Hash-Based Signatures for Bitcoin's Post-Quantum Future

Posted by 'Mikhail Kudinov'

Dec 8, 2025/20:28 UTC

The exploration of post-quantum cryptographic solutions for Bitcoin has intensified, with hash-based schemes emerging as a primary focus because their security rests only on the well-studied hash functions, such as SHA-256, that Bitcoin already depends on. These schemes are conceptually straightforward and were rigorously analyzed during the National Institute of Standards and Technology (NIST) post-quantum standardization process, which adds confidence in their robustness against quantum attacks. One significant challenge with hash-based signatures such as SPHINCS+ is their relatively large signature size. Through various optimizations, however, signatures can be made considerably smaller without compromising security or efficiency. For instance, limiting the number of signatures a key may produce yields more manageable signature sizes, making the schemes more practical for Bitcoin's use case. The detailed technical insights into these schemes, including parameter selections and security considerations, are documented comprehensively in a report available at https://eprint.iacr.org/2025/2203.pdf, alongside supporting scripts found at https://github.com/BlockstreamResearch/SPHINCS-Parameters.

Notably, hash-based schemes offer one of the smallest public key sizes, approximately 256 bits, which is crucial for keeping the blockchain's storage and transmission requirements manageable. This advantage is significant when compared to other post-quantum signature schemes. Furthermore, the verification cost per byte of these optimized hash-based signatures is comparable to that of current Schnorr signatures, mitigating concerns related to blockchain validation overheads. From a security perspective, aiming for NIST Level 1 (128-bit security) appears adequate, considering the substantial computational resources required for quantum attacks.

A pivotal consideration for integrating these cryptographic advancements into Bitcoin is deciding between stateless and stateful schemes. Stateless schemes, where the secret key remains constant across signatures, are simpler and less operationally complex. In contrast, stateful schemes, despite the operational burden of tracking which one-time keys have been used, could potentially offer better performance. Applying hash-based schemes within Hierarchical Deterministic Wallets presents its own set of challenges, particularly efficient public child key derivation. Moreover, when evaluating multi-signature, distributed, and threshold-signature approaches, it becomes evident that current methods either offer no significant advantage over traditional methods or require a trusted intermediary, which could limit their applicability.
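The stateful versus stateless distinction and the 256-bit public key mentioned above can be made concrete with a toy hash-based scheme. The following is an added Python example, not code from the report or from the SPHINCS-Parameters repository: a Lamport one-time signature over SHA-256, and a small stateful few-time scheme that places several Lamport keys under one Merkle root, so the public key is the 32-byte root and the signer must persist `next_index` to guarantee that no one-time key is ever used twice (all names and the tree height are choices made for this illustration).

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

N = 256  # bits of the message digest; one secret pair per bit

def lamport_keygen():
    # Secret key: 2 x 256 random 32-byte values; public key: their SHA-256 hashes.
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(N)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    # Reveal, for each digest bit, the secret matching that bit. ONE-TIME USE ONLY:
    # a second message reveals more secrets and lets anyone forge mixtures.
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (N - 1 - i)) & 1] for i in range(N)]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(d >> (N - 1 - i)) & 1] for i in range(N))

def pk_digest(pk) -> bytes:
    # Compress a 16 KiB Lamport public key into a 32-byte Merkle leaf.
    return H(b"".join(a + b for a, b in pk))

class MerkleFewTime:
    """Stateful few-time scheme: 2**height Lamport keys under one 32-byte root."""
    def __init__(self, height: int):
        self.leaves = 1 << height
        self.sks, self.pks = zip(*(lamport_keygen() for _ in range(self.leaves)))
        self.layers = [[pk_digest(pk) for pk in self.pks]]
        while len(self.layers[-1]) > 1:
            prev = self.layers[-1]
            self.layers.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
        self.root = self.layers[-1][0]   # the public key: 256 bits
        self.next_index = 0              # the STATE: must survive restarts and backups

    def sign(self, msg: bytes):
        if self.next_index >= self.leaves:
            raise RuntimeError("key exhausted: every one-time key has been used")
        i = self.next_index
        self.next_index += 1             # advance state before releasing the signature
        auth, idx = [], i
        for layer in self.layers[:-1]:   # sibling hashes from leaf up to the root
            auth.append(layer[idx ^ 1])
            idx >>= 1
        return i, self.pks[i], lamport_sign(self.sks[i], msg), auth

def verify(root: bytes, msg: bytes, sig) -> bool:
    i, pk, ots, auth = sig
    if not lamport_verify(pk, msg, ots):
        return False
    node = pk_digest(pk)
    for sibling in auth:                 # recompute the path to the root
        node = H(node + sibling) if i % 2 == 0 else H(sibling + node)
        i >>= 1
    return node == root
```

Losing or rolling back `next_index` (for example by restoring an old wallet backup) is exactly the operational hazard that makes stateful schemes harder to deploy than stateless ones.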

This analysis invites the Bitcoin community to engage in a constructive dialogue regarding the practicality of these post-quantum cryptographic solutions, focusing on performance requirements across different hardware platforms, the feasibility of standardizing multiple schemes to cater to varying signature limits, and the potential benefits and drawbacks of incorporating stateful schemes alongside stateless ones. The ongoing discourse aims to fortify Bitcoin's long-term security resilience in anticipation of quantum computing advancements.
