2020.02.17 19:40:36 (1229475752862605312) from Daniel J. Bernstein, replying to "Sam (@sam280)" (1228461409119408131):
Compare that figure to the publicly verifiable sphincss128sha256simple benchmarks in https://bench.cr.yp.to/results-sign.html#amd64-hiphop: 8080-byte sigs, 914806052 cycles to sign, just 2688952 cycles to verify. If you aren't scared of non-standard hashes, sphincss128harakasimple is 613576 cycles to verify.
2020.02.17 20:08:09 (1229482685401194496) from Daniel J. Bernstein:
My main concerns with Picnic, PorcRoast, etc. are the unstable security story for MPC-friendly primitives and the weak evidence for signature security (issues: many hashes; many targets; quantum attacks) even if primitive is secure. But they should also admit the verify slowdown.
2020.02.15 00:29:58 (1228461409119408131) from "Sam (@sam280)":
Porcroast claims to be the most efficient post-quantum digital signature scheme based on symmetric primitives: https://eprint.iacr.org/2020/128