Be consistent about the ordering of the parameters in the ZKPs

Particularly D
Ian Goldberg 3 years ago
parent
commit
667641f5a3
3 changed files with 10 additions and 10 deletions
  1. 2 2
      src/proto/migration.rs
  2. 4 4
      src/proto/open_invite.rs
  3. 4 4
      src/proto/trust_promotion.rs

+ 2 - 2
src/proto/migration.rs

@@ -117,11 +117,11 @@ define_proof! {
     V_mig = (zfrombucket*Xfrombucket + ztobucket*Xtobucket + negzQ_mig*A),
     // User blinding of the Lox credential to be issued; note the use of
     // the same "tobucket" secret variable
+    D = (d*B),
     EncIdClient0 = (eid_client*B),
     EncIdClient1 = (id_client*B + eid_client*D),
     EncBucket0 = (ebucket*B),
-    EncBucket1 = (tobucket*B + ebucket*D),
-    D = (d*B)
+    EncBucket1 = (tobucket*B + ebucket*D)
 }
 
 define_proof! {
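Review bot: Moving `D = (d*B)` ahead of the `Enc*` statements is probably not purely cosmetic. As far as I can tell, `define_proof!` feeds the public points and the per-statement commitments into the Fiat-Shamir transcript in declaration order, so the challenge is derived differently after this change. If that holds, a proof produced by a build from before this commit will fail verification against a build from after it, and the same applies to the reordered point lists and statements in `src/proto/open_invite.rs` and `src/proto/trust_promotion.rs`. Client and bridge authority would then need to be upgraded together, and a comment such as `// NOTE: statement order is part of the proof transcript; reordering breaks compatibility with older peers` would record that. The `define_proof!` block starts above this hunk, so its public-point list is not visible here.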

+ 4 - 4
src/proto/open_invite.rs

@@ -62,11 +62,11 @@ define_proof! {
     userblinding,
     "Open Invitation User Blinding",
     (d, eid_client, id_client),
-    (EncIdClient0, EncIdClient1, D),
+    (D, EncIdClient0, EncIdClient1),
     (B) :
+    D = (d*B),
     EncIdClient0 = (eid_client*B),
-    EncIdClient1 = (id_client*B + eid_client*D),
-    D = (d*B)
+    EncIdClient1 = (id_client*B + eid_client*D)
 }
 
 // The issuing ZKP
@@ -113,9 +113,9 @@ pub fn request(invite: &[u8; OPENINV_LENGTH]) -> (Request, State) {
         &mut transcript,
         userblinding::ProveAssignments {
             B: &B,
+            D: &D,
             EncIdClient0: &EncIdClient.0,
             EncIdClient1: &EncIdClient.1,
-            D: &D,
             d: &d,
             eid_client: &eid_client,
             id_client: &id_client,
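Review bot: Nothing in the file records the ordering convention this commit establishes, so a later protocol can drift from it again. I would add a comment above the public-point list in `define_proof!`, e.g. `// Convention: D (the user's blinding key, D = d*B) is listed first, before the values blinded under it`. Note that the field reorder in the `userblinding::ProveAssignments { … }` literal in `request` has no effect on the proof, because the fields are named; only the order inside `define_proof!` can matter. `request` continues past the end of this hunk.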

+ 4 - 4
src/proto/trust_promotion.rs

@@ -123,7 +123,7 @@ define_proof! {
      wg0, wg1, wg2, wg3, wg4, wg5, wg6, wg7, wg8,
      yg0, yg1, yg2, yg3, yg4, yg5, yg6, yg7, yg8),
     (P, CBucket, CSince, V, Xbucket, Xsince,
-     EncBucket0, EncBucket1, D,
+     D, EncBucket0, EncBucket1,
      CG0, CG1, CG2, CG3, CG4, CG5, CG6, CG7, CG8,
      CG0sq, CG1sq, CG2sq, CG3sq, CG4sq, CG5sq, CG6sq, CG7sq, CG8sq),
     (A, B):
@@ -132,9 +132,9 @@ define_proof! {
     CSince = (since*P + zsince*A),
     V = (zbucket*Xbucket + zsince*Xsince + negzQ*A),
     // User blinding of the Migration Key credential
+    D = (d*B),
     EncBucket0 = (ebucket*B),
     EncBucket1 = (bucket*B + ebucket*D),
-    D = (d*B),
     // Prove CSince encodes a value at least UNTRUSTED_INTERVAL
     // days ago (and technically at most UNTRUSTED_INTERVAL+511 days
     // ago): first prove each of g0, ..., g8 is a bit by proving that
@@ -303,9 +303,9 @@ pub fn request(
             V: &V,
             Xbucket: &lox_pub.X[2],
             Xsince: &lox_pub.X[4],
+            D: &D,
             EncBucket0: &EncBucket.0,
             EncBucket1: &EncBucket.1,
-            D: &D,
             CG0: &CG0,
             CG1: &CG1,
             CG2: &CG2,
@@ -460,9 +460,9 @@ impl BridgeAuth {
                 V: &Vprime.compress(),
                 Xbucket: &self.lox_pub.X[2].compress(),
                 Xsince: &self.lox_pub.X[4].compress(),
+                D: &req.D.compress(),
                 EncBucket0: &req.EncBucket.0.compress(),
                 EncBucket1: &req.EncBucket.1.compress(),
-                D: &req.D.compress(),
                 CG0: &CG0prime.compress(),
                 CG1: &req.CG1.compress(),
                 CG2: &req.CG2.compress(),