nym-compact-ecash 1.20.4

Nym's ecash implementation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624

// Copyright 2024 - Nym Technologies SA <contact@nymtech.net>
// SPDX-License-Identifier: Apache-2.0

use crate::common_types::{BlindedSignature, Signature, SignerIndex};
use crate::error::{CompactEcashError, Result};
use crate::helpers::{date_scalar, type_scalar};
use crate::proofs::proof_withdrawal::{
    WithdrawalReqInstance, WithdrawalReqProof, WithdrawalReqWitness,
};
use crate::scheme::keygen::{PublicKeyUser, SecretKeyAuth, SecretKeyUser, VerificationKeyAuth};
use crate::scheme::setup::GroupParameters;
use crate::scheme::PartialWallet;
use crate::utils::{check_bilinear_pairing, hash_g1};
use crate::{constants, ecash_group_parameters, Attribute, EncodedDate, EncodedTicketType};
use group::{Curve, Group, GroupEncoding};
use nym_bls12_381_fork::{multi_miller_loop, G1Projective, G2Prepared, G2Projective, Scalar};
use serde::{Deserialize, Serialize};
use std::ops::Neg;
use zeroize::{Zeroize, ZeroizeOnDrop};

/// Represents a withdrawal request generate by the client who wants to obtain a zk-nym credential.
///
/// This struct encapsulates the necessary components for a withdrawal request, including the joined commitment hash, the joined commitment,
/// individual Pedersen commitments for private attributes, and a zero-knowledge proof for the withdrawal request.
///
/// # Fields
///
/// * `joined_commitment_hash` - The joined commitment hash represented as a G1Projective element.
/// * `joined_commitment` - The joined commitment represented as a G1Projective element.
/// * `private_attributes_commitments` - A vector of individual Pedersen commitments for private attributes represented as G1Projective elements.
/// * `zk_proof` - The zero-knowledge proof for the withdrawal request.
///
/// # Derives
///
/// The struct derives `Debug` and `PartialEq` to provide debug output and basic comparison functionality.
///
#[derive(Debug, PartialEq, Clone, Serialize, Deserialize)]
pub struct WithdrawalRequest {
    joined_commitment_hash: G1Projective,
    joined_commitment: G1Projective,
    private_attributes_commitments: Vec<G1Projective>,
    zk_proof: WithdrawalReqProof,
}

impl WithdrawalRequest {
    pub fn get_private_attributes_commitments(&self) -> &[G1Projective] {
        &self.private_attributes_commitments
    }
}

/// Represents information associated with a withdrawal request.
///
/// This structure holds the commitment hash, commitment opening, private attributes openings,
/// the wallet secret (scalar), and the expiration date related to a withdrawal request.
#[derive(Debug, Clone, Serialize, Deserialize, Zeroize, ZeroizeOnDrop)]
pub struct RequestInfo {
    joined_commitment_hash: G1Projective,
    joined_commitment_opening: Scalar,
    private_attributes_openings: Vec<Scalar>,
    wallet_secret: Scalar,
    expiration_date: Scalar,
    t_type: Scalar,
}

impl RequestInfo {
    pub fn get_joined_commitment_hash(&self) -> &G1Projective {
        &self.joined_commitment_hash
    }
    pub fn get_joined_commitment_opening(&self) -> &Scalar {
        &self.joined_commitment_opening
    }
    pub fn get_private_attributes_openings(&self) -> &[Scalar] {
        &self.private_attributes_openings
    }
    pub fn get_v(&self) -> &Scalar {
        &self.wallet_secret
    }
    pub fn get_expiration_date(&self) -> &Scalar {
        &self.expiration_date
    }
    pub fn get_t_type(&self) -> &Scalar {
        &self.t_type
    }
}

/// Computes Pedersen commitments for private attributes.
///
/// Given a set of private attributes and the commitment hash for all attributes,
/// this function generates random blinding factors (`openings`) and computes corresponding
/// Pedersen commitments for each private attribute.
/// Pedersen commitments have the hiding and binding properties, providing a secure way
/// to represent private values in a commitment scheme.
///
/// # Arguments
///
/// * `params` - Group parameters for the cryptographic group.
/// * `joined_commitment_hash` - The commitment hash to be used in the Pedersen commitments.
/// * `private_attributes` - A slice of private attributes to be committed.
///
/// # Returns
///
/// A tuple containing vectors of blinding factors (`openings`) and corresponding
/// Pedersen commitments for each private attribute.
fn compute_private_attribute_commitments(
    params: &GroupParameters,
    joined_commitment_hash: &G1Projective,
    private_attributes: &[&Scalar],
) -> (Vec<Scalar>, Vec<G1Projective>) {
    let (openings, commitments): (Vec<Scalar>, Vec<G1Projective>) = private_attributes
        .iter()
        .map(|&m_j| {
            let o_j = params.random_scalar();
            (o_j, params.gen1() * o_j + joined_commitment_hash * m_j)
        })
        .unzip();

    (openings, commitments)
}
/// Generates a non-identity hash of joined commitment.
///
/// This function attempts to create a valid joined commitment and hash by
/// repeatedly generating a random `joined_commitment_opening` and computing
/// the corresponding `joined_commitment` and `joined_commitment_hash`.
/// It continues this process until the `joined_commitment_hash` is not the
/// identity element.
fn generate_non_identity_h(
    params: &GroupParameters,
    sk_user: &SecretKeyUser,
    v: &Scalar,
    expiration_date: Scalar,
    t_type: Scalar,
) -> (G1Projective, G1Projective, Scalar) {
    let gamma = params.gammas();

    loop {
        let joined_commitment_opening = params.random_scalar();

        // Compute joined commitment for all attributes (public and private)
        let joined_commitment =
            params.gen1() * joined_commitment_opening + gamma[0] * sk_user.sk + gamma[1] * v;

        // Compute commitment hash h
        let joined_commitment_hash = hash_g1(
            (joined_commitment + gamma[2] * expiration_date + gamma[3] * t_type).to_bytes(),
        );

        // Check if the joined_commitment_hash is not the identity element
        if !bool::from(joined_commitment_hash.is_identity()) {
            return (
                joined_commitment,
                joined_commitment_hash,
                joined_commitment_opening,
            );
        }
    }
}
/// Generates a withdrawal request for the given user to request a zk-nym credential wallet.
///
/// # Arguments
///
/// * `sk_user` - A reference to the user's secret key.
/// * `expiration_date` - The expiration date for the withdrawal request.
/// * `t_type` - The type of the ticket book
///
/// # Returns
///
/// A tuple containing the generated `WithdrawalRequest` and `RequestInfo`, or an error if the operation fails.
///
/// # Details
///
/// The function starts by generating a random, unique wallet secret `v` and computing the joined commitment for all attributes,
/// including public (expiration date) and private ones (user secret key and wallet secret).
/// It then calculates the commitment hash (`joined_commitment_hash`) and computes Pedersen commitments for private attributes.
/// A zero-knowledge proof of knowledge is constructed to prove possession of specific attributes.
///
/// The resulting `WithdrawalRequest` includes the commitment hash, joined commitment, commitments for private
/// attributes, and the constructed zero-knowledge proof.
///
/// The associated `RequestInfo` includes information such as commitment hash, commitment opening,
/// openings for private attributes, `v`, and the expiration date.
pub fn withdrawal_request(
    sk_user: &SecretKeyUser,
    expiration_date: EncodedDate,
    t_type: EncodedTicketType,
) -> Result<(WithdrawalRequest, RequestInfo)> {
    let params = ecash_group_parameters();
    // Generate random and unique wallet secret
    let v = params.random_scalar();
    let expiration_date = date_scalar(expiration_date);
    let t_type = type_scalar(t_type);

    // Generate a non-identity commitment hash
    let (joined_commitment, joined_commitment_hash, joined_commitment_opening) =
        generate_non_identity_h(params, sk_user, &v, expiration_date, t_type);

    // Compute Pedersen commitments for private attributes (wallet secret and user's secret)
    let private_attributes = vec![&sk_user.sk, &v];
    let (private_attributes_openings, private_attributes_commitments) =
        compute_private_attribute_commitments(params, &joined_commitment_hash, &private_attributes);

    // construct a NIZK proof of knowledge proving possession of m1, m2, o, o1, o2
    let instance = WithdrawalReqInstance {
        joined_commitment,
        joined_commitment_hash,
        private_attributes_commitments: private_attributes_commitments.clone(),
        pk_user: PublicKeyUser {
            pk: params.gen1() * sk_user.sk,
        },
    };

    let witness = WithdrawalReqWitness {
        private_attributes,
        joined_commitment_opening: &joined_commitment_opening,
        private_attributes_openings: &private_attributes_openings,
    };
    let zk_proof = WithdrawalReqProof::construct(&instance, &witness);

    // Create and return WithdrawalRequest and RequestInfo
    Ok((
        WithdrawalRequest {
            joined_commitment_hash,
            joined_commitment,
            private_attributes_commitments,
            zk_proof,
        },
        RequestInfo {
            joined_commitment_hash,
            joined_commitment_opening,
            private_attributes_openings,
            wallet_secret: v,
            expiration_date,
            t_type,
        },
    ))
}

/// Verifies the integrity of a withdrawal request, including the joined commitment hash
/// and the zero-knowledge proof of knowledge.
///
/// # Arguments
///
/// * `req` - The withdrawal request to be verified.
/// * `pk_user` - Public key of the user associated with the withdrawal request.
/// * `expiration_date` - Expiration date for the ticket book.
/// * `t_type` - The type of the ticket book
///
/// # Returns
///
/// Returns `Ok(true)` if the verification is successful, otherwise returns an error
/// with a specific message indicating the verification failure.
pub fn request_verify(
    req: &WithdrawalRequest,
    pk_user: PublicKeyUser,
    expiration_date: EncodedDate,
    t_type: EncodedTicketType,
) -> Result<()> {
    let params = ecash_group_parameters();

    let gamma = params.gammas();
    let expiration_date = date_scalar(expiration_date);
    let t_type = type_scalar(t_type);

    if bool::from(req.joined_commitment_hash.is_identity()) {
        return Err(CompactEcashError::IdentityCommitmentHash);
    }

    let expected_commitment_hash = hash_g1(
        (req.joined_commitment + gamma[2] * expiration_date + gamma[3] * t_type).to_bytes(),
    );
    if req.joined_commitment_hash != expected_commitment_hash {
        return Err(CompactEcashError::WithdrawalRequestVerification);
    }
    // Verify zk proof
    let instance = WithdrawalReqInstance {
        joined_commitment: req.joined_commitment,
        joined_commitment_hash: req.joined_commitment_hash,
        private_attributes_commitments: req.private_attributes_commitments.clone(),
        pk_user,
    };
    if !req.zk_proof.verify(&instance) {
        return Err(CompactEcashError::WithdrawalRequestVerification);
    }
    Ok(())
}

/// Signs an expiration date using a joined commitment hash and a secret key.
///
/// Given a joined commitment hash (`joined_commitment_hash`), an expiration date (`expiration_date`),
/// and a secret key for authentication (`sk_auth`), this function computes the signature of the
/// expiration date by multiplying the commitment hash with the blinding factor derived from the secret key
/// and the expiration date.
///
/// # Arguments
///
/// * `joined_commitment_hash` - The G1Projective point representing the joined commitment hash.
/// * `expiration_date` - The expiration date timestamp to be signed.
/// * `sk_auth` - The secret key of the signing authority. Assumes key is long enough.
///
/// # Returns
///
/// A `Result` containing the resulting G1Projective point if successful, or an error if the
/// authentication secret key index is out of bounds.
fn sign_expiration_date(
    joined_commitment_hash: &G1Projective,
    expiration_date: EncodedDate,
    sk_auth: &SecretKeyAuth,
) -> G1Projective {
    joined_commitment_hash * (sk_auth.ys[2] * date_scalar(expiration_date))
}

/// Signs a transaction type using a joined commitment hash and a secret key.
///
/// Given a joined commitment hash (`joined_commitment_hash`), a ticket type (`t_type`),
/// and a secret key for authentication (`sk_auth`), this function computes the signature of the
/// ticket type.
///
/// # Arguments
///
/// * `joined_commitment_hash` - The G1Projective point representing the joined commitment hash.
/// * `t_type` - The ticket type identifier to be signed.
/// * `sk_auth` - The secret key of the signing authority.
///
/// # Returns
///
/// The resulting G1Projective point representing the signed ticket type.
fn sign_t_type(
    joined_commitment_hash: &G1Projective,
    t_type: EncodedTicketType,
    sk_auth: &SecretKeyAuth,
) -> G1Projective {
    joined_commitment_hash * (sk_auth.ys[3] * type_scalar(t_type))
}

/// Issues a blinded signature for a withdrawal request, after verifying its integrity.
///
/// This function first verifies the withdrawal request using the provided group parameters,
/// user's public key, and expiration date. If the verification is successful,
/// the function proceeds to blind sign the private attributes and sign the expiration date,
/// combining both signatures into a final signature.
///
/// # Arguments
///
/// * `sk_auth` - Secret key of the signing authority.
/// * `pk_user` - Public key of the user associated with the withdrawal request.
/// * `withdrawal_req` - The withdrawal request to be signed.
/// * `expiration_date` - Expiration date for the withdrawal request.
///
/// # Returns
///
/// Returns a `BlindedSignature` if the issuance process is successful, otherwise returns an error
/// with a specific message indicating the failure.
pub fn issue(
    sk_auth: &SecretKeyAuth,
    pk_user: PublicKeyUser,
    withdrawal_req: &WithdrawalRequest,
    expiration_date: EncodedDate,
    t_type: EncodedTicketType,
) -> Result<BlindedSignature> {
    // Verify the withdrawal request
    request_verify(withdrawal_req, pk_user, expiration_date, t_type)?;
    // Verify `sk_auth` is long enough
    if sk_auth.ys.len() < constants::ATTRIBUTES_LEN {
        return Err(CompactEcashError::KeyTooShort);
    }
    // Blind sign the private attributes
    let blind_signatures: G1Projective = withdrawal_req
        .private_attributes_commitments
        .iter()
        .zip(sk_auth.ys.iter().take(2))
        .map(|(pc, yi)| pc * yi)
        .sum();
    // Sign the expiration date
    //SAFETY: key length was verified before
    let expiration_date_sign = sign_expiration_date(
        &withdrawal_req.joined_commitment_hash,
        expiration_date,
        sk_auth,
    );
    // Sign the type
    let t_type_sign = sign_t_type(&withdrawal_req.joined_commitment_hash, t_type, sk_auth);
    // Combine both signatures
    let signature = blind_signatures
        + withdrawal_req.joined_commitment_hash * sk_auth.x
        + expiration_date_sign
        + t_type_sign;

    Ok(BlindedSignature {
        h: withdrawal_req.joined_commitment_hash,
        c: signature,
    })
}

/// Verifies the integrity and correctness of a blinded signature
/// and returns an unblinded partial zk-nym wallet.
///
/// This function first verifies the integrity of the received blinded signature by checking
/// if the joined commitment hash matches the one provided in the `req_info`. If the verification
/// is successful, it proceeds to unblind the blinded signature and verify its correctness.
///
/// # Arguments
///
/// * `vk_auth` - Verification key of the signing authority.
/// * `sk_user` - Secret key of the user.
/// * `blind_signature` - Blinded signature received from the authority.
/// * `req_info` - Information associated with the request, including the joined commitment hash,
///   private attributes openings, v, and expiration date.
///
/// # Returns
///
/// Returns a `PartialWallet` if the verification process is successful, otherwise returns an error
/// with a specific message indicating the failure.
pub fn issue_verify(
    vk_auth: &VerificationKeyAuth,
    sk_user: &SecretKeyUser,
    blind_signature: &BlindedSignature,
    req_info: &RequestInfo,
    signer_index: SignerIndex,
) -> Result<PartialWallet> {
    let params = ecash_group_parameters();
    // Verify the integrity of the response from the authority
    if req_info.joined_commitment_hash != blind_signature.h {
        return Err(CompactEcashError::IssuanceVerification);
    }
    if bool::from(blind_signature.h.is_identity()) {
        return Err(CompactEcashError::IdentitySignature);
    }

    // Unblind the blinded signature on the partial signature
    let blinding_removers = vk_auth
        .beta_g1
        .iter()
        .zip(&req_info.private_attributes_openings)
        .map(|(beta, opening)| beta * opening)
        .sum::<G1Projective>();
    let unblinded_c = blind_signature.c - blinding_removers;

    let attr = [
        sk_user.sk,
        req_info.wallet_secret,
        req_info.expiration_date,
        req_info.t_type,
    ];

    let signed_attributes = attr
        .iter()
        .zip(vk_auth.beta_g2.iter())
        .map(|(attr, beta_i)| beta_i * attr)
        .sum::<G2Projective>();

    // Verify the signature correctness on the wallet share
    if !check_bilinear_pairing(
        &blind_signature.h.to_affine(),
        &G2Prepared::from((vk_auth.alpha + signed_attributes).to_affine()),
        &unblinded_c.to_affine(),
        params.prepared_miller_g2(),
    ) {
        return Err(CompactEcashError::IssuanceVerification);
    }

    Ok(PartialWallet {
        sig: Signature {
            h: blind_signature.h,
            s: unblinded_c,
        },
        v: req_info.wallet_secret,
        idx: signer_index,
        expiration_date: req_info.expiration_date,
        t_type: req_info.t_type,
    })
}

/// Verifies a partial blind signature using the provided parameters and validator's verification key.
///
/// # Arguments
///
/// * `blind_sign_request` - A reference to the blind signature request signed by the client.
/// * `public_attributes` - A reference to the public attributes included in the client's request.
/// * `blind_sig` - A reference to the issued partial blinded signature to be verified.
/// * `partial_verification_key` - A reference to the validator's partial verification key.
///
/// # Returns
///
/// A boolean indicating whether the partial blind signature is valid (`true`) or not (`false`).
///
/// # Remarks
///
/// This function verifies the correctness and validity of a partial blind signature using
/// the provided cryptographic parameters, blind signature request, blinded signature,
/// and partial verification key.
/// It calculates pairings based on the provided values and checks whether the partial blind signature
/// is consistent with the verification key and commitments in the blind signature request.
/// The function returns `true` if the partial blind signature is valid, and `false` otherwise.
pub fn verify_partial_blind_signature(
    private_attribute_commitments: &[G1Projective],
    public_attributes: &[&Attribute],
    blind_sig: &BlindedSignature,
    partial_verification_key: &VerificationKeyAuth,
) -> bool {
    let params = ecash_group_parameters();
    let num_private_attributes = private_attribute_commitments.len();
    if num_private_attributes + public_attributes.len() > partial_verification_key.beta_g2.len() {
        return false;
    }
    // Note: This check is useful if someone uses the code of those functions
    // to verify Pointcheval-Sanders signatures in a context different for their use
    // in zk-nyms
    if bool::from(blind_sig.h.is_identity()) {
        return false;
    }
    // TODO: we're losing some memory here due to extra allocation,
    // but worst-case scenario (given SANE amount of attributes), it's just few kb at most
    let c_neg = blind_sig.c.to_affine().neg();
    let g2_prep = params.prepared_miller_g2();

    let mut terms = vec![
        // (c^{-1}, g2)
        (c_neg, g2_prep.clone()),
        // (s, alpha)
        (
            blind_sig.h.to_affine(),
            G2Prepared::from(partial_verification_key.alpha.to_affine()),
        ),
    ];

    // for each private attribute, add (cm_i, beta_i) to the miller terms
    for (private_attr_commit, beta_g2) in private_attribute_commitments
        .iter()
        .zip(&partial_verification_key.beta_g2)
    {
        // (cm_i, beta_i)
        terms.push((
            private_attr_commit.to_affine(),
            G2Prepared::from(beta_g2.to_affine()),
        ))
    }

    // for each public attribute, add (s^pub_j, beta_{priv + j}) to the miller terms
    for (&pub_attr, beta_g2) in public_attributes.iter().zip(
        partial_verification_key
            .beta_g2
            .iter()
            .skip(num_private_attributes),
    ) {
        // (s^pub_j, beta_j)
        terms.push((
            (blind_sig.h * pub_attr).to_affine(),
            G2Prepared::from(beta_g2.to_affine()),
        ))
    }

    // get the references to all the terms to get the arguments the miller loop expects
    #[allow(clippy::map_identity)]
    let terms_refs = terms.iter().map(|(g1, g2)| (g1, g2)).collect::<Vec<_>>();

    // since checking whether e(a, b) == e(c, d)
    // is equivalent to checking e(a, b) • e(c, d)^{-1} == id
    // and thus to e(a, b) • e(c^{-1}, d) == id
    //
    // compute e(c^{-1}, g2) • e(s, alpha) • e(cm_0, beta_0) • e(cm_i, beta_i) • (s^pub_0, beta_{i+1}) (s^pub_j, beta_{i + j})
    multi_miller_loop(&terms_refs)
        .final_exponentiation()
        .is_identity()
        .into()
}

#[cfg(test)]
mod tests {
    use super::{generate_non_identity_h, verify_partial_blind_signature};
    use crate::common_types::BlindedSignature;
    use crate::ecash_group_parameters;
    use crate::scheme::keygen::{SecretKeyUser, VerificationKeyAuth};
    use nym_bls12_381_fork::G1Projective;

    #[test]
    fn test_generate_non_identity_h() {
        let params = ecash_group_parameters();
        // Create dummy values for testing
        let sk_user = SecretKeyUser {
            sk: params.random_scalar(),
        };
        let v = params.random_scalar();
        let expiration_date = params.random_scalar();
        let t_type = params.random_scalar();

        // Generate the commitment and hash
        let (_, joined_commitment_hash, _) =
            generate_non_identity_h(params, &sk_user, &v, expiration_date, t_type);

        // Ensure that the joined_commitment_hash is not the identity element
        assert!(
            !bool::from(joined_commitment_hash.is_identity()),
            "Joined commitment hash should not be the identity element"
        );
    }

    #[test]
    fn test_verify_partial_blind_signature_blind_sig_identity() {
        let params = ecash_group_parameters();
        let private_attribute_commitments = vec![params.gen1() * params.random_scalar()];
        let public_attributes = vec![];
        // Create a blinded signature with h being the identity element
        let blind_sig = BlindedSignature {
            h: G1Projective::identity(),
            c: params.gen1() * params.random_scalar(),
        };
        // Create a mock partial verification key
        let partial_verification_key = VerificationKeyAuth {
            alpha: params.gen2() * params.random_scalar(),
            beta_g1: vec![params.gen1() * params.random_scalar()],
            beta_g2: vec![params.gen2() * params.random_scalar()],
        };

        // Test with identity h, expecting false
        assert!(
            !verify_partial_blind_signature(
                &private_attribute_commitments,
                &public_attributes,
                &blind_sig,
                &partial_verification_key
            ),
            "Expected verification to return false for identity h in blind signature"
        );
    }
}