Node n is the first to make a kernel so I don’t know what you mean here…

Note that my reply was to my suggestion that mixnodes could make a single joint kernel:

I just realized there’s an even more obvious solution and I believe a better one. Mixnodes add their partial excess when going forward and they sign the total excess and adjust the offset when going backwards. Why is this better? Because we have a single kernel with the same guarantee as with M kernels (no undo attack if 1 is honest)

Unfortunately, what I suggested back then seems to have the problem with key cancellation that I’m mentioning now. If every node creates its own kernel, there is no such issue.

I don’t see how keys could be cancelled, since each mixnode’s partial sig is needed to relate the inputs and outputs.

Ugh, I think I have made a mistake in my calculations and you’re right that the equation would not verify if the last node cancelled a key or many. If it cancelled a key of node 2, the private key that node 2 proved through the partial sig would need to have been contributed to the offset by node 2, but it has not been added there and ends up missing in this case (I think). I need to think about this a bit more…

Thank you very much for working on this. Where are the updates posted?

Sounds like the best side on the Wendy’s menu.