2018.10.11 17:08:42 (1050402818195111937) from Daniel J. Bernstein, replying to "Gregory Neven (@gregoryneven)" (1050093668089106432):
The chance of breaking 1 of N signature users with key prefixing is at most the chance of breaking a targeted user in the original system. Simple; tight; real H, not ROM; eliminates concerns about multi-user attacks. Theorems without key prefixing have questionable assumptions.
2018.10.09 14:39:30 (1049640496988065793) from "Gregory Neven (@gregoryneven)", replying to "Calvin (@kcalvinalvinn)" (1049637945794162689):
Short answer: no need for pubkey inclusion in Schnorr sigs, even to be safe. It was thought to have effect on tightness in multi-user security (https://ed25519.cr.yp.to/multischnorr-20151012.pdf), but https://eprint.iacr.org/2016/191 proved that it is unnecessary.
2018.10.10 18:29:18 (1050060715065790465) from Daniel J. Bernstein, replying to "Gregory Neven (@gregoryneven)" (1049640496988065793):
Not true. https://eprint.iacr.org/2016/191 makes assumptions that are stronger and that have been less studied by cryptanalysts. Including the public key in the hash gives a multi-user security proof from _standard_ assumptions. (Side benefits: simpler, and quantitatively a bit stronger.)
2018.10.10 20:40:14 (1050093668089106432) from "Gregory Neven (@gregoryneven)":
Which assumptions do you mean, exactly? They prove Schnorr without key prefixing secure under DL in the ROM, with tightness loss of Qh. That's pretty much as good as one could hope for, right? Or am I missing something?