Merge pull request #274 from decentralized-identity/vasilis/no-header…

…-ph-fixtures

Add no header/ph fixtures

draft-irtf-cfrg-bbs-signatures.md

@@ -542,14 +542,14 @@ Procedure:
 7.  B = P1 + Q_1 * domain + H_1 * msg_1 + ... + H_L * msg_L
 8.  Abar = A * r1
 9.  Bbar = B * r1 - Abar * e
-10. C = Bbar * r2 + Abar * r3 + H_j1 * m~_j1 + ... + H_jU * m~_jU
+10. C =  Abar * r2 + Bbar * r3 + H_j1 * m~_j1 + ... + H_jU * m~_jU
 11. c = calculate_challenge(Abar, Bbar, C, (i1, ..., iR),
                             (msg_i1, ..., msg_iR), domain, ph)
 12. r4 = - r1^-1 (mod r)
-13. r2^ = r2 + r4 * c (mod r)
-14. r3^ = r3 + e * r4 * c (mod r)
+13. r2^ = r2 + e * r4 * c (mod r)
+14. r3^ = r3 + r4 * c (mod r)
 15. for j in (j1, ..., jU): m^_j = m~_j + msg_j * c (mod r)
-16. proof = (Abar, Bbar, c, r2^, r3^, (m^_j1, ..., m^_jU))
+16. proof = (Abar, Bbar, r2^, r3^, (m^_j1, ..., m^_jU), c)
 17. return proof_to_octets(proof)
 ```
 
@@ -606,7 +606,7 @@ Deserialization:
 
 1.  proof_result = octets_to_proof(proof)
 2.  if proof_result is INVALID, return INVALID
-3.  (Abar, Bbar, c, r2^, r3^, commitments) = proof_result
+3.  (Abar, Bbar, r2^, r3^, commitments, c) = proof_result
 4.  W = octets_to_pubkey(PK)
 5.  if W is INVALID, return INVALID
 6.  U = length(commitments)
@@ -630,7 +630,7 @@ Procedure:
 4.  (H_j1, ..., H_jU) = (MsgGenerators[j1], ..., MsgGenerators[jU])
 5.  domain = calculate_domain(PK, Q_1, (H_1, ..., H_L), header)
 6.  D = P1 + Q_1 * domain + H_i1 * msg_i1 + ... + H_iR * msg_iR
-7.  C = Bbar * r2^ + Abar * r3^ + H_j1 * m^_j1 + ... + H_jU * m^_jU + D * c
+7.  C = Abar * r2^ + Bbar * r3^ + H_j1 * m^_j1 + ... +  H_jU * m^_jU + D * c
 8.  cv = calculate_challenge(Abar, Bbar, C, (i1, ..., iR),
                              (msg_i1, ..., msg_iR), domain, ph)
 9.  if c != cv, return INVALID
@@ -1129,8 +1129,8 @@ Outputs:
 
 Procedure:
 
-1. (Abar, Bbar, c, r2^, r3^, (m^_1, ..., m^_U)) = proof
-2. return serialize((Abar, Bbar, c, r2^, r3^, m^_1, ..., m^_U))
+1. (Abar, Bbar, r2^, r3^, (m^_1, ..., m^_U), c) = proof
+2. return serialize((Abar, Bbar, r2^, r3^, m^_1, ..., m^_U, c))
 ```
 
 ### Octets to Proof
@@ -1140,8 +1140,9 @@ This operation describes how to decode an octet string representing a proof, val
 The proof value outputted by this operation consists of the following components, in that order:
 
 1. Two (2) valid points of the G1 subgroup, each of which must not equal the identity point.
-2. Three (3) integers representing scalars in the range of 1 to r-1 inclusive.
+2. Two (2) integers representing scalars in the range of 1 to r-1 inclusive.
 3. A set of integers representing scalars in the range of 1 to r-1 inclusive, corresponding to the undisclosed from the proof message commitments. This set can be empty (i.e., "()").
+4. One (1) integer representing a scalar in the range of 1 to r-1 inclusive, corresponding to the proof's challenge (`c`).
 
 ```
 proof = octets_to_proof(proof_octets)
@@ -1179,7 +1180,7 @@ Procedure:
 7.      if A_i is INVALID or Identity_G1, return INVALID
 8.      index += octet_point_length
 
-// Scalars (i.e., (c, r2^, r3^, (m^_j1, ..., m^_jU)) in
+// Scalars (i.e., (r2^, r3^, m^_j1, ..., m^_jU, c) in
 // ProofGen) de-serialization.
 9.  j = 0
 10. while index < length(proof_octets):
@@ -1191,8 +1192,8 @@ Procedure:
 
 16. if index != length(proof_octets), return INVALID
 17. msg_commitments = ()
-18. If j > 3, set msg_commitments = (s_3, ..., s_(j-1))
-19. return (A_0, A_1, s_0, s_1, s_2, msg_commitments)
+18. If j > 3, set msg_commitments = (s_2, ..., s_(j-2))
+19. return (A_0, A_1, s_0, s_1, msg_commitments, s_(j-1))
 ```
 
 ### Octets to Public Key
@@ -1995,7 +1996,17 @@ BBS signatures when applied to the problem space of identity credentials can hel
 
 ## BLS12-381-SHAKE-256 Ciphersuite
 
-### Modified Message Signature
+### Signature Test Vectors
+
+#### No Header Valid Signature
+
+Using the messages defined in (#messages), with no header, along with the SK and PK values defined in (#key-pair) results in the following signature value
+
+```
+{{ $signatureFixtures.bls12-381-shake-256.signature010.signature }}
+```
+
+#### Modified Message Signature
 
 Using the following header
 
@@ -2017,7 +2028,7 @@ With the following signature
 
 Along with the PK value as defined in (#key-pair) as inputs into the Verify operation should fail signature validation due to the message value being different from what was signed
 
-### Extra Unsigned Message Signature
+#### Extra Unsigned Message Signature
 
 Using the following header
 
@@ -2041,7 +2052,7 @@ With the following signature (which is a signature to only the first of the abov
 
 Along with the PK value as defined in (#key-pair) as inputs into the Verify operation should fail signature validation due to an additional message being supplied that was not signed.
 
-### Missing Message Signature
+#### Missing Message Signature
 
 Using the following header
 
@@ -2065,7 +2076,7 @@ With the following signature (which is a signature on all the messages defined i
 
 Along with the PK value as defined in (#key-pair) as inputs into the Verify operation should fail signature validation due to missing messages that were originally present during the signing.
 
-### Reordered Message Signature
+#### Reordered Message Signature
 
 Using the following header
 
@@ -2105,7 +2116,7 @@ With the following signature
 
 Along with the PK value as defined in (#key-pair) as inputs into the Verify operation should fail signature validation due to messages being re-ordered from the order in which they were signed
 
-### Wrong Public Key Signature
+#### Wrong Public Key Signature
 
 Using the following header
 
@@ -2121,7 +2132,7 @@ And the messages as defined in (#messages), mapped to the scalars in (#map-messa
 
 Along with the PK value as defined in (#key-pair) as inputs into the Verify operation should fail signature validation due to public key used to verify is in-correct
 
-### Wrong Header Signature
+#### Wrong Header Signature
 
 Using the following header
 
@@ -2137,6 +2148,31 @@ And the messages as defined in (#messages) and with the following signature
 
 Along with the PK value as defined in (#key-pair) as inputs into the Verify operation should fail signature validation due to header value being modified from what was originally signed
 
+### Proof Test Vectors
+
+#### No Header Valid Proof
+
+Using messages, PK and signature as in [No Header Valid Signature](#no-header-valid-signature), with only every other messages disclosed (messages in index 0, 2, 4 and 6, in that order), with no header and the following presentation header
+
+```
+{{ $proofFixtures.bls12-381-shake-256.proof014.presentationHeader }}
+```
+
+while using the mocked rng defined in (#mocked-random-scalars), will result to the following proof value
+
+```
+{{ $proofFixtures.bls12-381-shake-256.proof014.proof }}
+```
+
+#### No Presentation Header Valid Proof
+
+Using the same header, PK, messages and signature as in [Multi-Message, All Messages Disclosed Proof](#valid-multi-message-all-messages-disclosed-proof), with every other message disclosed (messages in index 0, 2, 4 and 6, in that order), with no presentation header, while using the mocked rng defined in (#mocked-random-scalars), will result to the following proof value
+
+```
+{{ $proofFixtures.bls12-381-shake-256.proof015.proof }}
+```
+
+
 ### Hash to Scalar Test Vectors
 
 Using the following input message,
@@ -2159,7 +2195,17 @@ We get the following scalar, encoded with I2OSP and represented in big endian or
 
 ## BLS12-381-SHA-256 Ciphersuite
 
-### Modified Message Signature
+### Signature Test Vectors
+
+#### No Header Valid Signature
+
+Using the messages defined in (#messages), with no header, along with the SK and PK values defined in (#key-pair-1) results in the following signature value
+
+```
+{{ $signatureFixtures.bls12-381-sha-256.signature010.signature }}
+```
+
+#### Modified Message Signature
 
 Using the following header
 
@@ -2181,7 +2227,7 @@ With the following signature
 
 Along with the PK value as defined in (#key-pair-1) as inputs into the Verify operation should fail signature validation due to the message value being different from what was signed.
 
-### Extra Unsigned Message Signature
+#### Extra Unsigned Message Signature
 
 Using the following header
 
@@ -2205,7 +2251,7 @@ With the following signature (which is a signature to only the first of the abov
 
 Along with the PK value as defined in (#key-pair-1) as inputs into the Verify operation should fail signature validation due to an additional message being supplied that was not signed.
 
-### Missing Message Signature
+#### Missing Message Signature
 
 Using the following header
 
@@ -2229,7 +2275,7 @@ With the following signature (which is a signature on all the messages defined i
 
 Along with the PK value as defined in (#key-pair-1) as inputs into the Verify operation should fail signature validation due to missing messages that were originally present during the signing.
 
-### Reordered Message Signature
+#### Reordered Message Signature
 
 Using the following header
 
@@ -2269,7 +2315,7 @@ With the following signature
 
 Along with the PK value as defined in (#key-pair-1) as inputs into the Verify operation should fail signature validation due to messages being re-ordered from the order in which they were signed.
 
-### Wrong Public Key Signature
+#### Wrong Public Key Signature
 
 Using the following header
 
@@ -2285,7 +2331,7 @@ And the messages as defined in (#messages) and with the following signature
 
 Along with the PK value as defined in (#key-pair-1) as inputs into the Verify operation should fail signature validation due to public key used to verify is in-correct.
 
-### Wrong Header Signature
+#### Wrong Header Signature
 
 Using the following header
 
@@ -2301,6 +2347,30 @@ And the messages as defined in (#messages) and with the following signature
 
 Along with the PK value as defined in (#key-pair-1) as inputs into the Verify operation should fail signature validation due to header value being modified from what was originally signed.
 
+### Proof Test Vectors
+
+#### No Header Valid Proof
+
+Using messages, PK and signature as in [No Header Valid Signature](#no-header-valid-signature-1), with only every other messages disclosed (messages in index 0, 2, 4 and 6, in that order), with no header and the following presentation header
+
+```
+{{ $proofFixtures.bls12-381-sha-256.proof014.presentationHeader }}
+```
+
+while using the mocked rng defined in (#mocked-random-scalars), will result to the following proof value
+
+```
+{{ $proofFixtures.bls12-381-sha-256.proof014.proof }}
+```
+
+#### No Presentation Header Valid Proof
+
+Using the same header, PK, messages and signature as in [Multi-Message, All Messages Disclosed Proof](#valid-multi-message-all-messages-disclosed-proof-1), with every other message disclosed (messages in index 0, 2, 4 and 6, in that order), with no presentation header, while using the mocked rng defined in (#mocked-random-scalars), will result to the following proof value
+
+```
+{{ $proofFixtures.bls12-381-sha-256.proof015.proof }}
+```
+
 ### Hash to Scalar Test Vectors
 
 Using the following input message,

tooling/fixtures/fixture_data/bls12-381-sha-256/proof/proof001.json

@@ -6,7 +6,7 @@
   "revealedMessages": {
     "0": "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a45f02"
   },
-  "proof": "8e9bc91d68151e4b105ec0d46ca95fe1526672bed27b26541a648ec990b3b11b8905e671fb981f1b9cd1ed64167a7ba18b7697d9bd6f3cac02f75551f2db95bf2707e3790c10d815346a96198327cc7048f220bdc7d6fc5ec41c6d9f89d607ff6e5d45c7116e54ebbb28aaf71154ee7126ec5592ae6cc373e3477d45a0a409585277a3f99826146887ac6f7cb39acd837e987e2db04d07383062edd741c83eb439c52e4ae9fce2b1a882f2df186eec8c9451a2e2fc5cf494146918c587a12e75",
+  "proof": "8e9bc91d68151e4b105ec0d46ca95fe1526672bed27b26541a648ec990b3b11b8905e671fb981f1b9cd1ed64167a7ba18b7697d9bd6f3cac02f75551f2db95bf2707e3790c10d815346a96198327cc7048f220bdc7d6fc5ec41c6d9f89d607ff6ef2eef19447b3e34a14660eedb8b4f6189f202a4fef22e60dd23041e2761a9f18701019b520ed3ccf07a298e349222ab059e7ebd84c65e3a2127ec42f5f357c27d5601b2193b697a576fd9bd896c25a75004f6604a98707741916769c49175f",
   "result": {
     "valid": true
   }

tooling/fixtures/fixture_data/bls12-381-sha-256/proof/proof002.json

@@ -15,7 +15,7 @@
     "8": "96012096",
     "9": ""
   },
-  "proof": "89910f223320044fe6342b8dabfeac786f35cc98bb64c95ecb39348281d5a8c84e975581b5f37ec45c8bc4cda486d5e2a20e007d0dd0fba77f846dfe3458fc01ff94a49c058550684638e1b88b61e8d69a1453652477af005d42cdb2d57e86b071951a701909a2fcadf08304f7d17495e03c07ea5854cd18c969063eced31c42345ccb154cefbf42eca0f0dcfd3d2370d56c247955f0b0ea6fd97bfd29cbe9755e902bf83ecf5949a9a4b4351814e5b2a7ebe74da74ec7c61ac4975a085cefb6",
+  "proof": "89910f223320044fe6342b8dabfeac786f35cc98bb64c95ecb39348281d5a8c84e975581b5f37ec45c8bc4cda486d5e2a20e007d0dd0fba77f846dfe3458fc01ff94a49c058550684638e1b88b61e8d69a1453652477af005d42cdb2d57e86b03a2cf88bc0bac5a3d12a1c0717b9ea8d42ecdb746f522edfc15910574b289faa0438d6516504a7a66ce180b2271101d87519cad823f03f266f66649b388e680a58a6e7ae4982ae797890d5d0b574fa73a7ae7023d4dd9f8a9b3a11f208256d7c",
   "result": {
     "valid": true
   }

tooling/fixtures/fixture_data/bls12-381-sha-256/proof/proof003.json

@@ -9,7 +9,7 @@
     "4": "496694774c5604ab1b2544eababcf0f53278ff50",
     "6": "d183ddc6e2665aa4e2f088af"
   },
-  "proof": "812a204f66c9084feed7383894d910f2c17399b3c4b4bed05660921de8539f5042318c356609496a6ca0a26626661be78ca723b7182ccd314924b93a3997654fcd77e29e3847dc881f422a751017705173ec094d2997221e134710d4fff1bd335141e3727ea61ede2644833a1153c11e79737b75afd2b94729d00be2e5faa5ab47e0deff12c70e1be2bab6c1a663fc28f8aa37ae7c1f8494b72dd8ad430da4561c64e9e11c2f4283e8e25282d4a5c9d72d2d856a0b3141668c9304467f403d9a06448d69c21da1822d9a857e66fcbf6bb2884e0aaa4e2e78295d63c1304968230ac5f09570f76affa7eaed15709a8fa361aeccda9cfb50c8fed9844f1fab9645033f7d923b46d193107cb8b7064e4f21c536a6528635d5b78dc721b1ca7f296918fd8430f8d647aecb7d1ed7d123dc8514027bdcb093340797e4d72cc35f9c111c06100844d2498bdc1106847e373143267a325d10ebca86fb71fbc066fa41dd32b2f1e0cf27a7c1bd17c09963d32ff3e05bcf547e91828e52738624618791ab",
+  "proof": "812a204f66c9084feed7383894d910f2c17399b3c4b4bed05660921de8539f5042318c356609496a6ca0a26626661be78ca723b7182ccd314924b93a3997654fcd77e29e3847dc881f422a751017705173ec094d2997221e134710d4fff1bd33111a4b4fc79a2201d18b5cc63fab1252def0d4f020129c7e022f56f505aa977a7240da430bc60a2d4d17897b42228054a2fb4f780fb710268ebea24c9fb0e15e2ac415b99a232b13bfd215af3fb35f5518953eaccc200555eaa69ae434eb623f0a83bb57a8a8e70ba37761ffaeb756d9115c1177ce929f04be23b5636120c7ac0a73546f177a3c3be2d233b3253f31c3468260723c1afa2d0febd38161e16ed0147369bda8b05ec3f6183239c6ecb9fb54b0989160e8cdf8b9f0cf4a46a2150232d96c466fad2d60ff067492c52cc6af1d16e62364ed6d3dc19feaf1fcf9c12750301c2de6541c0edce5ede7425f75e01fd94a7e6137ebf23460bf3f1afec9f21767c467fdd882eb038492a390ee5d0c0f72f50f2ac5cedb705fc465f7bc093b",
   "result": {
     "valid": true
   }

tooling/fixtures/fixture_data/bls12-381-sha-256/proof/proof004.json

@@ -9,7 +9,7 @@
     "4": "496694774c5604ab1b2544eababcf0f53278ff50",
     "6": "d183ddc6e2665aa4e2f088af"
   },
-  "proof": "812a204f66c9084feed7383894d910f2c17399b3c4b4bed05660921de8539f5042318c356609496a6ca0a26626661be78ca723b7182ccd314924b93a3997654fcd77e29e3847dc881f422a751017705173ec094d2997221e134710d4fff1bd335141e3727ea61ede2644833a1153c11e79737b75afd2b94729d00be2e5faa5ab47e0deff12c70e1be2bab6c1a663fc28f8aa37ae7c1f8494b72dd8ad430da4561c64e9e11c2f4283e8e25282d4a5c9d72d2d856a0b3141668c9304467f403d9a06448d69c21da1822d9a857e66fcbf6bb2884e0aaa4e2e78295d63c1304968230ac5f09570f76affa7eaed15709a8fa361aeccda9cfb50c8fed9844f1fab9645033f7d923b46d193107cb8b7064e4f21c536a6528635d5b78dc721b1ca7f296918fd8430f8d647aecb7d1ed7d123dc8514027bdcb093340797e4d72cc35f9c111c06100844d2498bdc1106847e373143267a325d10ebca86fb71fbc066fa41dd32b2f1e0cf27a7c1bd17c09963d32ff3e05bcf547e91828e52738624618791ab",
+  "proof": "812a204f66c9084feed7383894d910f2c17399b3c4b4bed05660921de8539f5042318c356609496a6ca0a26626661be78ca723b7182ccd314924b93a3997654fcd77e29e3847dc881f422a751017705173ec094d2997221e134710d4fff1bd33111a4b4fc79a2201d18b5cc63fab1252def0d4f020129c7e022f56f505aa977a7240da430bc60a2d4d17897b42228054a2fb4f780fb710268ebea24c9fb0e15e2ac415b99a232b13bfd215af3fb35f5518953eaccc200555eaa69ae434eb623f0a83bb57a8a8e70ba37761ffaeb756d9115c1177ce929f04be23b5636120c7ac0a73546f177a3c3be2d233b3253f31c3468260723c1afa2d0febd38161e16ed0147369bda8b05ec3f6183239c6ecb9fb54b0989160e8cdf8b9f0cf4a46a2150232d96c466fad2d60ff067492c52cc6af1d16e62364ed6d3dc19feaf1fcf9c12750301c2de6541c0edce5ede7425f75e01fd94a7e6137ebf23460bf3f1afec9f21767c467fdd882eb038492a390ee5d0c0f72f50f2ac5cedb705fc465f7bc093b",
   "result": {
     "valid": false,
     "reason": "different presentation header"

tooling/fixtures/fixture_data/bls12-381-sha-256/proof/proof005.json

@@ -9,7 +9,7 @@
     "4": "496694774c5604ab1b2544eababcf0f53278ff50",
     "6": "d183ddc6e2665aa4e2f088af"
   },
-  "proof": "812a204f66c9084feed7383894d910f2c17399b3c4b4bed05660921de8539f5042318c356609496a6ca0a26626661be78ca723b7182ccd314924b93a3997654fcd77e29e3847dc881f422a751017705173ec094d2997221e134710d4fff1bd335141e3727ea61ede2644833a1153c11e79737b75afd2b94729d00be2e5faa5ab47e0deff12c70e1be2bab6c1a663fc28f8aa37ae7c1f8494b72dd8ad430da4561c64e9e11c2f4283e8e25282d4a5c9d72d2d856a0b3141668c9304467f403d9a06448d69c21da1822d9a857e66fcbf6bb2884e0aaa4e2e78295d63c1304968230ac5f09570f76affa7eaed15709a8fa361aeccda9cfb50c8fed9844f1fab9645033f7d923b46d193107cb8b7064e4f21c536a6528635d5b78dc721b1ca7f296918fd8430f8d647aecb7d1ed7d123dc8514027bdcb093340797e4d72cc35f9c111c06100844d2498bdc1106847e373143267a325d10ebca86fb71fbc066fa41dd32b2f1e0cf27a7c1bd17c09963d32ff3e05bcf547e91828e52738624618791ab",
+  "proof": "812a204f66c9084feed7383894d910f2c17399b3c4b4bed05660921de8539f5042318c356609496a6ca0a26626661be78ca723b7182ccd314924b93a3997654fcd77e29e3847dc881f422a751017705173ec094d2997221e134710d4fff1bd33111a4b4fc79a2201d18b5cc63fab1252def0d4f020129c7e022f56f505aa977a7240da430bc60a2d4d17897b42228054a2fb4f780fb710268ebea24c9fb0e15e2ac415b99a232b13bfd215af3fb35f5518953eaccc200555eaa69ae434eb623f0a83bb57a8a8e70ba37761ffaeb756d9115c1177ce929f04be23b5636120c7ac0a73546f177a3c3be2d233b3253f31c3468260723c1afa2d0febd38161e16ed0147369bda8b05ec3f6183239c6ecb9fb54b0989160e8cdf8b9f0cf4a46a2150232d96c466fad2d60ff067492c52cc6af1d16e62364ed6d3dc19feaf1fcf9c12750301c2de6541c0edce5ede7425f75e01fd94a7e6137ebf23460bf3f1afec9f21767c467fdd882eb038492a390ee5d0c0f72f50f2ac5cedb705fc465f7bc093b",
   "result": {
     "valid": false,
     "reason": "wrong public key"