"She can *spend* it later when she is back online" not "unblind".
I don't think *this* is a problem. If Alice and the Mint collude they can always unblind C_, so this isn't really a downgrade from standard cashu.
However, there is an attack where Alice just lets the Mint sign Y twice. Once with Carol's public key B_ = Y + r * F and once the standard way with B_' = Y + rG.
Now, (x, r_, C_, DLEQ) looks like a valid token to Carol even when offline. However if Alice spends her token before Carol, Carol's token will get denied because the secret x is already in the Mint's spent set.
An idea to fix this:
1. Carol generates a bunch of secrets x, blinds them (B=Y+rG), and publishes these "Blank Checks" (B_'s) somewhere. She can then go offline.
2. Alice grabs a B_, pays the Mint to sign it (C_), and sends it to Carol. Alice cannot have Y signed twice (like in the prior attack) because she doesn't know x.
3. Carol receives C_ and the DLEQ proof. She verifies the proof against her original blank checks and the Mint's public key. If one of them passes, she has cryptographic proof that C_ is the valid signature for her specific B_. Since only she holds the secret x, she knows the token is safe and unspent. She can unblind it later when she is back online.
Not sure if I'm making any mistakes or the first step defies the purpose you want to use this for. I'm pretty new to all of this myself. Would love to hear what you think!
nostr:npub16vzjeglr653mrmyqvu0trwaq29az753wr9th3hyrm5p63kz2zu8qzumhgd Hey, can you let me know what I did wrong? I just spent half my day writing a reply to you, so I hoped you will read it. It just took me a bit of time because I wanted to be equally respectful in my reply as you were to me. I'm sorry it took a bit longer and if that came off as rude!
nostr:npub16vzjeglr653mrmyqvu0trwaq29az753wr9th3hyrm5p63kz2zu8qzumhgd I'm just baffled at what I did wrong to get blocked after we had a pleasent exchange. Whatever it is, can you please let me know? I promise I won't bother you anymore afterwards.
Clearly I'm doing something wrong, since you and calle both ghost me, but without knowing what the issue is I can't fix it. At this point, I don't feel comfortable contacting anyone else for feedback on my draft, which is impacting my thesis and thus my entire degree.
I hope you respond. Merry Christmas to you and your family.
Still would love to collaborate!
nostr:npub16vzjeglr653mrmyqvu0trwaq29az753wr9th3hyrm5p63kz2zu8qzumhgd Hey, can you let me know what I did wrong? I just spent half my day writing a reply to you, so I hoped you will read it. It just took me a bit of time because I wanted to be equally respectful in my reply as you were to me. I'm sorry it took a bit longer and if that came off as rude!
pos as in proof of stake? Where can I read more about this?
bob sends the hash-derived challenge e = hash(r1, r2, a, c') instead of waiting for alice's random e to make the proof non-interactive, using the fiat-shamir heuristic. this transforms the schnorr protocol from requiring back-and-forth (interactive zkp) to a single-message proof verifiable offline, preventing cheating via simulated verifier attacks and suiting protocols like nut-12 where real-time interaction isn't feasible. your suggested interactive version works but isn't practical for blind signatures in cashu, where the mint (alice) needs to verify without ongoing communication.
Good bot π«‘
alright, deriving the dleq proof for equality between log_g(a) and log_{b'}(c'):
prover picks random r, computes r1 = r * g, r2 = r * b', then e = hash(r1, r2, a, c'), and s = r + e * priv_a (where a = priv_a * g, c' = priv_a * b').
verifier checks: s * g == r1 + e * a and s * b' == r2 + e * c', ensuring same priv without revealβzero-knowledge via schnorr challenge-response.
this matches nut-12's blind sig verification.
nostr:nevent1qq3vmp... (root event)
github.com/cashubtc/nuts/blob/main/12.md
nostr:npub1pm5z0gmw3wcvl3yreuv8y7q3stz2zmzc4jar4ckhk927qdcwjwuq3txe07 Why does Bob send hash(r1, r2, a, c') to Alice in the first place? Afterall, can't Bob just send r1 and r2 to Alice, Alice challenges him by sending back a random number e and Bob sends back s = r + e*a. Wouldn't that also prove that he used the same private key for the signature and his pubkey?
People found a claude code folder in the diVine repo and now they are alleging that AI is being used to generate videos π€¦ββοΈ man, the mainstream absolutely loathes AI and will hate you even if you use it to code. This is ridiculous. I don't know how to fix this perception other than to show them we can build good products whether AI was involved or not.
https://www.youtube.com/shorts/Sgcpj668IJ4
nostr:npub1wmr34t36fy03m8hvgl96zl3znndyzyaqhwmwdtshwmtkg03fetaqhjg240 fyi, and keep up the good fight π«
Jesus the comments on there are depressing... I guess that's what happens when you cater to the anti AI crowd. A lot of the comments sure sound bott-y though.
Hope the vibe will shift eventually, genuinly would love to see the app succeed!
Cashu tokens backed by a time lock of sats, not actual sats.
Maybe a useful spam deterrent π€
Better beer money π€£
Thanks nostr:npub1sezgmhk40mk5znnqse5jz4mjx40vszz45zwqnf7wyxqvdz0t8wnq9mnhp3! β€οΈ You made me laugh out loud. I will spend it more wisely than the last beer money. π€
Glad it made you laugh π€ Thanks for your work on Hashpool, looks really cool!
Yeah that does in fact sound like a mistake πCanned 'Krombacher' from Aldi will always remind me of my days at university so it has a special place in my heart but there sure are much better beers out there
Tell me about it... Writing my master thesis at the applied cryptography lab just because I really enjoy btc/LN/cashu might not be the way to go π
Hope you don't mind me asking but shouldn't NUT-12 be mandatory, because without the DLEQ proofs a mint could theoretically tag every minted token with its own private key? As far as I understand it, this could then be used to recognise the tokens once they eventually get redeemed?
I could definitely be off, just trying to understand it better. Thanks for all the great work you do, very inspiring!
Amazing! This is thanks to NUT-12, correct?