/// <summary> /// Constructs a new <code>Prover</code> instance. /// </summary> /// <param name="ip">The Issuer parameters.</param> /// <param name="psms">The post second message state.</param> public Prover(IssuerParameters ip, PostSecondMessageState psms) { psms.Validate(); this.ip = ip; this.numberOfTokens = psms.AlphaInverse.Length; this.TI = psms.TI; this.PI = psms.PI; this.isDeviceProtected = psms.IsDeviceProtected; this.beta2 = psms.Beta2; this.h = psms.H; this.sigmaZPrime = psms.SigmaZPrime; this.sigmaAPrime = psms.SigmaAPrime; this.sigmaBPrime = psms.SigmaBPrime; this.sigmaCPrime = psms.SigmaCPrime; ukat = new UProveKeyAndToken[numberOfTokens]; for (int i = 0; i < numberOfTokens; i++) { ukat[i] = new UProveKeyAndToken(); ukat[i].PrivateKey = psms.AlphaInverse[i]; } state = State.Second; }
private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData) { Group Gq = ip.Gq; FieldZq Zq = ip.Zq; if (pregeneratedRandomData == null) { alpha = Zq.GetRandomElements(numberOfTokens, true); beta1 = Zq.GetRandomElements(numberOfTokens, false); beta2 = Zq.GetRandomElements(numberOfTokens, false); } else { alpha = pregeneratedRandomData.Alpha; beta1 = pregeneratedRandomData.Beta1; beta2 = pregeneratedRandomData.Beta2; } h = new GroupElement[numberOfTokens]; t1 = new GroupElement[numberOfTokens]; t2 = new GroupElement[numberOfTokens]; ukat = new UProveKeyAndToken[numberOfTokens]; for (int i = 0; i < numberOfTokens; i++) { ukat[i] = new UProveKeyAndToken(); h[i] = gamma.Exponentiate(alpha[i]); t1[i] = ip.G[0].Exponentiate(beta1[i]) * Gq.G.Exponentiate(beta2[i]); t2[i] = h[i].Exponentiate(beta2[i]); ukat[i].PrivateKey = alpha[i].Invert(); } state = State.Initialized; }
private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData) { Group Gq = ip.Gq; FieldZq Zq = ip.Zq; if (pregeneratedRandomData == null) { alpha = Zq.GetRandomElements(numberOfTokens, true); beta1 = Zq.GetRandomElements(numberOfTokens, false); beta2 = Zq.GetRandomElements(numberOfTokens, false); } else { alpha = pregeneratedRandomData.Alpha; beta1 = pregeneratedRandomData.Beta1; beta2 = pregeneratedRandomData.Beta2; } h = new GroupElement[numberOfTokens]; t1 = new GroupElement[numberOfTokens]; // we don't compute t2 in the precomputation since we prefer to // compute h^beta2 as part of the sigmaBPrime multi-exponentiation ukat = new UProveKeyAndToken[numberOfTokens]; for (int i = 0; i < numberOfTokens; i++) { ukat[i] = new UProveKeyAndToken(); h[i] = gamma.Exponentiate(alpha[i].Multiply(beta0Inverse)); // remove collab issuance blind, if present t1[i] = Gq.MultiExponentiate(new GroupElement[] { ip.G[0], Gq.G }, new FieldZqElement[] { beta1[i], beta2[i] }); ukat[i].PrivateKey = alpha[i].Invert(); } state = State.Initialized; }
/// <summary> /// Constructs a <code>ProverPresentationProtocolParameters</code> instance. /// </summary> /// <param name="ip">The issuer parameters.</param> /// <param name="disclosed">Disclosed attribute indices.</param> /// <param name="message">Presentation message.</param> /// <param name="keyAndToken">Presented key and token.</param> /// <param name="attributes">Token attributes.</param> public ProverPresentationProtocolParameters(IssuerParameters ip, int[] disclosed, byte[] message, UProveKeyAndToken keyAndToken, byte[][] attributes) { IP = ip; Disclosed = disclosed; Message = message; KeyAndToken = keyAndToken; Attributes = attributes; }
/// <summary> /// Indicates that attributes are carried over from the source token into the new one. /// </summary> /// <param name="sourceIndex">The indices of the attributes in the existing token.</param> /// <param name="destinationIndex">The indices of the attributes in the new token.</param> /// /// <param name="sourceIP">The Issuer Parameters used to issue the source token. This can be the same as <c>Ip</c> if the /// same Issuer issues the source and new tokens.</param> /// <param name="sourceKeyAndToken">The source key and token.</param> /// <param name="sourceAttributes">The attributes in the source token.</param> public void CarryOverAttribute(int[] sourceIndex, int[] destinationIndex, IssuerParameters sourceIP, UProveKeyAndToken sourceKeyAndToken, byte[][] sourceAttributes) { if (sourceIndex == null || destinationIndex == null || sourceIP == null || sourceKeyAndToken == null || sourceAttributes == null) { throw new ArgumentNullException("arguments can't be null"); } if (sourceIndex.Length != destinationIndex.Length) { throw new ArgumentException("sourceIndex and destinationIndex must have the same lenght"); } if (!sourceKeyAndToken.Token.Uidp.SequenceEqual <byte>(sourceIP.UidP)) { throw new ArgumentException("sourceToken and sourceIP do not match"); } C = destinationIndex; Corig = sourceIndex; SourceIP = sourceIP; KeyAndToken = sourceKeyAndToken; SourceAttributes = sourceAttributes; HasCarryOverAttributes = true; }
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO) { CommitmentPrivateValues cpv; PresentationProof proof = Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out cpv); tildeO = cpv.TildeO; return proof; }
/// <summary> /// Generates a presentation proof including optionally presenting a pseudonym, creating attribute commitments, and passing pre-generated random values. /// </summary> /// <param name="ip">The issuer parameters corresponding to <code>upkt</code>.</param> /// <param name="disclosed">An ordered array of disclosed attribute indices.</param> /// <param name="committed">An ordered array of committed attribute indices.</param> /// <param name="pseudonymAttribIndex">Index of the attribute used to create a scope-exclusive pseudonym, or 0 if no pseudonym is to be presented. The index must not be part of the disclosed attributes.</param> /// <param name="gs">The pseudonym scope element, or null if no pseudonym is to be presented.</param> /// <param name="message">The presentation message.</param> /// <param name="messageD">The message for the Device, or null.</param> /// <param name="deviceContext">The active device context, if token is device-protected, or null.</param> /// <param name="upkt">The U-Proke key and token.</param> /// <param name="attributes">The token attributes.</param> /// <param name="preGenW">Optional pregenerated random data for the proof generation.</param> /// <param name="cpv">Returned commitment private values if commitments are computed.</param> /// <returns>A presentation proof.</returns> internal static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out CommitmentPrivateValues cpv) { if (upkt.Token.IsDeviceProtected && deviceContext == null) { throw new ArgumentNullException("Device context is not initialized"); } bool generateCommitments = (committed != null && committed.Length > 0); FieldZqElement[] tildeO = null; // make sure disclosed and committed lists are sorted if (disclosed == null) { // can't be null later, so make it an empty array disclosed = new int[] { }; } Array.Sort(disclosed); if (generateCommitments) { Array.Sort(committed); } int n = 0; if (ip.E != null) n = ip.E.Length; bool presentPseudonym = false; if (gs != null) { if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex)) { throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)"); } if (disclosed.Contains(pseudonymAttribIndex)) { throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array"); } presentPseudonym = true; } else if (pseudonymAttribIndex > 0) { throw new ArgumentNullException("gs is null"); } else { pseudonymAttribIndex = 0; } Group Gq = ip.Gq; FieldZq Zq = ip.Zq; FieldZqElement xt = ProtocolHelper.ComputeXt(ip, upkt.Token.TI, upkt.Token.IsDeviceProtected); ProofGenerationRandomData random; if (preGenW == null) { random = ProofGenerationRandomData.Generate(n - disclosed.Length, generateCommitments ? committed.Length : 0, Zq, upkt.Token.IsDeviceProtected); } else { random = preGenW; } FieldZqElement[] x = new FieldZqElement[n]; GroupElement temp = upkt.Token.H.Exponentiate(random.W0); int uIndex = 0; int dIndex = 0; int cIndex = 0; PresentationProof proof = new PresentationProof(); proof.DisclosedAttributes = new byte[disclosed.Length][]; int pseudonymRandomizerIndex = 0; if (generateCommitments) { proof.Commitments = new CommitmentValues[committed.Length]; tildeO = new FieldZqElement[committed.Length]; } HashFunction hash = ip.HashFunction; for (int i = 0; i < n; i++) { x[i] = ProtocolHelper.ComputeXi(ip, i, attributes[i]); if (!disclosed.Contains(i + 1)) { temp = temp * ip.G[i + 1].Exponentiate(random.W[uIndex]); if (presentPseudonym) { if (pseudonymAttribIndex == (i + 1)) { pseudonymRandomizerIndex = uIndex; } } if (generateCommitments && committed.Contains(i + 1)) { GroupElement tildeC = ip.Gq.G.Exponentiate(x[i]) * ip.G[1].Exponentiate(random.TildeO[cIndex]); tildeO[cIndex] = random.TildeO[cIndex]; GroupElement temp2 = ip.Gq.G.Exponentiate(random.W[uIndex]) * ip.G[1].Exponentiate(random.TildeW[cIndex]); hash.Hash(temp2); byte[] tildeA = hash.Digest; proof.Commitments[cIndex] = new CommitmentValues(tildeC, tildeA, null); cIndex++; } uIndex++; } else if (generateCommitments && committed.Contains(i + 1)) { throw new ArgumentException("attribute " + (i + 1) + " cannot be both disclosed and committed"); } else { proof.DisclosedAttributes[dIndex] = attributes[i]; dIndex++; } } if (upkt.Token.IsDeviceProtected) { GroupElement ad; // pseudonym computed by device if (presentPseudonym && pseudonymAttribIndex == DeviceAttributeIndex) { GroupElement apPrime; GroupElement Ps; ad = deviceContext.GetInitialWitnessesAndPseudonym(gs, out apPrime, out Ps); hash.Hash(apPrime * gs.Exponentiate(random.Wd)); proof.Ap = hash.Digest; proof.Ps = Ps; } else { ad = deviceContext.GetInitialWitness(); } temp = temp * ip.Gd.Exponentiate(random.Wd) * ad; } hash.Hash(temp); proof.a = hash.Digest; // pseudonym derived from one token attribute if (presentPseudonym && pseudonymAttribIndex != DeviceAttributeIndex) { hash.Hash(gs.Exponentiate(random.W[pseudonymRandomizerIndex])); proof.Ap = hash.Digest; proof.Ps = gs.Exponentiate(x[pseudonymAttribIndex - 1]); } byte[] mdPrime; FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upkt.Token, proof.a, pseudonymAttribIndex, proof.ap, proof.Ps, message, messageD, disclosed, GetDisclosedX(disclosed, x), committed, proof.Commitments, out mdPrime); proof.r = new FieldZqElement[1 + n - disclosed.Length + (upkt.Token.IsDeviceProtected ? 1 : 0)]; // r_0, {r_i} for undisclosed i, r_d proof.r[0] = c * upkt.PrivateKey + random.W0; uIndex = 1; for (int i = 1; i <= n; i++) { if (!disclosed.Contains(i)) { proof.r[uIndex] = c.Negate() * x[i - 1] + random.W[uIndex - 1]; uIndex++; } } if (upkt.Token.IsDeviceProtected) { proof.r[proof.r.Length - 1] = deviceContext.GetDeviceResponse(messageD, mdPrime, ip.HashFunctionOID) + random.Wd; } if (generateCommitments) { for (int i = 0; i < committed.Length; i++) { proof.Commitments[i].TildeR = c.Negate() * random.TildeO[i] + random.TildeW[i]; } } random.Clear(); cpv = new CommitmentPrivateValues(tildeO); return proof; }
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes) { GroupElement gs = null; FieldZqElement[] unused; return(Generate(ip, disclosed, null, 0, gs, message, messageD, deviceContext, upkt, attributes, null, out unused)); }
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, out FieldZqElement[] tildeO) { return(Generate(ip, disclosed, committed, pseudonymAttribIndex, pseudonymScope, message, messageD, deviceContext, upkt, attributes, null, out tildeO)); }
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO) { GroupElement gs = ProtocolHelper.GenerateScopeElement(ip.Gq, pseudonymScope); return(Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out tildeO)); }
private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData) { Group Gq = ip.Gq; FieldZq Zq = ip.Zq; if (pregeneratedRandomData == null) { alpha = Zq.GetRandomElements(numberOfTokens, true); beta1 = Zq.GetRandomElements(numberOfTokens, false); beta2 = Zq.GetRandomElements(numberOfTokens, false); } else { alpha = pregeneratedRandomData.Alpha; beta1 = pregeneratedRandomData.Beta1; beta2 = pregeneratedRandomData.Beta2; } h = new GroupElement[numberOfTokens]; t1 = new GroupElement[numberOfTokens]; t2 = new GroupElement[numberOfTokens]; ukat = new UProveKeyAndToken[numberOfTokens]; for (int i = 0; i < numberOfTokens; i++) { ukat[i] = new UProveKeyAndToken(); h[i] = gamma.Exponentiate(alpha[i]); t1[i] = ip.G[0].Exponentiate(beta1[i]) * Gq.G.Exponentiate(beta2[i]); t2[i] = h[i].Exponentiate(beta2[i]); ukat[i].PrivateKey = alpha[i].Invert(); } state = State.Initialized; }
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes) { GroupElement gs = null; FieldZqElement[] unused; return Generate(ip, disclosed, null, 0, gs, message, messageD, deviceContext, upkt, attributes, null, out unused); }
public PresentationProofComposite proveToken(string[] attributesParam, int[] disclosedIndices, int[] committedIndices, string messageParam, string verifierScopeParam, IssuerParametersComposite ipc, UProveTokenComposite tokenComposite, byte[] tokenPrivateKeyParam, string sessionID) { /* * token presentation */ cOut.write("Presenting a U-Prove token"); VerifySessionId(sessionID); try { // specify the attribute values agreed to by the Issuer and Prover int numberOfAttributes = attributesParam.Length; byte[][] attributes = new byte[numberOfAttributes][]; for (int i = 0; i < numberOfAttributes; i++) { attributes[i] = encoding.GetBytes(attributesParam[i]); } IssuerParameters ip = ConvertUtils.convertIssuerParametersComposite(ipc, sessionDB[sessionID]); // the application-specific message that the prover will sign. Typically this is a nonce combined // with any application-specific transaction data to be signed. byte[] message = encoding.GetBytes(messageParam); // the application-specific verifier scope from which a scope-exclusive pseudonym will be created // (if null, then a pseudonym will not be presented) byte[] scope = null; if (verifierScopeParam != null && verifierScopeParam != "null") { scope = encoding.GetBytes(verifierScopeParam); } // generate the presentation proof UProveToken uProveToken = ConvertUtils.convertUProveTokenComposite(ip, tokenComposite); byte[] bigInt = tokenPrivateKeyParam; DeviceManager dManager = sessionDB[sessionID].deviceManager; UProveKeyAndToken keyAndToken = new UProveKeyAndToken(); keyAndToken.PrivateKey = new BigInteger(1, bigInt); keyAndToken.Token = uProveToken; byte[] proofSession = null; if (!dManager.IsVirtualDevice) { SmartCardDevice smartDevice = (SmartCardDevice)dManager.GetDevice(); smartDevice.ProofSession = smartDevice.Device.BeginCommitment(1); byte[] proofSessionRaw = smartDevice.ProofSession; proofSession = new byte[1 + proofSessionRaw.Length]; proofSession[0] = 1; Buffer.BlockCopy(proofSessionRaw, 0, proofSession, 1, proofSessionRaw.Length); } BigInteger[] commitmentValues; PresentationProof p = PresentationProof.Generate(ip, disclosedIndices, committedIndices, scope != null ? DevicePseudonymIndex : 0, scope, message, proofSession, dManager.GetDevice().GetPresentationContext(), keyAndToken, attributes, out commitmentValues); #if DEBUG dManager.pDebug = p; #endif return ConvertUtils.convertPresentationProof(p, commitmentValues, ProtocolHelper.ComputeTokenID(ip, uProveToken), proofSession); } catch (Exception e) { cOut.write(e.ToString()); DebugUtils.DebugPrint(e.StackTrace.ToString()); } return null; }
/// <summary> /// Constructs a <code>ProverPresentationProtocolParameters</code> instance. /// </summary> /// <param name="ip">The issuer parameters.</param> /// <param name="disclosed">Disclosed attribute indices.</param> /// <param name="message">Presentation message.</param> /// <param name="keyAndToken">Presented key and token.</param> /// <param name="attributes">Token attributes.</param> public ProverPresentationProtocolParameters(IssuerParameters ip, int[] disclosed, byte[] message, UProveKeyAndToken keyAndToken, byte[][] attributes) { IP = ip; Disclosed = disclosed; Message = message; KeyAndToken = keyAndToken; Attributes = attributes; }
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO) { GroupElement gs = ProtocolHelper.GenerateScopeElement(ip.Gq, pseudonymScope); return Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out tildeO); }
/// <summary> /// Generates a presentation proof including optionally presenting a pseudonym, creating attribute commitments, and passing pre-generated random values. /// </summary> /// <param name="ip">The issuer parameters corresponding to <code>upkt</code>.</param> /// <param name="disclosed">An ordered array of disclosed attribute indices.</param> /// <param name="committed">An ordered array of committed attribute indices.</param> /// <param name="pseudonymAttribIndex">Index of the attribute used to create a scope-exclusive pseudonym, or 0 if no pseudonym is to be presented. The index must not be part of the disclosed attributes.</param> /// <param name="gs">The pseudonym scope element, or null if no pseudonym is to be presented.</param> /// <param name="message">The presentation message.</param> /// <param name="messageD">The message for the Device, or null.</param> /// <param name="deviceContext">The active device context, if token is device-protected, or null.</param> /// <param name="upkt">The U-Proke key and token.</param> /// <param name="attributes">The token attributes.</param> /// <param name="preGenW">Optional pregenerated random data for the proof generation.</param> /// <param name="cpv">Returned commitment private values if commitments are computed.</param> /// <returns>A presentation proof.</returns> internal static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out CommitmentPrivateValues cpv) { if (upkt.Token.IsDeviceProtected && deviceContext == null) { throw new ArgumentNullException("Device context is not initialized"); } bool generateCommitments = (committed != null && committed.Length > 0); FieldZqElement[] tildeO = null; // make sure disclosed and committed lists are sorted if (disclosed == null) { // can't be null later, so make it an empty array disclosed = new int[] { }; } Array.Sort(disclosed); if (generateCommitments) { Array.Sort(committed); } int n = 0; if (ip.E != null) { n = ip.E.Length; if (n != attributes.Length) { throw new ArgumentException("number of attributes is inconsistent with issuer parameters"); } } bool presentPseudonym = false; if (gs != null) { if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex)) { throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)"); } if (disclosed.Contains(pseudonymAttribIndex)) { throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array"); } presentPseudonym = true; } else if (pseudonymAttribIndex > 0) { throw new ArgumentNullException("gs is null"); } else { pseudonymAttribIndex = 0; } Group Gq = ip.Gq; FieldZq Zq = ip.Zq; FieldZqElement xt = ProtocolHelper.ComputeXt(ip, upkt.Token.TI, upkt.Token.IsDeviceProtected); ProofGenerationRandomData random; if (preGenW == null) { random = ProofGenerationRandomData.Generate(n - disclosed.Length, generateCommitments ? committed.Length : 0, Zq, upkt.Token.IsDeviceProtected); } else { random = preGenW; } // set up the multi-exponentiation arrays, with h^w0 as the first term int multiExpArraySize = 1 + (n - disclosed.Length) + (upkt.Token.IsDeviceProtected ? 1 : 0); GroupElement[] bases = new GroupElement[multiExpArraySize]; FieldZqElement[] exponents = new FieldZqElement[multiExpArraySize]; int multiExpIndex = 0; bases[multiExpIndex] = upkt.Token.H; exponents[multiExpIndex++] = random.W0; FieldZqElement[] x = new FieldZqElement[n]; int uIndex = 0; int dIndex = 0; int cIndex = 0; PresentationProof proof = new PresentationProof(); proof.DisclosedAttributes = new byte[disclosed.Length][]; int pseudonymRandomizerIndex = 0; if (generateCommitments) { proof.Commitments = new CommitmentValues[committed.Length]; tildeO = new FieldZqElement[committed.Length]; } HashFunction hash = ip.HashFunction; GroupElement[] cBases = new GroupElement[2] { Gq.G, ip.G[1] }; for (int i = 0; i < n; i++) { x[i] = ProtocolHelper.ComputeXi(ip, i, attributes[i]); if (!disclosed.Contains(i + 1)) { bases[multiExpIndex] = ip.G[i + 1]; exponents[multiExpIndex++] = random.W[uIndex]; if (presentPseudonym) { if (pseudonymAttribIndex == (i + 1)) { pseudonymRandomizerIndex = uIndex; } } if (generateCommitments && committed.Contains(i + 1)) { GroupElement tildeC = ip.Gq.MultiExponentiate(cBases, new FieldZqElement[2] { x[i], random.TildeO[cIndex] }); tildeO[cIndex] = random.TildeO[cIndex]; GroupElement temp2 = ip.Gq.MultiExponentiate(cBases, new FieldZqElement[2] { random.W[uIndex], random.TildeW[cIndex] }); hash.Hash(temp2); byte[] tildeA = hash.Digest; proof.Commitments[cIndex] = new CommitmentValues(tildeC, tildeA, null); cIndex++; } uIndex++; } else if (generateCommitments && committed.Contains(i + 1)) { throw new ArgumentException("attribute " + (i + 1) + " cannot be both disclosed and committed"); } else { proof.DisclosedAttributes[dIndex] = attributes[i]; dIndex++; } } GroupElement aPreImage; if (upkt.Token.IsDeviceProtected) { GroupElement ad; // pseudonym computed by device if (presentPseudonym && pseudonymAttribIndex == DeviceAttributeIndex) { GroupElement apPrime; GroupElement Ps; ad = deviceContext.GetInitialWitnessesAndPseudonym(gs, out apPrime, out Ps); hash.Hash(apPrime * gs.Exponentiate(random.Wd)); proof.Ap = hash.Digest; proof.Ps = Ps; } else { ad = deviceContext.GetInitialWitness(); } bases[multiExpIndex] = ip.Gd; exponents[multiExpIndex++] = random.Wd; aPreImage = Gq.MultiExponentiate(bases, exponents) * ad; } else { aPreImage = Gq.MultiExponentiate(bases, exponents); } hash.Hash(aPreImage); proof.a = hash.Digest; // pseudonym derived from one token attribute if (presentPseudonym && pseudonymAttribIndex != DeviceAttributeIndex) { hash.Hash(gs.Exponentiate(random.W[pseudonymRandomizerIndex])); proof.Ap = hash.Digest; proof.Ps = gs.Exponentiate(x[pseudonymAttribIndex - 1]); } byte[] mdPrime; FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upkt.Token, proof.a, pseudonymAttribIndex, proof.ap, proof.Ps, message, messageD, disclosed, GetDisclosedX(disclosed, x), committed, proof.Commitments, out mdPrime); proof.r = new FieldZqElement[1 + n - disclosed.Length + (upkt.Token.IsDeviceProtected ? 1 : 0)]; // r_0, {r_i} for undisclosed i, r_d proof.r[0] = c * upkt.PrivateKey + random.W0; uIndex = 1; for (int i = 1; i <= n; i++) { if (!disclosed.Contains(i)) { proof.r[uIndex] = c.Negate() * x[i - 1] + random.W[uIndex - 1]; uIndex++; } } if (upkt.Token.IsDeviceProtected) { proof.r[proof.r.Length - 1] = deviceContext.GetDeviceResponse(messageD, mdPrime, ip.HashFunctionOID) + random.Wd; } if (generateCommitments) { for (int i = 0; i < committed.Length; i++) { proof.Commitments[i].TildeR = c.Negate() * random.TildeO[i] + random.TildeW[i]; } } random.Clear(); cpv = new CommitmentPrivateValues(tildeO); return(proof); }
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, out FieldZqElement[] tildeO) { return Generate(ip, disclosed, committed, pseudonymAttribIndex, pseudonymScope, message, messageD, deviceContext, upkt, attributes, null, out tildeO); }
public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO) { CommitmentPrivateValues cpv; PresentationProof proof = Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out cpv); tildeO = cpv.TildeO; return(proof); }
private static CommitmentPrivateValues PresentUProveToken(IssuerParameters ip, UProveKeyAndToken upkt, byte[][] attributes, int[] disclosed, int[] committed, byte[] message, byte[] scope, IDevice device, byte[] deviceMessage) { WriteLine("Presenting one token"); // the returned commitment randomizer (to be used by an external proof module) CommitmentPrivateValues cpv; // generate the presentation proof string token = ip.Serialize<UProveToken>(upkt.Token); ProverPresentationProtocolParameters pppp = new ProverPresentationProtocolParameters(ip, disclosed, message, upkt, attributes); pppp.Committed = committed; // if a scope is defined, we use the first attribute to derive a scope exclusive pseudonym pppp.PseudonymAttributeIndex = (scope == null ? 0 : 1); pppp.PseudonymScope = scope; if (device != null) { pppp.SetDeviceData(deviceMessage, device.GetPresentationContext()); } pppp.KeyAndToken = upkt; pppp.Attributes = attributes; string proof = ip.Serialize<PresentationProof>(PresentationProof.Generate(pppp, out cpv)); // verify the presentation proof VerifierPresentationProtocolParameters vppp = new VerifierPresentationProtocolParameters(ip, disclosed, message, ip.Deserialize<UProveToken>(token)); vppp.Committed = committed; // if a scope is defined, we use the first attribute to derive a scope exclusive pseudonym vppp.PseudonymAttributeIndex = (scope == null ? 0 : 1); vppp.PseudonymScope = scope; vppp.DeviceMessage = deviceMessage; ip.Deserialize<PresentationProof>(proof).Verify(vppp); return cpv; }
/// <summary> /// Constructs a new <code>Prover</code> instance. /// </summary> /// <param name="ip">The Issuer parameters.</param> /// <param name="psms">The post second message state.</param> public Prover(IssuerParameters ip, PostSecondMessageState psms) { psms.Validate(); this.ip = ip; this.numberOfTokens = psms.AlphaInverse.Length; this.TI = psms.TI; this.PI = psms.PI; this.isDeviceProtected = psms.IsDeviceProtected; this.beta2 = psms.Beta2; this.h = psms.H; this.sigmaZPrime = psms.SigmaZPrime; this.sigmaAPrime = psms.SigmaAPrime; this.sigmaBPrime = psms.SigmaBPrime; this.sigmaCPrime = psms.SigmaCPrime; ukat = new UProveKeyAndToken[numberOfTokens]; for (int i = 0; i < numberOfTokens; i++) { ukat[i] = new UProveKeyAndToken(); ukat[i].PrivateKey = psms.AlphaInverse[i]; } state = State.Second; }