Merge pull request #35 from privacybydesign/new-keyshare-protocol
New keyshare protocol
synaptic-cleft authored Nov 9, 2022
2 parents 8e978bf + ff148ec commit 8e9ce1f
Showing 10 changed files with 716 additions and 120 deletions.
80 changes: 41 additions & 39 deletions builder.go
Expand Up @@ -81,7 +81,7 @@ func userCommitment(pk *gabikeys.PublicKey, secret *big.Int, vPrime *big.Int, ms
// NewCredentialBuilder creates a new credential builder.
// The resulting credential builder is already committed to the provided secret.
// arg blind: list of indices of random blind attributes (excluding the secret key)
func NewCredentialBuilder(pk *gabikeys.PublicKey, context, secret *big.Int, nonce2 *big.Int, blind []int) (*CredentialBuilder, error) {
func NewCredentialBuilder(pk *gabikeys.PublicKey, context, secret *big.Int, nonce2 *big.Int, keyshareP *big.Int, blind []int) (*CredentialBuilder, error) {
vPrime, err := common.RandomBigInt(pk.Params.LvPrime)
if err != nil {
return nil, err
Expand All @@ -96,16 +96,35 @@ func NewCredentialBuilder(pk *gabikeys.PublicKey, context, secret *big.Int, nonc

// Commit to secret and, optionally, user's shares of random blind attributes
U := userCommitment(pk, secret, vPrime, mUser)
if keyshareP != nil {
U.Mul(U, keyshareP).Mod(U, pk.N)
}

// Generate randomizers for the commitment
vPrimeCommit, err := common.RandomBigInt(pk.Params.LvPrimeCommit)
if err != nil {
return nil, err
}
mUserCommit := make(map[int]*big.Int)
for i := range mUser {
mUserCommit[i], err = common.RandomBigInt(pk.Params.LmCommit)
if err != nil {
return nil, err
}
}

return &CredentialBuilder{
pk: pk,
context: context,
secret: secret,
vPrime: vPrime,
u: U,
uCommit: big.NewInt(1),
nonce2: nonce2,
mUser: mUser,
pk: pk,
context: context,
secret: secret,
u: U,
nonce2: nonce2,
keyshareP: keyshareP,

vPrime: vPrime,
vPrimeCommit: vPrimeCommit,
mUser: mUser,
mUserCommit: mUserCommit,
}, nil
}

Expand Down Expand Up @@ -150,8 +169,8 @@ func (b *CredentialBuilder) ConstructCredential(msg *IssueSignatureMessage, attr
E: msg.Signature.E,
V: new(big.Int).Add(msg.Signature.V, b.vPrime),
}
if b.proofPcomm != nil {
signature.KeyshareP = b.proofPcomm.P
if b.keyshareP != nil {
signature.KeyshareP = b.keyshareP
}

// For all attributes that are sums of shares between user/issuer, compute this sum
Expand Down Expand Up @@ -213,23 +232,19 @@ type CredentialBuilder struct {
vPrimeCommit *big.Int
nonce2 *big.Int
u *big.Int
uCommit *big.Int
skRandomizer *big.Int

pk *gabikeys.PublicKey
context *big.Int
proofPcomm *ProofPCommitment
keyshareP *big.Int

mUser map[int]*big.Int // Map of users shares of random blind attributes
mUserCommit map[int]*big.Int
}

func (b *CredentialBuilder) MergeProofPCommitment(commitment *ProofPCommitment) {
func (b *CredentialBuilder) SetProofPCommitment(commitment *ProofPCommitment) {
b.proofPcomm = commitment
b.uCommit.Mod(
b.uCommit.Mul(b.uCommit, commitment.Pcommit),
b.pk.N,
)
}

// PublicKey returns the Idemix public key against which the credential will verify.
Expand All @@ -241,37 +256,24 @@ func (b *CredentialBuilder) PublicKey() *gabikeys.PublicKey {
// Optionally commits to the user shares of random blind attributes if any are present.
func (b *CredentialBuilder) Commit(randomizers map[string]*big.Int) ([]*big.Int, error) {
b.skRandomizer = randomizers["secretkey"]
var err error
b.vPrimeCommit, err = common.RandomBigInt(b.pk.Params.LvPrimeCommit)
if err != nil {
return nil, err
}
b.mUserCommit = make(map[int]*big.Int)
for i := range b.mUser {
b.mUserCommit[i], err = common.RandomBigInt(b.pk.Params.LmCommit)
if err != nil {
return nil, err
}
}

// U_commit = U_commit * S^{v_prime_commit} * R_0^{s_commit}
sv := new(big.Int).Exp(b.pk.S, b.vPrimeCommit, b.pk.N)
r0s := new(big.Int).Exp(b.pk.R[0], b.skRandomizer, b.pk.N)
b.uCommit.Mul(b.uCommit, sv).Mul(b.uCommit, r0s)
b.uCommit.Mod(b.uCommit, b.pk.N)
uCommit := big.NewInt(1)
if b.proofPcomm != nil {
uCommit.Set(b.proofPcomm.Pcommit)
}
uCommit.Mul(uCommit, sv).Mul(uCommit, r0s)
uCommit.Mod(uCommit, b.pk.N)

// U_commit = U_commit * R_i^{m_iUserCommit} for i in random blind
for i := range b.mUser {
b.uCommit.Mul(b.uCommit, new(big.Int).Exp(b.pk.R[i], b.mUserCommit[i], b.pk.N))
b.uCommit.Mod(b.uCommit, b.pk.N)
}

ucomm := new(big.Int).Set(b.u)
if b.proofPcomm != nil {
ucomm.Mul(ucomm, b.proofPcomm.P).Mod(ucomm, b.pk.N)
uCommit.Mul(uCommit, new(big.Int).Exp(b.pk.R[i], b.mUserCommit[i], b.pk.N))
uCommit.Mod(uCommit, b.pk.N)
}

return []*big.Int{ucomm, b.uCommit}, nil
return []*big.Int{b.u, uCommit}, nil
}

// CreateProof creates a (ProofU) Proof using the provided challenge.
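Review bot: `vPrimeCommit` and `mUserCommit` are now drawn once in `NewCredentialBuilder`, so a second `Commit` on the same builder reuses them, and nothing in the new code documents or enforces that a `CredentialBuilder` is single-use. `CreateProof` lies outside the visible hunks; if its responses have the usual randomizer-plus-challenge-times-secret form, answering two different challenges with the same randomizers would expose `vPrime` and the user's shares of the random blind attributes, which the per-call generation on the old side avoided. Suggest stating the contract on the type, e.g. `// A CredentialBuilder must be used for a single issuance proof: vPrimeCommit and mUserCommit are fixed at construction.`, or refusing a second `CreateProof` call on the same builder.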
24 changes: 12 additions & 12 deletions credential.go
Expand Up @@ -29,12 +29,12 @@ type DisclosureProofBuilder struct {
randomizedSignature *CLSignature
eCommit, vCommit *big.Int
attrRandomizers map[int]*big.Int
z *big.Int
disclosedAttributes []int
undisclosedAttributes []int
pk *gabikeys.PublicKey
attributes []*big.Int
nonrevBuilder *NonRevocationProofBuilder
proofPcomm *ProofPCommitment

rpStructures map[int][]*rangeproof.ProofStructure
rpCommits map[int][]*rangeproof.ProofCommit
Expand Down Expand Up @@ -133,7 +133,6 @@ func (ic *Credential) CreateDisclosureProofBuilder(
nonrev bool,
) (*DisclosureProofBuilder, error) {
d := &DisclosureProofBuilder{}
d.z = big.NewInt(1)
d.pk = ic.Pk
var err error
d.randomizedSignature, err = ic.Signature.Randomize(ic.Pk)
Expand Down Expand Up @@ -272,11 +271,8 @@ func (ic *Credential) NonrevIndex() (int, error) {
return -1, errors.New("revocation attribute not included in credential")
}

func (d *DisclosureProofBuilder) MergeProofPCommitment(commitment *ProofPCommitment) {
d.z.Mod(
d.z.Mul(d.z, commitment.Pcommit),
d.pk.N,
)
func (d *DisclosureProofBuilder) SetProofPCommitment(commitment *ProofPCommitment) {
d.proofPcomm = commitment
}

// PublicKey returns the Idemix public key against which this disclosure proof will verify.
Expand All @@ -299,18 +295,22 @@ func (d *DisclosureProofBuilder) Commit(randomizers map[string]*big.Int) ([]*big
if err != nil {
return nil, err
}
d.z.Mul(d.z, Ae).Mul(d.z, Sv).Mod(d.z, d.pk.N)
z := big.NewInt(1)
if d.proofPcomm != nil {
z.Set(d.proofPcomm.Pcommit)
}
z.Mul(z, Ae).Mul(z, Sv).Mod(z, d.pk.N)

for _, v := range d.undisclosedAttributes {
t, err := common.ModPow(d.pk.R[v], d.attrRandomizers[v], d.pk.N)
if err != nil {
return nil, err
}
d.z.Mul(d.z, t)
d.z.Mod(d.z, d.pk.N)
z.Mul(z, t)
z.Mod(z, d.pk.N)
}

list := []*big.Int{d.randomizedSignature.A, d.z}
list := []*big.Int{d.randomizedSignature.A, z}

if d.nonrevBuilder != nil {
l, err := d.nonrevBuilder.Commit()
Expand Down Expand Up @@ -412,5 +412,5 @@ func (d *DisclosureProofBuilder) TimestampRequestContributions() (*big.Int, []*b

// GenerateSecretAttribute generates secret attribute used prove ownership and links between credentials from the same user.
func GenerateSecretAttribute() (*big.Int, error) {
return common.RandomBigInt(gabikeys.DefaultSystemParameters[1024].Lm)
return common.RandomBigInt(gabikeys.DefaultSystemParameters[1024].Lm - 1)
}
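Review bot: In `Commit`, `z.Set(d.proofPcomm.Pcommit)` uses `Pcommit` without checking it, and `SetProofPCommitment` stores whatever pointer it is handed. `(*big.Int).Set` panics on a nil argument, so a `ProofPCommitment` that arrives without `Pcommit` (where it is decoded is not visible here) would crash the prover instead of returning an error, and a value outside `[1, N)` is multiplied into `z` as is. Since `Commit` already returns an error, a guard before the `Set` would do: `if p := d.proofPcomm.Pcommit; p == nil || p.Sign() <= 0 || p.Cmp(d.pk.N) >= 0 { return nil, errors.New("invalid keyshare commitment") }`. `CredentialBuilder.Commit` in builder.go has the same unchecked `uCommit.Set(b.proofPcomm.Pcommit)`, and `NewCredentialBuilder` multiplies `keyshareP` into `U` with only a nil check. `Commit` begins above this hunk.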