On 4/4/25 12:29 PM, Ethan Heilman wrote:
> I strongly believe Bitcoin will need to move to PQ signatures in the near future. The rest of this email is premised on this belief.
Whether this is true or not, none of the non-hash-based PQC signature schemes seem like reasonable candidates to include in Bitcoin's consensus today (as far as I'm aware no sensible cryptographer anywhere is suggesting migrating to only PQC schemes given the likelihood that they end up broken by classical methods at some point in the next decade, which makes putting them in Bitcoin's consensus for the long term an incredibly questionable idea). Worse, making STARKs a part of Bitcoin's security assumption seems even more far-fetched.
While this is all cool, I don't really see how this is a viable path any time in the next decade, sadly. If you believe that we need a PQ signature scheme in the near future, it seems to me the only option is something hash-based and we eat the cost (optionally, see eg [1]).
[1] https://groups.google.com/g/bitcoindev/c/oQKezDOc4us/m/F-Pq-Jw2AgAJ
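The reply above argues that the only realistic near-term post-quantum option is a hash-based scheme and that its cost has to be accepted. The following added example (editor's illustration, not code from this thread, from Bitcoin Core, or from any proposed BIP) implements a textbook Lamport one-time signature over SHA-256 so that the cost is concrete: the public key is 16 KiB and each signature 8 KiB, against the 32-byte x-only public key and 64-byte signature of BIP340 Schnorr, and a key may safely sign only once. The hash choice, the function names and the constructed messages are assumptions of the example, not anything the thread specifies.

```python
import hashlib
import secrets

HASH = hashlib.sha256
N = HASH().digest_size   # 32-byte hash output (assumption: SHA-256)
BITS = 8 * N             # 256 digest bits, one secret pair per bit

# For comparison only: BIP340 Schnorr uses 32-byte x-only keys and 64-byte signatures.
SCHNORR_PUBKEY_BYTES = 32
SCHNORR_SIG_BYTES = 64


def keygen():
    """Lamport one-time key: 2*BITS random secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(HASH(s0).digest(), HASH(s1).digest()) for s0, s1 in sk]
    return sk, pk


def _digest_bits(message: bytes):
    """Yield the BITS bits of H(message), most significant first."""
    value = int.from_bytes(HASH(message).digest(), "big")
    for i in range(BITS):
        yield (value >> (BITS - 1 - i)) & 1


def sign(sk, message: bytes):
    """Reveal, for each digest bit, the secret of the matching half. One use only."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(pk, message: bytes, sig) -> bool:
    """Accept iff every revealed secret hashes to the public-key half selected by the digest."""
    if len(sig) != BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        # Constant-time-ish: always check every position, never exit early.
        ok &= HASH(sig[i]).digest() == pk[i][bit]
    return ok


def secrets_revealed(pk, sigs) -> int:
    """Count distinct secret halves exposed across signatures under one key.

    One signature exposes exactly BITS of the 2*BITS secrets; a second signature
    on a different message exposes more, which is why the key is one-time.
    """
    seen = set()
    for sig in sigs:
        for i, s in enumerate(sig):
            h = HASH(s).digest()
            for side in (0, 1):
                if h == pk[i][side]:
                    seen.add((i, side))
    return len(seen)


def sizes() -> dict:
    """Byte sizes a node would have to store or relay for this scheme vs. Schnorr."""
    return {
        "lamport_pubkey_bytes": 2 * BITS * N,   # 16384
        "lamport_sig_bytes": BITS * N,          # 8192
        "schnorr_pubkey_bytes": SCHNORR_PUBKEY_BYTES,
        "schnorr_sig_bytes": SCHNORR_SIG_BYTES,
    }


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed example transaction digest"   # constructed input
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("sizes:", sizes())
    print("secrets revealed by one signature:", secrets_revealed(pk, [sig]))
```

The size figures are the point of the example: a single Lamport signature is over a hundred times the size of a Schnorr signature, and stateful or stateless schemes such as XMSS or SPHINCS+ trade that raw size for many-time use at the cost of further machinery. The `secrets_revealed` helper makes the one-time constraint measurable rather than merely stated.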
