1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// https://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package anonymous_tokens; 18 19message Timestamp { 20 int64 seconds = 1; 21 int32 nanos = 2; 22} 23 24// Different use cases for the Anonymous Tokens service. 25// Next ID: 11 26enum AnonymousTokensUseCase { 27 // Test use cases here. 28 ANONYMOUS_TOKENS_USE_CASE_UNDEFINED = 0; 29 TEST_USE_CASE = 1; 30 TEST_USE_CASE_2 = 2; 31 TEST_USE_CASE_3 = 4; 32 TEST_USE_CASE_4 = 5; 33 TEST_USE_CASE_5 = 6; 34 TEST_USE_CASE_6 = 9; 35 36 PROVABLY_PRIVATE_NETWORK = 3; 37 CHROME_IP_BLINDING = 7; 38 NOCTOGRAM_PPISSUER = 8; 39 CHROME_IP_BLINDING_DARKLAUNCH = 10; 40} 41 42// An enum describing different types of available hash functions. 43enum HashType { 44 AT_HASH_TYPE_UNDEFINED = 0; 45 AT_TEST_HASH_TYPE = 1; 46 AT_HASH_TYPE_SHA256 = 2; 47 AT_HASH_TYPE_SHA384 = 3; 48 // Add more hash types if necessary. 49} 50 51// An enum describing different types of hash functions that can be used by the 52// mask generation function. 53enum MaskGenFunction { 54 AT_MGF_UNDEFINED = 0; 55 AT_TEST_MGF = 1; 56 AT_MGF_SHA256 = 2; 57 AT_MGF_SHA384 = 3; 58 // Add more hash types if necessary. 59} 60 61// An enum describing different types of message masking. 62enum MessageMaskType { 63 AT_MESSAGE_MASK_TYPE_UNDEFINED = 0; 64 AT_MESSAGE_MASK_XOR = 1; 65 AT_MESSAGE_MASK_CONCAT = 2; 66 AT_MESSAGE_MASK_NO_MASK = 3; 67} 68 69// Proto representation for RSA private key. 70message RSAPrivateKey { 71 // Modulus. 72 bytes n = 1; 73 // Public exponent. 74 bytes e = 2; 75 // Private exponent. 76 bytes d = 3; 77 // The prime factor p of n. 78 bytes p = 4; 79 // The prime factor q of n. 80 bytes q = 5; 81 // d mod (p - 1). 82 bytes dp = 6; 83 // d mod (q - 1). 84 bytes dq = 7; 85 // Chinese Remainder Theorem coefficient q^(-1) mod p. 86 bytes crt = 8; 87} 88 89// Proto representation for RSA public key. 90message RSAPublicKey { 91 // Modulus. 92 bytes n = 1; 93 // Public exponent. 94 bytes e = 2; 95} 96 97// Next ID: 13 98message RSABlindSignaturePublicKey { 99 // Use case associated with this public key. 100 bytes use_case = 9; 101 102 // Version number of public key. 103 int64 key_version = 1; 104 105 // Serialization of the public key. 106 bytes serialized_public_key = 2; 107 108 // Timestamp of expiration. 109 // 110 // Note that we will not return keys whose expiration times are in the past. 111 Timestamp expiration_time = 3; 112 113 // Key becomes valid at key_validity_start_time. 114 Timestamp key_validity_start_time = 8; 115 116 // Hash function used in computing hash of the signing message 117 // (see https://tools.ietf.org/html/rfc8017#section-9.1.1) 118 HashType sig_hash_type = 4; 119 120 // Hash function used in MGF1 (a mask generation function based on a 121 // hash function) (see https://tools.ietf.org/html/rfc8017#appendix-B.2.1). 122 MaskGenFunction mask_gen_function = 5; 123 124 // Length in bytes of the salt (see 125 // https://tools.ietf.org/html/rfc8017#section-9.1.1) 126 int64 salt_length = 6; 127 128 // Key size: bytes of RSA key. 129 int64 key_size = 7; 130 131 // Type of masking of message (see https://eprint.iacr.org/2022/895.pdf). 132 MessageMaskType message_mask_type = 10; 133 134 // Length of message mask in bytes. 135 int64 message_mask_size = 11; 136 137 // Conveys whether public metadata support is enabled and RSA blind signatures 138 // with public metadata protocol should be used. If false, standard RSA blind 139 // signatures are used and all public metadata inputs are ignored. 140 bool public_metadata_support = 12; 141} 142 143message AnonymousTokensPublicKeysGetRequest { 144 // Use case associated with this request. 145 // 146 // Returns an error if the token type does not support public key verification 147 // for the requested use_case. 148 bytes use_case = 1; 149 150 // Key version associated with this request. 151 // 152 // Returns an error if the token type does not support public key verification 153 // for the requested use_case and key_version combination. 154 // 155 // If unset, all valid possibilities for the key are returned. 156 int64 key_version = 2; 157 158 // Public key that becomes valid at or before this requested time and not 159 // after. More explicitly, we need the requested key to be valid at the 160 // requested key_validity_start_time. 161 // 162 // If unset it will be set to current time. 163 Timestamp key_validity_start_time = 3 164 ; 165 166 // Public key that is definitely not valid after this particular time. If 167 // unset / null, only keys that are indefinitely valid are returned. 168 // 169 // Note: It is possible that the key becomes invalid before this time. But the 170 // key should not be valid after this time. 171 Timestamp key_validity_end_time = 4 172 ; 173} 174 175message AnonymousTokensPublicKeysGetResponse { 176 // List of currently valid RSA public keys. 177 repeated RSABlindSignaturePublicKey rsa_public_keys = 1; 178} 179 180message AnonymousTokensSignRequest { 181 // Next ID: 6 182 message BlindedToken { 183 // Use case associated with this request. 184 bytes use_case = 1; 185 186 // Version of key used to sign and generate the token. 187 int64 key_version = 2; 188 189 // Public metadata to be tied to the `blinded message` (serialized_token). 190 // 191 // The length of public metadata must be at most 2^32 bytes. 192 bytes public_metadata = 4; 193 194 // This value is disregarded for standard blind RSA signatures. 195 // 196 // For the public metadata protocol, if this value is set to false, the 197 // final public exponent is derived by using the RSA public exponent, the 198 // RSA modulus and the public metadata. If this value is set to true, only 199 // the RSA modulus and the public metadata will be used. 200 bool do_not_use_rsa_public_exponent = 5; 201 202 // Serialization of the token. 203 bytes serialized_token = 3; 204 } 205 206 // Token(s) that have been blinded by the user, not yet signed 207 repeated BlindedToken blinded_tokens = 1; 208} 209 210message AnonymousTokensSignResponse { 211 // Next ID: 7 212 message AnonymousToken { 213 // Use case associated with this anonymous token. 214 bytes use_case = 1; 215 216 // Version of key used to sign and generate the token. 217 int64 key_version = 2; 218 219 // Public metadata tied to the input (serialized_blinded_message) and the 220 // `blinded` signature (serialized_token). 221 // 222 // The length of public metadata must fit in 4 bytes. 223 bytes public_metadata = 4; 224 225 // This value is disregarded for standard blind RSA signatures. 226 // 227 // For the public metadata protocol, if this value is set to false, the 228 // final public exponent is derived by using the RSA public exponent, the 229 // RSA modulus and the public metadata. If this value is set to true, only 230 // the RSA modulus and the public metadata will be used. 231 bool do_not_use_rsa_public_exponent = 6; 232 233 // The serialized_token in BlindedToken in the AnonymousTokensSignRequest. 234 bytes serialized_blinded_message = 5; 235 236 // Serialization of the signed token. This will have to be `unblinded` by 237 // the user before it can be used / redeemed. 238 bytes serialized_token = 3; 239 } 240 241 // Returned anonymous token(s) 242 repeated AnonymousToken anonymous_tokens = 1; 243} 244 245message AnonymousTokensRedemptionRequest { 246 // Next ID: 7 247 message AnonymousTokenToRedeem { 248 // Use case associated with this anonymous token that needs to be redeemed. 249 bytes use_case = 1; 250 251 // Version of key associated with this anonymous token that needs to be 252 // redeemed. 253 int64 key_version = 2; 254 255 // Public metadata to be used for redeeming the signature 256 // (serialized_unblinded_token). 257 // 258 // The length of public metadata must fit in 4 bytes. 259 bytes public_metadata = 4; 260 261 // Serialization of the unblinded anonymous token that needs to be redeemed. 262 bytes serialized_unblinded_token = 3; 263 264 // Plaintext input message to verify the signature for. 265 bytes plaintext_message = 5; 266 267 // Nonce used to mask plaintext message before cryptographic verification. 268 bytes message_mask = 6; 269 } 270 271 // One or more anonymous tokens to redeem. 272 repeated AnonymousTokenToRedeem anonymous_tokens_to_redeem = 1; 273} 274 275message AnonymousTokensRedemptionResponse { 276 // Next ID: 9 277 message AnonymousTokenRedemptionResult { 278 // Use case associated with this redeemed anonymous token. 279 bytes use_case = 3; 280 281 // Version of key associated with this redeemed anonymous token. 282 int64 key_version = 4; 283 284 // Public metadata used for verifying the signature 285 // (serialized_unblinded_token). 286 // 287 // The length of public metadata must fit in 4 bytes. 288 bytes public_metadata = 5; 289 290 // Serialization of this redeemed unblinded anonymous token. 291 bytes serialized_unblinded_token = 6; 292 293 // Unblinded input message that the signature was verified against. 294 bytes plaintext_message = 7; 295 296 // Nonce used to mask plaintext message before cryptographic verification. 297 bytes message_mask = 8; 298 299 // Returns true if and only if the anonymous token was redeemed 300 // successfully i.e. token was cryptographically verified, all relevant 301 // state in the server was updated successfully and the token was not 302 // redeemed already. 303 // 304 bool verified = 1; 305 306 // Returns true if and only if the anonymous token has already been 307 // redeemed. 308 bool double_spent = 2; 309 } 310 311 // Redemption response for requested anonymous tokens. 312 repeated AnonymousTokenRedemptionResult anonymous_token_redemption_results = 313 1; 314} 315 316// Plaintext message with public metadata. 317message PlaintextMessageWithPublicMetadata { 318 // Message to be signed. 319 bytes plaintext_message = 1; 320 321 // Public metadata to be tied to the signature. 322 bytes public_metadata = 2; 323} 324 325// Proto representing a token created during the blind signing protocol. 326message RSABlindSignatureToken { 327 // Resulting token from the blind signing protocol. 328 bytes token = 1; 329 330 // Nonce used to mask messages. 331 bytes message_mask = 2; 332} 333 334// Proto representing a token along with the input. 335message RSABlindSignatureTokenWithInput { 336 // Input consisting of plaintext message and public metadata. 337 PlaintextMessageWithPublicMetadata input = 1; 338 339 // Resulting token after blind signing protocol. 340 RSABlindSignatureToken token = 2; 341} 342 343// Proto representing redemption result along with the token and the token 344// input. 345message RSABlindSignatureRedemptionResult { 346 // Proto representing a token along with the input. 347 RSABlindSignatureTokenWithInput token_with_input = 1; 348 349 // This is set to true if and only if the anonymous token was redeemed 350 // successfully i.e. token was cryptographically verified, all relevant 351 // state in the redemption server was updated successfully and the token was 352 // not redeemed already. 353 bool redeemed = 2; 354 355 // True if and only if the token was redeemed before. 356 bool double_spent = 3; 357} 358