Diffstat (limited to 'crypto.c')
-rw-r--r--crypto.c145
1 files changed, 90 insertions, 55 deletions
diff --git a/crypto.c b/crypto.c
index afa72d4..edd51ad 100644
--- a/crypto.c
+++ b/crypto.c
@@ -1237,21 +1237,9 @@ struct BRANDT_Result *fp_pub_determine_outcome (struct BRANDT_Auction *ad,
}
-/**
- * fp_priv_compute_outcome computes encrypted outcome shares and packs them into
- * a message buffer together with proofs of correctnes.
- *
- * @param[in] ad Pointer to the BRANDT_Auction struct to operate on
- * @param[out] buflen Size of the returned message buffer in bytes
- * @return A buffer containing the encrypted outcome vectors
- * which needs to be broadcast
- */
-unsigned char *
-fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
+void
+fp_priv_prep_outcome (struct BRANDT_Auction *ad)
{
- unsigned char *ret;
- unsigned char *cur;
- struct msg_head *head;
gcry_mpi_point_t tmpa = gcry_mpi_point_new (0);
gcry_mpi_point_t tmpb = gcry_mpi_point_new (0);
gcry_mpi_point_t *tlta1;
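Review bot: The new fp_priv_prep_outcome at L27-L28 carries no Doxygen header, while the function it was split out of had one (L16-L24) and the file documents its siblings that way, so the split now has no stated contract. The header should say that it allocates `ad->gamma3` and `ad->delta3` and fills in the encrypted outcome shares, and that fp_priv_compute_outcome reads those tables and therefore has to run after it. I would write it as a `/** ... */` block above L27 with the usual `@param[in] ad` line, plus a sentence on that ordering requirement. The function body continues past the end of this hunk.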
@@ -1260,27 +1248,12 @@ fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
gcry_mpi_point_t **tltb2;
gcry_mpi_point_t **tlta3;
gcry_mpi_point_t **tltb3;
- struct ec_mpi *gamma;
- struct ec_mpi *delta;
- struct proof_2dle *proof2;
-
- brandt_assert (ad && buflen);
- *buflen = (sizeof (*head) + /* msg header */
- ad->n * ad->k * /* nk * (gamma, delta, proof2) */
- (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2)));
- ret = GNUNET_new_array (*buflen, unsigned char);
- if (NULL == (ad->gamma3 = smc_init3 (ad->n, ad->n, ad->k)) ||
- NULL == (ad->delta3 = smc_init3 (ad->n, ad->n, ad->k)))
- {
- weprintf ("unable to alloc memory for first price outcome computation");
- return NULL;
- }
+ ad->gamma3 = smc_init3 (ad->n, ad->n, ad->k);
+ brandt_assert (ad->gamma3);
- head = (struct msg_head *)ret;
- head->prot_version = htonl (0);
- head->msg_type = htonl (msg_outcome);
- cur = ret + sizeof (*head);
+ ad->delta3 = smc_init3 (ad->n, ad->n, ad->k);
+ brandt_assert (ad->delta3);
/* create temporary lookup tables with partial sums */
tlta1 = smc_init1 (ad->k);
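Review bot: The allocation failure handling at L55-L62 went from a logged early return to `brandt_assert (ad->gamma3)` / `brandt_assert (ad->delta3)`; if brandt_assert follows assert() semantics and is compiled out in release builds, a failed smc_init3 leaves a NULL table that the fill loop later writes through. If the intended policy is abort-on-OOM, use an assertion that is not compiled out, otherwise keep an explicit `if (NULL == ad->gamma3 || NULL == ad->delta3) { weprintf ("unable to alloc memory for first price outcome computation"); return; }` so the error is at least logged before bailing. Note that the lookup tables starting with `tlta1 = smc_init1 (ad->k);` at L64 remain unchecked either way, which the commit does not change.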
@@ -1349,10 +1322,6 @@ fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
{
for (uint16_t j = 0; j < ad->k; j++)
{
- gamma = (struct ec_mpi *)cur;
- delta = &((struct ec_mpi *)cur)[1];
- proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
-
/* compute inner gamma */
gcry_mpi_ec_add (tmpa, tlta1[j], tlta2[i][j], ec_ctx);
gcry_mpi_ec_add (tmpa, tmpa, tlta3[i][j], ec_ctx);
@@ -1369,6 +1338,63 @@ fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
ec_point_copy (ad->gamma3[a][i][j], tmpa);
ec_point_copy (ad->delta3[a][i][j], tmpb);
}
+ }
+ }
+
+ gcry_mpi_point_release (tmpa);
+ gcry_mpi_point_release (tmpb);
+ smc_free1 (tlta1, ad->k);
+ smc_free1 (tltb1, ad->k);
+ smc_free2 (tlta2, ad->n, ad->k);
+ smc_free2 (tltb2, ad->n, ad->k);
+ smc_free2 (tlta3, ad->n, ad->k);
+ smc_free2 (tltb3, ad->n, ad->k);
+}
+
+
+/**
+ * fp_priv_compute_outcome computes encrypted outcome shares and packs them into
+ * a message buffer together with proofs of correctnes.
+ *
+ * @param[in] ad Pointer to the BRANDT_Auction struct to operate on
+ * @param[out] buflen Size of the returned message buffer in bytes
+ * @return A buffer containing the encrypted outcome vectors
+ * which needs to be broadcast
+ */
+unsigned char *
+fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
+{
+ unsigned char *ret;
+ unsigned char *cur;
+ struct msg_head *head;
+ gcry_mpi_point_t tmpa = gcry_mpi_point_new (0);
+ gcry_mpi_point_t tmpb = gcry_mpi_point_new (0);
+ struct ec_mpi *gamma;
+ struct ec_mpi *delta;
+ struct proof_2dle *proof2;
+
+ brandt_assert (ad && buflen);
+
+ *buflen = (sizeof (*head) + /* msg header */
+ ad->n * ad->k * /* nk * (gamma, delta, proof2) */
+ (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2)));
+ ret = GNUNET_new_array (*buflen, unsigned char);
+
+ head = (struct msg_head *)ret;
+ head->prot_version = htonl (0);
+ head->msg_type = htonl (msg_outcome);
+ cur = ret + sizeof (*head);
+
+ for (uint16_t i = 0; i < ad->n; i++)
+ {
+ for (uint16_t j = 0; j < ad->k; j++)
+ {
+ gamma = (struct ec_mpi *)cur;
+ delta = &((struct ec_mpi *)cur)[1];
+ proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
+
+ ec_point_copy (tmpa, ad->gamma3[ad->i][i][j]);
+ ec_point_copy (tmpb, ad->delta3[ad->i][i][j]);
/* apply random masking for losing bidders */
smc_zkp_2dle (ad->gamma3[ad->i][i][j],
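Review bot: fp_priv_compute_outcome now reads `ad->gamma3[ad->i][i][j]` and `ad->delta3[ad->i][i][j]` at L135-L136, tables that are only allocated by fp_priv_prep_outcome, yet the entry check at L115 still covers only `ad` and `buflen`; calling it before the prep step dereferences NULL. I would widen that line to `brandt_assert (ad && buflen && ad->gamma3 && ad->delta3 && ad->i < ad->n);` so the ordering requirement and the own-index bound fail loudly instead of faulting. The hunk ends inside the smc_zkp_2dle call, so the remainder of the loop body is outside this view.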
@@ -1387,12 +1413,6 @@ fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
gcry_mpi_point_release (tmpa);
gcry_mpi_point_release (tmpb);
- smc_free1 (tlta1, ad->k);
- smc_free1 (tltb1, ad->k);
- smc_free2 (tlta2, ad->n, ad->k);
- smc_free2 (tltb2, ad->n, ad->k);
- smc_free2 (tlta3, ad->n, ad->k);
- smc_free2 (tltb3, ad->n, ad->k);
return ret;
}
@@ -1448,6 +1468,32 @@ quit:
}
+void
+fp_priv_prep_decryption (struct BRANDT_Auction *ad)
+{
+ gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
+
+ ad->phi3 = smc_init3 (ad->n, ad->n, ad->k);
+ brandt_assert (ad->phi3);
+
+ for (uint16_t i = 0; i < ad->n; i++)
+ {
+ for (uint16_t j = 0; j < ad->k; j++)
+ {
+ smc_sum (tmp, &ad->delta3[0][i][j], ad->n, ad->n * ad->k);
+
+ /* copy still encrypted outcome to all other bidder layers so they
+ * don't have to be recomputed to check the ZK proof_2dle's from
+ * other bidders when receiving their outcome decryption messages */
+ for (uint16_t a = 0; a < ad->n; a++)
+ ec_point_copy (ad->phi3[a][i][j], tmp);
+ }
+ }
+
+ gcry_mpi_point_release (tmp);
+}
+
+
/**
* fp_priv_decrypt_outcome decrypts the own shares of the outcome and packs them
* into a message buffer together with proofs of correctnes.
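Review bot: fp_priv_prep_decryption (L152-L175) neither checks its argument nor documents that it consumes `ad->delta3`, which is populated by fp_priv_prep_outcome and, presumably, by the received outcome messages; if it runs before those, `&ad->delta3[0][i][j]` at L164 is a NULL dereference. Add `brandt_assert (ad && ad->delta3);` before the smc_init3 call at L157, and give the function a Doxygen header stating that it allocates `ad->phi3`, sums the delta shares across bidders, and must run before fp_priv_decrypt_outcome. As with the other prep function, `brandt_assert (ad->phi3)` at L158 only guards the allocation if brandt_assert is not compiled out.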
@@ -1472,11 +1518,6 @@ fp_priv_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen)
*buflen = (sizeof (*head) +
ad->n * ad->k * (sizeof (*phi) + sizeof (*proof2)));
ret = GNUNET_new_array (*buflen, unsigned char);
- if (NULL == (ad->phi3 = smc_init3 (ad->n, ad->n, ad->k)))
- {
- weprintf ("unable to alloc memory for first price outcome decryption");
- return NULL;
- }
head = (struct msg_head *)ret;
head->prot_version = htonl (0);
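Review bot: With the allocation and its NULL check removed at L185-L189, fp_priv_decrypt_outcome no longer establishes `ad->phi3` itself but still indexes `ad->phi3[ad->i][i][j]` further down; it now silently depends on fp_priv_prep_decryption having run first. Add `brandt_assert (ad->phi3);` right after `ret = GNUNET_new_array (*buflen, unsigned char);` at L184 so an out-of-order call fails at the entry rather than inside the loop. The function's signature and earlier checks are outside this hunk.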
@@ -1490,13 +1531,7 @@ fp_priv_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen)
phi = (struct ec_mpi *)cur;
proof2 = (struct proof_2dle *)(cur + sizeof (*phi));
- smc_sum (tmp, &ad->delta3[0][i][j], ad->n, ad->n * ad->k);
-
- /* copy still encrypted outcome to all other bidder layers so they
- * don't have to be recomputed to check the ZK proof_2dle's from
- * other bidders when receiving their outcome decryption messages */
- for (uint16_t a = 0; a < ad->n; a++)
- ec_point_copy (ad->phi3[a][i][j], tmp);
+ ec_point_copy (tmp, ad->phi3[ad->i][i][j]);
/* decrypt outcome component and prove the correct key was used */
smc_zkp_2dle (ad->phi3[ad->i][i][j],