Stefan - excellent suggestion. That's a neat way to do things. To sign for the control output then, the current bond owner would have to calculate owner privkey*bond record hash too to make it match the pubkey, is that right?
Yep.
--
One more point that is going to be obvious to those comfortable with elliptic curve math, but bears writing down: It's important that the base pubkey is captured in the hash, otherwise the scheme becomes ambiguous. I'll use the bond message case as an example.
Let's say you have a message pubkey M. It was calculated from issuer public key P_1 and Bond message hash b_1 as M = P_1 * b_1.
Now I'm an evil attacker and I want to create another pair P_2, b_2 that also results in M. What I can do is choose an arbitrary Bond message, calculate its hash b_2 and then calculate P_2 = M * b_2^(-1). Obviously I don't have the corresponding private key, but having a valid pair P_2, b_2 might be enough to cause problems depending on the use case. What prevents this attack is the fact that the Bond message contains the pubkey. If I try to enter P_2 into the bond message, its hash changes and P_2 is no longer correct. To make the message valid I would have to find a SHA256 collision, i.e. a Bond message where I've inserted P_2, but that results in the same hash b_2.
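The following is an added illustration of the two points made in this thread (the owner signing with privkey * hash, and the ambiguity that arises when the issuer pubkey is not part of the hashed Bond message); it is not code from either poster. It assumes secp256k1 as the curve, SHA256 reduced modulo the group order as the hash-to-scalar rule, and uses a constructed issuer private key and constructed bond text. The names (`derive_message_key`, `forge_issuer_key`, `bond_message`, `demo`) are mine.

```python
import hashlib

# secp256k1 parameters (assumed curve; the thread does not name one)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication k * point."""
    k %= N
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_scalar(message: bytes) -> int:
    # Assumed rule: b = SHA256(message) interpreted as a scalar mod N.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def pubkey_bytes(point) -> bytes:
    # Uncompressed SEC encoding of the issuer pubkey, used to bind it into the message.
    return b"\x04" + point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def bond_message(issuer_pub, terms: bytes, bind_pubkey: bool) -> bytes:
    """Bond message with or without the issuer pubkey embedded in it."""
    return (pubkey_bytes(issuer_pub) if bind_pubkey else b"") + terms


def derive_message_key(issuer_pub, message: bytes):
    """M = P * b, with b the hash of the bond message (as in the thread)."""
    return scalar_mult(hash_scalar(message), issuer_pub)


def forge_issuer_key(m_point, other_message: bytes):
    """P_2 = M * b_2^-1, so that P_2 * b_2 == M without knowing any private key."""
    b2 = hash_scalar(other_message)
    return scalar_mult(pow(b2, -1, N), m_point)


def demo(bind_pubkey: bool) -> dict:
    d1 = 0x1D0D0FF1CE_ACCE55_5EED  # constructed issuer private key, not a real one
    p1 = scalar_mult(d1, G)
    msg1 = bond_message(p1, b"bond #1: 100 units, matures 2014-01-01", bind_pubkey)
    b1 = hash_scalar(msg1)
    m_point = derive_message_key(p1, msg1)

    # The legitimate owner signs for M with private scalar d1 * b1 (mod N).
    signer_key_matches = scalar_mult(d1 * b1 % N, G) == m_point

    # An unrelated party picks different bond terms and solves for a pubkey.
    terms2 = b"bond #2: 1000000 units, matures 2099-01-01"
    guess = bond_message(p1, terms2, bind_pubkey)   # P_2 is unknown at this point, so guess a field
    p2 = forge_issuer_key(m_point, guess)
    msg2 = bond_message(p2, terms2, bind_pubkey)    # the message that would actually be published
    forged_pair_accepted = derive_message_key(p2, msg2) == m_point

    return {"signer_key_matches": signer_key_matches,
            "forged_pair_accepted": forged_pair_accepted}


if __name__ == "__main__":
    print("pubkey not in message:", demo(bind_pubkey=False))
    print("pubkey in message:    ", demo(bind_pubkey=True))
```

With `bind_pubkey=False` the second pair (P_2, b_2) reproduces M exactly, which is the ambiguity described above. With `bind_pubkey=True` inserting P_2 changes the message, so its hash is no longer the b_2 that P_2 was computed from, and the check fails; producing a matching pair would require a SHA256 collision. The owner's signing key d1 * b1 verifies against M in both cases.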