LP-0112 | Final | evm, precompile, curve25519, edwards25519, bulletproofs

LP-112: Curve25519 Point Operations

Abstract

Provides raw Edwards25519 point arithmetic as an EVM precompile. It is lower-level than X25519 (LP-114), which exposes only Diffie-Hellman. This precompile enables direct point addition, scalar multiplication, basepoint multiplication, and multi-scalar multiplication (MSM) for advanced cryptographic protocols: ring signatures, Bulletproofs, VRFs, and Ristretto255 primitives.

Specification

Address

0x0000000000000000000000000000000000009204 -- Privacy range.

Interface

The operation selector is the first byte of the input. All points are in 32-byte compressed Edwards form.


```
0x01 PointAdd:     P1(32) + P2(32) -> P3(32)
0x02 ScalarMul:    P(32) + scalar(32) -> P*s(32)
0x03 BasepointMul: scalar(32) -> B*s(32)    (constant-time)
0x04 MSM:          n*(point(32) + scalar(32)) -> sum(32)
```
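
A reference model of the four selectors, written in Python so that precompile outputs can be cross-checked in tests; it is an added example, not the proposal's or the precompile's own code, and it is variable-time. Assumptions not stated on the page: scalars are read little-endian and reduced modulo the group order (the scalar rule under Security Considerations is not modelled), MSM pairs are concatenated with no count prefix, and malformed or non-canonical input raises an error.

```python
P = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # prime-order subgroup size
D = -121665 * pow(121666, -1, P) % P                 # Edwards25519 constant d
B_ENC = b"\x58" + b"\x66" * 31                       # compressed basepoint B

def decode(b):  # decompress 32 bytes; reject non-canonical y and off-curve input
    n = int.from_bytes(b, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)
    if len(b) != 32 or y >= P:
        raise ValueError("bad point encoding")
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P) % P
    if (v * x * x - u) % P:
        x = x * pow(2, (P - 1) // 4, P) % P          # multiply by sqrt(-1)
    if (v * x * x - u) % P or (x == 0 and sign):
        raise ValueError("not a curve point")
    return (P - x if x & 1 != sign else x), y

def encode(pt):  # y with the low bit of x stored in bit 255
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def scalar(b):
    return int.from_bytes(b, "little") % L   # assumption: little-endian, mod L

def add(p, q):  # complete affine addition law for -x^2 + y^2 = 1 + d*x^2*y^2
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(p, s, acc=(0, 1)):  # variable-time double-and-add, starting at identity
    while s:
        acc, p, s = (add(acc, p) if s & 1 else acc), add(p, p), s >> 1
    return acc

def precompile(data):
    op, body = data[:1], data[1:]
    if op == b"\x01" and len(body) == 64:    # PointAdd
        return encode(add(decode(body[:32]), decode(body[32:])))
    if op == b"\x02" and len(body) == 64:    # ScalarMul
        return encode(mul(decode(body[:32]), scalar(body[32:])))
    if op == b"\x03" and len(body) == 32:    # BasepointMul
        return encode(mul(decode(B_ENC), scalar(body)))
    if op == b"\x04" and body and len(body) % 64 == 0:   # MSM
        acc = (0, 1)
        for i in range(0, len(body), 64):
            acc = add(acc, mul(decode(body[i:i + 32]), scalar(body[i + 32:i + 64])))
        return encode(acc)
    raise ValueError("bad selector or input length")
```

Requires Python 3.8 or later for modular inverses via `pow(x, -1, P)`.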

Gas Schedule

| Operation | Gas |
|-----------|-----|
| PointAdd | 1,500 |
| ScalarMul | 5,000 |
| BasepointMul | 5,000 |
| MSM (base) | 5,000 |
| MSM (per additional pair) | 4,000 |

Security Considerations

1. Uses filippo.io/edwards25519 for constant-time arithmetic.

2. Scalars are canonicalized; non-canonical inputs are clamped per RFC 7748.

3. Provides ~128-bit security (Curve25519 group order ~2^252). Not post-quantum.

4. MSM uses variable-time Straus/Pippenger internally -- safe because inputs are public on-chain.

Copyright

Copyright (C) 2024-2026, Lux Partners Limited. All rights reserved.

Licensed under the MIT License.