> Party 1 never learns the final value of (R,s1+s2) or m.
Actually, it seems like a blinding step is missing. Assume the server (party 1) received some c during the signature protocol. Can't the server scan the blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in signature verification and then check c == c'? If true, then the server has the preimage for the c received from the client, including m.

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
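An added worked example (not from this thread or any protocol it discusses) that makes the linkability concern above concrete and shows what a blinding step buys. It uses a constructed toy Schnorr group (a safe prime P = 2039 with an order-1019 subgroup, far too small to be secure) and simplifies the two-party setting by letting the server hold the whole key; the `Server`, `sign_unblinded`, `sign_blinded` and `server_can_link` names are hypothetical. The blinded variant is the textbook blind Schnorr construction (client picks alpha, beta; R' = R·G^alpha·X^beta; c = c' + beta; s' = s + alpha), which is assumed here as one possible blinding step, not the one the original protocol intends.

```python
import hashlib
import secrets

# Constructed toy group parameters: P is a safe prime, Q = (P-1)/2, G generates the order-Q subgroup.
P = 2039
Q = 1019
G = 4
ENC_LEN = (P.bit_length() + 7) // 8  # fixed-width encoding of group elements for hashing


def enc(n: int) -> bytes:
    return n.to_bytes(ENC_LEN, "big")


def challenge(R: int, X: int, m: bytes) -> int:
    """c = H(R || X || m) mod Q, exactly what a verifier recomputes from a published signature."""
    return int.from_bytes(hashlib.sha256(enc(R) + enc(X) + m).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Server:
    """Party 1: holds the secret x, answers challenges, and remembers every c it was handed."""

    def __init__(self, x: int):
        self.x = x
        self.k = None
        self.seen = []  # challenges received during signing sessions

    def commit(self) -> int:
        self.k = secrets.randbelow(Q - 1) + 1
        return pow(G, self.k, P)  # R

    def respond(self, c: int) -> int:
        self.seen.append(c)
        return (self.k + c * self.x) % Q  # s


def verify(X: int, m: bytes, R: int, s: int) -> bool:
    return pow(G, s, P) == (R * pow(X, challenge(R, X, m), P)) % P


def sign_unblinded(server: Server, X: int, m: bytes):
    """Client sends the raw challenge: the server now holds H(R||X||m) for the final signature."""
    R = server.commit()
    c = challenge(R, X, m)
    s = server.respond(c)
    return R, s


def sign_blinded(server: Server, X: int, m: bytes):
    """Client blinds R and the challenge; beta is non-zero so the server's c never equals the published c'."""
    R = server.commit()
    alpha = secrets.randbelow(Q)
    beta = secrets.randbelow(Q - 1) + 1
    R_blind = (R * pow(G, alpha, P) * pow(X, beta, P)) % P
    c_pub = challenge(R_blind, X, m)          # the value a verifier will recompute
    s = server.respond((c_pub + beta) % Q)    # server only ever sees c_pub + beta
    return R_blind, (s + alpha) % Q


def server_can_link(server: Server, X: int, published):
    """The scan described in the post: recompute c' for each published (m, R, s) and compare to every c seen."""
    return [m for (m, R, s) in published if challenge(R, X, m) in server.seen]


if __name__ == "__main__":
    x, X = keygen()
    m = b"constructed example message"
    srv = Server(x)
    sig = sign_unblinded(srv, X, m)
    print("unblinded verifies:", verify(X, m, *sig), "linked:", server_can_link(srv, X, [(m, *sig)]))
    srv = Server(x)
    sig = sign_blinded(srv, X, m)
    print("blinded verifies:", verify(X, m, *sig), "linked:", server_can_link(srv, X, [(m, *sig)]))
```

With the raw challenge, `server_can_link` recovers the message every time because the published signature lets anyone recompute exactly the c the server stored; with the blinded session the server's stored value differs from the published c' by beta, so the scan finds nothing. One caveat to keep in mind when evaluating a blinding step of this shape: plain blind Schnorr is known to be breakable when many signing sessions run concurrently (the ROS/Wagner-style attacks), so it is a fix for the linkability observation only, not a drop-in protocol.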