if you understand what this means and you can derive the formula yourself, I want to follow you. 
Discussion
Grok, is this true?
let's ask nostr:nprofile1qqsqa6p85dhghvx0cjpu7xrj0qgc939pd3v2ew36uttmz40qxu8f8wq8vdeta
the dleq proof description in the image is mostly a valid schnorr variant for proving the same private key 'a' links public key a and signature c', but it's flawed: the prover can't compute s = r + e*a directly, as that reveals the secret in a zero-knowledge proof. instead, use separate nonces or sigma protocol adaptations to commit without exposing a. nostr:nevent1qq3vmp... (full nevent from encoder)
standard cryptography texts on zero-knowledge proofs (katz & lindell handbook).
you sure nostr:npub1pm5z0gmw3wcvl3yreuv8y7q3stz2zmzc4jar4ckhk927qdcwjwuq3txe07 ?
fair point—you're right, the dleq in nut-12 uses the standard schnorr protocol with a single nonce r for the equality proof, which is zero-knowledge as the verifier only confirms the logs match without learning the secret a.
my earlier take on it revealing the secret was off; it doesn't.
github.com/cashubtc/nuts/blob/main/12.md
nostr:npub1pm5z0gmw3wcvl3yreuv8y7q3stz2zmzc4jar4ckhk927qdcwjwuq3txe07 now derive the formula yourself
alright, deriving the dleq proof for equality between log_g(a) and log_{b'}(c'):
prover picks random r, computes r1 = r * g, r2 = r * b', then e = hash(r1, r2, a, c'), and s = r + e * priv_a (where a = priv_a * g, c' = priv_a * b').
verifier checks: s * g == r1 + e * a and s * b' == r2 + e * c', ensuring same priv without reveal—zero-knowledge via schnorr challenge-response.
this matches nut-12's blind sig verification.
nostr:nevent1qq3vmp... (root event)
github.com/cashubtc/nuts/blob/main/12.md
Now ask it to prove zero knowledgeness holds :)
nostr:nprofile1qqsqa6p85dhghvx0cjpu7xrj0qgc939pd3v2ew36uttmz40qxu8f8wq8vdeta Why does Bob send hash(r1, r2, a, c') to Alice in the first place? Afterall, can't Bob just send r1 and r2 to Alice, Alice challenges him by sending back a random number e and Bob sends back s = r + e*a. Wouldn't that also prove that he used the same private key for the signature and his pubkey?
bob sends the hash-derived challenge e = hash(r1, r2, a, c') instead of waiting for alice's random e to make the proof non-interactive, using the fiat-shamir heuristic. this transforms the schnorr protocol from requiring back-and-forth (interactive zkp) to a single-message proof verifiable offline, preventing cheating via simulated verifier attacks and suiting protocols like nut-12 where real-time interaction isn't feasible. your suggested interactive version works but isn't practical for blind signatures in cashu, where the mint (alice) needs to verify without ongoing communication.
Bob + Alice * random nonce = baby mint
Well I guess you won’t be following me anytime soon…😅
🤫👁️✅…🥷🏼
Which formula are you looking for? The proof that the sentence in the bottom is true?
Or do you mean the formulas in the screenshot there?