-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | Please see the README on GitHub at
--   <a>https://github.com/adjoint-io/bulletproofs#readme</a>
@package bulletproofs
@version 0.4.0

module Bulletproofs.Curve

-- | Order of the curve
q :: Integer

-- | Generator of the curve
g :: Point

-- | H = aG where a is not known
h :: Point

-- | Generate vector of generators in a deterministic way from the curve
--   generator g by applying H(encode(g) || i) where H is a secure hash
--   function
gs :: [Point]

-- | Generate vector of generators in a deterministic way from the curve
--   generator h by applying H(encode(h) || i) where H is a secure hash
--   function
hs :: [Point]
curve :: Curve

-- | A random oracle. In the Fiat-Shamir heuristic, its input is
--   specifically the transcript of the interaction up to that point.
oracle :: ByteString -> Integer
pointToBS :: Point -> ByteString

module Bulletproofs.Fq

-- | Prime field with characteristic <tt>_q</tt>
newtype Fq

-- | Use <tt>new</tt> instead of this constructor
Fq :: Integer -> Fq

-- | Turn an integer into an <tt>Fq</tt> number, should be used instead of
--   the <tt>Fq</tt> constructor.
new :: Integer -> Fq
norm :: Fq -> Fq
fqAdd :: Fq -> Fq -> Fq
fqMul :: Fq -> Fq -> Fq
fqNeg :: Fq -> Fq
fqDiv :: Fq -> Fq -> Fq

-- | Multiplicative inverse
fqInv :: Fq -> Fq

-- | Additive identity
fqZero :: Fq

-- | Multiplicative identity
fqOne :: Fq
fqSquare :: Fq -> Fq
fqCube :: Fq -> Fq
fqPower :: Fq -> Integer -> Fq
fqPower' :: Fq -> Integer -> Fq -> Fq
inv :: Fq -> Fq
asInteger :: Fq -> Integer

-- | Euclidean algorithm to compute inverse in an integral domain
--   <tt>a</tt>
euclidean :: Integral a => a -> a -> a
inv' :: Integral a => a -> a -> (a, a)
random :: MonadRandom m => m Fq
instance Control.DeepSeq.NFData Bulletproofs.Fq.Fq
instance GHC.Generics.Generic Bulletproofs.Fq.Fq
instance GHC.Classes.Ord Bulletproofs.Fq.Fq
instance Data.Bits.Bits Bulletproofs.Fq.Fq
instance GHC.Classes.Eq Bulletproofs.Fq.Fq
instance GHC.Show.Show Bulletproofs.Fq.Fq
instance GHC.Num.Num Bulletproofs.Fq.Fq
instance GHC.Real.Fractional Bulletproofs.Fq.Fq

module Bulletproofs.InnerProductProof.Internal
data InnerProductProof f
InnerProductProof :: [Point] -> [Point] -> f -> f -> InnerProductProof f

-- | Vector of commitments of the elements in the original vector l whose
--   size is the logarithm of base 2 of the size of vector l
[lCommits] :: InnerProductProof f -> [Point]

-- | Vector of commitments of the elements in the original vector r whose
--   size is the logarithm of base 2 of the size of vector r
[rCommits] :: InnerProductProof f -> [Point]

-- | Remaining element of vector l at the end of the recursive algorithm
--   that generates the inner-product proof
[l] :: InnerProductProof f -> f

-- | Remaining element of vector r at the end of the recursive algorithm
--   that generates the inner-product proof
[r] :: InnerProductProof f -> f
data InnerProductWitness f
InnerProductWitness :: [f] -> [f] -> InnerProductWitness f

-- | Vector of values l that the prover uses to compute lCommits in the
--   recursive inner product algorithm
[ls] :: InnerProductWitness f -> [f]

-- | Vector of values r that the prover uses to compute rCommits in the
--   recursive inner product algorithm
[rs] :: InnerProductWitness f -> [f]
data InnerProductBase
InnerProductBase :: [Point] -> [Point] -> Point -> InnerProductBase

-- | Independent generator Gs ∈ G^n
[bGs] :: InnerProductBase -> [Point]

-- | Independent generator Hs ∈ G^n
[bHs] :: InnerProductBase -> [Point]

-- | Internally fixed group element H ∈ G for which there is no known
--   discrete-log relation among Gs, Hs, bG
[bH] :: InnerProductBase -> Point
instance GHC.Classes.Eq Bulletproofs.InnerProductProof.Internal.InnerProductBase
instance GHC.Show.Show Bulletproofs.InnerProductProof.Internal.InnerProductBase
instance GHC.Classes.Eq f => GHC.Classes.Eq (Bulletproofs.InnerProductProof.Internal.InnerProductWitness f)
instance GHC.Show.Show f => GHC.Show.Show (Bulletproofs.InnerProductProof.Internal.InnerProductWitness f)
instance Control.DeepSeq.NFData f => Control.DeepSeq.NFData (Bulletproofs.InnerProductProof.Internal.InnerProductProof f)
instance GHC.Generics.Generic (Bulletproofs.InnerProductProof.Internal.InnerProductProof f)
instance GHC.Classes.Eq f => GHC.Classes.Eq (Bulletproofs.InnerProductProof.Internal.InnerProductProof f)
instance GHC.Show.Show f => GHC.Show.Show (Bulletproofs.InnerProductProof.Internal.InnerProductProof f)

module Bulletproofs.Utils
class AsInteger a
asInteger :: AsInteger a => a -> Integer
class (Num f, Fractional f) => Field f
fSquare :: Field f => f -> f

-- | Return a vector containing the first n powers of a
powerVector :: (Eq f, Num f) => f -> Integer -> [f]

-- | Hadamard product or entry wise multiplication of two vectors
hadamardp :: Num a => [a] -> [a] -> [a]
dot :: Num a => [a] -> [a] -> a
(^+^) :: Num a => [a] -> [a] -> [a]
(^-^) :: Num a => [a] -> [a] -> [a]

-- | Add two points of the same curve
addP :: Point -> Point -> Point

-- | Substract two points of the same curve
subP :: Point -> Point -> Point

-- | Multiply a scalar and a point in an elliptic curve
mulP :: AsInteger f => f -> Point -> Point

-- | Double exponentiation (Shamir's trick): g0^x0 + g1^x1
addTwoMulP :: AsInteger f => f -> Point -> f -> Point -> Point

-- | Raise every point to the corresponding exponent, sum up results
sumExps :: AsInteger f => [f] -> [Point] -> Point

-- | Create a Pedersen commitment to a value given a value and a blinding
--   factor
commit :: AsInteger f => f -> f -> Point
isLogBase2 :: Integer -> Bool
logBase2 :: Integer -> Integer
logBase2M :: Integer -> Maybe Integer
slice :: Integer -> Integer -> [a] -> [a]

-- | Append minimal amount of zeroes until the list has a length which is a
--   power of two.
padToNearestPowerOfTwo :: Num f => [f] -> [f]

-- | Given n, append zeroes until the list has length 2^n.
padToNearestPowerOfTwoOf :: Num f => Int -> [f] -> [f]

-- | Calculate ceiling of log base 2 of an integer.
log2Ceil :: Int -> Int
randomN :: MonadRandom m => Integer -> m Integer
chooseBlindingVectors :: (Num f, MonadRandom m) => Integer -> m ([f], [f])
shamirY :: Num f => Point -> Point -> f
shamirZ :: (Show f, Num f) => Point -> Point -> f -> f
shamirX :: (Show f, Num f) => Point -> Point -> Point -> Point -> f -> f -> f
shamirX' :: Num f => Point -> Point -> Point -> f
shamirU :: (Show f, Num f) => f -> f -> f -> f
instance Bulletproofs.Utils.Field Bulletproofs.Fq.Fq
instance Bulletproofs.Utils.AsInteger Bulletproofs.Fq.Fq
instance Bulletproofs.Utils.AsInteger GHC.Integer.Type.Integer

module Bulletproofs.RangeProof.Internal
data RangeProof f
RangeProof :: f -> f -> f -> Point -> Point -> Point -> Point -> InnerProductProof f -> RangeProof f

-- | Blinding factor of the T1 and T2 commitments, combined into the form
--   required to make the committed version of the x-polynomial add up
[tBlinding] :: RangeProof f -> f

-- | Blinding factor required for the Verifier to verify commitments A, S
[mu] :: RangeProof f -> f

-- | Dot product of vectors l and r that prove knowledge of the value in
--   range t = t(x) = l(x) · r(x)
[t] :: RangeProof f -> f

-- | Commitment to aL and aR, where aL and aR are vectors of bits such that
--   aL · 2^n = v and aR = aL − 1^n . A = α · H + aL · G + aR · H
[aCommit] :: RangeProof f -> Point

-- | Commitment to new vectors sL, sR, created at random by the Prover
[sCommit] :: RangeProof f -> Point

-- | Pedersen commitment to coefficient t1
[t1Commit] :: RangeProof f -> Point

-- | Pedersen commitment to coefficient t2
[t2Commit] :: RangeProof f -> Point

-- | Inner product argument to prove that a commitment P has vectors l, r ∈
--   Z^n for which P = l · G + r · H + ( l, r ) · U
[productProof] :: RangeProof f -> InnerProductProof f
data RangeProofError

-- | The upper bound of the range is too large
UpperBoundTooLarge :: Integer -> RangeProofError

-- | Value is not within the range required
ValueNotInRange :: Integer -> RangeProofError

-- | Values are not within the range required
ValuesNotInRange :: [Integer] -> RangeProofError

-- | Dimension n is required to be a power of 2
NNotPowerOf2 :: Integer -> RangeProofError
data LRPolys f
LRPolys :: [f] -> [f] -> [f] -> [f] -> LRPolys f
[l0] :: LRPolys f -> [f]
[l1] :: LRPolys f -> [f]
[r0] :: LRPolys f -> [f]
[r1] :: LRPolys f -> [f]
data TPoly f
TPoly :: f -> f -> f -> TPoly f
[t0] :: TPoly f -> f
[t1] :: TPoly f -> f
[t2] :: TPoly f -> f

-- | Encode the value v into a bit representation. Let aL be a vector of
--   bits such that <a>2^n</a> = v (put more simply, the components of a L
--   are the binary digits of v).
encodeBit :: (AsInteger f, Num f) => Integer -> f -> [f]

-- | Bits of v reversed. v = <a>2^n</a> = a_0 * 2^0 + ... + a_n-1 * 2^(n-1)
reversedEncodeBit :: (AsInteger f, Num f) => Integer -> f -> [f]
reversedEncodeBitMulti :: (AsInteger f, Num f) => Integer -> [f] -> [f]

-- | In order to prove that v is in range, each element of aL is either 0
--   or 1. We construct a “complementary” vector aR = aL − 1^n and require
--   that aL ◦ aR = 0 hold.
complementaryVector :: Num a => [a] -> [a]

-- | Add non-relevant zeros to a vector to match the size of the other
--   vectors used in the protocol
fillWithZeros :: Num f => Integer -> [f] -> [f]

-- | Obfuscate encoded bits with challenges y and z. z^2 * <a>2^n</a> + z *
--   <a>− 1^n − aR, y^n</a> + <a>aR · y^n</a> = (z^2) * v The property
--   holds because <a>− 1^n − aR, y^n</a> = 0 and <a>· aR, y^n</a> = 0
obfuscateEncodedBits :: (Eq f, Field f) => Integer -> [f] -> [f] -> f -> f -> f
obfuscateEncodedBitsSingle :: (Eq f, Field f) => Integer -> [f] -> [f] -> f -> f -> f

-- | We need to blind the vectors aL, aR to make the proof zero knowledge.
--   The Prover creates randomly vectors sL and sR. On creating these, the
--   Prover can send commitments to these vectors; these are properly
--   blinded vector Pedersen commitments:
commitBitVectors :: (MonadRandom m, AsInteger f) => f -> f -> [f] -> [f] -> [f] -> [f] -> m (Point, Point)

-- | (z − z^2) * <a>y^n</a> − z^3 * <a>2^n</a>
delta :: (Eq f, Field f) => Integer -> Integer -> f -> f -> f

-- | Check that a value is in a specific range
checkRange :: Integer -> Integer -> Bool

-- | Check that a value is in a specific range
checkRanges :: Integer -> [Integer] -> Bool

-- | Compute commitment of linear vector polynomials l and r P = A + xS −
--   zG + (z*y^n + z^2 * 2^n) * hs'
computeLRCommitment :: (AsInteger f, Eq f, Num f, Show f) => Integer -> Integer -> Point -> Point -> f -> f -> f -> f -> f -> f -> [Point] -> Point
instance Control.DeepSeq.NFData Bulletproofs.RangeProof.Internal.RangeProofError
instance GHC.Generics.Generic Bulletproofs.RangeProof.Internal.RangeProofError
instance GHC.Classes.Eq Bulletproofs.RangeProof.Internal.RangeProofError
instance GHC.Show.Show Bulletproofs.RangeProof.Internal.RangeProofError
instance Control.DeepSeq.NFData f => Control.DeepSeq.NFData (Bulletproofs.RangeProof.Internal.RangeProof f)
instance GHC.Generics.Generic (Bulletproofs.RangeProof.Internal.RangeProof f)
instance GHC.Classes.Eq f => GHC.Classes.Eq (Bulletproofs.RangeProof.Internal.RangeProof f)
instance GHC.Show.Show f => GHC.Show.Show (Bulletproofs.RangeProof.Internal.RangeProof f)

module Bulletproofs.InnerProductProof.Verifier

-- | Optimized non-interactive verifier using multi-exponentiation and
--   batch verification
verifyProof :: (AsInteger f, Field f) => Integer -> InnerProductBase -> Point -> InnerProductProof f -> Bool

module Bulletproofs.InnerProductProof.Prover

-- | Generate proof that a witness l, r satisfies the inner product
--   relation on public input (Gs, Hs, h)
generateProof :: (AsInteger f, Eq f, Field f) => InnerProductBase -> Point -> InnerProductWitness f -> InnerProductProof f

module Bulletproofs.InnerProductProof

-- | Generate proof that a witness l, r satisfies the inner product
--   relation on public input (Gs, Hs, h)
generateProof :: (AsInteger f, Eq f, Field f) => InnerProductBase -> Point -> InnerProductWitness f -> InnerProductProof f

-- | Optimized non-interactive verifier using multi-exponentiation and
--   batch verification
verifyProof :: (AsInteger f, Field f) => Integer -> InnerProductBase -> Point -> InnerProductProof f -> Bool
data InnerProductProof f
InnerProductProof :: [Point] -> [Point] -> f -> f -> InnerProductProof f

-- | Vector of commitments of the elements in the original vector l whose
--   size is the logarithm of base 2 of the size of vector l
[lCommits] :: InnerProductProof f -> [Point]

-- | Vector of commitments of the elements in the original vector r whose
--   size is the logarithm of base 2 of the size of vector r
[rCommits] :: InnerProductProof f -> [Point]

-- | Remaining element of vector l at the end of the recursive algorithm
--   that generates the inner-product proof
[l] :: InnerProductProof f -> f

-- | Remaining element of vector r at the end of the recursive algorithm
--   that generates the inner-product proof
[r] :: InnerProductProof f -> f
data InnerProductBase
InnerProductBase :: [Point] -> [Point] -> Point -> InnerProductBase

-- | Independent generator Gs ∈ G^n
[bGs] :: InnerProductBase -> [Point]

-- | Independent generator Hs ∈ G^n
[bHs] :: InnerProductBase -> [Point]

-- | Internally fixed group element H ∈ G for which there is no known
--   discrete-log relation among Gs, Hs, bG
[bH] :: InnerProductBase -> Point
data InnerProductWitness f
InnerProductWitness :: [f] -> [f] -> InnerProductWitness f

-- | Vector of values l that the prover uses to compute lCommits in the
--   recursive inner product algorithm
[ls] :: InnerProductWitness f -> [f]

-- | Vector of values r that the prover uses to compute rCommits in the
--   recursive inner product algorithm
[rs] :: InnerProductWitness f -> [f]

module Bulletproofs.MultiRangeProof.Verifier

-- | Verify that a commitment was computed from a value in a given range
verifyProof :: (AsInteger f, Eq f, Field f, Show f) => Integer -> [Point] -> RangeProof f -> Bool

-- | Verify the constant term of the polynomial t t = t(x) = t0 + t1*x +
--   t2*x^2 This is what binds the proof to the actual original Pedersen
--   commitment V to the actual value
verifyTPoly :: (AsInteger f, Eq f, Field f) => Integer -> [Point] -> RangeProof f -> f -> f -> f -> Bool

-- | Verify the inner product argument for the vectors l and r that form t
verifyLRCommitment :: (AsInteger f, Eq f, Field f, Show f) => Integer -> Integer -> RangeProof f -> f -> f -> f -> Bool

module Bulletproofs.RangeProof.Verifier

-- | Verify that a commitment was computed from a value in a given range
verifyProof :: (AsInteger f, Eq f, Field f, Show f) => Integer -> Point -> RangeProof f -> Bool

-- | Verify the constant term of the polynomial t t = t(x) = t0 + t1*x +
--   t2*x^2 This is what binds the proof to the actual original Pedersen
--   commitment V to the actual value
verifyTPoly :: (AsInteger f, Eq f, Field f, Show f) => Integer -> Point -> RangeProof f -> f -> f -> f -> Bool

-- | Verify the inner product argument for the vectors l and r that form t
verifyLRCommitment :: (AsInteger f, Eq f, Field f, Show f) => Integer -> RangeProof f -> f -> f -> f -> Bool

module Bulletproofs.MultiRangeProof.Prover

-- | Prove that a list of values lies in a specific range
generateProof :: (AsInteger f, Eq f, Field f, Show f, MonadRandom m) => Integer -> [(Integer, Integer)] -> ExceptT RangeProofError m (RangeProof f)

-- | Generate range proof from valid inputs
generateProofUnsafe :: forall f m. (AsInteger f, Eq f, Field f, Show f, MonadRandom m) => Integer -> [(Integer, Integer)] -> m (RangeProof f)

module Bulletproofs.RangeProof.Prover

-- | Prove that a value lies in a specific range
generateProof :: (AsInteger f, Eq f, Field f, Show f, MonadRandom m) => Integer -> (Integer, Integer) -> ExceptT RangeProofError m (RangeProof f)

-- | Generate range proof from valid inputs
generateProofUnsafe :: (AsInteger f, Eq f, Field f, Show f, MonadRandom m) => Integer -> (Integer, Integer) -> m (RangeProof f)

module Bulletproofs.RangeProof
data RangeProof f
RangeProof :: f -> f -> f -> Point -> Point -> Point -> Point -> InnerProductProof f -> RangeProof f

-- | Blinding factor of the T1 and T2 commitments, combined into the form
--   required to make the committed version of the x-polynomial add up
[tBlinding] :: RangeProof f -> f

-- | Blinding factor required for the Verifier to verify commitments A, S
[mu] :: RangeProof f -> f

-- | Dot product of vectors l and r that prove knowledge of the value in
--   range t = t(x) = l(x) · r(x)
[t] :: RangeProof f -> f

-- | Commitment to aL and aR, where aL and aR are vectors of bits such that
--   aL · 2^n = v and aR = aL − 1^n . A = α · H + aL · G + aR · H
[aCommit] :: RangeProof f -> Point

-- | Commitment to new vectors sL, sR, created at random by the Prover
[sCommit] :: RangeProof f -> Point

-- | Pedersen commitment to coefficient t1
[t1Commit] :: RangeProof f -> Point

-- | Pedersen commitment to coefficient t2
[t2Commit] :: RangeProof f -> Point

-- | Inner product argument to prove that a commitment P has vectors l, r ∈
--   Z^n for which P = l · G + r · H + ( l, r ) · U
[productProof] :: RangeProof f -> InnerProductProof f
data RangeProofError

-- | The upper bound of the range is too large
UpperBoundTooLarge :: Integer -> RangeProofError

-- | Value is not within the range required
ValueNotInRange :: Integer -> RangeProofError

-- | Values are not within the range required
ValuesNotInRange :: [Integer] -> RangeProofError

-- | Dimension n is required to be a power of 2
NNotPowerOf2 :: Integer -> RangeProofError

-- | Prove that a value lies in a specific range
generateProof :: (AsInteger f, Eq f, Field f, Show f, MonadRandom m) => Integer -> (Integer, Integer) -> ExceptT RangeProofError m (RangeProof f)

-- | Generate range proof from valid inputs
generateProofUnsafe :: (AsInteger f, Eq f, Field f, Show f, MonadRandom m) => Integer -> (Integer, Integer) -> m (RangeProof f)

-- | Verify that a commitment was computed from a value in a given range
verifyProof :: (AsInteger f, Eq f, Field f, Show f) => Integer -> Point -> RangeProof f -> Bool

module Bulletproofs.MultiRangeProof
data RangeProof f
RangeProof :: f -> f -> f -> Point -> Point -> Point -> Point -> InnerProductProof f -> RangeProof f

-- | Blinding factor of the T1 and T2 commitments, combined into the form
--   required to make the committed version of the x-polynomial add up
[tBlinding] :: RangeProof f -> f

-- | Blinding factor required for the Verifier to verify commitments A, S
[mu] :: RangeProof f -> f

-- | Dot product of vectors l and r that prove knowledge of the value in
--   range t = t(x) = l(x) · r(x)
[t] :: RangeProof f -> f

-- | Commitment to aL and aR, where aL and aR are vectors of bits such that
--   aL · 2^n = v and aR = aL − 1^n . A = α · H + aL · G + aR · H
[aCommit] :: RangeProof f -> Point

-- | Commitment to new vectors sL, sR, created at random by the Prover
[sCommit] :: RangeProof f -> Point

-- | Pedersen commitment to coefficient t1
[t1Commit] :: RangeProof f -> Point

-- | Pedersen commitment to coefficient t2
[t2Commit] :: RangeProof f -> Point

-- | Inner product argument to prove that a commitment P has vectors l, r ∈
--   Z^n for which P = l · G + r · H + ( l, r ) · U
[productProof] :: RangeProof f -> InnerProductProof f
data RangeProofError

-- | The upper bound of the range is too large
UpperBoundTooLarge :: Integer -> RangeProofError

-- | Value is not within the range required
ValueNotInRange :: Integer -> RangeProofError

-- | Values are not within the range required
ValuesNotInRange :: [Integer] -> RangeProofError

-- | Dimension n is required to be a power of 2
NNotPowerOf2 :: Integer -> RangeProofError

-- | Prove that a list of values lies in a specific range
generateProof :: (AsInteger f, Eq f, Field f, Show f, MonadRandom m) => Integer -> [(Integer, Integer)] -> ExceptT RangeProofError m (RangeProof f)

-- | Generate range proof from valid inputs
generateProofUnsafe :: forall f m. (AsInteger f, Eq f, Field f, Show f, MonadRandom m) => Integer -> [(Integer, Integer)] -> m (RangeProof f)

-- | Verify that a commitment was computed from a value in a given range
verifyProof :: (AsInteger f, Eq f, Field f, Show f) => Integer -> [Point] -> RangeProof f -> Bool

module Bulletproofs.ArithmeticCircuit.Internal
data ArithCircuitProofError

-- | The number of gates is too high
TooManyGates :: Integer -> ArithCircuitProofError

-- | The number of gates is not a power of 2
NNotPowerOf2 :: Integer -> ArithCircuitProofError
data ArithCircuitProof f
ArithCircuitProof :: f -> f -> f -> Point -> Point -> Point -> [Point] -> InnerProductProof f -> ArithCircuitProof f

-- | Blinding factor of the T1 and T2 commitments, combined into the form
--   required to make the committed version of the x-polynomial add up
[tBlinding] :: ArithCircuitProof f -> f

-- | Blinding factor required for the Verifier to verify commitments A, S
[mu] :: ArithCircuitProof f -> f

-- | Dot product of vectors l and r that prove knowledge of the value in
--   range t = t(x) = l(x) · r(x)
[t] :: ArithCircuitProof f -> f

-- | Commitment to vectors aL and aR
[aiCommit] :: ArithCircuitProof f -> Point

-- | Commitment to vectors aO
[aoCommit] :: ArithCircuitProof f -> Point

-- | Commitment to new vectors sL, sR, created at random by the Prover
[sCommit] :: ArithCircuitProof f -> Point

-- | Commitments to t1, t3, t4, t5, t6
[tCommits] :: ArithCircuitProof f -> [Point]
[productProof] :: ArithCircuitProof f -> InnerProductProof f
data ArithCircuit f
ArithCircuit :: GateWeights f -> [[f]] -> [f] -> ArithCircuit f

-- | Weights for vectors of left and right inputs and for vector of outputs
[weights] :: ArithCircuit f -> GateWeights f

-- | Weigths for a commitments V of rank m
[commitmentWeights] :: ArithCircuit f -> [[f]]

-- | Vector of constants of size Q
[cs] :: ArithCircuit f -> [f]
data GateWeights f
GateWeights :: [[f]] -> [[f]] -> [[f]] -> GateWeights f

-- | WL ∈ F^(Q x n)
[wL] :: GateWeights f -> [[f]]

-- | WR ∈ F^(Q x n)
[wR] :: GateWeights f -> [[f]]

-- | WO ∈ F^(Q x n)
[wO] :: GateWeights f -> [[f]]
data ArithWitness f
ArithWitness :: Assignment f -> [Point] -> [f] -> ArithWitness f

-- | Vectors of left and right inputs and vector of outputs
[assignment] :: ArithWitness f -> Assignment f

-- | Vector of commited input values ∈ F^m
[commitments] :: ArithWitness f -> [Point]

-- | Vector of blinding factors for input values ∈ F^m
[commitBlinders] :: ArithWitness f -> [f]
data Assignment f
Assignment :: [f] -> [f] -> [f] -> Assignment f

-- | aL ∈ F^n. Vector of left inputs of each multiplication gate
[aL] :: Assignment f -> [f]

-- | aR ∈ F^n. Vector of right inputs of each multiplication gate
[aR] :: Assignment f -> [f]

-- | aO ∈ F^n. Vector of outputs of each multiplication gate
[aO] :: Assignment f -> [f]

-- | Pad circuit weights to make n be a power of 2, which is required to
--   compute the inner product proof
padCircuit :: Num f => ArithCircuit f -> ArithCircuit f

-- | Pad assignment vectors to make their length n be a power of 2, which
--   is required to compute the inner product proof
padAssignment :: Num f => Assignment f -> Assignment f
delta :: (Eq f, Field f) => Integer -> f -> [f] -> [f] -> f
commitBitVector :: AsInteger f => f -> [f] -> [f] -> Point
shamirGxGxG :: (Show f, Num f) => Point -> Point -> Point -> f
shamirGs :: (Show f, Num f) => [Point] -> f
shamirZ :: (Show f, Num f) => f -> f
evaluatePolynomial :: Num f => Integer -> [[f]] -> f -> [f]
multiplyPoly :: Num n => [[n]] -> [[n]] -> [n]
vectorMatrixProduct :: Num f => [f] -> [[f]] -> [f]
vectorMatrixProductT :: Num f => [f] -> [[f]] -> [f]
matrixVectorProduct :: Num f => [[f]] -> [f] -> [f]
powerMatrix :: Num f => [[f]] -> Integer -> [[f]]
matrixProduct :: Num a => [[a]] -> [[a]] -> [[a]]
insertAt :: Int -> a -> [a] -> [a]
genIdenMatrix :: Num f => Integer -> [[f]]
genZeroMatrix :: Num f => Integer -> Integer -> [[f]]
generateWv :: (Num f, MonadRandom m) => Integer -> Integer -> m [[f]]
generateGateWeights :: (MonadRandom m, Num f) => Integer -> Integer -> m (GateWeights f)
generateRandomAssignment :: forall f m. (Num f, AsInteger f, MonadRandom m) => Integer -> m (Assignment f)
computeInputValues :: (Field f, Eq f) => GateWeights f -> [[f]] -> Assignment f -> [f] -> [f]
gaussianReduce :: (Field f, Eq f) => [[f]] -> [[f]]
substituteMatrix :: (Field f, Eq f) => [[f]] -> [f]
solveLinearSystem :: (Field f, Eq f) => [[f]] -> [f]
instance Control.DeepSeq.NFData f => Control.DeepSeq.NFData (Bulletproofs.ArithmeticCircuit.Internal.ArithWitness f)
instance GHC.Generics.Generic (Bulletproofs.ArithmeticCircuit.Internal.ArithWitness f)
instance GHC.Classes.Eq f => GHC.Classes.Eq (Bulletproofs.ArithmeticCircuit.Internal.ArithWitness f)
instance GHC.Show.Show f => GHC.Show.Show (Bulletproofs.ArithmeticCircuit.Internal.ArithWitness f)
instance Control.DeepSeq.NFData f => Control.DeepSeq.NFData (Bulletproofs.ArithmeticCircuit.Internal.Assignment f)
instance GHC.Generics.Generic (Bulletproofs.ArithmeticCircuit.Internal.Assignment f)
instance GHC.Classes.Eq f => GHC.Classes.Eq (Bulletproofs.ArithmeticCircuit.Internal.Assignment f)
instance GHC.Show.Show f => GHC.Show.Show (Bulletproofs.ArithmeticCircuit.Internal.Assignment f)
instance Control.DeepSeq.NFData f => Control.DeepSeq.NFData (Bulletproofs.ArithmeticCircuit.Internal.ArithCircuit f)
instance GHC.Generics.Generic (Bulletproofs.ArithmeticCircuit.Internal.ArithCircuit f)
instance GHC.Classes.Eq f => GHC.Classes.Eq (Bulletproofs.ArithmeticCircuit.Internal.ArithCircuit f)
instance GHC.Show.Show f => GHC.Show.Show (Bulletproofs.ArithmeticCircuit.Internal.ArithCircuit f)
instance Control.DeepSeq.NFData f => Control.DeepSeq.NFData (Bulletproofs.ArithmeticCircuit.Internal.GateWeights f)
instance GHC.Generics.Generic (Bulletproofs.ArithmeticCircuit.Internal.GateWeights f)
instance GHC.Classes.Eq f => GHC.Classes.Eq (Bulletproofs.ArithmeticCircuit.Internal.GateWeights f)
instance GHC.Show.Show f => GHC.Show.Show (Bulletproofs.ArithmeticCircuit.Internal.GateWeights f)
instance Control.DeepSeq.NFData f => Control.DeepSeq.NFData (Bulletproofs.ArithmeticCircuit.Internal.ArithCircuitProof f)
instance GHC.Generics.Generic (Bulletproofs.ArithmeticCircuit.Internal.ArithCircuitProof f)
instance GHC.Classes.Eq f => GHC.Classes.Eq (Bulletproofs.ArithmeticCircuit.Internal.ArithCircuitProof f)
instance GHC.Show.Show f => GHC.Show.Show (Bulletproofs.ArithmeticCircuit.Internal.ArithCircuitProof f)
instance GHC.Classes.Eq Bulletproofs.ArithmeticCircuit.Internal.ArithCircuitProofError
instance GHC.Show.Show Bulletproofs.ArithmeticCircuit.Internal.ArithCircuitProofError

module Bulletproofs.ArithmeticCircuit.Verifier

-- | Verify that a zero-knowledge proof holds for an arithmetic circuit
--   given committed input values
verifyProof :: (AsInteger f, Field f, Eq f, Show f) => [Point] -> ArithCircuitProof f -> ArithCircuit f -> Bool

module Bulletproofs.ArithmeticCircuit.Prover

-- | Generate a zero-knowledge proof of computation for an arithmetic
--   circuit with a valid witness
generateProof :: forall f m. (MonadRandom m, AsInteger f, Field f, Show f, Eq f) => ArithCircuit f -> ArithWitness f -> m (ArithCircuitProof f)

module Bulletproofs.ArithmeticCircuit

-- | Generate a zero-knowledge proof of computation for an arithmetic
--   circuit with a valid witness
generateProof :: forall f m. (MonadRandom m, AsInteger f, Field f, Show f, Eq f) => ArithCircuit f -> ArithWitness f -> m (ArithCircuitProof f)

-- | Verify that a zero-knowledge proof holds for an arithmetic circuit
--   given committed input values
verifyProof :: (AsInteger f, Field f, Eq f, Show f) => [Point] -> ArithCircuitProof f -> ArithCircuit f -> Bool
data ArithCircuitProof f
ArithCircuitProof :: f -> f -> f -> Point -> Point -> Point -> [Point] -> InnerProductProof f -> ArithCircuitProof f

-- | Blinding factor of the T1 and T2 commitments, combined into the form
--   required to make the committed version of the x-polynomial add up
[tBlinding] :: ArithCircuitProof f -> f

-- | Blinding factor required for the Verifier to verify commitments A, S
[mu] :: ArithCircuitProof f -> f

-- | Dot product of vectors l and r that prove knowledge of the value in
--   range t = t(x) = l(x) · r(x)
[t] :: ArithCircuitProof f -> f

-- | Commitment to vectors aL and aR
[aiCommit] :: ArithCircuitProof f -> Point

-- | Commitment to vectors aO
[aoCommit] :: ArithCircuitProof f -> Point

-- | Commitment to new vectors sL, sR, created at random by the Prover
[sCommit] :: ArithCircuitProof f -> Point

-- | Commitments to t1, t3, t4, t5, t6
[tCommits] :: ArithCircuitProof f -> [Point]
[productProof] :: ArithCircuitProof f -> InnerProductProof f
data ArithCircuit f
ArithCircuit :: GateWeights f -> [[f]] -> [f] -> ArithCircuit f

-- | Weights for vectors of left and right inputs and for vector of outputs
[weights] :: ArithCircuit f -> GateWeights f

-- | Weigths for a commitments V of rank m
[commitmentWeights] :: ArithCircuit f -> [[f]]

-- | Vector of constants of size Q
[cs] :: ArithCircuit f -> [f]
data ArithWitness f
ArithWitness :: Assignment f -> [Point] -> [f] -> ArithWitness f

-- | Vectors of left and right inputs and vector of outputs
[assignment] :: ArithWitness f -> Assignment f

-- | Vector of commited input values ∈ F^m
[commitments] :: ArithWitness f -> [Point]

-- | Vector of blinding factors for input values ∈ F^m
[commitBlinders] :: ArithWitness f -> [f]
data GateWeights f
GateWeights :: [[f]] -> [[f]] -> [[f]] -> GateWeights f

-- | WL ∈ F^(Q x n)
[wL] :: GateWeights f -> [[f]]

-- | WR ∈ F^(Q x n)
[wR] :: GateWeights f -> [[f]]

-- | WO ∈ F^(Q x n)
[wO] :: GateWeights f -> [[f]]
data Assignment f
Assignment :: [f] -> [f] -> [f] -> Assignment f

-- | aL ∈ F^n. Vector of left inputs of each multiplication gate
[aL] :: Assignment f -> [f]

-- | aR ∈ F^n. Vector of right inputs of each multiplication gate
[aR] :: Assignment f -> [f]

-- | aO ∈ F^n. Vector of outputs of each multiplication gate
[aO] :: Assignment f -> [f]
