1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// https://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package anonymous_tokens; 18 19option java_multiple_files = true; 20option java_package = "com.google.privacy.privatemembership.anonymoustokens.proto"; 21 22message Timestamp { 23 int64 seconds = 1; 24 int32 nanos = 2; 25} 26 27// Different use cases for the Anonymous Tokens service. 28// Next ID: 11 29enum AnonymousTokensUseCase { 30 // Test use cases here. 31 ANONYMOUS_TOKENS_USE_CASE_UNDEFINED = 0; 32 TEST_USE_CASE = 1; 33 TEST_USE_CASE_2 = 2; 34 TEST_USE_CASE_3 = 4; 35 TEST_USE_CASE_4 = 5; 36 TEST_USE_CASE_5 = 6; 37 TEST_USE_CASE_6 = 9; 38 39 PROVABLY_PRIVATE_NETWORK = 3; 40 CHROME_IP_BLINDING = 7; 41 NOCTOGRAM_PPISSUER = 8; 42 CHROME_IP_BLINDING_DARKLAUNCH = 10; 43} 44 45// An enum describing different types of available hash functions. 46enum HashType { 47 AT_HASH_TYPE_UNDEFINED = 0; 48 AT_TEST_HASH_TYPE = 1; 49 AT_HASH_TYPE_SHA256 = 2; 50 AT_HASH_TYPE_SHA384 = 3; 51 // Add more hash types if necessary. 52} 53 54// An enum describing different types of hash functions that can be used by the 55// mask generation function. 56enum MaskGenFunction { 57 AT_MGF_UNDEFINED = 0; 58 AT_TEST_MGF = 1; 59 AT_MGF_SHA256 = 2; 60 AT_MGF_SHA384 = 3; 61 // Add more hash types if necessary. 62} 63 64// An enum describing different types of message masking. 65enum MessageMaskType { 66 AT_MESSAGE_MASK_TYPE_UNDEFINED = 0; 67 AT_MESSAGE_MASK_XOR = 1; 68 AT_MESSAGE_MASK_CONCAT = 2; 69 AT_MESSAGE_MASK_NO_MASK = 3; 70} 71 72// Proto representation for RSA private key. 73message RSAPrivateKey { 74 // Modulus. 75 bytes n = 1; 76 // Public exponent. 77 bytes e = 2; 78 // Private exponent. 79 bytes d = 3; 80 // The prime factor p of n. 81 bytes p = 4; 82 // The prime factor q of n. 83 bytes q = 5; 84 // d mod (p - 1). 85 bytes dp = 6; 86 // d mod (q - 1). 87 bytes dq = 7; 88 // Chinese Remainder Theorem coefficient q^(-1) mod p. 89 bytes crt = 8; 90} 91 92// Proto representation for RSA public key. 93message RSAPublicKey { 94 // Modulus. 95 bytes n = 1; 96 // Public exponent. 97 bytes e = 2; 98} 99 100// Next ID: 13 101message RSABlindSignaturePublicKey { 102 // Use case associated with this public key. 103 bytes use_case = 9; 104 105 // Version number of public key. 106 uint64 key_version = 1; 107 108 // Serialization of the public key. 109 bytes serialized_public_key = 2; 110 111 // Timestamp of expiration. 112 // 113 // Note that we will not return keys whose expiration times are in the past. 114 Timestamp expiration_time = 3; 115 116 // Key becomes valid at key_validity_start_time. 117 Timestamp key_validity_start_time = 8; 118 119 // Hash function used in computing hash of the signing message 120 // (see https://tools.ietf.org/html/rfc8017#section-9.1.1) 121 HashType sig_hash_type = 4; 122 123 // Hash function used in MGF1 (a mask generation function based on a 124 // hash function) (see https://tools.ietf.org/html/rfc8017#appendix-B.2.1). 125 MaskGenFunction mask_gen_function = 5; 126 127 // Length in bytes of the salt (see 128 // https://tools.ietf.org/html/rfc8017#section-9.1.1) 129 int64 salt_length = 6; 130 131 // Key size: bytes of RSA key. 132 int64 key_size = 7; 133 134 // Type of masking of message (see https://eprint.iacr.org/2022/895.pdf). 135 MessageMaskType message_mask_type = 10; 136 137 // Length of message mask in bytes. 138 int64 message_mask_size = 11; 139 140 // Conveys whether public metadata support is enabled and RSA blind signatures 141 // with public metadata protocol should be used. If false, standard RSA blind 142 // signatures are used and all public metadata inputs are ignored. 143 bool public_metadata_support = 12; 144} 145 146message AnonymousTokensPublicKeysGetRequest { 147 // Use case associated with this request. 148 // 149 // Returns an error if the token type does not support public key verification 150 // for the requested use_case. 151 bytes use_case = 1; 152 153 // Key version associated with this request. 154 // 155 // Returns an error if the token type does not support public key verification 156 // for the requested use_case and key_version combination. 157 // 158 // If unset, all valid possibilities for the key are returned. 159 uint64 key_version = 2; 160 161 // Public key that becomes valid at or before this requested time and not 162 // after. More explicitly, we need the requested key to be valid at the 163 // requested key_validity_start_time. 164 // 165 // If unset it will be set to current time. 166 Timestamp key_validity_start_time = 3 167 ; 168 169 // Public key that is definitely not valid after this particular time. If 170 // unset / null, only keys that are indefinitely valid are returned. 171 // 172 // Note: It is possible that the key becomes invalid before this time. But the 173 // key should not be valid after this time. 174 Timestamp key_validity_end_time = 4 175 ; 176} 177 178message AnonymousTokensPublicKeysGetResponse { 179 // List of currently valid RSA public keys. 180 repeated RSABlindSignaturePublicKey rsa_public_keys = 1; 181} 182 183message AnonymousTokensSignRequest { 184 // Next ID: 6 185 message BlindedToken { 186 // Use case associated with this request. 187 bytes use_case = 1; 188 189 // Version of key used to sign and generate the token. 190 uint64 key_version = 2; 191 192 // Public metadata to be tied to the `blinded message` (serialized_token). 193 // 194 // The length of public metadata must be at most 2^32 bytes. 195 bytes public_metadata = 4; 196 197 // This value is disregarded for standard blind RSA signatures. 198 // 199 // For the public metadata protocol, if this value is set to false, the 200 // final public exponent is derived by using the RSA public exponent, the 201 // RSA modulus and the public metadata. If this value is set to true, only 202 // the RSA modulus and the public metadata will be used. 203 bool do_not_use_rsa_public_exponent = 5; 204 205 // Serialization of the token. 206 bytes serialized_token = 3; 207 } 208 209 // Token(s) that have been blinded by the user, not yet signed 210 repeated BlindedToken blinded_tokens = 1; 211} 212 213message AnonymousTokensSignResponse { 214 // Next ID: 7 215 message AnonymousToken { 216 // Use case associated with this anonymous token. 217 bytes use_case = 1; 218 219 // Version of key used to sign and generate the token. 220 uint64 key_version = 2; 221 222 // Public metadata tied to the input (serialized_blinded_message) and the 223 // `blinded` signature (serialized_token). 224 // 225 // The length of public metadata must fit in 4 bytes. 226 bytes public_metadata = 4; 227 228 // This value is disregarded for standard blind RSA signatures. 229 // 230 // For the public metadata protocol, if this value is set to false, the 231 // final public exponent is derived by using the RSA public exponent, the 232 // RSA modulus and the public metadata. If this value is set to true, only 233 // the RSA modulus and the public metadata will be used. 234 bool do_not_use_rsa_public_exponent = 6; 235 236 // The serialized_token in BlindedToken in the AnonymousTokensSignRequest. 237 bytes serialized_blinded_message = 5; 238 239 // Serialization of the signed token. This will have to be `unblinded` by 240 // the user before it can be used / redeemed. 241 bytes serialized_token = 3; 242 } 243 244 // Returned anonymous token(s) 245 repeated AnonymousToken anonymous_tokens = 1; 246} 247 248message AnonymousTokensRedemptionRequest { 249 // Next ID: 7 250 message AnonymousTokenToRedeem { 251 // Use case associated with this anonymous token that needs to be redeemed. 252 bytes use_case = 1; 253 254 // Version of key associated with this anonymous token that needs to be 255 // redeemed. 256 uint64 key_version = 2; 257 258 // Public metadata to be used for redeeming the signature 259 // (serialized_unblinded_token). 260 // 261 // The length of public metadata must fit in 4 bytes. 262 bytes public_metadata = 4; 263 264 // Serialization of the unblinded anonymous token that needs to be redeemed. 265 bytes serialized_unblinded_token = 3; 266 267 // Plaintext input message to verify the signature for. 268 bytes plaintext_message = 5; 269 270 // Nonce used to mask plaintext message before cryptographic verification. 271 bytes message_mask = 6; 272 } 273 274 // One or more anonymous tokens to redeem. 275 repeated AnonymousTokenToRedeem anonymous_tokens_to_redeem = 1; 276} 277 278message AnonymousTokensRedemptionResponse { 279 // Next ID: 9 280 message AnonymousTokenRedemptionResult { 281 // Use case associated with this redeemed anonymous token. 282 bytes use_case = 3; 283 284 // Version of key associated with this redeemed anonymous token. 285 uint64 key_version = 4; 286 287 // Public metadata used for verifying the signature 288 // (serialized_unblinded_token). 289 // 290 // The length of public metadata must fit in 4 bytes. 291 bytes public_metadata = 5; 292 293 // Serialization of this redeemed unblinded anonymous token. 294 bytes serialized_unblinded_token = 6; 295 296 // Unblinded input message that the signature was verified against. 297 bytes plaintext_message = 7; 298 299 // Nonce used to mask plaintext message before cryptographic verification. 300 bytes message_mask = 8; 301 302 // Returns true if and only if the anonymous token was redeemed 303 // successfully i.e. token was cryptographically verified, all relevant 304 // state in the server was updated successfully and the token was not 305 // redeemed already. 306 // 307 bool verified = 1; 308 309 // Returns true if and only if the anonymous token has already been 310 // redeemed. 311 bool double_spent = 2; 312 } 313 314 // Redemption response for requested anonymous tokens. 315 repeated AnonymousTokenRedemptionResult anonymous_token_redemption_results = 316 1; 317} 318 319// Plaintext message with public metadata. 320message PlaintextMessageWithPublicMetadata { 321 // Message to be signed. 322 bytes plaintext_message = 1; 323 324 // Public metadata to be tied to the signature. 325 bytes public_metadata = 2; 326} 327 328// Proto representing a token created during the blind signing protocol. 329message RSABlindSignatureToken { 330 // Resulting token from the blind signing protocol. 331 bytes token = 1; 332 333 // Nonce used to mask messages. 334 bytes message_mask = 2; 335} 336 337// Proto representing a token along with the input. 338message RSABlindSignatureTokenWithInput { 339 // Input consisting of plaintext message and public metadata. 340 PlaintextMessageWithPublicMetadata input = 1; 341 342 // Resulting token after blind signing protocol. 343 RSABlindSignatureToken token = 2; 344} 345 346// Proto representing redemption result along with the token and the token 347// input. 348message RSABlindSignatureRedemptionResult { 349 // Proto representing a token along with the input. 350 RSABlindSignatureTokenWithInput token_with_input = 1; 351 352 // This is set to true if and only if the anonymous token was redeemed 353 // successfully i.e. token was cryptographically verified, all relevant 354 // state in the redemption server was updated successfully and the token was 355 // not redeemed already. 356 bool redeemed = 2; 357 358 // True if and only if the token was redeemed before. 359 bool double_spent = 3; 360} 361