mau
  • 🧩Account Abstraction
    • 📎Introduction ERC-4337
    • 🙍Key Roles and Their Interactions
      • 📄UserOperation Breakdown and Security Concerns
    • 🌉Interfaces
      • 1️⃣EntryPoint Interface
      • 2️⃣Account Interface
      • 3️⃣Aggregator
    • ⛓️Transaction Nonce
    • 🤝Using Signature Aggregators
    • 🚪Required entry point contract functionality
      • 🏦Paymaster extension
        • 🌉Paymaster Interfaces
    • 🤸Handling UserOperation
      • 🤖Simulation
      • 🔄Alternative Mempools
    • Bundling
      • Forbidden opcodes
    • Reputation
      • Unstaked
      • Specification
    • Storage associated with an address
    • 📚Extra References
  • 🔐Signature
    • 🔁Replay Attack
    • 🗝️Signature Malleability
  • 🧱Ethereum Blockchain
    • 📖Account State
    • 👩‍💻create2 OPCODE
  • 📑Ethereum Improvement Proposals
    • 📄EIP-191
      • 📄ECDSA
      • 📄ABI Encode and Keccak256
    • 📄EIP-712
    • 📄EIP-7212
      • 📄Abstract
      • 📄Motivation
      • 📄Elliptic Curve Signature Verification Steps
      • 📄Verification and Sepecification
      • 📄Rationale
    • 📄EIP-1271
    • 📄EIP-1167
  • ⚒️Foundry
  • 📚DeFi and the Future of Finance - Book
    • 🔧The Problems DeFi Solves
    • 1️⃣DeFi Basics
      • 🪙Equity, Liquidity and Governance Token
      • 🛃Custody
      • 🔄Supply Adjustment
      • 📈Bounding Curve
      • 💸Incentives
      • 🔁Swaps
      • 💰Collateralized/Uncollateralized Loans
    • 2️⃣Credit and Lending
  • ⛽Gas Griefing
    • 1️⃣Understanding Gas in Ethereum
    • 2️⃣Gas Allocation and Contract Interactions
    • 3️⃣Understanding Gas Limits: Exploring the 63/64 Rule
    • 4️⃣Understanding Gas Limits in Contract-to-Contract Calls
    • 5️⃣Gas Griefing Attack
    • 6️⃣Inner Call Out Of Gas Attack
    • 7️⃣Gas Griefing Contest Findings
      • ⛽Withdrawals with high gas limits can be bricked by a malicious user, permanently locking funds
      • ⛽Gas limit check is inaccurate, leading to an operator being able to fail a job intentionally
  • ✏️My Auditing Process
    • ❓How do I start ?
    • ⭕Bounded Context Technique
    • 🌳BTT
  • 🏃‍♀️Productivity
    • ✖️Best way to use Twitter Bookmarks
    • ⌛How to track focused working hours
    • 👩‍💻VS Code plugins to increase performance
    • 🏗️How to create your audit process methodology
    • 📕You should also have your Gitbook
    • 👮Best way to study for Secureum
  • 📙Secureum
    • 📄RACE 4
    • 📄RACE 5
  • 💻Mainnet Attacks
    • 🔁Reentrancy
      • 2022 Dec - Grim Finance
      • 2016 June - The DAO
  • ABI Encode
    • Basic Design
    • Function Selector
    • Elementary Types
    • Formal Specification of the Encoding
    • Examples
    • Events
    • Errors
    • Non-standard Packed Mode
    • References
  • Solidity
Powered by GitBook
On this page
  1. Ethereum Improvement Proposals
  2. EIP-7212

Verification and Sepecification

Required Checks in the Verification:

Before verifying a signature, certain checks are performed to ensure the provided signature components and public key are valid. Here's what each bullet point means:

  • Verify that both r - s values are greater than 0 and less than the curve order.

    • r and s are the two components of an ECDSA signature. They should be positive values and must be less than the order of the elliptic curve group. This ensures they are valid scalar values in the elliptic curve's finite field.

  • Verify that s is equal to or less than half of the order of the subgroup to prevent signature malleability.

    • Signature malleability refers to the ability to alter a signature without invalidating it. By ensuring s is less than or equal to half the curve's order, the protocol reduces the risk of having two valid signatures for the same message, which is a common ECDSA vulnerability.

  • Verify that the point formed by (x, y) values is on the curve and both components are in between 0 and the p value of the curve.

    • The public key is a point on the elliptic curve defined by its x and y coordinates. This check ensures that the provided point lies on the curve. Additionally, the coordinates should be between 0 and the prime p defining the curve's field. This guarantees the public key is valid.

Precompiled Contract Specification:

The proposed precompiled contract, named P256VERIFY, allows for signature verification on the "secp256r1" (or P-256) elliptic curve. The specification provides details on the expected input and output for this precompiled contract:

  • Input data: 160 bytes of data including:

    • 32 bytes of the signed data hash: This is the hash of the message or data that was signed.

    • 32 bytes of the r component of the signature: r is one component of the ECDSA signature.

    • 32 bytes of the s component of the signature: s is the other component of the ECDSA signature.

    • 32 bytes of the x coordinate of the public key: The x value of the public key's coordinates.

    • 32 bytes of the y coordinate of the public key: The y value of the public key's coordinates.

  • Output data: 32 bytes of result data and error

    • Depending on the outcome of the verification process, the precompiled contract will output:

      • Success: If the signature verification is successful, it will return a 32-byte value of 1.

      • Error: If there's an error in the verification, the return might be a different value or the call might revert. The exact nature of error handling would depend on the contract's implementation details, which aren't specified in the provided section.

The idea behind this precompiled contract is to offer efficient, native support for "secp256r1" elliptic curve operations on the Ethereum platform without requiring extensive gas costs that would be incurred if implemented in standard smart contract code.

PreviousElliptic Curve Signature Verification StepsNextRationale

Last updated 1 year ago

📑
📄
📄