> A rather delightful property if you want to attack anonymity in some proposed “everybody just uses cryptographic signatures for everything” scheme.<p>I don't follow. Surely the entire point of a public key is that it's public, and the point of signatures is to show that something belongs to you. An anonymous signature makes no sense, because signing something is putting your name on it. If you wanted to be anonymous in the sense that your public key cannot be recovered from a message, you wouldn't sign the message.
Fun fact: Ethereum transaction does not include sender's address or pubkey.<p>It is calculated from the signature.<p>I'm not sure if Bitcoin can use this trick, at least the classic transaction types explicitly included pubkey.
I get this as a hobby but I fail to find any "attack scenarios" where this is relevant. Public keys are the most public thing I can think of. Without a public key you cannot check if a signature is valid. I cannot see any scenario where a person might use its private key to sign something and not wish everybody else to have the corresponding public key to verify it. I wish the author had made some examples when this gets relevant and when I have to design my protocols accordingly.
Is there a name for this property (i.e. a signature scheme only allowing an observer to realize that messages m1 and m2 are signed by the same public key if they know that public key)?<p>I suppose it's an easy enough property to add to any signature protocol via a designated verifier scheme, and just defining the public key to be a combination of the public signature key and the secret verifier key.<p>I also wonder whether there is any formal proof (or at least an intuitive argument for why it would be intractable) for the variant of Schnorr signatures mentioned in the article.