FIXME: change description to explain why this works

Credential presentation is an online protocol with the following steps. As in the description of issuance, the set of hidden attribute indexes is denoted by \(\mathcal H \subseteq \{1, \ldots, n\}\). However, the set \(\mathcal H\) need not be the same – different sets of attributes can be hidden or revealed between issuance and presentation.

  1. Client. Given attributes \(\mathbf m\) and a previously issued tag \(P_0, Q_0\), the client proceeds as follows.
    1. The client re-randomizes the tag by choosing \(t \xleftarrow{\$} \mathbb F_p\) and computing \((P, Q) \gets (t P_0, t Q_0)\).
    2. The client commits to the hidden attributes by choosing \( \widetilde m_i \xleftarrow{\$} \mathbb F_p \) and computing \( \operatorname{Com}(m_i) = m_i P + \widetilde m_i \widetilde B \) for each \(i \in \mathcal H\). Notice that the Pedersen commitments are made with respect to the Pedersen generators \((P, \widetilde B)\) rather than \((B, \widetilde B)\).
    3. The client commits to \(Q\) by choosing \( r_Q \xleftarrow{\$} \mathbb F_p \) and computing \( C_Q \gets Q + r_QB \).
    4. The client uses the issuance parameters to compute a correction term \( V \gets \sum_{i \in \mathcal H} \widetilde m_i X_i - r_QB \).
    5. The client proves that the commitments and the correction term were computed correctly: \[ \begin{aligned} \pi &\gets \operatorname{PK}\{ \\ &\mathtt{ClientPresentation}, \\ &(r_Q, (m_i, \widetilde m_i)_{i \in \mathcal H}), \\ &(P, V, (\operatorname{Com}(m_i))_{i \in \mathcal H}), \\ &(B, \widetilde B) \; : \\ & \operatorname{Com}(m_i) = m_i P + \widetilde m_i \widetilde B \quad \forall i \in \mathcal H \\ & V = \sum_{i \in \mathcal H} \widetilde m_i X_i - r_Q B \\ \} \end{aligned} \]
    6. The client sends \(P\), \(C_Q\), \((\operatorname{Com}(m_i))_{i \in \mathcal H}\), \((m_i)_{i \not\in \mathcal H}\), and \(\pi\) to the issuer.
  2. Issuer. The issuer computes \(V\) as \[ V \gets \Big( x_0 + \sum_{i \not\in \mathcal H} x_i m_i \Big) P + \sum_{i \in \mathcal H} x_i \operatorname{Com}(m_i) - C_Q \] and uses \(V\) to verify \(\pi\).