Snap for 11190379 from 4fd15465c364df9b8a5976ca19a99cd11f9e200a to mainline-conscrypt-releaseaml_con_341614000aml_con_341511080aml_con_341410300android14-mainline-conscrypt-release

Change-Id: I6e5a492ca78194eb848c6863887c373b7c775d80

18 files changed, 495 insertions, 47 deletions

diff --git a/Android.bp b/Android.bp
index bb4bef6..b9ccb5b 100644
--- a/Android.bp
+++ b/Android.bp
@@ -48,6 +48,9 @@ cc_library_static {
     ],
     cflags: ["-Wno-unused-parameter"],
     export_include_dirs: ["."],
+    include_dirs: [
+      "external/protobuf",
+    ],
     proto: {
       type: "lite",
       export_proto_headers: true,
@@ -56,6 +59,8 @@ cc_library_static {
       ],
       include_dirs: [
         "external/private-join-and-compute",
+        "external/protobuf",
+        
       ]
     },
     sanitize: {
diff --git a/WORKSPACE b/WORKSPACE
index 747032c..6cba449 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -20,9 +20,9 @@ load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
 # Private Join and Compute
 http_archive(
     name = "private_join_and_compute",
-    sha256 = "6026c6522b0119e48b697492d184ee60be97071344c2788095fcb2a489ad905f",
-    strip_prefix = "private-join-and-compute-e028e59420a9c36328705ed5064408de03d229a8",
-    urls = ["https://github.com/google/private-join-and-compute/archive/e028e59420a9c36328705ed5064408de03d229a8.zip"],
+    sha256 = "9304a6fe62c7227657e7cecf08c6234c14dfb558bd6a2fa778de845056fb9dd3",
+    strip_prefix = "private-join-and-compute-f77f26fab7f37e5e1e2d43250662c0281bd7fa4a",
+    urls = ["https://github.com/google/private-join-and-compute/archive/f77f26fab7f37e5e1e2d43250662c0281bd7fa4a.zip"],
 )
 
 # loads boringssl, absl, googletest, protobuf.
@@ -48,4 +48,4 @@ load("@com_github_grpc_grpc//bazel:grpc_deps.bzl", "grpc_deps")
 grpc_deps()
 
 load("@com_github_grpc_grpc//bazel:grpc_extra_deps.bzl", "grpc_extra_deps")
-grpc_extra_deps()
\ No newline at end of file
+grpc_extra_deps()
diff --git a/act/act.proto b/act/act.proto
index f40f608..1c39823 100644
--- a/act/act.proto
+++ b/act/act.proto
@@ -91,10 +91,12 @@ message TokensResponse {
 
 // An actual token recovered from the TokenResponse.
 message Token {
-  // Serialized BigNum corresponding to the nonce for this token.
-  string nonce = 1;
+  reserved 1;
 
   oneof token_oneof {
     TokenV0 token_v0 = 2;
   }
+
+  // Serialized BigNum corresponding to the nonce for this token.
+  bytes nonce_bytes = 3;
 }
diff --git a/act/act_v0/BUILD b/act/act_v0/BUILD
index 64dacac..c4d2c89 100644
--- a/act/act_v0/BUILD
+++ b/act/act_v0/BUILD
@@ -50,10 +50,7 @@ cc_library(
         "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:bb_oblivious_signature_cc_proto",
         "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:dy_verifiable_random_function",
         "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:dy_verifiable_random_function_cc_proto",
-        "@private_join_and_compute//private_join_and_compute/crypto/proto:big_num_cc_proto",
-        "@private_join_and_compute//private_join_and_compute/crypto/proto:camenisch_shoup_cc_proto",
         "@private_join_and_compute//private_join_and_compute/crypto/proto:ec_point_cc_proto",
-        "@private_join_and_compute//private_join_and_compute/crypto/proto:pedersen_cc_proto",
         "@private_join_and_compute//private_join_and_compute/crypto/proto:proto_util",
         "@private_join_and_compute//private_join_and_compute/util:status_includes",
     ],
@@ -69,14 +66,12 @@ cc_test(
         "//act",
         "//act:act_cc_proto",
         "@com_github_google_googletest//:gtest_main",
-        "@com_google_absl//absl/strings",
         "@private_join_and_compute//private_join_and_compute/crypto:bn_util",
         "@private_join_and_compute//private_join_and_compute/crypto:camenisch_shoup",
         "@private_join_and_compute//private_join_and_compute/crypto:ec_util",
         "@private_join_and_compute//private_join_and_compute/crypto:pedersen_over_zn",
         "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:bb_oblivious_signature",
         "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:bb_oblivious_signature_cc_proto",
-        "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:dy_verifiable_random_function",
         "@private_join_and_compute//private_join_and_compute/crypto/dodis_yampolskiy_prf:dy_verifiable_random_function_cc_proto",
         "@private_join_and_compute//private_join_and_compute/crypto/proto:big_num_cc_proto",
         "@private_join_and_compute//private_join_and_compute/crypto/proto:camenisch_shoup_cc_proto",
@@ -93,7 +88,8 @@ cc_library(
     deps = [
         ":act_v0_cc_proto",
         "//act:act_cc_proto",
-        "@private_join_and_compute//private_join_and_compute/crypto:ec_util",
+        "@com_google_absl//absl/strings",
+        "@private_join_and_compute//private_join_and_compute/crypto:openssl_includes",
     ],
 )
 
diff --git a/act/act_v0/act_v0.cc b/act/act_v0/act_v0.cc
index 74dc1dd..d4418e7 100644
--- a/act/act_v0/act_v0.cc
+++ b/act/act_v0/act_v0.cc
@@ -78,6 +78,8 @@ StatusOr<std::unique_ptr<DyVerifiableRandomFunction>> CreateDyVrf(
   dy_vrf_parameters.set_random_oracle_prefix(
       scheme_parameters_v0.random_oracle_prefix());
   dy_vrf_parameters.set_dy_prf_base_g(server_public_parameters_v0.prf_base_g());
+  *dy_vrf_parameters.mutable_pedersen_parameters() =
+      server_public_parameters_v0.pedersen_parameters();
 
   return DyVerifiableRandomFunction::Create(std::move(dy_vrf_parameters), ctx,
                                             ec_group, pedersen);
@@ -109,28 +111,15 @@ StatusOr<std::vector<BigNum>> GetNoncesForTokenRequest(
           challenge_sos.get());
   challenge_cos->SetSerializationDeterministic(true);
   challenge_cos->WriteVarint64(scheme_parameters.ByteSizeLong());
-  if (!scheme_parameters.SerializeToCodedStream(challenge_cos.get())) {
-    return absl::InternalError(
-        "GetNoncesForTokenRequest: Failed to serialize scheme_parameters.");
-  }
+  challenge_cos->WriteString(SerializeAsStringInOrder(scheme_parameters));
   challenge_cos->WriteVarint64(server_public_parameters.ByteSizeLong());
-  if (!server_public_parameters.SerializeToCodedStream(challenge_cos.get())) {
-    return absl::InternalError(
-        "GetNoncesForTokenRequest: Failed to serialize "
-        "server_public_parameters.");
-  }
+  challenge_cos->WriteString(
+      SerializeAsStringInOrder(server_public_parameters));
   challenge_cos->WriteVarint64(client_public_parameters.ByteSizeLong());
-  if (!client_public_parameters.SerializeToCodedStream(challenge_cos.get())) {
-    return absl::InternalError(
-        "GetNoncesForTokenRequest: Failed to serialize "
-        "client_public_parameters.");
-  }
+  challenge_cos->WriteString(
+      SerializeAsStringInOrder(client_public_parameters));
   challenge_cos->WriteVarint64(tokens_request_part_1.ByteSizeLong());
-  if (!tokens_request_part_1.SerializeToCodedStream(challenge_cos.get())) {
-    return absl::InternalError(
-        "GetNoncesForTokenRequest: Failed to serialize "
-        "client_public_parameters.");
-  }
+  challenge_cos->WriteString(SerializeAsStringInOrder(tokens_request_part_1));
   challenge_cos->WriteVarint64(num_messages);
 
   // Delete the serialization objects to make sure they clean up and write.
@@ -847,7 +836,7 @@ StatusOr<std::vector<Token>> AnonymousCountingTokensV0::RecoverTokens(
   for (size_t i = 0; i < messages.size(); ++i) {
     Token token;
     TokenV0* token_v0 = token.mutable_token_v0();
-    token.set_nonce(nonces[i].ToBytes());
+    token.set_nonce_bytes(nonces[i].ToBytes());
     ASSIGN_OR_RETURN(*token_v0->mutable_bb_signature(),
                      signatures[i].ToBytesCompressed());
     tokens.push_back(std::move(token));
@@ -891,10 +880,11 @@ Status AnonymousCountingTokensV0::VerifyToken(
       server_private_parameters_v0.bb_oblivious_signature_private_key().y());
 
   BigNum hashed_message = ctx.RandomOracleSha512(m, ec_group.GetOrder());
-  BigNum nonce = ctx.CreateBigNum(token.nonce());
+
+  BigNum nonce = ctx.CreateBigNum(token.nonce_bytes());
 
   // Verify that reserializing the nonce comes out to the same value.
-  if (nonce.ToBytes() != token.nonce()) {
+  if (nonce.ToBytes() != token.nonce_bytes()) {
     return absl::InvalidArgumentError(
         "AnonymousCountingTokensV0::VerifyToken: nonce comes out to different "
         "value when serialized and deserialized.");
diff --git a/act/act_v0/act_v0_test.cc b/act/act_v0/act_v0_test.cc
index 387a993..2c17471 100644
--- a/act/act_v0/act_v0_test.cc
+++ b/act/act_v0/act_v0_test.cc
@@ -677,7 +677,8 @@ TEST_F(AnonymousCountingTokensV0Test, TokensHaveUniqueNonces) {
   std::vector<std::string> messages = {"message_1", "message_2"};
   ASSERT_OK_AND_ASSIGN(Transcript transcript, GenerateTranscript(messages));
 
-  EXPECT_NE(transcript.tokens[0].nonce(), transcript.tokens[1].nonce());
+  EXPECT_NE(transcript.tokens[0].nonce_bytes(),
+            transcript.tokens[1].nonce_bytes());
 }
 
 }  // namespace
diff --git a/act/act_v0/parameters.cc b/act/act_v0/parameters.cc
index 8a2e6c5..3f8ee7e 100644
--- a/act/act_v0/parameters.cc
+++ b/act/act_v0/parameters.cc
@@ -16,7 +16,7 @@
 #include "act/act_v0/parameters.h"
 
 #include <string>
-
+#include "absl/strings/str_cat.h"
 #include "act/act_v0/act_v0.pb.h"
 
 namespace private_join_and_compute {
@@ -80,5 +80,42 @@ SchemeParameters ActV0Batch32SchemeParameters() {
   return scheme_parameters;
 }
 
+// Returns parameters supporting 32 messages in a batch, with CS vector
+// encryption length set to 2, and modulus length 2048.
+SchemeParameters
+ActV0SchemeParametersPedersen32Modulus2048CamenischShoupVector2() {
+  int pedersen_batch_size = 32;
+  int modulus_length = 2048;
+  int camensich_shoup_vector_encryption_length = 2;
+
+  return ActV0SchemeParameters(pedersen_batch_size, modulus_length,
+                               camensich_shoup_vector_encryption_length);
+}
+
+// Returns custom parameters.
+SchemeParameters ActV0SchemeParameters(int pedersen_batch_size,
+                                       int modulus_length_bits,
+                                       int camenisch_shoup_vector_length) {
+  std::string random_oracle_prefix = absl::StrCat(
+      "ActV0SchemeParametersPedersenBatchSize", pedersen_batch_size,
+      "ModulusLengthBits", modulus_length_bits, "CamenischShoupVectorLength",
+      camenisch_shoup_vector_length);
+
+  SchemeParameters scheme_parameters;
+  SchemeParametersV0* scheme_parameters_v0 =
+      scheme_parameters.mutable_scheme_parameters_v0();
+  scheme_parameters_v0->set_security_parameter(kDefaultSecurityParameter);
+  scheme_parameters_v0->set_challenge_length_bits(kDefaultChallengeLength);
+  scheme_parameters_v0->set_modulus_length_bits(modulus_length_bits);
+  scheme_parameters_v0->set_camenisch_shoup_s(kDefaultCamenischShoupS);
+  scheme_parameters_v0->set_vector_encryption_length(
+      camenisch_shoup_vector_length);
+  scheme_parameters_v0->set_pedersen_batch_size(pedersen_batch_size);
+  scheme_parameters_v0->set_prf_ec_group(kDefaultCurveId);
+  scheme_parameters_v0->set_random_oracle_prefix(random_oracle_prefix);
+
+  return scheme_parameters;
+}
+
 }  // namespace anonymous_counting_tokens
 }  // namespace private_join_and_compute
diff --git a/act/act_v0/parameters.h b/act/act_v0/parameters.h
index 0371f7f..21cff96 100644
--- a/act/act_v0/parameters.h
+++ b/act/act_v0/parameters.h
@@ -34,12 +34,26 @@ const int kDefaultModulusLengthBits = 3072;
 // bits, smaller batch size of 3).
 SchemeParameters ActV0TestSchemeParameters();
 
-// Returns parameters supporting 16 messages in a batch.
+// Returns parameters supporting 16 messages in a batch, with both Pedersen and
+// CS parameters set to 16, and modulus length 3072.
 SchemeParameters ActV0Batch16SchemeParameters();
 
-// Returns parameters supporting 32 messages in a batch.
+// Returns parameters supporting 32 messages in a batch, with both Pedersen and
+// CS parameters set to 32, and modulus length 3072.
 SchemeParameters ActV0Batch32SchemeParameters();
 
+// Returns parameters supporting 32 messages in a batch, with CS vector
+// encryption length set to 2, and modulus length 2048.
+//
+// These parameters are currently the best-optimized for performance.
+SchemeParameters
+ActV0SchemeParametersPedersen32Modulus2048CamenischShoupVector2();
+
+// Returns custom parameters.
+SchemeParameters ActV0SchemeParameters(int pedersen_batch_size,
+                                       int modulus_length_bits,
+                                       int camenisch_shoup_vector_length);
+
 }  // namespace anonymous_counting_tokens
 }  // namespace private_join_and_compute
 
diff --git a/act/act_v0/parameters_test.cc b/act/act_v0/parameters_test.cc
index 04927e5..afbcf87 100644
--- a/act/act_v0/parameters_test.cc
+++ b/act/act_v0/parameters_test.cc
@@ -33,8 +33,8 @@ namespace private_join_and_compute {
 namespace anonymous_counting_tokens {
 namespace {
 
-Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
-                                  int num_messages) {
+
+Status EndToEndTest(SchemeParameters scheme_parameters, int num_messages) {
   std::unique_ptr<AnonymousCountingTokens> act =
       AnonymousCountingTokensV0::Create();
 
@@ -42,12 +42,18 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
   ASSIGN_OR_RETURN(ServerParameters server_parameters,
                    act->GenerateServerParameters(scheme_parameters));
 
-  // Generate client parameters.
+
+  // Generate client parameters and check them.
   ASSIGN_OR_RETURN(
       ClientParameters client_parameters,
       act->GenerateClientParameters(scheme_parameters,
                                     server_parameters.public_parameters()));
 
+  RETURN_IF_ERROR(act->CheckClientParameters(
+      scheme_parameters, client_parameters.public_parameters(),
+      server_parameters.public_parameters(),
+      server_parameters.private_parameters()));
+
   // Generate messages.
   std::vector<std::string> messages;
   messages.reserve(num_messages);
@@ -55,7 +61,7 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
     messages.push_back(absl::StrCat("message", i));
   }
 
-  // Generate Tokens Request.
+  // Generate Tokens Request and check it.
   std::vector<std::string> client_fingerprints;
   TokensRequest tokens_request;
   TokensRequestPrivateState tokens_request_private_state;
@@ -67,7 +73,13 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
                                  client_parameters.private_parameters(),
                                  server_parameters.public_parameters()));
 
-  // Generate Tokens Response.
+  RETURN_IF_ERROR(act->CheckTokensRequest(
+      client_fingerprints, tokens_request, scheme_parameters,
+      client_parameters.public_parameters(),
+      server_parameters.public_parameters(),
+      server_parameters.private_parameters()));
+
+  // Generate Tokens Response and check it.
   ASSIGN_OR_RETURN(
       TokensResponse tokens_response,
       act->GenerateTokensResponse(tokens_request, scheme_parameters,
@@ -75,6 +87,12 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
                                   server_parameters.public_parameters(),
                                   server_parameters.private_parameters()));
 
+  RETURN_IF_ERROR(act->VerifyTokensResponse(
+      messages, tokens_request, tokens_request_private_state, tokens_response,
+      scheme_parameters, client_parameters.public_parameters(),
+      client_parameters.private_parameters(),
+      server_parameters.public_parameters()));
+
   // Extract Tokens.
   ASSIGN_OR_RETURN(
       std::vector<Token> tokens,
@@ -97,15 +115,30 @@ Status EndToEndTestNoVerification(SchemeParameters scheme_parameters,
 }
 
 TEST(ActV0ParametersTest, EndToEndWithTestParameters) {
-  EXPECT_OK(EndToEndTestNoVerification(ActV0TestSchemeParameters(), 3));
+  EXPECT_OK(EndToEndTest(ActV0TestSchemeParameters(), 3));
 }
 
 TEST(ActV0ParametersTest, EndToEndWithBatch16Parameters) {
-  EXPECT_OK(EndToEndTestNoVerification(ActV0Batch16SchemeParameters(), 16));
+  EXPECT_OK(EndToEndTest(ActV0Batch16SchemeParameters(), 16));
 }
 
 TEST(ActV0ParametersTest, EndToEndWithBatch32Parameters) {
-  EXPECT_OK(EndToEndTestNoVerification(ActV0Batch32SchemeParameters(), 32));
+  EXPECT_OK(EndToEndTest(ActV0Batch32SchemeParameters(), 32));
+}
+
+TEST(ActV0ParametersTest, EndToEndWithBatch32Cs2Modulus2048Parameters) {
+  EXPECT_OK(EndToEndTest(
+      ActV0SchemeParametersPedersen32Modulus2048CamenischShoupVector2(), 32));
+}
+
+TEST(ActV0ParametersTest, EndToEndWithCustomParameters) {
+  int pedersen_batch_size = 32;
+  int modulus_length_bits = 1576;
+  int camenisch_shoup_vector_length = 2;
+  EXPECT_OK(EndToEndTest(
+      ActV0SchemeParameters(pedersen_batch_size, modulus_length_bits,
+                            camenisch_shoup_vector_length),
+      32));
 }
 
 // More extensive tests are in act_v0_test.cc. These tests simply ensure that
diff --git a/act/act_v0/testing/BUILD b/act/act_v0/testing/BUILD
new file mode 100644
index 0000000..ccb192b
--- /dev/null
+++ b/act/act_v0/testing/BUILD
@@ -0,0 +1,75 @@
+# Copyright 2023 Google LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load("@rules_cc//cc:defs.bzl", "cc_library")
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
+package(default_visibility = ["//visibility:public"])
+
+proto_library(
+    name = "transcript_proto",
+    srcs = ["transcript.proto"],
+    deps = ["//act:act_proto"],
+)
+
+cc_proto_library(
+    name = "transcript_cc_proto",
+    deps = [":transcript_proto"],
+)
+
+cc_binary(
+    name = "generate_transcript",
+    srcs = ["generate_transcript.cc"],
+    deps = [
+        ":transcript_cc_proto",
+        "//act",
+        "//act:act_cc_proto",
+        "//act/act_v0",
+        "//act/act_v0:act_v0_cc_proto",
+        "//act/act_v0:parameters",
+        "@com_google_absl//absl/flags:flag",
+        "@com_google_absl//absl/flags:parse",
+        "@com_google_absl//absl/log",
+        "@com_google_absl//absl/log:check",
+        "@com_google_absl//absl/strings",
+        "@private_join_and_compute//private_join_and_compute/util:proto_util",
+        "@private_join_and_compute//private_join_and_compute/util:status_includes",
+    ],
+)
+
+filegroup(
+    name = "transcripts",
+    testonly = 1,
+    srcs = glob(["transcripts/*"]),
+)
+
+cc_test(
+    name = "golden_transcript_test",
+    srcs = ["golden_transcript_test.cc"],
+    data = [
+        ":transcripts",
+    ],
+    deps = [
+        ":transcript_cc_proto",
+        "//act",
+        "//act:act_cc_proto",
+        "//act/act_v0",
+        "//act/act_v0:act_v0_cc_proto",
+        "//act/act_v0:parameters",
+        "@com_github_google_googletest//:gtest_main",
+        "@private_join_and_compute//private_join_and_compute/util:proto_util",
+        "@private_join_and_compute//private_join_and_compute/util:status_includes",
+        "@private_join_and_compute//private_join_and_compute/util:status_testing_includes",
+    ],
+)
diff --git a/act/act_v0/testing/generate_transcript.cc b/act/act_v0/testing/generate_transcript.cc
new file mode 100644
index 0000000..915b960
--- /dev/null
+++ b/act/act_v0/testing/generate_transcript.cc
@@ -0,0 +1,175 @@
+/*
+ * Copyright 2023 Google LLC.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <cstddef>
+#include <string>
+#include <tuple>
+#include <vector>
+
+#include "absl/flags/flag.h"
+#include "absl/flags/parse.h"
+#include "absl/log/check.h"
+#include "absl/log/log.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/string_view.h"
+#include "act/act.h"
+#include "act/act.pb.h"
+#include "act/act_v0/act_v0.h"
+#include "act/act_v0/act_v0.pb.h"
+#include "act/act_v0/parameters.h"
+#include "act/act_v0/testing/transcript.pb.h"
+#include "private_join_and_compute/util/proto_util.h"
+#include "private_join_and_compute/util/status.inc"
+
+ABSL_FLAG(std::string, transcript_path, "",
+          "Prefix of file to which the generated transcript will be "
+          "written/read from.");
+
+ABSL_FLAG(bool, verify, false,
+          "If true, will attempt to read the transcript from the specified "
+          "path to verify it.");
+
+namespace private_join_and_compute {
+namespace anonymous_counting_tokens {
+namespace {
+
+absl::Status GenerateTranscript(absl::string_view transcript_path) {
+  SchemeParameters scheme_parameters =
+      private_join_and_compute::anonymous_counting_tokens::
+          ActV0SchemeParametersPedersen32Modulus2048CamenischShoupVector2();
+  auto act = AnonymousCountingTokensV0::Create();
+
+  ASSIGN_OR_RETURN(ServerParameters server_parameters,
+                   act->GenerateServerParameters(scheme_parameters));
+  ASSIGN_OR_RETURN(
+      ClientParameters client_parameters,
+      act->GenerateClientParameters(scheme_parameters,
+                                    server_parameters.public_parameters()));
+  std::vector<std::string> messages;
+  size_t num_messages =
+      scheme_parameters.scheme_parameters_v0().pedersen_batch_size();
+  messages.reserve(num_messages);
+  for (int i = 0; i < num_messages; ++i) {
+    messages.push_back(absl::StrCat("message", i));
+  }
+  std::vector<std::string> client_fingerprints;
+  TokensRequest tokens_request;
+  TokensRequestPrivateState tokens_request_private_state;
+  ASSIGN_OR_RETURN(
+      std::tie(client_fingerprints, tokens_request,
+               tokens_request_private_state),
+      act->GenerateTokensRequest(messages, scheme_parameters,
+                                 client_parameters.public_parameters(),
+                                 client_parameters.private_parameters(),
+                                 server_parameters.public_parameters()));
+
+  ASSIGN_OR_RETURN(
+      TokensResponse tokens_response,
+      act->GenerateTokensResponse(tokens_request, scheme_parameters,
+                                  client_parameters.public_parameters(),
+                                  server_parameters.public_parameters(),
+                                  server_parameters.private_parameters()));
+
+  ASSIGN_OR_RETURN(
+      std::vector<Token> tokens,
+      act->RecoverTokens(messages, tokens_request, tokens_request_private_state,
+                         tokens_response, scheme_parameters,
+                         client_parameters.public_parameters(),
+                         client_parameters.private_parameters(),
+                         server_parameters.public_parameters()));
+
+  Transcript transcript;
+  *transcript.mutable_scheme_parameters() = scheme_parameters;
+  *transcript.mutable_server_parameters() = server_parameters;
+  *transcript.mutable_client_parameters() = client_parameters;
+  *transcript.mutable_messages() = {messages.begin(), messages.end()};
+  *transcript.mutable_fingerprints() = {client_fingerprints.begin(),
+                                        client_fingerprints.end()};
+  *transcript.mutable_tokens_request() = tokens_request;
+  *transcript.mutable_tokens_request_private_state() =
+      tokens_request_private_state;
+  *transcript.mutable_tokens_response() = tokens_response;
+  *transcript.mutable_tokens() = {tokens.begin(), tokens.end()};
+
+  return ProtoUtils::WriteProtoToFile(transcript, transcript_path);
+}
+
+absl::Status VerifyTranscript(absl::string_view transcript_path) {
+  ASSIGN_OR_RETURN(Transcript transcript,
+                   ProtoUtils::ReadProtoFromFile<Transcript>(transcript_path));
+
+  auto act = AnonymousCountingTokensV0::Create();
+
+  if (!transcript.has_scheme_parameters() ||
+      !transcript.scheme_parameters().has_scheme_parameters_v0() ||
+      transcript.scheme_parameters()
+              .scheme_parameters_v0()
+              .pedersen_batch_size() <= 0) {
+    return InvalidArgumentError(
+        "VerifyTranscript: transcript should have a SchemeParametersV0 with a "
+        "positive pedersen_batch_size.");
+  }
+
+  RETURN_IF_ERROR(act->CheckClientParameters(
+      transcript.scheme_parameters(),
+      transcript.client_parameters().public_parameters(),
+      transcript.server_parameters().public_parameters(),
+      transcript.server_parameters().private_parameters()));
+
+  std::vector<std::string> client_fingerprints(
+      transcript.fingerprints().begin(), transcript.fingerprints().end());
+  RETURN_IF_ERROR(act->CheckTokensRequest(
+      client_fingerprints, transcript.tokens_request(),
+      transcript.scheme_parameters(),
+      transcript.client_parameters().public_parameters(),
+      transcript.server_parameters().public_parameters(),
+      transcript.server_parameters().private_parameters()));
+
+  std::vector<std::string> messages(transcript.messages().begin(),
+                                    transcript.messages().end());
+  RETURN_IF_ERROR(act->VerifyTokensResponse(
+      messages, transcript.tokens_request(),
+      transcript.tokens_request_private_state(), transcript.tokens_response(),
+      transcript.scheme_parameters(),
+      transcript.client_parameters().public_parameters(),
+      transcript.client_parameters().private_parameters(),
+      transcript.server_parameters().public_parameters()));
+
+  return OkStatus();
+}
+
+}  // namespace
+}  // namespace anonymous_counting_tokens
+}  // namespace private_join_and_compute
+
+int main(int argc, char** argv) {
+  absl::ParseCommandLine(argc, argv);
+  std::string transcript_path = absl::GetFlag(FLAGS_transcript_path);
+
+  bool verify = absl::GetFlag(FLAGS_verify);
+  if (verify) {
+    CHECK_OK(
+        private_join_and_compute::anonymous_counting_tokens::VerifyTranscript(
+            transcript_path));
+    LOG(INFO) << "Successfully verified transcript.";
+  } else {
+    CHECK_OK(
+        private_join_and_compute::anonymous_counting_tokens::GenerateTranscript(
+            transcript_path));
+    LOG(INFO) << "Successfully generated transcript.";
+  }
+
+  return 0;
+}
diff --git a/act/act_v0/testing/golden_transcript_test.cc b/act/act_v0/testing/golden_transcript_test.cc
new file mode 100644
index 0000000..df4efb0
--- /dev/null
+++ b/act/act_v0/testing/golden_transcript_test.cc
@@ -0,0 +1,81 @@
+/*
+ * Copyright 2023 Google LLC.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+
+#include <filesystem>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "act/act.h"
+#include "act/act.pb.h"
+#include "act/act_v0/act_v0.h"
+#include "act/act_v0/testing/transcript.pb.h"
+#include "private_join_and_compute/util/proto_util.h"
+#include "private_join_and_compute/util/status_testing.inc"
+
+namespace private_join_and_compute {
+namespace anonymous_counting_tokens {
+namespace {
+
+const char kTranscriptPathBase[] = "act/act_v0/testing/transcripts/";
+
+TEST(GoldenTranscriptTest, TranscriptPassesValidityTests) {
+  auto act = AnonymousCountingTokensV0::Create();
+
+  std::vector<std::string> transcript_paths;
+
+  for (const auto& entry :
+       std::filesystem::directory_iterator(kTranscriptPathBase)) {
+    transcript_paths.push_back(std::string(entry.path()));
+  }
+
+  for (const auto& transcript_path : transcript_paths) {
+    ASSERT_OK_AND_ASSIGN(
+        Transcript transcript,
+        ProtoUtils::ReadProtoFromFile<Transcript>(transcript_path));
+
+    EXPECT_OK(act->CheckClientParameters(
+        transcript.scheme_parameters(),
+        transcript.client_parameters().public_parameters(),
+        transcript.server_parameters().public_parameters(),
+        transcript.server_parameters().private_parameters()));
+
+    std::vector<std::string> client_fingerprints(
+        transcript.fingerprints().begin(), transcript.fingerprints().end());
+    EXPECT_OK(act->CheckTokensRequest(
+        client_fingerprints, transcript.tokens_request(),
+        transcript.scheme_parameters(),
+        transcript.client_parameters().public_parameters(),
+        transcript.server_parameters().public_parameters(),
+        transcript.server_parameters().private_parameters()));
+
+    std::vector<std::string> messages(transcript.messages().begin(),
+                                      transcript.messages().end());
+    EXPECT_OK(act->VerifyTokensResponse(
+        messages, transcript.tokens_request(),
+        transcript.tokens_request_private_state(), transcript.tokens_response(),
+        transcript.scheme_parameters(),
+        transcript.client_parameters().public_parameters(),
+        transcript.client_parameters().private_parameters(),
+        transcript.server_parameters().public_parameters()));
+  }
+}
+
+}  // namespace
+}  // namespace anonymous_counting_tokens
+}  // namespace private_join_and_compute
diff --git a/act/act_v0/testing/transcript.proto b/act/act_v0/testing/transcript.proto
new file mode 100644
index 0000000..957335d
--- /dev/null
+++ b/act/act_v0/testing/transcript.proto
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2023 Google LLC.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package private_join_and_compute.anonymous_counting_tokens;
+
+import "act/act.proto";
+
+option java_multiple_files = true;
+
+message Transcript {
+  SchemeParameters scheme_parameters = 1;
+  ServerParameters server_parameters = 2;
+  ClientParameters client_parameters = 3;
+  repeated string messages = 4;
+  repeated bytes fingerprints = 5;
+  TokensRequest tokens_request = 6;
+  TokensRequestPrivateState tokens_request_private_state = 7;
+  TokensResponse tokens_response = 8;
+  repeated Token tokens = 9;
+}
diff --git a/act/act_v0/testing/transcripts/golden_transcript_1_09122023 b/act/act_v0/testing/transcripts/golden_transcript_1_09122023
new file mode 100644
index 0000000..8787824
--- /dev/null
+++ b/act/act_v0/testing/transcripts/golden_transcript_1_09122023
diff --git a/act/act_v0/testing/transcripts/golden_transcript_2_09122023 b/act/act_v0/testing/transcripts/golden_transcript_2_09122023
new file mode 100644
index 0000000..5e99965
--- /dev/null
+++ b/act/act_v0/testing/transcripts/golden_transcript_2_09122023
diff --git a/act/act_v0/testing/transcripts/golden_transcript_3_09122023 b/act/act_v0/testing/transcripts/golden_transcript_3_09122023
new file mode 100644
index 0000000..fcd1e82
--- /dev/null
+++ b/act/act_v0/testing/transcripts/golden_transcript_3_09122023
diff --git a/act/fake_act.cc b/act/fake_act.cc
index 349a1cb..48cf40f 100644
--- a/act/fake_act.cc
+++ b/act/fake_act.cc
@@ -123,7 +123,8 @@ StatusOr<std::vector<Token>> FakeAnonymousCountingTokens::RecoverTokens(
   result.reserve(messages.size());
   for (size_t i = 0; i < messages.size(); ++i) {
     Token fake_token;
-    fake_token.set_nonce(context.GenerateRandLessThan(nonce_bound).ToBytes());
+    fake_token.set_nonce_bytes(
+        context.GenerateRandLessThan(nonce_bound).ToBytes());
     result.push_back(fake_token);
   }
 
diff --git a/act/util.proto b/act/util.proto
index 9041c07..ca8c410 100644
--- a/act/util.proto
+++ b/act/util.proto
@@ -42,3 +42,7 @@ message GeneratedTokensRequestProto {
   TokensRequest token_request = 2;
   TokensRequestPrivateState tokens_request_private_state = 3;
 }
+
+message TokensSet {
+  repeated Token tokens = 1;
+}