waxwing on Nostr: Huh, I sent a reply an hour ago on the phone but just seems to have vanished. First, ...
Huh, I sent a reply an hour ago on the phone but just seems to have vanished.
First, about the curly braces, yes there was just one missing sorry (R_{A2} + R_{B2}).
Second, doh, I totally missed the point of the question, and, my fault, your language was pretty clear.
So I don't think there's any issue, no: if Alice gives R_{A1} and Bob picks -R_{A1} as his R_{B1} (and same for index 2) then, yes, the aggregate cancels.
But that doesn't allow him to cancel the secret nonce:
Alice may send him s_alice = k_{A1} + bk_{A2} + (hashes of stuff) * x_{A}. But he cannot cancel out those k-values by adding his s_bob because he cannot provide e.g. -k_{A1}. He doesn't know those scalars (DLP).
So he can't get the secret key by doing that cancellation (and yes, absolutely, he *would* be able to get Alice's key if he could effect that cancellation).
(It's a sidebar but 0 values for the nonce are explicitly disallowed in plain ECDSA and plain Schnorr iirc).
First, about the curly braces, yes there was just one missing sorry (R_{A2} + R_{B2}).
Second, doh, I totally missed the point of the question, and, my fault, your language was pretty clear.
So I don't think there's any issue, no: if Alice gives R_{A1} and Bob picks -R_{A1} as his R_{B1} (and same for index 2) then, yes, the aggregate cancels.
But that doesn't allow him to cancel the secret nonce:
Alice may send him s_alice = k_{A1} + bk_{A2} + (hashes of stuff) * x_{A}. But he cannot cancel out those k-values by adding his s_bob because he cannot provide e.g. -k_{A1}. He doesn't know those scalars (DLP).
So he can't get the secret key by doing that cancellation (and yes, absolutely, he *would* be able to get Alice's key if he could effect that cancellation).
(It's a sidebar but 0 values for the nonce are explicitly disallowed in plain ECDSA and plain Schnorr iirc).