|
|
@@ -15,7 +15,8 @@ The user presents their current Lox credential:
|
|
|
- level_since: blinded, but proved in ZK that it's at least the
|
|
|
appropriate number of days ago
|
|
|
- invites_remaining: blinded
|
|
|
-- invites_issued: blinded
|
|
|
+- blockages: blinded, but proved in ZK that it's at most the appropriate
|
|
|
+ blockage limit for the target trust level
|
|
|
|
|
|
and a Bucket Reachability credential:
|
|
|
- date: revealed to be today
|
|
|
@@ -32,7 +33,7 @@ and a new Lox credential to be issued:
|
|
|
- invites_remaining: revealed to be the number of invites for the new
|
|
|
level (note that the invites_remaining from the previous credential
|
|
|
are _not_ carried over)
|
|
|
-- invites_issued: blinded, but proved in ZK that it's the same as in the
|
|
|
+- blockages: blinded, but proved in ZK that it's the same as in the
|
|
|
Lox credential above
|
|
|
|
|
|
*/
|
|
|
@@ -79,7 +80,7 @@ pub struct Request {
|
|
|
level: Scalar,
|
|
|
CSince: RistrettoPoint,
|
|
|
CInvRemain: RistrettoPoint,
|
|
|
- CInvIssued: RistrettoPoint,
|
|
|
+ CBlockages: RistrettoPoint,
|
|
|
CQ: RistrettoPoint,
|
|
|
|
|
|
// Fields for blind showing the Bucket Reachability credential
|
|
|
@@ -111,7 +112,7 @@ pub struct Request {
|
|
|
D: RistrettoPoint,
|
|
|
EncIdClient: (RistrettoPoint, RistrettoPoint),
|
|
|
EncBucket: (RistrettoPoint, RistrettoPoint),
|
|
|
- EncInvIssued: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBlockages: (RistrettoPoint, RistrettoPoint),
|
|
|
|
|
|
// The combined ZKP
|
|
|
piUser: CompactProof,
|
|
|
@@ -123,12 +124,12 @@ pub struct State {
|
|
|
D: RistrettoPoint,
|
|
|
EncIdClient: (RistrettoPoint, RistrettoPoint),
|
|
|
EncBucket: (RistrettoPoint, RistrettoPoint),
|
|
|
- EncInvIssued: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBlockages: (RistrettoPoint, RistrettoPoint),
|
|
|
id_client: Scalar,
|
|
|
bucket: Scalar,
|
|
|
level: Scalar,
|
|
|
invremain: Scalar,
|
|
|
- invissued: Scalar,
|
|
|
+ blockages: Scalar,
|
|
|
}
|
|
|
|
|
|
pub struct Response {
|
|
|
@@ -141,7 +142,7 @@ pub struct Response {
|
|
|
level_since: Scalar,
|
|
|
TId: RistrettoPoint,
|
|
|
TBucket: RistrettoPoint,
|
|
|
- TInvIssued: RistrettoPoint,
|
|
|
+ TBlockages: RistrettoPoint,
|
|
|
|
|
|
// The ZKP
|
|
|
piBlindIssue: CompactProof,
|
|
|
@@ -150,19 +151,19 @@ pub struct Response {
|
|
|
define_proof! {
|
|
|
requestproof,
|
|
|
"Level Upgrade Request",
|
|
|
- (bucket, since, invremain, invissued, zbucket, zsince, zinvremain,
|
|
|
- zinvissued, negzQ,
|
|
|
+ (bucket, since, invremain, blockages, zbucket, zsince, zinvremain,
|
|
|
+ zblockages, negzQ,
|
|
|
zbucket_reach, negzQ_reach,
|
|
|
- d, eid_client, ebucket, einvissued, id_client,
|
|
|
+ d, eid_client, ebucket, eblockages, id_client,
|
|
|
g0, g1, g2, g3, g4, g5, g6, g7, g8,
|
|
|
zg0, zg1, zg2, zg3, zg4, zg5, zg6, zg7, zg8,
|
|
|
wg0, wg1, wg2, wg3, wg4, wg5, wg6, wg7, wg8,
|
|
|
yg0, yg1, yg2, yg3, yg4, yg5, yg6, yg7, yg8),
|
|
|
- (P, CBucket, CSince, CInvRemain, CInvIssued, V, Xbucket, Xsince,
|
|
|
- Xinvremain, Xinvissued,
|
|
|
+ (P, CBucket, CSince, CInvRemain, CBlockages, V, Xbucket, Xsince,
|
|
|
+ Xinvremain, Xblockages,
|
|
|
P_reach, CBucket_reach, V_reach, Xbucket_reach,
|
|
|
D, EncIdClient0, EncIdClient1, EncBucket0, EncBucket1,
|
|
|
- EncInvIssued0, EncInvIssued1,
|
|
|
+ EncBlockages0, EncBlockages1,
|
|
|
CG0, CG1, CG2, CG3, CG4, CG5, CG6, CG7, CG8,
|
|
|
CG0sq, CG1sq, CG2sq, CG3sq, CG4sq, CG5sq, CG6sq, CG7sq, CG8sq),
|
|
|
(A, B) :
|
|
|
@@ -170,7 +171,7 @@ define_proof! {
|
|
|
CBucket = (bucket*P + zbucket*A),
|
|
|
CSince = (since*P + zsince*A),
|
|
|
CInvRemain = (invremain*P + zinvremain*A),
|
|
|
- CInvIssued = (invissued*P + zinvissued*A),
|
|
|
+ CBlockages = (blockages*P + zblockages*A),
|
|
|
// Blind showing of the Bucket Reachability credential; note the
|
|
|
// same bucket is used in the proof
|
|
|
CBucket_reach = (bucket*P_reach + zbucket_reach*A),
|
|
|
@@ -180,8 +181,8 @@ define_proof! {
|
|
|
EncIdClient1 = (id_client*B + eid_client*D),
|
|
|
EncBucket0 = (ebucket*B),
|
|
|
EncBucket1 = (bucket*B + ebucket*D),
|
|
|
- EncInvIssued0 = (einvissued*B),
|
|
|
- EncInvIssued1 = (invissued*B + einvissued*D),
|
|
|
+ EncBlockages0 = (eblockages*B),
|
|
|
+ EncBlockages1 = (blockages*B + eblockages*D),
|
|
|
// Prove CSince encodes a value at least LEVEL_INTERVAL
|
|
|
// days ago (at technically at most LEVEL_INTERVAL+511 days
|
|
|
// ago): first prove each of g0, ..., g8 is a bit by proving that
|
|
|
@@ -204,11 +205,11 @@ define_proof! {
|
|
|
define_proof! {
|
|
|
blindissue,
|
|
|
"Level Upgrade Issuing",
|
|
|
- (x0, x0tilde, xid, xbucket, xlevel, xsince, xinvremain, xinvissued,
|
|
|
- s, b, tid, tbucket, tinvissued),
|
|
|
+ (x0, x0tilde, xid, xbucket, xlevel, xsince, xinvremain, xblockages,
|
|
|
+ s, b, tid, tbucket, tblockages),
|
|
|
(P, EncQ0, EncQ1, X0, Xid, Xbucket, Xlevel, Xsince, Xinvremain,
|
|
|
- Xinvissued, Plevel, Psince, Pinvremain, TId, TBucket, TInvIssued,
|
|
|
- D, EncId0, EncId1, EncBucket0, EncBucket1, EncInvIssued0, EncInvIssued1),
|
|
|
+ Xblockages, Plevel, Psince, Pinvremain, TId, TBucket, TBlockages,
|
|
|
+ D, EncId0, EncId1, EncBucket0, EncBucket1, EncBlockages0, EncBlockages1),
|
|
|
(A, B):
|
|
|
Xid = (xid*A),
|
|
|
Xid = (xid*A),
|
|
|
@@ -216,18 +217,18 @@ define_proof! {
|
|
|
Xbucket = (xbucket*A),
|
|
|
Xsince = (xsince*A),
|
|
|
Xinvremain = (xinvremain*A),
|
|
|
- Xinvissued = (xinvissued*A),
|
|
|
+ Xblockages = (xblockages*A),
|
|
|
X0 = (x0*B + x0tilde*A),
|
|
|
P = (b*B),
|
|
|
TId = (b*Xid),
|
|
|
TId = (tid*A),
|
|
|
TBucket = (b*Xbucket),
|
|
|
TBucket = (tbucket*A),
|
|
|
- TInvIssued = (b*Xinvissued),
|
|
|
- TInvIssued = (tinvissued*A),
|
|
|
- EncQ0 = (s*B + tid*EncId0 + tbucket*EncBucket0 + tinvissued*EncInvIssued0),
|
|
|
+ TBlockages = (b*Xblockages),
|
|
|
+ TBlockages = (tblockages*A),
|
|
|
+ EncQ0 = (s*B + tid*EncId0 + tbucket*EncBucket0 + tblockages*EncBlockages0),
|
|
|
EncQ1 = (s*D + tid*EncId1 + tbucket*EncBucket1
|
|
|
- + tinvissued*EncInvIssued1 + x0*P + xlevel*Plevel + xsince*Psince
|
|
|
+ + tblockages*EncBlockages1 + x0*P + xlevel*Plevel + xsince*Psince
|
|
|
+ xinvremain*Pinvremain)
|
|
|
}
|
|
|
|
|
|
@@ -302,11 +303,11 @@ pub fn request(
|
|
|
let zbucket = Scalar::random(&mut rng);
|
|
|
let zsince = Scalar::random(&mut rng);
|
|
|
let zinvremain = Scalar::random(&mut rng);
|
|
|
- let zinvissued = Scalar::random(&mut rng);
|
|
|
+ let zblockages = Scalar::random(&mut rng);
|
|
|
let CBucket = lox_cred.bucket * P + &zbucket * Atable;
|
|
|
let CSince = lox_cred.level_since * P + &zsince * Atable;
|
|
|
let CInvRemain = lox_cred.invites_remaining * P + &zinvremain * Atable;
|
|
|
- let CInvIssued = lox_cred.invites_issued * P + &zinvissued * Atable;
|
|
|
+ let CBlockages = lox_cred.blockages * P + &zblockages * Atable;
|
|
|
|
|
|
// Form a Pedersen commitment to the MAC Q
|
|
|
// We flip the sign of zQ from that of the Hyphae paper so that
|
|
|
@@ -319,7 +320,7 @@ pub fn request(
|
|
|
let V = zbucket * lox_pub.X[2]
|
|
|
+ zsince * lox_pub.X[4]
|
|
|
+ zinvremain * lox_pub.X[5]
|
|
|
- + zinvissued * lox_pub.X[6]
|
|
|
+ + zblockages * lox_pub.X[6]
|
|
|
+ &negzQ * Atable;
|
|
|
|
|
|
// Blind showing the Bucket Reachability credential
|
|
|
@@ -361,10 +362,10 @@ pub fn request(
|
|
|
let ebucket = Scalar::random(&mut rng);
|
|
|
let EncBucket = (&ebucket * Btable, &lox_cred.bucket * Btable + ebucket * D);
|
|
|
let newinvites: Scalar = LEVEL_INVITATIONS[new_level as usize].into();
|
|
|
- let einvissued = Scalar::random(&mut rng);
|
|
|
- let EncInvIssued = (
|
|
|
- &einvissued * Btable,
|
|
|
- &lox_cred.invites_issued * Btable + einvissued * D,
|
|
|
+ let eblockages = Scalar::random(&mut rng);
|
|
|
+ let EncBlockages = (
|
|
|
+ &eblockages * Btable,
|
|
|
+ &lox_cred.blockages * Btable + eblockages * D,
|
|
|
);
|
|
|
|
|
|
// The range proof that 0 <= diffdays <= 511
|
|
|
@@ -455,12 +456,12 @@ pub fn request(
|
|
|
CBucket: &CBucket,
|
|
|
CSince: &CSince,
|
|
|
CInvRemain: &CInvRemain,
|
|
|
- CInvIssued: &CInvIssued,
|
|
|
+ CBlockages: &CBlockages,
|
|
|
V: &V,
|
|
|
Xbucket: &lox_pub.X[2],
|
|
|
Xsince: &lox_pub.X[4],
|
|
|
Xinvremain: &lox_pub.X[5],
|
|
|
- Xinvissued: &lox_pub.X[6],
|
|
|
+ Xblockages: &lox_pub.X[6],
|
|
|
P_reach: &P_reach,
|
|
|
CBucket_reach: &CBucket_reach,
|
|
|
V_reach: &V_reach,
|
|
|
@@ -470,8 +471,8 @@ pub fn request(
|
|
|
EncIdClient1: &EncIdClient.1,
|
|
|
EncBucket0: &EncBucket.0,
|
|
|
EncBucket1: &EncBucket.1,
|
|
|
- EncInvIssued0: &EncInvIssued.0,
|
|
|
- EncInvIssued1: &EncInvIssued.1,
|
|
|
+ EncBlockages0: &EncBlockages.0,
|
|
|
+ EncBlockages1: &EncBlockages.1,
|
|
|
CG0: &CG0,
|
|
|
CG1: &CG1,
|
|
|
CG2: &CG2,
|
|
|
@@ -493,18 +494,18 @@ pub fn request(
|
|
|
bucket: &lox_cred.bucket,
|
|
|
since: &lox_cred.level_since,
|
|
|
invremain: &lox_cred.invites_remaining,
|
|
|
- invissued: &lox_cred.invites_issued,
|
|
|
+ blockages: &lox_cred.blockages,
|
|
|
zbucket: &zbucket,
|
|
|
zsince: &zsince,
|
|
|
zinvremain: &zinvremain,
|
|
|
- zinvissued: &zinvissued,
|
|
|
+ zblockages: &zblockages,
|
|
|
negzQ: &negzQ,
|
|
|
zbucket_reach: &zbucket_reach,
|
|
|
negzQ_reach: &negzQ_reach,
|
|
|
d: &d,
|
|
|
eid_client: &eid_client,
|
|
|
ebucket: &ebucket,
|
|
|
- einvissued: &einvissued,
|
|
|
+ eblockages: &eblockages,
|
|
|
id_client: &id_client,
|
|
|
g0: &g0,
|
|
|
g1: &g1,
|
|
|
@@ -554,7 +555,7 @@ pub fn request(
|
|
|
level: lox_cred.trust_level,
|
|
|
CSince,
|
|
|
CInvRemain,
|
|
|
- CInvIssued,
|
|
|
+ CBlockages,
|
|
|
CQ,
|
|
|
P_reach,
|
|
|
CBucket_reach,
|
|
|
@@ -562,7 +563,7 @@ pub fn request(
|
|
|
D,
|
|
|
EncIdClient,
|
|
|
EncBucket,
|
|
|
- EncInvIssued,
|
|
|
+ EncBlockages,
|
|
|
CG1,
|
|
|
CG2,
|
|
|
CG3,
|
|
|
@@ -587,12 +588,12 @@ pub fn request(
|
|
|
D,
|
|
|
EncIdClient,
|
|
|
EncBucket,
|
|
|
- EncInvIssued,
|
|
|
+ EncBlockages,
|
|
|
id_client,
|
|
|
bucket: lox_cred.bucket,
|
|
|
level: new_level.into(),
|
|
|
invremain: newinvites,
|
|
|
- invissued: lox_cred.invites_issued,
|
|
|
+ blockages: lox_cred.blockages,
|
|
|
},
|
|
|
))
|
|
|
}
|
|
|
@@ -626,7 +627,7 @@ impl BridgeAuth {
|
|
|
+ self.lox_priv.x[2] * req.CBucket
|
|
|
+ self.lox_priv.x[4] * req.CSince
|
|
|
+ self.lox_priv.x[5] * req.CInvRemain
|
|
|
- + self.lox_priv.x[6] * req.CInvIssued
|
|
|
+ + self.lox_priv.x[6] * req.CBlockages
|
|
|
- req.CQ;
|
|
|
|
|
|
let Vprime_reach = (self.reachability_priv.x[0] + self.reachability_priv.x[1] * today)
|
|
|
@@ -663,12 +664,12 @@ impl BridgeAuth {
|
|
|
CBucket: &req.CBucket.compress(),
|
|
|
CSince: &req.CSince.compress(),
|
|
|
CInvRemain: &req.CInvRemain.compress(),
|
|
|
- CInvIssued: &req.CInvIssued.compress(),
|
|
|
+ CBlockages: &req.CBlockages.compress(),
|
|
|
V: &Vprime.compress(),
|
|
|
Xbucket: &self.lox_pub.X[2].compress(),
|
|
|
Xsince: &self.lox_pub.X[4].compress(),
|
|
|
Xinvremain: &self.lox_pub.X[5].compress(),
|
|
|
- Xinvissued: &self.lox_pub.X[6].compress(),
|
|
|
+ Xblockages: &self.lox_pub.X[6].compress(),
|
|
|
P_reach: &req.P_reach.compress(),
|
|
|
CBucket_reach: &req.CBucket_reach.compress(),
|
|
|
V_reach: &Vprime_reach.compress(),
|
|
|
@@ -678,8 +679,8 @@ impl BridgeAuth {
|
|
|
EncIdClient1: &req.EncIdClient.1.compress(),
|
|
|
EncBucket0: &req.EncBucket.0.compress(),
|
|
|
EncBucket1: &req.EncBucket.1.compress(),
|
|
|
- EncInvIssued0: &req.EncInvIssued.0.compress(),
|
|
|
- EncInvIssued1: &req.EncInvIssued.1.compress(),
|
|
|
+ EncBlockages0: &req.EncBlockages.0.compress(),
|
|
|
+ EncBlockages1: &req.EncBlockages.1.compress(),
|
|
|
CG0: &CG0prime.compress(),
|
|
|
CG1: &req.CG1.compress(),
|
|
|
CG2: &req.CG2.compress(),
|
|
|
@@ -750,16 +751,16 @@ impl BridgeAuth {
|
|
|
let tbucket = self.lox_priv.x[2] * b;
|
|
|
let TBucket = &tbucket * Atable;
|
|
|
let EncQBucket = (tbucket * req.EncBucket.0, tbucket * req.EncBucket.1);
|
|
|
- let tinvissued = self.lox_priv.x[6] * b;
|
|
|
- let TInvIssued = &tinvissued * Atable;
|
|
|
- let EncQInvIssued = (
|
|
|
- tinvissued * req.EncInvIssued.0,
|
|
|
- tinvissued * req.EncInvIssued.1,
|
|
|
+ let tblockages = self.lox_priv.x[6] * b;
|
|
|
+ let TBlockages = &tblockages * Atable;
|
|
|
+ let EncQBlockages = (
|
|
|
+ tblockages * req.EncBlockages.0,
|
|
|
+ tblockages * req.EncBlockages.1,
|
|
|
);
|
|
|
|
|
|
let EncQ = (
|
|
|
- EncQHc.0 + EncQId.0 + EncQBucket.0 + EncQInvIssued.0,
|
|
|
- EncQHc.1 + EncQId.1 + EncQBucket.1 + EncQInvIssued.1,
|
|
|
+ EncQHc.0 + EncQId.0 + EncQBucket.0 + EncQBlockages.0,
|
|
|
+ EncQHc.1 + EncQId.1 + EncQBucket.1 + EncQBlockages.1,
|
|
|
);
|
|
|
|
|
|
let mut transcript = Transcript::new(b"level upgrade issuing");
|
|
|
@@ -777,20 +778,20 @@ impl BridgeAuth {
|
|
|
Xlevel: &self.lox_pub.X[3],
|
|
|
Xsince: &self.lox_pub.X[4],
|
|
|
Xinvremain: &self.lox_pub.X[5],
|
|
|
- Xinvissued: &self.lox_pub.X[6],
|
|
|
+ Xblockages: &self.lox_pub.X[6],
|
|
|
Plevel: &(trust_level * P),
|
|
|
Psince: &(level_since * P),
|
|
|
Pinvremain: &(invitations_remaining * P),
|
|
|
TId: &TId,
|
|
|
TBucket: &TBucket,
|
|
|
- TInvIssued: &TInvIssued,
|
|
|
+ TBlockages: &TBlockages,
|
|
|
D: &req.D,
|
|
|
EncId0: &EncId.0,
|
|
|
EncId1: &EncId.1,
|
|
|
EncBucket0: &req.EncBucket.0,
|
|
|
EncBucket1: &req.EncBucket.1,
|
|
|
- EncInvIssued0: &req.EncInvIssued.0,
|
|
|
- EncInvIssued1: &req.EncInvIssued.1,
|
|
|
+ EncBlockages0: &req.EncBlockages.0,
|
|
|
+ EncBlockages1: &req.EncBlockages.1,
|
|
|
x0: &self.lox_priv.x[0],
|
|
|
x0tilde: &self.lox_priv.x0tilde,
|
|
|
xid: &self.lox_priv.x[1],
|
|
|
@@ -798,12 +799,12 @@ impl BridgeAuth {
|
|
|
xlevel: &self.lox_priv.x[3],
|
|
|
xsince: &self.lox_priv.x[4],
|
|
|
xinvremain: &self.lox_priv.x[5],
|
|
|
- xinvissued: &self.lox_priv.x[6],
|
|
|
+ xblockages: &self.lox_priv.x[6],
|
|
|
s: &s,
|
|
|
b: &b,
|
|
|
tid: &tid,
|
|
|
tbucket: &tbucket,
|
|
|
- tinvissued: &tinvissued,
|
|
|
+ tblockages: &tblockages,
|
|
|
},
|
|
|
)
|
|
|
.0;
|
|
|
@@ -815,7 +816,7 @@ impl BridgeAuth {
|
|
|
level_since,
|
|
|
TId,
|
|
|
TBucket,
|
|
|
- TInvIssued,
|
|
|
+ TBlockages,
|
|
|
piBlindIssue,
|
|
|
})
|
|
|
}
|
|
|
@@ -861,20 +862,20 @@ pub fn handle_response(
|
|
|
Xlevel: &lox_pub.X[3].compress(),
|
|
|
Xsince: &lox_pub.X[4].compress(),
|
|
|
Xinvremain: &lox_pub.X[5].compress(),
|
|
|
- Xinvissued: &lox_pub.X[6].compress(),
|
|
|
+ Xblockages: &lox_pub.X[6].compress(),
|
|
|
Plevel: &(state.level * resp.P).compress(),
|
|
|
Psince: &(resp.level_since * resp.P).compress(),
|
|
|
Pinvremain: &(state.invremain * resp.P).compress(),
|
|
|
TId: &resp.TId.compress(),
|
|
|
TBucket: &resp.TBucket.compress(),
|
|
|
- TInvIssued: &resp.TInvIssued.compress(),
|
|
|
+ TBlockages: &resp.TBlockages.compress(),
|
|
|
D: &state.D.compress(),
|
|
|
EncId0: &EncId.0.compress(),
|
|
|
EncId1: &EncId.1.compress(),
|
|
|
EncBucket0: &state.EncBucket.0.compress(),
|
|
|
EncBucket1: &state.EncBucket.1.compress(),
|
|
|
- EncInvIssued0: &state.EncInvIssued.0.compress(),
|
|
|
- EncInvIssued1: &state.EncInvIssued.1.compress(),
|
|
|
+ EncBlockages0: &state.EncBlockages.0.compress(),
|
|
|
+ EncBlockages1: &state.EncBlockages.1.compress(),
|
|
|
},
|
|
|
)?;
|
|
|
|
|
|
@@ -889,6 +890,6 @@ pub fn handle_response(
|
|
|
trust_level: state.level,
|
|
|
level_since: resp.level_since,
|
|
|
invites_remaining: state.invremain,
|
|
|
- invites_issued: state.invissued,
|
|
|
+ blockages: state.blockages,
|
|
|
})
|
|
|
}
|
