Revisiting secp256r1 signatures (i.e. P256, mobile HSM support)

Jul 22 - Aug 8, 2025

The discourse begins by examining the intricate process and considerable time required to integrate a new signature algorithm, such as P256, into Bitcoin's protocol.

This endeavor necessitates widespread community agreement, the creation of a high-quality implementation comparable to the existing libsecp256k1, and the successful execution of a soft fork. These steps are set against the backdrop of ongoing developments in cryptographic technology, including initiatives like BIP360 and discussions on post-quantum cryptography, suggesting a potential shift in focus toward these emerging technologies before P256 could be fully implemented. Moreover, the emergence of quantum computing could potentially undermine the relevance of such efforts if quantum capabilities develop more rapidly than anticipated.

Attention then shifts to the WebAuthn standard and its suitability for future-proofing Bitcoin against advancements in cryptography, especially in the realm of hardware security modules (HSMs) and post-quantum cryptographic standards. The dialogue suggests that aligning WebAuthn's signature mechanisms with Bitcoin's evolving cryptographic requirements might offer a viable path towards enhancing long-term security and functional compatibility. However, concerns are raised about WebAuthn's ability to meet the specific needs of Bitcoin, particularly regarding user autonomy, the provision of deterministic backup solutions, and the management of multiple addresses, highlighting the challenges of adapting a system designed for centralized web authentication to a decentralized and user-centric platform like Bitcoin.

The conversation also revisits the topic of incorporating support for secp256r1 (P256) within Bitcoin, a subject that has not seen significant discussion since 2011 and 2013. Despite the lack of recent discourse, the widespread adoption of P256 across the internet and within mobile device architectures presents a compelling case for reconsideration. Such integration could unlock new possibilities for millions of users to self-custody Bitcoin through secure enclave technologies available on contemporary mobile platforms, which currently do not support Bitcoin's secp256k1 curve. Historical apprehensions regarding the potential for a NIST backdoor in P256 have been overshadowed by the potential benefits of adoption, including improved user onboarding, enhanced wallet security and accessibility, and reduced costs for collaborative multi-signature operations. Additionally, the advent of Tapscript introduces technical pathways for accommodating P256, distinguishing between keys requiring P256 ECDSA signatures and those utilizing Schnorr signatures over secp256k1. Although validation speed for P256 is slower, proposed adjustments to validation weight costs could address this concern, underscoring the feasibility of integrating P256 support into Bitcoin. This reevaluation of P256's role in Bitcoin not only contemplates its direct benefits for user experience and security but also situates these advantages within the broader context of Bitcoin's technological evolution and the industry-wide transition towards more secure cryptographic standards.
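As an added illustration (not code from the thread or any Bitcoin implementation), the textbook P256 ECDSA verification that a Tapscript opcode would have to perform, alongside an on-curve check showing why a secure-enclave key on P256 cannot be used as a secp256k1 key. The curve constants are the standard published parameters; the arithmetic is plain affine and not constant-time, and the nonce is supplied by the caller rather than derived per RFC 6979, so this is for study, not for signing real funds.

```python
import hashlib
# Standard domain parameters for both curves: y^2 = x^3 + a*x + b over GF(p), generator G of order n.
P256 = dict(
    p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    a=0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
    G=(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
       0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5))
SECP256K1 = dict(
    p=0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f,
    a=0, b=7,
    n=0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141,
    G=(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
       0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))
def on_curve(c, P):  # True iff the affine point P satisfies the curve equation of c
    x, y = P
    return (y * y - (x * x * x + c["a"] * x + c["b"])) % c["p"] == 0
def add(c, P, Q):  # affine point addition; None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    p = c["p"]
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None  # P + (-P)
    if P == Q: lam = (3 * P[0] * P[0] + c["a"]) * pow(2 * P[1], -1, p) % p
    else: lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)
def mul(c, k, P):  # double-and-add scalar multiplication (not constant-time)
    R = None
    while k:
        if k & 1: R = add(c, R, P)
        P, k = add(c, P, P), k >> 1
    return R
def hash_to_int(c, msg):  # SHA-256 of the message reduced into the scalar field
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % c["n"]
def ecdsa_sign(c, d, msg, k):  # k: per-signature secret nonce supplied by caller (RFC 6979 in practice)
    n = c["n"]
    r = mul(c, k, c["G"])[0] % n
    s = pow(k, -1, n) * (hash_to_int(c, msg) + r * d) % n
    return r, s
def ecdsa_verify(c, Q, msg, sig):  # Q: public point; returns True iff sig is valid for msg under curve c
    r, s = sig; n = c["n"]
    if not (0 < r < n and 0 < s < n and on_curve(c, Q)):
        return False  # a key from the other curve is rejected here, before any arithmetic
    w = pow(s, -1, n)
    R = add(c, mul(c, hash_to_int(c, msg) * w % n, c["G"]), mul(c, r * w % n, Q))
    return R is not None and R[0] % n == r
```

The same public point verifies under P256 and is rejected outright under secp256k1, which is why the thread discusses a distinct key type for P256 rather than reusing the existing secp256k1 path.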
