@Jonas

OK, thanks, I get the logic now. I believe this attack can be mitigated (at least in the case of using this scheme for statechains) by the receiver of a coin verifying the construction of all previous challenges. 

So in this case, the sender of a coin would record R2[K-1] in addition to m (and any c blinding nonce used) for the signature it generates with the server. It would then send this (and all previous R2 values i = 0, ..., K-2) to the receiver. 

The receiver would then query the server for the full set (i = 0, ..., K-1) of R1[i] values it has generated, and the corresponding (blinded) c[i] values used for each co-signing it has performed on this key. The receiver would then verify that each previous c[i] (i = 0, ..., K-1) has been correctly formed and includes the server generated R1[i]. 

If any of the c values fail to verify against the values of R1 provided by the server, then the coin is invalid. 
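As an added illustration of the receiver-side check described above (example code written for this page, not from the thread or any statechain implementation): the server records (R1[i], c[i]) for each co-signing, the sender passes along its R2[i], and the receiver recomputes every c[i]. It assumes an unblinded challenge c = H(R1+R2 || X || m) and a toy cyclic group in place of secp256k1; both are assumptions, since the thread does not fix either.

```python
import hashlib
import secrets

# Toy cyclic group standing in for secp256k1 (constructed, NOT secure): the order-q
# subgroup of Z_p^* with p = 2q+1 = 10007, q = 5003, generator G = 4. Group "addition"
# is multiplication mod p and scalar multiplication is exponentiation.
P_MOD, Q_ORD, G = 10007, 5003, 4

def point(r): return pow(G, r, P_MOD)          # R = r*G
def add(R1, R2): return (R1 * R2) % P_MOD      # R1 + R2
def rand_scalar(): return secrets.randbelow(Q_ORD - 1) + 1

def challenge(R, X, m):
    # Assumed (unblinded) challenge construction c = H(R || X || m) with R = R1 + R2;
    # the thread only requires that c include the server-generated R1.
    return int.from_bytes(hashlib.sha256(f"{R}|{X}|".encode() + m).digest(), "big")

class Server:
    """Holds key share x1 and records (R1[i], c[i]) for every co-signing performed."""
    def __init__(self):
        self.x1, self._r1, self.transcript = rand_scalar(), None, []
    def new_nonce(self):
        self._r1 = rand_scalar()
        return point(self._r1)
    def cosign(self, c):      # blind co-signing: signs whatever c the client supplies
        self.transcript.append((point(self._r1), c))
        return (self._r1 + c * self.x1) % Q_ORD

def client_sign(server, X, m):
    R1, r2 = server.new_nonce(), rand_scalar()
    R2 = point(r2)
    server.cosign(challenge(add(R1, R2), X, m))  # partial sig not needed for the check
    return R2                                    # sender must hand R2[i] to the receiver

def receiver_verify(transcript, R2s, X, msgs):
    """Recompute each past c[i] from the server's R1[i] and the sender's R2[i];
    the coin is invalid if the counts differ or any challenge does not match."""
    if not (len(transcript) == len(R2s) == len(msgs)):
        return False
    return all(challenge(add(R1, R2), X, m) == c
               for (R1, c), R2, m in zip(transcript, R2s, msgs))

def demo(k=3):
    server, x2 = Server(), rand_scalar()
    X = add(point(server.x1), point(x2))        # aggregate key X = x1*G + x2*G
    msgs = [f"statechain transfer {i}".encode() for i in range(k)]  # constructed
    R2s = [client_sign(server, X, m) for m in msgs]
    honest = receiver_verify(server.transcript, R2s, X, msgs)
    bad_R2s = R2s[:1] + [add(R2s[1], G)] + R2s[2:]   # R2[1] differs from the one used
    return honest, receiver_verify(server.transcript, bad_R2s, X, msgs)
```

`demo()` returns (True, False): the honest history verifies, while a history in which a sender reports an R2 other than the one the server actually saw in that session is rejected.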

On Thu, Jul 27, 2023 at 9:08 AM Jonas Nick <jonasdnick@gmail.com> wrote:
No, proof of knowledge of the r values used to generate each R does not prevent
Wagner's attack. I wrote

 >   Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
 >    c[0] + ... + c[K-1] = c[K].

You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and
define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't make
sense if he didn't.