[FAB-13135,FAB-13136] Idemix/Fabric-CA Integration

This change-set addresses two JIRA items to help
the idemix-bccsp integration in Fabric-ca

Change-Id: I1c202831fa43287d877340037f9bdc93f6665f0e
Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>

bccsp/idemix/bccsp_test.go

@@ -6,6 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 package idemix_test
 
 import (
+	"crypto/rand"
+
 	"github.com/hyperledger/fabric/bccsp"
 	"github.com/hyperledger/fabric/bccsp/idemix"
 	"github.com/hyperledger/fabric/bccsp/sw"
@@ -26,6 +28,7 @@ var _ = Describe("Idemix Bridge", func() {
 			NymKey       bccsp.Key
 			NymPublicKey bccsp.Key
 
+			IssuerNonce []byte
 			credRequest []byte
 
 			credential []byte
@@ -57,11 +60,16 @@ var _ = Describe("Idemix Bridge", func() {
 			NymPublicKey, err = NymKey.PublicKey()
 			Expect(err).NotTo(HaveOccurred())
 
+			IssuerNonce = make([]byte, 32)
+			n, err := rand.Read(IssuerNonce)
+			Expect(n).To(BeEquivalentTo(32))
+			Expect(err).NotTo(HaveOccurred())
+
 			// Credential Request for User
 			credRequest, err = CSP.Sign(
 				UserKey,
 				bccsp.IdemixEmptyDigest(),
-				&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: IssuerPublicKey},
+				&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: IssuerPublicKey, IssuerNonce: IssuerNonce},
 			)
 			Expect(err).NotTo(HaveOccurred())
 
@@ -103,7 +111,7 @@ var _ = Describe("Idemix Bridge", func() {
 				IssuerPublicKey,
 				credRequest,
 				bccsp.IdemixEmptyDigest(),
-				&bccsp.IdemixCredentialRequestSignerOpts{},
+				&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: IssuerNonce},
 			)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(valid).To(BeTrue())

bccsp/idemix/bridge/bridge_test.go

@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 package bridge_test
 
 import (
+	"crypto/rand"
+	"fmt"
+
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric-amcl/amcl/FP256BN"
 	"github.com/hyperledger/fabric/bccsp"
@@ -291,39 +294,56 @@ var _ = Describe("Idemix Bridge", func() {
 	Describe("credential request", func() {
 		var (
 			CredRequest *bridge.CredRequest
+			IssuerNonce []byte
 		)
 		BeforeEach(func() {
 			CredRequest = &bridge.CredRequest{NewRand: bridge.NewRandOrPanic}
+			IssuerNonce = make([]byte, 32)
+			n, err := rand.Read(IssuerNonce)
+			Expect(n).To(BeEquivalentTo(32))
+			Expect(err).NotTo(HaveOccurred())
 		})
 
 		Context("sign", func() {
 			It("fail on nil user secret key", func() {
-				raw, err := CredRequest.Sign(nil, issuerPublicKey)
+				raw, err := CredRequest.Sign(nil, issuerPublicKey, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("invalid user secret key, expected *Big, got [<nil>]"))
 				Expect(raw).To(BeNil())
 			})
 
 			It("fail on invalid user secret key", func() {
-				raw, err := CredRequest.Sign(issuerPublicKey, issuerPublicKey)
+				raw, err := CredRequest.Sign(issuerPublicKey, issuerPublicKey, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("invalid user secret key, expected *Big, got [*bridge.IssuerPublicKey]"))
 				Expect(raw).To(BeNil())
 			})
 
 			It("fail on nil issuer public key", func() {
-				raw, err := CredRequest.Sign(userSecretKey, nil)
+				raw, err := CredRequest.Sign(userSecretKey, nil, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("invalid issuer public key, expected *IssuerPublicKey, got [<nil>]"))
 				Expect(raw).To(BeNil())
 			})
 
 			It("fail on invalid issuer public key", func() {
-				raw, err := CredRequest.Sign(userSecretKey, &mock.IssuerPublicKey{})
+				raw, err := CredRequest.Sign(userSecretKey, &mock.IssuerPublicKey{}, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("invalid issuer public key, expected *IssuerPublicKey, got [*mock.IssuerPublicKey]"))
 				Expect(raw).To(BeNil())
 			})
 
+			It("fail on nil nonce", func() {
+				raw, err := CredRequest.Sign(userSecretKey, issuerPublicKey, nil)
+				Expect(err.Error()).To(BeEquivalentTo("invalid issuer nonce, expected length 32, got 0"))
+				Expect(raw).To(BeNil())
+			})
+
+			It("fail on empty nonce", func() {
+				raw, err := CredRequest.Sign(userSecretKey, issuerPublicKey, []byte{})
+				Expect(err.Error()).To(BeEquivalentTo("invalid issuer nonce, expected length 32, got 0"))
+				Expect(raw).To(BeNil())
+			})
+
 			It("panic on rand failure", func() {
 				CredRequest.NewRand = NewRandPanic
-				raw, err := CredRequest.Sign(userSecretKey, issuerPublicKey)
+				raw, err := CredRequest.Sign(userSecretKey, issuerPublicKey, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("failure [new rand panic]"))
 				Expect(raw).To(BeNil())
 			})
@@ -332,24 +352,25 @@ var _ = Describe("Idemix Bridge", func() {
 
 		Context("verify", func() {
 			It("panic on nil credential request", func() {
-				err := CredRequest.Verify(nil, issuerPublicKey)
+				err := CredRequest.Verify(nil, issuerPublicKey, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("failure [runtime error: index out of range]"))
 			})
 
 			It("fail on invalid credential request", func() {
-				err := CredRequest.Verify([]byte{0, 1, 2, 3, 4}, issuerPublicKey)
+				err := CredRequest.Verify([]byte{0, 1, 2, 3, 4}, issuerPublicKey, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("proto: idemix.CredRequest: illegal tag 0 (wire type 0)"))
 			})
 
 			It("fail on nil issuer public key", func() {
-				err := CredRequest.Verify(nil, nil)
+				err := CredRequest.Verify(nil, nil, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("invalid issuer public key, expected *IssuerPublicKey, got [<nil>]"))
 			})
 
 			It("fail on invalid issuer public key", func() {
-				err := CredRequest.Verify(nil, &mock.IssuerPublicKey{})
+				err := CredRequest.Verify(nil, &mock.IssuerPublicKey{}, IssuerNonce)
 				Expect(err.Error()).To(BeEquivalentTo("invalid issuer public key, expected *IssuerPublicKey, got [*mock.IssuerPublicKey]"))
 			})
+
 		})
 	})
 
@@ -590,6 +611,7 @@ var _ = Describe("Idemix Bridge", func() {
 			CredRequest               handlers.CredRequest
 			CredentialRequestSigner   *handlers.CredentialRequestSigner
 			CredentialRequestVerifier *handlers.CredentialRequestVerifier
+			IssuerNonce               []byte
 			credRequest               []byte
 
 			Credential         handlers.Credential
@@ -631,13 +653,18 @@ var _ = Describe("Idemix Bridge", func() {
 			Expect(err).NotTo(HaveOccurred())
 
 			// Credential Request for User
+			IssuerNonce = make([]byte, 32)
+			n, err := rand.Read(IssuerNonce)
+			Expect(n).To(BeEquivalentTo(32))
+			Expect(err).NotTo(HaveOccurred())
+
 			CredRequest = &bridge.CredRequest{NewRand: bridge.NewRandOrPanic}
 			CredentialRequestSigner = &handlers.CredentialRequestSigner{CredRequest: CredRequest}
 			CredentialRequestVerifier = &handlers.CredentialRequestVerifier{CredRequest: CredRequest}
 			credRequest, err = CredentialRequestSigner.Sign(
 				UserKey,
 				bccsp.IdemixEmptyDigest(),
-				&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: IssuerPublicKey},
+				&bccsp.IdemixCredentialRequestSignerOpts{IssuerPK: IssuerPublicKey, IssuerNonce: IssuerNonce},
 			)
 			Expect(err).NotTo(HaveOccurred())
 
@@ -685,7 +712,7 @@ var _ = Describe("Idemix Bridge", func() {
 				IssuerPublicKey,
 				credRequest,
 				bccsp.IdemixEmptyDigest(),
-				nil,
+				&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: IssuerNonce},
 			)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(valid).To(BeTrue())
@@ -722,7 +749,45 @@ var _ = Describe("Idemix Bridge", func() {
 
 		Context("the environment is not valid with the respect to different parameters", func() {
 
+			It("invalid credential request nonce", func() {
+				valid, err := CredentialRequestVerifier.Verify(
+					IssuerPublicKey,
+					credRequest,
+					bccsp.IdemixEmptyDigest(),
+					&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: []byte("pine-apple-pine-apple-pine-apple")},
+				)
+				Expect(err.Error()).To(BeEquivalentTo(fmt.Sprintf("invalid nonce, expected [%v], got [%v]", []byte("pine-apple-pine-apple-pine-apple"), IssuerNonce)))
+				Expect(valid).ToNot(BeTrue())
+			})
+
+			It("invalid credential request nonce, too short", func() {
+				valid, err := CredentialRequestVerifier.Verify(
+					IssuerPublicKey,
+					credRequest,
+					bccsp.IdemixEmptyDigest(),
+					&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: []byte("pine-aple-pine-apple-pinapple")},
+				)
+				Expect(err.Error()).To(BeEquivalentTo("invalid issuer nonce, expected length 32, got 29"))
+				Expect(valid).ToNot(BeTrue())
+			})
+
 			It("invalid credential request", func() {
+				if credRequest[4] == 0 {
+					credRequest[4] = 1
+				} else {
+					credRequest[4] = 0
+				}
+				valid, err := CredentialRequestVerifier.Verify(
+					IssuerPublicKey,
+					credRequest,
+					bccsp.IdemixEmptyDigest(),
+					&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: IssuerNonce},
+				)
+				Expect(err.Error()).To(BeEquivalentTo("zero knowledge proof is invalid"))
+				Expect(valid).ToNot(BeTrue())
+			})
+
+			It("invalid credential request in verifying credential", func() {
 				credRequest[4] = 0
 				credential, err := CredentialSigner.Sign(
 					IssuerKey,

bccsp/idemix/bridge/credrequest.go

@@ -6,6 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 package bridge
 
 import (
+	"bytes"
+
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric-amcl/amcl"
 	"github.com/hyperledger/fabric/bccsp/idemix/handlers"
@@ -22,7 +24,7 @@ type CredRequest struct {
 
 // Sign produces an idemix credential request. It takes in input a user secret key and
 // an issuer public key.
-func (cr *CredRequest) Sign(sk handlers.Big, ipk handlers.IssuerPublicKey) (res []byte, err error) {
+func (cr *CredRequest) Sign(sk handlers.Big, ipk handlers.IssuerPublicKey, nonce []byte) (res []byte, err error) {
 	defer func() {
 		if r := recover(); r != nil {
 			res = nil
@@ -38,12 +40,15 @@ func (cr *CredRequest) Sign(sk handlers.Big, ipk handlers.IssuerPublicKey) (res
 	if !ok {
 		return nil, errors.Errorf("invalid issuer public key, expected *IssuerPublicKey, got [%T]", ipk)
 	}
+	if len(nonce) != cryptolib.FieldBytes {
+		return nil, errors.Errorf("invalid issuer nonce, expected length %d, got %d", cryptolib.FieldBytes, len(nonce))
+	}
 
 	rng := cr.NewRand()
 
 	credRequest := cryptolib.NewCredRequest(
 		isk.E,
-		cryptolib.RandModOrder(rng),
+		nonce,
 		iipk.PK,
 		rng)
 
@@ -52,7 +57,7 @@ func (cr *CredRequest) Sign(sk handlers.Big, ipk handlers.IssuerPublicKey) (res
 
 // Verify checks that the passed credential request is valid with the respect to the passed
 // issuer public key.
-func (*CredRequest) Verify(credentialRequest []byte, ipk handlers.IssuerPublicKey) (err error) {
+func (*CredRequest) Verify(credentialRequest []byte, ipk handlers.IssuerPublicKey, nonce []byte) (err error) {
 	defer func() {
 		if r := recover(); r != nil {
 			err = errors.Errorf("failure [%s]", r)
@@ -70,5 +75,18 @@ func (*CredRequest) Verify(credentialRequest []byte, ipk handlers.IssuerPublicKe
 		return errors.Errorf("invalid issuer public key, expected *IssuerPublicKey, got [%T]", ipk)
 	}
 
-	return credRequest.Check(iipk.PK)
+	err = credRequest.Check(iipk.PK)
+	if err != nil {
+		return err
+	}
+
+	// Nonce checks
+	if len(nonce) != cryptolib.FieldBytes {
+		return errors.Errorf("invalid issuer nonce, expected length %d, got %d", cryptolib.FieldBytes, len(nonce))
+	}
+	if !bytes.Equal(nonce, credRequest.IssuerNonce) {
+		return errors.Errorf("invalid nonce, expected [%v], got [%v]", nonce, credRequest.IssuerNonce)
+	}
+
+	return nil
 }

bccsp/idemix/handlers/cred.go

@@ -38,7 +38,7 @@ func (c *CredentialRequestSigner) Sign(k bccsp.Key, digest []byte, opts bccsp.Si
 		return nil, errors.New("invalid digest, the idemix empty digest is expected")
 	}
 
-	return c.CredRequest.Sign(userSecretKey.sk, issuerPK.pk)
+	return c.CredRequest.Sign(userSecretKey.sk, issuerPK.pk, credentialRequestSignerOpts.IssuerNonce)
 }
 
 // CredentialRequestVerifier verifies credential requests
@@ -55,8 +55,12 @@ func (c *CredentialRequestVerifier) Verify(k bccsp.Key, signature, digest []byte
 	if !reflect.DeepEqual(digest, bccsp.IdemixEmptyDigest()) {
 		return false, errors.New("invalid digest, the idemix empty digest is expected")
 	}
+	credentialRequestSignerOpts, ok := opts.(*bccsp.IdemixCredentialRequestSignerOpts)
+	if !ok {
+		return false, errors.New("invalid options, expected *IdemixCredentialRequestSignerOpts")
+	}
 
-	err := c.CredRequest.Verify(signature, issuerPublicKey.pk)
+	err := c.CredRequest.Verify(signature, issuerPublicKey.pk, credentialRequestSignerOpts.IssuerNonce)
 	if err != nil {
 		return false, err
 	}

bccsp/idemix/handlers/cred_test.go

@@ -6,6 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 package handlers_test
 
 import (
+	"crypto/rand"
+
 	"github.com/hyperledger/fabric/bccsp"
 	"github.com/hyperledger/fabric/bccsp/idemix/handlers"
 	"github.com/hyperledger/fabric/bccsp/idemix/handlers/mock"
@@ -158,11 +160,16 @@ var _ = Describe("Credential Request", func() {
 
 		var (
 			CredentialRequestVerifier *handlers.CredentialRequestVerifier
+			IssuerNonce               []byte
 			fakeCredRequest           *mock.CredRequest
 		)
 
 		BeforeEach(func() {
 			fakeCredRequest = &mock.CredRequest{}
+			IssuerNonce = make([]byte, 32)
+			n, err := rand.Read(IssuerNonce)
+			Expect(n).To(BeEquivalentTo(32))
+			Expect(err).NotTo(HaveOccurred())
 			CredentialRequestVerifier = &handlers.CredentialRequestVerifier{CredRequest: fakeCredRequest}
 		})
 
@@ -176,7 +183,7 @@ var _ = Describe("Credential Request", func() {
 					handlers.NewIssuerPublicKey(nil),
 					[]byte("fake signature"),
 					bccsp.IdemixEmptyDigest(),
-					nil,
+					&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: IssuerNonce},
 				)
 				Expect(err).NotTo(HaveOccurred())
 				Expect(valid).To(BeTrue())
@@ -193,7 +200,7 @@ var _ = Describe("Credential Request", func() {
 					handlers.NewIssuerPublicKey(nil),
 					[]byte("fake signature"),
 					bccsp.IdemixEmptyDigest(),
-					nil,
+					&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: IssuerNonce},
 				)
 				Expect(err).To(MatchError("verify error"))
 				Expect(valid).To(BeFalse())
@@ -208,7 +215,7 @@ var _ = Describe("Credential Request", func() {
 						nil,
 						[]byte("fake signature"),
 						nil,
-						nil,
+						&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: IssuerNonce},
 					)
 					Expect(err).To(MatchError("invalid key, expected *issuerPublicKey"))
 					Expect(valid).To(BeFalse())
@@ -221,7 +228,7 @@ var _ = Describe("Credential Request", func() {
 						handlers.NewUserSecretKey(nil, false),
 						[]byte("fake signature"),
 						nil,
-						nil,
+						&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: IssuerNonce},
 					)
 					Expect(err).To(MatchError("invalid key, expected *issuerPublicKey"))
 					Expect(valid).To(BeFalse())
@@ -234,13 +241,38 @@ var _ = Describe("Credential Request", func() {
 						handlers.NewIssuerPublicKey(nil),
 						[]byte("fake signature"),
 						[]byte{1, 2, 3, 4},
-						nil,
+						&bccsp.IdemixCredentialRequestSignerOpts{IssuerNonce: IssuerNonce},
 					)
 					Expect(err).To(MatchError("invalid digest, the idemix empty digest is expected"))
 					Expect(valid).To(BeFalse())
 				})
 			})
 
+			Context("and nil options are passed", func() {
+				It("returns error", func() {
+					valid, err := CredentialRequestVerifier.Verify(
+						handlers.NewIssuerPublicKey(nil),
+						[]byte("fake signature"),
+						bccsp.IdemixEmptyDigest(),
+						nil,
+					)
+					Expect(err).To(MatchError("invalid options, expected *IdemixCredentialRequestSignerOpts"))
+					Expect(valid).To(BeFalse())
+				})
+			})
+
+			Context("and non-valid options are passed", func() {
+				It("returns error", func() {
+					valid, err := CredentialRequestVerifier.Verify(
+						handlers.NewIssuerPublicKey(nil),
+						[]byte("fake signature"),
+						bccsp.IdemixEmptyDigest(),
+						&bccsp.IdemixCRISignerOpts{},
+					)
+					Expect(err).To(MatchError("invalid options, expected *IdemixCredentialRequestSignerOpts"))
+					Expect(valid).To(BeFalse())
+				})
+			})
 		})
 	})
 })

bccsp/idemix/handlers/idemix.go

@@ -74,10 +74,10 @@ type User interface {
 type CredRequest interface {
 	// Sign creates a new Credential Request, the first message of the interactive credential issuance protocol
 	// (from user to issuer)
-	Sign(sk Big, ipk IssuerPublicKey) ([]byte, error)
+	Sign(sk Big, ipk IssuerPublicKey, nonce []byte) ([]byte, error)
 
 	// Verify verifies the credential request
-	Verify(credRequest []byte, ipk IssuerPublicKey) error
+	Verify(credRequest []byte, ipk IssuerPublicKey, nonce []byte) error
 }
 
 // CredRequest is a local interface to decouple from the idemix implementation

bccsp/idemix/handlers/mock/credrequest.go

@@ -8,11 +8,12 @@ import (
 )
 
 type CredRequest struct {
-	SignStub        func(sk handlers.Big, ipk handlers.IssuerPublicKey) ([]byte, error)
+	SignStub        func(sk handlers.Big, ipk handlers.IssuerPublicKey, nonce []byte) ([]byte, error)
 	signMutex       sync.RWMutex
 	signArgsForCall []struct {
-		sk  handlers.Big
-		ipk handlers.IssuerPublicKey
+		sk    handlers.Big
+		ipk   handlers.IssuerPublicKey
+		nonce []byte
 	}
 	signReturns struct {
 		result1 []byte
@@ -22,11 +23,12 @@ type CredRequest struct {
 		result1 []byte
 		result2 error
 	}
-	VerifyStub        func(credRequest []byte, ipk handlers.IssuerPublicKey) error
+	VerifyStub        func(credRequest []byte, ipk handlers.IssuerPublicKey, nonce []byte) error
 	verifyMutex       sync.RWMutex
 	verifyArgsForCall []struct {
 		credRequest []byte
 		ipk         handlers.IssuerPublicKey
+		nonce       []byte
 	}
 	verifyReturns struct {
 		result1 error
@@ -38,17 +40,23 @@ type CredRequest struct {
 	invocationsMutex sync.RWMutex
 }
 
-func (fake *CredRequest) Sign(sk handlers.Big, ipk handlers.IssuerPublicKey) ([]byte, error) {
+func (fake *CredRequest) Sign(sk handlers.Big, ipk handlers.IssuerPublicKey, nonce []byte) ([]byte, error) {
+	var nonceCopy []byte
+	if nonce != nil {
+		nonceCopy = make([]byte, len(nonce))
+		copy(nonceCopy, nonce)
+	}
 	fake.signMutex.Lock()
 	ret, specificReturn := fake.signReturnsOnCall[len(fake.signArgsForCall)]
 	fake.signArgsForCall = append(fake.signArgsForCall, struct {
-		sk  handlers.Big
-		ipk handlers.IssuerPublicKey
-	}{sk, ipk})
-	fake.recordInvocation("Sign", []interface{}{sk, ipk})
+		sk    handlers.Big
+		ipk   handlers.IssuerPublicKey
+		nonce []byte
+	}{sk, ipk, nonceCopy})
+	fake.recordInvocation("Sign", []interface{}{sk, ipk, nonceCopy})
 	fake.signMutex.Unlock()
 	if fake.SignStub != nil {
-		return fake.SignStub(sk, ipk)
+		return fake.SignStub(sk, ipk, nonce)
 	}
 	if specificReturn {
 		return ret.result1, ret.result2
@@ -62,10 +70,10 @@ func (fake *CredRequest) SignCallCount() int {
 	return len(fake.signArgsForCall)
 }
 
-func (fake *CredRequest) SignArgsForCall(i int) (handlers.Big, handlers.IssuerPublicKey) {
+func (fake *CredRequest) SignArgsForCall(i int) (handlers.Big, handlers.IssuerPublicKey, []byte) {
 	fake.signMutex.RLock()
 	defer fake.signMutex.RUnlock()
-	return fake.signArgsForCall[i].sk, fake.signArgsForCall[i].ipk
+	return fake.signArgsForCall[i].sk, fake.signArgsForCall[i].ipk, fake.signArgsForCall[i].nonce
 }
 
 func (fake *CredRequest) SignReturns(result1 []byte, result2 error) {
@@ -90,22 +98,28 @@ func (fake *CredRequest) SignReturnsOnCall(i int, result1 []byte, result2 error)
 	}{result1, result2}
 }
 
-func (fake *CredRequest) Verify(credRequest []byte, ipk handlers.IssuerPublicKey) error {
+func (fake *CredRequest) Verify(credRequest []byte, ipk handlers.IssuerPublicKey, nonce []byte) error {
 	var credRequestCopy []byte
 	if credRequest != nil {
 		credRequestCopy = make([]byte, len(credRequest))
 		copy(credRequestCopy, credRequest)
 	}
+	var nonceCopy []byte
+	if nonce != nil {
+		nonceCopy = make([]byte, len(nonce))
+		copy(nonceCopy, nonce)
+	}
 	fake.verifyMutex.Lock()
 	ret, specificReturn := fake.verifyReturnsOnCall[len(fake.verifyArgsForCall)]
 	fake.verifyArgsForCall = append(fake.verifyArgsForCall, struct {
 		credRequest []byte
 		ipk         handlers.IssuerPublicKey
-	}{credRequestCopy, ipk})
-	fake.recordInvocation("Verify", []interface{}{credRequestCopy, ipk})
+		nonce       []byte
+	}{credRequestCopy, ipk, nonceCopy})
+	fake.recordInvocation("Verify", []interface{}{credRequestCopy, ipk, nonceCopy})
 	fake.verifyMutex.Unlock()
 	if fake.VerifyStub != nil {
-		return fake.VerifyStub(credRequest, ipk)
+		return fake.VerifyStub(credRequest, ipk, nonce)
 	}
 	if specificReturn {
 		return ret.result1
@@ -119,10 +133,10 @@ func (fake *CredRequest) VerifyCallCount() int {
 	return len(fake.verifyArgsForCall)
 }
 
-func (fake *CredRequest) VerifyArgsForCall(i int) ([]byte, handlers.IssuerPublicKey) {
+func (fake *CredRequest) VerifyArgsForCall(i int) ([]byte, handlers.IssuerPublicKey, []byte) {
 	fake.verifyMutex.RLock()
 	defer fake.verifyMutex.RUnlock()
-	return fake.verifyArgsForCall[i].credRequest, fake.verifyArgsForCall[i].ipk
+	return fake.verifyArgsForCall[i].credRequest, fake.verifyArgsForCall[i].ipk, fake.verifyArgsForCall[i].nonce
 }
 
 func (fake *CredRequest) VerifyReturns(result1 error) {

bccsp/idemixopts.go

@@ -15,7 +15,9 @@ type RevocationAlgorithm int32
 const (
 	// IDEMIX constant to identify Idemix related algorithms
 	IDEMIX = "IDEMIX"
+)
 
+const (
 	// AlgNoRevocation means no revocation support
 	AlgNoRevocation RevocationAlgorithm = iota
 )
@@ -147,6 +149,9 @@ type IdemixCredentialRequestSignerOpts struct {
 	Attributes []int
 	// IssuerPK is the public-key of the issuer
 	IssuerPK Key
+	// IssuerNonce is generated by the issuer and used by the client to generate the credential request.
+	// Once the issuer gets the credential requests, it checks that the nonce is the same.
+	IssuerNonce []byte
 	// HashFun is the hash function to be used
 	H crypto.Hash
 }

common/tools/idemixgen/idemixca/idemixca.go

@@ -63,7 +63,7 @@ func GenerateSignerConfig(roleMask int, ouString string, enrollmentId string, re
 		return nil, errors.WithMessage(err, "Error getting PRNG")
 	}
 	sk := idemix.RandModOrder(rng)
-	ni := idemix.RandModOrder(rng)
+	ni := idemix.BigToBytes(idemix.RandModOrder(rng))
 	msg := idemix.NewCredRequest(sk, ni, key.Ipk, rng)
 	cred, err := idemix.NewCredential(key, msg, attrs, rng)
 	if err != nil {

idemix/credrequest.go

@@ -32,7 +32,7 @@ const credRequestLabel = "credRequest"
 
 // NewCredRequest creates a new Credential Request, the first message of the interactive credential issuance protocol
 // (from user to issuer)
-func NewCredRequest(sk *FP256BN.BIG, IssuerNonce *FP256BN.BIG, ipk *IssuerPublicKey, rng *amcl.RAND) *CredRequest {
+func NewCredRequest(sk *FP256BN.BIG, IssuerNonce []byte, ipk *IssuerPublicKey, rng *amcl.RAND) *CredRequest {
 	// Set Nym as h_{sk}^{sk}
 	HSk := EcpFromProto(ipk.HSk)
 	Nym := HSk.Mul(sk)
@@ -57,7 +57,7 @@ func NewCredRequest(sk *FP256BN.BIG, IssuerNonce *FP256BN.BIG, ipk *IssuerPublic
 	index = appendBytesG1(proofData, index, t)
 	index = appendBytesG1(proofData, index, HSk)
 	index = appendBytesG1(proofData, index, Nym)
-	index = appendBytesBig(proofData, index, IssuerNonce)
+	index = appendBytes(proofData, index, IssuerNonce)
 	copy(proofData[index:], ipk.Hash)
 	proofC := HashModOrder(proofData)
 
@@ -67,7 +67,7 @@ func NewCredRequest(sk *FP256BN.BIG, IssuerNonce *FP256BN.BIG, ipk *IssuerPublic
 	// Done
 	return &CredRequest{
 		Nym:         EcpToProto(Nym),
-		IssuerNonce: BigToBytes(IssuerNonce),
+		IssuerNonce: IssuerNonce,
 		ProofC:      BigToBytes(proofC),
 		ProofS:      BigToBytes(proofS)}
 }
@@ -75,7 +75,7 @@ func NewCredRequest(sk *FP256BN.BIG, IssuerNonce *FP256BN.BIG, ipk *IssuerPublic