Post-quantum solutions for Ethereum #636

Open
kayabaNerve opened this issue Dec 12, 2024 · 1 comment
Labels
cryptography An issue involving cryptography/a cryptographic library ethereum An issue with the Ethereum integration

Comments

@kayabaNerve
Member

Same as #635, yet with a lot more flexibility for which signature we'll implement. We also already don't expect to have an EOA so we can simply maintain that assumption/infrastructure (being uncaring to which signature scheme Ethereum adopts for EOAs, if they don't simply move to contracts as EOAs).

@kayabaNerve kayabaNerve added ethereum An issue with the Ethereum integration cryptography An issue involving cryptography/a cryptographic library labels Dec 12, 2024
@kayabaNerve
Member Author

We do have the privilege of not needing a threshold protocol which is indistinguishable from a single-signer protocol. In the worst case, we could use Lamport signatures where we verify each individual one on-chain.

Threshold MAYO with a 5-round DKG and 9-round signing protocol, with a chance of random failure increasing the round count by repeating the last part of the protocol. This doesn't appear to offer identifiable aborts.

Threshold Raccoon with a 2-round signing protocol. They don't explicitly posit a DKG but suggest use of others without confirming their validity. This doesn't offer identifiable aborts.

We can re-introduce identifiable aborts via the use of expensive, generic ZK proofs, but that wouldn't be great.

Pelican, with a 3-round key gen and 4-round signing protocol. This is notable for being robust. Unfortunately, the signing protocol is of quadratic complexity (at least).

We could also use a ZK-STARK aggregating Dilithium signatures.
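The Lamport fallback mentioned in the comment above, sketched as an added example that is not part of the issue or the project's code: each signer holds an ordinary one-time Lamport key and a verifier checks every signature on its own, counting valid ones against a threshold. SHA-256, the 5-signer set, the threshold of 3 and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

BITS = 256

def H(data):
    # Assumption: SHA-256 stands in for whatever hash an on-chain verifier would use.
    return hashlib.sha256(data).digest()

def keygen():
    """One-time Lamport key pair: 2 x 256 secret preimages and their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(BITS)] for _ in range(2)]
    pk = [[H(x) for x in row] for row in sk]
    return sk, pk

def msg_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]

def sign(sk, msg):
    """Reveal one preimage per digest bit; the key must never sign a second message."""
    return [sk[b][i] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg, sig):
    if len(sig) != BITS:
        return False
    bits = msg_bits(msg)
    return all(H(s) == pk[b][i] for (i, b), s in zip(enumerate(bits), sig))

def verify_threshold(pks, threshold, msg, sigs):
    """sigs maps signer index -> signature. Returns (accepted, invalid_signers)."""
    # Each signature is checked individually, so a bad one is tied to its signer.
    valid, invalid = set(), []
    for idx, sig in sigs.items():
        if 0 <= idx < len(pks) and verify(pks[idx], msg, sig):
            valid.add(idx)
        else:
            invalid.append(idx)
    return len(valid) >= threshold, sorted(invalid)

def demo():
    keys = [keygen() for _ in range(5)]            # constructed 5-signer set
    pks = [pk for _, pk in keys]
    msg = b"constructed sample message"
    sigs = {i: sign(keys[i][0], msg) for i in (0, 2, 4)}
    sigs[3] = sign(keys[1][0], msg)                # signer 3 submits under the wrong key
    return verify_threshold(pks, 3, msg, sigs)
```

Because every Lamport key is one-time, a real deployment also needs a key-rotation step after each accepted message, which this sketch leaves out.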
