He explains that as long as graftroot and NOINPUT signatures commit to the public key, it is possible for a server to have unique keys for every output while retaining the same private key and ensure that "one sig can spend only one output" holds. Poelstra then provides a simple scheme for blind signatures to accomplish this, which is vulnerable to Wagner's attack. He also suggests that key-prefixing may not be necessary but makes the security argument clearer since the messagehash contains some data that can be made unique per-utxo and committed in the chain.