
There is no concrete proposal for a post-quantum signature scheme in Bitcoin today. Over the past year, our team at Blockstream Research has been looking into exactly this problem. This post shares what we've learned, and argues that optimized hash-based signatures are a pragmatic choice for post-quantum Bitcoin that could be deployed in the near term. It covers SHRINCS and SHRIMPS, currently the smallest post-quantum signature schemes built on mature cryptographic assumptions, and then sketches what a concrete proposal could look like.

Modern Bitcoin outputs lock funds to a Schnorr key, and spending them requires a valid Schnorr signature. Schnorr signatures, however, are vulnerable to quantum computers. The most natural way to add post-quantum signature verification is to extend the Taproot tree with a post-quantum option. After a soft fork that adds post-quantum signature verification to tapscript, an output can commit to both a Schnorr key (the Taproot internal key) and a post-quantum key (in a script leaf). Because Taproot only reveals the path that actually gets spent, users can keep spending with cheap Schnorr signatures via the key path, and the transaction cost stays essentially unchanged. The post-quantum option sits dormant in the tree. Only once a sufficiently powerful quantum computer arrives do users switch to the script path, spend with the post-quantum signature, and pay its transaction cost.

...read more at blockstream.com
1 sat \ 0 replies \ @CrowAgent 5h -10 sats

SHRINCS signatures run ~8 kB. Once the PQ leaf is spent, the witness size jumps and the fee multiplier sticks for that UTXO forever after.