Thanks for all the feedback. Trying to remain consistent with widely deployed, standardized variants of SLH-DSA is a reasonable design consideration. But in that context it seems noteworthy that using optimized schemes, instead of just tweaking parameters, leads to way more than just a 4% reduction in signature size. The WOTS+C + PORS+FP variant is 16% to 18% smaller than vanilla, size-optimized SPHINCS+ (for 2^40 signatures max) according to our scripts [0].
Another consideration is that in the scenario you [conduition] mention where Bitcoin would adopt a lattice-based signature scheme and a hash-based signature scheme, the lattice-based scheme may not be ML-DSA. Maximizing the functionality benefits of lattice-based sigs may require a custom signature scheme that supports public key derivation, multi/threshold signatures, aggregate signatures, silent payments, etc. If the lattice-based signature scheme is custom, there is little reason why the hash-based signature scheme should not be custom as well.

More generally, one of my main motivations for working on this project was whether there exist variants of hash-based signature schemes that are more suitable for the "advanced" constructions we care about (HD wallets, multi-signatures, ...). After doing this project with Mike (who has done research on hash-based signatures for quite a few years), it seems like the answer is basically no. We discuss some of the approaches in the paper, but it's of course possible we're missing something. However, in that sense, the paper is also a negative result.

I cannot follow the conclusion that 99% of people would use ML-DSA. Signature size is pretty much the same as for parameter-optimized SPHINCS+. Without lattice-based signature aggregation or silent payments, it seems like the main benefit is verification time. Since you have probably the best collection of numbers for performance of SLH-DSA, I'd be interested in the performance numbers of ML-DSA you use for comparison with SLH-DSA.

[0] https://github.com/BlockstreamResearch/SPHINCS-Parameters/blob/main/costs.sage

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/27070789-50f0-4d2d-a107-c90be445db14%40gmail.com.
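To make the size discussion above concrete, here is an added example (not the poster's costs.sage script and not code from the paper) that computes the SPHINCS+/SLH-DSA signature size from the parameter set, using the standard breakdown randomizer + FORS + hypertree. As a labelled simplification, WOTS+C is modelled only as dropping the len2 checksum chains from each WOTS+ signature (its counter bytes are ignored), and PORS+FP is not modelled at all, so the numbers show where the bytes go, not the 16% to 18% figure from the post.

```python
import math

# SLH-DSA parameter sets from FIPS 205 (n in bytes, w = Winternitz parameter).
SLH_DSA_PARAMS = {
    "SLH-DSA-128s": dict(n=16, h=63, d=7, w=16, k=14, a=12),
    "SLH-DSA-128f": dict(n=16, h=66, d=22, w=16, k=33, a=6),
}


def wots_len(n: int, w: int) -> tuple[int, int]:
    """Number of WOTS+ chains: len1 message chains plus len2 checksum chains."""
    lg_w = int(math.log2(w))
    len1 = math.ceil(8 * n / lg_w)
    len2 = math.floor(math.log2(len1 * (w - 1)) / lg_w) + 1
    return len1, len2


def sig_bytes(n: int, h: int, d: int, w: int, k: int, a: int,
              checksum_chains: bool = True) -> dict:
    """Byte breakdown of a SPHINCS+ signature.

    R:    n-byte randomizer
    FORS: k trees, each contributing a secret leaf plus an a-node auth path
    HT:   h auth-path nodes over the whole hypertree plus d WOTS+ signatures
    checksum_chains=False is the (assumed, simplified) WOTS+C model: the
    checksum chains disappear and only the len1 message chains remain.
    """
    len1, len2 = wots_len(n, w)
    chains = len1 + (len2 if checksum_chains else 0)
    parts = {
        "R": n,
        "FORS": k * (a + 1) * n,
        "HT": (h + d * chains) * n,
    }
    parts["total"] = sum(parts.values())
    return parts


def checksum_saving_pct(params: dict) -> float:
    """Percent of signature size attributable to WOTS+ checksum chains."""
    vanilla = sig_bytes(**params)["total"]
    no_checksum = sig_bytes(**params, checksum_chains=False)["total"]
    return 100.0 * (vanilla - no_checksum) / vanilla


if __name__ == "__main__":
    for name, p in SLH_DSA_PARAMS.items():
        print(name, sig_bytes(**p), f"checksum chains: {checksum_saving_pct(p):.1f}%")
```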
