Not 'signing' but 'secret' i.e. the r values (ephemeral keys). Proof of
knowledge of the r values used to generate each R used prevents the Wagner
attack, no?

On Wed, Jul 26, 2023 at 8:59 PM Jonas Nick <jonasdnick@gmail.com> wrote:

> None of the attacks mentioned in this thread so far (ZmnSCPxj mentioned an
> attack on the nonces, I mentioned an attack on the challenge c) can be
> prevented
> by proving knowledge of the signing key (usually known as proof of
> possession,
> PoP).
>