Constant-time implementation with security proof #94

Open
sander opened this issue Jan 20, 2025 · 0 comments
sander commented Jan 20, 2025

Discussed during the 2025-01-20 meeting with @mickrau and @emlun: we may replace:

def DeriveBlindingFactor(bk, ctx) =
    HashToScalar(bk || 0x00 || ctx)
def BlindPublicKey(pk, bk, ctx) =
    blind pk using DeriveBlindingFactor(bk, ctx)
def BlindPrivateKey(sk, bf) =
    Combine(sk, bf) mod Order()

with:

def DeriveBlindingFactor(pk, bk, ctx) =
    HashToScalar(bk || 0x00 || SerializeElement(pk) || ctx)
def BlindPublicKey(pk, bk, ctx) =
    blind pk using DeriveBlindingFactor(pk, bk, ctx)
def BlindPrivateKey(sk, bk, ctx, bf) =
    sk' = Combine(sk, bf)
    pk' = ScalarBaseMult(sk')
    Combine(sk', DeriveBlindingFactor(pk', bk, ctx))

Or instead, taking ctx = SerializeElement(pk) || ctx_original as input to BlindPublicKey, this could be reformulated using the original construct, but where the implementation of BlindPrivateKey needs to also provide:

def BlindBlindedPrivateKey(sk, bk, ctx, bf) =
    sk' = Combine(sk, bf)
    pk' = ScalarBaseMult(sk')
    BlindPrivateKey(sk', bk, SerializeElement(pk') || ctx)

That function would inherit the security properties of BlindPrivateKey, such as not leaking information about Combine(sk, bf), making it impossible to form bf in such a way that it leaks information about sk. Furthermore, by including bf in the context over which the blinding factor is derived using a hash, it is infeasible to construct bf in such a way that it cancels the DeriveBlindingFactor output.

This would require no updates to Key Blinding for Signature Schemes, but would require changes to ARKG:

  • make ARKG-Derive-Private-Key accept a bf parameter (default 0 for additive, 1 for multiplicative blinding), which is used to call BlindBlindedPrivateKey
  • make ARKG-Derive-Public-Key prefix the application context string with SerializeElement(pk)
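An added Python sketch of the third formulation above, written for this page rather than taken from the issue or from the ARKG or key-blinding drafts. It assumes additive blinding, a toy Schnorr group standing in for the real group, SHA-256 reduced mod q as HashToScalar, and a public-key counterpart BlindBlindedPublicKey that applies bf to pk and prefixes the context with SerializeElement(pk') as the second bullet describes; it then checks that both sides derive the same public key.

```python
import hashlib

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# p = 2q + 1, and G = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def scalar_base_mult(s):
    """ScalarBaseMult(s) = s*G, written multiplicatively as G^s mod p."""
    return pow(G, s % Q, P)

def serialize_element(e):
    """SerializeElement: fixed-width big-endian encoding of a group element."""
    return e.to_bytes(2, "big")

def hash_to_scalar(data):
    """HashToScalar: SHA-256 reduced mod q (toy reduction, not the draft's)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def combine(a, b):
    """Combine for additive blinding: a + b mod Order()."""
    return (a + b) % Q

def derive_blinding_factor(bk, ctx):
    """Original construct: HashToScalar(bk || 0x00 || ctx)."""
    return hash_to_scalar(bk + b"\x00" + ctx)

def blind_public_key(pk, bk, ctx):
    """Additive blinding of pk: pk + bf*G, i.e. pk * G^bf mod p."""
    return pk * scalar_base_mult(derive_blinding_factor(bk, ctx)) % P

def blind_private_key(sk, bk, ctx):
    """Additive blinding of sk with the factor derived from (bk, ctx)."""
    return combine(sk, derive_blinding_factor(bk, ctx))

def blind_blinded_private_key(sk, bk, ctx, bf):
    """Third formulation: blind sk' = Combine(sk, bf) with pk' bound into ctx."""
    sk_prime = combine(sk, bf)
    pk_prime = scalar_base_mult(sk_prime)
    return blind_private_key(sk_prime, bk, serialize_element(pk_prime) + ctx)

def blind_blinded_public_key(pk, bk, ctx, bf):
    """Assumed counterpart: apply bf to pk, then blind with pk' prefixed to ctx."""
    pk_prime = pk * scalar_base_mult(bf) % P
    return blind_public_key(pk_prime, bk, serialize_element(pk_prime) + ctx)

def keys_agree(sk, bk, ctx, bf):
    """Both sides must derive the same public key for the construct to be usable."""
    return scalar_base_mult(blind_blinded_private_key(sk, bk, ctx, bf)) == \
        blind_blinded_public_key(scalar_base_mult(sk), bk, ctx, bf)
```

With bf = 0 (the additive default from the first bullet) the helper reduces to BlindPrivateKey(sk, bk, SerializeElement(pk) || ctx), so existing key-blinding implementations need no change.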