We had a discussion internally at Suredbits about doing this with a BIP32 scheme, which @nkohen shot down as it is probably not secure.
There was also a conversation about this in the LDK slack this morning between @NicolasDorier, @nkohen and @LLFourn about another nonce derivation scheme:
https://lightningdevkit.slack.com/archives/C012TKK8EJC/p1600233252138500
To summarize, I think we should be highly skeptical of deterministic nonce generation schemes for an oracle, and probably should discourage it in an oracle security section?
This should probably go in a "warning" section with #88
so the oracle doesn't store secret data in the database. But maybe it should do a query to check that it is attesting with what it said it would. I haven't made up my mind.
The concern isn't about deterministic nonce generation -- it's about public key derivation schemes like BIP32 non-hardened for nonces which is something you must never ever do.
In my personal oracle project I used a hardened BIP32 path and then tweaked the resulting key by sha256(R || event_label). This idea came from @LLFourn