I’d like to point out that this modification of the Schnorr signature protocol is insecure for Mimblewimble as it does not actually commit to the kernel public key.
Let R' = X + R
and e' = e - 1
where e = H(R', m)
.
The signature verification equation simplifies to:
s*G = R' + e'*X
which is the standard Schnorr verification except the hash function is redefined as H'(x) = H(x) - 1
.
We can see that the challenge e'
is independent of the public key X
, which means this scheme is susceptible to the counterfeiting attack described here: Eliminating finalize step - #91 by david