Contributor

@doocho doocho commented Sep 26, 2025

Description

Overview

This PR adds explicit infinity point validation to the secp256r1 precompile to comply with EIP-7951: Precompile for secp256r1 Curve Support specification.

Key Change

Added Infinity Point Check

// EIP-7951: Reject infinity point (0,0) encoding
if pk.iter().all(|b| *b == 0) {
    return None;
}

This prevents consensus failures from infinity point attacks by explicitly rejecting the point-at-infinity encoding.

EIP-7951 Compliance

The implementation satisfies EIP-7951 requirements through:

1. Precompile Address

  • Address: 0x100 (256) - P256VERIFY_ADDRESS = 256

2. Gas Costs

  • Osaka spec: 6900 gas (P256VERIFY_BASE_GAS_FEE_OSAKA)
  • Legacy spec: 3450 gas (maintains L2 compatibility)

3. Input Validation (via p256 library)

  • Signature bounds: 0 < r < n, 0 < s < n (enforced by Signature::from_slice)
  • Public key bounds: 0 ≤ qx < p, 0 ≤ qy < p (enforced by VerifyingKey::from_encoded_point)
  • Curve equation: qy² ≡ qx³ + ax + b (mod p) (enforced by VerifyingKey::from_encoded_point)
  • Input length: exactly 160 bytes (enforced by input.len() != 160)

4. Modular Comparison

  • ECDSA standard: r' ≡ r (mod n) (handled by p256 library's verify_prehash)

5. Failure Handling

  • Returns empty bytes on failure
  • Consumes same gas as successful verification

Testing

Added Test Cases

  • ✅ Infinity point encoding rejection
  • r = 0 and s = 0 rejection
  • r ≥ n and s ≥ n rejection
  • qx ≥ p and qy ≥ p rejection
  • ✅ Osaka path 6900 gas verification
  • ✅ OutOfGas error handling

Compatibility

  • RIP-7212 compatibility: Existing valid signatures continue to work
  • L2 compatibility: 3450 gas path maintained
  • Interface: Same ABI, same calling convention

References

…canonical bounds; modular comparison via verifier); keep Osaka gas at 6900

codspeed-hq bot commented Sep 26, 2025

CodSpeed Performance Report

Merging #3012 will not alter performance

Comparing doocho:feat/eip-7951-secp256r1 (881955b) with main (0e05a30)

Summary

✅ 173 untouched

@doocho doocho closed this Sep 26, 2025
@doocho doocho deleted the feat/eip-7951-secp256r1 branch September 26, 2025 09:33
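
The range and infinity checks listed in the PR description, as an added standalone example (not revm's code and not part of this PR). The names `precheck`, `Reject` and `build` are hypothetical, the `hash | r | s | qx | qy` layout is taken from EIP-7951, and the on-curve check and signature verification that the PR delegates to the p256 library are not reproduced.

```rust
// Added example: structural pre-checks on a 160-byte P256VERIFY input.
// Assumed layout (EIP-7951): hash | r | s | qx | qy, 32 bytes each, big-endian.
const P: [u8; 32] = [ // P-256 field prime p
    0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
];
const N: [u8; 32] = [ // P-256 group order n
    0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51,
];

#[derive(Debug, PartialEq)]
pub enum Reject { Length, ScalarRange, CoordRange, Infinity }

/// Returns Ok(()) when the input passes the length, range and infinity checks.
pub fn precheck(input: &[u8]) -> Result<(), Reject> {
    if input.len() != 160 {
        return Err(Reject::Length);
    }
    let (r, s) = (&input[32..64], &input[64..96]);
    let (qx, qy) = (&input[96..128], &input[128..160]);
    // Equal-length big-endian slices order the same way as the integers they encode.
    for k in [r, s] {
        if k.iter().all(|b| *b == 0) || k >= &N[..] {
            return Err(Reject::ScalarRange); // requires 0 < r, s < n
        }
    }
    if qx >= &P[..] || qy >= &P[..] {
        return Err(Reject::CoordRange); // requires 0 <= qx, qy < p
    }
    // (0, 0) passes the range check above, so it needs its own rejection.
    if input[96..160].iter().all(|b| *b == 0) {
        return Err(Reject::Infinity);
    }
    Ok(())
}

/// Builds a constructed 160-byte input with a dummy message hash.
pub fn build(r: &[u8], s: &[u8], qx: &[u8], qy: &[u8]) -> Vec<u8> {
    [&[0xaa; 32][..], r, s, qx, qy].concat()
}

fn main() {
    let zero = [0u8; 32];
    let mut one = [0u8; 32];
    one[31] = 1;
    println!("{:?}", precheck(&build(&one, &one, &zero, &zero))); // infinity encoding
    println!("{:?}", precheck(&build(&N, &one, &one, &one))); // r == n
}
```

An input that passes `precheck` can still be off the curve; only the curve-equation check in the verifying-key constructor rules that out.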