Posted by conduition
Dec 9, 2025/05:08 UTC
Olaoluwa Osuntokun emphasizes the complexity of developing post-quantum cryptographic solutions for HD wallet derivation, highlighting the challenges posed by the lack of algebraic structure in SLH-DSA, which makes it difficult to replicate BIP32's functionality. He expresses hope for alternative methods such as using lattices (ML-DSA) or isogenies (SQIsign) for child public key derivation, though he notes the absence of solid proposals in these areas. His current focus is on isogeny crypto, considering its potential for creating a 'post quantum xpub' that combines a regular BIP32 key with post-quantum public keys, allowing the derivation of child addresses whose tap trees contain multiple signing schemes.
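To make the "algebraic structure" point concrete, here is an added example (not code from the post or from Osuntokun's work) showing the homomorphism BIP32's non-hardened public derivation relies on: a child public key can be computed from the parent public key alone, because on secp256k1 `(k + t)·G = k·G + t·G`. The child tweak below is a constructed SHA-256 stand-in for BIP32's HMAC-SHA512 output; a hash-based public key (pub = H(priv)) admits no such operation, which is why this step has no SLH-DSA analogue.

```python
import hashlib

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                      # a == -b
    if a == b:                           # doubling: tangent slope
        lam = (3 * a[0] * a[0]) * pow(2 * a[1], -1, P) % P
    else:                                # chord slope
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Scalar multiplication by double-and-add (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def child_tweak(parent_pub, index):
    """Constructed stand-in for BIP32's HMAC-SHA512-derived tweak (assumption)."""
    data = parent_pub[0].to_bytes(32, "big") + index.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def child_priv(parent_priv, index):
    """Holder of the private key: child scalar = parent scalar + tweak (mod N)."""
    return (parent_priv + child_tweak(ec_mul(parent_priv, G), index)) % N

def child_pub(parent_pub, index):
    """Watch-only side: child point = parent point + tweak*G, no secret needed."""
    return ec_add(parent_pub, ec_mul(child_tweak(parent_pub, index), G))

def derivations_agree(parent_priv=0x1111, index=7):
    """True iff pub(child_priv) == child_pub(pub(parent)), i.e. the xpub trick works."""
    return ec_mul(child_priv(parent_priv, index), G) == child_pub(ec_mul(parent_priv, G), index)
```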
Osuntokun also discusses his preference for smaller signatures, critiquing the National Institute of Standards and Technology's (NIST) hesitance to standardize more efficient schemes like SPHINCS+C and SPHINCS-α due to implementation complexities and political factors. He advocates for optimizing signature sizes by adjusting constants without compromising NIST-compliant algorithms, linking this approach to ongoing discussions within the Bitcoin community about adopting new parameter sets for hash-based signatures. This would address both performance concerns and the verification costs associated with large-scale block verifications, which he identifies as critical considerations.
The conversation shifts towards the practicality of stateful versus stateless signatures, with Osuntokun initially supporting the idea of incorporating stateful WOTS into blockchain operations. However, after discussions with peers, he acknowledges the risks and complications inherent in stateful systems, ultimately endorsing stateless signatures as the preferable option. Despite his enthusiasm for hash-based signatures, Osuntokun concedes that performance, functionality, and size trade-offs will likely lead most users to adopt more efficient cryptographic schemes like ML-DSA or SQIsign, reserving hash-based options for worst-case scenarios where newer algorithms fail.
He concludes by addressing hardware limitations observed in devices like Trezor's Model T, which struggles with the computational demands of creating SLH-DSA-SHA2-128s signatures, pointing out the need for hardware improvements such as dedicated chips or FPGAs to support post-quantum cryptography effectively. His insights are drawn from various sources, including his own work and discussions within the cryptocurrency development community, underscoring the multifaceted challenges and ongoing research efforts aimed at securing digital assets against quantum threats. Relevant links shared include his own work on fast SLH-DSA and quantum HBS, benchmarks on signature creation times, and forums discussing NIST standardization processes.