Posted by Josh Doman
Aug 8, 2025/20:48 UTC
In a recent exchange between two programmers on the Bitcoin Development Mailing List, a comprehensive discussion took place regarding the potential for integrating P256 support into Bitcoin to enhance compatibility with modern internet and mobile devices. The conversation began with an acknowledgment of the current limitations within Bitcoin's architecture, particularly its incompatibility with the P256 curve, which is widely adopted across secure enclaves in mobile devices. This incompatibility restricts millions of users who could potentially use their devices for self-custodying bitcoin.
The dialogue further explored the historical context of the Bitcoin community's reluctance to adopt P256, primarily due to concerns over a possible NIST backdoor. Despite these concerns, the suggestion was made that by 2025, offering the option to use P256 could significantly improve the onboarding experience for new users, enhance the security of hot wallets, and reduce the costs associated with collaborative multisigs. It was argued that while the community continues to prefer secp256k1 for cold storage due to its ideal properties, Tapscript's built-in support for new public key types makes the technical adoption of P256 straightforward.
However, the conversation also touched upon challenges, including the slower validation times associated with P256 compared to secp256k1 and how this might be addressed by adjusting the validation weight cost for P256 signatures. Beyond the technical aspects, the discussion delved into broader considerations about the future of Bitcoin in the face of emerging quantum-resistant signature schemes and the importance of waiting to see which standard becomes dominant.
The potential integration of WebAuthn standards was critically analyzed, with emphasis on the need for research into making WebAuthn's signing flow compatible with the post-quantum signature verification opcodes being developed for bitcoin. Concerns were raised about WebAuthn's suitability for long-term cryptographic identities or ownership in distributed systems, given its design for web-based authentication to centralized services and the lack of a deterministic backup seed for user recovery.
Links to further reading on the topic were shared, including an IETF draft on post-quantum signature formats for WebAuthn and discussions from over ten years ago on adding secp256r1 support to Bitcoin, available on gnusha.org and BitcoinTalk (BitcoinTalk 2011, BitcoinTalk 2013). These resources underscore the depth and ongoing nature of the debate within the Bitcoin development community regarding the evolution of its cryptographic standards to align with advancements in hardware and security standards.