Головна сторінка Огляд Довідка
Увійти
iang
/
lox
2
0
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Дерево: d0684bb5d6
Гілки Теги
lox
/
src
/
proto
/
issue_invite.rs

issue_invite.rs 28 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793 
  1. /*! A module for the protocol for a user to request the issuing of an
    2. 

  2. Invitation credential they can pass to someone they know.
    3. 

  3. 

  4. They are allowed to do this as long as their current Lox credentials has
    5. 

  5. a non-zero "invites_remaining" attribute (which will be decreased by
    6. 

  6. one), and they have a Bucket Reachability credential for their current
    7. 

  7. bucket and today's date.  (Such credentials are placed daily in the
    8. 

  8. encrypted bridge table.)
    9. 

  9. 

  10. The user presents their current Lox credential:
    11. 

  11. - id: revealed
    12. 

  12. - bucket: blinded
    13. 

  13. - trust_level: blinded
    14. 

  14. - level_since: blinded
    15. 

  15. - invites_remaining: blinded, but proved in ZK that it's not zero
    16. 

  16. - blockages: blinded
    17. 

  17. 

  18. and a Bucket Reachability credential:
    19. 

  19. - date: revealed to be today
    20. 

  20. - bucket: blinded, but proved in ZK that it's the same as in the Lox
    21. 

  21.   credential above
    22. 

  22. 

  23. and a new Lox credential to be issued:
    24. 

  24. 

  25. - id: jointly chosen by the user and BA
    26. 

  26. - bucket: blinded, but proved in ZK that it's the same as in the Lox
    27. 

  27.   credential above
    28. 

  28. - trust_level: blinded, but proved in ZK that it's the same as in the
    29. 

  29.   Lox credential above
    30. 

  30. - level_since: blinded, but proved in ZK that it's the same as in the
    31. 

  31.   Lox credential above
    32. 

  32. - invites_remaining: blinded, but proved in ZK that it's one less than
    33. 

  33.   the number in the Lox credential above
    34. 

  34. - blockages: blinded, but proved in ZK that it's the same as in the
    35. 

  35.   Lox credential above
    36. 

  36. 

  37. and a new Invitation credential to be issued:
    38. 

  38. 

  39. - inv_id: jointly chosen by the user and BA
    40. 

  40. - date: revealed to be today
    41. 

  41. - bucket: blinded, but proved in ZK that it's the same as in the Lox
    42. 

  42.   credential above
    43. 

  43. - blockages: blinded, but proved in ZK that it's the same as in the Lox
    44. 

  44.   credential above
    45. 

  45. 

  46. */
    47. 

  47. 

  48. use curve25519_dalek::ristretto::RistrettoBasepointTable;
    49. 

  49. use curve25519_dalek::ristretto::RistrettoPoint;
    50. 

  50. use curve25519_dalek::scalar::Scalar;
    51. 

  51. use curve25519_dalek::traits::IsIdentity;
    52. 

  52. 

  53. use zkp::CompactProof;
    54. 

  54. use zkp::ProofError;
    55. 

  55. use zkp::Transcript;
    56. 

  56. 

  57. use super::super::cred;
    58. 

  58. use super::super::dup_filter::SeenType;
    59. 

  59. use super::super::scalar_u32;
    60. 

  60. use super::super::{BridgeAuth, IssuerPubKey};
    61. 

  61. use super::super::{CMZ_A, CMZ_A_TABLE, CMZ_B, CMZ_B_TABLE};
    62. 

  62. 

  63. pub struct Request {
    64. 

  64.     // Fields for blind showing the Lox credential
    65. 

  65.     P: RistrettoPoint,
    66. 

  66.     id: Scalar,
    67. 

  67.     CBucket: RistrettoPoint,
    68. 

  68.     CLevel: RistrettoPoint,
    69. 

  69.     CSince: RistrettoPoint,
    70. 

  70.     CInvRemain: RistrettoPoint,
    71. 

  71.     CBlockages: RistrettoPoint,
    72. 

  72.     CQ: RistrettoPoint,
    73. 

  73. 

  74.     // Fields for blind showing the Bucket Reachability credential
    75. 

  75.     P_reach: RistrettoPoint,
    76. 

  76.     CBucket_reach: RistrettoPoint,
    77. 

  77.     CQ_reach: RistrettoPoint,
    78. 

  78. 

  79.     // Fields for user blinding of the Lox credential to be issued
    80. 

  80.     D: RistrettoPoint,
    81. 

  81.     EncIdClient: (RistrettoPoint, RistrettoPoint),
    82. 

  82.     EncBucket: (RistrettoPoint, RistrettoPoint),
    83. 

  83.     EncLevel: (RistrettoPoint, RistrettoPoint),
    84. 

  84.     EncSince: (RistrettoPoint, RistrettoPoint),
    85. 

  85.     EncInvRemain: (RistrettoPoint, RistrettoPoint),
    86. 

  86.     EncBlockages: (RistrettoPoint, RistrettoPoint),
    87. 

  87. 

  88.     // Fields for user blinding of the Inivtation credential to be
    89. 

  89.     // issued
    90. 

  90.     EncInvIdClient: (RistrettoPoint, RistrettoPoint),
    91. 

  91.     // The bucket and blockages attributes in the Invitation credential
    92. 

  92.     // issuing protocol can just reuse the exact encryptions as for the
    93. 

  93.     // Lox credential issuing protocol above.
    94. 

  94. 

  95.     // The combined ZKP
    96. 

  96.     piUser: CompactProof,
    97. 

  97. }
    98. 

  98. 

  99. #[derive(Debug)]
    100. 

  100. pub struct State {
    101. 

  101.     d: Scalar,
    102. 

  102.     D: RistrettoPoint,
    103. 

  103.     EncIdClient: (RistrettoPoint, RistrettoPoint),
    104. 

  104.     EncBucket: (RistrettoPoint, RistrettoPoint),
    105. 

  105.     EncLevel: (RistrettoPoint, RistrettoPoint),
    106. 

  106.     EncSince: (RistrettoPoint, RistrettoPoint),
    107. 

  107.     EncInvRemain: (RistrettoPoint, RistrettoPoint),
    108. 

  108.     EncBlockages: (RistrettoPoint, RistrettoPoint),
    109. 

  109.     EncInvIdClient: (RistrettoPoint, RistrettoPoint),
    110. 

  110.     id_client: Scalar,
    111. 

  111.     bucket: Scalar,
    112. 

  112.     level: Scalar,
    113. 

  113.     since: Scalar,
    114. 

  114.     invremain: Scalar,
    115. 

  115.     blockages: Scalar,
    116. 

  116.     inv_id_client: Scalar,
    117. 

  117. }
    118. 

  118. 

  119. pub struct Response {
    120. 

  120.     // The fields for the new Lox credential; the new invites_remaining
    121. 

  121.     // is one less than the old value, so we don't have to include it
    122. 

  122.     // here explicitly
    123. 

  123.     P: RistrettoPoint,
    124. 

  124.     EncQ: (RistrettoPoint, RistrettoPoint),
    125. 

  125.     id_server: Scalar,
    126. 

  126.     TId: RistrettoPoint,
    127. 

  127.     TBucket: RistrettoPoint,
    128. 

  128.     TLevel: RistrettoPoint,
    129. 

  129.     TSince: RistrettoPoint,
    130. 

  130.     TInvRemain: RistrettoPoint,
    131. 

  131.     TBlockages: RistrettoPoint,
    132. 

  132. 

  133.     // The fields for the new Invitation credential
    134. 

  134.     P_inv: RistrettoPoint,
    135. 

  135.     EncQ_inv: (RistrettoPoint, RistrettoPoint),
    136. 

  136.     inv_id_server: Scalar,
    137. 

  137.     TId_inv: RistrettoPoint,
    138. 

  138.     date_inv: Scalar,
    139. 

  139.     TBucket_inv: RistrettoPoint,
    140. 

  140.     TBlockages_inv: RistrettoPoint,
    141. 

  141. 

  142.     // The ZKP
    143. 

  143.     piBlindIssue: CompactProof,
    144. 

  144. }
    145. 

  145. 

  146. define_proof! {
    147. 

  147.     requestproof,
    148. 

  148.     "Issue Invite Request",
    149. 

  149.     (bucket, level, since, invremain, blockages, zbucket, zlevel,
    150. 

  150.      zsince, zinvremain, zblockages, negzQ,
    151. 

  151.      zbucket_reach, negzQ_reach,
    152. 

  152.      d, eid_client, ebucket, elevel, esince, einvremain, eblockages, id_client,
    153. 

  153.      inv_id_client, einv_id_client,
    154. 

  154.      invremain_inverse, zinvremain_inverse),
    155. 

  155.     (P, CBucket, CLevel, CSince, CInvRemain, CBlockages, V, Xbucket,
    156. 

  156.      Xlevel, Xsince, Xinvremain, Xblockages,
    157. 

  157.      P_reach, CBucket_reach, V_reach, Xbucket_reach,
    158. 

  158.      D, EncIdClient0, EncIdClient1, EncBucket0, EncBucket1,
    159. 

  159.      EncLevel0, EncLevel1, EncSince0, EncSince1,
    160. 

  160.      EncInvRemain0, EncInvRemain1_plus_B, EncBlockages0, EncBlockages1,
    161. 

  161.      EncInvIdClient0, EncInvIdClient1),
    162. 

  162.     (A, B):
    163. 

  163.     // Blind showing of the Lox credential
    164. 

  164.     CBucket = (bucket*P + zbucket*A),
    165. 

  165.     CLevel = (level*P + zlevel*A),
    166. 

  166.     CSince = (since*P + zsince*A),
    167. 

  167.     CInvRemain = (invremain*P + zinvremain*A),
    168. 

  168.     CBlockages = (blockages*P + zblockages*A),
    169. 

  169.     // Proof that invremain is not 0
    170. 

  170.     P = (invremain_inverse*CInvRemain + zinvremain_inverse*A),
    171. 

  171.     // Blind showing of the Bucket Reachability credential; note the
    172. 

  172.     // same bucket is used in the proof
    173. 

  173.     CBucket_reach = (bucket*P_reach + zbucket_reach*A),
    174. 

  174.     // User blinding of the Lox credential to be issued
    175. 

  175.     D = (d*B),
    176. 

  176.     EncIdClient0 = (eid_client*B),
    177. 

  177.     EncIdClient1 = (id_client*B + eid_client*D),
    178. 

  178.     EncBucket0 = (ebucket*B),
    179. 

  179.     EncBucket1 = (bucket*B + ebucket*D),
    180. 

  180.     EncLevel0 = (elevel*B),
    181. 

  181.     EncLevel1 = (level*B + elevel*D),
    182. 

  182.     EncSince0 = (esince*B),
    183. 

  183.     EncSince1 = (since*B + esince*D),
    184. 

  184.     EncInvRemain0 = (einvremain*B),
    185. 

  185.     EncInvRemain1_plus_B = (invremain*B + einvremain*D),
    186. 

  186.     EncBlockages0 = (eblockages*B),
    187. 

  187.     EncBlockages1 = (blockages*B + eblockages*D),
    188. 

  188.     // User blinding of the Invitation to be issued
    189. 

  189.     EncInvIdClient0 = (einv_id_client*B),
    190. 

  190.     EncInvIdClient1 = (inv_id_client*B + einv_id_client*D)
    191. 

  191. }
    192. 

  192. 

  193. define_proof! {
    194. 

  194.     blindissue,
    195. 

  195.     "Issue Invite Issuing",
    196. 

  196.     (x0, x0tilde, xid, xbucket, xlevel, xsince, xinvremain, xblockages,
    197. 

  197.      s, b, tid, tbucket, tlevel, tsince, tinvremain, tblockages,
    198. 

  198.      x0_inv, x0tilde_inv, xid_inv, xdate_inv, xbucket_inv,
    199. 

  199.      xblockages_inv,
    200. 

  200.      s_inv, b_inv, tid_inv, tbucket_inv, tblockages_inv),
    201. 

  201.     (P, EncQ0, EncQ1, X0, Xid, Xbucket, Xlevel, Xsince, Xinvremain,
    202. 

  202.      Xblockages, TId, TBucket, TLevel, TSince, TInvRemain, TBlockages,
    203. 

  203.      P_inv, EncQ_inv0, EncQ_inv1, X0_inv, Xid_inv, Xdate_inv,
    204. 

  204.      Xbucket_inv, Xblockages_inv, Pdate_inv, TId_inv, TBucket_inv,
    205. 

  205.      TBlockages_inv,
    206. 

  206.      D, EncId0, EncId1, EncBucket0, EncBucket1, EncLevel0, EncLevel1,
    207. 

  207.      EncSince0, EncSince1, EncInvRemain0, EncInvRemain1,
    208. 

  208.      EncBlockages0, EncBlockages1,
    209. 

  209.      EncInvId0, EncInvId1),
    210. 

  210.     (A, B):
    211. 

  211.     Xid = (xid*A),
    212. 

  212.     Xbucket = (xbucket*A),
    213. 

  213.     Xlevel = (xlevel*A),
    214. 

  214.     Xsince = (xsince*A),
    215. 

  215.     Xinvremain = (xinvremain*A),
    216. 

  216.     Xblockages = (xblockages*A),
    217. 

  217.     X0 = (x0*B + x0tilde*A),
    218. 

  218.     P = (b*B),
    219. 

  219.     TId = (b*Xid),
    220. 

  220.     TId = (tid*A),
    221. 

  221.     TBucket = (b*Xbucket),
    222. 

  222.     TBucket = (tbucket*A),
    223. 

  223.     TLevel = (b*Xlevel),
    224. 

  224.     TLevel = (tlevel*A),
    225. 

  225.     TSince = (b*Xsince),
    226. 

  226.     TSince = (tsince*A),
    227. 

  227.     TInvRemain = (b*Xinvremain),
    228. 

  228.     TInvRemain = (tinvremain*A),
    229. 

  229.     TBlockages = (b*Xblockages),
    230. 

  230.     TBlockages = (tblockages*A),
    231. 

  231.     EncQ0 = (s*B + tid*EncId0 + tbucket*EncBucket0 + tlevel*EncLevel0
    232. 

  232.         + tsince*EncSince0 + tinvremain*EncInvRemain0 + tblockages*EncBlockages0),
    233. 

  233.     EncQ1 = (s*D + tid*EncId1 + tbucket*EncBucket1 + tlevel*EncLevel1
    234. 

  234.         + tsince*EncSince1 + tinvremain*EncInvRemain1 + tblockages*EncBlockages1
    235. 

  235.         + x0*P),
    236. 

  236.     Xid_inv = (xid_inv*A),
    237. 

  237.     Xdate_inv = (xdate_inv*A),
    238. 

  238.     Xbucket_inv = (xbucket_inv*A),
    239. 

  239.     Xblockages_inv = (xblockages_inv*A),
    240. 

  240.     X0_inv = (x0_inv*B + x0tilde_inv*A),
    241. 

  241.     P_inv = (b_inv*B),
    242. 

  242.     TId_inv = (b_inv*Xid_inv),
    243. 

  243.     TId_inv = (tid_inv*A),
    244. 

  244.     TBucket_inv = (b_inv*Xbucket_inv),
    245. 

  245.     TBucket_inv = (tbucket_inv*A),
    246. 

  246.     TBlockages_inv = (b_inv*Xblockages_inv),
    247. 

  247.     TBlockages_inv = (tblockages_inv*A),
    248. 

  248.     EncQ_inv0 = (s_inv*B + tid_inv*EncInvId0 + tbucket_inv*EncBucket0
    249. 

  249.         + tblockages_inv*EncBlockages0),
    250. 

  250.     EncQ_inv1 = (s_inv*D + tid_inv*EncInvId1 + tbucket_inv*EncBucket1
    251. 

  251.         + tblockages_inv*EncBlockages1 + x0_inv*P_inv + xdate_inv*Pdate_inv)
    252. 

  252. }
    253. 

  253. 

  254. pub fn request(
    255. 

  255.     lox_cred: &cred::Lox,
    256. 

  256.     reach_cred: &cred::BucketReachability,
    257. 

  257.     lox_pub: &IssuerPubKey,
    258. 

  258.     reach_pub: &IssuerPubKey,
    259. 

  259.     today: u32,
    260. 

  260. ) -> Result<(Request, State), ProofError> {
    261. 

  261.     let A: &RistrettoPoint = &CMZ_A;
    262. 

  262.     let B: &RistrettoPoint = &CMZ_B;
    263. 

  263.     let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
    264. 

  264.     let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
    265. 

  265. 

  266.     // Ensure the credential can be correctly shown: it must be the case
    267. 

  267.     // that invites_remaining not be 0
    268. 

  268.     if lox_cred.invites_remaining == Scalar::zero() {
    269. 

  269.         return Err(ProofError::VerificationFailure);
    270. 

  270.     }
    271. 

  271.     // The buckets in the Lox and Bucket Reachability credentials have
    272. 

  272.     // to match
    273. 

  273.     if lox_cred.bucket != reach_cred.bucket {
    274. 

  274.         return Err(ProofError::VerificationFailure);
    275. 

  275.     }
    276. 

  276.     // The Bucket Reachability credential has to be dated today
    277. 

  277.     let reach_date: u32 = match scalar_u32(&reach_cred.date) {
    278. 

  278.         Some(v) => v,
    279. 

  279.         None => return Err(ProofError::VerificationFailure),
    280. 

  280.     };
    281. 

  281.     if reach_date != today {
    282. 

  282.         return Err(ProofError::VerificationFailure);
    283. 

  283.     }
    284. 

  284.     // The new invites_remaining
    285. 

  285.     let new_invites_remaining = &lox_cred.invites_remaining - Scalar::one();
    286. 

  286. 

  287.     // Blind showing the Lox credential
    288. 

  288. 

  289.     // Reblind P and Q
    290. 

  290.     let mut rng = rand::thread_rng();
    291. 

  291.     let t = Scalar::random(&mut rng);
    292. 

  292.     let P = t * lox_cred.P;
    293. 

  293.     let Q = t * lox_cred.Q;
    294. 

  294. 

  295.     // Form Pedersen commitments to the blinded attributes
    296. 

  296.     let zbucket = Scalar::random(&mut rng);
    297. 

  297.     let zlevel = Scalar::random(&mut rng);
    298. 

  298.     let zsince = Scalar::random(&mut rng);
    299. 

  299.     let zinvremain = Scalar::random(&mut rng);
    300. 

  300.     let zblockages = Scalar::random(&mut rng);
    301. 

  301.     let CBucket = lox_cred.bucket * P + &zbucket * Atable;
    302. 

  302.     let CLevel = lox_cred.trust_level * P + &zlevel * Atable;
    303. 

  303.     let CSince = lox_cred.level_since * P + &zsince * Atable;
    304. 

  304.     let CInvRemain = lox_cred.invites_remaining * P + &zinvremain * Atable;
    305. 

  305.     let CBlockages = lox_cred.blockages * P + &zblockages * Atable;
    306. 

  306. 

  307.     // Form a Pedersen commitment to the MAC Q
    308. 

  308.     // We flip the sign of zQ from that of the Hyphae paper so that
    309. 

  309.     // the ZKP has a "+" instead of a "-", as that's what the zkp
    310. 

  310.     // macro supports.
    311. 

  311.     let negzQ = Scalar::random(&mut rng);
    312. 

  312.     let CQ = Q - &negzQ * Atable;
    313. 

  313. 

  314.     // Compute the "error factor"
    315. 

  315.     let V = zbucket * lox_pub.X[2]
    316. 

  316.         + zlevel * lox_pub.X[3]
    317. 

  317.         + zsince * lox_pub.X[4]
    318. 

  318.         + zinvremain * lox_pub.X[5]
    319. 

  319.         + zblockages * lox_pub.X[6]
    320. 

  320.         + &negzQ * Atable;
    321. 

  321. 

  322.     // Blind showing the Bucket Reachability credential
    323. 

  323. 

  324.     // Reblind P and Q
    325. 

  325.     let t_reach = Scalar::random(&mut rng);
    326. 

  326.     let P_reach = t_reach * reach_cred.P;
    327. 

  327.     let Q_reach = t_reach * reach_cred.Q;
    328. 

  328. 

  329.     // Form Pedersen commitments to the blinded attributes
    330. 

  330.     let zbucket_reach = Scalar::random(&mut rng);
    331. 

  331.     let CBucket_reach = reach_cred.bucket * P_reach + &zbucket_reach * Atable;
    332. 

  332. 

  333.     // Form a Pedersen commitment to the MAC Q
    334. 

  334.     // We flip the sign of zQ from that of the Hyphae paper so that
    335. 

  335.     // the ZKP has a "+" instead of a "-", as that's what the zkp
    336. 

  336.     // macro supports.
    337. 

  337.     let negzQ_reach = Scalar::random(&mut rng);
    338. 

  338.     let CQ_reach = Q_reach - &negzQ_reach * Atable;
    339. 

  339. 

  340.     // Compute the "error factor"
    341. 

  341.     let V_reach = zbucket_reach * reach_pub.X[2] + &negzQ_reach * Atable;
    342. 

  342. 

  343.     // User blinding for the Lox certificate to be issued
    344. 

  344. 

  345.     // Pick an ElGamal keypair
    346. 

  346.     let d = Scalar::random(&mut rng);
    347. 

  347.     let D = &d * Btable;
    348. 

  348. 

  349.     // Pick a random client component of the id
    350. 

  350.     let id_client = Scalar::random(&mut rng);
    351. 

  351. 

  352.     // Encrypt it (times the basepoint B) to the ElGamal public key D we
    353. 

  353.     // just created
    354. 

  354.     let eid_client = Scalar::random(&mut rng);
    355. 

  355.     let EncIdClient = (&eid_client * Btable, &id_client * Btable + eid_client * D);
    356. 

  356. 

  357.     // Encrypt the other blinded fields (times B) to D as well
    358. 

  358.     let ebucket = Scalar::random(&mut rng);
    359. 

  359.     let EncBucket = (&ebucket * Btable, &lox_cred.bucket * Btable + ebucket * D);
    360. 

  360.     let elevel = Scalar::random(&mut rng);
    361. 

  361.     let EncLevel = (
    362. 

  362.         &elevel * Btable,
    363. 

  363.         &lox_cred.trust_level * Btable + elevel * D,
    364. 

  364.     );
    365. 

  365.     let esince = Scalar::random(&mut rng);
    366. 

  366.     let EncSince = (
    367. 

  367.         &esince * Btable,
    368. 

  368.         &lox_cred.level_since * Btable + esince * D,
    369. 

  369.     );
    370. 

  370.     let einvremain = Scalar::random(&mut rng);
    371. 

  371.     let EncInvRemain = (
    372. 

  372.         &einvremain * Btable,
    373. 

  373.         &new_invites_remaining * Btable + einvremain * D,
    374. 

  374.     );
    375. 

  375.     let eblockages = Scalar::random(&mut rng);
    376. 

  376.     let EncBlockages = (
    377. 

  377.         &eblockages * Btable,
    378. 

  378.         &lox_cred.blockages * Btable + eblockages * D,
    379. 

  379.     );
    380. 

  380. 

  381.     // User blinding for the Invitation certificate to be issued
    382. 

  382. 

  383.     // Pick a random client component of the id
    384. 

  384.     let inv_id_client = Scalar::random(&mut rng);
    385. 

  385. 

  386.     // Encrypt it (times the basepoint B) to the ElGamal public key D we
    387. 

  387.     // just created
    388. 

  388.     let einv_id_client = Scalar::random(&mut rng);
    389. 

  389.     let EncInvIdClient = (
    390. 

  390.         &einv_id_client * Btable,
    391. 

  391.         &inv_id_client * Btable + einv_id_client * D,
    392. 

  392.     );
    393. 

  393. 

  394.     // The proof that invites_remaining is not zero.  We prove this by
    395. 

  395.     // demonstrating that we know its inverse.
    396. 

  396.     let invremain_inverse = &lox_cred.invites_remaining.invert();
    397. 

  397. 

  398.     let zinvremain_inverse = -zinvremain * invremain_inverse;
    399. 

  399. 

  400.     // So now invremain_inverse * CInvRemain + zinvremain_inverse * A = P
    401. 

  401. 

  402.     // Construct the proof
    403. 

  403.     let mut transcript = Transcript::new(b"issue invite request");
    404. 

  404.     let piUser = requestproof::prove_compact(
    405. 

  405.         &mut transcript,
    406. 

  406.         requestproof::ProveAssignments {
    407. 

  407.             A: &A,
    408. 

  408.             B: &B,
    409. 

  409.             P: &P,
    410. 

  410.             CBucket: &CBucket,
    411. 

  411.             CLevel: &CLevel,
    412. 

  412.             CSince: &CSince,
    413. 

  413.             CInvRemain: &CInvRemain,
    414. 

  414.             CBlockages: &CBlockages,
    415. 

  415.             V: &V,
    416. 

  416.             Xbucket: &lox_pub.X[2],
    417. 

  417.             Xlevel: &lox_pub.X[3],
    418. 

  418.             Xsince: &lox_pub.X[4],
    419. 

  419.             Xinvremain: &lox_pub.X[5],
    420. 

  420.             Xblockages: &lox_pub.X[6],
    421. 

  421.             P_reach: &P_reach,
    422. 

  422.             CBucket_reach: &CBucket_reach,
    423. 

  423.             V_reach: &V_reach,
    424. 

  424.             Xbucket_reach: &reach_pub.X[2],
    425. 

  425.             D: &D,
    426. 

  426.             EncIdClient0: &EncIdClient.0,
    427. 

  427.             EncIdClient1: &EncIdClient.1,
    428. 

  428.             EncBucket0: &EncBucket.0,
    429. 

  429.             EncBucket1: &EncBucket.1,
    430. 

  430.             EncLevel0: &EncLevel.0,
    431. 

  431.             EncLevel1: &EncLevel.1,
    432. 

  432.             EncSince0: &EncSince.0,
    433. 

  433.             EncSince1: &EncSince.1,
    434. 

  434.             EncInvRemain0: &EncInvRemain.0,
    435. 

  435.             EncInvRemain1_plus_B: &(EncInvRemain.1 + B),
    436. 

  436.             EncBlockages0: &EncBlockages.0,
    437. 

  437.             EncBlockages1: &EncBlockages.1,
    438. 

  438.             EncInvIdClient0: &EncInvIdClient.0,
    439. 

  439.             EncInvIdClient1: &EncInvIdClient.1,
    440. 

  440.             bucket: &lox_cred.bucket,
    441. 

  441.             level: &lox_cred.trust_level,
    442. 

  442.             since: &lox_cred.level_since,
    443. 

  443.             invremain: &lox_cred.invites_remaining,
    444. 

  444.             blockages: &lox_cred.blockages,
    445. 

  445.             zbucket: &zbucket,
    446. 

  446.             zlevel: &zlevel,
    447. 

  447.             zsince: &zsince,
    448. 

  448.             zinvremain: &zinvremain,
    449. 

  449.             zblockages: &zblockages,
    450. 

  450.             negzQ: &negzQ,
    451. 

  451.             zbucket_reach: &zbucket_reach,
    452. 

  452.             negzQ_reach: &negzQ_reach,
    453. 

  453.             d: &d,
    454. 

  454.             eid_client: &eid_client,
    455. 

  455.             ebucket: &ebucket,
    456. 

  456.             elevel: &elevel,
    457. 

  457.             esince: &esince,
    458. 

  458.             einvremain: &einvremain,
    459. 

  459.             eblockages: &eblockages,
    460. 

  460.             id_client: &id_client,
    461. 

  461.             inv_id_client: &inv_id_client,
    462. 

  462.             einv_id_client: &einv_id_client,
    463. 

  463.             invremain_inverse: &invremain_inverse,
    464. 

  464.             zinvremain_inverse: &zinvremain_inverse,
    465. 

  465.         },
    466. 

  466.     )
    467. 

  467.     .0;
    468. 

  468. 

  469.     Ok((
    470. 

  470.         Request {
    471. 

  471.             P,
    472. 

  472.             id: lox_cred.id,
    473. 

  473.             CBucket,
    474. 

  474.             CLevel,
    475. 

  475.             CSince,
    476. 

  476.             CInvRemain,
    477. 

  477.             CBlockages,
    478. 

  478.             CQ,
    479. 

  479.             P_reach,
    480. 

  480.             CBucket_reach,
    481. 

  481.             CQ_reach,
    482. 

  482.             D,
    483. 

  483.             EncIdClient,
    484. 

  484.             EncBucket,
    485. 

  485.             EncLevel,
    486. 

  486.             EncSince,
    487. 

  487.             EncInvRemain,
    488. 

  488.             EncBlockages,
    489. 

  489.             EncInvIdClient,
    490. 

  490.             piUser,
    491. 

  491.         },
    492. 

  492.         State {
    493. 

  493.             d,
    494. 

  494.             D,
    495. 

  495.             EncIdClient,
    496. 

  496.             EncBucket,
    497. 

  497.             EncLevel,
    498. 

  498.             EncSince,
    499. 

  499.             EncInvRemain,
    500. 

  500.             EncBlockages,
    501. 

  501.             EncInvIdClient,
    502. 

  502.             id_client,
    503. 

  503.             bucket: lox_cred.bucket,
    504. 

  504.             level: lox_cred.trust_level,
    505. 

  505.             since: lox_cred.level_since,
    506. 

  506.             invremain: new_invites_remaining,
    507. 

  507.             blockages: lox_cred.blockages,
    508. 

  508.             inv_id_client,
    509. 

  509.         },
    510. 

  510.     ))
    511. 

  511. }
    512. 

  512. 

  513. impl BridgeAuth {
    514. 

  514.     /// Receive an issue invite request
    515. 

  515.     pub fn handle_issue_invite(&mut self, req: Request) -> Result<Response, ProofError> {
    516. 

  516.         let A: &RistrettoPoint = &CMZ_A;
    517. 

  517.         let B: &RistrettoPoint = &CMZ_B;
    518. 

  518.         let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
    519. 

  519.         let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
    520. 

  520. 

  521.         if req.P.is_identity() || req.P_reach.is_identity() {
    522. 

  522.             return Err(ProofError::VerificationFailure);
    523. 

  523.         }
    524. 

  524. 

  525.         let today: Scalar = self.today().into();
    526. 

  526. 

  527.         // Recompute the "error factors" using knowledge of our own
    528. 

  528.         // (the issuer's) private key instead of knowledge of the
    529. 

  529.         // hidden attributes
    530. 

  530.         let Vprime = (self.lox_priv.x[0] + self.lox_priv.x[1] * req.id) * req.P
    531. 

  531.             + self.lox_priv.x[2] * req.CBucket
    532. 

  532.             + self.lox_priv.x[3] * req.CLevel
    533. 

  533.             + self.lox_priv.x[4] * req.CSince
    534. 

  534.             + self.lox_priv.x[5] * req.CInvRemain
    535. 

  535.             + self.lox_priv.x[6] * req.CBlockages
    536. 

  536.             - req.CQ;
    537. 

  537. 

  538.         let Vprime_reach = (self.reachability_priv.x[0] + self.reachability_priv.x[1] * today)
    539. 

  539.             * req.P_reach
    540. 

  540.             + self.reachability_priv.x[2] * req.CBucket_reach
    541. 

  541.             - req.CQ_reach;
    542. 

  542. 

  543.         // Verify the ZKP
    544. 

  544.         let mut transcript = Transcript::new(b"issue invite request");
    545. 

  545.         requestproof::verify_compact(
    546. 

  546.             &req.piUser,
    547. 

  547.             &mut transcript,
    548. 

  548.             requestproof::VerifyAssignments {
    549. 

  549.                 A: &A.compress(),
    550. 

  550.                 B: &B.compress(),
    551. 

  551.                 P: &req.P.compress(),
    552. 

  552.                 CBucket: &req.CBucket.compress(),
    553. 

  553.                 CLevel: &req.CLevel.compress(),
    554. 

  554.                 CSince: &req.CSince.compress(),
    555. 

  555.                 CInvRemain: &req.CInvRemain.compress(),
    556. 

  556.                 CBlockages: &req.CBlockages.compress(),
    557. 

  557.                 V: &Vprime.compress(),
    558. 

  558.                 Xbucket: &self.lox_pub.X[2].compress(),
    559. 

  559.                 Xlevel: &self.lox_pub.X[3].compress(),
    560. 

  560.                 Xsince: &self.lox_pub.X[4].compress(),
    561. 

  561.                 Xinvremain: &self.lox_pub.X[5].compress(),
    562. 

  562.                 Xblockages: &self.lox_pub.X[6].compress(),
    563. 

  563.                 P_reach: &req.P_reach.compress(),
    564. 

  564.                 CBucket_reach: &req.CBucket_reach.compress(),
    565. 

  565.                 V_reach: &Vprime_reach.compress(),
    566. 

  566.                 Xbucket_reach: &self.reachability_pub.X[2].compress(),
    567. 

  567.                 D: &req.D.compress(),
    568. 

  568.                 EncIdClient0: &req.EncIdClient.0.compress(),
    569. 

  569.                 EncIdClient1: &req.EncIdClient.1.compress(),
    570. 

  570.                 EncBucket0: &req.EncBucket.0.compress(),
    571. 

  571.                 EncBucket1: &req.EncBucket.1.compress(),
    572. 

  572.                 EncLevel0: &req.EncLevel.0.compress(),
    573. 

  573.                 EncLevel1: &req.EncLevel.1.compress(),
    574. 

  574.                 EncSince0: &req.EncSince.0.compress(),
    575. 

  575.                 EncSince1: &req.EncSince.1.compress(),
    576. 

  576.                 EncInvRemain0: &req.EncInvRemain.0.compress(),
    577. 

  577.                 EncInvRemain1_plus_B: &(req.EncInvRemain.1 + B).compress(),
    578. 

  578.                 EncBlockages0: &req.EncBlockages.0.compress(),
    579. 

  579.                 EncBlockages1: &req.EncBlockages.1.compress(),
    580. 

  580.                 EncInvIdClient0: &req.EncInvIdClient.0.compress(),
    581. 

  581.                 EncInvIdClient1: &req.EncInvIdClient.1.compress(),
    582. 

  582.             },
    583. 

  583.         )?;
    584. 

  584. 

  585.         // Ensure the id has not been seen before, and add it to the
    586. 

  586.         // seen list.
    587. 

  587.         if self.id_filter.filter(&req.id) == SeenType::Seen {
    588. 

  588.             return Err(ProofError::VerificationFailure);
    589. 

  589.         }
    590. 

  590. 

  591.         // Blind issuing of the new Lox credential
    592. 

  592. 

  593.         // Choose a random server id component to add to the client's
    594. 

  594.         // (blinded) id component
    595. 

  595.         let mut rng = rand::thread_rng();
    596. 

  596.         let id_server = Scalar::random(&mut rng);
    597. 

  597.         let EncId = (req.EncIdClient.0, req.EncIdClient.1 + &id_server * Btable);
    598. 

  598. 

  599.         // Compute the MAC on the visible attributes (none here)
    600. 

  600.         let b = Scalar::random(&mut rng);
    601. 

  601.         let P = &b * Btable;
    602. 

  602.         let QHc = self.lox_priv.x[0] * P;
    603. 

  603. 

  604.         // El Gamal encrypt it to the public key req.D
    605. 

  605.         let s = Scalar::random(&mut rng);
    606. 

  606.         let EncQHc = (&s * Btable, QHc + s * req.D);
    607. 

  607. 

  608.         // Homomorphically compute the part of the MAC corresponding to
    609. 

  609.         // the blinded attributes
    610. 

  610.         let tid = self.lox_priv.x[1] * b;
    611. 

  611.         let TId = &tid * Atable;
    612. 

  612.         let EncQId = (tid * EncId.0, tid * EncId.1);
    613. 

  613.         let tbucket = self.lox_priv.x[2] * b;
    614. 

  614.         let TBucket = &tbucket * Atable;
    615. 

  615.         let EncQBucket = (tbucket * req.EncBucket.0, tbucket * req.EncBucket.1);
    616. 

  616.         let tlevel = self.lox_priv.x[3] * b;
    617. 

  617.         let TLevel = &tlevel * Atable;
    618. 

  618.         let EncQLevel = (tlevel * req.EncLevel.0, tlevel * req.EncLevel.1);
    619. 

  619.         let tsince = self.lox_priv.x[4] * b;
    620. 

  620.         let TSince = &tsince * Atable;
    621. 

  621.         let EncQSince = (tsince * req.EncSince.0, tsince * req.EncSince.1);
    622. 

  622.         let tinvremain = self.lox_priv.x[5] * b;
    623. 

  623.         let TInvRemain = &tinvremain * Atable;
    624. 

  624.         let EncQInvRemain = (
    625. 

  625.             tinvremain * req.EncInvRemain.0,
    626. 

  626.             tinvremain * req.EncInvRemain.1,
    627. 

  627.         );
    628. 

  628.         let tblockages = self.lox_priv.x[6] * b;
    629. 

  629.         let TBlockages = &tblockages * Atable;
    630. 

  630.         let EncQBlockages = (
    631. 

  631.             tblockages * req.EncBlockages.0,
    632. 

  632.             tblockages * req.EncBlockages.1,
    633. 

  633.         );
    634. 

  634. 

  635.         let EncQ = (
    636. 

  636.             EncQHc.0
    637. 

  637.                 + EncQId.0
    638. 

  638.                 + EncQBucket.0
    639. 

  639.                 + EncQLevel.0
    640. 

  640.                 + EncQSince.0
    641. 

  641.                 + EncQInvRemain.0
    642. 

  642.                 + EncQBlockages.0,
    643. 

  643.             EncQHc.1
    644. 

  644.                 + EncQId.1
    645. 

  645.                 + EncQBucket.1
    646. 

  646.                 + EncQLevel.1
    647. 

  647.                 + EncQSince.1
    648. 

  648.                 + EncQInvRemain.1
    649. 

  649.                 + EncQBlockages.1,
    650. 

  650.         );
    651. 

  651. 

  652.         // Blind issuing of the new Invitation credential
    653. 

  653. 

  654.         // Choose a random server id component to add to the client's
    655. 

  655.         // (blinded) id component
    656. 

  656.         let inv_id_server = Scalar::random(&mut rng);
    657. 

  657.         let EncInvId = (
    658. 

  658.             req.EncInvIdClient.0,
    659. 

  659.             req.EncInvIdClient.1 + &inv_id_server * Btable,
    660. 

  660.         );
    661. 

  661. 

  662.         // Compute the MAC on the visible attributes
    663. 

  663.         let b_inv = Scalar::random(&mut rng);
    664. 

  664.         let P_inv = &b_inv * Btable;
    665. 

  665.         let QHc_inv = (self.invitation_priv.x[0] + self.invitation_priv.x[2] * today) * P;
    666. 

  666. 

  667.         // El Gamal encrypt it to the public key req.D
    668. 

  668.         let s_inv = Scalar::random(&mut rng);
    669. 

  669.         let EncQHc_inv = (&s_inv * Btable, QHc_inv + s_inv * req.D);
    670. 

  670. 

  671.         // Homomorphically compute the part of the MAC corresponding to
    672. 

  672.         // the blinded attributes
    673. 

  673.         let tinvid = self.invitation_priv.x[1] * b_inv;
    674. 

  674.         let TId_inv = &tinvid * Atable;
    675. 

  675.         let EncQInvId = (tinvid * EncInvId.0, tinvid * EncInvId.1);
    676. 

  676.         let tinvbucket = self.invitation_priv.x[3] * b_inv;
    677. 

  677.         let TBucket_inv = &tinvbucket * Atable;
    678. 

  678.         // The bucket and blockages encrypted attributes are reused from
    679. 

  679.         // the Lox credential
    680. 

  680.         let EncQInvBucket = (tinvbucket * req.EncBucket.0, tinvbucket * req.EncBucket.1);
    681. 

  681.         let tinvblockages = self.invitation_priv.x[4] * b_inv;
    682. 

  682.         let TBlockages_inv = &tinvblockages * Atable;
    683. 

  683.         let EncQInvBlockages = (
    684. 

  684.             tinvblockages * req.EncBlockages.0,
    685. 

  685.             tinvblockages * req.EncBlockages.1,
    686. 

  686.         );
    687. 

  687. 

  688.         let EncQ_inv = (
    689. 

  689.             EncQHc_inv.0 + EncQInvId.0 + EncQInvBucket.0 + EncQInvBlockages.0,
    690. 

  690.             EncQHc_inv.1 + EncQInvId.1 + EncQInvBucket.1 + EncQInvBlockages.1,
    691. 

  691.         );
    692. 

  692. 

  693.         let mut transcript = Transcript::new(b"issue invite issuing");
    694. 

  694.         let piBlindIssue = blindissue::prove_compact(
    695. 

  695.             &mut transcript,
    696. 

  696.             blindissue::ProveAssignments {
    697. 

  697.                 A: &A,
    698. 

  698.                 B: &B,
    699. 

  699.                 P: &P,
    700. 

  700.                 EncQ0: &EncQ.0,
    701. 

  701.                 EncQ1: &EncQ.1,
    702. 

  702.                 X0: &self.lox_pub.X[0],
    703. 

  703.                 Xid: &self.lox_pub.X[1],
    704. 

  704.                 Xbucket: &self.lox_pub.X[2],
    705. 

  705.                 Xlevel: &self.lox_pub.X[3],
    706. 

  706.                 Xsince: &self.lox_pub.X[4],
    707. 

  707.                 Xinvremain: &self.lox_pub.X[5],
    708. 

  708.                 Xblockages: &self.lox_pub.X[6],
    709. 

  709.                 TId: &TId,
    710. 

  710.                 TBucket: &TBucket,
    711. 

  711.                 TLevel: &TLevel,
    712. 

  712.                 TSince: &TSince,
    713. 

  713.                 TInvRemain: &TInvRemain,
    714. 

  714.                 TBlockages: &TBlockages,
    715. 

  715.                 P_inv: &P_inv,
    716. 

  716.                 EncQ_inv0: &EncQ_inv.0,
    717. 

  717.                 EncQ_inv1: &EncQ_inv.1,
    718. 

  718.                 X0_inv: &self.invitation_pub.X[0],
    719. 

  719.                 Xid_inv: &self.invitation_pub.X[1],
    720. 

  720.                 Xdate_inv: &self.invitation_pub.X[2],
    721. 

  721.                 Xbucket_inv: &self.invitation_pub.X[3],
    722. 

  722.                 Xblockages_inv: &self.invitation_pub.X[4],
    723. 

  723.                 Pdate_inv: &(today * P_inv),
    724. 

  724.                 TId_inv: &TId_inv,
    725. 

  725.                 TBucket_inv: &TBucket_inv,
    726. 

  726.                 TBlockages_inv: &TBlockages_inv,
    727. 

  727.                 D: &req.D,
    728. 

  728.                 EncId0: &EncId.0,
    729. 

  729.                 EncId1: &EncId.1,
    730. 

  730.                 EncBucket0: &req.EncBucket.0,
    731. 

  731.                 EncBucket1: &req.EncBucket.1,
    732. 

  732.                 EncLevel0: &req.EncLevel.0,
    733. 

  733.                 EncLevel1: &req.EncLevel.1,
    734. 

  734.                 EncSince0: &req.EncSince.0,
    735. 

  735.                 EncSince1: &req.EncSince.1,
    736. 

  736.                 EncInvRemain0: &req.EncInvRemain.0,
    737. 

  737.                 EncInvRemain1: &req.EncInvRemain.1,
    738. 

  738.                 EncBlockages0: &req.EncBlockages.0,
    739. 

  739.                 EncBlockages1: &req.EncBlockages.1,
    740. 

  740.                 EncInvId0: &EncInvId.0,
    741. 

  741.                 EncInvId1: &EncInvId.1,
    742. 

  742.                 x0: &self.lox_priv.x[0],
    743. 

  743.                 x0tilde: &self.lox_priv.x0tilde,
    744. 

  744.                 xid: &self.lox_priv.x[1],
    745. 

  745.                 xbucket: &self.lox_priv.x[2],
    746. 

  746.                 xlevel: &self.lox_priv.x[3],
    747. 

  747.                 xsince: &self.lox_priv.x[4],
    748. 

  748.                 xinvremain: &self.lox_priv.x[5],
    749. 

  749.                 xblockages: &self.lox_priv.x[6],
    750. 

  750.                 s: &s,
    751. 

  751.                 b: &b,
    752. 

  752.                 tid: &tid,
    753. 

  753.                 tbucket: &tbucket,
    754. 

  754.                 tlevel: &tlevel,
    755. 

  755.                 tsince: &tsince,
    756. 

  756.                 tinvremain: &tinvremain,
    757. 

  757.                 tblockages: &tblockages,
    758. 

  758.                 x0_inv: &self.invitation_priv.x[0],
    759. 

  759.                 x0tilde_inv: &self.invitation_priv.x0tilde,
    760. 

  760.                 xid_inv: &self.invitation_priv.x[1],
    761. 

  761.                 xdate_inv: &self.invitation_priv.x[2],
    762. 

  762.                 xbucket_inv: &self.invitation_priv.x[3],
    763. 

  763.                 xblockages_inv: &self.invitation_priv.x[4],
    764. 

  764.                 s_inv: &s_inv,
    765. 

  765.                 b_inv: &b_inv,
    766. 

  766.                 tid_inv: &tinvid,
    767. 

  767.                 tbucket_inv: &tinvbucket,
    768. 

  768.                 tblockages_inv: &tinvblockages,
    769. 

  769.             },
    770. 

  770.         )
    771. 

  771.         .0;
    772. 

  772. 

  773.         Ok(Response {
    774. 

  774.             P,
    775. 

  775.             EncQ,
    776. 

  776.             id_server,
    777. 

  777.             TId,
    778. 

  778.             TBucket,
    779. 

  779.             TLevel,
    780. 

  780.             TSince,
    781. 

  781.             TInvRemain,
    782. 

  782.             TBlockages,
    783. 

  783.             P_inv,
    784. 

  784.             EncQ_inv,
    785. 

  785.             inv_id_server,
    786. 

  786.             TId_inv,
    787. 

  787.             date_inv: today,
    788. 

  788.             TBucket_inv,
    789. 

  789.             TBlockages_inv,
    790. 

  790.             piBlindIssue,
    791. 

  791.         })
    792. 

  792.     }
    793. 

  793. }
    794.