Revisiting secp256r1 signatures (i.e. P256, mobile HSM support)

This endeavor is anticipated to span multiple years, during which the focus within the Bitcoin community may shift towards newer technologies such as BIP360 and post-quantum cryptographic solutions. The rapid advancements in these areas suggest that by the time P256 could be implemented, it might become obsolete, especially with the potential advent of quantum computing.

There is an ongoing discussion about the compatibility of the WebAuthn standard with future Bitcoin cryptographic needs, particularly concerning hardware security modules (HSMs) and post-quantum security. The exploration into making WebAuthn's signature formats compatible with Bitcoin's evolving standards appears as a more productive approach for ensuring long-term security and utility. However, integrating WebAuthn with Bitcoin presents practical challenges, notably its limitations in supporting key features essential to Bitcoin, such as deterministic backup seeds, compatibility with hierarchical deterministic wallets like BIP32, and the management of multiple addresses. These issues highlight the difficulty of adapting WebAuthn—primarily designed for centralized web authentication—to decentralized systems that prioritize user autonomy and security.

The proposal to add secp256r1 support to Bitcoin has resurfaced despite not being a prominent topic of discussion for over a decade. Despite its historical concerns, including potential backdoors by NIST, the widespread adoption of secp256r1 across the internet and mobile devices underscores a significant opportunity to enhance user experience and security in self-custodying bitcoin. Devices equipped with secure enclaves, like Apple iCloud Keychain and Android Keystore, though currently incompatible with Bitcoin's secp256k1 curve, represent a missed opportunity for improving security and user onboarding. The adoption of P256 in 2025 is argued to potentially improve the onboarding process for new users, enhance hot wallet security and accessibility, and lower costs associated with collaborative multi-signatures, while still allowing the use of secp256k1 for cold storage.

Technical adjustments, such as Tapscript, have simplified the inclusion of P256 by supporting new public key types, distinguishing between keys requiring P256 ECDSA signatures and those needing Schnorr signatures with secp256k1. Despite P256's slower validation compared to secp256k1, proposed adjustments to validation weight costs in BIP341 could mitigate this issue. The broader implications of P256 support include enabling applications to utilize platform APIs for accessing secure HSM on mobile devices. However, P256 alone does not fully meet the requirements for non-custodial WebAuthn/passkey-based wallets, indicating additional needs such as CSFS and CAT for verifying WebAuthn signatures or the creation of a dedicated WebAuthn opcode. This context underscores the critical consideration of P256's potential to facilitate secure signature verification within the evolving landscape of Bitcoin security and accessibility, emphasizing the compelling case for revisiting the conversation on incorporating P256 support into Bitcoin to significantly enhance ecosystem protocols and user experiences.