/*
 * Copyright 2023 Google LLC.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

syntax = "proto3";

package private_join_and_compute.anonymous_counting_tokens;

import "private_join_and_compute/crypto/dodis_yampolskiy_prf/bb_oblivious_signature.proto";
import "private_join_and_compute/crypto/dodis_yampolskiy_prf/dy_verifiable_random_function.proto";
import "private_join_and_compute/crypto/proto/big_num.proto";
import "private_join_and_compute/crypto/proto/camenisch_shoup.proto";
import "private_join_and_compute/crypto/proto/pedersen.proto";

option java_multiple_files = true;

// The parameters for ACTv0.
message SchemeParametersV0 {
  // How many masking bits (more than the challenge bits) to add in the sigma
  // protocols.
  uint64 security_parameter = 1;
  // How many bits the challenge has.
  uint64 challenge_length_bits = 2;
  // Length for the RSA modulus.
  uint64 modulus_length_bits = 3;
  // Camenisch Shoup Damgard-Jurik parameter (message space is n^s).
  uint64 camenisch_shoup_s = 4;
  // Camenisch-Shoup vector-encryption parameter.
  uint64 vector_encryption_length = 5;
  // Number of messages that can be committed in a single Pedersen commitment.
  uint64 pedersen_batch_size = 6;
  // Specification of the EC Group in which the DY-PRF and Boneh Boyen Oblivious
  // Signature will be computed.
  uint64 prf_ec_group = 7;
  // Prefix to attach to any random oracle query (optional).
  string random_oracle_prefix = 8;
}

// The Server's public parameters for the ACTv0 scheme.
message ServerPublicParametersV0 {
  reserved 1, 4, 5;

  // Parameters to use for commitments.
  private_join_and_compute.proto.PedersenParameters pedersen_parameters = 2;
  // Camenisch Shoup public key (for the Boneh-Boyen Oblivious Signature).
  private_join_and_compute.proto.CamenischShoupPublicKey camenisch_shoup_public_key = 3;
  // Public key for the Boneh-Boyen oblivious signature.
  private_join_and_compute.proto.BbObliviousSignaturePublicKey
      bb_oblivious_signature_public_key = 6;

  // Serialized ECPoint corresponding to the base g to use for the DY PRF and
  // Boneh-Boyen oblivious signature.
  bytes prf_base_g = 7;

}

// The Server's private parameters for the ACTv0 scheme.
message ServerPrivateParametersV0 {
  reserved 2, 3;
  // Camenisch Shoup private key (for the Boneh-Boyen Oblivious Signature).
  private_join_and_compute.proto.CamenischShoupPrivateKey camenisch_shoup_private_key = 1;
  // Private key for the Boneh-Boyen Oblivious Signature.
  private_join_and_compute.proto.BbObliviousSignaturePrivateKey
      bb_oblivious_signature_private_key = 4;
}

// The Client's public parameters for the ACT scheme.
message ClientPublicParametersV0 {
  // Public key for the DY Verifiable Random Function.
  private_join_and_compute.proto.DyVrfPublicKey dy_vrf_public_key = 1;
  private_join_and_compute.proto.DyVrfGenerateKeysProof dy_vrf_generate_keys_proof = 2;
}

// The Client's private parameters for the ACT scheme.
message ClientPrivateParametersV0 {
  // Private key for the DY Verifiable Random Function.
  private_join_and_compute.proto.DyVrfPrivateKey dy_vrf_private_key = 1;
}

// The Client's token request. Can correspond to a batch of tokens.
message TokensRequestV0 {
  message Part1 {
    bytes commit_messages = 1;
    bytes commit_client_nonces = 2;

    // Proofs that the fingerprints on the messages were generated correctly.
    // The fingerprints correspond to PRF evaluations on the messages.
    private_join_and_compute.proto.DyVrfApplyProof fingerprints_proof = 3;
  }

  // Part1 of the tokens request feeds into the Random Oracle to produce the
  // client-independent portion of the nonces. (The nonce per-token consists
  // of a client-chosen part, and a client-independent/not-chosen part. The
  // latter is generated by a random oracle call.)
  Part1 part_1 = 1;

  // Boneh-Boyen Oblivious Signature request and proof for nonces.
  private_join_and_compute.proto.BbObliviousSignatureRequest bb_oblivious_signature_request = 2;
  private_join_and_compute.proto.BbObliviousSignatureRequestProof
      bb_oblivious_signature_request_proof = 3;
}

// Private state corresponding to the Client's token request, needed to recover
// the tokens from the server's response.
message TokensRequestPrivateStateV0 {
  private_join_and_compute.proto.BbObliviousSignatureRequestPrivateState
      bb_oblivious_signature_request_private_state = 1;
  // Stores the nonces generated as part of the request (includes the
  // client-generated and random-oracle-generated portions combined).
  private_join_and_compute.proto.BigNumVector nonces = 2;
}

// The Server's response to a TokensRequest. Can correspond to a batch of
// tokens.
message TokensResponseV0 {
  // Boneh-Boyen Oblivious signature response and proof.
  private_join_and_compute.proto.BbObliviousSignatureResponse bb_oblivious_signature_response =
      1;
  private_join_and_compute.proto.BbObliviousSignatureResponseProof
      bb_oblivious_signature_response_proof = 2;
}

// An actual token recovered from the TokenResponse.
message TokenV0 {
  // The nonce is stored in the enclosing Token proto.

  // Serialized Boneh-Boyen signature on the message and nonce. Serialized
  // ECPoint.
  bytes bb_signature = 1;
}