Diffstat (limited to 'nizk/stage2.go')
-rw-r--r--nizk/stage2.go207
1 files changed, 103 insertions, 104 deletions
diff --git a/nizk/stage2.go b/nizk/stage2.go
index 14eb1d3..37cd8c1 100644
--- a/nizk/stage2.go
+++ b/nizk/stage2.go
@@ -19,164 +19,163 @@ type Stage2Proof struct {
R3 [2]*Scalar
}
-func (s *Stage) RevealStage2(prev_true bool, prev *Stage, Xs ...*Point) (rev *StageReveal, pr *Stage2Proof, e error) {
+func (s *Stage) RevealStage2(prev_true bool, prev *Stage, Xs ...*Point) (rv2 *StageReveal, pr *Stage2Proof, e error) {
var (
- e1, e1_ [3]Bytes
- e2, e2_ [3]Bytes
- e3, e3_ [2]Bytes
+ ε1, ε1_ [3]Bytes
+ ε2, ε2_ [3]Bytes
+ ε3, ε3_ [2]Bytes
- r1, r2 [3]*Scalar
- r3 [2]*Scalar
- w [2]*Scalar
+ ρ1, ρ2 [3]*Scalar
+ ρ3 [2]*Scalar
+ ω [2]*Scalar
)
- for _, scs := range [][]*Scalar{r1[:], r2[:], r3[:], w[:]} {
- for i := range scs {
- scs[i] = Curve.RandomScalar()
+ for _, s := range [][]*Scalar{ρ1[:], ρ2[:], ρ3[:], ω[:]} {
+ for i := range s {
+ s[i] = Curve.RandomScalar()
}
}
- c := s.com
bc := s.bit.com
- pc := prev.com
- rvp := prev.rev
-
- rev, e = s.reveal(prev_true, Xs...)
+ c1 := prev.com
+ c2 := s.com
+ rv1 := prev.rev
+ rv2, e = s.reveal(prev_true, Xs...)
if e != nil {
return nil, nil, e
}
if !prev_true {
- e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0]))
- e1[1] = G.Exp(r1[1]).Mul(pc.X.Exp(w[0]))
- e1[2] = G.Exp(r1[2]).Mul(bc.A.Exp(w[0]))
+ ε1[0] = G.Exp(ρ1[0]).Mul(c2.X.Exp(ω[0]))
+ ε1[1] = G.Exp(ρ1[1]).Mul(c1.X.Exp(ω[0]))
+ ε1[2] = G.Exp(ρ1[2]).Mul(bc.A.Exp(ω[0]))
- e1_[0] = c.R.Exp(r1[0]).Mul(rev.Z.Exp(w[0]))
- e1_[1] = pc.R.Exp(r1[1]).Mul(rvp.Z.Exp(w[0]))
- e1_[2] = bc.B.Exp(r1[2]).Mul(bc.C.Div(G).Exp(w[0]))
+ ε1_[0] = c2.R.Exp(ρ1[0]).Mul(rv2.Z.Exp(ω[0]))
+ ε1_[1] = c1.R.Exp(ρ1[1]).Mul(rv1.Z.Exp(ω[0]))
+ ε1_[2] = bc.B.Exp(ρ1[2]).Mul(bc.C.Div(G).Exp(ω[0]))
- e2[0] = G.Exp(r2[0]).Mul(c.X.Exp(w[1]))
- e2[1] = G.Exp(r2[1]).Mul(pc.X.Exp(w[1]))
- e2[2] = G.Exp(r2[2]).Mul(bc.A.Exp(w[1]))
+ ε2[0] = G.Exp(ρ2[0]).Mul(c2.X.Exp(ω[1]))
+ ε2[1] = G.Exp(ρ2[1]).Mul(c1.X.Exp(ω[1]))
+ ε2[2] = G.Exp(ρ2[2]).Mul(bc.A.Exp(ω[1]))
- e2_[0] = rev.Y.Exp(r2[0]).Mul(rev.Z.Exp(w[1]))
- e2_[1] = pc.R.Exp(r2[1]).Mul(rvp.Z.Exp(w[1]))
- e2_[2] = bc.B.Exp(r2[2]).Mul(bc.C.Exp(w[1]))
+ ε2_[0] = rv2.Y.Exp(ρ2[0]).Mul(rv2.Z.Exp(ω[1]))
+ ε2_[1] = c1.R.Exp(ρ2[1]).Mul(rv1.Z.Exp(ω[1]))
+ ε2_[2] = bc.B.Exp(ρ2[2]).Mul(bc.C.Exp(ω[1]))
- e3[0] = G.Exp(r3[0])
- e3[1] = G.Exp(r3[1])
+ ε3[0] = G.Exp(ρ3[0])
+ ε3[1] = G.Exp(ρ3[1])
- e3_[0] = rev.Y.Exp(r3[0])
- e3_[1] = rvp.Y.Exp(r3[1])
+ ε3_[0] = rv2.Y.Exp(ρ3[0])
+ ε3_[1] = rv1.Y.Exp(ρ3[1])
} else {
if s.bit.IsSet() {
- e1[0] = G.Exp(r1[0])
- e1[1] = G.Exp(r1[1])
- e1[2] = G.Exp(r1[2])
+ ε1[0] = G.Exp(ρ1[0])
+ ε1[1] = G.Exp(ρ1[1])
+ ε1[2] = G.Exp(ρ1[2])
- e1_[0] = c.R.Exp(r1[0])
- e1_[1] = pc.R.Exp(r1[1])
- e1_[2] = bc.B.Exp(r1[2])
+ ε1_[0] = c2.R.Exp(ρ1[0])
+ ε1_[1] = c1.R.Exp(ρ1[1])
+ ε1_[2] = bc.B.Exp(ρ1[2])
- e2[0] = G.Exp(r2[0]).Mul(c.X.Exp(w[0]))
- e2[1] = G.Exp(r2[1]).Mul(pc.X.Exp(w[0]))
- e2[2] = G.Exp(r2[2]).Mul(bc.A.Exp(w[0]))
+ ε2[0] = G.Exp(ρ2[0]).Mul(c2.X.Exp(ω[0]))
+ ε2[1] = G.Exp(ρ2[1]).Mul(c1.X.Exp(ω[0]))
+ ε2[2] = G.Exp(ρ2[2]).Mul(bc.A.Exp(ω[0]))
- e2_[0] = rev.Y.Exp(r2[0]).Mul(rev.Z.Exp(w[0]))
- e2_[1] = pc.R.Exp(r2[1]).Mul(rvp.Z.Exp(w[0]))
- e2_[2] = bc.B.Exp(r2[2]).Mul(bc.C.Exp(w[0]))
+ ε2_[0] = rv2.Y.Exp(ρ2[0]).Mul(rv2.Z.Exp(ω[0]))
+ ε2_[1] = c1.R.Exp(ρ2[1]).Mul(rv1.Z.Exp(ω[0]))
+ ε2_[2] = bc.B.Exp(ρ2[2]).Mul(bc.C.Exp(ω[0]))
- e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1]))
- e3[1] = G.Exp(r3[1]).Mul(pc.X.Exp(w[1]))
+ ε3[0] = G.Exp(ρ3[0]).Mul(c2.X.Exp(ω[1]))
+ ε3[1] = G.Exp(ρ3[1]).Mul(c1.X.Exp(ω[1]))
- e3_[0] = rev.Y.Exp(r3[0]).Mul(rev.Z.Exp(w[1]))
- e3_[1] = rvp.Y.Exp(r3[1]).Mul(rvp.Z.Exp(w[1]))
+ ε3_[0] = rv2.Y.Exp(ρ3[0]).Mul(rv2.Z.Exp(ω[1]))
+ ε3_[1] = rv1.Y.Exp(ρ3[1]).Mul(rv1.Z.Exp(ω[1]))
} else {
- e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0]))
- e1[1] = G.Exp(r1[1]).Mul(pc.X.Exp(w[0]))
- e1[2] = G.Exp(r1[2]).Mul(bc.A.Exp(w[0]))
+ ε1[0] = G.Exp(ρ1[0]).Mul(c2.X.Exp(ω[0]))
+ ε1[1] = G.Exp(ρ1[1]).Mul(c1.X.Exp(ω[0]))
+ ε1[2] = G.Exp(ρ1[2]).Mul(bc.A.Exp(ω[0]))
- e1_[0] = c.R.Exp(r1[0]).Mul(rev.Z.Exp(w[0]))
- e1_[1] = pc.R.Exp(r1[1]).Mul(rvp.Z.Exp(w[0]))
- e1_[2] = bc.B.Exp(r1[2]).Mul(bc.C.Div(G).Exp(w[0]))
+ ε1_[0] = c2.R.Exp(ρ1[0]).Mul(rv2.Z.Exp(ω[0]))
+ ε1_[1] = c1.R.Exp(ρ1[1]).Mul(rv1.Z.Exp(ω[0]))
+ ε1_[2] = bc.B.Exp(ρ1[2]).Mul(bc.C.Div(G).Exp(ω[0]))
- e2[0] = G.Exp(r2[0])
- e2[1] = G.Exp(r2[1])
- e2[2] = G.Exp(r2[2])
+ ε2[0] = G.Exp(ρ2[0])
+ ε2[1] = G.Exp(ρ2[1])
+ ε2[2] = G.Exp(ρ2[2])
- e2_[0] = rev.Y.Exp(r2[0])
- e2_[1] = pc.R.Exp(r2[1])
- e2_[2] = bc.B.Exp(r2[2])
+ ε2_[0] = rv2.Y.Exp(ρ2[0])
+ ε2_[1] = c1.R.Exp(ρ2[1])
+ ε2_[2] = bc.B.Exp(ρ2[2])
- e3[0] = G.Exp(r3[0]).Mul(c.X.Exp(w[1]))
- e3[1] = G.Exp(r3[1]).Mul(pc.X.Exp(w[1]))
+ ε3[0] = G.Exp(ρ3[0]).Mul(c2.X.Exp(ω[1]))
+ ε3[1] = G.Exp(ρ3[1]).Mul(c1.X.Exp(ω[1]))
- e3_[0] = rev.Y.Exp(r3[0]).Mul(rev.Z.Exp(w[1]))
- e3_[1] = rvp.Y.Exp(r3[1]).Mul(rvp.Z.Exp(w[1]))
+ ε3_[0] = rv2.Y.Exp(ρ3[0]).Mul(rv2.Z.Exp(ω[1]))
+ ε3_[1] = rv1.Y.Exp(ρ3[1]).Mul(rv1.Z.Exp(ω[1]))
}
}
- points := []Bytes{G, bc.A, bc.B, bc.C, c.R, c.X, rev.Y, rev.Z, pc.R, pc.X, rvp.Y, rvp.Z}
- points = append(points, e1[:]...)
- points = append(points, e2[:]...)
- points = append(points, e3[:]...)
- points = append(points, e1_[:]...)
- points = append(points, e2_[:]...)
- points = append(points, e3_[:]...)
+ points := []Bytes{G, bc.A, bc.B, bc.C, c2.R, c2.X, rv2.Y, rv2.Z, c1.R, c1.X, rv1.Y, rv1.Z}
+ points = append(points, ε1[:]...)
+ points = append(points, ε2[:]...)
+ points = append(points, ε3[:]...)
+ points = append(points, ε1_[:]...)
+ points = append(points, ε2_[:]...)
+ points = append(points, ε3_[:]...)
ch := Challenge(points...)
pr = &Stage2Proof{}
if !prev_true {
- pr.Ch[0] = w[0]
- pr.Ch[1] = w[1]
- pr.Ch[2] = ch.Sub(w[0]).Sub(w[1])
+ pr.Ch[0] = ω[0]
+ pr.Ch[1] = ω[1]
+ pr.Ch[2] = ch.Sub(ω[0]).Sub(ω[1])
- pr.R1[0] = r1[0]
- pr.R1[1] = r1[1]
- pr.R1[2] = r1[2]
+ pr.R1[0] = ρ1[0]
+ pr.R1[1] = ρ1[1]
+ pr.R1[2] = ρ1[2]
- pr.R2[0] = r2[0]
- pr.R2[1] = r2[1]
- pr.R2[2] = r2[2]
+ pr.R2[0] = ρ2[0]
+ pr.R2[1] = ρ2[1]
+ pr.R2[2] = ρ2[2]
- pr.R3[0] = r3[0].Sub(s.x.Mul(pr.Ch[2]))
- pr.R3[1] = r3[1].Sub(prev.x.Mul(pr.Ch[2]))
+ pr.R3[0] = ρ3[0].Sub(s.x.Mul(pr.Ch[2]))
+ pr.R3[1] = ρ3[1].Sub(prev.x.Mul(pr.Ch[2]))
} else {
if s.bit.IsSet() {
- pr.Ch[0] = ch.Sub(w[0]).Sub(w[1])
- pr.Ch[1] = w[0]
- pr.Ch[2] = w[1]
+ pr.Ch[0] = ch.Sub(ω[0]).Sub(ω[1])
+ pr.Ch[1] = ω[0]
+ pr.Ch[2] = ω[1]
- pr.R1[0] = r1[0].Sub(s.x.Mul(pr.Ch[0]))
- pr.R1[1] = r1[1].Sub(prev.x.Mul(pr.Ch[0]))
- pr.R1[2] = r1[2].Sub(s.bit.α.Mul(pr.Ch[0]))
+ pr.R1[0] = ρ1[0].Sub(s.x.Mul(pr.Ch[0]))
+ pr.R1[1] = ρ1[1].Sub(prev.x.Mul(pr.Ch[0]))
+ pr.R1[2] = ρ1[2].Sub(s.bit.α.Mul(pr.Ch[0]))
- pr.R2[0] = r2[0]
- pr.R2[1] = r2[1]
- pr.R2[2] = r2[2]
+ pr.R2[0] = ρ2[0]
+ pr.R2[1] = ρ2[1]
+ pr.R2[2] = ρ2[2]
- pr.R3[0] = r3[0]
- pr.R3[1] = r3[1]
+ pr.R3[0] = ρ3[0]
+ pr.R3[1] = ρ3[1]
} else {
- pr.Ch[0] = w[0]
- pr.Ch[1] = ch.Sub(w[0]).Sub(w[1])
- pr.Ch[2] = w[1]
+ pr.Ch[0] = ω[0]
+ pr.Ch[1] = ch.Sub(ω[0]).Sub(ω[1])
+ pr.Ch[2] = ω[1]
- pr.R1[0] = r1[0]
- pr.R1[1] = r1[1]
- pr.R1[2] = r1[2]
+ pr.R1[0] = ρ1[0]
+ pr.R1[1] = ρ1[1]
+ pr.R1[2] = ρ1[2]
- pr.R2[0] = r2[0].Sub(s.x.Mul(pr.Ch[1]))
- pr.R2[1] = r2[1].Sub(prev.x.Mul(pr.Ch[1]))
- pr.R2[2] = r2[2].Sub(s.bit.α.Mul(pr.Ch[1]))
+ pr.R2[0] = ρ2[0].Sub(s.x.Mul(pr.Ch[1]))
+ pr.R2[1] = ρ2[1].Sub(prev.x.Mul(pr.Ch[1]))
+ pr.R2[2] = ρ2[2].Sub(s.bit.α.Mul(pr.Ch[1]))
- pr.R3[0] = r3[0]
- pr.R3[1] = r3[1]
+ pr.R3[0] = ρ3[0]
+ pr.R3[1] = ρ3[1]
}
}
- return rev, pr, e
+ return rv2, pr, e
}
func (c *Commitment) VerifyStage2(c1, c2 *StageCommitment, r1, r2 *StageReveal, p *Stage2Proof) bool {
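Review bot: The renamed loop variable in the nonce-sampling loop near the top of RevealStage2 (`for _, s := range [][]*Scalar{ρ1[:], ρ2[:], ρ3[:], ω[:]} {`) shadows the method receiver `s *Stage` for that scope; it is harmless today because the body only indexes the slice, but it invites a confusing failure the next time someone reaches for `s.x` or `s.bit` inside that loop, and shadow analyzers flag it. Prefer a distinct name: `for _, sc := range [][]*Scalar{ρ1[:], ρ2[:], ρ3[:], ω[:]} {` / `for i := range sc {` / `sc[i] = Curve.RandomScalar()`. Separately, `prev.com` and `prev.rev` are dereferenced unconditionally and every branch reads `rv1.Z` or `rv1.Y`, so a caller passing a stage whose reveal has not run yet would presumably hit a nil-pointer panic rather than the error path the signature already offers; an early `if prev == nil || prev.rev == nil` returning an error would keep that failure on `e`. The exported method also still has no doc comment; one sentence stating that it reveals this stage and builds the Stage2Proof across the three branches selected by `prev_true` and `s.bit.IsSet()`, noting that `pr.Ch` is split so the three entries sum to the `Challenge(points...)` value and that ρ1/ρ2/ρ3/ω are one-time nonces drawn fresh from `Curve.RandomScalar` on every call, would let a reader follow the otherwise symmetric blocks.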