.TH bbs_blind_commit 3 2026-03-10 libbbs
.SH NAME
bbs_blind_commit \- create a commitment for blind BBS signatures
.SH LIBRARY
BBS Signatures
.RI ( libbbs ,\~ \-lbbs )
.SH SYNOPSIS
.nf
.B #include <bbs_blind.h>
.P
.BR "int bbs_blind_commit(" "size_t num_messages;"
.BI " const bbs_ciphersuite * " ciphersuite ","
.BI " void * " commitment_with_proof ","
.BI " uint8_t " secret_prover_blind "[BBS_BLIND_SECRET_PROVER_BLIND_LEN],"
.BI " size_t " num_messages ","
.BI " const void *const " messages [ num_messages "],"
.BI " const size_t " message_lens [ num_messages "]);"
.fi
.SH DESCRIPTION
The
.BR bbs_blind_commit ()
function creates a commitment over the
.I num_messages
messages in
.IR messages ,
whose lengths in bytes are given in
.IR message_lens .
The commitment is the first step of the blind BBS protocol and is performed by
the prover before requesting a signature from the signer.
.P
The function produces two outputs.
The
.I commitment_with_proof
is sent to the signer as input to
.BR bbs_blind_sign (3).
It does not reveal the committed messages.
The caller must allocate
.I BBS_BLIND_COMMITMENT_LEN(num_messages)
bytes for this buffer.
.P
The
.I secret_prover_blind
is a
.B BBS_BLIND_SECRET_PROVER_BLIND_LEN
byte value that must be kept secret by the prover.
It is required later by
.BR bbs_blind_proof_gen (3)
and must be erased with
.BR memset_explicit (3)
after proof generation is complete.
Disclosing the
.I secret_prover_blind
allows recovery of the committed messages from the blind signature.
.P
This function takes a pointer to a
.BR bbs_ciphersuite (3type)
to use, which determines several parameters for the scheme.
This function is compatible with
.B bbs_blind_sha256_ciphersuite
and
.B bbs_blind_shake256_ciphersuite
only.
Using a ciphersuite from
.I <bbs.h>
or
.I <bbs_blind_with_nym.h>
will produce an error.
Keys generated with any ciphersuite may be used here; see
.BR bbs_keygen (3).
.SH RETURN VALUE
Returns
.B BBS_OK
on success.
All other return values denote an error, the exact meaning of which may change
in the future.
.SH ATTRIBUTES
For an explanation of the terms used in this section, see
.BR attribute (7).
.TS
allbox;
lbx lb lb
l l l.
Interface	Attribute	Value
T{
.na
.nh
.BR bbs_blind_commit ()
T}	Thread safety	MT-Safe
.TE
.SH STANDARDS
The
.BR bbs_blind_commit ()
function implements the algorithm from
.IR draft-irtf-cfrg-bbs-blind-signatures-02 .
.SH CAVEATS
The
.BR bbs_blind_commit ()
function calls the POSIX.1-2024 function
.BR getentropy (3).
On non-POSIX systems, this function has to be provided by the application at
link-time.
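An application-provided getentropy() for a target whose C library lacks one, shown as an added example that is not part of libbbs. It assumes the platform exposes its kernel CSPRNG as /dev/urandom (replace that read on a target with a hardware RNG); SHIM_GETENTROPY_MAX and shim_wipe are names introduced here. Because bbs_blind_commit() calls this function, the shim never reports success on a partially filled buffer.

```c
/* Added example, not libbbs code: application-supplied getentropy(). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define SHIM_GETENTROPY_MAX 256  /* POSIX.1-2024 minimum for GETENTROPY_MAX */

/* Zero a buffer through a volatile pointer so the stores are not elided. */
static void shim_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Same contract as POSIX getentropy(): 0 when all length bytes are filled,
 * otherwise -1 with errno set. */
int getentropy(void *buffer, size_t length)
{
    if (length > SHIM_GETENTROPY_MAX) {
        errno = EINVAL;             /* oversize request is rejected */
        return -1;
    }
    if (length == 0)
        return 0;

    /* Assumption: the target exposes its kernel CSPRNG as /dev/urandom. */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) {
        errno = ENOSYS;             /* no entropy source available */
        return -1;
    }
    setvbuf(f, NULL, _IONBF, 0);    /* keep no random bytes in a stdio buffer */
    size_t got = fread(buffer, 1, length, f);
    fclose(f);

    if (got != length) {
        shim_wipe(buffer, length);  /* fail closed: no half-random output */
        errno = EIO;
        return -1;
    }
    return 0;
}
```

Link this object together with the application and libbbs; a caller that sees a non-zero return from getentropy() must treat the output buffer as unusable.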
.SH SEE ALSO
.BR bbs_blind (7),
.BR bbs_ciphersuite (3type),
.BR bbs_blind_sign (3),
.BR bbs_blind_proof_gen (3),
.BR getentropy (3)