Thanks Greg for the feedback. We’re aware of the proposals for delinearization mechanisms to increase robustness to related-key attacks such as key cancellation, and we’re completely open to refinements like these in an eventual standard for collective signatures. I seem to recall that refinements like this were discussed on the CFRG list back in the work leading up to RFC 8032, but weren't adopted in that context for reasons I can't remember well - perhaps simply because the focus then was on individual rather than collective signatures. So perhaps then wasn’t the right time to discuss such enhancements, but maybe now is the right time. Can anyone else remember exactly when that discussion occurred or find the relevant messages in the CFRG list archive?

At any rate, our Internet-Draft is intended to be just a first draft, not by any means a final specification. Our immediate goal is to get a critical mass of support within CFRG to adopt collective signing as a working group item. Once we get to that point, then we can begin the process of (collectively) figuring out exactly what that signing scheme should look like, including which particular hardening refinements (such as delinearization mechanisms) it should include.

So if you and/or others on this list are interested in seeing collective signing in some form move toward standardization, what would be ideal at the moment is if you could post to the CFRG mailing list an E-mail stating (a) that you support the CFRG adopting collective signing as a working group item, and (b) a list of issues or changes such as the above that you'd like to see considered in the context of that work, of which delinearization should certainly be a high-priority topic.

Thanks
Bryan