Hash-Based Signatures for Bitcoin's Post-Quantum Future

Dec 8 - Dec 8, 2025

  • The ongoing dialogue among Bitcoin developers and researchers is centered on enhancing the cryptocurrency's security against quantum computing threats, with a focus on post-quantum cryptographic solutions.

Hash-based schemes, especially SPHINCS+, have emerged as a promising option because they rely on the well-established security of hash functions like SHA-256, which is already integral to Bitcoin's design. Although their signatures are larger than current standards, optimizations are being explored to make them more practical for Bitcoin's use case without compromising security or efficiency.

A comprehensive analysis of these schemes, including detailed technical insights into parameter selections and security considerations, has been made available in a report (https://eprint.iacr.org/2025/2203.pdf), with supporting scripts hosted on GitHub (https://github.com/BlockstreamResearch/SPHINCS-Parameters). These documents outline how adjustments to the number of allowable signatures could lead to significantly reduced signature sizes, thereby addressing one of the primary challenges associated with hash-based signatures. Furthermore, hash-based schemes offer one of the smallest public key sizes, crucial for maintaining manageable blockchain storage and transmission requirements.
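The trade-off between the signature limit and the signature size described above, as an added example that is not taken from the report or its scripts: it applies the standard SPHINCS+ signature-size formula and a Poisson approximation of the FORS few-time forgery bound. The reduced set (h=40, d=5, capped at 2^40 signatures) is constructed for illustration and is not a parameter set from the report; the function names are hypothetical.

```python
import math

def wots_len(n, w=16):
    """Number of n-byte chains in one WOTS+ signature (message + checksum)."""
    len1 = math.ceil(8 * n / math.log2(w))
    len2 = math.floor(math.log2(len1 * (w - 1)) / math.log2(w)) + 1
    return len1 + len2

def sig_bytes(n, h, d, a, k, w=16):
    """SPHINCS+ signature size: randomizer + FORS + d WOTS+ sigs + auth paths."""
    return n * (1 + k * (a + 1) + h + d * wots_len(n, w))

def fors_security_bits(h, a, k, log2_q, max_reuse=200):
    """-log2 of the per-hash-query forgery probability after 2^log2_q signatures.

    gamma = number of earlier signatures that landed on the same FORS
    instance, modelled as Poisson(q / 2^h) (assumption: an approximation of
    the binomial in the SPHINCS+ analysis, valid while q is not far above 2^h).
    """
    lam = 2.0 ** (log2_q - h)
    revealed = -math.log1p(-(2.0 ** -a))   # -ln(1 - 1/2^a)
    pois, total = math.exp(-lam), 0.0
    for gamma in range(1, max_reuse + 1):
        pois *= lam / gamma
        # chance that all k target leaves were already revealed
        total += pois * (-math.expm1(-gamma * revealed)) ** k
    return -math.log2(total)

def smallest_k(h, a, log2_q, target_bits=128):
    """Fewest FORS trees that keep the bound at or above target_bits."""
    k = 1
    while fors_security_bits(h, a, k, log2_q) < target_bits:
        k += 1
    return k

if __name__ == "__main__":
    # SPHINCS+-128s: n=16, h=63, d=7, a=12, k=14, rated for 2^64 signatures.
    print("128s:", sig_bytes(16, 63, 7, 12, 14), "bytes,",
          round(fors_security_bits(63, 12, 14, 64), 1), "bits")
    # Constructed set (not from the report): cap usage at 2^40 signatures.
    h, d, a = 40, 5, 12
    k = smallest_k(h, a, 40)
    print("2^40 cap:", sig_bytes(16, h, d, a, k), "bytes, k =", k, ",",
          round(fors_security_bits(h, a, k, 40), 1), "bits")
```

The bound covers only the FORS reuse term, which is the part of the security estimate that depends on the number of signatures; the hash output length n caps the overall level independently.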

Another critical aspect under discussion is the choice between stateless and stateful schemes, with the former offering simplicity and ease of operation and the latter potentially delivering better performance at the cost of operational complexity. The integration of hash-based schemes within Hierarchical Deterministic Wallets also presents specific challenges, particularly regarding efficient public child key derivation.

The discourse extends to evaluating the potential of multi-signature, distributed, and threshold-signature approaches within a post-quantum context. However, current methods either do not provide significant advantages over traditional techniques or require a trusted intermediary, which limits their applicability.

The conversation around signature and public key sizes emphasizes the need for a careful balance between security and practicality, especially when considering the verification costs and overall block capacity of Bitcoin. Advanced cryptographic solutions, such as combining threshold Schnorr signatures with post-quantum schemes, are being explored to create hybrid security models that cater to different security needs and hardware capabilities.

Developers and researchers are encouraged to participate in this critical discussion, focusing on the practicality of implementing these post-quantum cryptographic solutions in Bitcoin. This includes considerations on performance requirements across various hardware platforms, the feasibility of standardizing multiple schemes to accommodate different signature limits, and the examination of both stateful and stateless schemes' potential benefits and drawbacks.

In parallel discussions, there's interest in exploring the possibilities of lattice-based schemes and other cryptographic assumptions for post-quantum security. The idea of limiting the number of signatures to optimize parameter sets, even if it means deviating from standardized schemes, suggests a willingness to adapt and innovate to ensure Bitcoin's resilience against quantum computing threats. This includes contemplating modifications that might diverge from established standards but could offer significant savings in terms of signature sizes and implementation complexity.


Message History

2 messages

Hash-Based Signatures for Bitcoin's Post-Quantum Future
Mikhail Kudinov (Original Post), Dec 8, 2025/20:28 UTC
Greg Maxwell, Dec 8, 2025/21:50 UTC