Message-ID: <1ee30c09-ca46-404f-a9f4-2ff8ff6a2c0b@mattcorallo.com>
Date: Thu, 26 Feb 2026 10:51:28 -0500
Subject: Re: [bitcoindev] Algorithm Agility for Bitcoin to maintain security in the face of quantum and classic breaks in the signature algorithms
To: Ethan Heilman, Erik Aronesty
Cc: conduition, "garlonicon@gmail.com", Jonas Nick, bitcoindev@googlegroups.com
From: Matt Corallo

On 2/23/26 4:42 PM, Ethan Heilman wrote:
> > I thought "tweaking", in general, is lost in SPHINCS, as well as multiparty sigs. Be interested
> > to see those solutions. But, regardless, 17kb sigs are... not compatible with a decentralized
> > bitcoin, imo. Lattice-sigs are the only reasonable PQ way forward and they aren't ready yet.
>
> SPHINCS is ~8kb (7,888 bytes) not 17kb.
>
> SPHINCS SLH-DSA-128s has 32 byte public keys and 7,856 byte signatures
> Total size of 7,888 bytes not 17kb.
>
> The Lattice sigs aren't that much better than SPHINCS
>
> CRYSTALS-Dilithium ML-DSA has 1,312 byte public keys and 2,420 byte signatures
> Total size of 3,732 bytes.
>
> Falcon has 897 byte public keys and 666 signatures
> 1,563 bytes
>
> ML-DSA currently has the most support in the Lattice world, but it is still too large to be a drop
> in replacement for ECC without a witness discount.
> If we had to choose tomorrow, I'd advocate for ML-DSA with a massive witness discount, but I'd be
> very unhappy with the witness discount. If the witness discount was out of the question, then I'd
> advocate for something similar to 324-byte stateful hash based SHRINCS signature. Neither is ideal.
>
> My current thinking is to use SLH-DSA as a backup. This keeps us safe if everything goes wrong and
> allows us to reach safety early so we can take time to determine the right drop-in replacement for
> ECC. Hopefully in 3 years, SQI-sign is fast enough to be considered.

Why not just do SHRINCS today? The cost to use it in "stateless mode" is only marginally higher than
other stateless hash-based signatures, and wallets can elect to use the stateful mode at signing
time if they're set up for it.

Matt