On Thu, Jan 23, 2025 at 04:25:46PM +0000, Peter Todd wrote:
> The only question left for this technique is a cryptography one:
> 
> Is it possible to create an alternate pubkey p', that such that a valid
> signature s signed by arbitrary pubkey p for message m, also validates
> for p' for signature s and message m? I believe the answer is no for
> schnorr. But I'm not a cryptography expert, and I may have missed
> something.

Sorry, I forgot one condition in that paragraph. Here's what it should
have said:

Is it possible to create an alternate pubkey p', that such that a valid
signature s signed by arbitrary pubkey p for message m, also validates
for p' for signature s and message m, *and* also validates for signature
s' and message m'? I believe the answer is no for schnorr. But I'm not a
cryptography expert, and I may have missed something.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/Z5O5HGWyM597drg3%40petertodd.org.