[Cryptography] Opinions on signatures algorithms for post-quantum crypto?

Zooko Wilcox-OHearn zooko at leastauthority.com
Wed Dec 9 02:09:21 EST 2015


Disclaimer #1: I'm one of the authors of SPHINCS: http://sphincs.cr.yp.to/

Disclaimer #2: I don't really deserve to be—the other authors are the
smart ones.

I don't disagree with what's already been written on this thread,
including about the efficiency issues of SPHINCS — it has large
signature sizes.

I just want to add that SPHINCS is a safer digsig algorithm than any
known alternative *even* if there will never be a large quantum
computer.

That's because all the alternatives can be broken by *either*
second-preimage attack on the hash function (message-representative),
or a mathematical breakthrough against the asymmetric primitive, but
SPHINCS can be broken *only* by a second-preimage attack on the hash
function.

Here's my attempt at encoding a 2-D matrix into text suitable for this list:

digsig type             today   quantum computer   asymmetric crypto breakthrough   second-preimage attack
current mainstream (*)  safe    unsafe             unsafe                           unsafe
post-quantum (**)       safe    safe               unsafe                           unsafe
SPHINCS                 safe    safe               safe                             unsafe

(*)  RSA, DSA, ECDSA, Ed25519, etc.
(**) McEliece, NTRUsign, LWE, Ring-LWE, Lattice-based signatures,
     code-based signatures, Rainbow, multivariate-quadratic, etc.

Note that no secure hash function has *ever* proven vulnerable to a
second-preimage attack, except Snefru, which was invented by Ralph
Merkle in 1990 and broken by Eli Biham and Adi Shamir's discovery of
differential cryptanalysis in 1991.

Every other secure hash function that has ever been seriously
proposed, even weak little old MD5, is still completely immune to
second-preimage attacks as far as we know.

So I feel pretty confident that SPHINCS is a safer digital signature
algorithm than any other alternative currently known.

Sincerely,

Zooko
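Added illustration, not part of Zooko's post and not SPHINCS code: a toy Lamport one-time signature over SHA-256, the simplest hash-based scheme, showing why the only attack surface is the hash function. Verification is nothing but hashing and comparing, and a forger who holds one signature must either invert the hash at an unrevealed key half or find a second preimage of the signed message's digest; SPHINCS is a far more elaborate many-time construction (Merkle trees, bitmasks), so this is the underlying principle, not its design.

```python
# Toy Lamport one-time signature over SHA-256 (added example, not SPHINCS).
# The secret key is 2*256 random 32-byte strings, the public key is their
# hashes, and a signature reveals one secret per bit of H(message).
import hashlib
import secrets

N = 256  # number of digest bits signed (SHA-256 output length)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(digest: bytes):
    # Big-endian bit expansion of a 32-byte digest into N ints (0 or 1).
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def keygen(rng=secrets.token_bytes):
    # sk[i][b] is a random secret; pk[i][b] = H(sk[i][b]) is published.
    sk = [[rng(32), rng(32)] for _ in range(N)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk

def sign(sk, message: bytes):
    # For every bit of H(message), reveal the secret matching that bit value.
    return [sk[i][b] for i, b in enumerate(bits(H(message)))]

def verify(pk, message: bytes, sig) -> bool:
    # Only hash evaluations and comparisons: no algebraic structure to attack.
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][b]
               for i, (b, s) in enumerate(zip(bits(H(message)), sig)))

def forgeable_from_revealed(signed_messages, target: bytes) -> bool:
    # A forger who only saw signatures on `signed_messages` can sign `target`
    # without attacking H iff every (position, bit) of H(target) has already
    # been revealed. With a single signature on m that means H(target) == H(m),
    # i.e. a second preimage; with two signatures the key is burnt (one-time).
    revealed = set()
    for m in signed_messages:
        revealed.update(enumerate(bits(H(m))))
    return all((i, b) in revealed for i, b in enumerate(bits(H(target))))

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"      # constructed sample input
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("forgeable without hash attack:",
          forgeable_from_revealed([msg], b"some other message"))
```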

