From ed72b05347931d6824df5ab9aece493cdc88ce2c Mon Sep 17 00:00:00 2001 From: onyinyang Date: Thu, 21 Sep 2023 10:25:28 -0400 Subject: [PATCH] Add changes for bug fix in zkp crate --- .../src/proto/blockage_migration.rs | 55 ++++--------------- 1 file changed, 12 insertions(+), 43 deletions(-) diff --git a/crates/lox-library/src/proto/blockage_migration.rs b/crates/lox-library/src/proto/blockage_migration.rs index 9c6cc87..7b18902 100644 --- a/crates/lox-library/src/proto/blockage_migration.rs +++ b/crates/lox-library/src/proto/blockage_migration.rs @@ -26,9 +26,7 @@ and a new Lox credential to be issued: - trust_level: revealed to be 2 less than the trust_level above - level_since: today - invites_remaining: revealed to be LEVEL_INVITATIONS for the new trust - level [Actually, there's a bug in the zkp crate that's triggered when - a public value is 0 (the identity element of the Ristretto group), so - we treat this field as blinded, but the _server_ encrypts the value.] + level - blockages: blinded, but proved in ZK that it's one more than the blockages above @@ -100,15 +98,14 @@ pub struct Response { // The new attributes; the trust_level and invites_remaining are // implicit level_since: Scalar, + invremain: Scalar, // The fields for the new Lox credential P: RistrettoPoint, EncQ: (RistrettoPoint, RistrettoPoint), - EncInvRemain: (RistrettoPoint, RistrettoPoint), id_server: Scalar, TId: RistrettoPoint, TBucket: RistrettoPoint, - TInvRemain: RistrettoPoint, TBlockages: RistrettoPoint, // The ZKP 
@@ -155,11 +152,10 @@ define_proof! {
 blindissue,
 "Blockage Migration Blind Issuing",
 (x0, x0tilde, xid, xbucket, xlevel, xsince, xinvremain, xblockages,
- s, b, tid, tbucket, tinvremain, tblockages),
+ s, b, tid, tbucket, tblockages),
 (P, EncQ0, EncQ1, X0, Xid, Xbucket, Xlevel, Xsince, Xinvremain,
- Xblockages, Plevel, Psince, TId, TBucket, TInvRemain, TBlockages,
- D, EncId0, EncId1, EncBucket0, EncBucket1, EncInvRemain0,
- EncInvRemain1, EncBlockages0, EncBlockages1),
+ Xblockages, Plevel, Psince, Pinvremain, TId, TBucket, TBlockages,
+ D, EncId0, EncId1, EncBucket0, EncBucket1, EncBlockages0, EncBlockages1),
 (A, B):
 Xid = (xid*A),
 Xlevel = (xlevel*A),
@@ -173,14 +169,12 @@ define_proof! {
 TId = (tid*A),
 TBucket = (b*Xbucket),
 TBucket = (tbucket*A),
- TInvRemain = (b*Xinvremain),
- TInvRemain = (tinvremain*A),
 TBlockages = (b*Xblockages),
 TBlockages = (tblockages*A),
 EncQ0 = (s*B + tid*EncId0 + tbucket*EncBucket0
- + tinvremain*EncInvRemain0 + tblockages*EncBlockages0),
+ + tblockages*EncBlockages0),
 EncQ1 = (s*D + tid*EncId1 + tbucket*EncBucket1
- + tinvremain*EncInvRemain1 + tblockages*EncBlockages1
+ + tblockages*EncBlockages1
 + x0*P + xlevel*Plevel + xsince*Psince)
 }
@@ -484,14 +478,6 @@ impl BridgeAuth {
 // invitations for moving from level i to level i+1)
 let invremain: Scalar = LEVEL_INVITATIONS[(level - 3) as usize].into();
- // Because of the bug in the zkp crate, encrypt the invites
- // remaining instead of sending it in the clear
- let sinvremain = Scalar::random(&mut rng);
- let EncInvRemain = (
- &sinvremain * Btable,
- &invremain * Btable + sinvremain * req.D,
- );
-
 // Compute the MAC on the visible attributes
 let b = Scalar::random(&mut rng);
 let P = &b * Btable;
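Review bot: `Pinvremain` is added to the proof's public inputs in the first hunk but is used by no statement: the `EncQ1` relation in the second hunk still ends with the unchanged context line `+ x0*P + xlevel*Plevel + xsince*Psince)`, so once the `tinvremain*EncInvRemain1` term is removed nothing in the proof ties `xinvremain` to the issued MAC. The intended replacement is presumably `+ x0*P + xlevel*Plevel + xsince*Psince + xinvremain*Pinvremain)`. The server side has the matching gap: hunk @@ -523 in this file drops `EncQInvRemain` from the `EncQ` sum, and no hunk adds an `x[5] * invremain` contribution to the `EncQHc` term (that computation lies outside the hunks, so confirm it was updated) — if it was not, the credential's MAC presumably no longer covers `invites_remaining`, and if it was, the proof as written will not verify until the statement above is updated. The `define_proof!` block starts before the first hunk, and the third hunk's enclosing method starts and ends outside it.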
@@ -512,9 +498,6 @@ impl BridgeAuth {
 let tbucket = self.lox_priv.x[2] * b;
 let TBucket = &tbucket * Atable;
 let EncQBucket = (tbucket * req.EncBucket.0, tbucket * req.EncBucket.1);
- let tinvremain = self.lox_priv.x[5] * b;
- let TInvRemain = &tinvremain * Atable;
- let EncQInvRemain = (tinvremain * EncInvRemain.0, tinvremain * EncInvRemain.1);
 let tblockages = self.lox_priv.x[6] * b;
 let TBlockages = &tblockages * Atable;
 let EncQBlockages = (
@@ -523,8 +506,8 @@ impl BridgeAuth {
 );
 let EncQ = (
- EncQHc.0 + EncQId.0 + EncQBucket.0 + EncQInvRemain.0 + EncQBlockages.0,
- EncQHc.1 + EncQId.1 + EncQBucket.1 + EncQInvRemain.1 + EncQBlockages.1,
+ EncQHc.0 + EncQId.0 + EncQBucket.0 + EncQBlockages.0,
+ EncQHc.1 + EncQId.1 + EncQBucket.1 + EncQBlockages.1,
 );
 let mut transcript = Transcript::new(b"blockage migration issuing");
@@ -545,17 +528,15 @@ impl BridgeAuth {
 Xblockages: &self.lox_pub.X[6],
 Plevel: &(trust_level * P),
 Psince: &(level_since * P),
+ Pinvremain: &(invremain * P),
 TId: &TId,
 TBucket: &TBucket,
- TInvRemain: &TInvRemain,
 TBlockages: &TBlockages,
 D: &req.D,
 EncId0: &EncId.0,
 EncId1: &EncId.1,
 EncBucket0: &req.EncBucket.0,
 EncBucket1: &req.EncBucket.1,
- EncInvRemain0: &EncInvRemain.0,
- EncInvRemain1: &EncInvRemain.1,
 EncBlockages0: &req.EncBlockages.0,
 EncBlockages1: &req.EncBlockages.1,
 x0: &self.lox_priv.x[0],
@@ -570,7 +551,6 @@ impl BridgeAuth {
 b: &b,
 tid: &tid,
 tbucket: &tbucket,
- tinvremain: &tinvremain,
 tblockages: &tblockages,
 },
 )
@@ -578,13 +558,12 @@ impl BridgeAuth {
 Ok(Response {
 level_since,
+ invremain,
 P,
 EncQ,
- EncInvRemain,
 id_server,
 TId,
 TBucket,
- TInvRemain,
 TBlockages,
 piBlindIssue,
 })
@@ -601,7 +580,6 @@ pub fn handle_response(
 let A: &RistrettoPoint = &CMZ_A;
 let B: &RistrettoPoint = &CMZ_B;
 let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
-
 if resp.P.is_identity() {
 return Err(ProofError::VerificationFailure);
 }
@@ -627,13 +605,6 @@ pub fn handle_response(
 // moving from level i to level i+1)
 let invremain: Scalar = LEVEL_INVITATIONS[(new_level - 1) as usize].into();
- // Decrypt EncInvRemain
- let recv_invremain = resp.EncInvRemain.1 - (state.d * resp.EncInvRemain.0);
-
- if recv_invremain != &invremain * Btable {
- return Err(ProofError::VerificationFailure);
- }
-
 // Verify the proof
 let mut transcript = Transcript::new(b"blockage migration issuing");
 blindissue::verify_compact(
@@ -654,17 +625,15 @@ pub fn handle_response(
 Xblockages: &lox_pub.X[6].compress(),
 Plevel: &(state.trust_level * resp.P).compress(),
 Psince: &(resp.level_since * resp.P).compress(),
+ Pinvremain: &(resp.invremain * resp.P).compress(),
 TId: &resp.TId.compress(),
 TBucket: &resp.TBucket.compress(),
- TInvRemain: &resp.TInvRemain.compress(),
 TBlockages: &resp.TBlockages.compress(),
 D: &state.D.compress(),
 EncId0: &EncId.0.compress(),
 EncId1: &EncId.1.compress(),
 EncBucket0: &state.EncBucket.0.compress(),
 EncBucket1: &state.EncBucket.1.compress(),
- EncInvRemain0: &resp.EncInvRemain.0.compress(),
- EncInvRemain1: &resp.EncInvRemain.1.compress(),
 EncBlockages0: &state.EncBlockages.0.compress(),
 EncBlockages1: &state.EncBlockages.1.compress(),
 },
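Review bot: The client no longer checks that the issuer's `resp.invremain` is the value the protocol prescribes: the first hunk still computes the expected `invremain` from `LEVEL_INVITATIONS[(new_level - 1) as usize]`, but the removed decrypt-and-compare was the only check in these hunks, and the second hunk feeds the proof `Pinvremain: &(resp.invremain * resp.P).compress()` from the server's value rather than the local one. Unless a comparison exists outside the hunks, a valid proof is accepted for whatever `invites_remaining` the issuer chose, which is exactly the issuer-controlled revealed value the old comparison pinned and which the doc comment's "revealed to be LEVEL_INVITATIONS for the new trust level" relies on the client enforcing. Restore the check before `blindissue::verify_compact`, `if resp.invremain != invremain { return Err(ProofError::VerificationFailure); }`, or build `Pinvremain` from the local `invremain` so a proof over a different value fails to verify. With the decryption gone, `Btable` in `handle_response` (declared in hunk @@ -601) may now be unused unless it is referenced elsewhere in the function. `handle_response` starts before the first hunk and continues past the second.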