[WIP] Type-3 pairing implementation

Cargo.toml

@@ -39,7 +39,7 @@ env_logger = "0.4.2"
 libc = "0.2.21"
 log = "0.3.7"
 openssl = { version = "0.9.11", optional = true }
-milagro-crypto = { version = "0.1.7", optional = true }
+milagro-crypto = { version = "0.1.11", optional = true }
 rand = "0.3"
 rusqlite = "0.10.1"
 rust-base58 = {version = "0.0.4", optional = true}

src/commands/anoncreds/issuer.rs

@@ -269,8 +269,9 @@ impl IssuerCommandExecutor {
 
         self.anoncreds_service.issuer.revoke(
             &revocation_registry,
-            &revocation_registry_private.tails,
-            user_revoc_index)?;
+            &revocation_registry_private.tails_dash,
+            user_revoc_index
+        )?;
 
         let revoc_reg_update_json = RevocationRegistry::to_json(&revocation_registry.borrow())
             .map_err(|err| CommonError::InvalidState(format!("Invalid revocation registry: {}", err.to_string())))?;

src/commands/anoncreds/prover.rs

@@ -29,7 +29,7 @@ use services::anoncreds::types::{
     ClaimRequestJson
 };
 use std::collections::HashMap;
-use utils::crypto::pair::PointG1;
+use utils::crypto::pair::PointG2;
 use std::cell::RefCell;
 
 pub enum ProverCommand {
@@ -448,7 +448,7 @@ impl ProverCommandExecutor {
 
         let ms: BigNumber = BigNumber::from_dec(&ms)?;
 
-        let mut tails: HashMap<i32, PointG1> = HashMap::new();
+        let mut tails: HashMap<i32, PointG2> = HashMap::new();
         if revoc_regs.len() > 0 {
             let tails_json = self.wallet_service.get(wallet_handle, &format!("tails"))?;
             tails = serde_json::from_str(&tails_json)

src/services/anoncreds/issuer.rs

@@ -37,7 +37,7 @@ use services::anoncreds::helpers::{
     transform_u32_to_array_of_u8
 };
 use utils::crypto::bn::BigNumber;
-use utils::crypto::pair::{GroupOrderElement, PointG1, Pair};
+use utils::crypto::pair::{GroupOrderElement, PointG1, PointG2, Pair};
 use std::collections::{HashMap, HashSet};
 use std::cell::RefCell;
 
@@ -115,17 +115,22 @@ impl Issuer {
         let h0 = PointG1::new()?;
         let h1 = PointG1::new()?;
         let h2 = PointG1::new()?;
-        let g = PointG1::new()?;
         let htilde = PointG1::new()?;
-        let u = PointG1::new()?;
+        let g = PointG1::new()?;
+
+        let u = PointG2::new()?;
+        let hcap = PointG2::new()?;
+
         let x = GroupOrderElement::new()?;
         let sk = GroupOrderElement::new()?;
+        let gdash = PointG2::new()?;
+
         let pk = g.mul(&sk)?;
-        let y = h.mul(&x)?;
+        let y = hcap.mul(&x)?;
 
         info!(target: "anoncreds_service", "Issuer generate revocation keys -> done");
         Ok((
-            Some(RevocationPublicKey::new(g, h, h0, h1, h2, htilde, u, pk, y, x)),
+            Some(RevocationPublicKey::new(g, gdash, h, h0, h1, h2, htilde, hcap, u, pk, y, x)),
             Some(RevocationSecretKey::new(x, sk))
         ))
     }
@@ -151,6 +156,8 @@ impl Issuer {
         info!(target: "anoncreds_service", "Issuer create accumulator for claim_def_seq_no {} -> start", claim_def_seq_no);
         let gamma = GroupOrderElement::new()?;
         let mut g: HashMap<i32, PointG1> = HashMap::new();
+        let mut g_dash: HashMap<i32, PointG2> = HashMap::new();
+
         let g_count = 2 * max_claim_num;
 
         for i in 0..g_count {
@@ -159,22 +166,23 @@ impl Issuer {
                 let mut pow = GroupOrderElement::from_bytes(&i_bytes)?;
                 pow = gamma.pow_mod(&pow)?;
                 g.insert(i, pk_r.g.mul(&pow)?);
+                g_dash.insert(i, pk_r.g_dash.mul(&pow)?);
             }
         }
 
-        let mut z = Pair::pair(&pk_r.g, &pk_r.g)?;
+        let mut z = Pair::pair(&pk_r.g, &pk_r.g_dash)?;
         let mut pow = GroupOrderElement::from_bytes(&transform_u32_to_array_of_u8((max_claim_num + 1) as u32))?;
         pow = gamma.pow_mod(&pow)?;
         z = z.pow(&pow)?;
-        let acc = PointG1::new_inf()?;
+        let acc = PointG2::new_inf()?;
         let v: HashSet<i32> = HashSet::new();
 
         let acc = Accumulator::new(acc, v, max_claim_num, 1);
         let acc_pk = AccumulatorPublicKey::new(z);
         let acc_sk = AccumulatorSecretKey::new(gamma);
 
         let revocation_registry = RevocationRegistry::new(acc, acc_pk, claim_def_seq_no);
-        let revocation_registry_private = RevocationRegistryPrivate::new(acc_sk, g);
+        let revocation_registry_private = RevocationRegistryPrivate::new(acc_sk, g, g_dash);
 
         info!(target: "anoncreds_service", "Issuer create accumulator for claim_def_seq_no {} -> done", claim_def_seq_no);
         Ok((revocation_registry, revocation_registry_private))
@@ -210,6 +218,7 @@ impl Issuer {
                 &pk_r,
                 &sk_r,
                 &revoc_reg_priv.tails,
+                &revoc_reg_priv.tails_dash,
                 &revoc_reg_priv.acc_sk,
                 &context_attribute,
                 &ur,
@@ -305,7 +314,8 @@ impl Issuer {
 
     fn _issue_non_revocation_claim(revocation_registry: &RefCell<RevocationRegistry>, pk_r: &RevocationPublicKey,
                                    sk_r: &RevocationSecretKey, g: &HashMap<i32, PointG1>,
-                                   sk_accum: &AccumulatorSecretKey, context_attribute: &BigNumber,
+                                   g_dash: &HashMap<i32, PointG2>, sk_accum: &AccumulatorSecretKey,
+                                   context_attribute: &BigNumber,
                                    ur: &PointG1, seq_number: Option<i32>) ->
                                    Result<(NonRevocationClaim, i64), CryptoError> {
         info!(target: "anoncreds_service", "Issuer issue non-revocation claim -> start");
@@ -336,15 +346,15 @@ impl Issuer {
                 .add(&pk_r.h2.mul(&vr_prime_prime)?)?
                 .mul(&sk_r.x.add_mod(&c)?.inverse()?)?;
 
-        let mut omega = PointG1::new_inf()?;
+        let mut omega = PointG2::new_inf()?;
 
         for j in &accumulator.v {
             let index = accumulator.max_claim_num + 1 - j + i;
-            omega = omega.add(g.get(&index)
+            omega = omega.add(g_dash.get(&index)
                 .ok_or(CryptoError::InvalidStructure(format!("Value by key '{}' not found in g", index)))?)?;
         }
 
-        let sigma_i = pk_r.g
+        let sigma_i = pk_r.g_dash
             .mul(&sk_r.sk
                 .add_mod(&sk_accum.gamma
                     .pow_mod(&GroupOrderElement::from_bytes(&transform_u32_to_array_of_u8(i as u32))?)?)?
@@ -354,7 +364,7 @@ impl Issuer {
                 .pow_mod(&GroupOrderElement::from_bytes(&transform_u32_to_array_of_u8(i as u32))?)?)?;
 
         let index = accumulator.max_claim_num + 1 - i;
-        accumulator.acc = accumulator.acc.add(g.get(&index)
+        accumulator.acc = accumulator.acc.add(g_dash.get(&index)
             .ok_or(CryptoError::InvalidStructure(format!("Value by key '{}' not found in g", index)))?)?;
         accumulator.v.insert(i);
 
@@ -392,13 +402,13 @@ impl Issuer {
     }
 
     pub fn revoke(&self, revocation_registry: &RefCell<RevocationRegistry>,
-                  g: &HashMap<i32, PointG1>, i: i32) -> Result<i64, CryptoError> {
+                  g_dash: &HashMap<i32, PointG2>, i: i32) -> Result<i64, CryptoError> {
         info!(target: "anoncreds_service", "Issuer revoke claim by index {} -> start", i);
 
         let ref mut accumulator = revocation_registry.borrow_mut().accumulator;
         accumulator.v.remove(&i);
         let index: i32 = accumulator.max_claim_num + 1 - i;
-        let element = g.get(&index)
+        let element = g_dash.get(&index)
             .ok_or(CryptoError::InvalidStructure(format!("Value by key '{}' not found in g", index)))?;
         accumulator.acc = accumulator.acc.sub(element)?;
         let timestamp = time::now_utc().to_timespec().sec;
@@ -413,24 +423,24 @@ impl Issuer {
         let t2 = proof_c.e.mul(&params.c)?
             .add(&pk_r.h.mul(&params.m.mod_neg()?)?)?
             .add(&pk_r.htilde.mul(&params.t.mod_neg()?)?)?;
-        let t3 = Pair::pair(&proof_c.a, &pk_r.h)?.pow(&params.c)?
-            .mul(&Pair::pair(&pk_r.htilde, &pk_r.h)?.pow(&params.r)?)?
+        let t3 = Pair::pair(&proof_c.a, &pk_r.h_cap)?.pow(&params.c)?
+            .mul(&Pair::pair(&pk_r.htilde, &pk_r.h_cap)?.pow(&params.r)?)?
             .mul(&Pair::pair(&pk_r.htilde, &pk_r.y)?.pow(&params.rho)?
-                .mul(&Pair::pair(&pk_r.htilde, &pk_r.h)?.pow(&params.m)?)?
-                .mul(&Pair::pair(&pk_r.h1, &pk_r.h)?.pow(&params.m2)?)?
-                .mul(&Pair::pair(&pk_r.h2, &pk_r.h)?.pow(&params.s)?)?)?.inverse()?;
+                .mul(&Pair::pair(&pk_r.htilde, &pk_r.h_cap)?.pow(&params.m)?)?
+                .mul(&Pair::pair(&pk_r.h1, &pk_r.h_cap)?.pow(&params.m2)?)?
+                .mul(&Pair::pair(&pk_r.h2, &pk_r.h_cap)?.pow(&params.s)?)?)?.inverse()?;
         let t4 = Pair::pair(&pk_r.htilde, &accumulator.acc)?
             .pow(&params.r)?
-            .mul(&Pair::pair(&pk_r.g.neg()?, &pk_r.htilde)?.pow(&params.r_prime)?)?;
+            .mul(&Pair::pair(&pk_r.g.neg()?, &pk_r.h_cap)?.pow(&params.r_prime)?)?;
         let t5 = pk_r.g.mul(&params.r)?.add(&pk_r.htilde.mul(&params.o_prime)?)?;
         let t6 = proof_c.d.mul(&params.r_prime_prime)?
             .add(&pk_r.g.mul(&params.m_prime.mod_neg()?)?)?
             .add(&pk_r.htilde.mul(&params.t_prime.mod_neg()?)?)?;
-        let t7 = Pair::pair(&pk_r.pk.add(&proof_c.g)?, &pk_r.htilde)?.pow(&params.r_prime_prime)?
-            .mul(&Pair::pair(&pk_r.htilde, &pk_r.htilde)?.pow(&params.m_prime.mod_neg()?)?)?
+        let t7 = Pair::pair(&pk_r.pk.add(&proof_c.g)?, &pk_r.h_cap)?.pow(&params.r_prime_prime)?
+            .mul(&Pair::pair(&pk_r.htilde, &pk_r.h_cap)?.pow(&params.m_prime.mod_neg()?)?)?
             .mul(&Pair::pair(&pk_r.htilde, &proof_c.s)?.pow(&params.r)?)?;
         let t8 = Pair::pair(&pk_r.htilde, &pk_r.u)?.pow(&params.r)?
-            .mul(&Pair::pair(&pk_r.g.neg()?, &pk_r.htilde)?.pow(&params.r_prime_prime_prime)?)?;
+            .mul(&Pair::pair(&pk_r.g.neg()?, &pk_r.h_cap)?.pow(&params.r_prime_prime_prime)?)?;
 
         Ok(NonRevocProofTauList::new(t1, t2, t3, t4, t5, t6, t7, t8))
     }
@@ -439,14 +449,14 @@ impl Issuer {
                                             accum_pk: &AccumulatorPublicKey, proof_c: &NonRevocProofCList) -> Result<NonRevocProofTauList, CryptoError> {
         let t1 = proof_c.e;
         let t2 = PointG1::new_inf()?;
-        let t3 = Pair::pair(&pk_r.h0.add(&proof_c.g)?, &pk_r.h)?
+        let t3 = Pair::pair(&pk_r.h0.add(&proof_c.g)?, &pk_r.h_cap)?
             .mul(&Pair::pair(&proof_c.a, &pk_r.y)?.inverse()?)?;
         let t4 = Pair::pair(&proof_c.g, &accumulator.acc)?
             .mul(&Pair::pair(&pk_r.g, &proof_c.w)?.mul(&accum_pk.z)?.inverse()?)?;
         let t5 = proof_c.d;
         let t6 = PointG1::new_inf()?;
         let t7 = Pair::pair(&pk_r.pk.add(&proof_c.g)?, &proof_c.s)?
-            .mul(&Pair::pair(&pk_r.g, &pk_r.g)?.inverse()?)?;
+            .mul(&Pair::pair(&pk_r.g, &pk_r.g_dash)?.inverse()?)?;
         let t8 = Pair::pair(&proof_c.g, &pk_r.u)?
             .mul(&Pair::pair(&pk_r.g, &proof_c.u)?.inverse()?)?;
 

src/services/anoncreds/prover.rs

@@ -48,7 +48,6 @@ use services::anoncreds::types::{
     ProofJson
 };
 use services::anoncreds::helpers::{
-    AppendByteArray,
     get_mtilde,
     four_squares,
     get_hash_as_int,
@@ -59,7 +58,7 @@ use services::anoncreds::helpers::{
 use services::anoncreds::verifier::Verifier;
 use services::anoncreds::issuer::Issuer;
 use utils::crypto::bn::BigNumber;
-use utils::crypto::pair::{GroupOrderElement, PointG1, Pair};
+use utils::crypto::pair::{GroupOrderElement, PointG1, PointG2, Pair};
 use std::collections::{HashMap, HashSet};
 use std::cell::RefCell;
 use services::anoncreds::types::{AttributeInfo, ClaimInfo, RequestedClaimsJson, ProofRequestJson};
@@ -166,20 +165,20 @@ impl Prover {
         }
 
         let pair_gg_calc = Pair::pair(&pkr.pk.add(&claim.borrow().g_i)?, &claim.borrow().witness.sigma_i)?;
-        let pair_gg = Pair::pair(&pkr.g, &pkr.g)?;
+        let pair_gg = Pair::pair(&pkr.g, &pkr.g_dash)?;
         if pair_gg_calc != pair_gg {
             return Err(CryptoError::InvalidStructure("issuer is sending incorrect data".to_string()));
         }
 
         let m2 = GroupOrderElement::from_bytes(&context_attribute.to_bytes()?)?;
 
-        let pair_h1 = Pair::pair(&claim.borrow().sigma, &pkr.y.add(&pkr.h.mul(&claim.borrow().c)?)?)?;
+        let pair_h1 = Pair::pair(&claim.borrow().sigma, &pkr.y.add(&pkr.h_cap.mul(&claim.borrow().c)?)?)?;
         let pair_h2 = Pair::pair(
             &pkr.h0
                 .add(&pkr.h1.mul(&m2)?)?
                 .add(&pkr.h2.mul(&claim.borrow().vr_prime_prime)?)?
                 .add(&claim.borrow().g_i)?,
-            &pkr.h
+            &pkr.h_cap
         )?;
 
         if pair_h1 != pair_h2 {
@@ -323,7 +322,7 @@ impl Prover {
                         revoc_regs: &HashMap<String, RevocationRegistry>,
                         requested_claims: &RequestedClaimsJson,
                         ms: &BigNumber,
-                        tails: &HashMap<i32, PointG1>)
+                        tails: &HashMap<i32, PointG2>)
                         -> Result<ProofJson, CryptoError> {
         info!(target: "anoncreds_service", "Prover create proof -> start");
 
@@ -353,7 +352,7 @@ impl Prover {
                                                                    .ok_or(CryptoError::InvalidStructure("Field public_key_revocation not found".to_string()))?,
                                                                tails)?;
 
-                c_list.append_vec(&proof.as_c_list()?)?;
+                c_list.extend_from_slice(&proof.as_c_list()?);
                 tau_list.extend_from_slice(&proof.as_tau_list()?);
                 m2_tilde = Some(group_element_to_bignum(&proof.tau_list_params.m2)?);
                 non_revoc_init_proof = Some(proof);
@@ -448,7 +447,7 @@ impl Prover {
     }
 
     fn _init_non_revocation_proof(claim: &RefCell<NonRevocationClaim>, accum: &Accumulator,
-                                  pkr: &RevocationPublicKey, tails: &HashMap<i32, PointG1>)
+                                  pkr: &RevocationPublicKey, tails: &HashMap<i32, PointG2>)
                                   -> Result<NonRevocInitProof, CryptoError> {
         info!(target: "anoncreds_service", "Prover init non-revocation proof -> start");
         Prover::_update_non_revocation_claim(claim, accum, tails)?;
@@ -464,7 +463,7 @@ impl Prover {
     }
 
     fn _update_non_revocation_claim(claim: &RefCell<NonRevocationClaim>,
-                                    accum: &Accumulator, tails: &HashMap<i32, PointG1>)
+                                    accum: &Accumulator, tails: &HashMap<i32, PointG2>)
                                     -> Result<(), CryptoError> {
         if !accum.v.contains(&claim.borrow().i) {
             return Err(CryptoError::InvalidStructure("Can not update Witness. I'm revoced.".to_string()))
@@ -477,14 +476,14 @@ impl Prover {
                 mut_claim.witness.v.difference(&accum.v).cloned().collect();
             let v_new_minus_old: HashSet<i32> =
                 accum.v.difference(&mut_claim.witness.v).cloned().collect();
-            let mut omega_denom = PointG1::new_inf()?;
+            let mut omega_denom = PointG2::new_inf()?;
             for j in v_old_minus_new.iter() {
                 omega_denom = omega_denom.add(
                     tails.get(&(accum.max_claim_num + 1 - j + mut_claim.i))
                         .ok_or(CryptoError::InvalidStructure(format!("Key not found {} in tails", accum.max_claim_num + 1 - j + mut_claim.i)))?)?;
             }
-            let mut omega_num = PointG1::new_inf()?;
-            let mut new_omega: PointG1 = mut_claim.witness.omega.clone();
+            let mut omega_num = PointG2::new_inf()?;
+            let mut new_omega: PointG2 = mut_claim.witness.omega.clone();
             for j in v_old_minus_new.iter() {
                 omega_num = omega_num.add(
                     tails.get(&(accum.max_claim_num + 1 - j + mut_claim.i))
@@ -815,17 +814,17 @@ impl Prover {
 
         let w = claim.witness.omega
             .add(
-                &pkr.htilde.mul(&params.r_prime)?
+                &pkr.h_cap.mul(&params.r_prime)?
             )?;
 
         let s = claim.witness.sigma_i
             .add(
-                &pkr.htilde.mul(&params.r_prime_prime)?
+                &pkr.h_cap.mul(&params.r_prime_prime)?
             )?;
 
         let u = claim.witness.u_i
             .add(
-                &pkr.htilde.mul(&params.r_prime_prime_prime)?
+                &pkr.h_cap.mul(&params.r_prime_prime_prime)?
             )?;
 
         Ok(NonRevocProofCList::new(e, d, a, g, w, s, u))
@@ -1332,8 +1331,8 @@ pub mod mocks {
     pub fn get_non_revocation_proof_c_list() -> NonRevocProofCList {
         NonRevocProofCList::new(PointG1::new().unwrap(), PointG1::new().unwrap(),
                                 PointG1::new().unwrap(), PointG1::new().unwrap(),
-                                PointG1::new().unwrap(), PointG1::new().unwrap(),
-                                PointG1::new().unwrap()
+                                PointG2::new().unwrap(), PointG2::new().unwrap(),
+                                PointG2::new().unwrap()
         )
     }
 
@@ -1498,17 +1497,19 @@ pub mod mocks {
     }
 
     pub fn get_public_key_revocation() -> RevocationPublicKey {
-        RevocationPublicKey::new(PointG1::new().unwrap(), PointG1::new().unwrap(),
-                                 PointG1::new().unwrap(), PointG1::new().unwrap(),
+        RevocationPublicKey::new(PointG1::new().unwrap(), PointG2::new().unwrap(),
                                  PointG1::new().unwrap(), PointG1::new().unwrap(),
                                  PointG1::new().unwrap(), PointG1::new().unwrap(),
-                                 PointG1::new().unwrap(), GroupOrderElement::new().unwrap())
+                                 PointG1::new().unwrap(), PointG2::new().unwrap(),
+                                 PointG2::new().unwrap(), PointG1::new().unwrap(),
+                                 PointG2::new().unwrap(),
+                                 GroupOrderElement::new().unwrap())
     }
 
     pub fn get_accumulator() -> Accumulator {
         let mut v: HashSet<i32> = HashSet::new();
         v.insert(1);
-        Accumulator::new(PointG1::new().unwrap(), v, 5, 2)
+        Accumulator::new(PointG2::new().unwrap(), v, 5, 2)
     }
 
     pub fn get_tails() -> HashMap<i32, PointG1> {
@@ -1519,8 +1520,8 @@ pub mod mocks {
 
     pub fn get_witness() -> Witness {
         Witness::new(
-            PointG1::new().unwrap(), PointG1::new().unwrap(), PointG1::new().unwrap(),
-            PointG1::new().unwrap(), HashSet::from_iter(vec![1].iter().cloned()
+            PointG2::new().unwrap(), PointG2::new().unwrap(), PointG1::new().unwrap(),
+            PointG2::new().unwrap(), HashSet::from_iter(vec![1].iter().cloned()
             )
         )
     }