|
@@ -38,8 +38,8 @@ impl IssuerPrivKey {
|
|
// Create an IssuerPrivKey for credentials with the given number of
|
|
// Create an IssuerPrivKey for credentials with the given number of
|
|
// attributes.
|
|
// attributes.
|
|
pub fn new(n: u16) -> IssuerPrivKey {
|
|
pub fn new(n: u16) -> IssuerPrivKey {
|
|
- let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
|
|
|
|
- let x0tilde: Scalar = Scalar::random(&mut rng);
|
|
|
|
|
|
+ let mut rng = rand::thread_rng();
|
|
|
|
+ let x0tilde = Scalar::random(&mut rng);
|
|
let mut x: Vec<Scalar> = Vec::with_capacity((n + 1) as usize);
|
|
let mut x: Vec<Scalar> = Vec::with_capacity((n + 1) as usize);
|
|
|
|
|
|
// Set x to a vector of n+1 random Scalars
|
|
// Set x to a vector of n+1 random Scalars
|
|
@@ -59,7 +59,7 @@ impl IssuerPubKey {
|
|
pub fn new(privkey: &IssuerPrivKey) -> IssuerPubKey {
|
|
pub fn new(privkey: &IssuerPrivKey) -> IssuerPubKey {
|
|
let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
- let n_plus_one: usize = privkey.x.len();
|
|
|
|
|
|
+ let n_plus_one = privkey.x.len();
|
|
let mut X: Vec<RistrettoPoint> = Vec::with_capacity(n_plus_one);
|
|
let mut X: Vec<RistrettoPoint> = Vec::with_capacity(n_plus_one);
|
|
|
|
|
|
// The first element is a special case; it is
|
|
// The first element is a special case; it is
|
|
@@ -195,13 +195,13 @@ pub mod issue_nonblind_5 {
|
|
let B: &RistrettoPoint = &CMZ_B;
|
|
let B: &RistrettoPoint = &CMZ_B;
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
|
|
|
- let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
|
|
|
|
- let b: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let P: RistrettoPoint = &b * Btable;
|
|
|
|
|
|
+ let mut rng = rand::thread_rng();
|
|
|
|
+ let b = Scalar::random(&mut rng);
|
|
|
|
+ let P = &b * Btable;
|
|
// There is a typo in the Hyphae paper: in Section 4.1, Q should
|
|
// There is a typo in the Hyphae paper: in Section 4.1, Q should
|
|
// also have an x0*P term (also in Q'). (You can see that term
|
|
// also have an x0*P term (also in Q'). (You can see that term
|
|
// in Section 4.2.)
|
|
// in Section 4.2.)
|
|
- let Q: RistrettoPoint = (self.privkey.x[0]
|
|
|
|
|
|
+ let Q = (self.privkey.x[0]
|
|
+ (self.privkey.x[1] * req.m1
|
|
+ (self.privkey.x[1] * req.m1
|
|
+ self.privkey.x[2] * req.m2
|
|
+ self.privkey.x[2] * req.m2
|
|
+ self.privkey.x[3] * req.m3
|
|
+ self.privkey.x[3] * req.m3
|
|
@@ -210,7 +210,7 @@ pub mod issue_nonblind_5 {
|
|
* P;
|
|
* P;
|
|
|
|
|
|
let mut transcript = Transcript::new(b"Nonblind 5 issuing proof");
|
|
let mut transcript = Transcript::new(b"Nonblind 5 issuing proof");
|
|
- let piNonblindIssue: CompactProof = issue::prove_compact(
|
|
|
|
|
|
+ let piNonblindIssue = issue::prove_compact(
|
|
&mut transcript,
|
|
&mut transcript,
|
|
issue::ProveAssignments {
|
|
issue::ProveAssignments {
|
|
A: &A,
|
|
A: &A,
|
|
@@ -410,21 +410,21 @@ pub mod issue_blind124_5 {
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
|
|
|
// Pick an ElGamal keypair
|
|
// Pick an ElGamal keypair
|
|
- let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
|
|
|
|
- let d: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let D: RistrettoPoint = &d * Btable;
|
|
|
|
|
|
+ let mut rng = rand::thread_rng();
|
|
|
|
+ let d = Scalar::random(&mut rng);
|
|
|
|
+ let D = &d * Btable;
|
|
|
|
|
|
// Encrypt the attributes to be blinded (each times the
|
|
// Encrypt the attributes to be blinded (each times the
|
|
// basepoint B) to the public key we just created
|
|
// basepoint B) to the public key we just created
|
|
- let e1: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let e2: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let e4: Scalar = Scalar::random(&mut rng);
|
|
|
|
|
|
+ let e1 = Scalar::random(&mut rng);
|
|
|
|
+ let e2 = Scalar::random(&mut rng);
|
|
|
|
+ let e4 = Scalar::random(&mut rng);
|
|
let Encm1B = (&e1 * Btable, m1 * Btable + e1 * D);
|
|
let Encm1B = (&e1 * Btable, m1 * Btable + e1 * D);
|
|
let Encm2B = (&e2 * Btable, m2 * Btable + e2 * D);
|
|
let Encm2B = (&e2 * Btable, m2 * Btable + e2 * D);
|
|
let Encm4B = (&e4 * Btable, m4 * Btable + e4 * D);
|
|
let Encm4B = (&e4 * Btable, m4 * Btable + e4 * D);
|
|
|
|
|
|
let mut transcript = Transcript::new(b"Blind124 5 userblind proof");
|
|
let mut transcript = Transcript::new(b"Blind124 5 userblind proof");
|
|
- let piUserBlinding: CompactProof = userblinding::prove_compact(
|
|
|
|
|
|
+ let piUserBlinding = userblinding::prove_compact(
|
|
&mut transcript,
|
|
&mut transcript,
|
|
userblinding::ProveAssignments {
|
|
userblinding::ProveAssignments {
|
|
B: &B,
|
|
B: &B,
|
|
@@ -500,14 +500,14 @@ pub mod issue_blind124_5 {
|
|
)?;
|
|
)?;
|
|
|
|
|
|
// Compute the MAC on the visible attributes
|
|
// Compute the MAC on the visible attributes
|
|
- let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
|
|
|
|
- let b: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let P: RistrettoPoint = &b * Btable;
|
|
|
|
- let QHc: RistrettoPoint =
|
|
|
|
|
|
+ let mut rng = rand::thread_rng();
|
|
|
|
+ let b = Scalar::random(&mut rng);
|
|
|
|
+ let P = &b * Btable;
|
|
|
|
+ let QHc =
|
|
(self.privkey.x[0] + (self.privkey.x[3] * req.m3 + self.privkey.x[5] * req.m5)) * P;
|
|
(self.privkey.x[0] + (self.privkey.x[3] * req.m3 + self.privkey.x[5] * req.m5)) * P;
|
|
|
|
|
|
// El Gamal encrypt it to the public key req.D
|
|
// El Gamal encrypt it to the public key req.D
|
|
- let s: Scalar = Scalar::random(&mut rng);
|
|
|
|
|
|
+ let s = Scalar::random(&mut rng);
|
|
let EncQHc = (&s * Btable, QHc + s * req.D);
|
|
let EncQHc = (&s * Btable, QHc + s * req.D);
|
|
|
|
|
|
// Homomorphically compute the part of the MAC corresponding to
|
|
// Homomorphically compute the part of the MAC corresponding to
|
|
@@ -528,7 +528,7 @@ pub mod issue_blind124_5 {
|
|
);
|
|
);
|
|
|
|
|
|
let mut transcript = Transcript::new(b"Blind124 5 issuing proof");
|
|
let mut transcript = Transcript::new(b"Blind124 5 issuing proof");
|
|
- let piBlindIssue: CompactProof = blindissue::prove_compact(
|
|
|
|
|
|
+ let piBlindIssue = blindissue::prove_compact(
|
|
&mut transcript,
|
|
&mut transcript,
|
|
blindissue::ProveAssignments {
|
|
blindissue::ProveAssignments {
|
|
A: &A,
|
|
A: &A,
|
|
@@ -700,33 +700,32 @@ pub mod show_blind345_5 {
|
|
let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
|
|
|
|
// Reblind P and Q
|
|
// Reblind P and Q
|
|
- let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
|
|
|
|
- let t: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let P: RistrettoPoint = t * cred.P;
|
|
|
|
- let Q: RistrettoPoint = t * cred.Q;
|
|
|
|
|
|
+ let mut rng = rand::thread_rng();
|
|
|
|
+ let t = Scalar::random(&mut rng);
|
|
|
|
+ let P = t * cred.P;
|
|
|
|
+ let Q = t * cred.Q;
|
|
|
|
|
|
// Form Pedersen commitments to the blinded attributes
|
|
// Form Pedersen commitments to the blinded attributes
|
|
- let z3: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let z4: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let z5: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let Cm3: RistrettoPoint = cred.m[3] * P + &z3 * Atable;
|
|
|
|
- let Cm4: RistrettoPoint = cred.m[4] * P + &z4 * Atable;
|
|
|
|
- let Cm5: RistrettoPoint = cred.m[5] * P + &z5 * Atable;
|
|
|
|
|
|
+ let z3 = Scalar::random(&mut rng);
|
|
|
|
+ let z4 = Scalar::random(&mut rng);
|
|
|
|
+ let z5 = Scalar::random(&mut rng);
|
|
|
|
+ let Cm3 = cred.m[3] * P + &z3 * Atable;
|
|
|
|
+ let Cm4 = cred.m[4] * P + &z4 * Atable;
|
|
|
|
+ let Cm5 = cred.m[5] * P + &z5 * Atable;
|
|
|
|
|
|
// Form a Pedersen commitment to the MAC Q
|
|
// Form a Pedersen commitment to the MAC Q
|
|
// We flip the sign of zQ from that of the Hyphae paper so that
|
|
// We flip the sign of zQ from that of the Hyphae paper so that
|
|
// the ZKP has a "+" instead of a "-", as that's what the zkp
|
|
// the ZKP has a "+" instead of a "-", as that's what the zkp
|
|
// macro supports.
|
|
// macro supports.
|
|
- let negzQ: Scalar = Scalar::random(&mut rng);
|
|
|
|
- let CQ: RistrettoPoint = Q - &negzQ * Atable;
|
|
|
|
|
|
+ let negzQ = Scalar::random(&mut rng);
|
|
|
|
+ let CQ = Q - &negzQ * Atable;
|
|
|
|
|
|
// Compute the "error factor"
|
|
// Compute the "error factor"
|
|
- let V: RistrettoPoint =
|
|
|
|
- z3 * pubkey.X[3] + z4 * pubkey.X[4] + z5 * pubkey.X[5] + &negzQ * Atable;
|
|
|
|
|
|
+ let V = z3 * pubkey.X[3] + z4 * pubkey.X[4] + z5 * pubkey.X[5] + &negzQ * Atable;
|
|
|
|
|
|
// Create the ZKP
|
|
// Create the ZKP
|
|
let mut transcript = Transcript::new(b"Blind345 5 showing proof");
|
|
let mut transcript = Transcript::new(b"Blind345 5 showing proof");
|
|
- let piCredShow: CompactProof = show::prove_compact(
|
|
|
|
|
|
+ let piCredShow = show::prove_compact(
|
|
&mut transcript,
|
|
&mut transcript,
|
|
show::ProveAssignments {
|
|
show::ProveAssignments {
|
|
A: &A,
|
|
A: &A,
|
|
@@ -781,7 +780,7 @@ pub mod show_blind345_5 {
|
|
// Recompute the "error factor" using knowledge of our own
|
|
// Recompute the "error factor" using knowledge of our own
|
|
// (the issuer's) private key instead of knowledge of the
|
|
// (the issuer's) private key instead of knowledge of the
|
|
// hidden attributes
|
|
// hidden attributes
|
|
- let Vprime: RistrettoPoint = (self.privkey.x[0]
|
|
|
|
|
|
+ let Vprime = (self.privkey.x[0]
|
|
+ (self.privkey.x[1] * showmsg.m1 + self.privkey.x[2] * showmsg.m2))
|
|
+ (self.privkey.x[1] * showmsg.m1 + self.privkey.x[2] * showmsg.m2))
|
|
* showmsg.P
|
|
* showmsg.P
|
|
+ self.privkey.x[3] * showmsg.Cm3
|
|
+ self.privkey.x[3] * showmsg.Cm3
|