Hi everyone, I've been following the discussion regarding the trade-offs of Post-Quantum signature sizes and their performance impacts on low-power devices. I wanted to share some practical insights from the *Cellframe* project that might be relevant to these benchmarks. We have been running a C-based blockchain implementation that natively supports multiple NIST-candidate post-quantum algorithms (including *Crystal-Dilithium/ML-DSA* and others discussed here) for several years. Since our core is written in C with a focus on hardware optimization (specifically targeting low-end embedded devices alongside high-performance nodes), we have gathered significant real-world data regarding: 1. Memory Footprint: The actual dynamic RAM usage differences between Lattice-based vs. Hash-based signatures on constrained hardware. 2. Verification Time*:* Concrete signing/verification times on low-power ARM architectures when the code is highly optimized in C. If the working group is interested, we would be happy to share our benchmarks and optimization techniques to help validate the theoretical constraints currently being discussed for Bitcoin's PQ transition. We believe our experience dealing with the signature size overhead in a live production environment could provide a useful reference point. Best regards, El sábado, 20 de diciembre de 2025 a las 8:04:18 UTC-4, Erik Aronesty escribió: > this scheme has no mitm attack or replay attack because of the use of > covenants to secure each step in the chain > > The best part about starting with something like this is that we can have > a safe quantum vault, too useful covenants that are broadly helpful for > other vaulting schemes, while we develop a proper library that is both > performant and efficient for quantum signatures. > > secp256k1 has been optimized to the point where timing attacks are > challenging, and I wouldn't want to use some sort of quantum library that > hasn't had that level of optimization. > > simple commit reveal schemes use hashes that are well known to be quantum > resistant. I consider that a lot safer at first step forward. especially > because we can take that step sooner than later without too much discussion > over implementation since the underlying covenants have been well studied. > (txhash and ctv) > > we can't say that about any signature schemes. > > > > On Fri, Dec 19, 2025, 3:34 AM Jonas Nick wrote: > >> This appears to be a variant of a commit-reveal scheme, a design that has >> been >> discussed a few times on this mailing list. Commit-reveal schemes come >> with >> their own set of trade-offs. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Bitcoin Development Mailing List" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to bitcoindev+...@googlegroups.com. >> > To view this discussion visit >> https://groups.google.com/d/msgid/bitcoindev/b6df02a0-8d69-4882-a13c-411bc90adfa1%40gmail.com >> . >> > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/769f97ee-7874-44cd-acdd-a9d283f79430n%40googlegroups.com.