Date: Wed, 20 May 2026 03:18:35 +0000
From: "'conduition' via Bitcoin Development Mailing List"
To: Nikita Karetnikov
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] PQC: Lattice-based signatures
Hey Nikita, thanks for broaching the idea. I can't speak for Blockstream, but as to the spirit of your question - Why people are looking at hash-based sigs more than lattices - I can think of four major reasons:

1. Conservatism. Hash based signatures are incredibly conservative. They rely on strictly weaker assumptions than what we already depend on for other things. No other family of signatures can claim this property, and for something as inflexible-yet-sensitive as Bitcoin, conservativism is appealing.

2. Simplicity. Hash-based signatures are easier to grasp, simpler to prove secure, and easier to implement compared to almost anything else (even simpler than ECC). We Bitcoiners tend to clutch our pearls in fear of trusting flawed assumptions... but in reality most vulnerabilities are not cryptographic in nature: Most are implementation failures. Hash-based sigs are harder (but not impossible) to screw up. An experienced engineer can implement FIPS-205 (SPHINCS) in a weekend, or less with AI tools. This simplicity also makes hash-based sigs easier to pitch during consensus debates: It's harder to fear something once you understand it.

3. Efficiency. Hash-based sigs are surprisingly fast to verify [0]. Their cost-per-byte is way lower than Schnorr. If you can bite the statefulness bullet, hash-based sigs can even be compact (and still fast). There remains some hope we might be able to use them as a daily driver if CRQCs appear faster than anticipated. This efficiency comes at a price of course, but that price is paid by the signer implementation while verifiers remain slim, quick, and secure.

4. Future-proofing.
Because of their conservatism, hash-based sigs stand a better chance of remaining secure over a long time-frame, so it seems more likely we could rely on them to fulfill a long-term fallback role. We will likely someday need to deploy a new cryptosystem to replace ECC as a daily driver if ECDLP is broken, whether classically or by a CRQC. When/if this happens, we'll be REALLY glad we added hash-based sigs first, because then we'll have something to use if the novel scheme's assumptions (or more likely, implementation) are broken.

This is not to say we shouldn't be researching lattices. Or isogenies, or anything else for that matter. We need to know what's possible, and to educate the community about the options we have. I'm glad to see Blockstream funding this important work. I view hash-based sigs as the first episode of a decades-long saga, but unfortunately we lack enough knowledge to know what should come next. Maybe that is lattices? Maybe something else. With time, effort, and (hopefully) funding, we shall find out.

If I had to pen a wishlist of stuff I'd like to see from lattice crypto research, this would be it:

- [ ] compact keys and sigs. Ideally, less than a kilobyte witness size total, but I'd be happy with at least a twofold improvement over what stateless hash-based sigs can offer.
- [ ] rerandomization e.g. BIP32 unhardened derivation. This has been done [1], but AFAIK it is impossible without massively expanding the sizes of keys and/or signatures.
- [ ] a multisignature scheme, or a threshold protocol with a DKG. Again, never seen this without massive keys and sigs, but I see no reason why it should be impossible.
- [ ] integer-only arithmetic. Falcon keys and sigs are smaller than ML-DSA, but it comes at the expense of complex floating point arithmetic headaches. It'd be nice if we could do away with that.
- [ ] signature aggregation.
  This is a more general wish of any PQ scheme, and if someone can do it, even with somewhat large sigs or poor performance, it might make the whole scheme way more palatable, in tandem with a CISA proposal.

Also see this relevant delvingbitcoin thread [1] for more sources.

regards,
conduition

[0]: https://conduition.io/code/fast-slh-dsa-verification/
[1]: https://delvingbitcoin.org/t/post-quantum-hd-wallets-silent-payments-key-aggregation-and-threshold-signatures/1854/

On Tuesday, May 19th, 2026 at 9:06 PM, Nikita Karetnikov wrote:

> Dear list,
>
> I hate to contribute to the recent flood of PQC posts, but I think it’s an important issue that’s worth discussing.
>
> In particular, what I usually see is various competing proposals without a clear winner.
>
> So I’d like to bring everyone’s attention to this new post from Blockstream:
> https://blog.blockstream.com/schnorr-but-with-vectors-lattice-based-signatures-explained/
>
> This post is interesting because unlike a lot of PQC discussions, it actually includes a comparison table of various approaches, where lattices seem to come out ahead.
>
> This raises a few questions.
>
> Since lattices are not a new topic in cryptography, why has Blockstream focused their efforts on hash-based approaches so far?
> Are hashes seen as a more conservative choice?
>
> Given the problems with hashes outlined in the post, are lattices actually the current most likely candidate for a PQC implementation?
> If so, should the community effort be focused on lattices instead of other proposals?
> Or is the comparison table not telling the whole story?
>
> I’d like to hear your thoughts on the topic.
>
> Thanks,
> Nikita
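As an added example, not code from this thread or from any project it names, here is Lamport's one-time signature in Python: the simplest hash-based scheme, which makes concrete the points the reply trades on (only a hash function is assumed, verification is plain hashing, and the price is witness size plus the "statefulness bullet"). The names `lamport_keygen`, `LamportSigner` and `witness_bytes` are mine, and the sample message is constructed.

```python
# Added example, not from the thread: Lamport's one-time signature, the
# simplest hash-based scheme. Only a hash function is assumed, verifying
# is nothing but hashing, and the cost is witness size plus statefulness
# (a key must never sign twice).
import hashlib
import os

HASH = hashlib.sha256
N = 32          # hash output length in bytes
BITS = 8 * N    # number of digest bits signed, one key pair per bit


def lamport_keygen(rng=os.urandom):
    """Secret key: 2*BITS random preimages; public key: their hashes."""
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    """i-th bit of the digest, most significant bit first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


class LamportSigner:
    """Stateful signer. Signing two different digests with one key reveals
    both preimages at some bit positions, so key reuse is refused outright."""
    def __init__(self, sk):
        self.sk, self.used = sk, False

    def sign(self, msg: bytes) -> list:
        if self.used:
            raise RuntimeError("one-time key already used; derive a fresh key")
        self.used = True
        d = HASH(msg).digest()
        return [self.sk[i][_bit(d, i)] for i in range(BITS)]  # one preimage per bit


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    """BITS hash evaluations and comparisons; no arithmetic of any kind."""
    if len(sig) != BITS:
        return False
    d = HASH(msg).digest()
    return all(HASH(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(BITS))


def witness_bytes(pk, sig) -> tuple:
    """(public key bytes, signature bytes): the on-chain cost of this scheme."""
    return (sum(len(a) + len(b) for a, b in pk), sum(len(x) for x in sig))
```

With a 256-bit digest the witness comes to 16384 bytes of public key plus 8192 bytes of signature, against 32 + 64 bytes for a BIP340 Schnorr key and signature; the `used` flag is the statefulness the reply refers to, and stateless constructions such as SLH-DSA exist to remove it at the cost of size.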