Super cool work on the NTT precompile @rdubois-crypto. Just purely evaluating PQ signatures by EVM verification gas cost, I think one would choose WOTS+ (cca. 200k gas). One-time signatures (OTS) have already allowed us to survive in a post-quantum world since one can always sign the public key of the next transaction. Though, OTSs do not allow, for instance, “replace by fee” mechanism, since one would need to sign with the same secret key multiple times. Therefore, transactions could get stuck in the mempool, as this was previously observed in the Bitcoin community. I believe XMSS is on par with Falcon in terms of verification gas cost. I also think that MAYO (and possibly other 2nd round NIST contenders as well) might be good candidates given the upcoming EVM upgrades, e.g., SIMD operations for the EVM or EOF.
(lol. just realised that @CPerezz already brought this up above)
I want to bring in a new perspective to evaluate/benchmark PQ signature schemes that previously (at least not in this thread) were not considered in detail. It might be worthwhile to anticipate that people also want to use these signature schemes in (zero-knowledge) proof systems to prove various statements. So, it would also be interesting to evaluate the ZK/MPC circuit-friendliness of the above-discussed verification algorithms and, put differently, how amenable they are to proof systems. I’d assume that hash-based signatures will compose well with hash-based proof systems, while FALCON and DILITHIUM may perform better when proven with lattice-based proof systems. (???) It’d be cool to have a concrete analysis on this.