@Jonas

OK, thanks, I get the logic now. I believe this attack can be mitigated (at
least in the case of using this scheme for statechains) by the receiver of
a coin verifying the construction of all previous challenges.

So in this case, the sender of a coin would record R2[K-1] in addition to m
(and any c blinding nonce used) for the signature it generates with the
server. It would then send this (and all previous R2 values i = 0, ...,
K-2) to the receiver.

The receiver would then query the server for the full set (i = 0, ..., K-1)
of R1[i] values it has generated, and the corresponding (blinded) c[i]
values used for each co-signing it has performed on this key. The
receiver would then verify that each previous c[i] (i = 0, ... K-1) has
been correctly formed and includes the server generated R1[i].

If any of the c values fail to verify against the values of R1 provided by
the server, then the coin is invalid.

On Thu, Jul 27, 2023 at 9:08 AM Jonas Nick <jonasdnick@gmail.com> wrote:

> No, proof of knowledge of the r values used to generate each R does not
> prevent
> Wagner's attack. I wrote
>
>  >   Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
>  >    c[0] + ... + c[K-1] = c[K].
>
> You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and
> define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't
> make
> sense if he didn't.
>