# Current State of Verifying P256 Curve The ownership on Ethereum is based on a cryptographic function known as Elliptic Curve Cryptography (ECC). This is the mechanism used to prove the ownership of accounts in web3. Let's break down how it operates: 1. To begin, a user generates a private key using randomness. This key must be kept securely and remain confidential and Public Key is derived from it. 2. Once the key is created, the user signs a message using an ECC function. (Currently, Ethereum supports only the secp256k1 curve.) 3. With a signature, public key, and message in hand, the user then transmits this data to the blockchain. 4. Upon receipt, the blockchain verifies the message using a verifier function. (The only native supported verifier function is ecrecovery for the secp256k1 curve.) ![](https://hackmd.io/_uploads/rkwlFGw16.png) The secp256r1 curve is widely adopted in internet systems, which explains its myriad use cases in platforms such as TLS, DNSSEC, Apple’s Secure Enclave, Passkeys, Android Keystore, and Yubikey. While it can be utilized within the EVM, verifying it onchain has been challenging since it wasn't natively supported in the EVM or in many other VMs within web3. This gap led various individuals to design verifier contracts using Solidity, ZK proofs, precompilers, and more. In this article, we will delve into the various methods to verify the p256 curve onchain. Let's get started: --- # **Smart Contract Based Verifiers:** There are several Solidity verifiers designed for verification. Their gas consumption and deployment costs vary (keep in mind that some of these verifiers are smart contracts, so there's an initial payment for deployment). Let's explore some examples: **Obvious Wallet’s Implementation**: Obvious Wallet is a 4337-based wallet that employs passkeys instead of seed phrases. As passkeys solely support the p256 curve, they have constructed a Solidity verifier. This verifier uses 330K gas for WebAuthn verification and 590k gas for the initial contract deployment. To explore further: - [Website](https://www.obvious.technology/) - [Transaction Hash](https://mumbai.polygonscan.com/tx/0x7fb88c247dcf64ff20a2e4014613fda941aafe09edbf18633bec04ae7d9e9db0) - [Code Base](https://github.com/itsobvioustech/aa-passkeys-wallet/blob/main/src/Secp256r1.sol) **Alembic**: Alembic is a web3 development platform, and they've crafted a p256 verifier in Solidity. Their verifier requires 375K gas for WebAuthn verification and 2M gas for deployment. They have showcased an NFT minting demo that leverages a WebAuthn-based key management system. For more details: - [Demo](https://p256.alembic.tech/) - [Deployment Transaction Hash](https://mumbai.polygonscan.com/tx/0xfbf81c49fe3a4d21d34771eb3a5ec5bccb5c3506585c0e3ea414d977806f266a) - [NFT Minting Transaction Hash](https://mumbai.polygonscan.com/tx/0x46c8bef6d98570c01cab44efa849d00797d8ba65fb5843245446e761be54cd02) - [Code Base](https://github.com/alembic-tech/P256-verify-signature) **[FCL's](https://github.com/rdubois-crypto/FreshCryptoLib) Ledger's Implementation Without Precomputation**: The innovation team at Ledger has developed various verifier implementations. Their primary implementation expends 202k gas for WebAuthn verification and 1M gas for the first deployment. The Clave team, which I am also a member of, leverages this verifier. - [Transaction Hash](https://goerli-optimism.etherscan.io/tx/0xda453ec0b2b6987f2952748bf7375cd55ac1c06484af1dffb41b4ea2cefb8773) - [Code Base](https://github.com/rdubois-crypto/FreshCryptoLib/blob/master/solidity/src/FCL_elliptic.sol) **[FCL's](https://github.com/rdubois-crypto/FreshCryptoLib) Ledger's Implementation with Precomputation**: The second implementation from the Ledger team incorporates a precomputation that necessitates 16kb of storage for the initial deployment. As a result, while the deployment cost rises to 3.2M gas, the verification cost is reduced to 69K. This presents a trade-off between the initial deployment cost and the subsequent verification cost. [Forum DAO's](https://www.forumdaos.com/) team have impelemented this verifier in their production ready product. You can try in their website. Transaction Hash for Account Creation Transaction Hash for a Regular Transaction [A Blog Post about the precomputation](https://mirror.xyz/jamesmccomish.eth/qGbrWk_EyNzyl3lZDmRzO1LEwHRsHrA2iMDuU9q1fds) **More smart contract based Verifiers can be found in this [link](https://github.com/rdubois-crypto/FreshCryptoLib)** ![](https://hackmd.io/_uploads/rJwfXRu16.png) A Table from [Ledger's Article](https://eprint.iacr.org/2023/939.pdf) # **Zero Knowledge Based Verifiers:** ZKP empowers us to validate intricate computations via specialized mathematical algorithms, ensuring computational integrity and potentially reducing both calldata and gas expenses [**Risc0 Bonsai**](https://github.com/risc0/bonsai-foundry-template) facilitates the conversion of Starks to Snarks, with a verification cost of 280k gas for the Risc0 Bonsai proofs. Risc0’s STARK proof is verified inside a groth16 prover, then the groth16 proof is verified on-chain. Once a user authenticates with WebAuthn, a P256 signature is generated. The signature is then sent to a smart contract that offloads the heavy computation off-chain to Bonsai Proving Service. The signature is then verified and a proof is sent to the smart contract where the transaction is executed. * [Kobi Gurkan's Implementation via Utilizing Risc0](https://x.com/kobigurk/status/1691898186904854771?s=20) * [Bonfire Demo](https://ethglobal.com/showcase/bonfire-wallet-n1dzp) * [A Case Study From Me](https://mirror.xyz/0x8958D0c419BCDFB8A86b8c0089552bE015fbe364/IzmGOJM8y_02JofILk7n4yAbCnVx4D7Zt3TAxKl04_U) [**Know Nothing Labs**](https://github.com/zkwebauthn/webauthn-halo2) have built a wallet that allows sign in using Face ID. A WebAuthn registration is trigged on client device for authentication. When a transaction is signed, the ECDSA signature and public key is used to generate a ZK proof using the Halo2 proof system. This proof is set in the signature field within the UserOperations bundle which is sent to a smart contract that verifies and executes the transaction. 520K Gas was used for this transaction. With lower gas costs, it is easier to generate proofs from the client side even on Chrome or Safari. A Mac Book Pro with 16GB RAM and an M1 chip was used in this instance. * [Codebase](https://github.com/zkwebauthn/webauthn-halo2/tree/76f3ac6cbc3356fee58a58445968a6d88040e557) * [Axiom’s implementation](https://github.com/axiom-crypto/halo2-lib) * [Noseedphrase demo](https://www.noseedphrases.xyz/) [**ZK WebAuthn with Circom**](https://github.com/zkwebauthn/webauthn-circom) Circom is a DSL used to generate a ZK proof. A similar workflow using Circom would approximately cost 230k fixed gas and ~100k per signature (total ~330k gas). * [WebAuthn with Circom](https://github.com/zkwebauthn/webauthn-circom) * [ECDSA in Circom](https://github.com/0xPARC/circom-ecdsa) | Proof System | Type | Proving Time | Gas consumption | Where is the proof generated | | --- | --- | --- | --- | --- | | Risc0 Bonsai | STARK to SNARK | nearly instant | 220K | Bonsai Proving Service | | Halo2 | SNARK | 4s / 20s | 500K | M1 Pro with 16 GB / Smart Phone | | Circom | SNARK | nearly instant | 300K | 16-core 3.0GHz, 32G RAM machine | # **Verifying With EVMMAX** EIP-6990, EIP-6601, and EIP-5483 are proposals aimed at improving the efficiency of modular arithmetic operations in Ethereum by introducing new opcodes and changes. EVMMAX can also be utilized to verify the p256 curve. [According to jwasinger, the author of EIP-6601,](https://ethereum-magicians.org/t/eip-6690-evm-modular-arithmetic-extensions-evmmax-decoupled-from-eof/13322/4) verifying the p256 curve with EVMMAX theoretically consumes 73,810 gas, which is more expensive than Ledger's implementation. (expensiver than Ledger's most optimized implementation. *Q: Does it makes sense in case of p256 curve verification?)* **Note that EVMMAX is also a protocol level, core change and hasn't been accepted yet.** ![](https://hackmd.io/_uploads/B1FzhB_y6.png) # **Verifying With EIP-7212** [EIP-7212](https://eips.ethereum.org/EIPS/eip-7212) proposes a new precompiled contract for verifying the secp256r1 curve at a cost of just 3,450 gas. While it is still under review, it requires community support to make it to the mainnet. Notably, some Layer 2 solutions are already considering the implementation of EIP-7212 in their EVMs. I'm a co-author of this EIP, and we're actively seeking more reviewers for further evaluation. EIP-7212 represents the most cost-effective method for on-chain verification of the p256 curve. [Ethereum Research Post](https://ethereum-magicians.org/t/eip-7212-precompiled-for-secp256r1-curve-support/14789) [A Smart Contract Example That Uses EIP-7212](https://twitter.com/0xz80/status/1697256356909346906) | Verifier |Gas consumption |Type | | --- | --- | --- | | EVMMAX| 73k | Core Protocol Change | | EIP-7212 | 3450 | Core Protocol Change | # **Verifying at Different Networks** **Arbitrum - Stylus:** Offchain Labs has introduced an upgrade for Arbitrum chains called Stylus, which enables a WASM virtual machine to run alongside the EVM. This means any language that can be compiled down to WASM is now compatible with Stylus. Smart contracts written in Rust, C, or C++ are fully interoperable with Solidity and Vyper contracts. In Solidity, you can call a Rust program and vice versa. Due to the superior efficeincy of WASM programs, fees are slashed by over 10x for compute and by over 100x for memory. This flexibility allows verifiers for the P256 curve to be developed using Stylus. While no optimized verifier exists at the moment, a proof-of-concept is accessible at [this GitHub repository](https://github.com/jake-nyquist/stylus-p256-example). [Transaction Hash (850k gas)](https://stylus-testnet-explorer.arbitrum.io/tx/0x262d63de85365cad7bbd34e07640542430bf09be7748ab2070a5bc706db85c83) --- **Native Supported Chains - Aztec, Fuel and zkSync (soon)** While we can verify p256 curve with smart contracts there are already a few networks that supports p256 as a native curve. **Aztec:** Aztec has a native verifier that verifies p256 curve.[ Source](https://github.com/noir-lang/noir/releases/tag/v0.9.0) ![](https://hackmd.io/_uploads/BJEonL_y6.jpg) **Fuel:** FuelVM also supports secp256r1 curve natively. [Source:](https://specs.fuel.network/master/fuel-vm/instruction-set.html#ecr1-secp256r1-signature-recovery) ![](https://hackmd.io/_uploads/SyPIpLOJp.png) **zkSync:** zkSync team discusses to impleement EIP7212 at the protocol which enables native verifier for p256. https://twitter.com/LambdazkSync/status/1702556940168217039 ![](https://hackmd.io/_uploads/H14tCIukp.png) --- **Cairo:** There are currently different products that use p256 curve for at Starknet Ecosystem. **Bravoos's implementation:** Bravoos is an Account Abstraction based wallet that uses Secure Enclave for key management. [Github Link for the Verifier](https://github.com/myBraavos/efficient-secp256r1/blob/develop/src/secp256r1/ec_mulmuladd.cairo) **Cartridge’s implementation:** Cartridge is building onchain games and autnomous worlds. Part of the product offering, the Cartridge Controller, leverages WebAuthn for transaction signing. They’ve developed a Cairo verifier for WebAuthn. [Github Link for the Verifier](https://github.com/cartridge-gg/cairo-webauthn) [**Spartucus's implementation**](https://github.com/spartucus/nistp256-cairo) **[A Starknet Forum Post About Supporting Webauthn at Starknet](https://community.starknet.io/t/supporting-webauthn-on-starknet/3910)** --- # **Final Thoughts** Here is the summary: | Verifier | Gas Consumption At Account Creation |Gas consumption at Single Transaction | Proving Time |Type | | --- | --- | --- | --- | --- | | Obvious' Solidity Verifier | 330k | 330k | instant | Smart Contract Verifier | | Alembic's Solidity Verifier | 2M | 375k | instant | Smart Contract Verifier | | [FCL's](https://github.com/rdubois-crypto/FreshCryptoLib) Solidity Verifier without precomputation | 205k | 205k | instant | Smart Contract Verifier | | [FCL's](https://github.com/rdubois-crypto/FreshCryptoLib) Solidity Verifier with precomputation | 3.2M | 69k | instant | Smart Contract Verifier | | Risc0 Verifier | 250k | 250k | nearly instant | Zero Knowledge Verifier | | KnowNothingLabs's Verifier | 520k | 520k | ~ 4 seconds | Zero Knowledge Verifier | | Circom | 230K | 300K | nearly instant | Zero Knowledge Verifier| | A Verifier With EVMMAX | 73k | 73k | instant| A Core Protocol Change | | EIP-7212 - Precompiler Contract for P256 | 3450 | 3450 | instant| A Core Protocol Change | Clearly, every contribution to this subject holds great value and will significantly impact the future. Together, we aim to shape the future of the internet. A special thanks to [Reno from Ledger](https://twitter.com/RenaudDUBOIS10) for the insightful feedbacks, [Muhammad from Delphi](https://twitter.com/yusufxzy) for assisting with the ZK section of the article, [Andy Guzzman from EF](https://twitter.com/AndyGuzmanEth), [Will Paper](https://twitter.com/WillPapper), [Richard Liu](https://richardliu.me/) from Skiff, Jebu from Obvious Wallet Yoav from Bravoos, [Austin](https://twitter.com/gmEthereum) From Offchain Labs and Tarrance from Cartrige!