secp256r1 (P-256) P256VERIFY precompile for FEVM (EIP-7951 / RIP-7212)

[snissn]

Hi all — we’d like to propose a FIP adding a secp256r1 (P-256) ECDSA verification precompile to the FEVM at 0x0000000000000000000000000000000000000100 (0x0100), implementing the Ethereum EIP-7951 semantics while remaining interface-compatible with RIP-7212.

For Filecoin’s purposes, EIP-7951 and RIP-7212 should be understood as addressing the same user-facing feature: a P256VERIFY precompile at 0x0100. At the EVM interface level they are equivalent: same address, same 160-byte input format, and same return values/failure behavior. The key difference is that EIP-7951 includes two security fixes: a point-at-infinity check and a modular comparison to handle cases where the x-coordinate of R’ exceeds the curve order n. Ethereum also specifies different fixed EVM gas costs across RIP-7212 and EIP-7951, but those do not apply directly to the FEVM (which uses Filecoin gas accounting per FIP-0054).

Given these security fixes, we will maintain compliance with the EIP-7951 specification. From a product and developer-experience perspective, this FIP fulfills the intent of both RIP-7212 and EIP-7951: despite minor differences in specification details and naming, they aim to enable the same capability—efficient on-chain verification of secp256r1 (P-256) signatures via 0x0100.

Notably, Ethereum L1 has now activated support for this precompile as part of the Fusaka network upgrade (mainnet activation: December 3, 2025). See the Ethereum Foundation announcement: https://blog.ethereum.org/2025/11/06/fusaka-mainnet-announcement

Draft FIP: FIPS/fip-draft_secp256r1-precompile.md

Summary

This FIP adds a P256VERIFY precompile to enable efficient verification of secp256r1 signatures in FEVM smart contracts. This unlocks practical integrations with:

• WebAuthn / FIDO2 / passkeys
• device secure enclaves / HSM-backed keys
• account abstraction patterns and authentication flows that rely on P-256

Why this matters for WebAuthn (passkeys)

WebAuthn is a widely deployed web standard for passwordless authentication (passkeys) supported by all major platforms and browsers. WebAuthn authenticators commonly produce signatures on secp256r1, often with keys held in secure hardware (e.g., platform authenticators).

Bringing P256VERIFY to FEVM enables new UX patterns that are hard or impractical without a precompile, such as:

• “Sign in with passkey” flows where a user’s WebAuthn credential authorizes on-chain actions directly.
• Smart accounts / AA-style wallets where the signing key lives in WebAuthn-compatible secure hardware (or is protected by biometrics).
• Better key management and recovery patterns by leveraging familiar, standardized authentication infrastructure.

Specification (high level)

• Address: 0x0100 (reserved precompile address; not deployable via EAM)
• Input: msg_hash(32) || r(32) || s(32) || pubkey_x(32) || pubkey_y(32) (160 bytes total; big-endian)
• Output: 0x…01 (32 bytes) on success; empty bytes on failure
• Failure semantics: MUST NOT revert; invalid inputs must return empty bytes
• Validation: Must follow EIP-7951 rules (bounds checks, on-curve check, not-infinity checks, deterministic behavior)

Rationale / Why now

Without a precompile, P-256 verification in Solidity is expensive and complex, limiting adoption of passkeys and hardware-backed authentication on FEVM. With EIP-7951 now activated on Ethereum mainnet (Fusaka), the 0x0100 interface is becoming a de-facto standard across the EVM ecosystem; supporting it in FEVM improves portability and developer experience.

Implementation status / references

• Reference implementation (ready for review): EIP-7951 (RIP-7212-compatible): secp256r1 P256VERIFY precompile builtin-actors#1708
• The change is based on EIP-7951 (security fixes vs RIP-7212):
  • https://eips.ethereum.org/EIPS/eip-7951
  • https://github.com/ethereum/RIPs/blob/master/RIPS/rip-7212.md

Thanks in advance for reviews and feedback.

— Aarav Mehta (@aaravm), Michael Seiler (@snissn) from the Fil-B / Germina Labs team