Damus
conduition · 64w
Hey nostr:npub185h9z5yxn8uc7retm0n6gkm88358lejzparxms5kmy9epr236k2qcswrdp, I can't reply on google groups but you should check out my article on hash-based signatures and my DASK proposal, it's very ...
Matt Corallo
Yes, I saw your post, I thought it was quite clever! That said, I think the Taproot approach is slightly cleaner - it allows wallets more flexibility (eg they could use a static PQ key for all their addresses, and no one would ever know unless they were used).

In terms of one-time vs larger-signatures, my mental model here is basically this stuff will only be used on the margin. Wallets that upgrade today and that people don't touch for two decades will be safe, but wallets people are actively using in five or seven years might use other, newer options for PQC. Thus, a bit worse design is fine, if it makes the solution more bulletproof. Now, that said, maybe that's indeed an argument for a single-use scheme, just because it's simpler to implement.
conduition · 64w
I definitely agree, taproot approach is much better. I updated my post to point to yours. DASK is neat but I don't think we need to be that fancy, and your Taproot approach is more soft-fork friendly. I do still think using a lighter-weight signature scheme like WOTS for certification would be bet...