On 2/23/26 4:42 PM, Ethan Heilman wrote:
>> I thought "tweaking", in general, is lost in SPHINCS, as well as multiparty sigs. Be interested
>> to see those solutions. But, regardless, 17kb sigs are... not compatible with a decentralized
>> bitcoin, imo. Lattice-sigs are the only reasonable PQ way forward and they aren't ready yet.
> SPHINCS is ~8kb (7,888 bytes), not 17kb.
> SPHINCS SLH-DSA-128s has 32-byte public keys and 7,856-byte signatures.
> Total size of 7,888 bytes, not 17kb.
> The Lattice sigs aren't that much better than SPHINCS:
> CRYSTALS-Dilithium ML-DSA has 1,312-byte public keys and 2,420-byte signatures.
> Total size of 3,732 bytes.
> Falcon has 897-byte public keys and 666-byte signatures.
> Total size of 1,563 bytes.
> ML-DSA currently has the most support in the Lattice world, but it is still too large to be a drop-in
> replacement for ECC without a witness discount. If we had to choose tomorrow, I'd advocate for
> ML-DSA with a massive witness discount, but I'd be very unhappy with the witness discount. If the
> witness discount was out of the question, then I'd advocate for something similar to the 324-byte
> stateful hash-based SHRINCS signature. Neither is ideal.
> My current thinking is to use SLH-DSA as a backup. This keeps us safe if everything goes wrong and
> allows us to reach safety early so we can take time to determine the right drop-in replacement for
> ECC. Hopefully in 3 years, SQI-sign is fast enough to be considered.
Why not just do SHRINCS today? The cost to use it in "stateless mode" is only marginally higher than
other stateless hash-based signatures, and wallets can elect to use the stateful mode at signing
time if they're set up for it.
Matt
--
You received this message because you are subscribed to the Google Groups "Bitcoin
Development Mailing List" group.
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/1ee30c09-ca46-404f-a9f4-2ff8ff6a2c0b%40mattcorallo.com.