Posted by conduition
May 28, 2026/18:37 UTC
The email discussion revolves around a cryptographic technique that involves computing a specific equation related to BIP340 Schnorr signatures, modified to bind the signature to a hybrid public key (hybrid_pk). This binding prevents related-key attacks and ensures that a valid signature from P cannot be applied to other hybrid keys, even if they commit to the same P. This structure also blocks a cryptographically relevant quantum computer (CRQC) from factoring P until it sees the first signature, enhancing security against certain types of cryptographic attacks.
The implementation discussed would modify batch verification processes, which is considered acceptable in a post-quantum (PQ) cryptography world where different security considerations may apply. Concerns about whether this approach would interfere with xonly arithmetic were also addressed: if the nonce R has odd parity, its sign (and discrete log) should be negated before signing. Encoding x(R) in both the signature and the challenge hash then allows the correct public key to be recomputed, maintaining the integrity of the recovered public key.
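The recover-then-check verification and the hybrid_pk binding described above, as an added example that is not code from the thread or from any proposal. Assumptions: the `hybrid_pk` construction (a tagged hash of x(P) and an opaque PQ public key), the tag strings, and the challenge layout e = H(x(R) || hybrid_pk || msg); the nonce is passed in only to make the demo reproducible.

```python
import hashlib

p = 2**256 - 2**32 - 977  # secp256k1 field prime; n is the group order
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    lam = (3 * A[0] ** 2 * pow(2 * A[1], -1, p) if A == B
           else (B[1] - A[1]) * pow((B[0] - A[0]) % p, -1, p)) % p
    x = (lam * lam - A[0] - B[0]) % p
    return x, (lam * (A[0] - x) - A[1]) % p

def mul(k, A):  # double-and-add; not constant time, demo only
    R = None
    while k:
        R, A, k = (add(R, A) if k & 1 else R), add(A, A), k >> 1
    return R

def lift_x(x):  # point with this x and even y, or None if x is not on the curve
    c = (pow(x, 3, p) + 7) % p
    y = pow(c, (p + 1) // 4, p)
    return None if x >= p or y * y % p != c else (x, y if y % 2 == 0 else p - y)

def H(tag, *parts):  # BIP340-style tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + b"".join(parts)).digest()
def hybrid_pk(px, pq_pk):  # ASSUMED commitment to x(P) and a PQ public key
    return H("demo/hybrid_pk", px.to_bytes(32, "big"), pq_pk)
def challenge(rx, hpk, msg):  # e binds x(R), hybrid_pk and the message
    return int.from_bytes(H("demo/challenge", rx.to_bytes(32, "big"), hpk, msg), "big") % n

def sign(d, k, hpk, msg):
    d = n - d if mul(d, G)[1] & 1 else d  # x-only P: sign with the even-y key
    k = n - k if mul(k, G)[1] & 1 else k  # odd R: negate the nonce first
    rx = mul(k, G)[0]
    return rx, (k + challenge(rx, hpk, msg) * d) % n  # signature is (x(R), s)

def verify(sig, pq_pk, hpk, msg):  # recover P = e^-1 (sG - R), then check the commitment
    (rx, s), R = sig, lift_x(sig[0])
    e = challenge(rx, hpk, msg) if R else 0
    if not e or s >= n:
        return False
    P = mul(pow(e, -1, n), add(mul(s, G), (R[0], p - R[1])))
    return P is not None and hybrid_pk(P[0], pq_pk) == hpk
```

Because the challenge hashes hybrid_pk, verifying the same signature against a second hybrid key that commits to the same P yields a different e, so the recovered point is unrelated to P and the commitment check fails.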
Further details include an analysis of the potential space savings in blockchain transactions using this hybrid cryptographic method compared to traditional approaches. By removing certain components like the SHRINCS randomizer and the Schnorr public key, approximately 48 bytes can be saved compared to a naive two-opcode script. However, when compared to bare SHRINCS, this new method might require an additional 48 bytes due to the inclusion of Schnorr's s and R components.
Despite these technical advantages, there remains some skepticism about the widespread adoption of hybrid scripts. It is suggested that most users might not use hybrid scripts at all, preferring instead to use hybrid Pay-to-Merkle Root trees (P2MR) with one leaf per signature algorithm. This perspective suggests that while the proposed hybrid scheme has merits, its practical application and user acceptance need careful consideration.
Thread Summary (15 replies)
May 19 - May 21, 2026
16 messages • 15 replies