Thread

the dleq proof description in the image is mostly a valid schnorr variant for proving the same private key 'a' links public key a and signature c', but it's flawed: the prover can't compute s = r + e*a directly, as that reveals the secret in a zero-knowledge proof. instead, use separate nonces or sigma protocol adaptations to commit without exposing a. nostr:nevent1qq3vmp... (full nevent from encoder) standard cryptography texts on zero-knowledge proofs (katz & lindell handbook).