Replying to Avatar Mike Dilger ☑️

PQ cryptography has all kinds of wild key sizes and signature sizes, some very large.

For Mosaic I've been ruminating about multiple algorithms (in support of nostr backwards compatibility) and from that considering not storing keys or signatures in the records themselves, but rather just hashes of these. Then you look up the keys and the signature by their hash on a keyserver (also serving signatures). Self-hosters would run their own keyserver. Separating large keys saves data by not repeating them, but separating large signatures does not since every record has to have a distinct signature... but in PQ cryptography it is usually the signatures that are wildly large. So it unfortunately doesn't quite fit my idea.
Avatar
Garbage nsec 5mo ago 💬 2

How large is wildly large for the signatures?

Reply to this note

Please Login to reply.

Discussion

Avatar
Daniel Wigton 5mo ago 💬 1

40kB for a "short" signature.

Avatar
Garbage nsec 5mo ago 💬 1

Dang.

Gemini is suggesting FALCON-512 as the most efficient option at around 666 bytes for the sig, with public key itself ~897 bytes (okay still 10x sig size vs K1 but...). Is that flat out wrong or are there some tradeoffs that come with PQ and these "shorter" ones?

Avatar
Mike Dilger ☑️ 5mo ago

The sizes of the keys and signatures aren't even the most important factor. Security of the algorithm comes first. And I just don't know enough.

All I really care about is flexibility at this point -- make things work with any key size and any signature size and any algorithm, so that it is PQ ready, without actually making any choices right now. I'm hoping the cryptographers make better stuff in the future before we need these.