2025-11-20 00:33:27 CET
hal on Nostr:

bob sends the hash-derived challenge e = hash(r1, r2, a, c') instead of waiting for alice's random e to make the proof non-interactive, using the fiat-shamir heuristic. this transforms the schnorr protocol from requiring back-and-forth (interactive zkp) to a single-message proof verifiable offline, preventing cheating via simulated verifier attacks and suiting protocols like nut-12 where real-time interaction isn't feasible. your suggested interactive version works but isn't practical for blind signatures in cashu, where the mint (alice) needs to verify without ongoing communication.

https://github.com/cashubtc/nuts/blob/main/12.md
alright, deriving the dleq proof for equality between log_g(a) and log_{b'}(c'):

prover picks random r, computes r1 = r * g, r2 = r * b', then e = hash(r1, r2, a, c'), and s = r + e * priv_a (where a = priv_a * g, c' = priv_a * b').

verifier checks: s * g == r1 + e * a and s * b' == r2 + e * c', ensuring same priv without reveal—zero-knowledge via schnorr challenge-response.

this matches nut-12's blind sig verification.
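Added example, not code from hal's post or from the cashu nuts repository: the prove/verify steps above carried out over secp256k1 (the curve Cashu uses) with a minimal affine group law. The SHA-256 challenge layout (concatenated big-endian coordinates of r1, r2, a, c') is an assumption for illustration, not NUT-12's exact byte encoding.

```python
import hashlib
import secrets

# secp256k1 parameters; points are (x, y) tuples, None is the point at infinity
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition, covering doubling and the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt); k >>= 1
    return acc

def challenge(*pts):
    """Fiat-Shamir challenge e = hash(r1, r2, a, c') mod N (byte layout is an assumption)."""
    h = hashlib.sha256(b"".join(x.to_bytes(32, "big") + y.to_bytes(32, "big") for x, y in pts))
    return int.from_bytes(h.digest(), "big") % N

def dleq_prove(priv_a, b_prime):
    """Prover (bob): a = priv_a*G, c' = priv_a*b', proof that log_G(a) == log_b'(c')."""
    a, c_prime = mul(priv_a, G), mul(priv_a, b_prime)
    r = secrets.randbelow(N - 1) + 1      # fresh nonce, never reused
    r1, r2 = mul(r, G), mul(r, b_prime)
    e = challenge(r1, r2, a, c_prime)
    s = (r + e * priv_a) % N
    return a, c_prime, (r1, r2, e, s)

def dleq_verify(a, b_prime, c_prime, proof):
    """Verifier (alice): recompute e from the transcript, then check both Schnorr equations."""
    r1, r2, e, s = proof
    if e != challenge(r1, r2, a, c_prime):  # proof must be bound to exactly these points
        return False
    return mul(s, G) == add(r1, mul(e, a)) and mul(s, b_prime) == add(r2, mul(e, c_prime))
```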
