The answer:
By BTCillustrated
There's a good video from Bitcoin Optech that covers this for anyone interested in learning more. The video is really about MuSig though, which is a method for signature aggregation that does not suffer from this attack.
Link:
reply
Nice explanation, thanks!!! I remember a lecture on YouTube where Tadge D. explained that, but I failed to understand it at the time.
reply
The mitigation obviously must be that both send an encrypted form of their signature and then they send the unlocks and combine them. Both should agree. I think this is called a "commitment".
The encryption would be based on an ECDH shared secret: they have to first share a public key, generate a random private key, generate a secret with the other side's public key, send the encrypted packet, wait for acknowledgement (the hash of the encrypted message) and then wait for their side and return the ack, and once both send and both get acks they then share the public key used to generate the cipher used on the signature.
BTW, when the diagram shows the addition of the two keys, that is literally how Schnorr keys are aggregated. The only bit that is unfamiliar to most is that it is an operation where the overflow bits are added to the other side, modulo addition, a form of clockwork arithmetic in binary.
Also, note that the very same thing can be done with more than two, but it could take a long time if there are hundreds of parties as this is an interactive protocol, although if you have the patience it certainly can be done more or less asynchronously, as if it were email.
reply
Interesting scenario. The thing that comes to my mind immediately when hearing "Schnorr" and "attack" is the Sony hack that is based on accidentally choosing the same r-value more than once, which is a very famous attack in crypto.
reply
Small correction: the Sony hack was with the k-value in DSA, not the r-value in Schnorr. But the two hacks are conceptually the same.
reply
Half the same key certainly narrows down the search :D The effective bits of security for this are 64, which is still better than SSL 20 years ago.
wait. DSA. not ECDSA.
The noughties were miserable times after 2005 until the end of the decade.
reply
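The two ideas raised in the comments above, a commitment round before keys are combined and the danger of a repeated nonce, can both be seen in a few dozen lines of plain Python. The block below is an added example, not code from the page or from any of the commenters, and it makes its own simplifying choices: it uses a plain SHA-256 hash commitment to each public key (rather than the ECDH-encrypted exchange with acknowledgements sketched above), a simplified Schnorr signature that is not byte-exact BIP340, and toy secret keys (11 and 22) labelled as constructed. It implements secp256k1 point addition and scalar multiplication directly so it runs offline with the standard library only. Key aggregation is literally point addition, the commit-then-reveal step rejects a key that does not match what was committed, and `reused_nonces` is the kind of check a signing service or auditor can run over emitted signatures to flag the repeated-R failure mode behind the DSA incident mentioned; the signer derives its nonce from the secret key and the message so that the same nonce never appears under two different messages.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses), written out as constants.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p, q):
    """Point addition on secp256k1; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None  # p + (-p)
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def mul(k, p=G):
    """Scalar multiplication by double-and-add (not constant time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r


def enc(pt):
    """Uncompressed 64-byte encoding of an affine point."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h(*parts):
    """SHA-256 of the concatenated parts, reduced into the scalar field."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def sign(x, msg, k=None):
    """Simplified Schnorr signature: R = kG, e = H(R, P, m), s = k + e*x.
    The nonce k is derived from the secret and the message unless overridden,
    so two different messages never share an R by accident."""
    if k is None:
        k = h(x.to_bytes(32, "big"), msg) or 1
    R = mul(k)
    pk = mul(x)
    e = h(enc(R), enc(pk), msg)
    return (R, (k + e * x) % N)


def verify(pk, msg, sig):
    """Check s*G == R + e*P."""
    R, s = sig
    e = h(enc(R), enc(pk), msg)
    return mul(s) == add(R, mul(e, pk))


def commit(pk):
    """Round 1 of the commitment scheme: send only the hash of your key."""
    return hashlib.sha256(enc(pk)).digest()


def aggregate_key(commitments, pubkeys):
    """Round 2: every revealed key must match its earlier commitment; the
    aggregate key is then plain point addition. Returns None on any mismatch."""
    if len(commitments) != len(pubkeys):
        return None
    for c, pk in zip(commitments, pubkeys):
        if commit(pk) != c:
            return None
    agg = None
    for pk in pubkeys:
        agg = add(agg, pk)
    return agg


def reused_nonces(sigs):
    """Groups of signature indices that share the same R (the same nonce)."""
    seen = {}
    for i, (R, _) in enumerate(sigs):
        seen.setdefault(R, []).append(i)
    return [idx for idx in seen.values() if len(idx) > 1]


if __name__ == "__main__":
    x1, x2 = 11, 22  # constructed toy secrets; real keys are random 256-bit scalars
    pk1, pk2 = mul(x1), mul(x2)
    agg = aggregate_key([commit(pk1), commit(pk2)], [pk1, pk2])
    print("aggregate equals (x1+x2)*G:", agg == mul(x1 + x2))
    print("mismatched reveal rejected:",
          aggregate_key([commit(pk1), commit(pk1)], [pk1, pk2]) is None)
    good = [sign(x1, b"msg one"), sign(x1, b"msg two")]
    bad = [sign(x1, b"msg one", k=5), sign(x1, b"msg two", k=5)]
    print("reuse with derived nonces:", reused_nonces(good))
    print("reuse with a fixed nonce:", reused_nonces(bad))
```

Running the script shows the aggregate of the two revealed keys equals `(x1 + x2) * G`, that a reveal which does not match its commitment is refused, and that only the signatures made with the hard-coded nonce are flagged. The detector is deliberately cheap: it never needs secret material, only the public `(R, s)` pairs, so it can sit in a log pipeline or a signing-service audit job.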
Is this attack mitigated by checking the destination address?
reply