Posted by waxwing / AdamISZ
Oct 31, 2025 / 13:09 UTC
Adam opens by acknowledging the feedback received and noting that his theorem 1 was deliberately stated specifically for BIP340. He says he was aware of the implications Pohlig-Hellman has for non-prime-order groups and accepts the critique as valid, even though he believes he could defend his thesis. He also discusses the framework presented in his paper: although it has been refined over time, it remains too vague in crucial parts of the reasoning, particularly regarding the invertibility of the functions it describes.
In his analysis, Adam assumes that the mappings x -> P = xG and k -> R = kG are pseudorandom, in the sense that their output cannot be controlled. This assumption was made both explicitly and implicitly at various points in his argument. He refers to his treatment of functions of the form f(P, R, s) and acknowledges a possible oversight: he was not explicit about how the argument depends on P and R, precisely because their values are uncontrollable.
Adam makes a critical point about the impossibility of embedding data in Schnorr signatures, specifically in the group element R within a prime-order group: the argument must rely on the hardness of computing all bits of k from R. He cites Section 10 of Håstad-Näslund 2003 as proof supporting his assumptions about prime-order groups. Even so, he admits to having assumed certain principles without proper justification, which leaves his conclusion about the reduction to hash preimage resistance incomplete. He suggests that their efforts should perhaps be directed toward a DDH assumption in addition to hash preimage resistance, flagging this as an area for further exploration and clarification in his work.