“…We denote C(a, r a ) = g a 1 g ra 2 modn a commitment to a in bases (g 1 , g 2 ), where r a is randomly selected over {0, 2 s n}, where s is a security parameter. This commitment scheme first appeared in [12] and reconsidered by Damgård and Fujisaki [10] is statistically hiding and computationally binding, i.e., -a committer is unable to commit itself to two values a 1 , a 2 such that a 1 = a 2 in Z by the same commitment unless the committed can factor n or solves the discrete logarithm of g 1 in base g 2 or the the discrete logarithm of g 2 in base g 1 ; -C(a, r a ) statistically reveals no information to the receiver, i.e., there is a simulator which outputs simulated commitments to a which are statistically indistinguishable from true ones. -this commitment is homomorphic, i.e., C(a+b, r a +r b ) = C(a, r a ) × C(b, r b ).…”