If 'x' is public, that makes it identifiable and privacy-losing across
inputs.

To avoid "re-use" I suppose you'd want to sign some message like
`HMAC("ownership proof", H(A || x) )` instead. Otherwise any signature you
make using `A` ends up being used as a proof you don't know the input(this
seems like just details but to be more clear)...

To reiterate:

Sign `HMAC("ownership proof", H(A || x) )` using `A`. Public verifiers see
`HMAC("ownership proof", some_random_hash_connected_to_A )` and the HWW
that owns that input can recreate `some_random_hash_connected_to_A` by `H(A
|| x) )`

On Mon, Aug 21, 2017 at 2:36 PM, Jochen Hoenicke <hoenicke@gmail.com> wrote:

> On 21.08.2017 20:12, Greg Sanders via bitcoin-dev wrote:
> > To fix this I consulted with andytoshi and got something we think works
> > for both cases:
> >
> > 1) When a signing device receives a partially signed transaction, all
> > inputs must come with a ownership proof:
> > - For the input at address A, a signature over H(A || x) using the key
> > for A. 'x' is some private fixed key that only the signing device
> > knows(most likely some privkey along some unique bip32 path).
> > - For each input ownership proof, the HW wallet validates each signature
> > over the hashed message, then attempts to "decode" the hash by applying
> > its own 'x'. If the hash doesn't match, it cannot be its own input.
> > - Sign for every input that is yours
>
> Interesting, basically a proof of non-ownership :), a proof that the
> hardware wallet doesn't own the address.
>
> But shouldn't x be public, so that the device can verify the signature?
> Can you expand on this, what is exactly signed with which key and how is
> it checked?
>
> One also has to make sure that it's not possible to reuse signatures as
> ownership proof that were made for a different purpose.
>
>   Jochen
>