diff options
| author | Markus Teich <markus.teich@stusta.mhn.de> | 2016-10-09 14:16:53 +0200 |
|---|---|---|
| committer | Markus Teich <markus.teich@stusta.mhn.de> | 2016-10-09 14:16:53 +0200 |
| commit | ebd955858f8f6b9bce4838e2ece05d353422b45d (patch) | |
| tree | 916c07dce687dabade29040056934cfb4dfed7ee | |
| parent | d4932019ad8b382c6948f660a0038f2cfbe7fa89 (diff) | |
| download | libbrandt-ebd955858f8f6b9bce4838e2ece05d353422b45d.tar.gz libbrandt-ebd955858f8f6b9bce4838e2ece05d353422b45d.zip | |
add additional proof on encrypt_bid for M+1st price auctions
This is needed to ensure bidders are only chosing bids from the subset which is
allowed to them. This prevents ties and keeps the protocol way more simple for
M+1st price auctions.
| -rw-r--r-- | crypto.c | 55 |
1 files changed, 54 insertions, 1 deletions
| @@ -705,6 +705,7 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen) | |||
| 705 | struct msg_head *head; | 705 | struct msg_head *head; |
| 706 | struct proof_0og *proof3; | 706 | struct proof_0og *proof3; |
| 707 | gcry_mpi_t r_sum; | 707 | gcry_mpi_t r_sum; |
| 708 | gcry_mpi_t r_sum2; | ||
| 708 | gcry_mpi_t r_part; | 709 | gcry_mpi_t r_part; |
| 709 | 710 | ||
| 710 | brandt_assert (ad && buflen); | 711 | brandt_assert (ad && buflen); |
| @@ -721,6 +722,7 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen) | |||
| 721 | cur = ret + sizeof (*head); | 722 | cur = ret + sizeof (*head); |
| 722 | 723 | ||
| 723 | r_sum = gcry_mpi_new (256); | 724 | r_sum = gcry_mpi_new (256); |
| 725 | r_sum2 = gcry_mpi_new (256); | ||
| 724 | r_part = gcry_mpi_new (256); | 726 | r_part = gcry_mpi_new (256); |
| 725 | 727 | ||
| 726 | for (uint16_t j = 0; j < ad->k; j++) | 728 | for (uint16_t j = 0; j < ad->k; j++) |
| @@ -735,11 +737,29 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen) | |||
| 735 | ec_point_serialize ((struct ec_mpi *)cur, ad->alpha[ad->i][j]); | 737 | ec_point_serialize ((struct ec_mpi *)cur, ad->alpha[ad->i][j]); |
| 736 | ec_point_serialize (&((struct ec_mpi *)cur)[1], ad->beta[ad->i][j]); | 738 | ec_point_serialize (&((struct ec_mpi *)cur)[1], ad->beta[ad->i][j]); |
| 737 | gcry_mpi_addm (r_sum, r_sum, r_part, ec_n); | 739 | gcry_mpi_addm (r_sum, r_sum, r_part, ec_n); |
| 740 | |||
| 741 | /* prepare sum for additional M+1st price auction proof (see below) */ | ||
| 742 | if (0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n) | ||
| 743 | gcry_mpi_addm (r_sum2, r_sum2, r_part, ec_n); | ||
| 744 | |||
| 738 | cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og); | 745 | cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og); |
| 739 | } | 746 | } |
| 740 | smc_zkp_2dle (NULL, NULL, ad->Y, ec_gen, r_sum, (struct proof_2dle *)cur); | 747 | smc_zkp_2dle (NULL, NULL, ad->Y, ec_gen, r_sum, (struct proof_2dle *)cur); |
| 741 | 748 | ||
| 749 | /* in M+1st price auctions we need to prove that our bid is from the valid | ||
| 750 | * subset of bids as well */ | ||
| 751 | if (0 < ad->m) | ||
| 752 | { | ||
| 753 | struct proof_2dle *proof2; | ||
| 754 | *buflen += sizeof (struct proof_2dle); | ||
| 755 | ret = GNUNET_realloc (ret, *buflen); | ||
| 756 | proof2 = (struct proof_2dle *)(ret + *buflen - | ||
| 757 | sizeof (struct proof_2dle)); | ||
| 758 | smc_zkp_2dle (NULL, NULL, ad->Y, ec_gen, r_sum2, proof2); | ||
| 759 | } | ||
| 760 | |||
| 742 | gcry_mpi_release (r_sum); | 761 | gcry_mpi_release (r_sum); |
| 762 | gcry_mpi_release (r_sum2); | ||
| 743 | gcry_mpi_release (r_part); | 763 | gcry_mpi_release (r_part); |
| 744 | 764 | ||
| 745 | return ret; | 765 | return ret; |
| @@ -758,11 +778,13 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad, | |||
| 758 | gcry_mpi_point_t **ct; /* ciphertexts */ | 778 | gcry_mpi_point_t **ct; /* ciphertexts */ |
| 759 | gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0); | 779 | gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0); |
| 760 | gcry_mpi_point_t beta_sum = gcry_mpi_point_new (0); | 780 | gcry_mpi_point_t beta_sum = gcry_mpi_point_new (0); |
| 781 | gcry_mpi_point_t alpha_sum2 = gcry_mpi_point_new (0); | ||
| 782 | gcry_mpi_point_t beta_sum2 = gcry_mpi_point_new (0); | ||
| 761 | 783 | ||
| 762 | brandt_assert (ad && buf); | 784 | brandt_assert (ad && buf); |
| 763 | 785 | ||
| 764 | if (buflen != (ad->k * (sizeof (struct ec_mpi) * 2 + sizeof (*proof3)) + | 786 | if (buflen != (ad->k * (sizeof (struct ec_mpi) * 2 + sizeof (*proof3)) + |
| 765 | sizeof (struct proof_2dle)) || | 787 | (0 < ad->m ? 2 : 1) * sizeof (struct proof_2dle)) || |
| 766 | NULL == (ct = smc_init2 (2, ad->k))) | 788 | NULL == (ct = smc_init2 (2, ad->k))) |
| 767 | { | 789 | { |
| 768 | weprintf ("wrong size of received encrypted bid"); | 790 | weprintf ("wrong size of received encrypted bid"); |
| @@ -771,6 +793,8 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad, | |||
| 771 | 793 | ||
| 772 | ec_point_copy (alpha_sum, ec_zero); | 794 | ec_point_copy (alpha_sum, ec_zero); |
| 773 | ec_point_copy (beta_sum, ec_zero); | 795 | ec_point_copy (beta_sum, ec_zero); |
| 796 | ec_point_copy (alpha_sum2, ec_zero); | ||
| 797 | ec_point_copy (beta_sum2, ec_zero); | ||
| 774 | 798 | ||
| 775 | for (uint16_t j = 0; j < ad->k; j++) | 799 | for (uint16_t j = 0; j < ad->k; j++) |
| 776 | { | 800 | { |
| @@ -784,6 +808,15 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad, | |||
| 784 | } | 808 | } |
| 785 | gcry_mpi_ec_add (alpha_sum, alpha_sum, ct[0][j], ec_ctx); | 809 | gcry_mpi_ec_add (alpha_sum, alpha_sum, ct[0][j], ec_ctx); |
| 786 | gcry_mpi_ec_add (beta_sum, beta_sum, ct[1][j], ec_ctx); | 810 | gcry_mpi_ec_add (beta_sum, beta_sum, ct[1][j], ec_ctx); |
| 811 | |||
| 812 | /* precalculate ciphertext sums for second 2dle proof needed in M+1st | ||
| 813 | * price auctions */ | ||
| 814 | if (0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n) | ||
| 815 | { | ||
| 816 | gcry_mpi_ec_add (alpha_sum2, alpha_sum2, ct[0][j], ec_ctx); | ||
| 817 | gcry_mpi_ec_add (beta_sum2, beta_sum2, ct[1][j], ec_ctx); | ||
| 818 | } | ||
| 819 | |||
| 787 | cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og); | 820 | cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og); |
| 788 | } | 821 | } |
| 789 | 822 | ||
| @@ -798,6 +831,24 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad, | |||
| 798 | goto quit; | 831 | goto quit; |
| 799 | } | 832 | } |
| 800 | 833 | ||
| 834 | /* On M+1st price auctions check with the second 2dle proof if the bidder | ||
| 835 | * only bid on one of his allowed indizes */ | ||
| 836 | if (0 < ad->m) | ||
| 837 | { | ||
| 838 | cur += sizeof (struct proof_2dle); | ||
| 839 | gcry_mpi_ec_sub (alpha_sum2, alpha_sum2, ec_gen, ec_ctx); | ||
| 840 | if (smc_zkp_2dle_check (alpha_sum2, | ||
| 841 | beta_sum2, | ||
| 842 | ad->Y, | ||
| 843 | ec_gen, | ||
| 844 | (struct proof_2dle *)cur)) | ||
| 845 | { | ||
| 846 | weprintf ("wrong second zkp2 for alpha, beta received. " | ||
| 847 | "bid not allowed for this user in M+1st price auctions."); | ||
| 848 | goto quit; | ||
| 849 | } | ||
| 850 | } | ||
| 851 | |||
| 801 | for (uint16_t j = 0; j < ad->k; j++) | 852 | for (uint16_t j = 0; j < ad->k; j++) |
| 802 | { | 853 | { |
| 803 | ec_point_copy (ad->alpha[sender][j], ct[0][j]); | 854 | ec_point_copy (ad->alpha[sender][j], ct[0][j]); |
| @@ -809,6 +860,8 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad, | |||
| 809 | quit: | 860 | quit: |
| 810 | gcry_mpi_point_release (alpha_sum); | 861 | gcry_mpi_point_release (alpha_sum); |
| 811 | gcry_mpi_point_release (beta_sum); | 862 | gcry_mpi_point_release (beta_sum); |
| 863 | gcry_mpi_point_release (alpha_sum2); | ||
| 864 | gcry_mpi_point_release (beta_sum2); | ||
| 812 | return ret; | 865 | return ret; |
| 813 | } | 866 | } |
| 814 | 867 | ||