Merge branch 'main' into verify-presentation

spec/data_flow_presentation_create_presentation.md

@@ -658,31 +658,51 @@ used as input to the generate presentation process.
 
 ##### Non-Revocation Proof Generation Steps
 
-Given the data collected by the [[ref: holder]] to produce the NRP, the
-following calculations are performed.
+Init proof generation:
+- Load issuer’s public revocation key $p = (h, h_1, h_2, \tilde{h}, \hat{h}, u, pk, y)$
+- Load the non-revocation credential $C_{NR} \leftarrow (I_A, \sigma, c, s, wit_i, g_i, g'_i, i)$
+- Obtain recent V, acc (from Verifier, Sovrin link, or elsewhere).
+- Update $C_{NR}$:
+$$ w \leftarrow w. \frac{\prod_{j \in V \backslash V_{old}} g'_{L+1-j+i}}{\prod_{j \in V_{old} \backslash V} g'_{L+1-j+i}} $$
+Here $V_{old}$ is taken from $wit_i$ and updated there.
+- Select random $\rho, \rho' , r, r' , r'' , r''' , o, o'\ mod\ q$;
+- Compute:
+$$ E \leftarrow h_{ρ}\tilde{h^o}$$
+$$ D \leftarrow g^r\tilde{h}^{o'} $$
+$$ A \leftarrow \sigma\tilde{h}^\rho $$
+$$ \mathcal{G} \leftarrow g_i\tilde{h}^r $$
+$$ \mathcal{W} \leftarrow w\hat{h}^{r'} $$
+$$ \mathcal{S} \leftarrow \sigma _i\hat{h}^{r''} $$
+$$ \mathcal{U} \leftarrow u_i\hat{h}^{r'''} $$
+and adds these values to $\mathcal{C}$
+- Generate random $\tilde{\rho}, \tilde{o}, \tilde{o'}, \tilde{c}, \tilde{m}, \tilde{m'}, \tilde{t}, \tilde{t'}, \tilde{m_2}, \tilde{s}, \tilde{r}, \tilde{r'}, \tilde{r''}, \tilde{r'''}$
+- Compute:
+$$ \bar{T_1} \leftarrow h^{\tilde{\rho}} \tilde{h} ^ {\tilde{o}} $$
+$$ \bar{T_2} \leftarrow E^{\tilde{c}}h^{-\tilde{m}}\tilde{h}^{-\tilde{t}} $$
+$$ \bar{T_3} \leftarrow e(A,\hat{h})^{\tilde{c}}.e(\tilde{h}, \hat{h})^{\tilde{r}}.e(\tilde{h}, y)^{-\tilde{\rho}}.e(\tilde{h}, y)^{-\tilde{m}}.e(\tilde{h}, y)^{-\tilde{m_2}}.e(\tilde{h}, y)^{-{\tilde{s}}} $$
+$$ \bar{T_4} \leftarrow e(\tilde{h}, acc)^{\tilde{r}}.e(1/g, \hat{h})^{\tilde{r'''}} $$
+$$ \bar{T_5} \leftarrow g^{\tilde{r}}\tilde{h}^{\tilde{o'}}$$
+$$ \bar{T_6} \leftarrow D^{\tilde{r''}}g^{-\tilde{m'}}\tilde{h}^{-\tilde{t'}} $$
+$$ \bar{T_7} \leftarrow e(pk. \mathcal{G}, \hat{h})^{\tilde{r''}}.e(\tilde{h}, \hat{h})^{-\tilde{m'}}.e(\tilde{h}, \mathcal{S})^{\tilde{r}} $$
+$$ \bar{T_8} \leftarrow e(\tilde{h}, u)^{\tilde{r}}.e(1/g, \hat{h})^{\tilde{r'''}} $$
+and add these values to $\mathcal{T}$.
+- For non-revocation credential $C_{NR}$ compute:
+$$ \widehat{\rho} \leftarrow \widetilde{\rho} - c_H\rho\bmod{q} $$
+$$ \widehat{o} \leftarrow \widetilde{o} - c_H\cdot o\bmod{q} $$
+$$ \widehat{c} \leftarrow \widetilde{c} - c_H\cdot c\bmod{q} $$
+$$ \widehat{o'} \leftarrow \widetilde{o'} - c_H\cdot o'\bmod{q} $$
+$$ \widehat{m} \leftarrow \widetilde{m} - c_H m\bmod{q} $$
+$$ \widehat{m'} \leftarrow \widetilde{m'} - c_H m'\bmod{q} $$
+$$ \widehat{t} \leftarrow \widetilde{t} - c_H t\bmod{q} $$
+$$ \widehat{t'} \leftarrow \widetilde{t'} - c_H t'\bmod{q} $$
+$$ \widehat{m_2} \leftarrow \widetilde{m_2} - c_H m_2\bmod{q} $$
+$$ \widehat{s} \leftarrow \widetilde{s} - c_H s\bmod{q} $$
+$$ \widehat{r} \leftarrow \widetilde{r} - c_H r\bmod{q} $$
+$$ \widehat{r'} \leftarrow \widetilde{r'} - c_H r'\bmod{q} $$
+$$ \widehat{r''} \leftarrow \widetilde{r''} - c_H r''\bmod{q} $$
+$$ \widehat{r'''} \leftarrow \widetilde{r'''} - c_H r'''\bmod{q}. $$
+and add them to $\mathcal{X}$.
 
-Once the witness (`u`), the accumulator from the ledger (`e`) and the value of
-the tails file entry for the credential of interest (`b`) are known, the NRP can
-be generated as follows:
-
-::: todo
-
-To Do: Add more detail about the calculation of `C`<sub>`u`</sub> and
-`C`<sub>`b`</sub> in the following.
-
-:::
-
-- The [[ref: holder]] calculates `u*b = e`, where e is the accumulator.
-- The [[ref: holder]] derives two values (in cryptograhic terms -
-  [commitments](https://en.wikipedia.org/wiki/Commitment_scheme))
-  `C`<sub>`u`</sub> and `C`<sub>`b`</sub> based on `u` and `b`.
-- The [[ref: holder]] then calculates `T` from `C`<sub>`u`</sub> and
-  `C`<sub>`b`</sub> and sends all three to the [[ref: verifier]].
-- The [[ref: verifier]] uses `e` (the accumulator from the ledger),
-  `C`<sub>`u`</sub> and `C`<sub>`b`</sub> to calculate its own `T'` and confirms
-  that `T` and `T'` are the same.
-
-This is the zero knowledge non-revocation proof.
 
 Each NRP is added alongside the credential to which the NRP is applied, to the
 presentation generated by the [[ref: holder]] using this data
@@ -720,33 +740,29 @@ model:
 
 The values in the data model are:
 
-:::todo
-To Do: Enumerate each of the items in each NRP section of the presentation.
-:::
-
-- `x_list`" is ...
-  - `rho`" is ...
-  - `r`" is ...
-  - `r_prime`" is ...
-  - `r_prime_prime`" is ...
-  - `r_prime_prime_prime`" is ...
-  - `o`" is ...
-  - `o_prime`" is ...
-  - `m`" is ...
-  - `m_prime`" is ...
-  - `t`" is ...
-  - `t_prime`" is ...
-  - `m2`" is ...
-  - `s`" is ...
-  - `c`" is ...
-- `c_list`" is ...
-  - `e`" is ...
-  - `d`" is ...
-  - `a`" is ...
-  - `g`" is ...
-  - `w`" is ...
-  - `s`" is ...
-  - `u`" is ...
+- `x_list` is the list of the schnorr proofs.
+  - `rho` is the value of $\widehat{\rho}$
+  - `r` is the value of $\widehat{r}$
+  - `r_prime` is the value of $\widehat{r'}$
+  - `r_prime_prime` is the value of $\widehat{r''}$
+  - `r_prime_prime_prime` is the value of $\widehat{r'''}$
+  - `o` is the value of $\widehat{o}$
+  - `o_prime` is the value of $\widehat{o'}$
+  - `m` is the value of $\widehat{m}$
+  - `m_prime` is the value of $\widehat{m'}$
+  - `t` is the value of $\widehat{t}$
+  - `t_prime` is the value of $\widehat{t}$
+  - `m2` is the value of $\widehat{m_2}$
+  - `s` is the value of $\widehat{s}$
+  - `c` is the value of $\widehat{c}$
+- `c_list` is the list of commitments.
+  - `e` is the value of $E$
+  - `d` is the value of $D$
+  - `a` is the value of $A$
+  - `g` is the value of $\mathcal{G}$
+  - `w` is the value of $\mathcal{W}$
+  - `s` is the value of $\mathcal{S}$
+  - `u` is the value of $\mathcal{U}$
 
 As well, in the presentation data model, added to the `identifiers` item, is the
 timestamp (Unix epoch format) of the [[ref: RevRegEntry]] used to construct the NRP

spec/data_flow_setup.md

@@ -198,6 +198,37 @@ The [[ref: Private Credential Definition]] produced by the generation process ha
 }
 ```
 
+::: warning
+
+A weakness in this specification is that the [[ref: Issuer]] does not provide a
+key correctness proof to demonstrate that the generated private key is
+sufficiently strong enough to meet the unlinkability guarantees of AnonCreds.
+
+The proof should demonstrate that:
+
+- `p` and `q` are both prime numbers
+- `p` and `q` are not equal
+- `p` and `q` are the same, sufficiently large, size
+  - For example, using two values both 1024 bits long is sufficient, whereas
+  using one value 2040 bits long and the other 8 bits long is not.
+
+The [[ref: Issuer]] **SHOULD** provide a published key correctness proof based
+on the approach described in [Jan Camenisch and Markus Michels. Proving in
+zero-knowledge that a number is the product of two safe primes] (pages 12-13).
+In a future version of AnonCreds, the additional key correctness proof could be
+published separately or added to the [[ref: Credential Definition]] prior to
+publication. In the meantime, [[ref: Issuers]] in existing ecosystems can share
+such a proof with their ecosystem co-participants in an ad hoc manner.
+
+[Jan Camenisch and Markus Michels. Proving in zero-knowledge that a number is the product of two safe primes]: https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf
+
+The lack of such a published key correctness proof allows a malicious [[ref:
+Issuer]] to deliberately generate a private key that lacks the requirements
+listed above, enabling the potential of a brute force attack that breaks the
+unlinkability guarantee of AnonCreds.
+
+:::
+
 The [[ref: Credential Definition]] has the following format (based on this [example
 Credential Definition](https://indyscan.io/tx/SOVRIN_MAINNET/domain/99654) on the Sovrin
 MainNet):