PQC: Lattice-based signatures

Jesse Posner raises concerns about the practicality and necessity of implementing a unified hybrid cryptographic scheme, particularly in the context of blockchain technology. He acknowledges the potential security benefits such a scheme could offer by combining elements like SHRINCS+BIP340 or HAWK+BIP340, which theoretically would enhance security beyond the capabilities of these individual components alone. However, Posner points out significant drawbacks that accompany this approach, especially post-Q-day—a hypothetical future point when quantum computers become powerful enough to break current cryptographic systems. He argues that a unified scheme would not only increase witness sizes by approximately 100 bytes per input but also complicate the signer code unnecessarily. This complexity could introduce technical debt that would be challenging to manage on a blockchain, as opposed to more traditional web2 environments.

Posner discusses possible engineering solutions that might mitigate some of these challenges, such as designing the hybrid scheme to allow for later soft-forking out the ECC component or using feature flags to let users migrate independently without necessitating another soft-fork. Despite these possible solutions, he questions the overall necessity of such complex engineering efforts. He suggests that comparable security can be achieved through simpler methods, such as concealing keys for classical and post-quantum cryptographic schemes in separate or the same P2MR script leaves—an original use-case of P2MR. This would allow those who desire the security offered by a hybrid BIP340+SHRINCS scheme to implement it voluntarily, potentially supported by new wallet standards, rather than imposing it as a requirement on all users. Posner emphasizes that such an imposition seems excessive, particularly given the arguably greater classical security of hash-based signatures compared to ECC, aside from the risks associated with stateful schemes.