Posted by sipa
May 22, 2026/21:44 UTC
A recent paper presented at EuroCrypt 2026 explores a significant question in post-quantum cryptography (PQC) and signature schemes: how to combine two distinct signature schemes, one Schnorr-like and the other an arbitrary PQC scheme, into a hybrid that is both unforgeable and non-malleable. The question is particularly relevant given the growing interest in PQC signature schemes within cryptographic communities.
The paper introduces a hybrid scheme called BoP-2. The goal is a signature system that is unforgeable as long as at least one of the two component schemes remains secure, and that is also non-malleable. The conventional approach of signing the message with both schemes and concatenating the two signatures does give unforgeability, but it is malleable: if one of the schemes is broken, an attacker who holds a valid hybrid signature can replace the component produced by the broken scheme with a different valid one without touching the other component, yielding a second valid signature on the same message (a "mauled" signature).
The BoP-2 scheme works by generating a random nonce and producing a composite signature that combines elements of both the Schnorr-like signature and the arbitrary PQC signature. Specifically, it computes a hash over the message and parts of both signatures, uses that hash to modify the nonce in a specific way, and then combines the result with the private key of the Schnorr scheme to produce the final signature. As a consequence, the verifier must recover certain signature parameters (such as the random nonce) during verification. This adds a layer of security, but it sacrifices batch verifiability and slightly increases the signature size.
The approach is notable for relying on the information-theoretic commitment properties of the PQC component of the signature, so its non-malleability does not depend solely on the computational hardness of the underlying algorithms. This makes BoP-2 a promising candidate for applications where robustness against quantum attacks is crucial.