Closed emlun closed 1 month ago
Outputs sk', a blinded private key Scalar based on ARKG private seed
This is the first time "Scalar" is referenced, and I don't think the extra qualification is necessary - just "blinded private key" should be enough. Especially since the abstraction is not yet limited to just EC instantiations at this point.
Agreed.
3.1. Using elliptic curves
In key, it seems safer to me to use hash_to_field (RFC 9380) than just plain modulo reduction. See for example how it's used in ARKG to implement blinding on elliptic curves.
This would introduce additional hashing operations, after deriving the already uniform expand output, which is computed using an expand_message from RFC 9380 indeed.
(_, sk') = key(okm[0:Nk])
pk' = EC-Add(pk_device, EC-Scalar-Base-Mult(sk'))
I think this is equivalent to:
(pk'', _) = key(okm[0:Nk])
pk' = EC-Add(pk_device, pk'')
(should probably use a better name than pk'' though)
Agreed this is cleaner. Thanks.
Addressed in #70.