Compare commits

...

1 Commits

Author SHA1 Message Date
aniampio ffe9084566 Add public attributes into the commitment hash - security patch 2023-01-11 17:20:07 +00:00
3 changed files with 999 additions and 796 deletions
Generated
+932 -757
View File
File diff suppressed because it is too large Load Diff
+25 -6
View File
@@ -7,17 +7,18 @@ use std::borrow::Borrow;
use std::convert::TryInto;
use bls12_381::{G1Projective, G2Projective, Scalar};
use digest::generic_array::typenum::Unsigned;
use digest::Digest;
use digest::generic_array::typenum::Unsigned;
use group::GroupEncoding;
use itertools::izip;
use sha2::Sha256;
use crate::Attribute;
use crate::error::{CoconutError, Result};
use crate::scheme::issuance::compute_commitment_hash;
use crate::scheme::setup::Parameters;
use crate::scheme::VerificationKey;
use crate::utils::{hash_g1, try_deserialize_scalar, try_deserialize_scalar_vec};
use crate::Attribute;
// as per the reference python implementation
type ChallengeDigest = Sha256;
@@ -91,6 +92,7 @@ impl ProofCmCs {
commitments: &[G1Projective],
pedersen_commitments_openings: &[Scalar],
private_attributes: &[Attribute],
public_attributes: &[Attribute],
) -> Self {
// note: this is only called from `prepare_blind_sign` that already checks
// whether private attributes are non-empty and whether we don't have too many
@@ -104,7 +106,7 @@ impl ProofCmCs {
let witness_attributes = params.n_random_scalars(private_attributes.len());
// recompute h
let h = hash_g1(commitment.to_bytes());
let h = compute_commitment_hash(*commitment, public_attributes);
let hs_bytes = params
.gen_hs()
.iter()
@@ -186,7 +188,7 @@ impl ProofCmCs {
}
// recompute h
let h = hash_g1(commitment.to_bytes());
let h = compute_commitment_hash(*commitment, public_attributes);
let g1 = params.gen1();
let hs_bytes = params
@@ -529,9 +531,18 @@ mod tests {
let cms: [G1Projective; 1] = [G1Projective::random(&mut rng)];
let rs = params.n_random_scalars(1);
let private_attributes = params.n_random_scalars(1);
let public_attributes = params.n_random_scalars(1);
// 0 public 1 private
let pi_s = ProofCmCs::construct(&params, &cm, &r, &cms, &rs, &private_attributes);
let pi_s = ProofCmCs::construct(
&params,
&cm,
&r,
&cms,
&rs,
&private_attributes,
&public_attributes,
);
let bytes = pi_s.to_bytes();
assert_eq!(ProofCmCs::from_bytes(&bytes).unwrap(), pi_s);
@@ -547,7 +558,15 @@ mod tests {
let private_attributes = params.n_random_scalars(2);
// 0 public 2 privates
let pi_s = ProofCmCs::construct(&params, &cm, &r, &cms, &rs, &private_attributes);
let pi_s = ProofCmCs::construct(
&params,
&cm,
&r,
&cms,
&rs,
&private_attributes,
&public_attributes,
);
let bytes = pi_s.to_bytes();
assert_eq!(ProofCmCs::from_bytes(&bytes).unwrap(), pi_s);
+13 -4
View File
@@ -201,8 +201,16 @@ pub fn compute_pedersen_commitments_for_private_attributes(
(commitments_openings, pedersen_commitments)
}
pub fn compute_commitment_hash(commitment: G1Projective) -> G1Projective {
hash_g1(commitment.to_bytes())
pub fn compute_commitment_hash(
commitment: G1Projective,
public_attributes: &[Attribute],
) -> G1Projective {
let mut msg_bytes = Vec::with_capacity(public_attributes.len() * 32);
msg_bytes.extend_from_slice(&commitment.to_affine().to_compressed());
for attr in public_attributes {
msg_bytes.extend_from_slice(&attr.to_bytes());
}
hash_g1(msg_bytes)
}
/// Builds cryptographic material required for blind sign.
@@ -230,7 +238,7 @@ pub fn prepare_blind_sign(
compute_attributes_commitment(params, private_attributes, public_attributes, hs);
// Compute the challenge as the commitment hash
let commitment_hash = compute_commitment_hash(commitment);
let commitment_hash = compute_commitment_hash(commitment, public_attributes);
let (pedersen_commitments_openings, pedersen_commitments) =
compute_pedersen_commitments_for_private_attributes(
@@ -246,6 +254,7 @@ pub fn prepare_blind_sign(
&pedersen_commitments,
&pedersen_commitments_openings,
private_attributes,
public_attributes,
);
Ok((
@@ -276,7 +285,7 @@ pub fn blind_sign(
}
// Verify the commitment hash
let h = hash_g1(blind_sign_request.commitment.to_bytes());
let h = compute_commitment_hash(blind_sign_request.commitment, public_attributes);
if !(h == blind_sign_request.commitment_hash) {
return Err(CoconutError::Issuance(
"Failed to verify the commitment hash".to_string(),