
In BIP-0340, in the Batch Verification section, (u - 1) randomly chosen coefficients a2, ..., au are used in the batch verification equation, instead of simply setting all of them to the value 1. The reason is given in the following two sources:
https://is.muni.cz/th/oaxta/thesis.pdf :
Page 7
A malicious party could produce an invalid signature, which could complement or cancel out another (possibly invalid) signature, thus making the batch verification succeed even for invalid signatures. However, this equation is not completely safe, because it is possible to construct a signature that will balance out the equation for an invalid signature. So to prevent this from happening, we multiply each individual verification equation by its own random number (which we call a).
However, how could such a balancing out be achieved? Consider the case of u = 2 and set a2 = 1 in BIP-0340, and suppose that (pk1, m1, sig1) is an INVALID signature (so that s1*G != R1 + e1*P1) and that we seek some signature (pk2, m2, sig2) (valid or invalid) that we can supply so that the following batch equation balances:
(s1 + s2)*G = R1 + R2 + e1*P1 + e2*P2
My first thought was to choose any signature (pk2, m2, sig2) which has R2 equal to the following:
R2 = (s1 + s2)*G - R1 - e1*P1 - e2*P2
which would then make the above equation balance. But this would not work, because e2 has a hash dependency on R2: e2 equals a hash of data which includes the x-coordinate r2 of R2.
So how can a suitable signature (pk2, m2, sig2) be found, and how would setting a2 != 1 prevent that from working?