Hi All, I believe it's fairly simple to solve the blinding (sorry for the bastard notation!):
Signing:

  X = X1 + X2
  K1 = k1G
  K2 = k2G
  R = K1 + K2 + bX
  e = hash(R||X||m)
  e' = e + b
  s = (k1 + e'*x1) + (k2 + e'*x2)
  s = (k1 + k2 + b(x1 + x2)) + e(x1 + x2)
  sG = (K1 + K2 + bX) + eX
  sG = R + eX

Verification:

  Rv = sG - eX
  ev = hash(R||X||m)
  e ?= ev

https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb

Been trying to get a review on this for a while, please let me know if I got it wrong!

BR,
moonsettler

------- Original Message -------
On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> > Party 1 never learns the final value of (R,s1+s2) or m.
>
> Actually, it seems like a blinding step is missing. Assume the server (party 1)
> received some c during the signature protocol. Can't the server scan the
> blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
> signature verification and then check c == c'? If true, then the server has the
> preimage for the c received from the client, including m.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
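As an added illustration (not code from the thread or from moonsettler's gist), the following plain-Python script carries the arithmetic of the signing and verification steps above through on secp256k1. Assumptions not fixed by the post: hash(R||X||m) is SHA-256 over 64-byte affine point encodings, the verifier's ev is read as hash(Rv||X||m), and party 1 (the server) is modelled as recording every challenge it is handed so that the scan Jonas Nick described, comparing hash(R||X||m) of a finished signature against those recorded values, can be run against it. The script signs once with a random blinding factor b and once with b = 0 so the two cases can be compared.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard curve constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (k reduced mod N)."""
    result, addend, k = None, pt, k % N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def point_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def challenge(R, X, m):
    """e = hash(R||X||m); assumed encoding: SHA-256 over 64-byte affine points."""
    enc = lambda p: p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc(R) + enc(X) + m).digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

class Server:
    """Party 1: holds x1, contributes K1, signs whatever challenge it is handed."""
    def __init__(self):
        self.x1 = rand_scalar()
        self.X1 = point_mul(self.x1, G)               # X1 = x1G
        self.k1 = None
        self.seen = []                                # every c received (assumed logging)

    def nonce(self):
        self.k1 = rand_scalar()
        return point_mul(self.k1, G)                  # K1 = k1G

    def partial_sign(self, c):
        self.seen.append(c)
        s1 = (self.k1 + c * self.x1) % N              # k1 + e'*x1
        self.k1 = None                                # one nonce per session
        return s1

def client_sign(server, x2, m, blind=True):
    """Party 2 drives the session; returns (X, (R, s)). blind=False sets b = 0."""
    X = point_add(server.X1, point_mul(x2, G))        # X = X1 + X2
    K1 = server.nonce()
    k2, b = rand_scalar(), (rand_scalar() if blind else 0)
    K2 = point_mul(k2, G)                             # K2 = k2G
    R = point_add(point_add(K1, K2), point_mul(b, X)) # R = K1 + K2 + bX
    e = challenge(R, X, m)                            # e = hash(R||X||m)
    e_blind = (e + b) % N                             # e' = e + b
    s1 = server.partial_sign(e_blind)
    s2 = (k2 + e_blind * x2) % N                      # k2 + e'*x2
    return X, (R, (s1 + s2) % N)

def verify(X, sig, m):
    """Rv = sG - eX; ev = hash(Rv||X||m); accept iff e == ev."""
    R, s = sig
    e = challenge(R, X, m)
    Rv = point_add(point_mul(s, G), point_neg(point_mul(e, X)))
    return Rv is not None and challenge(Rv, X, m) == e

def server_can_link(server, X, sig, m):
    """Jonas's scan: does hash(R||X||m) of the final signature match a recorded c?"""
    return challenge(sig[0], X, m) in server.seen

def run_session(blind=True):
    """Return (signature_valid, server_can_link) for one signing session."""
    server, x2 = Server(), rand_scalar()
    m = b"constructed sample message"                 # constructed input
    X, sig = client_sign(server, x2, m, blind=blind)
    return verify(X, sig, m), server_can_link(server, X, sig, m)

if __name__ == "__main__":
    print("blinded:  ", run_session(True))            # (True, False)
    print("unblinded:", run_session(False))           # (True, True)
```

Both sessions produce a signature that verifies, which is the algebra sG = R + eX above. The difference is in the server's transcript: with b = 0 the server held hash(R||X||m) itself and the scan matches, whereas with a random b it held only e + b, which does not equal the on-chain hash, so the comparison fails. This shows the arithmetic only; it says nothing about the scheme's security against other attacks, which the post leaves open for review.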