Algorithm Agility for Bitcoin to maintain security in the face of quantum and classic breaks in the signature algorithms

Posted by Mikhail Kudinov

Feb 27, 2026/15:18 UTC

The adoption of Post-Quantum (PQ) cryptographic solutions is making significant strides in the real world, though signatures have not been as widely implemented. A recent development from Apple indicates a strategic approach towards quantum-secure cryptography on their devices: they explicitly opt for level 3 or level 5 security for the lattice-based schemes ML-KEM and ML-DSA, bypassing the level 1 security option. This decision aligns with Cloudflare's stance, as detailed in their blog post about preparing for a post-quantum future by 2025. Cloudflare's choice to adopt ML-KEM-768 and X25519 reflects a careful balance between current security needs and the anticipation of cryptanalytic advancements, and underscores a general industry preference for keeping a security margin that accounts for future developments in cryptanalysis.

Cloudflare's rationale for selecting a smaller margin for ML-DSA than for ML-KEM is the flexibility to respond to future attacks: captured data encrypted with ML-KEM cannot be retrospectively secured after an advance in attack methods, whereas ML-DSA certificates can be updated to bolster security as needed. This perspective underscores a broader industry challenge in transitioning to new cryptographic parameters, especially in settings where changes are difficult to implement, and emphasizes the importance of incorporating a security margin when discussing lattice-based constructions.

The conversation also touches on the implications of excluding level 1 security, which results in the smallest viable size being 3073 bytes for Falcon level 5, according to a comparison provided by PQShield. The post acknowledges that larger sizes are necessary to include a security margin for anticipated improvements in cryptanalysis, and notes the benefits lattice constructions offer beyond compact sizes, such as the potential for public key derivation and more efficient multi/threshold signatures. The discussion illustrates the balancing act between embracing PQ cryptography and the pragmatic challenges of integrating it into existing systems and standards. For further details on Apple's approach to quantum-secure cryptography, refer to their security guide; for Cloudflare's roadmap to post-quantum cryptography, including specific insights on ML-KEM and X25519, see their blog post on PQ 2025.
