authorKarn Seth <karn@google.com>2023-04-27 17:32:03 -0400
committerKarn Seth <karn@google.com>2023-04-27 17:32:03 -0400
commitad12d055c6eb4bee2565d9dc125d9ebe95db1dc4 (patch)
treed7b2601f433b5944e799a291ea1d374bd7b5f2fa
parent827d2aa796804f9ed28fc1c35ada56e0c62800be (diff)
downloadanonymous-counting-tokens-ad12d055c6eb4bee2565d9dc125d9ebe95db1dc4.tar.gz
adds additional parameters, updates protos
-rw-r--r--act/act.proto6
-rw-r--r--act/act_v0/BUILD6
-rw-r--r--act/act_v0/act_v0.cc8
-rw-r--r--act/act_v0/act_v0_test.cc3
-rw-r--r--act/act_v0/parameters.cc37
-rw-r--r--act/act_v0/parameters.h18
-rw-r--r--act/act_v0/parameters_test.cc45
-rw-r--r--act/fake_act.cc3
8 files changed, 103 insertions, 23 deletions
diff --git a/act/act.proto b/act/act.proto
index f40f608..1c39823 100644
--- a/act/act.proto
+++ b/act/act.proto
@@ -91,10 +91,12 @@ message TokensResponse {
// An actual token recovered from the TokenResponse.
message Token {
- // Serialized BigNum corresponding to the nonce for this token.
- string nonce = 1;
+ reserved 1;
oneof token_oneof {
TokenV0 token_v0 = 2;
}
+
+ // Serialized BigNum corresponding to the nonce for this token.
+ bytes nonce_bytes = 3;
}
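Review bot: `reserved 1;` retires the field number but leaves the name `nonce` free for reuse, which matters for text-format and JSON encodings that key on field names; adding `reserved "nonce";` next to it would close that. The comment on `nonce_bytes` could also record the migration, for example `// Replaces the former string field nonce = 1, which this version no longer reads.`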
diff --git a/act/act_v0/BUILD b/act/act_v0/BUILD
index 64dacac..073d2fa 100644
--- a/act/act_v0/BUILD
+++ b/act/act_v0/BUILD
@@ -50,10 +50,7 @@ cc_library(
"@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:bb_oblivious_signature_cc_proto",
"@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:dy_verifiable_random_function",
"@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:dy_verifiable_random_function_cc_proto",
- "@private_join_and_compute//private_join_and_compute/crypto/proto:big_num_cc_proto",
- "@private_join_and_compute//private_join_and_compute/crypto/proto:camenisch_shoup_cc_proto",
"@private_join_and_compute//private_join_and_compute/crypto/proto:ec_point_cc_proto",
- "@private_join_and_compute//private_join_and_compute/crypto/proto:pedersen_cc_proto",
"@private_join_and_compute//private_join_and_compute/crypto/proto:proto_util",
"@private_join_and_compute//private_join_and_compute/util:status_includes",
],
@@ -69,14 +66,11 @@ cc_test(
"//act",
"//act:act_cc_proto",
"@com_github_google_googletest//:gtest_main",
- "@com_google_absl//absl/strings",
"@private_join_and_compute//private_join_and_compute/crypto:bn_util",
"@private_join_and_compute//private_join_and_compute/crypto:camenisch_shoup",
"@private_join_and_compute//private_join_and_compute/crypto:ec_util",
"@private_join_and_compute//private_join_and_compute/crypto:pedersen_over_zn",
- "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:bb_oblivious_signature",
"@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:bb_oblivious_signature_cc_proto",
- "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:dy_verifiable_random_function",
"@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:dy_verifiable_random_function_cc_proto",
"@private_join_and_compute//private_join_and_compute/crypto/proto:big_num_cc_proto",
"@private_join_and_compute//private_join_and_compute/crypto/proto:camenisch_shoup_cc_proto",
diff --git a/act/act_v0/act_v0.cc b/act/act_v0/act_v0.cc
index a0bab22..01921a5 100644
--- a/act/act_v0/act_v0.cc
+++ b/act/act_v0/act_v0.cc
@@ -77,6 +77,8 @@ StatusOr<std::unique_ptr<DyVerifiableRandomFunction>> CreateDyVrf(
dy_vrf_parameters.set_random_oracle_prefix(
scheme_parameters_v0.random_oracle_prefix());
dy_vrf_parameters.set_dy_prf_base_g(server_public_parameters_v0.prf_base_g());
+ *dy_vrf_parameters.mutable_pedersen_parameters() =
+ server_public_parameters_v0.pedersen_parameters();
return DyVerifiableRandomFunction::Create(std::move(dy_vrf_parameters), ctx,
ec_group, pedersen);
@@ -846,7 +848,7 @@ StatusOr<std::vector<Token>> AnonymousCountingTokensV0::RecoverTokens(
for (size_t i = 0; i < messages.size(); ++i) {
Token token;
TokenV0* token_v0 = token.mutable_token_v0();
- token.set_nonce(nonces[i].ToBytes());
+ token.set_nonce_bytes(nonces[i].ToBytes());
ASSIGN_OR_RETURN(*token_v0->mutable_bb_signature(),
signatures[i].ToBytesCompressed());
tokens.push_back(std::move(token));
@@ -890,10 +892,10 @@ Status AnonymousCountingTokensV0::VerifyToken(
server_private_parameters_v0.bb_oblivious_signature_private_key().y());
BigNum hashed_message = ctx.RandomOracleSha512(m, ec_group.GetOrder());
- BigNum nonce = ctx.CreateBigNum(token.nonce());
+ BigNum nonce = ctx.CreateBigNum(token.nonce_bytes());
// Verify that reserializing the nonce comes out to the same value.
- if (nonce.ToBytes() != token.nonce()) {
+ if (nonce.ToBytes() != token.nonce_bytes()) {
return absl::InvalidArgumentError(
"AnonymousCountingTokensV0::VerifyToken: nonce comes out to different "
"value when serialized and deserialized.");
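Review bot: The round-trip comparison is the only validation of `nonce_bytes` visible in this hunk, and it does not obviously reject an empty field, which is what a token serialized with the old `nonce` field 1 will present to this code. Whether an empty string survives `CreateBigNum`/`ToBytes` unchanged depends on how BigNum encodes zero, which is not shown here. An explicit guard before the conversion, such as `if (token.nonce_bytes().empty()) return absl::InvalidArgumentError("AnonymousCountingTokensV0::VerifyToken: nonce_bytes is empty.");`, would make the rejection unambiguous and independent of that detail. VerifyToken starts and ends outside the hunk, so a later check may already cover this.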
diff --git a/act/act_v0/act_v0_test.cc b/act/act_v0/act_v0_test.cc
index 387a993..2c17471 100644
--- a/act/act_v0/act_v0_test.cc
+++ b/act/act_v0/act_v0_test.cc
@@ -677,7 +677,8 @@ TEST_F(AnonymousCountingTokensV0Test, TokensHaveUniqueNonces) {
std::vector<std::string> messages = {"message_1", "message_2"};
ASSERT_OK_AND_ASSIGN(Transcript transcript, GenerateTranscript(messages));
- EXPECT_NE(transcript.tokens[0].nonce(), transcript.tokens[1].nonce());
+ EXPECT_NE(transcript.tokens[0].nonce_bytes(),
+ transcript.tokens[1].nonce_bytes());
}
} // namespace
diff --git a/act/act_v0/parameters.cc b/act/act_v0/parameters.cc
index 8a2e6c5..e585177 100644
--- a/act/act_v0/parameters.cc
+++ b/act/act_v0/parameters.cc
@@ -80,5 +80,42 @@ SchemeParameters ActV0Batch32SchemeParameters() {
return scheme_parameters;
}
+// Returns parameters supporting 32 messages in a batch, with CS vector
+// encryption length set to 2, and modulus length 2048.
+SchemeParameters
+ActV0SchemeParametersPedersen32Modulus2048CamenischShoupVector2() {
+ int pedersen_batch_size = 32;
+ int modulus_length = 2048;
+ int camensich_shoup_vector_encryption_length = 2;
+
+ return ActV0SchemeParameters(pedersen_batch_size, modulus_length,
+ camensich_shoup_vector_encryption_length);
+}
+
+// Returns custom parameters.
+SchemeParameters ActV0SchemeParameters(int pedersen_batch_size,
+ int modulus_length_bits,
+ int camenisch_shoup_vector_length) {
+ std::string random_oracle_prefix = absl::StrCat(
+ "ActV0SchemeParametersPedersenBatchSize", pedersen_batch_size,
+ "ModulusLengthBits", modulus_length_bits, "CamenischShoupVectorLength",
+ camenisch_shoup_vector_length);
+
+ SchemeParameters scheme_parameters;
+ SchemeParametersV0* scheme_parameters_v0 =
+ scheme_parameters.mutable_scheme_parameters_v0();
+ scheme_parameters_v0->set_security_parameter(kDefaultSecurityParameter);
+ scheme_parameters_v0->set_challenge_length_bits(kDefaultChallengeLength);
+ scheme_parameters_v0->set_modulus_length_bits(modulus_length_bits);
+ scheme_parameters_v0->set_camenisch_shoup_s(kDefaultCamenischShoupS);
+ scheme_parameters_v0->set_vector_encryption_length(
+ camenisch_shoup_vector_length);
+ scheme_parameters_v0->set_pedersen_batch_size(pedersen_batch_size);
+ scheme_parameters_v0->set_prf_ec_group(kDefaultCurveId);
+ scheme_parameters_v0->set_random_oracle_prefix(random_oracle_prefix);
+
+ return scheme_parameters;
+}
+
} // namespace anonymous_counting_tokens
} // namespace private_join_and_compute
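Review bot: `ActV0SchemeParameters` writes its three int arguments straight into the proto with no range check, so zero, negative or very small values for `modulus_length_bits` yield a SchemeParameters object with no signal to the caller; whether later stages validate them is not visible here. Since this is a public factory for cryptographic parameters (declared in parameters.h with the same one-line comment), it should either reject out-of-range input, which would mean returning `StatusOr<SchemeParameters>`, or state the supported ranges in its comment. At minimum, replace `// Returns custom parameters.` with a comment saying which fields come from the kDefault* constants and that the random oracle prefix is derived from the three arguments. Separately, the local `camensich_shoup_vector_encryption_length` in the preset function is misspelled (`camenisch`).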
diff --git a/act/act_v0/parameters.h b/act/act_v0/parameters.h
index 288f237..5583adc 100644
--- a/act/act_v0/parameters.h
+++ b/act/act_v0/parameters.h
@@ -34,12 +34,26 @@ const int kDefaultModulusLengthBits = 3072;
// bits, smaller batch size of 3).
SchemeParameters ActV0TestSchemeParameters();
-// Returns parameters supporting 16 messages in a batch.
+// Returns parameters supporting 16 messages in a batch, with both Pedersen and
+// CS parameters set to 16, and modulus length 3072.
SchemeParameters ActV0Batch16SchemeParameters();
-// Returns parameters supporting 32 messages in a batch.
+// Returns parameters supporting 32 messages in a batch, with both Pedersen and
+// CS parameters set to 32, and modulus length 3072.
SchemeParameters ActV0Batch32SchemeParameters();
+// Returns parameters supporting 32 messages in a batch, with CS vector
+// encryption length set to 2, and modulus length 2048.
+//
+// These parameters are currently the best-optimized for performance.
+SchemeParameters
+ActV0SchemeParametersPedersen32Modulus2048CamenischShoupVector2();
+
+// Returns custom parameters.
+SchemeParameters ActV0SchemeParameters(int pedersen_batch_size,
+ int modulus_length_bits,
+ int camenisch_shoup_vector_length);
+
} // namespace anonymous_counting_tokens
} // namespace private_join_and_compute
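Review bot: The comment on `ActV0SchemeParametersPedersen32Modulus2048CamenischShoupVector2` recommends it as best-optimized for performance without saying that it lowers the modulus from `kDefaultModulusLengthBits` (3072) to 2048 bits. A caller choosing a preset from this header should see that trade-off next to the recommendation. Consider adding `// Uses a 2048-bit modulus instead of kDefaultModulusLengthBits (3072); pick this preset only where that security level is acceptable.`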
diff --git a/act/act_v0/parameters_test.cc b/act/act_v0/parameters_test.cc
index 04927e5..b275c00 100644
--- a/act/act_v0/parameters_test.cc
+++ b/act/act_v0/parameters_test.cc
@@ -33,8 +33,7 @@ namespace private_join_and_compute {
namespace anonymous_counting_tokens {
namespace {
-Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
- int num_messages) {
+Status EndToEndTest(SchemeParameters scheme_parameters, int num_messages) {
std::unique_ptr<AnonymousCountingTokens> act =
AnonymousCountingTokensV0::Create();
@@ -42,12 +41,17 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
ASSIGN_OR_RETURN(ServerParameters server_parameters,
act->GenerateServerParameters(scheme_parameters));
- // Generate client parameters.
+ // Generate client parameters and check them.
ASSIGN_OR_RETURN(
ClientParameters client_parameters,
act->GenerateClientParameters(scheme_parameters,
server_parameters.public_parameters()));
+ RETURN_IF_ERROR(act->CheckClientParameters(
+ scheme_parameters, client_parameters.public_parameters(),
+ server_parameters.public_parameters(),
+ server_parameters.private_parameters()));
+
// Generate messages.
std::vector<std::string> messages;
messages.reserve(num_messages);
@@ -55,7 +59,7 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
messages.push_back(absl::StrCat("message", i));
}
- // Generate Tokens Request.
+ // Generate Tokens Request and check it.
std::vector<std::string> client_fingerprints;
TokensRequest tokens_request;
TokensRequestPrivateState tokens_request_private_state;
@@ -66,14 +70,24 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
client_parameters.public_parameters(),
client_parameters.private_parameters(),
server_parameters.public_parameters()));
+ RETURN_IF_ERROR(act->CheckTokensRequest(
+ client_fingerprints, tokens_request, scheme_parameters,
+ client_parameters.public_parameters(),
+ server_parameters.public_parameters(),
+ server_parameters.private_parameters()));
- // Generate Tokens Response.
+ // Generate Tokens Response and check it.
ASSIGN_OR_RETURN(
TokensResponse tokens_response,
act->GenerateTokensResponse(tokens_request, scheme_parameters,
client_parameters.public_parameters(),
server_parameters.public_parameters(),
server_parameters.private_parameters()));
+ RETURN_IF_ERROR(act->VerifyTokensResponse(
+ messages, tokens_request, tokens_request_private_state, tokens_response,
+ scheme_parameters, client_parameters.public_parameters(),
+ client_parameters.private_parameters(),
+ server_parameters.public_parameters()));
// Extract Tokens.
ASSIGN_OR_RETURN(
@@ -97,15 +111,30 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
}
TEST(ActV0ParametersTest, EndToEndWithTestParameters) {
- EXPECT_OK(EndToEndTestNoVerification(ActV0TestSchemeParameters(), 3));
+ EXPECT_OK(EndToEndTest(ActV0TestSchemeParameters(), 3));
}
TEST(ActV0ParametersTest, EndToEndWithBatch16Parameters) {
- EXPECT_OK(EndToEndTestNoVerification(ActV0Batch16SchemeParameters(), 16));
+ EXPECT_OK(EndToEndTest(ActV0Batch16SchemeParameters(), 16));
}
TEST(ActV0ParametersTest, EndToEndWithBatch32Parameters) {
- EXPECT_OK(EndToEndTestNoVerification(ActV0Batch32SchemeParameters(), 32));
+ EXPECT_OK(EndToEndTest(ActV0Batch32SchemeParameters(), 32));
+}
+
+TEST(ActV0ParametersTest, EndToEndWithBatch32Cs2Modulus2048Parameters) {
+ EXPECT_OK(EndToEndTest(
+ ActV0SchemeParametersPedersen32Modulus2048CamenischShoupVector2(), 32));
+}
+
+TEST(ActV0ParametersTest, EndToEndWithCustomParameters) {
+ int pedersen_batch_size = 32;
+ int modulus_length_bits = 1576;
+ int camenisch_shoup_vector_length = 2;
+ EXPECT_OK(EndToEndTest(
+ ActV0SchemeParameters(pedersen_batch_size, modulus_length_bits,
+ camenisch_shoup_vector_length),
+ 32));
}
// More extensive tests are in act_v0_test.cc. These tests simply ensure that
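Review bot: In `EndToEndWithCustomParameters`, `modulus_length_bits = 1576` is an unexplained magic number that is smaller than either preset's modulus, and a reader may take it for a supported size. If it is only meant to exercise a non-preset value, say so with a comment such as `// Arbitrary non-preset modulus size to exercise ActV0SchemeParameters; not a recommended setting.` The added tests also cover only the accepting path; nothing here shows what the custom factory does with zero or negative arguments.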
diff --git a/act/fake_act.cc b/act/fake_act.cc
index 349a1cb..48cf40f 100644
--- a/act/fake_act.cc
+++ b/act/fake_act.cc
@@ -123,7 +123,8 @@ StatusOr<std::vector<Token>> FakeAnonymousCountingTokens::RecoverTokens(
result.reserve(messages.size());
for (size_t i = 0; i < messages.size(); ++i) {
Token fake_token;
- fake_token.set_nonce(context.GenerateRandLessThan(nonce_bound).ToBytes());
+ fake_token.set_nonce_bytes(
+ context.GenerateRandLessThan(nonce_bound).ToBytes());
result.push_back(fake_token);
}