Board: Development & Technical Discussion
Re: blind-hashcash, potential bitcoin applications using blind brands certs/ecash
by adam3us on 08/10/2013, 22:40:40 UTC
You notice the core work function is slightly incompatible, maybe enough to break existing double SHA256 hashcash ASICs.  We can fix that if desired by doing:

s=random, r=random
compute a=h^r*h0^-s
find i such that 0=?H(s,i,a,m) mod 2^w

and the verification compute c=s+H(s,i,a,m) and check as before a=?h^r*h0^-c.

(edited slightly)

It's an interesting side effect that the ASIC hashcash backwards compatible variant is actually more convenient because you can test the work separately from the signature.

Just check H(s,i,a,m) mod 2^w == 0 as now.  Then optionally you can check the signature; could be useful, it's much simpler to check the hash, and for some aspects of validation the hash alone would be enough.


(Step c=s+H(s,i,a,m) mod 2^w is equivalent to checking 0=?H(s,i,a,m) then c=s).

So far this is a blindable signature; I need to write up (and check) how the Brands blind Schnorr signature fits together with blindable-hashcash.

Adam
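
The following sketch is an added example, not part of the original post. It walks through the mint and verify steps described above so that the work check and the check of `a` can be run separately. The modulus, the bases standing in for h and h0, the byte encoding fed to H, and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumptions for this sketch, not taken from the post):
P = 2**127 - 1            # Mersenne prime modulus, far too small for real use
H_BASE, H0_BASE = 3, 5    # stand-ins for the post's h and h0

def H(s, i, a, m):
    """Double SHA-256 over an assumed fixed-width encoding of (s, i, a, m)."""
    data = s.to_bytes(16, "big") + i.to_bytes(8, "big") + a.to_bytes(16, "big") + m
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def commit(r, c):
    """h^r * h0^-c mod P; the negative exponent is reduced mod P-1 (Fermat)."""
    return pow(H_BASE, r, P) * pow(H0_BASE, (P - 1) - c % (P - 1), P) % P

def mint(m, w):
    """s, r random; a = h^r * h0^-s; search i until H(s,i,a,m) mod 2^w == 0."""
    s, r = secrets.randbelow(P - 1), secrets.randbelow(P - 1)
    a = commit(r, s)
    i = 0
    while H(s, i, a, m) % 2**w != 0:
        i += 1
    return {"s": s, "r": r, "i": i, "a": a}

def check_work(t, m, w):
    """Hash-only check: needs s, i, a and m, but not r."""
    return H(t["s"], t["i"], t["a"], m) % 2**w == 0

def check_commitment(t, m, w):
    """c = s + (H(s,i,a,m) mod 2^w), then test a == h^r * h0^-c."""
    c = t["s"] + H(t["s"], t["i"], t["a"], m) % 2**w
    return t["a"] == commit(t["r"], c)

if __name__ == "__main__":
    msg = b"constructed sample message"
    token = mint(msg, 12)
    print("work ok:", check_work(token, msg, 12))
    print("commitment ok:", check_commitment(token, msg, 12))
    # Changing r leaves the work valid but breaks the check of a.
    bad = dict(token, r=(token["r"] + 1) % (P - 1))
    print("tampered r:", check_work(bad, msg, 12), check_commitment(bad, msg, 12))
```

Because r is not an input to H, a validator that only cares about the work can skip the exponentiations entirely and run the second check only where it matters.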