Closed preisacm closed 4 years ago
This is definitely the intended functionality, to be able to sign a message without a basename. So I want to make sure we get it working!
I'm able to create an unlinkable signature, using the following:
```c
/* ... define "randomness" function ... */
struct ecdaa_member_secret_key_FP256BN sk;
struct ecdaa_credential_FP256BN cred;
struct ecdaa_group_public_key_FP256BN gpk;
/* ... create secret key and credential and group public key ... */
struct ecdaa_signature_FP256BN sig;
/* NULL basename with basename length 0: unlinkable signature */
int sign_ret = ecdaa_signature_FP256BN_sign(&sig, (uint8_t*)"foo", 3, NULL, 0, &sk, &cred, randomness);
assert(0 == sign_ret);
struct ecdaa_revocations_FP256BN revocations = {.sk_length=0, .sk_list=NULL, .bsn_length=0, .bsn_list=NULL};
/* Verify with the same NULL basename and length 0 */
int verify_ret = ecdaa_signature_FP256BN_verify(&sig, &gpk, &revocations, (uint8_t*)"foo", 3, NULL, 0);
assert(0 == verify_ret);
```
The `assert`s all succeed for the above code.
However, if I don't pass the `NULL` to the `_sign` function, and instead call it like:
```c
ecdaa_signature_FP256BN_sign(&sig, (uint8_t*)"foo", 3, (uint8_t*)"some basename", 0, &sk, &cred, test_randomness);
```
then the `assert(0 == sign_ret)` fails.
This is because it's required that, if either `basename` is `NULL` or `basename_len` is `0`, then both must be (see line 475 of `libecdaa/schnorr/schnorr_ZZZ.c` for where that check occurs).
Is it possible that's the cause of the failures you see? You mention you set basename length = 0, but don't specify if you're also setting basename to NULL.
That's certainly a failure of the (non-existent) documentation for the `ecdaa_signature_ZZZ_sign` function. I'll fix that now, to add a mention that you can create unlinkable signatures by not specifying a basename and that you must use a NULL basename and 0 basename_length in such a case.
Indeed I provided as basename an empty buffer (filled with zero-bytes) and set the basename length to 0, hoping that this would be enough for detecting the empty basename.
It works now, thanks for your support!
Great, glad to hear it! Thanks for bringing this to our attention!
To support the unlinkability feature of ECDAA, signing a message should be possible without adding a basename to it. This shortens the resulting signature and is already supported by `ecdaa_signature_ZZZ_serialize` and `ecdaa_signature_ZZZ_deserialize`.
When I use `ecdaa_signature_ZZZ_sign` with a valid basename, it succeeds. By providing an empty basename (basename length = 0), the function fails and the signature is not valid afterwards. Tested with FP256BN.