Remember kids, in the Schnorr family of signatures, nonces are *fragile*, not robust. Bias them by a few bits and you're in serious danger from lattice attacks. Generating them with an algo where half the bits are public knowledge could be considered ... inadvisable.
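An added example, not from the original post, contrasting a hash-derived nonce with a constructed generator that leaks its top bits, plus a simple bias check a signing library could run on its own nonce source (secp256k1's group order is used as the modulus; the function names and the check threshold are my own assumptions):

```python
import hashlib
import os

# Order of secp256k1 (the group behind BIP340 Schnorr and ETH/nostr keys).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
NBITS = N.bit_length()  # 256


def safe_nonce(secret: int, msg: bytes) -> int:
    """Deterministic, hash-derived nonce (RFC 6979 / BIP340 spirit, simplified).

    Hashing key||msg to 512 bits and reducing mod N keeps the modular bias
    below 2^-256, so no bit of k is predictable to an observer.
    Assumption: illustrative construction, not a drop-in for a standard.
    """
    ctr = 0
    while True:
        data = b"nonce" + secret.to_bytes(32, "big") + ctr.to_bytes(4, "big") + msg
        k = int.from_bytes(hashlib.sha512(data).digest(), "big") % N
        if k != 0:
            return k
        ctr += 1  # k == 0 is astronomically unlikely; retry anyway


def biased_nonce(leaked_bits: int) -> int:
    """Constructed *bad* generator: the top `leaked_bits` bits are always zero,
    i.e. partially known to everyone, which is what lattice (HNP) attacks need."""
    k = int.from_bytes(os.urandom(32), "big") >> leaked_bits
    return k or 1


def top_zero_fraction(nonces, bits: int) -> float:
    """Fraction of nonces whose top `bits` bits (of the NBITS-bit range) are zero.
    Uniform nonces give about 2**-bits; a generator leaking those bits gives 1.0."""
    return sum(1 for k in nonces if k >> (NBITS - bits) == 0) / len(nonces)


def bias_check(nonces, bits: int = 4, tolerance: float = 3.0) -> bool:
    """Sanity check: flag the generator if the zero-prefix rate exceeds
    `tolerance` times the rate a uniform nonce would show."""
    return top_zero_fraction(nonces, bits) <= tolerance * 2 ** -bits


if __name__ == "__main__":
    secret = int.from_bytes(os.urandom(32), "big") % N or 1
    good = [safe_nonce(secret, b"msg %d" % i) for i in range(2000)]
    bad = [biased_nonce(4) for _ in range(2000)]
    print("hash-derived nonces pass bias check:", bias_check(good))  # True
    print("4-bit-biased nonces pass bias check:", bias_check(bad))   # False
```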
Discussion
What? TLDR?
Considering that a 4-bit bias is feasible to compute in a reasonable timeframe and at reasonable cost, and that <1 bit is the real statistical LLL threat, we should add to Schnorr and ECDSA, even with det, a disclaimer: never sign more than ... times with the same key. I wonder how many crypto K... (ETH, nostr et al.) can guess ... correctly.
I had the same thought, especially about nostr. It might push these schemes a bit beyond their acceptable limit.
Sorry for late reply, only now getting the feed properly stable.