aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Teich <markus.teich@stusta.mhn.de>2016-07-13 14:01:24 +0200
committerMarkus Teich <markus.teich@stusta.mhn.de>2016-07-13 14:01:24 +0200
commit99e5a11de13a3283c07f353471e08df241511d19 (patch)
treea92cce7ff2f96bbd0e096f6a3a267dacaa362a3d
parent8c7bd0fda283f8c529e5a582182b08150d875736 (diff)
downloadlibbrandt-99e5a11de13a3283c07f353471e08df241511d19.tar.gz
libbrandt-99e5a11de13a3283c07f353471e08df241511d19.zip
major random stuff
Diffstat
-rw-r--r--Makefile.am2
-rw-r--r--brandt.c83
-rw-r--r--brandt.h4
-rw-r--r--crypto.c577
-rw-r--r--crypto.h55
-rw-r--r--internals.h10
-rw-r--r--test_crypto.c40
-rw-r--r--tex-stuff/math.tex4
-rw-r--r--util.c3
9 files changed, 568 insertions, 210 deletions
diff --git a/Makefile.am b/Makefile.am
index 0f9dd23..615870f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -10,7 +10,7 @@ libbrandt_la_SOURCES = \
10 util.c 10 util.c
11 11
12libbrandt_la_LIBADD = \ 12libbrandt_la_LIBADD = \
13 -lgcrypt -lgpg-error 13 -lgcrypt -lgpg-error -lgnunetutil
14 14
15libbrandt_la_LDFLAGS = \ 15libbrandt_la_LDFLAGS = \
16 -version-info 0:0:0 16 -version-info 0:0:0
diff --git a/brandt.c b/brandt.c
index d56a607..1f53b43 100644
--- a/brandt.c
+++ b/brandt.c
@@ -16,9 +16,12 @@
16 16
17/** 17/**
18 * @file brandt.c 18 * @file brandt.c
19 * @brief \todo 19 * @brief Implementation of the high level libbrandt interface.
20 * @author Markus Teich 20 * @author Markus Teich
21 */ 21 */
22
23#include "brandt_config.h"
24
22#include <gcrypt.h> 25#include <gcrypt.h>
23 26
24#include "crypto.h" 27#include "crypto.h"
@@ -33,6 +36,20 @@ typedef int
33 uint16_t sender); 36 uint16_t sender);
34 37
35 38
39enum {
40 auction_firstPrice,
41 auction_mPlusFirstPrice,
42 auction_last
43};
44
45
46enum {
47 outcome_private,
48 outcome_public,
49 outcome_last
50};
51
52
36/** 53/**
37 * stores the function pointers to receive functions for each state. 54 * stores the function pointers to receive functions for each state.
38 * 55 *
@@ -43,43 +60,43 @@ typedef int
43 * The second index denotes if the outcome should be public or private. A value 60 * The second index denotes if the outcome should be public or private. A value
44 * of 0 means a private outcome, while a value of 1 means public outcome. 61 * of 0 means a private outcome, while a value of 1 means public outcome.
45 */ 62 */
46static msg_recv handler_in[2][2][msg_last] = 63static msg_recv handler_in[auction_last][outcome_last][msg_last] =
47{ 64{
48 [0] = 65 [auction_firstPrice] =
49 { 66 {
50 [0] = 67 [outcome_private] =
51 { 68 {
52 [msg_init] = smc_recv_keyshare, 69 [msg_init] = &smc_recv_keyshare,
53 [msg_bid] = smc_recv_encrypted_bid, 70 [msg_bid] = &smc_recv_encrypted_bid,
54 [msg_outcome] = fp_priv_recv_outcome, 71 [msg_outcome] = &fp_priv_recv_outcome,
55 [msg_decrypt] = fp_priv_recv_decryption, 72 [msg_decrypt] = &fp_priv_recv_decryption,
56 }, 73 },
57 [1] = 74 [outcome_public] =
58 { 75 {
59 [msg_init] = smc_recv_keyshare, 76 [msg_init] = &smc_recv_keyshare,
60 [msg_bid] = smc_recv_encrypted_bid, 77 [msg_bid] = &smc_recv_encrypted_bid,
61 [msg_outcome] = fp_pub_recv_outcome, 78 [msg_outcome] = &fp_pub_recv_outcome,
62 [msg_decrypt] = fp_pub_recv_decryption, 79 [msg_decrypt] = &fp_pub_recv_decryption,
63 } 80 }
64 }, 81 },
65 [1] = 82 [auction_mPlusFirstPrice] =
66 { 83 {
67 [0] = 84 [outcome_private] =
68 { 85 {
69 [msg_init] = smc_recv_keyshare, 86 [msg_init] = &smc_recv_keyshare,
70 [msg_bid] = smc_recv_encrypted_bid, 87 [msg_bid] = &smc_recv_encrypted_bid,
71 }, 88 },
72 [1] = 89 [outcome_public] =
73 { 90 {
74 [msg_init] = smc_recv_keyshare, 91 [msg_init] = &smc_recv_keyshare,
75 [msg_bid] = smc_recv_encrypted_bid, 92 [msg_bid] = &smc_recv_encrypted_bid,
76 } 93 }
77 } 94 }
78}; 95};
79 96
80 97
81void 98void
82BRANDT_init () 99BRANDT_init (struct GNUNET_CRYPTO_EccDlogContext *dlogctx)
83{ 100{
84 gcry_error_t err = 0; 101 gcry_error_t err = 0;
85 102
@@ -97,7 +114,7 @@ BRANDT_init ()
97 gcry_strerror (err)); 114 gcry_strerror (err));
98 115
99 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); 116 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
100 brandt_crypto_init (); 117 brandt_crypto_init (dlogctx);
101} 118}
102 119
103 120
@@ -107,21 +124,23 @@ BRANDT_got_message (struct BRANDT_Auction *auction,
107 const unsigned char *msg, 124 const unsigned char *msg,
108 size_t msg_len) 125 size_t msg_len)
109{ 126{
110 uint16_t type = *(uint16_t *)msg; 127 uint16_t mtype = *(uint16_t *)msg;
111 int m = !!auction->desc->m; 128 int atype;
112 int pub = !!auction->desc->outcome_public; 129 int outcome;
113 enum rounds round = auction->cur_round; 130 enum rounds round = auction->cur_round;
114 131
115 /** todo: cache out of order messages */ 132 atype = auction->desc->m > 0 ? auction_mPlusFirstPrice : auction_firstPrice;
133 outcome = auction->desc->outcome_public ? outcome_public : outcome_private;
134
135 /** \todo: cache out of order messages */
116 136
117 if (!handler_in[m][pub][round] || 137 if (!handler_in[atype][outcome][round] ||
118 !handler_in[m][pub][round](auction, 138 !handler_in[atype][outcome][round](auction,
119 msg + sizeof (type), 139 msg + sizeof (mtype),
120 msg_len - sizeof (type), 140 msg_len - sizeof (mtype),
121 sender)) 141 sender))
122 { 142 {
123 /** \todo */ 143 /** \todo */
124 weprintf ("wow fail"); 144 weprintf ("wow fail");
125 } 145 }
126 msg + sizeof (type);
127} 146}
diff --git a/brandt.h b/brandt.h
index dd1c8a0..fe50896 100644
--- a/brandt.h
+++ b/brandt.h
@@ -26,6 +26,8 @@
26#include <stdint.h> 26#include <stdint.h>
27#include <unistd.h> 27#include <unistd.h>
28 28
29#include <gnunet/gnunet_util_lib.h>
30
29/** defined in internals.h */ 31/** defined in internals.h */
30struct BRANDT_Auction; 32struct BRANDT_Auction;
31 33
@@ -86,7 +88,7 @@ typedef void
86 88
87 89
88void 90void
89BRANDT_init (); 91BRANDT_init (struct GNUNET_CRYPTO_EccDlogContext *dlogctx);
90 92
91/** 93/**
92 * Join an auction described by the @a auction_data parameter. 94 * Join an auction described by the @a auction_data parameter.
diff --git a/crypto.c b/crypto.c
index 9c2e272..3140ec6 100644
--- a/crypto.c
+++ b/crypto.c
@@ -20,6 +20,7 @@
20 * @author Markus Teich 20 * @author Markus Teich
21 */ 21 */
22 22
23#include "brandt_config.h"
23 24
24#include <arpa/inet.h> 25#include <arpa/inet.h>
25#include <gcrypt.h> 26#include <gcrypt.h>
@@ -61,17 +62,22 @@ static gcry_ctx_t ec_ctx;
61static gcry_mpi_point_t ec_gen; 62static gcry_mpi_point_t ec_gen;
62static gcry_mpi_point_t ec_zero; 63static gcry_mpi_point_t ec_zero;
63static gcry_mpi_t ec_n; 64static gcry_mpi_t ec_n;
65static GNUNET_CRYPTO_EccDlogContext *ec_dlogctx;
64 66
65 67
66/** 68/**
67 * brandt_crypto_init initializes the crypto system and must be called before 69 * brandt_crypto_init initializes the crypto system and must be called before
68 * any other function from this file. 70 * any other function from this file.
71 *
72 * @param[in] dlogctx Pointer to the prepared dlog context.
69 */ 73 */
70void 74void
71brandt_crypto_init () 75brandt_crypto_init (GNUNET_CRYPTO_EccDlogContext *dlogctx)
72{ 76{
73 gcry_error_t rc; 77 gcry_error_t rc;
74 78
79 ec_dlogctx = dlogctx;
80
75 rc = gcry_mpi_ec_new (&ec_ctx, NULL, CURVE); 81 rc = gcry_mpi_ec_new (&ec_ctx, NULL, CURVE);
76 brandt_assert_gpgerr (rc); 82 brandt_assert_gpgerr (rc);
77 83
@@ -159,7 +165,7 @@ ec_keypair_create (gcry_mpi_point_t pkey, gcry_mpi_t skey)
159 gcry_mpi_t sk; 165 gcry_mpi_t sk;
160 166
161 brandt_assert (NULL != pkey); 167 brandt_assert (NULL != pkey);
162 sk = (NULL == skey) ? gcry_mpi_new (0) : skey; 168 sk = (NULL == skey) ? gcry_mpi_new (256) : skey;
163 169
164 ec_skey_create (sk); 170 ec_skey_create (sk);
165 gcry_mpi_ec_mul (pkey, sk, ec_gen, ec_ctx); 171 gcry_mpi_ec_mul (pkey, sk, ec_gen, ec_ctx);
@@ -191,6 +197,25 @@ ec_keypair_create_base (gcry_mpi_point_t pkey,
191 197
192 198
193/** 199/**
200 * ec_point_copy creates a copy of one curve point
201 *
202 * @param[out] dst where to store the copy
203 * @param[in] src the input point to be copied
204 */
205void
206ec_point_copy (gcry_mpi_point_t dst, const gcry_mpi_point_t src)
207{
208 gcry_mpi_t x = gcry_mpi_new (256);
209 gcry_mpi_t y = gcry_mpi_new (256);
210 gcry_mpi_t z = gcry_mpi_new (256);
211
212 brandt_assert (dst && src);
213 gcry_mpi_point_get (x, y, z, src);
214 gcry_mpi_point_snatch_set (dst, x, y, z);
215}
216
217
218/**
194 * ec_point_cmp compares two curve points 219 * ec_point_cmp compares two curve points
195 * 220 *
196 * @param[in] a the first point 221 * @param[in] a the first point
@@ -202,10 +227,10 @@ int
202ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b) 227ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b)
203{ 228{
204 int ret = 1; 229 int ret = 1;
205 gcry_mpi_t ax = gcry_mpi_new (0); 230 gcry_mpi_t ax = gcry_mpi_new (256);
206 gcry_mpi_t bx = gcry_mpi_new (0); 231 gcry_mpi_t bx = gcry_mpi_new (256);
207 gcry_mpi_t ay = gcry_mpi_new (0); 232 gcry_mpi_t ay = gcry_mpi_new (256);
208 gcry_mpi_t by = gcry_mpi_new (0); 233 gcry_mpi_t by = gcry_mpi_new (256);
209 234
210 brandt_assert (a && b); 235 brandt_assert (a && b);
211 if (!ax || !bx || !ay || !by) 236 if (!ax || !bx || !ay || !by)
@@ -592,8 +617,7 @@ smc_sum (gcry_mpi_point_t out,
592 uint16_t step) 617 uint16_t step)
593{ 618{
594 brandt_assert (NULL != out); 619 brandt_assert (NULL != out);
595 /**\todo: how to copy a point more efficiently? */ 620 ec_point_copy (out, ec_zero);
596 gcry_mpi_ec_add (out, ec_zero, ec_zero, ec_ctx);
597 for (uint16_t i = 0; i < len * step; i += step) 621 for (uint16_t i = 0; i < len * step; i += step)
598 gcry_mpi_ec_add (out, out, in[i], ec_ctx); 622 gcry_mpi_ec_add (out, out, in[i], ec_ctx);
599} 623}
@@ -603,12 +627,12 @@ smc_sum (gcry_mpi_point_t out,
603 * smc_gen_keyshare creates the private additive keyshare and computes the 627 * smc_gen_keyshare creates the private additive keyshare and computes the
604 * public multiplicative key share 628 * public multiplicative key share
605 * 629 *
606 * @param[in,out] ad Pointer to the AuctionData struct to operate on 630 * @param[in,out] ad Pointer to the BRANDT_Auction struct to operate on
607 * @param[out] buflen \todo 631 * @param[out] buflen \todo
608 * @return \todo 632 * @return \todo
609 */ 633 */
610unsigned char * 634unsigned char *
611smc_gen_keyshare (struct AuctionData *ad, size_t *buflen) 635smc_gen_keyshare (struct BRANDT_Auction *ad, size_t *buflen)
612{ 636{
613 unsigned char *ret; 637 unsigned char *ret;
614 struct proof_dl *proof1; 638 struct proof_dl *proof1;
@@ -624,7 +648,7 @@ smc_gen_keyshare (struct AuctionData *ad, size_t *buflen)
624 648
625 proof1 = (struct proof_dl *)(ret + sizeof (struct ec_mpi)); 649 proof1 = (struct proof_dl *)(ret + sizeof (struct ec_mpi));
626 650
627 ad->x = gcry_mpi_new (0); 651 ad->x = gcry_mpi_new (256);
628 ec_skey_create (ad->x); 652 ec_skey_create (ad->x);
629 smc_zkp_dl (ad->y[ad->i], ad->x, proof1); 653 smc_zkp_dl (ad->y[ad->i], ad->x, proof1);
630 ec_point_serialize ((struct ec_mpi *)ret, ad->y[ad->i]); 654 ec_point_serialize ((struct ec_mpi *)ret, ad->y[ad->i]);
@@ -633,8 +657,8 @@ smc_gen_keyshare (struct AuctionData *ad, size_t *buflen)
633 657
634 658
635int 659int
636smc_recv_keyshare (struct AuctionData *ad, 660smc_recv_keyshare (struct BRANDT_Auction *ad,
637 unsigned char *buf, 661 const unsigned char *buf,
638 size_t buflen, 662 size_t buflen,
639 uint16_t sender) 663 uint16_t sender)
640{ 664{
@@ -658,8 +682,7 @@ smc_recv_keyshare (struct AuctionData *ad,
658 goto quit; 682 goto quit;
659 } 683 }
660 684
661 /**\todo: how to copy a point more efficiently? */ 685 ec_point_copy (ad->y[sender], y);
662 gcry_mpi_ec_add (ad->y[sender], ec_zero, y, ec_ctx);
663 686
664 ret = 1; 687 ret = 1;
665quit: 688quit:
@@ -675,7 +698,7 @@ quit:
675 * @param buflen TODO 698 * @param buflen TODO
676 */ 699 */
677unsigned char * 700unsigned char *
678smc_encrypt_bid (struct AuctionData *ad, size_t *buflen) 701smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
679{ 702{
680 unsigned char *ret; 703 unsigned char *ret;
681 unsigned char *cur; 704 unsigned char *cur;
@@ -699,8 +722,8 @@ smc_encrypt_bid (struct AuctionData *ad, size_t *buflen)
699 ad->Y = gcry_mpi_point_new (0); 722 ad->Y = gcry_mpi_point_new (0);
700 smc_sum (ad->Y, ad->y, ad->n, 1); 723 smc_sum (ad->Y, ad->y, ad->n, 1);
701 724
702 r_sum = gcry_mpi_new (0); 725 r_sum = gcry_mpi_new (256);
703 r_part = gcry_mpi_new (0); 726 r_part = gcry_mpi_new (256);
704 727
705 for (uint16_t j = 0; j < ad->k; j++) 728 for (uint16_t j = 0; j < ad->k; j++)
706 { 729 {
@@ -726,13 +749,13 @@ smc_encrypt_bid (struct AuctionData *ad, size_t *buflen)
726 749
727 750
728int 751int
729smc_recv_encrypted_bid (struct AuctionData *ad, 752smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
730 unsigned char *buf, 753 const unsigned char *buf,
731 size_t buflen, 754 size_t buflen,
732 uint16_t sender) 755 uint16_t sender)
733{ 756{
734 int ret = 0; 757 int ret = 0;
735 unsigned char *cur = buf; 758 const unsigned char *cur = buf;
736 struct proof_0og *proof3; 759 struct proof_0og *proof3;
737 gcry_mpi_point_t **ct; /* ciphertexts */ 760 gcry_mpi_point_t **ct; /* ciphertexts */
738 gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0); 761 gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0);
@@ -748,8 +771,8 @@ smc_recv_encrypted_bid (struct AuctionData *ad,
748 goto quit; 771 goto quit;
749 } 772 }
750 773
751 gcry_mpi_ec_mul (alpha_sum, GCRYMPI_CONST_ONE, ec_zero, ec_ctx); 774 ec_point_copy (alpha_sum, ec_zero);
752 gcry_mpi_ec_mul (beta_sum, GCRYMPI_CONST_ONE, ec_zero, ec_ctx); 775 ec_point_copy (beta_sum, ec_zero);
753 776
754 for (uint16_t j = 0; j < ad->k; j++) 777 for (uint16_t j = 0; j < ad->k; j++)
755 { 778 {
@@ -779,9 +802,8 @@ smc_recv_encrypted_bid (struct AuctionData *ad,
779 802
780 for (uint16_t j = 0; j < ad->k; j++) 803 for (uint16_t j = 0; j < ad->k; j++)
781 { 804 {
782 /**\todo: how to copy a point more efficiently? */ 805 ec_point_copy (ad->alpha[sender][j], ct[0][j]);
783 gcry_mpi_ec_add (ad->alpha[sender][j], ec_zero, ct[0][j], ec_ctx); 806 ec_point_copy (ad->beta[sender][j], ct[1][j]);
784 gcry_mpi_ec_add (ad->beta[sender][j], ec_zero, ct[1][j], ec_ctx);
785 } 807 }
786 smc_free2 (ct, 2, ad->k); 808 smc_free2 (ct, 2, ad->k);
787 809
@@ -794,13 +816,345 @@ quit:
794 816
795 817
796/** 818/**
797 * smc_compute_outcome \todo 819 * fp_pub_compute_outcome \todo
820 *
821 * @param ad TODO
822 * @param buflen TODO
823 */
824unsigned char *
825fp_pub_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
826{
827 unsigned char *ret;
828 unsigned char *cur;
829 gcry_mpi_t coeff = gcry_mpi_copy (GCRYMPI_CONST_ONE);
830 gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
831 gcry_mpi_point_t *tlta1;
832 gcry_mpi_point_t *tltb1;
833 gcry_mpi_point_t **tlta2;
834 gcry_mpi_point_t **tltb2;
835 struct ec_mpi *gamma;
836 struct ec_mpi *delta;
837 struct proof_2dle *proof2;
838
839 brandt_assert (ad && buflen);
840
841 *buflen = (ad->k * (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2)));
842 if (NULL == (cur = (ret = calloc (1, *buflen))) ||
843 NULL == (ad->gamma2 = smc_init2 (ad->n, ad->k)) ||
844 NULL == (ad->delta2 = smc_init2 (ad->n, ad->k)) ||
845 NULL == (ad->tmpa1 = smc_init1 (ad->k)) ||
846 NULL == (ad->tmpb1 = smc_init1 (ad->k)))
847 {
848 weprintf ("unable to alloc memory for first price outcome computation");
849 return NULL;
850 }
851
852 /* create temporary lookup tables with partial sums */
853 tlta1 = smc_init1 (ad->k);
854 tltb1 = smc_init1 (ad->k);
855 tlta2 = smc_init2 (ad->n, ad->k);
856 tltb2 = smc_init2 (ad->n, ad->k);
857
858 /* temporary lookup table for sum of bid vectors */
859 for (uint16_t i = 0; i < ad->n; i++)
860 {
861 smc_sums_partial (tlta2[i], ad->alpha[i], ad->k, 1, 1);
862 smc_sums_partial (tltb2[i], ad->beta[i], ad->k, 1, 1);
863 for (uint16_t j = 0; j < ad->k; j++)
864 {
865 gcry_mpi_ec_sub (tlta2[i][j],
866 tlta2[i][ad->k - 1],
867 tlta2[i][j],
868 ec_ctx);
869 gcry_mpi_ec_sub (tltb2[i][j],
870 tltb2[i][ad->k - 1],
871 tltb2[i][j],
872 ec_ctx);
873 }
874 brandt_assert (!ec_point_cmp (ec_zero, tlta2[i][ad->k - 1]));
875 brandt_assert (!ec_point_cmp (ec_zero, tltb2[i][ad->k - 1]));
876 }
877 for (uint16_t j = 0; j < ad->k; j++)
878 {
879 smc_sum (tlta1[j], &tlta2[0][j], ad->n, ad->k);
880 smc_sum (tltb1[j], &tltb2[0][j], ad->n, ad->k);
881 }
882 smc_free2 (tlta2, ad->n, ad->k);
883 smc_free2 (tltb2, ad->n, ad->k);
884 brandt_assert (!ec_point_cmp (ec_zero, tlta1[ad->k - 1]));
885 brandt_assert (!ec_point_cmp (ec_zero, tltb1[ad->k - 1]));
886
887 /* temporarily store the \sum_{i=1}^n2^{i-1}b_i in tmp1, since it is needed
888 * each time a gamma,delta pair is received from another bidder */
889 for (uint16_t i = 0; i < ad->n; i++)
890 {
891 for (uint16_t j = 0; j < ad->k; j++)
892 {
893 gcry_mpi_ec_mul (tmp, coeff, ad->alpha[i][j], ec_ctx);
894 gcry_mpi_ec_add (ad->tmpa1[j], ad->tmpa1[j], tmp, ec_ctx);
895 gcry_mpi_ec_mul (tmp, coeff, ad->beta[i][j], ec_ctx);
896 gcry_mpi_ec_add (ad->tmpb1[j], ad->tmpb1[j], tmp, ec_ctx);
897 }
898 gcry_mpi_mul_ui (coeff, coeff, 2);
899 }
900
901 for (uint16_t j = 0; j < ad->k; j++)
902 {
903 gamma = (struct ec_mpi *)cur;
904 delta = &((struct ec_mpi *)cur)[1];
905 proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
906
907 /* copy unmasked outcome to all other bidder layers so they don't
908 * have to be recomputed to check the ZK proof_2dle's from other
909 * bidders when receiving their outcome messages */
910 for (uint16_t a = 0; a < ad->n; a++)
911 {
912 ec_point_copy (ad->gamma2[a][j], tlta1[j]);
913 ec_point_copy (ad->delta2[a][j], tltb1[j]);
914 }
915
916 /* apply random masking for losing bidders */
917 smc_zkp_2dle (ad->gamma2[ad->i][j],
918 ad->delta2[ad->i][j],
919 tlta1[j],
920 tltb1[j],
921 NULL,
922 proof2);
923
924 ec_point_serialize (gamma, ad->gamma2[ad->i][j]);
925 ec_point_serialize (delta, ad->delta2[ad->i][j]);
926
927 /* add winner determination for own gamma,delta */
928 gcry_mpi_ec_add (ad->gamma2[ad->i][j],
929 ad->gamma2[ad->i][j],
930 ad->tmpa1[j],
931 ec_ctx);
932 gcry_mpi_ec_add (ad->delta2[ad->i][j],
933 ad->delta2[ad->i][j],
934 ad->tmpb1[j],
935 ec_ctx);
936
937 cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2);
938 }
939
940 gcry_mpi_release (coeff);
941 gcry_mpi_point_release (tmp);
942 smc_free1 (tlta1, ad->k);
943 smc_free1 (tltb1, ad->k);
944 return ret;
945}
946
947
948int
949fp_pub_recv_outcome (struct BRANDT_Auction *ad,
950 const unsigned char *buf,
951 size_t buflen,
952 uint16_t sender)
953{
954 int ret = 0;
955 const unsigned char *cur = buf;
956 struct proof_2dle *proof2;
957 gcry_mpi_point_t gamma = gcry_mpi_point_new (0);
958 gcry_mpi_point_t delta = gcry_mpi_point_new (0);
959
960 brandt_assert (ad && buf);
961
962 if (buflen != (ad->k * (2 * sizeof (struct ec_mpi) + sizeof (*proof2))))
963 {
964 weprintf ("wrong size of received outcome");
965 goto quit;
966 }
967
968 for (uint16_t j = 0; j < ad->k; j++)
969 {
970 ec_point_parse (gamma, (struct ec_mpi *)cur);
971 ec_point_parse (delta, &((struct ec_mpi *)cur)[1]);
972 proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
973 if (smc_zkp_2dle_check (gamma,
974 delta,
975 ad->gamma2[sender][j],
976 ad->delta2[sender][j],
977 proof2))
978 {
979 weprintf ("wrong zkp2 for gamma, delta received");
980 goto quit;
981 }
982 ec_point_copy (ad->gamma2[sender][j], gamma);
983 ec_point_copy (ad->delta2[sender][j], delta);
984
985 /* add winner determination summand */
986 gcry_mpi_ec_add (ad->gamma2[sender][j],
987 ad->gamma2[sender][j],
988 ad->tmpa1[j],
989 ec_ctx);
990 gcry_mpi_ec_add (ad->delta2[sender][j],
991 ad->delta2[sender][j],
992 ad->tmpb1[j],
993 ec_ctx);
994
995 cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2);
996 }
997
998 ret = 1;
999quit:
1000 gcry_mpi_point_release (gamma);
1001 gcry_mpi_point_release (delta);
1002 return ret;
1003}
1004
1005
1006/**
1007 * fp_pub_decrypt_outcome \todo
1008 *
1009 * @param ad TODO
1010 * @param buflen TODO
1011 */
1012unsigned char *
1013fp_pub_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen)
1014{
1015 unsigned char *ret;
1016 unsigned char *cur;
1017 gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
1018 struct ec_mpi *phi;
1019 struct proof_2dle *proof2;
1020
1021 brandt_assert (ad && buflen);
1022
1023 *buflen = (ad->k * (sizeof (*phi) + sizeof (*proof2)));
1024 if (NULL == (cur = (ret = calloc (1, *buflen))) ||
1025 NULL == (ad->phi2 = smc_init2 (ad->n, ad->k)))
1026 {
1027 weprintf ("unable to alloc memory for first price outcome decryption");
1028 return NULL;
1029 }
1030
1031 for (uint16_t j = 0; j < ad->k; j++)
1032 {
1033 phi = (struct ec_mpi *)cur;
1034 proof2 = (struct proof_2dle *)(cur + sizeof (*phi));
1035
1036 smc_sum (tmp, &ad->delta2[0][j], ad->n, ad->n * ad->k);
1037
1038 /* copy still encrypted outcome to all other bidder layers so they
1039 * don't have to be recomputed to check the ZK proof_2dle's from
1040 * other bidders when receiving their outcome decryption messages */
1041 for (uint16_t a = 0; a < ad->n; a++)
1042 ec_point_copy (ad->phi2[a][j], tmp);
1043
1044 /* decrypt outcome component and prove the correct key was used */
1045 smc_zkp_2dle (ad->phi2[ad->i][j],
1046 NULL,
1047 tmp,
1048 ec_gen,
1049 ad->x,
1050 proof2);
1051
1052 ec_point_serialize (phi, ad->phi2[ad->i][j]);
1053
1054 cur += sizeof (*phi) + sizeof (*proof2);
1055 }
1056
1057 gcry_mpi_point_release (tmp);
1058 return ret;
1059}
1060
1061
1062int
1063fp_pub_recv_decryption (struct BRANDT_Auction *ad,
1064 const unsigned char *buf,
1065 size_t buflen,
1066 uint16_t sender)
1067{
1068 int ret = 0;
1069 const unsigned char *cur = buf;
1070 struct proof_2dle *proof2;
1071 gcry_mpi_point_t phi = gcry_mpi_point_new (0);
1072
1073 brandt_assert (ad && buf);
1074
1075 if (buflen != (ad->k * (sizeof (struct ec_mpi) + sizeof (*proof2))))
1076 {
1077 weprintf ("wrong size of received outcome decryption");
1078 goto quit;
1079 }
1080
1081 for (uint16_t j = 0; j < ad->k; j++)
1082 {
1083 ec_point_parse (phi, (struct ec_mpi *)cur);
1084 proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi));
1085 if (smc_zkp_2dle_check (phi,
1086 ad->y[sender],
1087 ad->phi2[sender][j],
1088 ec_gen,
1089 proof2))
1090 {
1091 weprintf ("wrong zkp2 for phi, y received");
1092 goto quit;
1093 }
1094 ec_point_copy (ad->phi2[sender][j], phi);
1095 cur += sizeof (struct ec_mpi) + sizeof (*proof2);
1096 }
1097
1098 ret = 1;
1099quit:
1100 gcry_mpi_point_release (phi);
1101 return ret;
1102}
1103
1104
1105int32_t
1106fp_pub_determine_outcome (struct BRANDT_Auction *ad, uint16_t *winner)
1107{
1108 int32_t ret = -1;
1109 int dlogi = -1;
1110 gcry_mpi_t dlog = gcry_mpi_new (256);
1111 gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0);
1112 gcry_mpi_point_t sum_phi = gcry_mpi_point_new (0);
1113
1114 brandt_assert (ad);
1115
1116 for (uint16_t j = ad->k - 1; j >= 0; j--)
1117 {
1118 smc_sum (sum_gamma, &ad->gamma2[0][j], ad->n, ad->k);
1119 smc_sum (sum_phi, &ad->phi2[0][j], ad->n, ad->k);
1120 gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx);
1121 /* first non-zero component determines the price */
1122 if (ec_point_cmp (sum_gamma, ec_zero))
1123 {
1124 ret = j;
1125 break;
1126 }
1127 }
1128
1129 dlogi = GNUNET_CRYPTO_ecc_dlog (ec_dlogctx, sum_gamma);
1130 brandt_assert (dlogi > 0);
1131 gcry_mpi_set_ui (dlog, (unsigned long)dlogi);
1132
1133 for (uint16_t i = 0; i < ad->n; i++)
1134 {
1135 if (gcry_mpi_test_bit (dlog, i))
1136 {
1137 if (winner)
1138 winner = i;
1139 break;
1140 }
1141 }
1142
1143 gcry_mpi_release (dlog);
1144 gcry_mpi_point_release (sum_gamma);
1145 gcry_mpi_point_release (sum_phi);
1146 return ret;
1147}
1148
1149
1150/**
1151 * fp_priv_compute_outcome \todo
798 * 1152 *
799 * @param ad TODO 1153 * @param ad TODO
800 * @param buflen TODO 1154 * @param buflen TODO
801 */ 1155 */
802unsigned char * 1156unsigned char *
803smc_compute_outcome (struct AuctionData *ad, size_t *buflen) 1157fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
804{ 1158{
805 unsigned char *ret; 1159 unsigned char *ret;
806 unsigned char *cur; 1160 unsigned char *cur;
@@ -821,8 +1175,8 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
821 *buflen = (ad->n * ad->k * /* nk * (gamma, delta, proof2) */ 1175 *buflen = (ad->n * ad->k * /* nk * (gamma, delta, proof2) */
822 (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2))); 1176 (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2)));
823 if (NULL == (cur = (ret = calloc (1, *buflen))) || 1177 if (NULL == (cur = (ret = calloc (1, *buflen))) ||
824 NULL == (ad->gamma = smc_init3 (ad->n, ad->n, ad->k)) || 1178 NULL == (ad->gamma3 = smc_init3 (ad->n, ad->n, ad->k)) ||
825 NULL == (ad->delta = smc_init3 (ad->n, ad->n, ad->k))) 1179 NULL == (ad->delta3 = smc_init3 (ad->n, ad->n, ad->k)))
826 { 1180 {
827 weprintf ("unable to alloc memory for first price outcome computation"); 1181 weprintf ("unable to alloc memory for first price outcome computation");
828 return NULL; 1182 return NULL;
@@ -912,21 +1266,20 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
912 * bidders when receiving their outcome messages */ 1266 * bidders when receiving their outcome messages */
913 for (uint16_t a = 0; a < ad->n; a++) 1267 for (uint16_t a = 0; a < ad->n; a++)
914 { 1268 {
915 /**\todo: how to copy a point more efficiently? */ 1269 ec_point_copy (ad->gamma3[a][i][j], tmpa);
916 gcry_mpi_ec_add (ad->gamma[a][i][j], ec_zero, tmpa, ec_ctx); 1270 ec_point_copy (ad->delta3[a][i][j], tmpb);
917 gcry_mpi_ec_add (ad->delta[a][i][j], ec_zero, tmpb, ec_ctx);
918 } 1271 }
919 1272
920 /* apply random masking for losing bidders */ 1273 /* apply random masking for losing bidders */
921 smc_zkp_2dle (ad->gamma[ad->i][i][j], 1274 smc_zkp_2dle (ad->gamma3[ad->i][i][j],
922 ad->delta[ad->i][i][j], 1275 ad->delta3[ad->i][i][j],
923 tmpa, 1276 tmpa,
924 tmpb, 1277 tmpb,
925 NULL, 1278 NULL,
926 proof2); 1279 proof2);
927 1280
928 ec_point_serialize (gamma, ad->gamma[ad->i][i][j]); 1281 ec_point_serialize (gamma, ad->gamma3[ad->i][i][j]);
929 ec_point_serialize (delta, ad->delta[ad->i][i][j]); 1282 ec_point_serialize (delta, ad->delta3[ad->i][i][j]);
930 1283
931 cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2); 1284 cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2);
932 } 1285 }
@@ -945,13 +1298,13 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
945 1298
946 1299
947int 1300int
948smc_recv_outcome (struct AuctionData *ad, 1301fp_priv_recv_outcome (struct BRANDT_Auction *ad,
949 unsigned char *buf, 1302 const unsigned char *buf,
950 size_t buflen, 1303 size_t buflen,
951 uint16_t sender) 1304 uint16_t sender)
952{ 1305{
953 int ret = 0; 1306 int ret = 0;
954 unsigned char *cur = buf; 1307 const unsigned char *cur = buf;
955 struct proof_2dle *proof2; 1308 struct proof_2dle *proof2;
956 gcry_mpi_point_t gamma = gcry_mpi_point_new (0); 1309 gcry_mpi_point_t gamma = gcry_mpi_point_new (0);
957 gcry_mpi_point_t delta = gcry_mpi_point_new (0); 1310 gcry_mpi_point_t delta = gcry_mpi_point_new (0);
@@ -974,15 +1327,15 @@ smc_recv_outcome (struct AuctionData *ad,
974 proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi)); 1327 proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
975 if (smc_zkp_2dle_check (gamma, 1328 if (smc_zkp_2dle_check (gamma,
976 delta, 1329 delta,
977 ad->gamma[sender][i][j], 1330 ad->gamma3[sender][i][j],
978 ad->delta[sender][i][j], 1331 ad->delta3[sender][i][j],
979 proof2)) 1332 proof2))
980 { 1333 {
981 weprintf ("wrong zkp2 for gamma, delta received"); 1334 weprintf ("wrong zkp2 for gamma, delta received");
982 goto quit; 1335 goto quit;
983 } 1336 }
984 gcry_mpi_ec_add (ad->gamma[sender][i][j], gamma, ec_zero, ec_ctx); 1337 ec_point_copy (ad->gamma3[sender][i][j], gamma);
985 gcry_mpi_ec_add (ad->delta[sender][i][j], delta, ec_zero, ec_ctx); 1338 ec_point_copy (ad->delta3[sender][i][j], delta);
986 cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2); 1339 cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2);
987 } 1340 }
988 } 1341 }
@@ -996,13 +1349,13 @@ quit:
996 1349
997 1350
998/** 1351/**
999 * smc_decrypt_outcome \todo 1352 * fp_priv_decrypt_outcome \todo
1000 * 1353 *
1001 * @param ad TODO 1354 * @param ad TODO
1002 * @param buflen TODO 1355 * @param buflen TODO
1003 */ 1356 */
1004unsigned char * 1357unsigned char *
1005smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen) 1358fp_priv_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen)
1006{ 1359{
1007 unsigned char *ret; 1360 unsigned char *ret;
1008 unsigned char *cur; 1361 unsigned char *cur;
@@ -1014,7 +1367,7 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
1014 1367
1015 *buflen = (ad->n * ad->k * (sizeof (*phi) + sizeof (*proof2))); 1368 *buflen = (ad->n * ad->k * (sizeof (*phi) + sizeof (*proof2)));
1016 if (NULL == (cur = (ret = calloc (1, *buflen))) || 1369 if (NULL == (cur = (ret = calloc (1, *buflen))) ||
1017 NULL == (ad->phi = smc_init3 (ad->n, ad->n, ad->k))) 1370 NULL == (ad->phi3 = smc_init3 (ad->n, ad->n, ad->k)))
1018 { 1371 {
1019 weprintf ("unable to alloc memory for first price outcome decryption"); 1372 weprintf ("unable to alloc memory for first price outcome decryption");
1020 return NULL; 1373 return NULL;
@@ -1027,24 +1380,23 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
1027 phi = (struct ec_mpi *)cur; 1380 phi = (struct ec_mpi *)cur;
1028 proof2 = (struct proof_2dle *)(cur + sizeof (*phi)); 1381 proof2 = (struct proof_2dle *)(cur + sizeof (*phi));
1029 1382
1030 smc_sum (tmp, &ad->delta[0][i][j], ad->n, ad->n * ad->k); 1383 smc_sum (tmp, &ad->delta3[0][i][j], ad->n, ad->n * ad->k);
1031 1384
1032 /* copy still encrypted outcome to all other bidder layers so they 1385 /* copy still encrypted outcome to all other bidder layers so they
1033 * don't have to be recomputed to check the ZK proof_2dle's from 1386 * don't have to be recomputed to check the ZK proof_2dle's from
1034 * other bidders when receiving their outcome decryption messages */ 1387 * other bidders when receiving their outcome decryption messages */
1035 for (uint16_t a = 0; a < ad->n; a++) 1388 for (uint16_t a = 0; a < ad->n; a++)
1036 /**\todo: how to copy a point more efficiently? */ 1389 ec_point_copy (ad->phi3[a][i][j], tmp);
1037 gcry_mpi_ec_add (ad->phi[a][i][j], ec_zero, tmp, ec_ctx);
1038 1390
1039 /* decrypt outcome component and prove the correct key was used */ 1391 /* decrypt outcome component and prove the correct key was used */
1040 smc_zkp_2dle (ad->phi[ad->i][i][j], 1392 smc_zkp_2dle (ad->phi3[ad->i][i][j],
1041 NULL, 1393 NULL,
1042 tmp, 1394 tmp,
1043 ec_gen, 1395 ec_gen,
1044 ad->x, 1396 ad->x,
1045 proof2); 1397 proof2);
1046 1398
1047 ec_point_serialize (phi, ad->phi[ad->i][i][j]); 1399 ec_point_serialize (phi, ad->phi3[ad->i][i][j]);
1048 1400
1049 cur += sizeof (*phi) + sizeof (*proof2); 1401 cur += sizeof (*phi) + sizeof (*proof2);
1050 } 1402 }
@@ -1056,13 +1408,13 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
1056 1408
1057 1409
1058int 1410int
1059smc_recv_decryption (struct AuctionData *ad, 1411fp_priv_recv_decryption (struct BRANDT_Auction *ad,
1060 unsigned char *buf, 1412 const unsigned char *buf,
1061 size_t buflen, 1413 size_t buflen,
1062 uint16_t sender) 1414 uint16_t sender)
1063{ 1415{
1064 int ret = 0; 1416 int ret = 0;
1065 unsigned char *cur = buf; 1417 const unsigned char *cur = buf;
1066 struct proof_2dle *proof2; 1418 struct proof_2dle *proof2;
1067 gcry_mpi_point_t phi = gcry_mpi_point_new (0); 1419 gcry_mpi_point_t phi = gcry_mpi_point_new (0);
1068 1420
@@ -1082,14 +1434,14 @@ smc_recv_decryption (struct AuctionData *ad,
1082 proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi)); 1434 proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi));
1083 if (smc_zkp_2dle_check (phi, 1435 if (smc_zkp_2dle_check (phi,
1084 ad->y[sender], 1436 ad->y[sender],
1085 ad->phi[sender][i][j], 1437 ad->phi3[sender][i][j],
1086 ec_gen, 1438 ec_gen,
1087 proof2)) 1439 proof2))
1088 { 1440 {
1089 weprintf ("wrong zkp2 for phi, y received"); 1441 weprintf ("wrong zkp2 for phi, y received");
1090 goto quit; 1442 goto quit;
1091 } 1443 }
1092 gcry_mpi_ec_add (ad->phi[sender][i][j], phi, ec_zero, ec_ctx); 1444 ec_point_copy (ad->phi3[sender][i][j], phi);
1093 cur += sizeof (struct ec_mpi) + sizeof (*proof2); 1445 cur += sizeof (struct ec_mpi) + sizeof (*proof2);
1094 } 1446 }
1095 } 1447 }
@@ -1102,7 +1454,7 @@ quit:
1102 1454
1103 1455
1104int32_t 1456int32_t
1105smc_determine_outcome (struct AuctionData *ad) 1457fp_priv_determine_outcome (struct BRANDT_Auction *ad)
1106{ 1458{
1107 int32_t ret = -1; 1459 int32_t ret = -1;
1108 gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0); 1460 gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0);
@@ -1112,8 +1464,8 @@ smc_determine_outcome (struct AuctionData *ad)
1112 1464
1113 for (uint16_t j = 0; j < ad->k; j++) 1465 for (uint16_t j = 0; j < ad->k; j++)
1114 { 1466 {
1115 smc_sum (sum_gamma, &ad->gamma[0][ad->i][j], ad->n, ad->n * ad->k); 1467 smc_sum (sum_gamma, &ad->gamma3[0][ad->i][j], ad->n, ad->n * ad->k);
1116 smc_sum (sum_phi, &ad->phi[0][ad->i][j], ad->n, ad->n * ad->k); 1468 smc_sum (sum_phi, &ad->phi3[0][ad->i][j], ad->n, ad->n * ad->k);
1117 gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx); 1469 gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx);
1118 if (!ec_point_cmp (sum_gamma, ec_zero)) 1470 if (!ec_point_cmp (sum_gamma, ec_zero))
1119 { 1471 {
@@ -1149,9 +1501,9 @@ smc_zkp_dl (gcry_mpi_point_t v,
1149 struct zkp_challenge_dl challenge; 1501 struct zkp_challenge_dl challenge;
1150 struct brandt_hash_code challhash; 1502 struct brandt_hash_code challhash;
1151 gcry_mpi_point_t a = gcry_mpi_point_new (0); 1503 gcry_mpi_point_t a = gcry_mpi_point_new (0);
1152 gcry_mpi_t r = gcry_mpi_new (0); 1504 gcry_mpi_t r = gcry_mpi_new (256);
1153 gcry_mpi_t c = gcry_mpi_new (0); 1505 gcry_mpi_t c = gcry_mpi_new (256);
1154 gcry_mpi_t z = gcry_mpi_new (0); 1506 gcry_mpi_t z = gcry_mpi_new (256);
1155 1507
1156 /* v = xg */ 1508 /* v = xg */
1157 gcry_mpi_ec_mul (v, x, ec_gen, ec_ctx); 1509 gcry_mpi_ec_mul (v, x, ec_gen, ec_ctx);
@@ -1197,8 +1549,8 @@ smc_zkp_dl_check (const gcry_mpi_point_t v,
1197 struct zkp_challenge_dl challenge; 1549 struct zkp_challenge_dl challenge;
1198 struct brandt_hash_code challhash; 1550 struct brandt_hash_code challhash;
1199 gcry_mpi_point_t a = gcry_mpi_point_new (0); 1551 gcry_mpi_point_t a = gcry_mpi_point_new (0);
1200 gcry_mpi_t r = gcry_mpi_new (0); 1552 gcry_mpi_t r = gcry_mpi_new (256);
1201 gcry_mpi_t c = gcry_mpi_new (0); 1553 gcry_mpi_t c = gcry_mpi_new (256);
1202 gcry_mpi_point_t left = gcry_mpi_point_new (0); 1554 gcry_mpi_point_t left = gcry_mpi_point_new (0);
1203 gcry_mpi_point_t right = gcry_mpi_point_new (0); 1555 gcry_mpi_point_t right = gcry_mpi_point_new (0);
1204 1556
@@ -1260,13 +1612,13 @@ smc_zkp_2dle (gcry_mpi_point_t v,
1260 gcry_mpi_t rx; 1612 gcry_mpi_t rx;
1261 gcry_mpi_point_t a = gcry_mpi_point_new (0); 1613 gcry_mpi_point_t a = gcry_mpi_point_new (0);
1262 gcry_mpi_point_t b = gcry_mpi_point_new (0); 1614 gcry_mpi_point_t b = gcry_mpi_point_new (0);
1263 gcry_mpi_t r = gcry_mpi_new (0); 1615 gcry_mpi_t r = gcry_mpi_new (256);
1264 gcry_mpi_t c = gcry_mpi_new (0); 1616 gcry_mpi_t c = gcry_mpi_new (256);
1265 gcry_mpi_t z = gcry_mpi_new (0); 1617 gcry_mpi_t z = gcry_mpi_new (256);
1266 1618
1267 rv = (NULL == v) ? gcry_mpi_point_new (0) : v; 1619 rv = (NULL == v) ? gcry_mpi_point_new (0) : v;
1268 rw = (NULL == w) ? gcry_mpi_point_new (0) : w; 1620 rw = (NULL == w) ? gcry_mpi_point_new (0) : w;
1269 rx = (NULL == x) ? gcry_mpi_new (0) : x; 1621 rx = (NULL == x) ? gcry_mpi_new (256) : x;
1270 1622
1271 if (NULL == x) 1623 if (NULL == x)
1272 ec_skey_create (rx); 1624 ec_skey_create (rx);
@@ -1339,8 +1691,8 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
1339 struct brandt_hash_code challhash; 1691 struct brandt_hash_code challhash;
1340 gcry_mpi_point_t a = gcry_mpi_point_new (0); 1692 gcry_mpi_point_t a = gcry_mpi_point_new (0);
1341 gcry_mpi_point_t b = gcry_mpi_point_new (0); 1693 gcry_mpi_point_t b = gcry_mpi_point_new (0);
1342 gcry_mpi_t r = gcry_mpi_new (0); 1694 gcry_mpi_t r = gcry_mpi_new (256);
1343 gcry_mpi_t c = gcry_mpi_new (0); 1695 gcry_mpi_t c = gcry_mpi_new (256);
1344 gcry_mpi_point_t left = gcry_mpi_point_new (0); 1696 gcry_mpi_point_t left = gcry_mpi_point_new (0);
1345 gcry_mpi_point_t right = gcry_mpi_point_new (0); 1697 gcry_mpi_point_t right = gcry_mpi_point_new (0);
1346 1698
@@ -1415,15 +1767,15 @@ smc_zkp_0og (int m_is_gen,
1415 gcry_mpi_point_t a2 = gcry_mpi_point_new (0); 1767 gcry_mpi_point_t a2 = gcry_mpi_point_new (0);
1416 gcry_mpi_point_t b1 = gcry_mpi_point_new (0); 1768 gcry_mpi_point_t b1 = gcry_mpi_point_new (0);
1417 gcry_mpi_point_t b2 = gcry_mpi_point_new (0); 1769 gcry_mpi_point_t b2 = gcry_mpi_point_new (0);
1418 gcry_mpi_t d1 = gcry_mpi_new (0); 1770 gcry_mpi_t d1 = gcry_mpi_new (256);
1419 gcry_mpi_t d2 = gcry_mpi_new (0); 1771 gcry_mpi_t d2 = gcry_mpi_new (256);
1420 gcry_mpi_t r1 = gcry_mpi_new (0); 1772 gcry_mpi_t r1 = gcry_mpi_new (256);
1421 gcry_mpi_t r2 = gcry_mpi_new (0); 1773 gcry_mpi_t r2 = gcry_mpi_new (256);
1422 gcry_mpi_t c = gcry_mpi_new (0); 1774 gcry_mpi_t c = gcry_mpi_new (256);
1423 gcry_mpi_t rr; 1775 gcry_mpi_t rr;
1424 gcry_mpi_t w = gcry_mpi_new (0); 1776 gcry_mpi_t w = gcry_mpi_new (256);
1425 1777
1426 rr = (NULL == r) ? gcry_mpi_new (0) : r; 1778 rr = (NULL == r) ? gcry_mpi_new (256) : r;
1427 1779
1428 /* beta = r*g */ 1780 /* beta = r*g */
1429 ec_keypair_create (beta, rr); 1781 ec_keypair_create (beta, rr);
@@ -1559,12 +1911,12 @@ smc_zkp_0og_check (const gcry_mpi_point_t y,
1559 gcry_mpi_point_t a2 = gcry_mpi_point_new (0); 1911 gcry_mpi_point_t a2 = gcry_mpi_point_new (0);
1560 gcry_mpi_point_t b1 = gcry_mpi_point_new (0); 1912 gcry_mpi_point_t b1 = gcry_mpi_point_new (0);
1561 gcry_mpi_point_t b2 = gcry_mpi_point_new (0); 1913 gcry_mpi_point_t b2 = gcry_mpi_point_new (0);
1562 gcry_mpi_t d1 = gcry_mpi_new (0); 1914 gcry_mpi_t d1 = gcry_mpi_new (256);
1563 gcry_mpi_t d2 = gcry_mpi_new (0); 1915 gcry_mpi_t d2 = gcry_mpi_new (256);
1564 gcry_mpi_t r1 = gcry_mpi_new (0); 1916 gcry_mpi_t r1 = gcry_mpi_new (256);
1565 gcry_mpi_t r2 = gcry_mpi_new (0); 1917 gcry_mpi_t r2 = gcry_mpi_new (256);
1566 gcry_mpi_t c = gcry_mpi_new (0); 1918 gcry_mpi_t c = gcry_mpi_new (256);
1567 gcry_mpi_t sum = gcry_mpi_new (0); 1919 gcry_mpi_t sum = gcry_mpi_new (256);
1568 gcry_mpi_point_t right = gcry_mpi_point_new (0); 1920 gcry_mpi_point_t right = gcry_mpi_point_new (0);
1569 gcry_mpi_point_t tmp = gcry_mpi_point_new (0); 1921 gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
1570 1922
@@ -1635,52 +1987,3 @@ smc_zkp_0og_check (const gcry_mpi_point_t y,
1635 weprintf ("ret: 0x%x", ret); 1987 weprintf ("ret: 0x%x", ret);
1636 return ret; 1988 return ret;
1637} 1989}
1638
1639
1640/* --- unused stuff, might become useful later --- */
1641
1642///**
1643// * Clear memory that was used to store a private key.
1644// *
1645// * @param skey the key
1646// */
1647//void
1648//brandt_ec_key_clear (gcry_mpi_t skey)
1649//{
1650// gcry_mpi_randomize (skey, 256, GCRY_WEAK_RANDOM);
1651// gcry_mpi_release (skey);
1652//}
1653
1654
1655///**
1656// * Generate a random value mod n.
1657// *
1658// * @param edc ECC context
1659// * @return random value mod n.
1660// */
1661//gcry_mpi_t
1662//GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc)
1663//{
1664// gcry_mpi_t n;
1665// unsigned int highbit;
1666// gcry_mpi_t r;
1667//
1668// n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);
1669//
1670// /* check public key for number of bits, bail out if key is all zeros */
1671// highbit = 256; /* Curve25519 */
1672// while ( (! gcry_mpi_test_bit (n, highbit)) &&
1673// (0 != highbit) )
1674// highbit--;
1675// GNUNET_assert (0 != highbit);
1676// /* generate fact < n (without bias) */
1677// GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
1678// do {
1679// gcry_mpi_randomize (r,
1680// highbit + 1,
1681// GCRY_STRONG_RANDOM);
1682// }
1683// while (gcry_mpi_cmp (r, n) >= 0);
1684// gcry_mpi_release (n);
1685// return r;
1686//}
diff --git a/crypto.h b/crypto.h
index 8d2983c..6e1d938 100644
--- a/crypto.h
+++ b/crypto.h
@@ -26,9 +26,11 @@
26#include <gcrypt.h> 26#include <gcrypt.h>
27#include <stdint.h> 27#include <stdint.h>
28 28
29#include <gnunet/gnunet_util_lib.h>
30
29#include "internals.h" 31#include "internals.h"
30 32
31void brandt_crypto_init (); 33void brandt_crypto_init (struct GNUNET_CRYPTO_EccDlogContext *dlogctx);
32 34
33 35
34/* --- HASHING --- */ 36/* --- HASHING --- */
@@ -48,6 +50,7 @@ struct ec_mpi {
48 unsigned char data[256 / 8]; 50 unsigned char data[256 / 8];
49}; 51};
50 52
53void ec_point_copy (gcry_mpi_point_t dst, const gcry_mpi_point_t src);
51int ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b); 54int ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b);
52void ec_skey_create (gcry_mpi_t skey); 55void ec_skey_create (gcry_mpi_t skey);
53void ec_keypair_create (gcry_mpi_point_t pkey, gcry_mpi_t skey); 56void ec_keypair_create (gcry_mpi_point_t pkey, gcry_mpi_t skey);
@@ -111,30 +114,42 @@ int smc_zkp_0og_check (const gcry_mpi_point_t y,
111 114
112/* --- Protocol implementation --- */ 115/* --- Protocol implementation --- */
113 116
114unsigned char *smc_gen_keyshare (struct AuctionData *ad, size_t *buflen); 117unsigned char *smc_gen_keyshare (struct BRANDT_Auction *ad, size_t *buflen);
115int smc_recv_keyshare (struct AuctionData *ad, 118int smc_recv_keyshare (struct BRANDT_Auction *ad,
116 unsigned char *buf, 119 const unsigned char *buf,
117 size_t buflen, 120 size_t buflen,
118 uint16_t sender_index); 121 uint16_t sender_index);
119 122
120unsigned char *smc_encrypt_bid (struct AuctionData *ad, size_t *buflen); 123unsigned char *smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen);
121int smc_recv_encrypted_bid (struct AuctionData *ad, 124int smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
122 unsigned char *buf, 125 const unsigned char *buf,
123 size_t buflen, 126 size_t buflen,
124 uint16_t sender_index); 127 uint16_t sender_index);
125 128
126unsigned char *smc_compute_outcome (struct AuctionData *ad, size_t *buflen); 129unsigned char *fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen);
127int smc_recv_outcome (struct AuctionData *ad, 130int fp_priv_recv_outcome (struct BRANDT_Auction *ad,
128 unsigned char *buf, 131 const unsigned char *buf,
129 size_t buflen, 132 size_t buflen,
130 uint16_t sender); 133 uint16_t sender);
131 134
132unsigned char *smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen); 135unsigned char *fp_priv_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen);
133int smc_recv_decryption (struct AuctionData *ad, 136int fp_priv_recv_decryption (struct BRANDT_Auction *ad,
134 unsigned char *buf, 137 const unsigned char *buf,
135 size_t buflen, 138 size_t buflen,
136 uint16_t sender); 139 uint16_t sender);
137 140
138int32_t smc_determine_outcome (struct AuctionData *ad); 141unsigned char *fp_pub_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen);
142int fp_pub_recv_outcome (struct BRANDT_Auction *ad,
143 const unsigned char *buf,
144 size_t buflen,
145 uint16_t sender);
146
147unsigned char *fp_pub_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen);
148int fp_pub_recv_decryption (struct BRANDT_Auction *ad,
149 const unsigned char *buf,
150 size_t buflen,
151 uint16_t sender);
152
153int32_t fp_priv_determine_outcome (struct BRANDT_Auction *ad);
139 154
140#endif /* ifndef _BRANDT_CRYPTO_H */ 155#endif /* ifndef _BRANDT_CRYPTO_H */
diff --git a/internals.h b/internals.h
index 7dab0d6..4624347 100644
--- a/internals.h
+++ b/internals.h
@@ -40,8 +40,10 @@ enum rounds {
40/** 40/**
41 * This struct describes an auction and has to be followed by #description_len 41 * This struct describes an auction and has to be followed by #description_len
42 * bytes of arbitrary data where the description of the item to be sold is 42 * bytes of arbitrary data where the description of the item to be sold is
43 * stored. */ 43 * stored.
44struct AuctionDescr { 44 *
45 * \todo: align to a multiple of 64bit */
46struct BRANDT_AuctionDescrP {
45 /** The length of the description in bytes directly following this struct */ 47 /** The length of the description in bytes directly following this struct */
46 uint32_t description_len; 48 uint32_t description_len;
47 49
@@ -55,11 +57,13 @@ struct AuctionDescr {
55 57
56 /** The amount of possible prices */ 58 /** The amount of possible prices */
57 uint16_t price_range; 59 uint16_t price_range;
60
61 /** \todo: time */
58}; 62};
59 63
60 64
61struct BRANDT_Auction { 65struct BRANDT_Auction {
62 struct AuctionDescr *desc; /** pointer to the auction information */ 66 struct BRANDT_AuctionDescrP *desc; /** pointer to the auction information */
63 67
64 BRANDT_CbBroadcast bcast; /** broadcast callback */ 68 BRANDT_CbBroadcast bcast; /** broadcast callback */
65 BRANDT_CbUnicast ucast; /** unicast callback */ 69 BRANDT_CbUnicast ucast; /** unicast callback */
diff --git a/test_crypto.c b/test_crypto.c
index c1774e4..b039011 100644
--- a/test_crypto.c
+++ b/test_crypto.c
@@ -20,6 +20,8 @@
20 * @author Markus Teich 20 * @author Markus Teich
21 */ 21 */
22 22
23#include "brandt_config.h"
24
23/* For testing static functions and variables we include the whole source */ 25/* For testing static functions and variables we include the whole source */
24#include "crypto.c" 26#include "crypto.c"
25 27
@@ -30,7 +32,7 @@
30 32
31static uint16_t bidders; 33static uint16_t bidders;
32static uint16_t prizes; 34static uint16_t prizes;
33static struct AuctionData *ad; 35static struct BRANDT_Auction *ad;
34 36
35int 37int
36test_smc_2d_array () 38test_smc_2d_array ()
@@ -79,8 +81,8 @@ test_serialization ()
79{ 81{
80 gcry_mpi_point_t oldp = gcry_mpi_point_new (0); 82 gcry_mpi_point_t oldp = gcry_mpi_point_new (0);
81 gcry_mpi_point_t newp = gcry_mpi_point_new (0); 83 gcry_mpi_point_t newp = gcry_mpi_point_new (0);
82 gcry_mpi_t oldi = gcry_mpi_new (0); 84 gcry_mpi_t oldi = gcry_mpi_new (256);
83 gcry_mpi_t newi = gcry_mpi_new (0); 85 gcry_mpi_t newi = gcry_mpi_new (256);
84 struct ec_mpi serp; 86 struct ec_mpi serp;
85 struct ec_mpi seri; 87 struct ec_mpi seri;
86 88
@@ -111,7 +113,7 @@ int
111test_smc_zkp_dl () 113test_smc_zkp_dl ()
112{ 114{
113 struct proof_dl proof; 115 struct proof_dl proof;
114 gcry_mpi_t x = gcry_mpi_new (0); 116 gcry_mpi_t x = gcry_mpi_new (256);
115 gcry_mpi_point_t v = gcry_mpi_point_new (0); 117 gcry_mpi_point_t v = gcry_mpi_point_new (0);
116 118
117 ec_skey_create (x); 119 ec_skey_create (x);
@@ -130,7 +132,7 @@ int
130test_smc_zkp_2dle () 132test_smc_zkp_2dle ()
131{ 133{
132 struct proof_2dle proof; 134 struct proof_2dle proof;
133 gcry_mpi_t x = gcry_mpi_new (0); 135 gcry_mpi_t x = gcry_mpi_new (256);
134 gcry_mpi_point_t g1 = gcry_mpi_point_new (0); 136 gcry_mpi_point_t g1 = gcry_mpi_point_new (0);
135 gcry_mpi_point_t g2 = gcry_mpi_point_new (0); 137 gcry_mpi_point_t g2 = gcry_mpi_point_new (0);
136 gcry_mpi_point_t v = gcry_mpi_point_new (0); 138 gcry_mpi_point_t v = gcry_mpi_point_new (0);
@@ -184,7 +186,7 @@ test_setup_auction_data ()
184{ 186{
185 uint16_t i; 187 uint16_t i;
186 188
187 ad = calloc (bidders, sizeof (struct AuctionData)); 189 ad = calloc (bidders, sizeof (struct BRANDT_Auction));
188 190
189 for (i = 0; i < bidders; i++) 191 for (i = 0; i < bidders; i++)
190 { 192 {
@@ -266,7 +268,7 @@ test_round2 ()
266 268
267 for (i = 0; i < bidders; i++) 269 for (i = 0; i < bidders; i++)
268 { 270 {
269 bufs[i] = smc_compute_outcome (&ad[i], &lens[i]); 271 bufs[i] = fp_priv_compute_outcome (&ad[i], &lens[i]);
270 check (bufs[i], "failed to compute outcome"); 272 check (bufs[i], "failed to compute outcome");
271 } 273 }
272 274
@@ -276,7 +278,7 @@ test_round2 ()
276 { 278 {
277 if (s == i) 279 if (s == i)
278 continue; 280 continue;
279 check (smc_recv_outcome (&ad[i], bufs[s], lens[s], s), 281 check (fp_priv_recv_outcome (&ad[i], bufs[s], lens[s], s),
280 "failed checking outcome"); 282 "failed checking outcome");
281 } 283 }
282 } 284 }
@@ -296,7 +298,7 @@ test_round3 ()
296 298
297 for (i = 0; i < bidders; i++) 299 for (i = 0; i < bidders; i++)
298 { 300 {
299 bufs[i] = smc_decrypt_outcome (&ad[i], &lens[i]); 301 bufs[i] = fp_priv_decrypt_outcome (&ad[i], &lens[i]);
300 check (bufs[i], "failed to decrypt outcome"); 302 check (bufs[i], "failed to decrypt outcome");
301 } 303 }
302 304
@@ -306,7 +308,7 @@ test_round3 ()
306 { 308 {
307 if (s == i) 309 if (s == i)
308 continue; 310 continue;
309 check (smc_recv_decryption (&ad[i], bufs[s], lens[s], s), 311 check (fp_priv_recv_decryption (&ad[i], bufs[s], lens[s], s),
310 "failed checking decrypted outcome"); 312 "failed checking decrypted outcome");
311 } 313 }
312 } 314 }
@@ -324,7 +326,7 @@ test_outcome ()
324 326
325 for (uint16_t i = 0; i < ad->n; i++) 327 for (uint16_t i = 0; i < ad->n; i++)
326 { 328 {
327 if (-1 != smc_determine_outcome (&ad[i])) 329 if (-1 != fp_priv_determine_outcome (&ad[i]))
328 { 330 {
329 check (-1 == ret, "multiple winners detected"); 331 check (-1 == ret, "multiple winners detected");
330 ret = i; 332 ret = i;
@@ -346,9 +348,14 @@ cleanup_auction_data ()
346 smc_free1 (ad[i].y, ad[i].n); 348 smc_free1 (ad[i].y, ad[i].n);
347 smc_free2 (ad[i].alpha, ad[i].n, ad[i].k); 349 smc_free2 (ad[i].alpha, ad[i].n, ad[i].k);
348 smc_free2 (ad[i].beta, ad[i].n, ad[i].k); 350 smc_free2 (ad[i].beta, ad[i].n, ad[i].k);
349 smc_free3 (ad[i].gamma, ad[i].n, ad[i].n, ad[i].k); 351 smc_free2 (ad[i].gamma2, ad[i].n, ad[i].k);
350 smc_free3 (ad[i].delta, ad[i].n, ad[i].n, ad[i].k); 352 smc_free2 (ad[i].delta2, ad[i].n, ad[i].k);
351 smc_free3 (ad[i].phi, ad[i].n, ad[i].n, ad[i].k); 353 smc_free2 (ad[i].phi2, ad[i].n, ad[i].k);
354 smc_free3 (ad[i].gamma3, ad[i].n, ad[i].n, ad[i].k);
355 smc_free3 (ad[i].delta3, ad[i].n, ad[i].n, ad[i].k);
356 smc_free3 (ad[i].phi3, ad[i].n, ad[i].n, ad[i].k);
357 smc_free1 (ad[i].tmpa1, ad[i].k);
358 smc_free1 (ad[i].tmpb1, ad[i].k);
352 } 359 }
353 free (ad); 360 free (ad);
354} 361}
@@ -358,11 +365,13 @@ int
358main (int argc, char *argv[]) 365main (int argc, char *argv[])
359{ 366{
360 int repeat = 8; 367 int repeat = 8;
368 struct GNUNET_CRYPTO_EccDlogContext *edc;
361 369
362 bidders = 2; 370 bidders = 2;
363 prizes = 2 * bidders; 371 prizes = 2 * bidders;
364 372
365 BRANDT_init (); 373 edc = GNUNET_CRYPTO_ecc_dlog_prepare (1024 * 1024, 1024);
374 BRANDT_init (edc);
366 375
367 /* tests that need to run only once */ 376 /* tests that need to run only once */
368 run (test_smc_2d_array); 377 run (test_smc_2d_array);
@@ -384,5 +393,6 @@ main (int argc, char *argv[])
384 cleanup_auction_data (); 393 cleanup_auction_data ();
385 } 394 }
386 395
396 GNUNET_CRYPTO_ecc_dlog_release (edc);
387 return ret; 397 return ret;
388} 398}
diff --git a/tex-stuff/math.tex b/tex-stuff/math.tex
index e274e39..c515973 100644
--- a/tex-stuff/math.tex
+++ b/tex-stuff/math.tex
@@ -76,7 +76,7 @@ case, in other words, it is shown that $M \in \{0, G\}$. \\
76 Proof: & $A_1, A_2, B_1, B_2, d_1, d_2, r_1, r_2$ 76 Proof: & $A_1, A_2, B_1, B_2, d_1, d_2, r_1, r_2$
77\end{tabular} 77\end{tabular}
78 78
79\subsection{Protocol} 79\subsection{First Price Auction Protocol With Private Outcome}
80 80
81Let $n$ be the number of participating bidders/agents in the protocol and $k$ be 81Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
82the amount of possible valuations/prices for the sold good. Let $G$ be the 82the amount of possible valuations/prices for the sold good. Let $G$ be the
@@ -131,6 +131,8 @@ each $i, j$ and $h \neq i$ after having received all of them.
131 \item If $\exists w: V_{aw} = 0$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price. 131 \item If $\exists w: V_{aw} = 0$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
132\end{enumerate} 132\end{enumerate}
133 133
134\subsection{First Price Auction Protocol With Public Outcome}
135
134 136
135 137
136 138
diff --git a/util.c b/util.c
index 1eff0d4..76ceab8 100644
--- a/util.c
+++ b/util.c
@@ -19,6 +19,9 @@
19 * @brief Implementation of common utility functions. 19 * @brief Implementation of common utility functions.
20 * @author Markus Teich 20 * @author Markus Teich
21 */ 21 */
22
23#include "brandt_config.h"
24
22#include <errno.h> 25#include <errno.h>
23#include <stdarg.h> 26#include <stdarg.h>
24#include <stdio.h> 27#include <stdio.h>
generated by cgit v1.2.3 (git 2.39.1) at 2024-04-25 01:14:15 +0000