Abstract

This EIP adds a new EIP-7932 algorithm of type 0x0 for supporting Ed25519 signatures.

Motivation

Ed25519 is one of the most widely used forms of Elliptic Curve Cryptography and is one of the defaults for SSH keys, this makes it a good contender to be able to sign transactions with. It also provides an algorithm to write test cases against during the implementation phase of EIP-7932.

Specification

This EIP defines a new EIP-7932 algorithmic type with the following parameters:

Constant	Value
ALG_TYPE	Bytes1(0x0)
GAS_PENALTY	1000
MAX_SIZE	96

def verify(signature_info: bytes, payload_hash: Hash32) -> ExecutionAddress:
  assert(len(signature_info) == 96)

  signature = signature_info[:64]
  public_key = signature_info[64:]
  
  # This is the `Verify` function described in [RFC 8032 Section 5.1.7](https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7),
  # This MUST be processed as raw `Ed25519` and not `Ed25519ctx` or `Ed25519ph`
  assert(ed25519_verify(signature, public_key, payload_hash))

  return keccak256(public_key)[-20:]

Rationale

Additional 1000 gas penalty

The gas penalty discourages people from attempting to migrate off current secp256k1 accounts, and also covers the additional overhead (in regards to hashing) that the ed25519 curve applies.

Why Ed25519?

Ed25519 has significant tooling backing it, this makes it a good candidate for using as a "dummy" algorithm. This allows it to be an algorithm for client teams to easily test EIP-7932.

It may also be useful for signing in Hardware security modules in server environments designed for serving as ERC-4337 bundlers. It may also improve interoperability with other components such as TPM chips.

Appending the public key to the signature

Currently, without changing the algorithm itself, it is impossible to efficiently recover the public key from a signature and message.

Backwards Compatibility

No backward compatibility issues found.

Security Considerations

Needs discussion.

Copyright

Copyright and related rights waived via CC0.