1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// https://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package private_membership.anonymous_tokens; 18 19import "quiche/blind_sign_auth/proto/timestamp.proto"; 20 21// Different use cases for the Anonymous Tokens service. 22// Next ID: 9 23enum AnonymousTokensUseCase { 24 // Test use cases here. 25 ANONYMOUS_TOKENS_USE_CASE_UNDEFINED = 0; 26 TEST_USE_CASE = 1; 27 TEST_USE_CASE_2 = 2; 28 TEST_USE_CASE_3 = 4; 29 TEST_USE_CASE_4 = 5; 30 TEST_USE_CASE_5 = 6; 31 32 PROVABLY_PRIVATE_NETWORK = 3; 33 CHROME_IP_BLINDING = 7; 34 NOCTOGRAM_PPISSUER = 8; 35} 36 37// An enum describing different types of available hash functions. 38enum HashType { 39 AT_HASH_TYPE_UNDEFINED = 0; 40 AT_TEST_HASH_TYPE = 1; 41 AT_HASH_TYPE_SHA256 = 2; 42 AT_HASH_TYPE_SHA384 = 3; 43 // Add more hash types if necessary. 44} 45 46// An enum describing different types of hash functions that can be used by the 47// mask generation function. 48enum MaskGenFunction { 49 AT_MGF_UNDEFINED = 0; 50 AT_TEST_MGF = 1; 51 AT_MGF_SHA256 = 2; 52 AT_MGF_SHA384 = 3; 53 // Add more hash types if necessary. 54} 55 56// An enum describing different types of message masking. 57enum MessageMaskType { 58 AT_MESSAGE_MASK_TYPE_UNDEFINED = 0; 59 AT_MESSAGE_MASK_XOR = 1; 60 AT_MESSAGE_MASK_CONCAT = 2; 61} 62 63// Proto representation for RSA private key. 64message RSAPrivateKey { 65 // Modulus. 66 bytes n = 1; 67 // Public exponent. 68 bytes e = 2; 69 // Private exponent. 70 bytes d = 3; 71 // The prime factor p of n. 72 bytes p = 4; 73 // The prime factor q of n. 74 bytes q = 5; 75 // d mod (p - 1). 76 bytes dp = 6; 77 // d mod (q - 1). 78 bytes dq = 7; 79 // Chinese Remainder Theorem coefficient q^(-1) mod p. 80 bytes crt = 8; 81} 82 83// Proto representation for RSA public key. 84message RSAPublicKey { 85 // Modulus. 86 bytes n = 1; 87 // Public exponent. 88 bytes e = 2; 89} 90 91// Next ID: 13 92message RSABlindSignaturePublicKey { 93 // Use case associated with this public key. 94 bytes use_case = 9; 95 96 // Version number of public key. 97 int64 key_version = 1; 98 99 // Serialization of the public key. 100 bytes serialized_public_key = 2; 101 102 // Timestamp of expiration. 103 // 104 // Note that we will not return keys whose expiration times are in the past. 105 quiche.protobuf.Timestamp expiration_time = 3; 106 107 // Key becomes valid at key_validity_start_time. 108 quiche.protobuf.Timestamp key_validity_start_time = 8; 109 110 // Hash function used in computing hash of the signing message 111 // (see https://tools.ietf.org/html/rfc8017#section-9.1.1) 112 HashType sig_hash_type = 4; 113 114 // Hash function used in MGF1 (a mask generation function based on a 115 // hash function) (see https://tools.ietf.org/html/rfc8017#appendix-B.2.1). 116 MaskGenFunction mask_gen_function = 5; 117 118 // Length in bytes of the salt (see 119 // https://tools.ietf.org/html/rfc8017#section-9.1.1) 120 int64 salt_length = 6; 121 122 // Key size: bytes of RSA key. 123 int64 key_size = 7; 124 125 // Type of masking of message (see https://eprint.iacr.org/2022/895.pdf). 126 MessageMaskType message_mask_type = 10; 127 128 // Length of message mask in bytes. 129 int64 message_mask_size = 11; 130 131 // Conveys whether public metadata support is enabled and RSA blind signatures 132 // with public metadata protocol should be used. If false, standard RSA blind 133 // signatures are used and all public metadata inputs are ignored. 134 bool public_metadata_support = 12; 135} 136 137message AnonymousTokensPublicKeysGetRequest { 138 // Use case associated with this request. 139 // 140 // Returns an error if the token type does not support public key verification 141 // for the requested use_case. 142 bytes use_case = 1; 143 144 // Key version associated with this request. 145 // 146 // Returns an error if the token type does not support public key verification 147 // for the requested use_case and key_version combination. 148 // 149 // If unset, all valid possibilities for the key are returned. 150 int64 key_version = 2; 151 152 // Public key that becomes valid at or before this requested time and not 153 // after. More explicitly, we need the requested key to be valid at the 154 // requested key_validity_start_time. 155 // 156 // If unset it will be set to current time. 157 quiche.protobuf.Timestamp key_validity_start_time = 3 158 ; 159 160 // Public key that is definitely not valid after this particular time. If 161 // unset / null, only keys that are indefinitely valid are returned. 162 // 163 // Note: It is possible that the key becomes invalid before this time. But the 164 // key should not be valid after this time. 165 quiche.protobuf.Timestamp key_validity_end_time = 4 166 ; 167} 168 169message AnonymousTokensPublicKeysGetResponse { 170 // List of currently valid RSA public keys. 171 repeated RSABlindSignaturePublicKey rsa_public_keys = 1; 172} 173 174message AnonymousTokensSignRequest { 175 // Next ID: 5 176 message BlindedToken { 177 // Use case associated with this request. 178 bytes use_case = 1; 179 180 // Version of key used to sign and generate the token. 181 int64 key_version = 2; 182 183 // Public metadata to be tied to the `blinded message` (serialized_token). 184 // 185 // The length of public metadata must fit in 4 bytes. 186 bytes public_metadata = 4; 187 188 // Serialization of the token. 189 bytes serialized_token = 3; 190 } 191 192 // Token(s) that have been blinded by the user, not yet signed 193 repeated BlindedToken blinded_tokens = 1; 194} 195 196message AnonymousTokensSignResponse { 197 // Next ID: 6 198 message AnonymousToken { 199 // Use case associated with this anonymous token. 200 bytes use_case = 1; 201 202 // Version of key used to sign and generate the token. 203 int64 key_version = 2; 204 205 // Public metadata tied to the input (serialized_blinded_message) and the 206 // `blinded` signature (serialized_token). 207 // 208 // The length of public metadata must fit in 4 bytes. 209 bytes public_metadata = 4; 210 211 // The serialized_token in BlindedToken in the AnonymousTokensSignRequest. 212 bytes serialized_blinded_message = 5; 213 214 // Serialization of the signed token. This will have to be `unblinded` by 215 // the user before it can be used / redeemed. 216 bytes serialized_token = 3; 217 } 218 219 // Returned anonymous token(s) 220 repeated AnonymousToken anonymous_tokens = 1; 221} 222 223message AnonymousTokensRedemptionRequest { 224 // Next ID: 7 225 message AnonymousTokenToRedeem { 226 // Use case associated with this anonymous token that needs to be redeemed. 227 bytes use_case = 1; 228 229 // Version of key associated with this anonymous token that needs to be 230 // redeemed. 231 int64 key_version = 2; 232 233 // Public metadata to be used for redeeming the signature 234 // (serialized_unblinded_token). 235 // 236 // The length of public metadata must fit in 4 bytes. 237 bytes public_metadata = 4; 238 239 // Serialization of the unblinded anonymous token that needs to be redeemed. 240 bytes serialized_unblinded_token = 3; 241 242 // Plaintext input message to verify the signature for. 243 bytes plaintext_message = 5; 244 245 // Nonce used to mask plaintext message before cryptographic verification. 246 bytes message_mask = 6; 247 } 248 249 // One or more anonymous tokens to redeem. 250 repeated AnonymousTokenToRedeem anonymous_tokens_to_redeem = 1; 251} 252 253message AnonymousTokensRedemptionResponse { 254 // Next ID: 9 255 message AnonymousTokenRedemptionResult { 256 // Use case associated with this redeemed anonymous token. 257 bytes use_case = 3; 258 259 // Version of key associated with this redeemed anonymous token. 260 int64 key_version = 4; 261 262 // Public metadata used for verifying the signature 263 // (serialized_unblinded_token). 264 // 265 // The length of public metadata must fit in 4 bytes. 266 bytes public_metadata = 5; 267 268 // Serialization of this redeemed unblinded anonymous token. 269 bytes serialized_unblinded_token = 6; 270 271 // Unblinded input message that the signature was verified against. 272 bytes plaintext_message = 7; 273 274 // Nonce used to mask plaintext message before cryptographic verification. 275 bytes message_mask = 8; 276 277 // Returns true if and only if the anonymous token was redeemed 278 // successfully i.e. token was cryptographically verified, all relevant 279 // state in the server was updated successfully and the token was not 280 // redeemed already. 281 // 282 bool verified = 1; 283 284 // Returns true if and only if the anonymous token has already been 285 // redeemed. 286 bool double_spent = 2; 287 } 288 289 // Redemption response for requested anonymous tokens. 290 repeated AnonymousTokenRedemptionResult anonymous_token_redemption_results = 291 1; 292} 293 294// Plaintext message with public metadata. 295message PlaintextMessageWithPublicMetadata { 296 // Message to be signed. 297 bytes plaintext_message = 1; 298 299 // Public metadata to be tied to the signature. 300 bytes public_metadata = 2; 301} 302 303// Proto representing a token created during the blind signing protocol. 304message RSABlindSignatureToken { 305 // Resulting token from the blind signing protocol. 306 bytes token = 1; 307 308 // Nonce used to mask messages. 309 bytes message_mask = 2; 310} 311 312// Proto representing a token along with the input. 313message RSABlindSignatureTokenWithInput { 314 // Input consisting of plaintext message and public metadata. 315 PlaintextMessageWithPublicMetadata input = 1; 316 317 // Resulting token after blind signing protocol. 318 RSABlindSignatureToken token = 2; 319} 320 321// Proto representing redemption result along with the token and the token 322// input. 323message RSABlindSignatureRedemptionResult { 324 // Proto representing a token along with the input. 325 RSABlindSignatureTokenWithInput token_with_input = 1; 326 327 // This is set to true if and only if the anonymous token was redeemed 328 // successfully i.e. token was cryptographically verified, all relevant 329 // state in the redemption server was updated successfully and the token was 330 // not redeemed already. 331 bool redeemed = 2; 332 333 // True if and only if the token was redeemed before. 334 bool double_spent = 3; 335} 336