|
@@ -107,6 +107,7 @@ pub struct Credential5 {
|
|
|
// are blinded to the issuer.
|
|
|
pub mod issue_nonblind_5 {
|
|
|
use curve25519_dalek::ristretto::RistrettoPoint;
|
|
|
+ use curve25519_dalek::ristretto::RistrettoBasepointTable;
|
|
|
use curve25519_dalek::scalar::Scalar;
|
|
|
use curve25519_dalek::traits::IsIdentity;
|
|
|
|
|
@@ -114,7 +115,7 @@ pub mod issue_nonblind_5 {
|
|
|
use zkp::ProofError;
|
|
|
use zkp::Transcript;
|
|
|
|
|
|
- use super::{CMZ_A,CMZ_B,Issuer,IssuerPubKey,Credential5};
|
|
|
+ use super::{CMZ_A,CMZ_B,CMZ_B_TABLE,Issuer,IssuerPubKey,Credential5};
|
|
|
|
|
|
#[derive(Debug)]
|
|
|
pub struct CredentialRequest {
|
|
@@ -184,10 +185,11 @@ pub mod issue_nonblind_5 {
|
|
|
-> CredentialResponse {
|
|
|
let A : &RistrettoPoint = &CMZ_A;
|
|
|
let B : &RistrettoPoint = &CMZ_B;
|
|
|
+ let Btable : &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
|
|
|
let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
|
|
|
let b: Scalar = Scalar::random(&mut rng);
|
|
|
- let P: RistrettoPoint = b * B;
|
|
|
+ let P: RistrettoPoint = &b * Btable;
|
|
|
// There is a typo in the Hyphae paper: in Section 4.1, Q should
|
|
|
// also have an x0*P term (also in Q'). (You can see that term
|
|
|
// in Section 4.2.)
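Review bot: `Btable` and `B` are bound from two separate statics (`CMZ_B_TABLE` and `CMZ_B`) at the top of this function, and nothing visible in the diff ties the table to the point, so `P` is only correct if the table was built from exactly `CMZ_B`. Their definitions are outside the hunks shown; if the table is not already derived with `RistrettoBasepointTable::create(&CMZ_B)` I would do that, and either way add a unit test such as `assert_eq!(CMZ_B_TABLE.basepoint(), *CMZ_B);`, with the same check for `CMZ_A_TABLE`. A mismatch would still compile and would only surface as MACs and proofs that fail to verify. The same pairing is relied on in the `issue_blind124_5` hunks at -439 and -460. The function body starts and ends outside this hunk.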
|
|
@@ -293,7 +295,8 @@ pub mod issue_blind124_5 {
|
|
|
use zkp::ProofError;
|
|
|
use zkp::Transcript;
|
|
|
|
|
|
- use super::{CMZ_A,CMZ_B,CMZ_B_TABLE,Issuer,IssuerPubKey,Credential5};
|
|
|
+ use super::{CMZ_A,CMZ_B,CMZ_A_TABLE,CMZ_B_TABLE};
|
|
|
+ use super::{Issuer,IssuerPubKey,Credential5};
|
|
|
|
|
|
// Example of a 5-attribute credential where the issuer sees attributes
|
|
|
// 3 and 5, but attributes 1, 2, and 4 are blinded.
|
|
@@ -439,6 +442,8 @@ pub mod issue_blind124_5 {
|
|
|
-> Result<CredentialResponse, ProofError> {
|
|
|
let A : &RistrettoPoint = &CMZ_A;
|
|
|
let B : &RistrettoPoint = &CMZ_B;
|
|
|
+ let Atable : &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
|
+ let Btable : &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
|
|
|
// First check the proof in the request
|
|
|
let mut transcript = Transcript::new(b"Blind124 5 userblind proof");
|
|
@@ -460,25 +465,25 @@ pub mod issue_blind124_5 {
|
|
|
// Compute the MAC on the visible attributes
|
|
|
let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
|
|
|
let b: Scalar = Scalar::random(&mut rng);
|
|
|
- let P: RistrettoPoint = b * B;
|
|
|
+ let P: RistrettoPoint = &b * Btable;
|
|
|
let QHc: RistrettoPoint = (self.privkey.x[0] + (
|
|
|
self.privkey.x[3] * req.m3 +
|
|
|
self.privkey.x[5] * req.m5)) * P;
|
|
|
|
|
|
// El Gamal encrypt it to the public key req.D
|
|
|
let s: Scalar = Scalar::random(&mut rng);
|
|
|
- let EncQHc = (s*B, QHc + s*req.D);
|
|
|
+ let EncQHc = (&s*Btable, QHc + s*req.D);
|
|
|
|
|
|
// Homomorphically compute the part of the MAC corresponding to
|
|
|
// the blinded attributes
|
|
|
let t1 = self.privkey.x[1] * b;
|
|
|
- let T1 = t1 * A;
|
|
|
+ let T1 = &t1 * Atable;
|
|
|
let EncQ1 = ( t1 * req.Encm1B.0, t1 * req.Encm1B.1 );
|
|
|
let t2 = self.privkey.x[2] * b;
|
|
|
- let T2 = t2 * A;
|
|
|
+ let T2 = &t2 * Atable;
|
|
|
let EncQ2 = ( t2 * req.Encm2B.0, t2 * req.Encm2B.1 );
|
|
|
let t4 = self.privkey.x[4] * b;
|
|
|
- let T4 = t4 * A;
|
|
|
+ let T4 = &t4 * Atable;
|
|
|
let EncQ4 = ( t4 * req.Encm4B.0, t4 * req.Encm4B.1 );
|
|
|
|
|
|
let EncQ = ( EncQHc.0 + EncQ1.0 + EncQ2.0 + EncQ4.0,
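Review bot: `QHc`, on the lines directly after the new `P`, is still a variable-base multiplication of an issuer-secret scalar by `P`, although `P` is `b*B` and the product could use the table this change introduces. Because the Ristretto group has prime order, it can be written as `let QHc: RistrettoPoint = &((self.privkey.x[0] + (self.privkey.x[3] * req.m3 + self.privkey.x[5] * req.m5)) * b) * Btable;`, which puts every issuer-side multiplication by a fixed generator on the precomputed path. The multiplications by request-supplied points (`s*req.D`, `t1 * req.Encm1B.0` and the like) have to stay variable-base. I would also add a short comment above `P` stating that `Atable`/`Btable` hold the same points as `A`/`B`, since both forms are now bound in this function, whose body continues outside the hunk.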
|