D=512) to a depth-independent ~28.5M (-91% at D=512). Full
`lake test -- --ignored ixvm` passes (297 tests; BAD cases still rejected);
a recursor-on-symbolic-offset completeness test reduces correctly.

* IxVM: keep symbolic Nat.div/mod stuck (stop division-tower blowup)

`Nat.div x (Lit k)` / `Nat.mod x (Lit k)` with a symbolic base delta-unfolded
the division algorithm and expanded hugely, even though the result is
irreducible for a symbolic base. `Nat.shiftRight x k` unfolds to k nested
`Nat.div _ 2`, so a symbolic `>>>` materialized a deep, super-linear tower —
the dominant cost in the UTF-8 codec's `c >>> 6/12/18` encoding.

Generalize `try_nat_offset_stuck` (which already keeps `Nat.add base (Lit n)`
compact) to also leave `Nat.div`/`Nat.mod base (Lit k)` (k ≥ 2) stuck. Thresholds
keep `x/1 = x` and `x/0 = 0` reducing. Both `x >>> 18` and `(x >>> 9) >>> 9` then
reduce to the same nested-stuck-div form, so def-eq stays structural and the
identity still holds.

Measured on `x >>> 18 = (x >>> 9) >>> 9`: total FFT 15.65G -> 455M (-97%), now
depth-independent (matches `x >>> 6`). No regression on the Nat.add reproducers;
full `lake test -- --ignored ixvm` passes (297 tests).

* IxVM: narrow Ixon expr deserialization (Let split + telescope by &Expr)

Ingress deserialization (parsing every closure const's Ixon bytes into Expr
trees) is the dominant cost when checking large-closure constants. Two width
cuts on the hottest parsers:

- get_expr: the Let arm (three recursive get_expr calls) set the function width
  though Let is rare. Factored into get_expr_let — width 102 -> 75.
- get_app_telescope: passed `func` by value (the wide Expr union) on every
  recursion step. Pass it by `&Expr`, loaded only at the base case — width
  95 -> 78.

Measured by profiling ingress of the `ByteArray.utf8DecodeChar?…` closure
(2000 consts): get_expr 766M -> 563M, get_app_telescope 477M -> 392M, total
ingress FFT 3.13G -> 2.85G. Full `lake test -- --ignored ixvm` passes (297).

* IxVM: lbr-trimmed context keys for whnf/infer/def-eq memoization

Key whnf / k_infer / k_is_def_eq memoization on the loose-bvar-reachable
suffix of the local context (ctx_trim / ctx_reachable), mirroring Rust's
whnf_key / infer_key / def_eq_ctx_key. A closed subterm (lbr 0) keys to
the empty context and shares its result across every binder depth; eager
substitution is unchanged. Fast paths (closed -> Nil, full-reach -> as-is)
keep the boundary cheap.

FFT (lake exe ix check <const> --stats-out): Nat.add_comm 58.28M -> 57.90M
(-0.66%); Int.emod_emod_of_dvd 5.090G -> 4.691G (-7.85%); Init shard 10
4.738G -> 4.721G (-0.37%). 297 ixvm tests pass.

* ix CLI: resolve private Lean.Name args in check/prove

parseName can't rebuild a private name (_private.M.0.foo) from its
display string -- the marker / scope-index components don't round-trip
through naive dot-splitting. Add toString fallbacks: resolveName for the
compiled-in env and resolveIxeAddr for a .ixe env, so check and prove
(which share forEachClaim) resolve names like
_private.Init.Data.Vector.Extract.0.Vector.extract_append._proof_1
across both the compiled-in and --ixe paths.

* IxVM: multi-arg beta with narrow substitution walk

whnf_apply_beta substituted one spine arg per expr_inst1, re-walking the
(shrinking) body for each, so a K-arg application `(λλλ.body) x y z` walked
the body K times. Mirror Rust whnf.rs:541-567: peel the whole telescope
(peel_beta) and substitute all consumed args in ONE expr_inst_many walk
(simul_subst semantics). Single-arg betas stay on the cheap expr_inst1 path,
so short telescopes don't pay the list overhead (why the earlier
unconditional simul_subst regressed). Hot/cold split expr_inst_many_walk's
BVar arm (list_length / list_lookup / expr_lift) into expr_inst_many_bvar so
the hot App/Lam walk stays narrow.

Substitution was 53% of FFT on omega-heavy proofs. FFT (ix check <const>):
_private.…Vector.extract_append._proof_1 56.64G -> 38.31G (-32.4%);
Nat.add_comm 57.90M -> 56.17M; Init shard 10 4.721G -> 4.668G (-1.1%);
shard 9 16.346G -> 16.314G. 297 ixvm tests pass.

* IxVM: gate the primitive gauntlet behind a memoized prim_any_addr

whnf_const_head ran 5 try_* dispatchers (nat / str / bitvec / native /
decidable) in sequence on every Const head, each comparing the head address
against its family's primitive addresses — wasted on the common non-primitive
head, and worse, several try_* speculatively WHNF their args (to test for
literals / decidables), cascading into deep reductions that are then thrown
away. Factor the chain into try_address_primitives and gate it behind
prim_any_addr: a memoized (per head address) sum of the 43 head-dispatched
primitive address_eq checks — 1 only for a real primitive, so a 0 skips the
whole gauntlet straight to projection-definition / delta.

Validated by a differential assert (prim_any_addr must be 1 whenever the
gauntlet matched) run over the 297-test suite + Int.emod_emod_of_dvd +
Vector.extract_append._proof_1; it caught two missing addresses
(string_utf8_byte_size, punit_size_of_1), then passed clean across millions of
reductions. Assert removed after validation.

FFT (ix check <const>): _private.…Vector.extract_append._proof_1
38.31G -> 28.02G (-26.8%); Int.emod_emod_of_dvd 4.69G -> 3.97G (-15%);
Nat.add_comm 56.17M -> 56.06M; Init shard 9 16.314G -> 16.279G; shard 10
4.668G -> 4.659G. 297 ixvm tests pass.

Author: arthurpaulino

Ix/Cli/CheckCmd.lean

@@ -45,6 +45,16 @@ def parseName (arg : String) : Lean.Name :=
       | some n => Lean.Name.mkNum acc n
       | none   => Lean.Name.mkStr acc s
 
+/-- Resolve a CLI name argument against the env. `parseName` can't rebuild
+    private names (`_private.M.0.foo`) — the marker/scope-index components
+    don't round-trip through naive dot-splitting. So if the parsed name
+    isn't present, fall back to matching the arg against each constant's
+    `toString` (the displayed form the user copied). -/
+def resolveName (env : Lean.Environment) (arg : String) : Option Lean.Name :=
+  let parsed := parseName arg
+  if env.constants.contains parsed then some parsed
+  else (env.constants.toList.find? (fun (k, _) => toString k == arg)).map (·.1)
+
 def addrOfHex! (label : String) (s : String) : IO Address := do
   match Address.fromString s with
   | some a => pure a
@@ -88,6 +98,16 @@ partial def ixNameToLeanName : Ix.Name → Lean.Name
   | .str p s _ => .str (ixNameToLeanName p) s
   | .num p n _ => .num (ixNameToLeanName p) n
 
+/-- Resolve a CLI name argument against a `.ixe` env's named map. Like
+    `resolveName` for the compiled-in env: `parseName` can't rebuild private
+    names, so when the direct lookup misses, fall back to matching the arg
+    against each named constant's displayed `toString`. -/
+def resolveIxeAddr (ixonEnv : Ixon.Env) (arg : String) : Option Address :=
+  match ixonEnv.getAddr? (Ix.Name.fromLeanName (parseName arg)) with
+  | some a => some a
+  | none =>
+    (ixonEnv.named.toList.find? (fun (k, _) => toString (ixNameToLeanName k) == arg)).map (·.2.addr)
+
 /-- Build a `ClaimWitness` for the `verify_claim` entrypoint against
     `Ix.Claim.check addr none` (full transitive typecheck of the
     target's closure). -/
@@ -189,14 +209,13 @@ def forEachClaim
           if !keepGoing then break
     else
       for arg in names do
-        let name := parseName arg
-        match ixonEnv.getAddr? (Ix.Name.fromLeanName name) with
+        match resolveIxeAddr ixonEnv arg with
         | none =>
-          IO.eprintln s!"{name} not found in {path}"
-          failures := failures.push (toString name)
+          IO.eprintln s!"{arg} not found in {path}"
+          failures := failures.push arg
           if !keepGoing then break
         | some addr =>
-          let label := toString name
+          let label := arg
           let claim := Ix.Claim.check addr none
           let witness ← mkWitness addr ixonEnv
           if (← runOne claim witness label) ≠ 0 then
@@ -224,17 +243,18 @@ def forEachClaim
           if !keepGoing then break
     else
       for arg in names do
-        let name := parseName arg
-        if !env.constants.contains name then
-          IO.eprintln s!"{name} not found"
-          failures := failures.push (toString name)
+        match resolveName env arg with
+        | none =>
+          IO.eprintln s!"{arg} not found"
+          failures := failures.push arg
           if !keepGoing then break
           else continue
-        let label := toString name
-        let (claim, witness) ← buildOne name
-        if (← runOne claim witness label) ≠ 0 then
-          failures := failures.push label
-          if !keepGoing then break
+        | some name =>
+          let label := toString name
+          let (claim, witness) ← buildOne name
+          if (← runOne claim witness label) ≠ 0 then
+            failures := failures.push label
+            if !keepGoing then break
 
   if failures.isEmpty then pure 0
   else

Ix/IxVM/Convert.lean

@@ -68,7 +68,9 @@ def convert := ⟦
     match load(idxs) {
       ListNode.Nil => store(ListNode.Nil),
       ListNode.Cons(idx, rest) =>
-        let u = load(list_lookup_u64(univs, idx));
+        -- universe indices are small; walk with a field index (cheap per-step
+        -- field sub) instead of `list_lookup_u64`'s per-step U64 predecessor.
+        let u = load(list_lookup(univs, flatten_u64(idx)));
         store(ListNode.Cons(store(convert_univ(u)), convert_univ_idxs(rest, univs))),
     }
   }
@@ -145,7 +147,9 @@ def convert := ⟦
   ) -> KExpr {
     match load(e) {
       Expr.Srt(univ_idx) =>
-        let u = load(list_lookup_u64(univs, univ_idx));
+        -- field-indexed walk (see `convert_univ_idxs`): avoids the per-step
+        -- U64 predecessor of `list_lookup_u64` on this hot universe lookup.
+        let u = load(list_lookup(univs, flatten_u64(univ_idx)));
         store(KExprNode.Srt(store(convert_univ(u)))),
 
       Expr.Var(idx) =>
@@ -199,7 +203,8 @@ def convert := ⟦
           convert_expr(body, sharing, ref_idxs, recur_idxs, lit_blobs, univs))),
 
       Expr.Share(idx) =>
-        convert_expr(list_lookup_u64(sharing, idx), sharing, ref_idxs, recur_idxs, lit_blobs, univs),
+        let ListNode.Cons(e, _) = load(list_drop(sharing, flatten_u64(idx)));
+        convert_expr(e, sharing, ref_idxs, recur_idxs, lit_blobs, univs),
     }
   }
 

Ix/IxVM/Ingress.lean

@@ -53,17 +53,23 @@ def ingress := ⟦
     bytes
   }
 
-  -- Compare two 32-byte addresses for equality
-  fn address_eq(a: Addr, b: Addr) -> G {
-    let [a0, a1, a2, a3, a4, a5, a6, a7,
+  -- Compare two 32-byte addresses for equality.
+  --
+  -- Cold path: limb 0 already matched, compare the remaining 31 limbs.
+  -- Factored into its own function so it forms a separate circuit whose height
+  -- is only the (rare) limb-0-match rows; Aiur charges a function's full width
+  -- on every one of its rows, so a nested match in `address_eq` would not save
+  -- anything — the split must be a function boundary.
+  fn address_eq_tail(a: Addr, b: Addr) -> G {
+    let [_, a1, a2, a3, a4, a5, a6, a7,
          a8, a9, a10, a11, a12, a13, a14, a15,
          a16, a17, a18, a19, a20, a21, a22, a23,
          a24, a25, a26, a27, a28, a29, a30, a31] = load(a);
-    let [b0, b1, b2, b3, b4, b5, b6, b7,
+    let [_, b1, b2, b3, b4, b5, b6, b7,
          b8, b9, b10, b11, b12, b13, b14, b15,
          b16, b17, b18, b19, b20, b21, b22, b23,
          b24, b25, b26, b27, b28, b29, b30, b31] = load(b);
-    match [to_field(a0) - to_field(b0), to_field(a1) - to_field(b1),
+    match [to_field(a1) - to_field(b1),
            to_field(a2) - to_field(b2), to_field(a3) - to_field(b3),
            to_field(a4) - to_field(b4), to_field(a5) - to_field(b5),
            to_field(a6) - to_field(b6), to_field(a7) - to_field(b7),
@@ -80,7 +86,20 @@ def ingress := ⟦
            to_field(a28) - to_field(b28), to_field(a29) - to_field(b29),
            to_field(a30) - to_field(b30), to_field(a31) - to_field(b31)] {
       [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] => 1,
+       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] => 1,
+      _ => 0,
+    }
+  }
+
+  -- Limb-0 prefilter: a single differing limb proves inequality, and almost
+  -- every comparison (the primitive-dispatch gauntlet in whnf) mismatches at
+  -- limb 0. Hot rows reject here at narrow width; only limb-0 matches pay the
+  -- wide `address_eq_tail` compare. Identical result to a full 32-limb compare.
+  fn address_eq(a: Addr, b: Addr) -> G {
+    let av = load(a);
+    let bv = load(b);
+    match to_field(av[0]) - to_field(bv[0]) {
+      0 => address_eq_tail(a, b),
       _ => 0,
     }
   }
@@ -792,7 +811,9 @@ def ingress := ⟦
   -- Deref Expr.Share via the constant's sharing list.
   fn deref_share(e: Expr, sharing: List‹&Expr›) -> Expr {
     match e {
-      Expr.Share(idx) => deref_share(load(list_lookup_u64(sharing, idx)), sharing),
+      Expr.Share(idx) =>
+        let ListNode.Cons(e, _) = load(list_drop(sharing, flatten_u64(idx)));
+        deref_share(load(e), sharing),
       _ => e,
     }
   }

Ix/IxVM/IxonDeserialize.lean

@@ -101,15 +101,17 @@ def ixonDeserialize := ⟦
   -- Expression deserialization
   -- ============================================================================
 
-  -- App telescope: read count args, wrapping func in App nodes
-  fn get_app_telescope(func: Expr, stream: ByteStream, count: U64) -> (Expr, ByteStream) {
+  -- App telescope: read count args, wrapping func in App nodes. `func` is passed
+  -- by pointer (loaded only at the base case) so the recursion doesn't carry the
+  -- wide `Expr` union by value on every row.
+  fn get_app_telescope(func: &Expr, stream: ByteStream, count: U64) -> (Expr, ByteStream) {
     let is_zero = u64_is_zero(count);
     match is_zero {
-      1 => (func, stream),
+      1 => (load(func), stream),
       0 =>
         let (arg, s) = get_expr(stream);
-        let app = Expr.App(store(func), store(arg));
-        get_app_telescope(app, s, relaxed_u64_pred(count)),
+        let app = Expr.App(func, store(arg));
+        get_app_telescope(store(app), s, relaxed_u64_pred(count)),
     }
   }
 
@@ -180,7 +182,7 @@ def ixonDeserialize := ⟦
       -- App: Tag4(0x7, count) + func + args...
       0x7 =>
         let (func, s2) = get_expr(s);
-        get_app_telescope(func, s2, size),
+        get_app_telescope(store(func), s2, size),
 
       -- Lam: Tag4(0x8, count) + types... + body
       0x8 => get_lam_telescope(s, size),
@@ -189,17 +191,23 @@ def ixonDeserialize := ⟦
       0x9 => get_all_telescope(s, size),
 
       -- Let: Tag4(0xA, non_dep) + expr(ty) + expr(val) + expr(body)
-      0xA =>
-        let (ty, s2) = get_expr(s);
-        let (val, s3) = get_expr(s2);
-        let (body, s4) = get_expr(s3);
-        (Expr.Let(size, store(ty), store(val), store(body)), s4),
+      0xA => get_expr_let(s, size),
 
       -- Share: Tag4(0xB, idx)
       0xB => (Expr.Share(size), s),
     }
   }
 
+  -- Let arm of get_expr, split out: three recursive `get_expr` calls make it the
+  -- widest (and a rare) arm, so inlined it taxes every get_expr row.
+  fn get_expr_let(s: ByteStream, size: U64) -> (Expr, ByteStream) {
+    let (ty, s2) = get_expr(s);
+    let (val, s3) = get_expr(s2);
+    let (body, s4) = get_expr(s3);
+    (Expr.Let(size, store(ty), store(val), store(body)), s4)
+  }
+
+
   -- ============================================================================
   -- Universe deserialization
   -- ============================================================================

Ix/IxVM/Kernel/Claim.lean

@@ -804,6 +804,43 @@ def claim := ⟦
     }
   }
 
+  -- Pack the first 4 address bytes (LE) into a u32 key for the skip-set rbtree.
+  --
+  -- Capped at 4 bytes because `RBTreeMap` orders keys with `u32_less_than`, a
+  -- 32-bit comparator gadget — a wider key (a single `G` could hold 7 bytes in
+  -- Goldilocks) would overflow it and corrupt the tree ordering. A 32-bit key
+  -- space means key collisions are possible (~N²/2^33 over N leaves), but they
+  -- are harmless: a collision makes `addr_in_set`'s confirming `address_eq`
+  -- fail, yielding a false negative (a frontier const gets rechecked) never a
+  -- false positive (a wrong skip). See `build_skip_set`.
+  fn addr_key(a: Addr) -> G {
+    let arr = load(a);
+    to_field(arr[0])
+      + to_field(arr[1]) * 256
+      + to_field(arr[2]) * 65536
+      + to_field(arr[3]) * 16777216
+  }
+
+  -- Build an O(log N) membership set from the assumption-leaf list, keyed on
+  -- `addr_key`. Key collisions overwrite — sound because the only consequence is
+  -- a missed skip (a frontier const gets rechecked, never wrongly trusted); the
+  -- confirming `address_eq` in `addr_in_set` rules out false positives.
+  fn build_skip_set(leaves: List‹Addr›, acc: RBTreeMap‹Addr›) -> RBTreeMap‹Addr› {
+    match load(leaves) {
+      ListNode.Nil => acc,
+      ListNode.Cons(a, rest) =>
+        build_skip_set(rest, rbtree_map_insert(addr_key(a), a, acc)),
+    }
+  }
+
+  -- Membership via one rbtree lookup (cheap u32 key compares) + one confirming
+  -- full `address_eq`, replacing the O(N) linear `addr_in_list` scan that
+  -- dominated address_eq cost on sharded checks.
+  fn addr_in_set(target: Addr, skip_set: RBTreeMap‹Addr›) -> G {
+    let found = rbtree_map_lookup_or_default(addr_key(target), skip_set, store([0u8; 32]));
+    address_eq(found, target)
+  }
+
   -- ============================================================================
   -- check_all variant that skips positions whose addr is in the
   -- supplied assumption-leaf list.
@@ -813,24 +850,27 @@ def claim := ⟦
                         addrs: List‹Addr›,
                         asm_leaves: List‹Addr›) {
     let _ = check_canonical_block_sort(top);
-    check_all_skipping_iter(consts, top, addrs, asm_leaves, 0)
+    -- Build the skip-set once (O(N log N)) instead of an O(N) linear scan per
+    -- checked const.
+    let skip_set = build_skip_set(asm_leaves, RBTreeMap.Nil);
+    check_all_skipping_iter(consts, top, addrs, skip_set, 0)
   }
 
   fn check_all_skipping_iter(consts: List‹&KConstantInfo›,
                              top: List‹&KConstantInfo›,
                              addrs: List‹Addr›,
-                             asm_leaves: List‹Addr›,
+                             skip_set: RBTreeMap‹Addr›,
                              pos: G) {
     match load(consts) {
       ListNode.Nil => (),
       ListNode.Cons(&ci, rest) =>
         let addr = list_lookup(addrs, pos);
-        match addr_in_list(addr, asm_leaves) {
+        match addr_in_set(addr, skip_set) {
           1 =>
-            check_all_skipping_iter(rest, top, addrs, asm_leaves, pos + 1),
+            check_all_skipping_iter(rest, top, addrs, skip_set, pos + 1),
           _ =>
             let _ = check_const(ci, pos, top, addrs);
-            check_all_skipping_iter(rest, top, addrs, asm_leaves, pos + 1),
+            check_all_skipping_iter(rest, top, addrs, skip_set, pos + 1),
         },
     }
   }