In [None]:
from Crypto.Util import number
from Crypto.Hash import SHA256
import numpy as np
import json

# from ecpy.curves import Curve

In [None]:
def SHA256_func(a):
    assert type(a) == str, 'Input type must be string'
    tmp = SHA256.new()
    tmp.update(bytes(a, 'utf-8'))
    return tmp.hexdigest()

def SHA256_issuer(a):
    assert type(a) == dict, 'Input type must be dict'
    a = json.dumps(a)
    return SHA256_func(a)

In [None]:
## SETUP USING RSA

# Issuer does setup
p = number.getStrongPrime(512)
q = number.getStrongPrime(512)
n = p*q
e = 65537
d = pow(e, -1, (p-1)*(q-1))
assert number.GCD(d,n) == 1

In [None]:
## ISSUER PARTS
# We first create the attributes in the PID/(Q)EAA

a = {} # this is the attribute dictionary

# We add some values
a['first_name'] = 'Peter'
a['last_name'] = 'Altmann'
a['date_of_birth'] = '19850909'
a['driver_license'] = ['A','B']
a = dict(sorted(a.items()))

# The issuer now generates the SHA256 digest
h = SHA256_issuer(a)

# Print the results
print('The attribute set the issuer wishes to sign is:\n',json.dumps(a, indent=2))

# Breaking out each attribute individually since signing is individual
json_list = [dict({i: a[i]}) for i in a.keys()]

print('\nIt is important that each attribute is treated individually. Our attribute are:')
for i in json_list:
    print(i)

## The proof mechanism

We now have individual attributes. We need two things now:

1. A way to link the attributes together to show they were part of the same (Q)EAA
2. A way to blind the presentation from both the issuer and the verifier

To achieve 1, we need the ability for the holder to generate a set inclusion proof. Put differently, the issuer needs to sign an ability for the holder to generate a proof that each attribute is a part of the same (Q)EAA.

To achieve 2, we need a way to generate a signature that is blinded for both the issuer and the verifier. Thus, the issuer cannot provide the salts. I have tried various attempts to make this work with salted digests only, but no matter what I try I either:

* need Decisional DH to be easy (which would force me to use pairings),  
* need to know the order of the exponents group to do efficient inverses (but that is equivalent to being able to factorize the modulus N), or 
* end up with colluding issuers and verifiers being able to extract the holder supplied random salt

So, I started thinking of another way than salted digests. It then occured to me that thee issuer should not sign not a logical ordering of salted attribute digests (which is a trivial way to do set inclusion proofs and is the way the traditional salted digest approach does it), but instead a more dynamic structure. Ideally, we need something that allows the holder to generate multiple valid signatures for the same ability to do a set inclusion proof (as opposed to the set inclusion proof itself).

## Blinded signatures

The RSA signature is suitable for blinding. It works as follows (cf. [wiki](https://en.wikipedia.org/wiki/Blind_signature)):

* A traditional RSA signature is computed as follows: 
    1. Signer generates two distinct primes $(p,q)$ (there are some considerations for the prime generation but we ignore these for this text)
    2. The signer keeps $(p,q)$ secret but publishes $n = pq$ as a public modulus
    3. The signer computes $\phi(n)=(p-1,q-1)$ and keeps this value secret
    4. The signer selects a rather small public key $e$ s.t. $e$ and $(p-1,q-1)$ are coprime. A popular choice is $e=2^{16}+1$
    5. Knowing $(p-1,q-1)$, the issuer can generate the private key $d=e^{-1} \mod{\phi(n)}$
    6. Given a message $m$, the following applies: $(m^d)^e=m^{e^{-1}\cdot e}=m^1=m$
    
* RSA is malleable. We can use this to create a blinded version of RSA where the signer does not know $m$:
    1. The holder generates a random value $r$ coprime to $n$ and computes $m' =m \cdot r^{e}$
    2. The signer signs $s' = (m')^{d} = (m \cdot r^{e})^d = m^d \cdot r^{ed}=m^d \cdot r$
    3. The holder removes $r$ to reveal a valid RSA signature over $m$ as follows: $s = s' \cdot r^{-1} = m^d \cdot r \cdot r^{-1}=m^d$
    
The blinded RSA gives a way for us to stop issuers from being able to track the holder usign a valid signature. 

We note the following:

* The issuer would not blind sign a (Q)EAA. The issuer must trust that it contributes to a valid signature over a genuine (Q)EAA.
* The verifier still sees only $m^{d}$ which is of course a unique identifier. We need double blinding.

The first point is tricky to address and we will get back to it later. We start with the second point first.

### Double blinding
 Here we note that a user who uses a composite number $r=p_1p_2\ldots p_n$ can generate many valid RSA signatures using the blinded signature approach above. The holder does not need to remove all of $r$, only some of the prime factors. The remaining prime factors multiplied with $m^d$ is a valid RSA signature. A few examples can help to understand this concept. Using the example $r = p_1p_2p_3$ where $(p_1,p_2,p_3) \in \mathbb{P}$ we can generate the following valid RSA signatures:

1. $(mp_1 \cdot (p_2p_3)^e)^d$ is a valid RSA signature over $mp_1$ once the holder removes $(p_2p_3)$
2. $(mp_2 \cdot (p_1p_3)^e)^d$ is a valid RSA signature over $mp_2$ once the holder removes $(p_1p_3)$
3. $(mp_3 \cdot (p_1p_2)^e)^d$ is a valid RSA signature over $mp_3$ once the holder removes $(p_1p_2)$
4. $(mp_1p_2 \cdot (p_3)^e)^d$ is a valid RSA signature over $mp_1p_2$ once the holder removes $(p_3)$ and so on

With the above we have a way to decoupled the salt values from each specific attribute. Each valid RSA is blinded to the issuer and also to the verifier. For instance, one verifier sees only $mp_1$ and the other $mp_2$ and since $mp_1 \ne mp_2$, these verifiers cannot collude. Note that the holder reveals $m$, so it is important in our given example that $(p_1,p_2,p_3)$ do not act as unique identifiers, i.e., that it was not the issuer that generated them.

### Generating the prime factors for r
The issuer cannot generate the prime factors for $r$ because that would allow it to use these as a unique identifier. The verifier cannot generate the prime factors for $r$ either, because that would allow a colluding verifier and issuer to unblind the RSA signature. What we have left is the holder. However, this leaves us with a bit of a problem. Because if it is the holder that generates the prime factors of $r$ the the holder could trick the issuer to generate a signature over a fake message if a combination of $m$ and some coprimes, or any permutation of the coprimes themselves result in a meaningful message. I cannot think of a way for the issuer to prevent a malicious holder from being able to prevent a malicious holder from doing so other than forcing the holder to reveal the coprimes, which of course the holder cannot.

It is possible to solve the above problem, but it requires quite advanced cryptography. If we instead introduce a Trusted Third Party (TTP), we can simplify things a lot. This TTP would be tasked with one thing only: to generate the prime factors of $r$ and make sure that the holder cannot use these to create a valid signature over a meaningful message other than the message that the issuer wants to sign. I think it is possible to achieve this if we do the following:

1. The issuer prepares the attribute set ${a_0, a_1, \ldots, a_n}$ as shown above in executed cell 4.
2. The issuer uses a cryptographic hash function to generate a unique attribute digest for each attribute. Note that this digest is not blinded.
3. The issuer sends the list of cryptographic hash functions to a TTP
4. The TTP selects a group generator $g$ that is coprime to the prime factors $(p,q)$ using the public modulus $n$.
5. The TTP adds each attribute digest to the generator and creates an accumulator of all the attribute values, i.e., $g^{H(a_0) \cdot H(a_1) \ldots \cdot H(a_n)}\pmod n$. Note that:
    * The TTP cannot retrieve attribute values from the digests
    * The order does not matter
6. The TTP generates a number of unique prime factors of $r$.
7. The TTP blinds the accumulator $BAcc= g^{H(a_0) \cdot H(a_1) \ldots \cdot H(a_n)} \cdot (p_1 \cdot p_2 \cdot \ldots \cdot p_m \cdot Z)^e \pmod n$.
8. The TTP sends 
    * the generator and the list of the prime factors and $Z^{-1}$ to the holder
    * the blinded accumulator value to the signer
9. The signer signs the blinded accumulator value creating $s' = (g^{H(a_0) \cdot H(a_1) \ldots \cdot H(a_n)})^d \cdot (p_1 \cdot p_1 \cdot \ldots \cdot p_m \cdot Z)^{ed} \pmod n$
10. The signer sends $s'$ to the holder who now
    * can create $s = s' \cdot Z^{-1}$
    * can create a lot of unique yet valid RSA signatures with the remaining prime factors of $r$
    * can use $e$ and $r^{-1}$ to get the accumulator value 

Using the TTP, who never learns the attribute values, the issuer has signed an ability for the holder to create multiple valid RSA signatures. Next we note that the holder can reveal the attributes together with an accumulator inclusion proof.

### The holder presents a set membership proof

When the holder wishes to selectively disclose attributes, it can prepare for the disclosure of these attributes as follows:

1. Pick the attributes it wishes to disclosure. For example $a_0$.
2. Using the known generator, computes $g^{H(a_0)}$
2. Using the known generator and the known accumulator update for each of the attributes, generate a witness for accumulator inclusion for $a_0$.
    * Since the user does not know the order of $\phi(n)$ it has to generate this witness.
    * The trivial way is to compute $g^{H(a_1) \cdot H(a_2) \cdot \ldots \cdot H(a_n)} \mod n$ as a witness for the membership of $H(a_0)$ in $g^{H(a_0) \cdot H(a_1) \ldots \cdot H(a_n)} \mod n$
    * Note that the verifier can use $e$ to get the accumulator value and verify the inclusion of $a_0$ using the computed witness.

The holder now has a way to prove set inclusion of $a_0$ in the (Q)EAA that the issuer signed. The issuer cannot recognize the $BAcc$ and thus cannot collude with anyone to track the holder. The next step after the witness generation for the disclosed attribute is to generate the valid RSA signature that is unique to each verifier. The holder seeking to disclose $a_0$ would do as follows:

1. The holder picks a random permutation, say $(p_1,p_{n-2}, p_{31})$, of the prime factors of $r$, 
2. The holder computes the inverse of all the other factors and uses these to remove these factors from the blinded RSA signature.
3. The holder sends to the verifier 
    * the $a_0$ value in plaintext
    * the blinded RSA signature using the random permutation of the prime factors of $r$ selected in step 1
    * the witness for $a_0$
    * the generator $g$ 
    * the value $P = p_1 \cdot p_{n-2} \cdot p_{31}$
4. With that information, the verifier can:
    * compute the accumulator commitment $g^{a_0}$
    * verify that $a_0 \in Acc$
    * compute $P^{-1}$ to reveal a valid RSA signature for the accumulator that contains $a_0$

The two steps above results in the following and creates a valid RSA signature as follows: $g^{a_0 d} \cdot (p_1p_{n-2}p_{31})^d \mod n$

In [None]:
%%time
## THE TRUSTED THIRD PARTY PARTS

# The TTP supplies an array of random numbers where the permutations of the elements is the number of unique showings the user can do
# The issuer must trust that these numbers are random primes and that they cannot mean anything meaningful. Which is why I do bit len 257, which cannot be a valid SHA256 digest.
b = [number.getRandomNBitInteger(256) for i in range(10)] # if the issuer uses strong primes, then the dlog problem is hard.
g = number.getPrime(256)
acc = pow(g, np.sum(b),n)
acc_inputs = [pow(g,i,n) for i in b]

In [None]:
# tmp = 1 
# for i in acc_inputs:
#     tmp = tmp * i % n
# tmp == acc

In [None]:
## HOLDER
# The holder gets b from TTP and the accumulator

# We need to be able to disclose each attribute seperately

# We add the hash digest of each value to the accumulator

attribute_digests = [SHA256_func(json.dumps(i)) for i in json_list]
acc_inputs + [pow(g,i,n) for i in [int(a, base=16) for a in attribute_digests]]