EIP-8030: P256 transaction support

Adds an EIP-7932 algorithm type for P256 support of type `0x0`

Metadata
Status: DraftStandards Track: CoreCreated: 2025-09-20
Authors
James Kempton (@SirSpudlington)
Requires
EIP-7932
Links
GitHub pageDiscussion on Ethereum Magicians

Abstract

This EIP adds a new EIP-7932 algorithm of type 0x0 for supporting P256 signatures.

Motivation

P256 (a.k.a secp256r1) is a widely-used NIST standardized algorithm that already has a presence within the Ethereum codebase. This makes it a great algorithm to write test cases against implementations of EIP-7932.

Specification

This EIP defines a new EIP-7932 algorithmic type with the following parameters:

ConstantValue
ALG_TYPEBytes1(0x0)
GAS_PENALTY500
MAX_SIZE128


P256Verify Function


The P256Verify function is identical to the precompile introduced by RIP-7212. However, due to EIP linking restrictions, the verification steps defined below MUST be used instead of any definitions in RIP-7212.


Elliptic Curve Information


“secp256r1” is a specific elliptic curve, also known as “P-256” and “prime256v1” curves. The curve is defined with the following equation and domain parameters:




Elliptic Curve Signature Verification Steps


The signature verifying algorithm takes the signed message hash, the signature components provided by the “secp256r1” curve algorithm, and the public key derived from the signer private key. The verification can be done with the following steps:




Required Checks in Verification


The following requirements MUST be checked by the precompiled contract to verify signature components are valid:


    

  • Verify that the r and s values are in (0, n) (exclusive) where n is the order of the subgroup.
    • 

  • Verify that the point formed by (x, y) is on the curve and that both x and y are in [0, p) (inclusive 0, exclusive p) where p is the prime field modulus. Note that many implementations use (0, 0) as the reference point at infinity, which is not on the curve and should therefore be rejected.
    • 



Rationale


Additional 500 gas penalty


Much of this proposal is drawn from RIP-7212. Some of the test cases in RIP-7212 show that P256 is slower than secp256k1 and as such, a small penalty has been added to combat the slowdown of verification.


Why P256?


P256 or secp256r1, is used globally but (more importantly) has an existing implementation in all execution clients. This allows easy implementation of a known-safe algorithm, which is perfect for a test algorithm.


Backwards Compatibility


No backward compatibility issues found.


Security Considerations


Needs discussion.



Copyright


Copyright and related rights waived via CC0.