Key Generation

The following procedure defines common parameters for all credentials:

  • Setup. Choose \(\mathbb G\) a group of prime order \(p\). \( \mathbb G \) should be equipped with a hash-to-group method suitable for choosing orthogonal generators. Select orthogonal generators \(B, \widetilde B\).

To issue credentials, the issuer generates issuance secrets, which are used to create and verify credentials, and issuance parameters, which commit to the issuance secrets and are used by clients to verify that their credentials are issued with respect to the same issuance secrets as all other clients, preventing key partitioning attacks.

  • Key Generation. Choose a \(\mathsf{MAC_{GGM}}\) secret \( \mathbf x = (x_0, x_1, \ldots, x_n) \xleftarrow{\$} \mathbb F_p^{n+1} \). Also select a blinding factor \( \widetilde x_0 \xleftarrow{\$} \mathbb F_p \), then compute \( X_0 = x_0 B + \widetilde x_0 \widetilde B \) and \( X_i = x_i \widetilde B \) for \( i = 1, \ldots, n\).

    The issuance secrets are \((\mathbf x, \widetilde x_0)\) and the issuance parameters are \(\mathbf X\).

FIXME: rewrite to make pedersen commitment structure more clear?