
Bounty: Implement DLEQ proofs for client-side mint signature validation #42

Closed · callebtc opened this issue Oct 20, 2022 · 2 comments
Labels: enhancement (New feature or request), mint (About the Nutshell mint), wallet (About the Nutshell wallet)

callebtc (Collaborator) commented Oct 20, 2022

This is a bounty offered by the Nodesignal Podcast, and the developer who provides this functionality will receive a 250,000 sats bounty. More information about the bounty program can be found here:
https://nodesignal.space/spenden-bitcoin-bounties/

Bounty goals

The goal of this bounty is to implement discrete log equality (DLEQ) proofs in Cashu.

This will enable three concrete things:

  1. It will be possible for user Alice to make sure that the token they received from the mint Bob was indeed signed by them and not by a man-in-the-middle.
  2. Alice can be sure that Bob has indeed used the private key for signing their token that it had used, say, the day before. Otherwise, Bob could secretly use a special private key for every single token they sign, undermining the privacy of the entire setup by collapsing the anonymity set to 1.
  3. In combination with P2SH, this will enable secure offline token transfers from Alice to Carol without Carol having to redeem tokens immediately to be sure that the signatures haven't been forged by Alice.

Cryptography

To quote from the original gist of Ruben Somsen (note that Alice and Bob have been swapped below because in the notation of Cashu, Alice is the user and Bob is the mint):

The protocol also has one additional weakness that can be addressed. Bob can't be certain that C' was correctly generated and thus corresponds to a*B' . Alice can resolve this by also supplying a discrete log equality proof (DLEQ), showing that a in A = a*G is equal to a in C' = a*B'. This equality can be proven with a relatively simple Schnorr signature, as described below.

Step 1

These steps occur while Bob the mint returns the blinded signature C'

Bob:
 r = random nonce
R1 = r*G
R2 = r*B'
 e = hash(R1,R2,A,C')
 s = r + e*a
return e, s

Step 2

The wallet (Alice) validates DLEQ proofs once it receives the blinded signature:

Alice:
R1 = e*A - s*G
R2 = e*C' - s*B'
e == hash(R1,R2,A,C')

If true, a in A = a*G must be equal to a in C' = a*B'

Step 3

When a token is transferred from Alice to Carol, Carol executes the same steps as Alice in Step 2 to validate that the tokens from Alice are indeed signed by Bob.

moonsettler (Collaborator) commented Mar 24, 2023

There is a sign error in the verification, Step 2. (confirmed it with waxwing)

R1' = e*A - s*G = -r*G
R2' = e*C' - s*B' = -r*B'

So the DLEQ proof would fail. To easily correct it, we can replace the sides in the subtractions.

Alice:
R1 = s*G - e*A
R2 = s*B' - e*C'
e == hash(R1,R2,A,C')

If true, a in A = a*G must be equal to a in C' = a*B'
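A worked implementation of Step 1 and Step 2 from the issue, with the sign fix from this comment, as an added example that is not part of the issue or of Nutshell's own code. It uses a small pure-Python secp256k1 so it runs offline; the compressed-point serialization fed into the hash and the use of SHA-256 are assumptions, and Alice's blinded point B' is stood in for by a random point rather than a real blinded secret. The block keeps the original (sign-flipped) verifier next to the corrected one to show that it rejects an honest proof, and it checks the two failure modes from the bounty goals: a mint that signs with a different key than the one it publishes as A, and a C' that was tampered with on the way to Alice.

```python
# Added example (not Nutshell code): DLEQ proof that a in A = a*G equals a in C' = a*B',
# on secp256k1, following Step 1 / Step 2 of the issue with moonsettler's sign fix.
import hashlib
import secrets

# secp256k1 parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Points are (x, y) tuples; None is the point at infinity.
def add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:        # p2 == -p1
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    k %= N
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def sub(p1, p2):
    return add(p1, None if p2 is None else (p2[0], (-p2[1]) % P))

def ser(pt):
    # 33-byte compressed SEC encoding; the serialization fed to the hash is an assumption.
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def challenge(R1, R2, A, C_):
    # e = hash(R1, R2, A, C') as in the issue; SHA-256 is an assumption.
    h = hashlib.sha256(ser(R1) + ser(R2) + ser(A) + ser(C_)).digest()
    return int.from_bytes(h, "big") % N

# Step 1 (Bob, the mint): blind-sign B' and attach the DLEQ proof (e, s).
def dleq_prove(a, B_, r=None):
    A = mul(a, G)
    C_ = mul(a, B_)
    r = r if r is not None else 1 + secrets.randbelow(N - 1)   # random nonce
    R1 = mul(r, G)
    R2 = mul(r, B_)
    e = challenge(R1, R2, A, C_)
    s = (r + e * a) % N
    return A, C_, e, s

# Step 2 (Alice, corrected): R1 = s*G - e*A, R2 = s*B' - e*C'.
def dleq_verify(A, B_, C_, e, s):
    R1 = sub(mul(s, G), mul(e, A))
    R2 = sub(mul(s, B_), mul(e, C_))
    if R1 is None or R2 is None:
        return False
    return e == challenge(R1, R2, A, C_)

# Step 2 as originally written in the issue: R1 = e*A - s*G gives -r*G, so the
# recomputed challenge never matches.
def dleq_verify_original(A, B_, C_, e, s):
    R1 = sub(mul(e, A), mul(s, G))
    R2 = sub(mul(e, C_), mul(s, B_))
    if R1 is None or R2 is None:
        return False
    return e == challenge(R1, R2, A, C_)

def run_demo():
    a = 1 + secrets.randbelow(N - 1)     # Bob's private key for this keyset (constructed)
    B_ = mul(1 + secrets.randbelow(N - 1), G)   # stand-in for Alice's blinded point B'
    A, C_, e, s = dleq_prove(a, B_)
    results = {
        "honest": dleq_verify(A, B_, C_, e, s),
        "original_verifier": dleq_verify_original(A, B_, C_, e, s),
    }
    # Bounty goal 2: Bob signs with a secret per-token key a2 but publishes A = a*G.
    _, C2, e2, s2 = dleq_prove((a + 1) % N, B_)
    results["key_switched"] = dleq_verify(A, B_, C2, e2, s2)
    # Bounty goal 1: a man-in-the-middle hands Alice a different C'.
    results["forged_C"] = dleq_verify(A, B_, add(C_, G), e, s)
    return results

if __name__ == "__main__":
    print(run_demo())
```

Carol's check in Step 3 is the same `dleq_verify` call with Bob's published A for that amount, so a token carrying (C', e, s) can be validated offline by anyone who knows the mint's public keys; nothing in the proof depends on Alice's blinding factor.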

callebtc (Collaborator, Author) commented

Congratulations for the bounty @moonsettler!
