github.com/anjalikarhana/fabric@v2.1.1+incompatible/idemix/signature.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package idemix 8 9 import ( 10 "crypto/ecdsa" 11 "sort" 12 13 "github.com/hyperledger/fabric-amcl/amcl" 14 "github.com/hyperledger/fabric-amcl/amcl/FP256BN" 15 "github.com/pkg/errors" 16 ) 17 18 // signLabel is the label used in zero-knowledge proof (ZKP) to identify that this ZKP is a signature of knowledge 19 const signLabel = "sign" 20 21 // A signature that is produced using an Identity Mixer credential is a so-called signature of knowledge 22 // (for details see C.P.Schnorr "Efficient Identification and Signatures for Smart Cards") 23 // An Identity Mixer signature is a signature of knowledge that signs a message and proves (in zero-knowledge) 24 // the knowledge of the user secret (and possibly attributes) signed inside a credential 25 // that was issued by a certain issuer (referred to with the issuer public key) 26 // The signature is verified using the message being signed and the public key of the issuer 27 // Some of the attributes from the credential can be selectively disclosed or different statements can be proven about 28 // credential attributes without disclosing them in the clear 29 // The difference between a standard signature using X.509 certificates and an Identity Mixer signature is 30 // the advanced privacy features provided by Identity Mixer (due to zero-knowledge proofs): 31 // - Unlinkability of the signatures produced with the same credential 32 // - Selective attribute disclosure and predicates over attributes 33 34 // Make a slice of all the attribute indices that will not be disclosed 35 func hiddenIndices(Disclosure []byte) []int { 36 HiddenIndices := make([]int, 0) 37 for index, disclose := range Disclosure { 38 if disclose == 0 { 39 HiddenIndices = append(HiddenIndices, index) 40 } 41 } 42 return HiddenIndices 43 } 44 45 // NewSignature creates a new idemix signature (Schnorr-type signature) 46 // The []byte Disclosure steers which attributes are disclosed: 47 // if Disclosure[i] == 0 then attribute i remains hidden and otherwise it is disclosed. 48 // We require the revocation handle to remain undisclosed (i.e., Disclosure[rhIndex] == 0). 49 // We use the zero-knowledge proof by http://eprint.iacr.org/2016/663.pdf, Sec. 4.5 to prove knowledge of a BBS+ signature 50 func NewSignature(cred *Credential, sk *FP256BN.BIG, Nym *FP256BN.ECP, RNym *FP256BN.BIG, ipk *IssuerPublicKey, Disclosure []byte, msg []byte, rhIndex int, cri *CredentialRevocationInformation, rng *amcl.RAND) (*Signature, error) { 51 // Validate inputs 52 if cred == nil || sk == nil || Nym == nil || RNym == nil || ipk == nil || rng == nil || cri == nil { 53 return nil, errors.Errorf("cannot create idemix signature: received nil input") 54 } 55 56 if rhIndex < 0 || rhIndex >= len(ipk.AttributeNames) || len(Disclosure) != len(ipk.AttributeNames) { 57 return nil, errors.Errorf("cannot create idemix signature: received invalid input") 58 } 59 60 if cri.RevocationAlg != int32(ALG_NO_REVOCATION) && Disclosure[rhIndex] == 1 { 61 return nil, errors.Errorf("Attribute %d is disclosed but also used as revocation handle attribute, which should remain hidden.", rhIndex) 62 } 63 64 // locate the indices of the attributes to hide and sample randomness for them 65 HiddenIndices := hiddenIndices(Disclosure) 66 67 // Generate required randomness r_1, r_2 68 r1 := RandModOrder(rng) 69 r2 := RandModOrder(rng) 70 // Set r_3 as \frac{1}{r_1} 71 r3 := FP256BN.NewBIGcopy(r1) 72 r3.Invmodp(GroupOrder) 73 74 // Sample a nonce 75 Nonce := RandModOrder(rng) 76 77 // Parse credential 78 A := EcpFromProto(cred.A) 79 B := EcpFromProto(cred.B) 80 81 // Randomize credential 82 83 // Compute A' as A^{r_!} 84 APrime := FP256BN.G1mul(A, r1) 85 86 // Compute ABar as A'^{-e} b^{r1} 87 ABar := FP256BN.G1mul(B, r1) 88 ABar.Sub(FP256BN.G1mul(APrime, FP256BN.FromBytes(cred.E))) 89 90 // Compute B' as b^{r1} / h_r^{r2}, where h_r is h_r 91 BPrime := FP256BN.G1mul(B, r1) 92 HRand := EcpFromProto(ipk.HRand) 93 // Parse h_{sk} from ipk 94 HSk := EcpFromProto(ipk.HSk) 95 96 BPrime.Sub(FP256BN.G1mul(HRand, r2)) 97 98 S := FP256BN.FromBytes(cred.S) 99 E := FP256BN.FromBytes(cred.E) 100 101 // Compute s' as s - r_2 \cdot r_3 102 sPrime := Modsub(S, FP256BN.Modmul(r2, r3, GroupOrder), GroupOrder) 103 104 // The rest of this function constructs the non-interactive zero knowledge proof 105 // that links the signature, the non-disclosed attributes and the nym. 106 107 // Sample the randomness used to compute the commitment values (aka t-values) for the ZKP 108 rSk := RandModOrder(rng) 109 re := RandModOrder(rng) 110 rR2 := RandModOrder(rng) 111 rR3 := RandModOrder(rng) 112 rSPrime := RandModOrder(rng) 113 rRNym := RandModOrder(rng) 114 115 rAttrs := make([]*FP256BN.BIG, len(HiddenIndices)) 116 for i := range HiddenIndices { 117 rAttrs[i] = RandModOrder(rng) 118 } 119 120 // First compute the non-revocation proof. 121 // The challenge of the ZKP needs to depend on it, as well. 122 prover, err := getNonRevocationProver(RevocationAlgorithm(cri.RevocationAlg)) 123 if err != nil { 124 return nil, err 125 } 126 nonRevokedProofHashData, err := prover.getFSContribution( 127 FP256BN.FromBytes(cred.Attrs[rhIndex]), 128 rAttrs[sort.SearchInts(HiddenIndices, rhIndex)], 129 cri, 130 rng, 131 ) 132 if err != nil { 133 return nil, errors.Wrap(err, "failed to compute non-revoked proof") 134 } 135 136 // Step 1: First message (t-values) 137 138 // t1 is related to knowledge of the credential (recall, it is a BBS+ signature) 139 t1 := APrime.Mul2(re, HRand, rR2) // A'^{r_E} \cdot h_r^{r_{r2}} 140 141 // t2: is related to knowledge of the non-disclosed attributes that signed in (A,B,S,E) 142 t2 := FP256BN.G1mul(HRand, rSPrime) // h_r^{r_{s'}} 143 t2.Add(BPrime.Mul2(rR3, HSk, rSk)) // B'^{r_{r3}} \cdot h_{sk}^{r_{sk}} 144 for i := 0; i < len(HiddenIndices)/2; i++ { 145 t2.Add( 146 // \cdot h_{2 \cdot i}^{r_{attrs,i} 147 EcpFromProto(ipk.HAttrs[HiddenIndices[2*i]]).Mul2( 148 rAttrs[2*i], 149 EcpFromProto(ipk.HAttrs[HiddenIndices[2*i+1]]), 150 rAttrs[2*i+1], 151 ), 152 ) 153 } 154 if len(HiddenIndices)%2 != 0 { 155 t2.Add(FP256BN.G1mul(EcpFromProto(ipk.HAttrs[HiddenIndices[len(HiddenIndices)-1]]), rAttrs[len(HiddenIndices)-1])) 156 } 157 158 // t3 is related to the knowledge of the secrets behind the pseudonym, which is also signed in (A,B,S,E) 159 t3 := HSk.Mul2(rSk, HRand, rRNym) // h_{sk}^{r_{sk}} \cdot h_r^{r_{rnym}} 160 161 // Step 2: Compute the Fiat-Shamir hash, forming the challenge of the ZKP. 162 163 // Compute the Fiat-Shamir hash, forming the challenge of the ZKP. 164 // proofData is the data being hashed, it consists of: 165 // the signature label 166 // 7 elements of G1 each taking 2*FieldBytes+1 bytes 167 // one bigint (hash of the issuer public key) of length FieldBytes 168 // disclosed attributes 169 // message being signed 170 // the amount of bytes needed for the nonrevocation proof 171 proofData := make([]byte, len([]byte(signLabel))+7*(2*FieldBytes+1)+FieldBytes+len(Disclosure)+len(msg)+ProofBytes[RevocationAlgorithm(cri.RevocationAlg)]) 172 index := 0 173 index = appendBytesString(proofData, index, signLabel) 174 index = appendBytesG1(proofData, index, t1) 175 index = appendBytesG1(proofData, index, t2) 176 index = appendBytesG1(proofData, index, t3) 177 index = appendBytesG1(proofData, index, APrime) 178 index = appendBytesG1(proofData, index, ABar) 179 index = appendBytesG1(proofData, index, BPrime) 180 index = appendBytesG1(proofData, index, Nym) 181 index = appendBytes(proofData, index, nonRevokedProofHashData) 182 copy(proofData[index:], ipk.Hash) 183 index = index + FieldBytes 184 copy(proofData[index:], Disclosure) 185 index = index + len(Disclosure) 186 copy(proofData[index:], msg) 187 c := HashModOrder(proofData) 188 189 // add the previous hash and the nonce and hash again to compute a second hash (C value) 190 index = 0 191 proofData = proofData[:2*FieldBytes] 192 index = appendBytesBig(proofData, index, c) 193 index = appendBytesBig(proofData, index, Nonce) 194 ProofC := HashModOrder(proofData) 195 196 // Step 3: reply to the challenge message (s-values) 197 ProofSSk := Modadd(rSk, FP256BN.Modmul(ProofC, sk, GroupOrder), GroupOrder) // s_sk = rSK + C \cdot sk 198 ProofSE := Modsub(re, FP256BN.Modmul(ProofC, E, GroupOrder), GroupOrder) // s_e = re + C \cdot E 199 ProofSR2 := Modadd(rR2, FP256BN.Modmul(ProofC, r2, GroupOrder), GroupOrder) // s_r2 = rR2 + C \cdot r2 200 ProofSR3 := Modsub(rR3, FP256BN.Modmul(ProofC, r3, GroupOrder), GroupOrder) // s_r3 = rR3 + C \cdot r3 201 ProofSSPrime := Modadd(rSPrime, FP256BN.Modmul(ProofC, sPrime, GroupOrder), GroupOrder) // s_S' = rSPrime + C \cdot sPrime 202 ProofSRNym := Modadd(rRNym, FP256BN.Modmul(ProofC, RNym, GroupOrder), GroupOrder) // s_RNym = rRNym + C \cdot RNym 203 ProofSAttrs := make([][]byte, len(HiddenIndices)) 204 for i, j := range HiddenIndices { 205 ProofSAttrs[i] = BigToBytes( 206 // s_attrsi = rAttrsi + C \cdot cred.Attrs[j] 207 Modadd(rAttrs[i], FP256BN.Modmul(ProofC, FP256BN.FromBytes(cred.Attrs[j]), GroupOrder), GroupOrder), 208 ) 209 } 210 211 // Compute the revocation part 212 nonRevokedProof, err := prover.getNonRevokedProof(ProofC) 213 if err != nil { 214 return nil, err 215 } 216 217 // We are done. Return signature 218 return &Signature{ 219 APrime: EcpToProto(APrime), 220 ABar: EcpToProto(ABar), 221 BPrime: EcpToProto(BPrime), 222 ProofC: BigToBytes(ProofC), 223 ProofSSk: BigToBytes(ProofSSk), 224 ProofSE: BigToBytes(ProofSE), 225 ProofSR2: BigToBytes(ProofSR2), 226 ProofSR3: BigToBytes(ProofSR3), 227 ProofSSPrime: BigToBytes(ProofSSPrime), 228 ProofSAttrs: ProofSAttrs, 229 Nonce: BigToBytes(Nonce), 230 Nym: EcpToProto(Nym), 231 ProofSRNym: BigToBytes(ProofSRNym), 232 RevocationEpochPk: cri.EpochPk, 233 RevocationPkSig: cri.EpochPkSig, 234 Epoch: cri.Epoch, 235 NonRevocationProof: nonRevokedProof}, 236 nil 237 } 238 239 // Ver verifies an idemix signature 240 // Disclosure steers which attributes it expects to be disclosed 241 // attributeValues contains the desired attribute values. 242 // This function will check that if attribute i is disclosed, the i-th attribute equals attributeValues[i]. 243 func (sig *Signature) Ver(Disclosure []byte, ipk *IssuerPublicKey, msg []byte, attributeValues []*FP256BN.BIG, rhIndex int, revPk *ecdsa.PublicKey, epoch int) error { 244 // Validate inputs 245 if ipk == nil || revPk == nil { 246 return errors.Errorf("cannot verify idemix signature: received nil input") 247 } 248 249 if rhIndex < 0 || rhIndex >= len(ipk.AttributeNames) || len(Disclosure) != len(ipk.AttributeNames) { 250 return errors.Errorf("cannot verify idemix signature: received invalid input") 251 } 252 253 if sig.NonRevocationProof.RevocationAlg != int32(ALG_NO_REVOCATION) && Disclosure[rhIndex] == 1 { 254 return errors.Errorf("Attribute %d is disclosed but is also used as revocation handle, which should remain hidden.", rhIndex) 255 } 256 257 HiddenIndices := hiddenIndices(Disclosure) 258 259 // Parse signature 260 APrime := EcpFromProto(sig.GetAPrime()) 261 ABar := EcpFromProto(sig.GetABar()) 262 BPrime := EcpFromProto(sig.GetBPrime()) 263 Nym := EcpFromProto(sig.GetNym()) 264 ProofC := FP256BN.FromBytes(sig.GetProofC()) 265 ProofSSk := FP256BN.FromBytes(sig.GetProofSSk()) 266 ProofSE := FP256BN.FromBytes(sig.GetProofSE()) 267 ProofSR2 := FP256BN.FromBytes(sig.GetProofSR2()) 268 ProofSR3 := FP256BN.FromBytes(sig.GetProofSR3()) 269 ProofSSPrime := FP256BN.FromBytes(sig.GetProofSSPrime()) 270 ProofSRNym := FP256BN.FromBytes(sig.GetProofSRNym()) 271 ProofSAttrs := make([]*FP256BN.BIG, len(sig.GetProofSAttrs())) 272 273 if len(sig.ProofSAttrs) != len(HiddenIndices) { 274 return errors.Errorf("signature invalid: incorrect amount of s-values for AttributeProofSpec") 275 } 276 for i, b := range sig.ProofSAttrs { 277 ProofSAttrs[i] = FP256BN.FromBytes(b) 278 } 279 Nonce := FP256BN.FromBytes(sig.GetNonce()) 280 281 // Parse issuer public key 282 W := Ecp2FromProto(ipk.W) 283 HRand := EcpFromProto(ipk.HRand) 284 HSk := EcpFromProto(ipk.HSk) 285 286 // Verify signature 287 if APrime.Is_infinity() { 288 return errors.Errorf("signature invalid: APrime = 1") 289 } 290 temp1 := FP256BN.Ate(W, APrime) 291 temp2 := FP256BN.Ate(GenG2, ABar) 292 temp2.Inverse() 293 temp1.Mul(temp2) 294 if !FP256BN.Fexp(temp1).Isunity() { 295 return errors.Errorf("signature invalid: APrime and ABar don't have the expected structure") 296 } 297 298 // Verify ZK proof 299 300 // Recover t-values 301 302 // Recompute t1 303 t1 := APrime.Mul2(ProofSE, HRand, ProofSR2) 304 temp := FP256BN.NewECP() 305 temp.Copy(ABar) 306 temp.Sub(BPrime) 307 t1.Sub(FP256BN.G1mul(temp, ProofC)) 308 309 // Recompute t2 310 t2 := FP256BN.G1mul(HRand, ProofSSPrime) 311 t2.Add(BPrime.Mul2(ProofSR3, HSk, ProofSSk)) 312 for i := 0; i < len(HiddenIndices)/2; i++ { 313 t2.Add(EcpFromProto(ipk.HAttrs[HiddenIndices[2*i]]).Mul2(ProofSAttrs[2*i], EcpFromProto(ipk.HAttrs[HiddenIndices[2*i+1]]), ProofSAttrs[2*i+1])) 314 } 315 if len(HiddenIndices)%2 != 0 { 316 t2.Add(FP256BN.G1mul(EcpFromProto(ipk.HAttrs[HiddenIndices[len(HiddenIndices)-1]]), ProofSAttrs[len(HiddenIndices)-1])) 317 } 318 temp = FP256BN.NewECP() 319 temp.Copy(GenG1) 320 for index, disclose := range Disclosure { 321 if disclose != 0 { 322 temp.Add(FP256BN.G1mul(EcpFromProto(ipk.HAttrs[index]), attributeValues[index])) 323 } 324 } 325 t2.Add(FP256BN.G1mul(temp, ProofC)) 326 327 // Recompute t3 328 t3 := HSk.Mul2(ProofSSk, HRand, ProofSRNym) 329 t3.Sub(Nym.Mul(ProofC)) 330 331 // add contribution from the non-revocation proof 332 nonRevokedVer, err := getNonRevocationVerifier(RevocationAlgorithm(sig.NonRevocationProof.RevocationAlg)) 333 if err != nil { 334 return err 335 } 336 337 i := sort.SearchInts(HiddenIndices, rhIndex) 338 proofSRh := ProofSAttrs[i] 339 nonRevokedProofBytes, err := nonRevokedVer.recomputeFSContribution(sig.NonRevocationProof, ProofC, Ecp2FromProto(sig.RevocationEpochPk), proofSRh) 340 if err != nil { 341 return err 342 } 343 344 // Recompute challenge 345 // proofData is the data being hashed, it consists of: 346 // the signature label 347 // 7 elements of G1 each taking 2*FieldBytes+1 bytes 348 // one bigint (hash of the issuer public key) of length FieldBytes 349 // disclosed attributes 350 // message that was signed 351 proofData := make([]byte, len([]byte(signLabel))+7*(2*FieldBytes+1)+FieldBytes+len(Disclosure)+len(msg)+ProofBytes[RevocationAlgorithm(sig.NonRevocationProof.RevocationAlg)]) 352 index := 0 353 index = appendBytesString(proofData, index, signLabel) 354 index = appendBytesG1(proofData, index, t1) 355 index = appendBytesG1(proofData, index, t2) 356 index = appendBytesG1(proofData, index, t3) 357 index = appendBytesG1(proofData, index, APrime) 358 index = appendBytesG1(proofData, index, ABar) 359 index = appendBytesG1(proofData, index, BPrime) 360 index = appendBytesG1(proofData, index, Nym) 361 index = appendBytes(proofData, index, nonRevokedProofBytes) 362 copy(proofData[index:], ipk.Hash) 363 index = index + FieldBytes 364 copy(proofData[index:], Disclosure) 365 index = index + len(Disclosure) 366 copy(proofData[index:], msg) 367 368 c := HashModOrder(proofData) 369 index = 0 370 proofData = proofData[:2*FieldBytes] 371 index = appendBytesBig(proofData, index, c) 372 index = appendBytesBig(proofData, index, Nonce) 373 374 if *ProofC != *HashModOrder(proofData) { 375 // This debug line helps identify where the mismatch happened 376 logger.Printf("Signature Verification : \n"+ 377 " [t1:%v]\n,"+ 378 " [t2:%v]\n,"+ 379 " [t3:%v]\n,"+ 380 " [APrime:%v]\n,"+ 381 " [ABar:%v]\n,"+ 382 " [BPrime:%v]\n,"+ 383 " [Nym:%v]\n,"+ 384 " [nonRevokedProofBytes:%v]\n,"+ 385 " [ipk.Hash:%v]\n,"+ 386 " [Disclosure:%v]\n,"+ 387 " [msg:%v]\n,", 388 EcpToBytes(t1), 389 EcpToBytes(t2), 390 EcpToBytes(t3), 391 EcpToBytes(APrime), 392 EcpToBytes(ABar), 393 EcpToBytes(BPrime), 394 EcpToBytes(Nym), 395 nonRevokedProofBytes, 396 ipk.Hash, 397 Disclosure, 398 msg, 399 ) 400 return errors.Errorf("signature invalid: zero-knowledge proof is invalid") 401 } 402 403 // Signature is valid 404 return nil 405 }