w3f / fflonk

Apache License 2.0

Fiat-Shamir is badly broken #19

Open swasilyev opened 2 years ago

swasilyev commented 2 years ago

...even in this particular case. I forgot to seed the transcript with public data. In the private aggregation (halo-inf/shplonk#2) scheme.

swasilyev commented 2 years ago

I see 2 problems here:

  1. For a prover it's enough to know the polynomials and the xs, but the verifier knows only the alleged claims: commitments, xs and ys. I guess the solution here is to assume the prover possesses the commitments also. Then the verifying key, commitments and xs look solid.
  2. If it is used as a subprotocol, like for opening a Plonk proof, all these things will already be in the transcript. Is it always the case? Guess so, so there are 2 cases only: a standalone run and a run inside some outer protocol, which takes care of the transcript.
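The binding problem discussed in this thread, as an added illustration that is not code from the fflonk or shplonk repositories: a toy hash-chain transcript squeezes a challenge either before absorbing anything public (the bug) or after absorbing the verifying key, commitments, xs and ys (absorbing ys as well as the verifying key, commitments and xs listed above is an assumption here). Labels, the `Transcript` class and the byte-string claims are constructed placeholders, not real curve points or field elements.

```python
import hashlib


class Transcript:
    """Minimal Fiat-Shamir transcript: absorb public data, then squeeze challenges."""

    def __init__(self, protocol_label: bytes) -> None:
        self.state = hashlib.sha256(protocol_label).digest()

    def absorb(self, label: bytes, data: bytes) -> None:
        # Length-prefix the data so (label, data) pairs cannot be re-split.
        self.state = hashlib.sha256(
            self.state + label + len(data).to_bytes(4, "big") + data
        ).digest()

    def challenge(self, label: bytes) -> int:
        self.absorb(b"challenge", label)
        return int.from_bytes(self.state, "big")


def unseeded_challenge(vk: bytes, commitments, xs, ys) -> int:
    """The bug from the issue: the challenge is squeezed before any public data
    is absorbed, so it is the same for every claim and binds nothing."""
    t = Transcript(b"shplonk-open")
    return t.challenge(b"gamma")


def seeded_challenge(vk: bytes, commitments, xs, ys) -> int:
    """Seed the transcript with the whole public claim before squeezing."""
    t = Transcript(b"shplonk-open")
    t.absorb(b"vk", vk)
    for c in commitments:
        t.absorb(b"commitment", c)
    for x in xs:
        t.absorb(b"x", x)
    for y in ys:
        t.absorb(b"y", y)
    return t.challenge(b"gamma")


# Constructed sample claims (placeholder bytes, not real group or field elements).
VK = b"vk-bytes"
CLAIM_A = ([b"C1", b"C2"], [b"x1", b"x2"], [b"y1", b"y2"])
CLAIM_B = ([b"C1", b"C2"], [b"x1", b"x2"], [b"y1", b"other-y2"])  # one y differs


def challenges_bind_claim() -> bool:
    """True iff seeded challenges separate the two claims while unseeded ones do not."""
    same_unseeded = unseeded_challenge(VK, *CLAIM_A) == unseeded_challenge(VK, *CLAIM_B)
    differ_seeded = seeded_challenge(VK, *CLAIM_A) != seeded_challenge(VK, *CLAIM_B)
    return same_unseeded and differ_seeded
```

In the standalone case the seeding must happen in this protocol; in the subprotocol case the outer transcript already holds these values, so the opening step just continues from that state.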