2020.10.29 16:45:46 (1321840658517164032) from Daniel J. Bernstein:
If someone is worried that hashcash drops from pre-quantum security 2^n to post-quantum security 2^(n/2), why address this with lattices as in https://eprint.iacr.org/2020/1362 rather than symmetric techniques? Search for, e.g., 2n-bit hash collisions, and rely on https://cr.yp.to/papers.html#collisioncost.
2020.10.29 17:18:04 (1321848787283791872) from Daniel J. Bernstein:
There are many other applicable symmetric techniques: e.g., typical password-hashing functions will be super-expensive to compute reversibly. Lattices create unnecessary security risks and in any case make the security analysis vastly more complicated. What's the claimed benefit?