|
@@ -0,0 +1,350 @@
|
|
|
+/*! A module for the protocol for a new user to redeem an Invitation
|
|
|
+credential. The user will start at trust level 1 (instead of 0 for
|
|
|
+untrusted uninvited users).
|
|
|
+
|
|
|
+The user presents the Invitation credential:
|
|
|
+- id: revealed
|
|
|
+- date: blinded, but proved in ZK to be at most INVITATION_EXPIRY days ago
|
|
|
+- bucket: blinded
|
|
|
+- blockages: blinded
|
|
|
+
|
|
|
+and a new Lox credential to be issued:
|
|
|
+
|
|
|
+- id: jointly chosen by the user and BA
|
|
|
+- bucket: blinded, but proved in ZK that it's the same as in the
|
|
|
+ Invitation credential above
|
|
|
+- trust_level: revealed to be 1
|
|
|
+- level_since: today
|
|
|
+- invites_remaining: revealed to be 0
|
|
|
+- blockages: blinded, but proved in ZK that it's the same as in the
|
|
|
+ Invitations credential above
|
|
|
+
|
|
|
+*/
|
|
|
+
|
|
|
+use curve25519_dalek::ristretto::RistrettoBasepointTable;
|
|
|
+use curve25519_dalek::ristretto::RistrettoPoint;
|
|
|
+use curve25519_dalek::scalar::Scalar;
|
|
|
+use curve25519_dalek::traits::IsIdentity;
|
|
|
+
|
|
|
+use zkp::CompactProof;
|
|
|
+use zkp::ProofError;
|
|
|
+use zkp::Transcript;
|
|
|
+
|
|
|
+use super::super::cred;
|
|
|
+use super::super::dup_filter::SeenType;
|
|
|
+use super::super::{pt_dbl, scalar_dbl, scalar_u32};
|
|
|
+use super::super::{BridgeAuth, IssuerPubKey};
|
|
|
+use super::super::{CMZ_A, CMZ_A_TABLE, CMZ_B, CMZ_B_TABLE};
|
|
|
+
|
|
|
+/// Invitations must be used within this many days of being issued.
|
|
|
+/// Note that if you change this number to be larger than 15, you must
|
|
|
+/// also add bits to the zero knowledge proof.
|
|
|
+pub const INVITATION_EXPIRY: u32 = 15;
|
|
|
+
|
|
|
+pub struct Request {
|
|
|
+ // Fields for showing the Invitation credential
|
|
|
+ P: RistrettoPoint,
|
|
|
+ id: Scalar,
|
|
|
+ CDate: RistrettoPoint,
|
|
|
+ CBucket: RistrettoPoint,
|
|
|
+ CBlockages: RistrettoPoint,
|
|
|
+ CQ: RistrettoPoint,
|
|
|
+
|
|
|
+ // Fields for the inequality proof
|
|
|
+ // date + INVITATION_EXPIRY >= today
|
|
|
+ CG1: RistrettoPoint,
|
|
|
+ CG2: RistrettoPoint,
|
|
|
+ CG3: RistrettoPoint,
|
|
|
+ CG0sq: RistrettoPoint,
|
|
|
+ CG1sq: RistrettoPoint,
|
|
|
+ CG2sq: RistrettoPoint,
|
|
|
+ CG3sq: RistrettoPoint,
|
|
|
+
|
|
|
+ // Fields for user blinding of the Lox credential to be issued
|
|
|
+ D: RistrettoPoint,
|
|
|
+ EncIdClient: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBucket: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBlockages: (RistrettoPoint, RistrettoPoint),
|
|
|
+
|
|
|
+ // The combined ZKP
|
|
|
+ piUser: CompactProof,
|
|
|
+}
|
|
|
+
|
|
|
+#[derive(Debug)]
|
|
|
+pub struct State {
|
|
|
+ d: Scalar,
|
|
|
+ D: RistrettoPoint,
|
|
|
+ EncIdClient: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBucket: (RistrettoPoint, RistrettoPoint),
|
|
|
+ EncBlockages: (RistrettoPoint, RistrettoPoint),
|
|
|
+ id_client: Scalar,
|
|
|
+ bucket: Scalar,
|
|
|
+ blockages: Scalar,
|
|
|
+}
|
|
|
+
|
|
|
+pub struct Response {
|
|
|
+ // The fields for the new Lox credential; the new trust level is 1
|
|
|
+ // and the new invites_remaining is 0, so we don't have to include
|
|
|
+ // them here explicitly
|
|
|
+ P: RistrettoPoint,
|
|
|
+ EncQ: (RistrettoPoint, RistrettoPoint),
|
|
|
+ id_server: Scalar,
|
|
|
+ level_since: Scalar,
|
|
|
+ TId: RistrettoPoint,
|
|
|
+ TBucket: RistrettoPoint,
|
|
|
+ TBlockages: RistrettoPoint,
|
|
|
+
|
|
|
+ // The ZKP
|
|
|
+ piBlindIssue: CompactProof,
|
|
|
+}
|
|
|
+
|
|
|
+define_proof! {
|
|
|
+ requestproof,
|
|
|
+ "Redeem Invite Request",
|
|
|
+ (date, bucket, blockages, zdate, zbucket, zblockages, negzQ,
|
|
|
+ d, eid_client, ebucket, eblockages, id_client,
|
|
|
+ g0, g1, g2, g3,
|
|
|
+ zg0, zg1, zg2, zg3,
|
|
|
+ wg0, wg1, wg2, wg3,
|
|
|
+ yg0, yg1, yg2, yg3),
|
|
|
+ (P, CDate, CBucket, CBlockages, V, Xdate, Xbucket, Xblockages,
|
|
|
+ D, EncIdClient0, EncIdClient1, EncBucket0, EncBucket1,
|
|
|
+ EncBlockages0, EncBlockages1,
|
|
|
+ CG0, CG1, CG2, CG3,
|
|
|
+ CG0sq, CG1sq, CG2sq, CG3sq),
|
|
|
+ (A, B):
|
|
|
+ // Blind showing of the Invitation credential
|
|
|
+ CDate = (date*P + zdate*A),
|
|
|
+ CBucket = (bucket*P + zbucket*A),
|
|
|
+ CBlockages = (blockages*P + zblockages*A),
|
|
|
+ // User blinding of the Lox credential to be issued
|
|
|
+ D = (d*B),
|
|
|
+ EncIdClient0 = (eid_client*B),
|
|
|
+ EncIdClient1 = (id_client*B + eid_client*D),
|
|
|
+ EncBucket0 = (ebucket*B),
|
|
|
+ EncBucket1 = (bucket*B + ebucket*D),
|
|
|
+ EncBlockages0 = (eblockages*B),
|
|
|
+ EncBlockages1 = (blockages*B + eblockages*D),
|
|
|
+ // Prove CDate encodes a value at most INVITATION_EXPIRY
|
|
|
+ // days ago: first prove each of g0, ..., g3 is a bit by
|
|
|
+ // proving that gi = gi^2
|
|
|
+ CG0 = (g0*P + zg0*A), CG0sq = (g0*CG0 + wg0*A), CG0sq = (g0*P + yg0*A),
|
|
|
+ CG1 = (g1*P + zg1*A), CG1sq = (g1*CG1 + wg1*A), CG1sq = (g1*P + yg1*A),
|
|
|
+ CG2 = (g2*P + zg2*A), CG2sq = (g2*CG2 + wg2*A), CG2sq = (g2*P + yg2*A),
|
|
|
+ CG3 = (g3*P + zg3*A), CG3sq = (g3*CG3 + wg3*A), CG3sq = (g3*P + yg3*A)
|
|
|
+ // Then we'll check that today*P + CG0 + 2*CG1 + 4*CG2 + 8*CG3 =
|
|
|
+ // CDate + INVITATION_EXPIRY*P by having the verifier
|
|
|
+ // plug in CDate + INVITATION_EXPIRY*P - (today*P + 2*CG1 + 4*CG2
|
|
|
+ // + 8*CG3) as its value of CG0.
|
|
|
+}
|
|
|
+
|
|
|
+pub fn request(
|
|
|
+ inv_cred: &cred::Invitation,
|
|
|
+ invitation_pub: &IssuerPubKey,
|
|
|
+ today: u32,
|
|
|
+) -> Result<(Request, State), ProofError> {
|
|
|
+ let A: &RistrettoPoint = &CMZ_A;
|
|
|
+ let B: &RistrettoPoint = &CMZ_B;
|
|
|
+ let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
|
|
|
+ let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
|
|
|
+
|
|
|
+ // Ensure the credential can be correctly shown: it must be the case
|
|
|
+ // that date + INVITATION_EXPIRY >= today.
|
|
|
+ let date: u32 = match scalar_u32(&inv_cred.date) {
|
|
|
+ Some(v) => v,
|
|
|
+ None => return Err(ProofError::VerificationFailure),
|
|
|
+ };
|
|
|
+ if date + INVITATION_EXPIRY < today {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+ let diffdays = date + INVITATION_EXPIRY - today;
|
|
|
+ // If diffdays > 15, then since INVITATION_EXPIRY <= 15, then date
|
|
|
+ // must be in the future. Reject.
|
|
|
+ if diffdays > 15 {
|
|
|
+ return Err(ProofError::VerificationFailure);
|
|
|
+ }
|
|
|
+
|
|
|
+ // Blind showing the Invitation credential
|
|
|
+
|
|
|
+ // Reblind P and Q
|
|
|
+ let mut rng = rand::thread_rng();
|
|
|
+ let t = Scalar::random(&mut rng);
|
|
|
+ let P = t * inv_cred.P;
|
|
|
+ let Q = t * inv_cred.Q;
|
|
|
+
|
|
|
+ // Form Pedersen commitments to the blinded attributes
|
|
|
+ let zdate = Scalar::random(&mut rng);
|
|
|
+ let zbucket = Scalar::random(&mut rng);
|
|
|
+ let zblockages = Scalar::random(&mut rng);
|
|
|
+ let CDate = inv_cred.date * P + &zdate * Atable;
|
|
|
+ let CBucket = inv_cred.bucket * P + &zbucket * Atable;
|
|
|
+ let CBlockages = inv_cred.blockages * P + &zblockages * Atable;
|
|
|
+
|
|
|
+ // Form a Pedersen commitment to the MAC Q
|
|
|
+ // We flip the sign of zQ from that of the Hyphae paper so that
|
|
|
+ // the ZKP has a "+" instead of a "-", as that's what the zkp
|
|
|
+ // macro supports.
|
|
|
+ let negzQ = Scalar::random(&mut rng);
|
|
|
+ let CQ = Q - &negzQ * Atable;
|
|
|
+
|
|
|
+ // Compute the "error factor"
|
|
|
+ let V = zdate * invitation_pub.X[2]
|
|
|
+ + zbucket * invitation_pub.X[3]
|
|
|
+ + zblockages * invitation_pub.X[4]
|
|
|
+ + &negzQ * Atable;
|
|
|
+
|
|
|
+ // User blinding for the Lox certificate to be issued
|
|
|
+
|
|
|
+ // Pick an ElGamal keypair
|
|
|
+ let d = Scalar::random(&mut rng);
|
|
|
+ let D = &d * Btable;
|
|
|
+
|
|
|
+ // Pick a random client component of the id
|
|
|
+ let id_client = Scalar::random(&mut rng);
|
|
|
+
|
|
|
+ // Encrypt it (times the basepoint B) to the ElGamal public key D we
|
|
|
+ // just created
|
|
|
+ let eid_client = Scalar::random(&mut rng);
|
|
|
+ let EncIdClient = (&eid_client * Btable, &id_client * Btable + eid_client * D);
|
|
|
+
|
|
|
+ // Encrypt the other blinded fields (times B) to D as well
|
|
|
+ let ebucket = Scalar::random(&mut rng);
|
|
|
+ let EncBucket = (&ebucket * Btable, &inv_cred.bucket * Btable + ebucket * D);
|
|
|
+ let eblockages = Scalar::random(&mut rng);
|
|
|
+ let EncBlockages = (
|
|
|
+ &eblockages * Btable,
|
|
|
+ &inv_cred.blockages * Btable + eblockages * D,
|
|
|
+ );
|
|
|
+
|
|
|
+ // The range proof that 0 <= diffdays <= 15
|
|
|
+
|
|
|
+ // Extract the 4 bits from diffdays
|
|
|
+ let g0: Scalar = (diffdays & 1).into();
|
|
|
+ let g1: Scalar = ((diffdays >> 1) & 1).into();
|
|
|
+ let g2: Scalar = ((diffdays >> 2) & 1).into();
|
|
|
+ let g3: Scalar = ((diffdays >> 3) & 1).into();
|
|
|
+
|
|
|
+ // Pick random factors for the Pedersen commitments
|
|
|
+ let wg0 = Scalar::random(&mut rng);
|
|
|
+ let zg1 = Scalar::random(&mut rng);
|
|
|
+ let wg1 = Scalar::random(&mut rng);
|
|
|
+ let zg2 = Scalar::random(&mut rng);
|
|
|
+ let wg2 = Scalar::random(&mut rng);
|
|
|
+ let zg3 = Scalar::random(&mut rng);
|
|
|
+ let wg3 = Scalar::random(&mut rng);
|
|
|
+
|
|
|
+ // Compute zg0 to cancel things out as
|
|
|
+ // zg0 = -(zdate + 2*zg1 + 4*zg2 + 8*zg3)
|
|
|
+ // but use Horner's method
|
|
|
+ let zg0 = -(scalar_dbl(&(scalar_dbl(&(scalar_dbl(&zg3) + zg2)) + zg1)) + zdate);
|
|
|
+
|
|
|
+ let yg0 = wg0 + g0 * zg0;
|
|
|
+ let yg1 = wg1 + g1 * zg1;
|
|
|
+ let yg2 = wg2 + g2 * zg2;
|
|
|
+ let yg3 = wg3 + g3 * zg3;
|
|
|
+
|
|
|
+ let CG0 = g0 * P + &zg0 * Atable;
|
|
|
+ let CG1 = g1 * P + &zg1 * Atable;
|
|
|
+ let CG2 = g2 * P + &zg2 * Atable;
|
|
|
+ let CG3 = g3 * P + &zg3 * Atable;
|
|
|
+
|
|
|
+ let CG0sq = g0 * P + &yg0 * Atable;
|
|
|
+ let CG1sq = g1 * P + &yg1 * Atable;
|
|
|
+ let CG2sq = g2 * P + &yg2 * Atable;
|
|
|
+ let CG3sq = g3 * P + &yg3 * Atable;
|
|
|
+
|
|
|
+ // Construct the proof
|
|
|
+ let mut transcript = Transcript::new(b"redeem invite request");
|
|
|
+ let piUser = requestproof::prove_compact(
|
|
|
+ &mut transcript,
|
|
|
+ requestproof::ProveAssignments {
|
|
|
+ A: &A,
|
|
|
+ B: &B,
|
|
|
+ P: &P,
|
|
|
+ CDate: &CDate,
|
|
|
+ CBucket: &CBucket,
|
|
|
+ CBlockages: &CBlockages,
|
|
|
+ V: &V,
|
|
|
+ Xdate: &invitation_pub.X[2],
|
|
|
+ Xbucket: &invitation_pub.X[3],
|
|
|
+ Xblockages: &invitation_pub.X[4],
|
|
|
+ D: &D,
|
|
|
+ EncIdClient0: &EncIdClient.0,
|
|
|
+ EncIdClient1: &EncIdClient.1,
|
|
|
+ EncBucket0: &EncBucket.0,
|
|
|
+ EncBucket1: &EncBucket.1,
|
|
|
+ EncBlockages0: &EncBlockages.0,
|
|
|
+ EncBlockages1: &EncBlockages.1,
|
|
|
+ CG0: &CG0,
|
|
|
+ CG1: &CG1,
|
|
|
+ CG2: &CG2,
|
|
|
+ CG3: &CG3,
|
|
|
+ CG0sq: &CG0sq,
|
|
|
+ CG1sq: &CG1sq,
|
|
|
+ CG2sq: &CG2sq,
|
|
|
+ CG3sq: &CG3sq,
|
|
|
+ date: &inv_cred.date,
|
|
|
+ bucket: &inv_cred.bucket,
|
|
|
+ blockages: &inv_cred.blockages,
|
|
|
+ zdate: &zdate,
|
|
|
+ zbucket: &zbucket,
|
|
|
+ zblockages: &zblockages,
|
|
|
+ negzQ: &negzQ,
|
|
|
+ d: &d,
|
|
|
+ eid_client: &eid_client,
|
|
|
+ ebucket: &ebucket,
|
|
|
+ eblockages: &eblockages,
|
|
|
+ id_client: &id_client,
|
|
|
+ g0: &g0,
|
|
|
+ g1: &g1,
|
|
|
+ g2: &g2,
|
|
|
+ g3: &g3,
|
|
|
+ zg0: &zg0,
|
|
|
+ zg1: &zg1,
|
|
|
+ zg2: &zg2,
|
|
|
+ zg3: &zg3,
|
|
|
+ wg0: &wg0,
|
|
|
+ wg1: &wg1,
|
|
|
+ wg2: &wg2,
|
|
|
+ wg3: &wg3,
|
|
|
+ yg0: &yg0,
|
|
|
+ yg1: &yg1,
|
|
|
+ yg2: &yg2,
|
|
|
+ yg3: &yg3,
|
|
|
+ },
|
|
|
+ )
|
|
|
+ .0;
|
|
|
+
|
|
|
+ Ok((
|
|
|
+ Request {
|
|
|
+ P,
|
|
|
+ id: inv_cred.inv_id,
|
|
|
+ CDate,
|
|
|
+ CBucket,
|
|
|
+ CBlockages,
|
|
|
+ CQ,
|
|
|
+ D,
|
|
|
+ EncIdClient,
|
|
|
+ EncBucket,
|
|
|
+ EncBlockages,
|
|
|
+ CG1,
|
|
|
+ CG2,
|
|
|
+ CG3,
|
|
|
+ CG0sq,
|
|
|
+ CG1sq,
|
|
|
+ CG2sq,
|
|
|
+ CG3sq,
|
|
|
+ piUser,
|
|
|
+ },
|
|
|
+ State {
|
|
|
+ d,
|
|
|
+ D,
|
|
|
+ EncIdClient,
|
|
|
+ EncBucket,
|
|
|
+ EncBlockages,
|
|
|
+ id_client,
|
|
|
+ bucket: inv_cred.bucket,
|
|
|
+ blockages: inv_cred.blockages,
|
|
|
+ },
|
|
|
+ ))
|
|
|
+}
|