1 files changed, 320 insertions, 186 deletions

diff --git a/src/secretsharing/gnunet-service-secretsharing.c b/src/secretsharing/gnunet-service-secretsharing.c
index 38dabc3a8..1fcc4e351 100644
--- a/src/secretsharing/gnunet-service-secretsharing.c
+++ b/src/secretsharing/gnunet-service-secretsharing.c
@@ -33,6 +33,9 @@
 #include <gcrypt.h>
 
 
+#define EXTRA_CHECKS 1
+
+
 /**
  * Info about a peer in a key generation session.
  */
@@ -45,6 +48,7 @@ struct KeygenPeerInfo
 
   /**
    * The peer's paillier public key.
+   * Freshly generated for each keygen session.
    */
   gcry_mpi_t paillier_n;
 
@@ -92,7 +96,7 @@ struct DecryptPeerInfo
    * Original index in the key generation round.
    * Necessary for computing the lagrange coefficients.
    */
-  unsigned int real_index;
+  unsigned int original_index;
 
   /**
    * Set to the partial decryption of
@@ -323,52 +327,11 @@ static struct GNUNET_SERVER_Handle *srv;
 
 
 /**
- * If target != size, move @a target bytes to the end of the size-sized
- * buffer and zero out the first @a target - @a size bytes.
- *
- * @param buf original buffer
- * @param size number of bytes in @a buf
- * @param target target size of the buffer
- */
-static void
-adjust (unsigned char *buf,
-        size_t size,
-        size_t target)
-{
-  if (size < target)
-  {
-    memmove (&buf[target - size], buf, size);
-    memset (buf, 0, target - size);
-  }
-}
-
-
-/**
- * Print an MPI to a buffer, so that is contains the MPI's
- * the little endian representation of size @a size.
- *
- * @param buf buffer to write to
- * @param x mpi to be written in the buffer
- * @param size how many bytes should the little endian binary
- *             representation of @a x use?
- */
-static void
-print_mpi_fixed (void *buf, gcry_mpi_t x, size_t size)
-{
-  size_t written;
-  GNUNET_assert (0 == gcry_mpi_print (GCRYMPI_FMT_USG,
-                                      buf, size, &written,
-                                      x));
-  adjust (buf, written, size);
-}
-
-
-/**
  * Get the peer info belonging to a peer identity in a keygen session.
  *
- * @param ks the keygen session
- * @param peer the peer identity
- * @return the keygen peer info, or NULL if the peer could not be found
+ * @param ks The keygen session.
+ * @param peer The peer identity.
+ * @return The Keygen peer info, or NULL if the peer could not be found.
  */
 static struct KeygenPeerInfo *
 get_keygen_peer_info (const struct KeygenSession *ks,
@@ -385,13 +348,13 @@ get_keygen_peer_info (const struct KeygenSession *ks,
 /**
  * Get the peer info belonging to a peer identity in a decrypt session.
  *
- * @param ks the decrypt session
- * @param peer the peer identity
- * @return the decrypt peer info, or NULL if the peer could not be found
+ * @param ks The decrypt session.
+ * @param peer The peer identity.
+ * @return The decrypt peer info, or NULL if the peer could not be found.
  */
 static struct DecryptPeerInfo *
 get_decrypt_peer_info (const struct DecryptSession *ds,
-                      const struct GNUNET_PeerIdentity *peer)
+                       const struct GNUNET_PeerIdentity *peer)
 {
   unsigned int i;
   for (i = 0; i < ds->share->num_peers; i++)
@@ -428,8 +391,8 @@ time_between (struct GNUNET_TIME_Absolute start,
 /**
  * Compare two peer identities.  Indended to be used with qsort or bsearch.
  *
- * @param p1 some peer identity
- * @param p2 some peer identity
+ * @param p1 Some peer identity.
+ * @param p2 Some peer identity.
  * @return 1 if p1 > p2, -1 if p1 < p2 and 0 if p1 == p2.
  */
 static int
@@ -442,10 +405,10 @@ peer_id_cmp (const void *p1, const void *p2)
 /**
  * Get the index of a peer in an array of peers
  *
- * @param haystack array of peers
- * @param n size of @a haystack
- * @param needle peer to find
- * @return index of @a needle in @a haystack, or -1 if peer
+ * @param haystack Array of peers.
+ * @param n Size of @a haystack.
+ * @param needle Peer to find
+ * @return Index of @a needle in @a haystack, or -1 if peer
  *         is not in the list.
  */
 static int
@@ -464,11 +427,11 @@ peer_find (const struct GNUNET_PeerIdentity *haystack, unsigned int n,
  * Normalize the given list of peers, by including the local peer
  * (if it is missing) and sorting the peers by their identity.
  *
- * @param listed peers in the unnormalized list
- * @param num_listed peers in the un-normalized list
- * @param[out] num_normalized number of peers in the normalized list
- * @param[out] my_peer_idx index of the local peer in the normalized list
- * @return normalized list, must be free'd by the caller
+ * @param listed Peers in the unnormalized list.
+ * @param num_listed Peers in the un-normalized list.
+ * @param[out] num_normalized Number of peers in the normalized list.
+ * @param[out] my_peer_idx Index of the local peer in the normalized list.
+ * @return Normalized list, must be free'd by the caller.
  */
 static struct GNUNET_PeerIdentity *
 normalize_peers (struct GNUNET_PeerIdentity *listed,
@@ -477,6 +440,7 @@ normalize_peers (struct GNUNET_PeerIdentity *listed,
                  unsigned int *my_peer_idx)
 {
   unsigned int local_peer_in_list;
+  /* number of peers in the normalized list */
   unsigned int n;
   struct GNUNET_PeerIdentity *normalized;
 
@@ -506,10 +470,10 @@ normalize_peers (struct GNUNET_PeerIdentity *listed,
 
 
 /**
- * Get a the j-th lagrage coefficient for a set of indices.
+ * Get a the j-th lagrange coefficient for a set of indices.
  *
  * @param[out] coeff the lagrange coefficient
- * @param j lagrage coefficient we want to compute
+ * @param j lagrange coefficient we want to compute
  * @param indices indices
  * @param num number of indices in @a indices
  */
@@ -518,7 +482,7 @@ compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j,
                               unsigned int *indices,
                               unsigned int num)
 {
-  int i;
+  unsigned int i;
   /* numerator */
   gcry_mpi_t n;
   /* denominator */
@@ -535,22 +499,27 @@ compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j,
   gcry_mpi_set_ui (n, 1);
   gcry_mpi_set_ui (d, 1);
 
-  gcry_mpi_set_ui (coeff, 0);
   for (i = 0; i < num; i++)
   {
-    int l = indices[i];
+    unsigned int l = indices[i];
     if (l == j)
       continue;
-    gcry_mpi_mul_ui (n, n, l);
+    gcry_mpi_mul_ui (n, n, l + 1);
     // d <- d * (l-j)
-    gcry_mpi_set_ui (tmp, l);
-    gcry_mpi_sub_ui (tmp, tmp, j);
+    gcry_mpi_set_ui (tmp, l + 1);
+    gcry_mpi_sub_ui (tmp, tmp, j + 1);
     gcry_mpi_mul (d, d, tmp);
   }
 
+  // gcry_mpi_invm does not like negative numbers ...
+  gcry_mpi_mod (d, d, elgamal_q);
+
+  GNUNET_assert (gcry_mpi_cmp_ui (d, 0) > 0);
+
   // now we do the actual division, with everything mod q, as we
-  // are not operating on elemets from <g>, but on exponents
-  GNUNET_assert (0 == gcry_mpi_invm (d, d, elgamal_q));
+  // are not operating on elements from <g>, but on exponents
+  GNUNET_assert (0 != gcry_mpi_invm (d, d, elgamal_q));
+
   gcry_mpi_mulm (coeff, n, d, elgamal_q);
 
   gcry_mpi_release (n);
@@ -580,11 +549,22 @@ paillier_create (gcry_mpi_t n, gcry_mpi_t lambda, gcry_mpi_t mu)
   GNUNET_assert (0 != (phi = gcry_mpi_new (PAILLIER_BITS)));
   GNUNET_assert (0 != (tmp = gcry_mpi_new (PAILLIER_BITS)));
 
-  // generate rsa modulus
-  GNUNET_assert (0 == gcry_prime_generate (&p, PAILLIER_BITS / 2, 0, NULL, NULL, NULL,
-                                           GCRY_WEAK_RANDOM, 0));
-  GNUNET_assert (0 == gcry_prime_generate (&q, PAILLIER_BITS / 2, 0, NULL, NULL, NULL,
+  p = q = NULL;
+
+  // Generate two distinct primes.
+  // The probability that the loop body
+  // is executed more than once is very low.
+  do {
+    if (NULL != p)
+      gcry_mpi_release (p);
+    if (NULL != q)
+      gcry_mpi_release (q);
+    // generate rsa modulus
+    GNUNET_assert (0 == gcry_prime_generate (&p, PAILLIER_BITS / 2, 0, NULL, NULL, NULL,
+                                             GCRY_WEAK_RANDOM, 0));
+    GNUNET_assert (0 == gcry_prime_generate (&q, PAILLIER_BITS / 2, 0, NULL, NULL, NULL,
                                            GCRY_WEAK_RANDOM, 0));
+  } while (0 == gcry_mpi_cmp (p, q));
   gcry_mpi_mul (n, p, q);
   // compute phi(n) = (p-1)(q-1)
   gcry_mpi_sub_ui (phi, p, 1);
@@ -604,7 +584,7 @@ paillier_create (gcry_mpi_t n, gcry_mpi_t lambda, gcry_mpi_t mu)
 /**
  * Encrypt a value using Paillier's scheme.
  *
- * @param c resulting ciphertext
+ * @param[out] c resulting ciphertext
  * @param m plaintext to encrypt
  * @param n n-component of public key
  */
@@ -628,7 +608,7 @@ paillier_encrypt (gcry_mpi_t c, gcry_mpi_t m, gcry_mpi_t n)
   {
     gcry_mpi_randomize (r, PAILLIER_BITS, GCRY_WEAK_RANDOM);
   }
-  while (gcry_mpi_cmp (r, n) > 0);
+  while (gcry_mpi_cmp (r, n) >= 0);
 
   gcry_mpi_powm (c, g, m, n_square);
   gcry_mpi_powm (r, r, n, n_square);
@@ -636,6 +616,7 @@ paillier_encrypt (gcry_mpi_t c, gcry_mpi_t m, gcry_mpi_t n)
 
   gcry_mpi_release (n_square);
   gcry_mpi_release (r);
+  gcry_mpi_release (g);
 }
 
 
@@ -652,17 +633,69 @@ static void
 paillier_decrypt (gcry_mpi_t m, gcry_mpi_t c, gcry_mpi_t mu, gcry_mpi_t lambda, gcry_mpi_t n)
 {
   gcry_mpi_t n_square;
+
   GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
+
   gcry_mpi_mul (n_square, n, n);
+  // m = c^lambda mod n^2
   gcry_mpi_powm (m, c, lambda, n_square);
+  // m = m - 1
   gcry_mpi_sub_ui (m, m, 1);
-  // m = m/n
+  // m <- m/n
   gcry_mpi_div (m, NULL, m, n, 0);
   gcry_mpi_mulm (m, m, mu, n);
   gcry_mpi_release (n_square);
 }
 
 
+static void
+decrypt_session_destroy (struct DecryptSession *ds)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying decrypt session\n");
+
+  GNUNET_CONTAINER_DLL_remove (decrypt_sessions_head, decrypt_sessions_tail, ds);
+
+  if (NULL != ds->client_mq)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying decrypt MQ\n");
+    GNUNET_MQ_destroy (ds->client_mq);
+    ds->client_mq = NULL;
+  }
+
+  if (NULL != ds->client)
+  {
+    GNUNET_SERVER_client_disconnect (ds->client);
+    ds->client = NULL;
+  }
+
+  GNUNET_free (ds);
+}
+
+
+static void
+keygen_session_destroy (struct KeygenSession *ks)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying keygen session\n");
+
+  GNUNET_CONTAINER_DLL_remove (keygen_sessions_head, keygen_sessions_tail, ks);
+
+  if (NULL != ks->client_mq)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying keygen MQ\n");
+    GNUNET_MQ_destroy (ks->client_mq);
+    ks->client_mq = NULL;
+  }
+
+  if (NULL != ks->client)
+  {
+    GNUNET_SERVER_client_disconnect (ks->client);
+    ks->client = NULL;
+  }
+
+  GNUNET_free (ks);
+}
+
+
 /**
  * Task run during shutdown.
  *
@@ -672,7 +705,11 @@ paillier_decrypt (gcry_mpi_t m, gcry_mpi_t c, gcry_mpi_t mu, gcry_mpi_t lambda,
 static void
 cleanup_task (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
 {
-  /* FIXME: do clean up here */
+  while (NULL != decrypt_sessions_head)
+    decrypt_session_destroy (decrypt_sessions_head);
+
+  while (NULL != keygen_sessions_head)
+    keygen_session_destroy (keygen_sessions_head);
 }
 
 
@@ -685,23 +722,31 @@ static void
 generate_presecret_polynomial (struct KeygenSession *ks)
 {
   int i;
+  gcry_mpi_t v;
+
   GNUNET_assert (NULL == ks->presecret_polynomial);
-  ks->presecret_polynomial = GNUNET_malloc (ks->threshold * sizeof (gcry_mpi_t));
+  ks->presecret_polynomial = GNUNET_new_array (ks->threshold, gcry_mpi_t);
   for (i = 0; i < ks->threshold; i++)
   {
-    ks->presecret_polynomial[i] = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS);
-    GNUNET_assert (0 != ks->presecret_polynomial[i]);
-    gcry_mpi_randomize (ks->presecret_polynomial[i], GNUNET_SECRETSHARING_KEY_BITS,
-                        GCRY_WEAK_RANDOM);
+    v = ks->presecret_polynomial[i] = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS);
+    GNUNET_assert (NULL != v);
+    // Randomize v such that 0 < v < elgamal_q.
+    // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
+    do 
+    {
+      gcry_mpi_randomize (v, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1, GCRY_WEAK_RANDOM);
+    } while ((gcry_mpi_cmp_ui (v, 0) == 0) || (gcry_mpi_cmp (v, elgamal_q) >= 0));
   }
 }
 
 
 /**
  * Consensus element handler for round one.
+ * We should get one ephemeral key for each peer.
  *
- * @param cls closure (keygen session)
- * @param element the element from consensus
+ * @param cls Closure (keygen session).
+ * @param element The element from consensus, or
+ *                NULL if consensus failed.
  */
 static void
 keygen_round1_new_element (void *cls,
@@ -717,6 +762,7 @@ keygen_round1_new_element (void *cls,
     return;
   }
 
+  /* elements have fixed size */
   if (element->size != sizeof (struct GNUNET_SECRETSHARING_KeygenCommitData))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
@@ -729,7 +775,6 @@ keygen_round1_new_element (void *cls,
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round1 element\n");
 
   d = element->data;
-
   info = get_keygen_peer_info (ks, &d->peer);
 
   if (NULL == info)
@@ -739,6 +784,7 @@ keygen_round1_new_element (void *cls,
     return;
   }
 
+  /* Check that the right amount of data has been signed. */
   if (d->purpose.size !=
       htonl (element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenCommitData, purpose)))
   {
@@ -752,11 +798,8 @@ keygen_round1_new_element (void *cls,
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "keygen commit data with invalid signature in consensus\n");
     return;
   }
-
-  GNUNET_assert (0 == gcry_mpi_scan (&info->paillier_n, GCRYMPI_FMT_USG,
-                                     &d->pubkey.n, sizeof d->pubkey.n, NULL));
-  GNUNET_assert (0 == gcry_mpi_scan (&info->presecret_commitment, GCRYMPI_FMT_USG,
-                                     &d->commitment, sizeof d->commitment, NULL));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&info->paillier_n, &d->pubkey.n, PAILLIER_BITS / 8);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&info->presecret_commitment, &d->pubkey.n, PAILLIER_BITS / 8);
   info->round1_valid = GNUNET_YES;
 }
 
@@ -796,16 +839,20 @@ keygen_round2_conclude (void *cls)
   unsigned int i;
   unsigned int j;
   struct GNUNET_SECRETSHARING_Share *share;
+  /* our share */
   gcry_mpi_t s;
+  /* public key */
   gcry_mpi_t h;
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "round2 conclude\n");
 
-  GNUNET_assert (0 != (s = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
-  GNUNET_assert (0 != (h = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
+  GNUNET_assert (0 != (s = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
+  GNUNET_assert (0 != (h = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
 
   // multiplicative identity
-  gcry_mpi_set_ui (s, 1);
+  gcry_mpi_set_ui (h, 1);
+  // additive identity
+  gcry_mpi_set_ui (s, 0);
 
   share = GNUNET_new (struct GNUNET_SECRETSHARING_Share);
 
@@ -820,6 +867,9 @@ keygen_round2_conclude (void *cls)
       GNUNET_new_array (share->num_peers, struct GNUNET_SECRETSHARING_FieldElement);
   share->original_indices = GNUNET_new_array (share->num_peers, uint16_t);
 
+  /* maybe we're not even in the list of peers? */
+  share->my_peer = share->num_peers;
+
   j = 0;
   for (i = 0; i < ks->num_peers; i++)
   {
@@ -829,13 +879,18 @@ keygen_round2_conclude (void *cls)
       gcry_mpi_mulm (h, h, ks->info[i].public_key_share, elgamal_p);
       share->peers[i] = ks->info[i].peer;
       share->original_indices[i] = j++;
+      if (0 == memcmp (&share->peers[i], &my_peer, sizeof (struct GNUNET_PeerIdentity)))
+        share->my_peer = i;
     }
   }
 
-  print_mpi_fixed (&share->my_share, s, GNUNET_SECRETSHARING_KEY_BITS / 8);
-  print_mpi_fixed (&share->public_key, h, GNUNET_SECRETSHARING_KEY_BITS / 8);
+  GNUNET_CRYPTO_mpi_print_unsigned (&share->my_share, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, s);
+  GNUNET_CRYPTO_mpi_print_unsigned (&share->public_key, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, h);
 
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen successful with %u peers\n", share->num_peers);
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen completed with %u peers\n", share->num_peers);
+
+  /* Write the share. If 0 peers completed the dkg, an empty
+   * share will be sent. */
 
   m = GNUNET_malloc (sizeof (struct GNUNET_SECRETSHARING_SecretReadyMessage) +
                      ks->num_peers * sizeof (struct GNUNET_PeerIdentity));
@@ -872,13 +927,19 @@ insert_round2_element (struct KeygenSession *ks)
   unsigned int i;
   gcry_mpi_t idx;
   gcry_mpi_t v;
+  gcry_mpi_t c;
 
-  GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
-  GNUNET_assert (0 != (idx = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting round2 element\n",
+              ks->local_peer_idx);
+
+  GNUNET_assert (NULL != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
+  GNUNET_assert (NULL != (idx = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
+  GNUNET_assert (NULL != (c = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
 
   element_size = (sizeof (struct GNUNET_SECRETSHARING_KeygenRevealData) +
-                  2 * GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->num_peers +
-                  1 * GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->threshold);
+                  GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers +
+                  GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold +
+                  PAILLIER_BITS * 2 / 8 * ks->num_peers);
 
   element = GNUNET_malloc (sizeof (struct GNUNET_SET_Element) + element_size);
   element->size = element_size;
@@ -887,6 +948,8 @@ insert_round2_element (struct KeygenSession *ks)
   d = (void *) element->data;
   d->peer = my_peer;
 
+  // start inserting vector elements
+  // after the fixed part of the element's data
   pos = (void *) &d[1];
   last_pos = pos + element_size;
 
@@ -895,38 +958,55 @@ insert_round2_element (struct KeygenSession *ks)
   {
     ptrdiff_t remaining = last_pos - pos;
     GNUNET_assert (remaining > 0);
-    gcry_mpi_set_ui (idx, i);
+    gcry_mpi_set_ui (idx, i + 1);
     // evaluate the polynomial
-    horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_p);
+    horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_q);
     // take g to the result
     gcry_mpi_powm (v, elgamal_g, v, elgamal_p);
-    print_mpi_fixed (pos, v, GNUNET_SECRETSHARING_KEY_BITS / 8);
-    pos += GNUNET_SECRETSHARING_KEY_BITS / 8;
+    GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, v);
+    pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8;
   }
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp preshares\n",
+              ks->local_peer_idx);
+
   // encrypted pre-shares
   for (i = 0; i < ks->num_peers; i++)
   {
     ptrdiff_t remaining = last_pos - pos;
     GNUNET_assert (remaining > 0);
     if (GNUNET_NO == ks->info[i].round1_valid)
-      gcry_mpi_set_ui (v, 0);
+    {
+      gcry_mpi_set_ui (c, 0);
+    }
     else
-      paillier_encrypt (v, ks->presecret_polynomial[0], ks->info[i].paillier_n);
-    print_mpi_fixed (pos, v, GNUNET_SECRETSHARING_KEY_BITS / 8);
-    pos += GNUNET_SECRETSHARING_KEY_BITS / 8;
+    {
+      gcry_mpi_set_ui (idx, i + 1);
+      // evaluate the polynomial
+      horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_q);
+      // encrypt the result
+      paillier_encrypt (c, v, ks->info[i].paillier_n);
+    }
+    GNUNET_CRYPTO_mpi_print_unsigned (pos, PAILLIER_BITS * 2 / 8, c);
+    pos += PAILLIER_BITS * 2 / 8;
   }
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed enc preshares\n",
+              ks->local_peer_idx);
+
   // exponentiated coefficients
   for (i = 0; i < ks->threshold; i++)
   {
     ptrdiff_t remaining = last_pos - pos;
     GNUNET_assert (remaining > 0);
     gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[i], elgamal_p);
-    print_mpi_fixed (pos, v, GNUNET_SECRETSHARING_KEY_BITS / 8);
-    pos += GNUNET_SECRETSHARING_KEY_BITS / 8;
+    GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, v);
+    pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8;
   }
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp coefficients\n",
+              ks->local_peer_idx);
+
   d->purpose.size = htonl (element_size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose));
   d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2);
   GNUNET_CRYPTO_eddsa_sign (my_peer_private_key, &d->purpose, &d->signature);
@@ -957,8 +1037,9 @@ keygen_round2_new_element (void *cls,
   }
 
   expected_element_size = (sizeof (struct GNUNET_SECRETSHARING_KeygenRevealData) +
-                  2 * GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->num_peers +
-                  1 * GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->threshold);
+                  GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers +
+                  PAILLIER_BITS / 8 * 2 * ks->num_peers +
+                  GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold);
 
   if (element->size != expected_element_size)
   {
@@ -1001,31 +1082,28 @@ keygen_round2_new_element (void *cls,
 
   pos = (void *) &d[1];
   // skip exponentiated pre-shares
-  pos += GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->num_peers;
+  pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers;
   // skip encrypted pre-shares
-  pos += PAILLIER_BITS / 8 * ks->num_peers;
+  pos += PAILLIER_BITS * 2 / 8 * ks->num_peers;
   // the first exponentiated coefficient is the public key share
-  GNUNET_assert (0 == gcry_mpi_scan (&info->public_key_share, GCRYMPI_FMT_USG,
-                                     pos, GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&info->public_key_share, pos, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 
   pos = (void *) &d[1];
   // skip exp. pre-shares
-  pos += GNUNET_SECRETSHARING_KEY_BITS / 8 * ks->num_peers;
+  pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers;
   // skip to the encrypted value for our peer
-  pos += PAILLIER_BITS / 8 * ks->local_peer_idx;
+  pos += PAILLIER_BITS * 2 / 8 * ks->local_peer_idx;
 
-  GNUNET_assert (0 == gcry_mpi_scan (&c, GCRYMPI_FMT_USG,
-                                     pos, PAILLIER_BITS / 8, NULL));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&c, pos, PAILLIER_BITS * 2 / 8);
 
   GNUNET_assert (0 != (info->decrypted_preshare = mpi_new (0)));
 
-  paillier_decrypt (info->decrypted_preshare, c, ks->paillier_lambda, ks->paillier_mu,
+  paillier_decrypt (info->decrypted_preshare, c, ks->paillier_mu, ks->paillier_lambda,
                     ks->info[ks->local_peer_idx].paillier_n);
-
   // TODO: validate zero knowledge proofs
 
-  if (d->purpose.size !=
-      htons (element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose)))
+  if (ntohl (d->purpose.size) !=
+      element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "keygen reveal data with wrong signature purpose size in consensus\n");
     return;
@@ -1082,29 +1160,25 @@ insert_round1_element (struct KeygenSession *ks)
   // g^a_{i,0}
   gcry_mpi_t v;
   // big-endian representation of 'v'
-  unsigned char v_data[GNUNET_SECRETSHARING_KEY_BITS / 8];
+  unsigned char v_data[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
 
   element = GNUNET_malloc (sizeof *element + sizeof *d);
   d = (void *) &element[1];
   element->data = d;
   element->size = sizeof *d;
 
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "alloc'd size %u\n", sizeof *element + sizeof *d);
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "element size %u\n", element->size);
-
-
   d->peer = my_peer;
 
-  GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_KEY_BITS)));
+  GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
 
   gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[0], elgamal_p);
 
-  print_mpi_fixed (v_data, v, GNUNET_SECRETSHARING_KEY_BITS);
+  GNUNET_CRYPTO_mpi_print_unsigned (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, v);
 
-  GNUNET_CRYPTO_hash (v_data, GNUNET_SECRETSHARING_KEY_BITS / 8, &d->commitment);
+  GNUNET_CRYPTO_hash (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, &d->commitment);
 
-  print_mpi_fixed (d->pubkey.n, ks->info[ks->local_peer_idx].paillier_n,
-                   PAILLIER_BITS / 8);
+  GNUNET_CRYPTO_mpi_print_unsigned (d->pubkey.n, PAILLIER_BITS / 8,
+                                    ks->info[ks->local_peer_idx].paillier_n);
 
   d->purpose.size = htonl ((sizeof *d) - offsetof (struct GNUNET_SECRETSHARING_KeygenCommitData, purpose));
   d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1);
@@ -1158,7 +1232,7 @@ static void handle_client_keygen (void *cls,
   ks->consensus = GNUNET_CONSENSUS_create (cfg, ks->num_peers, ks->peers, &msg->session_id,
                                            keygen_round1_new_element, ks);
 
-  ks->info = GNUNET_malloc (ks->num_peers * sizeof (struct KeygenPeerInfo));
+  ks->info = GNUNET_new_array (ks->num_peers, struct KeygenPeerInfo);
 
   for (i = 0; i < ks->num_peers; i++)
     ks->info[i].peer = ks->peers[i];
@@ -1171,12 +1245,15 @@ static void handle_client_keygen (void *cls,
                    ks->paillier_lambda,
                    ks->paillier_mu);
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Generated paillier key pair\n", ks->local_peer_idx);
 
   generate_presecret_polynomial (ks);
 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Generated presecret polynomial\n", ks->local_peer_idx);
+
   insert_round1_element (ks);
 
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "starting conclude of round 1\n");
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Concluding for round 1\n", ks->local_peer_idx);
 
   GNUNET_CONSENSUS_conclude (ks->consensus,
                              /* half the overall time */
@@ -1185,6 +1262,8 @@ static void handle_client_keygen (void *cls,
                              ks);
 
   GNUNET_SERVER_receive_done (client, GNUNET_OK);
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Waiting for round 1 elements ...\n", ks->local_peer_idx);
 }
 
 
@@ -1201,6 +1280,7 @@ decrypt_conclude (void *cls)
   gcry_mpi_t m;
   gcry_mpi_t tmp;
   gcry_mpi_t c_2;
+  gcry_mpi_t prod;
   unsigned int *indices;
   unsigned int num;
   unsigned int i;
@@ -1209,6 +1289,7 @@ decrypt_conclude (void *cls)
   GNUNET_assert (0 != (lagrange = gcry_mpi_new (0)));
   GNUNET_assert (0 != (m = gcry_mpi_new (0)));
   GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
+  GNUNET_assert (0 != (prod = gcry_mpi_new (0)));
 
   num = 0;
   for (i = 0; i < ds->share->num_peers; i++)
@@ -1219,30 +1300,36 @@ decrypt_conclude (void *cls)
   j = 0;
   for (i = 0; i < ds->share->num_peers; i++)
     if (NULL != ds->info[i].partial_decryption)
-      indices[j++] = ds->info[i].real_index;
+      indices[j++] = ds->info[i].original_index;
 
-  gcry_mpi_set_ui (m, 1);
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: decrypt conclude, with %u peers\n",
+              ds->share->my_peer, num);
 
+  gcry_mpi_set_ui (prod, 1);
   for (i = 0; i < num; i++)
   {
+
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: index of %u: %u\n",
+                ds->share->my_peer, i, indices[i]);
     compute_lagrange_coefficient (lagrange, indices[i], indices, num);
-    // w_j^{\lambda_j}
+    // w_i^{\lambda_i}
     gcry_mpi_powm (tmp, ds->info[indices[i]].partial_decryption, lagrange, elgamal_p);
-    gcry_mpi_mulm (m, m, tmp, elgamal_p);
-  }
 
-  GNUNET_assert (0 == gcry_mpi_scan (&c_2, GCRYMPI_FMT_USG, ds->ciphertext.c2_bits,
-                                     GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
+    // product of all exponentiated partiel decryptions ...
+    gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
+  }
 
-  // m <- c_2 / m
-  gcry_mpi_invm (m, m, elgamal_p);
-  gcry_mpi_mulm (m, c_2, m, elgamal_p);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&c_2, ds->ciphertext.c2_bits, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 
+  GNUNET_assert (0 != gcry_mpi_invm (prod, prod, elgamal_p));
+  gcry_mpi_mulm (m, c_2, prod, elgamal_p);
   ev = GNUNET_MQ_msg (msg, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE);
-  print_mpi_fixed (&msg->plaintext, m, GNUNET_SECRETSHARING_KEY_BITS / 8);
+  GNUNET_CRYPTO_mpi_print_unsigned (&msg->plaintext, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, m);
   msg->success = htonl (1);
   GNUNET_MQ_send (ds->client_mq, ev);
 
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "sent decrypt done to client\n");
+
   // FIXME: what if not enough peers participated?
 }
 
@@ -1291,8 +1378,8 @@ decrypt_new_element (void *cls,
 
   // FIXME: check NIZP first
 
-  GNUNET_assert (0 == gcry_mpi_scan (&info->partial_decryption,
-                                     GCRYMPI_FMT_USG, &d->partial_decryption, GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&info->partial_decryption, &d->partial_decryption,
+                                   GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 }
 
 static void
@@ -1303,22 +1390,37 @@ insert_decrypt_element (struct DecryptSession *ds)
   gcry_mpi_t x;
   gcry_mpi_t s;
 
-  GNUNET_assert (0 == gcry_mpi_scan (&x, GCRYMPI_FMT_USG, ds->ciphertext.c1_bits, GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
-  GNUNET_assert (0 == gcry_mpi_scan (&s, GCRYMPI_FMT_USG, &ds->share->my_share, GNUNET_SECRETSHARING_KEY_BITS / 8, NULL));
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element\n",
+              ds->share->my_peer);
+
+  GNUNET_CRYPTO_mpi_scan_unsigned (&x, &ds->ciphertext.c1_bits,
+                                   GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&s, &ds->share->my_share,
+                                   GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 
   gcry_mpi_powm (x, x, s, elgamal_p);
 
   element.data = (void *) &d;
   element.size = sizeof (struct GNUNET_SECRETSHARING_DecryptData);
+  element.type = 0;
 
+  /* make vagrind happy until we implement the real deal ... */
+  memset (&d.nizk_commit1, 0, sizeof d.nizk_commit1);
+  memset (&d.nizk_commit2, 0, sizeof d.nizk_commit2);
+  memset (&d.nizk_response, 0, sizeof d.nizk_response);
+
+  d.ciphertext = ds->ciphertext;
   d.peer = my_peer;
-  d.purpose.size = htonl (element.size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose));
+  d.purpose.size = htonl (element.size - offsetof (struct GNUNET_SECRETSHARING_DecryptData, purpose));
   d.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION);
+  
   GNUNET_CRYPTO_eddsa_sign (my_peer_private_key, &d.purpose, &d.signature);
 
-  print_mpi_fixed (&d.partial_decryption, x, GNUNET_SECRETSHARING_KEY_BITS / 8);
+  GNUNET_CRYPTO_mpi_print_unsigned (&d.partial_decryption, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, x);
 
   GNUNET_CONSENSUS_insert (ds->consensus, &element, NULL, NULL);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element done!\n",
+              ds->share->my_peer);
 }
 
 
@@ -1339,6 +1441,7 @@ static void handle_client_decrypt (void *cls,
       (const void *) message;
   struct DecryptSession *ds;
   struct GNUNET_HashCode session_id;
+  unsigned int i;
 
   ds = GNUNET_new (struct DecryptSession);
   // FIXME: check if session already exists
@@ -1359,52 +1462,82 @@ static void handle_client_decrypt (void *cls,
                                            ds->share->num_peers,
                                            ds->share->peers,
                                            &session_id,
-                                           decrypt_new_element,
+                                           &decrypt_new_element,
                                            ds);
 
+
+  ds->info = GNUNET_new_array (ds->share->num_peers, struct DecryptPeerInfo);
+  for (i = 0; i < ds->share->num_peers; i++)
+  {
+    ds->info[i].peer = ds->share->peers[i];
+    ds->info[i].original_index = ds->share->original_indices[i];
+  }
+
   insert_decrypt_element (ds);
 
   GNUNET_CONSENSUS_conclude (ds->consensus, ds->deadline, decrypt_conclude, ds);
+
+  GNUNET_SERVER_receive_done (client, GNUNET_OK);
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "decrypting with %u peers\n",
+              ds->share->num_peers);
 }
 
 
 static void
 init_crypto_constants (void)
 {
-  /* 1024-bit safe prime */
-  const char *elgamal_p_hex =
-      "0x08a347d3d69e8b2dd7d1b12a08dfbccbebf4ca"
-      "6f4269a0814e158a34312964d946b3ef22882317"
-      "2bcf30fc08f772774cb404f9bc002a6f66b09a79"
-      "d810d67c4f8cb3bedc6060e3c8ef874b1b64df71"
-      "6c7d2b002da880e269438d5a776e6b5f253c8df5"
-      "6a16b1c7ce58def07c03db48238aadfc52a354a2"
-      "7ed285b0c1675cad3f3";
-  /* 1023-bit Sophie Germain prime, q = (p-1)/2 */
-  const char *elgamal_q_hex =
-      "0x0451a3e9eb4f4596ebe8d895046fde65f5fa65"
-      "37a134d040a70ac51a1894b26ca359f79144118b"
-      "95e7987e047bb93ba65a027cde001537b3584d3c"
-      "ec086b3e27c659df6e303071e477c3a58db26fb8"
-      "b63e958016d4407134a1c6ad3bb735af929e46fa"
-      "b50b58e3e72c6f783e01eda411c556fe2951aa51"
-      "3f6942d860b3ae569f9";
-  /* generator of the unique size q subgroup of Z_p^* */
-  const char *elgamal_g_hex =
-      "0x05c00c36d2e822950087ef09d8252994adc4e4"
-      "8fe3ec70269f035b46063aff0c99b633fd64df43"
-      "02442e1914c829a41505a275438871f365e91c12"
-      "3d5303ef9e90f4b8cb89bf86cc9b513e74a72634"
-      "9cfd9f953674fab5d511e1c078fc72d72b34086f"
-      "c82b4b951989eb85325cb203ff98df76bc366bba"
-      "1d7024c3650f60d0da";
-
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX,
-                                     elgamal_q_hex, 0, NULL));
+                                     GNUNET_SECRETSHARING_ELGAMAL_Q_HEX, 0, NULL));
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX,
-                                     elgamal_p_hex, 0, NULL));
+                                     GNUNET_SECRETSHARING_ELGAMAL_P_HEX, 0, NULL));
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX,
-                                     elgamal_g_hex, 0, NULL));
+                                     GNUNET_SECRETSHARING_ELGAMAL_G_HEX, 0, NULL));
+}
+
+
+static struct KeygenSession *
+keygen_session_get (struct GNUNET_SERVER_Client *client)
+{
+  struct KeygenSession *ks;
+  for (ks = keygen_sessions_head; NULL != ks; ks = ks->next)
+    if (ks->client == client)
+      return ks;
+  return NULL;
+}
+
+static struct DecryptSession *
+decrypt_session_get (struct GNUNET_SERVER_Client *client)
+{
+  struct DecryptSession *ds;
+  for (ds = decrypt_sessions_head; NULL != ds; ds = ds->next)
+    if (ds->client == client)
+      return ds;
+  return NULL;
+}
+
+
+/**
+ * Clean up after a client has disconnected
+ *
+ * @param cls closure, unused
+ * @param client the client to clean up after
+ */
+static void
+handle_client_disconnect (void *cls, struct GNUNET_SERVER_Client *client)
+{
+  struct KeygenSession *ks;
+  struct DecryptSession *ds;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "handling client disconnect\n");
+
+  ks = keygen_session_get (client);
+  if (NULL != ks)
+    keygen_session_destroy (ks);
+
+  ds = decrypt_session_get (client);
+  if (NULL != ds)
+    decrypt_session_destroy (ds);
 }
 
 
@@ -1443,6 +1576,7 @@ run (void *cls, struct GNUNET_SERVER_Handle *server,
     return;
   }
   GNUNET_SERVER_add_handlers (server, handlers);
+  GNUNET_SERVER_disconnect_notify (server, &handle_client_disconnect, NULL);
   GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_FOREVER_REL, &cleanup_task,
                                 NULL);
 }