https://github.com/AlphaWallet/TokenScript/blob/master/doc/security.md

based on the design in the doc, I created a demo tool with a small test case in JUnit test for generating proof-of-trust and proof-of-revoke address.

currently, it's hard for me to spare time to work on it as I'm still on a two-week business trip, welcome to contribute your effort to help me improve the tool. and also there is one small question regarding the statement:

it can calculate the private key of that address by 𝑥·ℎ given that (𝑔ˣ)ʰ = (gʰ)ˣ.

at first I thought it's talking about RSA, Y' = Yʰ = (𝑔ˣ)ʰ = 𝑔ˣʰ = RSA.generate(Y, 𝑒=ℎ)
and then I realised ECC also belongs to *discrete logarithm problem*(still not clear why it belongs to it, it looks to me that ecc is scala multiplicative not exponents, need to take time to find out and please comment below explain to me if you know)

I still feel it's better to use denote like this: h*(x*G)=x*(h*G)

for an elliptic curve E over a prime field Fp (denoted by E(Fp)), elliptic curve belongs to abelian groups, so it satisfies commutative and associative for Point Addition

Y=x*G

Y' = h*Y =h*(x*G) = (x*h)*G

about abelian group:

A set G is called an abelian group (G,* ) with a binary operation *, G*G->G if it satisfies the following properties:

- Associativity: (a*b)*c=a*(b*c) for all a,b,c in G .
- Commutativity: a*b=b*a for all a,b in G .
- Identity: there exists i in G such that i*a=a*i=a, for all a in G .
- Inverse: for each a in G , there exists b in G such that a*b=b*a=i . Element b is called the inverse of a.