secp256r1 (or P-256) is a common elliptic curve used in signature schemes, including by Apple’s Secure Enclave, Webauthn, Android Keystore, and Passkeys.

EIP-7212/RIP-7212 adds a new P256VERIFY precompile contract at address(0x100), enabling signature verification at a cost of 3450 gas.

EIP-7212 enables transaction signing support for Passkeys and other keystores, hardware-based signing keys, and improved UX.

EIP Specification

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119 and RFC 8174.

As of FORK_TIMESTAMP in the integrated EVM chain, add precompiled contract P256VERIFY for signature verifications in the “secp256r1” elliptic curve at address PRECOMPILED_ADDRESS in 0x100 (indicates 0x0000000000000000000000000000000000000100).

Elliptic Curve Information

“secp256r1” is a specific elliptic curve, also known as “P-256” and “prime256v1” curves. The curve is defined with the following equation and domain parameters:

# curve: short weierstrass form
y^2 ≡ x^3 + ax + b

# p: curve prime field modulus
0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff

# a: elliptic curve short weierstrass first coefficient
0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc

# b: elliptic curve short weierstrass second coefficient
0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# G: base point of the subgroup
(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# n: subgroup order (number of points)
0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

# h: cofactor of the subgroup
0x1

Elliptic Curve Signature Verification Steps

The signature verifying algorithm takes the signed message hash, the signature components provided by the “secp256r1” curve algorithm, and the public key derived from the signer private key. The verification can be done with the following steps:

# h (message hash)
# pubKey = (public key of the signer private key)

# Calculate the modular inverse of the signature proof:
s1 = s^(−1) (mod n)

# Recover the random point used during the signing:
R' = (h * s1) * G + (r * s1) * pubKey

# Take from R' its x-coordinate:
r' = R'.x

# Calculate the signature validation result by comparing whether:
r' == r

Required Checks in Verification

The following requirements MUST be checked by the precompiled contract to verify signature components are valid:

  • Verify that the r and s values are in (0, n) (exclusive) where n is the order of the subgroup.
  • Verify that the point formed by (x, y) is on the curve and that both x and y are in [0, p) (inclusive 0, exclusive p) where p is the prime field modulus. Note that many implementations use (0, 0) as the reference point at infinity, which is not on the curve and should therefore be rejected.

Precompiled Contract Specification

The P256VERIFY precompiled contract is proposed with the following input and outputs, which are big-endian values:

  • Input data: 160 bytes of data including:

    • 32 bytes of the signed data hash
    • 32 bytes of the r component of the signature
    • 32 bytes of the s component of the signature
    • 32 bytes of the x coordinate of the public key
    • 32 bytes of the y coordinate of the public key

  • Output data:

    • If the signature verification process succeeds, it returns 1 in 32 bytes format.
    • If the signature verification process fails, it does not return any output data.

Precompiled Contract Gas Usage

The use of signature verification cost by P256VERIFY is 3450 gas.