1/* 2 * Copyright 2019 Google LLC. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * https://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16syntax = "proto3"; 17 18package private_join_and_compute.proto; 19 20import "private_join_and_compute/crypto/proto/big_num.proto"; 21import "private_join_and_compute/crypto/proto/ec_point.proto"; 22import "private_join_and_compute/crypto/proto/pedersen.proto"; 23 24 25option java_multiple_files = true; 26 27message DyVrfParameters { 28 // How many bits (more than the challenge bits) to add to each 29 // dummy opening (aka sigma protocol lambda). 30 int64 security_parameter = 1; 31 // How many bits the challenge has. 32 int64 challenge_length_bits = 2; 33 // Prefix to inject into the random oracle. 34 string random_oracle_prefix = 3; 35 // Serialized ECPoint 36 bytes dy_prf_base_g = 4; 37 // Parameters for the associated Pedersen Commitment Scheme. Implicitly 38 // determines the max number of messages that can be VRF'ed together in a 39 // single proof. 40 PedersenParameters pedersen_parameters = 5; 41} 42 43// Proof that the parameters were generated correctly. 44message DyVrfGenerateKeysProof { 45 message Statement { 46 DyVrfParameters parameters = 1; 47 DyVrfPublicKey public_key = 2; 48 } 49 message Message1 { 50 // Dummy commitment to the key in each slot of the Pedersen Commitment. 51 bytes dummy_commit_prf_key = 1; 52 } 53 54 message Message2 { 55 // Masked dummy PRF key underlying the masked dummy commitment in each slot. 56 // Serialized BigNum. 57 bytes masked_dummy_prf_key = 1; 58 // Opening to the masked dummy commitment to the PRF key. 59 bytes masked_dummy_opening = 2; 60 } 61 62 // Message 1 and Statement are used to create the challenge via FiatShamir. 63 // Serialized BigNum 64 bytes challenge = 1; 65 Message2 message_2 = 2; 66} 67 68// A public key for the Dodis-Yampolskiy Verifiable Random Function. Implicitly 69// linked to parameters for a Pedersen batch-commitment scheme. 70message DyVrfPublicKey { 71 // A commitment to a copy of the PRF key in each slot of the Pedersen 72 // Commitment. (Serialized BigNum) 73 bytes commit_prf_key = 1; 74} 75 76message DyVrfPrivateKey { 77 // The PRF key. (Serialized BigNum). 78 bytes prf_key = 1; 79 // An opening to commit_prf_key (serialized BigNum). 80 bytes open_commit_prf_key = 2; 81} 82 83message DyVrfApplyProof { 84 // Formalizes the statement being proved. This is defined only in order to 85 // be input to the random oracle, to produce the challenge. 86 message Statement { 87 DyVrfParameters parameters = 1; 88 DyVrfPublicKey public_key = 2; 89 // Serialized BigNum, corresponding to the Pedersen Commitment to the 90 // messages. 91 bytes commit_messages = 3; 92 // The actual PRF evaluations (serialized ECPoints). 93 ECPointVector prf_evaluations = 4; 94 } 95 96 // Message1 and the Statement feed into the Random Oracle to produce the 97 // proof challenge. 98 message Message1 { 99 // Serialized BigNum. 100 bytes commit_dummy_messages_plus_key = 1; 101 // Serialized ECPoints. 102 ECPointVector dummy_dy_prf_base_gs = 2; 103 } 104 105 // Second message of the ApplyProof. 106 message Message2 { 107 BigNumVector masked_dummy_messages_plus_key = 1; 108 // Serialized BigNum 109 bytes masked_dummy_opening = 2; 110 } 111 112 // The challenge will be generated using the Fiat-Shamir heuristic applied to 113 // Statement and Message1. 114 Message1 message_1 = 1; 115 Message2 message_2 = 2; 116}