internal void OnDeserialized(StreamingContext context)
{
if (_key == null)
throw new UProveSerializationException("key");
this.PrivateKey = _key.ToFieldZqElement(Serializer.ip.Zq);
}
/// <summary>
/// Constructs a new <code>ProofGenerationRandomData</code> instance.
/// </summary>
/// <param name="w0">The <code>w0</code> value.</param>
/// <param name="w">The <code>w</code> values.</param>
/// <param name="wd">The <code>wd</code> value if the token is Device-protected; null otherwise.</param>
/// <param name="tildeO">The <code>tildeO</code> values (if attribute commitments are generated).</param>
/// <param name="tildeW">The <code>tildeW</code> values (if attribute commitments are generated).</param>
public ProofGenerationRandomData(FieldZqElement w0, FieldZqElement[] w, FieldZqElement wd, FieldZqElement[] tildeO, FieldZqElement[] tildeW)
{
this.w0 = w0;
this.w = w;
this.wd = wd;
this.tildeO = tildeO;
this.tildeW = tildeW;
}
/// <summary>
/// Generates an array of random Zq elements.
/// </summary>
/// <param name="n">The number of elements to return.</param>
/// <param name="nonZero">True to return non-zero elements.</param>
/// <param name="maxBitLength">Maximum length of the random elements, or -1 for full size elements.</param>
/// <returns>Random Zq elements.</returns>
public FieldZqElement[] GetRandomElements(int n, bool nonZero, int maxBitLength = -1)
{
FieldZqElement[] r = new FieldZqElement[n];
for (int i = 0; i < n; i++)
{
r[i] = GetRandomElement(nonZero, maxBitLength);
}
return(r);
}
/// <summary>
/// Construct a FieldZqElement array with the values given.
/// </summary>
/// <param name="values">An array of arrays of bytes representing the values in big endian order.</param>
/// <returns>A new FieldZqElement from this field with the given value.</returns>
public FieldZqElement[] GetElements(byte[][] values)
{
FieldZqElement[] elements = new FieldZqElement[values.Length];
for (int j = 0; j < values.Length; j++)
{
elements[j] = GetElement(values[j]);
}
return elements;
}
/// <summary>
/// Construct a FieldZqElement array with the values given.
/// </summary>
/// <param name="values">An array of arrays of bytes representing the non-negative values in big endian order.</param>
/// <returns>A new FieldZqElement from this field with the given value.</returns>
public FieldZqElement[] GetElements(byte[][] values)
{
FieldZqElement[] elements = new FieldZqElement[values.Length];
for (int j = 0; j < values.Length; j++)
{
elements[j] = GetElement(values[j]);
}
return(elements);
}
/// <summary>
/// Represents a U-Prove token.
/// </summary>
/// <param name="uidp">The Issuer parameters UID.</param>
/// <param name="h">The public key value h.</param>
/// <param name="TI">The token information field value.</param>
/// <param name="PI">The Prover information field value.</param>
/// <param name="sigmaZPrime">The sigmaZPrime value.</param>
/// <param name="sigmaCPrime">The sigmaCPrime value.</param>
/// <param name="sigmaRPrime">The sigmaRPrime value.</param>
/// <param name="isDeviceProtected">True if the token is Device-protected, false otherwise.</param>
public UProveToken(byte[] uidp, GroupElement h, byte[] TI, byte[] PI, GroupElement sigmaZPrime, FieldZqElement sigmaCPrime, FieldZqElement sigmaRPrime, bool isDeviceProtected)
{
this.uidp = uidp;
this.h = h;
this.ti = TI;
this.pi = PI;
this.sigmaZPrime = sigmaZPrime;
this.sigmaCPrime = sigmaCPrime;
this.sigmaRPrime = sigmaRPrime;
this.isDeviceProtected = isDeviceProtected;
}
/// <summary>
/// Constructs an IssuerKeyAndParameters instance.
/// </summary>
/// <param name="privateKey">The private key.</param>
/// <param name="issuerParameters">The Issuer parameters.</param>
public IssuerKeyAndParameters(FieldZqElement privateKey, IssuerParameters issuerParameters)
{
if (privateKey == null)
{
throw new ArgumentNullException("privateKey");
}
if (issuerParameters == null)
{
throw new ArgumentNullException("issuerParameters");
}
this.privateKey = privateKey;
this.issuerParameters = issuerParameters;
}
/// <summary> /// Compute a product of powers. /// Return the product of the <code>bases[i].Exponentiate(exponents[i])</code> for <c>i</c> from <c>0</c> to <c>bases.Length -1</c>. /// The inputs <c>bases</c> and <c>exponents</c> must have the same length /// </summary> /// <param name="bases">Group elements array.</param> /// <param name="exponents">Field elements array.</param> /// <returns>Multi-exponentiation of the group elements to the field elements.</returns> public abstract GroupElement MultiExponentiate(GroupElement[] bases, FieldZqElement[] exponents);
/// <summary> /// Returns <code>this^exponent</code>. /// </summary> /// <param name="exponent">The exponent.</param> /// <returns>A group element.</returns> public abstract GroupElement Exponentiate(FieldZqElement exponent);
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, out FieldZqElement[] tildeO)
{
return Generate(ip, disclosed, committed, pseudonymAttribIndex, pseudonymScope, message, messageD, deviceContext, upkt, attributes, null, out tildeO);
}
public void Verify(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, UProveToken upt)
{
try
{
// make sure disclosed list is sorted
if (disclosed == null)
{
// can't be null later, so make it an empty array
disclosed = new int[] { };
}
Array.Sort(disclosed);
Group Gq = ip.Gq;
int n = ip.E.Length;
bool presentPseudonym = false;
if (gs != null && pseudonymAttribIndex != 0)
{
if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex))
{
throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)");
}
if (disclosed.Contains(pseudonymAttribIndex))
{
throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array");
}
presentPseudonym = true;
}
else // no nym
{
pseudonymAttribIndex = 0;
}
bool verifyCommitments = (committed != null && committed.Length > 0);
if (verifyCommitments)
{
Array.Sort(committed);
}
ProtocolHelper.VerifyTokenSignature(ip, upt);
FieldZqElement[] disclosedX = new FieldZqElement[disclosedAttributes.Length];
GroupElement dAccumulator = ip.G[0] * ip.G[n + 1].Exponentiate(ProtocolHelper.ComputeXt(ip, upt.TI, upt.IsDeviceProtected)); // g0 * gt^xt
GroupElement uAccumulator = upt.H.Exponentiate(this.r[0]);
int dIndex = 0;
int uIndex = 1;
int cIndex = 0;
int pseudonymResponseIndex = 0;
int[] commitmentResponseIndices = verifyCommitments ? new int[committed.Length] : null;
for (int i = 1; i <= n; i++)
{
if (disclosed.Contains(i))
{
disclosedX[dIndex] = ProtocolHelper.ComputeXi(ip, i - 1, disclosedAttributes[dIndex]);
dAccumulator = dAccumulator * ip.G[i].Exponentiate(disclosedX[dIndex]);
dIndex++;
}
else
{
uAccumulator = uAccumulator * ip.G[i].Exponentiate(this.r[uIndex]);
if (presentPseudonym)
{
if (pseudonymAttribIndex == i)
{
pseudonymResponseIndex = uIndex;
}
}
if (verifyCommitments)
{
if (committed.Contains(i))
{
// remember which response correspond to which commitment
commitmentResponseIndices[cIndex] = uIndex;
cIndex++;
}
}
uIndex++;
}
}
if (pseudonymAttribIndex == DeviceAttributeIndex)
{
pseudonymResponseIndex = this.r.Length - 1; // r_d is the last response in the array
}
byte[] unused; // verifier doesn't use the returned message for device
FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upt, this.a, pseudonymAttribIndex, this.ap, this.ps, message, messageD, disclosed, disclosedX, committed, this.Commitments, out unused);
HashFunction hash = ip.HashFunction;
hash.Hash((dAccumulator.Exponentiate(c.Negate()) * uAccumulator * (upt.IsDeviceProtected ? ip.Gd.Exponentiate(this.r[this.r.Length -1]) : Gq.Identity)));
if (!this.a.SequenceEqual(hash.Digest))
{
throw new InvalidUProveArtifactException("Invalid presentation proof");
}
if (presentPseudonym)
{
hash.Hash(this.ps.Exponentiate(c).Multiply(gs.Exponentiate(this.r[pseudonymResponseIndex])));
if (!this.ap.SequenceEqual(hash.Digest))
{
throw new InvalidUProveArtifactException("Invalid pseudonym");
}
}
if (verifyCommitments)
{
for (int i = 0; i < commitmentResponseIndices.Length; i++)
{
CommitmentValues commitment = this.Commitments[i];
hash.Hash(commitment.TildeC.Exponentiate(c).Multiply(ip.Gq.G.Exponentiate(this.r[commitmentResponseIndices[i]])).Multiply(ip.G[1].Exponentiate(commitment.TildeR)));
if (!commitment.TildeA.SequenceEqual(hash.Digest))
{
throw new InvalidUProveArtifactException("Invalid commitment " + committed[i]);
}
}
}
}
catch (ArgumentException)
{
throw new InvalidUProveArtifactException("Invalid presentation proof");
}
catch (IndexOutOfRangeException)
{
throw new InvalidUProveArtifactException("Invalid presentation proof");
}
}
/// <summary>
/// Generates a presentation proof including optionally presenting a pseudonym, creating attribute commitments, and passing pre-generated random values.
/// </summary>
/// <param name="ip">The issuer parameters corresponding to <code>upkt</code>.</param>
/// <param name="disclosed">An ordered array of disclosed attribute indices.</param>
/// <param name="committed">An ordered array of committed attribute indices.</param>
/// <param name="pseudonymAttribIndex">Index of the attribute used to create a scope-exclusive pseudonym, or 0 if no pseudonym is to be presented. The index must not be part of the disclosed attributes.</param>
/// <param name="gs">The pseudonym scope element, or null if no pseudonym is to be presented.</param>
/// <param name="message">The presentation message.</param>
/// <param name="messageD">The message for the Device, or null.</param>
/// <param name="deviceContext">The active device context, if token is device-protected, or null.</param>
/// <param name="upkt">The U-Proke key and token.</param>
/// <param name="attributes">The token attributes.</param>
/// <param name="preGenW">Optional pregenerated random data for the proof generation.</param>
/// <param name="cpv">Returned commitment private values if commitments are computed.</param>
/// <returns>A presentation proof.</returns>
internal static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out CommitmentPrivateValues cpv)
{
if (upkt.Token.IsDeviceProtected && deviceContext == null)
{
throw new ArgumentNullException("Device context is not initialized");
}
bool generateCommitments = (committed != null && committed.Length > 0);
FieldZqElement[] tildeO = null;
// make sure disclosed and committed lists are sorted
if (disclosed == null)
{
// can't be null later, so make it an empty array
disclosed = new int[] { };
}
Array.Sort(disclosed);
if (generateCommitments)
{
Array.Sort(committed);
}
int n = 0;
if (ip.E != null)
n = ip.E.Length;
bool presentPseudonym = false;
if (gs != null)
{
if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex))
{
throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)");
}
if (disclosed.Contains(pseudonymAttribIndex))
{
throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array");
}
presentPseudonym = true;
}
else if (pseudonymAttribIndex > 0)
{
throw new ArgumentNullException("gs is null");
}
else
{
pseudonymAttribIndex = 0;
}
Group Gq = ip.Gq;
FieldZq Zq = ip.Zq;
FieldZqElement xt = ProtocolHelper.ComputeXt(ip, upkt.Token.TI, upkt.Token.IsDeviceProtected);
ProofGenerationRandomData random;
if (preGenW == null)
{
random = ProofGenerationRandomData.Generate(n - disclosed.Length, generateCommitments ? committed.Length : 0, Zq, upkt.Token.IsDeviceProtected);
}
else
{
random = preGenW;
}
FieldZqElement[] x = new FieldZqElement[n];
GroupElement temp = upkt.Token.H.Exponentiate(random.W0);
int uIndex = 0;
int dIndex = 0;
int cIndex = 0;
PresentationProof proof = new PresentationProof();
proof.DisclosedAttributes = new byte[disclosed.Length][];
int pseudonymRandomizerIndex = 0;
if (generateCommitments)
{
proof.Commitments = new CommitmentValues[committed.Length];
tildeO = new FieldZqElement[committed.Length];
}
HashFunction hash = ip.HashFunction;
for (int i = 0; i < n; i++)
{
x[i] = ProtocolHelper.ComputeXi(ip, i, attributes[i]);
if (!disclosed.Contains(i + 1))
{
temp = temp * ip.G[i + 1].Exponentiate(random.W[uIndex]);
if (presentPseudonym)
{
if (pseudonymAttribIndex == (i + 1))
{
pseudonymRandomizerIndex = uIndex;
}
}
if (generateCommitments && committed.Contains(i + 1))
{
GroupElement tildeC = ip.Gq.G.Exponentiate(x[i]) * ip.G[1].Exponentiate(random.TildeO[cIndex]);
tildeO[cIndex] = random.TildeO[cIndex];
GroupElement temp2 = ip.Gq.G.Exponentiate(random.W[uIndex]) * ip.G[1].Exponentiate(random.TildeW[cIndex]);
hash.Hash(temp2);
byte[] tildeA = hash.Digest;
proof.Commitments[cIndex] = new CommitmentValues(tildeC, tildeA, null);
cIndex++;
}
uIndex++;
}
else if (generateCommitments && committed.Contains(i + 1))
{
throw new ArgumentException("attribute " + (i + 1) + " cannot be both disclosed and committed");
}
else
{
proof.DisclosedAttributes[dIndex] = attributes[i];
dIndex++;
}
}
if (upkt.Token.IsDeviceProtected)
{
GroupElement ad;
// pseudonym computed by device
if (presentPseudonym && pseudonymAttribIndex == DeviceAttributeIndex)
{
GroupElement apPrime;
GroupElement Ps;
ad = deviceContext.GetInitialWitnessesAndPseudonym(gs, out apPrime, out Ps);
hash.Hash(apPrime * gs.Exponentiate(random.Wd));
proof.Ap = hash.Digest;
proof.Ps = Ps;
}
else
{
ad = deviceContext.GetInitialWitness();
}
temp = temp * ip.Gd.Exponentiate(random.Wd) * ad;
}
hash.Hash(temp);
proof.a = hash.Digest;
// pseudonym derived from one token attribute
if (presentPseudonym && pseudonymAttribIndex != DeviceAttributeIndex)
{
hash.Hash(gs.Exponentiate(random.W[pseudonymRandomizerIndex]));
proof.Ap = hash.Digest;
proof.Ps = gs.Exponentiate(x[pseudonymAttribIndex - 1]);
}
byte[] mdPrime;
FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upkt.Token, proof.a, pseudonymAttribIndex, proof.ap, proof.Ps, message, messageD, disclosed, GetDisclosedX(disclosed, x), committed, proof.Commitments, out mdPrime);
proof.r = new FieldZqElement[1 + n - disclosed.Length + (upkt.Token.IsDeviceProtected ? 1 : 0)]; // r_0, {r_i} for undisclosed i, r_d
proof.r[0] = c * upkt.PrivateKey + random.W0;
uIndex = 1;
for (int i = 1; i <= n; i++)
{
if (!disclosed.Contains(i))
{
proof.r[uIndex] = c.Negate() * x[i - 1] + random.W[uIndex - 1];
uIndex++;
}
}
if (upkt.Token.IsDeviceProtected)
{
proof.r[proof.r.Length - 1] = deviceContext.GetDeviceResponse(messageD, mdPrime, ip.HashFunctionOID) + random.Wd;
}
if (generateCommitments)
{
for (int i = 0; i < committed.Length; i++)
{
proof.Commitments[i].TildeR = c.Negate() * random.TildeO[i] + random.TildeW[i];
}
}
random.Clear();
cpv = new CommitmentPrivateValues(tildeO);
return proof;
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
{
CommitmentPrivateValues cpv;
PresentationProof proof = Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out cpv);
tildeO = cpv.TildeO;
return proof;
}
/// <summary> /// Multiply this element by the element e. /// </summary> /// <param name="e">The value to multiply this value by.</param> /// <returns>The value of this * e.</returns> public abstract FieldZqElement Multiply(FieldZqElement e);
/// <summary>
/// Constructs a new instance.
/// </summary>
/// <param name="tildeO">The <code>tildeO</code> value of the commitments.</param>
public CommitmentPrivateValues(FieldZqElement[] tildeO)
{
TildeO = tildeO;
}
/// <summary>
/// Convert a base64 string to a FieldElement[] using a specific FieldZq object.
/// </summary>
/// <param name="encodedElements">The encoded string to convert.</param>
/// <param name="Zq">The fieldZq object to use.</param>
/// <returns>The converted object.</returns>
public static FieldZqElement[] ToFieldElementArray(this String[] encodedElements, FieldZq Zq)
{
if (encodedElements == null) return null;
FieldZqElement[] fieldElements = new FieldZqElement[encodedElements.Length];
for (int i = 0; i < encodedElements.Length; i++)
{
fieldElements[i] = encodedElements[i].ToFieldZqElement(Zq);
}
return fieldElements;
}
/// <summary> /// Exponentiate this value to the exponent power. /// </summary> /// <param name="exponent">The exponent to raise this value to.</param> /// <returns>This value to the exponent power.</returns> public abstract FieldZqElement ModPow(FieldZqElement exponent);
/// <summary>
/// Hash a FieldZqElement array.
/// </summary>
/// <param name="values">An array of FieldZqElements to be hashed.</param>
public void Hash(FieldZqElement[] values)
{
if (values == null)
{
HashNull();
}
else
{
Hash(values.Length);
foreach (FieldZqElement i in values)
{
Hash(i);
}
}
}
/// <summary>
/// Divide this element by the element e. Does not check for division
/// by 0 errors.
/// </summary>
/// <param name="e">The value to divide this value by.</param>
/// <returns>The value of this / e</returns>
public FieldZqElement Divide(FieldZqElement e)
{
return(this * e.Invert());
}
internal void OnDeserialized(StreamingContext context)
{
if (_uidp == null)
throw new UProveSerializationException("uidp");
if (_h == null)
throw new UProveSerializationException("h");
if (_sigmaZPrime == null)
throw new UProveSerializationException("szp");
if (_sigmaCPrime == null)
throw new UProveSerializationException("scp");
if (_sigmaRPrime == null)
throw new UProveSerializationException("srp");
// default to false if not provided
if (_isDeviceProtected == null)
_isDeviceProtected = false;
this.uidp = _uidp.ToByteArray();
this.h = _h.ToGroupElement(Serializer.ip);
this.ti = _ti.ToByteArray();
this.pi = _pi.ToByteArray();
this.sigmaZPrime = _sigmaZPrime.ToGroupElement(Serializer.ip);
this.sigmaCPrime = _sigmaCPrime.ToFieldZqElement(Serializer.ip.Zq);
this.sigmaRPrime = _sigmaRPrime.ToFieldZqElement(Serializer.ip.Zq);
this.isDeviceProtected = _isDeviceProtected.Value;
}
/// <summary>
/// Constructs a new VirtualDevice instance.
/// </summary>
/// <param name="parameterSet">The parameter set.</param>
/// <param name="xd">The device private key.</param>
/// <param name="preGenWdPrime">The pregenerated w_d prime value (for one presentation)</param>
public VirtualDevice(ParameterSet parameterSet, FieldZqElement xd, FieldZqElement preGenWdPrime)
: this(parameterSet.Group, parameterSet.Gd, FieldZq.CreateFieldZq(parameterSet.Group.Q), xd, preGenWdPrime)
{
}
/// <summary> /// Add the value to this value and return the result. /// </summary> /// <param name="e">The value to add to this value.</param> /// <returns>This value plus e.</returns> public abstract FieldZqElement Add(FieldZqElement e);
/// <summary>
/// Constructs a new instance.
/// </summary>
/// <param name="tildeC">The <code>tildeC</code> value.</param>
/// <param name="tildeA">The <code>tildeA</code> value.</param>
/// <param name="tildeR">The <code>tildeR</code> value.</param>
public CommitmentValues(GroupElement tildeC, byte[] tildeA, FieldZqElement tildeR)
{
TildeC = tildeC;
TildeA = tildeA;
TildeR = tildeR;
}
/// <summary>
/// Private constructor - takes and sets all fields.
/// </summary>
/// <param name="Gq">The group</param>
/// <param name="gd">The device generator</param>
/// <param name="Zq">The Field associated to the group <c>Gq</c></param>
/// <param name="xd">The xd.</param>
/// <param name="preGenWdPrime">The pre gen wd prime.</param>
VirtualDevice(Group Gq, GroupElement gd, FieldZq Zq, FieldZqElement xd, FieldZqElement preGenWdPrime)
{
if (xd != null && !Zq.IsElement(xd))
{
throw new ArgumentException("xd is not a valid Zq element");
}
this.Gd = gd;
this.Gq = Gq;
this.Zq = Zq;
this.xd = xd ?? this.Zq.GetRandomElement(true); // assign xd a random value if null
this.wdPrime = preGenWdPrime;
this.hd = this.Gd.Exponentiate(this.xd);
}
/// <summary>
/// Constructs a new <code>PresentationProof</code> instance.
/// </summary>
/// <param name="disclosedAttributes">The disclosed attributes.</param>
/// <param name="a">The <code>a</code> value.</param>
/// <param name="ap">The <code>ap</code> value.</param>
/// <param name="ps">The <code>Ps</code> value.</param>
/// <param name="r">The <code>r</code> values.</param>
/// <param name="commitments">The commitments values.</param>
public PresentationProof(byte[][] disclosedAttributes, byte[] a, byte[] ap, GroupElement ps, FieldZqElement[] r, CommitmentValues[] commitments)
{
this.disclosedAttributes = disclosedAttributes;
this.a = a;
this.ap = ap;
this.ps = ps;
this.r = r;
this.commitments = commitments;
}
GroupElement IDevicePresentationContext.GetInitialWitness()
{
if (this.device == null)
{
throw new DeviceException("Invalid context.");
}
if (this.wdPrime != null)
{
throw new DeviceException("Initial witness already calculated.");
}
this.wdPrime = this.device.wdPrime ?? this.device.Zq.GetRandomElement(false);
return this.device.Gd.Exponentiate(this.wdPrime);
}
/// <summary>
/// Generates an array of random Zq elements.
/// </summary>
/// <param name="n">The number of elements to return.</param>
/// <param name="nonZero">True to return non-zero elements.</param>
/// <param name="maxBitLength">Maximum length of the random elements, or -1 for full size elements.</param>
/// <returns>Random Zq elements.</returns>
public FieldZqElement[] GetRandomElements(int n, bool nonZero, int maxBitLength = -1)
{
FieldZqElement[] r = new FieldZqElement[n];
for (int i = 0; i < n; i++)
{
r[i] = GetRandomElement(nonZero, maxBitLength);
}
return r;
}
/// <summary>
/// Hash a FieldZqElement.
/// </summary>
/// <param name="value">A field Zq element to be hashed.</param>
public void Hash(FieldZqElement value)
{
if (value == null)
{
HashNull();
return;
}
Hash(value.ToByteArray());
}
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
{
GroupElement gs = ProtocolHelper.GenerateScopeElement(ip.Gq, pseudonymScope);
return Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out tildeO);
}
/// <summary> /// Returns true if the given element is an element from this field. /// </summary> /// <param name="element">The element to check.</param> /// <returns>True if the given element is an element from this field.</returns> public abstract bool IsElement(FieldZqElement element);
// Helper method for Generate(...)
private static FieldZqElement[] GetDisclosedX(int[] disclosed, FieldZqElement[] x)
{
FieldZqElement[] disclosedX = new FieldZqElement[disclosed.Length];
int index = 0;
foreach (int i in disclosed)
{
disclosedX[index++] = x[i - 1];
}
return disclosedX;
}
/// <summary>
/// Constructs a new VirtualDevice instance.
/// </summary>
/// <param name="ip">The Issuer parameters.</param>
/// <param name="xd">The device private key.</param>
/// <param name="preGenWdPrime">The pregenerated w_d prime value (for one presentation)</param>
public VirtualDevice(IssuerParameters ip, FieldZqElement xd, FieldZqElement preGenWdPrime)
: this(ip.Gq, ip.Gd, ip.Zq, xd, preGenWdPrime)
{
}
/// <summary>
/// Clears the object.
/// Note that this method does not guarantee the memory will be securely zeroized.
/// </summary>
public void Clear()
{
w0 = null;
if (w != null)
{
Array.Clear(w, 0, w.Length);
w = null;
}
wd = null;
if (tildeO != null)
{
Array.Clear(tildeO, 0, tildeO.Length);
tildeO = null;
}
if (tildeW != null)
{
Array.Clear(tildeW, 0, tildeW.Length);
tildeW = null;
}
}
/// <summary>
/// Constructs a new VirtualDevice instance.
/// </summary>
/// <param name="parameterSet">The parameter set.</param>
/// <param name="xd">The device private key.</param>
public VirtualDevice(ParameterSet parameterSet, FieldZqElement xd)
: this(parameterSet, xd, null)
{ }
GroupElement IDevicePresentationContext.GetInitialWitnessesAndPseudonym(GroupElement gs, out GroupElement apPrime, out GroupElement Ps)
{
if (this.device == null)
{
throw new DeviceException("Invalid context.");
}
if (this.wdPrime != null)
{
throw new DeviceException("Initial witness already calculated.");
}
this.wdPrime = this.device.wdPrime ?? this.device.Zq.GetRandomElement(false);
// compute pseudonym
apPrime = gs.Exponentiate(this.wdPrime);
Ps = gs.Exponentiate(this.device.xd);
// compute initial witness
return this.device.Gd.Exponentiate(this.wdPrime);
}
/// <summary>
/// Subtracts e from this value and returns the result.
/// </summary>
/// <param name="e">The value to subtract from this value.</param>
/// <returns>This value minus e.</returns>
public FieldZqElement Subtract(FieldZqElement e)
{
return(this + e.Negate());
}
/// <summary> /// Returns true if the given element is an element from this field. /// </summary> /// <param name="element">The element to check.</param> /// <returns>True if the given element is an element from this field.</returns> public abstract bool IsElement(FieldZqElement element);
/// <summary>
/// Constructs a new VirtualDevice instance.
/// </summary>
/// <param name="ip">The Issuer parameters.</param>
/// <param name="xd">The device private key.</param>
public VirtualDevice(IssuerParameters ip, FieldZqElement xd)
: this(ip, xd, null)
{}