There is a (kind of) new paper which shows how to do the blinding (we do not really need a full-blown HDKD scheme) for current PQ signature schemes: https://eprint.iacr.org/2021/963.pdf
They also have (C-based) implementations, which is nice.
BR

> On 23. Dec 2020, at 14:20, Jeff Burdges <[email protected]> wrote:
>
>> On 23 Dec 2020, at 12:30, Martin Schanzenbach <[email protected]> wrote:
>>> You only need the commutative diagram of compatible public and private derivation paths if you give someone else the power to derive your new public key for you, and then you later derive its secret key. This means the randomness cannot be trusted, well unless you use fancy zk proofs like MuSig-DN does.
>>
>> But they do. See also 4.3 last paragraph for more details on how a counter could be used for hot wallets.
>
> There are no known nice lattice-based VRFs, much less "verifiably produce a secret scalar" like what MuSig-DN does. All elliptic curve protocols like MuSig-DN need general purpose NIZKs with thousands of constraints, so all require pairing-based SNARK with a trusted setup, or very large proofs (bulletproofs).
>
> I have not looked closely at 4.2 but it seemingly talks about the usual lattice based distribution issues. This is not remotely the same problem. The adversary can sample according to any rules they like but do so repeatedly until they find something they like.
>
> As I said, they assume honest randomness, but soft key derivations have no honest randomness.
>
> Jeff
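The "commutative diagram of compatible public and private derivation paths" discussed in the quoted exchange is the property that deriving a child public key from the parent public key, and deriving the child secret key from the parent secret key, land on the same key pair. The following is an added illustration (not code from the thread, the paper or any project), written over a toy prime-order discrete-log group with constructed parameters; it also shows why a soft derivation tweak is computable by anyone from public data alone, which is the "no honest randomness" point above, and contrasts it with a hardened derivation that has no public-only path.

```python
import hashlib

# Constructed toy group: safe prime P = 2*Q + 1, generator G of the order-Q
# subgroup of quadratic residues. Far too small for real use; illustration only.
P = 2879
Q = 1439
G = 4
assert pow(G, Q, P) == 1  # G really has order Q


def keygen(seed: bytes):
    """Derive a parent key pair (sk, pk = G^sk) from a seed."""
    sk = int.from_bytes(hashlib.sha256(seed).digest(), "big") % Q
    return sk, pow(G, sk, P)


def tweak(pk: int, index: int) -> int:
    """Soft-derivation tweak. Note: depends only on PUBLIC data (pk, index),
    so any party holding pk can compute it, and can try many indices."""
    data = pk.to_bytes(2, "big") + index.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def derive_public(pk: int, index: int) -> int:
    """Public path: pk_child = pk * G^tweak. Needs no secret."""
    return (pk * pow(G, tweak(pk, index), P)) % P


def derive_secret(sk: int, pk: int, index: int) -> int:
    """Secret path: sk_child = sk + tweak (mod Q)."""
    return (sk + tweak(pk, index)) % Q


def diagram_commutes(seed: bytes, index: int) -> bool:
    """Check G^(sk_child) == pk_child, i.e. the two paths agree."""
    sk, pk = keygen(seed)
    return pow(G, derive_secret(sk, pk, index), P) == derive_public(pk, index)


def hardened_child_secret(sk: int, index: int) -> int:
    """Hardened derivation: the tweak mixes in the secret, so there is no
    corresponding public-only derivation and the diagram does not exist."""
    data = sk.to_bytes(2, "big") + index.to_bytes(4, "big")
    return (sk + int.from_bytes(hashlib.sha256(data).digest(), "big")) % Q
```

The additive structure (scalar addition on the secret side, group multiplication on the public side) is exactly what makes the diagram commute for discrete-log schemes; the thread's point is that lattice-based schemes lack a comparable structure with honest, verifiable randomness.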