sarang: I believe there's a vulnerability in MRL-0010, "Discrete logarithm equality across groups". There's nothing requiring the sum of the commitments to be entirely within G' / H'.

Simply not having one set of blinders not sum to zero, and creating a new public key from those set of commitments, allows the proof to be correctly generated while violating the proof statement.

Luckily, this is easy to fix. Signing as each public key on its desired basepoint (G'/H') proves that it's entirely on its basepoint and do not have any leftover blinding key material.