Add multi-evaluation support #1

@burdges

Description

If I read the protocol correctly, one signer could sign numerous messages simultaneously, like in BLS, using the same alpha and beta, and the same point not involving the hash Z, but supplying numerous π_2 and π_4 points. All messages could then be verified simultaneously by using Z = Σ_i Z_i and π_2 = Σ_i π_{2,i} and π_4 = Σ_i π_{4,i}. In this variant, adversaries could forge signatures on linear combinations of Z, and similarly malicious signers could play games, but this should yield nothing useful.

This looks useful because users could pay to query the threshold VRF alongside the randomness beacon.

Ideally one wants slightly more than this: Users should query for secret evaluations. We could implement secrecy by users providing a SNARK on BW6 that secretly evaluates the hash-to-curve on BLS12-377 and multiplies by a blinding scalar. Again this should yield security for this scheme.

I'm unsure if this makes sense as some brain wallet recovery method, but it should definitely make sense for public rendezvous protocols, like SecureDrop or the Panda protocol in Pond.
