Agenda
- Lattice HD Wallets: Post-Quantum BIP32 Hierarchical Deterministic Wallets from Lattice Assumptions
- Post-quantum Signatures and Hardware Signers
Meeting Time: Wednesday, April 01, 2026 at 13:00 UTC (60 minutes)
YouTube recording available: https://youtu.be/V59OkKfATng
The fifth post-quantum transaction signature breakout meeting focused on hardware support, with presentations from the Project 11 and Ledger teams on BIP32 constructions and post-quantum signature challenges. Conor from Project 11 presented lattice-based approaches to preserving BIP32 functionality, highlighting significant trade-offs including larger key sizes and the added complexity of lattice cryptography. Yannick and Alain from Ledger walked through the constraints of hardware implementation, presented benchmark results for several post-quantum algorithms, and discussed prospects for improved secure elements.
This was the fifth session of the post-quantum transaction signature breakout room, this time focusing on hardware support. Conor Deegan from Project 11 was scheduled to present work on BIP32 over lattice assumptions, followed by Yannick from Ledger on post-quantum signatures. Antonio mentioned that Julio from Aragon had contributed testnet wallet functionality at a freshly created address, supporting algorithms such as Falcon and Dilithium as well as ephemeral ECDSA.
Conor from Project 11 presented a paper on preserving BIP32 in a post-quantum setting using lattice-based cryptography. He outlined two constructions: a standard ML-DSA HD wallet, and a new non-hardened key derivation scheme based on Raccoon G that keeps extended-public-key functionality, with a security proof that reduces to standard lattice assumptions. Conor emphasized that while lattice-based solutions offer a path to keeping BIP32 features, they come with significant trade-offs, including larger key sizes and a dependence on lattice cryptography, which may not be the preferred choice for every application.
Conor and Antonio discussed the possibility of using ephemeral key derivation with a 500 million direction limit, which Conor confirmed would work alongside an ephemeral scheme. They explored the difficulties with hash-based signatures: Conor explained that replicating the non-hardened derivation for hash-based signatures would be hard because key derivation and public-key generation do not commute, and is likely not feasible without post-quantum algorithms. The group agreed to continue the discussion, including the use of lightweight one-time signatures such as Winternitz or Ed25519, at an in-person meeting in Cannes.
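The commutativity point above, as an added illustration (not code from the paper or from Project 11): non-hardened BIP32 derivation needs a way to turn a parent public key plus a public tweak into the child public key without the secret. A toy linear key (pk = A·s + e mod q, with constructed parameters that are not any real ML-DSA or Raccoon parameter set, and ignoring the norm growth a real scheme must control) has that property; a hash-based key (pk = H(sk)) does not.

```python
import hashlib
import secrets

Q = 3329  # constructed toy modulus, not a real parameter set
N = 4     # constructed toy dimension


def rand_small_vec(bound):
    return [secrets.randbelow(2 * bound + 1) - bound for _ in range(N)]


def matvec(A, v):
    return [sum(A[i][j] * v[j] for j in range(N)) % Q for i in range(N)]


def lattice_public_of(A, s, e):
    # toy linear key: pk = A*s + e (mod q); A is public
    return [(x + y) % Q for x, y in zip(matvec(A, s), e)]


def lattice_child_public(A, pk, tweak):
    # derived from the public key alone: pk + A*tweak (the xpub path)
    return [(x + y) % Q for x, y in zip(pk, matvec(A, tweak))]


def lattice_derivation_commutes(A, tweak):
    """True if deriving via the secret (s + tweak) and via the public key agree."""
    s, e = rand_small_vec(2), rand_small_vec(2)
    pk = lattice_public_of(A, s, e)
    child_s = [a + b for a, b in zip(s, tweak)]           # secret-side derivation
    via_secret = lattice_public_of(A, child_s, e)
    via_public = lattice_child_public(A, pk, tweak)      # public-side derivation
    return via_secret == via_public


def hash_derivation_commutes(tweak):
    """Hash-based keys: the child public key cannot be reached from (pk, tweak)."""
    sk = secrets.token_bytes(32)
    pk = hashlib.sha256(sk).digest()
    child_sk = hashlib.sha256(sk + tweak).digest()       # secret-side derivation
    child_pk = hashlib.sha256(child_sk).digest()
    # the natural public-only attempt does not land on child_pk; there is no
    # homomorphism between the secret update and the public key
    public_only_attempt = hashlib.sha256(pk + tweak).digest()
    return child_pk == public_only_attempt
```

The lattice check holds for any public matrix A, which is exactly the linearity the xpub-style derivation relies on; the hash-based check fails, which is the obstacle discussed for hash-based HD wallets.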
Yannick and Alain from Ledger's security team presented the challenges of implementing post-quantum cryptography in hardware signers. They explained that current post-quantum signature schemes such as Dilithium, SPHINCS+, and Falcon are not well suited to constrained hardware platforms because of their memory requirements and computational demands. Ledger's hardware signers rely on two chips: an MCU (STM32) and a secure element (ST33) with limited resources, including 64 KB of RAM and 1.5 MB of non-volatile memory. The presentation focused on demonstrating the hardware constraints that make post-quantum implementation difficult, after which Yannick handed over to Alain to present preliminary benchmarks of the post-quantum standards running on the ST33.
The team discussed benchmarking results for three post-quantum signature algorithms: Falcon, Dilithium, and SLH-DSA (SPHINCS+). Alain presented findings showing that Falcon had acceptable performance but high memory requirements, while Dilithium offered better security but slower execution times. SLH-DSA showed unacceptable signing times of 6 minutes for basic security levels, making it unsuitable for current devices. Yannick outlined future prospects, noting that the next generation of secure elements will have more memory and hardware acceleration for lattice-based schemes, though the outlook for hash-based signatures remains uncertain. The team identified several next steps, including implementing side-channel attack countermeasures, exploring stateful hash-based signatures, and investigating improvements to the current implementations.