From briefly observing Bitcoin/secp256k1 code of Schnorr sigs implementation, I've came to the conclusion it is assumed there multi-user Schnorr is about the same security as single-user. That was proven, but recently D. Bernstein did show the proof was incorrect, and multi-user Schnorr is provably secure only if key-prefixing. The paper is there: https://eprint.iacr.org/2015/996.pdf .
Please note absence of a provable security doesn't mean a practical attack exists. It could be found few years after though. Bitcoin devs please take care.
We're aware. (Though thank you, we could have not been as well). In general I prefer prefixing-- without it the signature is not really a proof of knowledge--, and the libsecp256k1 "test schnorr" construction goes out of its way to enable things like compact signature key recovery while also using prefixing. Please note absence of a provable security doesn't mean a practical attack exists. It could be found few years after though. Bitcoin devs please take care.
