Diffstat (limited to 'nizk/commit/commit.go')
-rw-r--r--nizk/commit/commit.go62
1 files changed, 38 insertions, 24 deletions
diff --git a/nizk/commit/commit.go b/nizk/commit/commit.go
index 085d9a2..c2a6848 100644
--- a/nizk/commit/commit.go
+++ b/nizk/commit/commit.go
@@ -2,6 +2,7 @@ package commit
import (
. "kesim.org/seal/nizk"
+ "kesim.org/seal/nizk/schnorr"
)
// This is a construction of a proof of a statement of the form
@@ -18,9 +19,10 @@ type Statement struct {
}
type Commitment struct {
- C *Point
- A *Point
- B *Point
+ C *Point
+ A *Point
+ B *Point
+ Proof *Proof
}
func NewStatement(a, b *Scalar, plus bool) *Statement {
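Review bot: The new exported field `Proof` on `Commitment` has no doc comment, and nothing in the hunk says when it is populated; the other three fields are equally undocumented but this one changes the verification contract. I would add `// Proof is attached by Statement.Commit; a Commitment obtained any other way carries a nil Proof and cannot be verified.`, hedged on the second clause since the lower-case `commitment` constructor is outside this hunk. The struct is complete within the hunk.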
@@ -48,16 +50,22 @@ func commitment(a, b *Scalar, plus bool) *Commitment {
}
}
-func (s *Statement) Commit() *Commitment {
+func (s *Statement) Commit(id *Point) *Commitment {
+ s.Commitment.Proof = s.Proof(id)
return s.Commitment
}
type Proof struct {
- Ch [2]*Scalar
- R [2]*Scalar
+ Id *Point
+ A *schnorr.Proof // Proof for knowledge of a in A = G^a
+ B *schnorr.Proof // Proof for knowledge of b in B = G^b
+ C struct { // Proof for knowledge of statement above
+ Ch [2]*Scalar
+ R [2]*Scalar
+ }
}
-func (s *Statement) Proof() *Proof {
+func (s *Statement) Proof(id *Point) *Proof {
var e [2][2]*Point
var r1, r2, w *Scalar
r1 = Curve.RandomScalar()
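Review bot: `Commit` at `s.Commitment.Proof = s.Proof(id)` writes into the `*Commitment` that it then returns, so every call to `Commit` replaces the proof on the same pointer that earlier callers already hold; whether that aliasing is intended is not visible here, and a one-line doc comment should say so, e.g. `// Commit attaches a fresh proof bound to id to the statement's commitment and returns it; repeated calls overwrite the previously attached proof.` The exported `Proof` method likewise gains an `id` parameter without a comment explaining that `id` is folded into the Fiat-Shamir challenge and into the two Schnorr sub-proofs; `// Proof builds the OR-proof for the statement plus Schnorr proofs for a and b, all bound to id.` would cover it. The body of `Proof` continues past the end of this hunk.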
@@ -76,30 +84,36 @@ func (s *Statement) Proof() *Proof {
e[1][1] = s.B.Exp(r2).Mul(s.C.Div(G).Exp(w))
}
- ch := Challenge(G, s.C, s.A, s.B, e[0][0], e[0][1], e[1][0], e[1][1])
- pr := &Proof{}
+ ch := Challenge(G, s.C, s.A, s.B, e[0][0], e[0][1], e[1][0], e[1][1], id)
+ pr := &Proof{Id: id}
if s.plus {
- pr.Ch[0] = w
- pr.Ch[1] = ch.Sub(w)
- pr.R[0] = r1.Sub(s.a.Mul(pr.Ch[0]))
- pr.R[1] = r2.Sub(s.a.Mul(pr.Ch[1]))
+ pr.C.Ch[0] = w
+ pr.C.Ch[1] = ch.Sub(w)
+ pr.C.R[0] = r1.Sub(s.a.Mul(pr.C.Ch[0]))
+ pr.C.R[1] = r2.Sub(s.a.Mul(pr.C.Ch[1]))
} else {
- pr.Ch[0] = ch.Sub(w)
- pr.Ch[1] = w
- pr.R[0] = r1.Sub(s.a.Mul(pr.Ch[0]))
- pr.R[1] = r2
+ pr.C.Ch[0] = ch.Sub(w)
+ pr.C.Ch[1] = w
+ pr.C.R[0] = r1.Sub(s.a.Mul(pr.C.Ch[0]))
+ pr.C.R[1] = r2
}
+ pr.A = (*schnorr.Statement)(s.a).Proof(id)
+ pr.B = (*schnorr.Statement)(s.b).Proof(id)
return pr
}
-func (c *Commitment) Verify(p *Proof) bool {
+func (c *Commitment) Verify() bool {
var e [2][2]*Point
- e[0][0] = G.Exp(p.R[0]).Mul(c.A.Exp(p.Ch[0]))
- e[0][1] = c.B.Exp(p.R[0]).Mul(c.C.Exp(p.Ch[0]))
- e[1][0] = G.Exp(p.R[1]).Mul(c.A.Exp(p.Ch[1]))
- e[1][1] = c.B.Exp(p.R[1]).Mul(c.C.Div(G).Exp(p.Ch[1]))
- ch := Challenge(G, c.C, c.A, c.B, e[0][0], e[0][1], e[1][0], e[1][1])
- return p.Ch[0].Add(p.Ch[1]).Equal(ch)
+ p := c.Proof
+
+ e[0][0] = G.Exp(p.C.R[0]).Mul(c.A.Exp(p.C.Ch[0]))
+ e[0][1] = c.B.Exp(p.C.R[0]).Mul(c.C.Exp(p.C.Ch[0]))
+ e[1][0] = G.Exp(p.C.R[1]).Mul(c.A.Exp(p.C.Ch[1]))
+ e[1][1] = c.B.Exp(p.C.R[1]).Mul(c.C.Div(G).Exp(p.C.Ch[1]))
+ ch := Challenge(G, c.C, c.A, c.B, e[0][0], e[0][1], e[1][0], e[1][1], p.Id)
+ return p.C.Ch[0].Add(p.C.Ch[1]).Equal(ch) &&
+ (*schnorr.Commitment)(c.A).Verify(p.A, p.Id) &&
+ (*schnorr.Commitment)(c.B).Verify(p.B, p.Id)
}
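Review bot: `Verify` takes the identity it binds to from the proof itself (`p.Id` at the `Challenge` call and in both `schnorr` checks), so a prover chooses the `id` the verifier accepts; the verifier has no way to state which identity it expected, which defeats the binding the commit introduces unless every caller compares `c.Proof.Id` against its own expected point before calling `Verify`. Either accept the expected identity as a parameter and compare it with `p.Id` using the nizk package's point comparison, or document at the top of `Verify` that the caller must do that comparison. Separately, `p := c.Proof` is dereferenced without a check, so a `Commitment` that never went through `Commit` panics instead of failing; `if p == nil || p.Id == nil || p.A == nil || p.B == nil { return false }` before the first use would make verification fail closed (whether `schnorr.Commitment.Verify` tolerates a nil proof is not visible here).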