In BIP-0340, in the Batch Verification section, (u - 1) randomly chosen coefficients a2, ..., au are used in the batch verification equation, versus simply setting all of these to the value 1. The reason is given in the following two sources:
https://is.muni.cz/th/oaxta/thesis.pdf :
Page 7
A malicious party could produce an invalid signature, which would complement or cancel out another (possibly invalid) signature, thus making the batch verification succeed even for invalid signatures.
However, this equation is not completely secure, because it's possible to construct a signature that will balance out the equation for an invalid signature. So to prevent this from happening, we multiply each individual verification equation by its own random number (which we call a).
But how could such a balancing out be achieved? Consider the case of u = 2 and set a2 = 1 in BIP-0340, and suppose that (pk1, m1, sig1) is an INVALID signature (so that s1*G != R1 + e1*P1) and we seek some signature (pk2, m2, sig2) (valid or invalid) that we can supply so that the following batch equation balances:
(s1 + s2)*G = R1 + R2 + e1*P1 + e2*P2
My immediate thought was to choose any signature (pk2, m2, sig2) which has R2 equal to the following:
R2 = (s1 + s2)*G - R1 - e1*P1 - e2*P2
which would then make the above equation balance.
But this would not work because e2 has a hash dependency on R2, because e2 equals a hash of data which includes the x-coordinate r2 of R2.
So how can a suitable signature (pk2, m2, sig2) be found, and how would setting a2 != 1 prevent that from working?
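Added example (not part of the original question and not BIP-0340 reference code): a simplified Schnorr scheme over secp256k1 showing the cancellation the quoted sources warn about, and why a verifier-chosen random a2 stops it. Assumptions: full curve points and plain SHA-256 stand in for BIP-0340's x-only keys and tagged hashes, the keys and messages are constructed sample values, and all function names are illustrative.

```python
import hashlib, secrets

# secp256k1 field prime, group order and generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P)
    else: lam = (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P)
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def challenge(R, Pk, m):  # e = H(r || pk || m), plain SHA-256 (simplification)
    data = R[0].to_bytes(32, "big") + Pk[0].to_bytes(32, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(d, m):  # returns (Pk, m, R, s) with s = k + e*d
    k = secrets.randbelow(N - 1) + 1
    R, Pk = mul(k, G), mul(d, G)
    return Pk, m, R, (k + challenge(R, Pk, m) * d) % N

def batch_verify(sigs, coeffs):  # (sum a_i*s_i)*G == sum a_i*(R_i + e_i*P_i)
    lhs, rhs = 0, None
    for (Pk, m, R, s), a in zip(sigs, coeffs):
        lhs = (lhs + a * s) % N
        rhs = add(rhs, mul(a, add(R, mul(challenge(R, Pk, m), Pk))))
    return mul(lhs, G) == rhs

def verify(sig):  # single check s*G == R + e*P is a batch of one
    return batch_verify([sig], [1])

def demo():
    good1, good2 = sign(0x1111, b"msg one"), sign(0x2222, b"msg two")
    t = secrets.randbelow(N - 1) + 1           # offset chosen by the submitter
    bad1 = good1[:3] + ((good1[3] + t) % N,)   # s1 + t: invalid on its own
    bad2 = good2[:3] + ((good2[3] - t) % N,)   # s2 - t: invalid on its own
    a2 = secrets.randbelow(N - 2) + 2          # verifier's coefficient, never 1
    return (verify(bad1), verify(bad2), batch_verify([bad1, bad2], [1, 1]),
            batch_verify([bad1, bad2], [1, a2]), batch_verify([good1, good2], [1, a2]))
```

R2 and e2 are left untouched, so the hash dependency never comes into play: only the s values move, and with a2 chosen after submission the residual t*(1 - a2) is nonzero mod the group order.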