improve spec

1 files changed, 53 insertions, 39 deletions

diff --git a/tex-stuff/math.tex b/tex-stuff/math.tex
index 2d2c1f7..6502f0b 100644
--- a/tex-stuff/math.tex
+++ b/tex-stuff/math.tex
@@ -5,58 +5,77 @@
 \begin{document}
 \section{first price auction with tie breaking and private outcome (EC-Version)}
 \subsection{Zero Knowledge Proofs}
-\subsubsection{Proof of Knowledge of a EC DL}
+\subsubsection{Proof 1: Knowledge of an ECDL}
 
-Alice and Bob know $v$ and $g$ with $|g| = n$, but only Alice knows $x$, so that $v = xg$.
+Alice and Bob know $v$ and $g$ with $q = |g|$, but only Alice knows $x$, so that
+$v = xg$.
 
 \begin{enumerate}
 	\item Alice chooses $z$ at random and calculates $a = zg$.
-	\item Alice computes $c = HASH(g,v,a)$ mod n.
-	\item Alice sends $r = (z + cx)$ mod n and $a$ to Bob.
+	\item Alice computes $c = HASH(g,v,a)$ mod $q$.
+	\item Alice sends $r = (z + cx)$ mod $q$ and $a$ to Bob.
 	\item Bob checks that $rg = a + cv$.
 \end{enumerate}
 
-\subsubsection{Proof of equality of two EC DL}
+\begin{tabular}{r l}
+	Prover only knowledge: & $x$ \\
+	Common knowledge: & $v, g$ \\
+	Proof: & $r, a$
+\end{tabular}
+
+\subsubsection{Proof 2: Equality of two ECDL}
 
 Alice and Bob know $v$, $w$, $g_1$ and $g_2$, but only Alice knows $x$, so that
 $v = xg_1$ and $w = xg_2$.
 
 \begin{enumerate}
 	\item Alice chooses $z$ at random and calculates $a = zg_1$ and $b = zg_2$.
-	\item Alice computes $c = HASH(g_1,g_2,v,w,a,b)$ mod n.
-	\item Alice sends $r = (z + cx)$ mod n, $a$ and $b$ to Bob.
+	\item Alice computes $c = HASH(g_1,g_2,v,w,a,b)$ mod $q$.
+	\item Alice sends $r = (z + cx)$ mod $q$, $a$ and $b$ to Bob.
 	\item Bob checks that $rg_1 = a + cv$ and $rg_2 = b + cw$.
 \end{enumerate}
 
-\subsubsection{Proof that an encrypted value is one out of two values}
+\begin{tabular}{r l}
+	Prover only knowledge: & $x$ \\
+	Common knowledge: & $v, w, g_1, g_2$ \\
+	Proof: & $r, a, b$
+\end{tabular}
+
+\subsubsection{Proof 3: An encrypted value is one out of two values}
 
 Alice proves that an El Gamal encrypted value $(\alpha, \beta) = (m + ry, rg)$
 either decrypts to $0$ or to the fixed value $g$ without revealing which is the
-case, in other words, it is shown that $m \in \{0, g\}$.
+case, in other words, it is shown that $m \in \{0, g\}$. \\
 
-If $m = 0$:
+\noindent If $m = 0$:
 
 \begin{enumerate}
 	\item Alice chooses $r_1$, $d_1$, $w$ at random and calculates $a_1 = r_1g + d_1\beta$, $b_1 = r_1y + d_1(\alpha - g)$, $a_2=wg$ and $b_2=wy$.
-	\item Alice computes $c = HASH(g,\alpha,\beta,a_1,b_1,a_2,b_2)$ mod n.
-	\item Alice chooses $d_2=c-d_1$ mod n and $r_2=w-rd_2$ mod n.
+	\item Alice computes $c = HASH(g,\alpha,\beta,a_1,b_1,a_2,b_2)$ mod $q$.
+	\item Alice chooses $d_2=c-d_1$ mod $q$ and $r_2=w-rd_2$ mod $q$.
 \end{enumerate}
 
-If $m = g$:
+\noindent If $m = g$:
 
 \begin{enumerate}
 	\item Alice chooses $r_2$, $d_2$, $w$ at random and calculates $a_1=wg$, $b_1=wy$, $a_2=r_2g + d_2\beta$ and $b_2=r_2y + d_2\alpha$.
-	\item Alice computes $c = HASH(g,\alpha,\beta,a_1,b_1,a_2,b_2)$ mod n.
-	\item Alice chooses $d_1=c-d_2$ mod n and $r_1=w-rd_1$ mod n.
+	\item Alice computes $c = HASH(g,\alpha,\beta,a_1,b_1,a_2,b_2)$ mod $q$.
+	\item Alice chooses $d_1=c-d_2$ mod $q$ and $r_1=w-rd_1$ mod $q$.
 \end{enumerate}
 
-Then regardless of the value of $m$:
+\noindent Then regardless of the value of $m$:
 
 \begin{enumerate}
-	\item Alice sends $(\alpha, \beta), a_1, b_1, a_2, b_2, c, d_1, d_2, r_1, r_2$ to Bob.
-	\item Bob checks that $c=d_1+d_2$ mod n, $a_1=r_1g+d_1\beta$, $b_1=r_1y+d_1(\alpha-g)$, $a_2=r_2g+d_2\beta$ and $b_2=r_2y+d_2\alpha$.
+	\item Alice sends $(\alpha, \beta), a_1, b_1, a_2, b_2, d_1, d_2, r_1, r_2$ to Bob.
+	\item Bob checks that $c=d_1+d_2$ mod $q$, $a_1=r_1g+d_1\beta$, $b_1=r_1y+d_1(\alpha-g)$, $a_2=r_2g+d_2\beta$ and $b_2=r_2y+d_2\alpha$.
 \end{enumerate}
 
+\begin{tabular}{r l}
+	Prover only knowledge: & $r, x$ \\
+	Common knowledge: & $\alpha, \beta$ \\
+	Proof: & $a_1, a_2, b_1, b_2, d_1, d_2, r_1, r_2$
+\end{tabular}
+
 \subsection{Protocol}
 
 Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
@@ -70,8 +89,8 @@ the price $p_{b_a}$ bidder $a$ is willing to pay. $\forall j: p_j < p_{j+1}$.
 \subsubsection{Generate public key}
 
 \begin{enumerate}
-	\item Choose $x_{+a} \in \mathbb{Z}_q$ and $m_{ij}^{\times a}, r_{aj} \in \mathbb{Z}_q$ for each $i$ and $j$ at random.
-	\item Publish $y_{\times a}={x_{+a}}g$ along with a zero-knowledge proof of knowledge of $y_{\times a}$'s EC DL.
+	\item Choose $x_{+a} \in \mathbb{Z}_q$ and $\forall i,j: m_{ij}^{\times a}, r_{aj} \in \mathbb{Z}_q$ at random.
+	\item Publish $y_{\times a}={x_{+a}}g$ along with Proof 1 of $y_{\times a}$'s ECDL.
 	\item Compute $y=\sum_{i=1}^ny_{\times i}$.
 \end{enumerate}
 
@@ -82,9 +101,9 @@ Points for the last proof. Therefore the message is $10k*32 + 3*32 = 320k + 96$
 bytes large.
 
 \begin{enumerate}
-	\item $\forall j:$ Set $b_{aj}=\begin{cases}g & \mathrm{if}\quad j=b_a\\0 & \mathrm{else}\end{cases}$ and publish $\alpha_{aj}=b_{aj}+r_{aj}y$ and $\beta_{aj}=r_{aj}g$ for each j.
-	\item $\forall j:$ Prove that $(\alpha_{aj}, \beta_{aj})$ decrypts to either $0$ or $g$.
-	\item Prove that $ ECDL_y\left(\left(\sum_{j=1}^k\alpha_{aj}\right) - g\right) = ECDL_g\left(\sum_{j=1}^k\beta_{aj}\right)$
+	\item $\forall j:$ Set $b_{aj}=\begin{cases}g & \mathrm{if}\quad j=b_a\\0 & \mathrm{else}\end{cases}$ and publish $\alpha_{aj}=b_{aj}+r_{aj}y$ and $\beta_{aj}=r_{aj}g$.
+	\item $\forall j:$ Use Proof 3 to show that $(\alpha_{aj}, \beta_{aj})$ decrypts to either $0$ or $g$.
+	\item Use Proof 2 to show that $ ECDL_y\left(\left(\sum_{j=1}^k\alpha_{aj}\right) - g\right) = ECDL_g\left(\sum_{j=1}^k\beta_{aj}\right)$.
 \end{enumerate}
 
 \subsubsection{Round 2: Compute outcome}
@@ -92,29 +111,24 @@ bytes large.
 The message has $nk$ parts, each consisting of $5$ Points. Therefore the message
 is $5nk*32 = 160nk$ bytes large.
 
-\begin{enumerate}
-	\item Compute and publish for each $i$ and $j$: \\[2.0ex]
-		$\gamma_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)+\left(\sum_{d=1}^{j-1}\alpha_{id}\right)+\left(\sum_{h=1}^{i-1}\alpha_{hj}\right)\right)$ and \\[2.0ex]
-		$\delta_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\beta_{hd}\right)+\left(\sum_{d=1}^{j-1}\beta_{id}\right)+\left(\sum_{h=1}^{i-1}\beta_{hj}\right)\right)$ \\[2.0ex]
-		with a proof of correctness.
-\end{enumerate}
+$\forall i,j:$ Compute and publish \\[2.0ex]
+$\gamma_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)+\left(\sum_{d=1}^{j-1}\alpha_{id}\right)+\left(\sum_{h=1}^{i-1}\alpha_{hj}\right)\right)$ and \\[2.0ex]
+$\delta_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\beta_{hd}\right)+\left(\sum_{d=1}^{j-1}\beta_{id}\right)+\left(\sum_{h=1}^{i-1}\beta_{hj}\right)\right)$ \\[2.0ex]
+with a corresponding Proof 2 for $ECDL(\gamma_{ij}^{\times a}) = ECDL(\delta_{ij}^{\times a})$.
 
 \subsubsection{Round 3: Decrypt outcome}
 
-\begin{enumerate}
-	\item Send $\varphi_{ij}^{\times a} =
-		x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ for each $i$ and
-		$j$ with a proof of correctness (ECDL is known \textbf{and} equal to the
-		ECDL used for $y_{\times a}$) to the seller who publishes all
-		$\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for
-		each $i, j$ and $h \neq i$ after having received all of them.
-\end{enumerate}
+$\forall i,j:$ Send $\varphi_{ij}^{\times a} =
+x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ with a Proof 2
+$ECDL(\varphi_{ij}^{\times a}) = ECDL(y_{\times a})$ to the seller who publishes
+all $\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for
+each $i, j$ and $h \neq i$ after having received all of them.
 
 \subsubsection{Epilogue: Outcome determination}
 
 \begin{enumerate}
-	\item Compute $v_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$ for each $j$.
-	\item If $v_{aw} = 1$ for any $w$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
+	\item $\forall j:$ Compute $v_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$.
+	\item If $\exists w: v_{aw} = 1$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
 \end{enumerate}