{"id":20600983,"url":"https://github.com/get-smooth/secp256r1-verify","last_synced_at":"2026-04-17T08:03:38.030Z","repository":{"id":239113869,"uuid":"650608942","full_name":"get-smooth/secp256r1-verify","owner":"get-smooth","description":"A solidity library to verify a secp256r1 signature in several ways","archived":false,"fork":false,"pushed_at":"2024-05-08T11:39:03.000Z","size":1536,"stargazers_count":1,"open_issues_count":4,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-18T21:51:17.635Z","etag":null,"topics":["4337-mafia","account","account-abstraction","blockchain","ecdsa","ecdsa-cryptography","eip-4337","ethereum","evm","forge","foundry","p256r1","secp256r1","smart-account","smart-contracts","solidity","web-authentication","webauthn","weierstrass","weierstrass-curves"],"latest_commit_sha":null,"homepage":"https://get-smooth.github.io/secp256r1-verify/","language":"Solidity","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/get-smooth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-07T12:32:19.000Z","updated_at":"2024-10-22T23:07:40.000Z","dependencies_parsed_at":"2024-05-10T04:50:20.607Z","dependency_job_id":"7183d184-e792-4bc7-9b89-e4ceace36cc8","html_url":"https://github.com/get-smooth/secp256r1-verify","commit_stats":null,"previous_names":["get-smooth/secp256r1-verify"],"tags_count":14,"template":false,"template_full_name":"PaulRBerg/foundry-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/get-smooth%2Fsecp256r1-verify","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/get-smooth%2Fsecp256r1-verify/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/get-smooth%2Fsecp256r1-verify/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/get-smooth%2Fsecp256r1-verify/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/get-smooth","download_url":"https://codeload.github.com/get-smooth/secp256r1-verify/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242241246,"owners_count":20095339,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["4337-mafia","account","account-abstraction","blockchain","ecdsa","ecdsa-cryptography","eip-4337","ethereum","evm","forge","foundry","p256r1","secp256r1","smart-account","smart-contracts","solidity","web-authentication","webauthn","weierstrass","weierstrass-curves"],"created_at":"2024-11-16T09:07:54.869Z","updated_at":"2026-04-17T08:03:37.971Z","avatar_url":"https://github.com/get-smooth.png","language":"Solidity","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003e ❌ This repository is deprecated. Please refer to the [crypto-lib](https://github.com/get-smooth/CryptoLib) repository\n\u003e to find the latest implementation of the secp256r1 curve.\n\n# secp256r1 verify\n\n[![Open in Github][github-editor-badge]][github-editor-url] [![Github Actions][gha-quality-badge]][gha-quality-url]\n[![Github Actions][gha-test-badge]][gha-test-url]\n[![Github Actions][gha-static-analysis-badge]][gha-static-analysis-url]\n[![Github Actions][gha-release-badge]][gha-release-url] [![Foundry][foundry-badge]][foundry]\n[![License: MIT][license-badge]][license] ![Is it audited?][audit]\n\n[github-editor-url]: https://github.dev/get-smooth/secp256r1-verify/tree/main\n[github-editor-badge]: https://img.shields.io/badge/Github-Open%20the%20Editor-purple?logo=github\n[gha-quality-url]: https://github.com/get-smooth/secp256r1-verify/actions/workflows/quality-checks.yml\n[gha-quality-badge]:\n  https://github.com/get-smooth/secp256r1-verify/actions/workflows/quality-checks.yml/badge.svg?branch=main\n[gha-test-url]: https://github.com/get-smooth/secp256r1-verify/actions/workflows/tests.yml\n[gha-test-badge]: https://github.com/get-smooth/secp256r1-verify/actions/workflows/tests.yml/badge.svg?branch=main\n[gha-static-analysis-url]: https://github.com/get-smooth/secp256r1-verify/actions/workflows/static-analysis.yml\n[gha-static-analysis-badge]:\n  https://github.com/get-smooth/template-foundry/actions/workflows/static-analysis.yml/badge.svg?branch=main\n[gha-release-url]: https://github.com/get-smooth/secp256r1-verify/actions/workflows/release-package.yml\n[gha-release-badge]: https://github.com/get-smooth/secp256r1-verify/actions/workflows/release-package.yml/badge.svg\n[foundry]: https://book.getfoundry.sh/\n[foundry-badge]: https://img.shields.io/badge/Built%20with-Foundry-FFDB1C.svg\n[license]: ./LICENSE.md\n[license-badge]: https://img.shields.io/badge/License-MIT-blue.svg\n[audit]: https://img.shields.io/badge/Audited-No-red.svg\n\n## Description\n\n`secp256r1-verify` is a specialized Solidity library that enables on-chain ECDSA signature verification on the secp256r1\ncurve with notable efficiency. This repository is a simple implementation for signature verification. It sets a vital\nfoundation for the widespread application of FIDO2's Webauthn, serving as an authentication protocol for smart accounts.\nIf you are looking for an alternative implementation, such as the ones based on the `*codedopy` opcodes, check out\nRenaud Dubois' [FreshCryptoLib](https://github.com/rdubois-crypto/FreshCryptoLib) repository.\n\n## Installation\n\n### Foundry\n\nTo install the `secp256r1-verify` package in a Foundry project, execute the following command:\n\n```sh\nforge install https://github.com/get-smooth/secp256r1-verify\n```\n\nThis command will install the latest version of the package in your lib directory. To install a specific version of the\nlibrary, follow the instructions in the\n[official Foundry documentation](https://book.getfoundry.sh/reference/forge/forge-install?highlight=forge%20install#forge-install).\n\n### Hardhat or Truffle\n\nTo install the `secp256r1-verify` package in a Hardhat or Truffle project, use `npm` to run the following command:\n\n```sh\nnpm install @smoo.th/secp256r1-verify\n```\n\nAfter the installation, import the package into your project and use it.\n\n## Usage\n\nThis repository provides a unique verification implementation. After you've integrated this library into your project,\nyou can freely import the `ECDSA256r1` and use it.\n\n\u003e 🚨 The implementations have not been audited. DO NOT USE IT IN PRODUCTION.\n\n### 1️⃣ The traditional implementation\n\nThe traditional approach is the implementation present in this repository. You can take a look to it here:\n[ECDSA256r1 file](./src/ECDSA256r1.sol). This implementation is ready to use right out of the box; simply deploy the\nlibrary and interact with it by calling its singular exposed function, `verify`, which accepts three parameters:\n\n- `bytes32 messageHash`: The hash of the message to verify\n- `uint256[2] calldata rs`: The r and s values of the ECDSA signature\n- `uint256[2] calldata point`: The public key point of the signer\n\nThis approach computes `uG + vQ` using the Strauss-Shamir's trick on the secp256r1 elliptic curve **on-chain**, where G\nis the base point and Q is the public key.\n\n### Scripts\n\nThis repository includes a [script](./script) directory containing a set of scripts that can be used to deploy the\ndifferent implementations on-chain. Each script contains a set of instructions and an example of how to use it. The\nscripts are expected to be run using the `forge script` command.\n\n## Gas reports\n\nThese gas reports were produced using the `0.8.19` version of the Solidity compiler (with 100k optimizer runs),\nspecifically for the [`0.4.1`](https://github.com/get-smooth/secp256r1-verify/releases/tag/v0.4.1) version of the\nlibrary. The library version corresponds to commit\n[4d0716f](https://github.com/get-smooth/secp256r1-verify/commit/4d0716fc6fd14a92488442e1dd0c18bb2c24ff41).\n\n\u003e ℹ️ If you import the library into your project, we strongly recommend you to enable the optimizer with 100k in order\n\u003e to have the best gas consumption.\n\n### The traditional implementation [🔗](#1️⃣-the-traditional-implementation)\n\n| Deployment Cost | Deployment Size |        |        |        |\n| --------------- | --------------- | ------ | ------ | ------ |\n| 1002641         | 5040            |        |        |        |\n| Function Name   | min             | avg    | median | max    |\n| verify          | 192620          | 202959 | 202905 | 210079 |\n\n## Contributing\n\nTo contribute to the project, you must have Foundry and Node.js installed on your system. You can download them from\ntheir official websites:\n\n- Node.js: https://nodejs.org/\n- Foundry: https://book.getfoundry.sh/getting-started/installation\n\n\u003e ℹ️ We recommend using [nvm](https://github.com/nvm-sh/nvm) to manage your Node.js versions. Nvm is a flexible node\n\u003e version manager that allows you to switch between different versions of Node.js effortlessly. This repository includes\n\u003e a `.nvmrc` file at the root of the project. If you have nvm installed, you can run `nvm use` at the root of the\n\u003e project to automatically switch to the appropriate version of Node.js.\n\nFollowing the installation of Foundry and Node.js, there's an additional dependency called `make` that needs to be\naddressed.\n\n`make` is a build automation tool that employs a file known as a makefile to automate the construction of executable\nprograms and libraries. The makefile details the process of deriving the target program from the source files and other\ndependencies. This allows developers to automate repetitive tasks and manage complex build processes efficiently. `make`\nis our primary tool in a multi-environment repository. It enables us to centralize all commands into a single file\n([the makefile](./makefile)), eliminating the need to deal with `npm` scripts defined in a package.json or remembering\nthe various commands provided by the `foundry` cli. If you're unfamiliar with `make`, you can read more about it\n[here](https://www.gnu.org/software/make/manual/make.html).\n\n`make` is automatically included in all modern Linux distributions. If you're using Linux, you should be able to use\n`make` without any additional steps. If not, you can likely find it in the package tool you usually use. MacOS users can\ninstall `make` using [Homebrew](https://formulae.brew.sh/formula/make) with the following command:\n\n```sh\nbrew install make\n```\n\nAt this point, you should have all the required dependencies installed on your system.\n\n\u003e 💡 Running make at the root of the project will display a list of all the available commands. This can be useful to\n\u003e know what you can do\n\n### Installing the dependencies\n\nTo install the project dependencies, you can run the following command:\n\n```sh\nmake install\n```\n\nThis command will install the forge dependencies in the `lib/` directory, the npm dependencies in the `node_modules`\ndirectory and the git hooks defined in the project ([refer to the Git hooks section](#git-hooks)s to learn more about\nthem). These dependencies aren't shipped in production; they're utility dependencies used to build, test, lint, format,\nand more, for the project.\n\n\u003e ⚠️ This package uses a dependency installed on the Github package registry, meaning you need to authenticate with\n\u003e GitHub Packages to install it. For more information, refer to the [troubleshooting section](#setup-github-registry).\n\u003e We're open to deploying it on the npm registry if there's a demand for it. Please open an issue if you'd like to see\n\u003e this package on the npm registry.\n\nNext, let's set up the git hooks.\n\n### Git hooks\n\nThis project uses `Lefthook` to manage Git hooks, which are scripts that run automatically when certain Git events\noccur, such as committing code or pushing changes to a remote repository. `Lefthook` simplifies the management and\nexecution of these scripts.\n\nAfter installing the dependencies, you can configure the Git hooks by running the following command in the project\ndirectory:\n\n```sh\nmake hooks-i\n```\n\nThis command installs a Git hook that runs Lefthook before pushing code to a remote repository. If Lefthook fails, the\npush is aborted.\n\nIf you wish to run Lefthook manually, you can use the following command:\n\n```sh\nmake hooks\n```\n\nThis will run all the Git hooks defined in the [lefthook](./lefthook.yml) file.\n\n#### Skipping git hooks\n\nShould you need to intentionally skip Lefthook, you can pass the `--no-verify` flag to the git push command. To bypass\nLefthook when pushing code, use the following command:\n\n```sh\ngit push origin --no-verify\n```\n\n## Testing\n\n### Unit tests\n\nThe unit tests are stored in the `test` directory. They test individual functions of the package in isolation. These\ntests are automatically run by GitHub Actions with every push to the `main` branch and on every pull request targeting\nthis branch. They are also automatically run by the git hook on every push to a remote repository if you have installed\nit ([refer to the Git hooks section](#git-hooks)). Alternatively, you can run them locally by executing the following\ncommand in the project directory:\n\n```sh\nmake test\n```\n\n\u003e ℹ️ By adding the sufix `-v` the test command will run in verbose mode, displaying valuable output for debugging.\n\nFor your information, these tests are written using [forge](https://book.getfoundry.sh/forge/tests), and some employ the\nproperty-based testing pattern _(fuzzing)_ to generate random inputs for the functions under test.\n\nAdditionally, some test fixtures have been generated using [Google's wycheproof](https://github.com/google/wycheproof)\nproject, which tests crypto libraries against known attacks. These fixtures are located in the\n[fixtures](./test/fixtures) directory.\n\nThe tests use two different `cheatcodes` you should be aware of:\n\n- `vm.readFile`: This cheatcode lets us read the fixtures data from the test/fixtures directory. This means that every\n  time you run the test suite, the fixtures are read from the disk, eliminating the need to copy/paste the fixtures into\n  the test files. However, if you modify a fixture, you need to rerun the tests to see the changes. More information is\n  available [here](https://book.getfoundry.sh/cheatcodes/fs?highlight=readFile).\n- `vm.ffi`: This cheatcode allows us to execute an arbitrary command during the test suite. This cheatcode is not\n  enabled by default when creating a new foundry project, but in our case, it's enabled in our configuration\n  ([foundry configuration](./foundry.toml)) for all tests. This cheatcode is used to run the computation library that\n  calculates 256 points on the secp256r1 elliptic curve from a public key. This is required for the variants that need\n  these points to be deployed on-chain. Therefore, even if it's not explicit, every time you run the test suite, a\n  Node.js script is executed multiple times. You can learn more about the library we use\n  [here](https://github.com/get-smooth/secp256r1-computation).\n\n\u003e 📖 Cheatcodes are special instructions exposed by Foundry to enhance the developer experience. Learn more about them\n\u003e [here](https://book.getfoundry.sh/cheatcodes/).\n\n\u003e 💡 Run `make` to learn how to run the test in verbose mode, or to display the coverage or the gas consumption.\n\n### Quality\n\nThis repository uses `forge-fmt`, `solhint` and `prettier` to enforce code quality. These tools are automatically run by\nthe GitHub Actions on every push to the `main` branch and on every pull request targeting this branch. They are also\nautomatically run by the git hook on every push to a remote repository if you have installed it\n([refer to the Git hooks section](#git-hooks)). Alternatively, you can run them locally by executing the following\ncommand in the project directory:\n\n```sh\nmake lint # run the linter\nmake format # run the formatter\nmake quality # run both\n```\n\n\u003e ℹ️ By adding the sufix `-fix` the linter and the formatter will try to fix the issues automatically.\n\n## Acknowledgements\n\nSpecial thanks to [rdubois-crypto](https://github.com/rdubois-crypto) for developing the reference implementation\n[here](https://github.com/rdubois-crypto/FreshCryptoLib) and for the invaluable cryptographic guidance. The\nimplementation, and more precisely, all the ingenious mathematical tricks you can discover in this repository, are from\nhis mind. My role here was to clean up his work to improve the chances of accepting contributions. All credit goes to\nhim.\n\nIf you want to learn more about the math behind this project, check out\n[this publication](https://eprint.iacr.org/2023/939.pdf) written by\n[rdubois-crypto](https://twitter.com/RenaudDUBOIS10).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fget-smooth%2Fsecp256r1-verify","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fget-smooth%2Fsecp256r1-verify","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fget-smooth%2Fsecp256r1-verify/lists"}