Posted by Nagaev Boris
May 28, 2026/05:48 UTC
A recent bitcoin-dev proposal for hybrid post-quantum (PQ) plus elliptic-curve (EC) signatures changes one detail of BIP340-style Schnorr signatures, with the stated aim of ruling out related-key attacks: what the challenge hash commits to. In BIP340 the challenge is computed over the nonce point R, the raw EC public key P and the message, so the key prefix is the raw P. The proposal instead prefixes the challenge with a hybrid public key that combines the PQ root and P, so the challenge commits to the whole hybrid key rather than to P alone.
Because the hybrid key is a function of P, any change to P changes the hybrid key and therefore the challenge. This is what blocks related-key conversion: a signature produced under one BIP32-derived key cannot be turned into a valid signature under a sibling key from the same derivation family, because the sibling's challenge would differ. The same change binds the message hash to the final hybrid key rather than to the standalone PQ key, so the PQ component cannot be stripped out of a hybrid signature and reused on its own; the EC and PQ signatures are effectively glued together.
The change departs from current practice and would need a full formal security analysis before adoption. It does, however, leave the Schnorr signing equation linear in the secret key, which is what aggregation protocols such as MuSig2 and FROST rely on, so the hybrid construction should remain compatible with those frameworks even though it alters what the challenge commits to.
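The two mechanisms above, the key commitment in the challenge and the linearity that an attacker exploits, can be demonstrated in a few dozen lines. The following is an added example written for this page, not code from the proposal or from any Bitcoin project. It is a simplified single-signer Schnorr over secp256k1 (full-point encodings, no x-only keys, so it is not byte-compatible with BIP340), and it assumes one possible way of forming the hybrid key, a hash over the PQ root and P; the proposal's actual encoding is not given in the summary. The secret key, BIP32-style additive tweak and PQ root are constructed inputs. It runs the related-key conversion under three prefix rules: no key in the challenge (the insecure baseline), raw P (BIP340-style) and the hybrid key.

```python
"""Added example: why key-prefixing the Schnorr challenge blocks related-key
conversion.  Toy Schnorr over secp256k1, simplified and NOT BIP340-compatible.
The hybrid prefix is an assumed combination of a PQ root and P."""
import hashlib
from typing import Optional, Tuple

# secp256k1 field prime, group order and generator
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity


def point_add(a: Point, b: Point) -> Point:
    """Affine addition (and doubling); handles infinity and inverse points."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def scalar_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(pt: Point) -> bytes:
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def tagged_hash(tag: str, *parts: bytes) -> int:
    """BIP340-style tagged hash, reduced to a scalar mod the group order."""
    t = hashlib.sha256(tag.encode()).digest()
    return int.from_bytes(hashlib.sha256(t + t + b"".join(parts)).digest(), "big") % N_ORDER


# Three rules for the key commitment that prefixes the challenge hash.
def no_prefix(pq_root: bytes, pub: Point) -> bytes:
    return b""                       # challenge ignores the key: insecure baseline

def raw_key_prefix(pq_root: bytes, pub: Point) -> bytes:
    return encode(pub)               # BIP340-style: commit to P only

def hybrid_prefix(pq_root: bytes, pub: Point) -> bytes:
    # ASSUMPTION: hybrid key = H(pq_root || P); any change to P changes it.
    return hashlib.sha256(b"toy/hybridkey" + pq_root + encode(pub)).digest()


def sign(x: int, prefix: bytes, msg: bytes):
    """s = k + e*x with e = H(R || prefix || msg); linear in x, as Schnorr always is."""
    k = tagged_hash("toy/nonce", x.to_bytes(32, "big"), prefix, msg)
    R = scalar_mul(k, G)
    e = tagged_hash("toy/challenge", encode(R), prefix, msg)
    return R, (k + e * x) % N_ORDER


def verify(pub: Point, prefix: bytes, msg: bytes, sig) -> bool:
    R, s = sig
    e = tagged_hash("toy/challenge", encode(R), prefix, msg)
    return scalar_mul(s, G) == point_add(R, scalar_mul(e, pub))


def related_key_convert(sig, parent_prefix: bytes, msg: bytes, tweak: int):
    """Attacker: for the child key x' = x + t (BIP32-style additive tweak),
    s' = s + e*t is valid for the child iff the child's challenge equals e."""
    R, s = sig
    e = tagged_hash("toy/challenge", encode(R), parent_prefix, msg)
    return R, (s + e * tweak) % N_ORDER


def conversion_succeeds(prefix_fn) -> bool:
    """Run the conversion attack under one prefix rule on constructed inputs."""
    x = int.from_bytes(hashlib.sha256(b"constructed secret key").digest(), "big") % N_ORDER
    tweak = tagged_hash("toy/bip32-tweak", b"constructed chain code")   # constructed tweak
    pq_root = hashlib.sha256(b"constructed PQ root").digest()           # constructed PQ root
    msg = b"spend utxo 0"
    pub = scalar_mul(x, G)
    child_pub = point_add(pub, scalar_mul(tweak, G))                    # P' = P + t*G
    sig = sign(x, prefix_fn(pq_root, pub), msg)
    if not verify(pub, prefix_fn(pq_root, pub), msg, sig):
        raise RuntimeError("honest signature must verify")
    forged = related_key_convert(sig, prefix_fn(pq_root, pub), msg, tweak)
    return verify(child_pub, prefix_fn(pq_root, child_pub), msg, forged)


if __name__ == "__main__":
    for fn in (no_prefix, raw_key_prefix, hybrid_prefix):
        print(f"{fn.__name__:>15}: conversion {'WORKS' if conversion_succeeds(fn) else 'blocked'}")
```

Without a key commitment the attacker's recomputed e equals the verifier's, so s + e*t is a valid signature under the sibling key, exactly the conversion the summary describes. With either the raw-P or the hybrid prefix the sibling's challenge is a different hash and the forged signature fails. Note that the attacker's step is pure scalar arithmetic on s, which is the same linearity that MuSig2 and FROST build on; the hybrid prefix removes the attack without touching that equation.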
Thread summary: 16 messages (15 replies), May 19 - May 21, 2026