MCPcopy Index your code
hub / github.com/IBM/idemix

github.com/IBM/idemix @v0.1.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.1.1 ↗ · + Follow
1,348 symbols 4,942 edges 123 files 468 documented · 35% 1 cross-repo links
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Idemix

License Go Report Card Go

This project is a Go implementation of an anonymous identity stack for blockchain systems.

Protocol

Here we describe the cryptographic protocol that is implemented.

Preliminaries

TBD (Group etc.)

Generation of issue certificate

The input for this step are the 4 attributes that are certified, namely OU, Role, EnrollmentID and RevocationHandle (call them $a_{0}, \ldots, a_{3}$).

Given these attributes, the CA samples the issuer secret key at random

$ISK \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

And then computes

$W \leftarrow g_{2}^{ISK}$

For each attribute $a_{i} \in \{a_{0}, \ldots, a_{3}\}$ the CA picks a random element $r_{i} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ and generates a base for that attribute

$H_{a_{i}} \leftarrow g_{1}^{r_{i}}$

The CA randomly selects $r_{ISK}, r, \bar{r}$ and computes bases

$H_{ISK} \leftarrow g_{1}^{r_{ISK}}$

$H_{r} \leftarrow g_{1}^{r}$

$\bar{g_1} \leftarrow g_{1}^{\bar{r}}$

$\bar{g_2} \leftarrow \bar{g_1}^{ISK}$

Then the CA randomly selects $r_p$ and computes

$t_1 \leftarrow g_2^{r_p}$

$t_2 \leftarrow \bar{g_1}^{r_p}$

It also generates

$C \leftarrow H(t_1||t_2||g_2||\bar{g_1}||W||\bar{g_2})$

$s \leftarrow r_{p} %2B C \cdot ISK$

The issuer public key $PK_{I}$ is

$PK_{I} \leftarrow \{ a_{0}, \ldots, a_{3}, H_{a_{0}}, \ldots, H_{a_{3}}, H_{ISK}, H_{r}, W, \bar{g_1}, \bar{g_2}, C, s, h_{CA} \}$

where $h_{CA}$ is a hash of all fields of the public key.

and the issuer private key is $SK_{I}$ is

$SK_{I} \leftarrow \{ ISK \}$

Generation of client certificate

Given a client $c$ with attributes $a_{c0}, \ldots, a_{c3}$, the client samples the secret key

$sk_{c} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and random elements

$r_{sk} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$nonce \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and then computes

$N \leftarrow H_{ISK}^{sk_{c}}$

$t \leftarrow H_{ISK}^{r_{sk}}$

$C \leftarrow H(t||H_{ISK}||N||nonce||h_{CA})$

$s \leftarrow r_{sk} %2B C \cdot sk_{c}$

The credential request sent to the CA is $\{ N, nonce, C, s \}$.

The CA computes

$t' \leftarrow \frac{H_{ISK}^{s}}{N^C}$

and checks whether

$C = H(t'||H_{ISK}||N||nonce||h_{CA})$

If so, the CA picks random elements

$E \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$S \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and computes

$$B \leftarrow g_{1} \cdot N \cdot H_{r}^S \cdot \prod_{i=0}^{4} H_{a_{i}}^{a_{ci}}$$

$e \leftarrow \frac{1}{E %2B ISK}$

$A \leftarrow B^e$

The CA returns the credential $\{ A, B, S, E \}$ to the user.

The user verifies the credential by computing

$$B' \leftarrow g_{1} \cdot H_{ISK}^{sk_{c}} \cdot H_{r}^S \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{ci}}$$

If $B \neq B'$ the user aborts. Otherwise it verifies the signature by checking whether the following equality

$e(g_{2}^E \cdot W, A) = e(g_{2}, B)$

holds. If so, the user accepts private key $SK_{C} \leftarrow \{ sk_{c} \}$ and the user public key is $PK_{C} \leftarrow \{ A, B, E, S \}$.

Generation of signature

To sign message $m$ and simultaneously disclose a subset of attributes $a_{c0}, \ldots, a_{c3}$ (tracked by the bits $d_{0}, \ldots, d_{3}$ such that if the bit is one the corresponding attribute is disclosed; notationally, $\bar{d}_{i} = d_{i} %2B 1 mod 2$), the client chooses a new random element $r_{n} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$ and generates a new pseudonym

$Nym \leftarrow N \cdot H_{r}^{r_{n}}$

And then generates the new signature as follows

$n \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_1 \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_2 \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_3 \leftarrow \frac{1}{r_1}$

$A' \leftarrow A^{r_1}$

$\bar{A} \leftarrow B^{r1} \cdot A'^{-E}$

$B' \leftarrow \frac{B^{r1}}{H_{r}^{r_2}}$

$S' \leftarrow S-r_2 \cdot r_3$

The client then generates random elements

$r_{sk_{c}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{e} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{r_2} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{r_3} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{S'} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{r_{n}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{a_{0}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{a_{1}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{a_{2}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{a_{3}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and then generates

$t_1 \leftarrow A'^{r_{e}} \cdot H_{r}^{r_{r_2}}$

$$t_2 \leftarrow B'^{r_{r_3}} \cdot H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{S'}} \cdot \prod_{i=0}^4 H_{a_{i}}^{r_{a_{i}} \bar{d}_i}$$

$t_3 \leftarrow H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{r_{n}}}$

$C \leftarrow H(H(t_1||t_2||t_3||A'||\bar{A}||B'||Nym||h_{CA}||d_0||\ldots||d_3||m)||n)$

$S_{sk_{c}} \leftarrow r_{sk_{c}} %2B sk_{c} C$

$S_{E} \leftarrow r_{e} - E C$

$S_{r_2} \leftarrow r_{r_2} %2B r_2 C$

$S_{r_3} \leftarrow r_{r_3} - r_3 C$

$S_{S'} \leftarrow r_{S'} %2B S' C$

$S_{r_{n}} \leftarrow r_{r_{n}} %2B r_{n} C$

and for each attribute $a_{i}$ that requires disclosure, it generates

$S_{a_{i}} \leftarrow r_{a_{i}} %2B a_{i} C$

The signature $\sigma$ is $\sigma \leftarrow \{ Nym, A', \bar{A}, B', C, S_{sk_{c}}, S_{E}, S_{r_2}, S_{r_3}, S_{S'}, S_{r_{n}}, \ldots S_{a_{i}} \ldots, d_{0}, \ldots, d_{3}, \ldots a_{i} \ldots, n \}$.

Verification of a signature

Upon receipt of a signature $\sigma$ is $\sigma \leftarrow \{ Nym, A', \bar{A}, B', C, S_{sk_{c}}, S_{E}, S_{r_2}, S_{r_3}, S_{S'}, S_{r_{n}}, \ldots S_{a_{i}} \ldots, d_{0}, \ldots, d_{3}, \ldots a_{i} \ldots, n \}$ over message $m$ the verifier checks whether the following equality holds

$e(W, A') = e(g_{2}, \bar{A})$

If so, it recomputes

$t'_1 \leftarrow \frac{A'^{S_{E}} \cdot H_{r}^{S_{r_2}}}{\left( \bar{A} \cdot B'^{-1} \right)^C}$

$t'_2 \leftarrow H_{r}^{S_{S'}} \cdot B'^{S_{r_3}} \cdot H_{ISK}^{S_{sk_{c}}} \cdot \prod_{i=0}^4 H_{a_{i}}^{S_{a_{i}} \bar{d}_i} \cdot \left(g_{1} \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{i} d_i} \right)^C$

$t'_3 \leftarrow \frac{H_{ISK}^{S_{sk_{c}}} \cdot H_{r}^{S_{r_{n}}}}{Nym^C}$

and accepts the signature if

$C = H(H(t'_1||t'_2||t'_3||A'||\bar{A}||B'||Nym||h_{CA}||d_0||\ldots||d_3||m)||n)$

This verification also verifies the disclosed subset of attributes.

Generation of a pseudonymous signature

Differently from a standard signature, a pseudonymous signature does not prove that the pseudonym possesses a user certificate signed by a CA. It only proves that the pseudonym $Nym$ signed message $m$. The signature is generated starting from the pseudonym (as generated in the section above) together with secret key $sk_{c}$ and randomness $r_{n}$ as follows: at first it picks random elements

$n \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{sk_{c}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{r_{n}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

Then it generates

$t \leftarrow H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{r_{n}}}$

$C \leftarrow H(H(t||Nym||h_{CA}||m)||n)$

$S_{sk_{c}} \leftarrow r_{sk_{c}} %2B sk_{c} C$

$S_{r_{n}} \leftarrow r_{r_{n}} %2B r_{n} C$

The signature $\sigma$ is $\sigma \leftarrow \{ Nym, C, S_{sk_{c}}, S_{r_{n}}, n \}$.

Verification of a pseudonymous signature

Upon receipt of a pseudonymous signature $\sigma \leftarrow \{ Nym, C, S_{sk_{c}}, S_{r_{n}}, n \}$ over message $m$ the verifier recomputes

$t' \leftarrow \frac{H_{ISK}^{S_{sk_{c}}} \cdot H_{r}^{S_{r_{n}}}}{Nym^C}$

and accepts the signature if

$C = H(H(t'||Nym||h_{CA}||m)||n)$

Extensions

Adding a pseudonym as a function of the Enrollment ID (eid)

The enrollment id is one of the cerified attributes ($a_{2}$ with value $a_{c2}$). This extension introduces a pseudonym which is a function of the enrollment ID, together with a proof that it was correclty generated.

Signature generation

The pseudonym is computed by sampling

$r_{eid} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

$r_{r_{eid}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}$

and by generating the pseudonym

$Nym_{eid} \leftarrow H_{a_{2}}^{a_{c2}} \cdot H_{r}^{r_{eid}}$

Signature generation is similar to the scheme above; in particular, the term $r_{a_{2}}$ is the same used by the original sign algorithm. The extensions include:

  • the client computes an additional value $t_4 \leftarrow H_{a_{2}}^{r_{a_{2}}} \cdot H_{r}^{r_{r_{eid}}}$;

  • the client includes $(Nym_{eid}, t_4)$ in the challenge computation: $C \leftarrow H(H(t_1||t_2||t_3||t_4||A'||\bar{A}||B'||Nym||Nym_{eid}||h_{CA}||d_0||\ldots||d_3||m)||n)$ (if $d_2$ is included, it should always be set to 0 otherwise the value of the enrollment ID would be revealed);

  • the client computes an additional proof $S_{r_{eid}} \leftarrow r_{r_{eid}} %2B r_{eid} C$;

  • The signature includes the additional proof $S_{r_{eid}}$ and pseudonym $Nym_{eid}$.

Signature verification

Signature verification is the same as above except that

  • verifier computes $t'_4 \leftarrow \frac{H_{a_{2}}^{S_{a_2}} \cdot H_{r}^{S_{r_{eid}}}}{Nym_{eid}^C}$;

  • verifier checks if $C \leftarrow H(H(t'_1||t'_2||t'_3||t'_4||A'||\bar{A}||B'||Nym||Nym_{eid}||h_{CA}||d_0||\ldots||d_3||m)||n)$.

Auditing NymEid

To Audit NymEid the client reveals pair $a_{c2}, r_{eid}$ and the auditor checks if $Nym_{eid} \leftarrow H_{a_{2}}^{a_{c2}} \cdot H_{r}^{r_{eid}}$.

Extension points exported contracts — how you extend this code

KeyImporter (Interface)
KeyImporter is a BCCSP-like interface that provides key import algorithms [8 implementers]
bccsp/impl.go
Key (Interface)
Key represents a cryptographic key [7 implementers]
bccsp/types/crypto.go
VC2ProofVerifier (Interface)
(no doc) [32 implementers]
bbs/signature_proof.go
Translator (Interface)
(no doc) [3 implementers]
tools/idemixgen/main.go
VC2SignatureProvider (Interface)
(no doc) [3 implementers]
bbs/proof_of_knowledge.go
IdentityDeserializer (Interface)
IdentityDeserializer is implemented by both MSPManger and MSP [1 implementers]
msp/provider.go
Translator (Interface)
(no doc) [3 implementers]
bccsp/schemes/dlog/crypto/credential.go
Logger (Interface)
Logger defines the logging interface required by Idemixmsp. This interface is compatible with the Go SDK log package and
msp/idemixmsp.go

Core symbols most depended-on inside this repo

Errorf
called by 400
msp/idemixmsp.go
Error
called by 301
bccsp/types/idemixerrs.go
Bytes
called by 275
bccsp/types/crypto.go
New
called by 161
bbs/proof_of_knowledge.go
Verify
called by 131
bccsp/impl.go
Marshal
called by 127
bbs/keys.go
Add
called by 118
bbs/bbs12381g2pub.go
Verify
called by 97
bccsp/types/crypto.go

Shape

Method 791
Function 343
Struct 162
Interface 37
TypeAlias 14
FuncType 1

Languages

Go100%

Modules by API surface

bccsp/schemes/dlog/crypto/idemix.pb.go119 symbols
bccsp/schemes/aries/cred.pb.go60 symbols
bccsp/types/idemixopts.go51 symbols
msp/idemixmsp.go48 symbols
bccsp/types/idemix.go43 symbols
msp/idemixmsp_test.go34 symbols
msp/provider.go33 symbols
msp/config/msp_config.pb.go32 symbols
bccsp/types/mock/user.go32 symbols
msp/idemixmsp_aries_test.go28 symbols
bccsp/types/mock/signature_scheme.go27 symbols
bccsp/types/mock/issuer.go27 symbols

Used by 1 indexed graphs manifest dependencies, hub-wide

For agents

$ claude mcp add idemix \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page