Hash-Based Signatures for Bitcoin's Post-Quantum Future

Posted by Jonas Nick

Dec 10, 2025/15:55 UTC

The email highlights an ongoing discussion about the design considerations for cryptographic signature schemes, specifically focusing on the trade-offs between using optimized schemes versus tweaking parameters within standardized variants like SLH-DSA. The sender points out that opting for optimized schemes, such as WOTS+C + PORS+FP, can significantly reduce signature size by 16% to 18% compared to the size-optimized versions of SPHINCS+, particularly for a maximum of 2^40 signatures. This information underscores the potential benefits of exploring beyond mere parameter adjustments in cryptographic designs.

Furthermore, the conversation touches upon the implications of integrating lattice-based signature schemes into systems like Bitcoin, contrasting them with hash-based signature schemes. The sender argues that if Bitcoin were to adopt a lattice-based signature scheme, it might necessitate a custom approach to fully exploit features like public key derivation, multi/threshold signatures, and silent payments. This perspective suggests that both lattice and hash-based signature schemes could benefit from customization to meet advanced requirements, rather than strictly adhering to existing standards.

The email also reflects on the sender's motivations and findings from a project conducted with a colleague named Mike, who has extensive research experience in hash-based signatures. They have explored whether variants of hash-based signature schemes could be effectively adapted for advanced cryptographic constructions, such as Hierarchical Deterministic (HD) wallets or multi-signatures. However, their research appears to culminate in a somewhat negative result, indicating that current hash-based signature scheme variants may not sufficiently cater to these advanced needs.

Lastly, the sender expresses skepticism regarding the widespread adoption of ML-DSA over SLH-DSA, questioning the assertion that 99% of users would prefer ML-DSA based on its similar signature size and potential advantages in verification time alone. They hint at a desire to see comparative performance data for ML-DSA, especially given its relevance to the discussion on optimizing cryptographic schemes for better performance and functionality.
