On the topic of half aggregation, Chalkias et al. gave a convincing security proof last year: https://eprint.iacr.org/2021/350
As an aside, half aggregation is not exactly the scheme in the OP because that one is insecure. This does not affect Zmn's conclusion and was already pointed out in the original half aggregation thread: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014306.html It is required that each of the "s"-values are multiplied with a different unpredictable value, for example like this: https://github.com/ElementsProject/cross-input-aggregation/blob/master/slides/2021-Q2-halfagg-impl.org#schnorr-signature-half-aggregation-1 _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev