- support mesh's new NACK message

- remove 
- python test skeleton for voting
- encrypted votes
- establish threshold key during ballot registration
- ballot tool can request threshold public keys from authorities

24 files changed, 867 insertions, 163 deletions

diff --git a/src/main/java/org/gnunet/construct/Construct.java b/src/main/java/org/gnunet/construct/Construct.java
index ac3c804..82e6fcb 100644
--- a/src/main/java/org/gnunet/construct/Construct.java
+++ b/src/main/java/org/gnunet/construct/Construct.java
@@ -85,15 +85,21 @@ public class Construct {
      * @return instance of the desired object type
      */
     public static <T extends Message> T parseAs(ByteBuffer srcBuf, Class<T> c) {
-        T m = ReflectUtil.justInstantiate(c);
-
         try {
-            getParser(c).parse(srcBuf, 0, m, m, null);
-        } catch (ProtocolViolationException e) {
-            e.augmentPath("on " + c);
-        }
+            T m = ReflectUtil.justInstantiate(c);
+
+            try {
+                getParser(c).parse(srcBuf, 0, m, m, null);
+            } catch (ProtocolViolationException e) {
+                e.augmentPath("on " + c);
+            }
 
-        return m;
+            return m;
+        } catch (Error e) {
+            System.err.println(
+                    String.format("Exception while parsing message for class '%s':", c.getCanonicalName()));
+            throw e;
+        }
     }
 
     /**
diff --git a/src/main/java/org/gnunet/construct/parsers/NestedParser.java b/src/main/java/org/gnunet/construct/parsers/NestedParser.java
index 76aa397..476225b 100644
--- a/src/main/java/org/gnunet/construct/parsers/NestedParser.java
+++ b/src/main/java/org/gnunet/construct/parsers/NestedParser.java
@@ -80,7 +80,9 @@ public class NestedParser implements Parser {
                 return 0;
             }
         }
-
+        if (targetField.getType().isInterface()) {
+            throw new AssertionError(String.format("Target field '%s' is an interface, not a class.", targetField));
+        }
         ReflectUtil.justSet(dstObj, targetField, ReflectUtil.justInstantiate(targetField.getType()));
 
         try {
diff --git a/src/main/java/org/gnunet/dht/ClientGetStopMessage.java b/src/main/java/org/gnunet/dht/ClientGetStopMessage.java
index 39915de..5aa5cc4 100644
--- a/src/main/java/org/gnunet/dht/ClientGetStopMessage.java
+++ b/src/main/java/org/gnunet/dht/ClientGetStopMessage.java
@@ -28,12 +28,9 @@ import org.gnunet.util.GnunetMessage;
 import org.gnunet.util.HashCode;
 
 /**
-* Created with IntelliJ IDEA.
-* User: dold
-* Date: 5/2/12
-* Time: 7:05 PM
-* To change this template use File | Settings | File Templates.
-*/
+ * Sent by the client to the service.
+ * Requests that the service stops a 'get' operation.
+ */
 @UnionCase(144)
 public class ClientGetStopMessage implements GnunetMessage.Body {
     @UInt32
diff --git a/src/main/java/org/gnunet/mesh/Mesh.java b/src/main/java/org/gnunet/mesh/Mesh.java
index 6f8f4b3..0a7369b 100644
--- a/src/main/java/org/gnunet/mesh/Mesh.java
+++ b/src/main/java/org/gnunet/mesh/Mesh.java
@@ -133,8 +133,7 @@ public class Mesh {
          * @param nobuffer Flag for disabling buffering on relay nodes.
          * @param reliable Flag for end-to-end reliability.
          */
-        public Tunnel(PeerIdentity peer, int port, boolean nobuffer, boolean reliable, T context)
-        {
+        public Tunnel(PeerIdentity peer, int port, boolean nobuffer, boolean reliable, T context) {
             this(peer, 0, port, nobuffer, reliable);
             TunnelCreateMessage tcm = new TunnelCreateMessage();
             tcm.otherEnd = peer;
@@ -144,6 +143,7 @@ public class Mesh {
             client.send(tcm);
         }
 
+
         /**
          * Private tunnel constructor, for creating tunnel objects for
          * incoming tunnels.
@@ -188,7 +188,7 @@ public class Mesh {
             if (!destroyedByService) {
                 TunnelDestroyMessage m = new TunnelDestroyMessage();
                 m.tunnelId = tunnelId;
-                m.reserved = new byte[64];
+                m.reserved = new byte[32];
                 client.send(m);
             }
             tunnelMap.remove(tunnelId);
@@ -258,7 +258,10 @@ public class Mesh {
                     logger.warn("got unexpected message from service");
                 t.receiveDoneExpected = true;
                 messageReceiver.setSender(t);
-                messageReceiver.visitAppropriate(Construct.parseAs(m.payload, GnunetMessage.class).body);
+                GnunetMessage gnunetMessage = Construct.parseAs(m.payload, GnunetMessage.class);
+                logger.debug("received message of size {} and type {}",
+                        gnunetMessage.header.messageSize, gnunetMessage.header.messageType);
+                messageReceiver.visitAppropriate(gnunetMessage.body);
                 messageReceiver.setSender(null);
             }
         }
@@ -286,6 +289,20 @@ public class Mesh {
             }
         }
 
+        public void visit(RejectMessage m) {
+            // FIXME: C code indicates that the nack/reject message might change ...
+            Tunnel t = tunnelMap.get(m.tunnelId);
+            if (null == t) {
+                logger.warn("server got confused with tunnel IDs on destroy, ignoring message");
+                return;
+            }
+            t.destroyedByService = true;
+            t.destroy();
+            if (null != tunnelEndHandler) {
+                tunnelEndHandler.onTunnelEnd(t);
+            }
+        }
+
         @Override
         public void handleError() {
             logger.warn("lost connection to mesh service, reconnecting");
diff --git a/src/main/java/org/gnunet/mesh/RejectMessage.java b/src/main/java/org/gnunet/mesh/RejectMessage.java
new file mode 100644
index 0000000..aaf63c7
--- /dev/null
+++ b/src/main/java/org/gnunet/mesh/RejectMessage.java
@@ -0,0 +1,49 @@
+/*
+ This file is part of GNUnet.
+ (C) 2014 Christian Grothoff (and other contributing authors)
+
+ GNUnet is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published
+ by the Free Software Foundation; either version 3, or (at your
+ option) any later version.
+
+ GNUnet is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with GNUnet; see the file COPYING.  If not, write to the
+ Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+ */
+
+package org.gnunet.mesh;
+
+import org.gnunet.construct.FixedSizeIntegerArray;
+import org.gnunet.construct.UInt32;
+import org.gnunet.construct.UnionCase;
+import org.gnunet.util.GnunetMessage;
+
+/**
+ * Message sent by the server to indicate that a tunnel could not
+ * be created.
+ *
+ * (GNUNET_MESSAGE_TYPE_MESH_CHANNEL_NACK)
+ *
+ * @author Florian Dold
+ */
+@UnionCase(276)
+public class RejectMessage implements GnunetMessage.Body {
+    @UInt32
+    public long tunnelId;
+
+    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
+    public byte[] reserved;
+    
+    @UInt32
+    public int port;
+
+    @UInt32
+    public int opt;
+}
diff --git a/src/main/java/org/gnunet/mesh/TunnelDestroyMessage.java b/src/main/java/org/gnunet/mesh/TunnelDestroyMessage.java
index 81472bf..b6e2fc9 100644
--- a/src/main/java/org/gnunet/mesh/TunnelDestroyMessage.java
+++ b/src/main/java/org/gnunet/mesh/TunnelDestroyMessage.java
@@ -17,8 +17,9 @@ public class TunnelDestroyMessage implements GnunetMessage.Body {
     @UInt32
     public long tunnelId;
 
-    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 64)
+    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
     public byte[] reserved;
+
     @UInt32
     public int port;
 
diff --git a/src/main/java/org/gnunet/secretsharing/Ciphertext.java b/src/main/java/org/gnunet/secretsharing/Ciphertext.java
index bb2962e..b940f21 100644
--- a/src/main/java/org/gnunet/secretsharing/Ciphertext.java
+++ b/src/main/java/org/gnunet/secretsharing/Ciphertext.java
@@ -22,6 +22,10 @@ package org.gnunet.secretsharing;
 
 import org.gnunet.construct.FixedSizeIntegerArray;
 import org.gnunet.construct.Message;
+import org.gnunet.util.BigIntegers;
+import org.gnunet.util.Strings;
+
+import java.math.BigInteger;
 
 /**
  * ElGamal ciphertext
@@ -32,4 +36,50 @@ public class Ciphertext implements Message {
 
     @FixedSizeIntegerArray(signed = true, bitSize = 8, length = Parameters.elgamalBits / 8)
     public byte[] c_2;
+
+    /**
+     * Allocate the ciphertext with zeros.
+     */
+    public void allocate() {
+        c_1 = new byte[Parameters.elgamalBits / 8];
+        c_2 = new byte[Parameters.elgamalBits / 8];
+    }
+
+    @Override
+    public String toString() {
+        byte[] allBytes = new byte[c_1.length + c_2.length];
+        System.arraycopy(c_1, 0, allBytes, 0, c_1.length);
+        System.arraycopy(c_2, 0, allBytes, c_1.length, c_2.length);
+        return Strings.dataToString(allBytes);
+    }
+
+    public static Ciphertext fromString(String s) {
+        byte[] allBytes = new byte[2 * Parameters.elgamalBits / 8];
+        if (!Strings.stringToData(s, allBytes))
+            return null;
+        Ciphertext ciphertext = new Ciphertext();
+        ciphertext.allocate();
+        System.arraycopy(allBytes, 0, ciphertext.c_1, 0, ciphertext.c_1.length);
+        System.arraycopy(allBytes, ciphertext.c_1.length, ciphertext.c_2, 0, ciphertext.c_2.length);
+        return ciphertext;
+    }
+
+    /**
+     * Multiply two elgamal ciphertexts.
+     *
+     * @param v the other ciphertext
+     * @return the product of two ciphertexts
+     */
+    public Ciphertext multiply(Ciphertext v) {
+        BigInteger xc_1 = new BigInteger(1, this.c_1);
+        BigInteger xc_2 = new BigInteger(1, this.c_2);
+        BigInteger yc_1 = new BigInteger(1, v.c_1);
+        BigInteger yc_2 = new BigInteger(1, v.c_2);
+        Ciphertext ciphertext = new Ciphertext();
+        ciphertext.c_1 = BigIntegers.serializeUnsigned(xc_1.multiply(yc_1).mod(Parameters.elgamalP),
+                Parameters.elgamalBits);
+        ciphertext.c_2 = BigIntegers.serializeUnsigned(xc_2.multiply(yc_2).mod(Parameters.elgamalP),
+                Parameters.elgamalBits);
+        return ciphertext;
+    }
 }
diff --git a/src/main/java/org/gnunet/secretsharing/Plaintext.java b/src/main/java/org/gnunet/secretsharing/Plaintext.java
index c4fdd3e..c2eacc2 100644
--- a/src/main/java/org/gnunet/secretsharing/Plaintext.java
+++ b/src/main/java/org/gnunet/secretsharing/Plaintext.java
@@ -23,6 +23,7 @@ package org.gnunet.secretsharing;
 import com.google.common.base.Preconditions;
 import org.gnunet.construct.FixedSizeIntegerArray;
 import org.gnunet.construct.Message;
+import org.gnunet.util.BigIntegers;
 
 import java.math.BigInteger;
 import java.security.SecureRandom;
@@ -35,32 +36,19 @@ public class Plaintext implements Message {
         BigInteger val;
         val = Parameters.elgamalG.modPow(exp, Parameters.elgamalP);
         Plaintext plaintext = new Plaintext();
-        plaintext.bits = serializeBigIntUnsigned(val, Parameters.elgamalBits);
+        plaintext.bits = BigIntegers.serializeUnsigned(val, Parameters.elgamalBits);
         return plaintext;
     }
 
-    /**
-     * Serialize a BigInteger, but do not add an extra bit for a
-     * sign.
-     *
-     * @param bigInteger
-     * @param bits
-     * @return
-     */
-    private static byte[] serializeBigIntUnsigned(BigInteger bigInteger, int bits) {
-        byte[] bytes = bigInteger.toByteArray();
-        int start;
-        Preconditions.checkArgument(bigInteger.bitCount() <= bits);
-        // skip byte that was only added to fit the sign
-        if (bytes[0] == 0) {
-            start = 1;
-        } else {
-            start = 0;
+    public long bruteForceDiscreteLog(final long l) {
+        BigInteger needle = new BigInteger(1, bits);
+        for (long i = -l; i < l; i++) {
+            BigInteger val;
+            val = Parameters.elgamalG.modPow(BigInteger.valueOf(l), Parameters.elgamalP);
+            if (val.equals(needle))
+                return i;
         }
-        byte[] fixedBytes = new byte[(bits + 7) / 8];
-        System.arraycopy(bytes, start, fixedBytes,
-                fixedBytes.length - bytes.length + start, bytes.length - start);
-        return fixedBytes;
+        throw new ArithmeticException("discrete log has no solution in given range");
     }
 
     public Ciphertext encrypt(ThresholdPublicKey publicKey) {
@@ -82,8 +70,8 @@ public class Plaintext implements Message {
         c_2 = m.multiply(h.modPow(y, Parameters.elgamalP)).mod(Parameters.elgamalP);
 
         Ciphertext ciphertext = new Ciphertext();
-        ciphertext.c_1 = serializeBigIntUnsigned(c_1, Parameters.elgamalBits);
-        ciphertext.c_2 = serializeBigIntUnsigned(c_2, Parameters.elgamalBits);
+        ciphertext.c_1 = BigIntegers.serializeUnsigned(c_1, Parameters.elgamalBits);
+        ciphertext.c_2 = BigIntegers.serializeUnsigned(c_2, Parameters.elgamalBits);
 
         return ciphertext;
     }
diff --git a/src/main/java/org/gnunet/secretsharing/ThresholdPublicKey.java b/src/main/java/org/gnunet/secretsharing/ThresholdPublicKey.java
index b7075be..4560788 100644
--- a/src/main/java/org/gnunet/secretsharing/ThresholdPublicKey.java
+++ b/src/main/java/org/gnunet/secretsharing/ThresholdPublicKey.java
@@ -22,11 +22,40 @@ package org.gnunet.secretsharing;
 
 import org.gnunet.construct.FixedSizeIntegerArray;
 import org.gnunet.construct.Message;
+import org.gnunet.util.Strings;
+
+import java.util.Arrays;
 
 /**
  * Threshold public key.
  */
 public class ThresholdPublicKey implements Message {
+
     @FixedSizeIntegerArray(signed = true, bitSize = 8, length = Parameters.elgamalBits / 8)
     public byte[] bits;
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        ThresholdPublicKey that = (ThresholdPublicKey) o;
+        return Arrays.equals(bits, that.bits);
+    }
+
+    @Override
+    public int hashCode() {
+        return bits != null ? Arrays.hashCode(bits) : 0;
+    }
+
+    public static ThresholdPublicKey fromString(String value) {
+        ThresholdPublicKey pk = new ThresholdPublicKey();
+        pk.bits = new byte[Parameters.elgamalBits / 8];
+        Strings.stringToData(value, pk.bits);
+        return pk;
+    }
+
+    @Override
+    public String toString() {
+        return Strings.dataToString(bits);
+    }
 }
diff --git a/src/main/java/org/gnunet/secretsharing/messages/DecryptDoneMessage.java b/src/main/java/org/gnunet/secretsharing/messages/DecryptDoneMessage.java
index 71f24da..488e28b 100644
--- a/src/main/java/org/gnunet/secretsharing/messages/DecryptDoneMessage.java
+++ b/src/main/java/org/gnunet/secretsharing/messages/DecryptDoneMessage.java
@@ -1,5 +1,4 @@
 /*
-
   This file is part of GNUnet.
    (C) 2014 Christian Grothoff (and other contributing authors)
 
@@ -17,7 +16,6 @@
    along with GNUnet; see the file COPYING.  If not, write to the
    Free Software Foundation, Inc., 59 Temple Place - Suite 330,
    Boston, MA 02111-1307, USA.
-
  */
 
 package org.gnunet.secretsharing.messages;
@@ -29,7 +27,8 @@ import org.gnunet.secretsharing.Plaintext;
 import org.gnunet.util.GnunetMessage;
 
 /**
- * Created by dold on 2/2/14.
+ * Sent by the service to the client.
+ * Contains the plaintext for a successfully decrypted ciphertext.
  */
 @UnionCase(782)
 public class DecryptDoneMessage implements GnunetMessage.Body{
diff --git a/src/main/java/org/gnunet/util/BigIntegers.java b/src/main/java/org/gnunet/util/BigIntegers.java
new file mode 100644
index 0000000..473534f
--- /dev/null
+++ b/src/main/java/org/gnunet/util/BigIntegers.java
@@ -0,0 +1,56 @@
+/*
+ This file is part of GNUnet.
+ (C) 2014 Christian Grothoff (and other contributing authors)
+
+ GNUnet is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published
+ by the Free Software Foundation; either version 3, or (at your
+ option) any later version.
+
+ GNUnet is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with GNUnet; see the file COPYING.  If not, write to the
+ Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+ */
+
+package org.gnunet.util;
+
+import com.google.common.base.Preconditions;
+
+import java.math.BigInteger;
+
+/**
+ * Helper class for BigIntegers.
+ */
+public class BigIntegers {
+
+    /**
+     * Serialize a BigInteger, but do not add an extra bit for a
+     * sign.
+     *
+     * @param bigInteger big integer to serialize
+     * @param bits how many bits should the binary representation have?
+     *             rounded up to the next multiple of 8.
+     * @return big endian representation of the given BigInteger, without a sign bit
+     */
+    public static byte[] serializeUnsigned(BigInteger bigInteger, int bits) {
+        byte[] bytes = bigInteger.toByteArray();
+        int start;
+        Preconditions.checkArgument(bigInteger.bitCount() <= bits);
+        // skip byte that was only added to fit the sign
+        if (bytes[0] == 0) {
+            start = 1;
+        } else {
+            start = 0;
+        }
+        byte[] fixedBytes = new byte[(bits + 7) / 8];
+        System.arraycopy(bytes, start, fixedBytes,
+                fixedBytes.length - bytes.length + start, bytes.length - start);
+        return fixedBytes;
+    }
+}
diff --git a/src/main/java/org/gnunet/util/MessageStreamTokenizer.java b/src/main/java/org/gnunet/util/MessageStreamTokenizer.java
index d4a9910..a2da4c9 100644
--- a/src/main/java/org/gnunet/util/MessageStreamTokenizer.java
+++ b/src/main/java/org/gnunet/util/MessageStreamTokenizer.java
@@ -70,8 +70,9 @@ public class MessageStreamTokenizer {
             }
             int parsedSize = buffer.position() - oldPos;
             if (parsedSize != msg.header.messageSize) {
-                throw new AssertionError("mismatch between parsed message and header for " +
-                  msg.body.getClass());
+                throw new AssertionError(
+                        String.format("mismatch between parsed message and header for %s: parsed size %s, header size %s",
+                                msg.body.getClass(), parsedSize, msg.header.messageSize));
             }
             mstCalllback.onKnownMessage(msg);
         } else {
diff --git a/src/main/java/org/gnunet/util/crypto/EcdsaPublicKey.java b/src/main/java/org/gnunet/util/crypto/EcdsaPublicKey.java
index eebcd4d..9142164 100644
--- a/src/main/java/org/gnunet/util/crypto/EcdsaPublicKey.java
+++ b/src/main/java/org/gnunet/util/crypto/EcdsaPublicKey.java
@@ -65,6 +65,7 @@ public class EcdsaPublicKey implements Message {
      */
     public static EcdsaPublicKey fromString(String s) {
         EcdsaPublicKey publicKey = new EcdsaPublicKey();
+        publicKey.y = new byte[32];
         if (Strings.stringToData(s, publicKey.y))
             return publicKey;
         return null;
diff --git a/src/main/java/org/gnunet/voting/Ballot.java b/src/main/java/org/gnunet/voting/Ballot.java
index e300010..10bf25a 100644
--- a/src/main/java/org/gnunet/voting/Ballot.java
+++ b/src/main/java/org/gnunet/voting/Ballot.java
@@ -25,12 +25,12 @@ import com.google.common.base.Optional;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.BiMap;
 import com.google.common.collect.HashBiMap;
+import com.google.common.collect.Maps;
 import com.google.common.primitives.Longs;
+import org.gnunet.secretsharing.ThresholdPublicKey;
 import org.gnunet.util.*;
-import org.gnunet.util.crypto.EcdsaPrivateKey;
-import org.gnunet.util.crypto.EcdsaPublicKey;
-import org.gnunet.util.crypto.EcdsaSignature;
-import org.gnunet.util.crypto.EddsaSignature;
+import org.gnunet.util.crypto.*;
+import org.gnunet.voting.messages.KeyQueryResponseMessage;
 
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -51,6 +51,14 @@ public class Ballot {
      */
     String group;
     /**
+     * When will the distributed key generation among the authorities start?
+     */
+    AbsoluteTime keygenStartTime;
+    /**
+     * When will the distributed key generation among the authorities be finished?
+     */
+    AbsoluteTime keygenEndTime;
+    /**
      * List of choices for the election.
      */
     List<String> choices;
@@ -74,20 +82,52 @@ public class Ballot {
      * When are the election results discarded by the authority?
      */
     AbsoluteTime endTime;
+    /**
+     * Mapping from authority alias to peer identity.
+     */
     BiMap<String,PeerIdentity> authorities;
+    /**
+     * Signatures from the authority certifying that it
+     * will be available for this election.
+     */
     SortedMap<String,EddsaSignature> registrationSigs;
+    /**
+     * Public key of the certificate authority for group membership.
+     */
     EcdsaPublicKey caPub;
+    /**
+     * Public key of the issues.
+     */
     EcdsaPublicKey issuerPub;
+    /**
+     * Signature of the issuer on the basic data of the ballot.
+     */
     EcdsaSignature issuerSig;
+    /**
+     * Public key of the voter that fills out this ballot.
+     */
     EcdsaPublicKey voterPub;
+    /**
+     * Confirmation for the fact that a vote was accepted by an authority.
+     */
     SortedMap<String,EddsaSignature> confirmationSigs;
+    /**
+     * Certificate that a voter belongs to a certain group.
+     */
     GroupCert groupCert;
+    /**
+     * Threshold public keys per authority alias.
+     * Ideally this should be the same for each authority, but with malicious authorities
+     * we can't trust that, so we must collect all the keys.
+     */
+    SortedMap<String,KeyQueryResponseMessage> thresholdPublicKeys;
 
     /**
-     * Choice in plaintext.
-     * This field would be encrypted in a secure version.
+     * Threshold for the election.
      */
-    int choiceId = -1;
+    public int threshold;
+
+    EncryptedVote encryptedVote;
 
     /**
      * Load a ballot from file.
@@ -163,6 +203,14 @@ public class Ballot {
             throw new InvalidBallotException("ballot must have elegibility group");
         }
         group = optGroup.get();
+        Optional<Long> optThreshold = cfg.getValueNumber("election", "THRESHOLD");
+        if (!optThreshold.isPresent()) {
+            throw new InvalidBallotException("ballot must have threshold");
+        }
+        if (optThreshold.get() <= 0) {
+            throw new InvalidBallotException("threshold must be positive");
+        }
+        threshold = optThreshold.get().intValue();
         authorities = HashBiMap.create();
         for (Map.Entry<String,String> e : cfg.getSection("authorities").entrySet()) {
             String alias = e.getKey();
@@ -215,16 +263,7 @@ public class Ballot {
             }
             confirmationSigs.put(e.getKey(), sig);
         }
-        Optional<String> optChoiceId = cfg.getValueString("vote", "CHOICE_ID");
-        if (optChoiceId.isPresent()) {
-            choiceId = Integer.parseInt(optChoiceId.get());
-            if (choiceId < 0 || choiceId >= choices.size()) {
-                throw new InvalidBallotException("invalid choice in vote");
-            }
-        } else {
-            choiceId = -1;
-        }
-
+        encryptedVote = EncryptedVote.parseFromConfiguration(cfg);
         Optional<String> optVoterPub = cfg.getValueString("vote", "VOTER_PUB");
         if (optVoterPub.isPresent()) {
             voterPub = EcdsaPublicKey.fromString(optVoterPub.get());
@@ -238,10 +277,33 @@ public class Ballot {
         concludeTime = getTime(cfg, "CONCLUDE");
         queryTime = getTime(cfg, "QUERY");
         endTime = getTime(cfg, "END");
+        keygenStartTime = getTime(cfg, "KEYGEN_START");
+        keygenEndTime = getTime(cfg, "KEYGEN_END");
 
         if (cfg.haveValue("vote", "GROUP_SIG")) {
             groupCert = GroupCert.fromBallotConfig(this, cfg);
         }
+
+        thresholdPublicKeys = new TreeMap<String, KeyQueryResponseMessage>();
+        for (Map.Entry<String,String> e : cfg.getSection("threshold-pubkeys").entrySet()) {
+            String alias = e.getKey();
+            if (!authorities.containsKey(alias)) {
+                throw new InvalidBallotException(String.format(
+                        "Alias '%s' has threshold pubkey, but alias does not belong to any authority.", alias));
+            }
+            Optional<String> optSig = cfg.getValueString("threshold-pubkey-sigs", alias);
+            if (!optSig.isPresent()) {
+                throw new InvalidBallotException(String.format(
+                        "no signature present for threshold pubkey from authority '%s'", alias));
+            }
+
+            KeyQueryResponseMessage m = new KeyQueryResponseMessage();
+            m.signature = EddsaSignature.fromString(optSig.get());
+            m.signedGuidKey = new KeyQueryResponseMessage.BallotPublicKey();
+            m.signedGuidKey.ballotGuid = getBallotGuid();
+            m.signedGuidKey.publicKey = ThresholdPublicKey.fromString(e.getValue());
+        }
+
     }
 
     /**
@@ -270,6 +332,8 @@ public class Ballot {
         }
         digest.update(issuerPub.y);
         digest.update(caPub.y);
+        digest.update(Longs.toByteArray(keygenStartTime.getSeconds()));
+        digest.update(Longs.toByteArray(keygenEndTime.getSeconds()));
         digest.update(Longs.toByteArray(startTime.getSeconds()));
         digest.update(Longs.toByteArray(endTime.getSeconds()));
         digest.update(Longs.toByteArray(closingTime.getSeconds()));
@@ -278,14 +342,46 @@ public class Ballot {
     }
 
     /**
+     * Get the threshold public key that the majority of authorities
+     * advertise.  The majority key must have at least 'threshold' peers that
+     * advertise it in order to be valid
+     *
+     * @return the majority threshold public key
+     */
+    public ThresholdPublicKey getMajorityThresholdPublicKey() {
+        HashMap<ThresholdPublicKey,Integer> counts = Maps.newHashMap();
+        for (Map.Entry<String,KeyQueryResponseMessage> e : thresholdPublicKeys.entrySet()) {
+            ThresholdPublicKey pk = e.getValue().signedGuidKey.publicKey;
+            if (counts.containsKey(pk)) {
+                counts.put(pk, counts.get(pk) + 1);
+            } else {
+                counts.put(pk, 0);
+            }
+        }
+        int maxCount = 0;
+        ThresholdPublicKey bestKey = null;
+        for (Map.Entry<ThresholdPublicKey, Integer> e : counts.entrySet()) {
+            if (e.getValue() > maxCount) {
+                maxCount = e.getValue();
+                bestKey = e.getKey();
+            }
+        }
+        if (maxCount < threshold) {
+            return null;
+        }
+        return bestKey;
+    }
+
+    /**
      * Encode the given choice permanently in the ballot.
      * Also encodes the voter's public key.
      *
      * @param choice the choice to encode the ballot
-     * @param privateKey the private key to use for encoding
+     * @param voterPrivateKey the private key to use for encoding
      */
-    public void encodeChoice(String choice, EcdsaPrivateKey privateKey) {
-        choiceId = -1;
+    public void encodeChoice(String choice, ThresholdPublicKey thresholdPublicKey,
+                             EcdsaPrivateKey voterPrivateKey) {
+        int choiceId = -1;
         int i = 0;
         for (String possibleChoice : choices) {
             if (choice.equals(possibleChoice)) {
@@ -293,10 +389,12 @@ public class Ballot {
             }
             i++;
         }
-        voterPub = privateKey.getPublicKey();
-        if (choiceId == -1) {
+        voterPub = voterPrivateKey.getPublicKey();
+        if (choiceId < 0 || choiceId > 1) {
             throw new InvalidBallotException(String.format("choice '%s' not valid", choice));
         }
+
+        encryptedVote = EncryptedVote.fromChoice(choiceId, thresholdPublicKey, voterPrivateKey);
     }
 
     /**
@@ -310,6 +408,9 @@ public class Ballot {
         cfg.setValueString("election", "GROUP", group);
         cfg.setValueString("election", "CHOICES", Joiner.on("//").join(choices));
         cfg.setValueString("election", "CA_PUB", caPub.toString());
+        cfg.setValueNumber("election", "THRESHOLD", threshold);
+        cfg.setValueNumber("election", "TIMESTAMP_KEYGEN_START", keygenStartTime.getSeconds());
+        cfg.setValueNumber("election", "TIMESTAMP_KEYGEN_END", keygenEndTime.getSeconds());
         cfg.setValueNumber("election", "TIMESTAMP_START", startTime.getSeconds());
         cfg.setValueNumber("election", "TIMESTAMP_CLOSING", closingTime.getSeconds());
         cfg.setValueNumber("election", "TIMESTAMP_QUERY", queryTime.getSeconds());
@@ -332,8 +433,8 @@ public class Ballot {
             cfg.setValueString("election", "ISSUER_PUB", issuerPub.toString());
             cfg.setValueString("election", "ISSUER_SIG", issuerSig.toString());
         }
-        if (-1 != choiceId) {
-            cfg.setValueNumber("vote", "CHOICE_ID", choiceId);
+        if (null != encryptedVote) {
+            encryptedVote.writeToConfiguration(cfg);
         }
         if (null != voterPub) {
             cfg.setValueString("vote", "VOTER_PUB", voterPub.toString());
@@ -341,6 +442,14 @@ public class Ballot {
         if (null != groupCert) {
             groupCert.writeBallotConfig(cfg);
         }
+        System.out.println("thresh set when writing: " + thresholdPublicKeys.size());
+        for (Map.Entry<String,KeyQueryResponseMessage> e : thresholdPublicKeys.entrySet()) {
+            System.out.println("writing tresh");
+            cfg.setValueString("threshold-pubkeys", e.getKey(),
+                    e.getValue().signedGuidKey.publicKey.toString());
+            cfg.setValueString("threshold-pubkey-sigs", e.getKey(),
+                    e.getValue().signature.toString());
+        }
         return cfg;
     }
 
@@ -371,6 +480,10 @@ public class Ballot {
         buf.append(group);
         buf.append("\n");
 
+        buf.append("Threshold: ");
+        buf.append(threshold);
+        buf.append("\n");
+
         buf.append("Start Time: ");
         buf.append(startTime.toFancyString());
         buf.append("\n");
@@ -389,7 +502,7 @@ public class Ballot {
 
         buf.append("Choices:\n");
         for (int i = 0; i < choices.size(); i++) {
-            buf.append(""+(i+1));
+            buf.append(i + 1);
             buf.append(". '");
             buf.append(choices.get(i));
             buf.append("'\n");
@@ -430,7 +543,7 @@ public class Ballot {
         else {
             buf.append("ballot not submitted\n");
         }
-        if (choiceId != -1) {
+        if (encryptedVote != null) {
             buf.append("choice selected\n");
         } else {
             buf.append("no choice selected\n");
@@ -538,4 +651,22 @@ public class Ballot {
         voterPub = groupCert.getMemberPublicKey();
         this.groupCert = groupCert;
     }
+
+    /**
+     * Get the list of authorities that this ballot does not have a signature
+     * on the threshold key from.
+     */
+    public List<PeerIdentity> getRemainingKeyAuthorities() {
+        LinkedList<PeerIdentity> remaining = new LinkedList<PeerIdentity>();
+        for (Map.Entry<String,PeerIdentity> x : authorities.entrySet()) {
+            if (!thresholdPublicKeys.containsKey(x.getKey()))
+                remaining.add(x.getValue());
+        }
+        return remaining;
+    }
+
+    public void addThresholdPublicKey(PeerIdentity currentAuthority, KeyQueryResponseMessage m) {
+        String alias = authorities.inverse().get(currentAuthority);
+        thresholdPublicKeys.put(alias, m);
+    }
 }
diff --git a/src/main/java/org/gnunet/voting/BallotTool.java b/src/main/java/org/gnunet/voting/BallotTool.java
index 0047d0e..c0767a4 100644
--- a/src/main/java/org/gnunet/voting/BallotTool.java
+++ b/src/main/java/org/gnunet/voting/BallotTool.java
@@ -30,14 +30,14 @@ import org.gnunet.identity.IdentityCallback;
 import org.gnunet.mesh.Mesh;
 import org.gnunet.mesh.MeshRunabout;
 import org.gnunet.mesh.TunnelEndHandler;
+import org.gnunet.secretsharing.ThresholdPublicKey;
 import org.gnunet.testbed.CompressedConfig;
-import org.gnunet.util.AbsoluteTime;
-import org.gnunet.util.Configuration;
-import org.gnunet.util.PeerIdentity;
-import org.gnunet.util.Program;
+import org.gnunet.util.*;
 import org.gnunet.util.getopt.Argument;
 import org.gnunet.util.getopt.ArgumentAction;
 import org.gnunet.voting.messages.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -50,6 +50,9 @@ import java.util.Random;
  * Tool for creating, manipulating and submitting ballot files.
  */
 public class BallotTool extends Program {
+    private static final Logger logger = LoggerFactory
+            .getLogger(BallotTool.class);
+
     @Argument(
             shortname = "e",
             longname = "ego",
@@ -107,6 +110,12 @@ public class BallotTool extends Program {
             description = "incorporate the group cert into the ballot")
     String groupCertFile = null;
 
+    @Argument(
+            shortname = "k",
+            longname = "request-key",
+            action = ArgumentAction.SET,
+            description = "request the threshold public key from authorities")
+    boolean requestKey = false;
 
     @Argument(
             shortname = "t",
@@ -115,14 +124,35 @@ public class BallotTool extends Program {
             description = "write a template ballot to the give ballot file")
     boolean template = false;
 
+    /**
+     * The ego to use for the currently executing action.
+     */
     private Identity.Ego ego;
 
+    /**
+     * The (possibly modified) ballot originally loaded
+     * from 'ballotFilename'
+     */
     private Ballot ballot;
+
+    /**
+     * Filename to read the ballot from, and write modifications to.
+     */
     private String ballotFilename;
 
+    /**
+     * Our handle to MESH.
+     */
     private Mesh mesh;
+
+    /**
+     * A tunnel to 'currentAuthority' or null.
+     */
     private Mesh.Tunnel tunnel;
 
+    /**
+     * The authority we are currently communicating with.
+     */
     private PeerIdentity currentAuthority;
 
     /**
@@ -131,10 +161,39 @@ public class BallotTool extends Program {
      */
     private boolean tunnelCommunicationFinished;
 
+    private RelativeTime tunnelReconnectBackoff = RelativeTime.STD_BACKOFF;
+
     public class BallotTunnelEndHandler implements TunnelEndHandler {
         @Override
-        public void onTunnelEnd(Mesh.Tunnel tunnel) {
-            // FIXME
+        public void onTunnelEnd(final Mesh.Tunnel tunnel) {
+            // FIXME: just re-running 'doCommands' is a bit of a hack
+            BallotTool.this.tunnel = null;
+            if (!tunnelCommunicationFinished) {
+                logger.warn("mesh tunnel disconnected, but operation not finished");
+                Scheduler.addDelayed(tunnelReconnectBackoff, new Scheduler.Task() {
+                    @Override
+                    public void run(Scheduler.RunContext ctx) {
+                        doCommands();
+                    }
+                });
+                tunnelReconnectBackoff = tunnelReconnectBackoff.backoff();
+            }
+        }
+    }
+
+    /**
+     * Destroy the tunnel to the authority as well
+     * as the mesh handle.
+     */
+    private void endMesh() {
+        tunnelCommunicationFinished = true;
+        if (null != tunnel) {
+            tunnel.destroy();
+            tunnel = null;
+        }
+        if (null != mesh) {
+            mesh.destroy();
+            mesh = null;
         }
     }
 
@@ -143,20 +202,18 @@ public class BallotTool extends Program {
             System.out.println("ballot successfully registered");
             ballot.addRegistrationSignature(currentAuthority, m.registrationSignature);
             writeBallot();
-            tunnel.destroy();
-            mesh.destroy();
+            endMesh();
         }
 
         public void visit(BallotRegisterFailureMessage m) {
             System.out.println("registering failed: " + m.reason);
-            tunnel.destroy();
-            mesh.destroy();
+            endMesh();
+            setReturnValue(1);
         }
-
     }
 
     public class QueryReceiver extends MeshRunabout {
-        public void visit(QueryResponseMessage m) {
+        public void visit(ResultQueryResponseMessage m) {
             if (m.results.length != ballot.choices.size()) {
                 System.out.println("failure to query result: malformed response");
             } else {
@@ -165,16 +222,30 @@ public class BallotTool extends Program {
                     System.out.println("'" + ballot.choices.get(i) + "': " + m.results[i]);
                 }
             }
+            endMesh();
+        }
 
-            tunnel.destroy();
-            mesh.destroy();
+        public void visit(ResultQueryFailureMessage m) {
+            System.out.println("failure to query result: " + m.reason);
+            endMesh();
+            setReturnValue(1);
         }
+    }
+
 
-        public void visit(QueryFailureMessage m) {
+    public class PublicKeyReceiver extends MeshRunabout {
+        public void visit(KeyQueryResponseMessage m) {
+            System.out.println("got threshold public key!");
+            ballot.addThresholdPublicKey(currentAuthority, m);
+            writeBallot();
+            endMesh();
+        }
+        public void visit(KeyQueryFailureMessage m) {
             System.out.println("failure to query result: " + m.reason);
-            tunnel.destroy();
-            mesh.destroy();
+            endMesh();
+            setReturnValue(1);
         }
+
     }
 
     public class SubmitReceiver extends MeshRunabout {
@@ -183,19 +254,18 @@ public class BallotTool extends Program {
             System.out.println("vote successfully submitted");
             ballot.addConfirmation(currentAuthority, m.confirmationSig);
             writeBallot();
-            tunnel.destroy();
-            mesh.destroy();
+            endMesh();
         }
 
         public void visit(SubmitFailureMessage m) {
             System.out.println("vote not submitted: " + m.reason);
-            if (m.authorityTime != null) {
+            if (m.signedAuthorityTime != null) {
                 // FIXME: verify
                 System.out.println("authority time: " +
-                        AbsoluteTime.fromNetwork(m.authorityTime.innerMessage).toFancyString());
+                        AbsoluteTime.fromNetwork(m.signedAuthorityTime.time).toFancyString());
             }
-            tunnel.destroy();
-            mesh.destroy();
+            endMesh();
+            setReturnValue(1);
         }
     }
 
@@ -220,6 +290,9 @@ public class BallotTool extends Program {
         }
     }
 
+    /**
+     * Write the ballot back to disk.
+     */
     private void writeBallot() {
         try {
             Files.write(ballot.serialize(), new File(ballotFilename), Charsets.UTF_8);
@@ -228,6 +301,9 @@ public class BallotTool extends Program {
         }
     }
 
+    /**
+     * Actually execute the action the user requested.
+     */
     void doCommands() {
         if (null != groupCertFile) {
             Configuration groupCertConfig = new Configuration();
@@ -270,7 +346,13 @@ public class BallotTool extends Program {
                 setReturnValue(1);
                 return;
             }
-            ballot.encodeChoice(select, ego.getPrivateKey());
+            ThresholdPublicKey thresholdPublicKey = ballot.getMajorityThresholdPublicKey();
+            if (null == thresholdPublicKey) {
+                System.err.println("no threshold public key in ballot");
+                setReturnValue(1);
+                return;
+            }
+            ballot.encodeChoice(select, thresholdPublicKey, ego.getPrivateKey());
             writeBallot();
             return;
         }
@@ -297,7 +379,10 @@ public class BallotTool extends Program {
             m.groupCertExpiration = ballot.groupCert.getExpiration().asMessage();
             m.groupCert = ballot.groupCert.getSignature();
             m.ballotGuid = ballot.getBallotGuid();
-            m.choiceId = ballot.choiceId;
+            if (null == ballot.encryptedVote) {
+                throw new InvalidBallotException("no encrypted vote in ballot");
+            }
+            m.encryptedVote = ballot.encryptedVote;
             tunnel.send(m);
             return;
         }
@@ -313,15 +398,33 @@ public class BallotTool extends Program {
                 return;
             }
             Random r = new Random();
-            PeerIdentity authority = remainingAuthorities.get(r.nextInt(remainingAuthorities.size()));
-            System.out.println("querying authority" + authority.toString());
+            currentAuthority = remainingAuthorities.get(r.nextInt(remainingAuthorities.size()));
+            System.out.println("querying authority " + currentAuthority.toString());
             mesh = new Mesh(cfg, new BallotTunnelEndHandler(), new QueryReceiver());
-            tunnel = mesh.createTunnel(authority, TallyAuthorityDaemon.MESH_PORT, true, true, null);
-            QueryMessage m = new QueryMessage();
-            m.ballotGUID = ballot.getBallotGuid();
+            tunnel = mesh.createTunnel(currentAuthority, TallyAuthorityDaemon.MESH_PORT, true, true, null);
+            ResultQueryMessage m = new ResultQueryMessage();
+            m.ballotGuid = ballot.getBallotGuid();
             tunnel.send(m);
             return;
         }
+        if (requestKey) {
+            List<PeerIdentity> remainingAuthorities = ballot.getRemainingKeyAuthorities();
+            if (remainingAuthorities.isEmpty()) {
+                System.err.println("all authorities already signed group key");
+                return;
+            }
+            Random r = new Random();
+            currentAuthority = remainingAuthorities.get(r.nextInt(remainingAuthorities.size()));
+            System.out.println("asking authority for key " + currentAuthority.toString());
+            mesh = new Mesh(cfg, new BallotTunnelEndHandler(), new PublicKeyReceiver());
+            tunnel = mesh.createTunnel(currentAuthority, TallyAuthorityDaemon.MESH_PORT, true, true, null);
+            KeyQueryMessage m = new KeyQueryMessage();
+            m.ballotGuid = ballot.getBallotGuid();
+            tunnel.send(m);
+            return;
+        }
+        setReturnValue(1);
+        System.err.println("no action specified");
     }
 
     @Override
@@ -342,7 +445,15 @@ public class BallotTool extends Program {
             System.err.println("ballot file does not exist");
             return;
         }
-        ballot = new Ballot(ballotFilename);
+        try {
+            ballot = new Ballot(ballotFilename);
+        } catch (InvalidBallotException e) {
+            System.err.println("Invalid or incomplete ballot:");
+            System.err.println(e.getMessage());
+            setReturnValue(1);
+            return;
+        }
+        // if there's an ego name, look it up ...
         if (null != egoName) {
             Identity.lookup(getConfiguration(), egoName, new IdentityCallback() {
                 @Override
diff --git a/src/main/java/org/gnunet/voting/TallyAuthorityDaemon.java b/src/main/java/org/gnunet/voting/TallyAuthorityDaemon.java
index 5fd21ba..6fa6b8e 100644
--- a/src/main/java/org/gnunet/voting/TallyAuthorityDaemon.java
+++ b/src/main/java/org/gnunet/voting/TallyAuthorityDaemon.java
@@ -30,6 +30,9 @@ import org.gnunet.construct.NestedMessage;
 import org.gnunet.construct.UInt32;
 import org.gnunet.mesh.Mesh;
 import org.gnunet.mesh.MeshRunabout;
+import org.gnunet.secretsharing.*;
+import org.gnunet.secretsharing.callbacks.DecryptCallback;
+import org.gnunet.secretsharing.callbacks.SecretReadyCallback;
 import org.gnunet.testbed.CompressedConfig;
 import org.gnunet.util.*;
 import org.gnunet.util.crypto.*;
@@ -37,27 +40,36 @@ import org.gnunet.voting.messages.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.math.BigInteger;
 import java.util.*;
 
 
 /**
- * Daemon that is responsible for counting votes.
+ * Daemon that is responsible for accepting and counting votes.
  */
 public class TallyAuthorityDaemon extends Program {
     private static final Logger logger = LoggerFactory
             .getLogger(TallyAuthorityDaemon.class);
 
+    /**
+     * Mesh port used to connect to to the tally authority daemon.
+     */
     public static final int MESH_PORT = 1002;
+
+    /**
+     * Mesh handle.
+     */
     private Mesh mesh;
+
+    /**
+     * Private key of the local peer.
+     */
     private EddsaPrivateKey authorityPrivateKey;
-    private EddsaPublicKey authorityPublicKey;
 
-    public static class Vote implements Message {
-        @UInt32
-        public int choice;
-        @NestedMessage
-        public EcdsaPublicKey voterPub;
-    }
+    /**
+     * Public key of the local peer.
+     */
+    private EddsaPublicKey authorityPublicKey;
 
     /**
      * All elections known to this authority
@@ -74,24 +86,53 @@ public class TallyAuthorityDaemon extends Program {
         Ballot ballot;
 
         /**
-         * Set of voters that have submitted their ballot.
+         * The threshold crypto share, null if the key has not yet been
+         * established.
+         */
+        Share share;
+
+        /**
+         * A voter is in this set if its vote has been in the consensus.
+         */
+        Set<EcdsaPublicKey> countedVoters = new HashSet<EcdsaPublicKey>();
+
+        /**
+         * Key generation session.
          */
-        Set<EcdsaPublicKey> voters = new HashSet<EcdsaPublicKey>();
+        KeyGeneration keyGeneration;
 
         /**
          * Consensus with the other authorities on the set of ballots.
          */
         Consensus consensus;
 
+        /**
+         * Are we done with the vote consensus?
+         */
         boolean consensusDone;
 
         /**
+         * Product of all encrypted votes (mod q), used to compute the final tally.
+         */
+        Ciphertext voteProduct;
+
+        /**
          * Maping from choice to number of votes for that choice.
+         * In our currently simplified implementation, tally.length is always 2.
+         * If the tally has not been counted yet, 'tally' is null.
          */
-        int[] tally;
+        long[] tally;
+
+        /**
+         * The decrypt session.
+         */
+        Decryption decryption;
     }
 
-    static class ElectionConsensusConclude implements ConsensusCallback {
+    /**
+     * Callbacks for the vote consensus.
+     */
+    class ElectionConsensusConclude implements ConsensusCallback {
         private final ElectionState electionState;
 
         public ElectionConsensusConclude(ElectionState electionState) {
@@ -100,22 +141,39 @@ public class TallyAuthorityDaemon extends Program {
         @Override
         public void onElement(ConsensusElement element) {
             System.out.println("got element from consensus");
-            Vote vote = Construct.parseAs(element.data, Vote.class);
-            if (vote.choice >= 0 && vote.choice < electionState.tally.length) {
-                electionState.tally[vote.choice] += 1;
-            }
+            EncryptedVote vote = Construct.parseAs(element.data, EncryptedVote.class);
+            electionState.voteProduct = electionState.voteProduct.multiply(vote.v);
         }
 
         @Override
         public void onDone() {
-            System.out.println("got element from consensus");
+            System.out.println("consensus concluded");
             electionState.consensusDone = true;
             electionState.consensus.destroy();
             electionState.consensus = null;
+
+            electionState.decryption = new Decryption(
+                    getConfiguration(),
+                    electionState.share,
+                    electionState.voteProduct,
+                    electionState.ballot.concludeTime,
+                    electionState.ballot.queryTime,
+                    new DecryptCallback() {
+                        @Override
+                        public void onResult(Plaintext plaintext) {
+                            logger.info("got decypt result");
+                            long l = electionState.countedVoters.size();
+                            long t = plaintext.bruteForceDiscreteLog(l);
+                            logger.info("brute-forced result");
+                            electionState.tally = new long[2];
+                            electionState.tally[0] = (l - t) / 2;
+                            electionState.tally[1] = l - electionState.tally[0];
+                        }
+                    });
         }
     }
 
-    static class ConsensusConcludeTask implements Scheduler.Task {
+    class ConsensusConcludeTask implements Scheduler.Task {
         /**
          * Which election on this authority is the consensus conclude for?
          */
@@ -130,9 +188,28 @@ public class TallyAuthorityDaemon extends Program {
         }
     }
 
-    private EddsaSignedMessage<AbsoluteTimeMessage> getTimeSigMessage() {
-        AbsoluteTimeMessage m = AbsoluteTime.now().asMessage();
-        return EddsaSignedMessage.signMessage(m, 0, authorityPrivateKey, authorityPublicKey);
+    static class SecretReady implements SecretReadyCallback {
+        private final ElectionState electionState;
+
+        public SecretReady(ElectionState electionState) {
+            this.electionState = electionState;
+        }
+
+        @Override
+        public void onSecretReady(Share share) {
+            electionState.keyGeneration = null;
+            electionState.share = share;
+        }
+    }
+
+    private SubmitFailureMessage.SignedAuthorityTime getTimeSigMessage() {
+        SubmitFailureMessage.SignedAuthorityTime tm = new SubmitFailureMessage.SignedAuthorityTime();
+        // FIXME!
+        tm.purpose = 0;
+        tm.time = AbsoluteTime.now().asMessage();
+        tm.signature = authorityPrivateKey.sign(authorityPublicKey, tm.purpose,
+                Construct.toBinary(tm.time));
+        return tm;
     }
 
     private class TallyMeshReceiver extends MeshRunabout {
@@ -143,32 +220,23 @@ public class TallyAuthorityDaemon extends Program {
                 SubmitFailureMessage fm = new SubmitFailureMessage();
                 fm.reason = "no matching ballot found";
                 getSender().send(fm);
-            } else if (m.choiceId < 0 || m.choiceId >= electionState.tally.length) {
-                SubmitFailureMessage fm = new SubmitFailureMessage();
-                fm.reason = "invalid vote";
-                getSender().send(fm);
-            } else if (electionState.voters.contains(m.voterPub)) {
-                SubmitFailureMessage fm = new SubmitFailureMessage();
-                fm.reason = "duplicate vote detected";
-                getSender().send(fm);
             } else if (!electionState.ballot.startTime.isDue()) {
                 SubmitFailureMessage fm = new SubmitFailureMessage();
                 fm.reason = "too early to submit vote";
-                fm.authorityTime = getTimeSigMessage();
+                fm.signedAuthorityTime = getTimeSigMessage();
                 getSender().send(fm);
             } else if (electionState.ballot.closingTime.isDue()) {
                 SubmitFailureMessage fm = new SubmitFailureMessage();
                 fm.reason = "too late to submit vote";
-                fm.authorityTime = getTimeSigMessage();
+                fm.signedAuthorityTime = getTimeSigMessage();
                 getSender().send(fm);
             }
             // FIXME: check signatures of voter and CA
             else {
-                electionState.voters.add(m.voterPub);
-                Vote vote = new Vote();
-                vote.choice = m.choiceId;
-                vote.voterPub = m.voterPub;
-                byte[] elem = Construct.toBinary(vote);
+                // we do *not* check for duplicate votes here,
+                // as consensus takes care of this, and there is no harm in sending
+                // exact duplicates
+                byte[] elem = Construct.toBinary(m.encryptedVote);
                 electionState.consensus.insertElement(new ConsensusElement(elem, 0));
                 SubmitSuccessMessage sm = new SubmitSuccessMessage();
                 sm.confirmationSig = EddsaSignature.randomGarbage();
@@ -200,11 +268,11 @@ public class TallyAuthorityDaemon extends Program {
                 return;
             }
             ElectionState electionState = new ElectionState();
-            electionState.tally = new int[b.choices.size()];
             electionState.ballot = b;
             PeerIdentity[] ids = new PeerIdentity[b.getAuthorities().size()];
             ids = b.getAuthorities().toArray(ids);
-            electionState.consensus = new Consensus(getConfiguration(),
+            electionState.consensus = new Consensus(
+                    getConfiguration(),
                     ids,
                     b.getBallotGuid(),
                     electionState.ballot.closingTime,
@@ -218,37 +286,83 @@ public class TallyAuthorityDaemon extends Program {
                 logger.info("concluding in {}", b.closingTime.getRemaining().getSeconds());
                 Scheduler.addDelayed(b.closingTime.getRemaining(), t);
             }
+            // we hash the GUID a second time, so that there's no
+            // collision with the consensus (as secretsharing also uses consensus internally)
+            electionState.keyGeneration = new KeyGeneration(
+                    getConfiguration(),
+                    ids,
+                    HashCode.hash(b.getBallotGuid().data),
+                    electionState.ballot.keygenStartTime,
+                    electionState.ballot.keygenEndTime,
+                    electionState.ballot.threshold, new SecretReady(electionState));
             elections.put(guid, electionState);
+
             BallotRegisterSuccessMessage rm = new BallotRegisterSuccessMessage();
             rm.registrationSignature = EddsaSignature.randomGarbage();
             getSender().send(rm);
-
         }
 
-        public void visit(QueryMessage m) {
-            ElectionState electionState = elections.get(m.ballotGUID);
+        public void visit(ResultQueryMessage m) {
+            logger.debug("got result query message");
+            ElectionState electionState = elections.get(m.ballotGuid);
             if (null == electionState) {
-                QueryFailureMessage rm = new QueryFailureMessage();
+                ResultQueryFailureMessage rm = new ResultQueryFailureMessage();
                 rm.reason = "no matching ballot found";
                 getSender().send(rm);
             } else {
-                if (!electionState.consensusDone) {
-                    QueryFailureMessage rm = new QueryFailureMessage();
-                    rm.reason = "consensus not finished (sorry...)";
+                if (!electionState.ballot.queryTime.isDue()) {
+                    ResultQueryFailureMessage rm = new ResultQueryFailureMessage();
+                    rm.reason = "result query not allowed yet";
                     getSender().send(rm);
                 }
-                else if (electionState.ballot.queryTime.isDue()) {
-                    QueryResponseMessage rm = new QueryResponseMessage();
-                    rm.results = electionState.tally;
+                else if (null == electionState.tally) {
+                    ResultQueryFailureMessage rm = new ResultQueryFailureMessage();
+                    rm.reason = "tally not yet available";
                     getSender().send(rm);
-                } else {
-                    QueryFailureMessage rm = new QueryFailureMessage();
-                    rm.reason = "result query not allowed yet";
+                }
+                else {
+                    ResultQueryResponseMessage rm = new ResultQueryResponseMessage();
+                    rm.results = electionState.tally;
                     getSender().send(rm);
                 }
             }
             getSender().receiveDone();
         }
+
+        public void visit(KeyQueryMessage m) {
+            logger.debug("got key query message");
+            getSender().receiveDone();
+            ElectionState electionState = elections.get(m.ballotGuid);
+            if (null == electionState) {
+                KeyQueryFailureMessage rm = new KeyQueryFailureMessage();
+                rm.reason = "no matching ballot found";
+                getSender().send(rm);
+                return;
+            }
+            if (!electionState.ballot.keygenEndTime.isDue()) {
+                KeyQueryFailureMessage rm = new KeyQueryFailureMessage();
+                rm.reason = "key query not allowed yet";
+                getSender().send(rm);
+                return;
+            }
+            if (null == electionState.share) {
+                KeyQueryFailureMessage rm = new KeyQueryFailureMessage();
+                rm.reason = "key not yet established";
+                getSender().send(rm);
+                return;
+            }
+            KeyQueryResponseMessage.BallotPublicKey ballotPublicKey = new KeyQueryResponseMessage.BallotPublicKey();
+            ballotPublicKey.ballotGuid = electionState.ballot.getBallotGuid();
+            ballotPublicKey.publicKey = electionState.share.publicKey;
+
+            KeyQueryResponseMessage rm = new KeyQueryResponseMessage();
+            rm.signedGuidKey = ballotPublicKey;
+            // FIXME!
+            rm.purpose = 0;
+            rm.signature = authorityPrivateKey.sign(authorityPublicKey, rm.purpose,
+                    Construct.toBinary(rm.signedGuidKey));
+            getSender().send(rm);
+        }
     }
 
     public TallyAuthorityDaemon(String[] args) {
@@ -266,5 +380,15 @@ public class TallyAuthorityDaemon extends Program {
     public void run() {
         logger.info("running tally daemon");
         mesh = new Mesh(getConfiguration(), null, null, new TallyMeshReceiver(), MESH_PORT);
+
+        Scheduler.addDelayed(RelativeTime.FOREVER, new Scheduler.Task() {
+            @Override
+            public void run(Scheduler.RunContext ctx) {
+                if (null != mesh) {
+                    mesh.destroy();
+                    mesh = null;
+                }
+            }
+        });
     }
 }
diff --git a/src/main/java/org/gnunet/voting/messages/KeyQueryFailureMessage.java b/src/main/java/org/gnunet/voting/messages/KeyQueryFailureMessage.java
new file mode 100644
index 0000000..ae48bad
--- /dev/null
+++ b/src/main/java/org/gnunet/voting/messages/KeyQueryFailureMessage.java
@@ -0,0 +1,11 @@
+package org.gnunet.voting.messages;
+
+import org.gnunet.construct.UnionCase;
+import org.gnunet.construct.ZeroTerminatedString;
+import org.gnunet.util.GnunetMessage;
+
+@UnionCase(42015)
+public class KeyQueryFailureMessage implements GnunetMessage.Body {
+    @ZeroTerminatedString
+    public String reason;
+}
diff --git a/src/main/java/org/gnunet/voting/messages/KeyQueryMessage.java b/src/main/java/org/gnunet/voting/messages/KeyQueryMessage.java
new file mode 100644
index 0000000..37da763
--- /dev/null
+++ b/src/main/java/org/gnunet/voting/messages/KeyQueryMessage.java
@@ -0,0 +1,12 @@
+package org.gnunet.voting.messages;
+
+import org.gnunet.construct.NestedMessage;
+import org.gnunet.construct.UnionCase;
+import org.gnunet.util.GnunetMessage;
+import org.gnunet.util.HashCode;
+
+@UnionCase(42013)
+public class KeyQueryMessage implements GnunetMessage.Body {
+    @NestedMessage
+    public HashCode ballotGuid;
+}
diff --git a/src/main/java/org/gnunet/voting/messages/KeyQueryResponseMessage.java b/src/main/java/org/gnunet/voting/messages/KeyQueryResponseMessage.java
new file mode 100644
index 0000000..c94332a
--- /dev/null
+++ b/src/main/java/org/gnunet/voting/messages/KeyQueryResponseMessage.java
@@ -0,0 +1,51 @@
+/*
+ This file is part of GNUnet.
+ (C) 2014 Christian Grothoff (and other contributing authors)
+
+ GNUnet is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published
+ by the Free Software Foundation; either version 3, or (at your
+ option) any later version.
+
+ GNUnet is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with GNUnet; see the file COPYING.  If not, write to the
+ Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+ */
+
+package org.gnunet.voting.messages;
+
+import org.gnunet.construct.Message;
+import org.gnunet.construct.NestedMessage;
+import org.gnunet.construct.UInt32;
+import org.gnunet.construct.UnionCase;
+import org.gnunet.secretsharing.ThresholdPublicKey;
+import org.gnunet.util.GnunetMessage;
+import org.gnunet.util.HashCode;
+import org.gnunet.util.crypto.EddsaSignature;
+
+@UnionCase(42014)
+public class KeyQueryResponseMessage implements GnunetMessage.Body {
+
+    public static class BallotPublicKey implements Message {
+        @NestedMessage
+        public HashCode ballotGuid;
+
+        @NestedMessage
+        public ThresholdPublicKey publicKey;
+    }
+
+    @NestedMessage
+    public EddsaSignature signature;
+
+    @UInt32
+    public int purpose;
+
+    @NestedMessage
+    public BallotPublicKey signedGuidKey;
+}
diff --git a/src/main/java/org/gnunet/voting/messages/ResultQueryFailureMessage.java b/src/main/java/org/gnunet/voting/messages/ResultQueryFailureMessage.java
new file mode 100644
index 0000000..9b9ef49
--- /dev/null
+++ b/src/main/java/org/gnunet/voting/messages/ResultQueryFailureMessage.java
@@ -0,0 +1,31 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
+
+package org.gnunet.voting.messages;
+
+import org.gnunet.construct.UnionCase;
+import org.gnunet.construct.ZeroTerminatedString;
+import org.gnunet.util.GnunetMessage;
+
+@UnionCase(42009)
+public class ResultQueryFailureMessage implements GnunetMessage.Body {
+    @ZeroTerminatedString
+    public String reason;
+}
diff --git a/src/main/java/org/gnunet/voting/messages/ResultQueryMessage.java b/src/main/java/org/gnunet/voting/messages/ResultQueryMessage.java
new file mode 100644
index 0000000..13f0b04
--- /dev/null
+++ b/src/main/java/org/gnunet/voting/messages/ResultQueryMessage.java
@@ -0,0 +1,12 @@
+package org.gnunet.voting.messages;
+
+import org.gnunet.construct.NestedMessage;
+import org.gnunet.construct.UnionCase;
+import org.gnunet.util.GnunetMessage;
+import org.gnunet.util.HashCode;
+
+@UnionCase(42005)
+public class ResultQueryMessage implements GnunetMessage.Body {
+    @NestedMessage
+    public HashCode ballotGuid;
+}
diff --git a/src/main/java/org/gnunet/voting/messages/ResultQueryResponseMessage.java b/src/main/java/org/gnunet/voting/messages/ResultQueryResponseMessage.java
new file mode 100644
index 0000000..96ad4b5
--- /dev/null
+++ b/src/main/java/org/gnunet/voting/messages/ResultQueryResponseMessage.java
@@ -0,0 +1,12 @@
+package org.gnunet.voting.messages;
+
+
+import org.gnunet.construct.*;
+import org.gnunet.util.GnunetMessage;
+import org.gnunet.util.HashCode;
+
+@UnionCase(42006)
+public class ResultQueryResponseMessage implements GnunetMessage.Body {
+    @IntegerFill(signed = false, bitSize = 32)
+    public long[] results;
+}
diff --git a/src/main/java/org/gnunet/voting/messages/SubmitFailureMessage.java b/src/main/java/org/gnunet/voting/messages/SubmitFailureMessage.java
index 50751fb..9aec8b2 100644
--- a/src/main/java/org/gnunet/voting/messages/SubmitFailureMessage.java
+++ b/src/main/java/org/gnunet/voting/messages/SubmitFailureMessage.java
@@ -22,17 +22,27 @@ package org.gnunet.voting.messages;
 
 
 import org.gnunet.construct.NestedMessage;
+import org.gnunet.construct.UInt32;
 import org.gnunet.construct.UnionCase;
 import org.gnunet.construct.ZeroTerminatedString;
 import org.gnunet.util.AbsoluteTimeMessage;
 import org.gnunet.util.GnunetMessage;
-import org.gnunet.util.crypto.EcdsaSignedMessage;
-import org.gnunet.util.crypto.EddsaSignedMessage;
+import org.gnunet.util.crypto.EddsaSignature;
 
 @UnionCase(42010)
 public class SubmitFailureMessage implements GnunetMessage.Body {
+    public static class SignedAuthorityTime {
+        @NestedMessage
+        public EddsaSignature signature;
+        @UInt32
+        public int purpose;
+        @NestedMessage
+        public AbsoluteTimeMessage time;
+    }
+
     @ZeroTerminatedString
     public String reason;
+
     @NestedMessage(optional = true)
-    public EddsaSignedMessage<AbsoluteTimeMessage> authorityTime;
+    public SignedAuthorityTime signedAuthorityTime;
 }
diff --git a/src/main/java/org/gnunet/voting/messages/SubmitMessage.java b/src/main/java/org/gnunet/voting/messages/SubmitMessage.java
index 52bf894..342aa0b 100644
--- a/src/main/java/org/gnunet/voting/messages/SubmitMessage.java
+++ b/src/main/java/org/gnunet/voting/messages/SubmitMessage.java
@@ -7,6 +7,7 @@ import org.gnunet.util.*;
 import org.gnunet.util.crypto.EcdsaPublicKey;
 import org.gnunet.util.crypto.EcdsaSignature;
 import org.gnunet.util.crypto.EddsaSignature;
+import org.gnunet.voting.EncryptedVote;
 
 /**
  * Message send by the voter to the election authority to submit a vote.
@@ -33,10 +34,12 @@ public class SubmitMessage implements GnunetMessage.Body {
      */
     @NestedMessage
     public AbsoluteTimeMessage groupCertExpiration;
+
     /**
-     * The actual vote.
-     * FIXME: this will be encrypted!
+     * The encrypted vote, including zero knowledge proofs
+     * for correctness.
+     * FIXME: wrap in a signature container
      */
-    @UInt32
-    public int choiceId;
+    @NestedMessage
+    public EncryptedVote encryptedVote;
 }