Diffstat (limited to 'nizk/stage1.go')
-rw-r--r-- | nizk/stage1.go | 41 |
1 files changed, 19 insertions, 22 deletions
diff --git a/nizk/stage1.go b/nizk/stage1.go
index 228970b..21d63c6 100644
--- a/nizk/stage1.go
+++ b/nizk/stage1.go
@@ -4,7 +4,6 @@ import . "kesim.org/seal/common"
 type Stage struct {
 x *Scalar
- y *Scalar
 r *Scalar
 com *StageCommitment
@@ -32,44 +31,42 @@ type Stage1Proof struct {
 Rho [2][2]*Scalar
 }
-func (b *Bit) stage(x, y, r *Scalar) *Stage {
+func (b *Bit) stage(x, r *Scalar) *Stage {
+ b.Commit() // ensure non-null values for A, B, C
 return &Stage{
- x: x,
- y: y,
- r: r,
-
+ x: x,
+ r: r,
 bit: b,
 }
 }
-func (b *Bit) CommitStage1() (c *Stage, s *StageCommitment, p *Stage1Proof) {
- var x [3]*Scalar
- for i := range x {
- x[i] = Curve.RandomScalar()
- }
- return b.CommitStage1FromScalars(x[0], x[1], x[2])
+func (b *Bit) CommitStage1(Xs ...*Point) (c *Stage, s *StageCommitment, p *Stage1Proof) {
+ x := Curve.RandomScalar()
+ r := Curve.RandomScalar()
+ return b.CommitStage1FromScalars(x, r, Xs...)
 }
-func (b *Bit) CommitStage1FromScalars(x, y, r *Scalar) (s *Stage, c *StageCommitment, p *Stage1Proof) {
- s = b.stage(x, y, r)
- return s, s.commit1(), s.proof1()
+func (b *Bit) CommitStage1FromScalars(x, r *Scalar, Xs ...*Point) (s *Stage, c *StageCommitment, p *Stage1Proof) {
+ s = b.stage(x, r)
+ return s, s.commit(false, Xs...), s.proof1()
 }
-func (s *Stage) commit1() *StageCommitment {
+func (s *Stage) commit(lost bool, Xs ...*Point) *StageCommitment {
 if s.com != nil {
 return s.com
 }
- var Z *Point
- if s.bit.IsSet() {
+ var Y, Z *Point
+ Y = G // TODO! BUG! THIS HAS TO BE Pj<i(X_j)/Pj>i(X_j)
+ if !lost && s.bit.IsSet() {
 Z = G.Exp(s.x.Mul(s.r))
 } else {
- Z = G.Exp(s.x.Mul(s.y))
+ Z = Y.Exp(s.x)
 }
 s.com = &StageCommitment{
 Z: Z,
 X: G.Exp(s.x),
- Y: G.Exp(s.y),
+ Y: Y,
 R: G.Exp(s.r),
 }
 return s.com
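Review bot: `commit` takes the new `Xs ...*Point` argument but never reads it, and `Y = G // TODO! BUG! ...` pins the second commitment point to the generator, so the `else` branch computes `Z = G.Exp(s.x)`, the same value as the `X` field, and the resulting commitment presumably no longer binds this stage to the other parties' points while still looking well-formed to a verifier. Until the product over `Xs` is implemented, the placeholder should fail loudly rather than return a meaningless commitment, for example `if len(Xs) == 0 { panic("nizk: Stage.commit: Xs required to derive Y") }` before `Y` is assigned, or an error return if the package prefers that (the closing lines of `commit` are outside the visible hunk). The early `if s.com != nil { return s.com }` also means `lost` and `Xs` are only honoured on the first call, and `proof1` in the last hunk calls `s.commit(false)` with no points, so whichever call runs first fixes the commitment; a comment on the cache such as `// cached: lost and Xs take effect only on the first call` would make that explicit. Finally, the result names of `CommitStage1` (`c *Stage, s *StageCommitment`) and `CommitStage1FromScalars` (`s *Stage, c *StageCommitment`) are swapped relative to each other and are worth aligning.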
@@ -81,8 +78,8 @@ func (s *Stage) proof1() *Stage1Proof {
 for _, s := range []**Scalar{&r1, &r2, &ρ1, &ρ2, &ω} {
 *s = Curve.RandomScalar()
 }
- c := s.commit1()
- bc, _ := s.bit.Commit()
+ c := s.commit(false)
+ bc := s.bit.com
 if s.bit.IsSet() {
 ε[0][0] = G.Exp(r1).Mul(c.X.Exp(ω)) |