-
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathPOC.lua
185 lines (164 loc) · 4.67 KB
/
POC.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
G1 = ECP.generator()
G2 = ECP2.generator()
-- H = hash to point function to ECP1
HG1 = ECP.hashtopoint
Miller = PAIR.ate
function keygen()
-- δ = r.O
-- γ = δ.G2
local sk = INT.random()
return { sk = sk,
pk = G2 * sk }
end
function sign(sk, msg)
-- σ = δ * ( H(m)*G1 )
return HG1(msg) * sk
end
function verify(pk, msg, sig)
-- e(γ,H(m)) == e(G2,σ)
return(
Miller(pk, HG1(msg))
==
Miller(G2, sig)
)
end
function issuer_sign(claims)
local signed = { }
local revs= { }
for k,v in pairs(CLAIMS) do
local rSK = BIG.random()
local m = k..'='..v
local o = { }
o.r = (G2 * rSK):to_zcash()
o.H = sha256(m..o.r)
o.s = sign(A.sk, o.H..o.r) + sign(rSK, o.H..o.r)
signed[m] = o
revs['HolderID/'..m] = rSK
end
return signed, revs
end
function issuer_revoke(revocations, torevoke)
local revs = { }
for _,v in pairs(torevoke) do
-- revokers will keep a database of HolderIDs with revocations; the
-- privacy of such databases can be enhanced by not holding values
-- in such a database.
local m = strtok(v,'/')[2]
local r = (G2*revocations[v]):to_zcash()
local h = sha256(m..r)
-- I.warn(r)
revs[h] = revocations[v]
end
return revs
end
function holder_prove(signed_claims, disclosures)
local res = { }
for m,v in pairs(signed_claims) do
local claim = strtok(m, '=')
if array_contains(disclosures, claim[1]) then
local obj = {
m = m,
H = v.H,
r = v.r
}
local tSK = BIG.random()
obj.s = v.s + sign(tSK, obj.H..obj.r)
obj.t = os.date()
obj.p = (G2*tSK):to_zcash()
obj.c = sign(tSK, obj.H .. obj.r .. obj.s:octet() .. obj.t)
table.insert(res, obj)
end
end
return res
end
function verify_proof(APK, proof)
local res = true and
verify(ECP2.from_zcash(proof.p),
(proof.H .. proof.r .. proof.s:octet() .. proof.t),
proof.c)
return res and verify(ECP2.from_zcash(proof.r) +
ECP2.from_zcash(proof.p) +
APK, proof.H..proof.r, proof.s)
end
function revocation_contains(revocations, proof)
local res = false -- store here result for constant time operations
local h = proof.H
-- assert(revocations[h])
-- TODO: for some reason revocations[proof.H] doesn't works
for k,v in pairs(revocations) do
if k==proof.H and proof.r == (G2*v):to_zcash() then
res = true
end
end
return res
end
-- Issuer's keyring hardcoded 0x0 seed
A = {sk = BIG.new(sha256(OCTET.zero(32)))}
A.pk = G2*A.sk
-- Holder sends claims to issuer and proves them
CLAIMS = {
name = "Pasqualino",
surname = "Frafuso",
nickname = "Settebellezze",
born_in = "Napoli",
gender = "male",
above_18 = 'true',
nationality = "italian"
}
SIGNED_CLAIMS, REVOCATIONS = issuer_sign(CLAIMS)
local TOREVOKE = {
'HolderID/born_in=Napoli',
'HolderID/gender=male',
'HolderID/nationality=italian'}
REVOKED = issuer_revoke(REVOCATIONS, TOREVOKE)
DISCLOSE = { 'name', 'gender', 'above_18' }
CREDENTIAL_PROOF = holder_prove(SIGNED_CLAIMS, DISCLOSE)
for _,proof in pairs(CREDENTIAL_PROOF) do
assert(verify_proof(A.pk, proof) )
end
for _,proof in pairs(CREDENTIAL_PROOF) do
local H = sha256(proof.m..proof.r)
assert(H == proof.H, "Invalid proof hash")
assert(verify_proof(A.pk, proof) )
if proof.m == 'gender=male' then
assert(revocation_contains(REVOKED, proof), "Not revoked: "..proof.m)
else
assert(not revocation_contains(REVOKED, proof), "Revoked: "..proof.m)
end
end
warn('random proof.s')
for _,proof in pairs(CREDENTIAL_PROOF) do
proof.s = ECP.random() -- FUZZ
assert( not verify_proof(A.pk, proof) )
if proof.m == 'gender=male' then
assert(revocation_contains(REVOKED, proof), "Not revoked: "..proof.m)
else
assert(not revocation_contains(REVOKED, proof), "Revoked: "..proof.m)
end
end
warn('random proof.p')
for _,proof in pairs(CREDENTIAL_PROOF) do
proof.p = ECP2.random():to_zcash() -- FUZZ
assert(not verify_proof(A.pk, proof) )
end
warn('random proof.t')
for _,proof in pairs(CREDENTIAL_PROOF) do
proof.t = OCTET.random(32)
assert(not verify_proof(A.pk, proof) )
end
warn('random proof.c')
for _,proof in pairs(CREDENTIAL_PROOF) do
proof.c = sign(BIG.random(), OCTET.random(32))
assert(not verify_proof(A.pk, proof) )
end
warn('random proof.r')
for _,proof in pairs(CREDENTIAL_PROOF) do
proof.r = ECP2.random():to_zcash() -- FUZZ
assert(not verify_proof(A.pk, proof) )
assert(not revocation_contains(REVOKED, proof), "Revoked: "..proof.m)
end
warn('random A.pk')
for _,proof in pairs(CREDENTIAL_PROOF) do
assert(not verify_proof(ECP2.random(), proof) )
assert(not revocation_contains(REVOKED, proof), "Revoked: "..proof.m)
end