From 7ca8df6c16f2eee446c2682787925e146ad5dec2 Mon Sep 17 00:00:00 2001
From: "J. Ayo Akinyele"
Date: Sun, 8 Apr 2018 03:46:17 -0400
Subject: [PATCH] more tweaks to design \& implementation
---
 bin/bolt.rs | 12 ++++++++++++
 docs/bolt_design.tex | 34 ++++++++++++++++++++++++++++++++++
 src/lib.rs | 10 +++++++++-
 src/ote.rs | 4 ++--
 4 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/bin/bolt.rs b/bin/bolt.rs
index bca1464..c68d0ca 100644
--- a/bin/bolt.rs
+++ b/bin/bolt.rs
@@ -318,6 +318,7 @@ fn main() {
 println!("******************************************");
+ // Test the PRF
 let s = Fr::random(rng);
 let key = prf::initPRF(s, None);
@@ -326,6 +327,17 @@ fn main() {
 println!("Compute y = 0x{}", libbolt::print(&y));
+ // Test the OTE scheme
+ let k = ote::keygen();
+ let X = G1::random(rng);
+ let Y = G1::random(rng);
+ let m = ote::OTMessage { m1: X, m2: Y };
+ let c = ote::otenc(k, &m);
+ let orig_m = ote::otdec(k, &c);
+
+ assert!(m.m1 == orig_m.m1 && m.m2 == orig_m.m2);
+ println!("OTE scheme works as expected!");
+
 // let rng = &mut rand::thread_rng();
 // let G = G1::random(rng); // &dalek_constants::RISTRETTO_BASEPOINT_POINT;
 // let H = G1::random(rng); // RistrettoPoint::hash_from_bytes::(G.compress().as_bytes());
diff --git a/docs/bolt_design.tex b/docs/bolt_design.tex
index d2bf008..4d33eee 100644
--- a/docs/bolt_design.tex
+++ b/docs/bolt_design.tex
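Review bot: The OTE round-trip check sits in main() behind an `assert!`, so it only runs when the demo binary is executed and aborts the whole demo on failure; a `#[test]` in src/ote.rs doing the same keygen/otenc/otdec round-trip is the usual home for it and would run under `cargo test`. `k` is passed by value to both `ote::otenc(k, &m)` and `ote::otdec(k, &c)`, which compiles only if the key type is Copy — if so, key material is being implicitly copied, and taking `&k` would make the ownership explicit (the key type is not visible in this hunk, so please confirm). The bindings `X` and `Y` also trigger non_snake_case warnings; `let x = G1::random(rng);` and `let y = G1::random(rng);` keep the build clean. main() starts and ends outside the hunk.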
@@ -269,6 +269,40 @@ ${\sf Init_{M}}(PP, \BC, \BM, pk_m, sk_m) \rightarrow {\sf T}_m, csk_m$. On inpu
 \item Output ${\sf T}_m = pk_m$ and $csk_m = (sk_m, \BM)$.
 \end{itemize}
+\medskip \noindent
+${\sf Establish}( C\{PP, {\sf T}_m, csk_c)\}, \{M(PP, {\sf T}_c, csk_{m})\}$. On input public parameters and each of the initial channel tokens, the {\sf Establish} protocol activates a channel between customer and merchant who have previously escrowed funds. If the interaction succeeds, the merchant receives {\sf established} message and the customer receives a wallet $w$. Either party may receive an error denoted by $\bot$.
+
+\medskip \noindent
+The customer executes the following algorithm:
+\begin{itemize}
+\item Parse $csk_c$ as $(pk_c, sk_c, k_1, k_2, r, \BC)$.
+\item Sample $sk_0 \in \{0,1\}^\ell$.
+\item Generate $\pi_1 = PK\{ (sk_c, k_1, k_2, r) : {\sf wCom} = {\sf Commit}(sk_c, k_1, k_2; r) \wedge (pk_c, sk_c) \in {\sf KeyGen}(1^\lambda)\}$
+% breakdown Proof of knowledge statement
+\begin{itemize}
+\item Proof of statement: ${\sf wCom} = g^m \cdot h^r \wedge X = g^x \wedge Y = g^y$ where $m = H(sk_c, k_1, k_2)$
+\end{itemize}
+\item For $j = 1$ to $B$:
+\begin{enumerate}
+\item Compute $s_j \leftarrow F_{k_1}(j), u_j \leftarrow F_{k_2}(j)$.
+\item $\pi_{j}^r = PK\{ (sk_c, k_1, k_2, r) : s_j \leftarrow F_{k_1}(j) \wedge u_j \leftarrow F_{k_2}(j) \\ \wedge {\sf wCom} = {\sf Commit}(sk_c, k_1, k_2; r) \\ \wedge (pk_c, sk_c) \in {\sf KeyGen}(1^\lambda)\}$
+\item Compute internal signature $\sigma_j = {\sf Sign}(sk_c, {\sf spend}||j||s_j||u_j||\pi_{j}^r||ck_{j+1})$.
+\item Compute $C_j = {\sf SymEnc}(ck_j, j||s_j||u_j||\pi_{j}^r||\sigma_j||ck_{j+1})$
+\item Compute external signature $\sigma_j = {\sf Sign}(sk_c, {\sf coin}||j||C_j)$.
+\end{enumerate}
+\item Customer sends ${\sf wCom}, \pi, (C_1, \sigma_1,\dots,C_B,\sigma_B)$ to the merchant.
+\end{itemize}
+
+\noindent
+The merchant executes the following algorithm in response:
+\begin{itemize}
+\item Verify the signature on ${\sf T}_c$.
+\item Check that $\BC = B$.
+\item Verify $\pi_1$.
+\item For $i = 1$ to $B$, verify the signature $\sigma_j$ on $C_j$.
+\item If any of the above conditions do not hold, abort and output $\bot$.
+\item Return a blind signature $\sigma_w$ on the contents of {\sf wCom}.
+\end{itemize}
 \subsection{Bidirectional Scheme}
diff --git a/src/lib.rs b/src/lib.rs
index e554d2d..13b3e2d 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -9,6 +9,7 @@ use std::default;
 use bn::{Group, Fr, G1, G2, pairing};
 use bincode::SizeLimit::Infinite;
 use bincode::rustc_serialize::{encode, decode};
+use sodiumoxide::randombytes;
 use sodiumoxide::crypto::hash::sha512;
 pub mod prf;
@@ -542,6 +543,7 @@ pub mod unidirectional {
 use commit_scheme;
 use clsigs;
 use Message;
+ use sodiumoxide::randombytes;
 pub struct PublicParams {
 cm_mpk: commit_scheme::PublicKey,
@@ -626,10 +628,16 @@ pub mod unidirectional {
 }
 // TODO: requires NIZK proof system
- pub fn establish_customer(pp: &PublicParams, t_m: &clsigs::PublicKey, csk_c: &CustSecretKey) {
+ pub fn establish_customer_send(pp: &PublicParams, t_m: &clsigs::PublicKey, csk_c: &CustSecretKey) {
 println ! ("Run establish_customer algorithm...");
 // set sk_0 to random bytes of length l
 // let sk_0 = random_bytes(pp.l);
+ let buf_len: usize = pp.l_bits as usize;
+ let mut sk0 = vec![0; buf_len];
+ randombytes::randombytes_into(&mut sk0);
+ }
+
+ pub fn estalibsh_mercahnt_send() {
 }
diff --git a/src/ote.rs b/src/ote.rs
index 81af44f..ea228d4 100644
--- a/src/ote.rs
+++ b/src/ote.rs
@@ -7,8 +7,8 @@ use bn::{Group, Fr, G1};
 use rand;
 pub struct OTMessage {
- m1: G1,
- m2: G1
+ pub m1: G1,
+ pub m2: G1
 }
 pub struct OTCiphertext {
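Review bot: `let buf_len: usize = pp.l_bits as usize;` sizes `sk0` in bytes from a field whose name says bits, while the comment just above and the design text sample $sk_0 \in \{0,1\}^\ell$; if `l_bits` really is a bit length this draws eight times the intended secret and should read `let buf_len = (pp.l_bits as usize + 7) / 8;` (the field's definition is outside the hunk, so please confirm). The freshly drawn `sk0` is then dropped at the end of `establish_customer_send` without being returned or stored, so the function still does nothing observable beyond the println; once it is handed out, keep it in a type that zeroes on drop or call `sodiumoxide::utils::memzero` on the buffer before it is released, since this is the customer's secret material. The new `estalibsh_mercahnt_send` is misspelled and will be painful to rename once callers exist — `pub fn establish_merchant_send() {`. `println ! (...)` would normally be written `println!(...)`.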
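Review bot: Missing documentation on `OTMessage`, whose fields become part of the public surface here; a one-liner such as `/// Plaintext for the OTE scheme: a pair of G1 group elements encrypted together.` above `pub struct OTMessage {` would state the contract that bin/bolt.rs now constructs directly. Since bin/bolt.rs compares `m1` and `m2` one by one after decryption, deriving `PartialEq` on the struct (G1 evidently implements it, as that comparison compiles) would let callers write `m == orig_m` instead. `OTCiphertext` continues outside the hunk.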