
Add CMZPriv/Pubkeys to Lox bridgeauth

onyinyang 10 месяцев назад
Родитель
Сommit
73da04e740
3 измененных файлов с 80 добавлено и 52 удалено
  1. 11 9
      Cargo.lock
  2. 1 1
      Cargo.toml
  3. 68 42
      src/lib.rs

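--- a/Cargo.lock
+++ b/Cargo.lock
@@ -149,7 +149,6 @@ name = "cmz"
 version = "0.1.0"
 dependencies = [
  "cmzcred_derive",
- "curve25519-dalek",
  "ff",
  "generic_static",
  "group",
@@ -222,8 +221,8 @@ dependencies = [
  "group",
  "rand_core",
  "rustc_version",
+ "serde",
  "subtle",
- "zeroize",
 ]
 
 [[package]]
@@ -792,13 +791,22 @@ dependencies = [
 ]
 
 [[package]]
-name = "sigma_compiler_derive"
+name = "sigma_compiler_core"
 version = "0.1.0"
 dependencies = [
+ "proc-macro2",
  "quote",
  "syn",
 ]
 
+[[package]]
+name = "sigma_compiler_derive"
+version = "0.1.0"
+dependencies = [
+ "sigma_compiler_core",
+ "syn",
+]
+
 [[package]]
 name = "signature"
 version = "2.2.0"
@@ -1064,9 +1072,3 @@ dependencies = [
  "quote",
  "syn",
 ]
-
-[[package]]
-name = "zeroize"
-version = "1.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"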

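--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2021"
 aes-gcm = { version = "0.10", features = ["aes"] }
 base64 = "0.21.0"
 chrono = { version = "0.4.38", default-features = false, features = ["now"], optional = true }
-curve25519-dalek = {version = "4.1.3", default-features = false, features = ["group", "rand_core", "digest"] }
+curve25519-dalek = {version = "4.1.3", default-features = false, features = ["serde", "group", "rand_core", "digest"] }
 ed25519-dalek = { version = "2.1.1", default-features = false, features = ["serde", "rand_core"] }
 lazy_static = "1.5.0"
 rand = {version = "0.8.0", features = ["std_rng"] }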

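--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,16 +1,41 @@
-#[cfg(feature = "bridgeauth")]
-use chrono::{DateTime, Utc};
+/*! Implementation of a new style of bridge authority for Tor that
+allows users to invite other users, while protecting the social graph
+from the bridge authority itself.
+
+We use uCMZ credentials (Orr`u, 2024 https://eprint.iacr.org/2024/1552.pdf) which improves issuer efficiency
+over our original CMZ14 credential (GGM version, which is more efficient, but
+makes a stronger security assumption) implementation: "Algebraic MACs and
+Keyed-Verification Anonymous Credentials" (Chase, Meiklejohn, and
+Zaverucha, CCS 2014)
+
+The notation follows that of the paper "Hyphae: Social Secret Sharing"
+(Lovecruft and de Valence, 2017), Section 4. */
+
+// We want Scalars to be lowercase letters, and Points and credentials
+// to be capital letters
+#![allow(non_snake_case)]
+
 use curve25519_dalek::scalar::Scalar;
 #[cfg(feature = "bridgeauth")]
 use ed25519_dalek::{Signature, SignatureError, SigningKey, Verifier, VerifyingKey};
-#[allow(unused_imports)]
-use rand::rngs::OsRng;
 use subtle::ConstantTimeEq;
 
+#[cfg(feature = "bridgeauth")]
+use chrono::{DateTime, Utc};
+#[cfg(feature = "bridgeauth")]
+use cmz::*;
+#[cfg(feature = "bridgeauth")]
+use curve25519_dalek::ristretto::RistrettoPoint as G;
+use rand_core::OsRng;
+#[cfg(feature = "bridgeauth")]
+use sha2::Sha512;
+
 pub mod bridge_table;
 pub mod dup_filter;
 pub mod lox_creds;
+pub mod migration_table;
 pub mod proto {
+    pub mod blockage_migration;
     pub mod errors;
     pub mod level_up;
     pub mod open_invite;
@@ -19,6 +44,9 @@ pub mod proto {
 use bridge_table::BridgeTable;
 //    BridgeLine, EncryptedBucket, MAX_BRIDGES_PER_BUCKET, MIN_BUCKET_REACHABILITY,
 //};
+use lox_creds::*;
+#[cfg(feature = "bridgeauth")]
+use migration_table::{MigrationTable, MigrationType};
 #[cfg(feature = "bridgeauth")]
 use serde::{Deserialize, Serialize};
 #[cfg(feature = "bridgeauth")]
@@ -52,9 +80,9 @@ pub struct BridgeDb {
 #[cfg(feature = "bridgeauth")]
 pub struct OldKeyStore {
     //    /// Most recently outdated lox secret and private keys for verifying update_cred credentials
-    //    priv_key: IssuerPrivKey,
+    priv_key: CMZPrivkey<G>,
     //    /// The public key for verifying update_cred credentials
-    //    pub pub_key: IssuerPubKey,
+    pub pub_key: CMZPubkey<G>,
 }
 
 #[derive(Debug, Default, Clone, Serialize, Deserialize)]
@@ -135,25 +163,25 @@ impl BridgeDb {
 #[derive(Debug, Serialize, Deserialize)]
 pub struct BridgeAuth {
     /// The private key for the main Lox credential
-    //    lox_priv: IssuerPrivKey,
+    lox_priv: CMZPrivkey<G>,
     /// The public key for the main Lox credential
-    //    pub lox_pub: IssuerPubKey,
+    pub lox_pub: CMZPubkey<G>,
     /// The private key for migration credentials
-    //    migration_priv: IssuerPrivKey,
+    migration_priv: CMZPrivkey<G>,
     /// The public key for migration credentials
-    //    pub migration_pub: IssuerPubKey,
+    pub migration_pub: CMZPubkey<G>,
     /// The private key for migration key credentials
-    //    migrationkey_priv: IssuerPrivKey,
+    migrationkey_priv: CMZPrivkey<G>,
     /// The public key for migration key credentials
-    //    pub migrationkey_pub: IssuerPubKey,
+    pub migrationkey_pub: CMZPubkey<G>,
     /// The private key for bucket reachability credentials
-    //    reachability_priv: IssuerPrivKey,
+    reachability_priv: CMZPrivkey<G>,
     /// The public key for bucket reachability credentials
-    //    pub reachability_pub: IssuerPubKey,
+    pub reachability_pub: CMZPubkey<G>,
     /// The private key for invitation credentials
-    //    invitation_priv: IssuerPrivKey,
+    invitation_priv: CMZPrivkey<G>,
     /// The public key for invitation credentials
-    //    pub invitation_pub: IssuerPubKey,
+    pub invitation_pub: CMZPubkey<G>,
 
     /// The public key of the BridgeDb issuing open invitations
     pub bridgedb_pub: VerifyingKey,
@@ -162,10 +190,10 @@ pub struct BridgeAuth {
     bridge_table: BridgeTable,
 
     // Map of bridge fingerprint to values needed to verify TP reports
-    //    pub tp_bridge_infos: HashMap<String, BridgeVerificationInfo>,
+    //pub tp_bridge_infos: HashMap<String, BridgeVerificationInfo>,
     /// The migration tables
-    //    trustup_migration_table: MigrationTable,
-    //    blockage_migration_table: MigrationTable,
+    trustup_migration_table: MigrationTable,
+    blockage_migration_table: MigrationTable,
 
     /// Duplicate filter for open invitations
     bridgedb_pub_filter: dup_filter::DupFilter<Scalar>,
@@ -189,34 +217,32 @@ pub struct BridgeAuth {
 #[cfg(feature = "bridgeauth")]
 impl BridgeAuth {
     pub fn new(bridgedb_pub: VerifyingKey) -> Self {
+        // Initialization
+        let mut rng = rand::thread_rng();
+        cmz_group_init(G::hash_from_bytes::<Sha512>(b"CMZ Generator A"));
         // Create the private and public keys for each of the types of
-        // credential, each with the appropriate number of attributes
-        //       let lox_priv = IssuerPrivKey::new(6);
-        //       let lox_pub = IssuerPubKey::new(&lox_priv);
-        //       let migration_priv = IssuerPrivKey::new(4);
-        //        let migration_pub = IssuerPubKey::new(&migration_priv);
-        //        let migrationkey_priv = IssuerPrivKey::new(2);
-        //        let migrationkey_pub = IssuerPubKey::new(&migrationkey_priv);
-        //        let reachability_priv = IssuerPrivKey::new(2);
-        //        let reachability_pub = IssuerPubKey::new(&reachability_priv);
-        //        let invitation_priv = IssuerPrivKey::new(4);
-        //        let invitation_pub = IssuerPubKey::new(&invitation_priv);
+        // credential with 'true' to indicate uCMZ
+        let (lox_priv, lox_pub) = Lox::gen_keys(&mut rng, true);
+        let (migration_priv, migration_pub) = Migration::gen_keys(&mut rng, true);
+        let (migrationkey_priv, migrationkey_pub) = MigrationKey::gen_keys(&mut rng, true);
+        let (reachability_priv, reachability_pub) = BucketReachability::gen_keys(&mut rng, true);
+        let (invitation_priv, invitation_pub) = Invitation::gen_keys(&mut rng, true);
         Self {
-            //            lox_priv,
-            //            lox_pub,
-            //            migration_priv,
-            //            migration_pub,
-            //            migrationkey_priv,
-            //            migrationkey_pub,
-            //            reachability_priv,
-            //            reachability_pub,
-            //            invitation_priv,
-            //            invitation_pub,
+            lox_priv,
+            lox_pub,
+            migration_priv,
+            migration_pub,
+            migrationkey_priv,
+            migrationkey_pub,
+            reachability_priv,
+            reachability_pub,
+            invitation_priv,
+            invitation_pub,
             bridgedb_pub,
             bridge_table: Default::default(),
             //            tp_bridge_infos: HashMap::<String, BridgeVerificationInfo>::new(),
-            //            trustup_migration_table: MigrationTable::new(MigrationType::TrustUpgrade),
-            //            blockage_migration_table: MigrationTable::new(MigrationType::Blockage),
+            trustup_migration_table: MigrationTable::new(MigrationType::TrustUpgrade),
+            blockage_migration_table: MigrationTable::new(MigrationType::Blockage),
             bridgedb_pub_filter: Default::default(),
             id_filter: Default::default(),
             inv_id_filter: Default::default(),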
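Review bot: `BridgeAuth` still carries `#[derive(Debug, Serialize, Deserialize)]` while the struct hunk turns the five `*_priv: CMZPrivkey<G>` fields live, so a `{:?}` of the authority in a log line or panic message can now print issuer secret keys unless `CMZPrivkey`'s own `Debug` redacts them, which is not visible here. I would reduce the derive to `#[derive(Serialize, Deserialize)]` and hand-write a `Debug` impl that prints only the public keys, as sketched below. The serialized form now contains the private keys as well, so the doc comment on `BridgeAuth` should state that saved state is secret material and must be stored accordingly. The Cargo.lock change in the same commit removes the `zeroize` package, so these keys are presumably not wiped from memory on drop either. The struct body continues outside the hunks shown.

```rust
#[derive(Serialize, Deserialize)]
pub struct BridgeAuth {
    // … unchanged: key fields, tables and filters; body continues outside the hunk …

#[cfg(feature = "bridgeauth")]
impl std::fmt::Debug for BridgeAuth {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        // Only public keys are printed; every *_priv field is left out on purpose.
        f.debug_struct("BridgeAuth")
            .field("lox_pub", &self.lox_pub)
            .field("migration_pub", &self.migration_pub)
            .field("migrationkey_pub", &self.migrationkey_pub)
            .field("reachability_pub", &self.reachability_pub)
            .field("invitation_pub", &self.invitation_pub)
            .field("bridgedb_pub", &self.bridgedb_pub)
            .finish_non_exhaustive()
    }
}
```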