909 lines
32 KiB
Rust
909 lines
32 KiB
Rust
/*! A module for the protocol for a user to request the issuing of an
|
|
Invitation credential they can pass to someone they know.
|
|
|
|
They are allowed to do this as long as their current Lox credentials has
|
|
a non-zero "invites_remaining" attribute (which will be decreased by
|
|
one), and they have a Bucket Reachability credential for their current
|
|
bucket and today's date. (Such credentials are placed daily in the
|
|
encrypted bridge table.)
|
|
|
|
The user presents their current Lox credential:
|
|
- id: revealed
|
|
- bucket: blinded
|
|
- trust_level: blinded
|
|
- level_since: blinded
|
|
- invites_remaining: blinded, but proved in ZK that it's not zero
|
|
- blockages: blinded
|
|
|
|
and a Bucket Reachability credential:
|
|
- date: revealed to be today
|
|
- bucket: blinded, but proved in ZK that it's the same as in the Lox
|
|
credential above
|
|
|
|
and a new Lox credential to be issued:
|
|
|
|
- id: jointly chosen by the user and BA
|
|
- bucket: blinded, but proved in ZK that it's the same as in the Lox
|
|
credential above
|
|
- trust_level: blinded, but proved in ZK that it's the same as in the
|
|
Lox credential above
|
|
- level_since: blinded, but proved in ZK that it's the same as in the
|
|
Lox credential above
|
|
- invites_remaining: blinded, but proved in ZK that it's one less than
|
|
the number in the Lox credential above
|
|
- blockages: blinded, but proved in ZK that it's the same as in the
|
|
Lox credential above
|
|
|
|
and a new Invitation credential to be issued:
|
|
|
|
- inv_id: jointly chosen by the user and BA
|
|
- date: revealed to be today
|
|
- bucket: blinded, but proved in ZK that it's the same as in the Lox
|
|
credential above
|
|
- blockages: blinded, but proved in ZK that it's the same as in the Lox
|
|
credential above
|
|
|
|
*/
|
|
|
|
use curve25519_dalek::ristretto::RistrettoBasepointTable;
|
|
use curve25519_dalek::ristretto::RistrettoPoint;
|
|
use curve25519_dalek::scalar::Scalar;
|
|
use curve25519_dalek::traits::IsIdentity;
|
|
|
|
use zkp::CompactProof;
|
|
use zkp::ProofError;
|
|
use zkp::Transcript;
|
|
|
|
use serde::{Deserialize, Serialize};
|
|
|
|
use super::super::cred;
|
|
use super::super::dup_filter::SeenType;
|
|
use super::super::scalar_u32;
|
|
use super::super::{BridgeAuth, IssuerPubKey};
|
|
use super::super::{CMZ_A, CMZ_A_TABLE, CMZ_B, CMZ_B_TABLE};
|
|
|
|
#[derive(Serialize, Deserialize)]
|
|
pub struct Request {
|
|
// Fields for blind showing the Lox credential
|
|
P: RistrettoPoint,
|
|
id: Scalar,
|
|
CBucket: RistrettoPoint,
|
|
CLevel: RistrettoPoint,
|
|
CSince: RistrettoPoint,
|
|
CInvRemain: RistrettoPoint,
|
|
CBlockages: RistrettoPoint,
|
|
CQ: RistrettoPoint,
|
|
|
|
// Fields for blind showing the Bucket Reachability credential
|
|
P_reach: RistrettoPoint,
|
|
CBucket_reach: RistrettoPoint,
|
|
CQ_reach: RistrettoPoint,
|
|
|
|
// Fields for user blinding of the Lox credential to be issued
|
|
D: RistrettoPoint,
|
|
EncIdClient: (RistrettoPoint, RistrettoPoint),
|
|
EncBucket: (RistrettoPoint, RistrettoPoint),
|
|
EncLevel: (RistrettoPoint, RistrettoPoint),
|
|
EncSince: (RistrettoPoint, RistrettoPoint),
|
|
EncInvRemain: (RistrettoPoint, RistrettoPoint),
|
|
EncBlockages: (RistrettoPoint, RistrettoPoint),
|
|
|
|
// Fields for user blinding of the Inivtation credential to be
|
|
// issued
|
|
EncInvIdClient: (RistrettoPoint, RistrettoPoint),
|
|
// The bucket and blockages attributes in the Invitation credential
|
|
// issuing protocol can just reuse the exact encryptions as for the
|
|
// Lox credential issuing protocol above.
|
|
|
|
// The combined ZKP
|
|
piUser: CompactProof,
|
|
}
|
|
|
|
#[derive(Debug)]
|
|
pub struct State {
|
|
d: Scalar,
|
|
D: RistrettoPoint,
|
|
EncIdClient: (RistrettoPoint, RistrettoPoint),
|
|
EncBucket: (RistrettoPoint, RistrettoPoint),
|
|
EncLevel: (RistrettoPoint, RistrettoPoint),
|
|
EncSince: (RistrettoPoint, RistrettoPoint),
|
|
EncInvRemain: (RistrettoPoint, RistrettoPoint),
|
|
EncBlockages: (RistrettoPoint, RistrettoPoint),
|
|
EncInvIdClient: (RistrettoPoint, RistrettoPoint),
|
|
id_client: Scalar,
|
|
bucket: Scalar,
|
|
level: Scalar,
|
|
since: Scalar,
|
|
invremain: Scalar,
|
|
blockages: Scalar,
|
|
inv_id_client: Scalar,
|
|
}
|
|
|
|
#[derive(Serialize, Deserialize)]
|
|
pub struct Response {
|
|
// The fields for the new Lox credential; the new invites_remaining
|
|
// is one less than the old value, so we don't have to include it
|
|
// here explicitly
|
|
P: RistrettoPoint,
|
|
EncQ: (RistrettoPoint, RistrettoPoint),
|
|
id_server: Scalar,
|
|
TId: RistrettoPoint,
|
|
TBucket: RistrettoPoint,
|
|
TLevel: RistrettoPoint,
|
|
TSince: RistrettoPoint,
|
|
TInvRemain: RistrettoPoint,
|
|
TBlockages: RistrettoPoint,
|
|
|
|
// The fields for the new Invitation credential
|
|
P_inv: RistrettoPoint,
|
|
EncQ_inv: (RistrettoPoint, RistrettoPoint),
|
|
inv_id_server: Scalar,
|
|
TId_inv: RistrettoPoint,
|
|
date_inv: Scalar,
|
|
TBucket_inv: RistrettoPoint,
|
|
TBlockages_inv: RistrettoPoint,
|
|
|
|
// The ZKP
|
|
piBlindIssue: CompactProof,
|
|
}
|
|
|
|
define_proof! {
|
|
requestproof,
|
|
"Issue Invite Request",
|
|
(bucket, level, since, invremain, blockages, zbucket, zlevel,
|
|
zsince, zinvremain, zblockages, negzQ,
|
|
zbucket_reach, negzQ_reach,
|
|
d, eid_client, ebucket, elevel, esince, einvremain, eblockages, id_client,
|
|
inv_id_client, einv_id_client,
|
|
invremain_inverse, zinvremain_inverse),
|
|
(P, CBucket, CLevel, CSince, CInvRemain, CBlockages, V, Xbucket,
|
|
Xlevel, Xsince, Xinvremain, Xblockages,
|
|
P_reach, CBucket_reach, V_reach, Xbucket_reach,
|
|
D, EncIdClient0, EncIdClient1, EncBucket0, EncBucket1,
|
|
EncLevel0, EncLevel1, EncSince0, EncSince1,
|
|
EncInvRemain0, EncInvRemain1_plus_B, EncBlockages0, EncBlockages1,
|
|
EncInvIdClient0, EncInvIdClient1),
|
|
(A, B):
|
|
// Blind showing of the Lox credential
|
|
CBucket = (bucket*P + zbucket*A),
|
|
CLevel = (level*P + zlevel*A),
|
|
CSince = (since*P + zsince*A),
|
|
CInvRemain = (invremain*P + zinvremain*A),
|
|
CBlockages = (blockages*P + zblockages*A),
|
|
// Proof that invremain is not 0
|
|
P = (invremain_inverse*CInvRemain + zinvremain_inverse*A),
|
|
// Blind showing of the Bucket Reachability credential; note the
|
|
// same bucket is used in the proof
|
|
CBucket_reach = (bucket*P_reach + zbucket_reach*A),
|
|
// User blinding of the Lox credential to be issued
|
|
D = (d*B),
|
|
EncIdClient0 = (eid_client*B),
|
|
EncIdClient1 = (id_client*B + eid_client*D),
|
|
EncBucket0 = (ebucket*B),
|
|
EncBucket1 = (bucket*B + ebucket*D),
|
|
EncLevel0 = (elevel*B),
|
|
EncLevel1 = (level*B + elevel*D),
|
|
EncSince0 = (esince*B),
|
|
EncSince1 = (since*B + esince*D),
|
|
EncInvRemain0 = (einvremain*B),
|
|
EncInvRemain1_plus_B = (invremain*B + einvremain*D),
|
|
EncBlockages0 = (eblockages*B),
|
|
EncBlockages1 = (blockages*B + eblockages*D),
|
|
// User blinding of the Invitation to be issued
|
|
EncInvIdClient0 = (einv_id_client*B),
|
|
EncInvIdClient1 = (inv_id_client*B + einv_id_client*D)
|
|
}
|
|
|
|
define_proof! {
|
|
blindissue,
|
|
"Issue Invite Issuing",
|
|
(x0, x0tilde, xid, xbucket, xlevel, xsince, xinvremain, xblockages,
|
|
s, b, tid, tbucket, tlevel, tsince, tinvremain, tblockages,
|
|
x0_inv, x0tilde_inv, xid_inv, xdate_inv, xbucket_inv,
|
|
xblockages_inv,
|
|
s_inv, b_inv, tid_inv, tbucket_inv, tblockages_inv),
|
|
(P, EncQ0, EncQ1, X0, Xid, Xbucket, Xlevel, Xsince, Xinvremain,
|
|
Xblockages, TId, TBucket, TLevel, TSince, TInvRemain, TBlockages,
|
|
P_inv, EncQ_inv0, EncQ_inv1, X0_inv, Xid_inv, Xdate_inv,
|
|
Xbucket_inv, Xblockages_inv, Pdate_inv, TId_inv, TBucket_inv,
|
|
TBlockages_inv,
|
|
D, EncId0, EncId1, EncBucket0, EncBucket1, EncLevel0, EncLevel1,
|
|
EncSince0, EncSince1, EncInvRemain0, EncInvRemain1,
|
|
EncBlockages0, EncBlockages1,
|
|
EncInvId0, EncInvId1),
|
|
(A, B):
|
|
Xid = (xid*A),
|
|
Xbucket = (xbucket*A),
|
|
Xlevel = (xlevel*A),
|
|
Xsince = (xsince*A),
|
|
Xinvremain = (xinvremain*A),
|
|
Xblockages = (xblockages*A),
|
|
X0 = (x0*B + x0tilde*A),
|
|
P = (b*B),
|
|
TId = (b*Xid),
|
|
TId = (tid*A),
|
|
TBucket = (b*Xbucket),
|
|
TBucket = (tbucket*A),
|
|
TLevel = (b*Xlevel),
|
|
TLevel = (tlevel*A),
|
|
TSince = (b*Xsince),
|
|
TSince = (tsince*A),
|
|
TInvRemain = (b*Xinvremain),
|
|
TInvRemain = (tinvremain*A),
|
|
TBlockages = (b*Xblockages),
|
|
TBlockages = (tblockages*A),
|
|
EncQ0 = (s*B + tid*EncId0 + tbucket*EncBucket0 + tlevel*EncLevel0
|
|
+ tsince*EncSince0 + tinvremain*EncInvRemain0 + tblockages*EncBlockages0),
|
|
EncQ1 = (s*D + tid*EncId1 + tbucket*EncBucket1 + tlevel*EncLevel1
|
|
+ tsince*EncSince1 + tinvremain*EncInvRemain1 + tblockages*EncBlockages1
|
|
+ x0*P),
|
|
Xid_inv = (xid_inv*A),
|
|
Xdate_inv = (xdate_inv*A),
|
|
Xbucket_inv = (xbucket_inv*A),
|
|
Xblockages_inv = (xblockages_inv*A),
|
|
X0_inv = (x0_inv*B + x0tilde_inv*A),
|
|
P_inv = (b_inv*B),
|
|
TId_inv = (b_inv*Xid_inv),
|
|
TId_inv = (tid_inv*A),
|
|
TBucket_inv = (b_inv*Xbucket_inv),
|
|
TBucket_inv = (tbucket_inv*A),
|
|
TBlockages_inv = (b_inv*Xblockages_inv),
|
|
TBlockages_inv = (tblockages_inv*A),
|
|
EncQ_inv0 = (s_inv*B + tid_inv*EncInvId0 + tbucket_inv*EncBucket0
|
|
+ tblockages_inv*EncBlockages0),
|
|
EncQ_inv1 = (s_inv*D + tid_inv*EncInvId1 + tbucket_inv*EncBucket1
|
|
+ tblockages_inv*EncBlockages1 + x0_inv*P_inv + xdate_inv*Pdate_inv)
|
|
}
|
|
|
|
pub fn request(
|
|
lox_cred: &cred::Lox,
|
|
reach_cred: &cred::BucketReachability,
|
|
lox_pub: &IssuerPubKey,
|
|
reach_pub: &IssuerPubKey,
|
|
today: u32,
|
|
) -> Result<(Request, State), ProofError> {
|
|
let A: &RistrettoPoint = &CMZ_A;
|
|
let B: &RistrettoPoint = &CMZ_B;
|
|
let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
|
// Ensure the credential can be correctly shown: it must be the case
|
|
// that invites_remaining not be 0
|
|
if lox_cred.invites_remaining == Scalar::zero() {
|
|
return Err(ProofError::VerificationFailure);
|
|
}
|
|
// The buckets in the Lox and Bucket Reachability credentials have
|
|
// to match
|
|
if lox_cred.bucket != reach_cred.bucket {
|
|
return Err(ProofError::VerificationFailure);
|
|
}
|
|
// The Bucket Reachability credential has to be dated today
|
|
let reach_date: u32 = match scalar_u32(&reach_cred.date) {
|
|
Some(v) => v,
|
|
None => return Err(ProofError::VerificationFailure),
|
|
};
|
|
if reach_date != today {
|
|
return Err(ProofError::VerificationFailure);
|
|
}
|
|
// The new invites_remaining
|
|
let new_invites_remaining = lox_cred.invites_remaining - Scalar::one();
|
|
|
|
// Blind showing the Lox credential
|
|
|
|
// Reblind P and Q
|
|
let mut rng = rand::thread_rng();
|
|
let t = Scalar::random(&mut rng);
|
|
let P = t * lox_cred.P;
|
|
let Q = t * lox_cred.Q;
|
|
|
|
// Form Pedersen commitments to the blinded attributes
|
|
let zbucket = Scalar::random(&mut rng);
|
|
let zlevel = Scalar::random(&mut rng);
|
|
let zsince = Scalar::random(&mut rng);
|
|
let zinvremain = Scalar::random(&mut rng);
|
|
let zblockages = Scalar::random(&mut rng);
|
|
let CBucket = lox_cred.bucket * P + &zbucket * Atable;
|
|
let CLevel = lox_cred.trust_level * P + &zlevel * Atable;
|
|
let CSince = lox_cred.level_since * P + &zsince * Atable;
|
|
let CInvRemain = lox_cred.invites_remaining * P + &zinvremain * Atable;
|
|
let CBlockages = lox_cred.blockages * P + &zblockages * Atable;
|
|
|
|
// Form a Pedersen commitment to the MAC Q
|
|
// We flip the sign of zQ from that of the Hyphae paper so that
|
|
// the ZKP has a "+" instead of a "-", as that's what the zkp
|
|
// macro supports.
|
|
let negzQ = Scalar::random(&mut rng);
|
|
let CQ = Q - &negzQ * Atable;
|
|
|
|
// Compute the "error factor"
|
|
let V = zbucket * lox_pub.X[2]
|
|
+ zlevel * lox_pub.X[3]
|
|
+ zsince * lox_pub.X[4]
|
|
+ zinvremain * lox_pub.X[5]
|
|
+ zblockages * lox_pub.X[6]
|
|
+ &negzQ * Atable;
|
|
|
|
// Blind showing the Bucket Reachability credential
|
|
|
|
// Reblind P and Q
|
|
let t_reach = Scalar::random(&mut rng);
|
|
let P_reach = t_reach * reach_cred.P;
|
|
let Q_reach = t_reach * reach_cred.Q;
|
|
|
|
// Form Pedersen commitments to the blinded attributes
|
|
let zbucket_reach = Scalar::random(&mut rng);
|
|
let CBucket_reach = reach_cred.bucket * P_reach + &zbucket_reach * Atable;
|
|
|
|
// Form a Pedersen commitment to the MAC Q
|
|
// We flip the sign of zQ from that of the Hyphae paper so that
|
|
// the ZKP has a "+" instead of a "-", as that's what the zkp
|
|
// macro supports.
|
|
let negzQ_reach = Scalar::random(&mut rng);
|
|
let CQ_reach = Q_reach - &negzQ_reach * Atable;
|
|
|
|
// Compute the "error factor"
|
|
let V_reach = zbucket_reach * reach_pub.X[2] + &negzQ_reach * Atable;
|
|
|
|
// User blinding for the Lox certificate to be issued
|
|
|
|
// Pick an ElGamal keypair
|
|
let d = Scalar::random(&mut rng);
|
|
let D = &d * Btable;
|
|
|
|
// Pick a random client component of the id
|
|
let id_client = Scalar::random(&mut rng);
|
|
|
|
// Encrypt it (times the basepoint B) to the ElGamal public key D we
|
|
// just created
|
|
let eid_client = Scalar::random(&mut rng);
|
|
let EncIdClient = (&eid_client * Btable, &id_client * Btable + eid_client * D);
|
|
|
|
// Encrypt the other blinded fields (times B) to D as well
|
|
let ebucket = Scalar::random(&mut rng);
|
|
let EncBucket = (&ebucket * Btable, &lox_cred.bucket * Btable + ebucket * D);
|
|
let elevel = Scalar::random(&mut rng);
|
|
let EncLevel = (
|
|
&elevel * Btable,
|
|
&lox_cred.trust_level * Btable + elevel * D,
|
|
);
|
|
let esince = Scalar::random(&mut rng);
|
|
let EncSince = (
|
|
&esince * Btable,
|
|
&lox_cred.level_since * Btable + esince * D,
|
|
);
|
|
let einvremain = Scalar::random(&mut rng);
|
|
let EncInvRemain = (
|
|
&einvremain * Btable,
|
|
&new_invites_remaining * Btable + einvremain * D,
|
|
);
|
|
let eblockages = Scalar::random(&mut rng);
|
|
let EncBlockages = (
|
|
&eblockages * Btable,
|
|
&lox_cred.blockages * Btable + eblockages * D,
|
|
);
|
|
|
|
// User blinding for the Invitation certificate to be issued
|
|
|
|
// Pick a random client component of the id
|
|
let inv_id_client = Scalar::random(&mut rng);
|
|
|
|
// Encrypt it (times the basepoint B) to the ElGamal public key D we
|
|
// just created
|
|
let einv_id_client = Scalar::random(&mut rng);
|
|
let EncInvIdClient = (
|
|
&einv_id_client * Btable,
|
|
&inv_id_client * Btable + einv_id_client * D,
|
|
);
|
|
|
|
// The proof that invites_remaining is not zero. We prove this by
|
|
// demonstrating that we know its inverse.
|
|
let invremain_inverse = &lox_cred.invites_remaining.invert();
|
|
|
|
let zinvremain_inverse = -zinvremain * invremain_inverse;
|
|
|
|
// So now invremain_inverse * CInvRemain + zinvremain_inverse * A = P
|
|
|
|
// Construct the proof
|
|
let mut transcript = Transcript::new(b"issue invite request");
|
|
let piUser = requestproof::prove_compact(
|
|
&mut transcript,
|
|
requestproof::ProveAssignments {
|
|
A: &A,
|
|
B: &B,
|
|
P: &P,
|
|
CBucket: &CBucket,
|
|
CLevel: &CLevel,
|
|
CSince: &CSince,
|
|
CInvRemain: &CInvRemain,
|
|
CBlockages: &CBlockages,
|
|
V: &V,
|
|
Xbucket: &lox_pub.X[2],
|
|
Xlevel: &lox_pub.X[3],
|
|
Xsince: &lox_pub.X[4],
|
|
Xinvremain: &lox_pub.X[5],
|
|
Xblockages: &lox_pub.X[6],
|
|
P_reach: &P_reach,
|
|
CBucket_reach: &CBucket_reach,
|
|
V_reach: &V_reach,
|
|
Xbucket_reach: &reach_pub.X[2],
|
|
D: &D,
|
|
EncIdClient0: &EncIdClient.0,
|
|
EncIdClient1: &EncIdClient.1,
|
|
EncBucket0: &EncBucket.0,
|
|
EncBucket1: &EncBucket.1,
|
|
EncLevel0: &EncLevel.0,
|
|
EncLevel1: &EncLevel.1,
|
|
EncSince0: &EncSince.0,
|
|
EncSince1: &EncSince.1,
|
|
EncInvRemain0: &EncInvRemain.0,
|
|
EncInvRemain1_plus_B: &(EncInvRemain.1 + B),
|
|
EncBlockages0: &EncBlockages.0,
|
|
EncBlockages1: &EncBlockages.1,
|
|
EncInvIdClient0: &EncInvIdClient.0,
|
|
EncInvIdClient1: &EncInvIdClient.1,
|
|
bucket: &lox_cred.bucket,
|
|
level: &lox_cred.trust_level,
|
|
since: &lox_cred.level_since,
|
|
invremain: &lox_cred.invites_remaining,
|
|
blockages: &lox_cred.blockages,
|
|
zbucket: &zbucket,
|
|
zlevel: &zlevel,
|
|
zsince: &zsince,
|
|
zinvremain: &zinvremain,
|
|
zblockages: &zblockages,
|
|
negzQ: &negzQ,
|
|
zbucket_reach: &zbucket_reach,
|
|
negzQ_reach: &negzQ_reach,
|
|
d: &d,
|
|
eid_client: &eid_client,
|
|
ebucket: &ebucket,
|
|
elevel: &elevel,
|
|
esince: &esince,
|
|
einvremain: &einvremain,
|
|
eblockages: &eblockages,
|
|
id_client: &id_client,
|
|
inv_id_client: &inv_id_client,
|
|
einv_id_client: &einv_id_client,
|
|
invremain_inverse: &invremain_inverse,
|
|
zinvremain_inverse: &zinvremain_inverse,
|
|
},
|
|
)
|
|
.0;
|
|
|
|
Ok((
|
|
Request {
|
|
P,
|
|
id: lox_cred.id,
|
|
CBucket,
|
|
CLevel,
|
|
CSince,
|
|
CInvRemain,
|
|
CBlockages,
|
|
CQ,
|
|
P_reach,
|
|
CBucket_reach,
|
|
CQ_reach,
|
|
D,
|
|
EncIdClient,
|
|
EncBucket,
|
|
EncLevel,
|
|
EncSince,
|
|
EncInvRemain,
|
|
EncBlockages,
|
|
EncInvIdClient,
|
|
piUser,
|
|
},
|
|
State {
|
|
d,
|
|
D,
|
|
EncIdClient,
|
|
EncBucket,
|
|
EncLevel,
|
|
EncSince,
|
|
EncInvRemain,
|
|
EncBlockages,
|
|
EncInvIdClient,
|
|
id_client,
|
|
bucket: lox_cred.bucket,
|
|
level: lox_cred.trust_level,
|
|
since: lox_cred.level_since,
|
|
invremain: new_invites_remaining,
|
|
blockages: lox_cred.blockages,
|
|
inv_id_client,
|
|
},
|
|
))
|
|
}
|
|
|
|
impl BridgeAuth {
|
|
/// Receive an issue invite request
|
|
pub fn handle_issue_invite(&mut self, req: Request) -> Result<Response, ProofError> {
|
|
let A: &RistrettoPoint = &CMZ_A;
|
|
let B: &RistrettoPoint = &CMZ_B;
|
|
let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
|
if req.P.is_identity() || req.P_reach.is_identity() {
|
|
return Err(ProofError::VerificationFailure);
|
|
}
|
|
|
|
let today: Scalar = self.today().into();
|
|
|
|
// Recompute the "error factors" using knowledge of our own
|
|
// (the issuer's) private key instead of knowledge of the
|
|
// hidden attributes
|
|
let Vprime = (self.lox_priv.x[0] + self.lox_priv.x[1] * req.id) * req.P
|
|
+ self.lox_priv.x[2] * req.CBucket
|
|
+ self.lox_priv.x[3] * req.CLevel
|
|
+ self.lox_priv.x[4] * req.CSince
|
|
+ self.lox_priv.x[5] * req.CInvRemain
|
|
+ self.lox_priv.x[6] * req.CBlockages
|
|
- req.CQ;
|
|
|
|
let Vprime_reach = (self.reachability_priv.x[0] + self.reachability_priv.x[1] * today)
|
|
* req.P_reach
|
|
+ self.reachability_priv.x[2] * req.CBucket_reach
|
|
- req.CQ_reach;
|
|
|
|
// Verify the ZKP
|
|
let mut transcript = Transcript::new(b"issue invite request");
|
|
requestproof::verify_compact(
|
|
&req.piUser,
|
|
&mut transcript,
|
|
requestproof::VerifyAssignments {
|
|
A: &A.compress(),
|
|
B: &B.compress(),
|
|
P: &req.P.compress(),
|
|
CBucket: &req.CBucket.compress(),
|
|
CLevel: &req.CLevel.compress(),
|
|
CSince: &req.CSince.compress(),
|
|
CInvRemain: &req.CInvRemain.compress(),
|
|
CBlockages: &req.CBlockages.compress(),
|
|
V: &Vprime.compress(),
|
|
Xbucket: &self.lox_pub.X[2].compress(),
|
|
Xlevel: &self.lox_pub.X[3].compress(),
|
|
Xsince: &self.lox_pub.X[4].compress(),
|
|
Xinvremain: &self.lox_pub.X[5].compress(),
|
|
Xblockages: &self.lox_pub.X[6].compress(),
|
|
P_reach: &req.P_reach.compress(),
|
|
CBucket_reach: &req.CBucket_reach.compress(),
|
|
V_reach: &Vprime_reach.compress(),
|
|
Xbucket_reach: &self.reachability_pub.X[2].compress(),
|
|
D: &req.D.compress(),
|
|
EncIdClient0: &req.EncIdClient.0.compress(),
|
|
EncIdClient1: &req.EncIdClient.1.compress(),
|
|
EncBucket0: &req.EncBucket.0.compress(),
|
|
EncBucket1: &req.EncBucket.1.compress(),
|
|
EncLevel0: &req.EncLevel.0.compress(),
|
|
EncLevel1: &req.EncLevel.1.compress(),
|
|
EncSince0: &req.EncSince.0.compress(),
|
|
EncSince1: &req.EncSince.1.compress(),
|
|
EncInvRemain0: &req.EncInvRemain.0.compress(),
|
|
EncInvRemain1_plus_B: &(req.EncInvRemain.1 + B).compress(),
|
|
EncBlockages0: &req.EncBlockages.0.compress(),
|
|
EncBlockages1: &req.EncBlockages.1.compress(),
|
|
EncInvIdClient0: &req.EncInvIdClient.0.compress(),
|
|
EncInvIdClient1: &req.EncInvIdClient.1.compress(),
|
|
},
|
|
)?;
|
|
|
|
// Ensure the id has not been seen before, and add it to the
|
|
// seen list.
|
|
if self.id_filter.filter(&req.id) == SeenType::Seen {
|
|
return Err(ProofError::VerificationFailure);
|
|
}
|
|
|
|
// Blind issuing of the new Lox credential
|
|
|
|
// Choose a random server id component to add to the client's
|
|
// (blinded) id component
|
|
let mut rng = rand::thread_rng();
|
|
let id_server = Scalar::random(&mut rng);
|
|
let EncId = (req.EncIdClient.0, req.EncIdClient.1 + &id_server * Btable);
|
|
|
|
// Compute the MAC on the visible attributes (none here)
|
|
let b = Scalar::random(&mut rng);
|
|
let P = &b * Btable;
|
|
let QHc = self.lox_priv.x[0] * P;
|
|
|
|
// El Gamal encrypt it to the public key req.D
|
|
let s = Scalar::random(&mut rng);
|
|
let EncQHc = (&s * Btable, QHc + s * req.D);
|
|
|
|
// Homomorphically compute the part of the MAC corresponding to
|
|
// the blinded attributes
|
|
let tid = self.lox_priv.x[1] * b;
|
|
let TId = &tid * Atable;
|
|
let EncQId = (tid * EncId.0, tid * EncId.1);
|
|
let tbucket = self.lox_priv.x[2] * b;
|
|
let TBucket = &tbucket * Atable;
|
|
let EncQBucket = (tbucket * req.EncBucket.0, tbucket * req.EncBucket.1);
|
|
let tlevel = self.lox_priv.x[3] * b;
|
|
let TLevel = &tlevel * Atable;
|
|
let EncQLevel = (tlevel * req.EncLevel.0, tlevel * req.EncLevel.1);
|
|
let tsince = self.lox_priv.x[4] * b;
|
|
let TSince = &tsince * Atable;
|
|
let EncQSince = (tsince * req.EncSince.0, tsince * req.EncSince.1);
|
|
let tinvremain = self.lox_priv.x[5] * b;
|
|
let TInvRemain = &tinvremain * Atable;
|
|
let EncQInvRemain = (
|
|
tinvremain * req.EncInvRemain.0,
|
|
tinvremain * req.EncInvRemain.1,
|
|
);
|
|
let tblockages = self.lox_priv.x[6] * b;
|
|
let TBlockages = &tblockages * Atable;
|
|
let EncQBlockages = (
|
|
tblockages * req.EncBlockages.0,
|
|
tblockages * req.EncBlockages.1,
|
|
);
|
|
|
|
let EncQ = (
|
|
EncQHc.0
|
|
+ EncQId.0
|
|
+ EncQBucket.0
|
|
+ EncQLevel.0
|
|
+ EncQSince.0
|
|
+ EncQInvRemain.0
|
|
+ EncQBlockages.0,
|
|
EncQHc.1
|
|
+ EncQId.1
|
|
+ EncQBucket.1
|
|
+ EncQLevel.1
|
|
+ EncQSince.1
|
|
+ EncQInvRemain.1
|
|
+ EncQBlockages.1,
|
|
);
|
|
|
|
// Blind issuing of the new Invitation credential
|
|
|
|
// Choose a random server id component to add to the client's
|
|
// (blinded) id component
|
|
let inv_id_server = Scalar::random(&mut rng);
|
|
let EncInvId = (
|
|
req.EncInvIdClient.0,
|
|
req.EncInvIdClient.1 + &inv_id_server * Btable,
|
|
);
|
|
|
|
// Compute the MAC on the visible attributes
|
|
let b_inv = Scalar::random(&mut rng);
|
|
let P_inv = &b_inv * Btable;
|
|
let QHc_inv = (self.invitation_priv.x[0] + self.invitation_priv.x[2] * today) * P_inv;
|
|
|
|
// El Gamal encrypt it to the public key req.D
|
|
let s_inv = Scalar::random(&mut rng);
|
|
let EncQHc_inv = (&s_inv * Btable, QHc_inv + s_inv * req.D);
|
|
|
|
// Homomorphically compute the part of the MAC corresponding to
|
|
// the blinded attributes
|
|
let tinvid = self.invitation_priv.x[1] * b_inv;
|
|
let TId_inv = &tinvid * Atable;
|
|
let EncQInvId = (tinvid * EncInvId.0, tinvid * EncInvId.1);
|
|
let tinvbucket = self.invitation_priv.x[3] * b_inv;
|
|
let TBucket_inv = &tinvbucket * Atable;
|
|
// The bucket and blockages encrypted attributes are reused from
|
|
// the Lox credential
|
|
let EncQInvBucket = (tinvbucket * req.EncBucket.0, tinvbucket * req.EncBucket.1);
|
|
let tinvblockages = self.invitation_priv.x[4] * b_inv;
|
|
let TBlockages_inv = &tinvblockages * Atable;
|
|
let EncQInvBlockages = (
|
|
tinvblockages * req.EncBlockages.0,
|
|
tinvblockages * req.EncBlockages.1,
|
|
);
|
|
|
|
let EncQ_inv = (
|
|
EncQHc_inv.0 + EncQInvId.0 + EncQInvBucket.0 + EncQInvBlockages.0,
|
|
EncQHc_inv.1 + EncQInvId.1 + EncQInvBucket.1 + EncQInvBlockages.1,
|
|
);
|
|
|
|
let mut transcript = Transcript::new(b"issue invite issuing");
|
|
let piBlindIssue = blindissue::prove_compact(
|
|
&mut transcript,
|
|
blindissue::ProveAssignments {
|
|
A: &A,
|
|
B: &B,
|
|
P: &P,
|
|
EncQ0: &EncQ.0,
|
|
EncQ1: &EncQ.1,
|
|
X0: &self.lox_pub.X[0],
|
|
Xid: &self.lox_pub.X[1],
|
|
Xbucket: &self.lox_pub.X[2],
|
|
Xlevel: &self.lox_pub.X[3],
|
|
Xsince: &self.lox_pub.X[4],
|
|
Xinvremain: &self.lox_pub.X[5],
|
|
Xblockages: &self.lox_pub.X[6],
|
|
TId: &TId,
|
|
TBucket: &TBucket,
|
|
TLevel: &TLevel,
|
|
TSince: &TSince,
|
|
TInvRemain: &TInvRemain,
|
|
TBlockages: &TBlockages,
|
|
P_inv: &P_inv,
|
|
EncQ_inv0: &EncQ_inv.0,
|
|
EncQ_inv1: &EncQ_inv.1,
|
|
X0_inv: &self.invitation_pub.X[0],
|
|
Xid_inv: &self.invitation_pub.X[1],
|
|
Xdate_inv: &self.invitation_pub.X[2],
|
|
Xbucket_inv: &self.invitation_pub.X[3],
|
|
Xblockages_inv: &self.invitation_pub.X[4],
|
|
Pdate_inv: &(today * P_inv),
|
|
TId_inv: &TId_inv,
|
|
TBucket_inv: &TBucket_inv,
|
|
TBlockages_inv: &TBlockages_inv,
|
|
D: &req.D,
|
|
EncId0: &EncId.0,
|
|
EncId1: &EncId.1,
|
|
EncBucket0: &req.EncBucket.0,
|
|
EncBucket1: &req.EncBucket.1,
|
|
EncLevel0: &req.EncLevel.0,
|
|
EncLevel1: &req.EncLevel.1,
|
|
EncSince0: &req.EncSince.0,
|
|
EncSince1: &req.EncSince.1,
|
|
EncInvRemain0: &req.EncInvRemain.0,
|
|
EncInvRemain1: &req.EncInvRemain.1,
|
|
EncBlockages0: &req.EncBlockages.0,
|
|
EncBlockages1: &req.EncBlockages.1,
|
|
EncInvId0: &EncInvId.0,
|
|
EncInvId1: &EncInvId.1,
|
|
x0: &self.lox_priv.x[0],
|
|
x0tilde: &self.lox_priv.x0tilde,
|
|
xid: &self.lox_priv.x[1],
|
|
xbucket: &self.lox_priv.x[2],
|
|
xlevel: &self.lox_priv.x[3],
|
|
xsince: &self.lox_priv.x[4],
|
|
xinvremain: &self.lox_priv.x[5],
|
|
xblockages: &self.lox_priv.x[6],
|
|
s: &s,
|
|
b: &b,
|
|
tid: &tid,
|
|
tbucket: &tbucket,
|
|
tlevel: &tlevel,
|
|
tsince: &tsince,
|
|
tinvremain: &tinvremain,
|
|
tblockages: &tblockages,
|
|
x0_inv: &self.invitation_priv.x[0],
|
|
x0tilde_inv: &self.invitation_priv.x0tilde,
|
|
xid_inv: &self.invitation_priv.x[1],
|
|
xdate_inv: &self.invitation_priv.x[2],
|
|
xbucket_inv: &self.invitation_priv.x[3],
|
|
xblockages_inv: &self.invitation_priv.x[4],
|
|
s_inv: &s_inv,
|
|
b_inv: &b_inv,
|
|
tid_inv: &tinvid,
|
|
tbucket_inv: &tinvbucket,
|
|
tblockages_inv: &tinvblockages,
|
|
},
|
|
)
|
|
.0;
|
|
|
|
Ok(Response {
|
|
P,
|
|
EncQ,
|
|
id_server,
|
|
TId,
|
|
TBucket,
|
|
TLevel,
|
|
TSince,
|
|
TInvRemain,
|
|
TBlockages,
|
|
P_inv,
|
|
EncQ_inv,
|
|
inv_id_server,
|
|
TId_inv,
|
|
date_inv: today,
|
|
TBucket_inv,
|
|
TBlockages_inv,
|
|
piBlindIssue,
|
|
})
|
|
}
|
|
}
|
|
|
|
/// Handle the response to the request, producing the new Lox credential
|
|
/// and Invitation credential if successful.
|
|
pub fn handle_response(
|
|
state: State,
|
|
resp: Response,
|
|
lox_pub: &IssuerPubKey,
|
|
invitation_pub: &IssuerPubKey,
|
|
) -> Result<(cred::Lox, cred::Invitation), ProofError> {
|
|
let A: &RistrettoPoint = &CMZ_A;
|
|
let B: &RistrettoPoint = &CMZ_B;
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
|
if resp.P.is_identity() || resp.P_inv.is_identity() {
|
|
return Err(ProofError::VerificationFailure);
|
|
}
|
|
|
|
// Add the server's contribution to the id to our own, both in plain
|
|
// and encrypted form and for both the Lox credential id and the
|
|
// Invitation credential id
|
|
let id = state.id_client + resp.id_server;
|
|
let EncId = (
|
|
state.EncIdClient.0,
|
|
state.EncIdClient.1 + &resp.id_server * Btable,
|
|
);
|
|
|
|
let inv_id = state.inv_id_client + resp.inv_id_server;
|
|
let EncInvId = (
|
|
state.EncInvIdClient.0,
|
|
state.EncInvIdClient.1 + &resp.inv_id_server * Btable,
|
|
);
|
|
|
|
// Verify the proof
|
|
let mut transcript = Transcript::new(b"issue invite issuing");
|
|
blindissue::verify_compact(
|
|
&resp.piBlindIssue,
|
|
&mut transcript,
|
|
blindissue::VerifyAssignments {
|
|
A: &A.compress(),
|
|
B: &B.compress(),
|
|
P: &resp.P.compress(),
|
|
EncQ0: &resp.EncQ.0.compress(),
|
|
EncQ1: &resp.EncQ.1.compress(),
|
|
X0: &lox_pub.X[0].compress(),
|
|
Xid: &lox_pub.X[1].compress(),
|
|
Xbucket: &lox_pub.X[2].compress(),
|
|
Xlevel: &lox_pub.X[3].compress(),
|
|
Xsince: &lox_pub.X[4].compress(),
|
|
Xinvremain: &lox_pub.X[5].compress(),
|
|
Xblockages: &lox_pub.X[6].compress(),
|
|
TId: &resp.TId.compress(),
|
|
TBucket: &resp.TBucket.compress(),
|
|
TLevel: &resp.TLevel.compress(),
|
|
TSince: &resp.TSince.compress(),
|
|
TInvRemain: &resp.TInvRemain.compress(),
|
|
TBlockages: &resp.TBlockages.compress(),
|
|
P_inv: &resp.P_inv.compress(),
|
|
EncQ_inv0: &resp.EncQ_inv.0.compress(),
|
|
EncQ_inv1: &resp.EncQ_inv.1.compress(),
|
|
X0_inv: &invitation_pub.X[0].compress(),
|
|
Xid_inv: &invitation_pub.X[1].compress(),
|
|
Xdate_inv: &invitation_pub.X[2].compress(),
|
|
Xbucket_inv: &invitation_pub.X[3].compress(),
|
|
Xblockages_inv: &invitation_pub.X[4].compress(),
|
|
Pdate_inv: &(resp.date_inv * resp.P_inv).compress(),
|
|
TId_inv: &resp.TId_inv.compress(),
|
|
TBucket_inv: &resp.TBucket_inv.compress(),
|
|
TBlockages_inv: &resp.TBlockages_inv.compress(),
|
|
D: &state.D.compress(),
|
|
EncId0: &EncId.0.compress(),
|
|
EncId1: &EncId.1.compress(),
|
|
EncBucket0: &state.EncBucket.0.compress(),
|
|
EncBucket1: &state.EncBucket.1.compress(),
|
|
EncLevel0: &state.EncLevel.0.compress(),
|
|
EncLevel1: &state.EncLevel.1.compress(),
|
|
EncSince0: &state.EncSince.0.compress(),
|
|
EncSince1: &state.EncSince.1.compress(),
|
|
EncInvRemain0: &state.EncInvRemain.0.compress(),
|
|
EncInvRemain1: &state.EncInvRemain.1.compress(),
|
|
EncBlockages0: &state.EncBlockages.0.compress(),
|
|
EncBlockages1: &state.EncBlockages.1.compress(),
|
|
EncInvId0: &EncInvId.0.compress(),
|
|
EncInvId1: &EncInvId.1.compress(),
|
|
},
|
|
)?;
|
|
|
|
// Decrypt EncQ and EncQ_inv
|
|
let Q = resp.EncQ.1 - (state.d * resp.EncQ.0);
|
|
let Q_inv = resp.EncQ_inv.1 - (state.d * resp.EncQ_inv.0);
|
|
|
|
Ok((
|
|
cred::Lox {
|
|
P: resp.P,
|
|
Q,
|
|
id,
|
|
bucket: state.bucket,
|
|
trust_level: state.level,
|
|
level_since: state.since,
|
|
invites_remaining: state.invremain,
|
|
blockages: state.blockages,
|
|
},
|
|
cred::Invitation {
|
|
P: resp.P_inv,
|
|
Q: Q_inv,
|
|
inv_id,
|
|
date: resp.date_inv,
|
|
bucket: state.bucket,
|
|
blockages: state.blockages,
|
|
},
|
|
))
|
|
}
|