Diversified public keys

[sug0]

Based on https://protocol.penumbra.zone/main/crypto/fmd/construction.html#diversified-detection-from-s-fmd2-to-s-fmd2-d

[larraia]

Just couple of questions (before reviewing the code)

• In Penumbra they do say that public key diversification is NOT compatible with compact keys (Update: see below why). Are we happy with having all gamma public keys in addressees?
• Given the above, I think it would make sense to have the FMD with diversified public keys as a separate implementation of trait FMDScheme, and leave the current FMD2 implementation (almost) aligned with the original FMD paper.

Incompatibility of compact keys and Penumbra-style FMD diversification
Given secret key $s$, the solution in Penumbra is to form two public keys $P_1 = sG_1$ and $P_2 = s G_2$ diversified using two different base points $G_1,G_2$. But, if if we need to derive $s$ from a master keypair $(x,X)$ then we need to choose in what base $x$ is the discrete logarithm of $X$. Say the first base point: $X = x G_1$.
Then, if $\mathsf{Hash}(X,blah)$ and $s = x+h$, anyone can derive the first public key $P_1 = X+hG_1$. To derive $P_2$ we can either:

• (a) use same $x$. Thus $P_2 = X+hG_2$. But this breaks diversification, because now $P_2 \neq s G_2$
• (b) use a second master key pair $(y,Y:=y G_2)$. But there is no point in deriving $P_1,P_2$ from two master public keys $X,Y$ -- no compactness.