Justin Drake
Podcast Appearances
And there's not that many post-quantum SNARKs that we know about.
It's basically one major family, which is the hash-based SNARKs.
So the basic idea is that you take individual post-quantum signatures, and then you prove knowledge of all of these signatures to end up with a final SNARK proof.
Now, if you're going to go with the hash-based SNARKs, you might as well also go with the hash-based leaf signatures, the unaggregated raw signatures.
And the reason is that this gives you simplicity and security benefits.
It is the most minimal security assumptions that you can have where you're just assuming that your hash function is secure.
And in the world of blockchains, hash functions are sunk costs.
We have them everywhere, you know, for building blocks and Merkle trees and state trees and blockchains where the chaining is done with hashes.
And so the Ethereum Foundation has put in a lot of effort to start with hash-based signatures and make sure to make them as SNARK-friendly as possible so that the cost of aggregation is as low as possible.
And I'm pleased to report that the performance of this approach is actually good enough for all of the blockchains.
So whatever the throughput of your chain is, you can have an aggregator on reasonable hardware, for example, on a laptop CPU that can just be aggregating all these transactions and producing a final proof that gets accompanied with the block.
And one of the ironic things about this approach is that it's actually a scalability increase relative to what we have today.
And the reason is that you don't have the fixed cost of 64 bytes per transaction.
The transactions have like zero bytes of signature data, and then you have this one master signature which gets amortized away across all of the transactions in the block.
And just like Satoshi with ECDSA set a de facto standard for the whole industry.
And we basically copied even the curve, the K1 curve, which is very unusual to pick with Satoshi.
No one knows why he picked that curve, but that became the de facto standard.
I think there's an opportunity for Ethereum to be a first mover and set the de facto standard.