Let's say that Alice and Bob have generated truly random private keys $a$ and $b$ and want to use them in Schnorr signing. They calculate $X = g^a \cdot g^b$ as their mutual public key. For whatever reason, they want to derive several new key pairs from their existing keys. They pick a hash function $H$ and some prefix "foobar" and derive new keys like this:
$$
X_1 = X^{H(\text{"foobar"} || 1)} \\
X_2 = X^{H(\text{"foobar"} || 2)}
$$
etc.
They can now sign any data for any of their derived keys by adding their signatures like this:
- randomly pick $k_a$ and $k_b$
- calculate $R = g^{k_a} \cdot g^{k_b}$
- calculate $e = H(\text{"message"} || R)$
- calculate $s_a = k_a + e \cdot a \cdot H(\text{"foobar"} || n)$ and $s_b = k_b + e \cdot b \cdot H(\text{"foobar"} || n)$
- calculate $s = s_a + s_b$
$(R,s)$ is now a valid Schnorr signature for the public key $X_n$
My question is: Are there any obvious flaws in this approach? I'm not worried about things like rogue-key attacks here, the question is specifically about the chosen approach to modify the private key shares with some "salted" hash values in order to derive multiple new key pairs from $a$ and $b$. The crucial feature here is that anyone can calculate an arbitrary number of public keys that Alice and Bob could sign for.
