From e0b379840829124ee7b2f89a5aad16730f9455e1 Mon Sep 17 00:00:00 2001 From: aritroCoder Date: Thu, 19 Oct 2023 14:09:17 +0530 Subject: [PATCH 1/5] some edits Signed-off-by: aritroCoder --- ...a_flow_presentation_create_presentation.md | 53 ++++++++++--------- 1 file changed, 28 insertions(+), 25 deletions(-) diff --git a/spec/data_flow_presentation_create_presentation.md b/spec/data_flow_presentation_create_presentation.md index 50f6719..faf474d 100644 --- a/spec/data_flow_presentation_create_presentation.md +++ b/spec/data_flow_presentation_create_presentation.md 
@@ -504,31 +504,34 @@ used as input to the generate presentation process. ##### Non-Revocation Proof Generation Steps -Given the data collected by the [[ref: holder]] to produce the NRP, the -following calculations are performed. - -Once the witness (`u`), the accumulator from the ledger (`e`) and the value of -the tails file entry for the credential of interest (`b`) are known, the NRP can -be generated as follows: - -::: todo - -To Do: Add more detail about the calculation of `C``u` and -`C``b` in the following. - -::: - -- The [[ref: holder]] calculates `u*b = e`, where e is the accumulator. -- The [[ref: holder]] derives two values (in cryptograhic terms - - [commitments](https://en.wikipedia.org/wiki/Commitment_scheme)) - `C``u` and `C``b` based on `u` and `b`. -- The [[ref: holder]] then calculates `T` from `C``u` and - `C``b` and sends all three to the [[ref: verifier]]. -- The [[ref: verifier]] uses `e` (the accumulator from the ledger), - `C``u` and `C``b` to calculate its own `T'` and confirms - that `T` and `T'` are the same. - -This is the zero knowledge non-revocation proof. +Init proof generation: +- Load issuer’s public revocation key $p = (h, h_1, h_2, \tilde{h}, \cap{h}, u, pk, y)$ +- Load the non-revocation credential $C_{NR} \leftarrow (I_A, \sigma, c, s, wit_i, g_i, g'_i, i)$ +- Obtain recent V, acc (from Verifier, Sovrin link, or elsewhere). +- Update $C_{NR}$: +$$ w \leftarrow w. \frac{\prod_{j \in V \backslash V_{old}} g'_{L+1-j+i}}{\prod_{j \in V_{old} \backslash V} g'_{L+1-j+i}} $$ +Here $V_{old}$ is taken from $wit_i$ and updated there. 
+- Select random $ρ, ρ′ , r, r′ , r′′ , r′′′ , o, o′\ mod\ q$; +- Compute: +$$ E \leftarrow h_{ρ}\tilde{h^o}$$ +$$ D \leftarrow g^r\tilde{h}^{o'} $$ +$$ A \leftarrow \sigma\tilde{h}^\rho $$ +$$ \mathcal{G} \leftarrow g_i\tilde{h}^r $$ +$$ \mathcal{W} \leftarrow w\hat{h}^{r'} $$ +$$ \mathcal{S} \leftarrow \sigma _i\hat{h}^{r''} $$ +$$ \mathcal{U} \leftarrow u_i\hat{h}^{r'''} $$ +and adds these values to $\mathcal{C}$ +- Generate random $\tilde{\rho}, \tilde{o}, \tilde{o'}, \tilde{c}, \tilde{m}, \tilde{m'}, \tilde{t}, \tilde{t'}, \tilde{m_2}, \tilde{s}, \tilde{r}, \tilde{r'}, \tilde{r''}, \tilde{r'''}$ +- Compute: +$$ \bar{T_1} \leftarrow h^{\tilde{\rho}} \tilde{h} ^ {\tilde{o}} $$ +$$ \bar{T_2} \leftarrow E^{\tilde{c}}h^{-\tilde{m}}\tilde{h}^{-\tilde{t}} $$ +$$ \bar{T_3} \leftarrow e(A,\hat{h})^{\tilde{c}}.e(\tilde{h}, \hat{h})^{\tilde{r}}.e(\tilde{h}, y)^{-\tilde{\rho}}.e(\tilde{h}, y)^{-\tilde{m}}.e(\tilde{h}, y)^{-\tilde{m_2}}.e(\tilde{h}, y)^{-{\tilde{s}}} $$ +$$ \bar{T_4} \leftarrow e(\tilde{h}, acc)^{\tilde{r}}.e(1/g, \hat{h})^{\tilde{r'''}} $$ +$$ \bar{T_5} \leftarrow g^{\tilde{r}}\tilde{h}^{\tilde{o'}}$$ +$$ \bar{T_6} \leftarrow D^{\tilde{r''}}g^{-\tilde{m'}}\tilde{h}^{-\tilde{t'}} $$ +$$ \bar{T_7} \leftarrow e(pk. \mathcal{G}, \hat{h})^{\tilde{r''}}.e(\tilde{h}, \hat{h})^{-\tilde{m'}}.e(\tilde{h}, \mathcal{S})^{\tilde{r}} $$ +$$ \bar{T_8} \leftarrow e(\tilde{h}, u)^{\tilde{r}}.e(1/g, \hat{h})^{\tilde{r'''}} $$ +and add these values to $\mathcal{T}$. Each NRP is added alongside the credential to which the NRP is applied, to the presentation generated by the [[ref: holder]] using this data From 8ff3deb0f5c7d0553e84b9345b7de657d84f7a25 Mon Sep 17 00:00:00 2001 From: aritroCoder Date: Thu, 19 Oct 2023 18:38:48 +0530 Subject: [PATCH 2/5] added non revocation presentation proofs Signed-off-by: aritroCoder --- ...a_flow_presentation_create_presentation.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) 
diff --git a/spec/data_flow_presentation_create_presentation.md b/spec/data_flow_presentation_create_presentation.md index faf474d..5ac8608 100644 --- a/spec/data_flow_presentation_create_presentation.md +++ b/spec/data_flow_presentation_create_presentation.md @@ -505,7 +505,7 @@ used as input to the generate presentation process. ##### Non-Revocation Proof Generation Steps Init proof generation: -- Load issuer’s public revocation key $p = (h, h_1, h_2, \tilde{h}, \cap{h}, u, pk, y)$ +- Load issuer’s public revocation key $p = (h, h_1, h_2, \tilde{h}, \hat{h}, u, pk, y)$ - Load the non-revocation credential $C_{NR} \leftarrow (I_A, \sigma, c, s, wit_i, g_i, g'_i, i)$ - Obtain recent V, acc (from Verifier, Sovrin link, or elsewhere). - Update $C_{NR}$: 
@@ -532,6 +532,23 @@ $$ \bar{T_6} \leftarrow D^{\tilde{r''}}g^{-\tilde{m'}}\tilde{h}^{-\tilde{t'}} $$ $$ \bar{T_7} \leftarrow e(pk. \mathcal{G}, \hat{h})^{\tilde{r''}}.e(\tilde{h}, \hat{h})^{-\tilde{m'}}.e(\tilde{h}, \mathcal{S})^{\tilde{r}} $$ $$ \bar{T_8} \leftarrow e(\tilde{h}, u)^{\tilde{r}}.e(1/g, \hat{h})^{\tilde{r'''}} $$ and add these values to $\mathcal{T}$. +- For non-revocation credential $C_{NR}$ compute: +$$ \widehat{\rho} \leftarrow \widetilde{\rho} - c_H\rho\bmod{q} $$ +$$ \widehat{o} \leftarrow \widetilde{o} - c_H\cdot o\bmod{q}\\ $$ +$$ \widehat{c} \leftarrow \widetilde{c} - c_H\cdot c\bmod{q} $$ +$$ \widehat{o'} \leftarrow \widetilde{o'} - c_H\cdot o'\bmod{q}\\ $$ +$$ \widehat{m} \leftarrow \widetilde{m} - c_H m\bmod{q} $$ +$$ \widehat{m'} \leftarrow \widetilde{m'} - c_H m'\bmod{q}\\ $$ +$$ \widehat{t} \leftarrow \widetilde{t} - c_H t\bmod{q} $$ +$$ \widehat{t'} \leftarrow \widetilde{t'} - c_H t'\bmod{q}\\ $$ +$$ \widehat{m_2} \leftarrow \widetilde{m_2} - c_H m_2\bmod{q} $$ +$$ \widehat{s} \leftarrow \widetilde{s} - c_H s\bmod{q}\\ $$ +$$ \widehat{r} \leftarrow \widetilde{r} - c_H r\bmod{q} $$ +$$ \widehat{r'} \leftarrow \widetilde{r'} - c_H r'\bmod{q}\\ $$ +$$ \widehat{r''} \leftarrow \widetilde{r''} - c_H r''\bmod{q} $$ +$$ \widehat{r'''} \leftarrow \widetilde{r'''} - c_H r'''\bmod{q}. $$ +and add them to $\mathcal{X}$. + Each NRP is added alongside the credential to which the NRP is applied, to the presentation generated by the [[ref: holder]] using this data From a5232b451dcc6ffc95ce64e3b80e81292ae1487f Mon Sep 17 00:00:00 2001 From: aritroCoder Date: Thu, 19 Oct 2023 22:02:25 +0530 Subject: [PATCH 3/5] added non revocation proof data item details Signed-off-by: aritroCoder --- ...a_flow_presentation_create_presentation.md | 50 +++++++++---------- 1 file changed, 23 insertions(+), 27 deletions(-) diff --git a/spec/data_flow_presentation_create_presentation.md b/spec/data_flow_presentation_create_presentation.md index 5ac8608..6b58c6c 100644 
--- a/spec/data_flow_presentation_create_presentation.md +++ b/spec/data_flow_presentation_create_presentation.md @@ -586,33 +586,29 @@ model: The values in the data model are: -:::todo -To Do: Enumerate each of the items in each NRP section of the presentation. -::: - -- `x_list`" is ... - - `rho`" is ... - - `r`" is ... - - `r_prime`" is ... - - `r_prime_prime`" is ... - - `r_prime_prime_prime`" is ... - - `o`" is ... - - `o_prime`" is ... - - `m`" is ... - - `m_prime`" is ... - - `t`" is ... - - `t_prime`" is ... - - `m2`" is ... - - `s`" is ... - - `c`" is ... -- `c_list`" is ... - - `e`" is ... - - `d`" is ... - - `a`" is ... - - `g`" is ... - - `w`" is ... - - `s`" is ... - - `u`" is ... +- `x_list` is the list of the schnorr proofs. + - `rho` is the value of $\widehat{\rho}$ + - `r` is the value of $\widehat{r}$ + - `r_prime` is the value of $\widehat{r'}$ + - `r_prime_prime` is the value of $\widehat{r''}$ + - `r_prime_prime_prime` is the value of $\widehat{r'''}$ + - `o` is the value of $\widehat{o}$ + - `o_prime` is the value of $\widehat{o'}$ + - `m` is the value of $\widehat{m}$ + - `m_prime` is the value of $\widehat{m'}$ + - `t` is the value of $\widehat{t}$ + - `t_prime` is the value of $\widehat{t}$ + - `m2` is the value of $\widehat{m_2}$ + - `s` is the value of $\widehat{s}$ + - `c` is the value of $\widehat{c}$ +- `c_list` is the list of commitments. + - `e` is the value of $E$ + - `d` is the value of $D$ + - `a` is the value of $A$ + - `g` is the value of $\mathcal{G}$ + - `w` is the value of $\mathcal{W}$ + - `s` is the value of $\mathcal{S}$ + - `u` is the value of $\mathcal{U}$ As well, in the presentation data model, added to the `identifiers` item, is the timestamp (Unix epoch format) of the [[ref: RevRegEntry]] used to construct the NRP From b1379adfeb379cf137f89c40fea00cb4d4b5b03e Mon Sep 17 00:00:00 2001 From: aritroCoder Date: Thu, 19 Oct 2023 22:04:09 +0530 Subject: [PATCH 4/5] removed incompatible characters 
Signed-off-by: aritroCoder --- spec/data_flow_presentation_create_presentation.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/spec/data_flow_presentation_create_presentation.md b/spec/data_flow_presentation_create_presentation.md index 6b58c6c..e0dd784 100644 --- a/spec/data_flow_presentation_create_presentation.md +++ b/spec/data_flow_presentation_create_presentation.md @@ -511,7 +511,7 @@ Init proof generation: - Update $C_{NR}$: $$ w \leftarrow w. \frac{\prod_{j \in V \backslash V_{old}} g'_{L+1-j+i}}{\prod_{j \in V_{old} \backslash V} g'_{L+1-j+i}} $$ Here $V_{old}$ is taken from $wit_i$ and updated there. -- Select random $ρ, ρ′ , r, r′ , r′′ , r′′′ , o, o′\ mod\ q$; +- Select random $\rho, \rho' , r, r' , r'' , r''' , o, o'\ mod\ q$; - Compute: $$ E \leftarrow h_{ρ}\tilde{h^o}$$ $$ D \leftarrow g^r\tilde{h}^{o'} $$ 
@@ -534,17 +534,17 @@ $$ \bar{T_8} \leftarrow e(\tilde{h}, u)^{\tilde{r}}.e(1/g, \hat{h})^{\tilde{r''' and add these values to $\mathcal{T}$. - For non-revocation credential $C_{NR}$ compute: $$ \widehat{\rho} \leftarrow \widetilde{\rho} - c_H\rho\bmod{q} $$ -$$ \widehat{o} \leftarrow \widetilde{o} - c_H\cdot o\bmod{q}\\ $$ +$$ \widehat{o} \leftarrow \widetilde{o} - c_H\cdot o\bmod{q} $$ $$ \widehat{c} \leftarrow \widetilde{c} - c_H\cdot c\bmod{q} $$ -$$ \widehat{o'} \leftarrow \widetilde{o'} - c_H\cdot o'\bmod{q}\\ $$ +$$ \widehat{o'} \leftarrow \widetilde{o'} - c_H\cdot o'\bmod{q} $$ $$ \widehat{m} \leftarrow \widetilde{m} - c_H m\bmod{q} $$ -$$ \widehat{m'} \leftarrow \widetilde{m'} - c_H m'\bmod{q}\\ $$ +$$ \widehat{m'} \leftarrow \widetilde{m'} - c_H m'\bmod{q} $$ $$ \widehat{t} \leftarrow \widetilde{t} - c_H t\bmod{q} $$ -$$ \widehat{t'} \leftarrow \widetilde{t'} - c_H t'\bmod{q}\\ $$ +$$ \widehat{t'} \leftarrow \widetilde{t'} - c_H t'\bmod{q} $$ $$ \widehat{m_2} \leftarrow \widetilde{m_2} - c_H m_2\bmod{q} $$ -$$ \widehat{s} \leftarrow \widetilde{s} - c_H s\bmod{q}\\ $$ +$$ \widehat{s} \leftarrow \widetilde{s} - c_H s\bmod{q} $$ $$ \widehat{r} \leftarrow \widetilde{r} - c_H r\bmod{q} $$ -$$ \widehat{r'} \leftarrow \widetilde{r'} - c_H r'\bmod{q}\\ $$ +$$ \widehat{r'} \leftarrow \widetilde{r'} - c_H r'\bmod{q} $$ $$ \widehat{r''} \leftarrow \widetilde{r''} - c_H r''\bmod{q} $$ $$ \widehat{r'''} \leftarrow \widetilde{r'''} - c_H r'''\bmod{q}. $$ and add them to $\mathcal{X}$. From 30ab5709d631dae0b8aa6a151bd6170bdc6c9eaf Mon Sep 17 00:00:00 2001 From: Stephen Curran Date: Thu, 9 Nov 2023 00:20:14 +0000 Subject: [PATCH 5/5] Note about lack of creddef key correctness proof Signed-off-by: Stephen Curran --- spec/data_flow_setup.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/spec/data_flow_setup.md b/spec/data_flow_setup.md index d5e3451..b3a6805 100644 --- a/spec/data_flow_setup.md +++ b/spec/data_flow_setup.md 
@@ -198,6 +198,37 @@ The [[ref: Private Credential Definition]] produced by the generation process ha } ``` +::: warning + +A weakness in this specification is that the [[ref: Issuer]] does not provide a +key correctness proof to demonstrate that the generated private key is +sufficiently strong enough to meet the unlinkability guarantees of AnonCreds. + +The proof should demonstrate that: + +- `p` and `q` are both prime numbers +- `p` and `q` are not equal +- `p` and `q` are the same, sufficiently large, size + - For example, using two values both 1024 bits long is sufficient, whereas + using one value 2040 bits long and the other 8 bits long is not. + +The [[ref: Issuer]] **SHOULD** provide a published key correctness proof based +on the approach described in [Jan Camenisch and Markus Michels. Proving in +zero-knowledge that a number is the product of two safe primes] (pages 12-13). +In a future version of AnonCreds, the additional key correctness proof could be +published separately or added to the [[ref: Credential Definition]] prior to +publication. In the meantime, [[ref: Issuers]] in existing ecosystems can share +such a proof with their ecosystem co-participants in an ad hoc manner. + +[Jan Camenisch and Markus Michels. Proving in zero-knowledge that a number is the product of two safe primes]: https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf + +The lack of such a published key correctness proof allows a malicious [[ref: +Issuer]] to deliberately generate a private key that lacks the requirements +listed above, enabling the potential of a brute force attack that breaks the +unlinkability guarantee of AnonCreds. + +::: + The [[ref: Credential Definition]] has the following format (based on this [example Credential Definition](https://indyscan.io/tx/SOVRIN_MAINNET/domain/99654) on the Sovrin MainNet):
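Review bot: several symbols introduced in PATCH 1/5 (hunk `@@ -504,31 +504,34 @@`) are never defined, so the steps cannot be followed from the text alone: `g`, `L`, `w`, `\sigma_i`, `u_i` and the collections `\mathcal{C}` and `\mathcal{T}` are used in the commitments and the `\bar{T}` values but appear neither in the loaded key `p = (h, h_1, h_2, \tilde{h}, \cap{h}, u, pk, y)` nor in the credential tuple `(I_A, \sigma, c, s, wit_i, g_i, g'_i, i)`; please say where each comes from (for instance which ones are components of `wit_i`). Two smaller issues in the same hunk: `\cap{h}` is the set-intersection symbol, not the hat accent (`\hat{h}` is what the later `\mathcal{W}`, `\mathcal{S}` and `\mathcal{U}` lines use), and `\rho'` is drawn in the "Select random" step but used in none of the computed values, so either drop it or show where it is used. Finally, the removed paragraph described the verifier's check that `T` and `T'` agree, and the replacement covers only the holder's side; keep one sentence saying where verification is specified, or state that it is out of scope for this section.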
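Review bot: `c_H` in the response equations of PATCH 2/5 (hunk `@@ -532,6 +532,23 @@`) is never defined; the text should name it as the challenge and state how it is derived (presumably from the `\mathcal{C}` and `\mathcal{T}` values accumulated in the preceding steps, but the hunk does not say). Minor: the trailing `\\` inside every other `$$ ... $$` line breaks rendering in most markdown math engines (PATCH 4/5 removes them again, so consider squashing), the final `\bmod{q}. $$` leaves a stray period inside the display, and the mix of `c_H\cdot o` and `c_H m` should be made consistent.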
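Review bot: copy-paste error in the `x_list` items of PATCH 3/5 (hunk `@@ -586,33 +586,29 @@`): `t_prime` is described as the value of $\widehat{t}$, identical to the `t` entry above it; it should be $\widehat{t'}$ to match the response equations. Style: "schnorr" should be capitalised, and since `x_list` holds the hat values (the Schnorr responses) rather than complete proofs, "the list of the Schnorr proof responses" would describe it more accurately.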
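Review bot: the "removed incompatible characters" change in PATCH 4/5 (hunk `@@ -511,7 +511,7 @@`) misses one occurrence: the context line `$$ E \leftarrow h_{ρ}\tilde{h^o}$$` two lines below the edited line still contains the Unicode `ρ`. While touching it, note that `\rho` sits in a subscript and the tilde covers `h^o`; the matching `\bar{T_1} \leftarrow h^{\tilde{\rho}} \tilde{h} ^ {\tilde{o}}` suggests `E \leftarrow h^{\rho}\tilde{h}^{o}` was intended. Also `\ mod\ q` in the edited line should be `\bmod q`, as the response equations later in the file already use `\bmod{q}`.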
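Review bot: the requirement list in the new warning of PATCH 5/5 (hunk `@@ -198,6 +198,37 @@`) does not match the approach it cites: the Camenisch and Michels reference proves that a number is the product of two safe primes, while the bullets only ask that `p` and `q` be prime, distinct and of equal size; either add the safe-prime requirement to the list or say that the cited proof establishes more than the bullets require. Wording: "sufficiently strong enough" is redundant (drop "enough"), "`p` and `q` are the same, sufficiently large, size" reads awkwardly ("of the same, sufficiently large, bit length"), and "enabling the potential of a brute force attack" should state what a weak key actually permits rather than calling it brute force, since the 2040-bit and 8-bit example is about factoring a lopsided modulus. Please also check that `[[ref: Issuers]]` resolves, as the rest of the hunk uses the singular `[[ref: Issuer]]`, and consider separating "(pages 12-13)" from the reference-style link so the citation is not mistaken for part of the link text.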