|
|
@@ -0,0 +1,682 @@
|
|
|
+/*! A module for the protocol for the user of trust level 3 or higher to
|
|
|
+migrate from one bucket to another because their current bucket has been
|
|
|
+blocked. Their trust level will go down by 2.
|
|
|
+
|
|
|
+The user presents their current Lox credential:
|
|
|
+
|
|
|
+- id: revealed
|
|
|
+- bucket: blinded
|
|
|
+- trust_level: revealed to be 3 or higher
|
|
|
+- level_since: blinded
|
|
|
+- invites_remaining: blinded
|
|
|
+- blockages: blinded
|
|
|
+
|
|
|
+and a Migration credential:
|
|
|
+
|
|
|
+- id: revealed as the same as the Lox credential id above
|
|
|
+- from_bucket: blinded, but proved in ZK that it's the same as the
|
|
|
+ bucket in the Lox credential above
|
|
|
+- to_bucket: blinded
|
|
|
+
|
|
|
+and a new Lox credential to be issued:
|
|
|
+
|
|
|
+- id: jointly chosen by the user and BA
|
|
|
+- bucket: blinded, but proved in ZK that it's the same as the to_bucket
|
|
|
+ in the Migration credential above
|
|
|
+- trust_level: revealed to be 2 less than the trust_level above
|
|
|
+- level_since: today
|
|
|
+- invites_remaining: revealed to be LEVEL_INVITATIONS for the new trust
|
|
|
+ level [Actually, there's a bug in the zkp crate that's triggered when
|
|
|
+ a public value is 0 (the identity element of the Ristretto group), so
|
|
|
+ we treat this field as blinded, but the _server_ encrypts the value.]
|
|
|
+- blockages: blinded, but proved in ZK that it's one more than the
|
|
|
+ blockages above
|
|
|
+
|
|
|
+*/
|
|
|
+
|
|
|
+use curve25519_dalek::ristretto::RistrettoBasepointTable;
|
|
|
+use curve25519_dalek::ristretto::RistrettoPoint;
|
|
|
+use curve25519_dalek::scalar::Scalar;
|
|
|
+use curve25519_dalek::traits::IsIdentity;
|
|
|
+
|
|
|
+use zkp::CompactProof;
|
|
|
+use zkp::ProofError;
|
|
|
+use zkp::Transcript;
|
|
|
+
|
|
|
+use super::super::cred;
|
|
|
+use super::super::dup_filter::SeenType;
|
|
|
+use super::super::migration_table::MigrationType;
|
|
|
+use super::super::scalar_u32;
|
|
|
+use super::super::{BridgeAuth, IssuerPubKey};
|
|
|
+use super::super::{CMZ_A, CMZ_A_TABLE, CMZ_B, CMZ_B_TABLE};
|
|
|
+use super::check_blockage::MIN_TRUST_LEVEL;
|
|
|
+use super::level_up::LEVEL_INVITATIONS;
|
|
|
+
|
|
|
+pub struct Request {
|
|
|
+ // Fields for blind showing the Lox credential
|
|
|
+ P_lox: RistrettoPoint,
|
|
|
+ id: Scalar,
|
|
|
+ CBucket: RistrettoPoint,
|
|
|
+ trust_level: Scalar,
|
|
|
+ CSince: RistrettoPoint,
|
|
|
+ CInvRemain: RistrettoPoint,
|
|
|
+ CBlockages: RistrettoPoint,
|
|
|
+ CQ_lox: RistrettoPoint,
|
|
|
+
|
|
|
+ // Fields for blind showing the Migration credential
|
|
|
+ P_mig: RistrettoPoint,
|
|
|
+ CFromBucket: RistrettoPoint,
|
|
|
+ CToBucket: RistrettoPoint,
|
|
|
+ CQ_mig: RistrettoPoint,
|
|
|
+
|
|
|
+ // Fields for user blinding of the Lox credential to be issued
|
|
|
+ D: RistrettoPoint,
|
|
|
+ EncIdClient: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBucket: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBlockages: (RistrettoPoint, RistrettoPoint),
|
|
|
+
|
|
|
+ // The combined ZKP
|
|
|
+ piUser: CompactProof,
|
|
|
+}
|
|
|
+
|
|
|
+#[derive(Debug)]
|
|
|
+pub struct State {
|
|
|
+ d: Scalar,
|
|
|
+ D: RistrettoPoint,
|
|
|
+ EncIdClient: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBucket: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBlockages: (RistrettoPoint, RistrettoPoint),
|
|
|
+ id_client: Scalar,
|
|
|
+ to_bucket: Scalar,
|
|
|
+ trust_level: Scalar,
|
|
|
+ blockages: Scalar,
|
|
|
+}
|
|
|
+
|
|
|
+pub struct Response {
|
|
|
+ // The new attributes; the trust_level and invites_remaining are
|
|
|
+ // implicit
|
|
|
+ level_since: Scalar,
|
|
|
+
|
|
|
+ // The fields for the new Lox credential
|
|
|
+ P: RistrettoPoint,
|
|
|
+ EncQ: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncInvRemain: (RistrettoPoint, RistrettoPoint),
|
|
|
+ id_server: Scalar,
|
|
|
+ TId: RistrettoPoint,
|
|
|
+ TBucket: RistrettoPoint,
|
|
|
+ TInvRemain: RistrettoPoint,
|
|
|
+ TBlockages: RistrettoPoint,
|
|
|
+
|
|
|
+ // The ZKP
|
|
|
+ piBlindIssue: CompactProof,
|
|
|
+}
|
|
|
+
|
|
|
+define_proof! {
|
|
|
+ requestproof,
|
|
|
+ "Blockage Migration Request",
|
|
|
+ (bucket, since, invremain, blockages, zbucket, zsince, zinvremain,
|
|
|
+ zblockages, negzQ_lox,
|
|
|
+ tobucket, zfrombucket, ztobucket, negzQ_mig,
|
|
|
+ d, eid_client, ebucket, eblockages, id_client),
|
|
|
+ (P_lox, CBucket, CSince, CInvRemain, CBlockages, V_lox, Xbucket,
|
|
|
+ Xsince, Xinvremain, Xblockages,
|
|
|
+ P_mig, CFromBucket, CToBucket, V_mig, Xfrombucket, Xtobucket,
|
|
|
+ D, EncIdClient0, EncIdClient1, EncBucket0, EncBucket1,
|
|
|
+ EncBlockages0, EncBlockages1_minus_B),
|
|
|
+ (A, B):
|
|
|
+ // Blind showing of the Lox credential
|
|
|
+ CBucket = (bucket*P_lox + zbucket*A),
|
|
|
+ CSince = (since*P_lox + zsince*A),
|
|
|
+ CInvRemain = (invremain*P_lox + zinvremain*A),
|
|
|
+ CBlockages = (blockages*P_lox + zblockages*A),
|
|
|
+ V_lox = (zbucket*Xbucket + zsince*Xsince + zinvremain*Xinvremain
|
|
|
+ + zblockages*Xblockages + negzQ_lox*A),
|
|
|
+ // Blind showing of the Migration credential; note the use of the
|
|
|
+ // same "bucket" secret variable
|
|
|
+ CFromBucket = (bucket*P_mig + zfrombucket*A),
|
|
|
+ CToBucket = (tobucket*P_mig + ztobucket*A),
|
|
|
+ V_mig = (zfrombucket*Xfrombucket + ztobucket*Xtobucket + negzQ_mig*A),
|
|
|
+ // User blinding of the Lox credential to be issued; note the use of
|
|
|
+ // the same "tobucket" secret variable
|
|
|
+ D = (d*B),
|
|
|
+ EncIdClient0 = (eid_client*B),
|
|
|
+ EncIdClient1 = (id_client*B + eid_client*D),
|
|
|
+ EncBucket0 = (ebucket*B),
|
|
|
+ EncBucket1 = (tobucket*B + ebucket*D),
|
|
|
+ EncBlockages0 = (eblockages*B),
|
|
|
+ EncBlockages1_minus_B = (blockages*B + eblockages*D)
|
|
|
+}
|
|
|
+
|
|
|
+define_proof! {
|
|
|
+ blindissue,
|
|
|
+ "Blockage Migration Blind Issuing",
|
|
|
+ (x0, x0tilde, xid, xbucket, xlevel, xsince, xinvremain, xblockages,
|
|
|
+ s, b, tid, tbucket, tinvremain, tblockages),
|
|
|
+ (P, EncQ0, EncQ1, X0, Xid, Xbucket, Xlevel, Xsince, Xinvremain,
|
|
|
+ Xblockages, Plevel, Psince, TId, TBucket, TInvRemain, TBlockages,
|
|
|
+ D, EncId0, EncId1, EncBucket0, EncBucket1, EncInvRemain0,
|
|
|
+ EncInvRemain1, EncBlockages0, EncBlockages1),
|
|
|
+ (A, B):
|
|
|
+ Xid = (xid*A),
|
|
|
+ Xlevel = (xlevel*A),
|
|
|
+ Xbucket = (xbucket*A),
|
|
|
+ Xsince = (xsince*A),
|
|
|
+ Xinvremain = (xinvremain*A),
|
|
|
+ Xblockages = (xblockages*A),
|
|
|
+ X0 = (x0*B + x0tilde*A),
|
|
|
+ P = (b*B),
|
|
|
+ TId = (b*Xid),
|
|
|
+ TId = (tid*A),
|
|
|
+ TBucket = (b*Xbucket),
|
|
|
+ TBucket = (tbucket*A),
|
|
|
+ TInvRemain = (b*Xinvremain),
|
|
|
+ TInvRemain = (tinvremain*A),
|
|
|
+ TBlockages = (b*Xblockages),
|
|
|
+ TBlockages = (tblockages*A),
|
|
|
+ EncQ0 = (s*B + tid*EncId0 + tbucket*EncBucket0
|
|
|
+ + tinvremain*EncInvRemain0 + tblockages*EncBlockages0),
|
|
|
+ EncQ1 = (s*D + tid*EncId1 + tbucket*EncBucket1
|
|
|
+ + tinvremain*EncInvRemain1 + tblockages*EncBlockages1
|
|
|
+ + x0*P + xlevel*Plevel + xsince*Psince)
|
|
|
+}
|
|
|
+
|
|
|
+pub fn request(
|
|
|
+ lox_cred: &cred::Lox,
|
|
|
+ migration_cred: &cred::Migration,
|
|
|
+ lox_pub: &IssuerPubKey,
|
|
|
+ migration_pub: &IssuerPubKey,
|
|
|
+) -> Result<(Request, State), ProofError> {
|
|
|
+ let A: &RistrettoPoint = &CMZ_A;
|
|
|
+ let B: &RistrettoPoint = &CMZ_B;
|
|
|
+ let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
|
+ let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
+
|
|
|
+ // Ensure that the credenials can be correctly shown; that is, the
|
|
|
+ // ids match and the Lox credential bucket matches the Migration
|
|
|
+ // credential from_bucket
|
|
|
+ if lox_cred.id != migration_cred.lox_id || lox_cred.bucket != migration_cred.from_bucket {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // The trust level must be at least MIN_TRUST_LEVEL
|
|
|
+ let level: u32 = match scalar_u32(&lox_cred.trust_level) {
|
|
|
+ Some(v) => v,
|
|
|
+ None => return Err(ProofError::VerificationFailure),
|
|
|
+ };
|
|
|
+ if level < MIN_TRUST_LEVEL {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // Blind showing the Lox credential
|
|
|
+
|
|
|
+ // Reblind P and Q
|
|
|
+ let mut rng = rand::thread_rng();
|
|
|
+ let t_lox = Scalar::random(&mut rng);
|
|
|
+ let P_lox = t_lox * lox_cred.P;
|
|
|
+ let Q_lox = t_lox * lox_cred.Q;
|
|
|
+
|
|
|
+ // Form Pedersen commitments to the blinded attributes
|
|
|
+ let zbucket = Scalar::random(&mut rng);
|
|
|
+ let zsince = Scalar::random(&mut rng);
|
|
|
+ let zinvremain = Scalar::random(&mut rng);
|
|
|
+ let zblockages = Scalar::random(&mut rng);
|
|
|
+ let CBucket = lox_cred.bucket * P_lox + &zbucket * Atable;
|
|
|
+ let CSince = lox_cred.level_since * P_lox + &zsince * Atable;
|
|
|
+ let CInvRemain = lox_cred.invites_remaining * P_lox + &zinvremain * Atable;
|
|
|
+ let CBlockages = lox_cred.blockages * P_lox + &zblockages * Atable;
|
|
|
+
|
|
|
+ // Form a Pedersen commitment to the MAC Q
|
|
|
+ // We flip the sign of zQ from that of the Hyphae paper so that
|
|
|
+ // the ZKP has a "+" instead of a "-", as that's what the zkp
|
|
|
+ // macro supports.
|
|
|
+ let negzQ_lox = Scalar::random(&mut rng);
|
|
|
+ let CQ_lox = Q_lox - &negzQ_lox * Atable;
|
|
|
+
|
|
|
+ // Compute the "error factor"
|
|
|
+ let V_lox = zbucket * lox_pub.X[2]
|
|
|
+ + zsince * lox_pub.X[4]
|
|
|
+ + zinvremain * lox_pub.X[5]
|
|
|
+ + zblockages * lox_pub.X[6]
|
|
|
+ + &negzQ_lox * Atable;
|
|
|
+
|
|
|
+ // Blind showing the Migration credential
|
|
|
+
|
|
|
+ // Reblind P and Q
|
|
|
+ let t_mig = Scalar::random(&mut rng);
|
|
|
+ let P_mig = t_mig * migration_cred.P;
|
|
|
+ let Q_mig = t_mig * migration_cred.Q;
|
|
|
+
|
|
|
+ // Form Pedersen commitments to the blinded attributes
|
|
|
+ let zfrombucket = Scalar::random(&mut rng);
|
|
|
+ let ztobucket = Scalar::random(&mut rng);
|
|
|
+ let CFromBucket = migration_cred.from_bucket * P_mig + &zfrombucket * Atable;
|
|
|
+ let CToBucket = migration_cred.to_bucket * P_mig + &ztobucket * Atable;
|
|
|
+
|
|
|
+ // Form a Pedersen commitment to the MAC Q
|
|
|
+ // We flip the sign of zQ from that of the Hyphae paper so that
|
|
|
+ // the ZKP has a "+" instead of a "-", as that's what the zkp
|
|
|
+ // macro supports.
|
|
|
+ let negzQ_mig = Scalar::random(&mut rng);
|
|
|
+ let CQ_mig = Q_mig - &negzQ_mig * Atable;
|
|
|
+
|
|
|
+ // Compute the "error factor"
|
|
|
+ let V_mig =
|
|
|
+ zfrombucket * migration_pub.X[2] + ztobucket * migration_pub.X[3] + &negzQ_mig * Atable;
|
|
|
+
|
|
|
+ // User blinding for the Lox certificate to be issued
|
|
|
+
|
|
|
+ // Pick an ElGamal keypair
|
|
|
+ let d = Scalar::random(&mut rng);
|
|
|
+ let D = &d * Btable;
|
|
|
+
|
|
|
+ // Pick a random client component of the id
|
|
|
+ let id_client = Scalar::random(&mut rng);
|
|
|
+
|
|
|
+ // Encrypt it (times the basepoint B) to the ElGamal public key D we
|
|
|
+ // just created
|
|
|
+ let eid_client = Scalar::random(&mut rng);
|
|
|
+ let EncIdClient = (&eid_client * Btable, &id_client * Btable + eid_client * D);
|
|
|
+
|
|
|
+ // Encrypt the other blinded attributes (times B) to D as well
|
|
|
+ let ebucket = Scalar::random(&mut rng);
|
|
|
+ let EncBucket = (
|
|
|
+ &ebucket * Btable,
|
|
|
+ &migration_cred.to_bucket * Btable + ebucket * D,
|
|
|
+ );
|
|
|
+ let eblockages = Scalar::random(&mut rng);
|
|
|
+ let new_blockages = lox_cred.blockages + Scalar::one();
|
|
|
+ let EncBlockages = (
|
|
|
+ &eblockages * Btable,
|
|
|
+ &new_blockages * Btable + eblockages * D,
|
|
|
+ );
|
|
|
+
|
|
|
+ // Construct the proof
|
|
|
+ let mut transcript = Transcript::new(b"blockage migration request");
|
|
|
+ let piUser = requestproof::prove_compact(
|
|
|
+ &mut transcript,
|
|
|
+ requestproof::ProveAssignments {
|
|
|
+ A: &A,
|
|
|
+ B: &B,
|
|
|
+ P_lox: &P_lox,
|
|
|
+ CBucket: &CBucket,
|
|
|
+ CSince: &CSince,
|
|
|
+ CInvRemain: &CInvRemain,
|
|
|
+ CBlockages: &CBlockages,
|
|
|
+ V_lox: &V_lox,
|
|
|
+ Xbucket: &lox_pub.X[2],
|
|
|
+ Xsince: &lox_pub.X[4],
|
|
|
+ Xinvremain: &lox_pub.X[5],
|
|
|
+ Xblockages: &lox_pub.X[6],
|
|
|
+ P_mig: &P_mig,
|
|
|
+ CFromBucket: &CFromBucket,
|
|
|
+ CToBucket: &CToBucket,
|
|
|
+ V_mig: &V_mig,
|
|
|
+ Xfrombucket: &migration_pub.X[2],
|
|
|
+ Xtobucket: &migration_pub.X[3],
|
|
|
+ D: &D,
|
|
|
+ EncIdClient0: &EncIdClient.0,
|
|
|
+ EncIdClient1: &EncIdClient.1,
|
|
|
+ EncBucket0: &EncBucket.0,
|
|
|
+ EncBucket1: &EncBucket.1,
|
|
|
+ EncBlockages0: &EncBlockages.0,
|
|
|
+ EncBlockages1_minus_B: &(EncBlockages.1 - B),
|
|
|
+ bucket: &lox_cred.bucket,
|
|
|
+ since: &lox_cred.level_since,
|
|
|
+ invremain: &lox_cred.invites_remaining,
|
|
|
+ blockages: &lox_cred.blockages,
|
|
|
+ zbucket: &zbucket,
|
|
|
+ zsince: &zsince,
|
|
|
+ zinvremain: &zinvremain,
|
|
|
+ zblockages: &zblockages,
|
|
|
+ negzQ_lox: &negzQ_lox,
|
|
|
+ tobucket: &migration_cred.to_bucket,
|
|
|
+ zfrombucket: &zfrombucket,
|
|
|
+ ztobucket: &ztobucket,
|
|
|
+ negzQ_mig: &negzQ_mig,
|
|
|
+ d: &d,
|
|
|
+ eid_client: &eid_client,
|
|
|
+ ebucket: &ebucket,
|
|
|
+ eblockages: &eblockages,
|
|
|
+ id_client: &id_client,
|
|
|
+ },
|
|
|
+ )
|
|
|
+ .0;
|
|
|
+
|
|
|
+ Ok((
|
|
|
+ Request {
|
|
|
+ P_lox,
|
|
|
+ id: lox_cred.id,
|
|
|
+ CBucket,
|
|
|
+ trust_level: lox_cred.trust_level,
|
|
|
+ CSince,
|
|
|
+ CInvRemain,
|
|
|
+ CBlockages,
|
|
|
+ CQ_lox,
|
|
|
+ P_mig,
|
|
|
+ CFromBucket,
|
|
|
+ CToBucket,
|
|
|
+ CQ_mig,
|
|
|
+ D,
|
|
|
+ EncIdClient,
|
|
|
+ EncBucket,
|
|
|
+ EncBlockages,
|
|
|
+ piUser,
|
|
|
+ },
|
|
|
+ State {
|
|
|
+ d,
|
|
|
+ D,
|
|
|
+ EncIdClient,
|
|
|
+ EncBucket,
|
|
|
+ EncBlockages,
|
|
|
+ id_client,
|
|
|
+ to_bucket: migration_cred.to_bucket,
|
|
|
+ trust_level: (level - 2).into(),
|
|
|
+ blockages: new_blockages,
|
|
|
+ },
|
|
|
+ ))
|
|
|
+}
|
|
|
+
|
|
|
+impl BridgeAuth {
|
|
|
+ /// Receive a blockage migration request
|
|
|
+ pub fn handle_blockage_migration(&mut self, req: Request) -> Result<Response, ProofError> {
|
|
|
+ let A: &RistrettoPoint = &CMZ_A;
|
|
|
+ let B: &RistrettoPoint = &CMZ_B;
|
|
|
+ let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
|
+ let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
+
|
|
|
+ if req.P_lox.is_identity() || req.P_mig.is_identity() {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // The trust level must be at least MIN_TRUST_LEVEL
|
|
|
+ let level: u32 = match scalar_u32(&req.trust_level) {
|
|
|
+ Some(v) => v,
|
|
|
+ None => return Err(ProofError::VerificationFailure),
|
|
|
+ };
|
|
|
+ if level < MIN_TRUST_LEVEL {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // Recompute the "error factors" using knowledge of our own
|
|
|
+ // (the issuer's) private key instead of knowledge of the
|
|
|
+ // hidden attributes
|
|
|
+ let Vprime_lox = (self.lox_priv.x[0]
|
|
|
+ + self.lox_priv.x[1] * req.id
|
|
|
+ + self.lox_priv.x[3] * req.trust_level)
|
|
|
+ * req.P_lox
|
|
|
+ + self.lox_priv.x[2] * req.CBucket
|
|
|
+ + self.lox_priv.x[4] * req.CSince
|
|
|
+ + self.lox_priv.x[5] * req.CInvRemain
|
|
|
+ + self.lox_priv.x[6] * req.CBlockages
|
|
|
+ - req.CQ_lox;
|
|
|
+
|
|
|
+ let migration_type: Scalar = MigrationType::Blockage.into();
|
|
|
+ let Vprime_mig = (self.migration_priv.x[0]
|
|
|
+ + self.migration_priv.x[1] * req.id
|
|
|
+ + self.migration_priv.x[4] * migration_type)
|
|
|
+ * req.P_mig
|
|
|
+ + self.migration_priv.x[2] * req.CFromBucket
|
|
|
+ + self.migration_priv.x[3] * req.CToBucket
|
|
|
+ - req.CQ_mig;
|
|
|
+
|
|
|
+ // Verify the ZKP
|
|
|
+ let mut transcript = Transcript::new(b"blockage migration request");
|
|
|
+ requestproof::verify_compact(
|
|
|
+ &req.piUser,
|
|
|
+ &mut transcript,
|
|
|
+ requestproof::VerifyAssignments {
|
|
|
+ A: &A.compress(),
|
|
|
+ B: &B.compress(),
|
|
|
+ P_lox: &req.P_lox.compress(),
|
|
|
+ CBucket: &req.CBucket.compress(),
|
|
|
+ CSince: &req.CSince.compress(),
|
|
|
+ CInvRemain: &req.CInvRemain.compress(),
|
|
|
+ CBlockages: &req.CBlockages.compress(),
|
|
|
+ V_lox: &Vprime_lox.compress(),
|
|
|
+ Xbucket: &self.lox_pub.X[2].compress(),
|
|
|
+ Xsince: &self.lox_pub.X[4].compress(),
|
|
|
+ Xinvremain: &self.lox_pub.X[5].compress(),
|
|
|
+ Xblockages: &self.lox_pub.X[6].compress(),
|
|
|
+ P_mig: &req.P_mig.compress(),
|
|
|
+ CFromBucket: &req.CFromBucket.compress(),
|
|
|
+ CToBucket: &req.CToBucket.compress(),
|
|
|
+ V_mig: &Vprime_mig.compress(),
|
|
|
+ Xfrombucket: &self.migration_pub.X[2].compress(),
|
|
|
+ Xtobucket: &self.migration_pub.X[3].compress(),
|
|
|
+ D: &req.D.compress(),
|
|
|
+ EncIdClient0: &req.EncIdClient.0.compress(),
|
|
|
+ EncIdClient1: &req.EncIdClient.1.compress(),
|
|
|
+ EncBucket0: &req.EncBucket.0.compress(),
|
|
|
+ EncBucket1: &req.EncBucket.1.compress(),
|
|
|
+ EncBlockages0: &req.EncBlockages.0.compress(),
|
|
|
+ EncBlockages1_minus_B: &(req.EncBlockages.1 - B).compress(),
|
|
|
+ },
|
|
|
+ )?;
|
|
|
+
|
|
|
+ // Ensure the id has not been seen before, and add it to the
|
|
|
+ // seen list.
|
|
|
+ if self.id_filter.filter(&req.id) == SeenType::Seen {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // Blind issuing of the new Lox credential
|
|
|
+
|
|
|
+ // Choose a random server id component to add to the client's
|
|
|
+ // (blinded) id component
|
|
|
+ let mut rng = rand::thread_rng();
|
|
|
+ let id_server = Scalar::random(&mut rng);
|
|
|
+ let EncId = (req.EncIdClient.0, req.EncIdClient.1 + &id_server * Btable);
|
|
|
+
|
|
|
+ // Create the trust_level attrubute (Scalar), which will be
|
|
|
+ // 2 levels down from the one in the provided credential
|
|
|
+ let trust_level: Scalar = (level - 2).into();
|
|
|
+
|
|
|
+ // Create the level_since attribute (Scalar), which is today's
|
|
|
+ // Julian date
|
|
|
+ let level_since: Scalar = self.today().into();
|
|
|
+
|
|
|
+ // The invites remaining is the appropriate number for the new
|
|
|
+ // level (note that LEVEL_INVITATIONS[i] is the number of
|
|
|
+ // invitations for moving from level i to level i+1)
|
|
|
+ let invremain: Scalar = LEVEL_INVITATIONS[(level - 3) as usize].into();
|
|
|
+
|
|
|
+ // Because of the bug in the zkp crate, encrypt the invites
|
|
|
+ // remaining instead of sending it in the clear
|
|
|
+ let sinvremain = Scalar::random(&mut rng);
|
|
|
+ let EncInvRemain = (
|
|
|
+ &sinvremain * Btable,
|
|
|
+ &invremain * Btable + sinvremain * req.D,
|
|
|
+ );
|
|
|
+
|
|
|
+ // Compute the MAC on the visible attributes
|
|
|
+ let b = Scalar::random(&mut rng);
|
|
|
+ let P = &b * Btable;
|
|
|
+ let QHc = (self.lox_priv.x[0]
|
|
|
+ + self.lox_priv.x[3] * trust_level
|
|
|
+ + self.lox_priv.x[4] * level_since)
|
|
|
+ * P;
|
|
|
+
|
|
|
+ // El Gamal encrypt it to the public key req.D
|
|
|
+ let s = Scalar::random(&mut rng);
|
|
|
+ let EncQHc = (&s * Btable, QHc + s * req.D);
|
|
|
+
|
|
|
+ // Homomorphically compute the part of the MAC corresponding to
|
|
|
+ // the blinded attributes
|
|
|
+ let tid = self.lox_priv.x[1] * b;
|
|
|
+ let TId = &tid * Atable;
|
|
|
+ let EncQId = (tid * EncId.0, tid * EncId.1);
|
|
|
+ let tbucket = self.lox_priv.x[2] * b;
|
|
|
+ let TBucket = &tbucket * Atable;
|
|
|
+ let EncQBucket = (tbucket * req.EncBucket.0, tbucket * req.EncBucket.1);
|
|
|
+ let tinvremain = self.lox_priv.x[5] * b;
|
|
|
+ let TInvRemain = &tinvremain * Atable;
|
|
|
+ let EncQInvRemain = (tinvremain * EncInvRemain.0, tinvremain * EncInvRemain.1);
|
|
|
+ let tblockages = self.lox_priv.x[6] * b;
|
|
|
+ let TBlockages = &tblockages * Atable;
|
|
|
+ let EncQBlockages = (
|
|
|
+ tblockages * req.EncBlockages.0,
|
|
|
+ tblockages * req.EncBlockages.1,
|
|
|
+ );
|
|
|
+
|
|
|
+ let EncQ = (
|
|
|
+ EncQHc.0 + EncQId.0 + EncQBucket.0 + EncQInvRemain.0 + EncQBlockages.0,
|
|
|
+ EncQHc.1 + EncQId.1 + EncQBucket.1 + EncQInvRemain.1 + EncQBlockages.1,
|
|
|
+ );
|
|
|
+
|
|
|
+ let mut transcript = Transcript::new(b"blockage migration issuing");
|
|
|
+ let piBlindIssue = blindissue::prove_compact(
|
|
|
+ &mut transcript,
|
|
|
+ blindissue::ProveAssignments {
|
|
|
+ A: &A,
|
|
|
+ B: &B,
|
|
|
+ P: &P,
|
|
|
+ EncQ0: &EncQ.0,
|
|
|
+ EncQ1: &EncQ.1,
|
|
|
+ X0: &self.lox_pub.X[0],
|
|
|
+ Xid: &self.lox_pub.X[1],
|
|
|
+ Xbucket: &self.lox_pub.X[2],
|
|
|
+ Xlevel: &self.lox_pub.X[3],
|
|
|
+ Xsince: &self.lox_pub.X[4],
|
|
|
+ Xinvremain: &self.lox_pub.X[5],
|
|
|
+ Xblockages: &self.lox_pub.X[6],
|
|
|
+ Plevel: &(trust_level * P),
|
|
|
+ Psince: &(level_since * P),
|
|
|
+ TId: &TId,
|
|
|
+ TBucket: &TBucket,
|
|
|
+ TInvRemain: &TInvRemain,
|
|
|
+ TBlockages: &TBlockages,
|
|
|
+ D: &req.D,
|
|
|
+ EncId0: &EncId.0,
|
|
|
+ EncId1: &EncId.1,
|
|
|
+ EncBucket0: &req.EncBucket.0,
|
|
|
+ EncBucket1: &req.EncBucket.1,
|
|
|
+ EncInvRemain0: &EncInvRemain.0,
|
|
|
+ EncInvRemain1: &EncInvRemain.1,
|
|
|
+ EncBlockages0: &req.EncBlockages.0,
|
|
|
+ EncBlockages1: &req.EncBlockages.1,
|
|
|
+ x0: &self.lox_priv.x[0],
|
|
|
+ x0tilde: &self.lox_priv.x0tilde,
|
|
|
+ xid: &self.lox_priv.x[1],
|
|
|
+ xbucket: &self.lox_priv.x[2],
|
|
|
+ xlevel: &self.lox_priv.x[3],
|
|
|
+ xsince: &self.lox_priv.x[4],
|
|
|
+ xinvremain: &self.lox_priv.x[5],
|
|
|
+ xblockages: &self.lox_priv.x[6],
|
|
|
+ s: &s,
|
|
|
+ b: &b,
|
|
|
+ tid: &tid,
|
|
|
+ tbucket: &tbucket,
|
|
|
+ tinvremain: &tinvremain,
|
|
|
+ tblockages: &tblockages,
|
|
|
+ },
|
|
|
+ )
|
|
|
+ .0;
|
|
|
+
|
|
|
+ Ok(Response {
|
|
|
+ level_since,
|
|
|
+ P,
|
|
|
+ EncQ,
|
|
|
+ EncInvRemain,
|
|
|
+ id_server,
|
|
|
+ TId,
|
|
|
+ TBucket,
|
|
|
+ TInvRemain,
|
|
|
+ TBlockages,
|
|
|
+ piBlindIssue,
|
|
|
+ })
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+/// Handle the response to the request, producing the new Lox credential
|
|
|
+/// if successful.
|
|
|
+pub fn handle_response(
|
|
|
+ state: State,
|
|
|
+ resp: Response,
|
|
|
+ lox_pub: &IssuerPubKey,
|
|
|
+) -> Result<cred::Lox, ProofError> {
|
|
|
+ let A: &RistrettoPoint = &CMZ_A;
|
|
|
+ let B: &RistrettoPoint = &CMZ_B;
|
|
|
+ let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
+
|
|
|
+ if resp.P.is_identity() {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // Add the server's contribution to the id to our own, both in plain
|
|
|
+ // and encrypted form
|
|
|
+ let id = state.id_client + resp.id_server;
|
|
|
+ let EncId = (
|
|
|
+ state.EncIdClient.0,
|
|
|
+ state.EncIdClient.1 + &resp.id_server * Btable,
|
|
|
+ );
|
|
|
+
|
|
|
+ let new_level: u32 = match scalar_u32(&state.trust_level) {
|
|
|
+ Some(v) => v,
|
|
|
+ None => return Err(ProofError::VerificationFailure),
|
|
|
+ };
|
|
|
+ if new_level < 1 {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // The invites remaining is the appropriate number for the new level
|
|
|
+ // (note that LEVEL_INVITATIONS[i] is the number of invitations for
|
|
|
+ // moving from level i to level i+1)
|
|
|
+ let invremain: Scalar = LEVEL_INVITATIONS[(new_level - 1) as usize].into();
|
|
|
+
|
|
|
+ // Decrypt EncInvRemain
|
|
|
+ let recv_invremain = resp.EncInvRemain.1 - (state.d * resp.EncInvRemain.0);
|
|
|
+
|
|
|
+ if recv_invremain != &invremain * Btable {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // Verify the proof
|
|
|
+ let mut transcript = Transcript::new(b"blockage migration issuing");
|
|
|
+ blindissue::verify_compact(
|
|
|
+ &resp.piBlindIssue,
|
|
|
+ &mut transcript,
|
|
|
+ blindissue::VerifyAssignments {
|
|
|
+ A: &A.compress(),
|
|
|
+ B: &B.compress(),
|
|
|
+ P: &resp.P.compress(),
|
|
|
+ EncQ0: &resp.EncQ.0.compress(),
|
|
|
+ EncQ1: &resp.EncQ.1.compress(),
|
|
|
+ X0: &lox_pub.X[0].compress(),
|
|
|
+ Xid: &lox_pub.X[1].compress(),
|
|
|
+ Xbucket: &lox_pub.X[2].compress(),
|
|
|
+ Xlevel: &lox_pub.X[3].compress(),
|
|
|
+ Xsince: &lox_pub.X[4].compress(),
|
|
|
+ Xinvremain: &lox_pub.X[5].compress(),
|
|
|
+ Xblockages: &lox_pub.X[6].compress(),
|
|
|
+ Plevel: &(state.trust_level * resp.P).compress(),
|
|
|
+ Psince: &(resp.level_since * resp.P).compress(),
|
|
|
+ TId: &resp.TId.compress(),
|
|
|
+ TBucket: &resp.TBucket.compress(),
|
|
|
+ TInvRemain: &resp.TInvRemain.compress(),
|
|
|
+ TBlockages: &resp.TBlockages.compress(),
|
|
|
+ D: &state.D.compress(),
|
|
|
+ EncId0: &EncId.0.compress(),
|
|
|
+ EncId1: &EncId.1.compress(),
|
|
|
+ EncBucket0: &state.EncBucket.0.compress(),
|
|
|
+ EncBucket1: &state.EncBucket.1.compress(),
|
|
|
+ EncInvRemain0: &resp.EncInvRemain.0.compress(),
|
|
|
+ EncInvRemain1: &resp.EncInvRemain.1.compress(),
|
|
|
+ EncBlockages0: &state.EncBlockages.0.compress(),
|
|
|
+ EncBlockages1: &state.EncBlockages.1.compress(),
|
|
|
+ },
|
|
|
+ )?;
|
|
|
+
|
|
|
+ // Decrypt EncQ
|
|
|
+ let Q = resp.EncQ.1 - (state.d * resp.EncQ.0);
|
|
|
+
|
|
|
+ Ok(cred::Lox {
|
|
|
+ P: resp.P,
|
|
|
+ Q,
|
|
|
+ id,
|
|
|
+ bucket: state.to_bucket,
|
|
|
+ trust_level: new_level.into(),
|
|
|
+ level_since: resp.level_since,
|
|
|
+ invites_remaining: invremain,
|
|
|
+ blockages: state.blockages,
|
|
|
+ })
|
|
|
+}
|
