/*
 * Copyright 2019 Google LLC.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
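// Messages for the Boneh-Boyen oblivious signature protocol: parameters,
// keys, requests, responses and the proofs that accompany them.
syntax = "proto3";

package private_join_and_compute.proto;

import "private_join_and_compute/crypto/proto/big_num.proto";
import "private_join_and_compute/crypto/proto/camenisch_shoup.proto";
import "private_join_and_compute/crypto/proto/ec_point.proto";
import "private_join_and_compute/crypto/proto/pedersen.proto";

option java_multiple_files = true;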
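// Public parameters for the Boneh-Boyen oblivious signature scheme.
//
// NOTE(review): when this message is received from another party or read
// from storage that party can write to, every field is untrusted input.
// Range-check the two bit lengths and validate base_g, the Camenisch-Shoup
// public key and the Pedersen parameters before any of them is used.
message BbObliviousSignatureParameters {
  // How many bits (more than the challenge bits) to add to each
  // dummy opening (aka sigma protocol lambda). This also impacts the sizes of
  // some masks in the protocol.
  // The type is signed, so a decoded value can be zero or negative; reject
  // such values instead of sizing masks from them.
  int64 security_parameter = 1;
  // How many bits the challenge has.
  // Signed as well; reject zero or negative values on receipt.
  int64 challenge_length_bits = 2;
  // NOTE(review): presumably a prefix fed to the random oracle that derives
  // the proof challenges, acting as a domain separator - confirm against the
  // implementation.
  bytes random_oracle_prefix = 3;
  // Serialized ECPoint. Base to use for the Signature.
  // NOTE(review): a receiver should check that the bytes decode to a valid
  // group element before using them as a base - confirm where this is done.
  bytes base_g = 4;
  // Public key for the associated CamenischShoup keypair.
  CamenischShoupPublicKey camenisch_shoup_public_key = 5;
  // PedersenParameters for the associated commitment scheme. The batch size
  // for the Pedersen parameters is effectively the max number of messages that
  // can be simultaneously requested. The vector_encryption_length of
  // camenisch_shoup_public_key must divide the pedersen batch size.
  PedersenParameters pedersen_parameters = 6;
}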
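// Public key for the Boneh-Boyen oblivious signature.
//
// Implicitly linked to commitment-parameters for a Pedersen batch-commitment
// scheme and a keypair for the Camenisch Shoup encryption scheme. The Pedersen
// commitment parameters and Camenisch-Shoup public key are implicitly part of
// the Public Key.
message BbObliviousSignaturePublicKey {
  // The i'th ciphertext contains an encryption of the secret value in the i'th
  // component of the vector-encryption, and 0 elsewhere.
  // NOTE(review): presumably the secret value is k from
  // BbObliviousSignaturePrivateKey - confirm.
  repeated CamenischShoupCiphertext encrypted_k = 1;
  // NOTE(review): presumably laid out like encrypted_k, with y from
  // BbObliviousSignaturePrivateKey as the encrypted value - confirm.
  repeated CamenischShoupCiphertext encrypted_y = 2;
}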
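// A private key for the Boneh-Boyen oblivious signature. To be used by the
// "Sender" in the scheme. The secret key for the associated Camenisch-Shoup
// keypair is implicitly part of the Private Key.
//
// Both fields are secret key material. This message should stay with the
// Sender: do not log it, do not embed it in a message that goes to the other
// party, and protect it at rest like any other signing key.
message BbObliviousSignaturePrivateKey {
  // Serialized BigNum.
  bytes k = 1;
  // NOTE(review): presumably a serialized BigNum like k - confirm.
  bytes y = 2;
}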
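// A request for oblivious signatures on a batch of messages.
message BbObliviousSignatureRequest {
  // Field number 2 is reserved and must not be reused.
  reserved 2;
  // Number of messages in the request.
  // This value is chosen by the requester. The comment on
  // BbObliviousSignatureParameters.pedersen_parameters gives the Pedersen
  // batch size as the effective maximum, so the party handling the request
  // should check num_messages against that bound, and against the number of
  // ciphertexts below, before sizing any buffer or loop from it.
  uint64 num_messages = 1;
  // There will be as many Camenisch-Shoup ciphertexts as needed to fit the
  // messages.
  repeated CamenischShoupCiphertext repeated_encrypted_masked_messages = 3;
}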
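// Proof that accompanies a BbObliviousSignatureRequest.
//
// The proof itself carries four commitments, the challenge and Message2.
// Statement and Message1 are declared here but are not fields of the proof.
// NOTE(review): that layout matches a Fiat-Shamir sigma protocol in which the
// verifier rebuilds Message1 and recomputes the challenge - confirm against
// the implementation.
message BbObliviousSignatureRequestProof {
  // The public statement being proven.
  // NOTE(review): if Statement and Message1 are hashed in serialized form to
  // derive the challenge, prover and verifier must produce identical bytes
  // for them. Protobuf serialization is not canonical in general, so confirm
  // how the implementation encodes these messages before hashing.
  message Statement {
    BbObliviousSignatureParameters parameters = 1;
    BbObliviousSignaturePublicKey public_key = 2;
    // Serialized BigNum, corresponding to the Pedersen Commitment to the
    // messages.
    bytes commit_messages = 3;
    // Serialized BigNum, corresponding to the Pedersen Commitment to the
    // rs.
    bytes commit_rs = 4;
    // The Pedersen commitments to mask values a. The i'th commitment contains a
    // commitment to as[i] in the i'th batch-position, and 0 elsewhere.
    BigNumVector commit_as = 5;
    // The batch-commitment to mask values b.
    bytes commit_bs = 6;
    // The batch commitment to alphas. alphas[i] = messages[i] * as[i]. Computed
    // as (Prod_i Com(as[i])^bs[i]) * Com(0, alpha_opening).
    bytes commit_alphas = 7;
    // The batch Pedersen commitment to gammas. gammas[i] = rs[i] * as[i].
    // Computed as (Prod_i Com(as[i])^rs[i]) * Com(0, gamma_opening).
    bytes commit_gammas = 8;
    // The request this proof is about.
    BbObliviousSignatureRequest request = 9;
  }

  // First message of the sigma protocol: the dummy commitments and dummy
  // ciphertexts.
  message Message1 {
    // Field number 9 is reserved and must not be reused.
    reserved 9;
    // NOTE(review): presumably a serialized BigNum, the dummy counterpart of
    // Statement.commit_messages - confirm.
    bytes dummy_commit_messages = 1;
    // NOTE(review): presumably a serialized BigNum, the dummy counterpart of
    // Statement.commit_rs - confirm.
    bytes dummy_commit_rs = 2;
    // BigNumVector of Pedersen Commitments (the field is a vector, not a
    // single serialized BigNum).
    BigNumVector dummy_commit_as = 3;
    // Serialized BigNum corresponding to a Pedersen Commitment.
    bytes dummy_commit_bs = 4;
    // Serialized BigNum corresponding to a Pedersen Commitment. Computed as a
    // standard dummy commitment.
    bytes dummy_commit_alphas_1 = 5;
    // Serialized BigNum corresponding to a Pedersen Commitment. Computed as
    // Prod_i commit_as[i]^dummy_bs[i] * Com(0, dummy_alpha_opening_2).
    bytes dummy_commit_alphas_2 = 6;
    // Serialized BigNum corresponding to a Pedersen Commitment. Computed as a
    // standard dummy commitment.
    bytes dummy_commit_gammas_1 = 7;
    // Serialized BigNum corresponding to a Pedersen Commitment. Computed as
    // Prod_i commit_as[i]^dummy_rs[i] * Com(0, dummy_gamma_opening_2).
    bytes dummy_commit_gammas_2 = 8;
    // One dummy ciphertext per ciphertext in the request.
    repeated CamenischShoupCiphertext repeated_dummy_encrypted_masked_messages =
        10;
  }

  // Final message of the sigma protocol: the masked dummy values and the
  // masked openings of the dummy commitments.
  // A verifier should check that each vector has the length the Statement
  // implies before indexing into it.
  message Message2 {
    // Field number 15 is reserved and must not be reused.
    reserved 15;
    BigNumVector masked_dummy_messages = 1;
    // Serialized BigNum corresponding to a Pedersen Commitment Opening.
    bytes masked_dummy_messages_opening = 2;
    BigNumVector masked_dummy_rs = 3;
    // Serialized BigNum corresponding to a Pedersen Commitment Opening.
    bytes masked_dummy_rs_opening = 4;
    BigNumVector masked_dummy_as = 5;
    // BigNumVector corresponding to each Pedersen Commitment Opening.
    BigNumVector masked_dummy_as_opening = 6;
    BigNumVector masked_dummy_bs = 7;
    // Serialized BigNum corresponding to a Pedersen Commitment Opening.
    bytes masked_dummy_bs_opening = 8;
    BigNumVector masked_dummy_alphas = 9;
    // The Pedersen Commitment opening corresponding to dummy_commit_alphas_1.
    bytes masked_dummy_alphas_opening_1 = 10;
    // The Pedersen Commitment opening corresponding to dummy_commit_alphas_2.
    bytes masked_dummy_alphas_opening_2 = 11;
    BigNumVector masked_dummy_gammas = 12;
    // The Pedersen Commitment opening corresponding to dummy_commit_gammas_1.
    bytes masked_dummy_gammas_opening_1 = 13;
    // The Pedersen Commitment opening corresponding to dummy_commit_gammas_2.
    bytes masked_dummy_gammas_opening_2 = 14;
    // One dummy encryption randomness for each ciphertext in the request.
    BigNumVector masked_dummy_encryption_randomness_per_ciphertext = 16;
  }

  // NOTE(review): the next four fields presumably carry the prover's values
  // for the Statement fields of the same names - confirm.
  BigNumVector commit_as = 1;
  bytes commit_bs = 2;
  bytes commit_alphas = 3;
  bytes commit_gammas = 4;

  // NOTE(review): presumably derived from Statement and Message1 via
  // Fiat-Shamir, as the comment on BbObliviousSignatureResponseProof.challenge
  // states for the response proof - confirm. A verifier should recompute the
  // challenge and compare it with this field, never accept the transmitted
  // value as given.
  bytes challenge = 5;
  Message2 message_2 = 6;
}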
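// State the requester keeps after building a request, for use when the
// response arrives.
//
// The masks are secret to the requester. Keep this message local: do not send
// it with the request and do not log it.
message BbObliviousSignatureRequestPrivateState {
  // Masks needed in order to recover the signature from the response.
  BigNumVector private_as = 1;
}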
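// Reply to a BbObliviousSignatureRequest.
message BbObliviousSignatureResponse {
  // NOTE(review): presumably one masked signature (an EC point) per requested
  // message, to be unmasked with
  // BbObliviousSignatureRequestPrivateState.private_as - confirm. The
  // recipient should check the vector length against the request and validate
  // each point before using it.
  ECPointVector masked_signature_values = 1;
}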
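// Proof that accompanies a BbObliviousSignatureResponse.
//
// The proof itself carries commit_betas, the challenge and Message2.
// Statement and Message1 are declared here but are not fields of the proof;
// they are the inputs to the Fiat-Shamir challenge.
message BbObliviousSignatureResponseProof {
  // The public statement being proven.
  // NOTE(review): if Statement and Message1 are hashed in serialized form to
  // derive the challenge, prover and verifier must produce identical bytes
  // for them. Protobuf serialization is not canonical in general, so confirm
  // how the implementation encodes these messages before hashing.
  message Statement {
    BbObliviousSignatureParameters parameters = 1;
    BbObliviousSignaturePublicKey public_key = 2;
    // Serialized BigNum, corresponding to the Pedersen Commitment to the
    // messages.
    bytes commit_messages = 3;
    // Serialized BigNum, corresponding to the Pedersen Commitment to rs.
    bytes commit_rs = 4;
    BbObliviousSignatureRequest request = 5;
    BbObliviousSignatureResponse response = 6;
    // Commitment to the values decrypted from the Request.
    bytes commit_betas = 7;
  }

  // First message of the sigma protocol: the dummy values.
  message Message1 {
    // Field number 3 is reserved and must not be reused.
    reserved 3;
    // Dummy version of the Camenisch Shoup public key ys.
    BigNumVector dummy_camenisch_shoup_ys = 1;
    // Serialized BigNum corresponding to a dummy Pedersen Commitment.
    bytes dummy_commit_betas = 2;
    // For each masked_signature_value, we show that
    // masked_signature_value^beta = base_g. Serialized ECPoints.
    ECPointVector dummy_base_gs = 4;
    // One dummy_encrypted_masked_messages_es for each ciphertext in the
    // request.
    repeated BigNumVector repeated_dummy_encrypted_masked_messages_es = 5;
  }

  // Final message of the sigma protocol.
  // NOTE(review): the names suggest masked dummy values for the
  // Camenisch-Shoup secret xs and for the betas, plus the masked opening of
  // dummy_commit_betas - confirm. A verifier should check the vector lengths
  // before indexing into them.
  message Message2 {
    BigNumVector masked_dummy_camenisch_shoup_xs = 1;
    BigNumVector masked_dummy_betas = 2;
    bytes masked_dummy_beta_opening = 3;
  }

  // Commitment to the values decrypted from the Request. Serialized BigNum.
  bytes commit_betas = 1;
  // Message 1 and Statement are used to create the challenge via FiatShamir.
  // Serialized BigNum.
  // A verifier should recompute the challenge from those inputs and compare
  // it with this field, never accept the transmitted value as given.
  bytes challenge = 2;
  Message2 message_2 = 3;
}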