Delivery-date: Fri, 25 Jul 2025 10:01:48 -0700 Received: from mail-qt1-f192.google.com ([209.85.160.192]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1ufLnn-00088r-Lh for bitcoindev@gnusha.org; Fri, 25 Jul 2025 10:01:48 -0700 Received: by mail-qt1-f192.google.com with SMTP id d75a77b69052e-4ab844acca0sf54012241cf.1 for ; Fri, 25 Jul 2025 10:01:47 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1753462901; cv=pass; d=google.com; s=arc-20240605; b=eDYqArUOd99KTilsQ7eRS27JLo6r6QsTMNAUbMvUzyRiZXOOfOzqhxja8Hb2l6/S+n FukPkhF7hbc3+2CVfQDJwCObGdA26bhjKrknVv9Sbw6LTezPQ16irnnvym+O7dnseSHQ WCUuYgm0hwnnCslkGbxAyMZ0if36tnS8X/U1csFX9l0CfP5Zo7fpmekOnGv/5nC0OHvW vUtXDIESz8w+OXkVGisdYVDTcnvSn4j5Zwo8dxrsnJKKCzBRf6kgPS89XKiPCqhWKikp 4ALtYRrNRRYNAEjknlGwU5NCdg6lKzglIZNcAUra/76tKnVL7ncnYnTKFkWfCdomnfhr JrKw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:to:subject:message-id:date:from :in-reply-to:references:mime-version:sender:dkim-signature :dkim-signature; bh=942sh55uKsepNg5YlgOoJMgn8JdsZ7jA0QFXwfbPgxk=; fh=b+9+x3w58c2mcKd/AszpYHKOoCYe8bx7v8ua8x5QLYU=; b=eBQFVEN02/n85n60NZkps2lb9gG/PZNx9P1nwcjWIkOXbGXRVKQoM8cwT67Ur7u2P2 /0Bhdk8KhWQcpo2ui0GYmswhSY42iizEAA5AD/n7mOHVNbNCiwUcymhFjWDh+T4IHQFa 6FzsXClPSaaArKXoQvC0DYYVBHshWE/j1gXbSMou85n08N35w6yqqzO3FBm4bPYoeKc9 fVrJnclOiLNVUB1HjmiL5mVzGfgUkm4R+pWxq5wzFFMsOZaKuCJq16V3CJ3wmxh8ld1h jlR0j28oDMdxZUZM6gCgCKp9CBLCHigzJPv+OWh/faawGzCm9oid51NdjoB1tT8CHYCf tWaw==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=IfpowKB7; spf=pass (google.com: domain of gregtonoski@gmail.com designates 2607:f8b0:4864:20::b29 as permitted sender) smtp.mailfrom=gregtonoski@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1753462901; x=1754067701; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:to:subject:message-id:date:from:in-reply-to :references:mime-version:sender:from:to:cc:subject:date:message-id :reply-to; bh=942sh55uKsepNg5YlgOoJMgn8JdsZ7jA0QFXwfbPgxk=; b=pIIoIkc5CfiERbrK9GS20cJRxi29/f6iJ+gEgyHFrQkp6Qi36zIM/Mj+7w81RCQnzC +g/CWX+wIizmAH6pbFASuiMyIH70v5CxDvuylVzipAM1Tv8y/0G/7lSRnxpQ2//tc8+U H1HypsQrWFEzaW3+6voD7SYIPf98wrFA7qDZPAg+fFnQ5VBg/NsZu12u3EnCuZlkXP6i CyJ6erxcrRWmUtVJ6FM/Tz73JE3Q6Ve30wK/6po+jRxSaEUGxiQTOPeD4tBDKYKb6yJE D/KXg2ABN41voZpYQu4l+UCZBYmy5vt+r1UNT9k3XrNbwyUKVc0eDnsvabbTSdq/lRL9 8vqg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1753462901; x=1754067701; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=942sh55uKsepNg5YlgOoJMgn8JdsZ7jA0QFXwfbPgxk=; b=GM+5IpNDjEM8qFNvppouCro7+fcMDlMr4ePwmEOWq2fUOxzErsMvQyzZ6pJkhwvbYI A3dwDUdFUJ+sSP+CFj05PQOTEY4kf8EBFS5jYuTemsP3LCL1E/lcpEP4jkbTCaXh4ByM Pj0+2+P/qvzNaPEP6ErfJHZBor3dmXpzPx/YzQLhMeXSOMVONajI6/VWGRluywFhROzr mTQGIgpUdRsecM1yO3wjGAqhwGMxAoer3XQv015IpFkA8RKbeQFvdFqqMDyIe29j372e U1zXlzlFItPyxkatmNuZnkeCD0JDs7tuoMR2So1ipXo/uGoAfE3AMEpGSBsRnpjOER2i aHhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1753462901; x=1754067701; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-beenthere:x-gm-message-state:sender:from :to:cc:subject:date:message-id:reply-to; bh=942sh55uKsepNg5YlgOoJMgn8JdsZ7jA0QFXwfbPgxk=; b=oQ872qnek3JvfTMC9Uke96fLiglzmHBPj0x9XPz4K+bFTMSGFX7wiPaMguF8+SfZ+u wNJT3wE4VM2hfp4m/mEPK+Yoyw/cOdnXlvuDeKyL5fl2mqCIbgzVYEdXJXE6qPwv6GRk OPHy44riUvH1n+p+f74SIfccN+cwyzWlHSVgGjwt/Dv6HZhN5CWghrALR+qbOivHRRIv rpAoM+7znRfMqEqNbXeCrkHkvTfsGFbzMz6A5vQKdTEO9cR1eFyUVnk3kMmJJzV0DLty fYaVgmw2kP82IoLvnIlZOPsuF8yNABqmIi6IJL468ZiOfLiyjreojebS8+PCJ1k3G5GA CjfQ== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCV9EnMKVm3szWg3PIn5RDyd2jGT0wHKrx3K5iMpN3QjW/ABhq2peoCEonnNrLNl9miZZVQPUfS+9kom@gnusha.org X-Gm-Message-State: AOJu0YzBoxIUXneSJjnYq5HJGOwBdsFTfqsDARIQLRUUNEE+7PXRnH1E vY+REmh5pY9QMpKR5uHOvYMTUNu1nhBhi+Ijguq4lSUWU2UbpB8Xm/PT X-Google-Smtp-Source: AGHT+IFlKwOorpU66maiZKYSB6dVl3o8mXwpeURAHkrMpu/gmO/SR7n471n7/QLLW6hNKRGAfnHtEg== X-Received: by 2002:a05:622a:189a:b0:4ab:37bd:5a8b with SMTP id d75a77b69052e-4ae8ef5eee3mr29637091cf.1.1753462901135; Fri, 25 Jul 2025 10:01:41 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZfpIEHQ6eAvmSmUJronyinKTyLa9CLz5y2WmY6PFTfk5g== Received: by 2002:ac8:7c55:0:b0:4ab:722d:38b9 with SMTP id d75a77b69052e-4ae7bbafad6ls40987981cf.0.-pod-prod-09-us; Fri, 25 Jul 2025 10:01:37 -0700 (PDT) X-Received: by 2002:ae9:ec0d:0:b0:7e6:23cb:7296 with SMTP id af79cd13be357-7e63bfa9366mr229037085a.28.1753462897453; Fri, 25 Jul 2025 10:01:37 -0700 (PDT) Received: by 2002:a81:dc0a:0:b0:711:63b1:720 with SMTP id 00721157ae682-719b29f903ams7b3; Wed, 23 Jul 2025 01:50:14 -0700 (PDT) X-Received: by 2002:a05:690c:87:b0:712:c295:d013 with SMTP id 00721157ae682-719b42271b7mr28142107b3.34.1753260613552; Wed, 23 Jul 2025 01:50:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1753260613; cv=none; d=google.com; s=arc-20240605; b=NFWCq7Ba/nOwRtob/1dIAlTvINypNtAQbRjIJ52MrpktSEk5AS0C4rEiU9Qn+Mrec2 azYLFGgHmnqBtuLDdiikbVgnlg0NqG0NGOtyFSj/SSXOrx/oQhJ4nmhXKeea1xNwzSMl Zsn8ok2jZ2hIC1YZj9bYrJphjNrh81zNVpbRNDW9n2SgdcHADw6McrSvaYH1kBmS5E7O macKamk4WLTJJ1XEDQSytEptbHTsQvBt3UJLbm9nGPkT6YZMb/9p5ap25XhPqabiKZEm jbhyKb5wu4Ez4pqvwxcNGh/lKIORbocq8QXqF7KeM3zunxna7aBTqKT3BeUBAAwOsZz3 l33g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=05415FFnVrKc3FiaxAPuAuFnDf9zEau1tgec9GqsjRU=; fh=DMP0F9ULS1guKiqimntQRCN8ZraraesEgQuVcn7F0Z0=; b=Cn7hVdig64e1TGYBJRwwJ5km8nt6Nm249wALpXzPr2O3DnfQDYep96WWm2+eCZtvI2 wydjXb9JDNgUNGi9yLaCqXk6WfzMk4QOTS0V6QPVIi2oexkNWNecsHJHeqMVeMZyO4Cr SVnIffom692/wh0KpgKMgYFVYewseDOpbJvWEu+covV0VtSzgcfRpKD2X65zUBXgMzM1 DhFanVdlWpnaAJ7FAtm68pgSWSoTCVDkpdgh2FjVthNIuw23pTbhbQjNveQ7KAYDbRwX wZ8RtliEVNdXK2b8TWQXzlHX+52HpLn/NGrWNRlDn4zxwLVXdQ7OqcARSMj2xYRnQB4r 23jg==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=IfpowKB7; spf=pass (google.com: domain of gregtonoski@gmail.com designates 2607:f8b0:4864:20::b29 as permitted sender) smtp.mailfrom=gregtonoski@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com. [2607:f8b0:4864:20::b29]) by gmr-mx.google.com with ESMTPS id 00721157ae682-71989dd0c9asi3208217b3.2.2025.07.23.01.50.13 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 23 Jul 2025 01:50:13 -0700 (PDT) Received-SPF: pass (google.com: domain of gregtonoski@gmail.com designates 2607:f8b0:4864:20::b29 as permitted sender) client-ip=2607:f8b0:4864:20::b29; Received: by mail-yb1-xb29.google.com with SMTP id 3f1490d57ef6-e8bcbe46cf1so5987233276.2 for ; Wed, 23 Jul 2025 01:50:13 -0700 (PDT) X-Gm-Gg: ASbGncv4mUs7SrFlIEvnd1e0cLWwT/grRGlFLfu/Ce2/pAuYHG7obYPoUu18GVQT93b K+nZuThxjSiONkKgkQXh2XVEyIJH53C1Cus29qOUHseCjJr5+cQ+gZXIYHoAr0W24pIclsgZ3Ox 3Iin4XVdjtDZyqoqdgX9AFHbD49HeejCu3D8mc7225cj3rGelo7lUyvEgicTT5pPias9VDxy7Ez z8X+Hfh5Xxd8TWfxFil/MtUS7iM3dG5mpBliLSh X-Received: by 2002:a05:690c:6e0c:b0:718:38be:bb41 with SMTP id 00721157ae682-719b424f56fmr24773467b3.42.1753260613029; Wed, 23 Jul 2025 01:50:13 -0700 (PDT) MIME-Version: 1.0 References: <8fbe1fe3-425d-4056-8387-993f6ecc1been@googlegroups.com> In-Reply-To: <8fbe1fe3-425d-4056-8387-993f6ecc1been@googlegroups.com> From: Greg Tonoski Date: Wed, 23 Jul 2025 10:49:55 +0200 X-Gm-Features: Ac12FXxkHcm6oMHsNqjsKzTahvSK9gNtNS7fd98fD_vNMnPg2714AYBQlogIjp0 Message-ID: Subject: Re: [bitcoindev] Revisiting secp256r1 signatures (i.e. P256, mobile HSM support) To: Bitcoin Development Mailing List Content-Type: multipart/alternative; boundary="00000000000009d2f2063a94ccae" X-Original-Sender: gregtonoski@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=IfpowKB7; spf=pass (google.com: domain of gregtonoski@gmail.com designates 2607:f8b0:4864:20::b29 as permitted sender) smtp.mailfrom=gregtonoski@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: 2.6 (++) --00000000000009d2f2063a94ccae Content-Type: text/plain; charset="UTF-8" I can see another attempt to re-open the vulnerability OP_CAT which had been closed in Bitcoin long time ago. It's pushed under the guise of secp256r1 which has nothing to do with the OP_CAT. Also, HSM and other technobabble is irrelevant. For example, mobile users already have "mobile HSM support" - see Samsung Blockchain Keystore. -- Greg Tonoski On Wed, 23 Jul 2025, 00:03 Josh Doman, wrote: > A brief search on gnusha.org > suggests that it's been > over 10 years since the Bitcoin community last discussed adding secp256r1 > support (also known as P256). The most in-depth discussions I found were on > BitcoinTalk in 2011 and 2013 > . > > Since then, P256 has gained widespread adoption across the modern internet > and on mobile. Most notably, millions of users now possess mobile devices > capable of generating and storing private keys in secure enclaves (see > Apple iCloud Keychain and Android Keystore). Millions of users might be > able to immediately use this to start self-custodying bitcoin, except this > hardware only supports P256 signatures, which is incompatible with the > secp256k1 curve that Bitcoin currently uses. > > Reading through old discussions, it appears that the primary concern the > community had with P256 is the possibility of a NIST backdoor. Putting the > likelihood of this aside, it seems reasonable to me that in 2025, users > should at least have the option of using P256, if they wish. Native HSM > support would significantly improve the onboarding experience for new > users, increase the security and accessibility of hot wallets, and > potentially reduce the cost of collaborative multisigs. Meanwhile, the > community can continue to use secp256k1 as the ideal curve for private keys > secured in cold storage. > > At a technical level, Tapscript makes P256 mechanically straightforward to > adopt, because it has built-in support for new types of public keys. For > example, we could define a 33-byte public key as one requiring a P256 ECDSA > signature, while continuing to use 32-bytes for keys requiring Schnorr > signatures over secp256k1. > > A secondary concern that I came across is that P256 can be 2-3x slower to > validate than secp256k1. Assuming this cannot be improved, we can account > for slower validation by doubling or tripling the validation weight cost > for a P256 signature. Users can then pre-commit in their script to this > additional weight or commit to it in the annex, as intended by BIP341 > . > > P256 support would grant apps the ability to use platform APIs to access > the secure HSM on user's mobile devices, but alone, P256 is insufficient > for non-custodial WebAuthn / passkey-based wallets. To verify a WebAuthn > signature, we'd additionally need CSFS and CAT, so we can compute a > WebAuthn message from a sighash and the necessary WebAuthn data on the > stack. Alternatively, we could create a dedicated WebAuthn opcode to verify > a WebAuthn message without enabling recursive covenants. Regardless, the > ability to verify a P256 signature would be an important primitive. > > In summary, *given the widespread hardware adoption and industry usage, > is it worth revisiting adding P256 support to Bitcoin?* > > Josh Doman > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/8fbe1fe3-425d-4056-8387-993f6ecc1been%40googlegroups.com > > . > > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAMHHROzaOap8d8gJ%2BzOcSQ5t9f7u_MQ5M%3D5abebkWpqkM7tprQ%40mail.gmail.com. --00000000000009d2f2063a94ccae Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I can see another attempt to re-open the vulnerability OP= _CAT which had been closed in Bitcoin long time ago. It's pushed under = the guise of secp256r1=C2=A0 which has nothing to do with the OP_CAT. Also,= HSM and other technobabble is irrelevant. For example, mobile users alread= y have "mobile HSM support" - see Samsung Blockchain Keystore.
--=C2=A0
Greg Tonoski

On Wed, 23 Jul 2025, 00:03 Josh Doman, <joshsdoman@gmail.com> wrote:
A brief search on gnusha= .org suggests that it's been over 10 years since the Bitcoin commun= ity last discussed adding secp256r1 support (also known as P256). The most = in-depth discussions I found were on BitcoinTalk in 2011 = and 2013.

Since then, P256 has gained= widespread adoption across the modern internet and on mobile. Most notably= , millions of users now possess mobile devices capable of generating and st= oring private keys in secure enclaves (see Apple iCloud Keychain and Androi= d Keystore). Millions of users might be able to immediately use this to sta= rt self-custodying bitcoin, except this hardware only supports P256 signatu= res, which is incompatible with the secp256k1 curve that Bitcoin currently = uses.

Reading through old discussions, it appears that the primary c= oncern the community had with P256 is the possibility of a NIST backdoor. P= utting the likelihood of this aside, it seems reasonable to me that in 2025= , users should at least have the option of using P256, if they wish. Native= HSM support would significantly improve the onboarding experience for new = users, increase the security and accessibility of hot wallets, and potentia= lly reduce the cost of collaborative multisigs. Meanwhile, the community ca= n continue to use secp256k1 as the ideal curve for private keys secured in = cold storage.

At a technical level, Tapscript makes P256 mechanicall= y straightforward to adopt, because it has built-in support for new types o= f public keys. For example, we could define a 33-byte public key as one req= uiring a P256 ECDSA signature, while continuing to use 32-bytes for keys re= quiring Schnorr signatures over secp256k1.

A secondary concern that = I came across is that P256 can be 2-3x slower to validate than secp256k1. A= ssuming this cannot be improved, we can account for slower validation by do= ubling or tripling the validation weight cost for a P256 signature. Users c= an then pre-commit in their script to this additional weight or commit to i= t in the annex, as intended by BIP341<= /a>.

P256 support would grant apps the ability to use platform APIs = to access the secure HSM on user's mobile devices, but alone, P256 is i= nsufficient for non-custodial WebAuthn / passkey-based wallets. To verify a= WebAuthn signature, we'd additionally need CSFS and CAT, so we can com= pute a WebAuthn message from a sighash and the necessary WebAuthn data on t= he stack. Alternatively, we could create a dedicated WebAuthn opcode to ver= ify a WebAuthn message without enabling recursive covenants. Regardless, th= e ability to verify a P256 signature would be an important primitive.
In summary, given the widespread hardware adoption and industry usage,= is it worth revisiting adding P256 support to Bitcoin?

=
Josh Doman

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com.=
To view this discussion visit h= ttps://groups.google.com/d/msgid/bitcoindev/8fbe1fe3-425d-4056-8387-993f6ec= c1been%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/= d/msgid/bitcoindev/CAMHHROzaOap8d8gJ%2BzOcSQ5t9f7u_MQ5M%3D5abebkWpqkM7tprQ%= 40mail.gmail.com.
--00000000000009d2f2063a94ccae--