From: "'conduition' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Falcon Post-Quantum Signature Scheme Proposal
Date: Tue, 27 Jan 2026 08:39:07 -0800 (PST) [thread overview]
Message-ID: <3c9eb86f-13e0-4a18-b978-9fea89d4f6e8n@googlegroups.com> (raw)
In-Reply-To: <2e4abb5a847ab9d78857aee2fded500a234f68a6.camel@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 8035 bytes --]
I would be happy to be proven wrong, and to learn that Falcon is actually
very easy to implement. Of all the NIST PQC schemes, Falcon is the one I
understand least, so I may be mistaken. But software emulation of floating
point arithmetic doesn't sound easy, especially if getting it wrong means a
potential forgery attack. Also, there is still discrete Gaussian sampling
to contend with.
> SPHINCS+ cannot be considered a valid fallback as it introduces large
signature overhead (it's not meant for bitcoin-like use-cases).
I disagree. I think it's crucial for us to have a conservative stateless
signing scheme ready as a fallback to authenticate the UTXO set if a CRQC
appears. Though the signatures are indeed large, that can be mitigated by
smaller parameter sets as Mikhail mentioned, or if you're OK with losing
NIST compatibility, using the SPHINCS+C variant and friends.
> Any TPM-based state management would reduce performance and compatibility
across architectures
It doesn't have to be a TPM
<https://delvingbitcoin.org/t/shrincs-324-byte-stateful-post-quantum-signatures-with-static-backups/2158/14>.
My point is that if your wallet *can* manage state in some way, XMSS makes
for really tiny, fast, and easy-to-implement signatures. Even if some
platforms can't hack it, others would happily make the trade-off. It
doesn't hurt that unbalanced XMSS disincentivizes address reuse as well.
regards,
conduition
On Friday, January 23, 2026 at 7:03:46 AM UTC-7 Giulio Golinelli wrote:
> Falcon (FN-DSA) relies on discrete gaussian sampling using constant-time
> floating point arithmetic for signers, which is very hard to implement
> quickly and in constant time (securely).
>
> This is true for the first Falcon version published (randomized mode of
> operation). This implementation uses the author-recommended deterministic
> Falcon mode (see author’s notes
> <https://github.com/algorand/falcon/blob/main/falcon-det.pdf>) which uses
> software floating-point emulation . This eliminates side-channel risks
> associated with non-constant-time hardware FPUs. It is also SNARK-friendly
> and overcomes portability limitation. While this sacrifices the performance
> optimizations of true FPUs, signing speed is not critical in Bitcoin, where
> verification dominates node activity.
>
> If small signatures are your goal, then I'd look into SQIsign
> <https://sqisign.org/>
>
> This would be good like many other PQ exotic schemes but all of these are
> far from being standardized soon.
>
> If you want a PQC scheme that's ready *today* and also provides small
> signatures, I'll point you to XMSS, and Jonas Nick's SHRINCS proposal
> <https://delvingbitcoin.org/t/shrincs-324-byte-stateful-post-quantum-signatures-with-static-backups/2158>.
> You can configure an unbalanced XMSS tree to get 272 byte signatures,
> potentially smaller if you crank up the parameters. The catch is a
> dependence on statefulness.
>
> SPHINCS+ cannot be considered a valid fallback as it introduces large
> signature overhead (it's not meant for bitcoin-like use-cases). Any
> TPM-based state management would reduce performance and compatibility
> across architectures. The hash-based nature of SHRINCS is highly
> SNARK-unfriendly, making them incompatible with emerging L2 ZK rollup
> constructions. Moreover in high-throughput L2 environments, state
> management, limits on the number of signatures and performance degradation
> proportional to published signatures are critical bottlenecks.
>
> On Thu, 2026-01-22 at 14:35 +0000, conduition wrote:
>
> Falcon (FN-DSA) relies on discrete gaussian sampling using constant-time
> floating point arithmetic for signers, which is very hard to implement
> quickly and in constant time (securely). Despite being significantly harder
> to implement than ML-DSA, it only provides a mild (factor of two or so)
> improvement in signature + pubkey size. This is why we're probably not
> including FN-DSA in our PQ signature opcode BIP following BIP360.
>
>
> https://blog.cloudflare.com/nist-post-quantum-surprise/#floating-points-falcons-achilles
>
> While I wouldn't rule out Falcon permanently, I personally feel more
> research is needed to explore Falcon, its weaknesses, and how flexibly it
> can be adapted to schemes like CISA, BIP32, and multisignatures. Let it
> bake a little longer.
>
> If small signatures are your goal, then I'd look into SQIsign
> <https://sqisign.org/>, which uses isogeny-based cryptography to produce
> very small sigs (148b) and pubkeys (65b) using some convoluted mathematical
> tricks. However, much like Falcon, it is still immature and needs more
> researchers to optimize its verification, explore its strengths, and attack
> its weaknesses.
>
> If you want a PQC scheme that's ready *today* and also provides small
> signatures, I'll point you to XMSS, and Jonas Nick's SHRINCS proposal
> <https://delvingbitcoin.org/t/shrincs-324-byte-stateful-post-quantum-signatures-with-static-backups/2158>.
> You can configure an unbalanced XMSS tree to get 272 byte signatures,
> potentially smaller if you crank up the parameters. The catch is a
> dependence on statefulness.
>
> regards,
> conduition
> On Wednesday, January 21st, 2026 at 11:09 PM, Giulio Golinelli <
> golinelli...@gmail.com> wrote:
>
> Hi everyone,
>
> I am to share a technical demonstration and benchmarking project that
> integrates the Falcon post-quantum signature scheme (Falcon-512) into
> Bitcoin Core, implemented as a soft-fork within the classic P2WPKH mode.
> This work aims to provide a practical reference for possible future Falcon
> adoption, especially as it approaches FIPS standardization.
> You can find details at this fork
> <https://github.com/thisisnotgcsar/bitcoin-falcon>.
>
> *Why Falcon?*
> Falcon is a lattice-based, post-quantum digital signature scheme designed
> to be secure against quantum attacks. Unlike other PQC candidates such as
> SPHINCS+ and ML-DSA, Falcon offers significantly smaller signature and
> public key sizes, as well as efficient signing and verification times. It
> is implemented in pure C and does not require external dependencies.
>
> *Benchmarking & Results*
> Aspect Falcon ECDSA
> Public Key Size (B) 897 33
> Signature Size (B) 655 71
> Verification Time (μs) 57 120
>
> Verification time is more critical than signature creation time in
> Bitcoin, since signature creation is performed by clients (wallets), while
> nodes focus on verification.
>
> *Integration*
>
> - Falcon was included into the codebase from the original GitHub
> repository.
> - The build system (CMakeLists.txt) was updated to support Falcon.
> - Falcon verification has been soft-fork enabled via a new script
> verification flag.
>
> *Next Steps & Reference*
> This project serves as a practical demonstration of Falcon’s promising
> performance, highlighting its advantages over currently selected
> post-quantum signature algorithms such as SPHINCS+ and ML-DSA, which face
> significant time and space limitations. As Falcon approaches FIPS
> standardization, this work aims to provide a reference for future adoption
> and integration in Bitcoin.
>
> Let me know what you think and if this could be of interest for which case
> I can complement the project by integrating Falcon into all the other
> spending paths. I also look forward to development/integration corrections.
>
> Best regards,
> Giulio
>
>
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/3c9eb86f-13e0-4a18-b978-9fea89d4f6e8n%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 13702 bytes --]
prev parent reply other threads:[~2026-01-28 20:49 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-22 7:01 Giulio Golinelli
2026-01-22 12:48 ` [bitcoindev] " waxwing/ AdamISZ
2026-01-23 3:45 ` Giulio Golinelli
2026-01-22 14:35 ` [bitcoindev] " 'conduition' via Bitcoin Development Mailing List
2026-01-23 7:12 ` Giulio Golinelli
2026-01-23 15:36 ` 'Mikhail Kudinov' via Bitcoin Development Mailing List
2026-01-24 13:04 ` waxwing/ AdamISZ
2026-01-25 21:54 ` cassio gusson
2026-01-26 10:33 ` 'Mikhail Kudinov' via Bitcoin Development Mailing List
2026-01-26 15:21 ` waxwing/ AdamISZ
2026-01-27 16:07 ` 'conduition' via Bitcoin Development Mailing List
2026-01-24 13:31 ` Giulio Golinelli
2026-01-27 16:39 ` 'conduition' via Bitcoin Development Mailing List [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3c9eb86f-13e0-4a18-b978-9fea89d4f6e8n@googlegroups.com \
--to=bitcoindev@googlegroups.com \
--cc=conduition@proton.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox