Transaction malleability needs to be prevented

[AntoineRondelet]

See Section 4.15.1 of https://github.com/zcash/zips/blob/master/protocol/protocol.pdf
(or Section 4.10 of the same document).

It should also be feasible to extend the statement with a PoK for the statement I know (m, r) s.t for each c_i (the ciphertexts), c_i = E(m, r). This should enable to "attach/bind" the ciphertexts to the rest of the statement, and force the Adversary willing to modify the ciphertexts of a tx, to generate a new proof. However, I guess that representing E as a multiplicative sub-circuit, and evaluating it on each plaintext is way too "constraint-expensive"..

[AntoineRondelet]

Closing as the corresponding PR has been merged