-
PlasmaPower: Here's a diff to the prove function in your skunkworks impl demonstrating the issue. Tests still pass with it applied, but the outputted public keys clearly do not fulfill the proof statement that for some x the public keys are xG' and xH'. gist.github.com/adcf5047888ce51b81097d32efd0b06c
-
moneromooo: Thanks for reporting.
-
PlasmaPower: No problem. llfourn from COMIT originally found this when looking at implementing the xmr-btc atomic swap protocol which uses this.
-
Inge-: So .. say you have 500K - and another 125K if you succeed in some tracing of Monero. How would YOU go about attacking it?
-
moneromooo: Thinking like a capitalist pig? Trace a fork without much in the way of txes, say it's just a matter of engineering to improve the success rate, but engineering costs......
-
moneromooo: (tracing the fork done with existing probabilistic techniques, which give good results on small numbers)
-
moneromooo: I guess this doesn't answer the question ^_^
-
Inge-: repeatable good results in some cases, e.g. with exchange data, yielding high probability hits, might be good enough.
-
Inge-: would also be interesting to see what would be possible to unmask if we assume most of the TX growth was for tracking purposes.
-
UkoeHB_: There are plenty of low hanging fruit in the transaction graph. EAE and so on