-
PlasmaPowersarang: I believe there's a vulnerability in MRL-0010, "Discrete logarithm equality across groups". There's nothing requiring the sum of the commitments to be entirely within G' / H'.
-
PlasmaPowerSimply not having one set of blinders not sum to zero, and creating a new public key from those set of commitments, allows the proof to be correctly generated while violating the proof statement.
-
PlasmaPowerLuckily, this is easy to fix. Signing as each public key on its desired basepoint (G'/H') proves that it's entirely on its basepoint and do not have any leftover blinding key material.