hi, check this out.  two simple new opcodes without requiring massive hash-based signatures and gets you all the quantum resistance you need.   <br /><br />the trick is.. commit to a secret in one block, and reveal in a later block.  you use time-asymmetry to solve the information-asymmetry problem without needing a full signature.<br /><br />anchor-gated, template-bound spend using OP_CTV (BIP119) plus one new opcode for on-chain anchor validation.  <br /><br />https://gist.github.com/earonesty/ea086aa995be1a860af093f93bd45bf2<br /><br />two new opcodes needd:<br /><br />OP_CTV : commit to a spending template ( well tested already)<br />OP_CHECKTXIDDEPTHVERIFY: check that a tx exists a given depth and contains an op_return with specific value:<br /><br />none of these are slow or expensive... and they are radically simpler than quantum signature schemes, while still giving the spending limitations needed for bitcoin<br /><br /><div><div dir="auto">On Monday, December 8, 2025 at 12:47:49 PM UTC-8 Mikhail Kudinov wrote:<br /></div><blockquote style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi everyone,<br /><br />We'd like to share our analysis of post-quantum options for Bitcoin, focusing specifically on hash-based schemes. The Bitcoin community has already discussed SPHINCS+ adoption in previous mailing list threads. We also looked at this option. A detailed technical report exploring these schemes, parameter selections, security analysis, and implementation considerations is available at <a href="https://eprint.iacr.org/2025/2203.pdf" target="_blank" rel="nofollow">https://eprint.iacr.org/2025/2203.pdf</a>. This report can also serve as a gentle introduction into hash-based schemes, covering the recent optimization techniques. The scripts that support this report are available at <a href="https://github.com/BlockstreamResearch/SPHINCS-Parameters" target="_blank" rel="nofollow">https://github.com/BlockstreamResearch/SPHINCS-Parameters</a> .<br />Below, we give a quick summary of our findings.<br /><br />We find hash-based signatures to be a compelling post-quantum solution for several reasons. They rely solely on the security of hash functions (Bitcoin already depends on the collision resistance of SHA-256) and are conceptually simple. Moreover, these schemes have undergone extensive cryptanalysis during the NIST post-quantum standardization process, adding confidence in their robustness.<br /><br />One of the biggest drawbacks is the signature sizes. Standard SPHINCS+ signatures are almost 8KB. An important observation is that SPHINCS+ is designed to support up to 2^64 signatures. We argue that this bound can be set lower for Bitcoin use-cases. Moreover, there are several different optimizations (like WOTS+C, FORS+C, PORS+FP) to the standard SPHINCS+ scheme, that can reduce the signature size even more. <br />For example, with these optimizations and a bound on 2^40 signatures we can get signatures of size 4036 bytes. For 2^30 signatures, we can achieve 3440 bytes, and for 2^20, one can get 3128 bytes, while keeping the signing time reasonable. <br /><br />We should not forget that for Bitcoin, it is important that the size of the public key plus the size of the signature remains small. Hash-based schemes have one of the smallest sizes of public keys, which can be around 256 bits. For comparison, ML-DSA pk+sig size is at least 3732 bytes.<br /><br />Verification cost per byte is comparable to current Schnorr signatures, alleviating concerns about blockchain validation overhead. <br /><br />As for security targets, we argue that NIST Level 1 (128-bit security) provides sufficient protection. Quantum attacks require not just O(2^64) operations but approximately 2^78 Toffoli depth operations in practice, with limited parallelization benefits.<br /><br />One of the key design decisions for Bitcoin is whether to rely exclusively on stateless schemes (where the secret key need not be updated for each signature) or whether stateful schemes could be viable. Stateful schemes introduce operational complexity in key management but can offer better performance.<br /><br />We explored the possibilities of using hash-based schemes with Hierarchical Deterministic Wallets. The public child key derivation does not seem to be efficiently achievable. The hardened derivation is naturally possible for hash-based schemes. <br /><br />If we look at multi/distributed/threshold-signatures, we find that current approaches either don't give much gains compared to plain usage of multiple signatures, or require a trusted dealer, which drastically limits the use-cases. <br /><br />We welcome community feedback on this approach and hope to contribute to the broader discourse on ensuring Bitcoin's long-term security in the post-quantum era. In particular, we are interested in your thoughts on the following questions:<br />1) What are the concrete performance requirements across various hardware, including low-power devices?<br />2) Should multiple schemes with different signature limits be standardized?<br />3) Is there value in supporting stateful schemes alongside stateless ones?<br /><br />Best regards,<br />Mikhail Kudinov and Jonas Nick<br />Blockstream Research</blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href="https://groups.google.com/d/msgid/bitcoindev/60d61084-f1aa-4911-a615-77d8597645c0n%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/60d61084-f1aa-4911-a615-77d8597645c0n%40googlegroups.com</a>.<br />