Issuance

Following CMZ13, this description of blinded issuance denotes the set of hidden attribute indexes by \(\mathcal H \subseteq \{1,\ldots,n\}\). At a high level, the issuer computes a MAC on the requested attributes, then returns it, together with a proof that it was computed with respect to the expected issuance parameters. To handle blinded attributes, the client generates an ephemeral ElGamal key, encrypts the attributes to be blinded, and proves that the encryptions were well-formed. Because ElGamal encryptions are homomorphic, a MAC on encrypted attributes can be converted into an encryption of a MAC on the plaintext attributes.

Issuance is an online protocol with the following steps.

  1. Client. The client proceeds as follows.

    1. The client generates an ephemeral ElGamal secret \( d \xleftarrow{\$} \mathbb F_p \) and computes the ephemeral public key \( D \gets d B \).

    2. For each blinded attribute \(m_i\) indexed by \(i \in \mathcal H\), the client chooses \( r_i \xleftarrow{\$} \mathbb F_p \) and computes \( \operatorname{Enc}_D(m_i B) \gets (r_i B, m_i B + r_i D) \).1

    3. The client proves that the encryptions were well-formed: \[ \begin{aligned} \pi &\gets \operatorname{PK}\{ \\ &\mathtt{CorrectElGamal}, \\ &(d, (r_i, m_i)_{i \in \mathcal H}), \\ &(D, (\operatorname{Enc}_D(m_i B))_{i \in \mathcal H}), \\ &(B) \; : \\ &\operatorname{Enc}_D(m_i B) = (r_i B, m_i B + r_i D) \; \forall i \in \mathcal H \\ \} \end{aligned} \]

    4. The client sends \(D\), \((m_i)_{i \in \mathcal H}\), \((\operatorname{Enc}_D(m_i B))_{i \in \mathcal H}\) and \(\pi\) to the server.

  2. Issuer. The issuer verifies the client's proof and optionally performs other policy checks related to issuance. Now the issuer would like to select \( P \xleftarrow{\$} \mathbb G \) and compute \( Q \gets \langle \mathbf x, (1) || \mathbf m \rangle P \), but this cannot be done directly as the attributes \( (m_i)_{i \in \mathcal H} \) are not available. Instead, the issuer will compute \( \operatorname{Enc}_D(Q) \) as follows, decomposing \(Q\) as \( Q = Q_c + Q_b\) and considering the contributions from cleartext attributes \(Q_c\) and blinded attributes \(Q_b\) separately:

    1. The issuer selects \( b \xleftarrow{\$} \mathbb F_p \) and computes \( P \gets bB \).
    2. The issuer computes2 a partial MAC on the cleartext attributes \[ %Q_c \gets \langle % (x_0) || (x_i)_{i \not\in \mathcal H}, % (1) || (m_i)_{i \not\in \mathcal H}, %\rangle P. Q_c \gets \Big( x_0 + \sum_{i \not\in \mathcal H} x_i m_i \Big) P. \]
    3. The issuer selects randomness \( r \xleftarrow{\$} \mathbb F_p \) to compute \[ \operatorname{Enc}_D(Q_c) \gets (rB, Q_c + rD). \]
    4. The issuer uses \(E_i = \operatorname{Enc}_D(m_i B) \) to compute \[ \operatorname{Enc}_D(Q_b) \gets \sum_{i \in \mathcal H} b x_i \operatorname{Enc}_D(m_i B). \]
    5. The issuer computes \[ \operatorname{Enc}_D(Q) \gets \operatorname{Enc}_D(Q_c) + \operatorname{Enc}_D(Q_b). \]
    6. The issuer proves that it performed its steps correctly and issued a credential with respect to the correct issuance parameters: \[ \begin{aligned} \pi &\gets \operatorname{PK}\{ \\ &\mathtt{CorrectBlindIssuance}, \\ &( b, r, \mathbf x, \widetilde x_0, \mathbf t ), \\ &( P, D, (\operatorname{Enc}_D(m_i B))_{i \in \mathcal H}, \operatorname{Enc}_D(Q), \mathbf T ), \\ &(\mathbf X, B, \widetilde B) \; : \\ & X_0 = x_0 B + \widetilde x_0 \widetilde B, \\ & X_i = x_i \widetilde B \quad i = 1, \ldots, n, \\ & P = bB, \\ & T_i = bX_i, T_i = t_i \widetilde B \quad \forall i \in \mathcal H, \\ & \operatorname{Enc}_D(Q) = \Big( rB, \Big( x_0 + \sum_{i \not\in \mathcal H} x_i m_i \Big) P + rD \Big) + \sum_{i \in \mathcal H} t_i \operatorname{Enc}_D(m_i B) \\ \} \end{aligned} \] where \(t_i = bx_i\), \(T_i = t_i\widetilde B\) are auxiliary variables used to avoid writing statements involving secret products.
    7. The issuer sends \(P\), \(\operatorname{Enc}_D(Q)\), \(T_i\), and \(\pi\) to the client.
  3. Client. The client verifies the issuer's proof using the expected issuance parameters and decrypts \(\operatorname{Enc}_D(Q)\) to obtain the tag \((P,Q)\).

FIXME: the notation in this description is hard to follow.

1

Because the client knows their own ephemeral secret, assuming an optimized fixed-base scalar multiplication is available, this can be optimized as \[ (E_{i,0}, E_{i,1}) \gets (r_i B, (m_i + r_i d)B) = (r_i B, m_i B + r_i D). \]

2

Since \( P = pB \), this can also be optimized as a fixed-base scalar multiplication.