EIPs/EIPS/eip-665.md

---
eip: 665
title: Add precompiled contract for Ed25519 signature verification
author: Tobias Oberstein <tobias.oberstein@crossbario.com>
status: Draft
type: Standards Track
category: Core
created: 2018-03-25
---

## Simple Summary

Support performant and cheap verification of Ed25519 cryptographic signatures in smart contracts in general by adding a precompiled contract for Ed25519 signature verification to the EVM.

## Abstract

Verification of Ed25519 cryptographic signatures is obviously possible in EVM bytecode. However, the gas cost will be very high, and computationally expensive, as such tight, wide word operations intensive code as required for Ed25519 is not a good fit for the EVM bytecode model.

The addition of a native compiled function, in a precompiled contract, to the EVM solves both cost and performance problems.

## Motivation

One motivation for Ed25519 signature verification in smart contracts is to associate existing off-chain systems, records or accounts that use Ed25519 with blockchain transactions.

Another motivation is the processing of external, Ed25519 proof-of-stake based blockchains within Ethereum smart contracts.

When a transactions contains data that comes with an Ed25519 signature, that proves that the sender of the Ethereum transaction was also in control of the private key (and the data), and this allows the contract to establish an association between the blockchain and the external system or account, and the external system establish the reverse relation.

For example, a contract might check a Ed25519 signed piece of data submitted to the Ethereum transaction like the current block number. That proves to the contract, that the sender is in possession of both the Ethereum private key and the Ed25518 private key, and hence the contract will accept an association between both. This again can be the root anchor for various powerful applications, as now a potentially crypto holding key owner has proven to be in control of some external off-chain system or account, like e.g. a DNS server, a DNS domain, a cluster node and so on.

## Specification

The proposal adds a new precompiled function with the following signature

```
ed25519verify(bytes32 m, bytes32 pk, bytes32 s1, bytes32 s2) returns (uint8)
```

The `ed25519verify` function takes as parameters:

1. `m` (bytes32): The message that was signed.
2. `pk` (bytes32): The Ed25519 public key of the signer.
3. `s1` (bytes32): The first part of the 64-byte Ed25519 signature.
4. `s2` (bytes32): The second part of the 64-byte Ed25519 signature.

The `ed25519verify` function returns zero if the signature was valid, and a non-zero value if the signature was invalid.

## Rationale

The proposed `ed25519verify` function takes the signer public key as a call parameter, as with Ed25519, I don't believe it is possible to derive the signers public key from the signature and message alone.

The proposed `ed25519verify` function uses a zero return value to indicate success, since this allows for different errors to be distinguished by return value, as all non-zero return values signal a verification failure.

## Backwards Compatibility

The proposal is belived not to introduce any backward compatibility issues.

## Test Cases

Test vectors for Ed25519 can be found in this IETF ID https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03#section-6.

More test vectors can be found in the regression tests of NaCl (see references).

## Implementation

NaCl is a high-quality implementation of Ed25519, available from the same team that created the algorithms and cryptography behind Ed25519.

The library should allow implementations of the proposed `ed25519verify` function with few lines of code in the hosting Ethereum implementation.

## References

* Definition of Ed25519: https://ed25519.cr.yp.to/ed25519-20110926.pdf
* Ed25519 - high-speed high-security signatures: https://ed25519.cr.yp.to/
* NaCl - Networking and Cryptography library: https://nacl.cr.yp.to/sign.html
* NaCl Crypto Libraries (which contains Ed25519): https://ianix.com/pub/ed25519-deployment.html
* Test vectors for Ed25519: https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03#section-6
* NaCl regression tests: https://ed25519.cr.yp.to/python/sign.py and https://ed25519.cr.yp.to/python/sign.input
* On the recoverability of public keys from signature+message (alone): https://crypto.stackexchange.com/questions/9936/what-signature-schemes-allow-recovering-the-public-key-from-a-signature

## Copyright

Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00			`---`
add proposal text 2018-03-25 18:55:44 +00:00			`eip: 665`
			`title: Add precompiled contract for Ed25519 signature verification`
			`author: Tobias Oberstein <tobias.oberstein@crossbario.com>`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00			`status: Draft`
add proposal text 2018-03-25 18:55:44 +00:00			`type: Standards Track`
			`category: Core`
			`created: 2018-03-25`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00			`---`

add proposal text 2018-03-25 18:55:44 +00:00			`## Simple Summary`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
add proposal text 2018-03-25 18:55:44 +00:00			`Support performant and cheap verification of Ed25519 cryptographic signatures in smart contracts in general by adding a precompiled contract for Ed25519 signature verification to the EVM.`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
add proposal text 2018-03-25 18:55:44 +00:00			`## Abstract`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
add proposal text 2018-03-25 18:55:44 +00:00			`Verification of Ed25519 cryptographic signatures is obviously possible in EVM bytecode. However, the gas cost will be very high, and computationally expensive, as such tight, wide word operations intensive code as required for Ed25519 is not a good fit for the EVM bytecode model.`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
add proposal text 2018-03-25 18:55:44 +00:00			`The addition of a native compiled function, in a precompiled contract, to the EVM solves both cost and performance problems.`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
			`## Motivation`
add proposal text 2018-03-25 18:55:44 +00:00
			`One motivation for Ed25519 signature verification in smart contracts is to associate existing off-chain systems, records or accounts that use Ed25519 with blockchain transactions.`

			`Another motivation is the processing of external, Ed25519 proof-of-stake based blockchains within Ethereum smart contracts.`

			`When a transactions contains data that comes with an Ed25519 signature, that proves that the sender of the Ethereum transaction was also in control of the private key (and the data), and this allows the contract to establish an association between the blockchain and the external system or account, and the external system establish the reverse relation.`

			For example, a contract might check a Ed25519 signed piece of data submitted to the Ethereum transaction like the current block number. That proves to the contract, that the sender is in possession of both the Ethereum private key and the Ed25518 private key, and hence the contract will accept an association between both. This again can be the root anchor for various powerful applications, as now a potentially crypto holding key owner has proven to be in control of some external off-chain system or account, like e.g. a DNS server, a DNS domain, a cluster node and so on.
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
			`## Specification`
add proposal text 2018-03-25 18:55:44 +00:00
			`The proposal adds a new precompiled function with the following signature`

			```
			`ed25519verify(bytes32 m, bytes32 pk, bytes32 s1, bytes32 s2) returns (uint8)`
			```

			The `ed25519verify` function takes as parameters:

			1. `m` (bytes32): The message that was signed.
			2. `pk` (bytes32): The Ed25519 public key of the signer.
			3. `s1` (bytes32): The first part of the 64-byte Ed25519 signature.
			4. `s2` (bytes32): The second part of the 64-byte Ed25519 signature.

			The `ed25519verify` function returns zero if the signature was valid, and a non-zero value if the signature was invalid.
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
			`## Rationale`
add proposal text 2018-03-25 18:55:44 +00:00
			The proposed `ed25519verify` function takes the signer public key as a call parameter, as with Ed25519, I don't believe it is possible to derive the signers public key from the signature and message alone.

			The proposed `ed25519verify` function uses a zero return value to indicate success, since this allows for different errors to be distinguished by return value, as all non-zero return values signal a verification failure.
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
			`## Backwards Compatibility`
add proposal text 2018-03-25 18:55:44 +00:00
			`The proposal is belived not to introduce any backward compatibility issues.`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
			`## Test Cases`
add proposal text 2018-03-25 18:55:44 +00:00
			`Test vectors for Ed25519 can be found in this IETF ID https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03#section-6.`

			`More test vectors can be found in the regression tests of NaCl (see references).`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
			`## Implementation`
add proposal text 2018-03-25 18:55:44 +00:00
			`NaCl is a high-quality implementation of Ed25519, available from the same team that created the algorithms and cryptography behind Ed25519.`

			The library should allow implementations of the proposed `ed25519verify` function with few lines of code in the hosting Ethereum implementation.

			`## References`

			`* Definition of Ed25519: https://ed25519.cr.yp.to/ed25519-20110926.pdf`
			`* Ed25519 - high-speed high-security signatures: https://ed25519.cr.yp.to/`
			`* NaCl - Networking and Cryptography library: https://nacl.cr.yp.to/sign.html`
			`* NaCl Crypto Libraries (which contains Ed25519): https://ianix.com/pub/ed25519-deployment.html`
			`* Test vectors for Ed25519: https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03#section-6`
			`* NaCl regression tests: https://ed25519.cr.yp.to/python/sign.py and https://ed25519.cr.yp.to/python/sign.input`
			`* On the recoverability of public keys from signature+message (alone): https://crypto.stackexchange.com/questions/9936/what-signature-schemes-allow-recovering-the-public-key-from-a-signature`
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00
			`## Copyright`
add proposal text 2018-03-25 18:55:44 +00:00
copied EIP template to EIP 665 2018-03-25 17:24:41 +00:00			`Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).`