I don’t think regular PQC signature schemes have any use in post-quantum blockchains given the general desire to also prove them in zero-knowledge. zkSTARKs can make HMAC asymmetric with a very cheap and simple circuit. The resulting zkSTARK would be larger than a regular PQC signature, but unlike the latter you would be able to aggregate it and wrap it inside a larger zkSTARK that proves the whole block. We’re discussing that scheme in this thread, and I think that’s what Ethereum will use in the future, because you should think about the zero-knowledge roadmap, not just the quantum-safety roadmap. @vbuterin has explicitly written that he wants all consumer devices (including low-end ones) to be able to validate blocks in a matter of milliseconds; you need zkSTARKs for that.