implement type-3 pairing (#58)

anoncreds/protocol/repo/public_repo.py

@@ -2,7 +2,7 @@
 from typing import Dict, Any
 
 from anoncreds.protocol.types import ID, PublicKey, RevocationPublicKey, \
-    Schema, TailsType, Accumulator, \
+    Schema, Tails, Accumulator, \
     AccumulatorPublicKey, TimestampType, SchemaKey
 
 
@@ -35,7 +35,7 @@ async def getAccumulator(self, schemaId: ID) -> Accumulator:
         raise NotImplementedError
 
     @abstractmethod
-    async def getTails(self, schemaId: ID) -> TailsType:
+    async def getTails(self, schemaId: ID) -> Tails:
         raise NotImplementedError
 
     # SUBMIT
@@ -57,7 +57,7 @@ async def submitPublicKeys(self,
     @abstractmethod
     async def submitAccumulator(self, schemaId: ID,
                                 accumPK: AccumulatorPublicKey,
-                                accum: Accumulator, tails: TailsType) -> \
+                                accum: Accumulator, tails: Tails) -> \
             AccumulatorPublicKey:
         raise NotImplementedError
 
@@ -112,7 +112,7 @@ async def getPublicKeyAccumulator(self,
     async def getAccumulator(self, schemaId: ID) -> Accumulator:
         return await self._getValueForId(self._accums, schemaId)
 
-    async def getTails(self, schemaId: ID) -> TailsType:
+    async def getTails(self, schemaId: ID) -> Tails:
         return await self._getValueForId(self._tails, schemaId)
 
     # SUBMIT
@@ -145,7 +145,7 @@ async def submitPublicKeys(self,
     async def submitAccumulator(self, schemaId: ID,
                                 accumPK: AccumulatorPublicKey,
                                 accum: Accumulator,
-                                tails: TailsType) -> AccumulatorPublicKey:
+                                tails: Tails) -> AccumulatorPublicKey:
         accumPK = accumPK._replace(seqId=self._acumPkId)
         self._acumPkId += 1
         await self._cacheValueForId(self._accums, schemaId, accum)

anoncreds/protocol/revocation/accumulators/non_revocation_claim_issuer.py

@@ -1,9 +1,9 @@
 from anoncreds.protocol.globals import PAIRING_GROUP
 from anoncreds.protocol.types import NonRevocationClaim, RevocationPublicKey, \
     RevocationSecretKey, \
-    Accumulator, TailsType, AccumulatorPublicKey, AccumulatorSecretKey, Witness, \
-    ID, TimestampType
-from anoncreds.protocol.utils import currentTimestampMillisec, groupIdentityG1
+    Accumulator, AccumulatorPublicKey, AccumulatorSecretKey, Witness, \
+    ID, TimestampType, Tails
+from anoncreds.protocol.utils import currentTimestampMillisec, groupIdentityG1, groupIdentityG2
 from anoncreds.protocol.wallet.issuer_wallet import IssuerWallet
 from config.config import cmod
 
@@ -17,54 +17,59 @@ async def genRevocationKeys(self) -> (
         group = cmod.PairingGroup(
             PAIRING_GROUP)  # super singular curve, 1024 bits
 
+        g = group.random(cmod.G1)
+        gprime = group.random(cmod.G2)
+
         h = group.random(cmod.G1)  # random element of the group G
         h0 = group.random(cmod.G1)
         h1 = group.random(cmod.G1)
         h2 = group.random(cmod.G1)
-        g = group.random(cmod.G1)
         htilde = group.random(cmod.G1)
-        u = group.random(cmod.G1)
+
+        u = group.random(cmod.G2)
+        hhat = group.random(cmod.G2)
 
         qr = group.order()  # order q_R of the group
 
         x = group.random(cmod.ZR)  # random(qr)
         sk = group.random(cmod.ZR)  # random(qr)
 
         pk = g ** sk
-        y = h ** x
+        y = hhat ** x
 
-        return (RevocationPublicKey(qr, g, h, h0, h1, h2, htilde, u, pk, y, x),
+        return (RevocationPublicKey(qr, g, gprime, h, h0, h1, h2, htilde, hhat, u, pk, y),
                 RevocationSecretKey(x, sk))
 
     async def issueAccumulator(self, schemaId, iA, L) \
-            -> (
-                    Accumulator, TailsType, AccumulatorPublicKey,
+            -> (Accumulator, Tails, AccumulatorPublicKey,
                     AccumulatorSecretKey):
         pkR = await self._wallet.getPublicKeyRevocation(schemaId)
         group = cmod.PairingGroup(PAIRING_GROUP)
         gamma = group.random(cmod.ZR)
 
-        g = {}
+        tails = Tails()
         gCount = 2 * L
         for i in range(gCount):
             if i != L + 1:
-                g[i] = pkR.g ** (gamma ** i)
-        z = cmod.pair(pkR.g, pkR.g) ** (gamma ** (L + 1))
+                gVal = pkR.g ** (gamma ** i)
+                gPrimeVal = pkR.gprime ** (gamma ** i)
+                tails.addValue(i, gVal, gPrimeVal)
+        z = cmod.pair(pkR.g, pkR.gprime) ** (gamma ** (L + 1))
 
         acc = 1
         V = set()
 
         accPK = AccumulatorPublicKey(z)
         accSK = AccumulatorSecretKey(gamma)
         accum = Accumulator(iA, acc, V, L)
-        return accum, g, accPK, accSK
+        return accum, tails, accPK, accSK
 
     async def issueNonRevocationClaim(self, schemaId: ID, Ur, iA, i) -> (
             NonRevocationClaim, Accumulator, TimestampType):
         accum = await self._wallet.getAccumulator(schemaId)
         pkR = await self._wallet.getPublicKeyRevocation(schemaId)
         skR = await self._wallet.getSecretKeyRevocation(schemaId)
-        g = await self._wallet.getTails(schemaId)
+        tails = await self._wallet.getTails(schemaId)
         skAccum = await self._wallet.getSecretKeyAccumulator(schemaId)
         m2 = await self._wallet.getContextAttr(schemaId)
 
@@ -81,23 +86,23 @@ async def issueNonRevocationClaim(self, schemaId: ID, Ur, iA, i) -> (
         c = group.random(cmod.ZR)
 
         m2 = group.init(cmod.ZR, int(m2))
-        sigma = (pkR.h0 * (pkR.h1 ** m2) * Ur * g[i] * (
+        sigma = (pkR.h0 * (pkR.h1 ** m2) * Ur * tails.g[i] * (
             pkR.h2 ** vrPrimeprime)) ** (1 / (skR.x + c))
-        omega = groupIdentityG1()
+        omega = groupIdentityG2()
         for j in accum.V:
-            omega *= g[accum.L + 1 - j + i]
+            omega *= tails.gprime[accum.L + 1 - j + i]
 
-        sigmai = pkR.g ** (1 / (skR.sk + (skAccum.gamma ** i)))
+        sigmai = pkR.gprime ** (1 / (skR.sk + (skAccum.gamma ** i)))
         ui = pkR.u ** (skAccum.gamma ** i)
 
-        accum.acc *= g[accum.L + 1 - i]
+        accum.acc *= tails.gprime[accum.L + 1 - i]
         accum.V.add(i)
 
-        witness = Witness(sigmai, ui, g[i], omega, accum.V.copy())
+        witness = Witness(sigmai, ui, tails.g[i], omega, accum.V.copy())
 
         ts = currentTimestampMillisec()
         return (
-            NonRevocationClaim(accum.iA, sigma, c, vrPrimeprime, witness, g[i],
+            NonRevocationClaim(accum.iA, sigma, c, vrPrimeprime, witness,
                                i,
                                m2), accum, ts)
 
@@ -106,7 +111,7 @@ async def revoke(self, schemaId: ID, i) -> (Accumulator, TimestampType):
         tails = await self._wallet.getTails(schemaId)
 
         accum.V.discard(i)
-        accum.acc /= tails[accum.L + 1 - i]
+        accum.acc /= tails.gprime[accum.L + 1 - i]
 
         ts = currentTimestampMillisec()
 

anoncreds/protocol/revocation/accumulators/non_revocation_common.py

@@ -11,22 +11,22 @@ def createTauListValues(pk: RevocationPublicKey, accum: Accumulator,
     T1 = (pk.h ** params.rho) * (pk.htilde ** params.o)
     T2 = (proofC.E ** params.c) * (pk.h ** (-params.m)) * (
         pk.htilde ** (-params.t))
-    T3 = ((cmod.pair(proofC.A, pk.h) ** params.c) *
-          (cmod.pair(pk.htilde, pk.h) ** params.r)) / \
+    T3 = ((cmod.pair(proofC.A, pk.hhat) ** params.c) *
+          (cmod.pair(pk.htilde, pk.hhat) ** params.r)) / \
          ((cmod.pair(pk.htilde, pk.y) ** params.rho) *
-          (cmod.pair(pk.htilde, pk.h) ** params.m) *
-          (cmod.pair(pk.h1, pk.h) ** params.m2) *
-          (cmod.pair(pk.h2, pk.h) ** params.s))
+          (cmod.pair(pk.htilde, pk.hhat) ** params.m) *
+          (cmod.pair(pk.h1, pk.hhat) ** params.m2) *
+          (cmod.pair(pk.h2, pk.hhat) ** params.s))
     T4 = (cmod.pair(pk.htilde, accum.acc) ** params.r) * \
-         (cmod.pair(1 / pk.g, pk.htilde) ** params.rPrime)
+         (cmod.pair(1 / pk.g, pk.hhat) ** params.rPrime)
     T5 = (pk.g ** params.r) * (pk.htilde ** params.oPrime)
     T6 = (proofC.D ** params.rPrimePrime) * (pk.g ** -params.mPrime) * (
         pk.htilde ** -params.tPrime)
-    T7 = (cmod.pair(pk.pk * proofC.G, pk.htilde) ** params.rPrimePrime) * \
-         (cmod.pair(pk.htilde, pk.htilde) ** -params.mPrime) * \
+    T7 = (cmod.pair(pk.pk * proofC.G, pk.hhat) ** params.rPrimePrime) * \
+         (cmod.pair(pk.htilde, pk.hhat) ** -params.mPrime) * \
          (cmod.pair(pk.htilde, proofC.S) ** params.r)
     T8 = (cmod.pair(pk.htilde, pk.u) ** params.r) * \
-         (cmod.pair(1 / pk.g, pk.htilde) ** params.rPrimePrimePrime)
+         (cmod.pair(1 / pk.g, pk.hhat) ** params.rPrimePrimePrime)
     return NonRevocProofTauList(T1, T2, T3, T4, T5, T6, T7, T8)
 
 
@@ -35,11 +35,11 @@ def createTauListExpectedValues(pk: RevocationPublicKey, accum: Accumulator,
                                 proofC: NonRevocProofCList) -> NonRevocProofTauList:
     T1 = proofC.E
     T2 = groupIdentityG1()
-    T3 = cmod.pair(pk.h0 * proofC.G, pk.h) / cmod.pair(proofC.A, pk.y)
+    T3 = cmod.pair(pk.h0 * proofC.G, pk.hhat) / cmod.pair(proofC.A, pk.y)
     T4 = cmod.pair(proofC.G, accum.acc) / (
         cmod.pair(pk.g, proofC.W) * accumPk.z)
     T5 = proofC.D
     T6 = groupIdentityG1()
-    T7 = cmod.pair(pk.pk * proofC.G, proofC.S) / cmod.pair(pk.g, pk.g)
+    T7 = cmod.pair(pk.pk * proofC.G, proofC.S) / cmod.pair(pk.g, pk.gprime)
     T8 = cmod.pair(proofC.G, pk.u) / cmod.pair(pk.g, proofC.U)
     return NonRevocProofTauList(T1, T2, T3, T4, T5, T6, T7, T8)

anoncreds/protocol/revocation/accumulators/non_revocation_proof_builder.py

@@ -40,19 +40,19 @@ async def _testWitnessCredential(self, schemaid: ID,
         accPk = await self._wallet.getPublicKeyAccumulator(schemaid)
         m2 = int(await self._wallet.getContextAttr(schemaid))
 
-        zCalc = cmod.pair(claim.gi, acc.acc) / cmod.pair(pkR.g,
+        zCalc = cmod.pair(claim.witness.gi, acc.acc) / cmod.pair(pkR.g,
                                                          claim.witness.omega)
         if zCalc != accPk.z:
             raise ValueError("issuer is sending incorrect data")
 
-        pairGGCalc = cmod.pair(pkR.pk * claim.gi, claim.witness.sigmai)
-        pairGG = cmod.pair(pkR.g, pkR.g)
+        pairGGCalc = cmod.pair(pkR.pk * claim.witness.gi, claim.witness.sigmai)
+        pairGG = cmod.pair(pkR.g, pkR.gprime)
         if pairGGCalc != pairGG:
             raise ValueError("issuer is sending incorrect data")
 
-        pairH1 = cmod.pair(claim.sigma, pkR.y * (pkR.h ** claim.c))
+        pairH1 = cmod.pair(claim.sigma, pkR.y * (pkR.hhat ** claim.c))
         pairH2 = cmod.pair(
-            pkR.h0 * (pkR.h1 ** m2) * (pkR.h2 ** claim.v) * claim.gi, pkR.h)
+            pkR.h0 * (pkR.h1 ** m2) * (pkR.h2 ** claim.v) * claim.witness.gi, pkR.hhat)
         if pairH1 != pairH2:
             raise ValueError("issuer is sending incorrect data")
 
@@ -87,11 +87,11 @@ async def updateNonRevocationClaim(self, schemaId,
             vNewMinusOld = newV - oldV
             omegaDenom = 1
             for j in vOldMinusNew:
-                omegaDenom *= tails[newAccum.L + 1 - j + c2.i]
+                omegaDenom *= tails.gprime[newAccum.L + 1 - j + c2.i]
             omegaNum = 1
             newOmega = c2.witness.omega
             for j in vNewMinusOld:
-                omegaNum *= tails[newAccum.L + 1 - j + c2.i]
+                omegaNum *= tails.gprime[newAccum.L + 1 - j + c2.i]
                 newOmega *= omegaNum / omegaDenom
 
             newWitness = c2.witness._replace(V=newV, omega=newOmega)
@@ -168,10 +168,10 @@ def _createCListValues(self, schemaId, c2: NonRevocationClaim,
         E = (pkR.h ** params.rho) * (pkR.htilde ** params.o)
         D = (pkR.g ** params.r) * (pkR.htilde ** params.oPrime)
         A = c2.sigma * (pkR.htilde ** params.rho)
-        G = c2.gi * (pkR.htilde ** params.r)
-        W = c2.witness.omega * (pkR.htilde ** params.rPrime)
-        S = c2.witness.sigmai * (pkR.htilde ** params.rPrimePrime)
-        U = c2.witness.ui * (pkR.htilde ** params.rPrimePrimePrime)
+        G = c2.witness.gi * (pkR.htilde ** params.r)
+        W = c2.witness.omega * (pkR.hhat ** params.rPrime)
+        S = c2.witness.sigmai * (pkR.hhat ** params.rPrimePrime)
+        U = c2.witness.ui * (pkR.hhat ** params.rPrimePrimePrime)
         return NonRevocProofCList(E, D, A, G, W, S, U)
 
     def _genTauListParams(self, schemaId) -> NonRevocProofXList:

anoncreds/protocol/types.py

@@ -122,9 +122,18 @@ def __eq__(x, y):
 
 T = TypeVar('T')
 VType = Set[int]
-TailsType = Dict[int, cmod.integer]
 TimestampType = int
 
+class Tails:
+
+    def __init__(self):
+        self.g = {}
+        self.gprime = {}
+
+    def addValue(self, index, gVal, gprimeVal):
+        self.g[index] = gVal
+        self.gprime[index] = gprimeVal
+
 
 class NamedTupleStrSerializer:
     def toStrDict(self):
@@ -228,11 +237,11 @@ class SecretKey(namedtuple('SecretKey', 'pPrime, qPrime'),
 
 
 class RevocationPublicKey(namedtuple('RevocationPublicKey',
-                                     'qr, g, h, h0, h1, h2, htilde, u, pk, y, x, seqId'),
+                                     'qr, g, gprime, h, h0, h1, h2, htilde, hhat, u, pk, y, seqId'),
                           NamedTupleStrSerializer):
-    def __new__(cls, qr, g, h, h0, h1, h2, htilde, u, pk, y, x, seqId=None):
-        return super(RevocationPublicKey, cls).__new__(cls, qr, g, h, h0, h1,
-                                                       h2, htilde, u, pk, y, x,
+    def __new__(cls, qr, g, gprime, h, h0, h1, h2, htilde, hhat, u, pk, y, seqId=None):
+        return super(RevocationPublicKey, cls).__new__(cls, qr, g, gprime, h, h0, h1,
+                                                       h2, htilde, hhat, u, pk, y,
                                                        seqId)
 
 
@@ -369,7 +378,7 @@ class Witness(namedtuple('Witness', 'sigmai, ui, gi, omega, V'),
 
 
 class NonRevocationClaim(
-    namedtuple('NonRevocationClaim', 'iA, sigma, c, v, witness, gi, i, m2'),
+    namedtuple('NonRevocationClaim', 'iA, sigma, c, v, witness,i, m2'),
     NamedTupleStrSerializer):
     @classmethod
     def fromStrDict(cls, d):

anoncreds/protocol/utils.py

@@ -159,6 +159,8 @@ def int_to_ZR(intHash, group):
 def groupIdentityG1():
     return cmod.PairingGroup(PAIRING_GROUP).init(cmod.G1, 0)
 
+def groupIdentityG2():
+    return cmod.PairingGroup(PAIRING_GROUP).init(cmod.G2, 0)
 
 def get_values_of_dicts(*args):
     l = list()

anoncreds/protocol/wallet/issuer_wallet.py

@@ -2,7 +2,7 @@
 
 from anoncreds.protocol.repo.public_repo import PublicRepo
 from anoncreds.protocol.types import Schema, PublicKey, SecretKey, ID, \
-    RevocationPublicKey, AccumulatorPublicKey, Accumulator, TailsType, \
+    RevocationPublicKey, AccumulatorPublicKey, Accumulator, Tails, \
     RevocationSecretKey, AccumulatorSecretKey, \
     TimestampType
 from anoncreds.protocol.wallet.wallet import Wallet, WalletInMemory
@@ -33,7 +33,7 @@ async def submitSecretKeys(self, schemaId: ID, sk: SecretKey,
     @abstractmethod
     async def submitAccumPublic(self, schemaId: ID,
                                 accumPK: AccumulatorPublicKey,
-                                accum: Accumulator, tails: TailsType):
+                                accum: Accumulator, tails: Tails):
         raise NotImplementedError
 
     @abstractmethod
@@ -109,7 +109,7 @@ async def submitSecretKeys(self, schemaId: ID, sk: SecretKey,
     async def submitAccumPublic(self, schemaId: ID,
                                 accumPK: AccumulatorPublicKey,
                                 accum: Accumulator,
-                                tails: TailsType) -> AccumulatorPublicKey:
+                                tails: Tails) -> AccumulatorPublicKey:
         accumPK = await self._repo.submitAccumulator(schemaId, accumPK, accum,
                                                      tails)
         await self._cacheValueForId(self._accums, schemaId, accum)

anoncreds/protocol/wallet/wallet.py

@@ -4,7 +4,7 @@
 from anoncreds.protocol.repo.public_repo import PublicRepo
 from anoncreds.protocol.types import Schema, SchemaKey, \
     PublicKey, ID, \
-    RevocationPublicKey, AccumulatorPublicKey, Accumulator, TailsType
+    RevocationPublicKey, AccumulatorPublicKey, Accumulator, Tails
 
 
 class Wallet:
@@ -54,7 +54,7 @@ async def shouldUpdateAccumulator(self, schemaId: ID, ts=None,
         raise NotImplementedError
 
     @abstractmethod
-    async def getTails(self, schemaId: ID) -> TailsType:
+    async def getTails(self, schemaId: ID) -> Tails:
         raise NotImplementedError
 
 
@@ -111,7 +111,7 @@ async def getAccumulator(self, schemaId: ID) -> Accumulator:
         return await self._getValueForId(self._accums, schemaId,
                                          self._repo.getAccumulator)
 
-    async def getTails(self, schemaId: ID) -> TailsType:
+    async def getTails(self, schemaId: ID) -> Tails:
         return await self._getValueForId(self._tails, schemaId,
                                          self._repo.getTails)
 

anoncreds/test/test_non_revocation.py

@@ -16,7 +16,7 @@ async def testIssueRevocationCredential(claimsProver1Gvt, issuerGvt,
     assert nonRevocClaimGvtProver1.witness
     assert nonRevocClaimGvtProver1.witness.V
     assert nonRevocClaimGvtProver1.i == 1
-    assert nonRevocClaimGvtProver1.witness.gi == tails[1]
+    assert nonRevocClaimGvtProver1.witness.gi == tails.g[1]
 
     assert acc.V
     assert acc.acc != 1

config/config-crypto-example1.py

@@ -11,4 +11,4 @@
 from charm.toolbox.conversion import Conversion
 
 # noinspection PyUnresolvedReferences
-from charm.toolbox.pairinggroup import PairingGroup, ZR, G1, pair, pc_element
+from charm.toolbox.pairinggroup import PairingGroup, ZR, G1, G2, pair, pc_element