diff --git a/static/js/modules/crypto/paillier.js b/static/js/modules/crypto/paillier.js
index 1a9376d..04fb92d 100644
--- a/static/js/modules/crypto/paillier.js
+++ b/static/js/modules/crypto/paillier.js
@@ -16,11 +16,11 @@ class Ciphertext {
         let gm = (1n + key.n * plainText) % key.n2;
 
         // Compute g^m r^n from crt.
-        this.cyphertext = (gm * mod_exp(r, key.n, key.n2)) % key.n2;
+        this.cipherText = (gm * mod_exp(r, key.n, key.n2)) % key.n2;
 
         // Force into range.
-        while (this.cyphertext < 0n) {
-            this.cyphertext += key.n2;
+        while (this.cipherText < 0n) {
+            this.cipherText += key.n2;
         }
 
         this.r = r;
@@ -31,30 +31,69 @@ class Ciphertext {
     }
 
     update(c) {
-        this.cyphertext = (this.cyphertext * c.cyphertext) % this.pubKey.n2;
+        this.cipherText = (this.cipherText * c.cipherText) % this.pubKey.n2;
         this.r = (this.r * c.r) % this.pubKey.n2;
         this.plainText += c.plainText;
 
         // Force into range
-        while (this.cyphertext < 0n) {
-            this.cyphertext += this.pubKey.n2;
+        while (this.cipherText < 0n) {
+            this.cipherText += this.pubKey.n2;
         }
     }
 
     toString() {
-        return "0x" + this.cyphertext.toString(16);
+        return "0x" + this.cipherText.toString(16);
     }
 
     prove() {
-        return new ZeroProofSessionProver(this);
+        return new ValueProofSessionProver(this);
     }
 
-    asReadOnlyCyphertext() {
-        return new ReadOnlyCiphertext(this.pubKey, this.cyphertext);
+    // Construct a non-interactive proof
+    proveNI() {
+        let rp = cryptoRandom(4096);
+        while (rp >= this.pubKey.n) {
+            rp = cryptoRandom(4096);
+        }
+
+        let a = mod_exp(rp, this.pubKey.n, this.pubKey.n2);
+        let hasher = new jsSHA("SHAKE256", "HEX");
+
+        let plainText = this.plainText.toString(16);
+        if (plainText.length % 2 !== 0) {
+            plainText = "0" + plainText;
+        }
+
+        let aStr = a.toString(16);
+        if (aStr.length % 2 !== 0) {
+            aStr = "0" + aStr;
+        }
+
+        hasher.update(this.pubKey.g.toString(16));
+        hasher.update(plainText);
+        hasher.update(aStr);
+
+        let challenge = BigInt("0x" + hasher.getHash("HEX", { outputLen: 2048 }));
+
+        return {
+            plainText: "0x" + this.plainText.toString(16),
+            a: "0x" + a.toString(16),
+            challenge: "0x" + challenge.toString(16),
+            proof:
+                "0x" +
+                (
+                    ((rp % this.pubKey.n) * mod_exp(this.r, challenge, this.pubKey.n)) %
+                    this.pubKey.n
+                ).toString(16),
+        };
+    }
+
+    asReadOnlyCiphertext() {
+        return new ReadOnlyCiphertext(this.pubKey, this.cipherText);
     }
 }
 
-class ZeroProofSessionProver {
+class ValueProofSessionProver {
     constructor(cipherText) {
         this.cipherText = cipherText;
 
@@ -82,46 +121,63 @@ class ZeroProofSessionProver {
 
     asVerifier() {
         return this.cipherText
-            .asReadOnlyCyphertext()
+            .asReadOnlyCiphertext()
             .prove(this.cipherText.plainText, this.noise());
     }
 }
 
-window.Cyphertext = Ciphertext;
+window.Ciphertext = Ciphertext;
 
 export class ReadOnlyCiphertext {
-    constructor(key, cyphertext) {
-        this.cyphertext = cyphertext;
+    constructor(key, cipherText) {
+        this.cipherText = cipherText;
         this.pubKey = key;
 
         this.readOnly = true;
     }
 
     update(c) {
-        this.cyphertext = (this.cyphertext * c.cyphertext) % this.pubKey.n2;
+        this.cipherText = (this.cipherText * c.cipherText) % this.pubKey.n2;
 
         // Force into range
-        while (this.cyphertext < 0n) {
-            this.cyphertext += this.pubKey.n2;
+        while (this.cipherText < 0n) {
+            this.cipherText += this.pubKey.n2;
         }
     }
 
     prove(plainText, a) {
-        return new ZeroProofSessionVerifier(this, plainText, a);
+        return new ValueProofSessionVerifier(this, plainText, a);
+    }
+
+    verifyNI(statement) {
+        let verifier = new ValueProofSessionVerifier(
+            this,
+            BigInt(statement.plainText),
+            BigInt(statement.a),
+            BigInt(statement.challenge)
+        );
+
+        return verifier.verify(BigInt(statement.proof));
     }
 
     clone() {
-        return new ReadOnlyCiphertext(this.pubKey, this.cyphertext);
+        return new ReadOnlyCiphertext(this.pubKey, this.cipherText);
     }
 }
 
-class ZeroProofSessionVerifier {
-    constructor(cipherText, plainText, a) {
+class ValueProofSessionVerifier {
+    constructor(cipherText, plainText, a, challenge) {
         // Clone, otherwise the update below will mutate the original value
         this.cipherText = cipherText.clone();
         this.cipherText.update(this.cipherText.pubKey.encrypt(-1n * plainText, 1n));
-        // Shift the challenge down by 1 to ensure it is smaller than either prime factor.
-        this.challenge = cryptoRandom(2048) << 1n;
+
+        if (challenge === undefined) {
+            // Shift the challenge down by 1 to ensure it is smaller than either prime factor.
+            this.challenge = cryptoRandom(2048) << 1n;
+        } else {
+            this.challenge = challenge;
+        }
+
         this.a = a;
 
         this.plainText = plainText;
@@ -130,14 +186,14 @@ class ZeroProofSessionVerifier {
     verify(proof) {
         // check coprimality
         if (gcd(proof, this.cipherText.pubKey.n) !== 1n) return -1;
-        if (gcd(this.cipherText.cyphertext, this.cipherText.pubKey.n) !== 1n) return -2;
+        if (gcd(this.cipherText.cipherText, this.cipherText.pubKey.n) !== 1n) return -2;
         if (gcd(this.a, this.cipherText.pubKey.n) !== 1n) return -3;
 
         // check exp
         return mod_exp(proof, this.cipherText.pubKey.n, this.cipherText.pubKey.n2) ===
             (this.a *
                 mod_exp(
-                    this.cipherText.cyphertext,
+                    this.cipherText.cipherText,
                     this.challenge,
                     this.cipherText.pubKey.n2
                 )) %
@@ -147,7 +203,7 @@ class ZeroProofSessionVerifier {
     }
 }
 
-window.ReadOnlyCyphertext = ReadOnlyCiphertext;
+window.ReadOnlyCiphertext = ReadOnlyCiphertext;
 
 export class PaillierPubKey {
     constructor(n) {
diff --git a/static/js/modules/interface/main.js b/static/js/modules/interface/main.js
index 97052c9..f3d8306 100644
--- a/static/js/modules/interface/main.js
+++ b/static/js/modules/interface/main.js
@@ -5,6 +5,7 @@ import { Packet } from "./packet.js";
 import { Game } from "./game.js";
 import { Region } from "./map.js";
 import "./dom.js";
+import "./proofs.js";
 
 export const ID = window.crypto.randomUUID();
 export const game = new Game();
diff --git a/static/js/modules/interface/proofs.js b/static/js/modules/interface/proofs.js
new file mode 100644
index 0000000..9868111
--- /dev/null
+++ b/static/js/modules/interface/proofs.js
@@ -0,0 +1,17 @@
+function cryptoShuffle(l) {
+    for (let i = 0; i < l.length - 1; i++) {}
+}
+
+window.cryptoShuffle = cryptoShuffle;
+
+function proveRegions(regions) {
+    // Construct prover coins
+    let regionNames = Object.keys(regions.keys());
+    let psi = [regionNames];
+
+    // Construct verifier coins
+    let hasher = new jsSHA("SHA3-256", "TEXT");
+    hasher.update(JSON.stringify(regions));
+
+    // Construct prover proofs
+}
diff --git a/static/js/sha3.js b/static/js/sha3.js
new file mode 100644
index 0000000..8799e0d
--- /dev/null
+++ b/static/js/sha3.js
@@ -0,0 +1,21 @@
+/**
+ * A JavaScript implementation of the SHA family of hashes - defined in FIPS PUB 180-4, FIPS PUB 202,
+ * and SP 800-185 - as well as the corresponding HMAC implementation as defined in FIPS PUB 198-1.
+ *
+ * Copyright 2008-2022 Brian Turek, 1998-2009 Paul Johnston & Contributors
+ * Distributed under the BSD License
+ * See http://caligatio.github.com/jsSHA/ for more information
+ *
+ * Two ECMAScript polyfill functions carry the following license:
+ *
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * THIS CODE IS PROVIDED ON AN *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED,
+ * INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A PARTICULAR PURPOSE,
+ * MERCHANTABLITY OR NON-INFRINGEMENT.
+ *
+ * See the Apache Version 2.0 License for specific language governing permissions and limitations under the License.
+ */
+!function(r,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(r="undefined"!=typeof globalThis?globalThis:r||self).jsSHA=t()}(this,(function(){"use strict";var r=function(t,n){return r=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(r,t){r.__proto__=t}||function(r,t){for(var n in t)Object.prototype.hasOwnProperty.call(t,n)&&(r[n]=t[n])},r(t,n)};var t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",n="ARRAYBUFFER not supported by this environment",e="UINT8ARRAY not supported by this environment";function i(r,t,n,e){var i,o,u,s=t||[0],f=(n=n||0)>>>3,a=-1===e?3:0;for(i=0;i<r.length;i+=1)o=(u=i+f)>>>2,s.length<=o&&s.push(0),s[o]|=r[i]<<8*(a+e*(u%4));return{value:s,binLen:8*r.length+n}}function o(r,o,u){switch(o){case"UTF8":case"UTF16BE":case"UTF16LE":break;default:throw new Error("encoding must be UTF8, UTF16BE, or UTF16LE")}switch(r){case"HEX":return function(r,t,n){return function(r,t,n,e){var i,o,u,s;if(0!=r.length%2)throw new Error("String of HEX type must be in byte increments");var f=t||[0],a=(n=n||0)>>>3,h=-1===e?3:0;for(i=0;i<r.length;i+=2){if(o=parseInt(r.substr(i,2),16),isNaN(o))throw new Error("String of HEX type contains invalid characters");for(u=(s=(i>>>1)+a)>>>2;f.length<=u;)f.push(0);f[u]|=o<<8*(h+e*(s%4))}return{value:f,binLen:4*r.length+n}}(r,t,n,u)};case"TEXT":return function(r,t,n){return function(r,t,n,e,i){var o,u,s,f,a,h,c,w,v=0,l=n||[0],E=(e=e||0)>>>3;if("UTF8"===t)for(c=-1===i?3:0,s=0;s<r.length;s+=1)for(u=[],128>(o=r.charCodeAt(s))?u.push(o):2048>o?(u.push(192|o>>>6),u.push(128|63&o)):55296>o||57344<=o?u.push(224|o>>>12,128|o>>>6&63,128|63&o):(s+=1,o=65536+((1023&o)<<10|1023&r.charCodeAt(s)),u.push(240|o>>>18,128|o>>>12&63,128|o>>>6&63,128|63&o)),f=0;f<u.length;f+=1){for(a=(h=v+E)>>>2;l.length<=a;)l.push(0);l[a]|=u[f]<<8*(c+i*(h%4)),v+=1}else for(c=-1===i?2:0,w="UTF16LE"===t&&1!==i||"UTF16LE"!==t&&1===i,s=0;s<r.length;s+=1){for(o=r.charCodeAt(s),!0===w&&(o=(f=255&o)<<8|o>>>8),a=(h=v+E)>>>2;l.length<=a;)l.push(0);l[a]|=o<<8*(c+i*(h%4)),v+=2}return{value:l,binLen:8*v+e}}(r,o,t,n,u)};case"B64":return function(r,n,e){return function(r,n,e,i){var o,u,s,f,a,h,c=0,w=n||[0],v=(e=e||0)>>>3,l=-1===i?3:0,E=r.indexOf("=");if(-1===r.search(/^[a-zA-Z0-9=+/]+$/))throw new Error("Invalid character in base-64 string");if(r=r.replace(/=/g,""),-1!==E&&E<r.length)throw new Error("Invalid '=' found in base-64 string");for(o=0;o<r.length;o+=4){for(f=r.substr(o,4),s=0,u=0;u<f.length;u+=1)s|=t.indexOf(f.charAt(u))<<18-6*u;for(u=0;u<f.length-1;u+=1){for(a=(h=c+v)>>>2;w.length<=a;)w.push(0);w[a]|=(s>>>16-8*u&255)<<8*(l+i*(h%4)),c+=1}}return{value:w,binLen:8*c+e}}(r,n,e,u)};case"BYTES":return function(r,t,n){return function(r,t,n,e){var i,o,u,s,f=t||[0],a=(n=n||0)>>>3,h=-1===e?3:0;for(o=0;o<r.length;o+=1)i=r.charCodeAt(o),u=(s=o+a)>>>2,f.length<=u&&f.push(0),f[u]|=i<<8*(h+e*(s%4));return{value:f,binLen:8*r.length+n}}(r,t,n,u)};case"ARRAYBUFFER":try{new ArrayBuffer(0)}catch(r){throw new Error(n)}return function(r,t,n){return function(r,t,n,e){return i(new Uint8Array(r),t,n,e)}(r,t,n,u)};case"UINT8ARRAY":try{new Uint8Array(0)}catch(r){throw new Error(e)}return function(r,t,n){return i(r,t,n,u)};default:throw new Error("format must be HEX, TEXT, B64, BYTES, ARRAYBUFFER, or UINT8ARRAY")}}function u(r,i,o,u){switch(r){case"HEX":return function(r){return function(r,t,n,e){var i,o,u="0123456789abcdef",s="",f=t/8,a=-1===n?3:0;for(i=0;i<f;i+=1)o=r[i>>>2]>>>8*(a+n*(i%4)),s+=u.charAt(o>>>4&15)+u.charAt(15&o);return e.outputUpper?s.toUpperCase():s}(r,i,o,u)};case"B64":return function(r){return function(r,n,e,i){var o,u,s,f,a,h="",c=n/8,w=-1===e?3:0;for(o=0;o<c;o+=3)for(f=o+1<c?r[o+1>>>2]:0,a=o+2<c?r[o+2>>>2]:0,s=(r[o>>>2]>>>8*(w+e*(o%4))&255)<<16|(f>>>8*(w+e*((o+1)%4))&255)<<8|a>>>8*(w+e*((o+2)%4))&255,u=0;u<4;u+=1)h+=8*o+6*u<=n?t.charAt(s>>>6*(3-u)&63):i.b64Pad;return h}(r,i,o,u)};case"BYTES":return function(r){return function(r,t,n){var e,i,o="",u=t/8,s=-1===n?3:0;for(e=0;e<u;e+=1)i=r[e>>>2]>>>8*(s+n*(e%4))&255,o+=String.fromCharCode(i);return o}(r,i,o)};case"ARRAYBUFFER":try{new ArrayBuffer(0)}catch(r){throw new Error(n)}return function(r){return function(r,t,n){var e,i=t/8,o=new ArrayBuffer(i),u=new Uint8Array(o),s=-1===n?3:0;for(e=0;e<i;e+=1)u[e]=r[e>>>2]>>>8*(s+n*(e%4))&255;return o}(r,i,o)};case"UINT8ARRAY":try{new Uint8Array(0)}catch(r){throw new Error(e)}return function(r){return function(r,t,n){var e,i=t/8,o=-1===n?3:0,u=new Uint8Array(i);for(e=0;e<i;e+=1)u[e]=r[e>>>2]>>>8*(o+n*(e%4))&255;return u}(r,i,o)};default:throw new Error("format must be HEX, B64, BYTES, ARRAYBUFFER, or UINT8ARRAY")}}var s=4294967296,f="Cannot set numRounds with MAC";function a(r,t){var n,e,i=r.binLen>>>3,o=t.binLen>>>3,u=i<<3,s=4-i<<3;if(i%4!=0){for(n=0;n<o;n+=4)e=i+n>>>2,r.value[e]|=t.value[n>>>2]<<u,r.value.push(0),r.value[e+1]|=t.value[n>>>2]>>>s;return(r.value.length<<2)-4>=o+i&&r.value.pop(),{value:r.value,binLen:r.binLen+t.binLen}}return{value:r.value.concat(t.value),binLen:r.binLen+t.binLen}}function h(r){var t={outputUpper:!1,b64Pad:"=",outputLen:-1},n=r||{},e="Output length must be a multiple of 8";if(t.outputUpper=n.outputUpper||!1,n.b64Pad&&(t.b64Pad=n.b64Pad),n.outputLen){if(n.outputLen%8!=0)throw new Error(e);t.outputLen=n.outputLen}else if(n.shakeLen){if(n.shakeLen%8!=0)throw new Error(e);t.outputLen=n.shakeLen}if("boolean"!=typeof t.outputUpper)throw new Error("Invalid outputUpper formatting option");if("string"!=typeof t.b64Pad)throw new Error("Invalid b64Pad formatting option");return t}function c(r,t,n,e){var i=r+" must include a value and format";if(!t){if(!e)throw new Error(i);return e}if(void 0===t.value||!t.format)throw new Error(i);return o(t.format,t.encoding||"UTF8",n)(t.value)}var w=function(){function r(r,t,n){var e=n||{};if(this.t=t,this.i=e.encoding||"UTF8",this.numRounds=e.numRounds||1,isNaN(this.numRounds)||this.numRounds!==parseInt(this.numRounds,10)||1>this.numRounds)throw new Error("numRounds must a integer >= 1");this.o=r,this.u=[],this.h=0,this.v=!1,this.l=0,this.A=!1,this.p=[],this.m=[]}return r.prototype.update=function(r){var t,n=0,e=this.U>>>5,i=this.R(r,this.u,this.h),o=i.binLen,u=i.value,s=o>>>5;for(t=0;t<s;t+=e)n+this.U<=o&&(this.T=this.F(u.slice(t,t+e),this.T),n+=this.U);return this.l+=n,this.u=u.slice(n>>>5),this.h=o%this.U,this.v=!0,this},r.prototype.getHash=function(r,t){var n,e,i=this.C,o=h(t);if(this.H){if(-1===o.outputLen)throw new Error("Output length must be specified in options");i=o.outputLen}var s=u(r,i,this.S,o);if(this.A&&this.g)return s(this.g(o));for(e=this.L(this.u.slice(),this.h,this.l,this.B(this.T),i),n=1;n<this.numRounds;n+=1)this.H&&i%32!=0&&(e[e.length-1]&=16777215>>>24-i%32),e=this.L(e,i,0,this.k(this.o),i);return s(e)},r.prototype.setHMACKey=function(r,t,n){if(!this.Y)throw new Error("Variant does not support HMAC");if(this.v)throw new Error("Cannot set MAC key after calling update");var e=o(t,(n||{}).encoding||"UTF8",this.S);this.K(e(r))},r.prototype.K=function(r){var t,n=this.U>>>3,e=n/4-1;if(1!==this.numRounds)throw new Error(f);if(this.A)throw new Error("MAC key already set");for(n<r.binLen/8&&(r.value=this.L(r.value,r.binLen,0,this.k(this.o),this.C));r.value.length<=e;)r.value.push(0);for(t=0;t<=e;t+=1)this.p[t]=909522486^r.value[t],this.m[t]=1549556828^r.value[t];this.T=this.F(this.p,this.T),this.l=this.U,this.A=!0},r.prototype.getHMAC=function(r,t){var n=h(t);return u(r,this.C,this.S,n)(this.N())},r.prototype.N=function(){var r;if(!this.A)throw new Error("Cannot call getHMAC without first setting MAC key");var t=this.L(this.u.slice(),this.h,this.l,this.B(this.T),this.C);return r=this.F(this.m,this.k(this.o)),r=this.L(t,this.C,this.U,r,this.C)},r}(),v=function(r,t){this.I=r,this.M=t};function l(r,t){var n;return t>32?(n=64-t,new v(r.M<<t|r.I>>>n,r.I<<t|r.M>>>n)):0!==t?(n=32-t,new v(r.I<<t|r.M>>>n,r.M<<t|r.I>>>n)):r}function E(r,t){return new v(r.I^t.I,r.M^t.M)}var A=[new v(0,1),new v(0,32898),new v(2147483648,32906),new v(2147483648,2147516416),new v(0,32907),new v(0,2147483649),new v(2147483648,2147516545),new v(2147483648,32777),new v(0,138),new v(0,136),new v(0,2147516425),new v(0,2147483658),new v(0,2147516555),new v(2147483648,139),new v(2147483648,32905),new v(2147483648,32771),new v(2147483648,32770),new v(2147483648,128),new v(0,32778),new v(2147483648,2147483658),new v(2147483648,2147516545),new v(2147483648,32896),new v(0,2147483649),new v(2147483648,2147516424)],b=[[0,36,3,41,18],[1,44,10,45,2],[62,6,43,15,61],[28,55,25,21,56],[27,20,39,8,14]];function d(r){var t,n=[];for(t=0;t<5;t+=1)n[t]=[new v(0,0),new v(0,0),new v(0,0),new v(0,0),new v(0,0)];return n}function p(r){var t,n=[];for(t=0;t<5;t+=1)n[t]=r[t].slice();return n}function y(r,t){var n,e,i,o,u,s,f,a,h,c=[],w=[];if(null!==r)for(e=0;e<r.length;e+=2)t[(e>>>1)%5][(e>>>1)/5|0]=E(t[(e>>>1)%5][(e>>>1)/5|0],new v(r[e+1],r[e]));for(n=0;n<24;n+=1){for(o=d(),e=0;e<5;e+=1)c[e]=(u=t[e][0],s=t[e][1],f=t[e][2],a=t[e][3],h=t[e][4],new v(u.I^s.I^f.I^a.I^h.I,u.M^s.M^f.M^a.M^h.M));for(e=0;e<5;e+=1)w[e]=E(c[(e+4)%5],l(c[(e+1)%5],1));for(e=0;e<5;e+=1)for(i=0;i<5;i+=1)t[e][i]=E(t[e][i],w[e]);for(e=0;e<5;e+=1)for(i=0;i<5;i+=1)o[i][(2*e+3*i)%5]=l(t[e][i],b[e][i]);for(e=0;e<5;e+=1)for(i=0;i<5;i+=1)t[e][i]=E(o[e][i],new v(~o[(e+1)%5][i].I&o[(e+2)%5][i].I,~o[(e+1)%5][i].M&o[(e+2)%5][i].M));t[0][0]=E(t[0][0],A[n])}return t}function m(r){var t,n,e=0,i=[0,0],o=[4294967295&r,r/s&2097151];for(t=6;t>=0;t--)0===(n=o[t>>2]>>>8*t&255)&&0===e||(i[e+1>>2]|=n<<8*(e+1),e+=1);return e=0!==e?e:1,i[0]|=e,{value:e+1>4?i:[i[0]],binLen:8+8*e}}function U(r){return a(m(r.binLen),r)}function R(r,t){var n,e=m(t),i=t>>>2,o=(i-(e=a(e,r)).value.length%i)%i;for(n=0;n<o;n++)e.value.push(0);return e.value}return function(t){function n(r,n,e){var i=this,u=6,s=0,a=e||{};if(1!==(i=t.call(this,r,n,e)||this).numRounds){if(a.kmacKey||a.hmacKey)throw new Error(f);if("CSHAKE128"===i.o||"CSHAKE256"===i.o)throw new Error("Cannot set numRounds for CSHAKE variants")}switch(i.S=1,i.R=o(i.t,i.i,i.S),i.F=y,i.B=p,i.k=d,i.T=d(),i.H=!1,r){case"SHA3-224":i.U=s=1152,i.C=224,i.Y=!0,i.g=i.N;break;case"SHA3-256":i.U=s=1088,i.C=256,i.Y=!0,i.g=i.N;break;case"SHA3-384":i.U=s=832,i.C=384,i.Y=!0,i.g=i.N;break;case"SHA3-512":i.U=s=576,i.C=512,i.Y=!0,i.g=i.N;break;case"SHAKE128":u=31,i.U=s=1344,i.C=-1,i.H=!0,i.Y=!1,i.g=null;break;case"SHAKE256":u=31,i.U=s=1088,i.C=-1,i.H=!0,i.Y=!1,i.g=null;break;case"KMAC128":u=4,i.U=s=1344,i.X(e),i.C=-1,i.H=!0,i.Y=!1,i.g=i.O;break;case"KMAC256":u=4,i.U=s=1088,i.X(e),i.C=-1,i.H=!0,i.Y=!1,i.g=i.O;break;case"CSHAKE128":i.U=s=1344,u=i.j(e),i.C=-1,i.H=!0,i.Y=!1,i.g=null;break;case"CSHAKE256":i.U=s=1088,u=i.j(e),i.C=-1,i.H=!0,i.Y=!1,i.g=null;break;default:throw new Error("Chosen SHA variant is not supported")}return i.L=function(r,t,n,e,i){return function(r,t,n,e,i,o,u){var s,f,a=0,h=[],c=i>>>5,w=t>>>5;for(s=0;s<w&&t>=i;s+=c)e=y(r.slice(s,s+c),e),t-=i;for(r=r.slice(s),t%=i;r.length<c;)r.push(0);for(r[(s=t>>>3)>>2]^=o<<s%4*8,r[c-1]^=2147483648,e=y(r,e);32*h.length<u&&(f=e[a%5][a/5|0],h.push(f.M),!(32*h.length>=u));)h.push(f.I),0==64*(a+=1)%i&&(y(null,e),a=0);return h}(r,t,0,e,s,u,i)},a.hmacKey&&i.K(c("hmacKey",a.hmacKey,i.S)),i}return function(t,n){if("function"!=typeof n&&null!==n)throw new TypeError("Class extends value "+String(n)+" is not a constructor or null");function e(){this.constructor=t}r(t,n),t.prototype=null===n?Object.create(n):(e.prototype=n.prototype,new e)}(n,t),n.prototype.j=function(r,t){var n=function(r){var t=r||{};return{funcName:c("funcName",t.funcName,1,{value:[],binLen:0}),customization:c("Customization",t.customization,1,{value:[],binLen:0})}}(r||{});t&&(n.funcName=t);var e=a(U(n.funcName),U(n.customization));if(0!==n.customization.binLen||0!==n.funcName.binLen){for(var i=R(e,this.U>>>3),o=0;o<i.length;o+=this.U>>>5)this.T=this.F(i.slice(o,o+(this.U>>>5)),this.T),this.l+=this.U;return 4}return 31},n.prototype.X=function(r){var t=function(r){var t=r||{};return{kmacKey:c("kmacKey",t.kmacKey,1),funcName:{value:[1128353099],binLen:32},customization:c("Customization",t.customization,1,{value:[],binLen:0})}}(r||{});this.j(r,t.funcName);for(var n=R(U(t.kmacKey),this.U>>>3),e=0;e<n.length;e+=this.U>>>5)this.T=this.F(n.slice(e,e+(this.U>>>5)),this.T),this.l+=this.U;this.A=!0},n.prototype.O=function(r){var t=a({value:this.u.slice(),binLen:this.h},function(r){var t,n,e=0,i=[0,0],o=[4294967295&r,r/s&2097151];for(t=6;t>=0;t--)0==(n=o[t>>2]>>>8*t&255)&&0===e||(i[e>>2]|=n<<8*e,e+=1);return i[(e=0!==e?e:1)>>2]|=e<<8*e,{value:e+1>4?i:[i[0]],binLen:8+8*e}}(r.outputLen));return this.L(t.value,t.binLen,this.l,this.B(this.T),r.outputLen)},n}(w)}));
diff --git a/templates/index.html b/templates/index.html
index 6f31eba..f80a0bd 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -7,6 +7,7 @@
 
     <script src="https://cdn.socket.io/4.5.4/socket.io.min.js"></script>
     <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
+    <script src="{{ url_for('static', filename='js/sha3.js') }}" type="module"></script>
     <script src="{{ url_for('static', filename='js/modules/interface/main.js') }}" type="module"></script>
     <script src="{{ url_for('static', filename='js/modules/crypto/main.js') }}" type="module"></script>
 </head>
diff --git a/whitepaper/Dissertation.bib b/whitepaper/Dissertation.bib
index 545cb32..5ccb5dd 100644
--- a/whitepaper/Dissertation.bib
+++ b/whitepaper/Dissertation.bib
@@ -263,6 +263,15 @@ doi={10.1109/SP.2014.36}}
     howpublished = {\url{https://github.com/msgpack/msgpack}},
 }
 
+@misc{jssha,
+    author = {Caligatio},
+    title = {jsSHA: A JavaScript/TypeScript implementation of the complete Secure Hash Standard (SHA) family},
+    year = {2022},
+    publisher = {GitHub},
+    journal = {GitHub repository},
+    howpublished = {\url{https://github.com/Caligatio/jsSHA}},
+}
+
 @article{RABIN1980128,
     title = {Probabilistic algorithm for testing primality},
     journal = {Journal of Number Theory},
@@ -320,4 +329,13 @@ doi={10.1109/SP.2014.36}}
 	year={2000}
 }
 
-@misc{projectgemini, url={gemini://gemini.circumlunar.space/docs/specification.gmi}, journal={Project gemini}}
\ No newline at end of file
+@misc{projectgemini, url={gemini://gemini.circumlunar.space/docs/specification.gmi}, journal={Project gemini}}
+
+@techreport{FIPS202,
+    author = {National Institute of Standards and Technology},
+    title = {SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions},
+    institution = {U.S. Department of Commerce},
+    address= {Washington, D.C.},
+    DOI = {10.6028/NIST.FIPS.202},
+    year = {2015},
+}
\ No newline at end of file
diff --git a/whitepaper/Dissertation.pdf b/whitepaper/Dissertation.pdf
index 96d8e19..e0bb78c 100644
Binary files a/whitepaper/Dissertation.pdf and b/whitepaper/Dissertation.pdf differ
diff --git a/whitepaper/Dissertation.tex b/whitepaper/Dissertation.tex
index 3b3c271..4c413d9 100644
--- a/whitepaper/Dissertation.tex
+++ b/whitepaper/Dissertation.tex
@@ -406,8 +406,6 @@ The proof system presented is an interactive proof for a given ciphertext $c$ be
 
 A proof for the following homologous problem can be trivially constructed: given some ciphertext $c = g^mr^n \mod n^2$, prove that the text $cg^{-m} \mod n^2$ is an encryption of 0. The text $cg^{-m}$ is constructed by the verifier. The prover then proceeds with the proof as normal, since $cg^{-m}$ is an encryption of 0 under the same noise as the encryption of $m$ given.
 
-% Furthermore, the above protocol can be made non-interactive using the Fiat-Shamir heuristic \citep{fiatshamir}. (this contradicts the lit review)
-
 \subsection{Implementation details}
 
 Proofs of zero use messages labelled as \texttt{"PROOF"} to resolve, and resolve between two parties. The proof is initiated by the verifier as part of the game protocol, who sends a request containing the region to prove. Initiating proofs on the verifier side has benefits to synchronisation, and helps to reduce race conditions, as the proof is only requested after the verifier has updated their state.
@@ -445,7 +443,7 @@ Players should prove a number of properties of their game state to each other to
 
 \subsection{Cheating with negative values}
 
-By using negative values, a player can cheat stage (1) of the above. This is a severe issue, as potentially the cheat could be completely unnoticed even in the conclusion of the game. To overcome this, we apply proofs on each committed value that are verified by all players.
+Using just the additive homomorphic property to guarantee (1) opens up the ability for a player to cheat by using negative values. This is a severe issue, as potentially the cheat could be completely unnoticed even in the conclusion of the game. To overcome this, we need a new protocol that is still in zero-knowledge, but proves a different property of a player's move.
 
 One consideration is to use a range proof as above. The full proof would then be the combination of a proof that the sum of all ciphertexts is 1, and the range of each ciphertext is as tight as possible, which is within the range $[0, 3]$. This is acceptable in the specific application, however we can achieve a better proof that is similar in operation to \cite{Boudot2000EfficientPT}.
 
@@ -462,7 +460,7 @@ Instead of proving a value is within a range, the prover will demonstrate that a
 		\item Prover transmits $\{ (\psi(R_i), E(n_i, r_i^*)) \mid 0 < i \leq N \}$ where $\psi$ is a random bijection on the regions.
 
 		\item Verifier chooses a random $c \in \{0, 1\}$. \begin{enumerate}
-			\item If $c = 0$, the verifier requests the definition of $\psi$, to indeed see that this is a valid bijection. They then compute the product of the $E(x, r_1) \cdot E(x^*, r_1^*)$ and verify proofs that each of these is zero.
+			\item If $c = 0$, the verifier requests the definition of $\psi$. They then compute the product of the $E(x, r_i) \cdot E(x, r_i^*)$ and verify proofs that each of these is zero.
 
 			\item If $c = 1$, the verifier requests a proof that each $E(n_i, r_i^*)$ is as claimed.
 		\end{enumerate}
@@ -498,13 +496,21 @@ Additionally, we can consider this protocol perfect zero-knowledge.
 
 \subsection{Optimising}
 
-To reduce the number of times the proof must be conducted, we use the Fiat-Shamir heuristic. For this, we need a random oracle: in our situation, this will be substituted by using a cryptographic hash function.
+It is preferred that these proofs can be performed with only a few communications: this issue is particularly prevalent here as this protocol requires multiple rounds to complete. The independence of each round on the next is a beneficial property, as it means the proof can be performed in parallel, so the prover transmits \textit{all} of their $\psi$'s, then the verifier transmits all of their challenges. However, still is the issue of performing proofs of zero.
+
+We can apply the Fiat-Shamir heuristic \cite{fiatshamir} to make proofs of zero non-interactive. In place of a random oracle, we use a cryptographic hash function. %todo cite & discuss
+We take the hash of some public parameters to prevent cheating by searching for some values that hash in a preferable manner. In this case, selecting $e = H(g, m, a)$ is a valid choice. To get a hash of desired length, an extendable output function such as SHAKE256 \cite{FIPS202} could be used.
+The library jsSHA \cite{jssha} provides an implementation of SHAKE256 that works within a browser.
 
 \section{Review}
 
 \subsection{Random oracles}
 
-Various parts of the implementation use the random oracle model: in particular, the zero-knowledge proof sections. The extent to which the random oracle model is used is in the construction of truly random values that will not reveal information about the prover's state. In practice, a cryptographically secure pseudo random number generator will suffice for this application, as CSPRNGs typically incorporate environmental data to ensure outputs are unpredictable \cite{random(4)}.
+Various parts of the implementation use the random oracle model: in particular, the zero-knowledge proof sections.
+
+The random oracle model is used for two guarantees. The first is in the construction of truly random values that will not reveal information about the prover's state. In practice, a cryptographically secure pseudo random number generator will suffice for this application, as CSPRNGs typically incorporate environmental data to ensure outputs are unpredictable \cite{random(4)}.
+
+The second is to associate a non-random value with a random value. In practice, a cryptographic hash function such as SHA-3 is used. This gives appropriately pseudo-random outputs that appear truly random, and additionally are assumed to be preimage resistant: a necessary property when constructing non-interactive proofs in order to prevent a prover manipulating the signature used to derive the proof.
 
 \subsection{Efficiency}