/// <summary>
/// Verifies that a UProve token attribute is not equal to the given attribute value.
/// </summary>
/// <param name="verifier">Verifier info about token.</param>
/// <param name="attributeIndexForVerifier">Target attribute, 1-based index.</param>
/// <param name="attributeValue">Bad value for attribute.</param>
/// <returns></returns>
public bool Verify(
VerifierPresentationProtocolParameters verifier,
int attributeIndexForVerifier,
byte [] attributeValue)
{
// Verify UProve Integration Proof
if (this.UPIProof == null)
{
return(false);
}
VerifierPresentationProtocolParameters[] verifiers = new VerifierPresentationProtocolParameters[1] {
verifier
};
int[] attributeIndices = new int[1] {
attributeIndexForVerifier
};
if (!this.UPIProof.Verify(verifiers, attributeIndices))
{
return(false);
}
// Verify Inequality Proof
FieldZqElement committedAttribute = ProtocolHelper.ComputeXi(verifier.IP, attributeIndexForVerifier - 1, attributeValue);
VerifierInequalityProofParameters ieqVerifier = new VerifierInequalityProofParameters(this.UPIProof.PedersenCommitmentValues[0], committedAttribute, new CryptoParameters(verifier.IP));
return(this.Verify(ieqVerifier));
}
/// <summary>
/// Creates a UProve token for non-device protected tokens.
/// </summary>
/// <param name="pppp">Prover presentation protocol parameters for non-device protected token.</param>
/// <param name="device">Device information. Required for device protected tokens.</param>
public OpenUProveToken(ProverPresentationProtocolParameters pppp) : base(null, null, null)
{
if (pppp == null)
{
throw new ArgumentNullException("UProveToken constructor expects non-null input.");
}
this.Group = pppp.IP.Gq;
this.Bases = new GroupElement[pppp.Attributes.Length + 2];
for (int i = 0; i < this.G.Length; ++i)
{
this.G[i] = pppp.IP.G[i];
}
this.Value = pppp.KeyAndToken.Token.H;
this.Exponents = new FieldZqElement[this.RepresentationLength];
this.Alpha = pppp.KeyAndToken.PrivateKey.Invert();
FieldZqElement [] attributes = new FieldZqElement[pppp.Attributes.Length];
for (int i = 0; i < attributes.Length; ++i)
{
attributes[i] = ProtocolHelper.ComputeXi(pppp.IP, i, pppp.Attributes[i]);
}
this.SetAttributeXI(attributes);
this.AttributeXT = ProtocolHelper.ComputeXt(pppp.IP, pppp.KeyAndToken.Token.TI, pppp.KeyAndToken.Token.IsDeviceProtected);
}
/// <summary>
/// Computes the revocation value from its byte array encoding, to be added to an accumulator or used
/// to compute the witness.
/// </summary>
/// <param name="ip">The issuer parameters, containing the information on how to transform the encoded value.</param>
/// <param name="revocationIndex">The 1-based index of the revocation attribute.</param>
/// <param name="attributeValue">The attribute value.</param>
/// <returns>The revocation value.</returns>
public static FieldZqElement ComputeRevocationValue(IssuerParameters ip, int revocationIndex, byte[] attributeValue)
{
if (revocationIndex <= 0)
{
throw new ArgumentException("revocationIndex must be positive: " + revocationIndex);
}
return(ProtocolHelper.ComputeXi(ip, revocationIndex - 1, attributeValue));
}
/// <summary>
/// Computes the non-revocation proof.
/// </summary>
/// <param name="ip">The Issuer parameters associated with the presented U-Prove token.</param>
/// <param name="rap">The Revocation Authority parameters.</param>
/// <param name="witness">The user non-revocation witness.</param>
/// <param name="commitmentIndex">The 0-based index of the revocation commitment in the attribute commitments.</param>
/// <param name="presentationProof">The presentation proof generated with the U-Prove token.</param>
/// <param name="cpv">The commitment private values generated when presenting the U-Prove token.</param>
/// <param name="revocationIndex">The 1-based index of the revocation attribute in the U-Prove token.</param>
/// <param name="attributes">The token attributes.</param>
/// <returns>A non-revocation proof.</returns>
public static NonRevocationProof GenerateNonRevocationProof(IssuerParameters ip, RAParameters rap, RevocationWitness witness, int commitmentIndex, PresentationProof presentationProof, CommitmentPrivateValues cpv, int revocationIndex, byte[][] attributes)
{
if (revocationIndex <= 0)
{
throw new ArgumentException("revocationIndex must be positive: " + revocationIndex);
}
GroupElement tildeCid = presentationProof.Commitments[commitmentIndex].TildeC;
FieldZqElement xid = ProtocolHelper.ComputeXi(ip, revocationIndex - 1, attributes[revocationIndex - 1]);
FieldZqElement tildeOid = cpv.TildeO[commitmentIndex];
return(GenerateNonRevocationProof(rap, witness, tildeCid, xid, tildeOid));
}
/// <summary>
/// Generates a member set for UProve tokens.
/// </summary>
/// <param name="ip">Issuer parameters.</param>
/// <param name="attributeIndexInToken">Index of attribute in the token the proof will be about (encoding of memberSet depends on this). Index is 1....n.</param>
/// <param name="memberSet">Member set</param>
/// <returns></returns>
public static FieldZqElement[] GenerateMemberSet(IssuerParameters ip, int attributeIndexInToken, byte[][] memberSet)
{
if (attributeIndexInToken <= 0)
{
throw new ArgumentException("attributeIndexInToken must be a positive integer");
}
FieldZqElement[] output = new FieldZqElement[memberSet.Length];
for (int i = 0; i < output.Length; ++i)
{
output[i] = ProtocolHelper.ComputeXi(ip, attributeIndexInToken - 1, memberSet[i]);
}
return(output);
}
/// <summary>
/// Generates a Pedersen Commitment to the attribute. The committed value is equal to
/// what it would be if the attribute was encoded in the token. The committed value depends
/// on the attribute index.
/// </summary>
/// <param name="ip">Issuer parameters</param>
/// <param name="attributeIndex">The 1-based index of the attribute as it would be in the token</param>
/// <param name="attribute">Encoding of the attribute</param>
public PedersenCommitment(IssuerParameters ip, int attributeIndex, byte[] attribute)
{
CryptoParameters crypto = new CryptoParameters(ip);
this.Group = crypto.Group;
this.Bases = new GroupElement[2] {
crypto.Generators[0], crypto.Generators[1]
};
FieldZqElement committedValue = ProtocolHelper.ComputeXi(ip, attributeIndex - 1, attribute);
FieldZqElement opening = this.Group.FieldZq.GetRandomElement(false);
this.Exponents = new FieldZqElement[2] {
committedValue, opening
};
this.Value = this.Group.MultiExponentiate(this.Bases, this.Exponents);
}
/// <summary>
/// Generates proofs that a token attribute value is not equal to any values in the target array.
/// </summary>
/// <param name="prover">Inequality proof parameters for the token.</param>
/// <param name="target">Target values array.</param>
/// <returns>An inequality proof.</returns>
public static InequalityProof[] GenerateUProveInequalityProofs(EQProofUProveProverData prover, byte[][] target)
{
// Create PedersenCommitments
int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(prover.PPPP.Committed, prover.index);
PedersenCommitment ped = new PedersenCommitment(prover.PPPP, prover.PP, prover.CPV, commitmentIndex);
// Create EqualityProof
CryptoParameters crypto = new CryptoParameters(prover.PPPP.IP);
InequalityProof[] proofs = new InequalityProof[target.Length];
for (int i = 0; i < target.Length; i++)
{
FieldZqElement targetValue = ProtocolHelper.ComputeXi(prover.PPPP.IP, prover.index - 1, target[i]);
proofs[i] = new InequalityProof(new ProverInequalityProofParameters(ped, targetValue, crypto));
}
return(proofs);
}
/// <summary>
/// Constructor. Creates an inequality proof that a token attribute is not equal to some value.
/// </summary>
/// <param name="prover">Token description.</param>
/// <param name="attributeIndexForProver">1-based attribute index in token.</param>
/// <param name="attributeValue">Attribute value to compare actual token attribute.</param>
/// <returns>Inequality proof.</returns>
public InequalityProof(ProverPresentationProtocolParameters prover, int attributeIndexForProver, byte[] attributeValue)
{
// generate Pedersen Commitments to attributes
ProverPresentationProtocolParameters[] provers = new ProverPresentationProtocolParameters[] { prover };
int[] attributeIndices = new int[] { attributeIndexForProver };
PedersenCommitment[] attributeCommitments = PedersenCommitment.PedersenCommmitmentsToAttributes(provers, attributeIndices);
// create inequality proof using Pedersen Commitmetns
FieldZqElement committedAttribute = ProtocolHelper.ComputeXi(prover.IP, attributeIndexForProver - 1, attributeValue);
ProverInequalityProofParameters ieqProver = new ProverInequalityProofParameters(attributeCommitments[0], committedAttribute, new CryptoParameters(prover.IP));
ConstructorHelper(ieqProver);
// add UProve Integration proof
this.UPIProof = new UProveIntegrationProof(provers, attributeIndices, attributeCommitments);
this.UPIProof.IsGroupSerializable = false;
}
/// <summary>
/// Creates a Pedersen Commitment for one of the attributes using the commitment
/// from the PresentationProof.
/// </summary>
/// <param name="pppp">Parameters used by Prover</param>
/// <param name="pp">The presentation proof generated by the Prover</param>
/// <param name="cpv">Output of PresentationProof.Generate()</param>
/// <param name="commitmentIndex">Which commitment to use: index into cpv.TildeO array.
/// DO NOT use the attribute index, the Constructor will compute it from
/// the commitmentIndex.</param>
public PedersenCommitment(ProverPresentationProtocolParameters pppp, PresentationProof pp, CommitmentPrivateValues cpv, int commitmentIndex)
{
int attributeIndex = pppp.Committed[commitmentIndex] - 1;
FieldZqElement committedValue = ProtocolHelper.ComputeXi(pppp.IP, attributeIndex, pppp.Attributes[attributeIndex]);
FieldZqElement opening = cpv.TildeO[commitmentIndex];
CryptoParameters crypto = new CryptoParameters(pppp.IP);
this.Group = crypto.Group;
this.Bases = new GroupElement[2] {
crypto.Generators[0], crypto.Generators[1]
};
this.Exponents = new FieldZqElement[2] {
committedValue, opening
};
this.Value = pp.Commitments[commitmentIndex].TildeC;
}
public void PresentationProofConstructorTest()
{
// generate array of commitments using PresentationProof
CommitmentPrivateValues cpv;
Assert.IsNotNull(_proverParams, "prover params null");
PresentationProof proof = PresentationProof.Generate(_proverParams, out cpv);
Assert.IsNotNull(proof.Commitments, "proof failed to generate commitments");
Assert.IsNotNull(cpv, "failed to output cpv");
Assert.IsNotNull(cpv.TildeO, "cpv.TildeO is null");
CommitmentValues [] expectedCommitmentValues = proof.Commitments;
// generate array of commitments using Pedersen Commitment constructor
PedersenCommitment [] proverCommitments = PedersenCommitment.ArrayOfPedersenCommitments(_proverParams, proof, cpv);
// compare values
GroupElement expectedG = _proverParams.IP.Gq.G;
GroupElement expectedH = _proverParams.IP.G[1];
for (int commitIndex = 0; commitIndex < expectedCommitmentValues.Length; ++commitIndex)
{
int attributeIndex = _proverParams.Committed[commitIndex] - 1;
FieldZqElement expectedCommittedValue = ProtocolHelper.ComputeXi(_proverParams.IP, attributeIndex, _proverParams.Attributes[attributeIndex]);
Assert.AreEqual(expectedCommittedValue, proverCommitments[commitIndex].CommittedValue, "wrong committed value");
Assert.AreEqual(cpv.TildeO[commitIndex], proverCommitments[commitIndex].Opening, "opening does not match tildeO");
Assert.AreEqual(expectedG, proverCommitments[commitIndex].G, "base g wrong");
Assert.AreEqual(expectedH, proverCommitments[commitIndex].H, "base h wrong");
Assert.AreEqual(expectedCommitmentValues[commitIndex].TildeC, proverCommitments[commitIndex].Value, "wrong value");
}
// generate array of closed pedersen commitments
ClosedPedersenCommitment[] verifierCommitments = ClosedPedersenCommitment.ArrayOfClosedPedersenCommitments(_verifierParams.IP, proof);
// compare bases and values to actualCommitments
Assert.IsTrue(ClosedPedersenCommitment.AreBasesEqual(verifierCommitments), "all closed commitments should have same bases.");
Assert.IsTrue(verifierCommitments[0].AreBasesEqual(proverCommitments[0]), "all closed commitments should have same bases as open commitments");
Assert.AreEqual(proverCommitments.Length, verifierCommitments.Length, "should be as many open and closed commitments");
for (int i = 0; i < verifierCommitments.Length; ++i)
{
Assert.AreEqual(verifierCommitments[i].Value, proverCommitments[i].Value, "open and closed commitments should be equal.");
}
}
/// <summary>
/// Verifies proofs that a token attribute value is not equal to a any of the target values.
/// </summary>
/// <param name="verifier">Equality proof parameters for the token.</param>
/// <param name="target">Target values.</param>
/// <param name="eQProof">The inequality proofs to verify.</param>
/// <exception cref="InvalidUProveArtifactException">Thrown if a proof is invalid.</exception>
public static void VerifyUProveEqualityProofs(EQProofUProveVerifierData verifier, byte[][] target, InequalityProof[] iNeqProof)
{
if (target == null || iNeqProof == null || target.Length != iNeqProof.Length)
{
throw new ArgumentException("target and iNeqProof must have the same length");
}
int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(verifier.VPPP.Committed, verifier.index);
ClosedPedersenCommitment closedPed = new ClosedPedersenCommitment(verifier.VPPP.IP, verifier.PP, commitmentIndex);
CryptoParameters crypto = new CryptoParameters(verifier.VPPP.IP);
for (int i = 0; i < target.Length; i++)
{
FieldZqElement targetValue = ProtocolHelper.ComputeXi(verifier.VPPP.IP, verifier.index - 1, target[i]);
if (!iNeqProof[i].Verify(new VerifierInequalityProofParameters(closedPed.Value, targetValue, crypto)))
{
throw new InvalidUProveArtifactException("invalid equality proof");
}
}
}
/// <summary>
/// Create a verifiable encryption of a pseudonym based on a U-Prove presentation proof. This is a wrapper
/// of <c>VerifiableEncrypt</c>.
///
/// </summary>
/// <param name="escrowParams"> Parameters of the ID escrow scheme</param>
/// <param name="escrowPublicKey"> Public key of the Auditor (the authority who can decrypt the output ciphertex).</param>
/// <param name="token"> The U-Prove token corresponding to the <c>proof</c>. </param>
/// <param name="additionalInfo">See documentation of <c>VerifiableEncrypt</c></param>
/// <param name="proof">A U-Prove prsentation proof.</param>
/// <param name="cpv">Commitment opening information, output when generating <c>proof</c>.</param>
/// <param name="idAttributeIndex"> Index of the attribute to use for identity escrow (1-based indexing). This attribute <b>must be</b>
/// the first commited attribute (take care if using multiple extensions). </param>
/// <param name="attributes"> Attributes in <c>token</c>.</param>
/// <returns></returns>
public static IDEscrowCiphertext UProveVerifableEncrypt(IDEscrowParams escrowParams, IDEscrowPublicKey escrowPublicKey,
UProveToken token, byte[] additionalInfo, PresentationProof proof,
CommitmentPrivateValues cpv, int idAttributeIndex, byte[][] attributes)
{
if (token == null || escrowParams == null || proof == null || cpv == null)
{
throw new ArgumentNullException("null input to UProveVerifiableEncrypt");
}
if (proof.Commitments == null || proof.Commitments.Length < 1 ||
attributes.Length < idAttributeIndex || cpv.TildeO == null || cpv.TildeO.Length < 1)
{
throw new InvalidUProveArtifactException("invalid inputs to UProveVerifiableEncrypt");
}
byte[] tokenId = ProtocolHelper.ComputeTokenID(escrowParams.ip, token);
GroupElement Cx1 = proof.Commitments[0].TildeC; // x1 is the first committed attribute
FieldZqElement x1 = ProtocolHelper.ComputeXi(escrowParams.ip, idAttributeIndex - 1, attributes[idAttributeIndex - 1]); // arrays are 0-based
FieldZqElement tildeO1 = cpv.TildeO[0];
return(IDEscrowFunctions.VerifiableEncrypt(escrowParams, escrowPublicKey, tokenId, Cx1, x1, tildeO1, additionalInfo));
}
public void TestIEWithRealToken()
{
/********** begin: this section of code taken from EndToEndTest.cs, TestMethod PseudonymAndCommitmentsTest *****/
System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding();
// Issuer setup
IssuerSetupParameters isp = new IssuerSetupParameters(maxNumberOfAttributes);
isp.UidP = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
isp.E = new byte[] { (byte)1, (byte)1, (byte)1, (byte)1 };
isp.UseRecommendedParameterSet = true;
isp.S = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
IssuerKeyAndParameters ikap = isp.Generate();
IssuerParameters ip2 = ikap.IssuerParameters;
// Issuance
byte[][] attributes = new byte[][] { encoding.GetBytes("Attribute 1"), encoding.GetBytes("Attribute 2"), encoding.GetBytes("Attribute 3"), encoding.GetBytes("Attribute 4") };
byte[] tokenInformation = new byte[] { };
byte[] proverInformation = new byte[] { };
int numberOfTokens = 1;
IssuerProtocolParameters ipp = new IssuerProtocolParameters(ikap);
ipp.Attributes = attributes;
ipp.NumberOfTokens = numberOfTokens;
ipp.TokenInformation = tokenInformation;
Issuer issuer = ipp.CreateIssuer();
FirstIssuanceMessage msg1 = issuer.GenerateFirstMessage();
ProverProtocolParameters ppp = new ProverProtocolParameters(ip2);
ppp.Attributes = attributes;
ppp.NumberOfTokens = numberOfTokens;
ppp.TokenInformation = tokenInformation;
ppp.ProverInformation = proverInformation;
Prover prover = ppp.CreateProver();
SecondIssuanceMessage msg2 = prover.GenerateSecondMessage(msg1);
ThirdIssuanceMessage msg3 = issuer.GenerateThirdMessage(msg2);
UProveKeyAndToken[] upkt = prover.GenerateTokens(msg3);
// Pseudonym
int[] disclosed = new int[0];
int[] committed = new int[] { 2, 4 };
byte[] message = encoding.GetBytes("this is the presentation message, this can be a very long message");
byte[] scope = encoding.GetBytes("scope");
PresentationProof proof;
FieldZqElement[] tildeO;
// Valid presentation
proof = PresentationProof.Generate(ip2, disclosed, committed, 1, scope, message, null, null, upkt[0], attributes, out tildeO);
try { proof.Verify(ip2, disclosed, committed, 1, scope, message, null, upkt[0].Token); }
catch { Assert.Fail("Proof failed to verify"); }
/******** end code from EndToEndTest.cs ***********/
// Use the commitment to attribute x_2 for ID escrow
GroupElement Cx2 = proof.Commitments[0].TildeC; // x2 is the first committed attribute
FieldZqElement x2 = ProtocolHelper.ComputeXi(ip2, 1, attributes[1]); // attributes[] is zero indexed.
FieldZqElement tildeO2 = tildeO[0];
// double check that Cx2 is computed as we expect.
GroupElement Cx2Prime = ip2.Gq.G.Exponentiate(x2);
Cx2Prime = Cx2Prime.Multiply(ip2.G[1].Exponentiate(tildeO2));
Assert.IsTrue(Cx2Prime.Equals(Cx2));
// Setup
IDEscrowParams ieParam3 = new IDEscrowParams(ip2);
IDEscrowPrivateKey priv = new IDEscrowPrivateKey(ieParam3); // we can't re-use the keypair above, it was created with different issuer params
IDEscrowPublicKey pub = new IDEscrowPublicKey(ieParam3, priv);
byte[] tokenID = ProtocolHelper.ComputeTokenID(ip2, upkt[0].Token);
// additionalInfo is defined above.
// Encrypt
IDEscrowCiphertext ctext = IDEscrowFunctions.VerifiableEncrypt(ieParam3, pub, tokenID, Cx2, x2, tildeO2, additionalInfo);
// Verify
Assert.IsTrue(IDEscrowFunctions.Verify(ieParam3, ctext, tokenID, pub, Cx2));
// Decrypt
GroupElement PE = IDEscrowFunctions.Decrypt(ieParam3, ctext, priv);
Assert.IsTrue(PE.Equals(ieParam3.Ge.Exponentiate(x2))); // Ensure PE == (ge)^x2
}
public void ProtocolTest()
{
Stopwatch sw = new Stopwatch();
sw.Start();
bool[] bools = new bool[] { true, false };
foreach (bool isSubgroupConstruction in bools)
{
foreach (bool supportDevice in bools)
{
var vectors =
supportDevice ?
(isSubgroupConstruction ?
GetTestVectors("testvectorssubgroup_Device_doc.txt")
:
GetTestVectors("testvectorsEC_Device_doc.txt"))
:
(isSubgroupConstruction ?
GetTestVectors("testvectorssubgroup_doc.txt")
:
GetTestVectors("testvectorsEC_doc.txt"));
IssuerKeyAndParameters ikap = LoadIssuerKeyAndParameters(isSubgroupConstruction, vectors["GroupName"], supportDevice, vectors);
FieldZq Zq = ikap.IssuerParameters.Zq;
// replace random y0/g0 with test vector values
ikap.PrivateKey = Zq.GetElement(HexToBytes(vectors["y0"]));
ikap.IssuerParameters.G[0] = CreateGroupElement(ikap.IssuerParameters.Gq, vectors["g0"]);
Assert.AreEqual(ikap.IssuerParameters.G[0], ikap.IssuerParameters.Gq.G.Exponentiate(ikap.PrivateKey), "g0 computation");
IssuerParameters ip = ikap.IssuerParameters;
ip.Verify();
/*
* issuance
*/
byte[][] A = new byte[][] {
HexToBytes(vectors["A1"]),
HexToBytes(vectors["A2"]),
HexToBytes(vectors["A3"]),
HexToBytes(vectors["A4"]),
HexToBytes(vectors["A5"])
};
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x1"])), ProtocolHelper.ComputeXi(ip, 0, A[0]), "x1");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x2"])), ProtocolHelper.ComputeXi(ip, 1, A[1]), "x2");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x3"])), ProtocolHelper.ComputeXi(ip, 2, A[2]), "x3");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x4"])), ProtocolHelper.ComputeXi(ip, 3, A[3]), "x4");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x5"])), ProtocolHelper.ComputeXi(ip, 4, A[4]), "x5");
byte[] TI = HexToBytes(vectors["TI"]);
Assert.IsTrue(HexToBytes(vectors["P"]).SequenceEqual(ip.Digest(supportDevice)), "P");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["xt"])), ProtocolHelper.ComputeXt(ip, TI, supportDevice), "xt");
IDevice device = null;
GroupElement hd = null;
if (supportDevice)
{
device = new VirtualDevice(ip, Zq.GetElement(HexToBytes(vectors["xd"])), Zq.GetElement(HexToBytes(vectors["wdPrime"])));
IDevicePresentationContext context = device.GetPresentationContext();
// Test device responses
Assert.AreEqual(CreateGroupElement(ip.Gq, vectors["hd"]), device.GetDevicePublicKey(), "hd");
Assert.AreEqual(CreateGroupElement(ip.Gq, vectors["ad"]), context.GetInitialWitness(), "ad");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["rdPrime"])), context.GetDeviceResponse(HexToBytes(vectors["md"]), HexToBytes(vectors["mdPrime"]), ip.HashFunctionOID), "rdPrime");
hd = CreateGroupElement(ip.Gq, vectors["hd"]);
}
IssuerProtocolParameters ipp = new IssuerProtocolParameters(ikap);
ipp.Attributes = A;
ipp.NumberOfTokens = 1;
ipp.TokenInformation = TI;
ipp.DevicePublicKey = hd;
ipp.PreGeneratedW = new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["w"])) };
Issuer issuer = ipp.CreateIssuer();
byte[] PI = HexToBytes(vectors["PI"]);
ProverProtocolParameters ppp = new ProverProtocolParameters(ip);
ppp.Attributes = A;
ppp.NumberOfTokens = 1;
ppp.TokenInformation = TI;
ppp.ProverInformation = PI;
ppp.DevicePublicKey = hd;
ppp.ProverRandomData = new ProverRandomData(
new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["alpha"])) },
new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["beta1"])) },
new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["beta2"])) });
Prover prover = ppp.CreateProver();
FirstIssuanceMessage msg1 = issuer.GenerateFirstMessage();
Assert.AreEqual(msg1.sigmaZ, CreateGroupElement(ip.Gq, vectors["sigmaZ"]), "sigmaZ");
Assert.AreEqual(msg1.sigmaA[0], CreateGroupElement(ip.Gq, vectors["sigmaA"]), "sigmaA");
Assert.AreEqual(msg1.sigmaB[0], CreateGroupElement(ip.Gq, vectors["sigmaB"]), "sigmaB");
SecondIssuanceMessage msg2 = prover.GenerateSecondMessage(msg1);
Assert.AreEqual(msg2.sigmaC[0], Zq.GetElement(HexToBytes(vectors["sigmaC"])), "sigmaC");
ThirdIssuanceMessage msg3 = issuer.GenerateThirdMessage(msg2);
Assert.AreEqual(msg3.sigmaR[0], Zq.GetElement(HexToBytes(vectors["sigmaR"])), "sigmaR");
UProveKeyAndToken[] upkt = prover.GenerateTokens(msg3);
Assert.AreEqual(upkt[0].PrivateKey, Zq.GetElement(HexToBytes(vectors["alphaInverse"])), "alphaInverse");
UProveToken token = upkt[0].Token;
Assert.AreEqual(token.H, CreateGroupElement(ip.Gq, vectors["h"]), "h");
Assert.AreEqual(token.SigmaZPrime, CreateGroupElement(ip.Gq, vectors["sigmaZPrime"]), "sigmaZPrime");
Assert.AreEqual(token.SigmaCPrime, Zq.GetElement(HexToBytes(vectors["sigmaCPrime"])), "sigmaCPrime");
Assert.AreEqual(token.SigmaRPrime, Zq.GetElement(HexToBytes(vectors["sigmaRPrime"])), "sigmaRPrime");
Assert.IsTrue(HexToBytes(vectors["UIDt"]).SequenceEqual(ProtocolHelper.ComputeTokenID(ip, token)), "UIDt");
Assert.IsTrue(supportDevice == token.IsDeviceProtected);
/*
* presentation
*/
int[] disclosed = Array.ConvertAll <string, int>(vectors["D"].Split(','), new Converter <string, int>(stringToInt));
int[] committed = Array.ConvertAll <string, int>(vectors["C"].Split(','), new Converter <string, int>(stringToInt));
byte[] m = HexToBytes(vectors["m"]);
byte[] md = null;
IDevicePresentationContext deviceContext = null;
if (supportDevice)
{
md = HexToBytes(vectors["md"]);
deviceContext = device.GetPresentationContext();
}
int p;
if (!int.TryParse(vectors["p"], out p))
{
p = PresentationProof.DeviceAttributeIndex;
}
byte[] s = HexToBytes(vectors["s"]);
int commitmentIndex = committed[0];
ProverPresentationProtocolParameters pppp = new ProverPresentationProtocolParameters(ip, disclosed, m, upkt[0], A);
pppp.Committed = committed;
pppp.PseudonymAttributeIndex = p;
pppp.PseudonymScope = s;
pppp.DeviceMessage = md;
pppp.DeviceContext = deviceContext;
pppp.RandomData = new ProofGenerationRandomData(
Zq.GetElement(HexToBytes(vectors["w0"])),
new FieldZqElement[] {
Zq.GetElement(HexToBytes(vectors["w1"])),
Zq.GetElement(HexToBytes(vectors["w3"])),
Zq.GetElement(HexToBytes(vectors["w4"]))
},
supportDevice ? Zq.GetElement(HexToBytes(vectors["wd"])) : null,
new FieldZqElement[] {
Zq.GetElement(HexToBytes(vectors["tildeO" + commitmentIndex])),
},
new FieldZqElement[] {
Zq.GetElement(HexToBytes(vectors["tildeW" + commitmentIndex]))
});
CommitmentPrivateValues cpv;
PresentationProof proof = PresentationProof.Generate(pppp, out cpv);
Assert.IsTrue(HexToBytes(vectors["a"]).SequenceEqual(proof.A), "a");
Assert.AreEqual(ProtocolHelper.GenerateScopeElement(ip.Gq, s), CreateGroupElement(ip.Gq, vectors["gs"]));
Assert.IsTrue(HexToBytes(vectors["ap"]).SequenceEqual(proof.Ap), "ap");
Assert.AreEqual(proof.Ps, CreateGroupElement(ip.Gq, vectors["Ps"]), "Ps");
Assert.IsTrue(HexToBytes(vectors["A2"]).SequenceEqual(proof.DisclosedAttributes[0]), "A2");
Assert.IsTrue(HexToBytes(vectors["A5"]).SequenceEqual(proof.DisclosedAttributes[1]), "A5");
Assert.AreEqual(proof.R[0], Zq.GetElement(HexToBytes(vectors["r0"])), "r0");
Assert.AreEqual(proof.R[1], Zq.GetElement(HexToBytes(vectors["r1"])), "r1");
Assert.AreEqual(proof.R[2], Zq.GetElement(HexToBytes(vectors["r3"])), "r3");
Assert.AreEqual(proof.R[3], Zq.GetElement(HexToBytes(vectors["r4"])), "r4");
if (supportDevice)
{
Assert.AreEqual(proof.R[4], Zq.GetElement(HexToBytes(vectors["rd"])), "rd");
}
Assert.AreEqual(proof.Commitments[0].TildeR, Zq.GetElement(HexToBytes(vectors["tildeR" + commitmentIndex])), "tildeR" + commitmentIndex);
Assert.IsTrue(cpv.TildeO.Length == 1);
Assert.AreEqual(cpv.TildeO[0], Zq.GetElement(HexToBytes(vectors["tildeO" + commitmentIndex])), "tildeO" + commitmentIndex);
VerifierPresentationProtocolParameters vppp = new VerifierPresentationProtocolParameters(ip, disclosed, m, upkt[0].Token);
vppp.Committed = committed;
vppp.PseudonymAttributeIndex = p;
vppp.PseudonymScope = s;
vppp.DeviceMessage = md;
proof.Verify(vppp);
}
}
sw.Stop();
Debug.WriteLine("Protocol Test Elapsed Time: " + sw.ElapsedMilliseconds + "ms");
}
public void InequalityTokenIntegration2Test()
{
// In this example, the token hashes the attribute
// but example also works if hashAttributes=false
bool hashAttributes = true;
// Setting up attributes for token
byte[][] attributes = new byte[][]
{
_encoding.GetBytes("Attribute 1"),
_encoding.GetBytes("Attribute 2"),
_encoding.GetBytes("Teaching Assistant"), // this is the attribute we'll compare
_encoding.GetBytes("Attribute 4")
};
// generate token
ProverPresentationProtocolParameters prover;
VerifierPresentationProtocolParameters verifier;
StaticHelperClass.GetUProveParameters(hashAttributes, out prover, out verifier, null, attributes);
CommitmentPrivateValues cpv;
PresentationProof proof = PresentationProof.Generate(prover, out cpv);
// computing target constant - "Student"
byte[] targetAttribute = _encoding.GetBytes("Student");
int targetAttributeIndex = 3 - 1; // We will compare "Student" to the third token attribute.
FieldZqElement targetValue = ProtocolHelper.ComputeXi(prover.IP, targetAttributeIndex, targetAttribute); // this is what "Student" would be encoded as if it was the third token attribute
// Create PedersenCommitments
// The prover and verifier have a map Committed that contains the relationship between
// token attributes and CommitmentPrivateValues.
int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(prover.Committed, 3); // attribute 3 from prover1
PedersenCommitment ped = new PedersenCommitment(prover, proof, cpv, commitmentIndex);
Assert.AreNotEqual(targetValue, ped.CommittedValue, "Committed value is not Student.");
// Check that "Teaching Assistant" is the commited value of the pedesen commitment.
FieldZqElement expectedCommittedValue = ProtocolHelper.ComputeXi(prover.IP, targetAttributeIndex, _encoding.GetBytes("Teaching Assistant"));
Assert.AreEqual(expectedCommittedValue, ped.CommittedValue, "Committed value is Teaching Assistant.");
// Create InequalityProof
CryptoParameters crypto = new CryptoParameters(prover.IP); // Can use prover2.IP
ProverInequalityProofParameters inequalityProver = new ProverInequalityProofParameters(ped, targetValue, crypto); // compares committed values in ped1 and ped2
InequalityProof ineQproof = new InequalityProof(inequalityProver);
// Verify InequalityProof
commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(verifier.Committed, 3); // attribute 3 from prover
ClosedPedersenCommitment closedPed = new ClosedPedersenCommitment(verifier.IP, proof, commitmentIndex);
VerifierInequalityProofParameters inequalityVerifier = new VerifierInequalityProofParameters(closedPed.Value, targetValue, crypto);
Assert.IsTrue(ineQproof.Verify(inequalityVerifier));
// test U-Prove wrapper
InequalityProof ineQProof2 = InequalityProof.GenerateUProveInequalityProof(
new EQProofUProveProverData(prover, cpv, proof, 3), targetAttribute);
InequalityProof.VerifyUProveEqualityProof(
new EQProofUProveVerifierData(verifier, proof, 3), targetAttribute, ineQProof2);
}
public void ProtocolTest()
{
Stopwatch sw = new Stopwatch();
sw.Start();
bool[] bools = new bool[] { true, false };
foreach (bool isSubgroupConstruction in bools)
{
foreach (bool supportDevice in bools)
{
foreach (int DSize in new int[] { 0, 2, 5 })
{
foreach (bool isLite in bools)
{
string filename = "TestVectorData\\testvectors_";
if (isSubgroupConstruction)
{
filename += "SG";
}
else
{
filename += "EC";
}
if (supportDevice)
{
filename += "_Device";
}
filename += ("_D" + DSize);
if (isLite)
{
filename += "_lite";
}
filename += "_doc.txt";
var vectors = GetTestVectors(filename);
IssuerKeyAndParameters ikap = LoadIssuerKeyAndParameters(isSubgroupConstruction, vectors["GroupName"], supportDevice, vectors);
FieldZq Zq = ikap.IssuerParameters.Zq;
// replace random y0/g0 with test vector values
ikap.PrivateKey = Zq.GetElement(HexToBytes(vectors["y0"]));
ikap.IssuerParameters.G[0] = CreateGroupElement(ikap.IssuerParameters.Gq, vectors["g0"]);
Assert.AreEqual(ikap.IssuerParameters.G[0], ikap.IssuerParameters.Gq.G.Exponentiate(ikap.PrivateKey), "g0 computation");
IssuerParameters ip = ikap.IssuerParameters;
ip.Verify();
/*
* issuance
*/
byte[][] A = new byte[][] {
HexToBytes(vectors["A1"]),
HexToBytes(vectors["A2"]),
HexToBytes(vectors["A3"]),
HexToBytes(vectors["A4"]),
HexToBytes(vectors["A5"])
};
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x1"])), ProtocolHelper.ComputeXi(ip, 0, A[0]), "x1");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x2"])), ProtocolHelper.ComputeXi(ip, 1, A[1]), "x2");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x3"])), ProtocolHelper.ComputeXi(ip, 2, A[2]), "x3");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x4"])), ProtocolHelper.ComputeXi(ip, 3, A[3]), "x4");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x5"])), ProtocolHelper.ComputeXi(ip, 4, A[4]), "x5");
byte[] TI = HexToBytes(vectors["TI"]);
Assert.IsTrue(HexToBytes(vectors["P"]).SequenceEqual(ip.Digest(supportDevice)), "P");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["xt"])), ProtocolHelper.ComputeXt(ip, TI, supportDevice), "xt");
IDevice device = null;
GroupElement hd = null;
if (supportDevice)
{
device = new VirtualDevice(ip, Zq.GetElement(HexToBytes(vectors["xd"])), Zq.GetElement(HexToBytes(vectors["wdPrime"])));
IDevicePresentationContext context = device.GetPresentationContext();
// Test device responses
Assert.AreEqual(CreateGroupElement(ip.Gq, vectors["hd"]), device.GetDevicePublicKey(), "hd");
Assert.AreEqual(CreateGroupElement(ip.Gq, vectors["ad"]), context.GetInitialWitness(), "ad");
Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["rdPrime"])), context.GetDeviceResponse(HexToBytes(vectors["md"]), HexToBytes(vectors["cp"]), ip.HashFunctionOID), "rdPrime");
hd = CreateGroupElement(ip.Gq, vectors["hd"]);
}
IssuerProtocolParameters ipp = new IssuerProtocolParameters(ikap);
ipp.Attributes = A;
ipp.NumberOfTokens = 1;
ipp.TokenInformation = TI;
ipp.DevicePublicKey = hd;
ipp.PreGeneratedW = new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["w"])) };
Issuer issuer = ipp.CreateIssuer();
byte[] PI = HexToBytes(vectors["PI"]);
ProverProtocolParameters ppp = new ProverProtocolParameters(ip);
ppp.Attributes = A;
ppp.NumberOfTokens = 1;
ppp.TokenInformation = TI;
ppp.ProverInformation = PI;
ppp.DevicePublicKey = hd;
ppp.ProverRandomData = new ProverRandomData(
new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["alpha"])) },
new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["beta1"])) },
new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["beta2"])) });
Prover prover = ppp.CreateProver();
FirstIssuanceMessage msg1 = issuer.GenerateFirstMessage();
Assert.AreEqual(msg1.sigmaZ, CreateGroupElement(ip.Gq, vectors["sigmaZ"]), "sigmaZ");
Assert.AreEqual(msg1.sigmaA[0], CreateGroupElement(ip.Gq, vectors["sigmaA"]), "sigmaA");
Assert.AreEqual(msg1.sigmaB[0], CreateGroupElement(ip.Gq, vectors["sigmaB"]), "sigmaB");
SecondIssuanceMessage msg2 = prover.GenerateSecondMessage(msg1);
Assert.AreEqual(msg2.sigmaC[0], Zq.GetElement(HexToBytes(vectors["sigmaC"])), "sigmaC");
ThirdIssuanceMessage msg3 = issuer.GenerateThirdMessage(msg2);
Assert.AreEqual(msg3.sigmaR[0], Zq.GetElement(HexToBytes(vectors["sigmaR"])), "sigmaR");
UProveKeyAndToken[] upkt = prover.GenerateTokens(msg3);
Assert.AreEqual(upkt[0].PrivateKey, Zq.GetElement(HexToBytes(vectors["alphaInverse"])), "alphaInverse");
UProveToken token = upkt[0].Token;
Assert.AreEqual(token.H, CreateGroupElement(ip.Gq, vectors["h"]), "h");
Assert.AreEqual(token.SigmaZPrime, CreateGroupElement(ip.Gq, vectors["sigmaZPrime"]), "sigmaZPrime");
Assert.AreEqual(token.SigmaCPrime, Zq.GetElement(HexToBytes(vectors["sigmaCPrime"])), "sigmaCPrime");
Assert.AreEqual(token.SigmaRPrime, Zq.GetElement(HexToBytes(vectors["sigmaRPrime"])), "sigmaRPrime");
Assert.IsTrue(HexToBytes(vectors["UIDt"]).SequenceEqual(ProtocolHelper.ComputeTokenID(ip, token)), "UIDt");
Assert.IsTrue(supportDevice == token.IsDeviceProtected);
/*
* presentation
*/
int[] disclosed = new int[] { };
if (vectors.ContainsKey("D") && vectors["D"].Length > 0)
{
disclosed = Array.ConvertAll <string, int>(vectors["D"].Split(','), new Converter <string, int>(stringToInt));
}
int[] undisclosed = new int[5 - disclosed.Length];
int dIndex = 0, uIndex = 0;
for (int i = 1; i <= 5; i++)
{
if (disclosed.Length > 0 && disclosed[dIndex] == i)
{
dIndex++;
}
else
{
undisclosed[uIndex++] = i;
}
}
int[] committed = new int[] { };
if (vectors.ContainsKey("C") && vectors["C"].Length > 0)
{
committed = Array.ConvertAll <string, int>(vectors["C"].Split(','), new Converter <string, int>(stringToInt));
}
byte[] m = HexToBytes(vectors["m"]);
byte[] md = HexToBytes(vectors["md"]);
IDevicePresentationContext deviceContext = null;
if (supportDevice)
{
deviceContext = device.GetPresentationContext();
}
int p = 0;
if (vectors.ContainsKey("p") && !int.TryParse(vectors["p"], out p))
{
p = PresentationProof.DeviceAttributeIndex;
}
byte[] s = vectors.ContainsKey("s") ? HexToBytes(vectors["s"]) : null;
int commitmentIndex = committed.Length > 0 ? committed[0] : 0;
ProverPresentationProtocolParameters pppp = new ProverPresentationProtocolParameters(ip, disclosed, m, upkt[0], A);
pppp.Committed = committed;
pppp.PseudonymAttributeIndex = p;
pppp.PseudonymScope = s;
pppp.DeviceMessage = md;
pppp.DeviceContext = deviceContext;
FieldZqElement[] w = new FieldZqElement[undisclosed.Length];
for (int i = 0; i < undisclosed.Length; i++)
{
w[i] = Zq.GetElement(HexToBytes(vectors["w" + undisclosed[i]]));
}
FieldZqElement[] tildeO = new FieldZqElement[committed.Length];
FieldZqElement[] tildeW = new FieldZqElement[committed.Length];
for (int i = 0; i < committed.Length; i++)
{
tildeO[i] = Zq.GetElement(HexToBytes(vectors["tildeO" + committed[i]]));
tildeW[i] = Zq.GetElement(HexToBytes(vectors["tildeW" + committed[i]]));
}
pppp.RandomData = new ProofGenerationRandomData(
Zq.GetElement(HexToBytes(vectors["w0"])),
w,
supportDevice ? Zq.GetElement(HexToBytes(vectors["wd"])) : null,
tildeO,
tildeW);
CommitmentPrivateValues cpv;
PresentationProof proof = PresentationProof.Generate(pppp, out cpv);
Assert.IsTrue(HexToBytes(vectors["a"]).SequenceEqual(proof.A), "a");
if (vectors.ContainsKey("gs"))
{
Assert.AreEqual(ProtocolHelper.GenerateScopeElement(ip.Gq, s), CreateGroupElement(ip.Gq, vectors["gs"]));
Assert.IsTrue(HexToBytes(vectors["ap"]).SequenceEqual(proof.Ap), "ap");
Assert.AreEqual(proof.Ps, CreateGroupElement(ip.Gq, vectors["Ps"]), "Ps");
}
for (int i = 0; i < disclosed.Length; i++)
{
Assert.IsTrue(HexToBytes(vectors["A" + disclosed[i]]).SequenceEqual(proof.DisclosedAttributes[i]), "A" + disclosed[i]);
}
Assert.AreEqual(proof.R[0], Zq.GetElement(HexToBytes(vectors["r0"])), "r0");
for (int i = 0; i < undisclosed.Length; i++)
{
Assert.AreEqual(proof.R[i + 1], Zq.GetElement(HexToBytes(vectors["r" + undisclosed[i]])), "r" + undisclosed[i]);
}
if (supportDevice)
{
Assert.AreEqual(proof.R[proof.R.Length - 1], Zq.GetElement(HexToBytes(vectors["rd"])), "rd");
}
for (int i = 0; i < committed.Length; i++)
{
Assert.AreEqual(proof.Commitments[i].TildeR, Zq.GetElement(HexToBytes(vectors["tildeR" + committed[i]])), "tildeR" + committed[i]);
Assert.IsTrue(cpv.TildeO.Length == committed.Length);
Assert.AreEqual(cpv.TildeO[i], Zq.GetElement(HexToBytes(vectors["tildeO" + committed[i]])), "tildeO" + committed[i]);
}
VerifierPresentationProtocolParameters vppp = new VerifierPresentationProtocolParameters(ip, disclosed, m, upkt[0].Token);
vppp.Committed = committed;
vppp.PseudonymAttributeIndex = p;
vppp.PseudonymScope = s;
vppp.DeviceMessage = md;
proof.Verify(vppp);
#if TEST_ID_ESCROW
if (committed.Length > 0)
{
IDEscrowParams escrowParams = new IDEscrowParams(ip);
IDEscrowPrivateKey escrowPrivateKey = new IDEscrowPrivateKey(Zq.GetElement(HexToBytes(vectors["ie_x"])));
IDEscrowPublicKey escrowPublicKey = new IDEscrowPublicKey(escrowParams, escrowPrivateKey);
Assert.AreEqual(escrowPublicKey.H, CreateGroupElement(ip.Gq, vectors["ie_H"]), "ie_H");
byte[] additionalInfo = HexToBytes(vectors["ie_additionalInfo"]);
int ie_bIndex = int.Parse(vectors["ie_b"]);
IDEscrowCiphertext ctext = IDEscrowFunctions.VerifiableEncrypt(
escrowParams,
escrowPublicKey,
HexToBytes(vectors["UIDt"]),
proof.Commitments[0].TildeC,
ProtocolHelper.ComputeXi(ip, ie_bIndex - 1, A[ie_bIndex - 1]),
cpv.TildeO[0],
additionalInfo,
new IDEscrowFunctions.IDEscrowProofGenerationRandomData(
Zq.GetElement(HexToBytes(vectors["ie_r"])),
Zq.GetElement(HexToBytes(vectors["ie_xbPrime"])),
Zq.GetElement(HexToBytes(vectors["ie_rPrime"])),
Zq.GetElement(HexToBytes(vectors["ie_obPrime"]))));
Assert.IsTrue(IDEscrowFunctions.UProveVerify(escrowParams, ctext, proof, upkt[0].Token, escrowPublicKey));
Assert.AreEqual(ctext.E1, CreateGroupElement(ip.Gq, vectors["ie_E1"]), "ie_E1");
Assert.AreEqual(ctext.E2, CreateGroupElement(ip.Gq, vectors["ie_E2"]), "ie_E2");
Assert.AreEqual(ctext.proof.c, Zq.GetElement(HexToBytes(vectors["ie_c"])), "ie_c");
Assert.AreEqual(ctext.proof.rR, Zq.GetElement(HexToBytes(vectors["ie_rr"])), "ie_rr");
Assert.AreEqual(ctext.proof.rXb, Zq.GetElement(HexToBytes(vectors["ie_rxb"])), "ie_rxb");
Assert.AreEqual(ctext.proof.rOb, Zq.GetElement(HexToBytes(vectors["ie_rob"])), "ie_rob");
GroupElement PE = IDEscrowFunctions.Decrypt(escrowParams, ctext, escrowPrivateKey);
}
#endif
#if TEST_DVA_REVOCATION
if (committed.Length > 0)
{
RAParameters raParams = new RAParameters(ip.Gq.GroupName, CreateGroupElement(ip.Gq, vectors["r_K"]), ip.UidH);
FieldZqElement delta = Zq.GetElement(HexToBytes(vectors["r_delta"]));
RevocationAuthority RA = new RevocationAuthority(raParams, delta);
HashSet <FieldZqElement> revoked = new HashSet <FieldZqElement>();
for (int i = 1; i <= 4; i++)
{
revoked.Add(Zq.GetElement(HexToBytes(vectors["r_R" + i])));
}
RA.UpdateAccumulator(revoked, null);
Assert.AreEqual(RA.Accumulator, CreateGroupElement(ip.Gq, vectors["r_V"]), "r_V");
int r_id = 0;
int.TryParse(vectors["r_id"], out r_id);
RevocationWitness witness = RA.ComputeRevocationWitness(revoked, Zq.GetElement(HexToBytes(vectors["x" + r_id])));
Assert.AreEqual(witness.d, Zq.GetElement(HexToBytes(vectors["r_d"])), "r_d");
Assert.AreEqual(witness.W, CreateGroupElement(ip.Gq, vectors["r_W"]), "r_W");
Assert.AreEqual(witness.Q, CreateGroupElement(ip.Gq, vectors["r_Q"]), "r_Q");
NonRevocationProof nrProof = RevocationUser.GenerateNonRevocationProof(
raParams,
witness,
proof.Commitments[0].TildeC, ProtocolHelper.ComputeXi(ip, r_id - 1, A[r_id - 1]),
cpv.TildeO[0],
new NonRevocationProofGenerationRandomData(new FieldZqElement[] {
Zq.GetElement(HexToBytes(vectors["r_t1"])),
Zq.GetElement(HexToBytes(vectors["r_t2"])),
Zq.GetElement(HexToBytes(vectors["r_k1"])),
Zq.GetElement(HexToBytes(vectors["r_k2"])),
Zq.GetElement(HexToBytes(vectors["r_k3"])),
Zq.GetElement(HexToBytes(vectors["r_k4"])),
Zq.GetElement(HexToBytes(vectors["r_k5"])),
Zq.GetElement(HexToBytes(vectors["r_k6"]))
}));
Assert.AreEqual(nrProof.X, CreateGroupElement(ip.Gq, vectors["r_X"]), "r_X");
Assert.AreEqual(nrProof.Y, CreateGroupElement(ip.Gq, vectors["r_Y"]), "r_Y");
Assert.AreEqual(nrProof.Cd, CreateGroupElement(ip.Gq, vectors["r_Cd"]), "r_Cd");
Assert.AreEqual(nrProof.cPrime, Zq.GetElement(HexToBytes(vectors["r_cPrime"])), "r_cPrime");
Assert.AreEqual(nrProof.s[0], Zq.GetElement(HexToBytes(vectors["r_s1"])), "r_s1");
Assert.AreEqual(nrProof.s[1], Zq.GetElement(HexToBytes(vectors["r_s2"])), "r_s2");
Assert.AreEqual(nrProof.s[2], Zq.GetElement(HexToBytes(vectors["r_s3"])), "r_s3");
Assert.AreEqual(nrProof.s[3], Zq.GetElement(HexToBytes(vectors["r_s4"])), "r_s4");
Assert.AreEqual(nrProof.s[4], Zq.GetElement(HexToBytes(vectors["r_s5"])), "r_s5");
Assert.AreEqual(nrProof.s[5], Zq.GetElement(HexToBytes(vectors["r_s6"])), "r_s6");
// validate proof
RA.VerifyNonRevocationProof(ip, 0, proof, nrProof);
}
#endif
#if TEST_SET_MEMBERSHIP
if (committed.Length > 0)
{
int sm_x_index = 0;
int.TryParse(vectors["sm_x_index"], out sm_x_index);
int sm_n = 0;
int.TryParse(vectors["sm_n"], out sm_n);
int sm_i = 0;
int.TryParse(vectors["sm_i"], out sm_i);
byte[][] setValues = new byte[sm_n][];
FieldZqElement[] sm_c = new FieldZqElement[sm_n - 1];
FieldZqElement[] sm_r = new FieldZqElement[sm_n - 1];
int randomIndex = 0;
for (int i = 1; i <= sm_n; i++)
{
if (i == sm_i)
{
setValues[i - 1] = HexToBytes(vectors["A" + sm_x_index]);
}
else
{
setValues[i - 1] = HexToBytes(vectors["sm_s" + i]);
sm_c[randomIndex] = Zq.GetElement(HexToBytes(vectors["sm_c" + i]));
sm_r[randomIndex] = Zq.GetElement(HexToBytes(vectors["sm_r" + i]));
randomIndex++;
}
}
SetMembershipProofGenerationRandomData smRandom = new SetMembershipProofGenerationRandomData(sm_c, sm_r, Zq.GetElement(HexToBytes(vectors["sm_w"])));
SetMembershipProof setMembershipProof = SetMembershipProof.Generate(pppp, proof, cpv, sm_x_index, setValues, smRandom);
for (int i = 1; i <= sm_n; i++)
{
Assert.AreEqual(setMembershipProof.a[i - 1], CreateGroupElement(ip.Gq, vectors["sm_a" + i]), "sm_a" + i);
if (i < sm_n) // no c_n in the proof
{
Assert.AreEqual(setMembershipProof.c[i - 1], Zq.GetElement(HexToBytes(vectors["sm_c" + i])), "sm_c" + i);
}
Assert.AreEqual(setMembershipProof.r[i - 1], Zq.GetElement(HexToBytes(vectors["sm_r" + i])), "sm_r" + i);
}
if (!SetMembershipProof.Verify(vppp, proof, setMembershipProof, sm_x_index, setValues))
{
throw new InvalidUProveArtifactException("Invalid set membership proof");
}
}
#endif
}
}
}
}
sw.Stop();
Debug.WriteLine("Protocol Test Elapsed Time: " + sw.ElapsedMilliseconds + "ms");
}
public void PseudonymAndCommitmentsTest()
{
// Issuer setup
IssuerSetupParameters isp = new IssuerSetupParameters(maxNumberOfAttributes);
isp.UidP = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
isp.E = new byte[] { (byte)1, (byte)1, (byte)1, (byte)1 };
isp.UseRecommendedParameterSet = true;
isp.S = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
IssuerKeyAndParameters ikap = isp.Generate();
IssuerParameters ip = ikap.IssuerParameters;
// Issuance
byte[][] attributes = new byte[][] { encoding.GetBytes("Attribute 1"), encoding.GetBytes("Attribute 2"), encoding.GetBytes("Attribute 3"), encoding.GetBytes("Attribute 4") };
byte[] tokenInformation = new byte[] { };
byte[] proverInformation = new byte[] { };
int numberOfTokens = 1;
IssuerProtocolParameters ipp = new IssuerProtocolParameters(ikap);
ipp.Attributes = attributes;
ipp.NumberOfTokens = numberOfTokens;
ipp.TokenInformation = tokenInformation;
Issuer issuer = ipp.CreateIssuer();
FirstIssuanceMessage msg1 = issuer.GenerateFirstMessage();
ProverProtocolParameters ppp = new ProverProtocolParameters(ip);
ppp.Attributes = attributes;
ppp.NumberOfTokens = numberOfTokens;
ppp.TokenInformation = tokenInformation;
ppp.ProverInformation = proverInformation;
Prover prover = ppp.CreateProver();
SecondIssuanceMessage msg2 = prover.GenerateSecondMessage(msg1);
ThirdIssuanceMessage msg3 = issuer.GenerateThirdMessage(msg2);
UProveKeyAndToken[] upkt = prover.GenerateTokens(msg3);
// Pseudonym
int[] disclosed = new int[0];
int[] committed = new int[] { 2, 4 };
byte[] message = encoding.GetBytes("this is the presentation message, this can be a very long message");
byte[] scope = encoding.GetBytes("scope");
PresentationProof proof;
FieldZqElement[] tildeO;
// Valid presentation
proof = PresentationProof.Generate(ip, disclosed, committed, 1, scope, message, null, null, upkt[0], attributes, out tildeO);
proof.Verify(ip, disclosed, committed, 1, scope, message, null, upkt[0].Token);
// Invalid pseudonym (wrong scope)
proof = PresentationProof.Generate(ip, disclosed, committed, 1, scope, message, null, null, upkt[0], attributes, out tildeO);
try { proof.Verify(ip, disclosed, committed, 1, encoding.GetBytes("bad scope"), message, null, upkt[0].Token); Assert.Fail(); }
catch (InvalidUProveArtifactException) { }
// Invalid pseudonym (wrong attribute)
try { proof.Verify(ip, disclosed, committed, 2, scope, message, null, upkt[0].Token); Assert.Fail(); }
catch (InvalidUProveArtifactException) { }
// Invalid commitment (null list)
try { proof.Verify(ip, disclosed, null, 2, scope, message, null, upkt[0].Token); Assert.Fail(); }
catch (InvalidUProveArtifactException) { }
// Invalid commitment (wrong committed values)
try { proof.Verify(ip, disclosed, new int[] { 1, 4 }, 2, scope, message, null, upkt[0].Token); Assert.Fail(); }
catch (InvalidUProveArtifactException) { }
// Invalid commitment (wront number of committed values)
try { proof.Verify(ip, disclosed, new int[] { 1 }, 2, scope, message, null, upkt[0].Token); Assert.Fail(); }
catch (InvalidUProveArtifactException) { }
// Invalid commitment (value)
proof.Commitments[0].TildeA[0]++;
try { proof.Verify(ip, disclosed, committed, 2, scope, message, null, upkt[0].Token); Assert.Fail(); }
catch (InvalidUProveArtifactException) { }
// Ensure tildeO is correct
GroupElement Cx2 = proof.Commitments[0].TildeC; // x2 is the first committed attribute
FieldZqElement x2 = ProtocolHelper.ComputeXi(ip, 1, attributes[1]); // attributes[] is zero indexed.
FieldZqElement tildeO2 = tildeO[0];
// double check that Cx2 is computed correctly.
GroupElement Cx2Prime = ip.Gq.MultiExponentiate(new GroupElement[] { ip.Gq.G, ip.G[1] }, new FieldZqElement[] { x2, tildeO2 });
Assert.IsTrue(Cx2Prime.Equals(Cx2));
}
