Fix: the transcript should not depend on the proving order

[kunxian-xia]

The input transcript to opcode circuits and table circuits should be the same.

This will fix #222 and also resolve the failure in #210.

[naure]

This seems unsound dangerous because each thread starting with the same transcript will get the same or correlated challenges.

→ Make each thread different, e.g. by appending a unique circuit name or ID.

Also, an argument by-ref &mut Transcript is expected to include the history of everything that happened in the function.

→ Change the argument to by-value Transcript, showing that it cannot be used afterwards.

In case you want to support a larger protocol that builds on top of that &mut Transcript, then it must include some result from all threads before returning.

→ Introduce a fork / merge API.

impl Transcript {
    /// Fork this transcript into n different threads.
    pub fn fork(&mut self, n: usize) -> Vec<Self> {
        let mut forks = Vec::with_capacity(n);
        for i in 0..n {
            let mut t = self.clone();
            t.append_field_element(&(i as u64).into());
            forks.push(t);
        }
        forks
    }

    /// Include the history of the forks into the current transcript.
    pub fn merge(&mut self, forks: Vec<Self>) {
        for fork in forks {
            self.append_field_element_ext(&fork.read_field_element_ext());
        }
    }
}

[naure]

→ Alternative in #224 .

[naure]

This does solve the issue though, nice catch.

[kunxian-xia]

Close this as #224 is better.