[FAB-8921] add idemix revocation authority

Manu Drijvers · Manu Drijvers · commit 9570d473f572 · 2018-05-14T14:27:34.000+02:00
This commit adds the idemix revocaiton authority,
which creates the 'whitelist' idemix users will
use to prove that they are unrevoked.

Change-Id: Ie59a06acd9a3550ae36595875b1ca71106369a05
Signed-off-by: Manu Drijvers &lt;mdr@zurich.ibm.com&gt;
diff --git a/idemix/idemix.pb.go b/idemix/idemix.pb.go
diff --git a/idemix/idemix_test.go b/idemix/idemix_test.go
@@ -108,6 +108,27 @@ func TestIdemix(t *testing.T) {
 	assert.Error(t, cred.Ver(sk, key.IPk), "credential with nil attribute should be invalid")
 	cred.Attrs = attrsBackup
 
+	// Generate a revocation key pair
+	revocationKey, err := GenerateLongTermRevocationKey()
+	assert.NoError(t, err)
+
+	// Create CRI that contains no revocation mechanism
+	epoch := 0
+	cri, err := CreateCRI(revocationKey, []*FP256BN.BIG{}, epoch, ALG_NO_REVOCATION, rng)
+	assert.NoError(t, err)
+	err = VerifyEpochPK(&revocationKey.PublicKey, cri.EpochPK, cri.EpochPKSig, int(cri.Epoch), RevocationAlgorithm(cri.RevocationAlg))
+	assert.NoError(t, err)
+
+	// make sure that epoch pk is not valid in future epoch
+	err = VerifyEpochPK(&revocationKey.PublicKey, cri.EpochPK, cri.EpochPKSig, int(cri.Epoch)+1, RevocationAlgorithm(cri.RevocationAlg))
+	assert.Error(t, err)
+
+	// Test bad input
+	_, err = CreateCRI(nil, []*FP256BN.BIG{}, epoch, ALG_NO_REVOCATION, rng)
+	assert.Error(t, err)
+	_, err = CreateCRI(revocationKey, []*FP256BN.BIG{}, epoch, ALG_NO_REVOCATION, nil)
+	assert.Error(t, err)
+
 	// Test signing no disclosure
 	Nym, RandNym := MakeNym(sk, key.IPk, rng)
 
diff --git a/idemix/revocation_authority.go b/idemix/revocation_authority.go
@@ -0,0 +1,104 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package idemix
+
+import (
+	"crypto/ecdsa"
+
+	"crypto/rand"
+	"crypto/sha256"
+
+	"crypto/elliptic"
+
+	"math/big"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric-amcl/amcl"
+	"github.com/hyperledger/fabric-amcl/amcl/FP256BN"
+	"github.com/pkg/errors"
+)
+
+type RevocationAlgorithm int32
+
+const (
+	ALG_NO_REVOCATION RevocationAlgorithm = iota
+)
+
+var ProofBytes = map[RevocationAlgorithm]int{
+	ALG_NO_REVOCATION: 0,
+}
+
+// GenerateLongTermRevocationKey generates a long term signing key that will be used for revocation
+func GenerateLongTermRevocationKey() (*ecdsa.PrivateKey, error) {
+	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+}
+
+// CreateCRI creates the Credential Revocation Information for a certain time period (epoch).
+// Users can use the CRI to prove that they are not revoked.
+func CreateCRI(key *ecdsa.PrivateKey, unrevokedHandles []*FP256BN.BIG, epoch int, alg RevocationAlgorithm, rng *amcl.RAND) (*CredentialRevocationInformation, error) {
+	if key == nil || rng == nil {
+		return nil, errors.Errorf("CreateCRI received nil input")
+	}
+	cri := &CredentialRevocationInformation{}
+	cri.RevocationAlg = int32(alg)
+	cri.Epoch = int64(epoch)
+
+	if alg == ALG_NO_REVOCATION {
+		// put a dummy PK in the proto
+		cri.EpochPK = Ecp2ToProto(GenG2)
+	} else {
+		// create epoch key
+		_, epochPk := WBBKeyGen(rng)
+		cri.EpochPK = Ecp2ToProto(epochPk)
+	}
+
+	// sign epoch + epoch key with long term key
+	bytesToSign, err := proto.Marshal(cri)
+	digest := sha256.New().Sum(bytesToSign)
+
+	pkSigR, pkSigS, err := ecdsa.Sign(rand.Reader, key, digest)
+	if err != nil {
+		return nil, err
+	}
+	cri.EpochPKSig = append(pkSigR.Bytes(), pkSigS.Bytes()...)
+
+	if alg == ALG_NO_REVOCATION {
+		return cri, nil
+	} else {
+		return nil, errors.Errorf("the specified revocation algorithm is not supported.")
+	}
+}
+
+// VerifyEpochPK verifies that the revocation PK for a certain epoch is valid,
+// by checking that it was signed with the long term revocation key.
+// Note that even if we use no revocation (i.e., alg = ALG_NO_REVOCATION), we need
+// to verify the signature to make sure the issuer indeed signed that no revocation
+// is used in this epoch.
+func VerifyEpochPK(pk *ecdsa.PublicKey, epochPK *ECP2, epochPkSig []byte, epoch int, alg RevocationAlgorithm) error {
+	if pk == nil || epochPK == nil {
+		return errors.Errorf("EpochPK invalid: received nil input")
+	}
+	cri := &CredentialRevocationInformation{}
+	cri.RevocationAlg = int32(alg)
+	cri.EpochPK = epochPK
+	cri.Epoch = int64(epoch)
+	bytesToSign, err := proto.Marshal(cri)
+	if err != nil {
+		return err
+	}
+	digest := sha256.New().Sum(bytesToSign)
+	sigR := &big.Int{}
+	sigR.SetBytes(epochPkSig[0 : len(epochPkSig)/2])
+	sigS := &big.Int{}
+	sigS.SetBytes(epochPkSig[len(epochPkSig)/2:])
+
+	if !ecdsa.Verify(pk, digest, sigR, sigS) {
+		return errors.Errorf("EpochPKSig invalid")
+	}
+
+	return nil
+}
diff --git a/protos/idemix/idemix.proto b/protos/idemix/idemix.proto
@@ -117,4 +117,21 @@ message NymSignature {
     bytes ProofSRNym = 3;
     // Nonce is a fresh nonce used for the signature
     bytes Nonce = 4;
+}
+
+message CredentialRevocationInformation {
+	// Epoch contains the epoch (time window) in which this CRI is valid
+	int64 Epoch = 1;
+
+	// EpochPK is the public key that is used by the revocation authority in this epoch
+	ECP2 EpochPK = 2;
+
+	// EpochPKSig is a signature on the EpochPK valid under the revocation authority's long term key
+	bytes EpochPKSig = 3;
+
+	// RevocationAlg denotes which revocation algorithm is used
+	int32 RevocationAlg = 4;
+
+	// RevocationData contains data specific to the revocation algorithm used
+	bytes RevocationData = 5;
 }
