Add randomness to rcm1 (rcm1 in created by the client, so it's deterministic)

Author: yontyon

utt/include/client.hpp

@@ -69,7 +69,7 @@ class Client {
    *
    * @return Commitment
    */
-  Commitment generateInputRCM();
+  Commitment generateInputRCM(uint64_t nonce = 0);
 
   /**
    * @brief The full PRF key is composed by a client secret (s1) and an unpredictable s2 (choose by the bank). This

utt/include/commitment.hpp

@@ -51,7 +51,8 @@ class Commitment {
    * @param withG2 Indicates if we want to have the commitment in the G2 group. In the regular case this should be
    * always true
    */
-  Commitment(const UTTParams& p, Type t, const std::vector<types::CurvePoint>& messages, bool withG2);
+  Commitment(
+      const UTTParams& p, Type t, const std::vector<types::CurvePoint>& messages, bool withG2, uint64_t nonce = 0);
   Commitment(const Commitment& comm);
   Commitment();
   Commitment& operator=(const Commitment&);

utt/libutt/src/api/client.cpp

@@ -13,6 +13,7 @@
 #include <utt/DataUtils.hpp>
 #include <vector>
 #include <sstream>
+#include <random>
 namespace libutt::api {
 Client::Client(const std::string& pid, const std::string& bpk, const std::string& rvk, const std::string& rsaSk) {
   if (pid.empty() || bpk.empty() || rvk.empty() || rsaSk.empty())
@@ -68,9 +69,17 @@ Client& Client::operator=(Client&& other) {
   pImpl_->decryptor_ = std::move(other.pImpl_->decryptor_);
   return *this;
 }
-Commitment Client::generateInputRCM() {
+Commitment Client::generateInputRCM(uint64_t nonce) {
   Commitment comm;
-  auto h1 = hashToHex(getPidHash());
+  if (nonce == 0) {
+    std::random_device rd;
+    std::mt19937_64 gen(rd());
+    std::uniform_int_distribution<uint64_t> dis;
+    comm.pImpl_->nonce = dis(gen);
+  }
+  auto hash_base = getPidHash();
+  hash_base.push_back(comm.pImpl_->nonce);
+  auto h1 = hashToHex(hash_base);
   G1 H = libutt::hashToGroup<G1>("ps16base|" + h1);
   comm.pImpl_->comm_ = (pImpl_->ask_.s * H);
   return comm;

utt/libutt/src/api/commitment.cpp

@@ -10,11 +10,15 @@ libutt::api::Commitment operator+(libutt::api::Commitment lhs, const libutt::api
 }
 
 std::ostream& operator<<(std::ostream& out, const libutt::api::Commitment& comm) {
-  out << comm.pImpl_->comm_;
+  out << comm.pImpl_->comm_ << endl;
+  out << comm.pImpl_->nonce << endl;
   return out;
 }
 std::istream& operator>>(std::istream& in, libutt::api::Commitment& comm) {
   in >> comm.pImpl_->comm_;
+  libff::consume_OUTPUT_NEWLINE(in);
+  in >> comm.pImpl_->nonce;
+  libff::consume_OUTPUT_NEWLINE(in);
   return in;
 }
 
@@ -25,12 +29,14 @@ bool operator==(const libutt::api::Commitment& comm1, const libutt::api::Commitm
 }
 namespace libutt::api {
 
-Commitment::Commitment(const UTTParams& d, Type t, const std::vector<types::CurvePoint>& messages, bool withG2) {
+Commitment::Commitment(
+    const UTTParams& d, Type t, const std::vector<types::CurvePoint>& messages, bool withG2, uint64_t nonce) {
   std::vector<Fr> fr_messages(messages.size());
   for (size_t i = 0; i < messages.size(); i++) {
     fr_messages[i].from_words(messages.at(i));
   }
   pImpl_ = new Commitment::Impl();
+  pImpl_->nonce = nonce;
   pImpl_->comm_ =
       libutt::Comm::create(Impl::getCommitmentKey(d.pImpl_->p, (Commitment::Impl::Type)t), fr_messages, withG2);
 }

utt/libutt/src/api/include/commitment.impl.hpp

@@ -6,6 +6,7 @@ namespace libutt::api {
 struct Commitment::Impl {
   enum Type { REGISTRATION = 0, COIN };
   libutt::Comm comm_;
+  uint64_t nonce = 0;
   static const libutt::CommKey& getCommitmentKey(const libutt::Params& d, Type t) {
     switch (t) {
       case Type::REGISTRATION:

utt/libutt/src/api/registrator.cpp

@@ -47,7 +47,9 @@ std::pair<types::CurvePoint, types::Signature> Registrator::signRCM(const types:
   fr_pid.from_words(pid_hash);
   Fr fr_s2;
   fr_s2.from_words(s2);
-  auto h1 = hashToHex(pid_hash);
+  auto hash_base = pid_hash;
+  hash_base.push_back(rcm1.pImpl_->nonce);
+  auto h1 = hashToHex(hash_base);
   G1 H = libutt::hashToGroup<G1>("ps16base|" + h1);
   auto res = pImpl_->rsk_.sk.shareSign({(fr_pid * H), (fr_s2 * H) + rcm1.pImpl_->comm_}, H);
   auto res_str = libutt::serialize<libutt::RandSigShare>(res);
@@ -62,7 +64,9 @@ bool Registrator::validatePartialRCMSig(uint16_t id,
   fr_pid.from_words(pid_hash);
   Fr fr_s2;
   fr_s2.from_words(s2);
-  auto h1 = hashToHex(pid_hash);
+  auto hash_base = pid_hash;
+  hash_base.push_back(rcm1.pImpl_->nonce);
+  auto h1 = hashToHex(hash_base);
   G1 H = libutt::hashToGroup<G1>("ps16base|" + h1);
   libutt::RandSigShare rsig = libutt::deserialize<libutt::RandSigShare>(sig);
   return rsig.verify({(fr_pid * H), (fr_s2 * H) + rcm1.pImpl_->comm_}, pImpl_->validation_keys_.at(id).vk);