hyperledger / anoncreds-spec

The specification for AnonCreds verifiable credential exchange.
https://hyperledger.github.io/anoncreds-spec/
Apache License 2.0

What happens to the nonces in the issuance flow? #137

Closed swcurran closed 8 months ago

swcurran commented 1 year ago

In the issuance flow, there is a nonce in the Credential Offer (issuer to holder) and a nonce in the credential request (holder to issuer). Likewise, there is a key_correctness_proof in the Credential Request and the Issue Credential. My guess is that:

This needs to be verified or corrected with the implementation and explained in the specification.

swcurran commented 1 year ago

@whalelephant -- would you be able to take a look at this issue? Trace through the implementation to see how the nonces are used? Thanks!

The current text implies that they are the same, but looking at running examples shows they are not the same.

whalelephant commented 1 year ago

Yes, you are correct. Below is a simple flow with the nonce throughout the process:

Credential Offer:

  1. Issuer creates cred_offer_nonce as part of the request

Credential Request:

  1. Holder uses the cred_offer_nonce to blind their link_secret with the cred_offer_nonce
  2. Holder creates cred_req_nonce as part of the request

Credential Create:

  1. Issuer checks the link_secret_blind_correctness_proof in the credential request with cred_offer_nonce
  2. Issuer uses cred_req_nonce to construct the signature_correctness_proof

Process (Unblind) Credential:

  1. Holder uses cred_req_nonce to unblind credential signature

Presentation Request:

  1. Verifier creates presentation_nonce

Presentation:

  1. Holder uses the presentation_nonce as input to the proof

Verification:

  1. Verifier verifies proof with presentation_nonce
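
The cred_offer_nonce steps from the flow above, as an added example that is not part of this thread or of the AnonCreds code base: a toy Schnorr-style proof stands in for the real link_secret_blind_correctness_proof and shows that a credential request checked against a different offer nonce is rejected. The group parameters, function names, dictionary layout and the choice to bind the nonce through the challenge hash are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example. AnonCreds itself works with
# the issuer's CL public key, not with these values.
P = 2**127 - 1          # a Mersenne prime used as the toy modulus
G, H = 3, 5             # toy generators

def new_nonce():
    # Nonce size is an arbitrary choice for the example.
    return secrets.randbits(80)

def challenge(U, T, nonce):
    # Fiat-Shamir challenge: the nonce is hashed together with the commitments.
    data = f"{U}|{T}|{nonce}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def holder_blind(link_secret, cred_offer_nonce):
    """Credential Request: blind link_secret and prove knowledge of it."""
    v = secrets.randbits(256)                        # blinding factor
    U = pow(G, link_secret, P) * pow(H, v, P) % P    # blinded link secret
    r1, r2 = secrets.randbits(600), secrets.randbits(600)
    T = pow(G, r1, P) * pow(H, r2, P) % P
    c = challenge(U, T, cred_offer_nonce)
    # Responses are computed over the integers, so no group order is needed.
    proof = {"c": c, "s1": r1 + c * link_secret, "s2": r2 + c * v}
    # The holder also creates cred_req_nonce as part of the request.
    return {"U": U, "proof": proof, "cred_req_nonce": new_nonce()}, v

def issuer_check(cred_request, cred_offer_nonce):
    """Credential Create, step 1: check the proof with the offer nonce."""
    U, pr = cred_request["U"], cred_request["proof"]
    # Recompute T = G^s1 * H^s2 * U^(-c) and re-derive the challenge.
    T = pow(G, pr["s1"], P) * pow(H, pr["s2"], P) * pow(U, -pr["c"], P) % P
    return pr["c"] == challenge(U, T, cred_offer_nonce)

def demo():
    offer_nonce = new_nonce()                        # Credential Offer
    request, _ = holder_blind(secrets.randbits(256), offer_nonce)
    later_offer_nonce = new_nonce()                  # a different, later offer
    # Accepted for the offer it answers, rejected when replayed against another.
    return (issuer_check(request, offer_nonce),
            issuer_check(request, later_offer_nonce))

if __name__ == "__main__":
    print(demo())
```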

swcurran commented 1 year ago

Perfect writeup - thanks.

swcurran commented 8 months ago

Resolved and covered in the spec.