<philogy "<a_L - 1 - a_R, y^n> = 0"> This equation essential says that aR = aL - 1

Yeah, I just don't understand why the challenge vector y^n isn't enough and you need the additional randomness from z

If aL is really a bit vector, so just 0s and 1s, then aR is 0 when aL is 1 and aR is -1 when aL is zero

<philogy "Yeah, I just don't understand wh"> It might help to think of it as an interactive protocol, where you are trying to convince me of an equality

You want to convince me that X + Y + Z = 0

If I leave you to compute it and tell me the answer you could cheat

You could make X and Y cancel out with Z or you could trivially tell me that it’s zero

So what I can do is the following:

You send me a hiddenX and I send you C1

You then send me hiddenY and I send you C2

And then lastly you send me hiddenZ and I send back C3

I understand the general idea about why you need challenges in order to prevent "forgeries" but my question is why doesn't y^n suffice in the first step, why do you need the additional challenge z?

However you could as mentioned above, manipúlate Y and Z so that X + Y + Z = 0

But X, Y or Z are not 0

What I do is I use the challenges we generated before and instead ask you to prove that:

X * C1 + Y * C2 + Z * C3 = 0

If X, Y and Z were zero, then multiplying it by this random challenge will not affect the outcome

But we must use the random challenge, as a bad actor could manipulate the equations when they are being combined

If you want to know when to use a challenge, it would generally be whenever you say that word “AND” . It’s about generalisation, but works most of the time

So we want to prove that v can be decomposed into aL AND that aL only consists of bits

Not sure if that helps

It’s quite late where I am, I can stay around for another minute or so before I hit the sack

For the other equations, if you do a small example, I think it might become clearer

yeah thx for the help, it's late here too. gn

night waves