here are the slides for my talk at the @PresidioBitcoin
Quantum Bitcoin Summit: https://drive.google.com/file/d/12UlzfGvG09IwvzWscL2FT8CoewGBWlGD/view
TL;DR: I propose that sha2 param set(s) of SPHINCS+ (SLH-DSA/FIPS-205) tuned for smaller signatures (~3KB, smaller possible) be adopted in Bitcoin as the PQC signature scheme
I also explore what the implications are for the sig type across the stack (tapscript changes, etc)
the biggest shift is that BIP-32 public key derivation no longer works (eg: which watch-only hardware wallets rely on), as hash-based sigs don't offer that type of algebraic structure
deterministic key derivation from a seed is still supported, but there'd be no such thing as an "xpub"
insight to get smaller sigs is to realize that the default params targeting 2^64 possible sigs is overly conservative (see: https://eprint.iacr.org/2024/018/), especially in Bitcoin
for a single key, LN channels maybe need 10s of millions of sigs, but normal addr re-use isn't that bad
so we can target a smaller max amt of sigs for a single key + tune other params to trade off slightly slower sig generation (validation is still fast) for smaller sigs
if you breach that max amt target, security degrades (128-bit -> 112-bit) but doesn't insta break
so possible to arrive at a range of params w/ sigs smaller or at par w/ ML-DSA (lattice based sig), w/ smaller private+public keys:
- SLH-DSA: 32-byte pub keys, 64-byte priv keys
- ML-DSA: 2KB+ priv keys, 1KB+ pub keys
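The size arithmetic behind the thread's comparison, worked through as an added example (not code from the talk or the slides). It reproduces the FIPS-205 signature size formula (randomizer + FORS + hypertree) and checks it against the published SLH-DSA sizes, then applies it to two hypothetical "tuned" parameter sets with a shorter hypertree (fewer max sigs) and a larger Winternitz parameter. The tuned sets, their names, and the hash-count estimates for signing/verifying are illustrative assumptions, not proposed parameters; picking FORS params that hold 128-bit security for a given sig budget is a separate analysis.

```python
import math

# Added example: SLH-DSA (FIPS-205 / SPHINCS+) size and cost arithmetic.
# Parameter tuple: (n, h, d, a, k, w)
#   n = hash output bytes, h = total hypertree height (2^h leaves),
#   d = number of XMSS layers, a = FORS tree height, k = FORS trees,
#   w = Winternitz parameter.
# Only the FIPS-205 sets below are real; the "tuned_*" sets are
# hypothetical assumptions used to illustrate the trade-off.
PARAM_SETS = {
    "SLH-DSA-SHA2-128s": (16, 63, 7, 12, 14, 16),
    "SLH-DSA-SHA2-128f": (16, 66, 22, 6, 33, 16),
    "SLH-DSA-SHA2-192s": (24, 63, 7, 14, 17, 16),
    "SLH-DSA-SHA2-256s": (32, 64, 8, 14, 22, 16),
    # Hypothetical: 2^24 hypertree leaves instead of 2^63, w=256.
    "tuned_h24_w256 (assumed)": (16, 24, 3, 12, 14, 256),
    # Hypothetical: same tree, fewer/taller FORS trees.
    "tuned_h24_w256_fors (assumed)": (16, 24, 3, 16, 10, 256),
}


def wots_len(n: int, w: int) -> int:
    """Number of WOTS+ chains len = len1 + len2 (FIPS-205 section 5)."""
    lg_w = int(math.log2(w))
    len1 = math.ceil(8 * n / lg_w)                       # message chains
    len2 = math.floor(math.log2(len1 * (w - 1)) / lg_w) + 1  # checksum chains
    return len1 + len2


def sig_size(n: int, h: int, d: int, a: int, k: int, w: int) -> int:
    """Signature bytes: randomizer R + FORS sig + d XMSS sigs (WOTS+ + auth path)."""
    assert h % d == 0, "h must split evenly into d layers"
    hp = h // d
    fors = k * (a + 1) * n               # k secret values + k auth paths of a nodes
    ht = d * (wots_len(n, w) + hp) * n   # per layer: len WOTS+ chains + hp auth path
    return n + fors + ht


def key_sizes(n: int) -> dict:
    """SLH-DSA public key = (PK.seed, PK.root); private key adds SK.seed, SK.prf."""
    return {"pk": 2 * n, "sk": 4 * n}


def sign_cost_approx(n: int, h: int, d: int, a: int, k: int, w: int) -> int:
    """Rough hash-call count for signing (assumption: dominated by building
    d full XMSS trees, each leaf = one WOTS+ pubkey of len chains x (w-1)
    steps, plus k FORS trees of 2^a leaves). Constants/tree hashing omitted."""
    hp = h // d
    wots_pk = wots_len(n, w) * (w - 1)
    return d * (2 ** hp) * wots_pk + k * (2 ** a)


def verify_cost_approx(n: int, h: int, d: int, a: int, k: int, w: int) -> int:
    """Rough worst-case hash-call count for verification (assumption):
    finish len WOTS+ chains + hp auth-path hashes per layer, plus FORS."""
    hp = h // d
    return d * (wots_len(n, w) * (w - 1) + hp) + k * (a + 1)


def compare(params: dict = PARAM_SETS) -> dict:
    """Size/cost table keyed by parameter-set name."""
    out = {}
    for name, p in params.items():
        n = p[0]
        out[name] = {
            "sig_bytes": sig_size(*p),
            "pk_bytes": key_sizes(n)["pk"],
            "sk_bytes": key_sizes(n)["sk"],
            "log2_tree_leaves": p[1],
            "sign_hashes_approx": sign_cost_approx(*p),
            "verify_hashes_approx": verify_cost_approx(*p),
        }
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:32s} sig={row['sig_bytes']:6d}B pk={row['pk_bytes']}B "
              f"sk={row['sk_bytes']}B leaves=2^{row['log2_tree_leaves']} "
              f"sign~{row['sign_hashes_approx']:,} verify~{row['verify_hashes_approx']:,}")
```

The real sets come out at the FIPS-205 sizes (7856, 17088, 16224, 29792 bytes), which is the sanity check that the formula is right. Cutting the hypertree from 2^63 to 2^24 leaves and moving to w=256 drops the hypothetical 128-bit sig to roughly 4KB with the stock FORS, at the price of a few times more hashing on the signing side, while verification stays in the low thousands of hash calls; public and private keys stay 32 and 64 bytes regardless of the tree shape.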
tradeoff is no extra structure to do fancy crypto
less flexible, but more conservative
Bitcoin already uses sha2 everywhere
all sigs have a hash function somewhere
no new crypto assumptions (1st or 2nd preimage resistance, etc) introduced, doing a ton of hashes is fast, especially w/ vectorized inst + hardware acceleration
cooking up some code+specs
not too interested in the political question of if coins should be frozen/seized, etc, etc
imo that breaks a fundamental tenet of Bitcoin, we MUST resist groups trying to coordinate to effectively redistribute wealth
value loss from that > PQ break