From: waxwing/ AdamISZ
To: Bitcoin Development Mailing List
Date: Thu, 22 Jan 2026 04:48:42 -0800 (PST)
Subject: [bitcoindev] Re: Falcon Post-Quantum Signature Scheme Proposal
In-Reply-To: <16e01530-e9dd-481f-8c7f-ca9ccafcfcden@googlegroups.com>

Thanks for the report!

Forgive the rather ignorant question here, but:

Given the obvious that we have a problem with size on-chain (and I'm aware you've focused here specifically on the most plausible scheme that has the least ridiculously large size, and yet it's still 20x larger), has there been comparison of the possibility of batched signing (not batched *verification*, but signing) in different PQ schemes, with a view to a CISA like approach to transactions in a future with much larger keys and sigs? A nice side effect might be a pure economic motivation for much better fungibility (coinjoin becoming much more desirable for the base layer, albeit I think it's in higher layers where we are/will be get(ting) most privacy).

A cursory search tells me that Falcon specifically can't support any kind of batched signing, but I have no idea whether that's correct.

Cheers,
AdamISZ/waxwing

On Thursday, January 22, 2026 at 4:09:34 AM UTC-3 Giulio Golinelli wrote:

> Hi everyone,
>
> I am to share a technical demonstration and benchmarking project that integrates the Falcon post-quantum signature scheme (Falcon-512) into Bitcoin Core, implemented as a soft-fork within the classic P2WPKH mode. This work aims to provide a practical reference for possible future Falcon adoption, especially as it approaches FIPS standardization.
> You can find details at this fork.
>
> *Why Falcon?*
> Falcon is a lattice-based, post-quantum digital signature scheme designed to be secure against quantum attacks. Unlike other PQC candidates such as SPHINCS+ and ML-DSA, Falcon offers significantly smaller signature and public key sizes, as well as efficient signing and verification times. It is implemented in pure C and does not require external dependencies.
>
> *Benchmarking & Results*
> Aspect                   Falcon  ECDSA
> Public Key Size (B)      897     33
> Signature Size (B)       655     71
> Verification Time (μs)   57      120
>
> Verification time is more critical than signature creation time in Bitcoin, since signature creation is performed by clients (wallets), while nodes focus on verification.
>
> *Integration*
>
> - Falcon was included into the codebase from the original GitHub repository.
> - The build system (CMakeLists.txt) was updated to support Falcon.
> - Falcon verification has been soft-fork enabled via a new script verification flag.
>
> *Next Steps & Reference*
> This project serves as a practical demonstration of Falcon’s promising performance, highlighting its advantages over currently selected post-quantum signature algorithms such as SPHINCS+ and ML-DSA, which face significant time and space limitations. As Falcon approaches FIPS standardization, this work aims to provide a reference for future adoption and integration in Bitcoin.
>
> Let me know what you think and if this could be of interest for which case I can complement the project by integrating Falcon into all the other spending paths. I also look forward to development/integration corrections.
>
> Best regards,
> Giulio