fix preparation for M+1st price auctions

3 files changed, 18 insertions, 9 deletions

diff --git a/brandt.c b/brandt.c
index 0c7b40e..337de57 100644
--- a/brandt.c
+++ b/brandt.c
@@ -73,7 +73,10 @@ BRANDT_bidder_start (struct BRANDT_Auction *auction,
          * encrypt_bid round to show that the bidder has chosen a valid bid and the
          * outcome callback will remap the result to the original k price values. */
         if (auction_mPlusFirstPrice == atype)
+        {
                 auction->k *= n;
+                auction->b = auction->b * n + n - i - 1;
+        }
 
         if (handler_prep[atype][outcome][msg_init])
                 handler_prep[atype][outcome][msg_init] (auction);
diff --git a/crypto.c b/crypto.c
index 1d0dae3..3e4991d 100644
--- a/crypto.c
+++ b/crypto.c
@@ -741,7 +741,7 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
                 gcry_mpi_addm (r_sum, r_sum, r_part, ec_n);
 
                 /* prepare sum for additional  M+1st price auction proof (see below) */
-                if (0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n)
+                if (0 < ad->m && 1 == (ad->k - j - ad->i) % ad->n)
                         gcry_mpi_addm (r_sum2, r_sum2, r_part, ec_n);
 
                 cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og);
@@ -809,7 +809,7 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
 
                 /* precalculate ciphertext sums for second 2dle proof needed in M+1st
                  * price auctions */
-                if (0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n)
+                if (0 < ad->m && 1 == (ad->k - j - sender) % ad->n)
                 {
                         gcry_mpi_ec_add (alpha_sum2, alpha_sum2, ct[0][j], ec_ctx);
                         gcry_mpi_ec_add (beta_sum2, beta_sum2, ct[1][j], ec_ctx);
diff --git a/tex-stuff/math.tex b/tex-stuff/math.tex
index ae66608..60568cf 100644
--- a/tex-stuff/math.tex
+++ b/tex-stuff/math.tex
@@ -192,13 +192,19 @@ M+1st Price Auction schemes. We took the simplest one, interlacing the bids, so
 that no two bidders are allowed to bid the same price. On the application level
 we will still handle $k_{\text{app}}$ different prices, but within libbrandt we
 will multiply that by a factor of $n$ to get $k_{\text{lib}}=nk_{\text{app}}$.
-Then each bidder $i$ is only allowed to place his bid $b$ on prices $p$ with
-$\exists a\in{[1,k_{\text{app}}]}:b=an-i+1$. This condition will be checked by
-an additional proof in the first round of the protocol and ensures that the
-bidders with a lower index win in case of ties. This expansion will be done
-right at the beginning of an auction by libbrandt. In the remaining part about
-the M+1st Price Auction Protocols we will use $k$ instead of $k_{\text{lib}}$,
-so $k$ will be divisible by $n$ without remainder.
+
+The bids are scaled up as well by the mapping $\forall
+i\in{[1,n]}:b_{i,\text{lib}}=b_{i,\text{app}}n-i+1$. Therefore the set of
+allowed bids for bidder $i$ is defined as $\{j|k_{\text{lib}}-j+1\equiv
+i\pmod{n}\}$.
+
+This restriction will be checked by an additional proof in the first round of
+the protocol and ensures that the bidders with a lower index win in case of
+ties. The expansion will be done right at the beginning of an auction by
+libbrandt and the reverse mapping is applied before reporting the auction
+outcome to the application, so this expansion is transparent to the application.
+In the remaining part about the M+1st Price Auction Protocols we will use $k$
+instead of $k_{\text{lib}}$, so $k$ will be divisible by $n$ without remainder.
 
 Unfortunately this tie breaking simplification has the downside of revealing the
 identity and bid of the bidder who had the highest bid amongst the losing