Skip to content

Commit 44b7e67

Browse files
EthanHeilmanEthanHeilman
committed
Update PQ signature table
1 parent e6e7207 commit 44b7e67

File tree

1 file changed

+15
-21
lines changed

1 file changed

+15
-21
lines changed

bip-0360.mediawiki

Lines changed: 15 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -622,45 +622,39 @@ using P2QRH outputs.
622622
== Security ==
623623

624624
{| class="wikitable"
625-
|+ Candidate quantum-resistant signature algorithms ordered by largest to smallest NIST Level V signature size
625+
|+ Candidate quantum-resistant signature algorithms ordered by largest to smallest
626626
|-
627-
! Signature Algorithm !! Year First Introduced !! Signature Size !! Public Key Size !! Cryptographic Assumptions
627+
! Signature Algorithm !! Year First Introduced !! NIST Level !! Signature Size !! Public Key Size !! Cryptographic Assumptions
628628
|-
629-
| [https://en.wikipedia.org/wiki/Lamport_signature Lamport signature] || 1977 || 8,192 bytes || 16,384 bytes ||
629+
| [https://en.wikipedia.org/wiki/Lamport_signature Lamport signature]<ref name="one-time-signatures">Lamport and Winternitz signatures
630+
can only safely be used one time per public key. If addresses are reused, private key information might be leaked, allowing
631+
attackers to spend future outputs assigned to the same address.</ref> || 1977 || - || 8,192 bytes || 16,384 bytes ||
630632
Hash-based cryptography
631633
|-
632-
| [https://eprint.iacr.org/2011/191.pdf Winternitz signature] || 1982 || 2,368 bytes<ref name="winternitz">Winternitz
633-
signatures are much smaller than Lamport signatures due to efficient chunking, but computation is much higher,
634-
especially with high values for w. Winternitz values are for w of 4. It's worth noting that Winternitz signatures can
635-
only safely be used one time per public key. If addresses are reused, private key information might be leaked, allowing
636-
attackers to spend future outputs assigned to the same address.</ref> || 2,368 bytes || Hash-based cryptography
634+
| [https://sphincs.org/data/sphincs+-r3.1-specification.pdf SPHINCS+ Rd. 3.1 (FIPS 205 - SLH-DSA - SHAKE-128s)] || 2015 || 1 || 32 bytes || 7,856 bytes || Hash-based cryptography
637635
|-
638-
| [https://sphincs.org/data/sphincs+-r3.1-specification.pdf SPHINCS+ Rd. 3.1 (FIPS 205 - SLH-DSA)] || 2015 || 29,792
639-
bytes || 64 bytes || Hash-based cryptography
636+
| [https://eprint.iacr.org/2011/191.pdf Winternitz signature]<ref name="one-time-signatures"></ref> || 1982 || - || 2,368 bytes<ref name="one-time-signatures">Winternitz
637+
signatures are much smaller than Lamport signatures due to efficient chunking, but computation is much higher,
638+
especially with high values for w. Winternitz values are for w of 4.</ref> || 2,368 bytes || Hash-based cryptography
640639
|-
641640
| [https://eprint.iacr.org/2011/484.pdf XMSS]<ref name="xmss">XMSS, which is based on Winternitz, uses a value of 108
642641
for its most compact signature size, with only a 4.6x (2.34/0.51) increase in verification time. Signing and key
643642
generation are not considered a significant factor because they are not distributed throughout the entire Bitcoin
644-
network, which take place only inside of wallets one time.</ref> || 2011 || 15,384 bytes || 13,568 bytes ||
643+
network, which take place only inside of wallets one time.</ref> || 2011 || - || 15,384 bytes || 13,568 bytes ||
645644
Hash-based cryptography (Winternitz OTS)
646645
|-
647-
| [https://pq-crystals.org/dilithium/ CRYSTALS-Dilithium (FIPS 204 - ML-DSA)] || 2017 || 4,595 bytes || 2,592 bytes ||
646+
| [https://pq-crystals.org/dilithium/ CRYSTALS-Dilithium (FIPS 204 - ML-DSA)] || 2017 || 2 || 1,312 bytes || 2,420 bytes ||
648647
Lattice cryptography
649648
|-
650-
| [https://eprint.iacr.org/2014/457.pdf pqNTRUsign] || 2016 || 1,814 bytes || 1,927 bytes || Lattice cryptography (NTRU)
649+
| [https://eprint.iacr.org/2014/457.pdf pqNTRUsign] || 2016 || - || 1,814 bytes || 1,927 bytes || Lattice cryptography (NTRU)
651650
|-
652-
| [https://falcon-sign.info FALCON (FIPS 206 - FN-DSA)] || 2017 || 1,280 bytes || 1,793 bytes || Lattice cryptography
651+
| [https://falcon-sign.info FALCON (FIPS 206 - FN-DSA)] || 2017 || 1 || 897 bytes || 666 bytes || Lattice cryptography
653652
(NTRU)
654653
|-
655-
| [https://eprint.iacr.org/2022/1155.pdf HAWK] || 2022 || 1,261 bytes || 2,329 bytes || Lattice cryptography
656-
|-
657-
| [https://sqisign.org SQIsign] || 2023 || 335 bytes || 128 bytes || Supersingular Elliptic Curve Isogeny
654+
| [https://eprint.iacr.org/2022/1155.pdf HAWK] || 2022 || 1 || 1,024 bytes || 555 bytes || Lattice cryptography
658655
|-
659-
| [https://eprint.iacr.org/2024/760.pdf SQIsign2D-West] || 2024 || 294 bytes || 130 bytes || Supersingular Elliptic
660-
Curve Isogeny
656+
| [https://sqisign.org SQIsign] || 2023 || 1 || 65 bytes || 148 bytes || Supersingular Elliptic Curve Isogeny
661657
|-
662-
| [https://eprint.iacr.org/2023/436.pdf SQIsignHD] || 2023 || 109 bytes (NIST Level I) || Not provided ||
663-
Supersingular Elliptic Curve Isogeny
664658
|}
665659

666660
As shown, supersingular elliptic curve quaternion isogeny signature algorithms represent the state of the art in

0 commit comments

Comments
 (0)