Request for Funding @scilio (CoinSwap Implementation)

Do we know if ComSig Signature for Mimblewimble Non-Interactive Transaction is secure? It’s very important we use a secure way of proving ownership as this could itself leak information that would allow stealing of coins.
Perhaps a much simpler proof of ownership would be to show a BP for C' = C + C.
Not sure if it is simpler, but using BPs for ownership proofs doesn’t add any new scheme and perhaps saves some scheme implementation headache/auditing.
This might even make the onioned message simpler e.g.

M {
  // The first and last node receive a rangeproof.
  // The first for ownership proof, the last for the final output.
  Rangeproof: BP | nil
  // Partial excess
  ExcessShare: Scalar
  // M' is the message for the next node. Nil if last node.
  M': M | nil  
}
where you receive a pair <Enc(M, your_key.pub), Enc(C)>.

Every mwixnet node receives an encrypted commitment and an encrypted message. The message is encrypted by the coinswap owner, while the commitment is encrypted by the previous node. In the case of the first node, it is encrypted by the coinswap owner. So a coinswap submitted by the user to node1 is a pair <Enc(M, node1.pub), Enc(C, node1.pub)> where C is a valid input in the UTXO set. With this structure, the node at position i decrypts the commitment it received from the previous node, decrypts the message and adds scalar*G to the commitment. Then it encrypts this new commitment for the next node and sends it along with M'. Only the first node will need to carry the rangeproof that serves as the proof of ownership, because it is only in the very first message.
There are probably simpler ways of doing this, but it might be worth thinking in this direction as well.

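To make the onion sketch above concrete, here is an added, self-contained simulation of the forwarding rule it describes (owner wraps M innermost-first, each node peels one layer, adds its ExcessShare*G to the commitment it decrypted, and re-encrypts the result for the next node). This is example code written for this thread, not mwixnet or Grin code. Assumptions: Pedersen commitments C = r*G + v*H on secp256k1 with H a hash-derived nothing-up-my-sleeve point; a toy ECIES-style Enc(.., pub) (ephemeral ECDH plus a SHA-256 keystream, no MAC) standing in for whatever real scheme would be used; the rangeproofs are opaque placeholder strings, since building a Bulletproof is out of scope here; the function and field names (build_onion, node_step, simulate, excess_share, next) are my own.

```python
import hashlib, json, os

# secp256k1 (real constants). H below is a NUMS point derived by hashing G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):                      # affine addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None          # a == -b
    if a == b: lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:      lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                     # double-and-add (demo only, not constant-time)
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def compress(pt):
    return (b"\x02" if pt[1] % 2 == 0 else b"\x03") + pt[0].to_bytes(32, "big")

def decompress(b):
    x = int.from_bytes(b[1:], "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)                 # works since P % 4 == 3
    return (x, y if (y % 2 == 0) == (b[0] == 2) else P - y)

def nums_point(seed):                  # second generator, discrete log w.r.t. G unknown
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
    while True:
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs: return (x, y)
        x = (x + 1) % P

H = nums_point(compress(G))
rand_scalar = lambda: int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
commit = lambda v, r: ec_add(ec_mul(r, G), ec_mul(v, H))     # C = r*G + v*H

def keystream_xor(key, data):          # SHA-256 counter keystream (constructed toy)
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], blk))
    return bytes(out)

def enc(plain, pub):                   # toy ECIES: ephemeral pub || keystream-XOR, no MAC
    e = rand_scalar()
    key = hashlib.sha256(compress(ec_mul(e, pub))).digest()
    return compress(ec_mul(e, G)) + keystream_xor(key, plain)

def dec(ct, priv):
    key = hashlib.sha256(compress(ec_mul(priv, decompress(ct[:33])))).digest()
    return keystream_xor(key, ct[33:])

def build_onion(node_pubs, shares, input_commit, owner_proof, output_proof):
    """Owner side: wrap M innermost-first; first node gets the ownership proof,
    last node the output proof, middle nodes nil. Returns <Enc(M), Enc(C)> for node 1."""
    nxt, last = None, len(node_pubs) - 1
    for i in range(last, -1, -1):
        proof = owner_proof if i == 0 else output_proof if i == last else None
        m = {"rangeproof": proof, "excess_share": hex(shares[i]), "next": nxt}
        nxt = enc(json.dumps(m).encode(), node_pubs[i]).hex()
    return bytes.fromhex(nxt), enc(compress(input_commit), node_pubs[0])

def node_step(priv, enc_m, enc_c, next_pub):
    """Node side: decrypt C and M, add share*G, forward M' and C re-encrypted
    for the next node. The last node returns the final output commitment in clear."""
    m = json.loads(dec(enc_m, priv))
    c = ec_add(decompress(dec(enc_c, priv)), ec_mul(int(m["excess_share"], 16), G))
    if m["next"] is None:
        return m["rangeproof"], None, c
    return m["rangeproof"], bytes.fromhex(m["next"]), enc(compress(c), next_pub)

def simulate(value, blind, shares):
    """Run one coinswap through len(shares) nodes with fresh node keys."""
    privs = [rand_scalar() for _ in shares]
    pubs = [ec_mul(k, G) for k in privs]
    c_in = commit(value, blind)
    msg, com = build_onion(pubs, shares, c_in, "BP(ownership)", "BP(output)")
    proofs = []
    for i, priv in enumerate(privs):
        nxt = pubs[i + 1] if i + 1 < len(pubs) else None
        proof, msg, com = node_step(priv, msg, com, nxt)
        proofs.append(proof)
    # Bookkeeping check: C_out must equal C_in shifted by the sum of all shares,
    # i.e. C_out - C_in = (sum of ExcessShare)*G, the total kernel excess.
    expected = commit(value, (blind + sum(shares)) % N)
    return {"input": c_in, "final": com, "expected": expected, "proofs": proofs}
```

The thing to look at in the result is which node sees what: every node decrypts the commitment it is handed and its own share, only the first and last see a rangeproof, and the final output only equals C_in + (sum of shares)*G if each node's scalar was actually added along the way. The toy encryption deliberately has no integrity protection, so a real implementation would want an authenticated scheme before any of this is relied on.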