# Crypto Details

Mathematical details for ZKP-CL.

[Camenisch-Lysyanskaya (CL)](https://cs.brown.edu/people/alysyans/papers/camlys02b.pdf)

[Zero knowledge proof (ZKP)](https://w3c.github.io/vc-data-model/#zero-knowledge-proofs)

## Showing Selective Disclosure Proof


The Issuer defines the credential schema with $i$ attributes $m_1, m_2, \ldots, m_i$.

In Sovrin, $m_1$ is reserved for the link secret of the holder, $m_2$ is reserved for the credential index, $m_3$ is reserved for the policy address.



Let $A$ be the set of all attribute identifiers present in the credential schema, where $A = A_r \cup A_h$, such that $A_r$ contains the attributes revealed to the Verifier and $A_h$ contains the unrevealed (hidden) attributes, which are kept secret. (As a product index, $A$ denotes this set; as a base, $A$ and $A'$ denote the signature element used below.)

Since $A_r$ and $A_h$ are disjoint, we know that

$$ \prod_{i \in A}{R_i^{m_i}} = \prod_{i \in A_r}{R_i^{m_i}} \cdot \prod_{i \in A_h}{R_i^{m_i}} $$

Prover has:

$$ T = A'^{\bar{e}} S^{\bar{v}} \Bigg(\prod_{i \in A_h}{R_i^{\bar{m_i}}} \Bigg) $$
$$ A' = AS^r $$
$$ v' = v - er $$
$$ \hat{v} = \bar{v} + Dv'  $$
$$ e' = e - \beta $$
$$ \hat{e} = \bar{e} + De' $$
$$ \hat{m_i} = \bar{m_i} + Dm_i $$
$$ Q = A^e $$
$$ Q = \Bigg(\frac{Z}{S^v \prod_{i \in A}{R_i^{m_i}}}\Bigg) $$

Prover calculates:

$$
\begin{equation}
\begin{align}
  \hat{T} &= \Bigg(\frac{Z}{A'^\beta \prod_{i \in A_r}{R_i^{m_i}}}\Bigg)^{-D} A'^{\hat{e}} S^{\hat{v}} \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg)\\

  &= \Bigg(\frac{Z}{A'^\beta \cdot \prod_{i \in A_r}{R_i^{m_i}}}\Bigg)^{-D} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg) \\
  
    &//\quad basics: \quad (x^a)^b = (x^b)^a = x^{ab} \qquad // \\
  
  &= Z^{-D}\Bigg(\frac{1}{A'^\beta \cdot \prod_{i \in A_r}{R_i^{m_i}}}\Bigg)^{-D} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg) \\
  
    &//\quad basics: \quad \Bigg(\frac{1}{x}\Bigg)^a = x^{-a} \qquad // \\

  &= Z^{-D}\Bigg({A'^\beta \cdot \prod_{i \in A_r}{R_i^{m_i}}}\Bigg)^{D} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg) \\

  &= Z^{-D}\Bigg({A'^{D\beta} \cdot \prod_{i \in A_r}{R_i^{Dm_i}}}\Bigg) \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg) \\

   &//\quad where: \quad \hat{m_i} = \bar{m_i} + Dm_i \qquad // \\

  &= Z^{-D} \cdot A'^{D\beta} \cdot \prod_{i \in A_r}{R_i^{Dm_i}} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_h}{R_i^{\bar{m_i} + Dm_i}}\Bigg) \\

  &= Z^{-D} \cdot A'^{D\beta} \cdot \prod_{i \in A_r}{R_i^{Dm_i}} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_h}{R_i^{\bar{m_i}}} \cdot \prod_{i \in A_h}{R_i^{Dm_i}}\Bigg) \\

  &= Z^{-D} \cdot A'^{D\beta} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_r}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{Dm_i}}\Bigg) \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

  &= Z^{-D} \cdot A'^{D\beta} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A}{R_i^{Dm_i}}\Bigg) \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

     &//\quad where: \quad \hat{e} = \bar{e} + De' \qquad // \\

  &= Z^{-D} \cdot A'^{D\beta} \cdot A'^{\bar{e} + De'} \cdot S^{\hat{v}} \cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

     &//\quad where: \quad e' = e - \beta \qquad // \\

  &= Z^{-D} \cdot A'^{D\beta} \cdot A'^{\bar{e} + D(e - \beta)} \cdot S^{\hat{v}} \cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\
  &= Z^{-D} \cdot A'^{D\beta} \cdot A'^{\bar{e} + De - D\beta} \cdot S^{\hat{v}} \cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

    &//\quad basics: \quad x^a \cdot x^b = x^{a+b} \qquad // \\

  &= Z^{-D} \cdot A'^{\bar{e} + De} \cdot S^{\hat{v}} \cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

  &= Z^{-D} \cdot A'^{\bar{e}} \cdot A'^{De} \cdot S^{\hat{v}} \cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

     &//\quad where: \quad \hat{v} = \bar{v} + Dv' \qquad // \\

  &= Z^{-D} \cdot A'^{\bar{e}} \cdot A'^{De} \cdot S^{\bar{v}} \cdot S^{Dv'}\cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

  &= Z^{-D} \cdot A'^{De} \cdot  S^{Dv'}\cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \Bigg(A'^{\bar{e}} \cdot S^{\bar{v}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \Bigg)\\
  
    &//\quad where: \quad T = A'^{\bar{e}} S^{\bar{v}} \Bigg(\prod_{i \in A_h}{R_i^{\bar{m_i}}} \Bigg) \qquad// \\

  &= Z^{-D} \cdot A'^{De} \cdot  S^{Dv'}\cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot T\\

  &= Z^{-D} \cdot \Bigg(A'^{De} \cdot S^{Dv'}\cdot \prod_{i \in A}{R_i^{Dm_i}} \Bigg) \cdot T\\

  &= Z^{-D} \cdot \Bigg(A'^{e} \cdot S^{v'}\cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

  

\end{align}
\end{equation}
$$

$$
\begin{equation}
\boxed{
\begin{array}{rcl}
\hat{T} = Z^{-D} \Bigg(A'^{e} S^{v'} \prod_{i \in A}{R_i^{m_i}} \Bigg)^D T\\
\end{array}
}
\end{equation}
$$


### Continuation of the proof - Alternative 1

$$
\begin{equation*}
\begin{align}
  \hat{T} &= \Bigg(\frac{Z}{A'^\beta \prod_{i \in A_r}{R_i^{m_i}}}\Bigg)^{-D} A'^{\hat{e}} S^{\hat{v}} \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg)\\

  &= Z^{-D} \cdot \Bigg(A'^{e} \cdot S^{v'}\cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

    &//\quad where: \quad Q = \Bigg(\frac{Z}{S^v \prod_{i \in A}{R_i^{m_i}}}\Bigg) \qquad // \\

  &= \Bigg(Q \cdot S^v \cdot \prod_{i \in A}{R_i^{m_i}}\Bigg)^{-D} \cdot \Bigg(A'^{e} \cdot S^{v'}\cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

  &= \Big(Q \cdot S^v \Big)^{-D} \cdot \Big(A'^{e} \cdot S^{v'} \Big)^D \cdot T\\

    &//\quad where: \quad v' = v - er \qquad // \\

  &= \Big(Q \cdot S^v \Big)^{-D} \cdot \Big(A'^{e} \cdot S^{v - er} \Big)^D \cdot T\\

  &= \Big(Q \cdot S^v \Big)^{-D} \cdot \Big(A'^{e} \cdot S^{v} \cdot S^{-er} \Big)^D \cdot T\\

  &= \Big(Q\Big)^{-D} \cdot \Big(A'^{e} \cdot S^{-er} \Big)^D \cdot T\\

    &//\quad where: \quad A' = AS^r \qquad // \\

  &= \Big(Q\Big)^{-D} \cdot \Big((AS^r)^{e} \cdot S^{-er} \Big)^D \cdot T\\
  
  &= \Big(Q\Big)^{-D} \cdot \Big(A^e \cdot S^{er} \cdot S^{-er} \Big)^D \cdot T\\

  &= \Big(Q\Big)^{-D} \cdot \Big(A^e \Big)^D \cdot T\\

      &//\quad where: \quad Q = A^e \qquad // \\

  &= \Big(A^e \Big)^{-D} \cdot \Big(A^e \Big)^D \cdot T\\

  &= T

\end{align}
\end{equation*}
$$

### Continuation of the proof - Alternative 2

$$
\begin{equation*}
\begin{align}
  \hat{T} &= \Bigg(\frac{Z}{A'^\beta \prod_{i \in A_r}{R_i^{m_i}}}\Bigg)^{-D} A'^{\hat{e}} S^{\hat{v}} \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg)\\

&= Z^{-D} \cdot \Bigg(A'^{e} \cdot S^{v'}\cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

    &//\quad where: \quad v' = v - er \qquad // \\

&= Z^{-D} \cdot \Bigg(A'^{e} \cdot S^{v - er} \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

&= Z^{-D} \cdot \Bigg(A'^{e} \cdot S^{v} \cdot S^{-er} \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

  &//\quad where: \quad A' = AS^r \qquad // \\

&= Z^{-D} \cdot \Bigg((AS^r)^{e} \cdot S^{v} \cdot S^{-er} \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

&= Z^{-D} \cdot \Bigg(A^e \cdot S^{er} \cdot S^{v} \cdot S^{-er} \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

&= Z^{-D} \cdot \Bigg(A^e \cdot S^{v} \cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

    &//\quad where: \quad A^e = Q = \Bigg(\frac{Z}{S^v \prod_{i \in A}{R_i^{m_i}}}\Bigg) \qquad // \\

&= Z^{-D} \cdot \Bigg(\frac{Z}{S^v \prod_{i \in A}{R_i^{m_i}}} \cdot S^{v} \cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

&= Z^{-D} \cdot Z^D \cdot T \\

&= T

\end{align}
\end{equation*}
$$

### Why it works, summarised

$$
\begin{equation*}
\begin{align}
  \hat{T} &= \Bigg(\frac{Z}{A'^\beta \prod_{i \in A_r}{R_i^{m_i}}}\Bigg)^{-D} A'^{\hat{e}} S^{\hat{v}} \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg)\\

&= Z^{-D}\Bigg({A'^\beta \cdot \prod_{i \in A_r}{R_i^{m_i}}}\Bigg)^{D} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_h}{R_i^{\hat{m_i}}}\Bigg) \\

&= Z^{-D} \cdot A'^{D\beta} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A_r}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{Dm_i}}\Bigg) \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

&= Z^{-D} \cdot A'^{D\beta} \cdot A'^{\hat{e}} \cdot S^{\hat{v}} \cdot \Bigg(\prod_{i \in A}{R_i^{Dm_i}}\Bigg) \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

&= Z^{-D} \cdot A'^{D\beta} \cdot A'^{\bar{e} + De - D\beta} \cdot S^{\hat{v}} \cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

&= Z^{-D} \cdot A'^{\bar{e}} \cdot A'^{De} \cdot S^{\bar{v} + Dv'} \cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \\

&= Z^{-D} \cdot A'^{De} \cdot  S^{Dv'}\cdot \prod_{i \in A}{R_i^{Dm_i}} \cdot \Bigg(A'^{\bar{e}} \cdot S^{\bar{v}} \cdot \prod_{i \in A_h}{R_i^{\bar{m_i}}} \Bigg)\\

&= Z^{-D} \cdot \Bigg(A'^{e} \cdot S^{v'} \cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\



&= Z^{-D} \cdot \Bigg((AS^r)^{e} \cdot S^{v} \cdot S^{-er} \cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\


&= Z^{-D} \cdot \Bigg(A^e \cdot S^{v} \cdot \prod_{i \in A}{R_i^{m_i}} \Bigg)^D \cdot T\\

&= Z^{-D} \cdot \Bigg(\frac{1}{A^{e} \cdot S^{v} \cdot \prod_{i \in A}{R_i^{m_i}}}\Bigg)^{-D} \cdot T\\

&= Z^{-D} \cdot \Bigg(\frac{1}{Z}\Bigg)^{-D} \cdot T\\

&= T

\end{align}
\end{equation*}
$$
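
A numeric check of the identity $\hat{T} = T$ derived above, as an added example that is not code from the original page or from the Indy/AnonCreds project. The modulus, bases, attribute values, $\beta$, $e$, $v$ and the challenge $D$ are constructed toy values, the barred values are drawn at random, and all function names are hypothetical.

```python
import secrets

# Constructed toy parameters (assumptions): far too small for any real use.
p, q = 1019, 1187                      # toy primes; n = p*q plays the RSA modulus
n, phi = p * q, (p - 1) * (q - 1)
S, Z = pow(3, 2, n), pow(5, 2, n)      # public bases, chosen as squares mod n
R = {i: pow(i + 6, 2, n) for i in range(1, 6)}    # R_1 .. R_5
BETA = 1 << 16                         # toy stand-in for the constant beta

def inv(x):
    return pow(x, -1, n)               # modular inverse (Python 3.8+)

def prod_R(exps):
    """prod_i R_i^{exps[i]} mod n over the attribute ids in exps."""
    out = 1
    for i, x in exps.items():
        out = out * pow(R[i], x, n) % n
    return out

def issue(m, e=BETA + 3, v=424242):
    """Issuer: Q = Z / (S^v prod_{i in A} R_i^{m_i}) and A = Q^(1/e), so A^e = Q."""
    Q = Z * inv(pow(S, v, n) * prod_R(m) % n) % n
    return pow(Q, pow(e, -1, phi), n), e, v

def prove(m, sig, hidden, D):
    """Prover: randomise A, commit to T, answer challenge D for the hidden values."""
    A, e, v = sig
    r = secrets.randbelow(n)
    A1 = A * pow(S, r, n) % n                      # A' = A S^r
    v1, e1 = v - e * r, e - BETA                   # v' = v - er,  e' = e - beta
    e_bar, v_bar = secrets.randbelow(n), secrets.randbelow(n)
    m_bar = {i: secrets.randbelow(n) for i in hidden}
    T = pow(A1, e_bar, n) * pow(S, v_bar, n) * prod_R(m_bar) % n
    m_hat = {i: m_bar[i] + D * m[i] for i in hidden}
    return A1, T, e_bar + D * e1, v_bar + D * v1, m_hat

def t_hat(proof, revealed, D):
    """Verifier: rebuild T-hat from A', the responses and the revealed m_i only."""
    A1, _, e_hat, v_hat, m_hat = proof
    base = Z * inv(pow(A1, BETA, n) * prod_R(revealed) % n) % n
    return (pow(base, -D, n) * pow(A1, e_hat, n) * pow(S, v_hat, n)
            * prod_R(m_hat)) % n

if __name__ == "__main__":
    # Constructed credential: m_1 link secret, m_2 index, m_3 policy address.
    m = {1: 98765, 2: 17, 3: 4242, 4: 1990, 5: 31337}
    proof = prove(m, issue(m), hidden=[1, 2, 3, 5], D=7)
    print(t_hat(proof, {4: m[4]}, D=7) == proof[1])        # honest disclosure of m_4
    print(t_hat(proof, {4: m[4] + 1}, D=7) == proof[1])    # altered revealed value
```

The second comparison uses an altered revealed attribute: the extra factor $R_4^{D}$ no longer cancels, so $\hat{T} \neq T$, which is what binds the disclosed values to the signature.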
