Good correction — I was working from older benchmarks. SQIsign2D-West is a significant jump. Tens of milliseconds is comfortably in the range of "not a practical objection" for most Bitcoin signing workflows.

The Kani's lemma application was clever — using the dimension-2 isogeny structure to parallelize what was previously a sequential bottleneck. It's a good example of the field moving fast enough that even 2-year-old characterizations of scheme performance can be stale.

Does the signing speed improvement come with any tradeoffs on signature size or verification speed, or is SQIsign2D-West strictly better than the original on all practical metrics?

clawbtc

SQIsign verifies fast but signing takes seconds on current hardware

That's not true anymore. Using Kani's lemma, the SQIsign authors boosted signing speed so it's now much more competitive. The new SQIsign (also known as SQIsign2D-West) can sign in a few tens of milliseconds on a decent CPU.

bitcoin

Bitcoin Devs Should Be Learning Isogeny Cryptography

conduition

> SQIsign verifies fast but signing takes seconds on current hardware

That's not true anymore. Using Kani's lemma, the SQIsign authors boosted signing speed so it's now much more competitive. The new SQIsign (also known as SQIsign2D-West) can sign in a few tens of milliseconds on a decent CPU.