finish protocol transcription to Ed25519

1 files changed, 26 insertions, 6 deletions

diff --git a/tex-stuff/math.tex b/tex-stuff/math.tex
index 7585cdc..b01febc 100644
--- a/tex-stuff/math.tex
+++ b/tex-stuff/math.tex
@@ -1,6 +1,7 @@
 \documentclass{article}
 \usepackage[a4paper, margin=2cm]{geometry}
 \usepackage{amsmath}
+\usepackage{amsfonts}
 \begin{document}
 \section{first price auction with tie breaking and private outcome (EC-Version)}
 \subsection{Zero Knowledge Proofs}
@@ -58,36 +59,55 @@ Then regardless of the value of $m$:
 
 \subsection{Protocol}
 
+Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
+the amount of possible valuations/prices for the sold good.  Let $g$ be the
+generator of Ed25519 and $q = ord(g)$ the order of it. $0$ is the neutral point
+for addition on Ed25519. $a \in \left\{1,2,\dots,n\right\}$ is the index of the
+agent executing the protocol, while $i, h \in \left\{1, 2, \dots, n\right\}$ are
+other agent indizes. $j, b_a \in \left\{1,2,\dots,k\right\}$ with $b_a$ denoting
+the price $p_{b_a}$ bidder $a$ is willing to pay. $\forall j: p_j < p_{j+1}$.
+
 \subsubsection{Generate public key}
 
 \begin{enumerate}
-	\item Choose $x_a$ and $m_{ij}, r_{aj}$ for each $i$ and $j$ at random.
-	\item Publish $y_a=g^{x_a}$ along with a zero-knowledge proof of knowledge of $y_a$'s EC DL.
-	\item Compute $y=\sum_{i=1}^ny_i$.
+	\item Choose $x_{+a} \in \mathbb{Z}_q$ and $m_{ij}^{\times a}, r_{aj} \in \mathbb{Z}_q$ for each $i$ and $j$ at random.
+	\item Publish $y_{\times a}={x_{+a}}g$ along with a zero-knowledge proof of knowledge of $y_{\times a}$'s EC DL.
+	\item Compute $y=\sum_{i=1}^ny_{\times i}$.
 \end{enumerate}
 
 \subsubsection{Round 1: Encrypt bid}
 
 \begin{enumerate}
 	\item Set $b_{aj}=\begin{cases}g & \mathrm{if}\quad j=b_a\\0 & \mathrm{else}\end{cases}$ and publish $\alpha_{aj}=b_{aj}+r_{aj}y$ and $\beta_{aj}=r_{aj}g$ for each j.
+	\item Prove that $\forall j:(\alpha_{aj}, \beta_{aj})$ decrypts to either $0$ or $g$.
+	\item Prove that $\forall j: ECDL_y\left(\left(\sum_{j=1}^k\alpha_{aj}\right) - g\right) = ECDL_g\left(\sum_{j=1}^k\beta_{aj}\right)$
 \end{enumerate}
 
 \subsubsection{Round 2: Compute outcome}
 
 \begin{enumerate}
-	\item 
+	\item Compute and publish for each $i$ and $j$: \\[2.0ex]
+		$\gamma_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)+\left(\sum_{d=1}^{j-1}\alpha_{id}\right)+\left(\sum_{h=1}^{i-1}\alpha_{hj}\right)\right)$ and \\[2.0ex]
+		$\delta_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\beta_{hd}\right)+\left(\sum_{d=1}^{j-1}\beta_{id}\right)+\left(\sum_{h=1}^{i-1}\beta_{hj}\right)\right)$ \\[2.0ex]
+		with a proof of correctness.
 \end{enumerate}
 
 \subsubsection{Round 3: Decrypt outcome}
 
 \begin{enumerate}
-	\item 
+	\item Send $\varphi_{ij}^{\times a} =
+		x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ for each $i$ and
+		$j$ with a proof of correctness (ECDL is known \textbf{and} equal to the
+		ECDL used for $y_{\times a}$) to the seller who publishes all
+		$\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for
+		each $i, j$ and $h \neq i$ after having received all of them.
 \end{enumerate}
 
 \subsubsection{Epilogue: Outcome determination}
 
 \begin{enumerate}
-	\item 
+	\item Compute $v_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$ for each $j$.
+	\item If $v_{aw} = 1$ for any $w$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
 \end{enumerate}