Why are lattices the best post-quantum replacement for Bitcoin?

  • Lattice signatures weigh between 1,600 and 4,000 bytes, compared to 70 to 72 bytes for ECDSA.

  • Blockstream ruled out hash-based signatures because they would be incompatible with multisignatures.

Blockstream, the company co-founded by Adam Back, published on May 18 a comparative analysis of the four post-quantum signature paradigms applicable to Bitcoin and concluded that lattice-based schemes are the most promising.

The central argument is that they are the only cryptographic family that allows the same advanced tools that already exist in Bitcoin, such as multisignatures, where several parties authorize a transaction with a single signature, to be built without sacrificing quantum resistance.

Of the four families evaluated, three have limitations that Blockstream considers decisive:

  • Based on hash functions: they are the most secure, but their signatures cannot be combined, which makes them incompatible with multisignatures and with threshold signatures (where a group decides that signatures from a fraction of its members are enough to validate an operation). Their signatures weigh between 3,500 and 8,000 bytes depending on the scheme.
  • Based on error-correcting codes: they produce signatures of more than 10,000 bytes (compared with the 64 bytes of Schnorr and the 70 to 72 bytes of ECDSA), too heavy for Bitcoin’s block space limits, according to the report.
  • Based on isogenies: they generate compact signatures of 200 to 300 bytes, but their mathematical complexity makes them difficult to implement safely, the document warns. They will need “significant battle-testing time” before they can be considered for Bitcoin, according to Blockstream.

[Chart] Blockstream chart comparing post-quantum signature schemes for Bitcoin. Blockstream studied four variants of post-quantum signatures for Bitcoin. Source: Blockstream.

Advantages and challenges of lattices

The Blockstream article points out that lattices produce signatures of between 1,600 and 4,000 bytes and preserve the mathematical property that allows keys to be combined and multisignatures to be constructed. “Lattices potentially open the door to advanced modifications such as post-quantum multisignatures, zero-knowledge proofs, and confidential assets,” the company’s team noted.

Lattices are the basis of ML-DSA (formerly called Dilithium), the post-quantum signature standard that the United States National Institute of Standards and Technology (NIST) formally approved in 2024. It is not an experimental bet but the family that has already passed years of international cryptographic review. This anchors Blockstream’s choice in something verifiable and external to the company, although the team at the company co-founded by Back did not include a formal proposal or an implementation schedule for Bitcoin.

However, according to the report, implementation difficulty is the most relevant outstanding limitation of this family.

With lattices, the jump in size over the schemes Bitcoin currently uses is significant. Lattice signatures are 22 to 55 times heavier than those of the elliptic curve scheme ECDSA, and 25 to 62 times heavier than those of Schnorr (included in Taproot in 2021). Both would be vulnerable to a sufficiently powerful quantum computer.

In Bitcoin, each transaction includes at least one signature, and blocks have a fixed space limit: heavier signatures mean fewer transactions per block, greater competition for that space and, consequently, higher fees for users. This impact on the network is one of the central challenges that any post-quantum migration will have to solve.
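The following is an added example (not code from Blockstream or CriptoNoticias) that turns the size figures above into block-capacity estimates using Bitcoin's SegWit weight accounting. The 4,000,000 weight-unit limit and the 4:1 non-witness/witness weighting are consensus rules; the 90 non-witness bytes and 36 witness-overhead bytes per transaction are constructed assumptions, and public-key growth is ignored because the article gives no figures for it.

```python
# Signature sizes in bytes as reported in the Blockstream comparison.
# The code-based figure is a lower bound ("more than 10,000 bytes").
SIGNATURE_BYTES = {
    "Schnorr": (64, 64),
    "ECDSA": (70, 72),
    "isogeny": (200, 300),
    "lattice": (1600, 4000),
    "hash-based": (3500, 8000),
    "code-based": (10000, 10000),
}

# Consensus constants: a block may weigh at most 4,000,000 weight units (WU);
# each non-witness byte costs 4 WU, each witness byte (where signatures live) 1 WU.
BLOCK_WEIGHT_LIMIT = 4_000_000
NON_WITNESS_WEIGHT_PER_BYTE = 4
WITNESS_WEIGHT_PER_BYTE = 1

# Constructed assumptions for a minimal one-input, one-output transaction:
# 90 non-witness bytes plus 36 witness bytes besides the signature itself.
# Post-quantum public keys also grow, but the article gives no sizes for them,
# so they are deliberately left out of this estimate.
ASSUMED_NON_WITNESS_BYTES = 90
ASSUMED_WITNESS_OVERHEAD_BYTES = 36


def size_ratio(scheme: str, baseline: str) -> tuple[int, int]:
    """Floor of (scheme min, scheme max) divided by the baseline's largest size."""
    base = SIGNATURE_BYTES[baseline][1]
    lo, hi = SIGNATURE_BYTES[scheme]
    return lo // base, hi // base


def tx_weight(signature_bytes: int) -> int:
    """Weight units of one assumed minimal transaction carrying one signature."""
    witness = ASSUMED_WITNESS_OVERHEAD_BYTES + signature_bytes
    return (ASSUMED_NON_WITNESS_BYTES * NON_WITNESS_WEIGHT_PER_BYTE
            + witness * WITNESS_WEIGHT_PER_BYTE)


def max_txs_per_block(signature_bytes: int) -> int:
    """How many such transactions fit in one full block."""
    return BLOCK_WEIGHT_LIMIT // tx_weight(signature_bytes)


def capacity_table() -> dict[str, tuple[int, int]]:
    """Per scheme: transactions per block at its largest and smallest signature."""
    return {name: (max_txs_per_block(hi), max_txs_per_block(lo))
            for name, (lo, hi) in SIGNATURE_BYTES.items()}


if __name__ == "__main__":
    for name, (worst, best) in capacity_table().items():
        print(f"{name:11s} {worst:6d}-{best:6d} txs/block")
```

The ratio function reproduces the article's 22 to 55 (vs ECDSA) and 25 to 62 (vs Schnorr) figures, and the capacity table shows that under these assumptions a 4,000-byte lattice signature cuts the transactions per block by roughly a factor of nine.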

[Infographic] Infographic on how quantum computing could affect Bitcoin. Source: CriptoNoticias.

What Blockstream has already tried

In March, as explained by CriptoNoticias, Blockstream broadcast the first transactions signed with SHRINCS, its own post-quantum scheme based on hash functions, on the Liquid Network, the Bitcoin sidechain operated by the company. SHRINCS belongs to the hash family, not the lattice family, which indicates that the company is testing different lines of research.

Thus, the May 18 report focuses on lattices as the long-term bet for Bitcoin’s base layer, while hash-based schemes continue to be explored for environments where algebraic flexibility is not a priority. Bringing any of these developments to Bitcoin would require a consensus process between developers, miners and node operators, for which there is no formal proposal or defined date.
