Timo Hanke

Results: 42 comments by Timo Hanke

It's not the same decryption key on all devices. It's one decryption key per device and there are multiple ciphertexts stored in the canister. Nevertheless, your observation is correct. If...

Yes, but there doesn't seem to be a deterministic signature scheme. It's either EC-based which is by definition not deterministic or RSA-OAEP which is RSA "made non-deterministic". There may be...

Yes, that's right. In the WebAuthn specification I only found signature schemes that are non-deterministic. You could also use a public key as the seed if you can get that...

@jddllwqa I have problems understanding the question or comment. Did you mean to say "What can" or "Why can't"? The term "public seed phrase" seems to be a contradiction in...

What is the application of the shared key? Is it encryption like here in icvault or is it something else?

The biggest vulnerability is that a per-device secret is persisted in browser local storage where it could be found by an attacker if the device (or the browser) gets compromised....

Interested in what this refers to. Could you elaborate a little bit?

> In case future applications of Schnorr/Ed25519 signatures will require signing of larger messages, then additional APIs could be added to management canister to allow for message chunking.

Wouldn't it...

> if the Schnorr presignature is revealed before the message is committed to, the scheme is compromised

That breaks the approach then, ok. Too bad that some applications decided to...

@randombit I don't see how the attack described in the paper you cited applies here. The attack roughly goes like this: attacker obtains k pre-signatures, attacker crafts k benign-looking messages...