/// <summary> /// Verifies that a UProve token attribute is not equal to the given attribute value. /// </summary> /// <param name="verifier">Verifier info about token.</param> /// <param name="attributeIndexForVerifier">Target attribute, 1-based index.</param> /// <param name="attributeValue">Bad value for attribute.</param> /// <returns></returns> public bool Verify( VerifierPresentationProtocolParameters verifier, int attributeIndexForVerifier, byte [] attributeValue) { // Verify UProve Integration Proof if (this.UPIProof == null) { return(false); } VerifierPresentationProtocolParameters[] verifiers = new VerifierPresentationProtocolParameters[1] { verifier }; int[] attributeIndices = new int[1] { attributeIndexForVerifier }; if (!this.UPIProof.Verify(verifiers, attributeIndices)) { return(false); } // Verify Inequality Proof FieldZqElement committedAttribute = ProtocolHelper.ComputeXi(verifier.IP, attributeIndexForVerifier - 1, attributeValue); VerifierInequalityProofParameters ieqVerifier = new VerifierInequalityProofParameters(this.UPIProof.PedersenCommitmentValues[0], committedAttribute, new CryptoParameters(verifier.IP)); return(this.Verify(ieqVerifier)); }
/// <summary> /// Creates a UProve token for non-device protected tokens. /// </summary> /// <param name="pppp">Prover presentation protocol parameters for non-device protected token.</param> /// <param name="device">Device information. Required for device protected tokens.</param> public OpenUProveToken(ProverPresentationProtocolParameters pppp) : base(null, null, null) { if (pppp == null) { throw new ArgumentNullException("UProveToken constructor expects non-null input."); } this.Group = pppp.IP.Gq; this.Bases = new GroupElement[pppp.Attributes.Length + 2]; for (int i = 0; i < this.G.Length; ++i) { this.G[i] = pppp.IP.G[i]; } this.Value = pppp.KeyAndToken.Token.H; this.Exponents = new FieldZqElement[this.RepresentationLength]; this.Alpha = pppp.KeyAndToken.PrivateKey.Invert(); FieldZqElement [] attributes = new FieldZqElement[pppp.Attributes.Length]; for (int i = 0; i < attributes.Length; ++i) { attributes[i] = ProtocolHelper.ComputeXi(pppp.IP, i, pppp.Attributes[i]); } this.SetAttributeXI(attributes); this.AttributeXT = ProtocolHelper.ComputeXt(pppp.IP, pppp.KeyAndToken.Token.TI, pppp.KeyAndToken.Token.IsDeviceProtected); }
/// <summary> /// Computes the revocation value from its byte array encoding, to be added to an accumulator or used /// to compute the witness. /// </summary> /// <param name="ip">The issuer parameters, containing the information on how to transform the encoded value.</param> /// <param name="revocationIndex">The 1-based index of the revocation attribute.</param> /// <param name="attributeValue">The attribute value.</param> /// <returns>The revocation value.</returns> public static FieldZqElement ComputeRevocationValue(IssuerParameters ip, int revocationIndex, byte[] attributeValue) { if (revocationIndex <= 0) { throw new ArgumentException("revocationIndex must be positive: " + revocationIndex); } return(ProtocolHelper.ComputeXi(ip, revocationIndex - 1, attributeValue)); }
/// <summary> /// Computes the non-revocation proof. /// </summary> /// <param name="ip">The Issuer parameters associated with the presented U-Prove token.</param> /// <param name="rap">The Revocation Authority parameters.</param> /// <param name="witness">The user non-revocation witness.</param> /// <param name="commitmentIndex">The 0-based index of the revocation commitment in the attribute commitments.</param> /// <param name="presentationProof">The presentation proof generated with the U-Prove token.</param> /// <param name="cpv">The commitment private values generated when presenting the U-Prove token.</param> /// <param name="revocationIndex">The 1-based index of the revocation attribute in the U-Prove token.</param> /// <param name="attributes">The token attributes.</param> /// <returns>A non-revocation proof.</returns> public static NonRevocationProof GenerateNonRevocationProof(IssuerParameters ip, RAParameters rap, RevocationWitness witness, int commitmentIndex, PresentationProof presentationProof, CommitmentPrivateValues cpv, int revocationIndex, byte[][] attributes) { if (revocationIndex <= 0) { throw new ArgumentException("revocationIndex must be positive: " + revocationIndex); } GroupElement tildeCid = presentationProof.Commitments[commitmentIndex].TildeC; FieldZqElement xid = ProtocolHelper.ComputeXi(ip, revocationIndex - 1, attributes[revocationIndex - 1]); FieldZqElement tildeOid = cpv.TildeO[commitmentIndex]; return(GenerateNonRevocationProof(rap, witness, tildeCid, xid, tildeOid)); }
/// <summary> /// Generates a member set for UProve tokens. /// </summary> /// <param name="ip">Issuer parameters.</param> /// <param name="attributeIndexInToken">Index of attribute in the token the proof will be about (encoding of memberSet depends on this). Index is 1....n.</param> /// <param name="memberSet">Member set</param> /// <returns></returns> public static FieldZqElement[] GenerateMemberSet(IssuerParameters ip, int attributeIndexInToken, byte[][] memberSet) { if (attributeIndexInToken <= 0) { throw new ArgumentException("attributeIndexInToken must be a positive integer"); } FieldZqElement[] output = new FieldZqElement[memberSet.Length]; for (int i = 0; i < output.Length; ++i) { output[i] = ProtocolHelper.ComputeXi(ip, attributeIndexInToken - 1, memberSet[i]); } return(output); }
/// <summary> /// Generates a Pedersen Commitment to the attribute. The committed value is equal to /// what it would be if the attribute was encoded in the token. The committed value depends /// on the attribute index. /// </summary> /// <param name="ip">Issuer parameters</param> /// <param name="attributeIndex">The 1-based index of the attribute as it would be in the token</param> /// <param name="attribute">Encoding of the attribute</param> public PedersenCommitment(IssuerParameters ip, int attributeIndex, byte[] attribute) { CryptoParameters crypto = new CryptoParameters(ip); this.Group = crypto.Group; this.Bases = new GroupElement[2] { crypto.Generators[0], crypto.Generators[1] }; FieldZqElement committedValue = ProtocolHelper.ComputeXi(ip, attributeIndex - 1, attribute); FieldZqElement opening = this.Group.FieldZq.GetRandomElement(false); this.Exponents = new FieldZqElement[2] { committedValue, opening }; this.Value = this.Group.MultiExponentiate(this.Bases, this.Exponents); }
/// <summary> /// Generates proofs that a token attribute value is not equal to any values in the target array. /// </summary> /// <param name="prover">Inequality proof parameters for the token.</param> /// <param name="target">Target values array.</param> /// <returns>An inequality proof.</returns> public static InequalityProof[] GenerateUProveInequalityProofs(EQProofUProveProverData prover, byte[][] target) { // Create PedersenCommitments int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(prover.PPPP.Committed, prover.index); PedersenCommitment ped = new PedersenCommitment(prover.PPPP, prover.PP, prover.CPV, commitmentIndex); // Create EqualityProof CryptoParameters crypto = new CryptoParameters(prover.PPPP.IP); InequalityProof[] proofs = new InequalityProof[target.Length]; for (int i = 0; i < target.Length; i++) { FieldZqElement targetValue = ProtocolHelper.ComputeXi(prover.PPPP.IP, prover.index - 1, target[i]); proofs[i] = new InequalityProof(new ProverInequalityProofParameters(ped, targetValue, crypto)); } return(proofs); }
/// <summary> /// Constructor. Creates an inequality proof that a token attribute is not equal to some value. /// </summary> /// <param name="prover">Token description.</param> /// <param name="attributeIndexForProver">1-based attribute index in token.</param> /// <param name="attributeValue">Attribute value to compare actual token attribute.</param> /// <returns>Inequality proof.</returns> public InequalityProof(ProverPresentationProtocolParameters prover, int attributeIndexForProver, byte[] attributeValue) { // generate Pedersen Commitments to attributes ProverPresentationProtocolParameters[] provers = new ProverPresentationProtocolParameters[] { prover }; int[] attributeIndices = new int[] { attributeIndexForProver }; PedersenCommitment[] attributeCommitments = PedersenCommitment.PedersenCommmitmentsToAttributes(provers, attributeIndices); // create inequality proof using Pedersen Commitmetns FieldZqElement committedAttribute = ProtocolHelper.ComputeXi(prover.IP, attributeIndexForProver - 1, attributeValue); ProverInequalityProofParameters ieqProver = new ProverInequalityProofParameters(attributeCommitments[0], committedAttribute, new CryptoParameters(prover.IP)); ConstructorHelper(ieqProver); // add UProve Integration proof this.UPIProof = new UProveIntegrationProof(provers, attributeIndices, attributeCommitments); this.UPIProof.IsGroupSerializable = false; }
/// <summary> /// Creates a Pedersen Commitment for one of the attributes using the commitment /// from the PresentationProof. /// </summary> /// <param name="pppp">Parameters used by Prover</param> /// <param name="pp">The presentation proof generated by the Prover</param> /// <param name="cpv">Output of PresentationProof.Generate()</param> /// <param name="commitmentIndex">Which commitment to use: index into cpv.TildeO array. /// DO NOT use the attribute index, the Constructor will compute it from /// the commitmentIndex.</param> public PedersenCommitment(ProverPresentationProtocolParameters pppp, PresentationProof pp, CommitmentPrivateValues cpv, int commitmentIndex) { int attributeIndex = pppp.Committed[commitmentIndex] - 1; FieldZqElement committedValue = ProtocolHelper.ComputeXi(pppp.IP, attributeIndex, pppp.Attributes[attributeIndex]); FieldZqElement opening = cpv.TildeO[commitmentIndex]; CryptoParameters crypto = new CryptoParameters(pppp.IP); this.Group = crypto.Group; this.Bases = new GroupElement[2] { crypto.Generators[0], crypto.Generators[1] }; this.Exponents = new FieldZqElement[2] { committedValue, opening }; this.Value = pp.Commitments[commitmentIndex].TildeC; }
public void PresentationProofConstructorTest() { // generate array of commitments using PresentationProof CommitmentPrivateValues cpv; Assert.IsNotNull(_proverParams, "prover params null"); PresentationProof proof = PresentationProof.Generate(_proverParams, out cpv); Assert.IsNotNull(proof.Commitments, "proof failed to generate commitments"); Assert.IsNotNull(cpv, "failed to output cpv"); Assert.IsNotNull(cpv.TildeO, "cpv.TildeO is null"); CommitmentValues [] expectedCommitmentValues = proof.Commitments; // generate array of commitments using Pedersen Commitment constructor PedersenCommitment [] proverCommitments = PedersenCommitment.ArrayOfPedersenCommitments(_proverParams, proof, cpv); // compare values GroupElement expectedG = _proverParams.IP.Gq.G; GroupElement expectedH = _proverParams.IP.G[1]; for (int commitIndex = 0; commitIndex < expectedCommitmentValues.Length; ++commitIndex) { int attributeIndex = _proverParams.Committed[commitIndex] - 1; FieldZqElement expectedCommittedValue = ProtocolHelper.ComputeXi(_proverParams.IP, attributeIndex, _proverParams.Attributes[attributeIndex]); Assert.AreEqual(expectedCommittedValue, proverCommitments[commitIndex].CommittedValue, "wrong committed value"); Assert.AreEqual(cpv.TildeO[commitIndex], proverCommitments[commitIndex].Opening, "opening does not match tildeO"); Assert.AreEqual(expectedG, proverCommitments[commitIndex].G, "base g wrong"); Assert.AreEqual(expectedH, proverCommitments[commitIndex].H, "base h wrong"); Assert.AreEqual(expectedCommitmentValues[commitIndex].TildeC, proverCommitments[commitIndex].Value, "wrong value"); } // generate array of closed pedersen commitments ClosedPedersenCommitment[] verifierCommitments = ClosedPedersenCommitment.ArrayOfClosedPedersenCommitments(_verifierParams.IP, proof); // compare bases and values to actualCommitments Assert.IsTrue(ClosedPedersenCommitment.AreBasesEqual(verifierCommitments), "all closed commitments should have same bases."); Assert.IsTrue(verifierCommitments[0].AreBasesEqual(proverCommitments[0]), "all closed commitments should have same bases as open commitments"); Assert.AreEqual(proverCommitments.Length, verifierCommitments.Length, "should be as many open and closed commitments"); for (int i = 0; i < verifierCommitments.Length; ++i) { Assert.AreEqual(verifierCommitments[i].Value, proverCommitments[i].Value, "open and closed commitments should be equal."); } }
/// <summary> /// Verifies proofs that a token attribute value is not equal to a any of the target values. /// </summary> /// <param name="verifier">Equality proof parameters for the token.</param> /// <param name="target">Target values.</param> /// <param name="eQProof">The inequality proofs to verify.</param> /// <exception cref="InvalidUProveArtifactException">Thrown if a proof is invalid.</exception> public static void VerifyUProveEqualityProofs(EQProofUProveVerifierData verifier, byte[][] target, InequalityProof[] iNeqProof) { if (target == null || iNeqProof == null || target.Length != iNeqProof.Length) { throw new ArgumentException("target and iNeqProof must have the same length"); } int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(verifier.VPPP.Committed, verifier.index); ClosedPedersenCommitment closedPed = new ClosedPedersenCommitment(verifier.VPPP.IP, verifier.PP, commitmentIndex); CryptoParameters crypto = new CryptoParameters(verifier.VPPP.IP); for (int i = 0; i < target.Length; i++) { FieldZqElement targetValue = ProtocolHelper.ComputeXi(verifier.VPPP.IP, verifier.index - 1, target[i]); if (!iNeqProof[i].Verify(new VerifierInequalityProofParameters(closedPed.Value, targetValue, crypto))) { throw new InvalidUProveArtifactException("invalid equality proof"); } } }
/// <summary> /// Create a verifiable encryption of a pseudonym based on a U-Prove presentation proof. This is a wrapper /// of <c>VerifiableEncrypt</c>. /// /// </summary> /// <param name="escrowParams"> Parameters of the ID escrow scheme</param> /// <param name="escrowPublicKey"> Public key of the Auditor (the authority who can decrypt the output ciphertex).</param> /// <param name="token"> The U-Prove token corresponding to the <c>proof</c>. </param> /// <param name="additionalInfo">See documentation of <c>VerifiableEncrypt</c></param> /// <param name="proof">A U-Prove prsentation proof.</param> /// <param name="cpv">Commitment opening information, output when generating <c>proof</c>.</param> /// <param name="idAttributeIndex"> Index of the attribute to use for identity escrow (1-based indexing). This attribute <b>must be</b> /// the first commited attribute (take care if using multiple extensions). </param> /// <param name="attributes"> Attributes in <c>token</c>.</param> /// <returns></returns> public static IDEscrowCiphertext UProveVerifableEncrypt(IDEscrowParams escrowParams, IDEscrowPublicKey escrowPublicKey, UProveToken token, byte[] additionalInfo, PresentationProof proof, CommitmentPrivateValues cpv, int idAttributeIndex, byte[][] attributes) { if (token == null || escrowParams == null || proof == null || cpv == null) { throw new ArgumentNullException("null input to UProveVerifiableEncrypt"); } if (proof.Commitments == null || proof.Commitments.Length < 1 || attributes.Length < idAttributeIndex || cpv.TildeO == null || cpv.TildeO.Length < 1) { throw new InvalidUProveArtifactException("invalid inputs to UProveVerifiableEncrypt"); } byte[] tokenId = ProtocolHelper.ComputeTokenID(escrowParams.ip, token); GroupElement Cx1 = proof.Commitments[0].TildeC; // x1 is the first committed attribute FieldZqElement x1 = ProtocolHelper.ComputeXi(escrowParams.ip, idAttributeIndex - 1, attributes[idAttributeIndex - 1]); // arrays are 0-based FieldZqElement tildeO1 = cpv.TildeO[0]; return(IDEscrowFunctions.VerifiableEncrypt(escrowParams, escrowPublicKey, tokenId, Cx1, x1, tildeO1, additionalInfo)); }
public void TestIEWithRealToken() { /********** begin: this section of code taken from EndToEndTest.cs, TestMethod PseudonymAndCommitmentsTest *****/ System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding(); // Issuer setup IssuerSetupParameters isp = new IssuerSetupParameters(maxNumberOfAttributes); isp.UidP = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 }; isp.E = new byte[] { (byte)1, (byte)1, (byte)1, (byte)1 }; isp.UseRecommendedParameterSet = true; isp.S = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 }; IssuerKeyAndParameters ikap = isp.Generate(); IssuerParameters ip2 = ikap.IssuerParameters; // Issuance byte[][] attributes = new byte[][] { encoding.GetBytes("Attribute 1"), encoding.GetBytes("Attribute 2"), encoding.GetBytes("Attribute 3"), encoding.GetBytes("Attribute 4") }; byte[] tokenInformation = new byte[] { }; byte[] proverInformation = new byte[] { }; int numberOfTokens = 1; IssuerProtocolParameters ipp = new IssuerProtocolParameters(ikap); ipp.Attributes = attributes; ipp.NumberOfTokens = numberOfTokens; ipp.TokenInformation = tokenInformation; Issuer issuer = ipp.CreateIssuer(); FirstIssuanceMessage msg1 = issuer.GenerateFirstMessage(); ProverProtocolParameters ppp = new ProverProtocolParameters(ip2); ppp.Attributes = attributes; ppp.NumberOfTokens = numberOfTokens; ppp.TokenInformation = tokenInformation; ppp.ProverInformation = proverInformation; Prover prover = ppp.CreateProver(); SecondIssuanceMessage msg2 = prover.GenerateSecondMessage(msg1); ThirdIssuanceMessage msg3 = issuer.GenerateThirdMessage(msg2); UProveKeyAndToken[] upkt = prover.GenerateTokens(msg3); // Pseudonym int[] disclosed = new int[0]; int[] committed = new int[] { 2, 4 }; byte[] message = encoding.GetBytes("this is the presentation message, this can be a very long message"); byte[] scope = encoding.GetBytes("scope"); PresentationProof proof; FieldZqElement[] tildeO; // Valid presentation proof = PresentationProof.Generate(ip2, disclosed, committed, 1, scope, message, null, null, upkt[0], attributes, out tildeO); try { proof.Verify(ip2, disclosed, committed, 1, scope, message, null, upkt[0].Token); } catch { Assert.Fail("Proof failed to verify"); } /******** end code from EndToEndTest.cs ***********/ // Use the commitment to attribute x_2 for ID escrow GroupElement Cx2 = proof.Commitments[0].TildeC; // x2 is the first committed attribute FieldZqElement x2 = ProtocolHelper.ComputeXi(ip2, 1, attributes[1]); // attributes[] is zero indexed. FieldZqElement tildeO2 = tildeO[0]; // double check that Cx2 is computed as we expect. GroupElement Cx2Prime = ip2.Gq.G.Exponentiate(x2); Cx2Prime = Cx2Prime.Multiply(ip2.G[1].Exponentiate(tildeO2)); Assert.IsTrue(Cx2Prime.Equals(Cx2)); // Setup IDEscrowParams ieParam3 = new IDEscrowParams(ip2); IDEscrowPrivateKey priv = new IDEscrowPrivateKey(ieParam3); // we can't re-use the keypair above, it was created with different issuer params IDEscrowPublicKey pub = new IDEscrowPublicKey(ieParam3, priv); byte[] tokenID = ProtocolHelper.ComputeTokenID(ip2, upkt[0].Token); // additionalInfo is defined above. // Encrypt IDEscrowCiphertext ctext = IDEscrowFunctions.VerifiableEncrypt(ieParam3, pub, tokenID, Cx2, x2, tildeO2, additionalInfo); // Verify Assert.IsTrue(IDEscrowFunctions.Verify(ieParam3, ctext, tokenID, pub, Cx2)); // Decrypt GroupElement PE = IDEscrowFunctions.Decrypt(ieParam3, ctext, priv); Assert.IsTrue(PE.Equals(ieParam3.Ge.Exponentiate(x2))); // Ensure PE == (ge)^x2 }
public void ProtocolTest() { Stopwatch sw = new Stopwatch(); sw.Start(); bool[] bools = new bool[] { true, false }; foreach (bool isSubgroupConstruction in bools) { foreach (bool supportDevice in bools) { var vectors = supportDevice ? (isSubgroupConstruction ? GetTestVectors("testvectorssubgroup_Device_doc.txt") : GetTestVectors("testvectorsEC_Device_doc.txt")) : (isSubgroupConstruction ? GetTestVectors("testvectorssubgroup_doc.txt") : GetTestVectors("testvectorsEC_doc.txt")); IssuerKeyAndParameters ikap = LoadIssuerKeyAndParameters(isSubgroupConstruction, vectors["GroupName"], supportDevice, vectors); FieldZq Zq = ikap.IssuerParameters.Zq; // replace random y0/g0 with test vector values ikap.PrivateKey = Zq.GetElement(HexToBytes(vectors["y0"])); ikap.IssuerParameters.G[0] = CreateGroupElement(ikap.IssuerParameters.Gq, vectors["g0"]); Assert.AreEqual(ikap.IssuerParameters.G[0], ikap.IssuerParameters.Gq.G.Exponentiate(ikap.PrivateKey), "g0 computation"); IssuerParameters ip = ikap.IssuerParameters; ip.Verify(); /* * issuance */ byte[][] A = new byte[][] { HexToBytes(vectors["A1"]), HexToBytes(vectors["A2"]), HexToBytes(vectors["A3"]), HexToBytes(vectors["A4"]), HexToBytes(vectors["A5"]) }; Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x1"])), ProtocolHelper.ComputeXi(ip, 0, A[0]), "x1"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x2"])), ProtocolHelper.ComputeXi(ip, 1, A[1]), "x2"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x3"])), ProtocolHelper.ComputeXi(ip, 2, A[2]), "x3"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x4"])), ProtocolHelper.ComputeXi(ip, 3, A[3]), "x4"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x5"])), ProtocolHelper.ComputeXi(ip, 4, A[4]), "x5"); byte[] TI = HexToBytes(vectors["TI"]); Assert.IsTrue(HexToBytes(vectors["P"]).SequenceEqual(ip.Digest(supportDevice)), "P"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["xt"])), ProtocolHelper.ComputeXt(ip, TI, supportDevice), "xt"); IDevice device = null; GroupElement hd = null; if (supportDevice) { device = new VirtualDevice(ip, Zq.GetElement(HexToBytes(vectors["xd"])), Zq.GetElement(HexToBytes(vectors["wdPrime"]))); IDevicePresentationContext context = device.GetPresentationContext(); // Test device responses Assert.AreEqual(CreateGroupElement(ip.Gq, vectors["hd"]), device.GetDevicePublicKey(), "hd"); Assert.AreEqual(CreateGroupElement(ip.Gq, vectors["ad"]), context.GetInitialWitness(), "ad"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["rdPrime"])), context.GetDeviceResponse(HexToBytes(vectors["md"]), HexToBytes(vectors["mdPrime"]), ip.HashFunctionOID), "rdPrime"); hd = CreateGroupElement(ip.Gq, vectors["hd"]); } IssuerProtocolParameters ipp = new IssuerProtocolParameters(ikap); ipp.Attributes = A; ipp.NumberOfTokens = 1; ipp.TokenInformation = TI; ipp.DevicePublicKey = hd; ipp.PreGeneratedW = new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["w"])) }; Issuer issuer = ipp.CreateIssuer(); byte[] PI = HexToBytes(vectors["PI"]); ProverProtocolParameters ppp = new ProverProtocolParameters(ip); ppp.Attributes = A; ppp.NumberOfTokens = 1; ppp.TokenInformation = TI; ppp.ProverInformation = PI; ppp.DevicePublicKey = hd; ppp.ProverRandomData = new ProverRandomData( new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["alpha"])) }, new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["beta1"])) }, new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["beta2"])) }); Prover prover = ppp.CreateProver(); FirstIssuanceMessage msg1 = issuer.GenerateFirstMessage(); Assert.AreEqual(msg1.sigmaZ, CreateGroupElement(ip.Gq, vectors["sigmaZ"]), "sigmaZ"); Assert.AreEqual(msg1.sigmaA[0], CreateGroupElement(ip.Gq, vectors["sigmaA"]), "sigmaA"); Assert.AreEqual(msg1.sigmaB[0], CreateGroupElement(ip.Gq, vectors["sigmaB"]), "sigmaB"); SecondIssuanceMessage msg2 = prover.GenerateSecondMessage(msg1); Assert.AreEqual(msg2.sigmaC[0], Zq.GetElement(HexToBytes(vectors["sigmaC"])), "sigmaC"); ThirdIssuanceMessage msg3 = issuer.GenerateThirdMessage(msg2); Assert.AreEqual(msg3.sigmaR[0], Zq.GetElement(HexToBytes(vectors["sigmaR"])), "sigmaR"); UProveKeyAndToken[] upkt = prover.GenerateTokens(msg3); Assert.AreEqual(upkt[0].PrivateKey, Zq.GetElement(HexToBytes(vectors["alphaInverse"])), "alphaInverse"); UProveToken token = upkt[0].Token; Assert.AreEqual(token.H, CreateGroupElement(ip.Gq, vectors["h"]), "h"); Assert.AreEqual(token.SigmaZPrime, CreateGroupElement(ip.Gq, vectors["sigmaZPrime"]), "sigmaZPrime"); Assert.AreEqual(token.SigmaCPrime, Zq.GetElement(HexToBytes(vectors["sigmaCPrime"])), "sigmaCPrime"); Assert.AreEqual(token.SigmaRPrime, Zq.GetElement(HexToBytes(vectors["sigmaRPrime"])), "sigmaRPrime"); Assert.IsTrue(HexToBytes(vectors["UIDt"]).SequenceEqual(ProtocolHelper.ComputeTokenID(ip, token)), "UIDt"); Assert.IsTrue(supportDevice == token.IsDeviceProtected); /* * presentation */ int[] disclosed = Array.ConvertAll <string, int>(vectors["D"].Split(','), new Converter <string, int>(stringToInt)); int[] committed = Array.ConvertAll <string, int>(vectors["C"].Split(','), new Converter <string, int>(stringToInt)); byte[] m = HexToBytes(vectors["m"]); byte[] md = null; IDevicePresentationContext deviceContext = null; if (supportDevice) { md = HexToBytes(vectors["md"]); deviceContext = device.GetPresentationContext(); } int p; if (!int.TryParse(vectors["p"], out p)) { p = PresentationProof.DeviceAttributeIndex; } byte[] s = HexToBytes(vectors["s"]); int commitmentIndex = committed[0]; ProverPresentationProtocolParameters pppp = new ProverPresentationProtocolParameters(ip, disclosed, m, upkt[0], A); pppp.Committed = committed; pppp.PseudonymAttributeIndex = p; pppp.PseudonymScope = s; pppp.DeviceMessage = md; pppp.DeviceContext = deviceContext; pppp.RandomData = new ProofGenerationRandomData( Zq.GetElement(HexToBytes(vectors["w0"])), new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["w1"])), Zq.GetElement(HexToBytes(vectors["w3"])), Zq.GetElement(HexToBytes(vectors["w4"])) }, supportDevice ? Zq.GetElement(HexToBytes(vectors["wd"])) : null, new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["tildeO" + commitmentIndex])), }, new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["tildeW" + commitmentIndex])) }); CommitmentPrivateValues cpv; PresentationProof proof = PresentationProof.Generate(pppp, out cpv); Assert.IsTrue(HexToBytes(vectors["a"]).SequenceEqual(proof.A), "a"); Assert.AreEqual(ProtocolHelper.GenerateScopeElement(ip.Gq, s), CreateGroupElement(ip.Gq, vectors["gs"])); Assert.IsTrue(HexToBytes(vectors["ap"]).SequenceEqual(proof.Ap), "ap"); Assert.AreEqual(proof.Ps, CreateGroupElement(ip.Gq, vectors["Ps"]), "Ps"); Assert.IsTrue(HexToBytes(vectors["A2"]).SequenceEqual(proof.DisclosedAttributes[0]), "A2"); Assert.IsTrue(HexToBytes(vectors["A5"]).SequenceEqual(proof.DisclosedAttributes[1]), "A5"); Assert.AreEqual(proof.R[0], Zq.GetElement(HexToBytes(vectors["r0"])), "r0"); Assert.AreEqual(proof.R[1], Zq.GetElement(HexToBytes(vectors["r1"])), "r1"); Assert.AreEqual(proof.R[2], Zq.GetElement(HexToBytes(vectors["r3"])), "r3"); Assert.AreEqual(proof.R[3], Zq.GetElement(HexToBytes(vectors["r4"])), "r4"); if (supportDevice) { Assert.AreEqual(proof.R[4], Zq.GetElement(HexToBytes(vectors["rd"])), "rd"); } Assert.AreEqual(proof.Commitments[0].TildeR, Zq.GetElement(HexToBytes(vectors["tildeR" + commitmentIndex])), "tildeR" + commitmentIndex); Assert.IsTrue(cpv.TildeO.Length == 1); Assert.AreEqual(cpv.TildeO[0], Zq.GetElement(HexToBytes(vectors["tildeO" + commitmentIndex])), "tildeO" + commitmentIndex); VerifierPresentationProtocolParameters vppp = new VerifierPresentationProtocolParameters(ip, disclosed, m, upkt[0].Token); vppp.Committed = committed; vppp.PseudonymAttributeIndex = p; vppp.PseudonymScope = s; vppp.DeviceMessage = md; proof.Verify(vppp); } } sw.Stop(); Debug.WriteLine("Protocol Test Elapsed Time: " + sw.ElapsedMilliseconds + "ms"); }
public void InequalityTokenIntegration2Test() { // In this example, the token hashes the attribute // but example also works if hashAttributes=false bool hashAttributes = true; // Setting up attributes for token byte[][] attributes = new byte[][] { _encoding.GetBytes("Attribute 1"), _encoding.GetBytes("Attribute 2"), _encoding.GetBytes("Teaching Assistant"), // this is the attribute we'll compare _encoding.GetBytes("Attribute 4") }; // generate token ProverPresentationProtocolParameters prover; VerifierPresentationProtocolParameters verifier; StaticHelperClass.GetUProveParameters(hashAttributes, out prover, out verifier, null, attributes); CommitmentPrivateValues cpv; PresentationProof proof = PresentationProof.Generate(prover, out cpv); // computing target constant - "Student" byte[] targetAttribute = _encoding.GetBytes("Student"); int targetAttributeIndex = 3 - 1; // We will compare "Student" to the third token attribute. FieldZqElement targetValue = ProtocolHelper.ComputeXi(prover.IP, targetAttributeIndex, targetAttribute); // this is what "Student" would be encoded as if it was the third token attribute // Create PedersenCommitments // The prover and verifier have a map Committed that contains the relationship between // token attributes and CommitmentPrivateValues. int commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(prover.Committed, 3); // attribute 3 from prover1 PedersenCommitment ped = new PedersenCommitment(prover, proof, cpv, commitmentIndex); Assert.AreNotEqual(targetValue, ped.CommittedValue, "Committed value is not Student."); // Check that "Teaching Assistant" is the commited value of the pedesen commitment. FieldZqElement expectedCommittedValue = ProtocolHelper.ComputeXi(prover.IP, targetAttributeIndex, _encoding.GetBytes("Teaching Assistant")); Assert.AreEqual(expectedCommittedValue, ped.CommittedValue, "Committed value is Teaching Assistant."); // Create InequalityProof CryptoParameters crypto = new CryptoParameters(prover.IP); // Can use prover2.IP ProverInequalityProofParameters inequalityProver = new ProverInequalityProofParameters(ped, targetValue, crypto); // compares committed values in ped1 and ped2 InequalityProof ineQproof = new InequalityProof(inequalityProver); // Verify InequalityProof commitmentIndex = ClosedPedersenCommitment.GetCommitmentIndex(verifier.Committed, 3); // attribute 3 from prover ClosedPedersenCommitment closedPed = new ClosedPedersenCommitment(verifier.IP, proof, commitmentIndex); VerifierInequalityProofParameters inequalityVerifier = new VerifierInequalityProofParameters(closedPed.Value, targetValue, crypto); Assert.IsTrue(ineQproof.Verify(inequalityVerifier)); // test U-Prove wrapper InequalityProof ineQProof2 = InequalityProof.GenerateUProveInequalityProof( new EQProofUProveProverData(prover, cpv, proof, 3), targetAttribute); InequalityProof.VerifyUProveEqualityProof( new EQProofUProveVerifierData(verifier, proof, 3), targetAttribute, ineQProof2); }
public void ProtocolTest() { Stopwatch sw = new Stopwatch(); sw.Start(); bool[] bools = new bool[] { true, false }; foreach (bool isSubgroupConstruction in bools) { foreach (bool supportDevice in bools) { foreach (int DSize in new int[] { 0, 2, 5 }) { foreach (bool isLite in bools) { string filename = "TestVectorData\\testvectors_"; if (isSubgroupConstruction) { filename += "SG"; } else { filename += "EC"; } if (supportDevice) { filename += "_Device"; } filename += ("_D" + DSize); if (isLite) { filename += "_lite"; } filename += "_doc.txt"; var vectors = GetTestVectors(filename); IssuerKeyAndParameters ikap = LoadIssuerKeyAndParameters(isSubgroupConstruction, vectors["GroupName"], supportDevice, vectors); FieldZq Zq = ikap.IssuerParameters.Zq; // replace random y0/g0 with test vector values ikap.PrivateKey = Zq.GetElement(HexToBytes(vectors["y0"])); ikap.IssuerParameters.G[0] = CreateGroupElement(ikap.IssuerParameters.Gq, vectors["g0"]); Assert.AreEqual(ikap.IssuerParameters.G[0], ikap.IssuerParameters.Gq.G.Exponentiate(ikap.PrivateKey), "g0 computation"); IssuerParameters ip = ikap.IssuerParameters; ip.Verify(); /* * issuance */ byte[][] A = new byte[][] { HexToBytes(vectors["A1"]), HexToBytes(vectors["A2"]), HexToBytes(vectors["A3"]), HexToBytes(vectors["A4"]), HexToBytes(vectors["A5"]) }; Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x1"])), ProtocolHelper.ComputeXi(ip, 0, A[0]), "x1"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x2"])), ProtocolHelper.ComputeXi(ip, 1, A[1]), "x2"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x3"])), ProtocolHelper.ComputeXi(ip, 2, A[2]), "x3"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x4"])), ProtocolHelper.ComputeXi(ip, 3, A[3]), "x4"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["x5"])), ProtocolHelper.ComputeXi(ip, 4, A[4]), "x5"); byte[] TI = HexToBytes(vectors["TI"]); Assert.IsTrue(HexToBytes(vectors["P"]).SequenceEqual(ip.Digest(supportDevice)), "P"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["xt"])), ProtocolHelper.ComputeXt(ip, TI, supportDevice), "xt"); IDevice device = null; GroupElement hd = null; if (supportDevice) { device = new VirtualDevice(ip, Zq.GetElement(HexToBytes(vectors["xd"])), Zq.GetElement(HexToBytes(vectors["wdPrime"]))); IDevicePresentationContext context = device.GetPresentationContext(); // Test device responses Assert.AreEqual(CreateGroupElement(ip.Gq, vectors["hd"]), device.GetDevicePublicKey(), "hd"); Assert.AreEqual(CreateGroupElement(ip.Gq, vectors["ad"]), context.GetInitialWitness(), "ad"); Assert.AreEqual(Zq.GetElement(HexToBytes(vectors["rdPrime"])), context.GetDeviceResponse(HexToBytes(vectors["md"]), HexToBytes(vectors["cp"]), ip.HashFunctionOID), "rdPrime"); hd = CreateGroupElement(ip.Gq, vectors["hd"]); } IssuerProtocolParameters ipp = new IssuerProtocolParameters(ikap); ipp.Attributes = A; ipp.NumberOfTokens = 1; ipp.TokenInformation = TI; ipp.DevicePublicKey = hd; ipp.PreGeneratedW = new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["w"])) }; Issuer issuer = ipp.CreateIssuer(); byte[] PI = HexToBytes(vectors["PI"]); ProverProtocolParameters ppp = new ProverProtocolParameters(ip); ppp.Attributes = A; ppp.NumberOfTokens = 1; ppp.TokenInformation = TI; ppp.ProverInformation = PI; ppp.DevicePublicKey = hd; ppp.ProverRandomData = new ProverRandomData( new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["alpha"])) }, new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["beta1"])) }, new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["beta2"])) }); Prover prover = ppp.CreateProver(); FirstIssuanceMessage msg1 = issuer.GenerateFirstMessage(); Assert.AreEqual(msg1.sigmaZ, CreateGroupElement(ip.Gq, vectors["sigmaZ"]), "sigmaZ"); Assert.AreEqual(msg1.sigmaA[0], CreateGroupElement(ip.Gq, vectors["sigmaA"]), "sigmaA"); Assert.AreEqual(msg1.sigmaB[0], CreateGroupElement(ip.Gq, vectors["sigmaB"]), "sigmaB"); SecondIssuanceMessage msg2 = prover.GenerateSecondMessage(msg1); Assert.AreEqual(msg2.sigmaC[0], Zq.GetElement(HexToBytes(vectors["sigmaC"])), "sigmaC"); ThirdIssuanceMessage msg3 = issuer.GenerateThirdMessage(msg2); Assert.AreEqual(msg3.sigmaR[0], Zq.GetElement(HexToBytes(vectors["sigmaR"])), "sigmaR"); UProveKeyAndToken[] upkt = prover.GenerateTokens(msg3); Assert.AreEqual(upkt[0].PrivateKey, Zq.GetElement(HexToBytes(vectors["alphaInverse"])), "alphaInverse"); UProveToken token = upkt[0].Token; Assert.AreEqual(token.H, CreateGroupElement(ip.Gq, vectors["h"]), "h"); Assert.AreEqual(token.SigmaZPrime, CreateGroupElement(ip.Gq, vectors["sigmaZPrime"]), "sigmaZPrime"); Assert.AreEqual(token.SigmaCPrime, Zq.GetElement(HexToBytes(vectors["sigmaCPrime"])), "sigmaCPrime"); Assert.AreEqual(token.SigmaRPrime, Zq.GetElement(HexToBytes(vectors["sigmaRPrime"])), "sigmaRPrime"); Assert.IsTrue(HexToBytes(vectors["UIDt"]).SequenceEqual(ProtocolHelper.ComputeTokenID(ip, token)), "UIDt"); Assert.IsTrue(supportDevice == token.IsDeviceProtected); /* * presentation */ int[] disclosed = new int[] { }; if (vectors.ContainsKey("D") && vectors["D"].Length > 0) { disclosed = Array.ConvertAll <string, int>(vectors["D"].Split(','), new Converter <string, int>(stringToInt)); } int[] undisclosed = new int[5 - disclosed.Length]; int dIndex = 0, uIndex = 0; for (int i = 1; i <= 5; i++) { if (disclosed.Length > 0 && disclosed[dIndex] == i) { dIndex++; } else { undisclosed[uIndex++] = i; } } int[] committed = new int[] { }; if (vectors.ContainsKey("C") && vectors["C"].Length > 0) { committed = Array.ConvertAll <string, int>(vectors["C"].Split(','), new Converter <string, int>(stringToInt)); } byte[] m = HexToBytes(vectors["m"]); byte[] md = HexToBytes(vectors["md"]); IDevicePresentationContext deviceContext = null; if (supportDevice) { deviceContext = device.GetPresentationContext(); } int p = 0; if (vectors.ContainsKey("p") && !int.TryParse(vectors["p"], out p)) { p = PresentationProof.DeviceAttributeIndex; } byte[] s = vectors.ContainsKey("s") ? HexToBytes(vectors["s"]) : null; int commitmentIndex = committed.Length > 0 ? committed[0] : 0; ProverPresentationProtocolParameters pppp = new ProverPresentationProtocolParameters(ip, disclosed, m, upkt[0], A); pppp.Committed = committed; pppp.PseudonymAttributeIndex = p; pppp.PseudonymScope = s; pppp.DeviceMessage = md; pppp.DeviceContext = deviceContext; FieldZqElement[] w = new FieldZqElement[undisclosed.Length]; for (int i = 0; i < undisclosed.Length; i++) { w[i] = Zq.GetElement(HexToBytes(vectors["w" + undisclosed[i]])); } FieldZqElement[] tildeO = new FieldZqElement[committed.Length]; FieldZqElement[] tildeW = new FieldZqElement[committed.Length]; for (int i = 0; i < committed.Length; i++) { tildeO[i] = Zq.GetElement(HexToBytes(vectors["tildeO" + committed[i]])); tildeW[i] = Zq.GetElement(HexToBytes(vectors["tildeW" + committed[i]])); } pppp.RandomData = new ProofGenerationRandomData( Zq.GetElement(HexToBytes(vectors["w0"])), w, supportDevice ? Zq.GetElement(HexToBytes(vectors["wd"])) : null, tildeO, tildeW); CommitmentPrivateValues cpv; PresentationProof proof = PresentationProof.Generate(pppp, out cpv); Assert.IsTrue(HexToBytes(vectors["a"]).SequenceEqual(proof.A), "a"); if (vectors.ContainsKey("gs")) { Assert.AreEqual(ProtocolHelper.GenerateScopeElement(ip.Gq, s), CreateGroupElement(ip.Gq, vectors["gs"])); Assert.IsTrue(HexToBytes(vectors["ap"]).SequenceEqual(proof.Ap), "ap"); Assert.AreEqual(proof.Ps, CreateGroupElement(ip.Gq, vectors["Ps"]), "Ps"); } for (int i = 0; i < disclosed.Length; i++) { Assert.IsTrue(HexToBytes(vectors["A" + disclosed[i]]).SequenceEqual(proof.DisclosedAttributes[i]), "A" + disclosed[i]); } Assert.AreEqual(proof.R[0], Zq.GetElement(HexToBytes(vectors["r0"])), "r0"); for (int i = 0; i < undisclosed.Length; i++) { Assert.AreEqual(proof.R[i + 1], Zq.GetElement(HexToBytes(vectors["r" + undisclosed[i]])), "r" + undisclosed[i]); } if (supportDevice) { Assert.AreEqual(proof.R[proof.R.Length - 1], Zq.GetElement(HexToBytes(vectors["rd"])), "rd"); } for (int i = 0; i < committed.Length; i++) { Assert.AreEqual(proof.Commitments[i].TildeR, Zq.GetElement(HexToBytes(vectors["tildeR" + committed[i]])), "tildeR" + committed[i]); Assert.IsTrue(cpv.TildeO.Length == committed.Length); Assert.AreEqual(cpv.TildeO[i], Zq.GetElement(HexToBytes(vectors["tildeO" + committed[i]])), "tildeO" + committed[i]); } VerifierPresentationProtocolParameters vppp = new VerifierPresentationProtocolParameters(ip, disclosed, m, upkt[0].Token); vppp.Committed = committed; vppp.PseudonymAttributeIndex = p; vppp.PseudonymScope = s; vppp.DeviceMessage = md; proof.Verify(vppp); #if TEST_ID_ESCROW if (committed.Length > 0) { IDEscrowParams escrowParams = new IDEscrowParams(ip); IDEscrowPrivateKey escrowPrivateKey = new IDEscrowPrivateKey(Zq.GetElement(HexToBytes(vectors["ie_x"]))); IDEscrowPublicKey escrowPublicKey = new IDEscrowPublicKey(escrowParams, escrowPrivateKey); Assert.AreEqual(escrowPublicKey.H, CreateGroupElement(ip.Gq, vectors["ie_H"]), "ie_H"); byte[] additionalInfo = HexToBytes(vectors["ie_additionalInfo"]); int ie_bIndex = int.Parse(vectors["ie_b"]); IDEscrowCiphertext ctext = IDEscrowFunctions.VerifiableEncrypt( escrowParams, escrowPublicKey, HexToBytes(vectors["UIDt"]), proof.Commitments[0].TildeC, ProtocolHelper.ComputeXi(ip, ie_bIndex - 1, A[ie_bIndex - 1]), cpv.TildeO[0], additionalInfo, new IDEscrowFunctions.IDEscrowProofGenerationRandomData( Zq.GetElement(HexToBytes(vectors["ie_r"])), Zq.GetElement(HexToBytes(vectors["ie_xbPrime"])), Zq.GetElement(HexToBytes(vectors["ie_rPrime"])), Zq.GetElement(HexToBytes(vectors["ie_obPrime"])))); Assert.IsTrue(IDEscrowFunctions.UProveVerify(escrowParams, ctext, proof, upkt[0].Token, escrowPublicKey)); Assert.AreEqual(ctext.E1, CreateGroupElement(ip.Gq, vectors["ie_E1"]), "ie_E1"); Assert.AreEqual(ctext.E2, CreateGroupElement(ip.Gq, vectors["ie_E2"]), "ie_E2"); Assert.AreEqual(ctext.proof.c, Zq.GetElement(HexToBytes(vectors["ie_c"])), "ie_c"); Assert.AreEqual(ctext.proof.rR, Zq.GetElement(HexToBytes(vectors["ie_rr"])), "ie_rr"); Assert.AreEqual(ctext.proof.rXb, Zq.GetElement(HexToBytes(vectors["ie_rxb"])), "ie_rxb"); Assert.AreEqual(ctext.proof.rOb, Zq.GetElement(HexToBytes(vectors["ie_rob"])), "ie_rob"); GroupElement PE = IDEscrowFunctions.Decrypt(escrowParams, ctext, escrowPrivateKey); } #endif #if TEST_DVA_REVOCATION if (committed.Length > 0) { RAParameters raParams = new RAParameters(ip.Gq.GroupName, CreateGroupElement(ip.Gq, vectors["r_K"]), ip.UidH); FieldZqElement delta = Zq.GetElement(HexToBytes(vectors["r_delta"])); RevocationAuthority RA = new RevocationAuthority(raParams, delta); HashSet <FieldZqElement> revoked = new HashSet <FieldZqElement>(); for (int i = 1; i <= 4; i++) { revoked.Add(Zq.GetElement(HexToBytes(vectors["r_R" + i]))); } RA.UpdateAccumulator(revoked, null); Assert.AreEqual(RA.Accumulator, CreateGroupElement(ip.Gq, vectors["r_V"]), "r_V"); int r_id = 0; int.TryParse(vectors["r_id"], out r_id); RevocationWitness witness = RA.ComputeRevocationWitness(revoked, Zq.GetElement(HexToBytes(vectors["x" + r_id]))); Assert.AreEqual(witness.d, Zq.GetElement(HexToBytes(vectors["r_d"])), "r_d"); Assert.AreEqual(witness.W, CreateGroupElement(ip.Gq, vectors["r_W"]), "r_W"); Assert.AreEqual(witness.Q, CreateGroupElement(ip.Gq, vectors["r_Q"]), "r_Q"); NonRevocationProof nrProof = RevocationUser.GenerateNonRevocationProof( raParams, witness, proof.Commitments[0].TildeC, ProtocolHelper.ComputeXi(ip, r_id - 1, A[r_id - 1]), cpv.TildeO[0], new NonRevocationProofGenerationRandomData(new FieldZqElement[] { Zq.GetElement(HexToBytes(vectors["r_t1"])), Zq.GetElement(HexToBytes(vectors["r_t2"])), Zq.GetElement(HexToBytes(vectors["r_k1"])), Zq.GetElement(HexToBytes(vectors["r_k2"])), Zq.GetElement(HexToBytes(vectors["r_k3"])), Zq.GetElement(HexToBytes(vectors["r_k4"])), Zq.GetElement(HexToBytes(vectors["r_k5"])), Zq.GetElement(HexToBytes(vectors["r_k6"])) })); Assert.AreEqual(nrProof.X, CreateGroupElement(ip.Gq, vectors["r_X"]), "r_X"); Assert.AreEqual(nrProof.Y, CreateGroupElement(ip.Gq, vectors["r_Y"]), "r_Y"); Assert.AreEqual(nrProof.Cd, CreateGroupElement(ip.Gq, vectors["r_Cd"]), "r_Cd"); Assert.AreEqual(nrProof.cPrime, Zq.GetElement(HexToBytes(vectors["r_cPrime"])), "r_cPrime"); Assert.AreEqual(nrProof.s[0], Zq.GetElement(HexToBytes(vectors["r_s1"])), "r_s1"); Assert.AreEqual(nrProof.s[1], Zq.GetElement(HexToBytes(vectors["r_s2"])), "r_s2"); Assert.AreEqual(nrProof.s[2], Zq.GetElement(HexToBytes(vectors["r_s3"])), "r_s3"); Assert.AreEqual(nrProof.s[3], Zq.GetElement(HexToBytes(vectors["r_s4"])), "r_s4"); Assert.AreEqual(nrProof.s[4], Zq.GetElement(HexToBytes(vectors["r_s5"])), "r_s5"); Assert.AreEqual(nrProof.s[5], Zq.GetElement(HexToBytes(vectors["r_s6"])), "r_s6"); // validate proof RA.VerifyNonRevocationProof(ip, 0, proof, nrProof); } #endif #if TEST_SET_MEMBERSHIP if (committed.Length > 0) { int sm_x_index = 0; int.TryParse(vectors["sm_x_index"], out sm_x_index); int sm_n = 0; int.TryParse(vectors["sm_n"], out sm_n); int sm_i = 0; int.TryParse(vectors["sm_i"], out sm_i); byte[][] setValues = new byte[sm_n][]; FieldZqElement[] sm_c = new FieldZqElement[sm_n - 1]; FieldZqElement[] sm_r = new FieldZqElement[sm_n - 1]; int randomIndex = 0; for (int i = 1; i <= sm_n; i++) { if (i == sm_i) { setValues[i - 1] = HexToBytes(vectors["A" + sm_x_index]); } else { setValues[i - 1] = HexToBytes(vectors["sm_s" + i]); sm_c[randomIndex] = Zq.GetElement(HexToBytes(vectors["sm_c" + i])); sm_r[randomIndex] = Zq.GetElement(HexToBytes(vectors["sm_r" + i])); randomIndex++; } } SetMembershipProofGenerationRandomData smRandom = new SetMembershipProofGenerationRandomData(sm_c, sm_r, Zq.GetElement(HexToBytes(vectors["sm_w"]))); SetMembershipProof setMembershipProof = SetMembershipProof.Generate(pppp, proof, cpv, sm_x_index, setValues, smRandom); for (int i = 1; i <= sm_n; i++) { Assert.AreEqual(setMembershipProof.a[i - 1], CreateGroupElement(ip.Gq, vectors["sm_a" + i]), "sm_a" + i); if (i < sm_n) // no c_n in the proof { Assert.AreEqual(setMembershipProof.c[i - 1], Zq.GetElement(HexToBytes(vectors["sm_c" + i])), "sm_c" + i); } Assert.AreEqual(setMembershipProof.r[i - 1], Zq.GetElement(HexToBytes(vectors["sm_r" + i])), "sm_r" + i); } if (!SetMembershipProof.Verify(vppp, proof, setMembershipProof, sm_x_index, setValues)) { throw new InvalidUProveArtifactException("Invalid set membership proof"); } } #endif } } } } sw.Stop(); Debug.WriteLine("Protocol Test Elapsed Time: " + sw.ElapsedMilliseconds + "ms"); }
public void PseudonymAndCommitmentsTest() { // Issuer setup IssuerSetupParameters isp = new IssuerSetupParameters(maxNumberOfAttributes); isp.UidP = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 }; isp.E = new byte[] { (byte)1, (byte)1, (byte)1, (byte)1 }; isp.UseRecommendedParameterSet = true; isp.S = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 }; IssuerKeyAndParameters ikap = isp.Generate(); IssuerParameters ip = ikap.IssuerParameters; // Issuance byte[][] attributes = new byte[][] { encoding.GetBytes("Attribute 1"), encoding.GetBytes("Attribute 2"), encoding.GetBytes("Attribute 3"), encoding.GetBytes("Attribute 4") }; byte[] tokenInformation = new byte[] { }; byte[] proverInformation = new byte[] { }; int numberOfTokens = 1; IssuerProtocolParameters ipp = new IssuerProtocolParameters(ikap); ipp.Attributes = attributes; ipp.NumberOfTokens = numberOfTokens; ipp.TokenInformation = tokenInformation; Issuer issuer = ipp.CreateIssuer(); FirstIssuanceMessage msg1 = issuer.GenerateFirstMessage(); ProverProtocolParameters ppp = new ProverProtocolParameters(ip); ppp.Attributes = attributes; ppp.NumberOfTokens = numberOfTokens; ppp.TokenInformation = tokenInformation; ppp.ProverInformation = proverInformation; Prover prover = ppp.CreateProver(); SecondIssuanceMessage msg2 = prover.GenerateSecondMessage(msg1); ThirdIssuanceMessage msg3 = issuer.GenerateThirdMessage(msg2); UProveKeyAndToken[] upkt = prover.GenerateTokens(msg3); // Pseudonym int[] disclosed = new int[0]; int[] committed = new int[] { 2, 4 }; byte[] message = encoding.GetBytes("this is the presentation message, this can be a very long message"); byte[] scope = encoding.GetBytes("scope"); PresentationProof proof; FieldZqElement[] tildeO; // Valid presentation proof = PresentationProof.Generate(ip, disclosed, committed, 1, scope, message, null, null, upkt[0], attributes, out tildeO); proof.Verify(ip, disclosed, committed, 1, scope, message, null, upkt[0].Token); // Invalid pseudonym (wrong scope) proof = PresentationProof.Generate(ip, disclosed, committed, 1, scope, message, null, null, upkt[0], attributes, out tildeO); try { proof.Verify(ip, disclosed, committed, 1, encoding.GetBytes("bad scope"), message, null, upkt[0].Token); Assert.Fail(); } catch (InvalidUProveArtifactException) { } // Invalid pseudonym (wrong attribute) try { proof.Verify(ip, disclosed, committed, 2, scope, message, null, upkt[0].Token); Assert.Fail(); } catch (InvalidUProveArtifactException) { } // Invalid commitment (null list) try { proof.Verify(ip, disclosed, null, 2, scope, message, null, upkt[0].Token); Assert.Fail(); } catch (InvalidUProveArtifactException) { } // Invalid commitment (wrong committed values) try { proof.Verify(ip, disclosed, new int[] { 1, 4 }, 2, scope, message, null, upkt[0].Token); Assert.Fail(); } catch (InvalidUProveArtifactException) { } // Invalid commitment (wront number of committed values) try { proof.Verify(ip, disclosed, new int[] { 1 }, 2, scope, message, null, upkt[0].Token); Assert.Fail(); } catch (InvalidUProveArtifactException) { } // Invalid commitment (value) proof.Commitments[0].TildeA[0]++; try { proof.Verify(ip, disclosed, committed, 2, scope, message, null, upkt[0].Token); Assert.Fail(); } catch (InvalidUProveArtifactException) { } // Ensure tildeO is correct GroupElement Cx2 = proof.Commitments[0].TildeC; // x2 is the first committed attribute FieldZqElement x2 = ProtocolHelper.ComputeXi(ip, 1, attributes[1]); // attributes[] is zero indexed. FieldZqElement tildeO2 = tildeO[0]; // double check that Cx2 is computed correctly. GroupElement Cx2Prime = ip.Gq.MultiExponentiate(new GroupElement[] { ip.Gq.G, ip.G[1] }, new FieldZqElement[] { x2, tildeO2 }); Assert.IsTrue(Cx2Prime.Equals(Cx2)); }