I am confused about the sigma protocol presented in this paper: One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin. I wonder how to understand each step of this protocol.
In my understanding, $(a,s)$ is a random mask of the prover's witness $(m, r)$, and $c_a$ is a commitment to $(a,s)$. And $(f, z_a)$ is a response to the challenge $x$, which proves the knowledge of $(m, r)$. This is actually similar to the Schnorr protocol.
I also understand that $c_b$ and $z_b$ are used to prove that $m$ is in $\{0,1\}$. And indeed in the verification step we are actually checking $m(1-m)=0$. My question is about the design logic behind the protocol. I mean, why does the prover first commit to $am$, and then have $x-f$? I know that $x-f=x-(mx+a)=x(1-m)+a$, with which we construct a factor $(1-m)$. But why are we using $f$ to construct this factor?
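An added example, not part of the original post: a toy Python run of the protocol as the question describes it, showing that the message inside $c^{x-f} c_b$ reduces to $x\,m(1-m)$ whatever mask $a$ was chosen. The group parameters, the randomness `t` used for $c_b$, and all function names are assumptions made for this example.

```python
import secrets

# Toy Pedersen parameters (constructed, far too small for real use):
# p = 2q + 1 with q prime; g and h are squares mod p, so both have order q.
P, Q = 2039, 1019
G, H = 4, 9

def com(m, r):
    """Pedersen commitment g^m * h^r mod p."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def prove_commit(m):
    """First move: c_a commits to the mask (a, s); c_b commits to a*m under t (assumed name)."""
    a, s, t = (secrets.randbelow(Q) for _ in range(3))
    return (com(a, s), com(a * m, t)), (a, s, t)

def prove_respond(m, r, state, x):
    """Response to challenge x: f = mx + a, z_a = rx + s, z_b = r(x - f) + t."""
    a, s, t = state
    f = (m * x + a) % Q
    return f, (r * x + s) % Q, (r * (x - f) + t) % Q

def verify(c, first, x, resp):
    c_a, c_b = first
    f, z_a, z_b = resp
    # Schnorr-like check: (f, z_a) opens c^x * c_a.
    ok_open = pow(c, x, P) * c_a % P == com(f, z_a)
    # Bit check: c^(x-f) * c_b must open to message 0 with randomness z_b.
    ok_bit = pow(c, (x - f) % Q, P) * c_b % P == com(0, z_b)
    return ok_open and ok_bit

def run(m, r, x=None):
    """One honest-prover run on c = com(m, r); x is random and non-zero unless given."""
    c = com(m, r)
    first, state = prove_commit(m)
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return verify(c, first, x, prove_respond(m, r, state, x))

def leftover_message(m, x):
    """Message inside c^(x-f) * c_b: m(x - f) + a*m = x*m*(1 - m), for any mask a."""
    a = secrets.randbelow(Q)
    f = (m * x + a) % Q
    return (m * (x - f) + a * m) % Q
```

The verifier can only form $c^{x-f}$ from values it already holds, and $f$ is the one value it receives that carries $m$, which is why the second factor is built from $x-f$ while $c_b$ cancels the leftover $am$ term.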
