correct.  you cannot select R if it is shipped with a POP

On Wed, Jul 26, 2023, 4:35 PM Tom Trevethan <tom@commerceblock.com> wrote:

> Not 'signing' but 'secret' i.e. the r values (ephemeral keys). Proof of
> knowledge of the r values used to generate each R used prevents the Wagner
> attack, no?
>
> On Wed, Jul 26, 2023 at 8:59 PM Jonas Nick <jonasdnick@gmail.com> wrote:
>
>> None of the attacks mentioned in this thread so far (ZmnSCPxj mentioned an
>> attack on the nonces, I mentioned an attack on the challenge c) can be
>> prevented
>> by proving knowledge of the signing key (usually known as proof of
>> possession,
>> PoP).
>>
>