1/* 2 * Copyright 2023 Google LLC. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * https://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16syntax = "proto3"; 17 18package private_join_and_compute.anonymous_counting_tokens; 19 20import "private_join_and_compute/crypto/dodis_yampolskiy_prf/bb_oblivious_signature.proto"; 21import "private_join_and_compute/crypto/dodis_yampolskiy_prf/dy_verifiable_random_function.proto"; 22import "private_join_and_compute/crypto/proto/big_num.proto"; 23import "private_join_and_compute/crypto/proto/camenisch_shoup.proto"; 24import "private_join_and_compute/crypto/proto/pedersen.proto"; 25 26option java_multiple_files = true; 27 28// The parameters for ACTv0. 29message SchemeParametersV0 { 30 // How many masking bits (more than the challenge bits) to add in the sigma 31 // protocols. 32 uint64 security_parameter = 1; 33 // How many bits the challenge has. 34 uint64 challenge_length_bits = 2; 35 // Length for the RSA modulus. 36 uint64 modulus_length_bits = 3; 37 // Camenisch Shoup Damgard-Jurik parameter (message space is n^s). 38 uint64 camenisch_shoup_s = 4; 39 // Camenisch-Shoup vector-encryption parameter. 40 uint64 vector_encryption_length = 5; 41 // Number of messages that can be committed in a single Pedersen commitment. 42 uint64 pedersen_batch_size = 6; 43 // Specification of the EC Group in which the DY-PRF and Boneh Boyen Oblivious 44 // Signature will be computed. 45 uint64 prf_ec_group = 7; 46 // Prefix to attach to any random oracle query (optional). 47 string random_oracle_prefix = 8; 48} 49 50// The Server's public parameters for the ACTv0 scheme. 51message ServerPublicParametersV0 { 52 reserved 1, 4, 5; 53 54 // Parameters to use for commitments. 55 private_join_and_compute.proto.PedersenParameters pedersen_parameters = 2; 56 // Camenisch Shoup public key (for the Boneh-Boyen Oblivious Signature). 57 private_join_and_compute.proto.CamenischShoupPublicKey camenisch_shoup_public_key = 3; 58 // Public key for the Boneh-Boyen oblivious signature. 59 private_join_and_compute.proto.BbObliviousSignaturePublicKey 60 bb_oblivious_signature_public_key = 6; 61 62 // Serialized ECPoint corresponding to the base g to use for the DY PRF and 63 // Boneh-Boyen oblivious signature. 64 bytes prf_base_g = 7; 65 66} 67 68// The Server's private parameters for the ACTv0 scheme. 69message ServerPrivateParametersV0 { 70 reserved 2, 3; 71 // Camenisch Shoup private key (for the Boneh-Boyen Oblivious Signature). 72 private_join_and_compute.proto.CamenischShoupPrivateKey camenisch_shoup_private_key = 1; 73 // Private key for the Boneh-Boyen Oblivious Signature. 74 private_join_and_compute.proto.BbObliviousSignaturePrivateKey 75 bb_oblivious_signature_private_key = 4; 76} 77 78// The Client's public parameters for the ACT scheme. 79message ClientPublicParametersV0 { 80 // Public key for the DY Verifiable Random Function. 81 private_join_and_compute.proto.DyVrfPublicKey dy_vrf_public_key = 1; 82 private_join_and_compute.proto.DyVrfGenerateKeysProof dy_vrf_generate_keys_proof = 2; 83} 84 85// The Client's private parameters for the ACT scheme. 86message ClientPrivateParametersV0 { 87 // Private key for the DY Verifiable Random Function. 88 private_join_and_compute.proto.DyVrfPrivateKey dy_vrf_private_key = 1; 89} 90 91// The Client's token request. Can correspond to a batch of tokens. 92message TokensRequestV0 { 93 message Part1 { 94 bytes commit_messages = 1; 95 bytes commit_client_nonces = 2; 96 97 // Proofs that the fingerprints on the messages were generated correctly. 98 // The fingerprints correspond to PRF evaluations on the messages. 99 private_join_and_compute.proto.DyVrfApplyProof fingerprints_proof = 3; 100 } 101 102 // Part1 of the tokens request feeds into the Random Oracle to produce the 103 // client-independent portion of the nonces. (The nonce per-token consists 104 // of a client-chosen part, and a client-independent/not-chosen part. The 105 // latter is generated by a random oracle call.) 106 Part1 part_1 = 1; 107 108 // Boneh-Boyen Oblivious Signature request and proof for nonces. 109 private_join_and_compute.proto.BbObliviousSignatureRequest bb_oblivious_signature_request = 2; 110 private_join_and_compute.proto.BbObliviousSignatureRequestProof 111 bb_oblivious_signature_request_proof = 3; 112} 113 114// Private state corresponding to the Client's token request, needed to recover 115// the tokens from the server's response. 116message TokensRequestPrivateStateV0 { 117 private_join_and_compute.proto.BbObliviousSignatureRequestPrivateState 118 bb_oblivious_signature_request_private_state = 1; 119 // Stores the nonces generated as part of the request (includes the 120 // client-generated and random-oracle-generated portions combined). 121 private_join_and_compute.proto.BigNumVector nonces = 2; 122} 123 124// The Server's response to a TokensRequest. Can correspond to a batch of 125// tokens. 126message TokensResponseV0 { 127 // Boneh-Boyen Oblivious signature response and proof. 128 private_join_and_compute.proto.BbObliviousSignatureResponse bb_oblivious_signature_response = 129 1; 130 private_join_and_compute.proto.BbObliviousSignatureResponseProof 131 bb_oblivious_signature_response_proof = 2; 132} 133 134// An actual token recovered from the TokenResponse. 135message TokenV0 { 136 // The nonce is stored in the enclosing Token proto. 137 138 // Serialized Boneh-Boyen signature on the message and nonce. Serialized 139 // ECPoint. 140 bytes bb_signature = 1; 141} 142