/// <summary>
/// Constructs a new <code>Prover</code> instance.
/// </summary>
/// <param name="ip">The Issuer parameters.</param>
/// <param name="psms">The post second message state.</param>
public Prover(IssuerParameters ip, PostSecondMessageState psms)
{
psms.Validate();
this.ip = ip;
this.numberOfTokens = psms.AlphaInverse.Length;
this.TI = psms.TI;
this.PI = psms.PI;
this.isDeviceProtected = psms.IsDeviceProtected;
this.beta2 = psms.Beta2;
this.h = psms.H;
this.sigmaZPrime = psms.SigmaZPrime;
this.sigmaAPrime = psms.SigmaAPrime;
this.sigmaBPrime = psms.SigmaBPrime;
this.sigmaCPrime = psms.SigmaCPrime;
ukat = new UProveKeyAndToken[numberOfTokens];
for (int i = 0; i < numberOfTokens; i++)
{
ukat[i] = new UProveKeyAndToken();
ukat[i].PrivateKey = psms.AlphaInverse[i];
}
state = State.Second;
}
private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData)
{
Group Gq = ip.Gq;
FieldZq Zq = ip.Zq;
if (pregeneratedRandomData == null)
{
alpha = Zq.GetRandomElements(numberOfTokens, true);
beta1 = Zq.GetRandomElements(numberOfTokens, false);
beta2 = Zq.GetRandomElements(numberOfTokens, false);
}
else
{
alpha = pregeneratedRandomData.Alpha;
beta1 = pregeneratedRandomData.Beta1;
beta2 = pregeneratedRandomData.Beta2;
}
h = new GroupElement[numberOfTokens];
t1 = new GroupElement[numberOfTokens];
t2 = new GroupElement[numberOfTokens];
ukat = new UProveKeyAndToken[numberOfTokens];
for (int i = 0; i < numberOfTokens; i++)
{
ukat[i] = new UProveKeyAndToken();
h[i] = gamma.Exponentiate(alpha[i]);
t1[i] = ip.G[0].Exponentiate(beta1[i]) * Gq.G.Exponentiate(beta2[i]);
t2[i] = h[i].Exponentiate(beta2[i]);
ukat[i].PrivateKey = alpha[i].Invert();
}
state = State.Initialized;
}
private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData)
{
Group Gq = ip.Gq;
FieldZq Zq = ip.Zq;
if (pregeneratedRandomData == null)
{
alpha = Zq.GetRandomElements(numberOfTokens, true);
beta1 = Zq.GetRandomElements(numberOfTokens, false);
beta2 = Zq.GetRandomElements(numberOfTokens, false);
}
else
{
alpha = pregeneratedRandomData.Alpha;
beta1 = pregeneratedRandomData.Beta1;
beta2 = pregeneratedRandomData.Beta2;
}
h = new GroupElement[numberOfTokens];
t1 = new GroupElement[numberOfTokens];
// we don't compute t2 in the precomputation since we prefer to
// compute h^beta2 as part of the sigmaBPrime multi-exponentiation
ukat = new UProveKeyAndToken[numberOfTokens];
for (int i = 0; i < numberOfTokens; i++)
{
ukat[i] = new UProveKeyAndToken();
h[i] = gamma.Exponentiate(alpha[i].Multiply(beta0Inverse)); // remove collab issuance blind, if present
t1[i] = Gq.MultiExponentiate(new GroupElement[] { ip.G[0], Gq.G }, new FieldZqElement[] { beta1[i], beta2[i] });
ukat[i].PrivateKey = alpha[i].Invert();
}
state = State.Initialized;
}
/// <summary>
/// Constructs a <code>ProverPresentationProtocolParameters</code> instance.
/// </summary>
/// <param name="ip">The issuer parameters.</param>
/// <param name="disclosed">Disclosed attribute indices.</param>
/// <param name="message">Presentation message.</param>
/// <param name="keyAndToken">Presented key and token.</param>
/// <param name="attributes">Token attributes.</param>
public ProverPresentationProtocolParameters(IssuerParameters ip, int[] disclosed, byte[] message, UProveKeyAndToken keyAndToken, byte[][] attributes)
{
IP = ip;
Disclosed = disclosed;
Message = message;
KeyAndToken = keyAndToken;
Attributes = attributes;
}
/// <summary>
/// Indicates that attributes are carried over from the source token into the new one.
/// </summary>
/// <param name="sourceIndex">The indices of the attributes in the existing token.</param>
/// <param name="destinationIndex">The indices of the attributes in the new token.</param>
/// /// <param name="sourceIP">The Issuer Parameters used to issue the source token. This can be the same as <c>Ip</c> if the
/// same Issuer issues the source and new tokens.</param>
/// <param name="sourceKeyAndToken">The source key and token.</param>
/// <param name="sourceAttributes">The attributes in the source token.</param>
public void CarryOverAttribute(int[] sourceIndex, int[] destinationIndex, IssuerParameters sourceIP, UProveKeyAndToken sourceKeyAndToken, byte[][] sourceAttributes)
{
if (sourceIndex == null || destinationIndex == null || sourceIP == null || sourceKeyAndToken == null || sourceAttributes == null)
{
throw new ArgumentNullException("arguments can't be null");
}
if (sourceIndex.Length != destinationIndex.Length)
{
throw new ArgumentException("sourceIndex and destinationIndex must have the same lenght");
}
if (!sourceKeyAndToken.Token.Uidp.SequenceEqual <byte>(sourceIP.UidP))
{
throw new ArgumentException("sourceToken and sourceIP do not match");
}
C = destinationIndex;
Corig = sourceIndex;
SourceIP = sourceIP;
KeyAndToken = sourceKeyAndToken;
SourceAttributes = sourceAttributes;
HasCarryOverAttributes = true;
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
{
CommitmentPrivateValues cpv;
PresentationProof proof = Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out cpv);
tildeO = cpv.TildeO;
return proof;
}
/// <summary>
/// Generates a presentation proof including optionally presenting a pseudonym, creating attribute commitments, and passing pre-generated random values.
/// </summary>
/// <param name="ip">The issuer parameters corresponding to <code>upkt</code>.</param>
/// <param name="disclosed">An ordered array of disclosed attribute indices.</param>
/// <param name="committed">An ordered array of committed attribute indices.</param>
/// <param name="pseudonymAttribIndex">Index of the attribute used to create a scope-exclusive pseudonym, or 0 if no pseudonym is to be presented. The index must not be part of the disclosed attributes.</param>
/// <param name="gs">The pseudonym scope element, or null if no pseudonym is to be presented.</param>
/// <param name="message">The presentation message.</param>
/// <param name="messageD">The message for the Device, or null.</param>
/// <param name="deviceContext">The active device context, if token is device-protected, or null.</param>
/// <param name="upkt">The U-Proke key and token.</param>
/// <param name="attributes">The token attributes.</param>
/// <param name="preGenW">Optional pregenerated random data for the proof generation.</param>
/// <param name="cpv">Returned commitment private values if commitments are computed.</param>
/// <returns>A presentation proof.</returns>
internal static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out CommitmentPrivateValues cpv)
{
if (upkt.Token.IsDeviceProtected && deviceContext == null)
{
throw new ArgumentNullException("Device context is not initialized");
}
bool generateCommitments = (committed != null && committed.Length > 0);
FieldZqElement[] tildeO = null;
// make sure disclosed and committed lists are sorted
if (disclosed == null)
{
// can't be null later, so make it an empty array
disclosed = new int[] { };
}
Array.Sort(disclosed);
if (generateCommitments)
{
Array.Sort(committed);
}
int n = 0;
if (ip.E != null)
n = ip.E.Length;
bool presentPseudonym = false;
if (gs != null)
{
if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex))
{
throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)");
}
if (disclosed.Contains(pseudonymAttribIndex))
{
throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array");
}
presentPseudonym = true;
}
else if (pseudonymAttribIndex > 0)
{
throw new ArgumentNullException("gs is null");
}
else
{
pseudonymAttribIndex = 0;
}
Group Gq = ip.Gq;
FieldZq Zq = ip.Zq;
FieldZqElement xt = ProtocolHelper.ComputeXt(ip, upkt.Token.TI, upkt.Token.IsDeviceProtected);
ProofGenerationRandomData random;
if (preGenW == null)
{
random = ProofGenerationRandomData.Generate(n - disclosed.Length, generateCommitments ? committed.Length : 0, Zq, upkt.Token.IsDeviceProtected);
}
else
{
random = preGenW;
}
FieldZqElement[] x = new FieldZqElement[n];
GroupElement temp = upkt.Token.H.Exponentiate(random.W0);
int uIndex = 0;
int dIndex = 0;
int cIndex = 0;
PresentationProof proof = new PresentationProof();
proof.DisclosedAttributes = new byte[disclosed.Length][];
int pseudonymRandomizerIndex = 0;
if (generateCommitments)
{
proof.Commitments = new CommitmentValues[committed.Length];
tildeO = new FieldZqElement[committed.Length];
}
HashFunction hash = ip.HashFunction;
for (int i = 0; i < n; i++)
{
x[i] = ProtocolHelper.ComputeXi(ip, i, attributes[i]);
if (!disclosed.Contains(i + 1))
{
temp = temp * ip.G[i + 1].Exponentiate(random.W[uIndex]);
if (presentPseudonym)
{
if (pseudonymAttribIndex == (i + 1))
{
pseudonymRandomizerIndex = uIndex;
}
}
if (generateCommitments && committed.Contains(i + 1))
{
GroupElement tildeC = ip.Gq.G.Exponentiate(x[i]) * ip.G[1].Exponentiate(random.TildeO[cIndex]);
tildeO[cIndex] = random.TildeO[cIndex];
GroupElement temp2 = ip.Gq.G.Exponentiate(random.W[uIndex]) * ip.G[1].Exponentiate(random.TildeW[cIndex]);
hash.Hash(temp2);
byte[] tildeA = hash.Digest;
proof.Commitments[cIndex] = new CommitmentValues(tildeC, tildeA, null);
cIndex++;
}
uIndex++;
}
else if (generateCommitments && committed.Contains(i + 1))
{
throw new ArgumentException("attribute " + (i + 1) + " cannot be both disclosed and committed");
}
else
{
proof.DisclosedAttributes[dIndex] = attributes[i];
dIndex++;
}
}
if (upkt.Token.IsDeviceProtected)
{
GroupElement ad;
// pseudonym computed by device
if (presentPseudonym && pseudonymAttribIndex == DeviceAttributeIndex)
{
GroupElement apPrime;
GroupElement Ps;
ad = deviceContext.GetInitialWitnessesAndPseudonym(gs, out apPrime, out Ps);
hash.Hash(apPrime * gs.Exponentiate(random.Wd));
proof.Ap = hash.Digest;
proof.Ps = Ps;
}
else
{
ad = deviceContext.GetInitialWitness();
}
temp = temp * ip.Gd.Exponentiate(random.Wd) * ad;
}
hash.Hash(temp);
proof.a = hash.Digest;
// pseudonym derived from one token attribute
if (presentPseudonym && pseudonymAttribIndex != DeviceAttributeIndex)
{
hash.Hash(gs.Exponentiate(random.W[pseudonymRandomizerIndex]));
proof.Ap = hash.Digest;
proof.Ps = gs.Exponentiate(x[pseudonymAttribIndex - 1]);
}
byte[] mdPrime;
FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upkt.Token, proof.a, pseudonymAttribIndex, proof.ap, proof.Ps, message, messageD, disclosed, GetDisclosedX(disclosed, x), committed, proof.Commitments, out mdPrime);
proof.r = new FieldZqElement[1 + n - disclosed.Length + (upkt.Token.IsDeviceProtected ? 1 : 0)]; // r_0, {r_i} for undisclosed i, r_d
proof.r[0] = c * upkt.PrivateKey + random.W0;
uIndex = 1;
for (int i = 1; i <= n; i++)
{
if (!disclosed.Contains(i))
{
proof.r[uIndex] = c.Negate() * x[i - 1] + random.W[uIndex - 1];
uIndex++;
}
}
if (upkt.Token.IsDeviceProtected)
{
proof.r[proof.r.Length - 1] = deviceContext.GetDeviceResponse(messageD, mdPrime, ip.HashFunctionOID) + random.Wd;
}
if (generateCommitments)
{
for (int i = 0; i < committed.Length; i++)
{
proof.Commitments[i].TildeR = c.Negate() * random.TildeO[i] + random.TildeW[i];
}
}
random.Clear();
cpv = new CommitmentPrivateValues(tildeO);
return proof;
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes)
{
GroupElement gs = null;
FieldZqElement[] unused;
return(Generate(ip, disclosed, null, 0, gs, message, messageD, deviceContext, upkt, attributes, null, out unused));
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, out FieldZqElement[] tildeO)
{
return(Generate(ip, disclosed, committed, pseudonymAttribIndex, pseudonymScope, message, messageD, deviceContext, upkt, attributes, null, out tildeO));
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
{
GroupElement gs = ProtocolHelper.GenerateScopeElement(ip.Gq, pseudonymScope);
return(Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out tildeO));
}
private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData)
{
Group Gq = ip.Gq;
FieldZq Zq = ip.Zq;
if (pregeneratedRandomData == null)
{
alpha = Zq.GetRandomElements(numberOfTokens, true);
beta1 = Zq.GetRandomElements(numberOfTokens, false);
beta2 = Zq.GetRandomElements(numberOfTokens, false);
}
else
{
alpha = pregeneratedRandomData.Alpha;
beta1 = pregeneratedRandomData.Beta1;
beta2 = pregeneratedRandomData.Beta2;
}
h = new GroupElement[numberOfTokens];
t1 = new GroupElement[numberOfTokens];
t2 = new GroupElement[numberOfTokens];
ukat = new UProveKeyAndToken[numberOfTokens];
for (int i = 0; i < numberOfTokens; i++)
{
ukat[i] = new UProveKeyAndToken();
h[i] = gamma.Exponentiate(alpha[i]);
t1[i] = ip.G[0].Exponentiate(beta1[i]) * Gq.G.Exponentiate(beta2[i]);
t2[i] = h[i].Exponentiate(beta2[i]);
ukat[i].PrivateKey = alpha[i].Invert();
}
state = State.Initialized;
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes)
{
GroupElement gs = null;
FieldZqElement[] unused;
return Generate(ip, disclosed, null, 0, gs, message, messageD, deviceContext, upkt, attributes, null, out unused);
}
public PresentationProofComposite proveToken(string[] attributesParam, int[] disclosedIndices, int[] committedIndices, string messageParam, string verifierScopeParam, IssuerParametersComposite ipc, UProveTokenComposite tokenComposite, byte[] tokenPrivateKeyParam, string sessionID)
{
/*
* token presentation
*/
cOut.write("Presenting a U-Prove token");
VerifySessionId(sessionID);
try
{
// specify the attribute values agreed to by the Issuer and Prover
int numberOfAttributes = attributesParam.Length;
byte[][] attributes = new byte[numberOfAttributes][];
for (int i = 0; i < numberOfAttributes; i++)
{
attributes[i] = encoding.GetBytes(attributesParam[i]);
}
IssuerParameters ip = ConvertUtils.convertIssuerParametersComposite(ipc, sessionDB[sessionID]);
// the application-specific message that the prover will sign. Typically this is a nonce combined
// with any application-specific transaction data to be signed.
byte[] message = encoding.GetBytes(messageParam);
// the application-specific verifier scope from which a scope-exclusive pseudonym will be created
// (if null, then a pseudonym will not be presented)
byte[] scope = null;
if (verifierScopeParam != null && verifierScopeParam != "null")
{
scope = encoding.GetBytes(verifierScopeParam);
}
// generate the presentation proof
UProveToken uProveToken = ConvertUtils.convertUProveTokenComposite(ip, tokenComposite);
byte[] bigInt = tokenPrivateKeyParam;
DeviceManager dManager = sessionDB[sessionID].deviceManager;
UProveKeyAndToken keyAndToken = new UProveKeyAndToken();
keyAndToken.PrivateKey = new BigInteger(1, bigInt);
keyAndToken.Token = uProveToken;
byte[] proofSession = null;
if (!dManager.IsVirtualDevice)
{
SmartCardDevice smartDevice = (SmartCardDevice)dManager.GetDevice();
smartDevice.ProofSession = smartDevice.Device.BeginCommitment(1);
byte[] proofSessionRaw = smartDevice.ProofSession;
proofSession = new byte[1 + proofSessionRaw.Length];
proofSession[0] = 1;
Buffer.BlockCopy(proofSessionRaw, 0, proofSession, 1, proofSessionRaw.Length);
}
BigInteger[] commitmentValues;
PresentationProof p =
PresentationProof.Generate(ip,
disclosedIndices,
committedIndices,
scope != null ? DevicePseudonymIndex : 0,
scope,
message,
proofSession,
dManager.GetDevice().GetPresentationContext(),
keyAndToken,
attributes,
out commitmentValues);
#if DEBUG
dManager.pDebug = p;
#endif
return ConvertUtils.convertPresentationProof(p, commitmentValues, ProtocolHelper.ComputeTokenID(ip, uProveToken), proofSession);
}
catch (Exception e)
{
cOut.write(e.ToString());
DebugUtils.DebugPrint(e.StackTrace.ToString());
}
return null;
}
/// <summary>
/// Constructs a <code>ProverPresentationProtocolParameters</code> instance.
/// </summary>
/// <param name="ip">The issuer parameters.</param>
/// <param name="disclosed">Disclosed attribute indices.</param>
/// <param name="message">Presentation message.</param>
/// <param name="keyAndToken">Presented key and token.</param>
/// <param name="attributes">Token attributes.</param>
public ProverPresentationProtocolParameters(IssuerParameters ip, int[] disclosed, byte[] message, UProveKeyAndToken keyAndToken, byte[][] attributes)
{
IP = ip;
Disclosed = disclosed;
Message = message;
KeyAndToken = keyAndToken;
Attributes = attributes;
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
{
GroupElement gs = ProtocolHelper.GenerateScopeElement(ip.Gq, pseudonymScope);
return Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out tildeO);
}
/// <summary>
/// Generates a presentation proof including optionally presenting a pseudonym, creating attribute commitments, and passing pre-generated random values.
/// </summary>
/// <param name="ip">The issuer parameters corresponding to <code>upkt</code>.</param>
/// <param name="disclosed">An ordered array of disclosed attribute indices.</param>
/// <param name="committed">An ordered array of committed attribute indices.</param>
/// <param name="pseudonymAttribIndex">Index of the attribute used to create a scope-exclusive pseudonym, or 0 if no pseudonym is to be presented. The index must not be part of the disclosed attributes.</param>
/// <param name="gs">The pseudonym scope element, or null if no pseudonym is to be presented.</param>
/// <param name="message">The presentation message.</param>
/// <param name="messageD">The message for the Device, or null.</param>
/// <param name="deviceContext">The active device context, if token is device-protected, or null.</param>
/// <param name="upkt">The U-Proke key and token.</param>
/// <param name="attributes">The token attributes.</param>
/// <param name="preGenW">Optional pregenerated random data for the proof generation.</param>
/// <param name="cpv">Returned commitment private values if commitments are computed.</param>
/// <returns>A presentation proof.</returns>
internal static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out CommitmentPrivateValues cpv)
{
if (upkt.Token.IsDeviceProtected && deviceContext == null)
{
throw new ArgumentNullException("Device context is not initialized");
}
bool generateCommitments = (committed != null && committed.Length > 0);
FieldZqElement[] tildeO = null;
// make sure disclosed and committed lists are sorted
if (disclosed == null)
{
// can't be null later, so make it an empty array
disclosed = new int[] { };
}
Array.Sort(disclosed);
if (generateCommitments)
{
Array.Sort(committed);
}
int n = 0;
if (ip.E != null)
{
n = ip.E.Length;
if (n != attributes.Length)
{
throw new ArgumentException("number of attributes is inconsistent with issuer parameters");
}
}
bool presentPseudonym = false;
if (gs != null)
{
if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex))
{
throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)");
}
if (disclosed.Contains(pseudonymAttribIndex))
{
throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array");
}
presentPseudonym = true;
}
else if (pseudonymAttribIndex > 0)
{
throw new ArgumentNullException("gs is null");
}
else
{
pseudonymAttribIndex = 0;
}
Group Gq = ip.Gq;
FieldZq Zq = ip.Zq;
FieldZqElement xt = ProtocolHelper.ComputeXt(ip, upkt.Token.TI, upkt.Token.IsDeviceProtected);
ProofGenerationRandomData random;
if (preGenW == null)
{
random = ProofGenerationRandomData.Generate(n - disclosed.Length, generateCommitments ? committed.Length : 0, Zq, upkt.Token.IsDeviceProtected);
}
else
{
random = preGenW;
}
// set up the multi-exponentiation arrays, with h^w0 as the first term
int multiExpArraySize = 1 + (n - disclosed.Length) + (upkt.Token.IsDeviceProtected ? 1 : 0);
GroupElement[] bases = new GroupElement[multiExpArraySize];
FieldZqElement[] exponents = new FieldZqElement[multiExpArraySize];
int multiExpIndex = 0;
bases[multiExpIndex] = upkt.Token.H;
exponents[multiExpIndex++] = random.W0;
FieldZqElement[] x = new FieldZqElement[n];
int uIndex = 0;
int dIndex = 0;
int cIndex = 0;
PresentationProof proof = new PresentationProof();
proof.DisclosedAttributes = new byte[disclosed.Length][];
int pseudonymRandomizerIndex = 0;
if (generateCommitments)
{
proof.Commitments = new CommitmentValues[committed.Length];
tildeO = new FieldZqElement[committed.Length];
}
HashFunction hash = ip.HashFunction;
GroupElement[] cBases = new GroupElement[2] {
Gq.G, ip.G[1]
};
for (int i = 0; i < n; i++)
{
x[i] = ProtocolHelper.ComputeXi(ip, i, attributes[i]);
if (!disclosed.Contains(i + 1))
{
bases[multiExpIndex] = ip.G[i + 1];
exponents[multiExpIndex++] = random.W[uIndex];
if (presentPseudonym)
{
if (pseudonymAttribIndex == (i + 1))
{
pseudonymRandomizerIndex = uIndex;
}
}
if (generateCommitments && committed.Contains(i + 1))
{
GroupElement tildeC = ip.Gq.MultiExponentiate(cBases, new FieldZqElement[2] {
x[i], random.TildeO[cIndex]
});
tildeO[cIndex] = random.TildeO[cIndex];
GroupElement temp2 = ip.Gq.MultiExponentiate(cBases, new FieldZqElement[2] {
random.W[uIndex], random.TildeW[cIndex]
});
hash.Hash(temp2);
byte[] tildeA = hash.Digest;
proof.Commitments[cIndex] = new CommitmentValues(tildeC, tildeA, null);
cIndex++;
}
uIndex++;
}
else if (generateCommitments && committed.Contains(i + 1))
{
throw new ArgumentException("attribute " + (i + 1) + " cannot be both disclosed and committed");
}
else
{
proof.DisclosedAttributes[dIndex] = attributes[i];
dIndex++;
}
}
GroupElement aPreImage;
if (upkt.Token.IsDeviceProtected)
{
GroupElement ad;
// pseudonym computed by device
if (presentPseudonym && pseudonymAttribIndex == DeviceAttributeIndex)
{
GroupElement apPrime;
GroupElement Ps;
ad = deviceContext.GetInitialWitnessesAndPseudonym(gs, out apPrime, out Ps);
hash.Hash(apPrime * gs.Exponentiate(random.Wd));
proof.Ap = hash.Digest;
proof.Ps = Ps;
}
else
{
ad = deviceContext.GetInitialWitness();
}
bases[multiExpIndex] = ip.Gd;
exponents[multiExpIndex++] = random.Wd;
aPreImage = Gq.MultiExponentiate(bases, exponents) * ad;
}
else
{
aPreImage = Gq.MultiExponentiate(bases, exponents);
}
hash.Hash(aPreImage);
proof.a = hash.Digest;
// pseudonym derived from one token attribute
if (presentPseudonym && pseudonymAttribIndex != DeviceAttributeIndex)
{
hash.Hash(gs.Exponentiate(random.W[pseudonymRandomizerIndex]));
proof.Ap = hash.Digest;
proof.Ps = gs.Exponentiate(x[pseudonymAttribIndex - 1]);
}
byte[] mdPrime;
FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upkt.Token, proof.a, pseudonymAttribIndex, proof.ap, proof.Ps, message, messageD, disclosed, GetDisclosedX(disclosed, x), committed, proof.Commitments, out mdPrime);
proof.r = new FieldZqElement[1 + n - disclosed.Length + (upkt.Token.IsDeviceProtected ? 1 : 0)]; // r_0, {r_i} for undisclosed i, r_d
proof.r[0] = c * upkt.PrivateKey + random.W0;
uIndex = 1;
for (int i = 1; i <= n; i++)
{
if (!disclosed.Contains(i))
{
proof.r[uIndex] = c.Negate() * x[i - 1] + random.W[uIndex - 1];
uIndex++;
}
}
if (upkt.Token.IsDeviceProtected)
{
proof.r[proof.r.Length - 1] = deviceContext.GetDeviceResponse(messageD, mdPrime, ip.HashFunctionOID) + random.Wd;
}
if (generateCommitments)
{
for (int i = 0; i < committed.Length; i++)
{
proof.Commitments[i].TildeR = c.Negate() * random.TildeO[i] + random.TildeW[i];
}
}
random.Clear();
cpv = new CommitmentPrivateValues(tildeO);
return(proof);
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, out FieldZqElement[] tildeO)
{
return Generate(ip, disclosed, committed, pseudonymAttribIndex, pseudonymScope, message, messageD, deviceContext, upkt, attributes, null, out tildeO);
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
{
CommitmentPrivateValues cpv;
PresentationProof proof = Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out cpv);
tildeO = cpv.TildeO;
return(proof);
}
private static CommitmentPrivateValues PresentUProveToken(IssuerParameters ip, UProveKeyAndToken upkt, byte[][] attributes, int[] disclosed, int[] committed, byte[] message, byte[] scope, IDevice device, byte[] deviceMessage)
{
WriteLine("Presenting one token");
// the returned commitment randomizer (to be used by an external proof module)
CommitmentPrivateValues cpv;
// generate the presentation proof
string token = ip.Serialize<UProveToken>(upkt.Token);
ProverPresentationProtocolParameters pppp = new ProverPresentationProtocolParameters(ip, disclosed, message, upkt, attributes);
pppp.Committed = committed;
// if a scope is defined, we use the first attribute to derive a scope exclusive pseudonym
pppp.PseudonymAttributeIndex = (scope == null ? 0 : 1);
pppp.PseudonymScope = scope;
if (device != null)
{
pppp.SetDeviceData(deviceMessage, device.GetPresentationContext());
}
pppp.KeyAndToken = upkt;
pppp.Attributes = attributes;
string proof = ip.Serialize<PresentationProof>(PresentationProof.Generate(pppp, out cpv));
// verify the presentation proof
VerifierPresentationProtocolParameters vppp = new VerifierPresentationProtocolParameters(ip, disclosed, message, ip.Deserialize<UProveToken>(token));
vppp.Committed = committed;
// if a scope is defined, we use the first attribute to derive a scope exclusive pseudonym
vppp.PseudonymAttributeIndex = (scope == null ? 0 : 1);
vppp.PseudonymScope = scope;
vppp.DeviceMessage = deviceMessage;
ip.Deserialize<PresentationProof>(proof).Verify(vppp);
return cpv;
}
/// <summary>
/// Constructs a new <code>Prover</code> instance.
/// </summary>
/// <param name="ip">The Issuer parameters.</param>
/// <param name="psms">The post second message state.</param>
public Prover(IssuerParameters ip, PostSecondMessageState psms)
{
psms.Validate();
this.ip = ip;
this.numberOfTokens = psms.AlphaInverse.Length;
this.TI = psms.TI;
this.PI = psms.PI;
this.isDeviceProtected = psms.IsDeviceProtected;
this.beta2 = psms.Beta2;
this.h = psms.H;
this.sigmaZPrime = psms.SigmaZPrime;
this.sigmaAPrime = psms.SigmaAPrime;
this.sigmaBPrime = psms.SigmaBPrime;
this.sigmaCPrime = psms.SigmaCPrime;
ukat = new UProveKeyAndToken[numberOfTokens];
for (int i = 0; i < numberOfTokens; i++)
{
ukat[i] = new UProveKeyAndToken();
ukat[i].PrivateKey = psms.AlphaInverse[i];
}
state = State.Second;
}