Enforcing required-reveal statements

[andrewwhitehead]

Rather than adding required-reveal statements at a higher level (like linked data proofs) where they are difficult or impossible to enforce, for the next draft I think it would be beneficial to tie signature generation and verification to this information.

There are a few ways that this could be done, but I think that adding a required-reveal flag to the message generators is a good approach. For example, at the moment h[i] is defined as hash_to_curve_g1( w || I2OSP(0, 1) || I2OSP(i + 1, 4) || I2OSP(0, 1) || I2OSP(count, 4) ). The input to the hash could be extended with the required-reveal state of that message index, I2OSP(ri, 1) where ri is 0 or 1. For use cases where required-reveal statements are not important, the set of indices would be omitted and default to 0 for each index.

SpkVerify would be updated to take the required-reveal indices into account and reject verification when the message input is not provided.