Diffstat (limited to 'nizk/stage2.go')
-rw-r--r--nizk/stage2.go62
1 files changed, 21 insertions, 41 deletions
diff --git a/nizk/stage2.go b/nizk/stage2.go
index 8747ebf..f565ad0 100644
--- a/nizk/stage2.go
+++ b/nizk/stage2.go
@@ -4,18 +4,6 @@ import (
. "kesim.org/seal/common"
)
-func (b *Bit) CommitStage2(lost bool, prev *Stage) (s *Stage, c *StageCommitment) {
- x := Curve.RandomScalar()
- r := Curve.RandomScalar()
- return b.CommitStage2FromScalars(lost, prev, x, r)
-}
-
-func (b *Bit) CommitStage2FromScalars(lost bool, prev *Stage, x, r *Scalar) (s *Stage, c *StageCommitment) {
- s = b.stage(x, r)
- c = s.commit(lost)
- return
-}
-
// Represents the proof of a statement of the following form:
//
// ( Z=g^(x*y) && X=g^x && Y=g^y && Z_=g^(x_*y_) && X_=g^x_ && Y_=g^y_ ) // case "none"
@@ -31,7 +19,7 @@ type Stage2Proof struct {
R3 [2]*Scalar
}
-func (s *Stage) proof2(lost bool, prev *Stage) (rev *StageReveal, pr *Stage2Proof, e error) {
+func (s *Stage) RevealStage2(prev_true bool, prev *Stage, Xs ...*Point) (rev *StageReveal, pr *Stage2Proof, e error) {
var (
e1, e1_ [3]Bytes
e2, e2_ [3]Bytes
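Review bot: The renamed method `RevealStage2` is now exported but has no doc comment, and the new parameter `prev_true` uses an underscore rather than Go's MixedCaps; since every branch that used `lost` now tests `!prev_true` (here, at the `if !prev_true {` in the next two hunks), the polarity flip also reads as a double negative at each site. Suggested header: `// RevealStage2 produces this stage's reveal from the previous stage and the supplied Xs, together with the Stage2Proof covering it. prevTrue is false when the previous stage was lost.` A name that keeps the old polarity, e.g. `prevLost`, would let those branches stay `if prevLost {`. The method body continues outside this hunk.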
@@ -48,24 +36,17 @@ func (s *Stage) proof2(lost bool, prev *Stage) (rev *StageReveal, pr *Stage2Proo
}
}
- c := s.commit(lost)
+ c := s.com
bc := prev.bit.com
pc := prev.com
rvp := prev.rev
- // TODO: Calculate Y based on the Xs and our own X_i
- // as Π_(i<k) X_k / Π_(i>k) X_k
- // For now:
- Y := G.Exp(Curve.RandomScalar())
-
- rev = &StageReveal{Y: Y}
- if s.bit.IsSet() {
- rev.Z = c.R.Exp(s.x)
- } else {
- rev.Z = rev.Y.Exp(s.x)
+ rev, e = s.reveal(prev_true, Xs...)
+ if e != nil {
+ return nil, nil, e
}
- if lost {
+ if !prev_true {
e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0]))
e1[1] = G.Exp(r1[1]).Mul(pc.X.Exp(w[0]))
e1[2] = G.Exp(r1[2]).Mul(bc.A.Exp(w[0]))
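Review bot: `c := s.com` replaces the old `c := s.commit(lost)`, so the commitment is now read from a stored field instead of being recomputed; if `s.com` can still be nil at the time `RevealStage2` is called (nothing in this hunk establishes it was set), the first use `e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0]))` dereferences nil and panics rather than returning an error the way the new `s.reveal` failure path does. A nil check on `c` (and arguably on `prev`, whose `bit.com`, `com` and `rev` are read just above) that returns `nil, nil, <error>` before the proof equations begin would keep the failure mode consistent with the `if e != nil { return nil, nil, e }` added here. The enclosing function starts and ends outside this hunk.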
@@ -146,7 +127,7 @@ func (s *Stage) proof2(lost bool, prev *Stage) (rev *StageReveal, pr *Stage2Proo
ch := Challenge(points...)
pr = &Stage2Proof{}
- if lost {
+ if !prev_true {
pr.Ch[0] = w[0]
pr.Ch[1] = w[1]
pr.Ch[2] = ch.Sub(w[0]).Sub(w[1])
@@ -195,39 +176,38 @@ func (s *Stage) proof2(lost bool, prev *Stage) (rev *StageReveal, pr *Stage2Proo
}
}
- s.prf2 = pr
return rev, pr, e
}
-func (c *Commitment) VerifyStage2(pcom, ccom *StageCommitment, prev, crev *StageReveal, p *Stage2Proof) bool {
+func (c *Commitment) VerifyStage2(c1, c2 *StageCommitment, r1, r2 *StageReveal, p *Stage2Proof) bool {
var (
e1, e1_ [3]Bytes
e2, e2_ [3]Bytes
e3, e3_ [2]Bytes
)
- e1[0] = G.Exp(p.R1[0]).Mul(ccom.X.Exp(p.Ch[0]))
- e1[1] = G.Exp(p.R1[1]).Mul(pcom.X.Exp(p.Ch[0]))
+ e1[0] = G.Exp(p.R1[0]).Mul(c2.X.Exp(p.Ch[0]))
+ e1[1] = G.Exp(p.R1[1]).Mul(c1.X.Exp(p.Ch[0]))
e1[2] = G.Exp(p.R1[2]).Mul(c.A.Exp(p.Ch[0]))
- e1_[0] = ccom.R.Exp(p.R1[0]).Mul(crev.Z.Exp(p.Ch[0]))
- e1_[1] = pcom.R.Exp(p.R1[1]).Mul(prev.Z.Exp(p.Ch[0]))
+ e1_[0] = c2.R.Exp(p.R1[0]).Mul(r2.Z.Exp(p.Ch[0]))
+ e1_[1] = c1.R.Exp(p.R1[1]).Mul(r1.Z.Exp(p.Ch[0]))
e1_[2] = c.B.Exp(p.R1[2]).Mul(c.C.Div(G).Exp(p.Ch[0]))
- e2[0] = G.Exp(p.R2[0]).Mul(ccom.X.Exp(p.Ch[1]))
- e2[1] = G.Exp(p.R2[1]).Mul(pcom.X.Exp(p.Ch[1]))
+ e2[0] = G.Exp(p.R2[0]).Mul(c2.X.Exp(p.Ch[1]))
+ e2[1] = G.Exp(p.R2[1]).Mul(c1.X.Exp(p.Ch[1]))
e2[2] = G.Exp(p.R2[2]).Mul(c.A.Exp(p.Ch[1]))
- e2_[0] = crev.Y.Exp(p.R2[0]).Mul(crev.Z.Exp(p.Ch[1]))
- e2_[1] = pcom.R.Exp(p.R2[1]).Mul(prev.Z.Exp(p.Ch[1]))
+ e2_[0] = r2.Y.Exp(p.R2[0]).Mul(r2.Z.Exp(p.Ch[1]))
+ e2_[1] = c1.R.Exp(p.R2[1]).Mul(r1.Z.Exp(p.Ch[1]))
e2_[2] = c.B.Exp(p.R2[2]).Mul(c.C.Exp(p.Ch[1]))
- e3[0] = G.Exp(p.R3[0]).Mul(ccom.X.Exp(p.Ch[2]))
- e3[1] = G.Exp(p.R3[1]).Mul(pcom.X.Exp(p.Ch[2]))
+ e3[0] = G.Exp(p.R3[0]).Mul(c2.X.Exp(p.Ch[2]))
+ e3[1] = G.Exp(p.R3[1]).Mul(c1.X.Exp(p.Ch[2]))
- e3_[0] = crev.Y.Exp(p.R3[0]).Mul(crev.Z.Exp(p.Ch[2]))
- e3_[1] = prev.Y.Exp(p.R3[1]).Mul(prev.Z.Exp(p.Ch[2]))
+ e3_[0] = r2.Y.Exp(p.R3[0]).Mul(r2.Z.Exp(p.Ch[2]))
+ e3_[1] = r1.Y.Exp(p.R3[1]).Mul(r1.Z.Exp(p.Ch[2]))
- points := []Bytes{G, c.A, c.B, c.C, ccom.R, ccom.X, crev.Y, crev.Z, pcom.R, pcom.X, prev.Y, prev.Z}
+ points := []Bytes{G, c.A, c.B, c.C, c2.R, c2.X, r2.Y, r2.Z, c1.R, c1.X, r1.Y, r1.Z}
points = append(points, e1[:]...)
points = append(points, e2[:]...)
points = append(points, e3[:]...)