In the paper: "The Random Oracle Model: a Twenty-Year Retrospective", section 7.3 by Koblitz & Menezes,the authors tried to prove the security of ECDSA+.
But after looking at the entire proof, I didn’t find that they considered the probability that both forgers would choose the same $M$ and $R'$ for the $j$-th time.
In my cognition, after considering the probability of simultaneously selecting $M$ and $R'$, the probability of an attacker successfully breaking the elliptic curve discrete logarithm problem may become negligible.
Does this proof need not consider the probability of $M$ and $R'$? Or am I misunderstanding the proof?
