What is RIP-7212? The First Rollup Improvement Proposal (RIP)
Introduction:
On EVM networks, the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for creating externally owned accounts (EOA), signing transactions and verifying digital signatures. The ECDSA relies on the secp256k1 elliptic curves because of its efficiency and security.
These elliptic curves play a crucial role in blockchain security and integrity, ensuring trust and reliability in transactions.
Understanding Elliptic Curves:
Elliptic curves are continuous curves described by the equation:
$$y² = x³ + ax + b$$
These curves have special mathematical properties allowing points on the curves to be added together. In simpler terms, these curves are used to generate random points by drawing and reflecting lines, and then these points are used to create key pairs.
Below is the graphical representation of the elliptic curve.
There are different types of elliptic curves but we will cover secp256k1 and secp256r1 in this blog.
1) secp256k1:
secp256k1 is an elliptic curve that is primarily used for cryptographic applications, the “k“ here denotes koblitz. In the koblitz curves like secp256k1 the parameters “a“ and “b“ are pre-defined and allow more effective computation that is advantageous for blockchains.
it is defined by
$$y² = x³ + 7$$
Here:
$$a = 0, b=7$$
This curve operates over a finite field of prime order “p“, where:
$$p = 2²⁵⁶ - 2³² - 2⁹ - 2⁸ - 2⁷ - 2⁶ - 2⁴ - 1$$
2) secp256r1:
secp256r1 is an elliptic curve also known as “P256“ commonly used in security protocols and standards for web communication and hardware security modules. The “r“ here denotes random, unlike secp256k1 in this curve the “a“ and “b“ parameters are not predefined but are chosen randomly. These values are selected through a rigorous process to maintain the curve’s security.
The parameters “a“ and “b“ are part of a larger standard designed for broader cryptographic applications like web communications.
It is defined by:
$$y 2 =x 3 +ax+b$$
Here:
a is set to a value equivalent to −3-3−3 modulo p. In hexadecimal, this is typically represented as
$$a=FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC$$
b is a large, seemingly random constant:
$$b=5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B$$
The appearance of randomness in these parameters is the intended choice to ensure security.
Now you might have thought that secp256k1 favours blockchain and cryptocurrencies but why are we studying secp256r1?
Well because the secp256r1 elliptic curve is supported by secure enclaves and passkey used in modern devices for secure authentication. Many Trusted Execution Environment (TEE) chips like Apple secure enclave generate and store cryptographic keys using the secp256r1 curve, ensuring that the private keys never leave the device and can only be accessible through biometric verification.
Similarly, passkey which provides password authentication for web applications also uses the secp256r1 curve for generating and managing key pairs. However, Ethereum natively supports secp256k1. To bridge this gap and enable on-chain verification of these signatures on modern devices we need a way to verify secp256r1 signatures on Ethereum.
The Solution: RIP-7212
RIP-7212 is an important change in the Ethereum protocol that introduces precompiled contracts for secp256r1 curve signature verification. It is the first-ever Rollup Improvement Proposal (RIP) aiming to enable the verification of signatures used in modern systems while maintaining high-performance standards.
RIP-7212 bridges a crucial gap between Ethereum’s native secp256k1 curve and the secp256r1 that is used in secure enclaves and biometric systems.
What Are Precompiled Contracts?
These are not traditional smart contracts that we interact with usually but they are predefined native functions that are precompiled because they are natively available in the Ethereum protocol.
For performing cryptographic operations such as signature verification, precompiled smart contracts are the best choice as they are highly efficient and require low gas costs. Without these contracts performing these operations would cost high computational energy which will eventually lead to higher gas costs.
Precompiled Contract Specification:
In RIP-7212, new precompiled specifications for P256VERIFY precompiled contracts have been introduced. These specifications have been introduced with the following inputs and outputs.
Input data: 160 bytes of data including:
32 bytes of the signed data
hash32 bytes of the
rcomponent of the signature32 bytes of the
scomponent of the signature32 bytes of the
xcoordinate of the public key32 bytes of the
ycoordinate of the public key
Output data:
If the signature verification process succeeds, it returns 1 in 32-byte format.
If the signature verification process fails, it does not return any output data.
Source => https://github.com/ethereum/RIPs/blob/master/RIPS/rip-7212.md
Gas Efficiency of RIP-7212:
RIP-7212 only cost 3450 gas verifying P256. It is the most secure, gas-efficient and fastest way to verify P256 on EVM chains.
There are many other ways to verify the P256 curve on-chain. The below table shows that none of them are cheaper than RIP-7212.
| Verifier | Gas Consumption At Account Creation | Gas Consumption at Single Transaction | Proving Time | Type |
| Obvious' Solidity Verifier | 330k | 330k | instant | Smart Contract Verifier |
| Alembic's Solidity Verifier | 2M | 375k | instant | Smart Contract Verifier |
| FCL's Solidity Verifier without precomputation | 205k | 205k | instant | Smart Contract Verifier |
| FCL's Solidity Verifier with precomputation | 3.2M | 69k | instant | Smart Contract Verifier |
| Risc0 Verifier | 250k | 250k | nearly instant | Zero Knowledge Verifier |
| KnowNothingLabs's Verifier | 520k | 520k | ~ 4 seconds | Zero Knowledge Verifier |
| Circom | 230k | 300k | nearly instant | Zero Knowledge Verifier |
| A Verifier With EVMMAX | 73k | 73k | instant | A Core Protocol Change |
| EIP-7212 - Precompiler Contract for P256 | 3450 | 3450 | instant | A Core Protocol Change |
Source => https://hackmd.io/@1ofB8klpQky-YoR5pmPXFQ/SJ0nuzD1T
Adoption of RIP 7212:
RIP-7212 has been implemented by major rollups and blockchains that include ZKsync, optimism, Kakorot ZkEvm and Polygon.
Practical Applications Enabled By RIP-7212:
The adoption of RIP-7212 unlocks many applications that include:
Biometric Verification For Ethereum Transaction:
With the support secp256r1 support, users can leverage biometric authentication methods for signing Ethereum transactions.
Smart Account Integrations:
It can facilitate programmable features like daily spending limits and multi-signer arrangements allowing for more transactions.
Attestation of TEEs:
It can be used to verify remote attestation of Trusted Execution Environments (TEEs) which can used for different purposes in blockchain.
Conclusion And Future Outlook:
The proposal of RIP-7212 was submitted by Ulaş Erdoğan and Doğan Alpaslan on June 20, 2023, and represents an achievement for the Ethereum protocol because it enhances Ethereum’s functionality by enabling cheaper, faster and more secure secp256r1 curve verification.
This proposal has garnered support from various Ethereum ecosystems such as Arbitrum that have proposed adopting this precompile to facilitate account abstraction wallets and improve user experience on DAPPs.
By embracing this proposal Ethereum would be able to enhance its technical capabilities by integrating with modern devices that would help the developers to build more user-friendly software and application
