Documentation Index
Fetch the complete documentation index at: https://voltaire.tevm.sh/llms.txt
Use this file to discover all available pages before exploring further.
Elliptic Curve Comparison: secp256k1 vs P-256
Comprehensive comparison of the two ECDSA curves supported by Voltaire.
Overview Table
| Feature | Secp256k1 | P-256 (secp256r1) |
|---|
| Full Name | secp256k1 | NIST P-256 / secp256r1 / prime256v1 |
| Standardization | SECG SEC 2 | NIST FIPS 186-4, SECG SEC 2 |
| Security Level | 128-bit | 128-bit |
| Curve Equation | y² = x³ + 7 | y² = x³ - 3x + b |
| Field Prime (p) | 2²⁵⁶ - 2³² - 977 | 2²⁵⁶ - 2²²⁴ + 2¹⁹² + 2⁹⁶ - 1 |
| Ethereum Core | ✅ Required | ❌ Not used (L2 only) |
| Bitcoin | ✅ Yes | ❌ No |
| WebAuthn/FIDO2 | ❌ Not supported | ✅ Default curve |
| iOS Secure Enclave | ❌ Not supported | ✅ Only supported curve |
| Android Keystore | ❌ Limited | ✅ Full support |
| TLS 1.3 | ❌ Rare | ✅ Default |
| Hardware Wallets | ✅ Universal | ⚠️ Some (YubiKey, TPM) |
| Recovery ID | ✅ Yes (v parameter) | ❌ No (not needed) |
| Signature Size | 65 bytes (r,s,v) | 64 bytes (r,s) |
When to Use Each Curve
Use Secp256k1 When:
✅ Ethereum transactions - Required for EOA (Externally Owned Account)
✅ Bitcoin compatibility - Cross-chain applications
✅ ecRecover - On-chain signature verification (EVM precompile)
✅ Traditional crypto wallets - Ledger, Trezor, MetaMask
✅ Public key recovery needed - Derive address from signature without storing pubkey
Use P-256 When:
✅ WebAuthn/Passkeys - Passwordless authentication (Face ID, Touch ID, Windows Hello)
✅ iOS Secure Enclave - Hardware-backed keys on Apple devices
✅ Enterprise PKI - Government and corporate compliance (FIPS)
✅ Smart cards - PIV, CAC, YubiKey
✅ Account abstraction - Smart contract wallets with hardware authentication (RIP-7212)
✅ TLS/HTTPS - Modern web security
Technical Differences
Curve Equations
Secp256k1:
y² = x³ + 7 (mod p)
Coefficients: a = 0, b = 7
y² = x³ - 3x + b (mod p)
Coefficients: a = -3, b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Field Primes
Secp256k1:
p = 2²⁵⁶ - 2³² - 977
= 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
- Form: Pseudo-Mersenne prime (near 2²⁵⁶)
- Optimization: Fast modular reduction (subtract small constant)
P-256:
p = 2²⁵⁶ - 2²²⁴ + 2¹⁹² + 2⁹⁶ - 1
= 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
- Form: NIST prime (specific structure)
- Optimization: Specialized reduction algorithm
Curve Orders
Secp256k1:
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
n = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
TypeScript (@noble/curves)
Measured on MacBook Pro M1, Node.js v20:
| Operation | Secp256k1 | P-256 | Winner |
|---|
| Public key derivation | 0.50ms | 0.55ms | Secp256k1 (10% faster) |
| Signing | 1.25ms | 1.30ms | Secp256k1 (4% faster) |
| Verification | 2.50ms | 2.60ms | Secp256k1 (4% faster) |
| ECDH | N/A | 1.20ms | P-256 only |
Native (C libraries)
| Operation | libsecp256k1 | OpenSSL P-256 | Winner |
|---|
| Signing | 0.50ms | 0.60ms | Secp256k1 (20% faster) |
| Verification | 1.00ms | 1.10ms | Secp256k1 (10% faster) |
Hardware Acceleration
| Platform | Secp256k1 | P-256 |
|---|
| Intel CPU | ❌ No acceleration | ❌ No acceleration |
| ARM Crypto Extensions | ❌ No | ❌ No |
| iOS Secure Enclave | ❌ Not supported | ✅ Hardware-accelerated |
| Android Keystore | ❌ Limited | ✅ Hardware-accelerated |
| TPM 2.0 | ❌ Rare | ✅ Standard |
| YubiKey | ❌ No | ✅ Yes |
Security Comparison
Trust Model
Secp256k1:
- Origin: SECG (Standards for Efficient Cryptography Group)
- Selection: Parameters verifiably random (“nothing up my sleeve”)
- Transparency: Clear justification for all constants
- Community trust: High (Bitcoin, Ethereum adoption)
P-256:
- Origin: NIST (National Institute of Standards and Technology)
- Selection: Generated using SHA-1 hash of seed value
- Transparency: Some skepticism about NIST curve selection process
- Government trust: Required for US federal systems (FIPS)
Controversy: Some cryptographers prefer non-NIST curves (like Curve25519) due to transparency concerns, but no known backdoors in P-256.
Known Vulnerabilities
Both curves:
- ✅ No known mathematical weaknesses
- ✅ No known backdoors
- ✅ No feasible discrete log attacks
- ✅ Side-channel resistance (if implemented correctly)
Implementation risks:
- ⚠️ Nonce reuse leaks private key (both)
- ⚠️ Timing attacks possible (both, if not constant-time)
- ⚠️ Invalid curve attacks (both, must validate points)
Audit Status
Secp256k1:
libsecp256k1 - Multiple audits, Bitcoin Core@noble/curves - Security audited, production-ready- Widely used: Bitcoin, Ethereum, thousands of projects
P-256:
- OpenSSL - Extensively audited, ubiquitous
@noble/curves - Same library as secp256k1 (audited)- Widely used: TLS, WebAuthn, enterprise PKI
Winner: Tie - both have well-audited implementations.
Ecosystem Support
Blockchain
| Blockchain | Secp256k1 | P-256 |
|---|
| Ethereum mainnet | ✅ Required | ❌ No (RIP-7212 pending) |
| Bitcoin | ✅ Required | ❌ No |
| Polygon | ✅ Yes | ⚠️ Precompile proposed |
| StarkNet | ✅ Yes | ⚠️ Optional (AA) |
| zkSync | ✅ Yes | ⚠️ Account abstraction |
| Optimism | ✅ Yes | ⚠️ Roadmap |
Web/Mobile
| Platform | Secp256k1 | P-256 |
|---|
| Browser WebCrypto | ❌ Not standard | ✅ Yes |
| WebAuthn | ❌ Not supported | ✅ Default |
| iOS Keychain | ❌ No | ✅ Yes |
| Android Keystore | ❌ Limited | ✅ Full support |
| Windows Hello | ❌ No | ✅ Yes |
Libraries
| Library | Secp256k1 | P-256 |
|---|
| @noble/curves | ✅ Yes | ✅ Yes |
| ethers.js | ✅ Yes | ❌ No |
| viem | ✅ Yes | ❌ No |
| Web3.js | ✅ Yes | ❌ No |
| OpenSSL | ✅ Yes | ✅ Yes |
| BouncyCastle | ✅ Yes | ✅ Yes |
Use Case Examples
Ethereum Transaction Signing (Secp256k1)
import * as Secp256k1 from '@tevm/voltaire/Secp256k1';
import * as Transaction from '@tevm/voltaire/Transaction';
// Sign transaction with secp256k1 (required)
const tx = {
to: '0x...',
value: 1000000000000000000n,
// ...
};
const txHash = Transaction.hash(tx);
const signature = Secp256k1.sign(txHash, privateKey);
// Recover sender address (ecRecover)
const publicKey = Secp256k1.recoverPublicKey(signature, txHash);
const senderAddress = Address.fromPublicKey(publicKey);
WebAuthn Authentication (P-256)
import * as P256 from '@tevm/voltaire/P256';
import { Bytes32 } from '@tevm/voltaire/Bytes32';
// User authenticates with Face ID/Touch ID
const credential = await navigator.credentials.create({
publicKey: {
challenge: Bytes32('0x0000000000000000000000000000000000000000000000000000000000000001'),
rp: { name: 'My DApp' },
user: { id: userId, name: 'alice@example.com', displayName: 'Alice' },
pubKeyCredParams: [{ alg: -7, type: 'public-key' }], // ES256 (P-256)
authenticatorSelection: { userVerification: 'required' },
},
});
// Extract P-256 public key from credential
const publicKey = extractP256Key(credential);
// Verify WebAuthn signature
const isValid = P256.verify(signature, messageHash, publicKey);
Account Abstraction (Both)
Traditional EOA (secp256k1):
// Validate signature with ecrecover
address signer = ecrecover(messageHash, v, r, s);
require(signer == owner, "Invalid signature");
// Validate P-256 signature (proposed precompile at 0x100)
bool valid = verifyP256(messageHash, r, s, publicKey.x, publicKey.y);
require(valid, "Invalid passkey signature");
Migration Considerations
From Secp256k1 to P-256
Challenges:
- ❌ Different curves (not compatible)
- ❌ Requires smart contract wallet (EOAs are secp256k1 only)
- ❌ Limited L1 support (RIP-7212 not yet deployed)
Opportunities:
- ✅ Hardware wallet support (YubiKey, Secure Enclave)
- ✅ Passwordless authentication (WebAuthn)
- ✅ Enterprise compliance (FIPS)
Hybrid Approach
Account abstraction with multiple signers:
contract MultiSigWallet {
address public secp256k1Owner; // Traditional
P256PublicKey public p256Owner; // Passkey
function execute(bytes calldata data, bytes calldata signature, SignatureType sigType)
external
{
if (sigType == SignatureType.Secp256k1) {
// Validate secp256k1 (ecrecover)
require(validateSecp256k1(data, signature, secp256k1Owner));
} else if (sigType == SignatureType.P256) {
// Validate P-256 (RIP-7212 precompile)
require(validateP256(data, signature, p256Owner));
}
// Execute transaction
(bool success, ) = target.call(data);
require(success);
}
}
- Secp256k1 for compatibility
- P-256 for UX (Face ID, Touch ID)
- Graceful degradation
Recommendations
For Ethereum DApps
Transaction signing:
- ✅ Use secp256k1 (required for EOAs)
- ⚠️ Consider P-256 for smart contract wallets (future)
Off-chain authentication:
- ✅ secp256k1 for wallet compatibility (EIP-191, EIP-712)
- ✅ P-256 for WebAuthn/passkeys (better UX)
For Enterprise Applications
Government/regulated:
- ✅ Use P-256 (FIPS compliance required)
- ❌ Avoid secp256k1 (not FIPS-approved)
Public blockchain:
- ✅ Use secp256k1 (universal support)
For Mobile/Web Apps
iOS app:
- ✅ Use P-256 (Secure Enclave)
- ⚠️ secp256k1 for Ethereum compatibility
Web app:
- ✅ Use P-256 (WebAuthn, WebCrypto API)
- ✅ secp256k1 for Web3 wallet integration
Progressive approach:
- Secp256k1 for blockchain operations
- P-256 for user authentication
- Bridge the two via smart contract wallet
Future Outlook
RIP-7212: P-256 Precompile
Status: Proposed for Ethereum L1
Precompile address: 0x100
Impact:
- ✅ On-chain P-256 verification (3000 gas)
- ✅ Enables passkey-based smart wallets
- ✅ Hardware wallet integration (YubiKey)
Timeline: Likely inclusion in future hard fork
Account Abstraction (EIP-4337)
Trend: Move toward smart contract wallets
Implication:
- Signature scheme flexibility
- Support for multiple curves (secp256k1 + P-256)
- Hardware-based authentication
Post-Quantum Cryptography
Both curves vulnerable to quantum computers:
- Shor’s algorithm breaks ECDLP
- Estimated 10-20 years until threat
Future migration:
- NIST post-quantum standards (CRYSTALS, etc.)
- Hybrid classical + post-quantum schemes
Conclusion
| Criterion | Winner |
|---|
| Ethereum compatibility | Secp256k1 |
| Hardware wallet support | P-256 |
| Software performance | Secp256k1 (slight) |
| Hardware acceleration | P-256 |
| Standardization | P-256 (NIST/FIPS) |
| Ecosystem maturity | Tie (both widely used) |
| Security | Tie (both 128-bit secure) |
| Future-proofing | P-256 (broader adoption) |
- Ethereum-native apps: Secp256k1 (required)
- Modern web/mobile: P-256 (better UX)
- Enterprise: P-256 (compliance)
- Hybrid/AA: Both (best of both worlds)
