y"h      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Safe"#;=] PNone"#&'8;=>?QV] .For computations using Safe Prime Field paramskA Safe Prime Field (Zp): Q = large prime P = 2Q + 1, also prime G = generator for Zp order q+A generator order Q for prime field order P6A large prime such that p = 2q + 1 and p is also prime 9A large, safe prime, p = 2q + 1, where q is a large prime Compute g^e  p Compute b^e  pGenerate random number in ZqGenerate random number in Zp !    None"#;=]-T9Original value comitted:random exponent r,  g^x \cdot h^r@(Safe prime field for pedersen commitmentAh = g^a \mod p where a is randomB9Generates a Safe Prime Field (p,q,g) and a random value  a \in Z_q such that g^a = hJ, where g and h are the bases to be used in the pedersen commit function.C-Commit a value by generating a random number  r \in Z_q and computing C(x) = g^x \cdot h^r where x is the value to commitD1Open the commit by supplying the value commited, x, the random value r and the pedersen bases g and h, and verifying that C(x) \overset{!}{=} g^x * h^rE'This addition should be recorded as the previous commits are unable to be extracted from this new commitment. The only way to open this commiment is to tell the committing party the two commitments that were added so that the commitment can be validated and opening parameters can be created.FThis function validates a homomorphic addition of two commitments using the original pedersen commits and reveals to compute the new commitment without homomorphic addition.GGCheck that `g^a = h` to verify integrity of a counterparty's commitmentH<Setup EC Pedersen commit params, defaults to curve secp256k1KIn order for this resulting commitment to be opened, the commiter must construct a new set of reveal parameters. The new reveal is then sent to the counterparty to open the homomorphically added commitment.LzVerify the addition of two EC Pedersen Commitments by constructing the new Pedersen commitment on the uncommitted values.MAdd an integer to the committed value. The committer should be informed of the integer added to the commitment so that a valid pedersen reveal can be constructed and the resulting commitment can be opened,$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO,3456>?@A;<=789:BCDEFG$%&'/012,-.()*+HIJKLMNO$%&'()*+,-./0123456789:;<=>?@ANone"#;=]S WCommitment parameters)Security parameter, # bits of large primeSecret to commit to, as bytesSafe Prime field (shared)YGenerates a hardcore bit sequence using the result from the paper: "How to generate cryptographically strong sequences of pseudo random bits" - M. Blum and S. Micali, 1984 Reference: <https://crypto.stanford.edu/pbc/notes/crypto/blummicali.html[Strong one way function, discrete log problem: f(x) = g^x mod p in some prime field ZpHardcore predicate H (Blum-Micali): given p from LocalParams: let H(x) = if x < (p - 1)/2 then 1 else 0 resource: :https://crypto.stanford.edu/pbc/notes/crypto/hardcore.htmlqForce random nums to be generated with (p,g) from shared env and returns a single byte (8 random bits) as output<Force random seed to be generated with (p,g) from shared env[2(b), 3(a): Generate two integer maps where the ith entry in each map corresponds to the ith k1 and k2 values respectively such that `Hn(k1_i) xor Hn(k2_i) == byte_i`. Two maps are generated map because the values k and k' are to be exposed at different stages of the protocol.>Generate a pair of values such that `Hn(k1) xor Hn(k2) = byte`\-Takes a Map k v and returns Map k (g^v mod p)]I2(c), 3(b): Generate random r in Z_q and commit using Pedersen Commitment^$3(c), 4(a): Generate random c in Z_q_#4(c),5(c): computes d_i = c*k_i + r`5(a), 6(a): Verifies that the counterparty has not lied about their original commitment and has not tampered with the k values they used to encrypt their original message: `g^d_i == (g^k_i)^c * g^r`Verifies the ith d_i% value for the ith byte of the secretaComputes the original bytestring that was commited by a counterparty once they have supplied the neccessary parameters k_i and k_i'.nGenerate the byte correspoding to `Hn(k) xor Hn(k')` where Hn(k) is the blum-micali PRNG hardcore nbit outputYNumber of bits to generateInitial seed (must be in Zp)"Safe prime field to compute withinn-bit, pseudo-random result_Counterparty's cCurrent party's K1MapCurrent party's r`Counterparty's DMapCounterparty's (g^k, g^k') mapCurrent party's cCounterparty's 'g^r'Current party's cCounterparty's 'g^r'Counterparty's diCounterparty's 'g^ki'RSTUVWXYZ[\]^_`aWVURTS[\YX]_Z^`aWNone"#;=]WfFinal message in the protocolCommitment of private R value&Exponent such that g^rA = h (pedersen)Commitment of private R valueInfo to open the g^r commitmentBases to send to Responder&Exponent such that g^iA = h (pedersen)7fghijklmnopqrstuvwyxz{|}~7~}wxyz{|vutopqrsmnlkjihgffghi jklmnopqrstuv  wxyz{|}    ~ !"#None"#;=]h "ecRevealVal is a vector of scalars$5Outputs unpredictable but deterministic random values%"Secure cryptographic hash function7Generate a commit value which is a vector of N elementsBDot product between a vector of scalars and a vector of ECC.Points&7Concatenate point coordinates to create a hashable typeGenerate vector of generators in a deterministic way from the curve generator g by applying H(encode(g) || i) where H is a secure hash function;Commitment function. The value we commit to is now a vector%Open commitment to check its validitySum of vectors in a curveVerify the addition of two EC Vector Pedersen Commitments by constructing the new Pedersen commitment on the uncommitted values.9Add a vector to the committed value such that C'= C + wG ,-./012/012,-.'      !"#$%&'()*++,-../0112334567889:;;<==>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvuwxyz{|}~++,-../0GHJ Udefghijklrstz{|}~0pedersen-commitment-0.2.0-2qVrsUS8hbIFCfs5F3mvMC PrimeFieldPedersen MICP.InternalMICPVectorPedersenPaths_pedersen_commitmentSPFMSPFspfPspfQspfGGunGQunQPunPmkSPFmkSPF'runSPFTrunSPFM gexpSafeSPF gexpSafeSPFM expSafeSPF expSafeSPFM randomInZq randomInZqM randomInZp randomInZpMmodpmodpM|*||+|$fShowP$fEqP$fOrdP$fShowQ$fEqQ$fOrdQ$fShowG$fEqG$fOrdG ECPedersen ecCommitmentecRevealECReveal ecRevealValecRevealScalar ECCommitmentunECCommitmentECCommitParamsecCurveecH commitmentrevealReveal revealVal revealExp Commitment unCommitment CommitParams pedersenSPF pedersenHsetupcommitopenaddCommitmentsverifyAddCommitmentsverifyCommitParamsecSetupecCommitecOpenecAddCommitmentsecVerifyAddCommitments ecAddIntegerecVerifyAddIntegerverifyECCommitParams$fEqCommitment$fEqECCommitmentDMapGtoK2MapGtoK1MapK2MapK1Map MICParams genPRNGSeedblumMicaliPRNG mkMICParamsgenKMaps kmapToGKMap genAndCommitRgenC computeDMap verifyDMap micpReveal$fEqBit$fOrdBit $fEnumBit $fShowBit RPhase4Msg RPhase4Params RPhase3Msg RPhase3Params RPhase2Msg RPhase2Params RPhase1Msg RPhase1Priv RPhase1ParamsRPhaseRPhase1RPhase2RPhase3RPhase4 IPhase5Msg IPhase4Msg IPhase4Params IPhase3Msg IPhase3RejectiRevealiDMapiA IPhase3Params IPhase2Msg IPhase2Priv IPhase2Params IPhase1Msg IPhase1PrivIPhaseIPhase1IPhase2IPhase3IPhase4IPhase5iPhase1mkIPhase2ParamsiPhase2mkIPhase3ParamsiPhase3mkIPhase4Params iGetK2MapiPhase4 iGetK1MapiPhase5mkRPhase1ParamsrPhase1mkRPhase2ParamsrPhase2mkRPhase3Params rGetK2MaprPhase3mkRPhase4Params rGetK1MaprPhase4scalarGenerateNdotmkGsvecSum ecAddVectorecVerifyAddVectorversion getBinDir getLibDir getDynLibDir getDataDir getLibexecDir getSysconfDirgetDataFileNamebaseGHC.RealmodsecParam secretBytesmicpSPF blumMicaliF blumMicaliHmicpBlumMicaliPRNGmicpBlumMicaliSeedgenKPairverifyDi kpairToByte PRNGStateibitsseedBitZeroOnerCommitrprivA iCommitment iprivReveal iCommitParamsiprivA RPhase4RejectrK1Map rp4pRK1Map rp4pIK2Map rp4pIGtoK2Map RPhase3RejectrK2MaprArp3pRCommitParamsrp3pICommitment rp3pIReveal rp3pIDMap rp3pIGtoK1Maprp3pRCrp3pIArp3pICommitParams rp3pRK2Maprp3pRArCrRevealrDMaprp2pIC rp2pRK1Map rp2pRRevealrp2pRR rCommitParams rGtoK1Map rGtoK2Map rprivK1Map rprivK2Map rprivRevealrprivRrp1pSecurityParamrp1pSecretBytesrp1pICommitParamsiK1Map IPhase4RejectiK2Mapip4pRAip4pRCommitParams ip4pRK2Map ip4pRGtoK2Map ip4pIK2Mapip3pRCommitment ip3pRReveal ip3pRDMap ip3pRGtoK1Mapip3pRCip3pICommitParamsip3pIC ip3pK1Mapip3pIR ip3pIRevealip3pA iGtoK1Map iGtoK2MapiC iprivK1Map iprivK2MapiprivRip2pSecretBytesip2pRCommitParamsoraclesha256appendCoordinates