public void CanProveAndVerifyMAC()
{
// The coordinator generates a composed private key called CoordinatorSecretKey
// and derives from that the coordinator's public parameters called CoordinatorParameters.
var rnd = new SecureRandom();
var coordinatorKey = new CoordinatorSecretKey(rnd);
var coordinatorParameters = coordinatorKey.ComputeCoordinatorParameters();
// A blinded amount is known as an `attribute`. In this case the attribute Ma is the
// value 10000 blinded with a random `blindingFactor`. This attribute is sent to
// the coordinator.
var amount = new Scalar(10_000);
var blindingFactor = rnd.GetScalar();
var Ma = amount * Generators.G + blindingFactor * Generators.Gh;
// The coordinator generates a MAC and a proof that the MAC was generated using the
// coordinator's secret key. The coordinator sends the pair (MAC + proofOfMac) back
// to the client.
var t = rnd.GetScalar();
var mac = MAC.ComputeMAC(coordinatorKey, Ma, t);
var coordinatorStatement = ProofSystem.CreateStatement(coordinatorParameters, mac.V, Ma, t);
var proverBuilder = ProofSystem.CreateProver(coordinatorStatement, coordinatorKey);
var macProver = proverBuilder(rnd);
var proofOfMac = macProver();
// The client receives the MAC and the proofOfMac which let the client know that the MAC
// was generated with the coordinator's secret key.
var clientStatement = ProofSystem.CreateStatement(coordinatorParameters, mac.V, Ma, mac.T);
var verifierBuilder = ProofSystem.CreateVerifier(clientStatement);
var macVerifier = verifierBuilder(proofOfMac);
var isValidProof = macVerifier();
Assert.True(isValidProof);
}
private (MAC Mac, Knowledge Knowledge) IssueCredential(GroupElement ma, Scalar t)
{
var sk = CoordinatorSecretKey;
var mac = MAC.ComputeMAC(sk, ma, t);
var knowledge = ProofSystem.IssuerParameters(mac, ma, sk);
return(mac, knowledge);
}
public void CannotBuildWrongMac()
{
var sk = new CredentialIssuerSecretKey(Rnd);
Assert.Throws <ArgumentNullException>(() => MAC.ComputeMAC(null !, Generators.G, Scalar.One));
Assert.Throws <ArgumentNullException>(() => MAC.ComputeMAC(sk, null !, Scalar.One));
var ex = Assert.Throws <ArgumentException>(() => MAC.ComputeMAC(sk, Generators.G, Scalar.Zero));
Assert.StartsWith("Value cannot be zero.", ex.Message);
}
public void CanProduceAndVerifyMAC()
{
var sk = new CredentialIssuerSecretKey(Rnd);
var attribute = Rnd.GetScalar() * Generators.G; // any random point
var t = Rnd.GetScalar();
var mac = MAC.ComputeMAC(sk, attribute, t);
Assert.True(mac.VerifyMAC(sk, attribute));
}
public void CanProduceAndVerifyMAC()
{
var rnd = new SecureRandom();
var sk = new CoordinatorSecretKey(rnd);
var attribute = rnd.GetScalar() * Generators.G; // any random point
var t = rnd.GetScalar();
var mac = MAC.ComputeMAC(sk, attribute, t);
Assert.True(mac.VerifyMAC(sk, attribute));
}
public void CanProveAndVerifyMAC()
{
// The coordinator generates a composed private key called CoordinatorSecretKey
// and derives from that the coordinator's public parameters called CoordinatorParameters.
var rnd = new SecureRandom();
var coordinatorKey = new CoordinatorSecretKey(rnd);
var coordinatorParameters = coordinatorKey.ComputeCoordinatorParameters();
// A blinded amount is known as an `attribute`. In this case the attribute Ma is the
// value 10000 blinded with a random `blindingFactor`. This attribute is sent to
// the coordinator.
var amount = new Scalar(10_000);
var r = rnd.GetScalar();
var Ma = amount * Generators.G + r * Generators.Gh;
// The coordinator generates a MAC and a proof that the MAC was generated using the
// coordinator's secret key. The coordinator sends the pair (MAC + proofOfMac) back
// to the client.
var t = rnd.GetScalar();
var mac = MAC.ComputeMAC(coordinatorKey, Ma, t);
var coordinatorKnowledge = ProofSystem.IssuerParameters(mac, Ma, coordinatorKey);
var proofOfMac = ProofSystem.Prove(coordinatorKnowledge, rnd);
// The client receives the MAC and the proofOfMac which let the client know that the MAC
// was generated with the coordinator's secret key.
var clientStatement = ProofSystem.IssuerParameters(coordinatorParameters, mac, Ma);
var isValidProof = ProofSystem.Verify(clientStatement, proofOfMac);
Assert.True(isValidProof);
var corruptedResponses = new ScalarVector(proofOfMac.Responses.Reverse());
var invalidProofOfMac = new Proof(proofOfMac.PublicNonces, corruptedResponses);
isValidProof = ProofSystem.Verify(clientStatement, invalidProofOfMac);
Assert.False(isValidProof);
var corruptedPublicNonces = new GroupElementVector(proofOfMac.PublicNonces.Reverse());
invalidProofOfMac = new Proof(corruptedPublicNonces, proofOfMac.Responses);
isValidProof = ProofSystem.Verify(clientStatement, invalidProofOfMac);
Assert.False(isValidProof);
}
public void CanDetectInvalidMAC()
{
var sk = new CredentialIssuerSecretKey(Rnd);
var attribute = Rnd.GetScalar() * Generators.G; // any random point
var differentAttribute = Rnd.GetScalar() * Generators.G; // any other random point
var t = Rnd.GetScalar();
// Create MAC for realAttribute and verify with fake/wrong attribute
var mac = MAC.ComputeMAC(sk, attribute, t);
Assert.False(mac.VerifyMAC(sk, differentAttribute));
var differentT = Rnd.GetScalar();
var differentMac = MAC.ComputeMAC(sk, attribute, differentT);
Assert.NotEqual(mac, differentMac);
mac = MAC.ComputeMAC(sk, attribute, differentT);
var differentSk = new CredentialIssuerSecretKey(Rnd);
Assert.False(mac.VerifyMAC(differentSk, attribute));
}
public void CanProveAndVerifyMacShow()
{
var rnd = new SecureRandom();
var coordinatorKey = new CoordinatorSecretKey(rnd);
var coordinatorParameters = coordinatorKey.ComputeCoordinatorParameters();
// A blinded amount is known as an `attribute`. In this case the attribute Ma is the
// value 10000 blinded with a random `blindingFactor`. This attribute is sent to
// the coordinator.
var amount = new Scalar(10_000);
var r = rnd.GetScalar();
var Ma = amount * Generators.Gg + r * Generators.Gh;
// The coordinator generates a MAC and a proof that the MAC was generated using the
// coordinator's secret key. The coordinator sends the pair (MAC, proofOfMac) back
// to the client.
var t = rnd.GetScalar();
var mac = MAC.ComputeMAC(coordinatorKey, Ma, t);
// The client randomizes the commitments before presenting them to the coordinator proving to
// the coordinator that a credential is valid (prover knows a valid MAC on non-randomized attribute)
var credential = new Credential(amount, r, mac);
var z = rnd.GetScalar();
var randomizedCredential = credential.Present(z);
var knowledge = ProofSystem.ShowCredential(randomizedCredential, z, credential, coordinatorParameters);
var proofOfMacShow = ProofSystem.Prove(knowledge, rnd);
// The coordinator must verify the received randomized credential is valid.
var Z = randomizedCredential.ComputeZ(coordinatorKey);
Assert.Equal(Z, z * coordinatorParameters.I);
var statement = ProofSystem.ShowCredential(randomizedCredential, Z, coordinatorParameters);
var isValidProof = ProofSystem.Verify(statement, proofOfMacShow);
Assert.True(isValidProof);
}
