From: "'conduition' via Bitcoin Development Mailing List"
To: Isabel Foxen Duke
Cc: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] PQC: Lattice-based signatures
Date: Thu, 21 May 2026 19:16:50 +0000
Message-ID: <673BCz5V_RyCwtNI8IxXeDdauWVmQm9MTvtZ97_2ADXzWZNT9bLJsTx1fli-PEb1-cNIi4nCCS-BIsDP1GBMaldfMSWGBHDKl7bFZWf7T6U=@proton.me>
In-Reply-To: <42faeb16-5d01-41ba-a192-e05936b84248n@googlegroups.com>

Hey Isabel,

I watched the interview, very cool stuff. I loved seeing Dan dodge your question about the mysterious "restrictions" google was under (hello NSA).

Dan is right that lattice-based crypto offers the promise of algebraic structure, whereas hash-based crypto offers none. Having open research avenues towards goals like threshold signatures is a great thing. Yet the promise of the algebraic structure in lattices hasn't materialized into anything usable. At least, there are no schemes - yet - which tick the boxes we need. At best we have hope for future developments. Lattice threshold and key-rerandomization schemes will likely improve from where they are now, but until proven otherwise we should make choices about consensus based on what we have, not what we hope we will have someday.

Also, in the interview Dan acted as though deploying hash-based signatures would preclude the deployment of lattice crypto later. It doesn't. If we deploy a more cutting-edge cryptosystem like HAWK or SQIsign, it will be once we have suitably flexible and compact schemes ready to build atop it, and when that happens we will still be glad to have hash-based crypto as a backstop in case the cutting-edge assumptions (or implementations) are busted.

regards,
conduition

On Wednesday, May 20th, 2026 at 3:47 PM, Isabel Foxen Duke <isabel.duke@gmail.com> wrote:

> FWIW —
>
> "I would actually like to push for lattice-based signatures..." says Dan Boneh in new interview out this morning (1:11:00)
>
> He primarily cites algebraic structure as allowing greater functionality - and is concerned that features like threshold signature schemes will be much harder to implement with hash-based signatures.
>
> -Isabel Foxen Duke
>
> On Tuesday, May 19, 2026 at 8:27:40 PM UTC-7 conduition wrote:
>
> > Hey Nikita, thanks for broaching the idea.
> >
> > I can't speak for Blockstream, but as to the spirit of your question - why people are looking at hash-based sigs more than lattices - I can think of four major reasons:
> >
> > 1. Conservatism. Hash-based signatures are incredibly conservative. They rely on strictly weaker assumptions than what we already depend on for other things. No other family of signatures can claim this property, and for something as inflexible-yet-sensitive as Bitcoin, conservatism is appealing.
> >
> > 2. Simplicity. Hash-based signatures are easier to grasp, simpler to prove secure, and easier to implement compared to almost anything else (even simpler than ECC). We Bitcoiners tend to clutch our pearls in fear of trusting flawed assumptions... but in reality most vulnerabilities are not cryptographic in nature: most are implementation failures. Hash-based sigs are harder (but not impossible) to screw up. An experienced engineer can implement FIPS-205 (SPHINCS) in a weekend, or less with AI tools. This simplicity also makes hash-based sigs easier to pitch during consensus debates: it's harder to fear something once you understand it.
> >
> > 3. Efficiency. Hash-based sigs are surprisingly fast to verify [0]. Their cost-per-byte is way lower than Schnorr. If you can bite the statefulness bullet, hash-based sigs can even be compact (and still fast). There remains some hope we might be able to use them as a daily driver if CRQCs appear faster than anticipated. This efficiency comes at a price of course, but that price is paid by the signer implementation while verifiers remain slim, quick, and secure.
> >
> > 4. Future-proofing. Because of their conservatism, hash-based sigs stand a better chance of remaining secure over a long time-frame, so it seems more likely we could rely on them to fulfill a long-term fallback role. We will likely someday need to deploy a new cryptosystem to replace ECC as a daily driver if ECDLP is broken, whether classically or by a CRQC. When/if this happens, we'll be REALLY glad we added hash-based sigs first, because then we'll have something to use if the novel scheme's assumptions (or more likely, implementation) are broken.
> >
> > This is not to say we shouldn't be researching lattices. Or isogenies, or anything else for that matter. We need to know what's possible, and to educate the community about the options we have. I'm glad to see Blockstream funding this important work. I view hash-based sigs as the first episode of a decades-long saga, but unfortunately we lack enough knowledge to know what should come next. Maybe that is lattices? Maybe something else. With time, effort, and (hopefully) funding, we shall find out.
> >
> > If I had to pen a wishlist of stuff I'd like to see from lattice crypto research, this would be it:
> >
> > - [ ] compact keys and sigs. Ideally, less than a kilobyte witness size total, but I'd be happy with at least a twofold improvement over what stateless hash-based sigs can offer.
> > - [ ] rerandomization e.g. BIP32 unhardened derivation. This has been done [1], but AFAIK it is impossible without massively expanding the sizes of keys and/or signatures.
> > - [ ] a multisignature scheme, or a threshold protocol with a DKG. Again, never seen this without massive keys and sigs, but I see no reason why it should be impossible.
> > - [ ] integer-only arithmetic. Falcon keys and sigs are smaller than ML-DSA, but it comes at the expense of complex floating point arithmetic headaches. It'd be nice if we could do away with that.
> > - [ ] signature aggregation. This is a more general wish of any PQ scheme, and if someone can do it, even with somewhat large sigs or poor performance, it might make the whole scheme way more palatable, in tandem with a CISA proposal.
> >
> > Also see this relevant delvingbitcoin thread [1] for more sources.
> >
> > regards,
> > conduition
> >
> > [0]: https://conduition.io/code/fast-slh-dsa-verification/
> > [1]: https://delvingbitcoin.org/t/post-quantum-hd-wallets-silent-payments-key-aggregation-and-threshold-signatures/1854/
> >
> > On Tuesday, May 19th, 2026 at 9:06 PM, Nikita Karetnikov wrote:
> >
> > > Dear list,
> > >
> > > I hate to contribute to the recent flood of PQC posts, but I think it’s an important issue that’s worth discussing.
> > >
> > > In particular, what I usually see is various competing proposals without a clear winner.
> > >
> > > So I’d like to bring everyone’s attention to this new post from Blockstream:
> > > https://blog.blockstream.com/schnorr-but-with-vectors-lattice-based-signatures-explained/
> > >
> > > This post is interesting because unlike a lot of PQC discussions, it actually includes a comparison table of various approaches, where lattices seem to come out ahead.
> > >
> > > This raises a few questions.
> > >
> > > Since lattices are not a new topic in cryptography, why has Blockstream focused their efforts on hash-based approaches so far?
> > > Are hashes seen as a more conservative choice?
> > >
> > > Given the problems with hashes outlined in the post, are lattices actually the current most likely candidate for a PQC implementation?
> > > If so, should the community effort be focused on lattices instead of other proposals?
> > > Or is the comparison table not telling the whole story?
> > >
> > > I’d like to hear your thoughts on the topic.
> > >
> > > Thanks,
> > > Nikita

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/673BCz5V_RyCwtNI8IxXeDdauWVmQm9MTvtZ97_2ADXzWZNT9bLJsTx1fli-PEb1-cNIi4nCCS-BIsDP1GBMaldfMSWGBHDKl7bFZWf7T6U%3D%40proton.me.
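Added example, not part of the thread above and not code from any project named in it. The reply's points about hash-based signatures (they rest only on the hash function, verification is cheap, and the "statefulness bullet" of one-time keys) are easiest to see on the simplest member of the family, a Lamport one-time signature over SHA-256; it stands in here for FIPS-205/SPHINCS+, which builds a many-time scheme out of related one-time (WOTS+) and few-time (FORS) pieces plus hypertrees. The block shows the byte cost of the naive scheme (8 KiB signature, 16 KiB public key behind a 32-byte root), that verification needs nothing but hashing, and what goes wrong when a one-time key is reused: after a handful of signatures under the same key, an attacker forges a valid signature on a message that was never signed, using only the preimages the earlier signatures revealed. The seed and all messages are constructed for the demo.

```python
import hashlib

N = 256  # bits of the SHA-256 message digest; one preimage pair per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes):
    """Lamport one-time key: 2*N secret preimages, public key is their hashes.
    Derived deterministically from a seed so the demo is reproducible; a real
    signer draws the seed from a CSPRNG (constructed demo seed below)."""
    sk = [[H(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)]
          for i in range(N)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def pk_root(pk) -> bytes:
    """32-byte commitment to the 16 KiB public key (what a script would embed)."""
    return H(b"".join(a + b for a, b in pk))


def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """For every digest bit, reveal the preimage that bit selects."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Verification is N hashes and N comparisons; no other assumption."""
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


def sig_size_bytes(sig) -> int:
    return sum(len(x) for x in sig)


def forge_from_reuse(revealed, target: bytes):
    """revealed[i][b] is the preimage for (bit i, value b) if some earlier
    signature exposed it. `target` is forgeable iff every bit of its digest
    selects an exposed preimage; then the forgery is just those preimages."""
    sig = []
    for i, b in enumerate(msg_bits(target)):
        pre = revealed[i][b]
        if pre is None:
            return None
        sig.append(pre)
    return sig


def key_reuse_demo(seed: bytes = b"constructed demo seed", reuses: int = 8,
                   tries: int = 500):
    """Sign `reuses` distinct messages with ONE Lamport key (the stateful
    failure mode), then search for an unsigned message the attacker can sign
    from the revealed preimages alone. With reuses=1 nothing is forgeable
    (that would need a SHA-256 collision); with 8 reuses each bit position is
    exposed for both values with probability 1 - 2^-7, so a random target is
    forgeable with probability about (1 - 2^-8)^256, roughly 37%."""
    sk, pk = keygen(seed)
    revealed = [[None, None] for _ in range(N)]
    signed = [b"payment %d" % k for k in range(reuses)]   # constructed messages
    for m in signed:
        bits = msg_bits(m)
        for i, pre in enumerate(sign(sk, m)):
            revealed[i][bits[i]] = pre
    exposed = sum(1 for pair in revealed for x in pair if x is not None)
    for j in range(tries):
        target = b"forged %d" % j                          # never signed
        sig = forge_from_reuse(revealed, target)
        if sig is not None:
            return {"exposed_preimages": exposed, "target": target,
                    "forged_verifies": verify(pk, target, sig)}
    return {"exposed_preimages": exposed, "target": None,
            "forged_verifies": False}


if __name__ == "__main__":
    sk, pk = keygen(b"constructed demo seed")
    s = sign(sk, b"one message only")
    print("verify:", verify(pk, b"one message only", s),
          "sig bytes:", sig_size_bytes(s), "root bytes:", len(pk_root(pk)))
    print("single use:", key_reuse_demo(reuses=1))
    print("after 8 reuses:", key_reuse_demo())
```

The size numbers are why the thread talks about compactness at all: Winternitz chaining (as in WOTS+) trades signer/verifier hashing for a several-fold smaller signature, and a Merkle tree over many one-time keys turns the "never reuse" rule into the state the signer must track, which is exactly the bullet the reply says one has to bite.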