Diffstat (limited to 'nizk')
-rw-r--r-- | nizk/commit.go | 11 | ||||
-rw-r--r-- | nizk/commit_test.go | 12 | ||||
-rw-r--r-- | nizk/stage1.go | 47 | ||||
-rw-r--r-- | nizk/stage1_test.go | 20 | ||||
-rw-r--r-- | nizk/stage2.go | 20 | ||||
-rw-r--r-- | nizk/stage2_test.go | 40 |
6 files changed, 73 insertions, 77 deletions
diff --git a/nizk/commit.go b/nizk/commit.go
index 5634b16..ecb1568 100644
--- a/nizk/commit.go
+++ b/nizk/commit.go
@@ -38,18 +38,19 @@ type Proof struct {
 }
 }
-func NewBit(id Bytes, set bool) *Bit {
+func NewBit(id Bytes, set bool) (*Bit, *Commitment, *Proof) {
 α, β := Curve.RandomScalar(), Curve.RandomScalar()
 return NewBitFromScalars(id, set, α, β)
 }
-func NewBitFromScalars(id Bytes, set bool, α, β *Scalar) *Bit {
- return &Bit{
+func NewBitFromScalars(id Bytes, set bool, α, β *Scalar) (*Bit, *Commitment, *Proof) {
+ b := &Bit{
 id: id,
 set: set,
 α: α,
 β: β,
 }
+ return b, b.commit(), b.proof()
 }
 func (b *Bit) IsSet() bool {
@@ -122,10 +123,6 @@ func (s *Bit) proof() *Proof {
 return pr
 }
-func (s *Bit) Commit() (*Commitment, *Proof) {
- return s.commit(), s.proof()
-}
-
 func (c *Commitment) Verify(id Bytes, p *Proof) bool {
 var e [2][2]*Point
diff --git a/nizk/commit_test.go b/nizk/commit_test.go
index 3d65aa4..a09ae70 100644
--- a/nizk/commit_test.go
+++ b/nizk/commit_test.go
@@ -9,9 +9,9 @@ import (
 func TestStatement(t *testing.T) {
 id := Curve.RandomScalar()
- st1, st2 := NewBit(id, true), NewBit(id, false)
- c1, p1 := st1.Commit()
- c2, p2 := st2.Commit()
+ _, c1, p1 := NewBit(id, true)
+ _, c2, p2 := NewBit(id, false)
+
 if !c1.Verify(id, p1) {
 t.Fatal("Could not verify st1 with c1, plus=true case")
 }
@@ -34,9 +34,9 @@ func TestStatement(t *testing.T) {
 func TestStatementFromScalar(t *testing.T) {
 var α, β, id = Curve.RandomScalar(), Curve.RandomScalar(), Curve.RandomScalar()
- st1, st2 := NewBitFromScalars(id, true, α, β), NewBitFromScalars(id, false, α, β)
- c1, p1 := st1.Commit()
- c2, p2 := st2.Commit()
+ _, c1, p1 := NewBitFromScalars(id, true, α, β)
+ _, c2, p2 := NewBitFromScalars(id, false, α, β)
+
 if !c1.Verify(id, p1) {
 t.Fatal("Could not verify st1 with c1, plus=true case")
 }
diff --git a/nizk/stage1.go b/nizk/stage1.go
index 3ebed27..07eba3f 100644
--- a/nizk/stage1.go
+++ b/nizk/stage1.go
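Review bot: `NewBit` and `NewBitFromScalars` in nizk/commit.go now hand back three values but have no doc comment saying which of them is secret, and `NewBitFromScalars` accepts `α` and `β` without stating any requirement on them. The returned `*Bit` keeps `set`, `α` and `β`, while the `*Commitment` and `*Proof` are what `Verify` consumes, so presumably only the latter two are meant to leave the process. I would add something like `// NewBitFromScalars returns the private Bit together with its public Commitment and Proof; α and β must be fresh, secret random scalars and must not be reused for another Bit.` and a matching one-liner on `NewBit`. Note that `TestStatementFromScalar` passes the same `α`, `β` to both bits, which is fine for a test but is the pattern the comment should steer production callers away from.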
@@ -1,8 +1,6 @@
 package nizk
 import (
- "fmt"
-
 . "kesim.org/seal/common"
 )
@@ -36,14 +34,13 @@ type Stage1Proof struct {
 }
 func (b *Bit) stage(x, r *Scalar) {
- b.Commit() // ensure non-null values for A, B, C
 b.Stage = &Stage{
 x: x,
 r: r,
 }
 }
-func (s *Stage) commit(Xs ...*Point) *StageCommitment {
+func (s *Stage) commit() *StageCommitment {
 if s.StageCommitment != nil {
 return s.StageCommitment
 }
@@ -55,22 +52,22 @@ func (s *Stage) commit(Xs ...*Point) *StageCommitment {
 return s.StageCommitment
 }
-func (b *Bit) StageCommit(Xs ...*Point) (s *StageCommitment) {
+func (b *Bit) StageCommit() (s *StageCommitment) {
+ if b.Stage != nil {
+ return b.Stage.StageCommitment
+ }
 x := Curve.RandomScalar()
 r := Curve.RandomScalar()
- return b.StageFromScalars(x, r, Xs...)
+ return b.StageFromScalars(x, r)
 }
-func (b *Bit) StageFromScalars(x, r *Scalar, Xs ...*Point) (c *StageCommitment) {
+func (b *Bit) StageFromScalars(x, r *Scalar) (c *StageCommitment) {
 b.stage(x, r)
- return b.Stage.commit(Xs...)
+ return b.Stage.commit()
 }
-func (b *Bit) reveal(prev_true bool, Xs ...*Point) (r *StageReveal, e error) {
+func (b *Bit) reveal(prev_true bool, Xs ...*Point) (r *StageReveal) {
 s := b.Stage
- if s == nil {
- return nil, fmt.Errorf("stage not ready")
- }
 // TODO: Calculate Y based on the Xs and our own X_i
 // as Π_(i<k) X_k / Π_(i>k) X_k
@@ -85,14 +82,15 @@ func (b *Bit) reveal(prev_true bool, Xs ...*Point) (r *StageReveal, e error) {
 r.Z = Y.Exp(s.x)
 }
- return r, e
+ return r
 }
-func (b *Bit) RevealStage1(Xs ...*Point) (rev *StageReveal, pr *Stage1Proof, e error) {
- s := b.Stage
- if s == nil {
- return nil, nil, fmt.Errorf("stage not ready")
+func (b *Bit) RevealStage1(Xs ...*Point) (rev *StageReveal, pr *Stage1Proof) {
+ if b.Stage == nil {
+ b.StageCommit()
 }
+ s := b.Stage
+
 var ε [2][4]*Point
 var r1, r2, ρ1, ρ2, ω *Scalar
 for _, s := range []**Scalar{&r1, &r2, &ρ1, &ρ2, &ω} {
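Review bot: `reveal` in nizk/stage1.go now takes `s := b.Stage` with no guard and no error result, so a Bit that was never staged is dereferenced as a nil stage further down instead of reporting "stage not ready". Both exported callers stage the bit first after this commit, so this is a precondition rather than a bug, but it should be written down: `// reveal requires b.Stage to be set; callers must go through StageCommit or StageFromScalars first.` Related, `StageCommit` now returns the cached commitment when `b.Stage` is set while `StageFromScalars` still replaces `b.Stage` unconditionally, so calling it after a commitment has been handed out leaves that commitment without its `x` and `r`; a doc comment on `StageFromScalars` should say it is meant to be called at most once per Bit. The body of `reveal` continues outside this hunk.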
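Review bot: `RevealStage1` now calls `b.StageCommit()` itself when `b.Stage` is nil and drops the returned commitment, so a reveal and proof can be produced for a stage commitment the caller never obtained or published beforehand. If the scheme relies on the commitment being fixed before anything is revealed (not visible here, so to be confirmed), the old "stage not ready" error was the check that caught that ordering mistake, and it now passes silently; the new `TestStage2Simple` already calls `RevealStage1()` before `StageCommit()`. At minimum document it: `// RevealStage1 creates the stage commitment on demand; callers must still obtain and publish StageCommit() before releasing the reveal.` The same on-demand call is added to `RevealStage2` in nizk/stage2.go, and the body of `RevealStage1` continues outside this hunk.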
@@ -100,10 +98,7 @@ func (b *Bit) RevealStage1(Xs ...*Point) (rev *StageReveal, pr *Stage1Proof, e e
 }
 c := s.commit()
- rev, e = b.reveal(true, Xs...)
- if e != nil {
- return nil, nil, e
- }
+ rev = b.reveal(true, Xs...)
 if b.IsSet() {
 ε[0][0] = G.Exp(r1).Mul(c.X.Exp(ω))
@@ -126,11 +121,11 @@ func (b *Bit) RevealStage1(Xs ...*Point) (rev *StageReveal, pr *Stage1Proof, e e
 }
 p := []Bytes{G, b.A, b.B, b.C, c.R, c.X, rev.Y, rev.Z}
- for _, e := range ε[0] {
- p = append(p, e)
+ for _, ε := range ε[0] {
+ p = append(p, ε)
 }
- for _, e := range ε[1] {
- p = append(p, e)
+ for _, ε := range ε[1] {
+ p = append(p, ε)
 }
 ch := Challenge(p...)
@@ -153,7 +148,7 @@ func (b *Bit) RevealStage1(Xs ...*Point) (rev *StageReveal, pr *Stage1Proof, e e
 }
 s.StageReveal = rev
- return rev, pr, e
+ return rev, pr
 }
 func (c *Commitment) VerifyStage1(sc *StageCommitment, r *StageReveal, p *Stage1Proof) bool {
diff --git a/nizk/stage1_test.go b/nizk/stage1_test.go
index 954f356..2dd719b 100644
--- a/nizk/stage1_test.go
+++ b/nizk/stage1_test.go
@@ -8,15 +8,13 @@ import (
 func TestStage1Simple(t *testing.T) {
 id := Curve.RandomScalar()
- b1 := NewBit(id, true)
- b2 := NewBit(id, false)
- bc1, _ := b1.Commit()
- bc2, _ := b2.Commit()
+ b1, bc1, _ := NewBit(id, true)
+ b2, bc2, _ := NewBit(id, false)
 c1 := b1.StageCommit()
 c2 := b2.StageCommit()
- r1, pr1, _ := b1.RevealStage1() // Note: no Xs.
- r2, pr2, _ := b2.RevealStage1() // Note: no Xs.
+ r1, pr1 := b1.RevealStage1() // Note: no Xs.
+ r2, pr2 := b2.RevealStage1() // Note: no Xs.
 if !bc1.VerifyStage1(c1, r1, pr1) {
 t.Fatal("Could not verify st1 with c1 and pr1, plus=true case")
 }
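Review bot: In nizk/stage1.go the loops `for _, ε := range ε[0]` and `for _, ε := range ε[1]` name the loop variable after the array they range over. This compiles because the range expression is evaluated before the variable is declared, but inside the body `ε` is then a single element rather than the array, which is easy to misread in the code that assembles the input to `Challenge`, where the order and identity of the appended points matter. A distinct name keeps it unambiguous: `for _, pt := range ε[0] {` with `p = append(p, pt)`. The enclosing `RevealStage1` starts and ends outside this hunk.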
@@ -35,15 +33,13 @@ func TestStage1FromScalars(t *testing.T) {
 *s = Curve.RandomScalar()
 }
- b1 := NewBitFromScalars(id, true, α, β)
- b2 := NewBitFromScalars(id, false, α, β)
- bc1, _ := b1.Commit()
- bc2, _ := b2.Commit()
+ b1, bc1, _ := NewBitFromScalars(id, true, α, β)
+ b2, bc2, _ := NewBitFromScalars(id, false, α, β)
 c1 := b1.StageFromScalars(r, x)
 c2 := b2.StageFromScalars(x, r)
- r1, pr1, _ := b1.RevealStage1() // Note: no Xs
- r2, pr2, _ := b2.RevealStage1() // Note: no Xs
+ r1, pr1 := b1.RevealStage1() // Note: no Xs
+ r2, pr2 := b2.RevealStage1() // Note: no Xs
 if !bc1.VerifyStage1(c1, r1, pr1) {
 t.Fatal("Could not verify st1 with c1 and pr1, plus=true case")
 }
diff --git a/nizk/stage2.go b/nizk/stage2.go
index e6e6b34..c9ee517 100644
--- a/nizk/stage2.go
+++ b/nizk/stage2.go
@@ -1,8 +1,6 @@
 package nizk
 import (
- "fmt"
-
 . "kesim.org/seal/common"
 )
@@ -21,11 +19,12 @@ type Stage2Proof struct {
 R3 [2]*Scalar
 }
-func (b *Bit) RevealStage2(prev *Bit, Xs ...*Point) (rv2 *StageReveal, pr *Stage2Proof, e error) {
- s := b.Stage
- if s == nil {
- return nil, nil, fmt.Errorf("stage not ready")
+func (b *Bit) RevealStage2(lost bool, prev *Bit, Xs ...*Point) (rv2 *StageReveal, pr *Stage2Proof) {
+ if b.Stage == nil {
+ b.StageCommit()
 }
+ s := b.Stage
+
 var (
 ε1, ε1_ [3]Bytes
 ε2, ε2_ [3]Bytes
@@ -45,12 +44,9 @@ func (b *Bit) RevealStage2(prev *Bit, Xs ...*Point) (rv2 *StageReveal, pr *Stage
 c1 := prev.StageCommitment
 c2 := s.StageCommitment
 rv1 := prev.StageReveal
- rv2, e = b.reveal(prev.IsSet(), Xs...)
- if e != nil {
- return nil, nil, e
- }
+ rv2 = b.reveal(prev.IsSet(), Xs...)
- if !prev.IsSet() {
+ if lost {
 ε1[0] = G.Exp(ρ1[0]).Mul(c2.X.Exp(ω[0]))
 ε1[1] = G.Exp(ρ1[1]).Mul(c1.X.Exp(ω[0]))
 ε1[2] = G.Exp(ρ1[2]).Mul(b.A.Exp(ω[0]))
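Review bot: In `RevealStage2` (nizk/stage2.go) the proof branch is now chosen by the caller-supplied `lost`, while the reveal one statement earlier is still computed from `prev.IsSet()`, so the two can disagree when a caller passes a `lost` that does not match the previous bit. Before this change both were derived from `prev`. If they are meant to be independent, the exported signature needs a doc comment explaining what `lost` means and how it relates to `prev`; if not, feed both from the same value, e.g. `rv2 = b.reveal(!lost, Xs...)`, to be confirmed against the protocol. Also, `prev.StageCommitment` and `prev.StageReveal` are read without checking that `prev` was staged and revealed, and with the error result removed there is no way left to report that. The function starts and ends outside this hunk.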
@@ -180,7 +176,7 @@ func (b *Bit) RevealStage2(prev *Bit, Xs ...*Point) (rv2 *StageReveal, pr *Stage
 }
 }
- return rv2, pr, e
+ return rv2, pr
 }
 func (c *Commitment) VerifyStage2(c1, c2 *StageCommitment, r1, r2 *StageReveal, p *Stage2Proof) bool {
diff --git a/nizk/stage2_test.go b/nizk/stage2_test.go
index e5b44c6..446f20d 100644
--- a/nizk/stage2_test.go
+++ b/nizk/stage2_test.go
@@ -7,21 +7,33 @@ import (
 )
 func TestStage2Simple(t *testing.T) {
- id1 := Curve.RandomScalar()
- b1 := NewBit(id1, false)
- b2 := NewBit(id1, true)
-
+ id := Curve.RandomScalar()
+ b1, _, _ := NewBit(id, false) // This is also the junction
+ r1, _ := b1.RevealStage1()
 c1 := b1.StageCommit()
- r1, _, _ := b1.RevealStage1()
- bc2, _ := b2.Commit()
- c2 := b2.StageCommit()
- r2, p2, e := b2.RevealStage2(b1)
- if e != nil {
- t.Fatalf("e: %v", e)
- }
- if !bc2.VerifyStage2(c1, c2, r1, r2, p2) {
- t.Fatalf("failed to verify!\nbc2: %#v\nc1: %#v\nc2: %#v\nr1: %#v\nr2: %#v\np2: %#v\n",
- bc2, c1, c2, r1, r2, p2)
+ for _, s := range [][2]bool{
+ {false, false},
+ {true, false},
+ {true, true},
+ {false, true},
+ } {
+ b2, bc2, _ := NewBit(id, s[0])
+ b3, bc3, _ := NewBit(id, s[1])
+
+ c2 := b2.StageCommit()
+ c3 := b3.StageCommit()
+
+ r2, p2 := b2.RevealStage2(true, b1)
+ if !bc2.VerifyStage2(c1, c2, r1, r2, p2) {
+ t.Fatalf("failed to verify!\nbc2: %#v\nc1: %#v\nc2: %#v\nr1: %#v\nr2: %#v\np2: %#v\n",
+ bc2, c1, c2, r1, r2, p2)
+ }
+
+ r3, p3 := b3.RevealStage2(true, b1)
+ if !bc3.VerifyStage2(c1, c3, r1, r3, p3) {
+ t.Fatalf("faild to verify bc3")
+ }
 }
+
 } |
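Review bot: Every `RevealStage2` call in the new table in nizk/stage2_test.go passes `true` for `lost` against the same unset `b1`, so whatever the function does when `lost` is false is never exercised, and the `b3` check runs the same call as the `b2` check with the other column of the table. There is also no case that expects `VerifyStage2` to return false, which is the property a proof verifier most needs pinned down. I would add rows that vary `lost` (with a matching `prev`) and at least one mismatched check that asserts failure, for example verifying `r2, p2` against `bc3`. The message `"faild to verify bc3"` has a typo and, unlike the first one, prints none of the values.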