
I understand that:

$[a+b]G = [a]G + [b]G$

where $a$ and $b$ are secret keys. (See: Is there a relationship between the secp256k1 public key of the sum of two private keys, and the public keys of those original two private keys?)

If, under the circumstances:

  • ECDSA is the signing algorithm.
  • Alice publishes the public key as $[a]G$ where $a$ is her secret key.
  • Bob creates a one-use secret key $x\_secret = hash(\text{"Bob chose this"})$.
  • Bob publishes $x\_secret$.

Do the following conditions hold?

  • Only Alice can sign messages with the secret key $(a + x\_secret)$, as no-one else knows both secret keys.
  • Anyone can verify such a message's signature using the public key `pubkey(alice_secret).combine(pubkey(x_secret))`, as anyone can calculate `pubkey(x_secret)` from the previously published `x_secret`.
kelalaka
fadedbee

0 Answers