The cr.yp.to microblog: 2018.10.10 18:29:18

2018.10.10 18:29:18 (1050060715065790465) from Daniel J. Bernstein, replying to "Gregory Neven (@gregoryneven)" (1049640496988065793):

Not true. https://eprint.iacr.org/2016/191 makes assumptions that are stronger and that have been less studied by cryptanalysts. Including the public key in the hash gives a multi-user security proof from _standard_ assumptions. (Side benefits: simpler, and quantitatively a bit stronger.)

Context

2018.10.09 14:39:30 (1049640496988065793) from "Gregory Neven (@gregoryneven)", replying to "Calvin (@kcalvinalvinn)" (1049637945794162689):

Short answer: no need for pubkey inclusion in Schnorr sigs, even to be safe. It was thought to have effect on tightness in multi-user security (https://ed25519.cr.yp.to/multischnorr-20151012.pdf), but https://eprint.iacr.org/2016/191 proved that it is unnecessary.