PQC: Lattice-based signatures

The recent discussion on the Bitcoin Development Mailing List highlights a creative approach to cryptographic key management, specifically involving the reuse of elliptic curve (EC) nonces in Schnorr signatures. The proposed method involves using the EC nonce as the SHRINCS randomizer, which is an innovative way to optimize resource use while maintaining security integrity. This technique allows the SHRINCS randomizer to be sampled from a pseudorandom function (PRF) that ingests SK.prf and the message to sign. The randomness is preserved even if computational reductions allow for factoring, since the randomizer, represented as xonly(r*G), remains randomly distributed across the secp256k1 curve.

However, concerns were raised about potential security trade-offs when implementing recoverable public key schemes with Schnorr signatures. Specifically, such schemes could hinder key-prefixing, which is crucial for thwarting related-key attacks under BIP32 standards. An alternative suggestion was to consider ECDSA due to its inherent non-linearity, though this would sacrifice the desirable linear properties of Schnorr signatures.

Further technical details included adjustments to the size of the SHRINCS randomizer, reducing it from 32 bytes to 16 bytes. This adjustment aims to align more closely with other cryptographic standards like SLH-DSA and XMSS, thus showcasing a thoughtful integration of traditional and novel cryptographic practices to enhance overall efficiency and security in blockchain technology implementations.