What is RIP-7212? Precompile for secp256r1 Curve Support
Account abstraction has introduced a significant feature for Ethereum accounts: account programmability. This allows developers to create thousands of new features, such as daily spending limits, alternative signers, and fee payment in any token. In this post, we focus on how developers can improve the user experience with the upcoming integration of RIP-7212 (previously known as EIP-7212) on rollups, which makes it practical to use biometric signers.
Ethereum Signatures Today
On EVM networks, where most accounts are externally owned accounts (EOAs), ownership is proven with elliptic curve cryptography (ECC): a signature lets anyone verify, without trusting a third party, that a message was signed by the holder of a particular private key, without that key ever being revealed.
The current way that users manage their funds is with either self-custodial wallets (i.e. by storing their keys as seed phrases) or custodial solutions (i.e. by trusting 3rd parties for key management).
In parallel, decades of web2 security research have culminated in a battle-tested hardware-software-social stack for private key management. As a result, modern devices ship with secure hardware elements designed to protect users' keys. However, these elements do not support secp256k1, the only elliptic curve Ethereum natively verifies. Thus, there is no way to bring these security best practices to EOAs.
Smart contract accounts enable different authentication mechanisms, including the use of elliptic curves other than secp256k1 (Ethereum’s only native curve). Using different authentication mechanisms like biometric signers improves the user experience and increases security. In this section, we will explain how those secure enclaves work and how it looks when they are combined with smart accounts.
Secure Enclaves on everyday devices: Hardware Wallet in your phone
Almost all modern devices incorporate into their chip design what is called a Trusted Execution Environment (TEE), a hardware element specifically designed to act as a protective shield around users' most sensitive data.
For example, Apple devices have included a TEE called the Secure Enclave since 2013, when it first shipped in the iPhone 5s. Unlike the application processor, which handles everything from app processes to notifications, the Secure Enclave is a dedicated coprocessor isolated from the rest of the system. This separation ensures that sensitive data, such as biometric templates and cryptographic keys, stays isolated from threats that might compromise other parts of the device. Leveraging TEEs is the most secure way to store keys on consumer devices, effectively converting everyday devices into hardware wallets whose keys can only be used after biometric authentication.
How can we use TEEs with Smart Accounts?
Secure enclaves allow users to create a key inside the TEE and sign arbitrary messages with it, which is exactly what we need in order to verify those signatures onchain. We can create a smart account whose owner is the public key of a private key that lives inside the TEE. That key never leaves the device and can be used only by the device owner, thanks to biometric authentication.
Passkeys: A Path to a Passwordless Web
Approximately 81% of hacking-related breaches involve the use of stolen or weak passwords. In response, researchers have focused on the WebAuthn protocol, developed by the FIDO Alliance and the W3C, which addresses this by replacing passwords with public key cryptography and improving both security and user experience. WebAuthn has to date been adopted for authentication by large companies such as Google, Amazon, Microsoft, and Coinbase, with broader adoption quickly picking up.
WebAuthn overcomes the weaknesses and inconveniences of traditional password systems by using public-key cryptography for user authentication, with each key pair bound to the domain that registered it. This approach eliminates passwords, forgotten passwords, and account lockouts, and because a credential only answers challenges for its own origin, it removes the phishing and credential-reuse risks that come with shared secrets.
How do passkeys work?
Passkeys are an implementation of the WebAuthn standard and work on almost all modern devices. When a user signs up for an account, the operating system generates a unique key pair linked to that account and bound to the app or website that created it. These keys are protected by the device's secure enclave, with use gated by biometric authentication, and can be synced across devices via iCloud Keychain or other password managers.
Passkeys have many use cases in blockchain account management. To use one onchain, developers can store the passkey's public key in a smart contract account and accept signatures from it as the authentication method.
Unfortunately, almost all secure enclaves and passkeys support only the secp256r1 (P-256) curve, a NIST curve, whereas Ethereum natively supports only secp256k1. So we must verify P-256 signatures onchain to prove ownership, but how can we do that affordably?
The answer is RIP-7212.
What is RIP-7212? A Precompiled Contract for secp256r1 Curve Support
RIP-7212 is a core protocol change for rollups that adds a precompiled contract for cheap, secure, and fast P-256 signature verification. It is the first Rollup Improvement Proposal that was proposed to and successfully accepted by Layer 2 blockchains.
What are precompiled contracts?
Precompiled contracts are not "contracts" in the traditional sense, but rather predefined, native functions that are "precompiled" because they are available natively in the Ethereum protocol.
Precompiled contracts are optimized for performance and low gas costs for specific operations, such as cryptographic calculations (e.g. signature recovery for secp256k1 via ecrecover and, with RIP-7212, signature verification for secp256r1) or hashing functions. Without precompiled contracts, performing these operations in the Ethereum Virtual Machine would require far more bytecode and significantly more computation, leading to much higher gas fees. You can see the list of precompiles on Ethereum on the evm.codes website.
How does RIP-7212 compare to other solutions?
As explained above, using biometric signers (Passkeys and Secure Enclave based keys) is only possible if we have a way to verify P-256 signatures onchain. Several options exist, but none of them are cheap.
With RIP-7212, verifying a P-256 signature costs only 3450 gas, roughly 20 to 100 times cheaper per transaction than the non-protocol options in the table below. RIP-7212 is the most gas-efficient, secure, and fastest way to verify P-256 signatures on EVM chains.
Verifier | Gas Consumption (Account Creation) | Gas Consumption (Single Transaction) | Proving Time | Type |
---|---|---|---|---|
Obvious' Solidity Verifier | 330k | 330k | Instant | Smart Contract Verifier |
Alembic's Solidity Verifier | 2M | 375k | Instant | Smart Contract Verifier |
FCL's Solidity Verifier w/o precomputation | 205k | 205k | Instant | Smart Contract Verifier |
FCL's Solidity Verifier with precomputation | 3.2M | 69k | Instant | Smart Contract Verifier |
Risc0 Verifier | 250k | 250k | Nearly instant | Zero Knowledge Verifier |
KnowNothingLab's Verifier | 520k | 520k | ~4 seconds | Zero Knowledge Verifier |
Circom | 230k | 300k | Nearly instant | Zero Knowledge Verifier |
A Verifier with EVMMAX | 73k | 73k | Instant | Core Protocol Change |
RIP-7212 (formerly EIP-7212) Precompiled Contract for P256 | 3450 | 3450 | Instant | Core Protocol Change |
The State of RIP-7212 and Use Cases
The RIP-7212 spec is finalized and several teams (Kakarot, Polygon, Optimism, zkSync, and Arbitrum) have already committed to implementing this precompile in their rollup ecosystems. Polygon recently shipped RIP-7212 to its testnet and developers are starting to test it.
The use cases for RIP-7212 are not limited to smart accounts. RIP-7212 can also be used to verify remote attestations of Trusted Execution Environments, which have been used for decentralized block building (SUAVE), 2FA for rollups (Taiko and Scroll), and more.
Building an ERC-6900 Compatible P256 Validator Contract That Uses RIP-7212
Once RIP-7212 is live, the next step is to make it as easy as possible for developers to use it to improve their end users' experience. Integrating new code into smart accounts is a high-friction, high-risk endeavor, and even highly simplified flows like those enabled by RIP-7212 still need to be carefully architected, tested, and audited.
This is where ERC-6900 fits in.
ERC-6900: Modular Smart Contract Accounts and Plugins is an EVM standard designed to enable developers to capture logical pieces as plugins, which any other account developer can use. Developers can then rely on battle tested plugins to improve their end user experience, instead of having to build their own plugins.
Combining RIP-7212 and ERC-6900 results in a simple account plugin for efficient P256 validation, enabling cheap, secure biometric authentication for users with minimal developer overhead. We’re excited to release this plugin on supporting rollups as mainnet adoption of RIP-7212 accelerates.