I'm not an expert in this area, but if z isn't derived from the message, then the same signature can be applied to any message (assuming that you don't verify the hash).


Read this: If someone wanted to pretend to be Satoshi by posting a fake signature to defraud people how could they?