ERC-8111 - Bound Signatures

Abstract

Recoverable ECDSA signatures can flip s and v while remaining valid, so they can be compressed to 64 bytes by restricting v.

Motivation

ECDSA signatures are often encoded with three parameters: v, r, and s. In the Solidity ABI encoding, this is 96 bytes. By eliminating the degree of freedom, v, the encoded size of a recoverable signature can be reduced to 64 bytes. Additionally, such signatures are not malleable.

Specification

Smart contracts accepting bound signatures MUST supply 27 for v.

address signer = ecrecover(digest, 27, r, s);
require(signer != address(0));

ECDSA signatures MUST be bound before supplied to such contracts.

const SECP256K1_N: bigint = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n

function bind(sig: Signature, v: 27 | 28 = 27): Signature {
    if (sig.v === v) {
        return sig
    }
    const s = SECP256K1_N - sig.s
    return new Signature(sig.r, s, v)
}

Rationale

Another signature compression approach, ERC-2098, stores the y-parity bit in the most-significant bit of the low s. Bound signatures are preferable because they are valid inputs to the ecrecover precompile. They require less gas because they do not need to be unpacked by the smart contract.

27 was chosen over 28 to make the y-parity falsy.

Backwards Compatibility

Bound signatures are compatible with ecrecover if 27 is supplied for the v parameter. They cannot be used for transaction signatures because they permit high s, in violation of EIP-2.

Test Cases

Reference Implementation

pragma solidity ^0.8.30;

library BoundSignatures {
    function recover(bytes32 digest, bytes32 r, bytes32 s) internal pure returns (address signer) {
        signer = ecrecover(digest, 27, r, s);
        require(signer != address(0));
    }
}

Security Considerations

Bound signatures are recoverable and not malleable.

Copyright

Copyright and related rights waived via CC0.