package private_join_and_compute.proto

Get desktop application:
View/edit binary Protocol Buffers messages

Used in: BbObliviousSignatureRequestProof.Statement, BbObliviousSignatureResponseProof.Statement

int64 security_parameter = 1
How many bits (more than the challenge bits) to add to each dummy opening (aka sigma protocol lambda). This also impacts the sizes of some masks in the protocol.
int64 challenge_length_bits = 2
How many bits the challenge has.
bytes random_oracle_prefix = 3
bytes base_g = 4
Serialized ECPoint. Base to use for the Signature.
optional CamenischShoupPublicKey camenisch_shoup_public_key = 5
Public key for the associated CamenischShoup keypair.
optional PedersenParameters pedersen_parameters = 6
PedersenParameters for the associated commitment scheme. The batch size for the Pedersen parameters is effectively the max number of messages that can be simultaneously requested. The vector_encryption_length of camenisch_shoup_public_key must divide the pedersen batch size.

A private key for the Boneh-Boyen oblivious signature. To be used by the "Sender" in the scheme. The secret key for the associated Camenisch-Shoup keypair is implicitly part of the Private Key.

bytes k = 1
Serialized BigNum.
bytes y = 2

Implicitly linked to commitment-parameters for a Pedersen batch-commitment scheme and a keypair for the Camenisch Shoup encryption scheme. The Pedersen commitment parameters and Camenisch-Shoup public key are implicitly part of the Public Key.

Used in: BbObliviousSignatureRequestProof.Statement, BbObliviousSignatureResponseProof.Statement

repeated CamenischShoupCiphertext encrypted_k = 1
The i'th ciphertext contains an encryption of the secret value in the i'th component of the vector-encryption, and 0 elsewhere.
repeated CamenischShoupCiphertext encrypted_y = 2

Used in: BbObliviousSignatureRequestProof.Statement, BbObliviousSignatureResponseProof.Statement

uint64 num_messages = 1
repeated CamenischShoupCiphertext repeated_encrypted_masked_messages = 3
There will be as many Camenisch-Shoup ciphertexts as needed to fit the messages.

optional BigNumVector private_as = 1
Masks needed in order to recover the signature from the response.

optional BigNumVector commit_as = 1
bytes commit_bs = 2
bytes commit_alphas = 3
bytes commit_gammas = 4
bytes challenge = 5
optional BbObliviousSignatureRequestProof.Message2 message_2 = 6

bytes dummy_commit_messages = 1
bytes dummy_commit_rs = 2
optional BigNumVector dummy_commit_as = 3
Serialized BigNum corresponding to a Pedersen Commitment.
bytes dummy_commit_bs = 4
Serialized BigNum corresponding to a Pedersen Commitment.
bytes dummy_commit_alphas_1 = 5
Serialized BigNum corresponding to a Pedersen Commitment. Computed as a standard dummy commitment.
bytes dummy_commit_alphas_2 = 6
Serialized BigNum corresponding to a Pedersen Commitment. Computed as Prod_i commit_as[i]^dummy_bs[i] * Com(0, dummy_alpha_opening_2).
bytes dummy_commit_gammas_1 = 7
Serialized BigNum corresponding to a Pedersen Commitment. Computed as a standard dummy commitment.
bytes dummy_commit_gammas_2 = 8
Serialized BigNum corresponding to a Pedersen Commitment. Computed as Prod_i commit_as[i]^dummy_rs[i] * Com(0, dummy_gamma_opening_2).
repeated CamenischShoupCiphertext repeated_dummy_encrypted_masked_messages = 10
One dummy ciphertext per ciphertext in the request.

Used in: BbObliviousSignatureRequestProof

optional BigNumVector masked_dummy_messages = 1
bytes masked_dummy_messages_opening = 2
Serialized BigNum corresponding to a Pedersen Commitment Opening.
optional BigNumVector masked_dummy_rs = 3
bytes masked_dummy_rs_opening = 4
Serialized BigNum corresponding to a Pedersen Commitment Opening.
optional BigNumVector masked_dummy_as = 5
optional BigNumVector masked_dummy_as_opening = 6
BigNumVector corresponding to each Pedersen Commitment Opening.
optional BigNumVector masked_dummy_bs = 7
bytes masked_dummy_bs_opening = 8
Serialized BigNum corresponding to a Pedersen Commitment Opening.
optional BigNumVector masked_dummy_alphas = 9
bytes masked_dummy_alphas_opening_1 = 10
The Pedersen Commitment opening corresponding to dummy_commit_alphas_1.
bytes masked_dummy_alphas_opening_2 = 11
The Pedersen Commitment opening corresponding to dummy_commit_alphas_2.
optional BigNumVector masked_dummy_gammas = 12
bytes masked_dummy_gammas_opening_1 = 13
The Pedersen Commitment opening corresponding to dummy_commit_gammas_1.
bytes masked_dummy_gammas_opening_2 = 14
The Pedersen Commitment opening corresponding to dummy_commit_gammas_2.
optional BigNumVector masked_dummy_encryption_randomness_per_ciphertext = 16
One dummy encryption randomness for each ciphertext in the request.

optional BbObliviousSignatureParameters parameters = 1
optional BbObliviousSignaturePublicKey public_key = 2
bytes commit_messages = 3
Serialized BigNum, corresponding to the Pedersen Commitment to the messages.
bytes commit_rs = 4
Serialized BigNum, corresponding to the Pedersen Commitment to the rs.
optional BigNumVector commit_as = 5
The Pedersen commitments to mask values a. The i'th commitment contains a commitment to as[i] in the i'th batch-position, and 0 elsewhere.
bytes commit_bs = 6
The batch-commitment to mask values b.
bytes commit_alphas = 7
The batch commitment to alphas. alphas[i] = messages[i] * as[i]. Computed as (Prod_i Com(as[i])^bs[i]) * Com(0, alpha_opening).
bytes commit_gammas = 8
The batch Pedersen commitment to gammas. gammas[i] = rs[i] * as[i]. Computed as (Prod_i Com(as[i])^rs[i]) * Com(0, gamma_opening).
optional BbObliviousSignatureRequest request = 9

Used in: BbObliviousSignatureResponseProof.Statement

optional ECPointVector masked_signature_values = 1

bytes commit_betas = 1
Commitment to the values decrypted from the Request. Serialized BigNum.
bytes challenge = 2
Message 1 and Statement are used to create the challenge via FiatShamir. Serialized BigNum
optional BbObliviousSignatureResponseProof.Message2 message_2 = 3

optional BigNumVector dummy_camenisch_shoup_ys = 1
Dummy version of the Camenisch Shoup public key ys.
bytes dummy_commit_betas = 2
Serialized BigNum corresponding to a dummy Pedersen Commitment.
optional ECPointVector dummy_base_gs = 4
For each masked_signature_value, we show that masked_signature_value^beta = base_g. Serialized ECPoints.
repeated BigNumVector repeated_dummy_encrypted_masked_messages_es = 5
One dummy_encrypted_masked_messages_es for each ciphertext in the request.

Used in: BbObliviousSignatureResponseProof

optional BigNumVector masked_dummy_camenisch_shoup_xs = 1
optional BigNumVector masked_dummy_betas = 2
bytes masked_dummy_beta_opening = 3

optional BbObliviousSignatureParameters parameters = 1
optional BbObliviousSignaturePublicKey public_key = 2
bytes commit_messages = 3
Serialized BigNum, corresponding to the Pedersen Commitment to the messages.
bytes commit_rs = 4
Serialized BigNum, corresponding to the Pedersen Commitment to rs.
optional BbObliviousSignatureRequest request = 5
optional BbObliviousSignatureResponse response = 6
bytes commit_betas = 7
Commitment to the values decrypted from the Request.

Convenient container for a vector of serialized BigNums.

Used in: BbObliviousSignatureRequestPrivateState, BbObliviousSignatureRequestProof, BbObliviousSignatureRequestProof.Message1, BbObliviousSignatureRequestProof.Message2, BbObliviousSignatureRequestProof.Statement, BbObliviousSignatureResponseProof.Message1, BbObliviousSignatureResponseProof.Message2, CamenischShoupCiphertext, CamenischShoupPrivateKey, CamenischShoupPublicKey, DyVrfApplyProof.Message2, PedersenParameters

repeated bytes serialized_big_nums = 1

Ciphertext of Camenisch-Shoup encryption scheme. All the fields are serialized BigNums. For public key (n, s, g, ys), messages ms, and randomness r: u = g^r mod n^(s+1); es[i] = (1 + n)^ms[i] * ys[i]^r mod n^(s+1).

Used in: BbObliviousSignaturePublicKey, BbObliviousSignatureRequest, BbObliviousSignatureRequestProof.Message1

bytes u = 1
optional BigNumVector es = 2

Secret key for Camenisch-Shoup encryption scheme. All the fields are serialized BigNums. For public key (n, s, g, ys): ys[i] = g^xs[i] mod n^(s+1). To decrypt a ciphertext (u,es): ms[i] = ((es[i]/u^xs[i] - 1) mod n^(s+1)) / n.

optional BigNumVector xs = 1

Public key for Camenisch-Shoup encryption scheme. All the fields are serialized BigNums. n is a strong RSA modulus: n = p * q where p, q are large safe primes. g is a random n^s-th residue mod n^(s+1): g = r^n mod n^(s+1) for a random r. ys[i] = g^xs[i] mod n^(s+1) for a random x, where x is the secret key. We allow multiple ys, thereby enabling encrypting multiple messages in a single ciphertext. To encrypt a batch of messages ms, where each ms[i] < n^s: u = g^r mod n^(s+1) for a random r; es[i] = (1 + n)^m * ys[i]^r mod n^(s+1); Ciphertext = (u, e).

Used in: BbObliviousSignatureParameters

bytes n = 1
bytes g = 2
optional BigNumVector ys = 3
The public key for each component. There will be one secret key in xs for each ys, and one ciphertext component es (though optionally fewer).
uint64 s = 4
n^(s+1) is the modulus for the scheme. n^s is the message space.

optional DyVrfApplyProof.Message1 message_1 = 1
The challenge will be generated using the Fiat-Shamir heuristic applied to Statement and Message1.
optional DyVrfApplyProof.Message2 message_2 = 2

Message1 and the Statement feed into the Random Oracle to produce the proof challenge.

Used in: DyVrfApplyProof

bytes commit_dummy_messages_plus_key = 1
Serialized BigNum.
optional ECPointVector dummy_dy_prf_base_gs = 2
Serialized ECPoints.

Second message of the ApplyProof.

Used in: DyVrfApplyProof

optional BigNumVector masked_dummy_messages_plus_key = 1
bytes masked_dummy_opening = 2
Serialized BigNum

Formalizes the statement being proved. This is defined only in order to be input to the random oracle, to produce the challenge.

optional DyVrfParameters parameters = 1
optional DyVrfPublicKey public_key = 2
bytes commit_messages = 3
Serialized BigNum, corresponding to the Pedersen Commitment to the messages.
optional ECPointVector prf_evaluations = 4
The actual PRF evaluations (serialized ECPoints).

Proof that the parameters were generated correctly.

bytes challenge = 1
Message 1 and Statement are used to create the challenge via FiatShamir. Serialized BigNum
optional DyVrfGenerateKeysProof.Message2 message_2 = 2

bytes dummy_commit_prf_key = 1
Dummy commitment to the key in each slot of the Pedersen Commitment.

Used in: DyVrfGenerateKeysProof

bytes masked_dummy_prf_key = 1
Masked dummy PRF key underlying the masked dummy commitment in each slot. Serialized BigNum.
bytes masked_dummy_opening = 2
Opening to the masked dummy commitment to the PRF key.

optional DyVrfParameters parameters = 1
optional DyVrfPublicKey public_key = 2

Used in: DyVrfApplyProof.Statement, DyVrfGenerateKeysProof.Statement

int64 security_parameter = 1
How many bits (more than the challenge bits) to add to each dummy opening (aka sigma protocol lambda).
int64 challenge_length_bits = 2
How many bits the challenge has.
string random_oracle_prefix = 3
Prefix to inject into the random oracle.
bytes dy_prf_base_g = 4
Serialized ECPoint
optional PedersenParameters pedersen_parameters = 5
Parameters for the associated Pedersen Commitment Scheme. Implicitly determines the max number of messages that can be VRF'ed together in a single proof.

bytes prf_key = 1
The PRF key. (Serialized BigNum).
bytes open_commit_prf_key = 2
An opening to commit_prf_key (serialized BigNum).

A public key for the Dodis-Yampolskiy Verifiable Random Function. Implicitly linked to parameters for a Pedersen batch-commitment scheme.

Used in: DyVrfApplyProof.Statement, DyVrfGenerateKeysProof.Statement

bytes commit_prf_key = 1
A commitment to a copy of the PRF key in each slot of the Pedersen Commitment. (Serialized BigNum)

Convenient container for a vector of serialized ECPoints.

Used in: BbObliviousSignatureResponse, BbObliviousSignatureResponseProof.Message1, DyVrfApplyProof.Message1, DyVrfApplyProof.Statement

repeated bytes serialized_ec_points = 1

Parameters key for Pedersen commitment scheme. All the fields are serialized BigNums. To commit to a set of messages m1, ... , mk < ord(h): c = g1^m1 * ... * gk^mk * * h^r mod n for a random r. n may be a prime or an RSA modulus. For "hiding", each element of gs should be in the subgroup generated by h. For "binding", the discrete log of each element of gs with respect to h should be hidden.

Used in: BbObliviousSignatureParameters, DyVrfParameters

bytes n = 1
Serialized BigNum.
optional BigNumVector gs = 2
bytes h = 3
Serialized BigNum.

package private_join_and_compute.proto

message BbObliviousSignatureParameters

int64 security_parameter = 1

int64 challenge_length_bits = 2

bytes random_oracle_prefix = 3

bytes base_g = 4

optional CamenischShoupPublicKey camenisch_shoup_public_key = 5

optional PedersenParameters pedersen_parameters = 6

message BbObliviousSignaturePrivateKey

bytes k = 1

bytes y = 2

message BbObliviousSignaturePublicKey

repeated CamenischShoupCiphertext encrypted_k = 1

repeated CamenischShoupCiphertext encrypted_y = 2

message BbObliviousSignatureRequest

uint64 num_messages = 1

repeated CamenischShoupCiphertext repeated_encrypted_masked_messages = 3

message BbObliviousSignatureRequestPrivateState

optional BigNumVector private_as = 1

message BbObliviousSignatureRequestProof

optional BigNumVector commit_as = 1

bytes commit_bs = 2

bytes commit_alphas = 3

bytes commit_gammas = 4

bytes challenge = 5

optional BbObliviousSignatureRequestProof.Message2 message_2 = 6

message BbObliviousSignatureRequestProof.Message1

bytes dummy_commit_messages = 1

bytes dummy_commit_rs = 2

optional BigNumVector dummy_commit_as = 3

bytes dummy_commit_bs = 4

bytes dummy_commit_alphas_1 = 5

bytes dummy_commit_alphas_2 = 6

bytes dummy_commit_gammas_1 = 7

bytes dummy_commit_gammas_2 = 8

repeated CamenischShoupCiphertext repeated_dummy_encrypted_masked_messages = 10

message BbObliviousSignatureRequestProof.Message2

optional BigNumVector masked_dummy_messages = 1

bytes masked_dummy_messages_opening = 2

optional BigNumVector masked_dummy_rs = 3

bytes masked_dummy_rs_opening = 4

optional BigNumVector masked_dummy_as = 5

optional BigNumVector masked_dummy_as_opening = 6

optional BigNumVector masked_dummy_bs = 7

bytes masked_dummy_bs_opening = 8

optional BigNumVector masked_dummy_alphas = 9

bytes masked_dummy_alphas_opening_1 = 10

bytes masked_dummy_alphas_opening_2 = 11

optional BigNumVector masked_dummy_gammas = 12

bytes masked_dummy_gammas_opening_1 = 13

bytes masked_dummy_gammas_opening_2 = 14

optional BigNumVector masked_dummy_encryption_randomness_per_ciphertext = 16

message BbObliviousSignatureRequestProof.Statement

optional BbObliviousSignatureParameters parameters = 1

optional BbObliviousSignaturePublicKey public_key = 2

bytes commit_messages = 3

bytes commit_rs = 4

optional BigNumVector commit_as = 5

bytes commit_bs = 6

bytes commit_alphas = 7

bytes commit_gammas = 8

optional BbObliviousSignatureRequest request = 9

message BbObliviousSignatureResponse

optional ECPointVector masked_signature_values = 1

message BbObliviousSignatureResponseProof

bytes commit_betas = 1

bytes challenge = 2

optional BbObliviousSignatureResponseProof.Message2 message_2 = 3

message BbObliviousSignatureResponseProof.Message1

optional BigNumVector dummy_camenisch_shoup_ys = 1

bytes dummy_commit_betas = 2

optional ECPointVector dummy_base_gs = 4

repeated BigNumVector repeated_dummy_encrypted_masked_messages_es = 5

message BbObliviousSignatureResponseProof.Message2

optional BigNumVector masked_dummy_camenisch_shoup_xs = 1

optional BigNumVector masked_dummy_betas = 2

bytes masked_dummy_beta_opening = 3

message BbObliviousSignatureResponseProof.Statement

optional BbObliviousSignatureParameters parameters = 1

optional BbObliviousSignaturePublicKey public_key = 2