microsoft
diff --git a/‎.github/workflows/CI.yml
Lines changed: 25 additions & 0 deletions b/‎.github/workflows/CI.yml
Lines changed: 25 additions & 0 deletions
diff --git a/‎.gitignore
Lines changed: 2 additions & 0 deletions b/‎.gitignore
Lines changed: 2 additions & 0 deletions
diff --git a/‎NOTICE.md
Lines changed: 103 additions & 0 deletions b/‎NOTICE.md
Lines changed: 103 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 14 additions & 17 deletions b/‎README.md
Lines changed: 14 additions & 17 deletions
diff --git a/‎circuit_setup/README.md
Lines changed: 17 additions & 1 deletion b/‎circuit_setup/README.md
Lines changed: 17 additions & 1 deletion
diff --git a/‎circuit_setup/inputs/rs256-db/claims.json
Lines changed: 36 additions & 0 deletions b/‎circuit_setup/inputs/rs256-db/claims.json
Lines changed: 36 additions & 0 deletions
diff --git a/‎circuit_setup/inputs/rs256-db/config.json
Lines changed: 45 additions & 0 deletions b/‎circuit_setup/inputs/rs256-db/config.json
Lines changed: 45 additions & 0 deletions
diff --git a/‎circuit_setup/inputs/rs256-db/proof_spec.json
Lines changed: 5 additions & 0 deletions b/‎circuit_setup/inputs/rs256-db/proof_spec.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎circuit_setup/scripts/crescent_helper.py
Lines changed: 27 additions & 4 deletions b/‎circuit_setup/scripts/crescent_helper.py
Lines changed: 27 additions & 4 deletions
@@ -58,6 +58,10 @@ jobs:
           cd circuit_setup/scripts
           ./run_setup.sh rs256-sd
 
+      - name: Run circuit setup for rs256-db
+        run: |
+          cd circuit_setup/scripts
+          ./run_setup.sh rs256-db
 
       - name: Run circuit setup for mDL
         run: |
@@ -116,6 +120,27 @@ jobs:
           cd creds
           cargo run --bin crescent --release --features print-trace verify --name rs256-sd
 
+# RS256-db Commands
+      - name: Run ZKSetup for rs256-db
+        run: |
+          cd creds
+          cargo run --bin crescent --release --features print-trace zksetup --name rs256-db
+
+      - name: Run Prove for rs256-db
+        run: |
+          cd creds
+          cargo run --bin crescent --release --features print-trace prove --name rs256-db
+
+      - name: Run Show for rs256-db
+        run: |
+          cd creds
+          cargo run --bin crescent --release --features print-trace show --name rs256-db
+
+      - name: Run Verify for rs256-db
+        run: |
+          cd creds
+          cargo run --bin crescent --release --features print-trace verify --name rs256-db
+
 # mDL Commands
       - name: Run ZKSetup for mDL
         run: |
 
@@ -19,6 +19,8 @@ sample/verifier/data
 circuit_setup/inputs/*/issuer.prv
 circuit_setup/inputs/*/issuer.pub
 circuit_setup/inputs/*/token.jwt
+circuit_setup/inputs/*/device.prv
+circuit_setup/inputs/*/device.pub
 
 setup/generated_files/
 circuit_setup/circuits-mdl/circomlib
@@ -1765,3 +1765,106 @@ SOFTWARE.
 ### Additional Attribution
 None  
 
+---
+
+### Component
+circ_fields
+https://github.com/circify/circ/tree/master/circ_fields
+Note: forked to support the T-256 curve 
+Path: forks/Spartan-t256/
+
+### Open Source License/Copyright Notice
+MIT 
+https://github.com/circify/circ/blob/master/LICENSE-MIT
+
+### Additional Attribution
+Fork created by the authors of the paper:
+Efficient Proofs of Possession for Legacy Signatures. 
+Anna Pui Yung Woo, University of Michigan  
+Alex Ozdemir, Stanford University  
+Chad Sharp, University of Michigan  
+Thomas Pornin, NCC Group  
+Paul Grubbs, University of Michigan
+Published at IEEE S&P 2025
+
+---
+
+
+### Component
+ff-derive-num
+https://github.com/kwantam/ff-derive-num/pull/1
+Note: Fork that includes PR#1 
+Path: forks/Spartan-t256/circ_fields/  
+
+### Open Source License/Copyright Notice
+MIT
+https://github.com/kwantam/ff-derive-num/blob/main/LICENSE-mit
+
+### Additional Attribution
+Riad S. Wahby
+
+---
+
+### Component
+Spartan, Spartan2
+https://github.com/microsoft/Spartan
+https://github.com/microsoft/Spartan2
+Path: forks/Spartan-t256
+Note: Forked to support curve T-256 and include support for bellpepper circuits
+
+### Open Source License/Copyright Notice
+MIT 
+https://github.com/microsoft/Spartan/blob/master/LICENSE
+https://github.com/microsoft/Spartan2/blob/master/LICENSE
+
+### Additional Attributions
+Sritnath Setty
+Github contributors
+
+---
+
+### Component
+Nova
+https://github.com/microsoft/Nova/blob/main/src/provider/poseidon.rs
+https://github.com/microsoft/Nova/blob/b7f5be7bb5d8cc4a93d1363347359743fa30d161/src/gadgets/ecc.rs#L1
+Path: creds/src/device_binding/ecdsa-pop/
+Note: Poseidon wrapper and ECC gadgets 
+
+### Open Source License/Copyright Notice
+MIT
+https://github.com/microsoft/Nova/blob/main/LICENSE
+
+### Additional Attributions
+Sritnath Setty
+Github contributors
+
+---
+
+### Component
+bellpepper-gadgets/emulated
+https://github.com/lurk-lab/bellpepper-gadgets/tree/main/crates/emulated
+Path: creds/src/device_binding/ecdsa-pop/
+Note: Non-native arithmetic gadgets
+
+### Open Source License/Copyright Notice
+MIT 
+https://github.com/lurk-lab/bellpepper-gadgets/blob/main/LICENSE-MIT
+
+### Additional Attributions
+François Garillot (huitseeker)
+
+---
+
+### Component
+Neptune
+https://github.com/lurk-lab/neptune
+Path: creds/src/device_binding/ecdsa-pop/
+Note: forked to support older version of bellpepper-core 
+
+### Open Source License/Copyright Notice
+MIT 
+https://github.com/lurk-lab/neptune/blob/main/LICENSE-MIT
+
+### Additional Attributions
+None
+
@@ -33,23 +33,6 @@ cd creds
 cargo test --release
 ```
 
-### Enabling symlinks with git on Windows
-
-This project uses symlinks to share directories within the project. On Windows, symlinks require administrator privileges. Git can be configured to create project symlinks when cloning the repository.
-To enable symlinks with git, run the following command:
-
-```bash
-git config --global core.symlinks true
-```
-
-If you have already cloned the repository, you can delete and re-clone the repository for the symlinks to be created or manually create the link by running the following CMD command in the project root directory:
-
-```cmd
-mklink /J circuit_setup\circuits-mdl\circomlib circuit_setup\circuits\circomlib
-```
-
-Verify `circuit_setup\circuits-mdl\circomlib` is now a directory.
-
 ## Running the demo steps from the command line
 
 There is a command line tool that can be used to run the individual parts of the demo separately.  This clearly separates the roles of prover and verifier, and shows what parameters are required by each.  The filesystem is used to store data between steps, and also to "communicate" show proofs from prover to verifier.
@@ -99,6 +82,20 @@ The `reveal_digest` option is used for values that may be larger than 31 bytes;
 
 As example ways to experiment with selective disclosure, try removing `aud` from the list of revealed attributes, or adding `given_name` to the list of revealed attributes in the proof specification file. 
 
+### Device-Bound Credentials
+The example `rs256-db` demonstrates a JWT credential that is *device bound*.  This means that the JWT encodes the public key of an ECDSA signing key, where the private key is stored by a device (such as a hardware security module), and the device exposes only a signing API. 
+When the credential is used, the verifier expects the holder to demonstrate possession of the device key, by signing a challenge.  During circuit setup, the file `circuit_setup/inputs/rs256-db/config.json` has the line `"device_bound": true`, which indicates the sample credential should be generated with a device key.  In the demo, a fresh ECDSA key pair is generated in software, no special hardware is required.
+
+For show proofs, The file `creds/test-vectors/rs256-db/proof_spec.json` contains 
+```
+{
+    "revealed" : ["family_name", "tenant_ctry", "auth_time", "aud"],
+    "device_bound" : true, 
+    "presentation_message" : [1, 2, 3, 4]
+}
+```
+which specifies a subset of attributes to disclose, as in the `rs256-sd` example.  The `device-bound` flag is also set here, and the `presentation_message` is a byte string that that encodes a challenge from the verifier. The `presentation_message` is sent to the device, then the show proof creates a proof of knowledge of the device signature (unlinkably). 
+
 ## Contributing
 
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a
 
@@ -68,7 +68,6 @@ cd pyMDL-MDOC
 sed -i "s|i.replace(f'{_pkg_name}/', '')|i.replace(f'{_pkg_name}\\\\\\\\', '')|g" setup.py
 pip install .
 ```
-
 ## Sample JWT and mDL
 
 To work with Crescent, the prover and verifier both need the issuer's public key, and the prover needs a JWT.
@@ -99,6 +98,23 @@ Overall this is slow, but only needs to be run once for a given token issuer and
 
 Once this script completes, all files required for showing and verifying proofs will have copied to `creds/test-vectors/rs256`.
 
+## Enabling symlinks with git on Windows
+
+This project uses symlinks to share directories within the project. On Windows, symlinks require administrator privileges. Git can be configured to create project symlinks when cloning the repository.
+To enable symlinks with git, run the following command:
+
+```bash
+git config --global core.symlinks true
+```
+
+If you have already cloned the repository, you can delete and re-clone the repository for the symlinks to be created or manually create the link by running the following CMD command in the project root directory:
+
+```cmd
+mklink /J circuit_setup\circuits-mdl\circomlib circuit_setup\circuits\circomlib
+```
+
+Verify `circuit_setup\circuits-mdl\circomlib` is now a directory.
+
 # Troubleshooting
 
 For some large circuits, Circom may use a large amount of RAM and be killed.
 
@@ -0,0 +1,36 @@
+{
+  "acct": 0,
+  "aud": "12345678-1234-abcd-1234-abcdef124567",
+  "auth_time": 1725917899,
+  "email": "matthew@example.com",
+  "exp": 1759517346,
+  "family_name": "Matthew",
+  "given_name": "Matthewson",
+  "iat": 1728067746,
+  "ipaddr": "203.0.113.0",
+  "iss": "https://login.microsoftonline.com/12345678-1234-abcd-1234-abcdef124567/v2.0",
+  "jti": "AUJNzY3Cwon7pL_3k0-fdw",
+  "login_hint": "O.aaaaabbbbbbbbbcccccccdddddddeeeeeeeffffffgggggggghhhhhhiiiiiiijjjjjjjkkkkkkklllllllmmmmmmnnnnnnnnnnooooooopppppppqqqqrrrrrrsssssdddd",
+  "name": "Matthew Matthewson",
+  "nbf": 1728067746,
+  "oid": "12345678-1234-abcd-1234-abcdef124567",
+  "onprem_sid": "S-1-2-34-5678901234-1234567890-1234567890-1234567",
+  "preferred_username": "matthew@example.com",
+  "rh": "0.aaaaabbbbbccccddddeeeffff12345gggg12345_124_aaaaaaa.",
+  "sid": "12345678-1234-abcd-1234-abcdef124567",
+  "sub": "aaabbbbccccddddeeeeffffgggghhhh123456789012",
+  "tenant_ctry": "US",
+  "tenant_region_scope": "WW",
+  "tid": "12345678-1234-abcd-1234-abcdef124567",
+  "upn": "matthew@example.com",
+  "uti": "AAABBBBccccdddd1234567",
+  "ver": "2.0",
+  "verified_primary_email": [
+    "matthew@example.com"
+  ],
+  "verified_secondary_email": [
+    "matthew@service.example.com"
+  ],
+  "xms_pdl": "NAM",
+  "xms_tpl": "en"
+}
@@ -0,0 +1,45 @@
+{
+    "alg": "RS256",
+    "device_bound": true,
+    "exp": {
+        "type" : "number",
+        "reveal" : true,
+        "max_claim_byte_len" : 31
+    },
+    "email": {
+        "type" : "string",
+        "reveal" : true,
+        "max_claim_byte_len" : 31
+    },
+    "family_name": {
+        "type" : "string",
+        "reveal" : true,
+        "max_claim_byte_len" : 31
+    },
+    "given_name": {
+        "type" : "string",
+        "reveal" : true,
+        "max_claim_byte_len" : 31
+    },
+    "tenant_ctry": {
+        "type" : "string",
+        "reveal" : true,
+        "max_claim_byte_len" : 31
+    },    
+    "tenant_region_scope": {
+        "type" : "string",
+        "reveal" : true,
+        "max_claim_byte_len" : 31
+    }, 
+    "aud": {
+        "type" : "string",
+        "reveal_digest" : true,
+        "max_claim_byte_len" : 62
+    },
+    "auth_time": {
+        "type" : "number",
+        "reveal_digest" : true,
+        "max_claim_byte_len" : 31
+    }
+
+}
@@ -0,0 +1,5 @@
+{
+    "revealed" : ["family_name", "tenant_ctry", "auth_time", "aud"],
+    "device_bound" : true, 
+    "presentation_message" : [1, 2, 3, 4]
+}
@@ -10,11 +10,12 @@
 import json, math, string
 
 ##### Constants ######
-MAX_FIELD_BYTE_LEN = 31        # Maximum length of a field element
+MAX_FIELD_BYTE_LEN = 31        # Maximum length of a field element (for BN254)
+MAX_FIELD_BASE10_LEN = 77
 CIRCOM_RS256_LIMB_BITS = 121
 CIRCOM_ES256K_LIMB_BITS = 64 
 CIRCOM_ES256_LIMB_BITS = 43     # Required by the ecdsa-p256 circuit we use
-CRESCENT_CONFIG_KEYS = ['alg', 'credtype', 'reveal_all_claims', 'defer_sig_ver', 'max_cred_len']     # fields in config.json that are for crescent configuration and do not refer to claims in the token
+CRESCENT_CONFIG_KEYS = ['alg', 'credtype', 'reveal_all_claims', 'defer_sig_ver', 'max_cred_len', 'device_bound']     # fields in config.json that are for crescent configuration and do not refer to claims in the token
 CRESCENT_SUPPORTED_ALGS = ['RS256', 'ES256', 'ES256K']     # Signature algorithms used to sign JWT/mDL
 
 
@@ -190,6 +191,9 @@ def check_config(config):
 
     if 'credtype' not in config:
         config['credtype'] = 'jwt'
+
+    if 'device_bound' not in config:
+        config['device_bound'] = False        
 
     if 'max_cred_len' not in config:
         config['max_cred_len'] = 2048  # Maximum length of JWT, excluding the
@@ -209,6 +213,20 @@ def check_config(config):
         if config['alg'] != 'ES256K':
             print_debug("Error: the 'defer_sig_ver' option is only valid with the ES256K algorithm")
             return False
+        
+    # If the token is device bound, assume it has the claims "device_key_0" and "device_key_1", and ensure
+    # they will be revealed
+    if config['device_bound']:
+        config['device_key_0'] = {
+            "type": "number",
+            "reveal": True,
+            "max_claim_byte_len": 2*MAX_FIELD_BYTE_LEN
+        }
+        config['device_key_1'] = {
+                "type": "number",
+                "reveal": True,
+                "max_claim_byte_len": 2*MAX_FIELD_BYTE_LEN
+        }        
 
 
     # For all the config entries about claims (e.g, "email", "exp", etc.) make sure that if the claim 
@@ -226,9 +244,14 @@ def check_config(config):
                 return False        
         if claim_reveal_unhashed(config[key]):
             max_claim_byte_len = config[key].get("max_claim_byte_len")
-            if max_claim_byte_len > MAX_FIELD_BYTE_LEN:
-                print_debug("Error: claim '{}' has reveal flag set but max_claim_byte_len={} exceeds MAX_FIELD_BYTE_LEN={}. To reveal larger claims use reveal_digest".format(key, max_claim_byte_len))
+            if max_claim_byte_len > MAX_FIELD_BYTE_LEN and config[key].get("type") != "number":
+                print_debug("Error: claim '{}' has reveal flag set but max_claim_byte_len={} exceeds MAX_FIELD_BYTE_LEN={}. To reveal larger claims use reveal_digest".format(key, max_claim_byte_len, MAX_FIELD_BYTE_LEN))
                 return False
+            # For number types, the number of bytes is the number of base-10 digits, which can
+            #  exceed the number bytes to represent the field (base-256 digits)            
+            if max_claim_byte_len > MAX_FIELD_BASE10_LEN and config[key].get("type") == "number":
+                print_debug("Error: claim '{}' has reveal flag set but max_claim_byte_len={} exceeds MAX_FIELD_BASE10_LEN={}. To reveal larger claims use reveal_digest".format(key, max_claim_byte_len, MAX_FIELD_BASE10_LEN))
+                return False            
 
     return True