How To Make Smaller Post-Quantum Signatures
- Stateful and Stateless
- SHRINCS: A Hybrid Approach
- SPHINCS+
- Putting It All Together
- Algorithmic Agility
- Why Does This Matter?
On March 3rd, Blockstream Research demonstrated the use of post-quantum (PQ) signatures on the Liquid Network, the Blockstream-powered federated sidechain. Researchers Oleksandr Kurbatov, Viktor Mashtaliar, Dmytrii Kurbatov, Mikhail Kudinov, and stringhandler signed a real Liquid mainnet transaction, leveraging Simplicity, Blockstream’s smart contract language, and its capacity to express custom, complex spending conditions, to demonstrate what one potential quantum-safe signature scheme might look like.
The scheme used for this test transaction was another product of Blockstream Research: a hash-based algorithm called SHRINCS.
First presented by Director of Research Jonas Nick and cryptography researcher Mikhail Kudinov in December 2025, SHRINCS combines both stateful and stateless hash schemes, attempting to leverage the benefits of stateless signing while reducing the onchain footprint.
Before diving into the technical details, let’s take a moment to define the difference between stateful and stateless cryptographic signatures, highlighting the corresponding trade-offs.
Stateful and Stateless
Stateful hash-based signature schemes, such as XMSS, rely on so-called One-Time Signatures (OTS), where each key pair must be used exactly once. Reusing a key breaks the security fundamentals of the cryptographic scheme, allowing attackers to forge signatures and potentially steal funds. Thus, it is crucial to keep track of which keys have already been used (a.k.a. the state) to avoid compromising the funds, which means updating the state after each signature. Holding onto this state introduces a layer of complexity in key management, making static backups (ones that aren’t updated after every use) de facto dangerous. Currently, you can find all of your funds from 12 seed words, and can sign for any key under those words without worrying about saving any additional information. A stateful scheme would mean you wouldn’t be able to do this without possibly leaking information and losing funds.
Despite their need to remember every signature, stateful schemes produce smaller signatures and require minimal computational effort for verification. The smaller size makes them attractive, particularly when compared to stateless signature schemes.
On the other hand, stateless signature schemes do not need to keep track of which keys have been used, making key management as simple as remembering a static backup, similar to how 12 words work today. The same key pair can be used multiple times without compromising the safety assumptions behind it. To achieve this, stateless schemes make use of massive, multi-layered trees, which create a pool of possible signatures so large that it makes the possibility of using the same key twice statistically irrelevant. As you may have already guessed, this comes at the price of way larger signatures than stateful schemes and a higher computational cost for verification.
SHRINCS: A Hybrid Approach
SHRINCS combines stateful and stateless signature schemes, attempting to take advantage of the strengths of each while mitigating their specific limitations. Specifically, SHRINCS leverages the efficiency in size and verification of a stateful scheme, while allowing users to easily recover their keys and safeguard their funds with a stateless counterpart in case the state is lost.
To achieve this, SHRINCS is built using both a stateless scheme (SPHINCS+) and a stateful scheme (Unbalanced XMSS).
During normal operation, SHRINCS uses the stateful unbalanced XMSS tree, producing a 324-byte signature, tiny compared to most other PQ signature proposals. The state is updated every time a message is signed and is securely stored, so that the same key is never used twice.
What happens if we need to restore our keys? As we said, it is not possible to recover a key from a stateful scheme with a static backup, since it would result in compromised security and possible loss of funds. If the state of the keys is ever lost, SHRINCS can fall back to the SPHINCS+ stateless signature scheme instead. Signature size will explode, reaching up to 8 KB, but the funds aren’t at risk of being lost or stolen.
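The state discipline described above, as an added example (not Blockstream's code and not SHRINCS itself): a toy Lamport one-time signature stands in for the one-time keys of the stateful tree, the counter is persisted before a signature is released, and a missing counter raises an error where a real wallet would switch to its stateless scheme. `StatefulSigner`, `StateLost`, `exposed_pairs` and the counter-file layout are assumptions made for this illustration.

```python
import hashlib, hmac, os
BITS = 256  # toy Lamport OTS: one secret pair per bit of the SHA-256 digest

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def secret_key(seed: bytes, index: int):
    """Derive one-time key `index` from the seed: two preimages per digest bit."""
    return [[hmac.new(seed, b"%d/%d/%d" % (index, i, b), hashlib.sha256).digest()
             for b in (0, 1)] for i in range(BITS)]

def public_key(seed: bytes, index: int):
    return [[H(x) for x in pair] for pair in secret_key(seed, index)]

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(BITS)]

def ots_sign(seed: bytes, index: int, msg: bytes):
    sk = secret_key(seed, index)
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def ots_verify(pk, msg: bytes, sig) -> bool:
    return all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(digest_bits(msg), sig)))

def exposed_pairs(msg_a: bytes, msg_b: bytes) -> int:
    """Positions where signing both messages with ONE key reveals both preimages."""
    return sum(a != b for a, b in zip(digest_bits(msg_a), digest_bits(msg_b)))

class StateLost(Exception):
    """No trustworthy counter: the caller must switch to the stateless scheme."""

class StatefulSigner:
    def __init__(self, seed: bytes, state_path: str):
        self.seed, self.path = seed, state_path

    def sign(self, msg: bytes):
        try:
            with open(self.path) as f:
                index = int(f.read())
        except (FileNotFoundError, ValueError):
            raise StateLost("seed-only restore: next unused index is unknown")
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:       # reserve the index BEFORE signing: a crash
            f.write(str(index + 1))     # can waste a key but never hand it out twice
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)      # atomic swap of the counter file
        return index, ots_sign(self.seed, index, msg)
```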