In this attack hacker gets a pair of valid signatures for the same transaction: (R1, s1, R2, s2) and (R1', s1', R2, s2'). Here R2 is the same, but R = R1+R2 and R'=R1'+R2 are different. This means that the hacker can calculate our second private key: s2-s2'=(hash(P,R1+R2,m)-hash(P,R1'+R2,m))⋅pk2 and pk2=(s2-s2')/(hash(P,R1+R2,m)-hash(P,R1'+R2,m)). I find this the most inconvenient feature of key aggregation — we will need to use a good random number generators everywhere to use key aggregation.
