FE'd Up Covenants

Also, a clarifying question for the end of that section:

You write:

"$\sigma \leftarrow C_F(C_p, \text{Encrypt}(M, TX))$

$\sigma$ can be used as a signature of $u$ over $TX$".

Would this be correct?

$\sigma = \text{Decrypt}(C_F, C_p, \text{Encrypt}(M, TX))$

… where I’m taking the definition of Decrypt from the start of the paper and extending to the two-argument case, i.e. defining for an encryption public key of $M$, $\text{Decrypt}(q, c_1, c_2) = X$ where the function has been previously defined $F(a, b) = X$ and $c_1, c_2$ are ciphertexts of $a, b$ and $q$ is the output of $\text{EncryptFunc}(M, F)$.

So anyway, if I got that right, let me try to translate into English what this machine does:

The basic building block is the ability to create a decryption key that decrypts a given ciphertext to the output of F when its plaintext is used as input.

The way you’re using it here (seems pretty clever!) is that you define a function which is “F(private key, transaction) = the ECDSA signature of a transaction by a private key tweaked by the hash of the transaction”. This means that given the ciphertext of that tweaked private key, and “given” the ciphertext for the transaction (anyone can generate ciphertexts; this is public key cryptography), you can pass those two arguments into the output of the “basic building block above”; you’ll get a signature on that transaction. But, because of the tweak, if you try to do the same with any other transaction, it’ll fail.

(Deleted earlier misunderstanding)