-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | An implementation of Pedersen commitment schemes
--   
--   An implementation of Pedersen commitment schemes for multiparty
--   protocols.
@package pedersen-commitment
@version 0.2.0

module PrimeField

-- | A large, safe prime, p = 2q + 1, where q is a large prime
data P
unP :: P -> Integer

-- | A large prime such that p = 2q + 1 and p is also prime
data Q
unQ :: Q -> Integer

-- | A generator order Q for prime field order P
data G
unG :: G -> Integer

-- | A Safe Prime Field (Zp): Q = large prime P = 2Q + 1, also prime G =
--   generator for Zp order q
data SPF
spfP :: SPF -> P
spfQ :: SPF -> Q
spfG :: SPF -> G
mkSPF :: MonadRandom m => Int -> m SPF
mkSPF' :: Integer -> Integer -> Integer -> Maybe SPF

-- | For computations using Safe Prime Field params
type SPFM = ReaderT SPF
runSPFT :: SPF -> SPFM m a -> m a
runSPFM :: SPF -> SPFM Identity a -> a

-- | Compute g^e <a>mod</a> p
gexpSafeSPF :: SPF -> Integer -> Integer
gexpSafeSPFM :: Monad m => Integer -> SPFM m Integer

-- | Compute b^e <a>mod</a> p
expSafeSPF :: SPF -> Integer -> Integer -> Integer
expSafeSPFM :: Monad m => Integer -> Integer -> SPFM m Integer

-- | Generate random number in Zq
randomInZq :: MonadRandom m => SPF -> m Integer
randomInZqM :: MonadRandom m => SPFM m Integer

-- | Generate random number in Zp
randomInZp :: MonadRandom m => SPF -> m Integer
randomInZpM :: MonadRandom m => SPFM m Integer
modp :: SPF -> Integer -> Integer
modpM :: Monad m => Integer -> SPFM m Integer
(|*|) :: Monad m => SPFM m Integer -> SPFM m Integer -> SPFM m Integer
(|+|) :: Monad m => SPFM m Integer -> SPFM m Integer -> SPFM m Integer
instance GHC.Classes.Ord PrimeField.G
instance GHC.Classes.Eq PrimeField.G
instance GHC.Show.Show PrimeField.G
instance GHC.Classes.Ord PrimeField.Q
instance GHC.Classes.Eq PrimeField.Q
instance GHC.Show.Show PrimeField.Q
instance GHC.Classes.Ord PrimeField.P
instance GHC.Classes.Eq PrimeField.P
instance GHC.Show.Show PrimeField.P


-- | The Pedersen commitment scheme has three operations:
--   
--   <ul>
--   <li>Setup</li>
--   <li>Commit</li>
--   <li>Open</li>
--   </ul>
module Pedersen
data Pedersen
Pedersen :: Commitment -> Reveal -> Pedersen
[commitment] :: Pedersen -> Commitment
[reveal] :: Pedersen -> Reveal
data CommitParams
CommitParams :: SPF -> Integer -> CommitParams

-- | Safe prime field for pedersen commitment
[pedersenSPF] :: CommitParams -> SPF

-- | &lt;math&gt; where a is random
[pedersenH] :: CommitParams -> Integer
newtype Commitment
Commitment :: Integer -> Commitment
[unCommitment] :: Commitment -> Integer
data Reveal
Reveal :: Integer -> Integer -> Reveal

-- | Original value comitted
[revealVal] :: Reveal -> Integer

-- | random exponent r, &lt;math&gt;
[revealExp] :: Reveal -> Integer

-- | Generates a Safe Prime Field (p,q,g) and a random value &lt;math&gt;
--   such that &lt;math&gt;, where g and h are the bases to be used in the
--   pedersen commit function.
setup :: MonadRandom m => Int -> m (Integer, CommitParams)

-- | Commit a value by generating a random number &lt;math&gt; and
--   computing &lt;math&gt; where x is the value to commit
commit :: MonadRandom m => Integer -> CommitParams -> m Pedersen

-- | Open the commit by supplying the value commited, <tt>x</tt>, the
--   random value <tt>r</tt> and the pedersen bases <tt>g</tt> and
--   <tt>h</tt>, and verifying that &lt;math&gt;
open :: CommitParams -> Commitment -> Reveal -> Bool

-- | This addition should be recorded as the previous commits are unable to
--   be extracted from this new commitment. The only way to open this
--   commiment is to tell the committing party the two commitments that
--   were added so that the commitment can be validated and opening
--   parameters can be created.
addCommitments :: CommitParams -> Commitment -> Commitment -> Commitment

-- | This function validates a homomorphic addition of two commitments
--   using the original pedersen commits and reveals to compute the new
--   commitment without homomorphic addition.
verifyAddCommitments :: CommitParams -> Pedersen -> Pedersen -> Pedersen

-- | Check that `g^a = h` to verify integrity of a counterparty's
--   commitment
verifyCommitParams :: Integer -> CommitParams -> Bool
data ECPedersen
ECPedersen :: ECCommitment -> ECReveal -> ECPedersen
[ecCommitment] :: ECPedersen -> ECCommitment
[ecReveal] :: ECPedersen -> ECReveal
data ECCommitParams
ECCommitParams :: Curve -> Point -> ECCommitParams
[ecCurve] :: ECCommitParams -> Curve
[ecH] :: ECCommitParams -> Point
data ECCommitment
ECCommitment :: Point -> ECCommitment
[unECCommitment] :: ECCommitment -> Point
data ECReveal
ECReveal :: Integer -> Integer -> ECReveal
[ecRevealVal] :: ECReveal -> Integer
[ecRevealScalar] :: ECReveal -> Integer

-- | Setup EC Pedersen commit params, defaults to curve secp256k1
ecSetup :: MonadRandom m => Maybe CurveName -> m ECCommitParams
ecCommit :: MonadRandom m => Integer -> ECCommitParams -> m ECPedersen
ecOpen :: ECCommitParams -> ECCommitment -> ECReveal -> Bool

-- | In order for this resulting commitment to be opened, the commiter must
--   construct a new set of reveal parameters. The new reveal is then sent
--   to the counterparty to open the homomorphically added commitment.
ecAddCommitments :: ECCommitParams -> ECCommitment -> ECCommitment -> ECCommitment

-- | Verify the addition of two EC Pedersen Commitments by constructing the
--   new Pedersen commitment on the uncommitted values.
ecVerifyAddCommitments :: ECCommitParams -> ECPedersen -> ECPedersen -> ECPedersen

-- | Add an integer to the committed value. The committer should be
--   informed of the integer added to the commitment so that a valid
--   pedersen reveal can be constructed and the resulting commitment can be
--   opened
ecAddInteger :: ECCommitParams -> ECCommitment -> Integer -> ECCommitment
ecVerifyAddInteger :: ECCommitParams -> ECPedersen -> Integer -> ECPedersen
verifyECCommitParams :: Integer -> ECCommitParams -> Bool
instance GHC.Classes.Eq Pedersen.ECCommitment
instance GHC.Classes.Eq Pedersen.Commitment


-- | Mutually Independent Commitments Protocol (MICP)
--   
--   <ul>
--   <li>1, 2(a): send pedersen bases to each other</li>
--   <li>2(b): Send bobGK1Map to alice</li>
--   <li>2(c): Send bobCommit to alice using alice params</li>
--   <li>3(a): Send aliceGK1Map to bob</li>
--   <li>3(b): Send aliceCommit to bob</li>
--   <li>3(c): Send aliceC to bob</li>
--   <li>4(a): Send bobC to alice</li>
--   <li>4(b): Send bobReveal to alice</li>
--   <li>4(c): Send bobDMap to alice</li>
--   <li>5(a): alice checks bob's commit</li>
--   <li>5(b): Send aliceReveal to bob</li>
--   <li>5(c): Send aliceDMap to bob</li>
--   <li>5(d): send alice's <tt>a</tt> to bob</li>
--   <li>6(a): bob checks alice's commit</li>
--   <li>6(b): bob checks that alice's ga^a == ha</li>
--   <li>6(c): bob sends k'map and bob's <tt>a</tt> to alice</li>
--   <li>7(a): alice checks that bob's ga^a == ha</li>
--   <li>7(b): alice checks k'map from bob matches gk'map received
--   earlier</li>
--   <li>8(a): bob checks k'map from alice matches gk'map recieved
--   earlier</li>
--   <li>Reveal: Alice &amp; Bob reveal KMaps</li>
--   </ul>
module MICP.Internal

-- | Commitment parameters
data MICParams
type K1Map = Map Int Integer
type K2Map = Map Int Integer
type DMap = Map Int Integer
type GtoK1Map = Map Int Integer
type GtoK2Map = Map Int Integer

-- | 2(b), 3(a): Generate two integer maps where the ith entry in each map
--   corresponds to the ith k1 and k2 values respectively such that
--   `Hn(k1_i) xor Hn(k2_i) == byte_i`. Two maps are generated map because
--   the values k and k' are to be exposed at different stages of the
--   protocol.
genKMaps :: MonadRandom m => [Word8] -> SPFM m (K1Map, K2Map)

-- | Takes a Map k v and returns Map k (g^v mod p)
kmapToGKMap :: Monad m => Map Int Integer -> SPFM m (Map Int Integer)

-- | Generates a hardcore bit sequence using the result from the paper:
--   "How to generate cryptographically strong sequences of pseudo random
--   bits" - M. Blum and S. Micali, 1984
--   
--   Reference:
--   <a>https://crypto.stanford.edu/pbc/notes/crypto/blummicali.html</a>
blumMicaliPRNG :: MonadRandom m => Int -> Integer -> SPF -> m Integer
genPRNGSeed :: MonadRandom m => SPF -> m Integer

-- | 2(c), 3(b): Generate random r in Z_q and commit using Pedersen
--   Commitment
genAndCommitR :: MonadRandom m => CommitParams -> SPFM m (Integer, Pedersen)

-- | 4(c),5(c): computes d_i = c*k_i + r
computeDMap :: Integer -> K1Map -> Integer -> DMap
mkMICParams :: Int -> ByteString -> SPF -> MICParams

-- | 3(c), 4(a): Generate random c in Z_q
genC :: MonadRandom m => SPFM m Integer

-- | 5(a), 6(a): Verifies that the counterparty has not lied about their
--   original commitment and has not tampered with the k values they used
--   to encrypt their original message: `g^d_i == (g^k_i)^c * g^r`
verifyDMap :: Monad m => DMap -> GtoK1Map -> Integer -> Integer -> SPFM m Bool

-- | Computes the original bytestring that was commited by a counterparty
--   once they have supplied the neccessary parameters k_i and k_i'.
micpReveal :: MonadRandom m => K1Map -> K2Map -> SPFM m ByteString
instance GHC.Show.Show MICP.Internal.Bit
instance GHC.Enum.Enum MICP.Internal.Bit
instance GHC.Classes.Ord MICP.Internal.Bit
instance GHC.Classes.Eq MICP.Internal.Bit

module MICP
data IPhase
IPhase1 :: IPhase1Msg -> IPhase
IPhase2 :: IPhase2Msg -> IPhase
IPhase3 :: IPhase3Msg -> IPhase
IPhase4 :: IPhase4Msg -> IPhase
IPhase5 :: IPhase5Msg -> IPhase
data IPhase1Priv
data IPhase1Msg
iPhase1 :: MonadRandom m => Int -> m (IPhase1Priv, IPhase1Msg)
data IPhase2Priv
data IPhase2Params
mkIPhase2Params :: ByteString -> RPhase1Msg -> IPhase2Params
data IPhase2Msg
iPhase2 :: MonadRandom m => IPhase2Params -> SPFM m (IPhase2Priv, IPhase2Msg)
data IPhase3Params
mkIPhase3Params :: IPhase1Priv -> IPhase1Msg -> IPhase2Priv -> IPhase2Msg -> RPhase1Msg -> RPhase2Msg -> IPhase3Params
data IPhase3Msg
IPhase3Reject :: IPhase3Msg
IPhase3Msg :: Reveal -> DMap -> Integer -> IPhase3Msg
[iReveal] :: IPhase3Msg -> Reveal
[iDMap] :: IPhase3Msg -> DMap
[iA] :: IPhase3Msg -> Integer
iPhase3 :: MonadRandom m => IPhase3Params -> SPFM m IPhase3Msg
data IPhase4Params
mkIPhase4Params :: IPhase2Priv -> RPhase1Msg -> RPhase3Msg -> IPhase4Params
data IPhase4Msg
iPhase4 :: MonadRandom m => IPhase4Params -> SPFM m IPhase4Msg
data IPhase5Msg
iPhase5 :: IPhase2Priv -> IPhase5Msg
iGetK1Map :: IPhase5Msg -> K1Map
iGetK2Map :: IPhase4Msg -> Maybe K2Map
data RPhase
RPhase1 :: RPhase1Msg -> RPhase
RPhase2 :: RPhase2Msg -> RPhase
RPhase3 :: RPhase3Msg -> RPhase
RPhase4 :: RPhase4Msg -> RPhase
data RPhase1Priv
data RPhase1Params
mkRPhase1Params :: Int -> ByteString -> IPhase1Msg -> RPhase1Params
data RPhase1Msg
rPhase1 :: MonadRandom m => RPhase1Params -> SPFM m (RPhase1Priv, RPhase1Msg)
data RPhase2Params
mkRPhase2Params :: RPhase1Priv -> IPhase2Msg -> RPhase2Params
data RPhase2Msg
rPhase2 :: MonadRandom m => RPhase2Params -> SPFM m RPhase2Msg
data RPhase3Params
mkRPhase3Params :: RPhase1Priv -> RPhase1Msg -> RPhase2Msg -> IPhase1Msg -> IPhase2Msg -> IPhase3Msg -> RPhase3Params
data RPhase3Msg
rPhase3 :: MonadRandom m => RPhase3Params -> SPFM m RPhase3Msg
data RPhase4Params
mkRPhase4Params :: RPhase1Priv -> IPhase2Msg -> IPhase4Msg -> RPhase4Params

-- | Final message in the protocol
data RPhase4Msg
rPhase4 :: MonadRandom m => RPhase4Params -> SPFM m RPhase4Msg
rGetK1Map :: RPhase4Msg -> K1Map
rGetK2Map :: RPhase3Msg -> K2Map

module VectorPedersen

-- | Dot product between a vector of scalars and a vector of ECC.Points
dot :: Curve -> [Integer] -> [Point] -> Point

-- | Generate vector of generators in a deterministic way from the curve
--   generator g by applying H(encode(g) || i) where H is a secure hash
--   function
mkGs :: Curve -> [Point]

-- | Generate a commit value which is a vector of N elements
scalarGenerateN :: MonadRandom m => Curve -> Word8 -> m [Integer]

-- | Commitment function. The value we commit to is now a vector
ecCommit :: MonadRandom m => [Integer] -> ECCommitParams -> m ECPedersen

-- | Open commitment to check its validity
ecOpen :: ECCommitParams -> ECCommitment -> ECReveal -> Bool

-- | Verify the addition of two EC Vector Pedersen Commitments by
--   constructing the new Pedersen commitment on the uncommitted values.
ecVerifyAddCommitments :: ECCommitParams -> ECPedersen -> ECPedersen -> ECPedersen

-- | Sum of vectors in a curve
vecSum :: Curve -> [Integer] -> [Integer] -> [Integer]

-- | Add a vector to the committed value such that C'= C + wG
ecAddVector :: ECCommitParams -> ECCommitment -> [Integer] -> ECCommitment
ecVerifyAddVector :: ECCommitParams -> ECPedersen -> [Integer] -> ECPedersen

-- | ecRevealVal is a vector of scalars
data ECReveal
ECReveal :: [Integer] -> Integer -> ECReveal
[ecRevealVal] :: ECReveal -> [Integer]
[ecRevealScalar] :: ECReveal -> Integer
data ECPedersen
ECPedersen :: ECCommitment -> ECReveal -> ECPedersen
[ecCommitment] :: ECPedersen -> ECCommitment
[ecReveal] :: ECPedersen -> ECReveal
data ECCommitParams
ECCommitParams :: Curve -> Point -> ECCommitParams
[ecCurve] :: ECCommitParams -> Curve
[ecH] :: ECCommitParams -> Point
data ECCommitment
ECCommitment :: Point -> ECCommitment
[unECCommitment] :: ECCommitment -> Point