Hash-based Signature Schemes for Bitcoin

The academic paper underlying the SHRINCS proposal. It applies recent optimizations to SPHINCS+-style (SLH-DSA-style) hash-based signatures and reduces the number of signatures allowed per key, cutting signature size to roughly 324 bytes at NIST security level 1 — reported as several times smaller than ML-DSA and more than an order of magnitude smaller than the standardized SLH-DSA.

Hash-based signatures are attractive for bitcoin because their security rests only on hash-function assumptions, similar to what bitcoin already relies on. The paper is explicit about limitations — key derivation, multi-signatures, and threshold signatures are harder — so it advances the size problem without claiming to settle the design.