internal void OnDeserialized(StreamingContext context)
        {
            if (_key == null)
                throw new UProveSerializationException("key");

            this.PrivateKey = _key.ToFieldZqElement(Serializer.ip.Zq);
        }
 /// <summary>
 /// Constructs a new <code>ProofGenerationRandomData</code> instance.
 /// </summary>
 /// <param name="w0">The <code>w0</code> value.</param>
 /// <param name="w">The <code>w</code> values.</param>
 /// <param name="wd">The <code>wd</code> value if the token is Device-protected; null otherwise.</param>
 /// <param name="tildeO">The <code>tildeO</code> values (if attribute commitments are generated).</param>
 /// <param name="tildeW">The <code>tildeW</code> values (if attribute commitments are generated).</param>
 public ProofGenerationRandomData(FieldZqElement w0, FieldZqElement[] w, FieldZqElement wd, FieldZqElement[] tildeO, FieldZqElement[] tildeW)
 {
     this.w0 = w0;
     this.w = w;
     this.wd = wd;
     this.tildeO = tildeO;
     this.tildeW = tildeW;
 }
Exemple #3
0
 /// <summary>
 /// Generates an array of random Zq elements.
 /// </summary>
 /// <param name="n">The number of elements to return.</param>
 /// <param name="nonZero">True to return non-zero elements.</param>
 /// <param name="maxBitLength">Maximum length of the random elements, or -1 for full size elements.</param>
 /// <returns>Random Zq elements.</returns>
 public FieldZqElement[] GetRandomElements(int n, bool nonZero, int maxBitLength = -1)
 {
     FieldZqElement[] r = new FieldZqElement[n];
     for (int i = 0; i < n; i++)
     {
         r[i] = GetRandomElement(nonZero, maxBitLength);
     }
     return(r);
 }
        /// <summary>
        /// Construct a FieldZqElement array with the values given.
        /// </summary>
        /// <param name="values">An array of arrays of bytes representing the values in big endian order.</param>
        /// <returns>A new FieldZqElement from this field with the given value.</returns>
        public FieldZqElement[] GetElements(byte[][] values)
        {
            FieldZqElement[] elements = new FieldZqElement[values.Length];
            for (int j = 0; j < values.Length; j++)
            {
                elements[j] = GetElement(values[j]);
            }

            return elements;
        }
Exemple #5
0
        /// <summary>
        /// Construct a FieldZqElement array with the values given.
        /// </summary>
        /// <param name="values">An array of arrays of bytes representing the non-negative values in big endian order.</param>
        /// <returns>A new FieldZqElement from this field with the given value.</returns>
        public FieldZqElement[] GetElements(byte[][] values)
        {
            FieldZqElement[] elements = new FieldZqElement[values.Length];
            for (int j = 0; j < values.Length; j++)
            {
                elements[j] = GetElement(values[j]);
            }

            return(elements);
        }
 /// <summary>
 /// Represents a U-Prove token.
 /// </summary>
 /// <param name="uidp">The Issuer parameters UID.</param>
 /// <param name="h">The public key value h.</param>
 /// <param name="TI">The token information field value.</param>
 /// <param name="PI">The Prover information field value.</param>
 /// <param name="sigmaZPrime">The sigmaZPrime value.</param>
 /// <param name="sigmaCPrime">The sigmaCPrime value.</param>
 /// <param name="sigmaRPrime">The sigmaRPrime value.</param>
 /// <param name="isDeviceProtected">True if the token is Device-protected, false otherwise.</param>
 public UProveToken(byte[] uidp, GroupElement h, byte[] TI, byte[] PI, GroupElement sigmaZPrime, FieldZqElement sigmaCPrime, FieldZqElement sigmaRPrime, bool isDeviceProtected)
 {
     this.uidp = uidp;
     this.h = h;
     this.ti = TI;
     this.pi = PI;
     this.sigmaZPrime = sigmaZPrime;
     this.sigmaCPrime = sigmaCPrime;
     this.sigmaRPrime = sigmaRPrime;
     this.isDeviceProtected = isDeviceProtected;
 }
 /// <summary>
 /// Constructs an IssuerKeyAndParameters instance.
 /// </summary>
 /// <param name="privateKey">The private key.</param>
 /// <param name="issuerParameters">The Issuer parameters.</param>
 public IssuerKeyAndParameters(FieldZqElement privateKey, IssuerParameters issuerParameters)
 {
     if (privateKey == null)
     {
         throw new ArgumentNullException("privateKey");
     }
     if (issuerParameters == null)
     {
         throw new ArgumentNullException("issuerParameters");
     }
     this.privateKey = privateKey;
     this.issuerParameters = issuerParameters;
 }
Exemple #8
0
 /// <summary>
 /// Compute a product of powers.
 /// Return the product of the <code>bases[i].Exponentiate(exponents[i])</code> for <c>i</c> from <c>0</c> to <c>bases.Length -1</c>.
 /// The inputs <c>bases</c> and <c>exponents</c> must have the same length
 /// </summary>
 /// <param name="bases">Group elements array.</param>
 /// <param name="exponents">Field elements array.</param>
 /// <returns>Multi-exponentiation of the group elements to the field elements.</returns>
 public abstract GroupElement MultiExponentiate(GroupElement[] bases, FieldZqElement[] exponents);
 /// <summary>
 /// Returns <code>this^exponent</code>.
 /// </summary>
 /// <param name="exponent">The exponent.</param>
 /// <returns>A group element.</returns>
 public abstract GroupElement Exponentiate(FieldZqElement exponent);
 public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, out FieldZqElement[] tildeO)
 {
     return Generate(ip, disclosed, committed, pseudonymAttribIndex, pseudonymScope, message, messageD, deviceContext, upkt, attributes, null, out tildeO);
 }
        public void Verify(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, UProveToken upt)
        {
            try
            {
                // make sure disclosed list is sorted
                if (disclosed == null)
                {
                    // can't be null later, so make it an empty array
                    disclosed = new int[] { };
                }
                Array.Sort(disclosed);
                Group Gq = ip.Gq;
                int n = ip.E.Length;

                bool presentPseudonym = false;
                if (gs != null && pseudonymAttribIndex != 0)
                {
                    if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex))
                    {
                        throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)");
                    }
                    if (disclosed.Contains(pseudonymAttribIndex))
                    {
                        throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array");
                    }
                    presentPseudonym = true;
                }
                else // no nym
                {
                    pseudonymAttribIndex = 0;
                }
                bool verifyCommitments = (committed != null && committed.Length > 0);
                if (verifyCommitments)
                {
                    Array.Sort(committed);
                }

                ProtocolHelper.VerifyTokenSignature(ip, upt);
                FieldZqElement[] disclosedX = new FieldZqElement[disclosedAttributes.Length];
                GroupElement dAccumulator = ip.G[0] * ip.G[n + 1].Exponentiate(ProtocolHelper.ComputeXt(ip, upt.TI, upt.IsDeviceProtected));     // g0 * gt^xt
                GroupElement uAccumulator = upt.H.Exponentiate(this.r[0]);
                int dIndex = 0;
                int uIndex = 1;
                int cIndex = 0;
                int pseudonymResponseIndex = 0;
                int[] commitmentResponseIndices = verifyCommitments ? new int[committed.Length] : null;
                for (int i = 1; i <= n; i++)
                {
                    if (disclosed.Contains(i))
                    {
                        disclosedX[dIndex] = ProtocolHelper.ComputeXi(ip, i - 1, disclosedAttributes[dIndex]);
                        dAccumulator = dAccumulator * ip.G[i].Exponentiate(disclosedX[dIndex]);
                        dIndex++;
                    }
                    else
                    {
                        uAccumulator = uAccumulator * ip.G[i].Exponentiate(this.r[uIndex]);
                        if (presentPseudonym)
                        {
                            if (pseudonymAttribIndex == i)
                            {
                                pseudonymResponseIndex = uIndex;
                            }
                        }
                        if (verifyCommitments)
                        {
                            if (committed.Contains(i))
                            {
                                // remember which response correspond to which commitment
                                commitmentResponseIndices[cIndex] = uIndex;
                                cIndex++;
                            }
                        }
                        uIndex++;
                    }
                }
                if (pseudonymAttribIndex == DeviceAttributeIndex)
                {
                    pseudonymResponseIndex = this.r.Length - 1; // r_d is the last response in the array
                }

                byte[] unused; // verifier doesn't use the returned message for device
                FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upt, this.a, pseudonymAttribIndex, this.ap, this.ps, message, messageD, disclosed, disclosedX, committed, this.Commitments, out unused);

                HashFunction hash = ip.HashFunction;
                hash.Hash((dAccumulator.Exponentiate(c.Negate()) * uAccumulator * (upt.IsDeviceProtected ? ip.Gd.Exponentiate(this.r[this.r.Length -1]) : Gq.Identity)));
                if (!this.a.SequenceEqual(hash.Digest))
                {
                    throw new InvalidUProveArtifactException("Invalid presentation proof");
                }

                if (presentPseudonym)
                {
                    hash.Hash(this.ps.Exponentiate(c).Multiply(gs.Exponentiate(this.r[pseudonymResponseIndex])));
                    if (!this.ap.SequenceEqual(hash.Digest))
                    {
                        throw new InvalidUProveArtifactException("Invalid pseudonym");
                    }
                }

                if (verifyCommitments)
                {
                    for (int i = 0; i < commitmentResponseIndices.Length; i++)
                    {
                        CommitmentValues commitment = this.Commitments[i];
                        hash.Hash(commitment.TildeC.Exponentiate(c).Multiply(ip.Gq.G.Exponentiate(this.r[commitmentResponseIndices[i]])).Multiply(ip.G[1].Exponentiate(commitment.TildeR)));
                        if (!commitment.TildeA.SequenceEqual(hash.Digest))
                        {
                            throw new InvalidUProveArtifactException("Invalid commitment " + committed[i]);
                        }
                    }
                }
            }
            catch (ArgumentException)
            {
                throw new InvalidUProveArtifactException("Invalid presentation proof");
            }
            catch (IndexOutOfRangeException)
            {
                throw new InvalidUProveArtifactException("Invalid presentation proof");
            }
        }
        /// <summary>
        /// Generates a presentation proof including optionally presenting a pseudonym, creating attribute commitments, and passing pre-generated random values.
        /// </summary>
        /// <param name="ip">The issuer parameters corresponding to <code>upkt</code>.</param>
        /// <param name="disclosed">An ordered array of disclosed attribute indices.</param>
        /// <param name="committed">An ordered array of committed attribute indices.</param>
        /// <param name="pseudonymAttribIndex">Index of the attribute used to create a scope-exclusive pseudonym, or 0 if no pseudonym is to be presented. The index must not be part of the disclosed attributes.</param>
        /// <param name="gs">The pseudonym scope element, or null if no pseudonym is to be presented.</param>
        /// <param name="message">The presentation message.</param>
        /// <param name="messageD">The message for the Device, or null.</param>
        /// <param name="deviceContext">The active device context, if token is device-protected, or null.</param>
        /// <param name="upkt">The U-Proke key and token.</param>
        /// <param name="attributes">The token attributes.</param>
        /// <param name="preGenW">Optional pregenerated random data for the proof generation.</param>
        /// <param name="cpv">Returned commitment private values if commitments are computed.</param>
        /// <returns>A presentation proof.</returns>
        internal static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out CommitmentPrivateValues cpv)
        {
            if (upkt.Token.IsDeviceProtected && deviceContext == null)
            {
                throw new ArgumentNullException("Device context is not initialized");
            }
            bool generateCommitments = (committed != null && committed.Length > 0);
            FieldZqElement[] tildeO = null;

            // make sure disclosed and committed lists are sorted
            if (disclosed == null)
            {
                // can't be null later, so make it an empty array
                disclosed = new int[] { };
            }
            Array.Sort(disclosed);
            if (generateCommitments)
            {
                Array.Sort(committed);
            }

            int n = 0;
            if (ip.E != null)
                n = ip.E.Length;

            bool presentPseudonym = false;

            if (gs != null)
            {
                if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex))
                {
                    throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)");
                }
                if (disclosed.Contains(pseudonymAttribIndex))
                {
                    throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array");
                }
                presentPseudonym = true;
            }
            else if (pseudonymAttribIndex > 0)
            {
                throw new ArgumentNullException("gs is null");
            }
            else
            {
                pseudonymAttribIndex = 0;
            }

            Group Gq = ip.Gq;
            FieldZq Zq = ip.Zq;

            FieldZqElement xt = ProtocolHelper.ComputeXt(ip, upkt.Token.TI, upkt.Token.IsDeviceProtected);
            ProofGenerationRandomData random;
            if (preGenW == null)
            {
                random = ProofGenerationRandomData.Generate(n - disclosed.Length, generateCommitments ? committed.Length : 0, Zq, upkt.Token.IsDeviceProtected);
            }
            else
            {
                random = preGenW;
            }

            FieldZqElement[] x = new FieldZqElement[n];
            GroupElement temp = upkt.Token.H.Exponentiate(random.W0);
            int uIndex = 0;
            int dIndex = 0;
            int cIndex = 0;
            PresentationProof proof = new PresentationProof();
            proof.DisclosedAttributes = new byte[disclosed.Length][];
            int pseudonymRandomizerIndex = 0;
            if (generateCommitments)
            {
                proof.Commitments = new CommitmentValues[committed.Length];
                tildeO = new FieldZqElement[committed.Length];
            }
            HashFunction hash = ip.HashFunction;
            for (int i = 0; i < n; i++)
            {
                x[i] = ProtocolHelper.ComputeXi(ip, i, attributes[i]);
                if (!disclosed.Contains(i + 1))
                {
                    temp = temp * ip.G[i + 1].Exponentiate(random.W[uIndex]);
                    if (presentPseudonym)
                    {
                        if (pseudonymAttribIndex == (i + 1))
                        {
                            pseudonymRandomizerIndex = uIndex;
                        }
                    }

                    if (generateCommitments && committed.Contains(i + 1))
                    {
                        GroupElement tildeC = ip.Gq.G.Exponentiate(x[i]) * ip.G[1].Exponentiate(random.TildeO[cIndex]);
                        tildeO[cIndex] = random.TildeO[cIndex];
                        GroupElement temp2 = ip.Gq.G.Exponentiate(random.W[uIndex]) * ip.G[1].Exponentiate(random.TildeW[cIndex]);
                        hash.Hash(temp2);
                        byte[] tildeA = hash.Digest;
                        proof.Commitments[cIndex] = new CommitmentValues(tildeC, tildeA, null);

                        cIndex++;
                    }

                    uIndex++;
                }
                else if (generateCommitments && committed.Contains(i + 1))
                {
                    throw new ArgumentException("attribute " + (i + 1) + " cannot be both disclosed and committed");
                }
                else
                {
                    proof.DisclosedAttributes[dIndex] = attributes[i];
                    dIndex++;
                }
            }
            if (upkt.Token.IsDeviceProtected)
            {
                GroupElement ad;
                // pseudonym computed by device
                if (presentPseudonym && pseudonymAttribIndex == DeviceAttributeIndex)
                {
                    GroupElement apPrime;
                    GroupElement Ps;
                    ad = deviceContext.GetInitialWitnessesAndPseudonym(gs, out apPrime, out Ps);
                    hash.Hash(apPrime * gs.Exponentiate(random.Wd));
                    proof.Ap = hash.Digest;
                    proof.Ps = Ps;
                }
                else
                {
                    ad = deviceContext.GetInitialWitness();
                }
                temp = temp * ip.Gd.Exponentiate(random.Wd) * ad;
            }
            hash.Hash(temp);
            proof.a = hash.Digest;

            // pseudonym derived from one token attribute
            if (presentPseudonym && pseudonymAttribIndex != DeviceAttributeIndex)
            {
                hash.Hash(gs.Exponentiate(random.W[pseudonymRandomizerIndex]));
                proof.Ap = hash.Digest;
                proof.Ps = gs.Exponentiate(x[pseudonymAttribIndex - 1]);
            }

            byte[] mdPrime;
            FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upkt.Token, proof.a, pseudonymAttribIndex, proof.ap, proof.Ps, message, messageD, disclosed, GetDisclosedX(disclosed, x), committed, proof.Commitments, out mdPrime);
            proof.r = new FieldZqElement[1 + n - disclosed.Length + (upkt.Token.IsDeviceProtected ? 1 : 0)]; // r_0, {r_i} for undisclosed i, r_d
            proof.r[0] = c * upkt.PrivateKey + random.W0;
            uIndex = 1;
            for (int i = 1; i <= n; i++)
            {
                if (!disclosed.Contains(i))
                {
                    proof.r[uIndex] = c.Negate() * x[i - 1] + random.W[uIndex - 1];
                    uIndex++;
                }
            }
            if (upkt.Token.IsDeviceProtected)
            {
                proof.r[proof.r.Length - 1] = deviceContext.GetDeviceResponse(messageD, mdPrime, ip.HashFunctionOID) + random.Wd;
            }
            if (generateCommitments)
            {
                for (int i = 0; i < committed.Length; i++)
                {
                    proof.Commitments[i].TildeR = c.Negate() * random.TildeO[i] + random.TildeW[i];
                }
            }

            random.Clear();
            cpv = new CommitmentPrivateValues(tildeO);
            return proof;
        }
 public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
 {
     CommitmentPrivateValues cpv;
     PresentationProof proof = Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out cpv);
     tildeO = cpv.TildeO;
     return proof;
 }
 /// <summary>
 /// Multiply this element by the element e.
 /// </summary>
 /// <param name="e">The value to multiply this value by.</param>
 /// <returns>The value of this * e.</returns>
 public abstract FieldZqElement Multiply(FieldZqElement e);
 /// <summary>
 /// Constructs a new instance.
 /// </summary>
 /// <param name="tildeO">The <code>tildeO</code> value of the commitments.</param>
 public CommitmentPrivateValues(FieldZqElement[] tildeO)
 {
     TildeO = tildeO;
 }
 /// <summary>
 /// Convert a base64 string to a FieldElement[] using a specific FieldZq object.
 /// </summary>
 /// <param name="encodedElements">The encoded string to convert.</param>
 /// <param name="Zq">The fieldZq object to use.</param>
 /// <returns>The converted object.</returns>
 public static FieldZqElement[] ToFieldElementArray(this String[] encodedElements, FieldZq Zq)
 {
     if (encodedElements == null) return null;
     FieldZqElement[] fieldElements = new FieldZqElement[encodedElements.Length];
     for (int i = 0; i < encodedElements.Length; i++)
     {
         fieldElements[i] = encodedElements[i].ToFieldZqElement(Zq);
     }
     return fieldElements;
 }
 /// <summary>
 /// Exponentiate this value to the exponent power.
 /// </summary>
 /// <param name="exponent">The exponent to raise this value to.</param>
 /// <returns>This value to the exponent power.</returns>
 public abstract FieldZqElement ModPow(FieldZqElement exponent);
 /// <summary>
 /// Hash a FieldZqElement array.
 /// </summary>
 /// <param name="values">An array of FieldZqElements to be hashed.</param>
 public void Hash(FieldZqElement[] values)
 {
     if (values == null)
     {
         HashNull();
     }
     else
     {
         Hash(values.Length);
         foreach (FieldZqElement i in values)
         {
             Hash(i);
         }
     }
 }
 /// <summary>
 /// Divide this element by the element e. Does not check for division
 /// by 0 errors.
 /// </summary>
 /// <param name="e">The value to divide this value by.</param>
 /// <returns>The value of this / e</returns>
 public FieldZqElement Divide(FieldZqElement e)
 {
     return(this * e.Invert());
 }
        internal void OnDeserialized(StreamingContext context)
        {
            if (_uidp == null)
                throw new UProveSerializationException("uidp");
            if (_h == null)
                throw new UProveSerializationException("h");
            if (_sigmaZPrime == null)
                throw new UProveSerializationException("szp");
            if (_sigmaCPrime == null)
                throw new UProveSerializationException("scp");
            if (_sigmaRPrime == null)
                throw new UProveSerializationException("srp");
            
            // default to false if not provided
            if (_isDeviceProtected == null)
                _isDeviceProtected = false;

            this.uidp = _uidp.ToByteArray();
            this.h = _h.ToGroupElement(Serializer.ip);
            this.ti = _ti.ToByteArray();
            this.pi = _pi.ToByteArray();
            this.sigmaZPrime = _sigmaZPrime.ToGroupElement(Serializer.ip);
            this.sigmaCPrime = _sigmaCPrime.ToFieldZqElement(Serializer.ip.Zq);
            this.sigmaRPrime = _sigmaRPrime.ToFieldZqElement(Serializer.ip.Zq);
            this.isDeviceProtected = _isDeviceProtected.Value;
        }
 /// <summary>
 /// Constructs a new VirtualDevice instance.
 /// </summary>
 /// <param name="parameterSet">The parameter set.</param>
 /// <param name="xd">The device private key.</param>
 /// <param name="preGenWdPrime">The pregenerated w_d prime value (for one presentation)</param>
 public VirtualDevice(ParameterSet parameterSet, FieldZqElement xd, FieldZqElement preGenWdPrime)
     : this(parameterSet.Group, parameterSet.Gd, FieldZq.CreateFieldZq(parameterSet.Group.Q), xd, preGenWdPrime)
 {
 }
 /// <summary>
 /// Add the value to this value and return the result.
 /// </summary>
 /// <param name="e">The value to add to this value.</param>
 /// <returns>This value plus e.</returns>
 public abstract FieldZqElement Add(FieldZqElement e);
 /// <summary>
 /// Constructs a new instance.
 /// </summary>
 /// <param name="tildeC">The <code>tildeC</code> value.</param>
 /// <param name="tildeA">The <code>tildeA</code> value.</param>
 /// <param name="tildeR">The <code>tildeR</code> value.</param>
 public CommitmentValues(GroupElement tildeC, byte[] tildeA, FieldZqElement tildeR)
 {
     TildeC = tildeC;
     TildeA = tildeA;
     TildeR = tildeR;
 }
 /// <summary>
 /// Private constructor - takes and sets all fields.
 /// </summary>
 /// <param name="Gq">The group</param>
 /// <param name="gd">The device generator</param>
 /// <param name="Zq">The Field associated to the group <c>Gq</c></param>
 /// <param name="xd">The xd.</param>
 /// <param name="preGenWdPrime">The pre gen wd prime.</param>
 VirtualDevice(Group Gq, GroupElement gd, FieldZq Zq, FieldZqElement xd, FieldZqElement preGenWdPrime)
 {
     if (xd != null && !Zq.IsElement(xd))
     {
         throw new ArgumentException("xd is not a valid Zq element");
     }
     this.Gd = gd;
     this.Gq = Gq;
     this.Zq = Zq;
     this.xd = xd ?? this.Zq.GetRandomElement(true);     // assign xd a random value if null
     this.wdPrime = preGenWdPrime;
     this.hd = this.Gd.Exponentiate(this.xd);
 }
 /// <summary>
 /// Constructs a new <code>PresentationProof</code> instance.
 /// </summary>
 /// <param name="disclosedAttributes">The disclosed attributes.</param>
 /// <param name="a">The <code>a</code> value.</param>
 /// <param name="ap">The <code>ap</code> value.</param>
 /// <param name="ps">The <code>Ps</code> value.</param>
 /// <param name="r">The <code>r</code> values.</param>
 /// <param name="commitments">The commitments values.</param>
 public PresentationProof(byte[][] disclosedAttributes, byte[] a, byte[] ap, GroupElement ps, FieldZqElement[] r, CommitmentValues[] commitments)
 {
     this.disclosedAttributes = disclosedAttributes;
     this.a = a;
     this.ap = ap;
     this.ps = ps;
     this.r = r;
     this.commitments = commitments;
 }
            GroupElement IDevicePresentationContext.GetInitialWitness()
            {
                if (this.device == null)
                {
                    throw new DeviceException("Invalid context.");
                }
                if (this.wdPrime != null)
                {
                    throw new DeviceException("Initial witness already calculated.");
                }

                this.wdPrime = this.device.wdPrime ?? this.device.Zq.GetRandomElement(false);
                return this.device.Gd.Exponentiate(this.wdPrime);
            }
 /// <summary>
 /// Generates an array of random Zq elements.
 /// </summary>
 /// <param name="n">The number of elements to return.</param>
 /// <param name="nonZero">True to return non-zero elements.</param>
 /// <param name="maxBitLength">Maximum length of the random elements, or -1 for full size elements.</param>
 /// <returns>Random Zq elements.</returns>
 public FieldZqElement[] GetRandomElements(int n, bool nonZero, int maxBitLength = -1)
 {
     FieldZqElement[] r = new FieldZqElement[n];
     for (int i = 0; i < n; i++)
     {
         r[i] = GetRandomElement(nonZero, maxBitLength);
     }
     return r;
 }
 /// <summary>
 /// Hash a FieldZqElement.
 /// </summary>
 /// <param name="value">A field Zq element to be hashed.</param>
 public void Hash(FieldZqElement value)
 {
     if (value == null)
     {
         HashNull();
         return;
     }
     Hash(value.ToByteArray());
 }
 public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
 {
     GroupElement gs = ProtocolHelper.GenerateScopeElement(ip.Gq, pseudonymScope);
     return Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out tildeO); 
 }
 /// <summary>
 /// Returns true if the given element is an element from this field.
 /// </summary>
 /// <param name="element">The element to check.</param>
 /// <returns>True if the given element is an element from this field.</returns>
 public abstract bool IsElement(FieldZqElement element);
 // Helper method for Generate(...)
 private static FieldZqElement[] GetDisclosedX(int[] disclosed, FieldZqElement[] x)
 {
     FieldZqElement[] disclosedX = new FieldZqElement[disclosed.Length];
     int index = 0;
     foreach (int i in disclosed)
     {
         disclosedX[index++] = x[i - 1];
     }
     return disclosedX;
 }
 /// <summary>
 /// Constructs a new VirtualDevice instance.
 /// </summary>
 /// <param name="ip">The Issuer parameters.</param>
 /// <param name="xd">The device private key.</param>
 /// <param name="preGenWdPrime">The pregenerated w_d prime value (for one presentation)</param>
 public VirtualDevice(IssuerParameters ip, FieldZqElement xd, FieldZqElement preGenWdPrime)
     : this(ip.Gq, ip.Gd, ip.Zq, xd, preGenWdPrime)
 {
 }
 /// <summary>
 /// Clears the object.
 /// Note that this method does not guarantee the memory will be securely zeroized. 
 /// </summary>
 public void Clear()
 {
     w0 = null;
     if (w != null)
     {
         Array.Clear(w, 0, w.Length);
         w = null;
     }
     wd = null;
     if (tildeO != null)
     {
         Array.Clear(tildeO, 0, tildeO.Length);
         tildeO = null;
     }
     if (tildeW != null)
     {
         Array.Clear(tildeW, 0, tildeW.Length);
         tildeW = null;
     }
 }
 /// <summary>
 /// Constructs a new VirtualDevice instance.
 /// </summary>
 /// <param name="parameterSet">The parameter set.</param>
 /// <param name="xd">The device private key.</param>
 public VirtualDevice(ParameterSet parameterSet, FieldZqElement xd)
     : this(parameterSet, xd, null)
 { }
            GroupElement IDevicePresentationContext.GetInitialWitnessesAndPseudonym(GroupElement gs, out GroupElement apPrime, out GroupElement Ps)
            {
                if (this.device == null)
                {
                    throw new DeviceException("Invalid context.");
                }
                if (this.wdPrime != null)
                {
                    throw new DeviceException("Initial witness already calculated.");
                }

                this.wdPrime = this.device.wdPrime ?? this.device.Zq.GetRandomElement(false);
                
                // compute pseudonym
                apPrime = gs.Exponentiate(this.wdPrime);
                Ps = gs.Exponentiate(this.device.xd);

                // compute initial witness
                return this.device.Gd.Exponentiate(this.wdPrime);               
            }
 /// <summary>
 /// Subtracts e from this value and returns the result.
 /// </summary>
 /// <param name="e">The value to subtract from this value.</param>
 /// <returns>This value minus e.</returns>
 public FieldZqElement Subtract(FieldZqElement e)
 {
     return(this + e.Negate());
 }
Exemple #37
0
 /// <summary>
 /// Returns true if the given element is an element from this field.
 /// </summary>
 /// <param name="element">The element to check.</param>
 /// <returns>True if the given element is an element from this field.</returns>
 public abstract bool IsElement(FieldZqElement element);
 /// <summary>
 /// Constructs a new VirtualDevice instance.
 /// </summary>
 /// <param name="ip">The Issuer parameters.</param>
 /// <param name="xd">The device private key.</param>
 public VirtualDevice(IssuerParameters ip, FieldZqElement xd)
     : this(ip, xd, null)
 {}