Should the proof of soundness (Schnorr) in page 12 use fixed C_0 (as well as the corresponding x_0) to extract (x_1, x_2, ..., x_m) by running m+1 times?
I think C_0 should be fixed to get the Vandermonde matrix, which should be as follows:
(C_0, e_1, (z_1, s_1))
(C_0, e_2, (z_2, s_2))
...
(C_0, e_m, (z_m, s_m))
Otherwise we cannot get the Vandermonde matrix since x_0 changes every time.
Anyway, thanks for your perfect introduction of ZK and bullet proof.
A lot of time has passed since you opened this issue, anyway...
Nope, the Vandermonde matrix is a math entity that exists regardless of whether the prover is rewound (resulting in a constant C_0) or not during the m+1 runs. What could be improved in the text is the run index starting from 0 and not from 1, so the first run transcript should be (C_0,0, e_0, (z_0, s_0)) - see PR #17
The extractor proof doesn't rely on the initial commitment being constant across multiple rounds, which seems a relevant point in the commitments case compared to the Schnorr identity case: it seems to suggest rewinding is not necessary in the commitments case... which I fear could cause problems for ZK, but that's another matter...
OK, I have studied the proof better: I was wrong, it needs a constant C_0, because it uses C_i with i in the [0...m] range.
However, I underline again that it's not because otherwise you cannot define the Vandermonde matrix; in fact it's a consequence of the equalities on page 14.
I'm going to update my PR #17
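The conclusion the thread reaches, that extraction needs the same C_0 in all m+1 transcripts, shown numerically in an added example that is not part of the thread or of the document under discussion. It assumes the response has the form z = sum_i e^i * x_i mod Q with scalar x_i, and it omits the commitments and the s values; `Q`, `respond`, `solve_vandermonde`, `extract` and `demo` are hypothetical names.

```python
# Added illustration; the response form z = sum_i e^i * x_i (mod Q) is an assumption.
import random

Q = 2**61 - 1  # prime modulus standing in for the group order (constructed)

def respond(xs, e):
    """Prover response z = sum_i e^i * x_i mod Q for xs = [x_0, x_1, ..., x_m]."""
    return sum(pow(e, i, Q) * x for i, x in enumerate(xs)) % Q

def solve_vandermonde(es, zs):
    """Solve V x = z mod Q, where V[j][i] = es[j]^i, by Gauss-Jordan elimination."""
    n = len(es)
    rows = [[pow(e, i, Q) for i in range(n)] + [z] for e, z in zip(es, zs)]
    for col in range(n):
        piv = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, Q)
        rows[col] = [v * inv % Q for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % Q for a, b in zip(rows[r], rows[col])]
    return [row[n] for row in rows]

def extract(witness, rewind, rng):
    """Collect m+1 transcripts with distinct challenges and solve for x_1..x_m."""
    m = len(witness)
    es = rng.sample(range(1, 1000), m + 1)  # distinct challenges e_0..e_m
    x0 = rng.randrange(Q)                   # blinding value committed to in C_0
    zs = []
    for e in es:
        if not rewind:
            x0 = rng.randrange(Q)  # no rewinding: fresh x_0, so a different C_0 per run
        zs.append(respond([x0] + witness, e))
    return solve_vandermonde(es, zs)[1:]    # drop the x_0 slot

def demo():
    rng = random.Random(7)
    witness = [11, 22, 33]                  # constructed sample witness
    return extract(witness, True, rng), extract(witness, False, rng)

if __name__ == "__main__":
    fixed, fresh = demo()
    print("same C_0 in every run :", fixed)
    print("fresh C_0 in every run:", fresh)
```

The matrix is invertible in both cases because the challenges are distinct; only the fixed-x_0 run yields the witness, since a fresh x_0 per run adds an unknown to every equation.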