2018.10.12 03:38:23 (1050561287070109696) from Daniel J. Bernstein, replying to "Gregory Neven (@gregoryneven)" (1050418559485136896):
No. The ROM proofs for Schnorr signatures are too weak to be useful. The _real_ argument for security is that some cryptanalysts have tried and failed to break the system. But how many cryptanalysts have tried attacking multiple Schnorr users? Key prefixing answers this question.
2018.10.10 18:29:18 (1050060715065790465) from Daniel J. Bernstein, replying to "Gregory Neven (@gregoryneven)" (1049640496988065793):
Not true. https://eprint.iacr.org/2016/191 makes assumptions that are stronger and that have been less studied by cryptanalysts. Including the public key in the hash gives a multi-user security proof from _standard_ assumptions. (Side benefits: simpler, and quantitatively a bit stronger.)
2018.10.10 20:40:14 (1050093668089106432) from "Gregory Neven (@gregoryneven)":
Which assumptions do you mean, exactly? They prove Schnorr without key prefixing secure under DL in the ROM, with tightness loss of Qh. That's pretty much as good as one could hope for, right? Or am I missing something?
2018.10.11 17:08:42 (1050402818195111937) from Daniel J. Bernstein, replying to "Gregory Neven (@gregoryneven)" (1050093668089106432):
The chance of breaking 1 of N signature users with key prefixing is at most the chance of breaking a targeted user in the original system. Simple; tight; real H, not ROM; eliminates concerns about multi-user attacks. Theorems without key prefixing have questionable assumptions.
2018.10.11 18:11:15 (1050418559485136896) from "Gregory Neven (@gregoryneven)":
Sure, with key prefixing, multi-user security is implied tightly by single-user security. But single-user security for Schnorr is still under DL in ROM with Qh loss. So final security statement remains the same, with or without key prefixing.