doganalpaslan
    • Create new note
    • Create a note from template
      • Sharing URL Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Customize slides
      • Note Permission
      • Read
        • Only me
        • Signed-in users
        • Everyone
        Only me Signed-in users Everyone
      • Write
        • Only me
        • Signed-in users
        • Everyone
        Only me Signed-in users Everyone
      • Engagement control Commenting, Suggest edit, Emoji Reply
      • Invitee
      • No invitee
    • Publish Note

      Publish Note

      Everyone on the web can find and read all notes of this public team.
      Once published, notes can be searched and viewed by anyone online.
      See published notes
      Please check the box to agree to the Community Guidelines.
    • Commenting
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
      • Everyone
    • Suggest edit
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
    • Emoji Reply
    • Enable
    • Versions and GitHub Sync
    • Note settings
    • Engagement control
    • Transfer ownership
    • Delete this note
    • Save as template
    • Insert from template
    • Import from
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
    • Export to
      • Dropbox
      • Google Drive
      • Gist
    • Download
      • Markdown
      • HTML
      • Raw HTML
Menu Note settings Sharing URL Create Help
Create Create new note Create a note from template
Menu
Options
Versions and GitHub Sync Engagement control Transfer ownership Delete this note
Import from
Dropbox Google Drive Gist Clipboard
Export to
Dropbox Google Drive Gist
Download
Markdown HTML Raw HTML
Back
Sharing URL Link copied
/edit
View mode
  • Edit mode
  • View mode
  • Book mode
  • Slide mode
Edit mode View mode Book mode Slide mode
Customize slides
Note Permission
Read
Only me
  • Only me
  • Signed-in users
  • Everyone
Only me Signed-in users Everyone
Write
Only me
  • Only me
  • Signed-in users
  • Everyone
Only me Signed-in users Everyone
Engagement control Commenting, Suggest edit, Emoji Reply
Invitee
No invitee
Publish Note

Publish Note

Everyone on the web can find and read all notes of this public team.
Once published, notes can be searched and viewed by anyone online.
See published notes
Please check the box to agree to the Community Guidelines.
Engagement control
Commenting
Permission
Disabled Forbidden Owners Signed-in users Everyone
Enable
Permission
  • Forbidden
  • Owners
  • Signed-in users
  • Everyone
Suggest edit
Permission
Disabled Forbidden Owners Signed-in users Everyone
Enable
Permission
  • Forbidden
  • Owners
  • Signed-in users
Emoji Reply
Enable
Import from Dropbox Google Drive Gist Clipboard
   owned this note    owned this note      
Published Linked with GitHub
12
Subscribed
  • Any changes
    Be notified of any changes
  • Mention me
    Be notified of mention me
  • Unsubscribe
Subscribe
# Current State of Verifying P256 Curve The ownership on Ethereum is based on a cryptographic function known as Elliptic Curve Cryptography (ECC). This is the mechanism used to prove the ownership of accounts in web3. Let's break down how it operates: 1. To begin, a user generates a private key using randomness. This key must be kept securely and remain confidential and Public Key is derived from it. 2. Once the key is created, the user signs a message using an ECC function. (Currently, Ethereum supports only the secp256k1 curve.) 3. With a signature, public key, and message in hand, the user then transmits this data to the blockchain. 4. Upon receipt, the blockchain verifies the message using a verifier function. (The only native supported verifier function is ecrecovery for the secp256k1 curve.) ![](https://hackmd.io/_uploads/rkwlFGw16.png) The secp256r1 curve is widely adopted in internet systems, which explains its myriad use cases in platforms such as TLS, DNSSEC, Apple’s Secure Enclave, Passkeys, Android Keystore, and Yubikey. While it can be utilized within the EVM, verifying it onchain has been challenging since it wasn't natively supported in the EVM or in many other VMs within web3. This gap led various individuals to design verifier contracts using Solidity, ZK proofs, precompilers, and more. In this article, we will delve into the various methods to verify the p256 curve onchain. Let's get started: --- # **Smart Contract Based Verifiers:** There are several Solidity verifiers designed for verification. Their gas consumption and deployment costs vary (keep in mind that some of these verifiers are smart contracts, so there's an initial payment for deployment). Let's explore some examples: **Obvious Wallet’s Implementation**: Obvious Wallet is a 4337-based wallet that employs passkeys instead of seed phrases. As passkeys solely support the p256 curve, they have constructed a Solidity verifier. This verifier uses 330K gas for WebAuthn verification and 590k gas for the initial contract deployment. To explore further: - [Website](https://www.obvious.technology/) - [Transaction Hash](https://mumbai.polygonscan.com/tx/0x7fb88c247dcf64ff20a2e4014613fda941aafe09edbf18633bec04ae7d9e9db0) - [Code Base](https://github.com/itsobvioustech/aa-passkeys-wallet/blob/main/src/Secp256r1.sol) **Alembic**: Alembic is a web3 development platform, and they've crafted a p256 verifier in Solidity. Their verifier requires 375K gas for WebAuthn verification and 2M gas for deployment. They have showcased an NFT minting demo that leverages a WebAuthn-based key management system. For more details: - [Demo](https://p256.alembic.tech/) - [Deployment Transaction Hash](https://mumbai.polygonscan.com/tx/0xfbf81c49fe3a4d21d34771eb3a5ec5bccb5c3506585c0e3ea414d977806f266a) - [NFT Minting Transaction Hash](https://mumbai.polygonscan.com/tx/0x46c8bef6d98570c01cab44efa849d00797d8ba65fb5843245446e761be54cd02) - [Code Base](https://github.com/alembic-tech/P256-verify-signature) **[FCL's](https://github.com/rdubois-crypto/FreshCryptoLib) Ledger's Implementation Without Precomputation**: The innovation team at Ledger has developed various verifier implementations. Their primary implementation expends 202k gas for WebAuthn verification and 1M gas for the first deployment. The Clave team, which I am also a member of, leverages this verifier. - [Transaction Hash](https://goerli-optimism.etherscan.io/tx/0xda453ec0b2b6987f2952748bf7375cd55ac1c06484af1dffb41b4ea2cefb8773) - [Code Base](https://github.com/rdubois-crypto/FreshCryptoLib/blob/master/solidity/src/FCL_elliptic.sol) **[FCL's](https://github.com/rdubois-crypto/FreshCryptoLib) Ledger's Implementation with Precomputation**: The second implementation from the Ledger team incorporates a precomputation that necessitates 16kb of storage for the initial deployment. As a result, while the deployment cost rises to 3.2M gas, the verification cost is reduced to 69K. This presents a trade-off between the initial deployment cost and the subsequent verification cost. [Forum DAO's](https://www.forumdaos.com/) team have impelemented this verifier in their production ready product. You can try in their website. Transaction Hash for Account Creation Transaction Hash for a Regular Transaction [A Blog Post about the precomputation](https://mirror.xyz/jamesmccomish.eth/qGbrWk_EyNzyl3lZDmRzO1LEwHRsHrA2iMDuU9q1fds) **More smart contract based Verifiers can be found in this [link](https://github.com/rdubois-crypto/FreshCryptoLib)** ![](https://hackmd.io/_uploads/rJwfXRu16.png) A Table from [Ledger's Article](https://eprint.iacr.org/2023/939.pdf) # **Zero Knowledge Based Verifiers:** ZKP empowers us to validate intricate computations via specialized mathematical algorithms, ensuring computational integrity and potentially reducing both calldata and gas expenses [**Risc0 Bonsai**](https://github.com/risc0/bonsai-foundry-template) facilitates the conversion of Starks to Snarks, with a verification cost of 280k gas for the Risc0 Bonsai proofs. Risc0’s STARK proof is verified inside a groth16 prover, then the groth16 proof is verified on-chain. Once a user authenticates with WebAuthn, a P256 signature is generated. The signature is then sent to a smart contract that offloads the heavy computation off-chain to Bonsai Proving Service. The signature is then verified and a proof is sent to the smart contract where the transaction is executed. * [Kobi Gurkan's Implementation via Utilizing Risc0](https://x.com/kobigurk/status/1691898186904854771?s=20) * [Bonfire Demo](https://ethglobal.com/showcase/bonfire-wallet-n1dzp) * [A Case Study From Me](https://mirror.xyz/0x8958D0c419BCDFB8A86b8c0089552bE015fbe364/IzmGOJM8y_02JofILk7n4yAbCnVx4D7Zt3TAxKl04_U) [**Know Nothing Labs**](https://github.com/zkwebauthn/webauthn-halo2) have built a wallet that allows sign in using Face ID. A WebAuthn registration is trigged on client device for authentication. When a transaction is signed, the ECDSA signature and public key is used to generate a ZK proof using the Halo2 proof system. This proof is set in the signature field within the UserOperations bundle which is sent to a smart contract that verifies and executes the transaction. 520K Gas was used for this transaction. With lower gas costs, it is easier to generate proofs from the client side even on Chrome or Safari. A Mac Book Pro with 16GB RAM and an M1 chip was used in this instance. * [Codebase](https://github.com/zkwebauthn/webauthn-halo2/tree/76f3ac6cbc3356fee58a58445968a6d88040e557) * [Axiom’s implementation](https://github.com/axiom-crypto/halo2-lib) * [Noseedphrase demo](https://www.noseedphrases.xyz/) [**ZK WebAuthn with Circom**](https://github.com/zkwebauthn/webauthn-circom) Circom is a DSL used to generate a ZK proof. A similar workflow using Circom would approximately cost 230k fixed gas and ~100k per signature (total ~330k gas). * [WebAuthn with Circom](https://github.com/zkwebauthn/webauthn-circom) * [ECDSA in Circom](https://github.com/0xPARC/circom-ecdsa) | Proof System | Type | Proving Time | Gas consumption | Where is the proof generated | | --- | --- | --- | --- | --- | | Risc0 Bonsai | STARK to SNARK | nearly instant | 220K | Bonsai Proving Service | | Halo2 | SNARK | 4s / 20s | 500K | M1 Pro with 16 GB / Smart Phone | | Circom | SNARK | nearly instant | 300K | 16-core 3.0GHz, 32G RAM machine | # **Verifying With EVMMAX** EIP-6990, EIP-6601, and EIP-5483 are proposals aimed at improving the efficiency of modular arithmetic operations in Ethereum by introducing new opcodes and changes. EVMMAX can also be utilized to verify the p256 curve. [According to jwasinger, the author of EIP-6601,](https://ethereum-magicians.org/t/eip-6690-evm-modular-arithmetic-extensions-evmmax-decoupled-from-eof/13322/4) verifying the p256 curve with EVMMAX theoretically consumes 73,810 gas, which is more expensive than Ledger's implementation. (expensiver than Ledger's most optimized implementation. *Q: Does it makes sense in case of p256 curve verification?)* **Note that EVMMAX is also a protocol level, core change and hasn't been accepted yet.** ![](https://hackmd.io/_uploads/B1FzhB_y6.png) # **Verifying With EIP-7212** [EIP-7212](https://eips.ethereum.org/EIPS/eip-7212) proposes a new precompiled contract for verifying the secp256r1 curve at a cost of just 3,450 gas. While it is still under review, it requires community support to make it to the mainnet. Notably, some Layer 2 solutions are already considering the implementation of EIP-7212 in their EVMs. I'm a co-author of this EIP, and we're actively seeking more reviewers for further evaluation. EIP-7212 represents the most cost-effective method for on-chain verification of the p256 curve. [Ethereum Research Post](https://ethereum-magicians.org/t/eip-7212-precompiled-for-secp256r1-curve-support/14789) [A Smart Contract Example That Uses EIP-7212](https://twitter.com/0xz80/status/1697256356909346906) | Verifier |Gas consumption |Type | | --- | --- | --- | | EVMMAX| 73k | Core Protocol Change | | EIP-7212 | 3450 | Core Protocol Change | # **Verifying at Different Networks** **Arbitrum - Stylus:** Offchain Labs has introduced an upgrade for Arbitrum chains called Stylus, which enables a WASM virtual machine to run alongside the EVM. This means any language that can be compiled down to WASM is now compatible with Stylus. Smart contracts written in Rust, C, or C++ are fully interoperable with Solidity and Vyper contracts. In Solidity, you can call a Rust program and vice versa. Due to the superior efficeincy of WASM programs, fees are slashed by over 10x for compute and by over 100x for memory. This flexibility allows verifiers for the P256 curve to be developed using Stylus. While no optimized verifier exists at the moment, a proof-of-concept is accessible at [this GitHub repository](https://github.com/jake-nyquist/stylus-p256-example). [Transaction Hash (850k gas)](https://stylus-testnet-explorer.arbitrum.io/tx/0x262d63de85365cad7bbd34e07640542430bf09be7748ab2070a5bc706db85c83) --- **Native Supported Chains - Aztec, Fuel and zkSync (soon)** While we can verify p256 curve with smart contracts there are already a few networks that supports p256 as a native curve. **Aztec:** Aztec has a native verifier that verifies p256 curve.[ Source](https://github.com/noir-lang/noir/releases/tag/v0.9.0) ![](https://hackmd.io/_uploads/BJEonL_y6.jpg) **Fuel:** FuelVM also supports secp256r1 curve natively. [Source:](https://specs.fuel.network/master/fuel-vm/instruction-set.html#ecr1-secp256r1-signature-recovery) ![](https://hackmd.io/_uploads/SyPIpLOJp.png) **zkSync:** zkSync team discusses to impleement EIP7212 at the protocol which enables native verifier for p256. https://twitter.com/LambdazkSync/status/1702556940168217039 ![](https://hackmd.io/_uploads/H14tCIukp.png) --- **Cairo:** There are currently different products that use p256 curve for at Starknet Ecosystem. **Bravoos's implementation:** Bravoos is an Account Abstraction based wallet that uses Secure Enclave for key management. [Github Link for the Verifier](https://github.com/myBraavos/efficient-secp256r1/blob/develop/src/secp256r1/ec_mulmuladd.cairo) **Cartridge’s implementation:** Cartridge is building onchain games and autnomous worlds. Part of the product offering, the Cartridge Controller, leverages WebAuthn for transaction signing. They’ve developed a Cairo verifier for WebAuthn. [Github Link for the Verifier](https://github.com/cartridge-gg/cairo-webauthn) [**Spartucus's implementation**](https://github.com/spartucus/nistp256-cairo) **[A Starknet Forum Post About Supporting Webauthn at Starknet](https://community.starknet.io/t/supporting-webauthn-on-starknet/3910)** --- # **Final Thoughts** Here is the summary: | Verifier | Gas Consumption At Account Creation |Gas consumption at Single Transaction | Proving Time |Type | | --- | --- | --- | --- | --- | | Obvious' Solidity Verifier | 330k | 330k | instant | Smart Contract Verifier | | Alembic's Solidity Verifier | 2M | 375k | instant | Smart Contract Verifier | | [FCL's](https://github.com/rdubois-crypto/FreshCryptoLib) Solidity Verifier without precomputation | 205k | 205k | instant | Smart Contract Verifier | | [FCL's](https://github.com/rdubois-crypto/FreshCryptoLib) Solidity Verifier with precomputation | 3.2M | 69k | instant | Smart Contract Verifier | | Risc0 Verifier | 250k | 250k | nearly instant | Zero Knowledge Verifier | | KnowNothingLabs's Verifier | 520k | 520k | ~ 4 seconds | Zero Knowledge Verifier | | Circom | 230K | 300K | nearly instant | Zero Knowledge Verifier| | A Verifier With EVMMAX | 73k | 73k | instant| A Core Protocol Change | | EIP-7212 - Precompiler Contract for P256 | 3450 | 3450 | instant| A Core Protocol Change | Clearly, every contribution to this subject holds great value and will significantly impact the future. Together, we aim to shape the future of the internet. A special thanks to [Reno from Ledger](https://twitter.com/RenaudDUBOIS10) for the insightful feedbacks, [Muhammad from Delphi](https://twitter.com/yusufxzy) for assisting with the ZK section of the article, [Andy Guzzman from EF](https://twitter.com/AndyGuzmanEth), [Will Paper](https://twitter.com/WillPapper), [Richard Liu](https://richardliu.me/) from Skiff, Jebu from Obvious Wallet Yoav from Bravoos, [Austin](https://twitter.com/gmEthereum) From Offchain Labs and Tarrance from Cartrige!

Import from clipboard

Advanced permission required

Your current role can only read. Ask the system administrator to acquire write and comment permission.

This team is disabled

Sorry, this team is disabled. You can't edit this note.

This note is locked

Sorry, only owner can edit this note.

Reach the limit

Sorry, you've reached the max length this note can be.
Please reduce the content or divide it to more notes, thank you!

Import from Gist

Import from Snippet

or

Export to Snippet

Are you sure?

Do you really want to delete this note?
All users will lose their connection.

Create a note from template

Create a note from template

Oops...
This template is not available.
Upgrade
All
  • All
  • Team
No template found.

Create custom template

Upgrade

Delete template

Do you really want to delete this template?
Turn this template into a regular note and keep its content, versions, and comments.

This page need refresh

You have an incompatible client version.
Refresh to update.
New version available!
See releases notes here
Refresh to enjoy new features.
Your user state has changed.
Refresh to load new user state.

Sign in

Forgot password

or

By clicking below, you agree to our terms of service.

Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in with Wallet
Wallet ( )
Connect another wallet

New to HackMD? Sign up

Help

  • English
  • 中文
  • Français
  • Deutsch
  • 日本語
  • Español
  • Català
  • Ελληνικά
  • Português
  • italiano
  • Türkçe
  • Русский
  • Nederlands
  • hrvatski jezik
  • język polski
  • Українська
  • हिन्दी
  • svenska
  • Esperanto
  • dansk

Documents

Help & Tutorial

How to use Book mode

How to use Slide mode

API Docs

Edit in VSCode

Install browser extension

Get in Touch

Feedback

Discord

Send us email

Resources

Releases

Pricing

Blog

Policy

Terms

Privacy

Cheatsheet

Syntax Example Reference
# Header Header 基本排版
- Unordered List
  • Unordered List
1. Ordered List
  1. Ordered List
- [ ] Todo List
  • Todo List
> Blockquote
Blockquote
**Bold font** Bold font
*Italics font* Italics font
~~Strikethrough~~ Strikethrough
19^th^ 19th
H~2~O H2O
++Inserted text++ Inserted text
==Marked text== Marked text
[link text](https:// "title") Link
![image alt](https:// "title") Image
`Code` Code 在筆記中貼入程式碼
```javascript
var i = 0;
```
var i = 0;
:smile: :smile: Emoji list
{%youtube youtube_id %} Externals
$L^aT_eX$ LaTeX
:::info
This is a alert area.
:::

This is a alert area.

Versions and GitHub Sync
Upgrade to Prime Plan

  • Edit version name
  • Delete

revision author avatar     named on  

More Less

No updates to save
Compare
    Choose a version
    No search result
    Version not found
Sign in to link this note to GitHub
Learn more
This note is not linked with GitHub
 

Feedback

Submission failed, please try again

Thanks for your support.

On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

Please give us some advice and help us improve HackMD.

 

Thanks for your feedback

Remove version name

Do you want to remove this version name and description?

Transfer ownership

Transfer to
    Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

      Link with GitHub

      Please authorize HackMD on GitHub
      • Please sign in to GitHub and install the HackMD app on your GitHub repo.
      • HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.
      Learn more  Sign in to GitHub

      Push the note to GitHub Push to GitHub Pull a file from GitHub

        Authorize again
       

      Choose which file to push to

      Select repo
      Refresh Authorize more repos
      Select branch
      Select file
      Select branch
      Choose version(s) to push
      • Save a new version and push
      • Choose from existing versions
      Include title and tags
      Available push count

      Upgrade

      Pull from GitHub

       
      File from GitHub
      File from HackMD

      GitHub Link Settings

      File linked

      Linked by
      File path
      Last synced branch
      Available push count

      Upgrade

      Danger Zone

      Unlink
      You will no longer receive notification when GitHub file changes after unlink.

      Syncing

      Push failed

      Push successfully