1 month ago
27
RIP-7212, also known as “ Precompile for secp256r1 Curve Support,” is a proposal that was put forth to add a precompiled contract that performs signature verification in the “ secp256r1 ” elliptic curve. This was proposed by Ulaş Erdoğan, Doğan Alpaslan on 20th June, 2023.
Let’s explore what this exactly means:-
Think about attempting to secure your crypto wallet using your iPhone’s Face ID. This makes perfect sense; we use biometric security for our banking apps and other sensitive information. Here’s the rub, though: it doesn’t presently mesh well with Ethereum. Why? Modern devices’ security systems conflict at their base with the one used by Ethereum.
Let us first examine how Ethereum accounts operate to appreciate why this is important. An Externally Owned Account (EOA) is the most frequent type of account. View it as a super secure digital safe using two keys: one public (like your email address) and one private (like your password, but much more secretive).
An elliptic curve is a mathematical curve described by the equation:
y² = x³ + ax + bwhere a and b are constants that define the curve’s shape.
A curve may look like this
If you take an arbitrary point P = (x,y) on this curve and add it to another point Q on the curve, you will again get a point located on this very elliptic curve. A visualization of this point addition can be seen in the figure below.
You can also choose some point P on the curve and add it x-times to itself — you will still get a point located on the elliptic curve.
P+P+…+P = xP = R
Here, x is merely a random natural number. In elliptic curve cryptography, one leverages the truth that knowing only the points P and R would make it computationally impossible to estimate the value x. Solving the discrete logarithm is frequently said to be the problem. For cryptography, one selects an appropriate point P on the elliptic curve and creates a high enough random natural number x. The private key is identified by this number. From the selected point P and the private key, one computes the point R on the curve, which afterward is known as the public key. Thus, public and private keys are intimately related! The public key is nonexistent apart from the private key, and it is almost impossible to finalize the private key due to the discrete logarithm problem.
Here, it starts to get really interesting. Ethereum uses the secp256k1 curve for its cryptography. Current secp256r1 (also known as NIST P256) utilizes many of the most cutting-edge tools, including the Secure Enclave of Apple, the Keychain of Android, and even the security features of your web browser.
An approach of data encryption called Elliptic Curve cryptography emphasizes the employment of a pair of keys — private and public keys — for data encryption and decryption. The term “elliptic curves” defines a plane curve over a given field made up of the points y²=x³ + ax + b fulfilling the equation, used by Elliptic Curve cryptography.
The blockchain could be considered descendant of the elliptic curve since it is used to validate any kind of ownership on the blockchain with key pairs — that is, private and public keys. Complicities in two categories — secp256r1 and secp256k1 — can assist one in arranging elliptic curves.
secp256k1 (Ethereum’s Native Curve)
This curve is also known as the Koblitz curve. It is an elliptic curve that is known for its non-random construction, which allows for especially efficient computation. This curve was implemented into the Bitcoin protocol in its early days to remove any human effect on the curve parameter.
y² = x³ + 7Parameters:
- Prime field: ²²⁵⁶ — ²³² — ²⁹ — ²⁸ — ²⁷ — ²⁶ — ²⁴ — 1
- a = 0
- b = 7
secp256r1 (NIST P-256)
In Secp256r1, the “ r “ stands for random. This curve operates on a finite field of 256-bit. This curve is a few bits stronger than the Koblitz curve. Although secp256r1 is stronger than the secp256k1 curve, it was not used in the bitcoin protocol as it was suspected of having a backdoor ( created by the NSA ) using the random generator in secp256r1 for a and b. This curve is also known as the prime field curve.
y² = x³ + ax + bParameters:
- a = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC
- b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Private keys are randomly generated 256-bit numbers, typically produced using cryptographically secure pseudorandom number generators. These private keys are kept secret and serve as the foundation for address creation. Public keys are derived from private keys using elliptic curve cryptography, specifically on the secp256k1 curve. The public key is a point on the elliptic curve, represented by two numbers. Ethereum addresses are formed by taking the Keccak-256 hash of the public key and extracting specific portions of the resulting hash.
Also, Ethereum’s official client( Geth) utilizes Bitcoin codes inside the client to inherit the elliptic curve functions directly, making it easier for Bitcoin interoperability.
Given the title “Is secp256r1 the future,” let’s first consider the realm of Externally Owned Accounts (EOAs) — accounts controlled by private keys. Restricting the potential of Ethereum is the fact that EOAs operate from the secp256k1 curve, which is only used by the Ethereum ecosystem and not by any sort of protocol. They see themselves locked in a cage. Here is where secp256r1 applies.
The Secp256r1 elliptic curve is widely used in mobile devices and hardware that have Trusted Execution Environment such as Apple’s Secure Enclave, Webauthn, and Android Keychain, which improves user adoption. These chips can generate private and public keys and also sign the messages.
This is a suggestion for a significant modification of the Ethereum protocol: including a precompiled contract using the secp256r1 elliptic curve for signature verification. The Ethereum Rollup community reacted favorably to the first Rollup Improvement Proposal. By allowing smart contracts to work with native signers of mobile devices, it is a defining feature in key management in Account Abstraction. Clave, Safe, Coinbase intelligent wallet, and Soul Wallet are all actively used by the following wallets.
Precompiled contracts are kinds of contracts that are preset and are inherent in the Ethereum protocol. They can also be termed a fixed gasoline cost. The ECRECOVER precompiled address 0x01 is a function that returns the public address from a secp256k1 curve signature. For the secp256r1 curve, which is P256VERIFY, RIP7212 suggests a similar approach.
The P256VERIFY Precompile
The precompiled contract takes 160 bytes of input data:
- 32 bytes message hash
- 32 bytes r component
- 32 bytes s component
- 32 bytes x coordinate
- 32 bytes y coordinate
RIP7212’s gas cost is roughly 3450 gas, lower than other alternatives, therefore, it is quite a challenge for RIP7212 to reduce gas fees by comparing nonprotocol change options.
Real-World Applications and Future Implications
As Ethereum progresses, EIP 7212 offers new avenues for cross-chain interoperability and better transaction handling. Using the secp256r1 curve could help developers use existing internet protocols and improve user experiences with account management.
Notable Use Cases:
- Direct integration of web domains into Ethereum with DNSSEC.
- Improved transaction signing through mobile devices with secure enclaves, simplifying recovery processes.
Web3 Authentication Flow
The new authentication flow enables:
- Biometric authentication
- Hardware-backed key storage
- WebAuthn integration
- Passkey support
With RIP-7212 verifying P256 only costs 3450 gas, a 100x reduction from the best non-protocol change option. RIP-7212 is the most gas-efficient, secure, and fastest way to verify the P256 on EVM chains.
As we have previously explained, using biometric signers (e.g., Passkeys and Secure Enclave based) is only possible if we have a way to verify P256 curve onchain. There are several options available to verify P256 curve onchain, but none of them are cheap.
- Enhanced mobile wallet security
- Better integration with existing web standards
- Reduced friction in Web3 adoption
- New authentication paradigms
- Cross-chain standardization
- IoT device integration
EIP 7212 marks an important advancement for Ethereum, tackling significant issues in scalability and connectivity within its ecosystem. By presenting a pre-compiled contract for the secp256r1 elliptic curve, this proposal aims not only to optimize operations but also to encourage more teamwork between Ethereum and various outside protocols. The effects of this proposal reach beyond technical improvements, fostering a more open and inventive space for developers and users. As the Ethereum community stays engaged, successfully implementing EIP 7212 could become a model for future proposals, highlighting the value of community-focused development in blockchain.
Technical Documentation
Mathematical Background
Implementation Resources
English (US) ·