Posted by Giulio Golinelli
Jan 23, 2026/07:12 UTC
Mikhail Kudinov's email to the Bitcoin Development Mailing List examines post-quantum signature options for Bitcoin, concentrating on the deterministic mode of the Falcon signature scheme. That mode is singled out because its signer runs on software floating-point emulation instead of the hardware Floating Point Unit (FPU): hardware FPUs are not guaranteed to execute in constant time, so emulation closes off a timing side channel in the signer, at the cost of slower signing. For Bitcoin this trade-off is acceptable, since every node verifies a signature but only the owner signs, so verification cost matters far more than signing speed. The deterministic mode is also SNARK-friendly (SNARK: Succinct Non-Interactive Argument of Knowledge), which addresses portability concerns and makes it a viable candidate despite the lack of standardization among post-quantum cryptographic schemes.
The discussion also covers why other schemes fall short. SPHINCS+ is not considered a viable alternative for Bitcoin because of its substantial signature overhead, which makes it ill-suited to Bitcoin-like applications. SHRINCS, the stateful hash-based alternative, is ruled out for a different reason: it relies on Trusted Platform Module (TPM)-based state management, which could hinder performance and interoperability across different architectures. Its hash-based construction is also noted as particularly unfriendly to SNARKs, posing significant challenges for integration with Layer 2 (L2) solutions such as zero-knowledge rollups. In high-throughput L2 environments, state management, the bounded number of signatures a stateful key can produce, and performance degradation as the volume of published signatures grows are identified as critical bottlenecks.
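To make the state-management bottleneck concrete, here is an added Python illustration that is not code from the email, from SHRINCS, or from any Bitcoin project: a minimal stateful hash-based signature (Lamport one-time keys under a Merkle tree, the textbook construction rather than the SHRINCS design, whose details this page does not describe) with a monotonic leaf counter as its only state. It shows the two properties the paragraph names: the key is exhausted after a fixed number of signatures, and if the counter is ever rolled back so that one leaf signs several messages, an attacker can forge a signature on a message of their choosing. Message strings and the `StatefulSigner`/`forge_after_reuse` names are constructed for the example.

```python
"""Added illustration: stateful hash-based signatures and why the counter must
never be lost or rolled back. Textbook Lamport-OTS + Merkle tree; not SHRINCS."""
import hashlib
import os

N = 256  # SHA-256 digest bits; one (secret_for_0, secret_for_1) pair per bit


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def bits(d: bytes):
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N)]


def lamport_keygen(rng=os.urandom):
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # Reveal exactly one secret per bit position of H(msg).
    return [sk[i][b] for i, b in enumerate(bits(H(msg)))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(H(msg)))))


def leaf_hash(pk) -> bytes:
    return H(*[x for pair in pk for x in pair])


def merkle_root_and_paths(leaves):
    """Return the root and, per leaf, its authentication path (sibling hashes)."""
    paths = [[] for _ in leaves]
    level, under = list(leaves), [[i] for i in range(len(leaves))]
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level), 2):
            for i in under[j]:
                paths[i].append(level[j + 1])
            for i in under[j + 1]:
                paths[i].append(level[j])
            nxt.append(H(level[j], level[j + 1]))
        level = nxt
        under = [under[j] + under[j + 1] for j in range(0, len(under), 2)]
    return level[0], paths


def merkle_verify(root, index, leaf, path) -> bool:
    node = leaf
    for k, sib in enumerate(path):
        node = H(node, sib) if (index >> k) & 1 == 0 else H(sib, node)
    return node == root


class StatefulSigner:
    """2**height one-time keys. `next_leaf` is the state that must persist
    across reboots and backups; a TPM-backed monotonic counter is one way to
    protect it in a real deployment (assumption about deployment, not a claim
    about any specific scheme)."""

    def __init__(self, height: int, rng=os.urandom):
        self.keys = [lamport_keygen(rng) for _ in range(1 << height)]
        self.root, self.paths = merkle_root_and_paths(
            [leaf_hash(pk) for _, pk in self.keys])
        self.next_leaf = 0

    def sign(self, msg: bytes):
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("key exhausted: every one-time leaf has been used")
        i = self.next_leaf
        self.next_leaf += 1  # commit the state change BEFORE releasing the signature
        sk, pk = self.keys[i]
        return (i, pk, lamport_sign(sk, msg), self.paths[i])


def verify(root, msg: bytes, sig) -> bool:
    i, pk, ots, path = sig
    return lamport_verify(pk, msg, ots) and merkle_verify(root, i, leaf_hash(pk), path)


def forge_after_reuse(signer: StatefulSigner, leaf: int, reused_msgs, target: bytes):
    """Simulate a rolled-back counter: `leaf` signs every message in reused_msgs.
    Each signature leaks one secret per position; once both secrets of a
    position are public the attacker can sign either bit value there.
    Returns (positions fully exposed, forged signature on `target` or None)."""
    sk, pk = signer.keys[leaf]
    known = [dict() for _ in range(N)]  # position -> {bit: secret}
    for m in reused_msgs:
        for i, (s, b) in enumerate(zip(lamport_sign(sk, m), bits(H(m)))):
            known[i][b] = s
    fully = sum(len(k) == 2 for k in known)
    try:
        ots = [known[i][b] for i, b in enumerate(bits(H(target)))]
    except KeyError:  # some position of H(target) still needs an unknown secret
        return fully, None
    return fully, (leaf, pk, ots, signer.paths[leaf])


if __name__ == "__main__":
    s = StatefulSigner(height=3)  # 8 signatures, then the key is dead
    sig = s.sign(b"tx1")
    print("valid:", verify(s.root, b"tx1", sig))
    fully, forged = forge_after_reuse(s, 0, [b"reuse %d" % k for k in range(40)], b"attacker")
    print("positions fully exposed:", fully, "forgery verifies:", forged is not None)
```

Two details carry the lesson. The signer advances `next_leaf` before handing out the signature, so a crash between the two steps costs a leaf rather than a reuse; and after a single signature `forge_after_reuse` fails, because one signature reveals only the secrets for that one digest, while a few dozen reuses of the same leaf expose both secrets at almost every bit position and the forgery on an attacker-chosen message verifies against the same Merkle root.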
For further information, the email links to the Falcon implementation and to the SHRINCS discussion, which together give the technical background for the ongoing work on securing Bitcoin against quantum threats. The references are the documentation of the deterministic Falcon mode (Falcon-det.pdf) and the thread "SHRINCS: 324-byte stateful post-quantum signatures with static backups", which lays out that scheme's characteristics and limitations. These resources serve as a foundation for understanding the trade-offs involved in developing post-quantum signature schemes for Bitcoin and similar cryptocurrencies.