started working on another proof

static/js/modules/interface/proofs.js

@@ -1,5 +1,6 @@
 import { cryptoRandom } from "../crypto/random_primes.js";
 import { Region } from "./map.js";
+import { mod_exp } from "../crypto/math.js";
 
 function cryptoRange(upper) {
     // This is ridiculous: why implement a BigInt primitive, have it behave like a number, and then _not_ offer
@@ -294,6 +295,43 @@ export function verifyRange(obj, key) {
 
 window.verifyRange = verifyRange;
 
+export function proveBitLength(cipherText) {
+    if (cipherText.readOnly) {
+        throw "Cannot prove readonly ciphertext";
+    }
+
+    let key = cipherText.pubKey;
+
+    // Compute decomposition
+    let bitCommitments = [];
+
+    let m = cipherText.plainText;
+    let prod = cipherText.clone();
+    let e = 1n;
+
+    while (m !== 0n) {
+        let bit = m & 0b1n;
+        let cBit = key.encrypt(-bit);
+        bitCommitments.push(cBit);
+
+        let cBit2 = cBit.clone();
+        cBit2.mul(e);
+        prod.update(cBit2);
+
+        e <<= 1n;
+        m >>= 1n;
+    }
+
+    // TODO finish this
+
+    return {
+        bitCommitments: bitCommitments,
+        bitProof: prod.proveNI(),
+    };
+}
+
+window.proveBitLength = proveBitLength;
+
 /**
  * - We prove that the set contains |S| - 2 zeros, with the final pair summing to zero and sums with the original
  * set are zero.