SHRINCS: 324-byte stateful post-quantum signatures with static backups

Dec 11, 2025

  • SHRINCS, a novel signature scheme, merges the efficiency of stateful hash-based signatures with the robustness of stateless schemes, presenting a solution particularly suited for applications where only a few signatures are needed.

This hybrid approach leverages an unbalanced XMSS tree for its stateful component and a variant of SPHINCS+ for the stateless part, achieving high efficiency in signature generation when the system state is intact while ensuring reliability through stateless signatures in case of state corruption or loss. The public key in SHRINCS is derived from hashing the public keys of both the stateful and stateless components, streamlining the transition between these two modes based on the system's state integrity.

The technical foundation of SHRINCS involves distinct algorithms for key generation, restoration, signing, and verification. Key generation relies on a master seed to produce secret keys for both signature schemes, culminating in a combined public key and an initial state. Restoration, triggered by state loss, re-derives the public key and sets the state to a special "LOST" status, enabling the switch to purely stateless signing. The signing process adapts based on the state's condition: it proceeds normally with the stateful scheme if the state is intact, or switches to the stateless scheme if the state is marked as lost. Verification checks the validity of the signature against the combined public key, ensuring seamless operation regardless of the underlying scheme used.

SHRINCS introduces an "unbalanced XMSS" structure to minimize authentication path length for early signatures, optimizing performance when the number of required signatures is low. This design choice reflects the anticipated usage pattern, especially in contexts like Bitcoin wallets, where few signatures are generated per public key. Despite the inherent challenges in managing stateful schemes securely, SHRINCS mitigates potential risks by providing a fallback to stateless signatures, thereby balancing efficiency with security.
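To make the unbalanced-tree trade-off concrete, here is an added illustration (not code from the paper or from any SHRINCS implementation) of a deliberately simple "chain" shape, where each subtree is the hash of one leaf and the next subtree. The leaf values are constructed stand-ins for the WOTS+ public keys an XMSS tree would commit to, and the chain layout is my simplification of the paper's unbalanced structure, chosen only to show that early leaves get short authentication paths at the cost of long paths for late leaves.

```python
import hashlib
import math


def H(*parts: bytes) -> bytes:
    """Domain-agnostic hash used for leaves and internal nodes (illustration only)."""
    return hashlib.sha256(b"".join(parts)).digest()


def build_chain_tree(leaves: list[bytes]):
    """Unbalanced 'chain' tree: T_i = H(L_i || T_{i+1}) with T_{n-1} = L_{n-1}.

    Returns (root, paths); paths[i] is the authentication path for leaf i as
    (side, sibling) pairs, side saying whether the sibling is hashed on the
    left or right of the running node. Leaf i's path has i+1 entries
    (n-1 for the last leaf), versus ceil(log2 n) in a balanced tree."""
    n = len(leaves)
    sub = [b""] * n
    sub[n - 1] = leaves[n - 1]
    for i in range(n - 2, -1, -1):
        sub[i] = H(leaves[i], sub[i + 1])
    paths = []
    for i in range(n):
        path = [("R", sub[i + 1])] if i < n - 1 else []
        path += [("L", leaves[j]) for j in range(i - 1, -1, -1)]
        paths.append(path)
    return sub[0], paths


def verify_path(root: bytes, leaf: bytes, path) -> bool:
    """Recompute the root from a leaf and its path; the verifier needs only these."""
    node = leaf
    for side, sib in path:
        node = H(node, sib) if side == "R" else H(sib, node)
    return node == root


def balanced_path_len(n: int) -> int:
    """Authentication path length every leaf would have in a balanced tree."""
    return math.ceil(math.log2(n))


def demo(n: int = 8) -> list[int]:
    # Constructed leaf values standing in for WOTS+ public keys.
    leaves = [H(b"leaf", bytes([i])) for i in range(n)]
    root, paths = build_chain_tree(leaves)
    assert all(verify_path(root, leaves[i], paths[i]) for i in range(n))
    return [len(p) for p in paths]  # -> [1, 2, 3, 4, 5, 6, 7, 7]


if __name__ == "__main__":
    print("chain path lengths:", demo(), "balanced:", balanced_path_len(8))
```

In a real stateful signer the leaf index also has to be advanced and persisted before the signature is released; this block only models the tree commitment and its verification.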

However, concerns about the adequacy of a 128-bit security level within post-quantum cryptography (PQC) contexts highlight the ongoing debate over security standards against quantum attacks, such as those posed by Grover's algorithm. This underscores the importance of considering security margins carefully, especially for schemes intended for environments potentially exposed to advanced cryptographic attacks.

For further details and a comprehensive understanding of SHRINCS, including its theoretical underpinnings and practical implications, readers are encouraged to consult the report "Hash-based Signatures for Bitcoin," available at https://eprint.iacr.org/2025/2203. This document, co-authored by Mikhail Kudinov, delves deeper into the construction, advantages, and considerations surrounding the SHRINCS signature scheme.
