ba621c6934
|
||
|---|---|---|
| .. | ||
| bccsp | ||
| common/flogging | ||
| LICENSE | ||
| Makefile | ||
| README.md | ||
| idemix_roles.go | ||
| idemixmsp.go | ||
| msp.go | ||
README.md
Idemix
This project is a Go implementation of an anonymous identity stack for blockchain systems.
- Protocol
Protocol
Here we describe the cryptographic protocol that is implemented.
Preliminaries
TBD (Group etc.)
Generation of issue certificate
The input for this step are the 4 attributes that are certified, namely OU, Role, EnrollmentID and RevocationHandle (call them ).
Given these attributes, the CA samples the issuer secret key at random
And then computes
For each attribute the CA picks a random element and generates a base for that attribute
The CA randomly selects and computes bases
Then the CA randomly selects and computes
It also generates
The issuer public key is
where is a hash of all fields of the public key.
and the issuer private key is is
Generation of client certificate
Given a client with attributes , the client samples the secret key
and random elements
and then computes
The credential request sent to the CA is .
The CA computes
and checks whether
If so, the CA picks random elements
and computes
The CA returns the credential to the user.
The user verifies the credential by computing
If the user aborts. Otherwise it verifies the signature by checking whether the following equality
holds. If so, the user accepts private key and the user public key is .
Generation of signature
To sign message and simultaneously disclose a subset of attributes (tracked by the bits such that if the bit is one the corresponding attribute is disclosed; notationally, ), the client chooses a new random element and generates a new pseudonym
And then generates the new signature as follows
The client then generates random elements
and then generates
and for each attribute that requires disclosure, it generates
The signature is .
Verification of a signature
Upon receipt of a signature is over message
the verifier checks whether the following equality holds
If so, it recomputes
and accepts the signature if
This verification also verifies the disclosed subset of attributes.
Generation of a pseudonymous signature
Differently from a standard signature, a pseudonymous signature does not prove that the pseudonym possesses a user certificate signed by a CA. It only proves that the pseudonym signed message
. The signature is generated starting from the pseudonym (as generated in the section above) together with secret key
and randomness
as follows: at first it picks random elements
Then it generates
The signature is .
Verification of a pseudonymous signature
Upon receipt of a pseudonymous signature over message the verifier recomputes
and accepts the signature if
Extensions
Adding a pseudonym as a function of the Enrollment ID (eid)
The enrollment id is one of the cerified attributes ( with value
). This extension introduces a pseudonym which is a function of the enrollment ID, together with a proof that it was correclty generated.
Signature generation
The pseudonym is computed by sampling
and by generating the pseudonym
Signature generation is similar to the scheme above; in particular, the term is the same used by the original sign algorithm. The extensions include:
-
the client computes an additional value ;
-
the client includes in the challenge computation: (if
is included, it should always be set to 0 otherwise the value of the enrollment ID would be revealed);
-
the client computes an additional proof ;
-
The signature includes the additional proof
and pseudonym
.
Signature verification
Signature verification is the same as above except that
-
verifier computes ;
-
verifier checks if .
Auditing NymEid
To Audit NymEid the client reveals pair and the auditor checks if .