Exemplo n.º 1
0
        /// <summary>
        /// Constructs a new <code>Prover</code> instance.
        /// </summary>
        /// <param name="ip">The Issuer parameters.</param>
        /// <param name="psms">The post second message state.</param>
        public Prover(IssuerParameters ip, PostSecondMessageState psms)
        {
            psms.Validate();

            this.ip                = ip;
            this.numberOfTokens    = psms.AlphaInverse.Length;
            this.TI                = psms.TI;
            this.PI                = psms.PI;
            this.isDeviceProtected = psms.IsDeviceProtected;
            this.beta2             = psms.Beta2;

            this.h           = psms.H;
            this.sigmaZPrime = psms.SigmaZPrime;
            this.sigmaAPrime = psms.SigmaAPrime;
            this.sigmaBPrime = psms.SigmaBPrime;
            this.sigmaCPrime = psms.SigmaCPrime;

            ukat = new UProveKeyAndToken[numberOfTokens];
            for (int i = 0; i < numberOfTokens; i++)
            {
                ukat[i]            = new UProveKeyAndToken();
                ukat[i].PrivateKey = psms.AlphaInverse[i];
            }

            state = State.Second;
        }
Exemplo n.º 2
0
        private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData)
        {
            Group   Gq = ip.Gq;
            FieldZq Zq = ip.Zq;

            if (pregeneratedRandomData == null)
            {
                alpha = Zq.GetRandomElements(numberOfTokens, true);
                beta1 = Zq.GetRandomElements(numberOfTokens, false);
                beta2 = Zq.GetRandomElements(numberOfTokens, false);
            }
            else
            {
                alpha = pregeneratedRandomData.Alpha;
                beta1 = pregeneratedRandomData.Beta1;
                beta2 = pregeneratedRandomData.Beta2;
            }
            h    = new GroupElement[numberOfTokens];
            t1   = new GroupElement[numberOfTokens];
            t2   = new GroupElement[numberOfTokens];
            ukat = new UProveKeyAndToken[numberOfTokens];
            for (int i = 0; i < numberOfTokens; i++)
            {
                ukat[i]            = new UProveKeyAndToken();
                h[i]               = gamma.Exponentiate(alpha[i]);
                t1[i]              = ip.G[0].Exponentiate(beta1[i]) * Gq.G.Exponentiate(beta2[i]);
                t2[i]              = h[i].Exponentiate(beta2[i]);
                ukat[i].PrivateKey = alpha[i].Invert();
            }
            state = State.Initialized;
        }
Exemplo n.º 3
0
        private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData)
        {
            Group   Gq = ip.Gq;
            FieldZq Zq = ip.Zq;

            if (pregeneratedRandomData == null)
            {
                alpha = Zq.GetRandomElements(numberOfTokens, true);
                beta1 = Zq.GetRandomElements(numberOfTokens, false);
                beta2 = Zq.GetRandomElements(numberOfTokens, false);
            }
            else
            {
                alpha = pregeneratedRandomData.Alpha;
                beta1 = pregeneratedRandomData.Beta1;
                beta2 = pregeneratedRandomData.Beta2;
            }

            h  = new GroupElement[numberOfTokens];
            t1 = new GroupElement[numberOfTokens];
            // we don't compute t2 in the precomputation since we prefer to
            // compute h^beta2 as part of the sigmaBPrime multi-exponentiation
            ukat = new UProveKeyAndToken[numberOfTokens];
            for (int i = 0; i < numberOfTokens; i++)
            {
                ukat[i]            = new UProveKeyAndToken();
                h[i]               = gamma.Exponentiate(alpha[i].Multiply(beta0Inverse)); // remove collab issuance blind, if present
                t1[i]              = Gq.MultiExponentiate(new GroupElement[] { ip.G[0], Gq.G }, new FieldZqElement[] { beta1[i], beta2[i] });
                ukat[i].PrivateKey = alpha[i].Invert();
            }
            state = State.Initialized;
        }
 /// <summary>
 /// Constructs a <code>ProverPresentationProtocolParameters</code> instance.
 /// </summary>
 /// <param name="ip">The issuer parameters.</param>
 /// <param name="disclosed">Disclosed attribute indices.</param>
 /// <param name="message">Presentation message.</param>
 /// <param name="keyAndToken">Presented key and token.</param>
 /// <param name="attributes">Token attributes.</param>
 public ProverPresentationProtocolParameters(IssuerParameters ip, int[] disclosed, byte[] message, UProveKeyAndToken keyAndToken, byte[][] attributes)
 {
     IP          = ip;
     Disclosed   = disclosed;
     Message     = message;
     KeyAndToken = keyAndToken;
     Attributes  = attributes;
 }
Exemplo n.º 5
0
 /// <summary>
 /// Indicates that attributes are carried over from the source token into the new one.
 /// </summary>
 /// <param name="sourceIndex">The indices of the attributes in the existing token.</param>
 /// <param name="destinationIndex">The indices of the attributes in the new token.</param>
 /// /// <param name="sourceIP">The Issuer Parameters used to issue the source token. This can be the same as <c>Ip</c> if the
 /// same Issuer issues the source and new tokens.</param>
 /// <param name="sourceKeyAndToken">The source key and token.</param>
 /// <param name="sourceAttributes">The attributes in the source token.</param>
 public void CarryOverAttribute(int[] sourceIndex, int[] destinationIndex, IssuerParameters sourceIP, UProveKeyAndToken sourceKeyAndToken, byte[][] sourceAttributes)
 {
     if (sourceIndex == null || destinationIndex == null || sourceIP == null || sourceKeyAndToken == null || sourceAttributes == null)
     {
         throw new ArgumentNullException("arguments can't be null");
     }
     if (sourceIndex.Length != destinationIndex.Length)
     {
         throw new ArgumentException("sourceIndex and destinationIndex must have the same lenght");
     }
     if (!sourceKeyAndToken.Token.Uidp.SequenceEqual <byte>(sourceIP.UidP))
     {
         throw new ArgumentException("sourceToken and sourceIP do not match");
     }
     C                      = destinationIndex;
     Corig                  = sourceIndex;
     SourceIP               = sourceIP;
     KeyAndToken            = sourceKeyAndToken;
     SourceAttributes       = sourceAttributes;
     HasCarryOverAttributes = true;
 }
 public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
 {
     CommitmentPrivateValues cpv;
     PresentationProof proof = Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out cpv);
     tildeO = cpv.TildeO;
     return proof;
 }
        /// <summary>
        /// Generates a presentation proof including optionally presenting a pseudonym, creating attribute commitments, and passing pre-generated random values.
        /// </summary>
        /// <param name="ip">The issuer parameters corresponding to <code>upkt</code>.</param>
        /// <param name="disclosed">An ordered array of disclosed attribute indices.</param>
        /// <param name="committed">An ordered array of committed attribute indices.</param>
        /// <param name="pseudonymAttribIndex">Index of the attribute used to create a scope-exclusive pseudonym, or 0 if no pseudonym is to be presented. The index must not be part of the disclosed attributes.</param>
        /// <param name="gs">The pseudonym scope element, or null if no pseudonym is to be presented.</param>
        /// <param name="message">The presentation message.</param>
        /// <param name="messageD">The message for the Device, or null.</param>
        /// <param name="deviceContext">The active device context, if token is device-protected, or null.</param>
        /// <param name="upkt">The U-Proke key and token.</param>
        /// <param name="attributes">The token attributes.</param>
        /// <param name="preGenW">Optional pregenerated random data for the proof generation.</param>
        /// <param name="cpv">Returned commitment private values if commitments are computed.</param>
        /// <returns>A presentation proof.</returns>
        internal static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out CommitmentPrivateValues cpv)
        {
            if (upkt.Token.IsDeviceProtected && deviceContext == null)
            {
                throw new ArgumentNullException("Device context is not initialized");
            }
            bool generateCommitments = (committed != null && committed.Length > 0);
            FieldZqElement[] tildeO = null;

            // make sure disclosed and committed lists are sorted
            if (disclosed == null)
            {
                // can't be null later, so make it an empty array
                disclosed = new int[] { };
            }
            Array.Sort(disclosed);
            if (generateCommitments)
            {
                Array.Sort(committed);
            }

            int n = 0;
            if (ip.E != null)
                n = ip.E.Length;

            bool presentPseudonym = false;

            if (gs != null)
            {
                if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex))
                {
                    throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)");
                }
                if (disclosed.Contains(pseudonymAttribIndex))
                {
                    throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array");
                }
                presentPseudonym = true;
            }
            else if (pseudonymAttribIndex > 0)
            {
                throw new ArgumentNullException("gs is null");
            }
            else
            {
                pseudonymAttribIndex = 0;
            }

            Group Gq = ip.Gq;
            FieldZq Zq = ip.Zq;

            FieldZqElement xt = ProtocolHelper.ComputeXt(ip, upkt.Token.TI, upkt.Token.IsDeviceProtected);
            ProofGenerationRandomData random;
            if (preGenW == null)
            {
                random = ProofGenerationRandomData.Generate(n - disclosed.Length, generateCommitments ? committed.Length : 0, Zq, upkt.Token.IsDeviceProtected);
            }
            else
            {
                random = preGenW;
            }

            FieldZqElement[] x = new FieldZqElement[n];
            GroupElement temp = upkt.Token.H.Exponentiate(random.W0);
            int uIndex = 0;
            int dIndex = 0;
            int cIndex = 0;
            PresentationProof proof = new PresentationProof();
            proof.DisclosedAttributes = new byte[disclosed.Length][];
            int pseudonymRandomizerIndex = 0;
            if (generateCommitments)
            {
                proof.Commitments = new CommitmentValues[committed.Length];
                tildeO = new FieldZqElement[committed.Length];
            }
            HashFunction hash = ip.HashFunction;
            for (int i = 0; i < n; i++)
            {
                x[i] = ProtocolHelper.ComputeXi(ip, i, attributes[i]);
                if (!disclosed.Contains(i + 1))
                {
                    temp = temp * ip.G[i + 1].Exponentiate(random.W[uIndex]);
                    if (presentPseudonym)
                    {
                        if (pseudonymAttribIndex == (i + 1))
                        {
                            pseudonymRandomizerIndex = uIndex;
                        }
                    }

                    if (generateCommitments && committed.Contains(i + 1))
                    {
                        GroupElement tildeC = ip.Gq.G.Exponentiate(x[i]) * ip.G[1].Exponentiate(random.TildeO[cIndex]);
                        tildeO[cIndex] = random.TildeO[cIndex];
                        GroupElement temp2 = ip.Gq.G.Exponentiate(random.W[uIndex]) * ip.G[1].Exponentiate(random.TildeW[cIndex]);
                        hash.Hash(temp2);
                        byte[] tildeA = hash.Digest;
                        proof.Commitments[cIndex] = new CommitmentValues(tildeC, tildeA, null);

                        cIndex++;
                    }

                    uIndex++;
                }
                else if (generateCommitments && committed.Contains(i + 1))
                {
                    throw new ArgumentException("attribute " + (i + 1) + " cannot be both disclosed and committed");
                }
                else
                {
                    proof.DisclosedAttributes[dIndex] = attributes[i];
                    dIndex++;
                }
            }
            if (upkt.Token.IsDeviceProtected)
            {
                GroupElement ad;
                // pseudonym computed by device
                if (presentPseudonym && pseudonymAttribIndex == DeviceAttributeIndex)
                {
                    GroupElement apPrime;
                    GroupElement Ps;
                    ad = deviceContext.GetInitialWitnessesAndPseudonym(gs, out apPrime, out Ps);
                    hash.Hash(apPrime * gs.Exponentiate(random.Wd));
                    proof.Ap = hash.Digest;
                    proof.Ps = Ps;
                }
                else
                {
                    ad = deviceContext.GetInitialWitness();
                }
                temp = temp * ip.Gd.Exponentiate(random.Wd) * ad;
            }
            hash.Hash(temp);
            proof.a = hash.Digest;

            // pseudonym derived from one token attribute
            if (presentPseudonym && pseudonymAttribIndex != DeviceAttributeIndex)
            {
                hash.Hash(gs.Exponentiate(random.W[pseudonymRandomizerIndex]));
                proof.Ap = hash.Digest;
                proof.Ps = gs.Exponentiate(x[pseudonymAttribIndex - 1]);
            }

            byte[] mdPrime;
            FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upkt.Token, proof.a, pseudonymAttribIndex, proof.ap, proof.Ps, message, messageD, disclosed, GetDisclosedX(disclosed, x), committed, proof.Commitments, out mdPrime);
            proof.r = new FieldZqElement[1 + n - disclosed.Length + (upkt.Token.IsDeviceProtected ? 1 : 0)]; // r_0, {r_i} for undisclosed i, r_d
            proof.r[0] = c * upkt.PrivateKey + random.W0;
            uIndex = 1;
            for (int i = 1; i <= n; i++)
            {
                if (!disclosed.Contains(i))
                {
                    proof.r[uIndex] = c.Negate() * x[i - 1] + random.W[uIndex - 1];
                    uIndex++;
                }
            }
            if (upkt.Token.IsDeviceProtected)
            {
                proof.r[proof.r.Length - 1] = deviceContext.GetDeviceResponse(messageD, mdPrime, ip.HashFunctionOID) + random.Wd;
            }
            if (generateCommitments)
            {
                for (int i = 0; i < committed.Length; i++)
                {
                    proof.Commitments[i].TildeR = c.Negate() * random.TildeO[i] + random.TildeW[i];
                }
            }

            random.Clear();
            cpv = new CommitmentPrivateValues(tildeO);
            return proof;
        }
        public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes)
        {
            GroupElement gs = null;

            FieldZqElement[] unused;
            return(Generate(ip, disclosed, null, 0, gs, message, messageD, deviceContext, upkt, attributes, null, out unused));
        }
 public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, out FieldZqElement[] tildeO)
 {
     return(Generate(ip, disclosed, committed, pseudonymAttribIndex, pseudonymScope, message, messageD, deviceContext, upkt, attributes, null, out tildeO));
 }
Exemplo n.º 10
0
        public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
        {
            GroupElement gs = ProtocolHelper.GenerateScopeElement(ip.Gq, pseudonymScope);

            return(Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out tildeO));
        }
Exemplo n.º 11
0
 private void Precompute(GroupElement gamma, ProverRandomData pregeneratedRandomData)
 {
     Group Gq = ip.Gq;
     FieldZq Zq = ip.Zq;
     if (pregeneratedRandomData == null)
     {
         alpha = Zq.GetRandomElements(numberOfTokens, true);
         beta1 = Zq.GetRandomElements(numberOfTokens, false);
         beta2 = Zq.GetRandomElements(numberOfTokens, false);
     }
     else
     {
         alpha = pregeneratedRandomData.Alpha;
         beta1 = pregeneratedRandomData.Beta1;
         beta2 = pregeneratedRandomData.Beta2;
     }
     h = new GroupElement[numberOfTokens];
     t1 = new GroupElement[numberOfTokens];
     t2 = new GroupElement[numberOfTokens];
     ukat = new UProveKeyAndToken[numberOfTokens];
     for (int i = 0; i < numberOfTokens; i++)
     {
         ukat[i] = new UProveKeyAndToken();
         h[i] = gamma.Exponentiate(alpha[i]);
         t1[i] = ip.G[0].Exponentiate(beta1[i]) * Gq.G.Exponentiate(beta2[i]);
         t2[i] = h[i].Exponentiate(beta2[i]);
         ukat[i].PrivateKey = alpha[i].Invert();
     }
     state = State.Initialized;
 }
 public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes)
 {
     GroupElement gs = null;
     FieldZqElement[] unused;
     return Generate(ip, disclosed, null, 0, gs, message, messageD, deviceContext, upkt, attributes, null, out unused);
 }
Exemplo n.º 13
0
    public PresentationProofComposite proveToken(string[] attributesParam, int[] disclosedIndices, int[] committedIndices, string messageParam, string verifierScopeParam, IssuerParametersComposite ipc, UProveTokenComposite tokenComposite, byte[] tokenPrivateKeyParam, string sessionID)
    {
      /*
       *  token presentation
       */

      cOut.write("Presenting a U-Prove token");
      VerifySessionId(sessionID);
      try
      {
        // specify the attribute values agreed to by the Issuer and Prover
        int numberOfAttributes = attributesParam.Length;
        byte[][] attributes = new byte[numberOfAttributes][];
        for (int i = 0; i < numberOfAttributes; i++)
        {
          attributes[i] = encoding.GetBytes(attributesParam[i]);
        }

        IssuerParameters ip = ConvertUtils.convertIssuerParametersComposite(ipc, sessionDB[sessionID]);
        // the application-specific message that the prover will sign. Typically this is a nonce combined
        // with any application-specific transaction data to be signed.
        byte[] message = encoding.GetBytes(messageParam);

        // the application-specific verifier scope from which a scope-exclusive pseudonym will be created
        // (if null, then a pseudonym will not be presented)
        byte[] scope = null;
        if (verifierScopeParam != null && verifierScopeParam != "null")
        {
          scope = encoding.GetBytes(verifierScopeParam);
        }

        // generate the presentation proof
        UProveToken uProveToken = ConvertUtils.convertUProveTokenComposite(ip, tokenComposite);
        byte[] bigInt = tokenPrivateKeyParam;
        DeviceManager dManager = sessionDB[sessionID].deviceManager;
        UProveKeyAndToken keyAndToken = new UProveKeyAndToken();
        keyAndToken.PrivateKey = new BigInteger(1, bigInt);
        keyAndToken.Token = uProveToken;
        byte[] proofSession = null;
        if (!dManager.IsVirtualDevice)
        {
          SmartCardDevice smartDevice = (SmartCardDevice)dManager.GetDevice();
          smartDevice.ProofSession = smartDevice.Device.BeginCommitment(1);
          byte[] proofSessionRaw = smartDevice.ProofSession;
          proofSession = new byte[1 + proofSessionRaw.Length];
          proofSession[0] = 1;
          Buffer.BlockCopy(proofSessionRaw, 0, proofSession, 1, proofSessionRaw.Length);
        }
        BigInteger[] commitmentValues;
        PresentationProof p =
          PresentationProof.Generate(ip,
                                     disclosedIndices,
                                     committedIndices,
                                     scope != null ? DevicePseudonymIndex : 0,
                                     scope,
                                     message,
                                     proofSession,
                                     dManager.GetDevice().GetPresentationContext(),
                                     keyAndToken,
                                     attributes,
                                     out commitmentValues);
#if DEBUG
        dManager.pDebug = p;
#endif

        return ConvertUtils.convertPresentationProof(p, commitmentValues, ProtocolHelper.ComputeTokenID(ip, uProveToken), proofSession);
      }
      catch (Exception e)
      {
        cOut.write(e.ToString());
        DebugUtils.DebugPrint(e.StackTrace.ToString());
      }

      return null;
    }
 /// <summary>
 /// Constructs a <code>ProverPresentationProtocolParameters</code> instance.
 /// </summary>
 /// <param name="ip">The issuer parameters.</param>
 /// <param name="disclosed">Disclosed attribute indices.</param>
 /// <param name="message">Presentation message.</param>
 /// <param name="keyAndToken">Presented key and token.</param>
 /// <param name="attributes">Token attributes.</param>
 public ProverPresentationProtocolParameters(IssuerParameters ip, int[] disclosed, byte[] message, UProveKeyAndToken keyAndToken, byte[][] attributes)
 {
     IP = ip;
     Disclosed = disclosed;
     Message = message;
     KeyAndToken = keyAndToken;
     Attributes = attributes;
 }
 public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
 {
     GroupElement gs = ProtocolHelper.GenerateScopeElement(ip.Gq, pseudonymScope);
     return Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out tildeO); 
 }
Exemplo n.º 16
0
        /// <summary>
        /// Generates a presentation proof including optionally presenting a pseudonym, creating attribute commitments, and passing pre-generated random values.
        /// </summary>
        /// <param name="ip">The issuer parameters corresponding to <code>upkt</code>.</param>
        /// <param name="disclosed">An ordered array of disclosed attribute indices.</param>
        /// <param name="committed">An ordered array of committed attribute indices.</param>
        /// <param name="pseudonymAttribIndex">Index of the attribute used to create a scope-exclusive pseudonym, or 0 if no pseudonym is to be presented. The index must not be part of the disclosed attributes.</param>
        /// <param name="gs">The pseudonym scope element, or null if no pseudonym is to be presented.</param>
        /// <param name="message">The presentation message.</param>
        /// <param name="messageD">The message for the Device, or null.</param>
        /// <param name="deviceContext">The active device context, if token is device-protected, or null.</param>
        /// <param name="upkt">The U-Proke key and token.</param>
        /// <param name="attributes">The token attributes.</param>
        /// <param name="preGenW">Optional pregenerated random data for the proof generation.</param>
        /// <param name="cpv">Returned commitment private values if commitments are computed.</param>
        /// <returns>A presentation proof.</returns>
        internal static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out CommitmentPrivateValues cpv)
        {
            if (upkt.Token.IsDeviceProtected && deviceContext == null)
            {
                throw new ArgumentNullException("Device context is not initialized");
            }
            bool generateCommitments = (committed != null && committed.Length > 0);

            FieldZqElement[] tildeO = null;

            // make sure disclosed and committed lists are sorted
            if (disclosed == null)
            {
                // can't be null later, so make it an empty array
                disclosed = new int[] { };
            }
            Array.Sort(disclosed);
            if (generateCommitments)
            {
                Array.Sort(committed);
            }

            int n = 0;

            if (ip.E != null)
            {
                n = ip.E.Length;
                if (n != attributes.Length)
                {
                    throw new ArgumentException("number of attributes is inconsistent with issuer parameters");
                }
            }

            bool presentPseudonym = false;

            if (gs != null)
            {
                if (pseudonymAttribIndex < 1 || (pseudonymAttribIndex > n && pseudonymAttribIndex != DeviceAttributeIndex))
                {
                    throw new ArgumentException("pseudonymAttribIndex must be between 1 and " + n + " (inclusive)");
                }
                if (disclosed.Contains(pseudonymAttribIndex))
                {
                    throw new ArgumentException("pseudonymAttribIndex cannot be in the disclosed attribute array");
                }
                presentPseudonym = true;
            }
            else if (pseudonymAttribIndex > 0)
            {
                throw new ArgumentNullException("gs is null");
            }
            else
            {
                pseudonymAttribIndex = 0;
            }

            Group   Gq = ip.Gq;
            FieldZq Zq = ip.Zq;

            FieldZqElement            xt = ProtocolHelper.ComputeXt(ip, upkt.Token.TI, upkt.Token.IsDeviceProtected);
            ProofGenerationRandomData random;

            if (preGenW == null)
            {
                random = ProofGenerationRandomData.Generate(n - disclosed.Length, generateCommitments ? committed.Length : 0, Zq, upkt.Token.IsDeviceProtected);
            }
            else
            {
                random = preGenW;
            }

            // set up the multi-exponentiation arrays, with h^w0 as the first term
            int multiExpArraySize = 1 + (n - disclosed.Length) + (upkt.Token.IsDeviceProtected ? 1 : 0);

            GroupElement[]   bases     = new GroupElement[multiExpArraySize];
            FieldZqElement[] exponents = new FieldZqElement[multiExpArraySize];
            int multiExpIndex          = 0;

            bases[multiExpIndex]       = upkt.Token.H;
            exponents[multiExpIndex++] = random.W0;

            FieldZqElement[] x      = new FieldZqElement[n];
            int uIndex              = 0;
            int dIndex              = 0;
            int cIndex              = 0;
            PresentationProof proof = new PresentationProof();

            proof.DisclosedAttributes = new byte[disclosed.Length][];
            int pseudonymRandomizerIndex = 0;

            if (generateCommitments)
            {
                proof.Commitments = new CommitmentValues[committed.Length];
                tildeO            = new FieldZqElement[committed.Length];
            }
            HashFunction hash = ip.HashFunction;

            GroupElement[] cBases = new GroupElement[2] {
                Gq.G, ip.G[1]
            };
            for (int i = 0; i < n; i++)
            {
                x[i] = ProtocolHelper.ComputeXi(ip, i, attributes[i]);
                if (!disclosed.Contains(i + 1))
                {
                    bases[multiExpIndex]       = ip.G[i + 1];
                    exponents[multiExpIndex++] = random.W[uIndex];
                    if (presentPseudonym)
                    {
                        if (pseudonymAttribIndex == (i + 1))
                        {
                            pseudonymRandomizerIndex = uIndex;
                        }
                    }

                    if (generateCommitments && committed.Contains(i + 1))
                    {
                        GroupElement tildeC = ip.Gq.MultiExponentiate(cBases, new FieldZqElement[2] {
                            x[i], random.TildeO[cIndex]
                        });
                        tildeO[cIndex] = random.TildeO[cIndex];
                        GroupElement temp2 = ip.Gq.MultiExponentiate(cBases, new FieldZqElement[2] {
                            random.W[uIndex], random.TildeW[cIndex]
                        });
                        hash.Hash(temp2);
                        byte[] tildeA = hash.Digest;
                        proof.Commitments[cIndex] = new CommitmentValues(tildeC, tildeA, null);
                        cIndex++;
                    }

                    uIndex++;
                }
                else if (generateCommitments && committed.Contains(i + 1))
                {
                    throw new ArgumentException("attribute " + (i + 1) + " cannot be both disclosed and committed");
                }
                else
                {
                    proof.DisclosedAttributes[dIndex] = attributes[i];
                    dIndex++;
                }
            }
            GroupElement aPreImage;

            if (upkt.Token.IsDeviceProtected)
            {
                GroupElement ad;
                // pseudonym computed by device
                if (presentPseudonym && pseudonymAttribIndex == DeviceAttributeIndex)
                {
                    GroupElement apPrime;
                    GroupElement Ps;
                    ad = deviceContext.GetInitialWitnessesAndPseudonym(gs, out apPrime, out Ps);
                    hash.Hash(apPrime * gs.Exponentiate(random.Wd));
                    proof.Ap = hash.Digest;
                    proof.Ps = Ps;
                }
                else
                {
                    ad = deviceContext.GetInitialWitness();
                }
                bases[multiExpIndex]       = ip.Gd;
                exponents[multiExpIndex++] = random.Wd;
                aPreImage = Gq.MultiExponentiate(bases, exponents) * ad;
            }
            else
            {
                aPreImage = Gq.MultiExponentiate(bases, exponents);
            }
            hash.Hash(aPreImage);
            proof.a = hash.Digest;

            // pseudonym derived from one token attribute
            if (presentPseudonym && pseudonymAttribIndex != DeviceAttributeIndex)
            {
                hash.Hash(gs.Exponentiate(random.W[pseudonymRandomizerIndex]));
                proof.Ap = hash.Digest;
                proof.Ps = gs.Exponentiate(x[pseudonymAttribIndex - 1]);
            }

            byte[]         mdPrime;
            FieldZqElement c = ProtocolHelper.GenerateChallenge(ip, upkt.Token, proof.a, pseudonymAttribIndex, proof.ap, proof.Ps, message, messageD, disclosed, GetDisclosedX(disclosed, x), committed, proof.Commitments, out mdPrime);

            proof.r    = new FieldZqElement[1 + n - disclosed.Length + (upkt.Token.IsDeviceProtected ? 1 : 0)]; // r_0, {r_i} for undisclosed i, r_d
            proof.r[0] = c * upkt.PrivateKey + random.W0;
            uIndex     = 1;
            for (int i = 1; i <= n; i++)
            {
                if (!disclosed.Contains(i))
                {
                    proof.r[uIndex] = c.Negate() * x[i - 1] + random.W[uIndex - 1];
                    uIndex++;
                }
            }
            if (upkt.Token.IsDeviceProtected)
            {
                proof.r[proof.r.Length - 1] = deviceContext.GetDeviceResponse(messageD, mdPrime, ip.HashFunctionOID) + random.Wd;
            }
            if (generateCommitments)
            {
                for (int i = 0; i < committed.Length; i++)
                {
                    proof.Commitments[i].TildeR = c.Negate() * random.TildeO[i] + random.TildeW[i];
                }
            }

            random.Clear();
            cpv = new CommitmentPrivateValues(tildeO);
            return(proof);
        }
 public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, byte[] pseudonymScope, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, out FieldZqElement[] tildeO)
 {
     return Generate(ip, disclosed, committed, pseudonymAttribIndex, pseudonymScope, message, messageD, deviceContext, upkt, attributes, null, out tildeO);
 }
Exemplo n.º 18
0
        public static PresentationProof Generate(IssuerParameters ip, int[] disclosed, int[] committed, int pseudonymAttribIndex, GroupElement gs, byte[] message, byte[] messageD, IDevicePresentationContext deviceContext, UProveKeyAndToken upkt, byte[][] attributes, ProofGenerationRandomData preGenW, out FieldZqElement[] tildeO)
        {
            CommitmentPrivateValues cpv;
            PresentationProof       proof = Generate(ip, disclosed, committed, pseudonymAttribIndex, gs, message, messageD, deviceContext, upkt, attributes, preGenW, out cpv);

            tildeO = cpv.TildeO;
            return(proof);
        }
Exemplo n.º 19
0
        private static CommitmentPrivateValues PresentUProveToken(IssuerParameters ip, UProveKeyAndToken upkt, byte[][] attributes, int[] disclosed, int[] committed, byte[] message, byte[] scope, IDevice device, byte[] deviceMessage)
        {
            WriteLine("Presenting one token");
            // the returned commitment randomizer (to be used by an external proof module)
            CommitmentPrivateValues cpv;

            // generate the presentation proof
            string token = ip.Serialize<UProveToken>(upkt.Token);
            ProverPresentationProtocolParameters pppp = new ProverPresentationProtocolParameters(ip, disclosed, message, upkt, attributes);
            pppp.Committed = committed;
            // if a scope is defined, we use the first attribute to derive a scope exclusive pseudonym            
            pppp.PseudonymAttributeIndex = (scope == null ? 0 : 1);
            pppp.PseudonymScope = scope;
            if (device != null)
            {
                pppp.SetDeviceData(deviceMessage, device.GetPresentationContext());
            }
            pppp.KeyAndToken = upkt;
            pppp.Attributes = attributes;
            string proof = ip.Serialize<PresentationProof>(PresentationProof.Generate(pppp, out cpv));

            // verify the presentation proof
            VerifierPresentationProtocolParameters vppp = new VerifierPresentationProtocolParameters(ip, disclosed, message, ip.Deserialize<UProveToken>(token));
            vppp.Committed = committed;
            // if a scope is defined, we use the first attribute to derive a scope exclusive pseudonym            
            vppp.PseudonymAttributeIndex = (scope == null ? 0 : 1);
            vppp.PseudonymScope = scope;
            vppp.DeviceMessage = deviceMessage;
            ip.Deserialize<PresentationProof>(proof).Verify(vppp);

            return cpv;
        }
Exemplo n.º 20
0
        /// <summary>
        /// Constructs a new <code>Prover</code> instance.
        /// </summary>
        /// <param name="ip">The Issuer parameters.</param>
        /// <param name="psms">The post second message state.</param>
        public Prover(IssuerParameters ip, PostSecondMessageState psms)
        {
            psms.Validate();

            this.ip = ip;
            this.numberOfTokens = psms.AlphaInverse.Length;
            this.TI = psms.TI;
            this.PI = psms.PI;
            this.isDeviceProtected = psms.IsDeviceProtected;
            this.beta2 = psms.Beta2;
            
            this.h = psms.H;
            this.sigmaZPrime = psms.SigmaZPrime;
            this.sigmaAPrime = psms.SigmaAPrime;
            this.sigmaBPrime = psms.SigmaBPrime;
            this.sigmaCPrime = psms.SigmaCPrime;

            ukat = new UProveKeyAndToken[numberOfTokens];
            for (int i = 0; i < numberOfTokens; i++)
            {
                ukat[i] = new UProveKeyAndToken();
                ukat[i].PrivateKey = psms.AlphaInverse[i];
            }

            state = State.Second;
        }