The other day I was reading about ring signatures. I don’t know if they work for Nostr private keys, but if they do, we can use two private keys—the sender’s and a random one—in a ring signature. Then we can reveal an arbitrary part of the random private key in the “ephemeral message” so we can control how difficult it is to guess it.