Re: Post-quantum secure hierarchical deterministic key derivation

From: Schanzenbach, Martin
Subject: Re: Post-quantum secure hierarchical deterministic key derivation
Date: Wed, 19 Jan 2022 10:16:11 +0000
There is a (kind of) new paper which shows how to do the blinding (we do not
really need a full blown HDKD scheme) for current PQ signature schemes:
https://eprint.iacr.org/2021/963.pdf
They also have (C-based) implementations, which is nice.
BR
> On 23. Dec 2020, at 14:20, Jeff Burdges <burdges@gnunet.org> wrote:
>
>> On 23 Dec 2020, at 12:30, Martin Schanzenbach <mschanzenbach@posteo.de>
>> wrote:
>>> You only need the commutative diagram of compatible public and
>>> private derivation paths if you give someone else the power to derive
>>> your new public key for you, and then you later derive its secret
>>> key. This means the randomness cannot be trusted, well unless you
>>> use fancy zk proofs like MuSig-DN does.
>>
>> But they do. See also 4.3 last paragraph for more details on how a
>> counter could be used for hot wallets.
>
> There are no known nice lattice-based VRFs, much less "verifiably produce a
> secret scalar" like what MuSig-DN does. All elliptic curve protocols like
> MuSig-DN need general purpose NIZKs with thousands of constraints, so all
> require pairing-based SNARK with a trusted setup, or very large proofs
> (bulletproofs).
>
> I have not looked closely at 4.2 but it seemingly talks about the usual
> lattice based distribution issues. This is not remotely the same problem.
> The adversary can sample according to any rules they like but do so
> repeatedly until they find something they like.
>
> As I said, they assume honest randomness, but soft key derivations have no
> honest randomness.
>
> Jeff
>