No, proof of knowledge of the r values used to generate each R does not prevent Wagner's attack. I wrote
> Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that > c[0] + ... + c[K-1] = c[K]. You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't make sense if he didn't. _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev