/*! A module for the protocol for a user to request the issuing of an Invitation credential they can pass to someone they know. They are allowed to do this as long as their current Lox credentials has a non-zero "invites_remaining" attribute (which will be decreased by one), and they have a Bucket Reachability credential for their current bucket and today's date. (Such credentials are placed daily in the encrypted bridge table.) The user presents their current Lox credential: - id: revealed - bucket: blinded - trust_level: blinded - level_since: blinded - invites_remaining: blinded, but proved in ZK that it's not zero - blockages: blinded and a Bucket Reachability credential: - date: revealed to be today - bucket: blinded, but proved in ZK that it's the same as in the Lox credential above and a new Lox credential to be issued: - id: jointly chosen by the user and BA - bucket: blinded, but proved in ZK that it's the same as in the Lox credential above - trust_level: blinded, but proved in ZK that it's the same as in the Lox credential above - level_since: blinded, but proved in ZK that it's the same as in the Lox credential above - invites_remaining: blinded, but proved in ZK that it's one less than the number in the Lox credential above - blockages: blinded, but proved in ZK that it's the same as in the Lox credential above and a new Invitation credential to be issued: - inv_id: jointly chosen by the user and BA - date: revealed to be today - bucket: blinded, but proved in ZK that it's the same as in the Lox credential above - blockages: blinded, but proved in ZK that it's the same as in the Lox credential above */ use curve25519_dalek::ristretto::RistrettoBasepointTable; use curve25519_dalek::ristretto::RistrettoPoint; use curve25519_dalek::scalar::Scalar; use curve25519_dalek::traits::IsIdentity; use zkp::CompactProof; use zkp::ProofError; use zkp::Transcript; use serde::{Deserialize, Serialize}; use super::super::cred; use super::super::dup_filter::SeenType; use super::super::scalar_u32; use super::super::{BridgeAuth, IssuerPubKey}; use super::super::{CMZ_A, CMZ_A_TABLE, CMZ_B, CMZ_B_TABLE}; #[derive(Serialize, Deserialize)] pub struct Request { // Fields for blind showing the Lox credential P: RistrettoPoint, id: Scalar, CBucket: RistrettoPoint, CLevel: RistrettoPoint, CSince: RistrettoPoint, CInvRemain: RistrettoPoint, CBlockages: RistrettoPoint, CQ: RistrettoPoint, // Fields for blind showing the Bucket Reachability credential P_reach: RistrettoPoint, CBucket_reach: RistrettoPoint, CQ_reach: RistrettoPoint, // Fields for user blinding of the Lox credential to be issued D: RistrettoPoint, EncIdClient: (RistrettoPoint, RistrettoPoint), EncBucket: (RistrettoPoint, RistrettoPoint), EncLevel: (RistrettoPoint, RistrettoPoint), EncSince: (RistrettoPoint, RistrettoPoint), EncInvRemain: (RistrettoPoint, RistrettoPoint), EncBlockages: (RistrettoPoint, RistrettoPoint), // Fields for user blinding of the Inivtation credential to be // issued EncInvIdClient: (RistrettoPoint, RistrettoPoint), // The bucket and blockages attributes in the Invitation credential // issuing protocol can just reuse the exact encryptions as for the // Lox credential issuing protocol above. // The combined ZKP piUser: CompactProof, } #[derive(Debug)] pub struct State { d: Scalar, D: RistrettoPoint, EncIdClient: (RistrettoPoint, RistrettoPoint), EncBucket: (RistrettoPoint, RistrettoPoint), EncLevel: (RistrettoPoint, RistrettoPoint), EncSince: (RistrettoPoint, RistrettoPoint), EncInvRemain: (RistrettoPoint, RistrettoPoint), EncBlockages: (RistrettoPoint, RistrettoPoint), EncInvIdClient: (RistrettoPoint, RistrettoPoint), id_client: Scalar, bucket: Scalar, level: Scalar, since: Scalar, invremain: Scalar, blockages: Scalar, inv_id_client: Scalar, } #[derive(Serialize, Deserialize)] pub struct Response { // The fields for the new Lox credential; the new invites_remaining // is one less than the old value, so we don't have to include it // here explicitly P: RistrettoPoint, EncQ: (RistrettoPoint, RistrettoPoint), id_server: Scalar, TId: RistrettoPoint, TBucket: RistrettoPoint, TLevel: RistrettoPoint, TSince: RistrettoPoint, TInvRemain: RistrettoPoint, TBlockages: RistrettoPoint, // The fields for the new Invitation credential P_inv: RistrettoPoint, EncQ_inv: (RistrettoPoint, RistrettoPoint), inv_id_server: Scalar, TId_inv: RistrettoPoint, date_inv: Scalar, TBucket_inv: RistrettoPoint, TBlockages_inv: RistrettoPoint, // The ZKP piBlindIssue: CompactProof, } define_proof! { requestproof, "Issue Invite Request", (bucket, level, since, invremain, blockages, zbucket, zlevel, zsince, zinvremain, zblockages, negzQ, zbucket_reach, negzQ_reach, d, eid_client, ebucket, elevel, esince, einvremain, eblockages, id_client, inv_id_client, einv_id_client, invremain_inverse, zinvremain_inverse), (P, CBucket, CLevel, CSince, CInvRemain, CBlockages, V, Xbucket, Xlevel, Xsince, Xinvremain, Xblockages, P_reach, CBucket_reach, V_reach, Xbucket_reach, D, EncIdClient0, EncIdClient1, EncBucket0, EncBucket1, EncLevel0, EncLevel1, EncSince0, EncSince1, EncInvRemain0, EncInvRemain1_plus_B, EncBlockages0, EncBlockages1, EncInvIdClient0, EncInvIdClient1), (A, B): // Blind showing of the Lox credential CBucket = (bucket*P + zbucket*A), CLevel = (level*P + zlevel*A), CSince = (since*P + zsince*A), CInvRemain = (invremain*P + zinvremain*A), CBlockages = (blockages*P + zblockages*A), // Proof that invremain is not 0 P = (invremain_inverse*CInvRemain + zinvremain_inverse*A), // Blind showing of the Bucket Reachability credential; note the // same bucket is used in the proof CBucket_reach = (bucket*P_reach + zbucket_reach*A), // User blinding of the Lox credential to be issued D = (d*B), EncIdClient0 = (eid_client*B), EncIdClient1 = (id_client*B + eid_client*D), EncBucket0 = (ebucket*B), EncBucket1 = (bucket*B + ebucket*D), EncLevel0 = (elevel*B), EncLevel1 = (level*B + elevel*D), EncSince0 = (esince*B), EncSince1 = (since*B + esince*D), EncInvRemain0 = (einvremain*B), EncInvRemain1_plus_B = (invremain*B + einvremain*D), EncBlockages0 = (eblockages*B), EncBlockages1 = (blockages*B + eblockages*D), // User blinding of the Invitation to be issued EncInvIdClient0 = (einv_id_client*B), EncInvIdClient1 = (inv_id_client*B + einv_id_client*D) } define_proof! { blindissue, "Issue Invite Issuing", (x0, x0tilde, xid, xbucket, xlevel, xsince, xinvremain, xblockages, s, b, tid, tbucket, tlevel, tsince, tinvremain, tblockages, x0_inv, x0tilde_inv, xid_inv, xdate_inv, xbucket_inv, xblockages_inv, s_inv, b_inv, tid_inv, tbucket_inv, tblockages_inv), (P, EncQ0, EncQ1, X0, Xid, Xbucket, Xlevel, Xsince, Xinvremain, Xblockages, TId, TBucket, TLevel, TSince, TInvRemain, TBlockages, P_inv, EncQ_inv0, EncQ_inv1, X0_inv, Xid_inv, Xdate_inv, Xbucket_inv, Xblockages_inv, Pdate_inv, TId_inv, TBucket_inv, TBlockages_inv, D, EncId0, EncId1, EncBucket0, EncBucket1, EncLevel0, EncLevel1, EncSince0, EncSince1, EncInvRemain0, EncInvRemain1, EncBlockages0, EncBlockages1, EncInvId0, EncInvId1), (A, B): Xid = (xid*A), Xbucket = (xbucket*A), Xlevel = (xlevel*A), Xsince = (xsince*A), Xinvremain = (xinvremain*A), Xblockages = (xblockages*A), X0 = (x0*B + x0tilde*A), P = (b*B), TId = (b*Xid), TId = (tid*A), TBucket = (b*Xbucket), TBucket = (tbucket*A), TLevel = (b*Xlevel), TLevel = (tlevel*A), TSince = (b*Xsince), TSince = (tsince*A), TInvRemain = (b*Xinvremain), TInvRemain = (tinvremain*A), TBlockages = (b*Xblockages), TBlockages = (tblockages*A), EncQ0 = (s*B + tid*EncId0 + tbucket*EncBucket0 + tlevel*EncLevel0 + tsince*EncSince0 + tinvremain*EncInvRemain0 + tblockages*EncBlockages0), EncQ1 = (s*D + tid*EncId1 + tbucket*EncBucket1 + tlevel*EncLevel1 + tsince*EncSince1 + tinvremain*EncInvRemain1 + tblockages*EncBlockages1 + x0*P), Xid_inv = (xid_inv*A), Xdate_inv = (xdate_inv*A), Xbucket_inv = (xbucket_inv*A), Xblockages_inv = (xblockages_inv*A), X0_inv = (x0_inv*B + x0tilde_inv*A), P_inv = (b_inv*B), TId_inv = (b_inv*Xid_inv), TId_inv = (tid_inv*A), TBucket_inv = (b_inv*Xbucket_inv), TBucket_inv = (tbucket_inv*A), TBlockages_inv = (b_inv*Xblockages_inv), TBlockages_inv = (tblockages_inv*A), EncQ_inv0 = (s_inv*B + tid_inv*EncInvId0 + tbucket_inv*EncBucket0 + tblockages_inv*EncBlockages0), EncQ_inv1 = (s_inv*D + tid_inv*EncInvId1 + tbucket_inv*EncBucket1 + tblockages_inv*EncBlockages1 + x0_inv*P_inv + xdate_inv*Pdate_inv) } pub fn request( lox_cred: &cred::Lox, reach_cred: &cred::BucketReachability, lox_pub: &IssuerPubKey, reach_pub: &IssuerPubKey, today: u32, ) -> Result<(Request, State), ProofError> { let A: &RistrettoPoint = &CMZ_A; let B: &RistrettoPoint = &CMZ_B; let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE; let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE; // Ensure the credential can be correctly shown: it must be the case // that invites_remaining not be 0 if lox_cred.invites_remaining == Scalar::zero() { return Err(ProofError::VerificationFailure); } // The buckets in the Lox and Bucket Reachability credentials have // to match if lox_cred.bucket != reach_cred.bucket { return Err(ProofError::VerificationFailure); } // The Bucket Reachability credential has to be dated today let reach_date: u32 = match scalar_u32(&reach_cred.date) { Some(v) => v, None => return Err(ProofError::VerificationFailure), }; if reach_date != today { return Err(ProofError::VerificationFailure); } // The new invites_remaining let new_invites_remaining = lox_cred.invites_remaining - Scalar::one(); // Blind showing the Lox credential // Reblind P and Q let mut rng = rand::thread_rng(); let t = Scalar::random(&mut rng); let P = t * lox_cred.P; let Q = t * lox_cred.Q; // Form Pedersen commitments to the blinded attributes let zbucket = Scalar::random(&mut rng); let zlevel = Scalar::random(&mut rng); let zsince = Scalar::random(&mut rng); let zinvremain = Scalar::random(&mut rng); let zblockages = Scalar::random(&mut rng); let CBucket = lox_cred.bucket * P + &zbucket * Atable; let CLevel = lox_cred.trust_level * P + &zlevel * Atable; let CSince = lox_cred.level_since * P + &zsince * Atable; let CInvRemain = lox_cred.invites_remaining * P + &zinvremain * Atable; let CBlockages = lox_cred.blockages * P + &zblockages * Atable; // Form a Pedersen commitment to the MAC Q // We flip the sign of zQ from that of the Hyphae paper so that // the ZKP has a "+" instead of a "-", as that's what the zkp // macro supports. let negzQ = Scalar::random(&mut rng); let CQ = Q - &negzQ * Atable; // Compute the "error factor" let V = zbucket * lox_pub.X[2] + zlevel * lox_pub.X[3] + zsince * lox_pub.X[4] + zinvremain * lox_pub.X[5] + zblockages * lox_pub.X[6] + &negzQ * Atable; // Blind showing the Bucket Reachability credential // Reblind P and Q let t_reach = Scalar::random(&mut rng); let P_reach = t_reach * reach_cred.P; let Q_reach = t_reach * reach_cred.Q; // Form Pedersen commitments to the blinded attributes let zbucket_reach = Scalar::random(&mut rng); let CBucket_reach = reach_cred.bucket * P_reach + &zbucket_reach * Atable; // Form a Pedersen commitment to the MAC Q // We flip the sign of zQ from that of the Hyphae paper so that // the ZKP has a "+" instead of a "-", as that's what the zkp // macro supports. let negzQ_reach = Scalar::random(&mut rng); let CQ_reach = Q_reach - &negzQ_reach * Atable; // Compute the "error factor" let V_reach = zbucket_reach * reach_pub.X[2] + &negzQ_reach * Atable; // User blinding for the Lox certificate to be issued // Pick an ElGamal keypair let d = Scalar::random(&mut rng); let D = &d * Btable; // Pick a random client component of the id let id_client = Scalar::random(&mut rng); // Encrypt it (times the basepoint B) to the ElGamal public key D we // just created let eid_client = Scalar::random(&mut rng); let EncIdClient = (&eid_client * Btable, &id_client * Btable + eid_client * D); // Encrypt the other blinded fields (times B) to D as well let ebucket = Scalar::random(&mut rng); let EncBucket = (&ebucket * Btable, &lox_cred.bucket * Btable + ebucket * D); let elevel = Scalar::random(&mut rng); let EncLevel = ( &elevel * Btable, &lox_cred.trust_level * Btable + elevel * D, ); let esince = Scalar::random(&mut rng); let EncSince = ( &esince * Btable, &lox_cred.level_since * Btable + esince * D, ); let einvremain = Scalar::random(&mut rng); let EncInvRemain = ( &einvremain * Btable, &new_invites_remaining * Btable + einvremain * D, ); let eblockages = Scalar::random(&mut rng); let EncBlockages = ( &eblockages * Btable, &lox_cred.blockages * Btable + eblockages * D, ); // User blinding for the Invitation certificate to be issued // Pick a random client component of the id let inv_id_client = Scalar::random(&mut rng); // Encrypt it (times the basepoint B) to the ElGamal public key D we // just created let einv_id_client = Scalar::random(&mut rng); let EncInvIdClient = ( &einv_id_client * Btable, &inv_id_client * Btable + einv_id_client * D, ); // The proof that invites_remaining is not zero. We prove this by // demonstrating that we know its inverse. let invremain_inverse = &lox_cred.invites_remaining.invert(); let zinvremain_inverse = -zinvremain * invremain_inverse; // So now invremain_inverse * CInvRemain + zinvremain_inverse * A = P // Construct the proof let mut transcript = Transcript::new(b"issue invite request"); let piUser = requestproof::prove_compact( &mut transcript, requestproof::ProveAssignments { A, B, P: &P, CBucket: &CBucket, CLevel: &CLevel, CSince: &CSince, CInvRemain: &CInvRemain, CBlockages: &CBlockages, V: &V, Xbucket: &lox_pub.X[2], Xlevel: &lox_pub.X[3], Xsince: &lox_pub.X[4], Xinvremain: &lox_pub.X[5], Xblockages: &lox_pub.X[6], P_reach: &P_reach, CBucket_reach: &CBucket_reach, V_reach: &V_reach, Xbucket_reach: &reach_pub.X[2], D: &D, EncIdClient0: &EncIdClient.0, EncIdClient1: &EncIdClient.1, EncBucket0: &EncBucket.0, EncBucket1: &EncBucket.1, EncLevel0: &EncLevel.0, EncLevel1: &EncLevel.1, EncSince0: &EncSince.0, EncSince1: &EncSince.1, EncInvRemain0: &EncInvRemain.0, EncInvRemain1_plus_B: &(EncInvRemain.1 + B), EncBlockages0: &EncBlockages.0, EncBlockages1: &EncBlockages.1, EncInvIdClient0: &EncInvIdClient.0, EncInvIdClient1: &EncInvIdClient.1, bucket: &lox_cred.bucket, level: &lox_cred.trust_level, since: &lox_cred.level_since, invremain: &lox_cred.invites_remaining, blockages: &lox_cred.blockages, zbucket: &zbucket, zlevel: &zlevel, zsince: &zsince, zinvremain: &zinvremain, zblockages: &zblockages, negzQ: &negzQ, zbucket_reach: &zbucket_reach, negzQ_reach: &negzQ_reach, d: &d, eid_client: &eid_client, ebucket: &ebucket, elevel: &elevel, esince: &esince, einvremain: &einvremain, eblockages: &eblockages, id_client: &id_client, inv_id_client: &inv_id_client, einv_id_client: &einv_id_client, invremain_inverse, zinvremain_inverse: &zinvremain_inverse, }, ) .0; Ok(( Request { P, id: lox_cred.id, CBucket, CLevel, CSince, CInvRemain, CBlockages, CQ, P_reach, CBucket_reach, CQ_reach, D, EncIdClient, EncBucket, EncLevel, EncSince, EncInvRemain, EncBlockages, EncInvIdClient, piUser, }, State { d, D, EncIdClient, EncBucket, EncLevel, EncSince, EncInvRemain, EncBlockages, EncInvIdClient, id_client, bucket: lox_cred.bucket, level: lox_cred.trust_level, since: lox_cred.level_since, invremain: new_invites_remaining, blockages: lox_cred.blockages, inv_id_client, }, )) } impl BridgeAuth { /// Receive an issue invite request pub fn handle_issue_invite(&mut self, req: Request) -> Result { let A: &RistrettoPoint = &CMZ_A; let B: &RistrettoPoint = &CMZ_B; let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE; let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE; if req.P.is_identity() || req.P_reach.is_identity() { return Err(ProofError::VerificationFailure); } let today: Scalar = self.today().into(); // Recompute the "error factors" using knowledge of our own // (the issuer's) private key instead of knowledge of the // hidden attributes let Vprime = (self.lox_priv.x[0] + self.lox_priv.x[1] * req.id) * req.P + self.lox_priv.x[2] * req.CBucket + self.lox_priv.x[3] * req.CLevel + self.lox_priv.x[4] * req.CSince + self.lox_priv.x[5] * req.CInvRemain + self.lox_priv.x[6] * req.CBlockages - req.CQ; let Vprime_reach = (self.reachability_priv.x[0] + self.reachability_priv.x[1] * today) * req.P_reach + self.reachability_priv.x[2] * req.CBucket_reach - req.CQ_reach; // Verify the ZKP let mut transcript = Transcript::new(b"issue invite request"); requestproof::verify_compact( &req.piUser, &mut transcript, requestproof::VerifyAssignments { A: &A.compress(), B: &B.compress(), P: &req.P.compress(), CBucket: &req.CBucket.compress(), CLevel: &req.CLevel.compress(), CSince: &req.CSince.compress(), CInvRemain: &req.CInvRemain.compress(), CBlockages: &req.CBlockages.compress(), V: &Vprime.compress(), Xbucket: &self.lox_pub.X[2].compress(), Xlevel: &self.lox_pub.X[3].compress(), Xsince: &self.lox_pub.X[4].compress(), Xinvremain: &self.lox_pub.X[5].compress(), Xblockages: &self.lox_pub.X[6].compress(), P_reach: &req.P_reach.compress(), CBucket_reach: &req.CBucket_reach.compress(), V_reach: &Vprime_reach.compress(), Xbucket_reach: &self.reachability_pub.X[2].compress(), D: &req.D.compress(), EncIdClient0: &req.EncIdClient.0.compress(), EncIdClient1: &req.EncIdClient.1.compress(), EncBucket0: &req.EncBucket.0.compress(), EncBucket1: &req.EncBucket.1.compress(), EncLevel0: &req.EncLevel.0.compress(), EncLevel1: &req.EncLevel.1.compress(), EncSince0: &req.EncSince.0.compress(), EncSince1: &req.EncSince.1.compress(), EncInvRemain0: &req.EncInvRemain.0.compress(), EncInvRemain1_plus_B: &(req.EncInvRemain.1 + B).compress(), EncBlockages0: &req.EncBlockages.0.compress(), EncBlockages1: &req.EncBlockages.1.compress(), EncInvIdClient0: &req.EncInvIdClient.0.compress(), EncInvIdClient1: &req.EncInvIdClient.1.compress(), }, )?; // Ensure the id has not been seen before, and add it to the // seen list. if self.id_filter.filter(&req.id) == SeenType::Seen { return Err(ProofError::VerificationFailure); } // Blind issuing of the new Lox credential // Choose a random server id component to add to the client's // (blinded) id component let mut rng = rand::thread_rng(); let id_server = Scalar::random(&mut rng); let EncId = (req.EncIdClient.0, req.EncIdClient.1 + &id_server * Btable); // Compute the MAC on the visible attributes (none here) let b = Scalar::random(&mut rng); let P = &b * Btable; let QHc = self.lox_priv.x[0] * P; // El Gamal encrypt it to the public key req.D let s = Scalar::random(&mut rng); let EncQHc = (&s * Btable, QHc + s * req.D); // Homomorphically compute the part of the MAC corresponding to // the blinded attributes let tid = self.lox_priv.x[1] * b; let TId = &tid * Atable; let EncQId = (tid * EncId.0, tid * EncId.1); let tbucket = self.lox_priv.x[2] * b; let TBucket = &tbucket * Atable; let EncQBucket = (tbucket * req.EncBucket.0, tbucket * req.EncBucket.1); let tlevel = self.lox_priv.x[3] * b; let TLevel = &tlevel * Atable; let EncQLevel = (tlevel * req.EncLevel.0, tlevel * req.EncLevel.1); let tsince = self.lox_priv.x[4] * b; let TSince = &tsince * Atable; let EncQSince = (tsince * req.EncSince.0, tsince * req.EncSince.1); let tinvremain = self.lox_priv.x[5] * b; let TInvRemain = &tinvremain * Atable; let EncQInvRemain = ( tinvremain * req.EncInvRemain.0, tinvremain * req.EncInvRemain.1, ); let tblockages = self.lox_priv.x[6] * b; let TBlockages = &tblockages * Atable; let EncQBlockages = ( tblockages * req.EncBlockages.0, tblockages * req.EncBlockages.1, ); let EncQ = ( EncQHc.0 + EncQId.0 + EncQBucket.0 + EncQLevel.0 + EncQSince.0 + EncQInvRemain.0 + EncQBlockages.0, EncQHc.1 + EncQId.1 + EncQBucket.1 + EncQLevel.1 + EncQSince.1 + EncQInvRemain.1 + EncQBlockages.1, ); // Blind issuing of the new Invitation credential // Choose a random server id component to add to the client's // (blinded) id component let inv_id_server = Scalar::random(&mut rng); let EncInvId = ( req.EncInvIdClient.0, req.EncInvIdClient.1 + &inv_id_server * Btable, ); // Compute the MAC on the visible attributes let b_inv = Scalar::random(&mut rng); let P_inv = &b_inv * Btable; let QHc_inv = (self.invitation_priv.x[0] + self.invitation_priv.x[2] * today) * P_inv; // El Gamal encrypt it to the public key req.D let s_inv = Scalar::random(&mut rng); let EncQHc_inv = (&s_inv * Btable, QHc_inv + s_inv * req.D); // Homomorphically compute the part of the MAC corresponding to // the blinded attributes let tinvid = self.invitation_priv.x[1] * b_inv; let TId_inv = &tinvid * Atable; let EncQInvId = (tinvid * EncInvId.0, tinvid * EncInvId.1); let tinvbucket = self.invitation_priv.x[3] * b_inv; let TBucket_inv = &tinvbucket * Atable; // The bucket and blockages encrypted attributes are reused from // the Lox credential let EncQInvBucket = (tinvbucket * req.EncBucket.0, tinvbucket * req.EncBucket.1); let tinvblockages = self.invitation_priv.x[4] * b_inv; let TBlockages_inv = &tinvblockages * Atable; let EncQInvBlockages = ( tinvblockages * req.EncBlockages.0, tinvblockages * req.EncBlockages.1, ); let EncQ_inv = ( EncQHc_inv.0 + EncQInvId.0 + EncQInvBucket.0 + EncQInvBlockages.0, EncQHc_inv.1 + EncQInvId.1 + EncQInvBucket.1 + EncQInvBlockages.1, ); let mut transcript = Transcript::new(b"issue invite issuing"); let piBlindIssue = blindissue::prove_compact( &mut transcript, blindissue::ProveAssignments { A, B, P: &P, EncQ0: &EncQ.0, EncQ1: &EncQ.1, X0: &self.lox_pub.X[0], Xid: &self.lox_pub.X[1], Xbucket: &self.lox_pub.X[2], Xlevel: &self.lox_pub.X[3], Xsince: &self.lox_pub.X[4], Xinvremain: &self.lox_pub.X[5], Xblockages: &self.lox_pub.X[6], TId: &TId, TBucket: &TBucket, TLevel: &TLevel, TSince: &TSince, TInvRemain: &TInvRemain, TBlockages: &TBlockages, P_inv: &P_inv, EncQ_inv0: &EncQ_inv.0, EncQ_inv1: &EncQ_inv.1, X0_inv: &self.invitation_pub.X[0], Xid_inv: &self.invitation_pub.X[1], Xdate_inv: &self.invitation_pub.X[2], Xbucket_inv: &self.invitation_pub.X[3], Xblockages_inv: &self.invitation_pub.X[4], Pdate_inv: &(today * P_inv), TId_inv: &TId_inv, TBucket_inv: &TBucket_inv, TBlockages_inv: &TBlockages_inv, D: &req.D, EncId0: &EncId.0, EncId1: &EncId.1, EncBucket0: &req.EncBucket.0, EncBucket1: &req.EncBucket.1, EncLevel0: &req.EncLevel.0, EncLevel1: &req.EncLevel.1, EncSince0: &req.EncSince.0, EncSince1: &req.EncSince.1, EncInvRemain0: &req.EncInvRemain.0, EncInvRemain1: &req.EncInvRemain.1, EncBlockages0: &req.EncBlockages.0, EncBlockages1: &req.EncBlockages.1, EncInvId0: &EncInvId.0, EncInvId1: &EncInvId.1, x0: &self.lox_priv.x[0], x0tilde: &self.lox_priv.x0tilde, xid: &self.lox_priv.x[1], xbucket: &self.lox_priv.x[2], xlevel: &self.lox_priv.x[3], xsince: &self.lox_priv.x[4], xinvremain: &self.lox_priv.x[5], xblockages: &self.lox_priv.x[6], s: &s, b: &b, tid: &tid, tbucket: &tbucket, tlevel: &tlevel, tsince: &tsince, tinvremain: &tinvremain, tblockages: &tblockages, x0_inv: &self.invitation_priv.x[0], x0tilde_inv: &self.invitation_priv.x0tilde, xid_inv: &self.invitation_priv.x[1], xdate_inv: &self.invitation_priv.x[2], xbucket_inv: &self.invitation_priv.x[3], xblockages_inv: &self.invitation_priv.x[4], s_inv: &s_inv, b_inv: &b_inv, tid_inv: &tinvid, tbucket_inv: &tinvbucket, tblockages_inv: &tinvblockages, }, ) .0; Ok(Response { P, EncQ, id_server, TId, TBucket, TLevel, TSince, TInvRemain, TBlockages, P_inv, EncQ_inv, inv_id_server, TId_inv, date_inv: today, TBucket_inv, TBlockages_inv, piBlindIssue, }) } } /// Handle the response to the request, producing the new Lox credential /// and Invitation credential if successful. pub fn handle_response( state: State, resp: Response, lox_pub: &IssuerPubKey, invitation_pub: &IssuerPubKey, ) -> Result<(cred::Lox, cred::Invitation), ProofError> { let A: &RistrettoPoint = &CMZ_A; let B: &RistrettoPoint = &CMZ_B; let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE; if resp.P.is_identity() || resp.P_inv.is_identity() { return Err(ProofError::VerificationFailure); } // Add the server's contribution to the id to our own, both in plain // and encrypted form and for both the Lox credential id and the // Invitation credential id let id = state.id_client + resp.id_server; let EncId = ( state.EncIdClient.0, state.EncIdClient.1 + &resp.id_server * Btable, ); let inv_id = state.inv_id_client + resp.inv_id_server; let EncInvId = ( state.EncInvIdClient.0, state.EncInvIdClient.1 + &resp.inv_id_server * Btable, ); // Verify the proof let mut transcript = Transcript::new(b"issue invite issuing"); blindissue::verify_compact( &resp.piBlindIssue, &mut transcript, blindissue::VerifyAssignments { A: &A.compress(), B: &B.compress(), P: &resp.P.compress(), EncQ0: &resp.EncQ.0.compress(), EncQ1: &resp.EncQ.1.compress(), X0: &lox_pub.X[0].compress(), Xid: &lox_pub.X[1].compress(), Xbucket: &lox_pub.X[2].compress(), Xlevel: &lox_pub.X[3].compress(), Xsince: &lox_pub.X[4].compress(), Xinvremain: &lox_pub.X[5].compress(), Xblockages: &lox_pub.X[6].compress(), TId: &resp.TId.compress(), TBucket: &resp.TBucket.compress(), TLevel: &resp.TLevel.compress(), TSince: &resp.TSince.compress(), TInvRemain: &resp.TInvRemain.compress(), TBlockages: &resp.TBlockages.compress(), P_inv: &resp.P_inv.compress(), EncQ_inv0: &resp.EncQ_inv.0.compress(), EncQ_inv1: &resp.EncQ_inv.1.compress(), X0_inv: &invitation_pub.X[0].compress(), Xid_inv: &invitation_pub.X[1].compress(), Xdate_inv: &invitation_pub.X[2].compress(), Xbucket_inv: &invitation_pub.X[3].compress(), Xblockages_inv: &invitation_pub.X[4].compress(), Pdate_inv: &(resp.date_inv * resp.P_inv).compress(), TId_inv: &resp.TId_inv.compress(), TBucket_inv: &resp.TBucket_inv.compress(), TBlockages_inv: &resp.TBlockages_inv.compress(), D: &state.D.compress(), EncId0: &EncId.0.compress(), EncId1: &EncId.1.compress(), EncBucket0: &state.EncBucket.0.compress(), EncBucket1: &state.EncBucket.1.compress(), EncLevel0: &state.EncLevel.0.compress(), EncLevel1: &state.EncLevel.1.compress(), EncSince0: &state.EncSince.0.compress(), EncSince1: &state.EncSince.1.compress(), EncInvRemain0: &state.EncInvRemain.0.compress(), EncInvRemain1: &state.EncInvRemain.1.compress(), EncBlockages0: &state.EncBlockages.0.compress(), EncBlockages1: &state.EncBlockages.1.compress(), EncInvId0: &EncInvId.0.compress(), EncInvId1: &EncInvId.1.compress(), }, )?; // Decrypt EncQ and EncQ_inv let Q = resp.EncQ.1 - (state.d * resp.EncQ.0); let Q_inv = resp.EncQ_inv.1 - (state.d * resp.EncQ_inv.0); Ok(( cred::Lox { P: resp.P, Q, id, bucket: state.bucket, trust_level: state.level, level_since: state.since, invites_remaining: state.invremain, blockages: state.blockages, }, cred::Invitation { P: resp.P_inv, Q: Q_inv, inv_id, date: resp.date_inv, bucket: state.bucket, blockages: state.blockages, }, )) }