Merge pull request #2 from rarimo/fix/salted-dg2-hash

add blinder to the document nullifier
rarimo · Feb 14, 2024 · 8cd094d · 8cd094d
2 parents bb9e5a7 + 1f1f97d
commit 8cd094d
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 5 deletions.
diff --git a/config.yaml b/config.yaml
@@ -2,6 +2,7 @@ verifier:
   verification_key_path: "./verification_key.json"
   master_certs_path: "./masterList.dev.pem"
   allowed_age: 18
+  blinder: 1 # big value required
 
 issuer:
   base_url: "http://localhost:3002/v1"

diff --git a/internal/config/verifier.go b/internal/config/verifier.go
@@ -4,6 +4,8 @@ import (
 	"gitlab.com/distributed_lab/figure/v3"
 	"gitlab.com/distributed_lab/kit/comfig"
 	"gitlab.com/distributed_lab/kit/kv"
+	"gitlab.com/distributed_lab/logan/v3/errors"
+	"math/big"
 	"os"
 )
 
@@ -15,6 +17,7 @@ type VerifierConfig struct {
 	VerificationKey []byte
 	MasterCerts     []byte
 	AllowedAge      int
+	Blinder         *big.Int
 }
 
 type verifier struct {
@@ -34,6 +37,7 @@ func (v *verifier) VerifierConfig() *VerifierConfig {
 			VerificationKeyPath string `fig:"verification_key_path,required"`
 			MasterCertsPath     string `fig:"master_certs_path,required"`
 			AllowedAge          int    `fig:"allowed_age,required"`
+			Blinder             string `fig:"blinder,required"`
 		}{}
 
 		err := figure.
@@ -54,10 +58,16 @@ func (v *verifier) VerifierConfig() *VerifierConfig {
 			panic(err)
 		}
 
+		blinder, ok := new(big.Int).SetString(newCfg.Blinder, 10)
+		if !ok {
+			panic(errors.New("failed to set blinder string to big.Int"))
+		}
+
 		return &VerifierConfig{
 			VerificationKey: verificationKey,
 			MasterCerts:     masterCerts,
 			AllowedAge:      newCfg.AllowedAge,
+			Blinder:         blinder,
 		}
 	}).(*VerifierConfig)
 }
diff --git a/internal/service/api/handlers/create_identity.go b/internal/service/api/handlers/create_identity.go
@@ -150,9 +150,9 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) {
 			return errors.Wrap(err, "failed to convert string to int")
 		}
 
-		claimID, err = iss.IssueClaim(
+		claimID, err = iss.IssueVotingClaim(
 			req.Data.ID, int64(issuingAuthority), true, identityExpiration,
-			encapsulatedData.PrivateKey.El2.OctetStr.Bytes,
+			encapsulatedData.PrivateKey.El2.OctetStr.Bytes, cfg.Blinder,
 		)
 		if err != nil {
 			ape.RenderErr(w, problems.InternalError())

diff --git a/internal/service/issuer/main.go b/internal/service/issuer/main.go
@@ -34,12 +34,22 @@ func (is *Issuer) DID() string {
 	return is.did
 }
 
-func (is *Issuer) IssueClaim(
-	id string, issuingAuthority int64, isAdult bool, expiration *time.Time, dg2 []byte,
+func (is *Issuer) IssueVotingClaim(
+	id string, issuingAuthority int64, isAdult bool, expiration *time.Time, dg2 []byte, blinder *big.Int,
 ) (string, error) {
 	var result UUIDResponse
 
-	nullifierHash, err := poseidon.HashBytes(dg2)
+	nullifierHashInput := make([]*big.Int, 0)
+	if len(dg2) >= 32 {
+		// break data in a half
+		nullifierHashInput = append(nullifierHashInput, new(big.Int).SetBytes(dg2[:len(dg2)/2]))
+		nullifierHashInput = append(nullifierHashInput, new(big.Int).SetBytes(dg2[len(dg2)/2:]))
+	} else {
+		nullifierHashInput = append(nullifierHashInput, new(big.Int).SetBytes(dg2))
+	}
+	nullifierHashInput = append(nullifierHashInput, blinder)
+
+	nullifierHash, err := poseidon.Hash(nullifierHashInput)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to hash bytes")
 	}