Module proof

Proof of knowledge of BBS+ signature and corresponding messages as per section 4.5 of the BBS+ paper

Examples

Creating proof of knowledge of signature and verifying it:

use ark_bls12_381::Bls12_381;
use bbs_plus::setup::{SignatureParamsG1, KeypairG2};
use bbs_plus::signature::SignatureG1;
use bbs_plus::proof::PoKOfSignatureG1Protocol;
use ark_std::collections::{BTreeSet, BTreeMap};

let params_g1 = SignatureParamsG1::<Bls12_381>::generate_using_rng(&mut rng, 5);
let keypair_g2 = KeypairG2::<Bls12_381>::generate(&mut rng, &params_g1);

let pk_g2 = &keypair_g2.public_key;

// Verifiers should check that the signature parameters and public key are valid before verifying
// any signatures. This just needs to be done once when the verifier fetches/receives them.

assert!(params_g1.is_valid());
assert!(pk_g2.is_valid());

// `messages` contains elements of the scalar field
let sig_g1 = SignatureG1::<Bls12_381>::new(&mut rng, &messages, &keypair_g2.secret_key, &params_g1).unwrap();

let mut blindings = BTreeMap::new();
let mut revealed_indices = BTreeSet::new();

// Populate `blindings` with message index and corresponding blinding
// Populate `revealed_indices` with 0-based indices of revealed messages

let pok = PoKOfSignatureG1Protocol::init(
    &mut rng,
    &sig_g1,
    &params_g1,
    &messages,
    blindings,
    &revealed_indices,
)
.unwrap();

// challenge is generated (see tests)
let proof = pok.gen_proof(&challenge).unwrap();

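// Populate `revealed_msgs` with the 0-based index and value of each revealed message,
// matching `revealed_indices`
let mut revealed_msgs = BTreeMap::new();
proof
    .verify(
        &revealed_msgs,
        &challenge,
        pk_g2,
        &params_g1,
    )
    .unwrap();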

// See tests for more examples

Structs

PoKOfSignatureG1Proof
Proof of knowledge of BBS+ signature in G1. It contains the randomized signature, commitment (Schnorr step 1) and response (Schnorr step 3) to both Schnorr protocols in T_ and sc_resp_
PoKOfSignatureG1Protocol
Protocol to prove knowledge of BBS+ signature in group G1. The BBS+ signature proves validity of a set of messages m_i, i in I. This stateful protocol proves knowledge of such a signature whilst selectively disclosing only a subset of the messages, m_i for i in a disclosed set D. The protocol randomizes the initial BBS+ signature, then conducts 2 Schnorr PoK protocols to prove exponent knowledge for the relations in section 4.5 of the paper (refer to top). It contains commitments (Schnorr step 1; refer to schnorr_pok) and witnesses to both Schnorr protocols in sc_comm_ and sc_wits_ respectively. The protocol executes in 2 phases, pre-challenge (init) which is used to create the challenge and post-challenge (gen_proof). Thus, several instances of the protocol can be used together where the pre-challenge phase of all protocols is used to create a combined challenge and then that challenge is used in post-challenge phase of all protocols.
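
The two-phase flow described for PoKOfSignatureG1Protocol, with several instances sharing one combined challenge, shown as an added example that is not code from the bbs_plus crate. It uses a plain Schnorr proof over a constructed toy group, fixed constructed blindings, and the standard library's `DefaultHasher` as a stand-in for a cryptographic hash; `challenge_contribution` and `run_combined` are hypothetical names.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

// Constructed toy group (insecure size): G generates the order-Q subgroup of Z_P^*.
const P: u64 = 2039;
const Q: u64 = 1019;
const G: u64 = 4;

// Naive modular exponentiation; fine for these tiny exponents.
fn pow_mod(b: u64, e: u64, m: u64) -> u64 { (0..e).fold(1, |acc, _| acc * b % m) }

struct Protocol { x: u64, r: u64, y: u64, t: u64 } // prover state between phases
struct Proof { t: u64, s: u64 } // commitment (step 1) and response (step 3)

impl Protocol {
    // Pre-challenge phase: commit to blinding r (from a CSPRNG in real use).
    fn init(x: u64, r: u64) -> Self {
        Protocol { x, r, y: pow_mod(G, x, P), t: pow_mod(G, r, P) }
    }
    // Public values only: the verifier must be able to recompute the challenge.
    fn challenge_contribution(&self, h: &mut DefaultHasher) {
        for v in [G, self.y, self.t] { h.write_u64(v); }
    }
    // Post-challenge phase: s = r + c*x mod Q.
    fn gen_proof(self, c: u64) -> Proof {
        Proof { t: self.t, s: (self.r + c * self.x) % Q }
    }
}

impl Proof {
    // Accept iff G^s == t * y^c (mod P).
    fn verify(&self, y: u64, c: u64) -> bool {
        pow_mod(G, self.s, P) == self.t * pow_mod(y, c, P) % P
    }
}

// Two instances, one challenge hashed over both pre-challenge outputs.
fn run_combined() -> (u64, u64, u64, Proof, Proof) {
    let (a, b) = (Protocol::init(123, 777), Protocol::init(456, 901));
    let mut h = DefaultHasher::new(); // stand-in for a cryptographic hash
    a.challenge_contribution(&mut h);
    b.challenge_contribution(&mut h);
    let c = h.finish() % Q;
    (a.y, b.y, c, a.gen_proof(c), b.gen_proof(c))
}

fn main() {
    let (y1, y2, c, p1, p2) = run_combined();
    println!("c={} ok1={} ok2={}", c, p1.verify(y1, c), p2.verify(y2, c));
}
```

Because the challenge binds both commitments, a proof checked against any other challenge value is rejected, which is what ties the instances together.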