From d44d35a4c0270eda91e86741664a7a1cdf4bb5a0 Mon Sep 17 00:00:00 2001 From: swcurran Date: Tue, 12 Mar 2024 15:40:13 +0000 Subject: [PATCH] =?UTF-8?q?Deploying=20to=20gh-pages=20from=20@=20hyperled?= =?UTF-8?q?ger/anoncreds-spec@9a87fb851052d5da8bf441f54267dae440f8f08e=20?= =?UTF-8?q?=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/index.html | 152 ++++++++++++++++++++++++---------------- spec/data_flow_setup.md | 124 ++++++++++++++++++++------------ 2 files changed, 172 insertions(+), 104 deletions(-) diff --git a/docs/index.html b/docs/index.html index 46566e6..e6a30c2 100644 --- a/docs/index.html +++ b/docs/index.html @@ -585,22 +585,47 @@

§ Generating a Credential Definition With Revocation Support

The issuer enables the ability to revoke credentials produced from a Credential Definition by passing to the Credential Definition generation process the flag support_revocation as -true. When revocation is to enabled for a Credential Definition, additional data related to -revocation is generated and added to the Credential Definition JSON objects defined above. In -the following the additional steps in the Credential Definition generation process to enable -revocation are described, along with the additional data produced in that -process.

-

The following describes the process for generating the revocation portion of the -Credential Definition data. This process extends the process for generating a Credential Definition in the -previous section of this document.

-

The revocation scheme uses a pairing-based dynamic accumulator based on the CKS scheme.

-

Pairing cryptography makes use of two pairing-friendly elliptic curve groups (G1, G2) with a known, computable pairing function e(G1,G2) -> Gt that maps any two group elements from G1 and G2 respectively to an element in the third group Gt. All groups have the same order, q, the number of elements in the group. The accumulator scheme implemented uses Type-3 pairings such that G1 != G2 and there are no efficiently computable homomorphisms between G1 and G2. An introduction to pairings can be found here.

-

NOTE: This scheme must use a specific pairing friendly elliptic curve. Believe it will be using BLS-381. But should confirm. For implementations to be interoperable they must use the same curve (or possibly support multiple, but then would have to identify the curve in this data somewhere. Feels like unnecessary complexity)

-
TODO

Formally define a type-3 bilinear curve setup? Should this go in the appendix?

+true. +When using revocation in a credential, private key material is added +to the Private Credential Definition to allow the issuer to +revoke credentials, and public key material is added to the +Credential Definition to allow a verifier to check revocation +status. The following describes the fields added to the Private Credential Definition and the +Credential Definition.

+

The revocation scheme uses a pairing-based dynamic accumulator defined +as a variant of the CKS scheme but with a +Type 3 elliptic curve pairing instead of a Type 1 pairing. The curve +EE is BN254, which is defined +over a 254-bit prime pp. The pairing is an Ate pairing e:G1×G2GTe : G_1 +\times G_2 \rightarrow G_T where G1=E(Fp)G_1 = E(\mathbb{F}_p), G2=E(Fp2)G_2 = +E(\mathbb{F}_{p^2}), and GTG_T is the group of qthq^{\text{th}} roots +of unity in Fp12\mathbb{F}_{p^{12}} where q=E(Fp)q=|E(\mathbb{F}_p)|, which +is another 254-bit prime.

+

In the amcl library used for the elliptic curve arithmetic, points are +represented using projective co-ordinates, i.e. a point (X/Z,Y/Z)(X/Z,Y/Z) on +the curve EE is mapped to a projective point (X:Y:Z)(X: Y: Z). +Additionally, the big-integer co-ordinates are strings of 64 +hexadecimal characters, meaning there are up to 64 * 4 - 254 = 2 bits of +‘excess’ in each encoding. The library includes the excess number of +bits as an integer (i.e. 1 or 2) before the hexadecimal +string. The upshot is:

+ +
NOTE

In this section, multiplicative notation is used: a point PP +on an elliptic curve EE is considered an element gg in the group GG +of points on the curve EE, and for an integer kk modulo the group +order qq, we write gkg^k to mean the point kPk \cdot P.

+
§ Private Revocation Keys

A Private Credential Definition with revocation enabled has the following format. In this, the -details of the p_key element are hidden, as they are the same as was covered -above.

+details of the p_key element are omitted, as they are the same as was covered +in the section above. The implementation can be found in the anoncreds-clsignatures-rs repository.

{
   "p_key": {
     "p": "123...782",
@@ -613,17 +638,25 @@ 
}
    -
  • r_key is an object defining the private key for the CKS revocation scheme. +
  • r_key is an object defining the revocation private key for the credential.
      -
    • x is a Big (128-bit?) integer selected at random from the the group of integers defined by the order of the bilinear groups q
      • -
    • sk is a Big (128-bit?) integer selected at random from the the group of integers defined by the order of the bilinear groups q
      • +
    • x is an integer modulo qq
      • +
    • sk is an integer modulo qq
-

x and sk are used as part of the revocation public key generation as defined below.

+

The value qq is the order of the group G1=E(Fp)G_1=E(\mathbb{F}_p) on the curve BN254 (see above: qq is a 254-bit prime). +x and sk are used to generate parts of the revocation public key as described below.

+
NOTE

The issuer additionally holds a secret value gamma used to construct +the accumulator. This is inside the RevocationKeyPrivate object in +anoncreds-clsignatures-rs, +which is separate from the CredentialRevocationPrivateKey object +that stores sk and x.

+
+
§ Public Revocation Keys

A Credential Definition with revocation enabled has the following format (from this example Credential Definition on the -Sovrin MainNet). In this, the details of the primary element are hidden, as +Sovrin MainNet). In this, the details of the primary element are omitted, as they are the same as was covered above.

{
   "issuerId": "did:indy:sovrin:F72i3Y3Q4i466efjYJYCHM",
@@ -634,37 +667,36 @@ 
"primary": {...},
     "revocation": {
       "g": "1 154...813 1 11C...D0D 2 095..8A8",
-      "g_dash": "1 1F0...000",
-      "h": "1 131...8A8",
-      "h0": "1 1AF...8A8",
-      "h1": "1 242...8A8",
-      "h2": "1 072...8A8",
-      "h_cap": "1 196...000",
-      "htilde": "1 1D5...8A8",
-      "pk": "1 0E7...8A8",
-      "u": "1 18E...000",
-      "y": "1 068...000"
+      "g_dash": "1 1F0...3B5 1 229...41D 1 04B...F7D 1 061...8B7 2 095...8A8 1 000...000",
+      "h": "1 131...0DD 1 0D5...66E 2 095...8A8",
+      "h0": "1 1AF...246 1 127...361 2 095...8A8",
+      "h1": "1 242...F14 1 1AC...2FF 2 095...8A8",
+      "h2": "1 072...7A1 1 09E...622 2 095...8A8",
+      "h_cap": "1 196...C53 1 238...38B 1 196...C7E 1 198...D31 2 095...8A8 1 000...000",
+      "htilde": "1 1D5...797 1 034...232 2 095...8A8",
+      "pk": "1 0E7...A88 1 007...4B8 2 095...8A8",
+      "u": "1 18E...44B 1 018...F71 1 0D8...2C2 1 003...4CF 2 095...8A8 1 000...000",
+      "y": "1 068...F6B 1 16C...F7E 1 01F...68A 1 1E3...9F9 2 095...8A8 1 000...000"
     }
   }
 }
-

All attributes in the revocation item represent elliptic curve points that are members of either G1 or G2. Group elements of G1 are represented using 3 64 digit hex integers, wheras G2 elements are represented using 6 64 digit hex integers. The revocation attributes define a CKS public key that can be used to authenticate updates from the issuer to the accumulator.

In the following, only the revocation item is described, as the rest of items (primary, ref, etc.) are described in the previous section of this document.