Posted by sipa
Jun 1, 2026/03:08 UTC
The significance of the signature uniqueness flag (SUF) in Bitcoin has notably diminished since the implementation of segregated witness (segwit). Previously, signatures fed into transaction IDs; post-segwit, they no longer do. SUF now serves more as a convenience feature, helping to manage dependent transactions without needing to alter inputs when malleation occurs. Segwit allows dependent transactions to be adjusted even if their parent transactions' signatures are altered; however, these adaptations still require manual intervention.
In discussing the robustness of hybrid cryptographic schemes, it's important to note the vulnerabilities that arise if one component of the hybrid fails. For instance, if a component like secp256k1 is compromised by advances in quantum computing, or if the post-quantum element proves insecure against classical techniques, the integrity of the entire hybrid scheme could be jeopardized. Such failures expose the system to the risk that malicious entities manipulate signatures by substituting their own alternatives for the broken component's part of the signature. This risk is akin to issues present in multisig configurations in Bitcoin, where trust must be placed in co-signers not to substitute their part of the signature.
Moreover, there is an argument concerning whether to adopt hybrid signing methods over deterministic signing algorithms. Deterministic algorithms provide consistency in signature generation, benefiting honest signers by eliminating variability and reducing the possibility of signature malleability by external parties. However, if an adversary were to discover the private key, particularly the segment associated with the vulnerable scheme, they could manipulate signatures at will, irrespective of the signing method the honest signer used.
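The three points above (segwit keeps signatures out of the txid, a hybrid is only as malleability-resistant as its weakest component, and deterministic signing protects honest signers but not against a key holder) can be made concrete with a toy model. The following is an added example written for this summary, not code from sipa's post or from any Bitcoin implementation. It assumes a constructed hybrid in which component A is a Lamport one-time signature (standing in for a hash-based post-quantum scheme) and component B is a Schnorr signature over a deliberately tiny order-q subgroup of Z_p^* with p = 2039, q = 1019, g = 4 (standing in for secp256k1/BIP340; these parameters are insecure and chosen only so the structure is visible). The transaction model with `txid` excluding the witness and `wtxid` including it is likewise a constructed simplification of segwit serialization.

```python
import hashlib
import os
import secrets

# Constructed toy hybrid signature scheme (not code from the original post).
# Component A: Lamport one-time signature (hash-based; stands in for the post-quantum part).
# Component B: Schnorr over a tiny order-q subgroup of Z_p^* (stands in for secp256k1/BIP340).
# The group parameters are far too small to be secure; they only make the structure visible.

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

# ---- component A: Lamport OTS over the 256-bit digest of the message ----
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, msg):
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))

# ---- component B: Schnorr with toy parameters p = 2q + 1, g of prime order q ----
P, Q, G = 2039, 1019, 4

def schnorr_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def schnorr_sign(x, msg, k=None):
    if k is None:  # honest signer: deterministic nonce derived from key and message
        k = int.from_bytes(H(x.to_bytes(2, "big"), msg), "big") % (Q - 1) + 1
    R = pow(G, k, P)
    e = int.from_bytes(H(R.to_bytes(2, "big"), msg), "big") % Q
    return R, (k + x * e) % Q

def schnorr_verify(y, msg, sig):
    R, s = sig
    e = int.from_bytes(H(R.to_bytes(2, "big"), msg), "big") % Q
    return pow(G, s, P) == (R * pow(y, e, P)) % P  # g^s == R * y^e

# ---- hybrid: a signature is valid only if BOTH components verify ----
def hybrid_verify(pk, msg, sig):
    return lamport_verify(pk[0], msg, sig[0]) and schnorr_verify(pk[1], msg, sig[1])

def encode(sig):
    sig_a, (R, s) = sig
    return b"".join(sig_a) + R.to_bytes(2, "big") + s.to_bytes(2, "big")

# ---- minimal segwit-style transaction: witness excluded from txid, included in wtxid ----
def txid(tx):
    return H(H(tx["inputs"] + tx["outputs"])).hex()

def wtxid(tx):
    return H(H(tx["inputs"] + tx["outputs"] + tx["witness"])).hex()

def demo():
    sk_a, pk_a = lamport_keygen()
    x, y = schnorr_keygen()
    pk = (pk_a, y)
    msg = b"constructed sighash: spend input 0 to output 0"
    # Honest signer signs twice: deterministic nonce => identical bytes both times.
    sig1 = (lamport_sign(sk_a, msg), schnorr_sign(x, msg))
    sig2 = (lamport_sign(sk_a, msg), schnorr_sign(x, msg))
    # The "broken component" is modelled as an adversary who has recovered x. They pick
    # a fresh nonce and swap in their own Schnorr part while keeping the Lamport part.
    while True:
        forged_b = schnorr_sign(x, msg, secrets.randbelow(Q - 1) + 1)
        if forged_b != sig1[1]:
            break
    mall = (sig1[0], forged_b)
    tx = {"inputs": b"in0", "outputs": b"out0", "witness": encode(sig1)}
    tx_m = dict(tx, witness=encode(mall))
    return {
        "honest_verifies": hybrid_verify(pk, msg, sig1),
        "honest_deterministic": encode(sig1) == encode(sig2),
        "malleated_verifies": hybrid_verify(pk, msg, mall),
        "malleated_differs": encode(mall) != encode(sig1),
        "txid_unchanged": txid(tx) == txid(tx_m),
        "wtxid_changed": wtxid(tx) != wtxid(tx_m),
        "lamport_rejects_other_msg": not lamport_verify(pk_a, b"other", sig1[0]),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows every flag as True: the honest signer's output is byte-for-byte repeatable, yet an adversary holding the Schnorr key produces a different hybrid signature that still verifies, so the hybrid as a whole is malleable even though the Lamport half is untouched. Because the witness is not part of `txid`, the malleated transaction keeps its txid and only its wtxid changes, which is the segwit property that makes SUF a convenience rather than a necessity. Note also the asymmetry between the two components: for a Lamport signature the valid preimages are fixed by the public key and the message, so the hash-based half offers no room for a second valid signature short of a second-preimage attack, whereas the Schnorr half accepts any nonce and is therefore where uniqueness depends entirely on the signer's discipline and is lost as soon as that key is known.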
Finally, the discussion touches on the potential benefits of space-saving in hybrid schemes. Boris Nagaev suggests an implementation strategy that could integrate BIP340 with a hash-based scheme, possibly adding only 48 bytes of overhead. This proposal hints at a way to enhance efficiency in public key management within blockchain technology, though the specific details and implications of such integration need further scrutiny to evaluate its practicality and security fully.