Revisiting secp256r1 signatures (i.e. P256, mobile HSM support)

The discussion around adding secp256r1 support, also known as P256, to Bitcoin has not been prominent for over a decade, with significant conversations occurring in 2011 and 2013 on BitcoinTalk. Despite this, the technology has seen widespread adoption across the internet and mobile devices, highlighting an opportunity for millions of users to engage in self-custodying bitcoin through secure enclaves found in devices like those supported by Apple iCloud Keychain and Android Keystore. However, these devices are currently incompatible with Bitcoin's secp256k1 curve, pointing to a missed opportunity for enhancing user experience and security.

Historical concerns within the Bitcoin community regarding the integration of P256 have centered on the potential for a backdoor by NIST, though this issue seems to have been set aside in more recent considerations. The argument for adopting P256 in 2025 leans on its ability to improve the onboarding process for new users, enhance the security and accessibility of hot wallets, and potentially lower the costs associated with collaborative multi-signatures, all while allowing the continued use of secp256k1 for cold storage solutions.

From a technical standpoint, the introduction of Tapscript has simplified the potential inclusion of P256 by supporting new public key types. This could allow for a distinction between keys requiring P256 ECDSA signatures and those needing Schnorr signatures with secp256k1. Despite P256 being slower to validate than secp256k1, adjustments to validation weight costs could mitigate this drawback, as outlined in BIP341.

The broader implications of P256 support extend to enabling applications to utilize platform APIs for accessing secure hardware security modules (HSM) on mobile devices, although P256 alone does not address all needs for non-custodial WebAuthn/passkey-based wallets. Additional requirements would include CSFS and CAT for verifying WebAuthn signatures, or alternatively, the creation of a dedicated WebAuthn opcode. Thus, the potential for P256 to facilitate secure signature verification emerges as a critical consideration in the evolving landscape of Bitcoin security and accessibility.

Given the extensive hardware adoption and utilization in the industry, there is a compelling case for revisiting the conversation on incorporating P256 support into Bitcoin, acknowledging its potential to significantly enhance user experience and security protocols within the ecosystem.