> On 23 Dec 2020, at 12:30, Martin Schanzenbach <[email protected]> wrote:
>> You only need the commutative diagram of compatible public and
>> private derivation paths if you give someone else the power to derive
>> your new public key for you, and then you later derive its secret
>> key. This means the randomness cannot be trusted, well unless you
>> use fancy zk proofs like MuSig-DN does.
>
> But they do. See also 4.3 last paragraph for more details on how a
> counter could be used for hot wallets.
There are no known nice lattice-based VRFs, much less "verifiably produce a secret scalar" like what MuSig-DN does. All elliptic curve protocols like MuSig-DN need general purpose NIZKs with thousands of constraints, so all require pairing-based SNARK with a trusted setup, or very large proofs (bulletproofs).

I have not looked closely at 4.2 but it seemingly talks about the usual lattice based distribution issues. This is not remotely the same problem. The adversary can sample according to any rules they like but do so repeatedly until they find something they like. As I said, they assume honest randomness, but soft key derivations have no honest randomness.

Jeff