public void CanProveAndVerifyMAC() { // The coordinator generates a composed private key called CoordinatorSecretKey // and derives from that the coordinator's public parameters called CoordinatorParameters. var rnd = new SecureRandom(); var coordinatorKey = new CoordinatorSecretKey(rnd); var coordinatorParameters = coordinatorKey.ComputeCoordinatorParameters(); // A blinded amount is known as an `attribute`. In this case the attribute Ma is the // value 10000 blinded with a random `blindingFactor`. This attribute is sent to // the coordinator. var amount = new Scalar(10_000); var blindingFactor = rnd.GetScalar(); var Ma = amount * Generators.G + blindingFactor * Generators.Gh; // The coordinator generates a MAC and a proof that the MAC was generated using the // coordinator's secret key. The coordinator sends the pair (MAC + proofOfMac) back // to the client. var t = rnd.GetScalar(); var mac = MAC.ComputeMAC(coordinatorKey, Ma, t); var coordinatorStatement = ProofSystem.CreateStatement(coordinatorParameters, mac.V, Ma, t); var proverBuilder = ProofSystem.CreateProver(coordinatorStatement, coordinatorKey); var macProver = proverBuilder(rnd); var proofOfMac = macProver(); // The client receives the MAC and the proofOfMac which let the client know that the MAC // was generated with the coordinator's secret key. var clientStatement = ProofSystem.CreateStatement(coordinatorParameters, mac.V, Ma, mac.T); var verifierBuilder = ProofSystem.CreateVerifier(clientStatement); var macVerifier = verifierBuilder(proofOfMac); var isValidProof = macVerifier(); Assert.True(isValidProof); }
private (MAC Mac, Knowledge Knowledge) IssueCredential(GroupElement ma, Scalar t) { var sk = CoordinatorSecretKey; var mac = MAC.ComputeMAC(sk, ma, t); var knowledge = ProofSystem.IssuerParameters(mac, ma, sk); return(mac, knowledge); }
public void CannotBuildWrongMac() { var sk = new CredentialIssuerSecretKey(Rnd); Assert.Throws <ArgumentNullException>(() => MAC.ComputeMAC(null !, Generators.G, Scalar.One)); Assert.Throws <ArgumentNullException>(() => MAC.ComputeMAC(sk, null !, Scalar.One)); var ex = Assert.Throws <ArgumentException>(() => MAC.ComputeMAC(sk, Generators.G, Scalar.Zero)); Assert.StartsWith("Value cannot be zero.", ex.Message); }
public void CanProduceAndVerifyMAC() { var sk = new CredentialIssuerSecretKey(Rnd); var attribute = Rnd.GetScalar() * Generators.G; // any random point var t = Rnd.GetScalar(); var mac = MAC.ComputeMAC(sk, attribute, t); Assert.True(mac.VerifyMAC(sk, attribute)); }
public void CanProduceAndVerifyMAC() { var rnd = new SecureRandom(); var sk = new CoordinatorSecretKey(rnd); var attribute = rnd.GetScalar() * Generators.G; // any random point var t = rnd.GetScalar(); var mac = MAC.ComputeMAC(sk, attribute, t); Assert.True(mac.VerifyMAC(sk, attribute)); }
public void CanProveAndVerifyMAC() { // The coordinator generates a composed private key called CoordinatorSecretKey // and derives from that the coordinator's public parameters called CoordinatorParameters. var rnd = new SecureRandom(); var coordinatorKey = new CoordinatorSecretKey(rnd); var coordinatorParameters = coordinatorKey.ComputeCoordinatorParameters(); // A blinded amount is known as an `attribute`. In this case the attribute Ma is the // value 10000 blinded with a random `blindingFactor`. This attribute is sent to // the coordinator. var amount = new Scalar(10_000); var r = rnd.GetScalar(); var Ma = amount * Generators.G + r * Generators.Gh; // The coordinator generates a MAC and a proof that the MAC was generated using the // coordinator's secret key. The coordinator sends the pair (MAC + proofOfMac) back // to the client. var t = rnd.GetScalar(); var mac = MAC.ComputeMAC(coordinatorKey, Ma, t); var coordinatorKnowledge = ProofSystem.IssuerParameters(mac, Ma, coordinatorKey); var proofOfMac = ProofSystem.Prove(coordinatorKnowledge, rnd); // The client receives the MAC and the proofOfMac which let the client know that the MAC // was generated with the coordinator's secret key. var clientStatement = ProofSystem.IssuerParameters(coordinatorParameters, mac, Ma); var isValidProof = ProofSystem.Verify(clientStatement, proofOfMac); Assert.True(isValidProof); var corruptedResponses = new ScalarVector(proofOfMac.Responses.Reverse()); var invalidProofOfMac = new Proof(proofOfMac.PublicNonces, corruptedResponses); isValidProof = ProofSystem.Verify(clientStatement, invalidProofOfMac); Assert.False(isValidProof); var corruptedPublicNonces = new GroupElementVector(proofOfMac.PublicNonces.Reverse()); invalidProofOfMac = new Proof(corruptedPublicNonces, proofOfMac.Responses); isValidProof = ProofSystem.Verify(clientStatement, invalidProofOfMac); Assert.False(isValidProof); }
public void CanDetectInvalidMAC() { var sk = new CredentialIssuerSecretKey(Rnd); var attribute = Rnd.GetScalar() * Generators.G; // any random point var differentAttribute = Rnd.GetScalar() * Generators.G; // any other random point var t = Rnd.GetScalar(); // Create MAC for realAttribute and verify with fake/wrong attribute var mac = MAC.ComputeMAC(sk, attribute, t); Assert.False(mac.VerifyMAC(sk, differentAttribute)); var differentT = Rnd.GetScalar(); var differentMac = MAC.ComputeMAC(sk, attribute, differentT); Assert.NotEqual(mac, differentMac); mac = MAC.ComputeMAC(sk, attribute, differentT); var differentSk = new CredentialIssuerSecretKey(Rnd); Assert.False(mac.VerifyMAC(differentSk, attribute)); }
public void CanProveAndVerifyMacShow() { var rnd = new SecureRandom(); var coordinatorKey = new CoordinatorSecretKey(rnd); var coordinatorParameters = coordinatorKey.ComputeCoordinatorParameters(); // A blinded amount is known as an `attribute`. In this case the attribute Ma is the // value 10000 blinded with a random `blindingFactor`. This attribute is sent to // the coordinator. var amount = new Scalar(10_000); var r = rnd.GetScalar(); var Ma = amount * Generators.Gg + r * Generators.Gh; // The coordinator generates a MAC and a proof that the MAC was generated using the // coordinator's secret key. The coordinator sends the pair (MAC, proofOfMac) back // to the client. var t = rnd.GetScalar(); var mac = MAC.ComputeMAC(coordinatorKey, Ma, t); // The client randomizes the commitments before presenting them to the coordinator proving to // the coordinator that a credential is valid (prover knows a valid MAC on non-randomized attribute) var credential = new Credential(amount, r, mac); var z = rnd.GetScalar(); var randomizedCredential = credential.Present(z); var knowledge = ProofSystem.ShowCredential(randomizedCredential, z, credential, coordinatorParameters); var proofOfMacShow = ProofSystem.Prove(knowledge, rnd); // The coordinator must verify the received randomized credential is valid. var Z = randomizedCredential.ComputeZ(coordinatorKey); Assert.Equal(Z, z * coordinatorParameters.I); var statement = ProofSystem.ShowCredential(randomizedCredential, Z, coordinatorParameters); var isValidProof = ProofSystem.Verify(statement, proofOfMacShow); Assert.True(isValidProof); }