- make mpi scan/print public

- secretsharing key generation and decryption fixed

11 files changed, 1001 insertions, 327 deletions

diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index a82b2fdd6..a5ee98092 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -55,6 +55,7 @@ struct GNUNET_PeerIdentity;
 
 #include "gnunet_common.h"
 #include "gnunet_scheduler_lib.h"
+#include <gcrypt.h>
 
 
 /**
@@ -1232,6 +1233,35 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey
                                        struct GNUNET_CRYPTO_EcdsaPublicKey *result);
 
 
+/**
+ * Output the given MPI value to the given buffer in network
+ * byte order.  The MPI @a val may not be negative.
+ *
+ * @param buf where to output to
+ * @param size number of bytes in @a buf
+ * @param val value to write to @a buf
+ */
+void
+GNUNET_CRYPTO_mpi_print_unsigned (void *buf,
+                                  size_t size,
+                                  gcry_mpi_t val);
+
+
+/**
+ * Convert data buffer into MPI value.
+ * The buffer is interpreted as network
+ * byte order, unsigned integer.
+ *
+ * @param result where to store MPI value (allocated)
+ * @param data raw data (GCRYMPI_FMT_USG)
+ * @param size number of bytes in @a data
+ */
+void
+GNUNET_CRYPTO_mpi_scan_unsigned (gcry_mpi_t *result,
+                                 const void *data,
+                                 size_t size);
+
+
 #if 0                           /* keep Emacsens' auto-indent happy */
 {
 #endif
diff --git a/src/include/gnunet_secretsharing_service.h b/src/include/gnunet_secretsharing_service.h
index 8569e15ea..1524c79fe 100644
--- a/src/include/gnunet_secretsharing_service.h
+++ b/src/include/gnunet_secretsharing_service.h
@@ -43,13 +43,53 @@ extern "C"
 
 
 /**
- * Number of bits for secretsharing keys.
+ * Number of bits for secretsharing elements.
  * Must be smaller than the Pallier key size used internally
  * by the secretsharing service.
  * When changing this value, other internal parameters must also
  * be adjusted.
  */
-#define GNUNET_SECRETSHARING_KEY_BITS 1024
+#define GNUNET_SECRETSHARING_ELGAMAL_BITS 1024
+
+
+/**
+ * The q-parameter for ElGamal encryption, a 1024-bit safe prime.
+ */
+#define GNUNET_SECRETSHARING_ELGAMAL_P_HEX  \
+      "0x08a347d3d69e8b2dd7d1b12a08dfbccbebf4ca" \
+      "6f4269a0814e158a34312964d946b3ef22882317" \
+      "2bcf30fc08f772774cb404f9bc002a6f66b09a79" \
+      "d810d67c4f8cb3bedc6060e3c8ef874b1b64df71" \
+      "6c7d2b002da880e269438d5a776e6b5f253c8df5" \
+      "6a16b1c7ce58def07c03db48238aadfc52a354a2" \
+      "7ed285b0c1675cad3f3"
+
+/**
+ * The q-parameter for ElGamal encryption,
+ * a 1023-bit Sophie Germain prime, q = (p-1)/2
+ */
+#define GNUNET_SECRETSHARING_ELGAMAL_Q_HEX  \
+      "0x0451a3e9eb4f4596ebe8d895046fde65f5fa65" \
+      "37a134d040a70ac51a1894b26ca359f79144118b" \
+      "95e7987e047bb93ba65a027cde001537b3584d3c" \
+      "ec086b3e27c659df6e303071e477c3a58db26fb8" \
+      "b63e958016d4407134a1c6ad3bb735af929e46fa" \
+      "b50b58e3e72c6f783e01eda411c556fe2951aa51" \
+      "3f6942d860b3ae569f9"
+
+/**
+ * The g-parameter for ElGamal encryption,
+ * a generator of the unique size q subgroup of Z_p^*
+ */
+#define GNUNET_SECRETSHARING_ELGAMAL_G_HEX  \
+      "0x05c00c36d2e822950087ef09d8252994adc4e4" \
+      "8fe3ec70269f035b46063aff0c99b633fd64df43" \
+      "02442e1914c829a41505a275438871f365e91c12" \
+      "3d5303ef9e90f4b8cb89bf86cc9b513e74a72634" \
+      "9cfd9f953674fab5d511e1c078fc72d72b34086f" \
+      "c82b4b951989eb85325cb203ff98df76bc366bba" \
+      "1d7024c3650f60d0da"
+
 
 
 /**
@@ -77,7 +117,7 @@ struct GNUNET_SECRETSHARING_DecryptionHandle;
  */
 struct GNUNET_SECRETSHARING_PublicKey
 {
-  uint32_t bits[GNUNET_SECRETSHARING_KEY_BITS / 8 / sizeof (uint32_t)];
+  uint32_t bits[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 / sizeof (uint32_t)];
 };
 
 
@@ -86,21 +126,23 @@ struct GNUNET_SECRETSHARING_PublicKey
  */
 struct GNUNET_SECRETSHARING_Ciphertext
 {
-  uint32_t c1_bits[GNUNET_SECRETSHARING_KEY_BITS / 8 / sizeof (uint32_t)];
-  uint32_t c2_bits[GNUNET_SECRETSHARING_KEY_BITS / 8 / sizeof (uint32_t)];
+  uint32_t c1_bits[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 / sizeof (uint32_t)];
+  uint32_t c2_bits[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 / sizeof (uint32_t)];
 };
 
 
 /**
  * Plain, unencrypted message that can be encrypted with
  * a group public key.
+ * Note that we are not operating in GF(2^n), thus not every
+ * bit pattern is a valid plain text.
  */
-struct GNUNET_SECRETSHARING_Message
+struct GNUNET_SECRETSHARING_Plaintext
 {
   /**
    * Value of the message.
    */
-  uint32_t bits[GNUNET_SECRETSHARING_KEY_BITS / 8 / sizeof (uint32_t)];
+  uint32_t bits[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 / sizeof (uint32_t)];
 };
 
 
@@ -113,6 +155,8 @@ struct GNUNET_SECRETSHARING_Message
  *
  * If the secret sharing failed, num_ready_peers is 0 and my_share and public_key is NULL.
  *
+ * After this callback has been called, the secretsharing session will be invalid.
+ *
  * @param cls closure
  * @param my_share the share of this peer
  * @param public_key public key of the session
@@ -121,10 +165,10 @@ struct GNUNET_SECRETSHARING_Message
  *                    the shared secret
  */
 typedef void (*GNUNET_SECRETSHARING_SecretReadyCallback) (void *cls,
-                                                          const struct GNUNET_SECRETSHARING_Share *my_share,
-                                                          const struct GNUNET_SECRETSHARING_PublicKey *public_key,
+                                                          struct GNUNET_SECRETSHARING_Share *my_share,
+                                                          struct GNUNET_SECRETSHARING_PublicKey *public_key,
                                                           unsigned int num_ready_peers,
-                                                          const struct GNUNET_PeerIdentity *ready_peers);
+                                                          struct GNUNET_PeerIdentity *ready_peers);
 
 
 /**
@@ -135,8 +179,7 @@ typedef void (*GNUNET_SECRETSHARING_SecretReadyCallback) (void *cls,
  * @param data_size number of bytes in @a data
  */
 typedef void (*GNUNET_SECRETSHARING_DecryptCallback) (void *cls,
-                                                      const void *data,
-                                                      size_t data_size);
+                                                      const struct GNUNET_SECRETSHARING_Plaintext *plaintext);
 
 
 /**
@@ -165,21 +208,13 @@ GNUNET_SECRETSHARING_create_session (const struct GNUNET_CONFIGURATION_Handle *c
 
 
 /**
- * Destroy a secret share.
- *
- * @param share secret share to destroy
- */
-void
-GNUNET_SECRETSHARING_share_destroy (const struct GNUNET_SECRETSHARING_Share *share);
-
-
-/**
  * Destroy a secret sharing session.
+ * The secret ready callback will not be called.
  *
  * @param session session to destroy
  */
 void
-GNUNET_SECRETSHARING_destroy_session (struct GNUNET_SECRETSHARING_Session *session);
+GNUNET_SECRETSHARING_session_destroy (struct GNUNET_SECRETSHARING_Session *session);
 
 
 /**
@@ -196,9 +231,8 @@ GNUNET_SECRETSHARING_destroy_session (struct GNUNET_SECRETSHARING_Session *sessi
  * @return #GNUNET_YES on succes, #GNUNET_SYSERR if the message is invalid (invalid range)
  */
 int
-GNUNET_SECRETSHARING_encrypt (struct GNUNET_SECRETSHARING_PublicKey *public_key,
-                              const void *message,
-                              size_t message_size,
+GNUNET_SECRETSHARING_encrypt (const struct GNUNET_SECRETSHARING_PublicKey *public_key,
+                              const struct GNUNET_SECRETSHARING_Plaintext *plaintext,
                               struct GNUNET_SECRETSHARING_Ciphertext *result_ciphertext);
 
 
@@ -218,9 +252,9 @@ GNUNET_SECRETSHARING_encrypt (struct GNUNET_SECRETSHARING_PublicKey *public_key,
  * @return handle to cancel the operation
  */
 struct GNUNET_SECRETSHARING_DecryptionHandle *
-GNUNET_SECRETSHARING_decrypt (struct GNUNET_CONFIGURATION_Handle *cfg,
+GNUNET_SECRETSHARING_decrypt (const struct GNUNET_CONFIGURATION_Handle *cfg,
                               struct GNUNET_SECRETSHARING_Share *share,
-                              struct GNUNET_SECRETSHARING_Ciphertext *ciphertext,
+                              const struct GNUNET_SECRETSHARING_Ciphertext *ciphertext,
                               struct GNUNET_TIME_Absolute deadline,
                               GNUNET_SECRETSHARING_DecryptCallback decrypt_cb,
                               void *decrypt_cb_cls);
@@ -267,6 +301,20 @@ GNUNET_SECRETSHARING_share_write (const struct GNUNET_SECRETSHARING_Share *share
                                   void *buf, size_t buflen, size_t *writelen);
 
 
+void
+GNUNET_SECRETSHARING_share_destroy (struct GNUNET_SECRETSHARING_Share *share);
+
+
+int
+GNUNET_SECRETSHARING_plaintext_generate (struct GNUNET_SECRETSHARING_Plaintext *plaintext,
+                                         gcry_mpi_t exponent);
+
+int
+GNUNET_SECRETSHARING_plaintext_generate_i (struct GNUNET_SECRETSHARING_Plaintext *plaintext,
+                                           int64_t exponent);
+
+
+
 
 #if 0                           /* keep Emacsens' auto-indent happy */
 {
diff --git a/src/secretsharing/gnunet-secretsharing-profiler.c b/src/secretsharing/gnunet-secretsharing-profiler.c
index 01eb49a2d..b718e8a27 100755
--- a/src/secretsharing/gnunet-secretsharing-profiler.c
+++ b/src/secretsharing/gnunet-secretsharing-profiler.c
@@ -28,17 +28,48 @@
 #include "gnunet_secretsharing_service.h"
 #include "gnunet_testbed_service.h"
 
+/**
+ * How many peers should participate in the key generation?
+ */
 static unsigned int num_peers = 3;
 
+/**
+ * What should the threshold for then key be?
+ */
 static unsigned int threshold = 2;
 
+/**
+ * Should we try to decrypt a value after the key generation?
+ */
+static unsigned int decrypt = GNUNET_NO;
+
+/**
+ * When would we like to see the operation finished?
+ */
 static struct GNUNET_TIME_Relative timeout;
 
+/**
+ * Handles for secretsharing sessions.
+ */
 static struct GNUNET_SECRETSHARING_Session **session_handles;
 
+static struct GNUNET_SECRETSHARING_DecryptionHandle **decrypt_handles;
+
+/**
+ * Shares we got from the distributed key generation.
+ */
+static struct GNUNET_SECRETSHARING_Share **shares;
+
+static struct GNUNET_SECRETSHARING_PublicKey common_pubkey;
+
+/**
+ * ???
+ */
 static struct GNUNET_TESTBED_Operation **testbed_operations;
 
-static unsigned int num_connected_handles;
+static unsigned int num_connected_sessions;
+
+static unsigned int num_connected_decrypt;
 
 static struct GNUNET_TESTBED_Peer **peers;
 
@@ -46,10 +77,18 @@ static struct GNUNET_PeerIdentity *peer_ids;
 
 static unsigned int num_retrieved_peer_ids;
 
+static unsigned int num_generated;
+
+static unsigned int num_decrypted;
+
 static struct GNUNET_HashCode session_id;
 
 static int verbose;
 
+struct GNUNET_SECRETSHARING_Plaintext reference_plaintext;
+
+struct GNUNET_SECRETSHARING_Ciphertext ciphertext;
+
 
 /**
  * Signature of the event handler function called by the
@@ -76,10 +115,47 @@ controller_cb (void *cls,
  *          operation has executed successfully.
  */
 static void
-connect_complete (void *cls,
-                  struct GNUNET_TESTBED_Operation *op,
-                  void *ca_result,
-                  const char *emsg)
+session_connect_complete (void *cls,
+                          struct GNUNET_TESTBED_Operation *op,
+                          void *ca_result,
+                          const char *emsg)
+{
+
+  if (NULL != emsg)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "testbed connect emsg: %s\n",
+                emsg);
+    GNUNET_assert (0);
+  }
+
+  num_connected_sessions++;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "dkg: session connect complete\n");
+
+  if (num_connected_sessions == num_peers)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "dkg: all peers connected\n");
+  }
+}
+
+
+/**
+ * Callback to be called when a service connect operation is completed
+ *
+ * @param cls the callback closure from functions generating an operation
+ * @param op the operation that has been finished
+ * @param ca_result the service handle returned from GNUNET_TESTBED_ConnectAdapter()
+ * @param emsg error message in case the operation has failed; will be NULL if
+ *          operation has executed successfully.
+ */
+static void
+decrypt_connect_complete (void *cls,
+                          struct GNUNET_TESTBED_Operation *op,
+                          void *ca_result,
+                          const char *emsg)
 {
 
   if (NULL != emsg)
@@ -90,35 +166,164 @@ connect_complete (void *cls,
     GNUNET_assert (0);
   }
 
-  num_connected_handles++;
+  num_connected_decrypt++;
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-              "connect complete\n");
+              "decrypt: session connect complete\n");
 
-  if (num_connected_handles == num_peers)
+  if (num_connected_decrypt == num_peers)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-                "all peers connected\n");
+                "decrypt: all peers connected\n");
+  }
+}
+
+
+/**
+ * Called when a decryption has succeeded.
+ *
+ * @param cls Plaintext
+ * @param plaintext Plaintext
+ */
+static void decrypt_cb (void *cls,
+                        const struct GNUNET_SECRETSHARING_Plaintext *plaintext)
+{
+  struct GNUNET_SECRETSHARING_DecryptionHandle **dhp = cls;
+  unsigned int n = dhp - decrypt_handles;
+  num_decrypted++;
+
+  *dhp = NULL;
+
+  if (NULL == plaintext)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt failed for peer %u\n", n);
+    return;
+  }
+  else if (0 == memcmp (&reference_plaintext, plaintext, sizeof (struct GNUNET_SECRETSHARING_Plaintext)))
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO, "decrypt got correct result for peer %u\n", n);
+  else
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt got wrong result for peer %u\n", n);
+
+  if (num_decrypted == num_peers)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO, "every peer decrypted\n");
+    GNUNET_SCHEDULER_shutdown ();
+  }
+
+  *dhp = NULL;
+}
+
+
+
+/**
+ * Adapter function called to establish a connection to
+ * a service.
+ *
+ * @param cls closure
+ * @param cfg configuration of the peer to connect to; will be available until
+ *          GNUNET_TESTBED_operation_done() is called on the operation returned
+ *          from GNUNET_TESTBED_service_connect()
+ * @return service handle to return in 'op_result', NULL on error
+ */
+static void *
+decrypt_connect_adapter (void *cls,
+                 const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_SECRETSHARING_DecryptionHandle **hp = cls;
+  unsigned int n = hp - decrypt_handles;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "decrypt connect adapter, %d peers\n",
+              num_peers);
+  *hp = GNUNET_SECRETSHARING_decrypt (cfg, shares[n], &ciphertext,
+                                      GNUNET_TIME_relative_to_absolute (GNUNET_TIME_UNIT_MINUTES),
+                                      decrypt_cb,
+                                      hp);
+
+  return *hp;
+}
+
+
+/**
+ * Adapter function called to destroy a connection to
+ * a service.
+ *
+ * @param cls closure
+ * @param op_result service handle returned from the connect adapter
+ */
+static void
+decrypt_disconnect_adapter(void *cls, void *op_result)
+{
+  struct GNUNET_SECRETSHARING_DecryptionHandle **dh = cls;
+  if (NULL != *dh)
+  {
+    GNUNET_SECRETSHARING_decrypt_cancel (*dh);
+    *dh = NULL;
   }
 }
 
 
 static void
 secret_ready_cb (void *cls,
-                 const struct GNUNET_SECRETSHARING_Share *my_share,
-                 const struct GNUNET_SECRETSHARING_PublicKey *public_key,
+                 struct GNUNET_SECRETSHARING_Share *my_share,
+                 struct GNUNET_SECRETSHARING_PublicKey *public_key,
                  unsigned int num_ready_peers,
-                 const struct GNUNET_PeerIdentity *ready_peers)
+                 struct GNUNET_PeerIdentity *ready_peers)
 {
   struct GNUNET_SECRETSHARING_Session **sp = cls;
   unsigned int n = sp - session_handles;
-  if (NULL == my_share || NULL == public_key)
+  char pubkey_str[1024];
+  char *ret;
+
+  num_generated++;
+  *sp = NULL;
+  shares[n] = my_share;
+  if (NULL == my_share)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_INFO, "key generation failed for peer #%u\n", n);
-    return;
   }
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "secret ready for peer #%u\n", n);
-  // FIXME: end profiler or try decryption if all secrets are ready
+  else
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO, "secret ready for peer #%u\n", n);
+    /* we're the first to get the key -> store it */
+    if (num_generated == 1)
+    {
+      common_pubkey = *public_key;
+    }
+    else if (0 != memcmp (public_key, &common_pubkey, sizeof (struct GNUNET_SECRETSHARING_PublicKey)))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "generated public keys do not match\n");
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+  }
+
+  ret = GNUNET_STRINGS_data_to_string (public_key, sizeof *public_key, pubkey_str, 1024);
+  GNUNET_assert (NULL != ret);
+  *ret = '\0';
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "key generation successful for peer #%u, pubkey %s\n", n,
+              pubkey_str);
+
+  // FIXME: destroy testbed operation
+
+  if (num_generated == num_peers)
+  {
+    int i;
+    if (GNUNET_NO == decrypt)
+    {
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+
+    // compute g^42
+    GNUNET_SECRETSHARING_plaintext_generate_i (&reference_plaintext, 42);
+    GNUNET_SECRETSHARING_encrypt (&common_pubkey, &reference_plaintext, &ciphertext);
+
+    // FIXME: store the ops somewhere!
+    for (i = 0; i < num_peers; i++)
+      GNUNET_TESTBED_service_connect (NULL, peers[i], "secretsharing", &decrypt_connect_complete, NULL,
+                                      &decrypt_connect_adapter, &decrypt_disconnect_adapter, &decrypt_handles[i]);
+  }
 }
 
 
@@ -133,8 +338,8 @@ secret_ready_cb (void *cls,
  * @return service handle to return in 'op_result', NULL on error
  */
 static void *
-connect_adapter (void *cls,
-                 const struct GNUNET_CONFIGURATION_Handle *cfg)
+session_connect_adapter (void *cls,
+                         const struct GNUNET_CONFIGURATION_Handle *cfg)
 {
   struct GNUNET_SECRETSHARING_Session **sp = cls;
 
@@ -152,6 +357,7 @@ connect_adapter (void *cls,
 }
 
 
+
 /**
  * Adapter function called to destroy a connection to
  * a service.
@@ -160,9 +366,14 @@ connect_adapter (void *cls,
  * @param op_result service handle returned from the connect adapter
  */
 static void
-disconnect_adapter(void *cls, void *op_result)
+session_disconnect_adapter (void *cls, void *op_result)
 {
-  /* FIXME: what to do here? */
+  struct GNUNET_SECRETSHARING_Session **sp = cls;
+  if (NULL != *sp)
+  {
+    GNUNET_SECRETSHARING_session_destroy (*sp);
+    *sp = NULL;
+  }
 }
 
 
@@ -195,8 +406,8 @@ peer_info_cb (void *cb_cls,
     if (num_retrieved_peer_ids == num_peers)
       for (i = 0; i < num_peers; i++)
         testbed_operations[i] =
-            GNUNET_TESTBED_service_connect (NULL, peers[i], "secretsharing", connect_complete, NULL,
-                                            connect_adapter, disconnect_adapter, &session_handles[i]);
+            GNUNET_TESTBED_service_connect (NULL, peers[i], "secretsharing", session_connect_complete, NULL,
+                                            session_connect_adapter, session_disconnect_adapter, &session_handles[i]);
   }
   else
   {
@@ -238,8 +449,11 @@ test_master (void *cls,
 
   peer_ids = GNUNET_malloc (num_peers * sizeof (struct GNUNET_PeerIdentity));
 
-  session_handles = GNUNET_malloc (num_peers * sizeof (struct GNUNET_SECRETSHARING_Session *));
-  testbed_operations = GNUNET_malloc (num_peers * sizeof (struct GNUNET_TESTBED_Operation *));
+  session_handles = GNUNET_new_array (num_peers, struct GNUNET_SECRETSHARING_Session *);
+  decrypt_handles = GNUNET_new_array (num_peers, struct GNUNET_SECRETSHARING_DecryptionHandle *);
+  testbed_operations = GNUNET_new_array (num_peers, struct GNUNET_TESTBED_Operation *);
+  shares = GNUNET_new_array (num_peers, struct GNUNET_SECRETSHARING_Share *);
+
 
   for (i = 0; i < num_peers; i++)
     GNUNET_TESTBED_peer_get_information (peers[i],
@@ -305,6 +519,9 @@ main (int argc, char **argv)
       { 'k', "threshold", NULL,
         gettext_noop ("threshold"),
         GNUNET_YES, &GNUNET_GETOPT_set_uint, &threshold },
+      { 'd', "decrypt", NULL,
+        gettext_noop ("also profile decryption"),
+        GNUNET_NO, &GNUNET_GETOPT_set_one, &decrypt },
       { 'V', "verbose", NULL,
         gettext_noop ("be more verbose (print received values)"),
         GNUNET_NO, &GNUNET_GETOPT_set_one, &verbose },
diff --git a/src/secretsharing/gnunet-service-secretsharing.c b/src/secretsharing/gnunet-service-secretsharing.c
index 38dabc3a8..1fcc4e351 100644
--- a/src/secretsharing/gnunet-service-secretsharing.c
+++ b/src/secretsharing/gnunet-service-secretsharing.c
@@ -33,6 +33,9 @@
 #include <gcrypt.h>
 
 
+#define EXTRA_CHECKS 1
+
+
 /**
  * Info about a peer in a key generation session.
  */
@@ -45,6 +48,7 @@ struct KeygenPeerInfo
 
   /**
    * The peer's paillier public key.
+   * Freshly generated for each keygen session.
    */
   gcry_mpi_t paillier_n;
 
@@ -92,7 +96,7 @@ struct DecryptPeerInfo
    * Original index in the key generation round.
    * Necessary for computing the lagrange coefficients.
    */
-  unsigned int real_index;
+  unsigned int original_index;
 
   /**
    * Set to the partial decryption of
@@ -323,52 +327,11 @@ static struct GNUNET_SERVER_Handle *srv;
 
 
 /**
- * If target != size, move @a target bytes to the end of the size-sized
- * buffer and zero out the first @a target - @a size bytes.
- *
- * @param buf original buffer
- * @param size number of bytes in @a buf
- * @param target target size of the buffer
- */
-static void
-adjust (unsigned char *buf,
-        size_t size,
-        size_t target)
-{
-  if (size < target)
-  {
-    memmove (&buf[target - size], buf, size);
-    memset (buf, 0, target - size);
-  }
-}
-
-
-/**
- * Print an MPI to a buffer, so that is contains the MPI's
- * the little endian representation of size @a size.
- *
- * @param buf buffer to write to
- * @param x mpi to be written in the buffer
- * @param size how many bytes should the little endian binary
- *             representation of @a x use?
- */
-static void
-print_mpi_fixed (void *buf, gcry_mpi_t x, size_t size)
-{
-  size_t written;
-  GNUNET_assert (0 == gcry_mpi_print (GCRYMPI_FMT_USG,
-                                      buf, size, &written,
-                                      x));
-  adjust (buf, written, size);
-}
-
-
-/**
  * Get the peer info belonging to a peer identity in a keygen session.
  *
- * @param ks the keygen session
- * @param peer the peer identity
- * @return the keygen peer info, or NULL if the peer could not be found
+ * @param ks The keygen session.
+ * @param peer The peer identity.
+ * @return The Keygen peer info, or NULL if the peer could not be found.
  */
 static struct KeygenPeerInfo *
 get_keygen_peer_info (const struct KeygenSession *ks,
@@ -385,13 +348,13 @@ get_keygen_peer_info (const struct KeygenSession *ks,
 /**
  * Get the peer info belonging to a peer identity in a decrypt session.
  *
- * @param ks the decrypt session
- * @param peer the peer identity
- * @return the decrypt peer info, or NULL if the peer could not be found
+ * @param ks The decrypt session.
+ * @param peer The peer identity.
+ * @return The decrypt peer info, or NULL if the peer could not be found.
  */
 static struct DecryptPeerInfo *
 get_decrypt_peer_info (const struct DecryptSession *ds,
-                      const struct GNUNET_PeerIdentity *peer)
+                       const struct GNUNET_PeerIdentity *peer)
 {
   unsigned int i;
   for (i = 0; i < ds->share->num_peers; i++)
@@ -428,8 +391,8 @@ time_between (struct GNUNET_TIME_Absolute start,
 /**
  * Compare two peer identities.  Indended to be used with qsort or bsearch.
  *
- * @param p1 some peer identity
- * @param p2 some peer identity
+ * @param p1 Some peer identity.
+ * @param p2 Some peer identity.
  * @return 1 if p1 > p2, -1 if p1 < p2 and 0 if p1 == p2.
  */
 static int
@@ -442,10 +405,10 @@ peer_id_cmp (const void *p1, const void *p2)
 /**
  * Get the index of a peer in an array of peers
  *
- * @param haystack array of peers
- * @param n size of @a haystack
- * @param needle peer to find
- * @return index of @a needle in @a haystack, or -1 if peer
+ * @param haystack Array of peers.
+ * @param n Size of @a haystack.
+ * @param needle Peer to find
+ * @return Index of @a needle in @a haystack, or -1 if peer
  *         is not in the list.
  */
 static int
@@ -464,11 +427,11 @@ peer_find (const struct GNUNET_PeerIdentity *haystack, unsigned int n,
  * Normalize the given list of peers, by including the local peer
  * (if it is missing) and sorting the peers by their identity.
  *
- * @param listed peers in the unnormalized list
- * @param num_listed peers in the un-normalized list
- * @param[out] num_normalized number of peers in the normalized list
- * @param[out] my_peer_idx index of the local peer in the normalized list
- * @return normalized list, must be free'd by the caller
+ * @param listed Peers in the unnormalized list.
+ * @param num_listed Peers in the un-normalized list.
+ * @param[out] num_normalized Number of peers in the normalized list.
+ * @param[out] my_peer_idx Index of the local peer in the normalized list.
+ * @return Normalized list, must be free'd by the caller.
  */
 static struct GNUNET_PeerIdentity *
 normalize_peers (struct GNUNET_PeerIdentity *listed,
@@ -477,6 +440,7 @@ normalize_peers (struct GNUNET_PeerIdentity *listed,
                  unsigned int *my_peer_idx)
 {
   unsigned int local_peer_in_list;
+  /* number of peers in the normalized list */
   unsigned int n;
   struct GNUNET_PeerIdentity *normalized;
 
@@ -506,10 +470,10 @@ normalize_peers (struct GNUNET_PeerIdentity *listed,
 
 
 /**
- * Get a the j-th lagrage coefficient for a set of indices.
+ * Get a the j-th lagrange coefficient for a set of indices.
  *
  * @param[out] coeff the lagrange coefficient
- * @param j lagrage coefficient we want to compute
+ * @param j lagrange coefficient we want to compute
  * @param indices indices
  * @param num number of indices in @a indices
  */
@@ -518,7 +482,7 @@ compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j,
                               unsigned int *indices,
                               unsigned int num)
 {
-  int i;
+  unsigned int i;
   /* numerator */
   gcry_mpi_t n;
   /* denominator */
@@ -535,22 +499,27 @@ compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j,
   gcry_mpi_set_ui (n, 1);
   gcry_mpi_set_ui (d, 1);
 
-  gcry_mpi_set_ui (coeff, 0);
   for (i = 0; i < num; i++)
   {
-    int l = indices[i];
+    unsigned int l = indices[i];
     if (l == j)
       continue;
-    gcry_mpi_mul_ui (n, n, l);
+    gcry_mpi_mul_ui (n, n, l + 1);
     // d <- d * (l-j)
-    gcry_mpi_set_ui (tmp, l);
-    gcry_mpi_sub_ui (tmp, tmp, j);
+    gcry_mpi_set_ui (tmp, l + 1);
+    gcry_mpi_sub_ui (tmp, tmp, j + 1);
     gcry_mpi_mul (d, d, tmp);
   }
 
+  // gcry_mpi_invm does not like negative numbers ...
+  gcry_mpi_mod (d, d, elgamal_q);
+
+  GNUNET_assert (gcry_mpi_cmp_ui (d, 0) > 0);
+
   // now we do the actual division, with everything mod q, as we
-  // are not operating on elemets from <g>, but on exponents
-  GNUNET_assert (0 == gcry_mpi_invm (d, d, elgamal_q));
+  // are not operating on elements from <g>, but on exponents
+  GNUNET_assert (0 != gcry_mpi_invm (d, d, elgamal_q));
+
   gcry_mpi_mulm (coeff, n, d, elgamal_q);
 
   gcry_mpi_release (n);
@@ -580,11 +549,22 @@ paillier_create (gcry_mpi_t n, gcry_mpi_t lambda, gcry_mpi_t mu)
   GNUNET_assert (0 != (phi = gcry_mpi_new (PAILLIER_BITS)));
   GNUNET_assert (0 != (tmp = gcry_mpi_new (PAILLIER_BITS)));
 
-  // generate rsa modulus
-  GNUNET_assert (0 == gcry_prime_generate (&p, PAILLIER_BITS / 2, 0, NULL, NULL, NULL,
-                                           GCRY_WEAK_RANDOM, 0));
-  GNUNET_assert (0 == gcry_prime_generate (&q, PAILLIER_BITS / 2, 0, NULL, NULL, NULL,
+  p = q = NULL;
+
+  // Generate two distinct primes.
+  // The probability that the loop body
+  // is executed more than once is very low.
+  do {
+    if (NULL != p)
+      gcry_mpi_release (p);
+    if (NULL != q)
+      gcry_mpi_release (q);
+    // generate rsa modulus
+    GNUNET_assert (0 == gcry_prime_generate (&p, PAILLIER_BITS / 2, 0, NULL, NULL, NULL,
+                                             GCRY_WEAK_RANDOM, 0));
+    GNUNET_assert (0 == gcry_prime_generate (&q, PAILLIER_BITS / 2, 0, NULL, NULL, NULL,
                                            GCRY_WEAK_RANDOM, 0));
+  } while (0 == gcry_mpi_cmp (p, q));
   gcry_mpi_mul (n, p, q);
   // compute phi(n) = (p-1)(q-1)
   gcry_mpi_sub_ui (phi, p, 1);
@@ -604,7 +584,7 @@ paillier_create (gcry_mpi_t n, gcry_mpi_t lambda, gcry_mpi_t mu)
 /**
  * Encrypt a value using Paillier's scheme.
  *
- * @param c resulting ciphertext
+ * @param[out] c resulting ciphertext
  * @param m plaintext to encrypt
  * @param n n-component of public key
  */
@@ -628,7 +608,7 @@ paillier_encrypt (gcry_mpi_t c, gcry_mpi_t m, gcry_mpi_t n)
   {
     gcry_mpi_randomize (r, PAILLIER_BITS, GCRY_WEAK_RANDOM);
   }
-  while (gcry_mpi_cmp (r, n) > 0);
+  while (gcry_mpi_cmp (r, n) >= 0);
 
   gcry_mpi_powm (c, g, m, n_square);
   gcry_mpi_powm (r, r, n, n_square);
@@ -636,6 +616,7 @@ paillier_encrypt (gcry_mpi_t c, gcry_mpi_t m, gcry_mpi_t n)
 
   gcry_mpi_release (n_square);
   gcry_mpi_release (r);
+  gcry_mpi_release (g);
 }
 
 
@@ -652,17 +633,69 @@ static void
 paillier_decrypt (gcry_mpi_t m, gcry_mpi_t c, gcry_mpi_t mu, gcry_mpi_t lambda, gcry_mpi_t n)
 {
   gcry_mpi_t n_square;
+
   GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
+
   gcry_mpi_mul (n_square, n, n);
+  // m = c^lambda mod n^2
   gcry_mpi_powm (m, c, lambda, n_square);
+  // m = m - 1
   gcry_mpi_sub_ui (m, m, 1);
-  // m = m/n
+  // m <- m/n
   gcry_mpi_div (m, NULL, m, n, 0);
   gcry_mpi_mulm (m, m, mu, n);
   gcry_mpi_release (n_square);
 }
 
 
+static void
+decrypt_session_destroy (struct DecryptSession *ds)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying decrypt session\n");
+
+  GNUNET_CONTAINER_DLL_remove (decrypt_sessions_head, decrypt_sessions_tail, ds);
+
+  if (NULL != ds->client_mq)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying decrypt MQ\n");
+    GNUNET_MQ_destroy (ds->client_mq);
+    ds->client_mq = NULL;
+  }
+
+  if (NULL != ds->client)
+  {
+    GNUNET_SERVER_client_disconnect (ds->client);
+    ds->client = NULL;
+  }
+
+  GNUNET_free (ds);
+}
+
+
+static void
+keygen_session_destroy (struct KeygenSession *ks)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying keygen session\n");
+
+  GNUNET_CONTAINER_DLL_remove (keygen_sessions_head, keygen_sessions_tail, ks);
+
+  if (NULL != ks->client_mq)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying keygen MQ\n");
+    GNUNET_MQ_destroy (ks->client_mq);
+    ks->client_mq = NULL;
+  }
+
+  if (NULL != ks->client)
+  {
+    GNUNET_SERVER_client_disconnect (ks->client);
+    ks->client = NULL;
+  }
+
+  GNUNET_free (ks);
+}
+
+
 /**
  * Task run during shutdown.
  *
@@ -672,7 +705,11 @@ paillier_decrypt (gcry_mpi_t m, gcry_mpi_t c, gcry_mpi_t mu, gcry_mpi_t lambda,
 static void
 cleanup_task (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
 {
-  /* FIXME: do clean up here */
+  while (NULL != decrypt_sessions_head)
+    decrypt_session_destroy (decrypt_sessions_head);
+
+  while (NULL != keygen_sessions_head)
+    keygen_session_destroy (keygen_sessions_head);
 }
 
 
@@ -685,23 +722,31 @@ static void
 generate_presecret_polynomial (struct KeygenSession *ks)
 {
   int i;
+  gcry_mpi_t v;
+
   GNUNET_assert (NULL == ks->presecret_polynomial);
-  ks->presecret_polynomial = GNUNET_malloc (ks->threshold * sizeof (gcry_mpi_t));
+  ks->presecret_polynomial = GNUNET_new_array (ks->threshold, gcry_mpi_t);
   for (i = 0; i < ks->threshold; i++)
   {
-    ks->presecret_polynomial[i] = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS);
-    GNUNET_assert (0 != ks->presecret_polynomial[i]);
-    gcry_mpi_randomize (ks->presecret_polynomial[i], GNUNET_SECRETSHARING_KEY_BITS,
-                        GCRY_WEAK_RANDOM);
+    v = ks->presecret_polynomial[i] = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS);
+    GNUNET_assert (NULL != v);
+    // Randomize v such that 0 < v < elgamal_q.
+    // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
+    do 
+    {
+      gcry_mpi_randomize (v, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1, GCRY_WEAK_RANDOM);
+    } while ((gcry_mpi_cmp_ui (v, 0) == 0) || (gcry_mpi_cmp (v, elgamal_q) >= 0));
   }
 }
 
 
 /**
  * Consensus element handler for round one.
+ * We should get one ephemeral key for each peer.
  *
- * @param cls closure (keygen session)
- * @param element the element from consensus
+ * @param cls Closure (keygen session).
+ * @param element The element from consensus, or
+ *                NULL if consensus failed.
  */
 static void
 keygen_round1_new_element (void *cls,
@@ -717,6 +762,7 @@ keygen_round1_new_element (void *cls,
     return;
   }
 
+  /* elements have fixed size */
   if (element->size != sizeof (struct GNUNET_SECRETSHARING_KeygenCommitData))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
@@ -729,7 +775,6 @@ keygen_round1_new_element (void *cls,
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round1 element\n");
 
   d = element->data;
-
   info = get_keygen_peer_info (ks, &d->peer);
 
   if (NULL == info)
@@ -739,6 +784,7 @@ keygen_round1_new_element (void *cls,
     return;
   }
 
+  /* Check that the right amount of data has been signed. */
   if (d->purpose.size !=
       htonl (element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenCommitData, purpose)))
   {
@@ -752,11 +798,8 @@ keygen_round1_new_element (void *cls,
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "keygen commit data with invalid signature in consensus\n");
     return;
   }
-
-  GNUNET_assert (0 == gcry_mpi_scan (&info->paillier_n, GCRYMPI_FMT_USG,
-                                     &d->pubkey.n, sizeof d->pubkey.n, NULL));
-  GNUNET_assert (0 == gcry_mpi_scan (&info->presecret_commitment, GCRYMPI_FMT_USG,
-                                     &d->commitment, sizeof d->commitment, NULL));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&info->paillier_n, &d->pubkey.n, PAILLIER_BITS / 8);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&info->presecret_commitment, &d->pubkey.n, PAILLIER_BITS / 8);
   info->round1_valid = GNUNET_YES;
 }
 
@@ -796,16 +839,20 @@ keygen_round2_conclude (void *cls)
   unsigned int i;
   unsigned int j;
   struct GNUNET_SECRETSHARING_Share *share;
+  /* our share */
   gcry_mpi_t s;
+  /* public key */
   gcry_mpi_t h;
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "round2 conclude\n");
 
-  GNUNET_assert (0 != (s = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
-  GNUNET_assert (0 != (h = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
+  GNUNET_assert (0 != (s = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
+  GNUNET_assert (0 != (h = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
 
   // multiplicative identity
-  gcry_mpi_set_ui (s, 1);
+  gcry_mpi_set_ui (h, 1);
+  // additive identity
+  gcry_mpi_set_ui (s, 0);
 
   share = GNUNET_new (struct GNUNET_SECRETSHARING_Share);
 
@@ -820,6 +867,9 @@ keygen_round2_conclude (void *cls)
       GNUNET_new_array (share->num_peers, struct GNUNET_SECRETSHARING_FieldElement);
   share->original_indices = GNUNET_new_array (share->num_peers, uint16_t);
 
+  /* maybe we're not even in the list of peers? */
+  share->my_peer = share->num_peers;
+
   j = 0;
   for (i = 0; i < ks->num_peers; i++)
   {
@@ -829,13 +879,18 @@ keygen_round2_conclude (void *cls)
       gcry_mpi_mulm (h, h, ks->info[i].public_key_share, elgamal_p);
       share->peers[i] = ks->info[i].peer;
       share->original_indices[i] = j++;
+      if (0 == memcmp (&share->peers[i], &my_peer, sizeof (struct GNUNET_PeerIdentity)))
+        share->my_peer = i;
     }
   }
 
-  print_mpi_fixed (&share->my_share, s, GNUNET_SECRETSHARING_KEY_BITS / 8);
-  print_mpi_fixed (&share->public_key, h, GNUNET_SECRETSHARING_KEY_BITS / 8);
+  GNUNET_CRYPTO_mpi_print_unsigned (&share->my_share, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, s);
+  GNUNET_CRYPTO_mpi_print_unsigned (&share->public_key, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, h);
 
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen successful with %u peers\n", share->num_peers);
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen completed with %u peers\n", share->num_peers);
+
+  /* Write the share. If 0 peers completed the dkg, an empty
+   * share will be sent. */
 
   m = GNUNET_malloc (sizeof (struct GNUNET_SECRETSHARING_SecretReadyMessage) +
                      ks->num_peers * sizeof (struct GNUNET_PeerIdentity));
@@ -872,13 +927,19 @@ insert_round2_element (struct KeygenSession *ks)
   unsigned int i;
   gcry_mpi_t idx;
   gcry_mpi_t v;
+  gcry_mpi_t c;
 
-  GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
-  GNUNET_assert (0 != (idx = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting round2 element\n",
+              ks->local_peer_idx);
+
+  GNUNET_assert (NULL != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
+  GNUNET_assert (NULL != (idx = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
+  GNUNET_assert (NULL != (c = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
 
   element_size = (sizeof (struct GNUNET_SECRETSHARING_KeygenRevealData) +
-                  2 * GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->num_peers +
-                  1 * GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->threshold);
+                  GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers +
+                  GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold +
+                  PAILLIER_BITS * 2 / 8 * ks->num_peers);
 
   element = GNUNET_malloc (sizeof (struct GNUNET_SET_Element) + element_size);
   element->size = element_size;
@@ -887,6 +948,8 @@ insert_round2_element (struct KeygenSession *ks)
   d = (void *) element->data;
   d->peer = my_peer;
 
+  // start inserting vector elements
+  // after the fixed part of the element's data
   pos = (void *) &d[1];
   last_pos = pos + element_size;
 
@@ -895,38 +958,55 @@ insert_round2_element (struct KeygenSession *ks)
   {
     ptrdiff_t remaining = last_pos - pos;
     GNUNET_assert (remaining > 0);
-    gcry_mpi_set_ui (idx, i);
+    gcry_mpi_set_ui (idx, i + 1);
     // evaluate the polynomial
-    horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_p);
+    horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_q);
     // take g to the result
     gcry_mpi_powm (v, elgamal_g, v, elgamal_p);
-    print_mpi_fixed (pos, v, GNUNET_SECRETSHARING_KEY_BITS / 8);
-    pos += GNUNET_SECRETSHARING_KEY_BITS / 8;
+    GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, v);
+    pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8;
   }
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp preshares\n",
+              ks->local_peer_idx);
+
   // encrypted pre-shares
   for (i = 0; i < ks->num_peers; i++)
   {
     ptrdiff_t remaining = last_pos - pos;
     GNUNET_assert (remaining > 0);
     if (GNUNET_NO == ks->info[i].round1_valid)
-      gcry_mpi_set_ui (v, 0);
+    {
+      gcry_mpi_set_ui (c, 0);
+    }
     else
-      paillier_encrypt (v, ks->presecret_polynomial[0], ks->info[i].paillier_n);
-    print_mpi_fixed (pos, v, GNUNET_SECRETSHARING_KEY_BITS / 8);
-    pos += GNUNET_SECRETSHARING_KEY_BITS / 8;
+    {
+      gcry_mpi_set_ui (idx, i + 1);
+      // evaluate the polynomial
+      horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_q);
+      // encrypt the result
+      paillier_encrypt (c, v, ks->info[i].paillier_n);
+    }
+    GNUNET_CRYPTO_mpi_print_unsigned (pos, PAILLIER_BITS * 2 / 8, c);
+    pos += PAILLIER_BITS * 2 / 8;
   }
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed enc preshares\n",
+              ks->local_peer_idx);
+
   // exponentiated coefficients
   for (i = 0; i < ks->threshold; i++)
   {
     ptrdiff_t remaining = last_pos - pos;
     GNUNET_assert (remaining > 0);
     gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[i], elgamal_p);
-    print_mpi_fixed (pos, v, GNUNET_SECRETSHARING_KEY_BITS / 8);
-    pos += GNUNET_SECRETSHARING_KEY_BITS / 8;
+    GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, v);
+    pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8;
   }
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp coefficients\n",
+              ks->local_peer_idx);
+
   d->purpose.size = htonl (element_size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose));
   d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2);
   GNUNET_CRYPTO_eddsa_sign (my_peer_private_key, &d->purpose, &d->signature);
@@ -957,8 +1037,9 @@ keygen_round2_new_element (void *cls,
   }
 
   expected_element_size = (sizeof (struct GNUNET_SECRETSHARING_KeygenRevealData) +
-                  2 * GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->num_peers +
-                  1 * GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->threshold);
+                  GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers +
+                  PAILLIER_BITS / 8 * 2 * ks->num_peers +
+                  GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold);
 
   if (element->size != expected_element_size)
   {
@@ -1001,31 +1082,28 @@ keygen_round2_new_element (void *cls,
 
   pos = (void *) &d[1];
   // skip exponentiated pre-shares
-  pos += GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->num_peers;
+  pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers;
   // skip encrypted pre-shares
-  pos += PAILLIER_BITS / 8 * ks->num_peers;
+  pos += PAILLIER_BITS * 2 / 8 * ks->num_peers;
   // the first exponentiated coefficient is the public key share
-  GNUNET_assert (0 == gcry_mpi_scan (&info->public_key_share, GCRYMPI_FMT_USG,
-                                     pos, GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&info->public_key_share, pos, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 
   pos = (void *) &d[1];
   // skip exp. pre-shares
-  pos += GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->num_peers;
+  pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers;
   // skip to the encrypted value for our peer
-  pos += PAILLIER_BITS / 8 * ks->local_peer_idx;
+  pos += PAILLIER_BITS * 2 / 8 * ks->local_peer_idx;
 
-  GNUNET_assert (0 == gcry_mpi_scan (&c, GCRYMPI_FMT_USG,
-                                     pos, PAILLIER_BITS / 8, NULL));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&c, pos, PAILLIER_BITS * 2 / 8);
 
   GNUNET_assert (0 != (info->decrypted_preshare = mpi_new (0)));
 
-  paillier_decrypt (info->decrypted_preshare, c, ks->paillier_lambda, ks->paillier_mu,
+  paillier_decrypt (info->decrypted_preshare, c, ks->paillier_mu, ks->paillier_lambda,
                     ks->info[ks->local_peer_idx].paillier_n);
-
   // TODO: validate zero knowledge proofs
 
-  if (d->purpose.size !=
-      htons (element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose)))
+  if (ntohl (d->purpose.size) !=
+      element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "keygen reveal data with wrong signature purpose size in consensus\n");
     return;
@@ -1082,29 +1160,25 @@ insert_round1_element (struct KeygenSession *ks)
   // g^a_{i,0}
   gcry_mpi_t v;
   // big-endian representation of 'v'
-  unsigned char v_data[GNUNET_SECRETSHARING_KEY_BITS / 8];
+  unsigned char v_data[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
 
   element = GNUNET_malloc (sizeof *element + sizeof *d);
   d = (void *) &element[1];
   element->data = d;
   element->size = sizeof *d;
 
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "alloc'd size %u\n", sizeof *element + sizeof *d);
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "element size %u\n", element->size);
-
-
   d->peer = my_peer;
 
-  GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
+  GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
 
   gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[0], elgamal_p);
 
-  print_mpi_fixed (v_data, v, GNUNET_SECRETSHARING_KEY_BITS);
+  GNUNET_CRYPTO_mpi_print_unsigned (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, v);
 
-  GNUNET_CRYPTO_hash (v_data, GNUNET_SECRETSHARING_KEY_BITS / 8, &d->commitment);
+  GNUNET_CRYPTO_hash (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, &d->commitment);
 
-  print_mpi_fixed (d->pubkey.n, ks->info[ks->local_peer_idx].paillier_n,
-                   PAILLIER_BITS / 8);
+  GNUNET_CRYPTO_mpi_print_unsigned (d->pubkey.n, PAILLIER_BITS / 8,
+                                    ks->info[ks->local_peer_idx].paillier_n);
 
   d->purpose.size = htonl ((sizeof *d) - offsetof (struct GNUNET_SECRETSHARING_KeygenCommitData, purpose));
   d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1);
@@ -1158,7 +1232,7 @@ static void handle_client_keygen (void *cls,
   ks->consensus = GNUNET_CONSENSUS_create (cfg, ks->num_peers, ks->peers, &msg->session_id,
                                            keygen_round1_new_element, ks);
 
-  ks->info = GNUNET_malloc (ks->num_peers * sizeof (struct KeygenPeerInfo));
+  ks->info = GNUNET_new_array (ks->num_peers, struct KeygenPeerInfo);
 
   for (i = 0; i < ks->num_peers; i++)
     ks->info[i].peer = ks->peers[i];
@@ -1171,12 +1245,15 @@ static void handle_client_keygen (void *cls,
                    ks->paillier_lambda,
                    ks->paillier_mu);
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Generated paillier key pair\n", ks->local_peer_idx);
 
   generate_presecret_polynomial (ks);
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Generated presecret polynomial\n", ks->local_peer_idx);
+
   insert_round1_element (ks);
 
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "starting conclude of round 1\n");
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Concluding for round 1\n", ks->local_peer_idx);
 
   GNUNET_CONSENSUS_conclude (ks->consensus,
                              /* half the overall time */
@@ -1185,6 +1262,8 @@ static void handle_client_keygen (void *cls,
                              ks);
 
   GNUNET_SERVER_receive_done (client, GNUNET_OK);
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Waiting for round 1 elements ...\n", ks->local_peer_idx);
 }
 
 
@@ -1201,6 +1280,7 @@ decrypt_conclude (void *cls)
   gcry_mpi_t m;
   gcry_mpi_t tmp;
   gcry_mpi_t c_2;
+  gcry_mpi_t prod;
   unsigned int *indices;
   unsigned int num;
   unsigned int i;
@@ -1209,6 +1289,7 @@ decrypt_conclude (void *cls)
   GNUNET_assert (0 != (lagrange = gcry_mpi_new (0)));
   GNUNET_assert (0 != (m = gcry_mpi_new (0)));
   GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
+  GNUNET_assert (0 != (prod = gcry_mpi_new (0)));
 
   num = 0;
   for (i = 0; i < ds->share->num_peers; i++)
@@ -1219,30 +1300,36 @@ decrypt_conclude (void *cls)
   j = 0;
   for (i = 0; i < ds->share->num_peers; i++)
     if (NULL != ds->info[i].partial_decryption)
-      indices[j++] = ds->info[i].real_index;
+      indices[j++] = ds->info[i].original_index;
 
-  gcry_mpi_set_ui (m, 1);
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: decrypt conclude, with %u peers\n",
+              ds->share->my_peer, num);
 
+  gcry_mpi_set_ui (prod, 1);
   for (i = 0; i < num; i++)
   {
+
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: index of %u: %u\n",
+                ds->share->my_peer, i, indices[i]);
     compute_lagrange_coefficient (lagrange, indices[i], indices, num);
-    // w_j^{\lambda_j}
+    // w_i^{\lambda_i}
     gcry_mpi_powm (tmp, ds->info[indices[i]].partial_decryption, lagrange, elgamal_p);
-    gcry_mpi_mulm (m, m, tmp, elgamal_p);
-  }
 
-  GNUNET_assert (0 == gcry_mpi_scan (&c_2, GCRYMPI_FMT_USG, ds->ciphertext.c2_bits,
-                                     GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
+    // product of all exponentiated partiel decryptions ...
+    gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
+  }
 
-  // m <- c_2 / m
-  gcry_mpi_invm (m, m, elgamal_p);
-  gcry_mpi_mulm (m, c_2, m, elgamal_p);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&c_2, ds->ciphertext.c2_bits, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 
+  GNUNET_assert (0 != gcry_mpi_invm (prod, prod, elgamal_p));
+  gcry_mpi_mulm (m, c_2, prod, elgamal_p);
   ev = GNUNET_MQ_msg (msg, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE);
-  print_mpi_fixed (&msg->plaintext, m, GNUNET_SECRETSHARING_KEY_BITS / 8);
+  GNUNET_CRYPTO_mpi_print_unsigned (&msg->plaintext, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, m);
   msg->success = htonl (1);
   GNUNET_MQ_send (ds->client_mq, ev);
 
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "sent decrypt done to client\n");
+
   // FIXME: what if not enough peers participated?
 }
 
@@ -1291,8 +1378,8 @@ decrypt_new_element (void *cls,
 
   // FIXME: check NIZP first
 
-  GNUNET_assert (0 == gcry_mpi_scan (&info->partial_decryption,
-                                     GCRYMPI_FMT_USG, &d->partial_decryption, GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&info->partial_decryption, &d->partial_decryption,
+                                   GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 }
 
 static void
@@ -1303,22 +1390,37 @@ insert_decrypt_element (struct DecryptSession *ds)
   gcry_mpi_t x;
   gcry_mpi_t s;
 
-  GNUNET_assert (0 == gcry_mpi_scan (&x, GCRYMPI_FMT_USG, ds->ciphertext.c1_bits, GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
-  GNUNET_assert (0 == gcry_mpi_scan (&s, GCRYMPI_FMT_USG, &ds->share->my_share, GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element\n",
+              ds->share->my_peer);
+
+  GNUNET_CRYPTO_mpi_scan_unsigned (&x, &ds->ciphertext.c1_bits,
+                                   GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&s, &ds->share->my_share,
+                                   GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 
   gcry_mpi_powm (x, x, s, elgamal_p);
 
   element.data = (void *) &d;
   element.size = sizeof (struct GNUNET_SECRETSHARING_DecryptData);
+  element.type = 0;
 
+  /* make vagrind happy until we implement the real deal ... */
+  memset (&d.nizk_commit1, 0, sizeof d.nizk_commit1);
+  memset (&d.nizk_commit2, 0, sizeof d.nizk_commit2);
+  memset (&d.nizk_response, 0, sizeof d.nizk_response);
+
+  d.ciphertext = ds->ciphertext;
   d.peer = my_peer;
-  d.purpose.size = htonl (element.size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose));
+  d.purpose.size = htonl (element.size - offsetof (struct GNUNET_SECRETSHARING_DecryptData, purpose));
   d.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION);
+  
   GNUNET_CRYPTO_eddsa_sign (my_peer_private_key, &d.purpose, &d.signature);
 
-  print_mpi_fixed (&d.partial_decryption, x, GNUNET_SECRETSHARING_KEY_BITS / 8);
+  GNUNET_CRYPTO_mpi_print_unsigned (&d.partial_decryption, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, x);
 
   GNUNET_CONSENSUS_insert (ds->consensus, &element, NULL, NULL);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element done!\n",
+              ds->share->my_peer);
 }
 
 
@@ -1339,6 +1441,7 @@ static void handle_client_decrypt (void *cls,
       (const void *) message;
   struct DecryptSession *ds;
   struct GNUNET_HashCode session_id;
+  unsigned int i;
 
   ds = GNUNET_new (struct DecryptSession);
   // FIXME: check if session already exists
@@ -1359,52 +1462,82 @@ static void handle_client_decrypt (void *cls,
                                            ds->share->num_peers,
                                            ds->share->peers,
                                            &session_id,
-                                           decrypt_new_element,
+                                           &decrypt_new_element,
                                            ds);
 
+
+  ds->info = GNUNET_new_array (ds->share->num_peers, struct DecryptPeerInfo);
+  for (i = 0; i < ds->share->num_peers; i++)
+  {
+    ds->info[i].peer = ds->share->peers[i];
+    ds->info[i].original_index = ds->share->original_indices[i];
+  }
+
   insert_decrypt_element (ds);
 
   GNUNET_CONSENSUS_conclude (ds->consensus, ds->deadline, decrypt_conclude, ds);
+
+  GNUNET_SERVER_receive_done (client, GNUNET_OK);
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "decrypting with %u peers\n",
+              ds->share->num_peers);
 }
 
 
 static void
 init_crypto_constants (void)
 {
-  /* 1024-bit safe prime */
-  const char *elgamal_p_hex =
-      "0x08a347d3d69e8b2dd7d1b12a08dfbccbebf4ca"
-      "6f4269a0814e158a34312964d946b3ef22882317"
-      "2bcf30fc08f772774cb404f9bc002a6f66b09a79"
-      "d810d67c4f8cb3bedc6060e3c8ef874b1b64df71"
-      "6c7d2b002da880e269438d5a776e6b5f253c8df5"
-      "6a16b1c7ce58def07c03db48238aadfc52a354a2"
-      "7ed285b0c1675cad3f3";
-  /* 1023-bit Sophie Germain prime, q = (p-1)/2 */
-  const char *elgamal_q_hex =
-      "0x0451a3e9eb4f4596ebe8d895046fde65f5fa65"
-      "37a134d040a70ac51a1894b26ca359f79144118b"
-      "95e7987e047bb93ba65a027cde001537b3584d3c"
-      "ec086b3e27c659df6e303071e477c3a58db26fb8"
-      "b63e958016d4407134a1c6ad3bb735af929e46fa"
-      "b50b58e3e72c6f783e01eda411c556fe2951aa51"
-      "3f6942d860b3ae569f9";
-  /* generator of the unique size q subgroup of Z_p^* */
-  const char *elgamal_g_hex =
-      "0x05c00c36d2e822950087ef09d8252994adc4e4"
-      "8fe3ec70269f035b46063aff0c99b633fd64df43"
-      "02442e1914c829a41505a275438871f365e91c12"
-      "3d5303ef9e90f4b8cb89bf86cc9b513e74a72634"
-      "9cfd9f953674fab5d511e1c078fc72d72b34086f"
-      "c82b4b951989eb85325cb203ff98df76bc366bba"
-      "1d7024c3650f60d0da";
-
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX,
-                                     elgamal_q_hex, 0, NULL));
+                                     GNUNET_SECRETSHARING_ELGAMAL_Q_HEX, 0, NULL));
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX,
-                                     elgamal_p_hex, 0, NULL));
+                                     GNUNET_SECRETSHARING_ELGAMAL_P_HEX, 0, NULL));
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX,
-                                     elgamal_g_hex, 0, NULL));
+                                     GNUNET_SECRETSHARING_ELGAMAL_G_HEX, 0, NULL));
+}
+
+
+static struct KeygenSession *
+keygen_session_get (struct GNUNET_SERVER_Client *client)
+{
+  struct KeygenSession *ks;
+  for (ks = keygen_sessions_head; NULL != ks; ks = ks->next)
+    if (ks->client == client)
+      return ks;
+  return NULL;
+}
+
+static struct DecryptSession *
+decrypt_session_get (struct GNUNET_SERVER_Client *client)
+{
+  struct DecryptSession *ds;
+  for (ds = decrypt_sessions_head; NULL != ds; ds = ds->next)
+    if (ds->client == client)
+      return ds;
+  return NULL;
+}
+
+
+/**
+ * Clean up after a client has disconnected
+ *
+ * @param cls closure, unused
+ * @param client the client to clean up after
+ */
+static void
+handle_client_disconnect (void *cls, struct GNUNET_SERVER_Client *client)
+{
+  struct KeygenSession *ks;
+  struct DecryptSession *ds;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "handling client disconnect\n");
+
+  ks = keygen_session_get (client);
+  if (NULL != ks)
+    keygen_session_destroy (ks);
+
+  ds = decrypt_session_get (client);
+  if (NULL != ds)
+    decrypt_session_destroy (ds);
 }
 
 
@@ -1443,6 +1576,7 @@ run (void *cls, struct GNUNET_SERVER_Handle *server,
     return;
   }
   GNUNET_SERVER_add_handlers (server, handlers);
+  GNUNET_SERVER_disconnect_notify (server, &handle_client_disconnect, NULL);
   GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_FOREVER_REL, &cleanup_task,
                                 NULL);
 }
diff --git a/src/secretsharing/secretsharing.h b/src/secretsharing/secretsharing.h
index 232721410..e94ff46b7 100644
--- a/src/secretsharing/secretsharing.h
+++ b/src/secretsharing/secretsharing.h
@@ -40,7 +40,7 @@ struct GNUNET_SECRETSHARING_FieldElement
   /**
    * Value of an element in <elgamal_g>.
    */
-  unsigned char bits[GNUNET_SECRETSHARING_KEY_BITS / 8];
+  unsigned char bits[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
 };
 
 
@@ -107,6 +107,10 @@ struct GNUNET_SECRETSHARING_ShareHeaderNBO
 };
 
 
+/**
+ * Notify the client that then threshold secret has been
+ * established.
+ */
 struct GNUNET_SECRETSHARING_SecretReadyMessage
 {
   /**
diff --git a/src/secretsharing/secretsharing_api.c b/src/secretsharing/secretsharing_api.c
index d2b53acc7..1489a5c45 100644
--- a/src/secretsharing/secretsharing_api.c
+++ b/src/secretsharing/secretsharing_api.c
@@ -27,6 +27,7 @@
 #include "gnunet_util_lib.h"
 #include "gnunet_secretsharing_service.h"
 #include "secretsharing.h"
+#include <gcrypt.h>
 
 
 #define LOG(kind,...) GNUNET_log_from (kind, "secretsharing-api",__VA_ARGS__)
@@ -83,6 +84,40 @@ struct GNUNET_SECRETSHARING_DecryptionHandle
 };
 
 
+/**
+ * The ElGamal prime field order as libgcrypt mpi.
+ * Initialized in #init_crypto_constants.
+ */
+static gcry_mpi_t elgamal_q;
+
+/**
+ * Modulus of the prime field used for ElGamal.
+ * Initialized in #init_crypto_constants.
+ */
+static gcry_mpi_t elgamal_p;
+
+/**
+ * Generator for prime field of order 'elgamal_q'.
+ * Initialized in #init_crypto_constants.
+ */
+static gcry_mpi_t elgamal_g;
+
+
+static void
+ensure_elgamal_initialized (void)
+{
+  if (NULL != elgamal_q)
+    return; /* looks like crypto is already initialized */
+
+  GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX,
+                                     GNUNET_SECRETSHARING_ELGAMAL_Q_HEX, 0, NULL));
+  GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX,
+                                     GNUNET_SECRETSHARING_ELGAMAL_P_HEX, 0, NULL));
+  GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX,
+                                     GNUNET_SECRETSHARING_ELGAMAL_G_HEX, 0, NULL));
+}
+
+
 static void
 handle_session_client_error (void *cls, enum GNUNET_MQ_Error error)
 {
@@ -95,9 +130,12 @@ handle_session_client_error (void *cls, enum GNUNET_MQ_Error error)
 static void
 handle_decrypt_client_error (void *cls, enum GNUNET_MQ_Error error)
 {
-  GNUNET_assert (0);
+  struct GNUNET_SECRETSHARING_DecryptionHandle *dh = cls;
+  
+  dh->decrypt_cb (dh->decrypt_cls, NULL);
 }
 
+
 static void
 handle_secret_ready (void *cls, const struct GNUNET_MessageHeader *msg)
 {
@@ -116,6 +154,18 @@ handle_secret_ready (void *cls, const struct GNUNET_MessageHeader *msg)
                       share->num_peers,
                       (struct GNUNET_PeerIdentity *) &m[1]);
 
+  GNUNET_SECRETSHARING_session_destroy (session);
+}
+
+
+void
+GNUNET_SECRETSHARING_session_destroy (struct GNUNET_SECRETSHARING_Session *session)
+{
+  GNUNET_MQ_destroy (session->mq);
+  session->mq = NULL;
+  GNUNET_CLIENT_disconnect (session->client);
+  session->client = NULL;
+  GNUNET_free (session);
 }
 
 
@@ -169,7 +219,20 @@ GNUNET_SECRETSHARING_create_session (const struct GNUNET_CONFIGURATION_Handle *c
 static void
 handle_decrypt_done (void *cls, const struct GNUNET_MessageHeader *msg)
 {
-  GNUNET_assert (0);
+  struct GNUNET_SECRETSHARING_DecryptionHandle *dh = cls;
+  const struct GNUNET_SECRETSHARING_DecryptResponseMessage *m =
+      (const void *) msg;
+
+  const struct GNUNET_SECRETSHARING_Plaintext *plaintext;
+
+  if (m->success == 0)
+    plaintext = NULL;
+  else
+    plaintext = (void *) &m->plaintext;
+
+  dh->decrypt_cb (dh->decrypt_cls, plaintext);
+
+  GNUNET_SECRETSHARING_decrypt_cancel (dh);
 }
 
 
@@ -187,9 +250,9 @@ handle_decrypt_done (void *cls, const struct GNUNET_MessageHeader *msg)
  * @return handle to cancel the operation
  */
 struct GNUNET_SECRETSHARING_DecryptionHandle *
-GNUNET_SECRETSHARING_decrypt (struct GNUNET_CONFIGURATION_Handle *cfg,
+GNUNET_SECRETSHARING_decrypt (const struct GNUNET_CONFIGURATION_Handle *cfg,
                               struct GNUNET_SECRETSHARING_Share *share,
-                              struct GNUNET_SECRETSHARING_Ciphertext *ciphertext,
+                              const struct GNUNET_SECRETSHARING_Ciphertext *ciphertext,
                               struct GNUNET_TIME_Absolute deadline,
                               GNUNET_SECRETSHARING_DecryptCallback decrypt_cb,
                               void *decrypt_cb_cls)
@@ -223,6 +286,7 @@ GNUNET_SECRETSHARING_decrypt (struct GNUNET_CONFIGURATION_Handle *cfg,
   GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, &msg[1], share_size, NULL));
 
   msg->deadline = GNUNET_TIME_absolute_hton (deadline);
+  msg->ciphertext = *ciphertext;
 
   GNUNET_MQ_send (s->mq, ev);
 
@@ -231,3 +295,112 @@ GNUNET_SECRETSHARING_decrypt (struct GNUNET_CONFIGURATION_Handle *cfg,
 }
 
 
+int
+GNUNET_SECRETSHARING_plaintext_generate_i (struct GNUNET_SECRETSHARING_Plaintext *plaintext,
+                                           int64_t exponent)
+{
+  int negative;
+  gcry_mpi_t x;
+
+  ensure_elgamal_initialized ();
+
+  GNUNET_assert (NULL != (x = gcry_mpi_new (0)));
+
+  negative = GNUNET_NO;
+  if (exponent < 0)
+  {
+    negative = GNUNET_YES;
+    exponent = -exponent;
+  }
+
+  gcry_mpi_set_ui (x, exponent);
+
+  gcry_mpi_powm (x, elgamal_g, x, elgamal_p);
+
+  if (GNUNET_YES == negative)
+  {
+    int res;
+    res = gcry_mpi_invm (x, x, elgamal_p);
+    if (0 == res)
+      return GNUNET_SYSERR;
+  }
+
+  GNUNET_CRYPTO_mpi_print_unsigned (plaintext, sizeof (struct GNUNET_SECRETSHARING_Plaintext), x);
+
+  return GNUNET_OK;
+}
+
+
+/**
+ * Encrypt a value.  This operation is executed locally, no communication is
+ * necessary.
+ *
+ * This is a helper function, encryption can be done soley with a session's public key
+ * and the crypto system parameters.
+ *
+ * @param public_key public key to use for decryption
+ * @param message message to encrypt
+ * @param message_size number of bytes in @a message
+ * @param result_ciphertext pointer to store the resulting ciphertext
+ * @return #GNUNET_YES on succes, #GNUNET_SYSERR if the message is invalid (invalid range)
+ */
+int
+GNUNET_SECRETSHARING_encrypt (const struct GNUNET_SECRETSHARING_PublicKey *public_key,
+                              const struct GNUNET_SECRETSHARING_Plaintext *plaintext,
+                              struct GNUNET_SECRETSHARING_Ciphertext *result_ciphertext)
+{
+  /* pubkey */
+  gcry_mpi_t h;
+  /* nonce */
+  gcry_mpi_t y;
+  /* plaintext message */
+  gcry_mpi_t m;
+  /* temp value */
+  gcry_mpi_t tmp;
+
+  ensure_elgamal_initialized ();
+
+  GNUNET_assert (NULL != (h = gcry_mpi_new (0)));
+  GNUNET_assert (NULL != (y = gcry_mpi_new (0)));
+  GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
+
+  GNUNET_CRYPTO_mpi_scan_unsigned (&h, public_key, sizeof *public_key);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&m, plaintext, sizeof *plaintext);
+
+  // Randomize y such that 0 < y < elgamal_q.
+  // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
+  do 
+  {
+    gcry_mpi_randomize (y, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1, GCRY_WEAK_RANDOM);
+  } while ((gcry_mpi_cmp_ui (y, 0) == 0) || (gcry_mpi_cmp (y, elgamal_q) >= 0));
+
+  // tmp <- g^y
+  gcry_mpi_powm (tmp, elgamal_g, y, elgamal_p);
+  // write tmp to c1
+  GNUNET_CRYPTO_mpi_print_unsigned (&result_ciphertext->c1_bits,
+                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
+  
+  // tmp <- h^y
+  gcry_mpi_powm (tmp, h, y, elgamal_p);
+  // tmp <- tmp * m 
+  gcry_mpi_mulm (tmp, tmp, m, elgamal_p);
+  // write tmp to c2
+  GNUNET_CRYPTO_mpi_print_unsigned (&result_ciphertext->c2_bits,
+                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
+
+  return GNUNET_OK;
+}
+
+
+void
+GNUNET_SECRETSHARING_decrypt_cancel (struct GNUNET_SECRETSHARING_DecryptionHandle *h)
+{
+  GNUNET_MQ_destroy (h->mq);
+  h->mq = NULL;
+  GNUNET_CLIENT_disconnect (h->client);
+  h->client = NULL;
+  GNUNET_free (h);
+}
+
+
+
diff --git a/src/secretsharing/secretsharing_common.c b/src/secretsharing/secretsharing_common.c
index 9f1e4900b..9f21a1102 100644
--- a/src/secretsharing/secretsharing_common.c
+++ b/src/secretsharing/secretsharing_common.c
@@ -94,7 +94,7 @@ GNUNET_SECRETSHARING_share_write (const struct GNUNET_SECRETSHARING_Share *share
   char *p;
   int n;
 
-  payload_size = ntohs (sh->num_peers) * 
+  payload_size = ntohs (share->num_peers) * 
       (sizeof (uint16_t) + sizeof (struct GNUNET_SECRETSHARING_FieldElement) + 
        sizeof (struct GNUNET_PeerIdentity));
 
@@ -134,3 +134,4 @@ GNUNET_SECRETSHARING_share_write (const struct GNUNET_SECRETSHARING_Share *share
   return GNUNET_OK;
 }
 
+
diff --git a/src/secretsharing/test_secretsharing.conf b/src/secretsharing/test_secretsharing.conf
index 9cbb95608..6ce865e3a 100644
--- a/src/secretsharing/test_secretsharing.conf
+++ b/src/secretsharing/test_secretsharing.conf
@@ -1,6 +1,6 @@
 [secretsharing]
 AUTOSTART = YES
-PREFIX = valgrind
+#PREFIX = valgrind
 
 [consensus]
 AUTOSTART = YES
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index 98af961d5..b502adb4b 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -91,6 +91,7 @@ libgnunetutil_la_SOURCES = \
   crypto_hash.c \
   crypto_hkdf.c \
   crypto_kdf.c \
+  crypto_mpi.c \
   crypto_random.c \
   disk.c \
   disk.h \
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c
index 6bd96b365..71b8470fe 100644
--- a/src/util/crypto_ecc.c
+++ b/src/util/crypto_ecc.c
@@ -133,72 +133,6 @@ adjust (unsigned char *buf,
 
 
 /**
- * Output the given MPI value to the given buffer.
- *
- * @param buf where to output to
- * @param size number of bytes in @a buf
- * @param val value to write to @a buf
- */
-static void
-mpi_print (unsigned char *buf,
-           size_t size,
-           gcry_mpi_t val)
-{
-  size_t rsize;
-
-  if (gcry_mpi_get_flag (val, GCRYMPI_FLAG_OPAQUE))
-    {
-      /* Store opaque MPIs left aligned into the buffer.  */
-      unsigned int nbits;
-      const void *p;
-
-      p = gcry_mpi_get_opaque (val, &nbits);
-      GNUNET_assert (p);
-      rsize = (nbits+7)/8;
-      if (rsize > size)
-        rsize = size;
-      memcpy (buf, p, rsize);
-      if (rsize < size)
-        memset (buf+rsize, 0, size - rsize);
-    }
-  else
-    {
-      /* Store regular MPIs as unsigned integers right aligned into
-         the buffer.  */
-      rsize = size;
-      GNUNET_assert (0 ==
-                     gcry_mpi_print (GCRYMPI_FMT_USG, buf, rsize, &rsize,
-                                     val));
-      adjust (buf, rsize, size);
-    }
-}
-
-
-/**
- * Convert data buffer into MPI value.
- *
- * @param result where to store MPI value (allocated)
- * @param data raw data (GCRYMPI_FMT_USG)
- * @param size number of bytes in @a data
- */
-static void
-mpi_scan (gcry_mpi_t *result,
-          const unsigned char *data,
-          size_t size)
-{
-  int rc;
-
-  if (0 != (rc = gcry_mpi_scan (result,
-                                GCRYMPI_FMT_USG,
-                                data, size, &size)))
-  {
-    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
-    GNUNET_assert (0);
-  }
-}
-
-
-/**
  * Convert the given private key from the network format to the
  * S-expression that can be used by libgcrypt.
  *
@@ -317,7 +251,7 @@ GNUNET_CRYPTO_ecdsa_key_get_public (const struct GNUNET_CRYPTO_EcdsaPrivateKey *
   gcry_sexp_release (sexp);
   q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
   GNUNET_assert (q);
-  mpi_print (pub->q_y, sizeof (pub->q_y), q);
+  GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof (pub->q_y), q);
   gcry_mpi_release (q);
   gcry_ctx_release (ctx);
 }
@@ -343,7 +277,7 @@ GNUNET_CRYPTO_eddsa_key_get_public (const struct GNUNET_CRYPTO_EddsaPrivateKey *
   gcry_sexp_release (sexp);
   q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
   GNUNET_assert (q);
-  mpi_print (pub->q_y, sizeof (pub->q_y), q);
+  GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof (pub->q_y), q);
   gcry_mpi_release (q);
   gcry_ctx_release (ctx);
 }
@@ -369,7 +303,7 @@ GNUNET_CRYPTO_ecdhe_key_get_public (const struct GNUNET_CRYPTO_EcdhePrivateKey *
   gcry_sexp_release (sexp);
   q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
   GNUNET_assert (q);
-  mpi_print (pub->q_y, sizeof (pub->q_y), q);
+  GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof (pub->q_y), q);
   gcry_mpi_release (q);
   gcry_ctx_release (ctx);
 }
@@ -578,7 +512,7 @@ GNUNET_CRYPTO_ecdhe_key_create ()
   }
   gcry_sexp_release (priv_sexp);
   priv = GNUNET_new (struct GNUNET_CRYPTO_EcdhePrivateKey);
-  mpi_print (priv->d, sizeof (priv->d), d);
+  GNUNET_CRYPTO_mpi_print_unsigned (priv->d, sizeof (priv->d), d);
   gcry_mpi_release (d);
   return priv;
 }
@@ -628,7 +562,7 @@ GNUNET_CRYPTO_ecdsa_key_create ()
   }
   gcry_sexp_release (priv_sexp);
   priv = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey);
-  mpi_print (priv->d, sizeof (priv->d), d);
+  GNUNET_CRYPTO_mpi_print_unsigned (priv->d, sizeof (priv->d), d);
   gcry_mpi_release (d);
   return priv;
 }
@@ -677,7 +611,7 @@ GNUNET_CRYPTO_eddsa_key_create ()
   }
   gcry_sexp_release (priv_sexp);
   priv = GNUNET_new (struct GNUNET_CRYPTO_EddsaPrivateKey);
-  mpi_print (priv->d, sizeof (priv->d), d);
+  GNUNET_CRYPTO_mpi_print_unsigned (priv->d, sizeof (priv->d), d);
   gcry_mpi_release (d);
   return priv;
 }
@@ -700,7 +634,7 @@ GNUNET_CRYPTO_ecdsa_key_get_anonymous ()
 
   if (once)
     return &anonymous;
-  mpi_print (anonymous.d,
+  GNUNET_CRYPTO_mpi_print_unsigned (anonymous.d,
              sizeof (anonymous.d),
              GCRYMPI_CONST_ONE);
   once = 1;
@@ -1222,8 +1156,8 @@ GNUNET_CRYPTO_ecdsa_sign (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
     return GNUNET_SYSERR;
   }
   gcry_sexp_release (sig_sexp);
-  mpi_print (sig->r, sizeof (sig->r), rs[0]);
-  mpi_print (sig->s, sizeof (sig->s), rs[1]);
+  GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof (sig->r), rs[0]);
+  GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof (sig->s), rs[1]);
   gcry_mpi_release (rs[0]);
   gcry_mpi_release (rs[1]);
   return GNUNET_OK;
@@ -1272,8 +1206,8 @@ GNUNET_CRYPTO_eddsa_sign (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
     return GNUNET_SYSERR;
   }
   gcry_sexp_release (sig_sexp);
-  mpi_print (sig->r, sizeof (sig->r), rs[0]);
-  mpi_print (sig->s, sizeof (sig->s), rs[1]);
+  GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof (sig->r), rs[0]);
+  GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof (sig->s), rs[1]);
   gcry_mpi_release (rs[0]);
   gcry_mpi_release (rs[1]);
   return GNUNET_OK;
@@ -1425,7 +1359,7 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
   q = gcry_mpi_ec_get_point ("q", ctx, 0);
 
   /* second, extract the d value from our private key */
-  mpi_scan (&d, priv->d, sizeof (priv->d));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d));
 
   /* then call the 'multiply' function, to compute the product */
   result = gcry_mpi_point_new (0);
@@ -1447,7 +1381,7 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
 
   rsize = sizeof (xbuf);
   GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE));
-  /* result_x can be negative here, so we do not use 'mpi_print'
+  /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned'
      as that does not include the sign bit; x should be a 255-bit
      value, so with the sign it should fit snugly into the 256-bit
      xbuf */
@@ -1484,7 +1418,7 @@ derive_h (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
                      label, strlen (label),
                      context, strlen (context),
                      NULL, 0);
-  mpi_scan (&h, (unsigned char *) &hc, sizeof (hc));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof (hc));
   return h;
 }
 
@@ -1520,7 +1454,7 @@ GNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateK
   GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);
 
   h = derive_h (&pub, label, context);
-  mpi_scan (&x, priv->d, sizeof (priv->d));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&x, priv->d, sizeof (priv->d));
   d = gcry_mpi_new (256);
   gcry_mpi_mulm (d, h, x, n);
   gcry_mpi_release (h);
@@ -1528,7 +1462,7 @@ GNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateK
   gcry_mpi_release (n);
   gcry_ctx_release (ctx);
   ret = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey);
-  mpi_print (ret->d, sizeof (ret->d), d);
+  GNUNET_CRYPTO_mpi_print_unsigned (ret->d, sizeof (ret->d), d);
   gcry_mpi_release (d);
   return ret;
 }
@@ -1588,7 +1522,7 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey
   gcry_mpi_point_release (v);
   q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
   GNUNET_assert (q_y);
-  mpi_print (result->q_y, sizeof result->q_y, q_y);
+  GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof result->q_y, q_y);
   gcry_mpi_release (q_y);
   gcry_ctx_release (ctx);
 }
diff --git a/src/util/crypto_mpi.c b/src/util/crypto_mpi.c
new file mode 100644
index 000000000..8e52424cf
--- /dev/null
+++ b/src/util/crypto_mpi.c
@@ -0,0 +1,132 @@
+/*
+     This file is part of GNUnet.
+     (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+
+     GNUnet is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published
+     by the Free Software Foundation; either version 3, or (at your
+     option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     General Public License for more details.
+
+     You should have received a copy of the GNU General Public License
+     along with GNUnet; see the file COPYING.  If not, write to the
+     Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+     Boston, MA 02111-1307, USA.
+*/
+
+/**
+ * @file util/crypto_mpi.c
+ * @brief Helper functions for libgcrypt MPIs
+ * @author Christian Grothoff
+ * @author Florian Dold
+ */
+#include "platform.h"
+#include <gcrypt.h>
+#include "gnunet_util_lib.h"
+
+
+#define LOG(kind,...) GNUNET_log_from (kind, "util", __VA_ARGS__)
+
+/**
+ * Log an error message at log-level 'level' that indicates
+ * a failure of the command 'cmd' with the message given
+ * by gcry_strerror(rc).
+ */
+#define LOG_GCRY(level, cmd, rc) do { LOG(level, _("`%s' failed at %s:%d with error: %s\n"), cmd, __FILE__, __LINE__, gcry_strerror(rc)); } while(0)
+
+
+/**
+ * If target != size, move @a target bytes to the end of the size-sized
+ * buffer and zero out the first @a target - @a size bytes.
+ *
+ * @param buf original buffer
+ * @param size number of bytes in @a buf
+ * @param target target size of the buffer
+ */
+static void
+adjust (void *buf,
+        size_t size,
+        size_t target)
+{
+  if (size < target)
+  {
+    memmove (&buf[target - size], buf, size);
+    memset (buf, 0, target - size);
+  }
+}
+
+
+/**
+ * Output the given MPI value to the given buffer in
+ * network byte order.
+ * The MPI @a val may not be negative.
+ *
+ * @param buf where to output to
+ * @param size number of bytes in @a buf
+ * @param val value to write to @a buf
+ */
+void
+GNUNET_CRYPTO_mpi_print_unsigned (void *buf,
+                                  size_t size,
+                                  gcry_mpi_t val)
+{
+  size_t rsize;
+
+  if (gcry_mpi_get_flag (val, GCRYMPI_FLAG_OPAQUE))
+  {
+    /* Store opaque MPIs left aligned into the buffer.  */
+    unsigned int nbits;
+    const void *p;
+
+    p = gcry_mpi_get_opaque (val, &nbits);
+    GNUNET_assert (p);
+    rsize = (nbits+7)/8;
+    if (rsize > size)
+      rsize = size;
+    memcpy (buf, p, rsize);
+    if (rsize < size)
+      memset (buf+rsize, 0, size - rsize);
+  }
+  else
+  {
+    /* Store regular MPIs as unsigned integers right aligned into
+       the buffer.  */
+    rsize = size;
+    GNUNET_assert (0 ==
+                   gcry_mpi_print (GCRYMPI_FMT_USG, buf, rsize, &rsize,
+                                   val));
+    adjust (buf, rsize, size);
+  }
+}
+
+
+/**
+ * Convert data buffer into MPI value.
+ * The buffer is interpreted as network
+ * byte order, unsigned integer.
+ *
+ * @param result where to store MPI value (allocated)
+ * @param data raw data (GCRYMPI_FMT_USG)
+ * @param size number of bytes in @a data
+ */
+void
+GNUNET_CRYPTO_mpi_scan_unsigned (gcry_mpi_t *result,
+                                 const void *data,
+                                 size_t size)
+{
+  int rc;
+
+  if (0 != (rc = gcry_mpi_scan (result,
+                                GCRYMPI_FMT_USG,
+                                data, size, &size)))
+  {
+    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
+    GNUNET_assert (0);
+  }
+}
+
+/* end of crypto_mpi.c */