This proposal aims to create a new precompile (if you don’t know what it is take a look here Ethereum Precompiles) at address 0x19 that computes signature verification in the “secp256r1” curve by given parameters of message hash, r - s components of the signature, and x - y coordinates of the public key.
“secp256r1” is one of the most used elliptic curves in the Web2 world and is also standardized by NIST. It is supported in many modern devices such as Apple’s Secure Enclave, Webauthn and Android Keychain.
# curve:
y^2 ≡ x^3 + ax + b
# p: specifies reduced elliptic group
0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
# a: elliptic curve coefficient
0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc
# b: elliptic curve coefficient
0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# G: base point of the subgroup
(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# n: order of the subgroup
0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
# h: cofactor of the subgroup
0x1
The verification of the signature can be done with the following steps:
# h (message hash)
# pubKey = (public key of the signer private key)
# Calculate the modular inverse of the signature proof:
s1 = s^(−1)(modn)
# Recover the random point used during the signing:
R' = (h * s1) * G + (r * s1) * pubKey
# Take from R' its x-coordinate:
r' = R'.x
# Calculate the signature validation result by comparing whether:
r' == r
hashr component of the signatures component of the signaturex coordinate of the public keyy coordinate of the public keyNote that there is a difference between this output (which only is 0 or 1 depending on the correctness of the signature) and the one of ECRECOVER precompile that return the address.
3450 gas.
https://github.com/ethereum/go-ethereum/pull/27540
Right now there is only a reference implementation for Geth.