A covert-channel-free black-box signer without ZNPs

[gmaxwell]

I removed my message while I was working out how to use uP|x. In my message I wrote k = uP|x which I realized later doesn't work.
Adam's modified version should work, shouldn't it?

Yes/no. I thought it was nice at first but then I realized it's no better than my two move scheme, I think.

The signer knows the resulting r that will show up in the signature so he can grind u to stuff bits into it.

[1538086664]

1538086664

[1538086664]

1538086664

[1538086664]

1538086664

[1538086664]

1538086664

[hhanh00]

I removed my message while I was working out how to use uP|x. In my message I wrote k = uP|x which I realized later doesn't work.
Adam's modified version should work, shouldn't it?

Yes/no. I thought it was nice at first but then I realized it's no better than my two move scheme, I think.

The signer knows the resulting r that will show up in the signature so he can grind u to stuff bits into it.

I can't see how this can be avoided without blinding the signature but this would require a hard fork.

[gmaxwell]

I can't see how this can be avoided without blinding the signature but this would require a hard fork.

No it wouldn't, adding a new signature system is just a soft forking addition, of a smaller scale than we've made several times before (e.g. with the introduction of p2sh).  Not something to do lightly but not that big a deal.

But blinding alone isn't enough, because you actually want the signer to see the message (because the signer needs to display what the message will do to act as an independent check or to enforce business logic).  Though there is probably a very narrow and very efficient ZKP that can be used to unblind only the message.