1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
|
Delivery-date: Fri, 25 Jul 2025 10:01:48 -0700
Received: from mail-qt1-f192.google.com ([209.85.160.192])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBC7JRFXO3MCBB4PQR3CAMGQEGGFECQQ@googlegroups.com>)
id 1ufLnn-00088r-Lh
for bitcoindev@gnusha.org; Fri, 25 Jul 2025 10:01:48 -0700
Received: by mail-qt1-f192.google.com with SMTP id d75a77b69052e-4ab844acca0sf54012241cf.1
for <bitcoindev@gnusha.org>; Fri, 25 Jul 2025 10:01:47 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1753462901; cv=pass;
d=google.com; s=arc-20240605;
b=eDYqArUOd99KTilsQ7eRS27JLo6r6QsTMNAUbMvUzyRiZXOOfOzqhxja8Hb2l6/S+n
FukPkhF7hbc3+2CVfQDJwCObGdA26bhjKrknVv9Sbw6LTezPQ16irnnvym+O7dnseSHQ
WCUuYgm0hwnnCslkGbxAyMZ0if36tnS8X/U1csFX9l0CfP5Zo7fpmekOnGv/5nC0OHvW
vUtXDIESz8w+OXkVGisdYVDTcnvSn4j5Zwo8dxrsnJKKCzBRf6kgPS89XKiPCqhWKikp
4ALtYRrNRRYNAEjknlGwU5NCdg6lKzglIZNcAUra/76tKnVL7ncnYnTKFkWfCdomnfhr
JrKw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:to:subject:message-id:date:from
:in-reply-to:references:mime-version:sender:dkim-signature
:dkim-signature;
bh=942sh55uKsepNg5YlgOoJMgn8JdsZ7jA0QFXwfbPgxk=;
fh=b+9+x3w58c2mcKd/AszpYHKOoCYe8bx7v8ua8x5QLYU=;
b=eBQFVEN02/n85n60NZkps2lb9gG/PZNx9P1nwcjWIkOXbGXRVKQoM8cwT67Ur7u2P2
/0Bhdk8KhWQcpo2ui0GYmswhSY42iizEAA5AD/n7mOHVNbNCiwUcymhFjWDh+T4IHQFa
6FzsXClPSaaArKXoQvC0DYYVBHshWE/j1gXbSMou85n08N35w6yqqzO3FBm4bPYoeKc9
fVrJnclOiLNVUB1HjmiL5mVzGfgUkm4R+pWxq5wzFFMsOZaKuCJq16V3CJ3wmxh8ld1h
jlR0j28oDMdxZUZM6gCgCKp9CBLCHigzJPv+OWh/faawGzCm9oid51NdjoB1tT8CHYCf
tWaw==;
darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=IfpowKB7;
spf=pass (google.com: domain of gregtonoski@gmail.com designates 2607:f8b0:4864:20::b29 as permitted sender) smtp.mailfrom=gregtonoski@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
dara=pass header.i=@googlegroups.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1753462901; x=1754067701; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:to:subject:message-id:date:from:in-reply-to
:references:mime-version:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=942sh55uKsepNg5YlgOoJMgn8JdsZ7jA0QFXwfbPgxk=;
b=pIIoIkc5CfiERbrK9GS20cJRxi29/f6iJ+gEgyHFrQkp6Qi36zIM/Mj+7w81RCQnzC
+g/CWX+wIizmAH6pbFASuiMyIH70v5CxDvuylVzipAM1Tv8y/0G/7lSRnxpQ2//tc8+U
H1HypsQrWFEzaW3+6voD7SYIPf98wrFA7qDZPAg+fFnQ5VBg/NsZu12u3EnCuZlkXP6i
CyJ6erxcrRWmUtVJ6FM/Tz73JE3Q6Ve30wK/6po+jRxSaEUGxiQTOPeD4tBDKYKb6yJE
D/KXg2ABN41voZpYQu4l+UCZBYmy5vt+r1UNT9k3XrNbwyUKVc0eDnsvabbTSdq/lRL9
8vqg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1753462901; x=1754067701; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:to:subject:message-id:date:from:in-reply-to
:references:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=942sh55uKsepNg5YlgOoJMgn8JdsZ7jA0QFXwfbPgxk=;
b=GM+5IpNDjEM8qFNvppouCro7+fcMDlMr4ePwmEOWq2fUOxzErsMvQyzZ6pJkhwvbYI
A3dwDUdFUJ+sSP+CFj05PQOTEY4kf8EBFS5jYuTemsP3LCL1E/lcpEP4jkbTCaXh4ByM
Pj0+2+P/qvzNaPEP6ErfJHZBor3dmXpzPx/YzQLhMeXSOMVONajI6/VWGRluywFhROzr
mTQGIgpUdRsecM1yO3wjGAqhwGMxAoer3XQv015IpFkA8RKbeQFvdFqqMDyIe29j372e
U1zXlzlFItPyxkatmNuZnkeCD0JDs7tuoMR2So1ipXo/uGoAfE3AMEpGSBsRnpjOER2i
aHhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1753462901; x=1754067701;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:to:subject:message-id:date:from:in-reply-to
:references:mime-version:x-beenthere:x-gm-message-state:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=942sh55uKsepNg5YlgOoJMgn8JdsZ7jA0QFXwfbPgxk=;
b=oQ872qnek3JvfTMC9Uke96fLiglzmHBPj0x9XPz4K+bFTMSGFX7wiPaMguF8+SfZ+u
wNJT3wE4VM2hfp4m/mEPK+Yoyw/cOdnXlvuDeKyL5fl2mqCIbgzVYEdXJXE6qPwv6GRk
OPHy44riUvH1n+p+f74SIfccN+cwyzWlHSVgGjwt/Dv6HZhN5CWghrALR+qbOivHRRIv
rpAoM+7znRfMqEqNbXeCrkHkvTfsGFbzMz6A5vQKdTEO9cR1eFyUVnk3kMmJJzV0DLty
fYaVgmw2kP82IoLvnIlZOPsuF8yNABqmIi6IJL468ZiOfLiyjreojebS8+PCJ1k3G5GA
CjfQ==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCV9EnMKVm3szWg3PIn5RDyd2jGT0wHKrx3K5iMpN3QjW/ABhq2peoCEonnNrLNl9miZZVQPUfS+9kom@gnusha.org
X-Gm-Message-State: AOJu0YzBoxIUXneSJjnYq5HJGOwBdsFTfqsDARIQLRUUNEE+7PXRnH1E
vY+REmh5pY9QMpKR5uHOvYMTUNu1nhBhi+Ijguq4lSUWU2UbpB8Xm/PT
X-Google-Smtp-Source: AGHT+IFlKwOorpU66maiZKYSB6dVl3o8mXwpeURAHkrMpu/gmO/SR7n471n7/QLLW6hNKRGAfnHtEg==
X-Received: by 2002:a05:622a:189a:b0:4ab:37bd:5a8b with SMTP id d75a77b69052e-4ae8ef5eee3mr29637091cf.1.1753462901135;
Fri, 25 Jul 2025 10:01:41 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZfpIEHQ6eAvmSmUJronyinKTyLa9CLz5y2WmY6PFTfk5g==
Received: by 2002:ac8:7c55:0:b0:4ab:722d:38b9 with SMTP id d75a77b69052e-4ae7bbafad6ls40987981cf.0.-pod-prod-09-us;
Fri, 25 Jul 2025 10:01:37 -0700 (PDT)
X-Received: by 2002:ae9:ec0d:0:b0:7e6:23cb:7296 with SMTP id af79cd13be357-7e63bfa9366mr229037085a.28.1753462897453;
Fri, 25 Jul 2025 10:01:37 -0700 (PDT)
Received: by 2002:a81:dc0a:0:b0:711:63b1:720 with SMTP id 00721157ae682-719b29f903ams7b3;
Wed, 23 Jul 2025 01:50:14 -0700 (PDT)
X-Received: by 2002:a05:690c:87:b0:712:c295:d013 with SMTP id 00721157ae682-719b42271b7mr28142107b3.34.1753260613552;
Wed, 23 Jul 2025 01:50:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1753260613; cv=none;
d=google.com; s=arc-20240605;
b=NFWCq7Ba/nOwRtob/1dIAlTvINypNtAQbRjIJ52MrpktSEk5AS0C4rEiU9Qn+Mrec2
azYLFGgHmnqBtuLDdiikbVgnlg0NqG0NGOtyFSj/SSXOrx/oQhJ4nmhXKeea1xNwzSMl
Zsn8ok2jZ2hIC1YZj9bYrJphjNrh81zNVpbRNDW9n2SgdcHADw6McrSvaYH1kBmS5E7O
macKamk4WLTJJ1XEDQSytEptbHTsQvBt3UJLbm9nGPkT6YZMb/9p5ap25XhPqabiKZEm
jbhyKb5wu4Ez4pqvwxcNGh/lKIORbocq8QXqF7KeM3zunxna7aBTqKT3BeUBAAwOsZz3
l33g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:dkim-signature;
bh=05415FFnVrKc3FiaxAPuAuFnDf9zEau1tgec9GqsjRU=;
fh=DMP0F9ULS1guKiqimntQRCN8ZraraesEgQuVcn7F0Z0=;
b=Cn7hVdig64e1TGYBJRwwJ5km8nt6Nm249wALpXzPr2O3DnfQDYep96WWm2+eCZtvI2
wydjXb9JDNgUNGi9yLaCqXk6WfzMk4QOTS0V6QPVIi2oexkNWNecsHJHeqMVeMZyO4Cr
SVnIffom692/wh0KpgKMgYFVYewseDOpbJvWEu+covV0VtSzgcfRpKD2X65zUBXgMzM1
DhFanVdlWpnaAJ7FAtm68pgSWSoTCVDkpdgh2FjVthNIuw23pTbhbQjNveQ7KAYDbRwX
wZ8RtliEVNdXK2b8TWQXzlHX+52HpLn/NGrWNRlDn4zxwLVXdQ7OqcARSMj2xYRnQB4r
23jg==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=IfpowKB7;
spf=pass (google.com: domain of gregtonoski@gmail.com designates 2607:f8b0:4864:20::b29 as permitted sender) smtp.mailfrom=gregtonoski@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
dara=pass header.i=@googlegroups.com
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com. [2607:f8b0:4864:20::b29])
by gmr-mx.google.com with ESMTPS id 00721157ae682-71989dd0c9asi3208217b3.2.2025.07.23.01.50.13
for <bitcoindev@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Wed, 23 Jul 2025 01:50:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of gregtonoski@gmail.com designates 2607:f8b0:4864:20::b29 as permitted sender) client-ip=2607:f8b0:4864:20::b29;
Received: by mail-yb1-xb29.google.com with SMTP id 3f1490d57ef6-e8bcbe46cf1so5987233276.2
for <bitcoindev@googlegroups.com>; Wed, 23 Jul 2025 01:50:13 -0700 (PDT)
X-Gm-Gg: ASbGncv4mUs7SrFlIEvnd1e0cLWwT/grRGlFLfu/Ce2/pAuYHG7obYPoUu18GVQT93b
K+nZuThxjSiONkKgkQXh2XVEyIJH53C1Cus29qOUHseCjJr5+cQ+gZXIYHoAr0W24pIclsgZ3Ox
3Iin4XVdjtDZyqoqdgX9AFHbD49HeejCu3D8mc7225cj3rGelo7lUyvEgicTT5pPias9VDxy7Ez
z8X+Hfh5Xxd8TWfxFil/MtUS7iM3dG5mpBliLSh
X-Received: by 2002:a05:690c:6e0c:b0:718:38be:bb41 with SMTP id
00721157ae682-719b424f56fmr24773467b3.42.1753260613029; Wed, 23 Jul 2025
01:50:13 -0700 (PDT)
MIME-Version: 1.0
References: <8fbe1fe3-425d-4056-8387-993f6ecc1been@googlegroups.com>
In-Reply-To: <8fbe1fe3-425d-4056-8387-993f6ecc1been@googlegroups.com>
From: Greg Tonoski <gregtonoski@gmail.com>
Date: Wed, 23 Jul 2025 10:49:55 +0200
X-Gm-Features: Ac12FXxkHcm6oMHsNqjsKzTahvSK9gNtNS7fd98fD_vNMnPg2714AYBQlogIjp0
Message-ID: <CAMHHROzaOap8d8gJ+zOcSQ5t9f7u_MQ5M=5abebkWpqkM7tprQ@mail.gmail.com>
Subject: Re: [bitcoindev] Revisiting secp256r1 signatures (i.e. P256, mobile
HSM support)
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Content-Type: multipart/alternative; boundary="00000000000009d2f2063a94ccae"
X-Original-Sender: gregtonoski@gmail.com
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@gmail.com header.s=20230601 header.b=IfpowKB7; spf=pass
(google.com: domain of gregtonoski@gmail.com designates 2607:f8b0:4864:20::b29
as permitted sender) smtp.mailfrom=gregtonoski@gmail.com; dmarc=pass
(p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: 2.6 (++)
--00000000000009d2f2063a94ccae
Content-Type: text/plain; charset="UTF-8"
I can see another attempt to re-open the vulnerability OP_CAT which had
been closed in Bitcoin long time ago. It's pushed under the guise of
secp256r1 which has nothing to do with the OP_CAT. Also, HSM and other
technobabble is irrelevant. For example, mobile users already have "mobile
HSM support" - see Samsung Blockchain Keystore.
--
Greg Tonoski
On Wed, 23 Jul 2025, 00:03 Josh Doman, <joshsdoman@gmail.com> wrote:
> A brief search on gnusha.org
> <https://gnusha.org/pi/bitcoindev/?q=secp256r1> suggests that it's been
> over 10 years since the Bitcoin community last discussed adding secp256r1
> support (also known as P256). The most in-depth discussions I found were on
> BitcoinTalk in 2011 <https://bitcointalk.org/?topic=2699.0> and 2013
> <https://bitcointalk.org/index.php?topic=151120.0>.
>
> Since then, P256 has gained widespread adoption across the modern internet
> and on mobile. Most notably, millions of users now possess mobile devices
> capable of generating and storing private keys in secure enclaves (see
> Apple iCloud Keychain and Android Keystore). Millions of users might be
> able to immediately use this to start self-custodying bitcoin, except this
> hardware only supports P256 signatures, which is incompatible with the
> secp256k1 curve that Bitcoin currently uses.
>
> Reading through old discussions, it appears that the primary concern the
> community had with P256 is the possibility of a NIST backdoor. Putting the
> likelihood of this aside, it seems reasonable to me that in 2025, users
> should at least have the option of using P256, if they wish. Native HSM
> support would significantly improve the onboarding experience for new
> users, increase the security and accessibility of hot wallets, and
> potentially reduce the cost of collaborative multisigs. Meanwhile, the
> community can continue to use secp256k1 as the ideal curve for private keys
> secured in cold storage.
>
> At a technical level, Tapscript makes P256 mechanically straightforward to
> adopt, because it has built-in support for new types of public keys. For
> example, we could define a 33-byte public key as one requiring a P256 ECDSA
> signature, while continuing to use 32-bytes for keys requiring Schnorr
> signatures over secp256k1.
>
> A secondary concern that I came across is that P256 can be 2-3x slower to
> validate than secp256k1. Assuming this cannot be improved, we can account
> for slower validation by doubling or tripling the validation weight cost
> for a P256 signature. Users can then pre-commit in their script to this
> additional weight or commit to it in the annex, as intended by BIP341
> <https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki>.
>
> P256 support would grant apps the ability to use platform APIs to access
> the secure HSM on user's mobile devices, but alone, P256 is insufficient
> for non-custodial WebAuthn / passkey-based wallets. To verify a WebAuthn
> signature, we'd additionally need CSFS and CAT, so we can compute a
> WebAuthn message from a sighash and the necessary WebAuthn data on the
> stack. Alternatively, we could create a dedicated WebAuthn opcode to verify
> a WebAuthn message without enabling recursive covenants. Regardless, the
> ability to verify a P256 signature would be an important primitive.
>
> In summary, *given the widespread hardware adoption and industry usage,
> is it worth revisiting adding P256 support to Bitcoin?*
>
> Josh Doman
>
> --
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/8fbe1fe3-425d-4056-8387-993f6ecc1been%40googlegroups.com
> <https://groups.google.com/d/msgid/bitcoindev/8fbe1fe3-425d-4056-8387-993f6ecc1been%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAMHHROzaOap8d8gJ%2BzOcSQ5t9f7u_MQ5M%3D5abebkWpqkM7tprQ%40mail.gmail.com.
--00000000000009d2f2063a94ccae
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"auto">I can see another attempt to re-open the vulnerability OP=
_CAT which had been closed in Bitcoin long time ago. It's pushed under =
the guise of secp256r1=C2=A0 which has nothing to do with the OP_CAT. Also,=
HSM and other technobabble is irrelevant. For example, mobile users alread=
y have "mobile HSM support" - see Samsung Blockchain Keystore.<br=
><br>--=C2=A0<div dir=3D"auto">Greg Tonoski<br><br><div class=3D"gmail_quot=
e gmail_quote_container" dir=3D"auto"><div dir=3D"ltr" class=3D"gmail_attr"=
>On Wed, 23 Jul 2025, 00:03 Josh Doman, <<a href=3D"mailto:joshsdoman@gm=
ail.com">joshsdoman@gmail.com</a>> wrote:<br></div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20=
4,204,204);padding-left:1ex">A brief search on <a href=3D"https://gnusha.or=
g/pi/bitcoindev/?q=3Dsecp256r1" target=3D"_blank" rel=3D"noreferrer">gnusha=
.org</a> suggests that it's been over 10 years since the Bitcoin commun=
ity last discussed adding secp256r1 support (also known as P256). The most =
in-depth discussions I found were on BitcoinTalk in <a href=3D"https://bitc=
ointalk.org/?topic=3D2699.0" target=3D"_blank" rel=3D"noreferrer">2011</a> =
and <a href=3D"https://bitcointalk.org/index.php?topic=3D151120.0" target=
=3D"_blank" rel=3D"noreferrer">2013</a>.<br><br>Since then, P256 has gained=
widespread adoption across the modern internet and on mobile. Most notably=
, millions of users now possess mobile devices capable of generating and st=
oring private keys in secure enclaves (see Apple iCloud Keychain and Androi=
d Keystore). Millions of users might be able to immediately use this to sta=
rt self-custodying bitcoin, except this hardware only supports P256 signatu=
res, which is incompatible with the secp256k1 curve that Bitcoin currently =
uses.<br><br>Reading through old discussions, it appears that the primary c=
oncern the community had with P256 is the possibility of a NIST backdoor. P=
utting the likelihood of this aside, it seems reasonable to me that in 2025=
, users should at least have the option of using P256, if they wish. Native=
HSM support would significantly improve the onboarding experience for new =
users, increase the security and accessibility of hot wallets, and potentia=
lly reduce the cost of collaborative multisigs. Meanwhile, the community ca=
n continue to use secp256k1 as the ideal curve for private keys secured in =
cold storage.<br><br>At a technical level, Tapscript makes P256 mechanicall=
y straightforward to adopt, because it has built-in support for new types o=
f public keys. For example, we could define a 33-byte public key as one req=
uiring a P256 ECDSA signature, while continuing to use 32-bytes for keys re=
quiring Schnorr signatures over secp256k1.<br><br>A secondary concern that =
I came across is that P256 can be 2-3x slower to validate than secp256k1. A=
ssuming this cannot be improved, we can account for slower validation by do=
ubling or tripling the validation weight cost for a P256 signature. Users c=
an then pre-commit in their script to this additional weight or commit to i=
t in the annex, as intended by <a href=3D"https://github.com/bitcoin/bips/b=
lob/master/bip-0341.mediawiki" target=3D"_blank" rel=3D"noreferrer">BIP341<=
/a>.<br><br>P256 support would grant apps the ability to use platform APIs =
to access the secure HSM on user's mobile devices, but alone, P256 is i=
nsufficient for non-custodial WebAuthn / passkey-based wallets. To verify a=
WebAuthn signature, we'd additionally need CSFS and CAT, so we can com=
pute a WebAuthn message from a sighash and the necessary WebAuthn data on t=
he stack. Alternatively, we could create a dedicated WebAuthn opcode to ver=
ify a WebAuthn message without enabling recursive covenants. Regardless, th=
e ability to verify a P256 signature would be an important primitive.<br><b=
r>In summary, <b>given the widespread hardware adoption and industry usage,=
is it worth revisiting adding P256 support to Bitcoin?</b><br><div><b><br>=
</b></div><div>Josh Doman</div>
<p></p>
-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com" target=
=3D"_blank" rel=3D"noreferrer">bitcoindev+unsubscribe@googlegroups.com</a>.=
<br>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/8fbe1fe3-425d-4056-8387-993f6ecc1been%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter" target=3D"_blank" rel=3D"noreferrer">h=
ttps://groups.google.com/d/msgid/bitcoindev/8fbe1fe3-425d-4056-8387-993f6ec=
c1been%40googlegroups.com</a>.<br><br>
</blockquote></div></div></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/CAMHHROzaOap8d8gJ%2BzOcSQ5t9f7u_MQ5M%3D5abebkWpqkM7tprQ%40mail.g=
mail.com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/=
d/msgid/bitcoindev/CAMHHROzaOap8d8gJ%2BzOcSQ5t9f7u_MQ5M%3D5abebkWpqkM7tprQ%=
40mail.gmail.com</a>.<br />
--00000000000009d2f2063a94ccae--
|
