fix(schnorr): support nonlinear relations in simulate_commitment and add related test

- Fixed the `SchnorrProof::simulate_commitment` method to correctly handle nonlinear
  relations during simulation, ensuring compliance with the protocol’s expected behavior.
- Added a dedicated test (`translated_discrete_logarithm`) to validate simulation and
  verification in the presence of nonlinear constraints.

These changes improve protocol correctness and strengthen test coverage for complex use cases.

Author: nougzarm

src/schnorr_protocol.rs

@@ -324,13 +324,16 @@ where
             return Err(Error::InvalidInstanceWitnessPair);
         }
 
+        let zero_vec = vec![<<G as Group>::Scalar as Field>::ZERO; self.0.linear_map.num_scalars];
+        let zero_image = self.0.linear_map.evaluate(&zero_vec)?;
         let response_image = self.0.linear_map.evaluate(response)?;
         let image = self.0.image()?;
 
         let commitment = response_image
             .iter()
             .zip(&image)
-            .map(|(res, img)| *res - *img * challenge)
+            .zip(&zero_image)
+            .map(|((res, img), z_img)| *res - (*img - *z_img) * challenge)
             .collect::<Vec<_>>();
         Ok(commitment)
     }

src/tests/relations.rs

@@ -5,7 +5,7 @@ use rand::rngs::OsRng;
 use crate::fiat_shamir::NISigmaProtocol;
 use crate::tests::test_utils::{
     bbs_blind_commitment_computation, discrete_logarithm, dleq, pedersen_commitment,
-    pedersen_commitment_dleq,
+    pedersen_commitment_dleq, translated_discrete_logarithm,
 };
 use crate::{codec::ShakeCodec, schnorr_protocol::SchnorrProof};
 
@@ -17,6 +17,12 @@ fn test_discrete_logarithm() {
     discrete_logarithm::<G>(Scalar::random(&mut rng));
 }
 
+#[test]
+fn test_translated_discrete_logarithm() {
+    let mut rng = OsRng;
+    translated_discrete_logarithm::<G>(Scalar::random(&mut rng));
+}
+
 #[test]
 fn test_dleq() {
     let mut rng = OsRng;
@@ -97,6 +103,33 @@ fn noninteractive_discrete_logarithm() {
     );
 }
 
+#[test]
+fn noninteractive_translated_discrete_logarithm() {
+    let mut rng = OsRng;
+    let (relation, witness) = translated_discrete_logarithm(Scalar::random(&mut rng));
+
+    // The SigmaProtocol induced by relation
+    let protocol = SchnorrProof::from(relation);
+    // Fiat-Shamir wrapper
+    let domain_sep = b"test-fiat-shamir-schnorr";
+    let nizk = NISigmaProtocol::<SchnorrProof<G>, ShakeCodec<G>>::new(domain_sep, protocol);
+
+    // Batchable and compact proofs
+    let proof_batchable_bytes = nizk.prove_batchable(&witness, &mut rng).unwrap();
+    let proof_compact_bytes = nizk.prove_compact(&witness, &mut rng).unwrap();
+    // Verify proofs
+    let verified_batchable = nizk.verify_batchable(&proof_batchable_bytes).is_ok();
+    let verified_compact = nizk.verify_compact(&proof_compact_bytes).is_ok();
+    assert!(
+        verified_batchable,
+        "Fiat-Shamir Schnorr proof verification failed"
+    );
+    assert!(
+        verified_compact,
+        "Fiat-Shamir Schnorr proof verification failed"
+    );
+}
+
 #[test]
 fn noninteractive_dleq() {
     let mut rng = OsRng;

src/tests/test_utils.rs

@@ -1,5 +1,6 @@
 //! Definitions used in tests for this crate.
 
+use ff::Field;
 use group::{Group, GroupEncoding};
 
 use crate::linear_relation::{msm_pr, LinearRelation};
@@ -25,6 +26,27 @@ pub fn discrete_logarithm<G: Group + GroupEncoding>(
     (relation, vec![x])
 }
 
+/// LinearMap for knowledge of a translated discrete logarithm relative to a fixed basepoint.
+#[allow(non_snake_case)]
+pub fn translated_discrete_logarithm<G: Group + GroupEncoding>(
+    x: G::Scalar,
+) -> (LinearRelation<G>, Vec<G::Scalar>) {
+    let mut relation: LinearRelation<G> = LinearRelation::new();
+
+    let var_x = relation.allocate_scalar();
+    let var_G = relation.allocate_element();
+
+    let var_X = relation.allocate_eq((var_x + <<G as Group>::Scalar as Field>::ONE) * var_G);
+
+    relation.set_element(var_G, G::generator());
+    relation.compute_image(&[x]).unwrap();
+
+    let X = relation.linear_map.group_elements.get(var_X).unwrap();
+
+    assert!(vec![X] == relation.linear_map.evaluate(&[x]).unwrap());
+    (relation, vec![x])
+}
+
 /// LinearMap for knowledge of a discrete logarithm equality between two pairs.
 #[allow(non_snake_case)]
 pub fn dleq<G: Group + GroupEncoding>(H: G, x: G::Scalar) -> (LinearRelation<G>, Vec<G::Scalar>) {