What's the purpose of having the nonce commitment, R, in the challenge of of a Schnorr signature?
The only reason I can come up with is malleability. if R isn't part of the challenge and (R,s) is valid for a message m and key P, then (R+xG,s+x) is also valid for m and P.
Are there other issues than this?
I find it helps to start from the Schnorr identity protocol itself. There, the challenge e is sent by the verifier to the prover, *after* he has made the commitment R.
Then providing an s which satisfies sG = R + eP proves that you know an x such that s = r + ep.
(That this is a proof can be deduced using the concept of an 'extractor' from ZKPs).
However if the prover invents his own e, clearly this is useless: (1/n)
say he knows P but not the private key p. Then he can choose s and e at random, and "choose" R as sG -eP and claim that (R, s) "proves he knows p" when it obviously doesn't.
The idea of the Fiat Shamir transform is something like this: given an interactive proving protocol, you can essentially "make the challenge step be a non-backdatable transcript of the commit step", such that there is no longer a need for interactivity. ... (2/n)
@kalle
You go: commit step(s), (challenge=hash(commit step(s))), response all in one without involving the verifier.
Because the hash is one-way, nobody can calculate a challenge e without knowing what the choice of R (the commit) is first, so they cannot re-calculate it as sG -eP (in this specific schnorr case, but it generalises). (3/3)