From: Jonas Nick
Date: Wed, 10 Dec 2025 15:55:31 +0000
Subject: Re: [bitcoindev] Re: Hash-Based Signatures for Bitcoin's Post-Quantum Future
To: bitcoindev@googlegroups.com
Message-ID: <27070789-50f0-4d2d-a107-c90be445db14@gmail.com>
In-Reply-To: <018ee35e-af3d-49d8-a8f2-5c478e681efan@googlegroups.com>

Thanks for all the feedback.

Trying to remain consistent with widely deployed, standardized variants of SLH-DSA is a reasonable design consideration. But in that context it seems noteworthy that using optimized schemes, instead of just tweaking parameters, leads to way more than just a 4% reduction in signature size. The WOTS+C + PORS+FP variant is 16% to 18% smaller than vanilla, size-optimized SPHINCS+ (for 2^40 signatures max) according to our scripts [0].

Another consideration is that in the scenario you [conduition] mention where Bitcoin would adopt a lattice-based signature scheme and a hash-based signature scheme, the lattice-based scheme may not be ML-DSA. Maximizing the functionality benefits of lattice-based sigs may require a custom signature scheme that supports public key derivation, multi/threshold signatures, aggregate signatures, silent payments, etc. If the lattice-based signature scheme is custom, there is little reason why the hash-based signature scheme should not be custom as well.

More generally, one of my main motivations for working on this project was whether there exist variants of hash-based signature schemes that are more suitable for the "advanced" constructions we care about (HD wallets, multi-signatures, ...). After doing this project with Mike (who has done research on hash-based signatures for quite a few years), it seems like the answer is basically no. We discuss some of the approaches in the paper, but it's of course possible we're missing something. However, in that sense, the paper is also a negative result.

I cannot follow the conclusion that 99% of people would use ML-DSA. Signature size is pretty much the same as for parameter-optimized SPHINCS+. Without lattice-based signature aggregation or silent payments, it seems like the main benefit is verification time. Since you have probably the best collection of numbers for performance of SLH-DSA, I'd be interested in the performance numbers of ML-DSA you use for comparison with SLH-DSA.

[0] https://github.com/BlockstreamResearch/SPHINCS-Parameters/blob/main/costs.sage