Categorygithub.com/IBM/idemix

modulepackage

0.0.1

Repository: https://github.com/ibm/idemix.git

Documentation: pkg.go.dev

# README

Idemix

This project is a Go implementation of an anonymous identity stack for blockchain systems.

Protocol

Protocol

Here we describe the cryptographic protocol that is implemented.

Preliminaries

TBD (Group etc.)

Generation of issue certificate

The input for this step are the 4 attributes that are certified, namely OU, Role, EnrollmentID and RevocationHandle (call them $a_{0}, \ldots, a_{3}$ ).

Given these attributes, the CA samples the issuer secret key at random

$ISK \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

And then computes

$W \leftarrow g_{2}^{ISK}$

For each attribute $a_{i} \in \{a_{0}, \ldots, a_{3}\}$ the CA picks a random element $r_{i} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ and generates a base for that attribute

$H_{a_{i}} \leftarrow g_{1}^{r_{i}}$

The CA randomly selects $r_{ISK}, r, \bar{r}$ and computes bases

$H_{ISK} \leftarrow g_{1}^{r_{ISK}}$ $H_{r} \leftarrow g_{1}^{r}$ $\bar{g_1} \leftarrow g_{1}^{\bar{r}}$ $\bar{g_2} \leftarrow \bar{g_1}^{ISK}$

Then the CA randomly selects $r_p$ and computes

$t_1 \leftarrow g_2^{r_p}$ $t_2 \leftarrow \bar{g_1}^{r_p}$

It also generates

$C \leftarrow H(t_1||t_2||g_2||\bar{g_1}||W||\bar{g_2})$ $s \leftarrow r_{p} + C \cdot ISK$

The issuer public key $PK_{I}$ is

$PK_{I} \leftarrow \{ a_{0}, \ldots, a_{3}, H_{a_{0}}, \ldots, H_{a_{3}}, H_{ISK}, H_{r}, W, \bar{g_1}, \bar{g_2}, C, s, h_{CA} \}$

where $h_{CA}$ is a hash of all fields of the public key.

and the issuer private key is $SK_{I}$ is

$SK_{I} \leftarrow \{ ISK \}$

Generation of client certificate

Given a client $c$ with attributes $a_{c0}, \ldots, a_{c3}$ , the client samples the secret key

$sk_{c} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and random elements

$r_{sk} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $nonce \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and then computes

$N \leftarrow H_{ISK}^{sk_{c}}$ $t \leftarrow H_{ISK}^{r_{sk}}$ $C \leftarrow H(t||H_{ISK}||N||nonce||h_{CA})$ $s \leftarrow r_{sk} + C \cdot sk_{c}$

The credential request sent to the CA is $\{ N, nonce, C, s \}$ .

The CA computes

$t' \leftarrow \frac{H_{ISK}^{s}}{N^C}$

and checks whether

$C = H(t'||H_{ISK}||N||nonce||h_{CA})$

If so, the CA picks random elements

$E \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $S \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and computes

$B \leftarrow g_{1} \cdot N \cdot H_{r}^S \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{ci}}$ $e \leftarrow \frac{1}{E + ISK}$ $A \leftarrow B^e$

The CA returns the credential $\{ A, B, S, E \}$ to the user.

The user verifies the credential by computing

$B' \leftarrow g_{1} \cdot H_{ISK}^{sk_{c}} \cdot H_{r}^S \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{ci}}$

If $B \neq B'$ the user aborts. Otherwise it verifies the signature by checking whether the following equality

$e(g_{2}^E \cdot W, A) = e(g_{2}, B)$

holds. If so, the user accepts private key $SK_{C} \leftarrow \{ sk_{c} \}$ and the user public key is $PK_{C} \leftarrow \{ A, B, E, S \}$ .

Generation of signature

To sign message $m$ and simultaneously disclose a subset of attributes $a_{c0}, \ldots, a_{c3}$ (tracked by the bits $d_{0}, \ldots, d_{3}$ such that if the bit is one the corresponding attribute is disclosed; notationally, $\bar{d}_{i} = d_{i} + 1 mod 2$ ), the client chooses a new random element $r_{n} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ and generates a new pseudonym

$Nym \leftarrow N \cdot H_{r}^{r_{n}}$

And then generates the new signature as follows

$n \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_1 \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_2 \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_3 \leftarrow \frac{1}{r_1}$ $A' \leftarrow A^{r_1}$ $\bar{A} \leftarrow B^{r1} \cdot A'^{-E}$ $B' \leftarrow \frac{B^{r1}}{H_{r}^{r_2}}$ $S' \leftarrow S-r_2 \cdot r_3$

The client then generates random elements

$r_{sk_{c}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{e} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{r_2} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{r_3} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{S'} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{r_{n}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{a_{0}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{a_{1}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{a_{2}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{a_{3}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and then generates

$t_1 \leftarrow A'^{r_{e}} \cdot H_{r}^{r_{r_2}}$ $t_2 \leftarrow B'^{r_{r_3}} \cdot H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{S'}} \cdot \prod_{i=0}^4 H_{a_{i}}^{r_{a_{i}} \bar{d}_i}$ $t_3 \leftarrow H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{r_{n}}}$ $C \leftarrow H(H(t_1||t_2||t_3||A'||\bar{A}||B'||Nym||h_{CA}||d_0||\ldots||d_3||m)||n)$ $S_{sk_{c}} \leftarrow r_{sk_{c}} + sk_{c} C$ $S_{E} \leftarrow r_{e} - E C$ $S_{r_2} \leftarrow r_{r_2} + r_2 C$ $S_{r_3} \leftarrow r_{r_3} - r_3 C$ $S_{S'} \leftarrow r_{S'} + S' C$ $S_{r_{n}} \leftarrow r_{r_{n}} + r_{n} C$

and for each attribute $a_{i}$ that requires disclosure, it generates

$S_{a_{i}} \leftarrow r_{a_{i}} + a_{i} C$

The signature $\sigma$ is $\sigma \leftarrow \{ Nym, A', \bar{A}, B', C, S_{sk_{c}}, S_{E}, S_{r_2}, S_{r_3}, S_{S'}, S_{r_{n}}, \ldots S_{a_{i}} \ldots, d_{0}, \ldots, d_{3}, \ldots a_{i} \ldots, n \}$ .

Verification of a signature

Upon receipt of a signature $\sigma$ is $\sigma \leftarrow \{ Nym, A', \bar{A}, B', C, S_{sk_{c}}, S_{E}, S_{r_2}, S_{r_3}, S_{S'}, S_{r_{n}}, \ldots S_{a_{i}} \ldots, d_{0}, \ldots, d_{3}, \ldots a_{i} \ldots, n \}$ over message $m$ the verifier checks whether the following equality holds

$e(W, A') = e(g_{2}, \bar{A})$

If so, it recomputes

$t'_1 \leftarrow \frac{A'^{S_{E}} \cdot H_{r}^{S_{r_2}}}{\left( \bar{A} \cdot B'^{-1} \right)^C}$ $t'_2 \leftarrow H_{r}^{S_{S'}} \cdot B'^{S_{r_3}} \cdot H_{ISK}^{S_{sk_{c}}} \cdot \prod_{i=0}^4 H_{a_{i}}^{S_{a_{i}} \bar{d}_i} \cdot \left(g_{1} \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{i} d_i} \right)^C$ $t'_3 \leftarrow \frac{H_{ISK}^{S_{sk_{c}}} \cdot H_{r}^{S_{r_{n}}}}{Nym^C}$

and accepts the signature if

$C = H(H(t'_1||t'_2||t'_3||A'||\bar{A}||B'||Nym||h_{CA}||d_0||\ldots||d_3||m)||n)$

This verification also verifies the disclosed subset of attributes.

Generation of a pseudonymous signature

Differently from a standard signature, a pseudonymous signature does not prove that the pseudonym possesses a user certificate signed by a CA. It only proves that the pseudonym $Nym$ signed message $m$ . The signature is generated starting from the pseudonym (as generated in the section above) together with secret key $sk_{c}$ and randomness $r_{n}$ as follows: at first it picks random elements

$n \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{sk_{c}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{r_{n}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

Then it generates

$t \leftarrow H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{r_{n}}}$ $C \leftarrow H(H(t||Nym||h_{CA}||m)||n)$ $S_{sk_{c}} \leftarrow r_{sk_{c}} + sk_{c} C$ $S_{r_{n}} \leftarrow r_{r_{n}} + r_{n} C$

The signature $\sigma$ is $\sigma \leftarrow \{ Nym, C, S_{sk_{c}}, S_{r_{n}}, n \}$ .

Verification of a pseudonymous signature

Upon receipt of a pseudonymous signature $\sigma \leftarrow \{ Nym, C, S_{sk_{c}}, S_{r_{n}}, n \}$ over message $m$ the verifier recomputes

$t' \leftarrow \frac{H_{ISK}^{S_{sk_{c}}} \cdot H_{r}^{S_{r_{n}}}}{Nym^C}$

and accepts the signature if

$C = H(H(t'||Nym||h_{CA}||m)||n)$

Extensions

Adding a pseudonym as a function of the Enrollment ID (eid)

The enrollment id is one of the cerified attributes ( $a_{2}$ with value $a_{c2}$ ). This extension introduces a pseudonym which is a function of the enrollment ID, together with a proof that it was correclty generated.

Signature generation

The pseudonym is computed by sampling

$r_{eid} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ $r_{r_{eid}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and by generating the pseudonym

$Nym_{eid} \leftarrow H_{a_{2}}^{a_{c2}} \cdot H_{r}^{r_{eid}}$

Signature generation is similar to the scheme above; in particular, the term $r_{a_{2}}$ is the same used by the original sign algorithm. The extensions include:

the client computes an additional value $t_4 \leftarrow H_{a_{2}}^{r_{a_{2}}} \cdot H_{r}^{r_{r_{eid}}}$ ;
the client includes $(Nym_{eid}, t_4)$ in the challenge computation: $C \leftarrow H(H(t_1||t_2||t_3||t_4||A'||\bar{A}||B'||Nym||Nym_{eid}||h_{CA}||d_0||\ldots||d_3||m)||n)$ (if $d_2$ is included, it should always be set to 0 otherwise the value of the enrollment ID would be revealed);
the client computes an additional proof $S_{r_{eid}} \leftarrow r_{r_{eid}} + r_{eid} C$ ;
The signature includes the additional proof $S_{r_{eid}}$ and pseudonym $Nym_{eid}$ .

Signature verification

Signature verification is the same as above except that

verifier computes $t'_4 \leftarrow \frac{H_{a_{2}}^{S_{a_2}} \cdot H_{r}^{S_{r_{eid}}}}{Nym_{eid}^C}$ ;
verifier checks if $C \leftarrow H(H(t'_1||t'_2||t'_3||t'_4||A'||\bar{A}||B'||Nym||Nym_{eid}||h_{CA}||d_0||\ldots||d_3||m)||n)$ .

Auditing NymEid

To Audit NymEid the client reveals pair $a_{c2}, r_{eid}$ and the auditor checks if $Nym_{eid} \leftarrow H_{a_{2}}^{a_{c2}} \cdot H_{r}^{r_{eid}}$ .

# Packages

bccsp

common

No description provided by the author

tools

No description provided by the author

# Functions

GetIdemixMspConfig

GetIdemixMspConfig returns the configuration for the Idemix MSP.

GetRoleMaskFromIdemixRole

GetRoleMaskFromIdemixRole return a bitmask for one role.

NewIdemixMsp

NewIdemixMsp creates a new instance of idemixmsp.

ProviderTypeToString

ProviderTypeToString returns a string that represents the ProviderType integer.

# Constants

ADMIN

The expected roles are 4; We can combine them using a bitmask.

AttributeIndexEnrollmentId

AttributeIndexEnrollmentId contains the index of the Enrollment ID attribute in the idemix credential attributes.

AttributeIndexOU

AttributeIndexOU contains the index of the OU attribute in the idemix credential attributes.

AttributeIndexRevocationHandle

AttributeIndexRevocationHandle contains the index of the Revocation Handle attribute in the idemix credential attributes.

AttributeIndexRole

AttributeIndexRole contains the index of the Role attribute in the idemix credential attributes.

AttributeNameEnrollmentId

AttributeNameEnrollmentId is the attribute name of the Enrollment ID attribute.

AttributeNameOU

AttributeNameOU is the attribute name of the Organization Unit attribute.

AttributeNameRevocationHandle

AttributeNameRevocationHandle is the attribute name of the revocation handle attribute.

AttributeNameRole

AttributeNameRole is the attribute name of the Role attribute.

CLIENT

The expected roles are 4; We can combine them using a bitmask.

FABRIC

MSP is of FABRIC type.

IDEMIX

MSP is of IDEMIX type.

IdemixConfigDirMsp

No description provided by the author

IdemixConfigDirUser

No description provided by the author

IdemixConfigFileIssuerPublicKey

No description provided by the author

IdemixConfigFileRevocationPublicKey

No description provided by the author

IdemixConfigFileSigner

No description provided by the author

MEMBER

The expected roles are 4; We can combine them using a bitmask.

MSPv1_0

No description provided by the author

MSPv1_1

No description provided by the author

MSPv1_3

No description provided by the author

MSPv1_4_3

No description provided by the author

OTHER

MSP is of OTHER TYPE.

PEER

The expected roles are 4; We can combine them using a bitmask.

# Structs

Idemixidentity

No description provided by the author

Idemixmsp

No description provided by the author

IdemixSigningIdentity

No description provided by the author

IdentityIdentifier

IdentityIdentifier is a holder for the identifier of a specific identity, naturally namespaced, by its provider identifier.

OUIdentifier

OUIdentifier represents an organizational unit and its related chain of trust identifier.

# Interfaces

Identity

Identity interface defining operations associated to a "certificate".

IdentityDeserializer

IdentityDeserializer is implemented by both MSPManger and MSP.

MSP

MSP is the minimal Membership Service Provider Interface to be implemented to accommodate peer functionality.

MSPManager

MSPManager is an interface defining a manager of one or more MSPs.

SigningIdentity

SigningIdentity is an extension of Identity to cover signing capabilities.

# Type aliases

MSPVersion

No description provided by the author

ProviderType

ProviderType indicates the type of an identity provider.

Role

Role : Represents a IdemixRole.