Posted by Ethan Heilman
Feb 23, 2026/21:42 UTC
In the exploration of quantum-resistant cryptographic methods suitable for ensuring the continued decentralization of Bitcoin, multiparty signatures present an intriguing possibility. However, the practicality of implementing such solutions remains uncertain, particularly in light of the significant size of certain signatures, which poses compatibility issues. The discussion highlights that lattice-based signatures, despite being the most viable path forward in post-quantum cryptography, are not yet ready for implementation. Specifically, SPHINCS signatures, though smaller than initially suggested at approximately 7,888 bytes, still exceed desirable limits for efficient decentralized application.
Further examination reveals a comparative analysis of various signature schemes. For instance, SPHINCS SLH-DSA-128s offers 32-byte public keys with 7,856-byte signatures, indicating a slight variation within the SPHINCS framework itself. Conversely, lattice signatures, exemplified by CRYSTALS-Dilithium ML-DSA and Falcon, show promise with significantly reduced signature sizes: 2,420 bytes and 666 bytes respectively. Despite these advancements, ML-DSA, recognized for garnering the most support within the lattice signature domain, is critiqued for its inability to seamlessly replace Elliptic Curve Cryptography (ECC) without substantial adjustments, notably a "witness discount."
The discourse then shifts towards potential interim solutions, acknowledging the necessity of compromise. If immediate action were required, the preference would lean towards ML-DSA accompanied by a considerable witness discount, albeit reluctantly due to the implications of such a discount. Alternatively, in the absence of a witness discount, a preference is indicated for stateful hash-based signatures resembling a 324-byte SHRINCS model, though this too is seen as less than ideal.
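To make the size and witness-discount trade-off concrete, here is an added calculator (not code from the post or its author) that turns each signature size quoted above into transaction weight, vbytes and spends-per-block, under today's 4x segwit discount and under a hypothetical larger discount. It assumes a constructed 1-input, 1-output transaction skeleton, a key-path-style spend in which only the signature sits in the witness (where a post-quantum public key would live is left out on purpose), and models a "witness discount" as the divisor applied to witness bytes.

```python
import math

# Signature sizes in bytes quoted in the post, plus today's BIP340 Schnorr baseline
SIG_BYTES = {
    "schnorr": 64,
    "shrincs-like": 324,
    "falcon": 666,
    "ml-dsa": 2420,
    "slh-dsa-128s": 7856,
}

# Constructed non-witness skeleton of a 1-input, 1-output transaction paying to a
# 34-byte Taproot output: version(4) + in-count(1) + outpoint(36) + scriptSig len(1)
# + sequence(4) + out-count(1) + value(8) + scriptPubKey len+data(35) + locktime(4)
BASE_BYTES = 4 + 1 + 36 + 1 + 4 + 1 + 8 + 35 + 4   # = 94 bytes

BLOCK_WEIGHT_LIMIT = 4_000_000  # consensus maximum block weight

def compact_size_len(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize length prefix for an n-byte item."""
    return 1 if n < 253 else 3 if n <= 0xFFFF else 5

def witness_bytes(sig_bytes: int) -> int:
    """Serialized witness for a key-path-style spend: segwit marker+flag (2),
    stack-item count (1), then the signature with its length prefix (assumption:
    nothing else, e.g. no public key, is carried in the witness)."""
    return 2 + 1 + compact_size_len(sig_bytes) + sig_bytes

def spend_weight(sig_bytes: int, witness_discount: int = 4) -> int:
    """Weight units: non-witness bytes cost 4 WU each, witness bytes cost
    4/witness_discount WU each. 4 is today's segwit rule; larger values model
    the 'considerable witness discount' discussed in the post."""
    return BASE_BYTES * 4 + math.ceil(witness_bytes(sig_bytes) * 4 / witness_discount)

def spend_vbytes(sig_bytes: int, witness_discount: int = 4) -> int:
    return math.ceil(spend_weight(sig_bytes, witness_discount) / 4)

def cost_vs_schnorr(scheme: str, witness_discount: int = 4) -> float:
    """Weight of a spend relative to today's Schnorr spend under the same discount."""
    return (spend_weight(SIG_BYTES[scheme], witness_discount)
            / spend_weight(SIG_BYTES["schnorr"], witness_discount))

def max_spends_per_block(scheme: str, witness_discount: int = 4) -> int:
    """Upper bound on such spends that fit in one block (ignores coinbase)."""
    return BLOCK_WEIGHT_LIMIT // spend_weight(SIG_BYTES[scheme], witness_discount)

if __name__ == "__main__":
    for disc in (4, 16):  # today's discount, and a hypothetical 16x discount
        for name, size in SIG_BYTES.items():
            print(f"{disc:>2}x {name:<13} {spend_vbytes(size, disc):>5} vB  "
                  f"x{cost_vs_schnorr(name, disc):.1f} vs Schnorr  "
                  f"{max_spends_per_block(name, disc):>5} spends/block")
```

With today's 4x discount the Schnorr case comes out at the familiar 111 vB, while an SLH-DSA-128s spend weighs about 18.5 times as much; raising the discount to 16x shrinks that spend to 586 vB but, as the post notes, at the cost of letting far more raw bytes into a block.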
The narrative concludes with a strategic perspective, endorsing SLH-DSA as a provisional measure. This approach is justified as a precautionary step to maintain security amidst uncertainty, thereby affording the community time to identify and agree upon an optimal ECC replacement. The ultimate hope is pinned on the future readiness of SQI-sign technologies, anticipated to meet speed and efficiency criteria within a three-year timeframe, thus offering a potential long-term solution to the challenges posed by quantum computing advancements.
Thread Summary (41 replies)
Feb 9 - Mar 1, 2026
42 messages • 41 replies