aboutsummaryrefslogtreecommitdiff
path: root/crypto.c
diff options
context:
space:
mode:
authorMarkus Teich <markus.teich@stusta.mhn.de>2016-07-13 14:01:24 +0200
committerMarkus Teich <markus.teich@stusta.mhn.de>2016-07-13 14:01:24 +0200
commit99e5a11de13a3283c07f353471e08df241511d19 (patch)
treea92cce7ff2f96bbd0e096f6a3a267dacaa362a3d /crypto.c
parent8c7bd0fda283f8c529e5a582182b08150d875736 (diff)
downloadlibbrandt-99e5a11de13a3283c07f353471e08df241511d19.tar.gz
libbrandt-99e5a11de13a3283c07f353471e08df241511d19.zip
major random stuff
Diffstat (limited to 'crypto.c')
-rw-r--r--crypto.c577
1 files changed, 440 insertions, 137 deletions
diff --git a/crypto.c b/crypto.c
index 9c2e272..3140ec6 100644
--- a/crypto.c
+++ b/crypto.c
@@ -20,6 +20,7 @@
20 * @author Markus Teich 20 * @author Markus Teich
21 */ 21 */
22 22
23#include "brandt_config.h"
23 24
24#include <arpa/inet.h> 25#include <arpa/inet.h>
25#include <gcrypt.h> 26#include <gcrypt.h>
@@ -61,17 +62,22 @@ static gcry_ctx_t ec_ctx;
61static gcry_mpi_point_t ec_gen; 62static gcry_mpi_point_t ec_gen;
62static gcry_mpi_point_t ec_zero; 63static gcry_mpi_point_t ec_zero;
63static gcry_mpi_t ec_n; 64static gcry_mpi_t ec_n;
65static GNUNET_CRYPTO_EccDlogContext *ec_dlogctx;
64 66
65 67
66/** 68/**
67 * brandt_crypto_init initializes the crypto system and must be called before 69 * brandt_crypto_init initializes the crypto system and must be called before
68 * any other function from this file. 70 * any other function from this file.
71 *
72 * @param[in] dlogctx Pointer to the prepared dlog context.
69 */ 73 */
70void 74void
71brandt_crypto_init () 75brandt_crypto_init (GNUNET_CRYPTO_EccDlogContext *dlogctx)
72{ 76{
73 gcry_error_t rc; 77 gcry_error_t rc;
74 78
79 ec_dlogctx = dlogctx;
80
75 rc = gcry_mpi_ec_new (&ec_ctx, NULL, CURVE); 81 rc = gcry_mpi_ec_new (&ec_ctx, NULL, CURVE);
76 brandt_assert_gpgerr (rc); 82 brandt_assert_gpgerr (rc);
77 83
@@ -159,7 +165,7 @@ ec_keypair_create (gcry_mpi_point_t pkey, gcry_mpi_t skey)
159 gcry_mpi_t sk; 165 gcry_mpi_t sk;
160 166
161 brandt_assert (NULL != pkey); 167 brandt_assert (NULL != pkey);
162 sk = (NULL == skey) ? gcry_mpi_new (0) : skey; 168 sk = (NULL == skey) ? gcry_mpi_new (256) : skey;
163 169
164 ec_skey_create (sk); 170 ec_skey_create (sk);
165 gcry_mpi_ec_mul (pkey, sk, ec_gen, ec_ctx); 171 gcry_mpi_ec_mul (pkey, sk, ec_gen, ec_ctx);
@@ -191,6 +197,25 @@ ec_keypair_create_base (gcry_mpi_point_t pkey,
191 197
192 198
193/** 199/**
200 * ec_point_copy creates a copy of one curve point
201 *
202 * @param[out] dst where to store the copy
203 * @param[in] src the input point to be copied
204 */
205void
206ec_point_copy (gcry_mpi_point_t dst, const gcry_mpi_point_t src)
207{
208 gcry_mpi_t x = gcry_mpi_new (256);
209 gcry_mpi_t y = gcry_mpi_new (256);
210 gcry_mpi_t z = gcry_mpi_new (256);
211
212 brandt_assert (dst && src);
213 gcry_mpi_point_get (x, y, z, src);
214 gcry_mpi_point_snatch_set (dst, x, y, z);
215}
216
217
218/**
194 * ec_point_cmp compares two curve points 219 * ec_point_cmp compares two curve points
195 * 220 *
196 * @param[in] a the first point 221 * @param[in] a the first point
@@ -202,10 +227,10 @@ int
202ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b) 227ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b)
203{ 228{
204 int ret = 1; 229 int ret = 1;
205 gcry_mpi_t ax = gcry_mpi_new (0); 230 gcry_mpi_t ax = gcry_mpi_new (256);
206 gcry_mpi_t bx = gcry_mpi_new (0); 231 gcry_mpi_t bx = gcry_mpi_new (256);
207 gcry_mpi_t ay = gcry_mpi_new (0); 232 gcry_mpi_t ay = gcry_mpi_new (256);
208 gcry_mpi_t by = gcry_mpi_new (0); 233 gcry_mpi_t by = gcry_mpi_new (256);
209 234
210 brandt_assert (a && b); 235 brandt_assert (a && b);
211 if (!ax || !bx || !ay || !by) 236 if (!ax || !bx || !ay || !by)
@@ -592,8 +617,7 @@ smc_sum (gcry_mpi_point_t out,
592 uint16_t step) 617 uint16_t step)
593{ 618{
594 brandt_assert (NULL != out); 619 brandt_assert (NULL != out);
595 /**\todo: how to copy a point more efficiently? */ 620 ec_point_copy (out, ec_zero);
596 gcry_mpi_ec_add (out, ec_zero, ec_zero, ec_ctx);
597 for (uint16_t i = 0; i < len * step; i += step) 621 for (uint16_t i = 0; i < len * step; i += step)
598 gcry_mpi_ec_add (out, out, in[i], ec_ctx); 622 gcry_mpi_ec_add (out, out, in[i], ec_ctx);
599} 623}
@@ -603,12 +627,12 @@ smc_sum (gcry_mpi_point_t out,
603 * smc_gen_keyshare creates the private additive keyshare and computes the 627 * smc_gen_keyshare creates the private additive keyshare and computes the
604 * public multiplicative key share 628 * public multiplicative key share
605 * 629 *
606 * @param[in,out] ad Pointer to the AuctionData struct to operate on 630 * @param[in,out] ad Pointer to the BRANDT_Auction struct to operate on
607 * @param[out] buflen \todo 631 * @param[out] buflen \todo
608 * @return \todo 632 * @return \todo
609 */ 633 */
610unsigned char * 634unsigned char *
611smc_gen_keyshare (struct AuctionData *ad, size_t *buflen) 635smc_gen_keyshare (struct BRANDT_Auction *ad, size_t *buflen)
612{ 636{
613 unsigned char *ret; 637 unsigned char *ret;
614 struct proof_dl *proof1; 638 struct proof_dl *proof1;
@@ -624,7 +648,7 @@ smc_gen_keyshare (struct AuctionData *ad, size_t *buflen)
624 648
625 proof1 = (struct proof_dl *)(ret + sizeof (struct ec_mpi)); 649 proof1 = (struct proof_dl *)(ret + sizeof (struct ec_mpi));
626 650
627 ad->x = gcry_mpi_new (0); 651 ad->x = gcry_mpi_new (256);
628 ec_skey_create (ad->x); 652 ec_skey_create (ad->x);
629 smc_zkp_dl (ad->y[ad->i], ad->x, proof1); 653 smc_zkp_dl (ad->y[ad->i], ad->x, proof1);
630 ec_point_serialize ((struct ec_mpi *)ret, ad->y[ad->i]); 654 ec_point_serialize ((struct ec_mpi *)ret, ad->y[ad->i]);
@@ -633,8 +657,8 @@ smc_gen_keyshare (struct AuctionData *ad, size_t *buflen)
633 657
634 658
635int 659int
636smc_recv_keyshare (struct AuctionData *ad, 660smc_recv_keyshare (struct BRANDT_Auction *ad,
637 unsigned char *buf, 661 const unsigned char *buf,
638 size_t buflen, 662 size_t buflen,
639 uint16_t sender) 663 uint16_t sender)
640{ 664{
@@ -658,8 +682,7 @@ smc_recv_keyshare (struct AuctionData *ad,
658 goto quit; 682 goto quit;
659 } 683 }
660 684
661 /**\todo: how to copy a point more efficiently? */ 685 ec_point_copy (ad->y[sender], y);
662 gcry_mpi_ec_add (ad->y[sender], ec_zero, y, ec_ctx);
663 686
664 ret = 1; 687 ret = 1;
665quit: 688quit:
@@ -675,7 +698,7 @@ quit:
675 * @param buflen TODO 698 * @param buflen TODO
676 */ 699 */
677unsigned char * 700unsigned char *
678smc_encrypt_bid (struct AuctionData *ad, size_t *buflen) 701smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
679{ 702{
680 unsigned char *ret; 703 unsigned char *ret;
681 unsigned char *cur; 704 unsigned char *cur;
@@ -699,8 +722,8 @@ smc_encrypt_bid (struct AuctionData *ad, size_t *buflen)
699 ad->Y = gcry_mpi_point_new (0); 722 ad->Y = gcry_mpi_point_new (0);
700 smc_sum (ad->Y, ad->y, ad->n, 1); 723 smc_sum (ad->Y, ad->y, ad->n, 1);
701 724
702 r_sum = gcry_mpi_new (0); 725 r_sum = gcry_mpi_new (256);
703 r_part = gcry_mpi_new (0); 726 r_part = gcry_mpi_new (256);
704 727
705 for (uint16_t j = 0; j < ad->k; j++) 728 for (uint16_t j = 0; j < ad->k; j++)
706 { 729 {
@@ -726,13 +749,13 @@ smc_encrypt_bid (struct AuctionData *ad, size_t *buflen)
726 749
727 750
728int 751int
729smc_recv_encrypted_bid (struct AuctionData *ad, 752smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
730 unsigned char *buf, 753 const unsigned char *buf,
731 size_t buflen, 754 size_t buflen,
732 uint16_t sender) 755 uint16_t sender)
733{ 756{
734 int ret = 0; 757 int ret = 0;
735 unsigned char *cur = buf; 758 const unsigned char *cur = buf;
736 struct proof_0og *proof3; 759 struct proof_0og *proof3;
737 gcry_mpi_point_t **ct; /* ciphertexts */ 760 gcry_mpi_point_t **ct; /* ciphertexts */
738 gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0); 761 gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0);
@@ -748,8 +771,8 @@ smc_recv_encrypted_bid (struct AuctionData *ad,
748 goto quit; 771 goto quit;
749 } 772 }
750 773
751 gcry_mpi_ec_mul (alpha_sum, GCRYMPI_CONST_ONE, ec_zero, ec_ctx); 774 ec_point_copy (alpha_sum, ec_zero);
752 gcry_mpi_ec_mul (beta_sum, GCRYMPI_CONST_ONE, ec_zero, ec_ctx); 775 ec_point_copy (beta_sum, ec_zero);
753 776
754 for (uint16_t j = 0; j < ad->k; j++) 777 for (uint16_t j = 0; j < ad->k; j++)
755 { 778 {
@@ -779,9 +802,8 @@ smc_recv_encrypted_bid (struct AuctionData *ad,
779 802
780 for (uint16_t j = 0; j < ad->k; j++) 803 for (uint16_t j = 0; j < ad->k; j++)
781 { 804 {
782 /**\todo: how to copy a point more efficiently? */ 805 ec_point_copy (ad->alpha[sender][j], ct[0][j]);
783 gcry_mpi_ec_add (ad->alpha[sender][j], ec_zero, ct[0][j], ec_ctx); 806 ec_point_copy (ad->beta[sender][j], ct[1][j]);
784 gcry_mpi_ec_add (ad->beta[sender][j], ec_zero, ct[1][j], ec_ctx);
785 } 807 }
786 smc_free2 (ct, 2, ad->k); 808 smc_free2 (ct, 2, ad->k);
787 809
@@ -794,13 +816,345 @@ quit:
794 816
795 817
796/** 818/**
797 * smc_compute_outcome \todo 819 * fp_pub_compute_outcome \todo
820 *
821 * @param ad TODO
822 * @param buflen TODO
823 */
824unsigned char *
825fp_pub_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
826{
827 unsigned char *ret;
828 unsigned char *cur;
829 gcry_mpi_t coeff = gcry_mpi_copy (GCRYMPI_CONST_ONE);
830 gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
831 gcry_mpi_point_t *tlta1;
832 gcry_mpi_point_t *tltb1;
833 gcry_mpi_point_t **tlta2;
834 gcry_mpi_point_t **tltb2;
835 struct ec_mpi *gamma;
836 struct ec_mpi *delta;
837 struct proof_2dle *proof2;
838
839 brandt_assert (ad && buflen);
840
841 *buflen = (ad->k * (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2)));
842 if (NULL == (cur = (ret = calloc (1, *buflen))) ||
843 NULL == (ad->gamma2 = smc_init2 (ad->n, ad->k)) ||
844 NULL == (ad->delta2 = smc_init2 (ad->n, ad->k)) ||
845 NULL == (ad->tmpa1 = smc_init1 (ad->k)) ||
846 NULL == (ad->tmpb1 = smc_init1 (ad->k)))
847 {
848 weprintf ("unable to alloc memory for first price outcome computation");
849 return NULL;
850 }
851
852 /* create temporary lookup tables with partial sums */
853 tlta1 = smc_init1 (ad->k);
854 tltb1 = smc_init1 (ad->k);
855 tlta2 = smc_init2 (ad->n, ad->k);
856 tltb2 = smc_init2 (ad->n, ad->k);
857
858 /* temporary lookup table for sum of bid vectors */
859 for (uint16_t i = 0; i < ad->n; i++)
860 {
861 smc_sums_partial (tlta2[i], ad->alpha[i], ad->k, 1, 1);
862 smc_sums_partial (tltb2[i], ad->beta[i], ad->k, 1, 1);
863 for (uint16_t j = 0; j < ad->k; j++)
864 {
865 gcry_mpi_ec_sub (tlta2[i][j],
866 tlta2[i][ad->k - 1],
867 tlta2[i][j],
868 ec_ctx);
869 gcry_mpi_ec_sub (tltb2[i][j],
870 tltb2[i][ad->k - 1],
871 tltb2[i][j],
872 ec_ctx);
873 }
874 brandt_assert (!ec_point_cmp (ec_zero, tlta2[i][ad->k - 1]));
875 brandt_assert (!ec_point_cmp (ec_zero, tltb2[i][ad->k - 1]));
876 }
877 for (uint16_t j = 0; j < ad->k; j++)
878 {
879 smc_sum (tlta1[j], &tlta2[0][j], ad->n, ad->k);
880 smc_sum (tltb1[j], &tltb2[0][j], ad->n, ad->k);
881 }
882 smc_free2 (tlta2, ad->n, ad->k);
883 smc_free2 (tltb2, ad->n, ad->k);
884 brandt_assert (!ec_point_cmp (ec_zero, tlta1[ad->k - 1]));
885 brandt_assert (!ec_point_cmp (ec_zero, tltb1[ad->k - 1]));
886
887 /* temporarily store the \sum_{i=1}^n2^{i-1}b_i in tmp1, since it is needed
888 * each time a gamma,delta pair is received from another bidder */
889 for (uint16_t i = 0; i < ad->n; i++)
890 {
891 for (uint16_t j = 0; j < ad->k; j++)
892 {
893 gcry_mpi_ec_mul (tmp, coeff, ad->alpha[i][j], ec_ctx);
894 gcry_mpi_ec_add (ad->tmpa1[j], ad->tmpa1[j], tmp, ec_ctx);
895 gcry_mpi_ec_mul (tmp, coeff, ad->beta[i][j], ec_ctx);
896 gcry_mpi_ec_add (ad->tmpb1[j], ad->tmpb1[j], tmp, ec_ctx);
897 }
898 gcry_mpi_mul_ui (coeff, coeff, 2);
899 }
900
901 for (uint16_t j = 0; j < ad->k; j++)
902 {
903 gamma = (struct ec_mpi *)cur;
904 delta = &((struct ec_mpi *)cur)[1];
905 proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
906
907 /* copy unmasked outcome to all other bidder layers so they don't
908 * have to be recomputed to check the ZK proof_2dle's from other
909 * bidders when receiving their outcome messages */
910 for (uint16_t a = 0; a < ad->n; a++)
911 {
912 ec_point_copy (ad->gamma2[a][j], tlta1[j]);
913 ec_point_copy (ad->delta2[a][j], tltb1[j]);
914 }
915
916 /* apply random masking for losing bidders */
917 smc_zkp_2dle (ad->gamma2[ad->i][j],
918 ad->delta2[ad->i][j],
919 tlta1[j],
920 tltb1[j],
921 NULL,
922 proof2);
923
924 ec_point_serialize (gamma, ad->gamma2[ad->i][j]);
925 ec_point_serialize (delta, ad->delta2[ad->i][j]);
926
927 /* add winner determination for own gamma,delta */
928 gcry_mpi_ec_add (ad->gamma2[ad->i][j],
929 ad->gamma2[ad->i][j],
930 ad->tmpa1[j],
931 ec_ctx);
932 gcry_mpi_ec_add (ad->delta2[ad->i][j],
933 ad->delta2[ad->i][j],
934 ad->tmpb1[j],
935 ec_ctx);
936
937 cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2);
938 }
939
940 gcry_mpi_release (coeff);
941 gcry_mpi_point_release (tmp);
942 smc_free1 (tlta1, ad->k);
943 smc_free1 (tltb1, ad->k);
944 return ret;
945}
946
947
948int
949fp_pub_recv_outcome (struct BRANDT_Auction *ad,
950 const unsigned char *buf,
951 size_t buflen,
952 uint16_t sender)
953{
954 int ret = 0;
955 const unsigned char *cur = buf;
956 struct proof_2dle *proof2;
957 gcry_mpi_point_t gamma = gcry_mpi_point_new (0);
958 gcry_mpi_point_t delta = gcry_mpi_point_new (0);
959
960 brandt_assert (ad && buf);
961
962 if (buflen != (ad->k * (2 * sizeof (struct ec_mpi) + sizeof (*proof2))))
963 {
964 weprintf ("wrong size of received outcome");
965 goto quit;
966 }
967
968 for (uint16_t j = 0; j < ad->k; j++)
969 {
970 ec_point_parse (gamma, (struct ec_mpi *)cur);
971 ec_point_parse (delta, &((struct ec_mpi *)cur)[1]);
972 proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
973 if (smc_zkp_2dle_check (gamma,
974 delta,
975 ad->gamma2[sender][j],
976 ad->delta2[sender][j],
977 proof2))
978 {
979 weprintf ("wrong zkp2 for gamma, delta received");
980 goto quit;
981 }
982 ec_point_copy (ad->gamma2[sender][j], gamma);
983 ec_point_copy (ad->delta2[sender][j], delta);
984
985 /* add winner determination summand */
986 gcry_mpi_ec_add (ad->gamma2[sender][j],
987 ad->gamma2[sender][j],
988 ad->tmpa1[j],
989 ec_ctx);
990 gcry_mpi_ec_add (ad->delta2[sender][j],
991 ad->delta2[sender][j],
992 ad->tmpb1[j],
993 ec_ctx);
994
995 cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2);
996 }
997
998 ret = 1;
999quit:
1000 gcry_mpi_point_release (gamma);
1001 gcry_mpi_point_release (delta);
1002 return ret;
1003}
1004
1005
1006/**
1007 * fp_pub_decrypt_outcome \todo
1008 *
1009 * @param ad TODO
1010 * @param buflen TODO
1011 */
1012unsigned char *
1013fp_pub_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen)
1014{
1015 unsigned char *ret;
1016 unsigned char *cur;
1017 gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
1018 struct ec_mpi *phi;
1019 struct proof_2dle *proof2;
1020
1021 brandt_assert (ad && buflen);
1022
1023 *buflen = (ad->k * (sizeof (*phi) + sizeof (*proof2)));
1024 if (NULL == (cur = (ret = calloc (1, *buflen))) ||
1025 NULL == (ad->phi2 = smc_init2 (ad->n, ad->k)))
1026 {
1027 weprintf ("unable to alloc memory for first price outcome decryption");
1028 return NULL;
1029 }
1030
1031 for (uint16_t j = 0; j < ad->k; j++)
1032 {
1033 phi = (struct ec_mpi *)cur;
1034 proof2 = (struct proof_2dle *)(cur + sizeof (*phi));
1035
1036 smc_sum (tmp, &ad->delta2[0][j], ad->n, ad->n * ad->k);
1037
1038 /* copy still encrypted outcome to all other bidder layers so they
1039 * don't have to be recomputed to check the ZK proof_2dle's from
1040 * other bidders when receiving their outcome decryption messages */
1041 for (uint16_t a = 0; a < ad->n; a++)
1042 ec_point_copy (ad->phi2[a][j], tmp);
1043
1044 /* decrypt outcome component and prove the correct key was used */
1045 smc_zkp_2dle (ad->phi2[ad->i][j],
1046 NULL,
1047 tmp,
1048 ec_gen,
1049 ad->x,
1050 proof2);
1051
1052 ec_point_serialize (phi, ad->phi2[ad->i][j]);
1053
1054 cur += sizeof (*phi) + sizeof (*proof2);
1055 }
1056
1057 gcry_mpi_point_release (tmp);
1058 return ret;
1059}
1060
1061
1062int
1063fp_pub_recv_decryption (struct BRANDT_Auction *ad,
1064 const unsigned char *buf,
1065 size_t buflen,
1066 uint16_t sender)
1067{
1068 int ret = 0;
1069 const unsigned char *cur = buf;
1070 struct proof_2dle *proof2;
1071 gcry_mpi_point_t phi = gcry_mpi_point_new (0);
1072
1073 brandt_assert (ad && buf);
1074
1075 if (buflen != (ad->k * (sizeof (struct ec_mpi) + sizeof (*proof2))))
1076 {
1077 weprintf ("wrong size of received outcome decryption");
1078 goto quit;
1079 }
1080
1081 for (uint16_t j = 0; j < ad->k; j++)
1082 {
1083 ec_point_parse (phi, (struct ec_mpi *)cur);
1084 proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi));
1085 if (smc_zkp_2dle_check (phi,
1086 ad->y[sender],
1087 ad->phi2[sender][j],
1088 ec_gen,
1089 proof2))
1090 {
1091 weprintf ("wrong zkp2 for phi, y received");
1092 goto quit;
1093 }
1094 ec_point_copy (ad->phi2[sender][j], phi);
1095 cur += sizeof (struct ec_mpi) + sizeof (*proof2);
1096 }
1097
1098 ret = 1;
1099quit:
1100 gcry_mpi_point_release (phi);
1101 return ret;
1102}
1103
1104
1105int32_t
1106fp_pub_determine_outcome (struct BRANDT_Auction *ad, uint16_t *winner)
1107{
1108 int32_t ret = -1;
1109 int dlogi = -1;
1110 gcry_mpi_t dlog = gcry_mpi_new (256);
1111 gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0);
1112 gcry_mpi_point_t sum_phi = gcry_mpi_point_new (0);
1113
1114 brandt_assert (ad);
1115
1116 for (uint16_t j = ad->k - 1; j >= 0; j--)
1117 {
1118 smc_sum (sum_gamma, &ad->gamma2[0][j], ad->n, ad->k);
1119 smc_sum (sum_phi, &ad->phi2[0][j], ad->n, ad->k);
1120 gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx);
1121 /* first non-zero component determines the price */
1122 if (ec_point_cmp (sum_gamma, ec_zero))
1123 {
1124 ret = j;
1125 break;
1126 }
1127 }
1128
1129 dlogi = GNUNET_CRYPTO_ecc_dlog (ec_dlogctx, sum_gamma);
1130 brandt_assert (dlogi > 0);
1131 gcry_mpi_set_ui (dlog, (unsigned long)dlogi);
1132
1133 for (uint16_t i = 0; i < ad->n; i++)
1134 {
1135 if (gcry_mpi_test_bit (dlog, i))
1136 {
1137 if (winner)
1138 winner = i;
1139 break;
1140 }
1141 }
1142
1143 gcry_mpi_release (dlog);
1144 gcry_mpi_point_release (sum_gamma);
1145 gcry_mpi_point_release (sum_phi);
1146 return ret;
1147}
1148
1149
1150/**
1151 * fp_priv_compute_outcome \todo
798 * 1152 *
799 * @param ad TODO 1153 * @param ad TODO
800 * @param buflen TODO 1154 * @param buflen TODO
801 */ 1155 */
802unsigned char * 1156unsigned char *
803smc_compute_outcome (struct AuctionData *ad, size_t *buflen) 1157fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
804{ 1158{
805 unsigned char *ret; 1159 unsigned char *ret;
806 unsigned char *cur; 1160 unsigned char *cur;
@@ -821,8 +1175,8 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
821 *buflen = (ad->n * ad->k * /* nk * (gamma, delta, proof2) */ 1175 *buflen = (ad->n * ad->k * /* nk * (gamma, delta, proof2) */
822 (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2))); 1176 (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2)));
823 if (NULL == (cur = (ret = calloc (1, *buflen))) || 1177 if (NULL == (cur = (ret = calloc (1, *buflen))) ||
824 NULL == (ad->gamma = smc_init3 (ad->n, ad->n, ad->k)) || 1178 NULL == (ad->gamma3 = smc_init3 (ad->n, ad->n, ad->k)) ||
825 NULL == (ad->delta = smc_init3 (ad->n, ad->n, ad->k))) 1179 NULL == (ad->delta3 = smc_init3 (ad->n, ad->n, ad->k)))
826 { 1180 {
827 weprintf ("unable to alloc memory for first price outcome computation"); 1181 weprintf ("unable to alloc memory for first price outcome computation");
828 return NULL; 1182 return NULL;
@@ -912,21 +1266,20 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
912 * bidders when receiving their outcome messages */ 1266 * bidders when receiving their outcome messages */
913 for (uint16_t a = 0; a < ad->n; a++) 1267 for (uint16_t a = 0; a < ad->n; a++)
914 { 1268 {
915 /**\todo: how to copy a point more efficiently? */ 1269 ec_point_copy (ad->gamma3[a][i][j], tmpa);
916 gcry_mpi_ec_add (ad->gamma[a][i][j], ec_zero, tmpa, ec_ctx); 1270 ec_point_copy (ad->delta3[a][i][j], tmpb);
917 gcry_mpi_ec_add (ad->delta[a][i][j], ec_zero, tmpb, ec_ctx);
918 } 1271 }
919 1272
920 /* apply random masking for losing bidders */ 1273 /* apply random masking for losing bidders */
921 smc_zkp_2dle (ad->gamma[ad->i][i][j], 1274 smc_zkp_2dle (ad->gamma3[ad->i][i][j],
922 ad->delta[ad->i][i][j], 1275 ad->delta3[ad->i][i][j],
923 tmpa, 1276 tmpa,
924 tmpb, 1277 tmpb,
925 NULL, 1278 NULL,
926 proof2); 1279 proof2);
927 1280
928 ec_point_serialize (gamma, ad->gamma[ad->i][i][j]); 1281 ec_point_serialize (gamma, ad->gamma3[ad->i][i][j]);
929 ec_point_serialize (delta, ad->delta[ad->i][i][j]); 1282 ec_point_serialize (delta, ad->delta3[ad->i][i][j]);
930 1283
931 cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2); 1284 cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2);
932 } 1285 }
@@ -945,13 +1298,13 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
945 1298
946 1299
947int 1300int
948smc_recv_outcome (struct AuctionData *ad, 1301fp_priv_recv_outcome (struct BRANDT_Auction *ad,
949 unsigned char *buf, 1302 const unsigned char *buf,
950 size_t buflen, 1303 size_t buflen,
951 uint16_t sender) 1304 uint16_t sender)
952{ 1305{
953 int ret = 0; 1306 int ret = 0;
954 unsigned char *cur = buf; 1307 const unsigned char *cur = buf;
955 struct proof_2dle *proof2; 1308 struct proof_2dle *proof2;
956 gcry_mpi_point_t gamma = gcry_mpi_point_new (0); 1309 gcry_mpi_point_t gamma = gcry_mpi_point_new (0);
957 gcry_mpi_point_t delta = gcry_mpi_point_new (0); 1310 gcry_mpi_point_t delta = gcry_mpi_point_new (0);
@@ -974,15 +1327,15 @@ smc_recv_outcome (struct AuctionData *ad,
974 proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi)); 1327 proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
975 if (smc_zkp_2dle_check (gamma, 1328 if (smc_zkp_2dle_check (gamma,
976 delta, 1329 delta,
977 ad->gamma[sender][i][j], 1330 ad->gamma3[sender][i][j],
978 ad->delta[sender][i][j], 1331 ad->delta3[sender][i][j],
979 proof2)) 1332 proof2))
980 { 1333 {
981 weprintf ("wrong zkp2 for gamma, delta received"); 1334 weprintf ("wrong zkp2 for gamma, delta received");
982 goto quit; 1335 goto quit;
983 } 1336 }
984 gcry_mpi_ec_add (ad->gamma[sender][i][j], gamma, ec_zero, ec_ctx); 1337 ec_point_copy (ad->gamma3[sender][i][j], gamma);
985 gcry_mpi_ec_add (ad->delta[sender][i][j], delta, ec_zero, ec_ctx); 1338 ec_point_copy (ad->delta3[sender][i][j], delta);
986 cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2); 1339 cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2);
987 } 1340 }
988 } 1341 }
@@ -996,13 +1349,13 @@ quit:
996 1349
997 1350
998/** 1351/**
999 * smc_decrypt_outcome \todo 1352 * fp_priv_decrypt_outcome \todo
1000 * 1353 *
1001 * @param ad TODO 1354 * @param ad TODO
1002 * @param buflen TODO 1355 * @param buflen TODO
1003 */ 1356 */
1004unsigned char * 1357unsigned char *
1005smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen) 1358fp_priv_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen)
1006{ 1359{
1007 unsigned char *ret; 1360 unsigned char *ret;
1008 unsigned char *cur; 1361 unsigned char *cur;
@@ -1014,7 +1367,7 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
1014 1367
1015 *buflen = (ad->n * ad->k * (sizeof (*phi) + sizeof (*proof2))); 1368 *buflen = (ad->n * ad->k * (sizeof (*phi) + sizeof (*proof2)));
1016 if (NULL == (cur = (ret = calloc (1, *buflen))) || 1369 if (NULL == (cur = (ret = calloc (1, *buflen))) ||
1017 NULL == (ad->phi = smc_init3 (ad->n, ad->n, ad->k))) 1370 NULL == (ad->phi3 = smc_init3 (ad->n, ad->n, ad->k)))
1018 { 1371 {
1019 weprintf ("unable to alloc memory for first price outcome decryption"); 1372 weprintf ("unable to alloc memory for first price outcome decryption");
1020 return NULL; 1373 return NULL;
@@ -1027,24 +1380,23 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
1027 phi = (struct ec_mpi *)cur; 1380 phi = (struct ec_mpi *)cur;
1028 proof2 = (struct proof_2dle *)(cur + sizeof (*phi)); 1381 proof2 = (struct proof_2dle *)(cur + sizeof (*phi));
1029 1382
1030 smc_sum (tmp, &ad->delta[0][i][j], ad->n, ad->n * ad->k); 1383 smc_sum (tmp, &ad->delta3[0][i][j], ad->n, ad->n * ad->k);
1031 1384
1032 /* copy still encrypted outcome to all other bidder layers so they 1385 /* copy still encrypted outcome to all other bidder layers so they
1033 * don't have to be recomputed to check the ZK proof_2dle's from 1386 * don't have to be recomputed to check the ZK proof_2dle's from
1034 * other bidders when receiving their outcome decryption messages */ 1387 * other bidders when receiving their outcome decryption messages */
1035 for (uint16_t a = 0; a < ad->n; a++) 1388 for (uint16_t a = 0; a < ad->n; a++)
1036 /**\todo: how to copy a point more efficiently? */ 1389 ec_point_copy (ad->phi3[a][i][j], tmp);
1037 gcry_mpi_ec_add (ad->phi[a][i][j], ec_zero, tmp, ec_ctx);
1038 1390
1039 /* decrypt outcome component and prove the correct key was used */ 1391 /* decrypt outcome component and prove the correct key was used */
1040 smc_zkp_2dle (ad->phi[ad->i][i][j], 1392 smc_zkp_2dle (ad->phi3[ad->i][i][j],
1041 NULL, 1393 NULL,
1042 tmp, 1394 tmp,
1043 ec_gen, 1395 ec_gen,
1044 ad->x, 1396 ad->x,
1045 proof2); 1397 proof2);
1046 1398
1047 ec_point_serialize (phi, ad->phi[ad->i][i][j]); 1399 ec_point_serialize (phi, ad->phi3[ad->i][i][j]);
1048 1400
1049 cur += sizeof (*phi) + sizeof (*proof2); 1401 cur += sizeof (*phi) + sizeof (*proof2);
1050 } 1402 }
@@ -1056,13 +1408,13 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
1056 1408
1057 1409
1058int 1410int
1059smc_recv_decryption (struct AuctionData *ad, 1411fp_priv_recv_decryption (struct BRANDT_Auction *ad,
1060 unsigned char *buf, 1412 const unsigned char *buf,
1061 size_t buflen, 1413 size_t buflen,
1062 uint16_t sender) 1414 uint16_t sender)
1063{ 1415{
1064 int ret = 0; 1416 int ret = 0;
1065 unsigned char *cur = buf; 1417 const unsigned char *cur = buf;
1066 struct proof_2dle *proof2; 1418 struct proof_2dle *proof2;
1067 gcry_mpi_point_t phi = gcry_mpi_point_new (0); 1419 gcry_mpi_point_t phi = gcry_mpi_point_new (0);
1068 1420
@@ -1082,14 +1434,14 @@ smc_recv_decryption (struct AuctionData *ad,
1082 proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi)); 1434 proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi));
1083 if (smc_zkp_2dle_check (phi, 1435 if (smc_zkp_2dle_check (phi,
1084 ad->y[sender], 1436 ad->y[sender],
1085 ad->phi[sender][i][j], 1437 ad->phi3[sender][i][j],
1086 ec_gen, 1438 ec_gen,
1087 proof2)) 1439 proof2))
1088 { 1440 {
1089 weprintf ("wrong zkp2 for phi, y received"); 1441 weprintf ("wrong zkp2 for phi, y received");
1090 goto quit; 1442 goto quit;
1091 } 1443 }
1092 gcry_mpi_ec_add (ad->phi[sender][i][j], phi, ec_zero, ec_ctx); 1444 ec_point_copy (ad->phi3[sender][i][j], phi);
1093 cur += sizeof (struct ec_mpi) + sizeof (*proof2); 1445 cur += sizeof (struct ec_mpi) + sizeof (*proof2);
1094 } 1446 }
1095 } 1447 }
@@ -1102,7 +1454,7 @@ quit:
1102 1454
1103 1455
1104int32_t 1456int32_t
1105smc_determine_outcome (struct AuctionData *ad) 1457fp_priv_determine_outcome (struct BRANDT_Auction *ad)
1106{ 1458{
1107 int32_t ret = -1; 1459 int32_t ret = -1;
1108 gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0); 1460 gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0);
@@ -1112,8 +1464,8 @@ smc_determine_outcome (struct AuctionData *ad)
1112 1464
1113 for (uint16_t j = 0; j < ad->k; j++) 1465 for (uint16_t j = 0; j < ad->k; j++)
1114 { 1466 {
1115 smc_sum (sum_gamma, &ad->gamma[0][ad->i][j], ad->n, ad->n * ad->k); 1467 smc_sum (sum_gamma, &ad->gamma3[0][ad->i][j], ad->n, ad->n * ad->k);
1116 smc_sum (sum_phi, &ad->phi[0][ad->i][j], ad->n, ad->n * ad->k); 1468 smc_sum (sum_phi, &ad->phi3[0][ad->i][j], ad->n, ad->n * ad->k);
1117 gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx); 1469 gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx);
1118 if (!ec_point_cmp (sum_gamma, ec_zero)) 1470 if (!ec_point_cmp (sum_gamma, ec_zero))
1119 { 1471 {
@@ -1149,9 +1501,9 @@ smc_zkp_dl (gcry_mpi_point_t v,
1149 struct zkp_challenge_dl challenge; 1501 struct zkp_challenge_dl challenge;
1150 struct brandt_hash_code challhash; 1502 struct brandt_hash_code challhash;
1151 gcry_mpi_point_t a = gcry_mpi_point_new (0); 1503 gcry_mpi_point_t a = gcry_mpi_point_new (0);
1152 gcry_mpi_t r = gcry_mpi_new (0); 1504 gcry_mpi_t r = gcry_mpi_new (256);
1153 gcry_mpi_t c = gcry_mpi_new (0); 1505 gcry_mpi_t c = gcry_mpi_new (256);
1154 gcry_mpi_t z = gcry_mpi_new (0); 1506 gcry_mpi_t z = gcry_mpi_new (256);
1155 1507
1156 /* v = xg */ 1508 /* v = xg */
1157 gcry_mpi_ec_mul (v, x, ec_gen, ec_ctx); 1509 gcry_mpi_ec_mul (v, x, ec_gen, ec_ctx);
@@ -1197,8 +1549,8 @@ smc_zkp_dl_check (const gcry_mpi_point_t v,
1197 struct zkp_challenge_dl challenge; 1549 struct zkp_challenge_dl challenge;
1198 struct brandt_hash_code challhash; 1550 struct brandt_hash_code challhash;
1199 gcry_mpi_point_t a = gcry_mpi_point_new (0); 1551 gcry_mpi_point_t a = gcry_mpi_point_new (0);
1200 gcry_mpi_t r = gcry_mpi_new (0); 1552 gcry_mpi_t r = gcry_mpi_new (256);
1201 gcry_mpi_t c = gcry_mpi_new (0); 1553 gcry_mpi_t c = gcry_mpi_new (256);
1202 gcry_mpi_point_t left = gcry_mpi_point_new (0); 1554 gcry_mpi_point_t left = gcry_mpi_point_new (0);
1203 gcry_mpi_point_t right = gcry_mpi_point_new (0); 1555 gcry_mpi_point_t right = gcry_mpi_point_new (0);
1204 1556
@@ -1260,13 +1612,13 @@ smc_zkp_2dle (gcry_mpi_point_t v,
1260 gcry_mpi_t rx; 1612 gcry_mpi_t rx;
1261 gcry_mpi_point_t a = gcry_mpi_point_new (0); 1613 gcry_mpi_point_t a = gcry_mpi_point_new (0);
1262 gcry_mpi_point_t b = gcry_mpi_point_new (0); 1614 gcry_mpi_point_t b = gcry_mpi_point_new (0);
1263 gcry_mpi_t r = gcry_mpi_new (0); 1615 gcry_mpi_t r = gcry_mpi_new (256);
1264 gcry_mpi_t c = gcry_mpi_new (0); 1616 gcry_mpi_t c = gcry_mpi_new (256);
1265 gcry_mpi_t z = gcry_mpi_new (0); 1617 gcry_mpi_t z = gcry_mpi_new (256);
1266 1618
1267 rv = (NULL == v) ? gcry_mpi_point_new (0) : v; 1619 rv = (NULL == v) ? gcry_mpi_point_new (0) : v;
1268 rw = (NULL == w) ? gcry_mpi_point_new (0) : w; 1620 rw = (NULL == w) ? gcry_mpi_point_new (0) : w;
1269 rx = (NULL == x) ? gcry_mpi_new (0) : x; 1621 rx = (NULL == x) ? gcry_mpi_new (256) : x;
1270 1622
1271 if (NULL == x) 1623 if (NULL == x)
1272 ec_skey_create (rx); 1624 ec_skey_create (rx);
@@ -1339,8 +1691,8 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
1339 struct brandt_hash_code challhash; 1691 struct brandt_hash_code challhash;
1340 gcry_mpi_point_t a = gcry_mpi_point_new (0); 1692 gcry_mpi_point_t a = gcry_mpi_point_new (0);
1341 gcry_mpi_point_t b = gcry_mpi_point_new (0); 1693 gcry_mpi_point_t b = gcry_mpi_point_new (0);
1342 gcry_mpi_t r = gcry_mpi_new (0); 1694 gcry_mpi_t r = gcry_mpi_new (256);
1343 gcry_mpi_t c = gcry_mpi_new (0); 1695 gcry_mpi_t c = gcry_mpi_new (256);
1344 gcry_mpi_point_t left = gcry_mpi_point_new (0); 1696 gcry_mpi_point_t left = gcry_mpi_point_new (0);
1345 gcry_mpi_point_t right = gcry_mpi_point_new (0); 1697 gcry_mpi_point_t right = gcry_mpi_point_new (0);
1346 1698
@@ -1415,15 +1767,15 @@ smc_zkp_0og (int m_is_gen,
1415 gcry_mpi_point_t a2 = gcry_mpi_point_new (0); 1767 gcry_mpi_point_t a2 = gcry_mpi_point_new (0);
1416 gcry_mpi_point_t b1 = gcry_mpi_point_new (0); 1768 gcry_mpi_point_t b1 = gcry_mpi_point_new (0);
1417 gcry_mpi_point_t b2 = gcry_mpi_point_new (0); 1769 gcry_mpi_point_t b2 = gcry_mpi_point_new (0);
1418 gcry_mpi_t d1 = gcry_mpi_new (0); 1770 gcry_mpi_t d1 = gcry_mpi_new (256);
1419 gcry_mpi_t d2 = gcry_mpi_new (0); 1771 gcry_mpi_t d2 = gcry_mpi_new (256);
1420 gcry_mpi_t r1 = gcry_mpi_new (0); 1772 gcry_mpi_t r1 = gcry_mpi_new (256);
1421 gcry_mpi_t r2 = gcry_mpi_new (0); 1773 gcry_mpi_t r2 = gcry_mpi_new (256);
1422 gcry_mpi_t c = gcry_mpi_new (0); 1774 gcry_mpi_t c = gcry_mpi_new (256);
1423 gcry_mpi_t rr; 1775 gcry_mpi_t rr;
1424 gcry_mpi_t w = gcry_mpi_new (0); 1776 gcry_mpi_t w = gcry_mpi_new (256);
1425 1777
1426 rr = (NULL == r) ? gcry_mpi_new (0) : r; 1778 rr = (NULL == r) ? gcry_mpi_new (256) : r;
1427 1779
1428 /* beta = r*g */ 1780 /* beta = r*g */
1429 ec_keypair_create (beta, rr); 1781 ec_keypair_create (beta, rr);
@@ -1559,12 +1911,12 @@ smc_zkp_0og_check (const gcry_mpi_point_t y,
1559 gcry_mpi_point_t a2 = gcry_mpi_point_new (0); 1911 gcry_mpi_point_t a2 = gcry_mpi_point_new (0);
1560 gcry_mpi_point_t b1 = gcry_mpi_point_new (0); 1912 gcry_mpi_point_t b1 = gcry_mpi_point_new (0);
1561 gcry_mpi_point_t b2 = gcry_mpi_point_new (0); 1913 gcry_mpi_point_t b2 = gcry_mpi_point_new (0);
1562 gcry_mpi_t d1 = gcry_mpi_new (0); 1914 gcry_mpi_t d1 = gcry_mpi_new (256);
1563 gcry_mpi_t d2 = gcry_mpi_new (0); 1915 gcry_mpi_t d2 = gcry_mpi_new (256);
1564 gcry_mpi_t r1 = gcry_mpi_new (0); 1916 gcry_mpi_t r1 = gcry_mpi_new (256);
1565 gcry_mpi_t r2 = gcry_mpi_new (0); 1917 gcry_mpi_t r2 = gcry_mpi_new (256);
1566 gcry_mpi_t c = gcry_mpi_new (0); 1918 gcry_mpi_t c = gcry_mpi_new (256);
1567 gcry_mpi_t sum = gcry_mpi_new (0); 1919 gcry_mpi_t sum = gcry_mpi_new (256);
1568 gcry_mpi_point_t right = gcry_mpi_point_new (0); 1920 gcry_mpi_point_t right = gcry_mpi_point_new (0);
1569 gcry_mpi_point_t tmp = gcry_mpi_point_new (0); 1921 gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
1570 1922
@@ -1635,52 +1987,3 @@ smc_zkp_0og_check (const gcry_mpi_point_t y,
1635 weprintf ("ret: 0x%x", ret); 1987 weprintf ("ret: 0x%x", ret);
1636 return ret; 1988 return ret;
1637} 1989}
1638
1639
1640/* --- unused stuff, might become useful later --- */
1641
1642///**
1643// * Clear memory that was used to store a private key.
1644// *
1645// * @param skey the key
1646// */
1647//void
1648//brandt_ec_key_clear (gcry_mpi_t skey)
1649//{
1650// gcry_mpi_randomize (skey, 256, GCRY_WEAK_RANDOM);
1651// gcry_mpi_release (skey);
1652//}
1653
1654
1655///**
1656// * Generate a random value mod n.
1657// *
1658// * @param edc ECC context
1659// * @return random value mod n.
1660// */
1661//gcry_mpi_t
1662//GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc)
1663//{
1664// gcry_mpi_t n;
1665// unsigned int highbit;
1666// gcry_mpi_t r;
1667//
1668// n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);
1669//
1670// /* check public key for number of bits, bail out if key is all zeros */
1671// highbit = 256; /* Curve25519 */
1672// while ( (! gcry_mpi_test_bit (n, highbit)) &&
1673// (0 != highbit) )
1674// highbit--;
1675// GNUNET_assert (0 != highbit);
1676// /* generate fact < n (without bias) */
1677// GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
1678// do {
1679// gcry_mpi_randomize (r,
1680// highbit + 1,
1681// GCRY_STRONG_RANDOM);
1682// }
1683// while (gcry_mpi_cmp (r, n) >= 0);
1684// gcry_mpi_release (n);
1685// return r;
1686//}
generated by cgit v1.2.3 (git 2.39.1) at 2024-04-28 10:03:40 +0000