Public Goods RFP Proposal: P256 precompile support in the EVM

I wouldn’t say its necessary, it just opens the door for developers to create novel applications that would be prohibitively expensive using the EVM.

Absolutely. My point was that previously we believed that only Arbitrum Orbit could offer the secp256r1 elliptic curve but as a result of this standardisation work any chain that implements this precompile could. RIPs are optional so it is not necessarily the case that all L2s will implement the precompile.

This is something we would like to do. Once we have some clarity on direction we will make a forum post

Sure. Arbitrum have this super cool repo that links to some examples. Some that stand out are below:

• GitHub - jake-nyquist/stylus-p256-example: examples of a c p.256 signature verification implemented in arbitrum stylus. This is secp256r1
• GitHub - LimeChain/stylus-benchmark: Repostory for benchmarking Stylus vs EVM contracts outlines some benchmarks for ED25519 verify.
• GitHub - rauljordan/stylus-blst verification of Ethereum BLS signatures onchain
• GitHub - supernovahs/zk-sunade: Groth16 verifier on Arbitrum Stylus

It’s related to k1 vs r1 topics that we were following… r1 is more compatible with web2 services using new passkeys in browsers… *coz Chrome rejected k1 in webcrypto api.

Screenshot2132×840 173 KB

Bug 29005 - Add support for secp256k1 curve · Issue #82 · w3c/webcrypto · GitHub

I think the word “advanced” may have been used wrongly here which led to Marcus getting confused. Both ed25519 and secp256r1 curves are basic cryptography and not much different than secp256k1 at all; only difference is in the sampling of prime generator point(s) and consequently in available divisor subgroups (for BLS and ZKP). In terms of implementation, security or complexity, all are equivalent. Like @0xc0de4c0ffee mentioned, only real issue is compatibility. Web2 systems like using r1 whereas Satoshi led crypto on the path of k1 (for reasons that I do not agree with mathematically; r1 is negligibly more pre-quantum secure than k1 in my opinion). Other minor difference is that the r1 verifier doesn’t spit out public key for comparison but instead only relies on checking the validity of a given public key (I guess to avoid pubkey fingerprint rainbow-ing).

tl;dr It is not advanced cryptography, only a matter of web2 vs web3 standardisation; r1 and k1 are principally the same.

Hey, I know a bit about cryptography myself! I actually drafted an ELI5 on @ulerdogan’s EIP, which led me down the rabbit hole of elliptic curve cryptography. Thanks, for elaborating on this though, it was very helpful!