pedersen-commitment-0.2.0: An implementation of Pedersen commitment schemes

Safe HaskellNone



Mutually Independent Commitments Protocol (MICP)

  • 1, 2(a): send pedersen bases to each other
  • 2(b): Send bobGK1Map to alice
  • 2(c): Send bobCommit to alice using alice params
  • 3(a): Send aliceGK1Map to bob
  • 3(b): Send aliceCommit to bob
  • 3(c): Send aliceC to bob
  • 4(a): Send bobC to alice
  • 4(b): Send bobReveal to alice
  • 4(c): Send bobDMap to alice
  • 5(a): alice checks bob's commit
  • 5(b): Send aliceReveal to bob
  • 5(c): Send aliceDMap to bob
  • 5(d): send alice's a to bob
  • 6(a): bob checks alice's commit
  • 6(b): bob checks that alice's ga^a == ha
  • 6(c): bob sends k'map and bob's a to alice
  • 7(a): alice checks that bob's ga^a == ha
  • 7(b): alice checks k'map from bob matches gk'map received earlier
  • 8(a): bob checks k'map from alice matches gk'map recieved earlier
  • Reveal: Alice & Bob reveal KMaps



data MICParams Source #

Commitment parameters

genKMaps :: MonadRandom m => [Word8] -> SPFM m (K1Map, K2Map) Source #

2(b), 3(a): Generate two integer maps where the ith entry in each map corresponds to the ith k1 and k2 values respectively such that `Hn(k1_i) xor Hn(k2_i) == byte_i`. Two maps are generated map because the values k and k' are to be exposed at different stages of the protocol.

kmapToGKMap :: Monad m => Map Int Integer -> SPFM m (Map Int Integer) Source #

Takes a Map k v and returns Map k (g^v mod p)

blumMicaliPRNG Source #


:: MonadRandom m 
=> Int

Number of bits to generate

-> Integer

Initial seed (must be in Zp)

-> SPF

Safe prime field to compute within

-> m Integer

n-bit, pseudo-random result

Generates a hardcore bit sequence using the result from the paper: "How to generate cryptographically strong sequences of pseudo random bits" - M. Blum and S. Micali, 1984


genAndCommitR :: MonadRandom m => CommitParams -> SPFM m (Integer, Pedersen) Source #

2(c), 3(b): Generate random r in Z_q and commit using Pedersen Commitment

computeDMap Source #


:: Integer

Counterparty's c

-> K1Map

Current party's K1Map

-> Integer

Current party's r

-> DMap 

4(c),5(c): computes d_i = c*k_i + r

genC :: MonadRandom m => SPFM m Integer Source #

3(c), 4(a): Generate random c in Z_q

verifyDMap Source #


:: Monad m 
=> DMap

Counterparty's DMap

-> GtoK1Map

Counterparty's (g^k, g^k') map

-> Integer

Current party's c

-> Integer

Counterparty's 'g^r'

-> SPFM m Bool 

5(a), 6(a): Verifies that the counterparty has not lied about their original commitment and has not tampered with the k values they used to encrypt their original message: `g^d_i == (g^k_i)^c * g^r`

micpReveal :: MonadRandom m => K1Map -> K2Map -> SPFM m ByteString Source #

Computes the original bytestring that was commited by a counterparty once they have supplied the neccessary parameters k_i and k_i'.