cloudflare / zkp-ecdsa

Proves knowledge of an ECDSA-P256 signature under one of many public keys that are stored in a list.

Home Page: https://research.cloudflare.com/publications/Faz-Hernandez2021/


On the implementation of `proveExp()`

manel1874 opened this issue · comments

Hi,

It seems to me that there is a mismatch between the implementation of the function proveExp() in exp/exp.ts and the corresponding protocol from the ZKAttest paper (Proof of Scalar Multiplication, Section 5).

The difference is that in `proveExp()` the challenge variable `challenge` is the same for all instances, while in the protocol from the paper the challenge string c = (c0, c1) is different for every instance.

I do not yet know what security issues it might raise (I have to read the protocol more carefully), but practically it means that inside the for loop (line 168, exp.ts) we will constantly evaluate the same branch for all i < secparam.

Suggestion: create a challenge for each instance i:

    ...
    // Compute challenge c = H (Cx, Cy, A, Tx, Ty)
    const challenges = new Array<bigint>(secparam)
    for (let i = 0; i < secparam; i++) {
        challenges[i as number] = await hashPoints('SHA-256', [Px.p, Py.p, A[i as number], Tx[i as number].p, Ty[i as number].p])
    }
    const allProofs = new Array<ExpProof>(secparam)
    let proof: ExpProof
    for (let i = 0; i < secparam; i++) {
        if (isOdd(challenges[i as number])) {
            ...

If this sounds right to you I can make a pull request with this change.

I guess this line from exp/exp.ts is the answer:

    challenge >>= BigInt(1)    // exp/exp.ts, line 226

Indeed the challenge is changed. Thanks!
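The bit-per-instance mechanism the thread settles on, as an added illustration that is not code from the zkp-ecdsa repository: one Fiat-Shamir hash is computed over the transcript, and the right shift between iterations makes bit i of that hash the challenge for instance i, so the `isOdd` branch varies across instances. The `hashToBigint` helper and the string inputs are constructed stand-ins for the library's `hashPoints()` over the points Cx, Cy, A, Tx, Ty; only the bit extraction is the point here.

```typescript
import { createHash } from "crypto";

// Constructed stand-in for hashPoints(): SHA-256 over the serialized inputs,
// returned as a bigint. The real library hashes curve points; the encoding
// here is an assumption and does not matter for the bit extraction below.
function hashToBigint(inputs: string[]): bigint {
  const h = createHash("sha256");
  for (const x of inputs) h.update(x);
  return BigInt("0x" + h.digest("hex"));
}

function isOdd(x: bigint): boolean {
  return (x & BigInt(1)) === BigInt(1);
}

// Per-instance challenge bit c_i from a single hash: the low bit selects the
// branch for instance i, then the challenge is shifted right by one, exactly
// what the `challenge >>= BigInt(1)` step in exp.ts does between iterations.
function challengeBits(challenge: bigint, secparam: number): boolean[] {
  const bits: boolean[] = [];
  for (let i = 0; i < secparam; i++) {
    bits.push(isOdd(challenge));
    challenge >>= BigInt(1);
  }
  return bits;
}

// The behaviour the issue worried about: an unshifted challenge evaluated at
// every iteration, so every instance takes the same branch.
function unshiftedBits(challenge: bigint, secparam: number): boolean[] {
  return Array.from({ length: secparam }, () => isOdd(challenge));
}

// Constructed transcript; the real inputs are the commitments and points.
function demo(secparam = 128) {
  const challenge = hashToBigint(["Cx", "Cy", "A", "Tx", "Ty"]);
  const shifted = challengeBits(challenge, secparam);
  const unshifted = unshiftedBits(challenge, secparam);
  return {
    challenge,
    shifted,
    unshifted,
    shiftedDistinct: new Set(shifted).size,     // 2: both branches occur
    unshiftedDistinct: new Set(unshifted).size, // 1: one branch for all i
  };
}
```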