In the Schnorr identity protocol, we can transform the interactive ZKP into a non-interactive by replacing the role of the verifier (that is, by providing a random challenge value) with a hash function using the encrypted nuncio of the input prover.
s = r + e * x or: e = H (r * G)
Validation works by ensuring:
SG == R + e * P or: R = r * G
Suppose that in this non-interactive model, the prover chooses a
r value in advance, and short
R through the hash function to determine its correspondence
e digest. Suppose the prover is malicious and tries to get the verifier to accept a Schnorr signature without knowing the private key
X. If the prover denies this
e value when building the signature, while selecting an arbitrary value
s value, they could go back
sG = rG-eP. As the prover knows R, e and P, it seems that they could convince an auditor that the signature is valid, without needing to know the private key. What prevents that from happening?