Posted by conduition
Jun 5, 2026/23:29 UTC
Boris Nagaev has proposed a way of hybridizing BIP340 with a hash-based scheme that adds only 48 bytes of overhead. However, following discussions with Jonas Nick, it was determined that the hybrid public key (PK) root would need to be expanded from its initial size to 32 bytes to prevent related-key collision attacks. With that adjustment, the byte savings shrink to just 32 bytes compared to a straightforward concatenated-signature approach.
The hybrid scheme discussed does not offer black-box compatibility, and taking other factors into account, the BoP2 scheme appears to be the better basis for a robust hybrid. The discussion also addresses deterministic signing, which constrains honest signers but does little against adversaries who hold the private keys. If one of the constituent schemes fails, for instance secp256k1 being broken by a CRQC (cryptographically relevant quantum computer), or a post-quantum scheme turning out to be classically insecure, an adversary could malleate a hybrid signature by substituting the compromised component.
There is a particular vulnerability to classical adversaries who can see multiple signatures on the same message: they can produce a malleated signature by mixing and matching components from different signatures. This risk can be mitigated by ensuring that honest signers produce exactly one signature per message, for example through deterministic signing. Quantum adversaries complicate the picture further, which calls for a more unified construction such as BoP2 to counter signature malleation effectively. Despite these concerns, the likelihood of hybrid script issues arising remains low, so there is limited urgency to invest heavily in hybrid signing schemes without clear and compelling use cases. The 32-byte reduction in overhead, while appealing, may not justify the effort in the absence of significant applications.
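The mix-and-match malleation and the deterministic-signing mitigation described above, modelled as an added example that is not from the original post: a concatenated hybrid signature verified component-wise, with a toy HMAC-based stand-in for each constituent scheme (constructed purely for illustration, not Schnorr or a hash-based signature; every name here is hypothetical).

```python
import hashlib
import hmac
import os

# Toy stand-in for each constituent scheme: an HMAC "signature" (nonce, tag)
# over a symmetric key. Constructed for illustration only; it models the
# randomized-vs-deterministic signing distinction, nothing more.

def component_sign(key: bytes, msg: bytes, nonce: bytes) -> tuple:
    tag = hmac.new(key, nonce + msg, hashlib.sha256).digest()
    return (nonce, tag)

def component_verify(key: bytes, msg: bytes, sig: tuple) -> bool:
    nonce, tag = sig
    expected = hmac.new(key, nonce + msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def pick_nonce(key: bytes, msg: bytes, deterministic: bool) -> bytes:
    # Deterministic: nonce derived from (key, msg), so an honest signer emits
    # exactly one signature per message. Randomized: fresh nonce every call.
    if deterministic:
        return hashlib.sha256(b"nonce" + key + msg).digest()[:16]
    return os.urandom(16)

def hybrid_sign(key_a: bytes, key_b: bytes, msg: bytes, deterministic: bool = False) -> tuple:
    # Concatenated hybrid: (sig_A, sig_B), each component produced independently.
    sig_a = component_sign(key_a, msg, pick_nonce(key_a, msg, deterministic))
    sig_b = component_sign(key_b, msg, pick_nonce(key_b, msg, deterministic))
    return (sig_a, sig_b)

def hybrid_verify(key_a: bytes, key_b: bytes, msg: bytes, hsig: tuple) -> bool:
    # Component-wise verification: nothing binds sig_A to this particular sig_B.
    sig_a, sig_b = hsig
    return component_verify(key_a, msg, sig_a) and component_verify(key_b, msg, sig_b)

def splice_verifies(key_a: bytes, key_b: bytes, msg: bytes, deterministic: bool) -> bool:
    # Property check for a hybrid composition: given two honest signatures on
    # the same message, does taking sig_A from one and sig_B from the other
    # yield a third valid signature the signer never produced?  True means the
    # composition is malleable to anyone who observes both signatures; with
    # deterministic signing the two honest signatures coincide and no new
    # signature can be assembled.
    s1 = hybrid_sign(key_a, key_b, msg, deterministic)
    s2 = hybrid_sign(key_a, key_b, msg, deterministic)
    spliced = (s1[0], s2[1])
    return hybrid_verify(key_a, key_b, msg, spliced) and spliced not in (s1, s2)
```

Note that the deterministic variant only removes the honest-signer source of distinct signatures; it does nothing once an adversary can produce one component themselves, which is the failure mode the post attributes to a broken constituent scheme.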