Advisories for Cargo/Cggmp21 package

2025

cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures

This attack is against presignatures used in very specific contexts:

Presignatures + HD wallets derivation: security level reduces to 85 bits. Previously, users could generate a presignature and then choose an HD derivation path while issuing a partial signature via Presignature::set_derivation_path, which is susceptible to an attack that reduces the target security level. To mitigate, this method has been removed from the API.

Presignatures + "raw signing" (when signer signs a hash without …

2024