Current State of Verifying P256 Curve

The ownership on Ethereum is based on a cryptographic function known as Elliptic Curve Cryptography (ECC). This is the mechanism used to prove the ownership of accounts in web3. Let's break down how it operates:

To begin, a user generates a private key using randomness. This key must be kept securely and remain confidential and Public Key is derived from it.
Once the key is created, the user signs a message using an ECC function. (Currently, Ethereum supports only the secp256k1 curve.)
With a signature, public key, and message in hand, the user then transmits this data to the blockchain.
Upon receipt, the blockchain verifies the message using a verifier function. (The only native supported verifier function is ecrecovery for the secp256k1 curve.)

The secp256r1 curve is widely adopted in internet systems, which explains its myriad use cases in platforms such as TLS, DNSSEC, Apple’s Secure Enclave, Passkeys, Android Keystore, and Yubikey. While it can be utilized within the EVM, verifying it onchain has been challenging since it wasn't natively supported in the EVM or in many other VMs within web3. This gap led various individuals to design verifier contracts using Solidity, ZK proofs, precompilers, and more. In this article, we will delve into the various methods to verify the p256 curve onchain. Let's get started:

Smart Contract Based Verifiers:

There are several Solidity verifiers designed for verification. Their gas consumption and deployment costs vary (keep in mind that some of these verifiers are smart contracts, so there's an initial payment for deployment). Let's explore some examples:

Obvious Wallet’s Implementation: Obvious Wallet is a 4337-based wallet that employs passkeys instead of seed phrases. As passkeys solely support the p256 curve, they have constructed a Solidity verifier. This verifier uses 330K gas for WebAuthn verification and 590k gas for the initial contract deployment. To explore further:

Alembic: Alembic is a web3 development platform, and they've crafted a p256 verifier in Solidity. Their verifier requires 375K gas for WebAuthn verification and 2M gas for deployment. They have showcased an NFT minting demo that leverages a WebAuthn-based key management system. For more details:

FCL's Ledger's Implementation Without Precomputation: The innovation team at Ledger has developed various verifier implementations. Their primary implementation expends 202k gas for WebAuthn verification and 1M gas for the first deployment. The Clave team, which I am also a member of, leverages this verifier.

FCL's Ledger's Implementation with Precomputation: The second implementation from the Ledger team incorporates a precomputation that necessitates 16kb of storage for the initial deployment. As a result, while the deployment cost rises to 3.2M gas, the verification cost is reduced to 69K. This presents a trade-off between the initial deployment cost and the subsequent verification cost.
Forum DAO's team have impelemented this verifier in their production ready product. You can try in their website.
Transaction Hash for Account Creation
Transaction Hash for a Regular Transaction
A Blog Post about the precomputation

More smart contract based Verifiers can be found in this link

A Table from Ledger's Article

Zero Knowledge Based Verifiers:

ZKP empowers us to validate intricate computations via specialized mathematical algorithms, ensuring computational integrity and potentially reducing both calldata and gas expenses

Risc0 Bonsai facilitates the conversion of Starks to Snarks, with a verification cost of 280k gas for the Risc0 Bonsai proofs. Risc0’s STARK proof is verified inside a groth16 prover, then the groth16 proof is verified on-chain. Once a user authenticates with WebAuthn, a P256 signature is generated. The signature is then sent to a smart contract that offloads the heavy computation off-chain to Bonsai Proving Service. The signature is then verified and a proof is sent to the smart contract where the transaction is executed.

Know Nothing Labs have built a wallet that allows sign in using Face ID. A WebAuthn registration is trigged on client device for authentication. When a transaction is signed, the ECDSA signature and public key is used to generate a ZK proof using the Halo2 proof system. This proof is set in the signature field within the UserOperations bundle which is sent to a smart contract that verifies and executes the transaction. 520K Gas was used for this transaction. With lower gas costs, it is easier to generate proofs from the client side even on Chrome or Safari. A Mac Book Pro with 16GB RAM and an M1 chip was used in this instance.

ZK WebAuthn with Circom
Circom is a DSL used to generate a ZK proof. A similar workflow using Circom would approximately cost 230k fixed gas and ~100k per signature (total ~330k gas).

Proof System	Type	Proving Time	Gas consumption	Where is the proof generated
Risc0 Bonsai	STARK to SNARK	nearly instant	220K	Bonsai Proving Service
Halo2	SNARK	4s / 20s	500K	M1 Pro with 16 GB / Smart Phone
Circom	SNARK	nearly instant	300K	16-core 3.0GHz, 32G RAM machine

Verifying With EVMMAX

EIP-6990, EIP-6601, and EIP-5483 are proposals aimed at improving the efficiency of modular arithmetic operations in Ethereum by introducing new opcodes and changes. EVMMAX can also be utilized to verify the p256 curve. According to jwasinger, the author of EIP-6601, verifying the p256 curve with EVMMAX theoretically consumes 73,810 gas, which is more expensive than Ledger's implementation.

(expensiver than Ledger's most optimized implementation. Q: Does it makes sense in case of p256 curve verification?)
Note that EVMMAX is also a protocol level, core change and hasn't been accepted yet.

Verifying With EIP-7212

EIP-7212 proposes a new precompiled contract for verifying the secp256r1 curve at a cost of just 3,450 gas. While it is still under review, it requires community support to make it to the mainnet. Notably, some Layer 2 solutions are already considering the implementation of EIP-7212 in their EVMs. I'm a co-author of this EIP, and we're actively seeking more reviewers for further evaluation. EIP-7212 represents the most cost-effective method for on-chain verification of the p256 curve.

Ethereum Research Post
A Smart Contract Example That Uses EIP-7212

Verifier	Gas consumption	Type
EVMMAX	73k	Core Protocol Change
EIP-7212	3450	Core Protocol Change

Verifying at Different Networks

Arbitrum - Stylus:
Offchain Labs has introduced an upgrade for Arbitrum chains called Stylus, which enables a WASM virtual machine to run alongside the EVM. This means any language that can be compiled down to WASM is now compatible with Stylus. Smart contracts written in Rust, C, or C++ are fully interoperable with Solidity and Vyper contracts. In Solidity, you can call a Rust program and vice versa. Due to the superior efficeincy of WASM programs, fees are slashed by over 10x for compute and by over 100x for memory.

This flexibility allows verifiers for the P256 curve to be developed using Stylus. While no optimized verifier exists at the moment, a proof-of-concept is accessible at this GitHub repository.

Transaction Hash (850k gas)

Native Supported Chains - Aztec, Fuel and zkSync (soon)
While we can verify p256 curve with smart contracts there are already a few networks that supports p256 as a native curve.

Aztec: Aztec has a native verifier that verifies p256 curve. Source

Fuel: FuelVM also supports secp256r1 curve natively. Source:

zkSync: zkSync team discusses to impleement EIP7212 at the protocol which enables native verifier for p256.

https://twitter.com/LambdazkSync/status/1702556940168217039

Cairo:
There are currently different products that use p256 curve for at Starknet Ecosystem.
Bravoos's implementation: Bravoos is an Account Abstraction based wallet that uses Secure Enclave for key management.
Github Link for the Verifier

Cartridge’s implementation: Cartridge is building onchain games and autnomous worlds. Part of the product offering, the Cartridge Controller, leverages WebAuthn for transaction signing. They’ve developed a Cairo verifier for WebAuthn.
Github Link for the Verifier

Spartucus's implementation

A Starknet Forum Post About Supporting Webauthn at Starknet

Final Thoughts

Here is the summary:

Verifier	Gas Consumption At Account Creation	Gas consumption at Single Transaction	Proving Time	Type
Obvious' Solidity Verifier	330k	330k	instant	Smart Contract Verifier
Alembic's Solidity Verifier	2M	375k	instant	Smart Contract Verifier
FCL's Solidity Verifier without precomputation	205k	205k	instant	Smart Contract Verifier
FCL's Solidity Verifier with precomputation	3.2M	69k	instant	Smart Contract Verifier
Risc0 Verifier	250k	250k	nearly instant	Zero Knowledge Verifier
KnowNothingLabs's Verifier	520k	520k	~ 4 seconds	Zero Knowledge Verifier
Circom	230K	300K	nearly instant	Zero Knowledge Verifier
A Verifier With EVMMAX	73k	73k	instant	A Core Protocol Change
EIP-7212 - Precompiler Contract for P256	3450	3450	instant	A Core Protocol Change

Clearly, every contribution to this subject holds great value and will significantly impact the future. Together, we aim to shape the future of the internet.
A special thanks to Reno from Ledger for the insightful feedbacks, Muhammad from Delphi for assisting with the ZK section of the article, Andy Guzzman from EF, Will Paper, Richard Liu from Skiff, Jebu from Obvious Wallet Yoav from Bravoos, Austin From Offchain Labs and Tarrance from Cartrige!

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.