refactor: updates and cleanups

Author: BasileiosKal

src/error.rs

@@ -47,6 +47,9 @@ pub enum Error {
     /// Public key is not valid.
     InvalidPublicKey,
 
+    /// Pseudonym is not valid
+    InvalidPseudonym,
+
     /// Signature is malformed.
     MalformedSignature {
         /// Detailed cause.
@@ -126,6 +129,9 @@ impl core::fmt::Debug for Error {
             Error::InvalidPublicKey => {
                 write!(f, "public key is invalid.")
             }
+            Error::InvalidPseudonym => {
+                write!(f, "pseudonym is invalid")
+            }
             Error::MalformedSignature { ref cause } => {
                 write!(f, "signature is malformed: cause: {cause}")
             }

src/schemes/bbs/core/proof.rs

@@ -52,14 +52,24 @@ macro_rules! slicer {
     };
 }
 
-#[derive(Default)]
 pub(crate) struct RandomScalars {
     pub r1: Scalar,
     pub r2_tilde: Scalar,
     pub z_tilde: Scalar,
     pub m_tilde_scalars: Vec<Scalar>,
 }
 
+impl Default for RandomScalars {
+    fn default() -> Self {
+        Self {
+            r1: Default::default(),
+            r2_tilde: Default::default(),
+            z_tilde: Default::default(),
+            m_tilde_scalars: Vec::new() as Vec<Scalar>,
+        }
+    }
+}
+
 impl RandomScalars {
     pub fn insert_m_tilde(&mut self, m_tilde: Scalar) {
         self.m_tilde_scalars.push(m_tilde);
@@ -144,21 +154,6 @@ impl Proof {
         G: Generators,
         I: BbsInterfaceParameter,
     {
-        // Input parameter checks
-        // Error out if there is no `header` and not any `ProofMessage`
-        if header.is_none() && messages.is_empty() {
-            return Err(Error::BadParams {
-                cause: "nothing to prove".to_owned(),
-            });
-        }
-        // Error out if length of messages and generators are not equal
-        if messages.len() != generators.message_generators_length() {
-            return Err(Error::MessageGeneratorsLengthMismatch {
-                generators: generators.message_generators_length(),
-                messages: messages.len(),
-            });
-        }
-
         // (r1, r2, r3, m~_j1, ..., m~_jU) = calculate_random_scalars(3+U)
         let mut random_scalars = RandomScalars {
             r1: create_random_scalar(&mut rng)?,
@@ -258,17 +253,12 @@ impl Proof {
         // cv_for_hash = encode_for_hash(cv_array)
         //  if cv_for_hash is INVALID, return INVALID
         //  cv = hash_to_scalar(cv_for_hash, 1)
-<<<<<<< HEAD
-        let cv = compute_challenge::<_, I>(&init_res, disclosed_messages, ph)?;
-=======
-        let cv = compute_challenge::<_, C>(
+        let cv = compute_challenge::<_, I>(
             &init_res,
             disclosed_messages,
             ph,
-            api_id,
             None,
         )?;
->>>>>>> 8a6d8d2 (feat: add pseudonyms)
 
         // Check the selective disclosure proof
         // if c != cv, return INVALID
@@ -316,6 +306,19 @@ impl Proof {
         let total_no_of_messages = message_scalars.len();
 
         // Check input sizes.
+        // Error out if there is no `header` and not any `ProofMessage`
+        if header.is_none() && message_scalars.is_empty() {
+            return Err(Error::BadParams {
+                cause: "nothing to prove".to_owned(),
+            });
+        }
+        // Error out if length of messages and generators are not equal
+        if total_no_of_messages != generators.message_generators_length() {
+            return Err(Error::MessageGeneratorsLengthMismatch {
+                generators: generators.message_generators_length(),
+                messages: total_no_of_messages,
+            });
+        }
         // Number of message generators == number of messages is checked in
         // compute_domain. Checking that all the indexes are in the [0,
         // length(messages)) range is done before get_message_generator
@@ -330,7 +333,7 @@ impl Proof {
 
         // Checking that number of undisclosed messages (/indexes) <= number of
         // messages
-        if undisclosed_indexes.len() > message_scalars.len() {
+        if undisclosed_indexes.len() > total_no_of_messages {
             return Err(Error::BadParams {
                 cause: format!(
                     "Not disclosed messages number is invalid. Maximum \
@@ -345,7 +348,7 @@ impl Proof {
         let domain = compute_domain::<_, _, I>(
             PK,
             header,
-            message_scalars.len(),
+            total_no_of_messages,
             generators,
         )?;
 

src/schemes/pseudonym/api/dtos.rs

@@ -17,7 +17,7 @@ pub struct BbsSignRequest<'a, T: AsRef<[u8]> + Default> {
     /// Public key
     pub public_key: &'a [u8; BBS_BLS12381G1_PUBLIC_KEY_LENGTH],
     /// Prover unique identifier
-    pub pid: T,
+    pub prover_id: T,
     /// Header containing context and application specific information
     pub header: Option<T>,
     /// Vector of messages to sign
@@ -29,7 +29,7 @@ impl<'a, T: AsRef<[u8]> + Default> Default for BbsSignRequest<'a, T> {
         Self {
             secret_key: &[0u8; BBS_BLS12381G1_SECRET_KEY_LENGTH],
             public_key: &[0u8; BBS_BLS12381G1_PUBLIC_KEY_LENGTH],
-            pid: Default::default(),
+            prover_id: Default::default(),
             header: Default::default(),
             messages: Default::default(),
         }
@@ -42,7 +42,7 @@ pub struct BbsVerifyRequest<'a, T: AsRef<[u8]> + Default> {
     /// Public key
     pub public_key: &'a [u8; BBS_BLS12381G1_PUBLIC_KEY_LENGTH],
     /// Prover unique identifier
-    pub pid: T,
+    pub prover_id: T,
     /// Header containing context and application specific information
     pub header: Option<T>,
     /// Vector of messages to verify against a signature
@@ -55,7 +55,7 @@ impl<'a, T: AsRef<[u8]> + Default> Default for BbsVerifyRequest<'a, T> {
     fn default() -> Self {
         Self {
             public_key: &[0u8; BBS_BLS12381G1_PUBLIC_KEY_LENGTH],
-            pid: Default::default(),
+            prover_id: Default::default(),
             header: Default::default(),
             messages: Default::default(),
             signature: &[0u8; BBS_BLS12381G1_SIGNATURE_LENGTH],
@@ -70,7 +70,7 @@ pub struct BbsProofGenRequest<'a, T: AsRef<[u8]> + Default> {
     /// Public key associated to the BBS signature
     pub public_key: &'a [u8; BBS_BLS12381G1_PUBLIC_KEY_LENGTH],
     /// The Prover's unique identifier
-    pub pid: T,
+    pub prover_id: T,
     /// The Verifier's unique Identifier
     pub verifier_id: T,
     /// Point of G1 used by a Verifier to link multiple proof presentations
@@ -94,7 +94,7 @@ impl<'a, T: AsRef<[u8]> + Default> Default for BbsProofGenRequest<'a, T> {
     fn default() -> Self {
         Self {
             public_key: &[0u8; BBS_BLS12381G1_PUBLIC_KEY_LENGTH],
-            pid: Default::default(),
+            prover_id: Default::default(),
             verifier_id: Default::default(),
             pseudonym: &[0u8; OCTET_POINT_G1_LENGTH],
             header: Default::default(),

src/schemes/pseudonym/api/proof.rs

@@ -42,9 +42,8 @@ where
     let pseudonym = Pseudonym::from_octets(request.pseudonym)?;
 
     // digest the pid message
-    let pid = pid_to_message::<_, I>(&request.pid)?;
+    let pid = pid_to_message::<_, I>(&request.prover_id)?;
     digested_messages.push(pid);
-    // proof_messages.push(ProofMessage::Hidden(pid));
 
     let verify_signature = request.verify_signature.unwrap_or(true);
     if verify_signature

src/schemes/pseudonym/api/signature.rs

@@ -25,7 +25,7 @@ where
     let pk = PublicKey::from_octets(request.public_key)?;
 
     let mut messages = digest_messages::<_, I>(request.messages)?;
-    let pid_msg = digest_messages::<_, I>(Some(&[&request.pid]))?;
+    let pid_msg = digest_messages::<_, I>(Some(&[&request.prover_id]))?;
     messages.push(pid_msg[0]);
 
     let generators = MemoryCachedGenerators::<I>::new(messages.len(), None)?;
@@ -51,7 +51,7 @@ where
     let pk = PublicKey::from_octets(request.public_key)?;
 
     let mut messages = digest_messages::<_, I>(request.messages)?;
-    let pid_msg = digest_messages::<_, I>(Some(&[&request.pid]))?;
+    let pid_msg = digest_messages::<_, I>(Some(&[&request.prover_id]))?;
     messages.push(pid_msg[0]);
 
     let generators = MemoryCachedGenerators::<I>::new(messages.len(), None)?;

src/schemes/pseudonym/ciphersuites/bls12_381_g1_sha_256.rs

@@ -1,12 +1,3 @@
-#![allow(dead_code)]
-#![allow(unused)]
-#![allow(non_snake_case)]
-
-// use crate::common::ciphersuite::{
-//     CipherSuiteParameter,
-//     CipherSuiteId,
-// };
-
 use crate::{
     bbs::{
         ciphersuites::{

src/schemes/pseudonym/core/proof.rs

@@ -1,6 +1,5 @@
-#![allow(dead_code)]
-#![allow(unused)]
 #![allow(non_snake_case)]
+
 use std::collections::BTreeMap;
 
 use blstrs::{G1Projective, Scalar};
@@ -41,9 +40,9 @@ impl ProofWithNym {
     pub fn new<T, G, C>(
         PK: &PublicKey,
         signature: &Signature,
-        nym: &Pseudonym,
+        pseudonym: &Pseudonym,
         verifier_id: T,
-        pid: Message,
+        prover_id: Message,
         header: Option<T>,
         ph: Option<T>,
         generators: &G,
@@ -58,9 +57,9 @@ impl ProofWithNym {
         Self::new_with_rng::<_, _, _, C>(
             PK,
             signature,
-            nym,
+            pseudonym,
             verifier_id,
-            pid,
+            prover_id,
             header,
             ph,
             generators,
@@ -75,9 +74,9 @@ impl ProofWithNym {
     pub fn new_with_rng<T, R, G, C>(
         PK: &PublicKey,
         signature: &Signature,
-        nym: &Pseudonym,
+        pseudonym: &Pseudonym,
         verifier_id: T,
-        pid: Message,
+        prover_id: Message,
         header: Option<T>,
         ph: Option<T>,
         generators: &G,
@@ -91,24 +90,6 @@ impl ProofWithNym {
         G: Generators,
         C: BbsCiphersuiteParameters,
     {
-        if header.is_none() && messages.is_empty() {
-            return Err(Error::BadParams {
-                cause: "nothing to prove".to_owned(),
-            });
-        }
-        // Error out if length of messages and generators are not equal
-        if messages.len() + 1 != generators.message_generators_length() {
-            println!("messages.len() + 1 = {:?}", messages.len() + 1);
-            println!(
-                "generators.message_generators_length() = {:?}",
-                generators.message_generators_length()
-            );
-
-            return Err(Error::MessageGeneratorsLengthMismatch {
-                generators: generators.message_generators_length(),
-                messages: messages.len(),
-            });
-        }
         let api_id = api_id.unwrap_or([].to_vec());
 
         // (r1, r2, r3, m~_j1, ..., m~_jU) = calculate_random_scalars(3+U)
@@ -124,12 +105,12 @@ impl ProofWithNym {
         //
         // Deserialization:
         // ...(implicit steps)...
-        // 4. messages.push(pid)
+        // 4. messages.push(prover_id)
         // ...(implicit steps)...
         // 10. undisclosed_indexes = range(1, L) \ disclosed_indexes
         // 11. disclosed_messages = (messages[i1], ..., messages[iR])
         let mut messages_vec = messages.to_vec();
-        messages_vec.push(ProofMessage::Hidden(pid));
+        messages_vec.push(ProofMessage::Hidden(prover_id));
 
         let message_scalars: Vec<Scalar> =
             messages_vec.iter().map(|m| m.get_message().0).collect();
@@ -169,7 +150,7 @@ impl ProofWithNym {
 
         let pid_tilde = random_scalars.m_tilde_scalars.last().unwrap();
         let pseudonym_proof_init = CommitProofInitResult {
-            commit: nym.as_point(),
+            commit: pseudonym.as_point(),
             commit_base: OP,
             blind_commit: OP * pid_tilde,
         };
@@ -221,11 +202,35 @@ impl ProofWithNym {
         if PK.is_valid().unwrap_u8() == 0u8 {
             return Err(Error::InvalidPublicKey);
         }
+
+        // the pseudonym should be a point of G1 but not any of the constant
+        // "reserved" points (i.e., the identity of G1 or the base
+        // generator and the base point of G1).
+        if pseudonym.is_valid::<C>().unwrap_u8() == 0u8 {
+            return Err(Error::InvalidPseudonym);
+        }
+
+        // Check that the m_hat_list is not empty (the prover_id
+        // should always be undisclosed).
+        if self.0.m_hat_list.is_empty() {
+            return Err(Error::BadParams {
+                cause: "At least on message must be undisclosed".to_owned(),
+            });
+        }
+
+        // Check that the last message (the prover_id) is not revealed
+        if let Some(val) = disclosed_messages.last_key_value() {
+            if *val.0 == self.0.m_hat_list.len() + disclosed_messages.len() {
+                return Err(Error::BadParams {
+                    cause: "The last signed message should not be revealed"
+                        .to_owned(),
+                });
+            }
+        }
+
         let api_id = api_id.unwrap_or([].to_vec());
 
         // initialize the proof verification procedure
-        // TODO: Check that the last message is not revealed
-        // TODO: Check that the m_hat_list is not empty.
         let init_res = self.0.proof_verify_init::<T, G, C>(
             PK,
             header,
@@ -236,14 +241,13 @@ impl ProofWithNym {
 
         // initialize the pseudonym correctness proof verification procedure
         let OP = C::hash_to_curve(verifier_id.as_ref(), &api_id)?;
-
-        // unwrap() is safe here is we check that m_hat_list is non empty (TODO)
-        let pid_hat = self.0.m_hat_list.last().unwrap();
         let pseudonym_point = pseudonym.as_point();
         let proof_challenge = self.0.c;
+
+        // unwrap() is safe here since we check that m_hat_list is non empty
         let Uv = G1Projective::multi_exp(
             &[OP, pseudonym_point],
-            &[pid_hat.0, -proof_challenge.0],
+            &[self.0.m_hat_list.last().unwrap().0, -proof_challenge.0],
         );
 
         let pseudonym_proof_verify_init = CommitProofInitResult {