Here are the slides for my talk at the @PresidioBitcoin Quantum Bitcoin Summit. TL;DR: I propose that SHA-2 parameter set(s) of SPHINCS+ (SLH-DSA / FIPS 205) tuned for smaller signatures (~3KB, smaller possible) be adopted in Bitcoin as the PQC signature scheme.
I also explore what the implications are for the sig type across the stack (tapscript changes, etc.). The biggest shift is that BIP-32 public key derivation no longer works (e.g. which watch-only hardware wallets rely on), as hash-based sigs don't offer that type of algebraic structure.
Deterministic key derivation from a seed is still supported, but there'd be no such thing as an "xpub".
So we can target a smaller amount for the max number of sigs for a single key + tune other params to trade off slightly slower sig generation (validation is still fast) for smaller sigs. If you breach that max target, security degrades (128-bit -> 112-bit) but doesn't instantly break.
So it's possible to arrive at a range of params w/ sigs smaller than or on par w/ ML-DSA (lattice-based sig), w/ smaller private + public keys:
* SLH-DSA: 32-byte pub keys, 64-byte priv keys
* ML-DSA: 2KB+ priv keys, 1KB+ pub keys
The tradeoff is no extra structure to do fancy crypto.
Less flexible, but more conservative. Bitcoin already uses SHA-2 everywhere; all sigs have a hash function somewhere. No new crypto assumptions (1st or 2nd preimage resistance, etc.) are introduced, and doing a ton of hashes is fast, especially w/ vectorized instructions + hardware acceleration.
Cooking up some code + specs 😈 Not too interested in the political question of whether coins should be frozen/seized, etc., etc. IMO that breaks a fundamental tenet of Bitcoin; we MUST resist groups trying to coordinate to effectively redistribute wealth. Value loss from that > PQ break.
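As an added worked example, not the author's code and not SLH-DSA itself: a toy hash-based few-time signature in Python, WOTS-style hash chains (w=16) under a small Merkle tree, all keyed from one 32-byte seed. The parameter names (W, H, L1, L2), the domain-separation tags and the sample seed are assumptions made for the toy. It shows the three points in the thread concretely: every one-time key is derived deterministically from the seed; the public key is a single 32-byte hash (the Merkle root); and the only "child key derivation" available takes the seed as input, since there is no operation on the root alone that yields a child public key, hence nothing like an xpub.

```python
"""Toy hash-based few-time signature (WOTS-style chains + Merkle tree).
Constructed example: not SLH-DSA/SPHINCS+, not the author's code. Uses only SHA-256,
so its security rests on the same hash assumptions the thread describes."""
import hashlib
from typing import List, Tuple

N = 32            # bytes per hash output (SHA-256), as in the sha2 parameter sets
W = 16            # Winternitz parameter: each chain encodes one 4-bit digit (assumption)
L1 = 64           # digits needed to encode a 256-bit message digest
L2 = 3            # checksum digits (max checksum 64*15 = 960 < 16**3)
L = L1 + L2       # chains per one-time key
H = 3             # Merkle tree height: 2**H one-time keys under one root (assumption)

Signature = Tuple[int, List[bytes], List[bytes]]   # (leaf index, chain values, auth path)


def hash_(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def addr(leaf: int, j: int) -> bytes:
    # (leaf, chain) address so every chain step hashes a distinct input
    return leaf.to_bytes(4, "big") + j.to_bytes(2, "big")


def chain(x: bytes, start: int, steps: int, a: bytes) -> bytes:
    """Walk the hash chain `steps` times starting at position `start`."""
    for i in range(start, start + steps):
        x = hash_(b"chain", a, i.to_bytes(1, "big"), x)
    return x


def digits(msg: bytes) -> List[int]:
    """Base-16 digits of SHA-256(msg) plus a 3-digit checksum (standard WOTS encoding)."""
    md = [nib for b in hashlib.sha256(msg).digest() for nib in (b >> 4, b & 0xF)]
    csum = sum(W - 1 - x for x in md)        # checksum stops an attacker raising every digit
    cs = [(csum >> (4 * k)) & 0xF for k in (2, 1, 0)]
    return md + cs


def wots_sk(seed: bytes, leaf: int) -> List[bytes]:
    """Deterministic: chain starts are PRF(seed, leaf, chain). Needs the seed, nothing else."""
    return [hash_(b"sk", seed, addr(leaf, j)) for j in range(L)]


def wots_pk(sk: List[bytes], leaf: int) -> bytes:
    ends = [chain(s, 0, W - 1, addr(leaf, j)) for j, s in enumerate(sk)]
    return hash_(b"wotspk", *ends)


def tree(seed: bytes) -> List[List[bytes]]:
    """All Merkle levels, leaves first; levels[-1][0] is the root = the 32-byte public key."""
    levels = [[wots_pk(wots_sk(seed, i), i) for i in range(2 ** H)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([hash_(b"node", prev[k], prev[k + 1]) for k in range(0, len(prev), 2)])
    return levels


def keygen(seed: bytes) -> bytes:
    return tree(seed)[-1][0]


def sign(seed: bytes, leaf: int, msg: bytes) -> Signature:
    """Sign with one-time key `leaf`. Stateful toy: the caller must never reuse a leaf."""
    d = digits(msg)
    sig = [chain(s, 0, d[j], addr(leaf, j)) for j, s in enumerate(wots_sk(seed, leaf))]
    auth, idx = [], leaf
    for lvl in tree(seed)[:-1]:
        auth.append(lvl[idx ^ 1])            # sibling node at each level
        idx >>= 1
    return leaf, sig, auth


def verify(root: bytes, msg: bytes, sig: Signature) -> bool:
    """Finish each chain to its end, rebuild the leaf, walk the auth path up to the root."""
    leaf, chains, auth = sig
    if len(chains) != L or len(auth) != H or not 0 <= leaf < 2 ** H:
        return False
    d = digits(msg)
    ends = [chain(c, d[j], W - 1 - d[j], addr(leaf, j)) for j, c in enumerate(chains)]
    node, idx = hash_(b"wotspk", *ends), leaf
    for sib in auth:
        node = hash_(b"node", sib, node) if idx & 1 else hash_(b"node", node, sib)
        idx >>= 1
    return node == root


def sig_bytes(sig: Signature) -> int:
    leaf, chains, auth = sig
    return 4 + N * (len(chains) + len(auth))


def child_pubkey(seed: bytes, account: int) -> bytes:
    """Hardened-style derivation still works from the seed; no counterpart exists from the root."""
    return keygen(hash_(b"child", seed, account.to_bytes(4, "big")))


if __name__ == "__main__":
    seed = b"\x01" * 32                      # constructed sample seed
    root = keygen(seed)
    s = sign(seed, 5, b"spend utxo 0")
    print(len(root), "byte pubkey;", sig_bytes(s), "byte sig;", verify(root, b"spend utxo 0", s))
```

With H=3 and W=16 a signature here is 2244 bytes for at most 8 signatures per root, and the signer must track which leaf indices it has used. SLH-DSA signatures are larger because the scheme is stateless: it stacks several such trees into a hypertree and adds a few-time scheme (FORS) at the bottom so that leaves can be picked pseudorandomly without bookkeeping, which is exactly the knob the thread describes when it trades a lower maximum signature count per key for a smaller signature.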