maxsatoshiMember
Posts: 1 · Reputation: 48
#1Nov 8, 2022, 12:15 AM
I've been diving into creating a Bitcoin clone, but instead of the usual ECDSA signatures, I’m using hash-based post-quantum signatures. This isn't about launching a new coin or anything. The goal is to show the real costs of switching to PQ-sigs think about signature sizes, block sizes, wallet behaviors, signing delays all with actual data to really see the trade-offs.
I'm using the SHRINCS/SHRIMPS signature scheme from Kudinov and Nick (IACR eprint 2025/2203). Other than that, I've kept everything as similar to Bitcoin as possible while accommodating this new method.
Here are some key points:
- The chain layer remains the same: we still have SHA-256d PoW, an 88-byte little-endian header, retarget every 2016 blocks, halving every 210000 blocks, and a Merkle-of-TxIDs.
- Addresses are structured as a two-leaf Merkle root, 32 bytes on-chain, and encoded with bech32.
- Wallet setup follows BIP-39 + BIP-32 with hardened derivation at m/44'/1'/N'/{0',1'}.
- Mempool features BIP-125 RBF, minimum relay requirements, and BIP-152 compact blocks.
- We're using raw TCP with the same message framing as Bitcoin.
- The size for the first signature body is 324 bytes (from paper §B.3 WOTS+C, m=9).
Here are the five changes Bitcoin had to make:
1. We switched from ECDSA/Schnorr signatures to SHRINCS/SHRIMPS.
2. Addresses now commit to two leaves (primary + fallback) instead of one public key hash.
3. There’s no wtxid split since PQ signatures are deterministic, so no need to adjust anything.
4. BIP-32 doesn’t support non-hardened derivation anymore it requires EC point addition, which hash-based keys don’t offer.
5. SHA-256/SHA-512 are integrated within the signature primitive (see paper §2 tweakable hashes), all in one package.
No on-chain key rotation. The wallet updates account indexes like a keypool, as mentioned in §14 of the paper.
Doing things like running a node, making a wallet, mining, and sending transactions is all part of this experiment.