AttributeNames
, the issuer's key pair is generated in the following manner:r
: A random element t1
: Computed as t2
: Computed as C
: s
: AttributeNames
. Next, calculate HAttrs[i] = random(G1)
for each attribute in AttributeNames
HRand
And HSk
from ipk = (w, _g1, _g2, π, HAttrs, AttributeNames, HRand, HSk)
, and the private key is set to isk = x
7. Return isk
and ipk
zk-PoK
of the BBS+signature
on the attributes and the Nym
B = g1 · HRand^s · Nym · MulAll(HAttrs[i]^(Attrs[i]))
A = B^(1/(e+x))
(A, B, e, s)
D[j] == 1
, I[j] = attrs[j] = aj
, else I[j] = null
_A/B' = A'^(-e) · HRand^r2
g1 · MulAll(hi^ai_reveal) = (B')^r3 · HRand^(-s') · HSk^(-sk) ·MulAll(hi^(-ai_hidden))
, where hi
stands for HAttrs[i]
A' != 1
in G1; if false, return false
.e(A', w) == e(_A, g2)
; if false, return false
. This is {c, s_sk, {s_ai}, s_e, s_r2, s_r3, s_s', nonce} <- π
; if failed, return false
.~t1 = A'^s_e · HRand^s_r2 · (_A/B')^(-c)
. This is (B')^s_r3 · HRand^s_s' · HSk^(-s_sk) · MulAll(hi^(-s_ai)) · (g1·MulAll(hi^ai))^(-c)
i
above, first MulAll( )
belongs to _D
, where D[i]==0(false)
i
above, second MulAll( )
belongs to D
, where D[i]==1(true)
c' = H(nonce, H(A', _A, B', nym, ~t1, ~t2, g1, HRand, h1, ... , hL, w), (D, I))
c == c'
: if false, return false
. Otherwise return true
.