Why does IOTA use a post-quantum signature scheme?

Question

There is an existing question about why Iota chose their specific post-quantum signature scheme. But my question is, why use a post-quantum signature scheme at all? Were the motivations discussed anywhere?

My understanding is that many of IOTA's unique design choices were driven by a need for performance on resource-constrained IoT/embedded devices. But as far as I know (perhaps not far), post-quantum schemes have worse performance characteristics than the schemes they're replacing, increasing the bandwidth and memory requirements for these devices. It may not be a huge difference, but other performance choices like the use of ternary were seen as worthwhile despite the benefits being relatively small.

(Post-quantum schemes are certainly cool. Like many people, I "independently re-invented" (ha!) a Lamport-style signature scheme when studying undergrad cryptography, and it was fascinating. But I assume "it's cool!" is not the reason here.)

What benefits justified the performance and immaturity costs of a post-quantum scheme?

Answer 1

While it's true that many of IOTA design choices were made with IoT devices in mind, it's important to note that being future proof is also a very important feature of the project.

Admittedly, many of the current choices could seem overthought - and impractical - for today's use (namely ternary system and quantum proof algorithms). But the rise of quantum computing and the potential beginning of a ternary processor era might justify these choices in the years to come.

The developers probably want to avoid ending up like large scale blockchains in the long run (like Bitcoin) : slow and limited by design.

---

On a side note, one could argue that we may never see QC and ternary CPUs, thus reducing the benefits of IOTA choices, but that's another topic.