IBM · ale-linux · Aug 26, 2024 · Nov 7, 2023
diff --git a/bccsp/handlers/nymsigner.go b/bccsp/handlers/nymsigner.go
@@ -132,7 +132,8 @@ func (v *NymVerifier) Verify(k types.Key, signature, digest []byte, opts types.S
 		ipk.pk,
 		nymPublicKey.pk,
 		signature,
-		digest)
+		digest,
+		signerOpts.SKIndex)
 	if err != nil {
 		return false, err
 	}

diff --git a/bccsp/handlers/signer.go b/bccsp/handlers/signer.go
@@ -7,23 +7,22 @@ package handlers
 
 import (
 	"crypto/ecdsa"
-	"github.com/pkg/errors"
 
 	"github.com/IBM/idemix/bccsp/types"
-	bccsp "github.com/IBM/idemix/bccsp/types"
+	"github.com/pkg/errors"
 )
 
 type Signer struct {
 	SignatureScheme types.SignatureScheme
 }
 
-func (s *Signer) Sign(k bccsp.Key, digest []byte, opts bccsp.SignerOpts) ([]byte, error) {
+func (s *Signer) Sign(k types.Key, digest []byte, opts types.SignerOpts) ([]byte, error) {
 	userSecretKey, ok := k.(*UserSecretKey)
 	if !ok {
 		return nil, errors.New("invalid key, expected *userSecretKey")
 	}
 
-	signerOpts, ok := opts.(*bccsp.IdemixSignerOpts)
+	signerOpts, ok := opts.(*types.IdemixSignerOpts)
 	if !ok {
 		return nil, errors.New("invalid options, expected *IdemixSignerOpts")
 	}
@@ -73,13 +72,13 @@ type Verifier struct {
 	SignatureScheme types.SignatureScheme
 }
 
-func (v *Verifier) AuditNymEid(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) {
+func (v *Verifier) AuditNymEid(k types.Key, signature, digest []byte, opts types.SignerOpts) (bool, error) {
 	issuerPublicKey, ok := k.(*issuerPublicKey)
 	if !ok {
 		return false, errors.New("invalid key, expected *issuerPublicKey")
 	}
 
-	signerOpts, ok := opts.(*bccsp.EidNymAuditOpts)
+	signerOpts, ok := opts.(*types.EidNymAuditOpts)
 	if !ok {
 		return false, errors.New("invalid options, expected *EidNymAuditOpts")
 	}
@@ -91,6 +90,7 @@ func (v *Verifier) AuditNymEid(k bccsp.Key, signature, digest []byte, opts bccsp
 	err := v.SignatureScheme.AuditNymEid(
 		issuerPublicKey.pk,
 		signerOpts.EidIndex,
+		signerOpts.SKIndex,
 		signature,
 		signerOpts.EnrollmentID,
 		signerOpts.RNymEid,
@@ -103,13 +103,13 @@ func (v *Verifier) AuditNymEid(k bccsp.Key, signature, digest []byte, opts bccsp
 	return true, nil
 }
 
-func (v *Verifier) AuditNymRh(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) {
+func (v *Verifier) AuditNymRh(k types.Key, signature, digest []byte, opts types.SignerOpts) (bool, error) {
 	issuerPublicKey, ok := k.(*issuerPublicKey)
 	if !ok {
 		return false, errors.New("invalid key, expected *issuerPublicKey")
 	}
 
-	signerOpts, ok := opts.(*bccsp.RhNymAuditOpts)
+	signerOpts, ok := opts.(*types.RhNymAuditOpts)
 	if !ok {
 		return false, errors.New("invalid options, expected *RhNymAuditOpts")
 	}
@@ -121,6 +121,7 @@ func (v *Verifier) AuditNymRh(k bccsp.Key, signature, digest []byte, opts bccsp.
 	err := v.SignatureScheme.AuditNymRh(
 		issuerPublicKey.pk,
 		signerOpts.RhIndex,
+		signerOpts.SKIndex,
 		signature,
 		signerOpts.RevocationHandle,
 		signerOpts.RNymRh,
@@ -133,13 +134,13 @@ func (v *Verifier) AuditNymRh(k bccsp.Key, signature, digest []byte, opts bccsp.
 	return true, nil
 }
 
-func (v *Verifier) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) {
+func (v *Verifier) Verify(k types.Key, signature, digest []byte, opts types.SignerOpts) (bool, error) {
 	issuerPublicKey, ok := k.(*issuerPublicKey)
 	if !ok {
 		return false, errors.New("invalid key, expected *issuerPublicKey")
 	}
 
-	signerOpts, ok := opts.(*bccsp.IdemixSignerOpts)
+	signerOpts, ok := opts.(*types.IdemixSignerOpts)
 	if !ok {
 		return false, errors.New("invalid options, expected *IdemixSignerOpts")
 	}
@@ -163,6 +164,7 @@ func (v *Verifier) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.Sign
 		signerOpts.Attributes,
 		signerOpts.RhIndex,
 		signerOpts.EidIndex,
+		signerOpts.SKIndex,
 		rPK,
 		signerOpts.Epoch,
 		signerOpts.VerificationType,

diff --git a/bccsp/schemes/aries/cred.go b/bccsp/schemes/aries/cred.go
@@ -16,8 +16,9 @@ import (
 )
 
 type Cred struct {
-	Bls   *bbs12381g2pub.BBSG2Pub
-	Curve *math.Curve
+	Bls                *bbs12381g2pub.BBSG2Pub
+	Curve              *math.Curve
+	UserSecretKeyIndex int
 }
 
 // Sign issues a new credential, which is the last step of the interactive issuance protocol
@@ -34,7 +35,7 @@ func (c *Cred) Sign(key types.IssuerSecretKey, credentialRequest []byte, attribu
 		return nil, fmt.Errorf("ParseBlindedMessages failed [%w]", err)
 	}
 
-	msgsZr := attributesToSignatureMessage(nil, attributes, c.Curve)
+	msgsZr := attributesToSignatureMessage(attributes, c.Curve, c.UserSecretKeyIndex)
 
 	sig, err := BlindSign(msgsZr, len(attributes)+1, blindedMsg.C, isk.SK.FR.Bytes(), c.Curve)
 	if err != nil {
@@ -78,31 +79,39 @@ func (c *Cred) Verify(sk *math.Zr, key types.IssuerPublicKey, credBytes []byte,
 		return fmt.Errorf("ParseSignature failed [%w]", err)
 	}
 
-	sm := make([]*bbs12381g2pub.SignatureMessage, len(credential.Attrs)+1)
-	sm[0] = &bbs12381g2pub.SignatureMessage{
-		FR:  sk,
-		Idx: 0,
-	}
-	for i, v := range credential.Attrs {
-		sm[i+1] = &bbs12381g2pub.SignatureMessage{
-			FR:  c.Curve.NewZrFromBytes(v),
-			Idx: i + 1,
+	i := 0
+	sm := make([]*bbs12381g2pub.SignatureMessage, len(ipk.PKwG.H))
+	for j := range ipk.PKwG.H {
+		if j == int(credential.SkPos) {
+			sm[j] = &bbs12381g2pub.SignatureMessage{
+				FR:  sk,
+				Idx: j,
+			}
+
+			continue
+		}
+
+		sm[j] = &bbs12381g2pub.SignatureMessage{
+			FR:  c.Curve.NewZrFromBytes(credential.Attrs[i]),
+			Idx: j,
 		}
 
 		switch attributes[i].Type {
 		case types.IdemixHiddenAttribute:
 			continue
 		case types.IdemixBytesAttribute:
 			fr := bbs12381g2pub.FrFromOKM(attributes[i].Value.([]byte), c.Curve)
-			if !fr.Equals(sm[i+1].FR) {
+			if !fr.Equals(sm[j].FR) {
 				return errors.Errorf("credential does not contain the correct attribute value at position [%d]", i)
 			}
 		case types.IdemixIntAttribute:
 			fr := c.Curve.NewZrFromInt(int64(attributes[i].Value.(int)))
-			if !fr.Equals(sm[i+1].FR) {
+			if !fr.Equals(sm[j].FR) {
 				return errors.Errorf("credential does not contain the correct attribute value at position [%d]", i)
 			}
 		}
+
+		i++
 	}
 
 	return sigma.Verify(sm, ipk.PKwG)

diff --git a/bccsp/schemes/aries/cred.pb.go b/bccsp/schemes/aries/cred.pb.go
diff --git a/bccsp/schemes/aries/cred.proto b/bccsp/schemes/aries/cred.proto
@@ -14,6 +14,7 @@ package aries;
 message Credential {
 	bytes cred = 1;
 	repeated bytes attrs = 2;
+	int32 sk_pos = 3;
 }
 
 // Signature is a PoK of a BBS+ signature (a credential)

diff --git a/bccsp/schemes/aries/credrequest.go b/bccsp/schemes/aries/credrequest.go
@@ -15,7 +15,8 @@ import (
 )
 
 type CredRequest struct {
-	Curve *math.Curve
+	Curve              *math.Curve
+	UserSecretKeyIndex int
 }
 
 // Sign creates a new Credential Request, the first message of the interactive credential issuance protocol
@@ -27,7 +28,7 @@ func (c *CredRequest) Blind(sk *math.Zr, key types.IssuerPublicKey, nonce []byte
 	}
 
 	zrs := make([]*math.Zr, ipk.N+1)
-	zrs[UserSecretKeyIndex] = sk
+	zrs[c.UserSecretKeyIndex] = sk
 
 	blindedMsg, err := BlindMessagesZr(zrs, ipk.PK, 1, nonce, c.Curve)
 	if err != nil {
@@ -45,7 +46,7 @@ func (c *CredRequest) BlindVerify(credRequest []byte, key types.IssuerPublicKey,
 	}
 
 	bitmap := make([]bool, ipk.N+1)
-	bitmap[UserSecretKeyIndex] = true
+	bitmap[c.UserSecretKeyIndex] = true
 
 	blindedMsg, err := ParseBlindedMessages(credRequest, c.Curve)
 	if err != nil {

diff --git a/bccsp/schemes/aries/issuer.go b/bccsp/schemes/aries/issuer.go
@@ -18,9 +18,6 @@ import (
 // TODO:
 // * expose curve from aries so we can use always that curve
 
-// UserSecretKeyIndex is the index of `sk` among the attributes
-const UserSecretKeyIndex = 0
-
 // IssuerPublicKey is the issuer public key
 type IssuerPublicKey struct {
 	PK   *bbs12381g2pub.PublicKey

diff --git a/bccsp/schemes/aries/nymsigner.go b/bccsp/schemes/aries/nymsigner.go
@@ -18,8 +18,9 @@ import (
 const nymSigLabel = "nym-sig"
 
 type NymSigner struct {
-	Curve *math.Curve
-	Rng   io.Reader
+	Curve              *math.Curve
+	Rng                io.Reader
+	UserSecretKeyIndex int
 }
 
 // Sign creates a new idemix pseudonym signature
@@ -39,7 +40,7 @@ func (s *NymSigner) Sign(
 
 	commit := bbs12381g2pub.NewBBSLib(s.Curve).NewProverCommittingG1()
 	commit.Commit(ipk.PKwG.H0)
-	commit.Commit(ipk.PKwG.H[0])
+	commit.Commit(ipk.PKwG.H[s.UserSecretKeyIndex])
 	commitNym := commit.Finish()
 
 	challengeBytes := []byte(nymSigLabel)
@@ -68,6 +69,7 @@ func (s *NymSigner) Verify(
 	key types.IssuerPublicKey,
 	Nym *math.G1,
 	sigBytes, digest []byte,
+	skIndex int,
 ) error {
 	ipk, ok := key.(*IssuerPublicKey)
 	if !ok {
@@ -88,7 +90,7 @@ func (s *NymSigner) Verify(
 	challengeBytes := []byte(nymSigLabel)
 	challengeBytes = append(challengeBytes, Nym.Bytes()...)
 	challengeBytes = append(challengeBytes, ipk.PKwG.H0.Bytes()...)
-	challengeBytes = append(challengeBytes, ipk.PKwG.H[0].Bytes()...)
+	challengeBytes = append(challengeBytes, ipk.PKwG.H[skIndex].Bytes()...)
 	challengeBytes = append(challengeBytes, nymProof.Commitment.Bytes()...)
 	challengeBytes = append(challengeBytes, digest...)
 
@@ -98,5 +100,5 @@ func (s *NymSigner) Verify(
 	challengeBytes = append(challengeBytes, sig.Nonce...)
 	proofChallenge = bbs12381g2pub.FrFromOKM(challengeBytes, s.Curve)
 
-	return nymProof.Verify([]*math.G1{ipk.PKwG.H0, ipk.PKwG.H[0]}, Nym, proofChallenge)
+	return nymProof.Verify([]*math.G1{ipk.PKwG.H0, ipk.PKwG.H[skIndex]}, Nym, proofChallenge)
 }