From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Thu, 21 May 2026 03:00:17 -0700 Received: from mail-ot1-f56.google.com ([209.85.210.56]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1wQ0CP-0007bD-0U for bitcoindev@gnusha.org; Thu, 21 May 2026 03:00:17 -0700 Received: by mail-ot1-f56.google.com with SMTP id 46e09a7af769-7dcd9061254sf24524a34.0 for ; Thu, 21 May 2026 03:00:16 -0700 (PDT) ARC-Seal: i=3; a=rsa-sha256; t=1779357611; cv=pass; d=google.com; s=arc-20240605; b=T/vmn5gILpresSOqh+E/ANZTitzJNNZUan8yd1rnzmz+EyWzmGZjsSPvZ3Z47DSna7 /+414h7ulUqPSR+BnaDxE2OcVmr8QCDURWrpP65yLgLWP+phtVKaCZef2HDGFSVMBmA0 zjpOyBy/l1wfpEgBr+QXHsSjSqBxxnUnz4aX3lX5jWd+SMU9d8IDpOBiPj6p+27O9vos TmZ6LJLruc8nz2mep7VX9uwD8PER5jsBLhPRA/3a9v0DO4p6ON5Hbqzgv15UHxxXBckk zh6t+FJqzyhTIOjG1FSFC+f+GKH06GY1PBfi/0LVKIu0P1AVFAkEURNpWEUGGx7joBbK Ga8g== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:cc:to:subject:message-id :date:from:in-reply-to:references:mime-version:dkim-signature; bh=xl5FefFKdfH86JUrR+iexYOzmy18nadbWXpRNQ202oQ=; fh=2LirtG5GI7j5UaDPvhNJ7CzmZEqsloWyvOdkHXKjWb4=; b=JjfF18w/Pg0oexfVAAeOwamuBTHf5mdeyd23zdbGZpnPG+PivUlqdW+jdtrR1Vra5P DTBMus9M297n45CQrgHu06dQguh1FPAxCN7jWPrjqmK0T9NB1i2DfRZcg3dMhDMNX0sc wvi1yMHNKHrgdLSWqC+LF5fabj3YK1KXxEYKhzo/cWLR2RrH8A598SZ65mRIS6B4YQJB o5QQzpH2/7U72/aAEfBPzZ3GRrJR87PmcKxyAP7tcu1GYC/NW2QcEWS5Dr07/3J2WFUB a8iu/4KeVYPsMakdWuJTX9nMP4/IGIF8k08kTCHd8bYGUoiRX/rfVJvDlm+/ASdiQ05q sYPQ==; darn=gnusha.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@blockstream.com header.s=google header.b=T4yNE95G; arc=pass (i=1); spf=pass (google.com: domain of mkudinov@blockstream.com designates 2a00:1450:4864:20::235 as permitted sender) smtp.mailfrom=mkudinov@blockstream.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=blockstream.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20251104; t=1779357611; x=1779962411; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version:from:to:cc :subject:date:message-id:reply-to; bh=xl5FefFKdfH86JUrR+iexYOzmy18nadbWXpRNQ202oQ=; b=HpQ/2OdrL7syJfyCeBE5l3fV2EOb9EFou910Aj+xzWfk8j5+gtvIDQMrp4/xT6171H 1zvDF3sD5aTR1gRvAxj96PbCZIki3tNJrhXDmrp92Ly3mA1NmLGuT2C2JGqXpKLa7Hlp THTkfiJSaDq8i3Z157Hb/QEiubEtackM4ic2zv0ULEIRgEpoBKQ9kQ5kha+evfDwOEtq htf9bjl8bZCw7JslwVVgpXynRyJs66v6CZq9AXglEe6YDxhPC9PqrKQvlyYm1HIwicid 5/jXnTS1zffGbTSESfwp7QK60pb8fJKkVD6JOtKs9lKPwlIUrjoeXZ5IN6iC3B9fmMBn ZOmQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779357611; x=1779962411; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version:x-gm-gg :x-beenthere:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=xl5FefFKdfH86JUrR+iexYOzmy18nadbWXpRNQ202oQ=; b=Aq0KUg1xyyg71LaQsKQAjqWfGLJZX8FTKjQ7GcX+VQoeVQx0+pmznOEkJ+sRXC+rGM hDun7XTvCZOWzHUjrIeKnfHbOolh3NfaOBBrEV8hhrMCKV+mKLdW9jwTlYtjw+2yNi6M iaKtYNLgd5Inme3bB6QdLzWf6mk8M3Bls4YmFySIBJYf3YOVcJZQIEXr1uslYhBnj3g7 neIB0WrrXsZMerkwzhapwpudMipemfPJ/JND8e1eQn6L/FvBqHlTJsOvNWXvINb2+JpI roBuvu5Lww8tUCBuKOZy0I4i2vQU20jqROpCVmQRGJW1h3y6HObYyXJXXOwFMdDGmxcE OCZg== X-Forwarded-Encrypted: i=3; AFNElJ+crKa6Cabncyo1sUTvwBwbONeE5cRXqnqjeqWRO54vDQaCLS0OLwd7si9Sk179OkDHiddSIrj64Teo@gnusha.org X-Gm-Message-State: AOJu0Yx9okVYr9tf6ZMHbLrZ9z/6lUPtfSiNhDMuZnsFC+t7b22Tapz+ y2+3PAOzionl9dxTuiW28Iuv0LwVqDeiOpQZ4ixg9dTrxDbLx+M2acPY X-Received: by 2002:a05:6820:1c93:b0:696:7f04:ec8e with SMTP id 006d021491bc7-69d6ef4cf7cmr817134eaf.60.1779357610548; Thu, 21 May 2026 03:00:10 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h="AUV6zMPTQSNepHNxJqTT2XzEmdd3phItggFkg/yOQ2+iDY08pg==" Received: by 2002:a05:6870:8254:b0:435:94c4:30a8 with SMTP id 586e51a60fabf-43a01d5b7dbls6908310fac.1.-pod-prod-08-us; Thu, 21 May 2026 03:00:05 -0700 (PDT) X-Received: by 2002:a54:438e:0:b0:45e:f0af:5148 with SMTP id 5614622812f47-4852ed76579mr807145b6e.30.1779357605846; Thu, 21 May 2026 03:00:05 -0700 (PDT) Received: by 2002:a05:600d:8446:10b0:485:53e3:ec5e with SMTP id 5b1f17b1804b1-48fc9147e3fms5e9; Thu, 21 May 2026 02:55:01 -0700 (PDT) X-Received: by 2002:a05:600c:1f89:b0:488:d6eb:e63c with SMTP id 5b1f17b1804b1-4903607fd11mr26817555e9.15.1779357299603; Thu, 21 May 2026 02:54:59 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1779357299; cv=pass; d=google.com; s=arc-20240605; b=V3KdzaWmet0AxRCUsBOp9DwCBVIvUl4/oy5XwdF0NTlFQe2j056ITAFl0hpfadey+e Fytuo43f9VLv/pg6u098IPNgwsLkkh2dp2+/wu2CzryksHAG0SVqimtpVy+sEgpGQt1e NIQ/uK5GfqAzAflqrNghQlKtUrUZNBVVY2dS8MDwh4Zaxl5TaiV/fu9uz9FRkoIP+UFE uKGGA/7R5WuslV3kLkHxhjIdafWQM/68IKgpsbg+RAsjJqO+MPQxvoOwibPBnWjIiVHa m2os9G61eOrXPSIK9f+Do/Wp8F8qMduI4XMBFAAmYYL2+lqds+eyjbNo/aKILFfW6wMw eoaA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=YcsfptFgbkxbgd9ENqDipUTc2NAN7zrxnUF76uk+jbs=; fh=aLCQdAC+qOlZswv4b2ODrS4x1FFLLH6Bw8xxp+OpW+E=; b=WC/i+kXLQj64bQvMKeMJ73Y55xEc4wRCqgiOd4yFGicnvcJh3M8U/hJJCaPmW0yP7B vIGSGMFklJWC9K5GJFJk24jwdO+oolN8O/9v1vE+hMfcGla1uC3OSgOCzz4/fshAgc/s X6qrsCjnydqDnouqDos7VoXG4folYcYWB07Uegqx6KogmVlQZm0WdwFm/vCx1Uk7OEmx qmOAJL0jrRxMqpWrJcnJ2bFo8GxsTO0QDwvaj6nHVhfLXVKkn35+LV4VmIBRshk4r0/T 9rdxJJukerDOC1MCSEOkLliYoJ9mdeut8RV+c1Fnq8ex7D0donM0towDRSw+4x8480o1 nxQg==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@blockstream.com header.s=google header.b=T4yNE95G; arc=pass (i=1); spf=pass (google.com: domain of mkudinov@blockstream.com designates 2a00:1450:4864:20::235 as permitted sender) smtp.mailfrom=mkudinov@blockstream.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=blockstream.com; dara=pass header.i=@googlegroups.com Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com. [2a00:1450:4864:20::235]) by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-4903c9d3ec0si110175e9.1.2026.05.21.02.54.59 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 21 May 2026 02:54:59 -0700 (PDT) Received-SPF: pass (google.com: domain of mkudinov@blockstream.com designates 2a00:1450:4864:20::235 as permitted sender) client-ip=2a00:1450:4864:20::235; Received: by mail-lj1-x235.google.com with SMTP id 38308e7fff4ca-393841c70a2so6490241fa.2 for ; Thu, 21 May 2026 02:54:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1779357299; cv=none; d=google.com; s=arc-20240605; b=bXiFUjW1kulY8C3bNSkdgV3qSeRn8cVjKDANiWFnu7feJk1gtwb9525fODufppw154 UuCP/hxRauWVxxgLVGE8Qf9dDEwEsVQWS2WLfGL0xh4n0B96kFSbr0d62KbqykxvCQo3 CWoBJiBcL1oe+Rkz4M21XO5whV0jNQxDm4JRWYIFMkU+Wlru16O9iEKfUMg5TtUT1F2k 2EeFKzzlvRSJ/YTVP9NfErjyehYPQ7KHr32baoZQJ7du3gaKUZr8fPaebdyWPu0weK5r 8Atl1w7QVirGJc4+d5+ddSp5aSLmbk8pPCK3b/L7p76Nowns8JyxNYW4dd16ix59b78q A5uw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=YcsfptFgbkxbgd9ENqDipUTc2NAN7zrxnUF76uk+jbs=; fh=aLCQdAC+qOlZswv4b2ODrS4x1FFLLH6Bw8xxp+OpW+E=; b=He21ZYUX79XnMUf/5GpSRCx5US9ELQoB8OaWq+NmbIuKStg1Q166S0OVK1OwU3O+vl Ub/N2PgGGIWvr0b+6J+jPBk/fbrXRSLrkHJ9f5CFtf1F07E93XJ9ACjKM/nv6zGyjNrI Tb+z1xKdYWEE//vTw5nUW1iakZNXi731/d8prHxZ7dVMsYFkoDja1854NK7qCAEAr2Dl rAyM3G7EIcSSm2IAmIQzdTxFrJtTv8O1pMx10iEC/6RL4Phm15nRma5i4NlHCfv5yJBU FZQDim77ndTv8vHs8ovh0quMFx4cCS7NIH6+qGLokL4NQwiWxAdz6u/2m3+oJ1lGMDzS dLJg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; arc=none X-Gm-Gg: Acq92OFdR1cuKccCC4pZElO4L0SJ+Z0pJlsrbgtR1mp+shqO61ktVa5jzRzxrTGiC8y 0k2ZTqceXb4OH+fVl+evK8Zox+bZGFut2cA1ZlHY+tPqvRkNo6EctVfkWDklZU/M7+nO790tjSw kuAMrYMWsbkaY7rK4NYf5GWYgHZLYKyK3qWketvY3C02dWZZm40xc4lEn2vYjMaFCi9+Fax+gYK C38BqPKi3vDGOS9IG2wVlLwMc0sftMrMoz/b2TeqehILqzzYOIof7oHxeTZp1QO+Qr7p2FGG6FD tynkpwSzeJjBFThfC8zZiP85TC9B4YeJMhugAbUUzdF4 X-Received: by 2002:a2e:a590:0:b0:38e:861b:de9f with SMTP id 38308e7fff4ca-395ca6c3a62mr3218091fa.7.1779357298714; Thu, 21 May 2026 02:54:58 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "'Mikhail Kudinov' via Bitcoin Development Mailing List" Date: Thu, 21 May 2026 11:54:46 +0200 X-Gm-Features: AVHnY4L_Ks1aNSZSjL7taUKi-_m4JGijESDk5qz5xphacMTI0F6vmGVEC5MQPtQ Message-ID: Subject: Re: [bitcoindev] One Time Signatures as an Advantage? To: Jason Resch Cc: Bitcoin Development Mailing List Content-Type: multipart/alternative; boundary="000000000000b7fb42065250e759" X-Original-Sender: mkudinov@blockstream.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@blockstream.com header.s=google header.b=T4yNE95G; arc=pass (i=1); spf=pass (google.com: domain of mkudinov@blockstream.com designates 2a00:1450:4864:20::235 as permitted sender) smtp.mailfrom=mkudinov@blockstream.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=blockstream.com; dara=pass header.i=@googlegroups.com X-Original-From: Mikhail Kudinov Reply-To: Mikhail Kudinov Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -1.0 (-) --000000000000b7fb42065250e759 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Stateful hash-based schemes have been recommended by NIST. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf . Also you might be interested to read about SHRINCS: https://delvingbitcoin.org/t/shrincs-324-byte-stateful-post-quantum-signatu= res-with-static-backups/2158 . Best, Mikhail On Wed, May 20, 2026 at 7:44=E2=80=AFPM Jason Resch = wrote: > NIST is standardizing SLH-DSA as a stateless, post-quantum-secure > hash-based signature scheme. However, to achieve the stateless feature of > being able to sign multiple messages, requires a significant size overhea= d. > > SLH-DSA (for parameters n=3D16, w=3D16) results in signatures that are 7,= 888 > bytes long. > > However, if statelessness isn't required, and this can be reduced to 900 > bytes for something like XMSS using the same parameters. > > Furthermore, if multiple signings per key are dropped as a requirement, > and "one time signatures" are used (e.g. WOTS+) then this size reduces > further to 560 bytes. > > This is a ~14=C3=97 reduction in signature size for a feature that Bitcoi= n > transactions not only don't need, but are strongly discouraged if not > harmful. Using the same key more than once is only required if one is > reusing the same address (discouraged), or if one is attempting some kind > of double-spend attack. > > This could be seen as a sort of advantage: if one attempts to > double-spend, they may expose their private key. This same property was a= n > element of Chaum's digital cash: attempting to double-spend exposed you. > > Is there any advocacy for NIST to standardize stateful or one-time-use > signature algorithms? They seem well-suited to the block-chain use case, > where there is always global and persistent state, and keys ought not be > re-used. Though this needs to be carefully managed by wallet software: to > only expose a one-time-use address to handle a single transaction with a > single payer, and never use a OTS address for any kind of public-facing o= r > long-term donation address. Perhaps this complication makes OTS not worth > introducing generally, but their space saving properties are attractive. > > Jason > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/d3648bd4-03d3-4b98-92bf-d845= 302be349n%40googlegroups.com > > . > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CAPcK4uTy3Rj6NxhQPQhY0Ps8JFH1S8bDj29PW7autqTYhH4-kw%40mail.gmail.com. --000000000000b7fb42065250e759 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Stateful hash-based schemes have been recommended=C2= =A0by NIST. See=C2=A0https://nvlpubs.nist.gov/nistpubs/SpecialPu= blications/NIST.SP.800-208.pdf .=C2=A0Also you might be interested to r= ead about SHRINCS:=C2=A0https://de= lvingbitcoin.org/t/shrincs-324-byte-stateful-post-quantum-signatures-with-s= tatic-backups/2158.

Best,
Mikhail


On Wed, May 20, 2026 at 7:44=E2=80=AFPM Jason Resch <jasonresch@gmail.com> wrote:
NIST is standardizing SLH-DSA as= a stateless, post-quantum-secure hash-based signature scheme. However, to = achieve the stateless feature of being able to sign multiple messages, requ= ires a significant size overhead.

SLH-DSA (for parameter= s n=3D16, w=3D16) results in signatures that are 7,888 bytes long.

However, if statelessness isn't required, and this can= be reduced to 900 bytes for something like XMSS using the same parameters.=

Furthermore, if multiple signings per key are dro= pped as a requirement, and "one time signatures" are used (e.g. W= OTS+) then this size reduces further to 560 bytes.

This is a ~14=C3=97 reduction in signature size for a feature that Bitcoin= transactions not only don't need, but are strongly discouraged if not = harmful. Using the same key more than once is only required if one is reusi= ng the same address (discouraged), or if one is attempting some kind of dou= ble-spend attack.

This could be seen as a sort of = advantage: if one attempts to double-spend, they may expose their private k= ey. This same property was an element of Chaum's digital cash: attempti= ng to double-spend exposed you.

Is there any advoc= acy for NIST to standardize stateful or one-time-use signature algorithms? = They seem well-suited to the block-chain use case, where there is always gl= obal and persistent state, and keys ought not be re-used. Though this needs= to be carefully managed by wallet software: to only expose a one-time-use = address to handle a single transaction with a single payer, and never use a= OTS address for any kind of public-facing or long-term donation address. P= erhaps this complication makes OTS not worth introducing generally, but the= ir space saving properties are attractive.

Jason

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.googl= e.com/d/msgid/bitcoindev/d3648bd4-03d3-4b98-92bf-d845302be349n%40googlegrou= ps.com.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/ms= gid/bitcoindev/CAPcK4uTy3Rj6NxhQPQhY0Ps8JFH1S8bDj29PW7autqTYhH4-kw%40mail.g= mail.com.
--000000000000b7fb42065250e759--