On public keys and frozen hearts:

Recently, I was discussing with #[0] the slightly disappointing fact that BIP340 Schnorr stopped us from being able to do pubkey recovery.

(Sidebar: what's that? In ECDSA, s = k^-1(H(m) + rd), where d is the private key, so ksG = H(m)G + rP; since R = kG, that is sR = H(m)G + rP, and P can be calculated as r^-1(sR - H(m)G). So, given a message m and a signature (R, s), you can always find a/the pubkey that makes the signature verify, even though you don't know its private key d.)

There's a good reason that this property is explicitly broken by BIP340 "key-prefixed" Schnorr, though (but *not* by Schnorr's original algorithm from the 1980s). It's because it violates a crucial cryptographic principle used in the "Fiat-Shamir transform", which turns identification protocols into non-interactive proof-of-knowledge protocols (of which signatures are a type). The principle is: "the challenge hash must cover the entirety of the conversation between prover and verifier that preceded the challenge". That conversation *must* include the communication of the pubkey in cases, like bitcoin, where the key is ephemeral and not a global, fixed constant of the system.

Where this can crop up is in cases like the one elucidated in Sec 4.4 of this paper: https://arxiv.org/pdf/2006.16714.pdf , quote "If the signature algorithm did not commit to the public key, then an attacker could claim any Taproot spending conditions, and a watch-only wallet could maul signatures for one BIP-32 key tree to be valid for another.".

I went into this point in some detail in the middle of https://reyify.com/blog/ring-signatures (see "Tweaked s values on fixed message and tweaked keys" .. you can malleate a signature both additively and multiplicatively) ... once you see this it's really clear that key-prefixing is an absolute requirement.
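As an added, self-contained illustration of the two points above (this is not code from the note, from the linked blog post, or from any library), the pure-Python toy below works on secp256k1 with plain affine arithmetic. It does three things: recovers P from an ECDSA (r, s) exactly as in the sidebar; recovers P from a Schnorr signature whose challenge is H(R || m), i.e. without key-prefixing; and applies the additive tweak of s to move such a signature onto a tweaked key P + tG, which succeeds without key-prefixing and fails once the challenge covers P, as in BIP340. The point encoding, the challenge layout `H(R || P || m)`, and all function names are assumptions made for the example; this is a demonstration of the algebra, not a BIP340 or ECDSA implementation for real use.

```python
# Added illustration, not the note's or any library's code. Pure-Python secp256k1
# (affine arithmetic, not constant time, not for real use): ECDSA pubkey recovery,
# and original vs key-prefixed Schnorr with the additive tweak of s.
import hashlib
import secrets

P_MOD = 2**256 - 2**32 - 977                                            # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def neg(A): return (A[0], P_MOD - A[1])
def enc(A): return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")  # assumed encoding
def h(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

# --- ECDSA: s = k^-1 (H(m) + r d), hence P = r^-1 (s R - H(m) G) ---
def ecdsa_sign(d, m, k):
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h(m) + r * d) % N

def ecdsa_recover(m, sig):
    """Every pubkey that makes (r, s) verify on m; no private key involved."""
    r, s = sig
    keys = []
    for x in (r, r + N):                       # r is R.x mod N; undo the reduction
        if x >= P_MOD: continue
        y2 = (pow(x, 3, P_MOD) + 7) % P_MOD
        y = pow(y2, (P_MOD + 1) // 4, P_MOD)   # square root, valid since p = 3 mod 4
        if y * y % P_MOD != y2: continue
        for R in ((x, y), (x, P_MOD - y)):     # both lifts of x are candidates for R
            keys.append(mul(pow(r, -1, N), add(mul(s, R), mul(N - h(m), G))))
    return keys

# --- Schnorr: s = k + e d, with e = H(R || m) (original) or H(R || P || m) (key-prefixed) ---
def challenge(R, P, m, prefixed):
    return h(enc(R), enc(P), m) if prefixed else h(enc(R), m)

def schnorr_sign(d, m, k, prefixed):
    R = mul(k, G)
    return R, (k + challenge(R, mul(d, G), m, prefixed) * d) % N

def schnorr_verify(P, m, sig, prefixed):
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, P, m, prefixed), P))

def schnorr_recover(m, sig):
    """Original (non-prefixed) Schnorr only: P = e^-1 (s G - R).
    Under key-prefixing e already depends on P, so no such closed form exists."""
    R, s = sig
    return mul(pow(h(enc(R), m), -1, N), add(mul(s, G), neg(R)))

def tweak_s(sig, m, t):
    """Additive tweak: if s G = R + e P then (s + e t) G = R + e (P + t G).
    It uses e = H(R || m), i.e. it relies on the challenge not covering P."""
    R, s = sig
    return R, (s + h(enc(R), m) * t) % N

def demo(d=None, k=None, t=12345, m=b"constructed message"):
    """Returns (ecdsa_recovered, schnorr_recovered, tweak_ok_unprefixed, tweak_ok_prefixed)."""
    d = d or secrets.randbelow(N - 1) + 1
    k = k or secrets.randbelow(N - 1) + 1
    P = mul(d, G)
    P_tweaked = add(P, mul(t, G))
    ecdsa_ok = P in ecdsa_recover(m, ecdsa_sign(d, m, k))
    sig = schnorr_sign(d, m, k, prefixed=False)
    rec_ok = schnorr_recover(m, sig) == P
    tweak_unprefixed = schnorr_verify(P_tweaked, m, tweak_s(sig, m, t), prefixed=False)
    sig_prefixed = schnorr_sign(d, m, k, prefixed=True)
    # The same tweak against a key-prefixed signature: e changes with P, so it does not verify.
    tweak_prefixed = schnorr_verify(P_tweaked, m, tweak_s(sig_prefixed, m, t), prefixed=True)
    return ecdsa_ok, rec_ok, tweak_unprefixed, tweak_prefixed

if __name__ == "__main__":
    print(demo())   # expected (True, True, True, False)
```

The last tuple element is the whole point: with e = H(R || P || m) the verifier recomputes the challenge from the key it was handed, so a signature cannot be moved onto P + tG by adjusting s, and there is no equation to solve for P from (R, s, m) alone. The ECDSA recovery returns more than one candidate because r only fixes the x-coordinate of R (and that only modulo N); a real implementation carries a recovery id to pick one, which this toy omits.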

But this has cropped up outside signature schemes, too. For example, the Bulletproofs paper had an error in this regard, where a key was left out of the transcript committed to, and so did several other implementations of new ZK schemes. This point was covered in considerable detail in this rather wonderful "Frozen Heart" writeup:

https://blog.trailofbits.com/2022/04/13/part-1-coordinated-disclosure-of-vulnerabilities-affecting-girault-bulletproofs-and-plonk/
