Hash-Based Signatures
The provably quantum-resistant backup plan for high-stakes operations
What Makes Hash-Based Different
Hash-based signatures like SPHINCS+ are the only post-quantum schemes with provable security—they rely solely on the one-way property of hash functions, not unproven mathematical assumptions. The tradeoff is size: signatures range from 7-50 KB compared to 64 bytes for ECDSA. This makes them ideal for critical, low-frequency operations like governance keys and treasury multisig, but impractical for everyday transactions.
Why Provable Security Matters
Every other post-quantum candidate—Dilithium, Kyber, FALCON—depends on assumptions about hard mathematical problems. Lattice-based schemes assume finding short vectors in high-dimensional lattices is computationally infeasible. Code-based schemes assume decoding random linear codes is hard. These assumptions have withstood decades of analysis, but they remain unproven.
Hash Functions Are Different
Hash-based signatures require only one property: that hash functions are one-way. Given H(x), it’s computationally infeasible to find x. This is proven under minimal assumptions. If SHA-256 is secure, hash-based signatures are secure. No complex mathematics. No theoretical breakthroughs needed.
Even quantum computers can’t efficiently reverse hash functions. Grover’s algorithm provides a quadratic speedup for preimage attacks, but SHA-256 retains 128-bit security against quantum adversaries—more than sufficient for any foreseeable threat.
The Signature Size Problem
NIST standardized SPHINCS+ with three security levels, each trading performance for security strength:
| Algorithm | Signature Size | vs. ECDSA |
|---|---|---|
| ECDSA (current) | 64 bytes | — |
| Dilithium | 2,420 bytes | 38× |
| SPHINCS+ (128-bit) | 7,856 bytes | 123× |
| SPHINCS+ (192-bit) | 17,088 bytes | 267× |
| SPHINCS+ (256-bit) | 49,856 bytes | 779× |
Blockchain Impact
A Bitcoin block holds roughly 2,000 transactions today. With SPHINCS+ at 128-bit security, capacity drops to approximately 60 transactions per block. At 256-bit security, capacity falls to 20 transactions per block.
Transaction throughput would decrease by 30-100×, rendering the network unusable for everyday payments. This is why SPHINCS+ is positioned as a backup option, not a primary solution.
Where Hash-Based Signatures Fit
The signature size constraint defines clear use cases. Hash-based signatures excel when security is paramount and frequency is low:
Appropriate Use Cases
- Treasury multisig: Large holdings that sign transactions once or twice annually. Signature size is irrelevant; maximum security is essential.
- Protocol governance: Upgrade proposals, parameter changes, and other infrequent but critical decisions where provable security justifies the overhead.
- Emergency keys: Break-glass credentials used only if primary signature schemes fail. Insurance against cryptographic surprises.
- Root certificates: Long-lived keys that sign other keys. Rarely invoked but extremely high-stakes when used.
Inappropriate Use Cases
- Transaction signing: High-frequency operations where signature size destroys throughput and increases costs.
- Payment channels: Lightning Network and similar systems require many signatures per second. SPHINCS+ latency is prohibitive.
- Mobile wallets: Bandwidth constraints make 50 KB signatures expensive and slow over cellular networks.
- DEX trading: Decentralized exchanges need fast, frequent signatures. SPHINCS+ undermines performance.
Stateful vs. Stateless
Earlier hash-based schemes like XMSS and LMS offer smaller signatures but require state management—tracking which keys have been used. Reusing a key even once allows attackers to forge signatures, making these schemes unsuitable for cryptocurrency wallets where backups, crashes, and device synchronization create reuse risks.
SPHINCS+ solves this by being stateless. You can sign unlimited messages without tracking state, eliminating catastrophic failure modes. The cost is larger signatures, but for cryptocurrency applications, statelessness is mandatory.
Performance Comparison
| Scheme | Signing Speed | Verification Speed | Best Use |
|---|---|---|---|
| ECDSA | ~0.1 ms | ~0.2 ms | Current standard |
| Dilithium | ~0.5 ms | ~0.2 ms | Transaction signing |
| SPHINCS+ (small) | ~15 ms | ~1 ms | Governance, multisig |
| SPHINCS+ (large) | ~120 ms | ~0.5 ms | Emergency keys only |
Signing latency affects user experience—waiting 120 milliseconds per signature is noticeable. For high-frequency operations, Dilithium provides better ergonomics. For critical, infrequent operations, SPHINCS+ latency is acceptable.
Implementation Strategy
Leading projects adopt a tiered approach:
- Primary signatures: Hybrid ECDSA + Dilithium for everyday transactions, balancing current compatibility with quantum resistance.
- Critical operations: SPHINCS+ for governance votes, treasury movements, and protocol upgrades where provable security justifies overhead.
- Contingency planning: If Dilithium suffers a cryptographic break, fall back to SPHINCS+ network-wide despite performance impact.
This strategy provides practical performance today, ultra-conservative security for high-stakes operations, and insurance against cryptographic surprises.
Investor Signal
Projects using SPHINCS+ for governance and emergency keys demonstrate mature security thinking. They understand the tradeoffs and prioritize correctness over convenience for critical operations.
Projects claiming SPHINCS+ for all transactions either misunderstand the performance implications or are building ultra-low-throughput chains. Ask hard questions about scalability.
Why Not Just Use SPHINCS+ Everywhere?
The 100× signature size increase creates cascading problems:
- Block size: Larger blocks increase propagation time, creating centralization pressure as smaller nodes struggle to keep up.
- Storage costs: Full nodes must store the entire blockchain. A 100× expansion makes running a node prohibitively expensive.
- Bandwidth: Downloading and uploading larger blocks consumes more bandwidth, pricing out users with limited connectivity.
- Fees: Reduced throughput increases competition for block space, driving transaction costs higher.
These aren’t minor inconveniences—they fundamentally alter the economics and accessibility of the network. Dilithium offers a middle ground: significantly better than ECDSA against quantum threats, significantly better than SPHINCS+ for everyday use.
The Conservative Choice for Critical Operations
Hash-based signatures represent the most conservative option in post-quantum cryptography. When making decisions that are difficult or impossible to reverse—protocol upgrades, large fund movements, long-term key delegation—the provable security of hash-based schemes justifies their overhead.
This is risk management: accept performance costs for operations where being wrong is catastrophic. For day-to-day transactions, accept the (small) theoretical risk of lattice-based schemes to maintain usability.
Compare Post-Quantum Approaches
See how different projects balance performance and security with Dilithium, SPHINCS+, and hybrid implementations.