major random stuff

This commit is contained in:
Markus Teich 2016-07-13 14:01:24 +02:00
parent 8c7bd0fda2
commit 99e5a11de1
9 changed files with 566 additions and 208 deletions

View File

@ -10,7 +10,7 @@ libbrandt_la_SOURCES = \
util.c util.c
libbrandt_la_LIBADD = \ libbrandt_la_LIBADD = \
-lgcrypt -lgpg-error -lgcrypt -lgpg-error -lgnunetutil
libbrandt_la_LDFLAGS = \ libbrandt_la_LDFLAGS = \
-version-info 0:0:0 -version-info 0:0:0

View File

@ -16,9 +16,12 @@
/** /**
* @file brandt.c * @file brandt.c
* @brief \todo * @brief Implementation of the high level libbrandt interface.
* @author Markus Teich * @author Markus Teich
*/ */
#include "brandt_config.h"
#include <gcrypt.h> #include <gcrypt.h>
#include "crypto.h" #include "crypto.h"
@ -33,6 +36,20 @@ typedef int
uint16_t sender); uint16_t sender);
enum {
auction_firstPrice,
auction_mPlusFirstPrice,
auction_last
};
enum {
outcome_private,
outcome_public,
outcome_last
};
/** /**
* stores the function pointers to receive functions for each state. * stores the function pointers to receive functions for each state.
* *
@ -43,43 +60,43 @@ typedef int
* The second index denotes if the outcome should be public or private. A value * The second index denotes if the outcome should be public or private. A value
* of 0 means a private outcome, while a value of 1 means public outcome. * of 0 means a private outcome, while a value of 1 means public outcome.
*/ */
static msg_recv handler_in[2][2][msg_last] = static msg_recv handler_in[auction_last][outcome_last][msg_last] =
{ {
[0] = [auction_firstPrice] =
{ {
[0] = [outcome_private] =
{ {
[msg_init] = smc_recv_keyshare, [msg_init] = &smc_recv_keyshare,
[msg_bid] = smc_recv_encrypted_bid, [msg_bid] = &smc_recv_encrypted_bid,
[msg_outcome] = fp_priv_recv_outcome, [msg_outcome] = &fp_priv_recv_outcome,
[msg_decrypt] = fp_priv_recv_decryption, [msg_decrypt] = &fp_priv_recv_decryption,
}, },
[1] = [outcome_public] =
{ {
[msg_init] = smc_recv_keyshare, [msg_init] = &smc_recv_keyshare,
[msg_bid] = smc_recv_encrypted_bid, [msg_bid] = &smc_recv_encrypted_bid,
[msg_outcome] = fp_pub_recv_outcome, [msg_outcome] = &fp_pub_recv_outcome,
[msg_decrypt] = fp_pub_recv_decryption, [msg_decrypt] = &fp_pub_recv_decryption,
} }
}, },
[1] = [auction_mPlusFirstPrice] =
{ {
[0] = [outcome_private] =
{ {
[msg_init] = smc_recv_keyshare, [msg_init] = &smc_recv_keyshare,
[msg_bid] = smc_recv_encrypted_bid, [msg_bid] = &smc_recv_encrypted_bid,
}, },
[1] = [outcome_public] =
{ {
[msg_init] = smc_recv_keyshare, [msg_init] = &smc_recv_keyshare,
[msg_bid] = smc_recv_encrypted_bid, [msg_bid] = &smc_recv_encrypted_bid,
} }
} }
}; };
void void
BRANDT_init () BRANDT_init (struct GNUNET_CRYPTO_EccDlogContext *dlogctx)
{ {
gcry_error_t err = 0; gcry_error_t err = 0;
@ -97,7 +114,7 @@ BRANDT_init ()
gcry_strerror (err)); gcry_strerror (err));
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
brandt_crypto_init (); brandt_crypto_init (dlogctx);
} }
@ -107,21 +124,23 @@ BRANDT_got_message (struct BRANDT_Auction *auction,
const unsigned char *msg, const unsigned char *msg,
size_t msg_len) size_t msg_len)
{ {
uint16_t type = *(uint16_t *)msg; uint16_t mtype = *(uint16_t *)msg;
int m = !!auction->desc->m; int atype;
int pub = !!auction->desc->outcome_public; int outcome;
enum rounds round = auction->cur_round; enum rounds round = auction->cur_round;
/** todo: cache out of order messages */ atype = auction->desc->m > 0 ? auction_mPlusFirstPrice : auction_firstPrice;
outcome = auction->desc->outcome_public ? outcome_public : outcome_private;
if (!handler_in[m][pub][round] || /** \todo: cache out of order messages */
!handler_in[m][pub][round](auction,
msg + sizeof (type), if (!handler_in[atype][outcome][round] ||
msg_len - sizeof (type), !handler_in[atype][outcome][round](auction,
msg + sizeof (mtype),
msg_len - sizeof (mtype),
sender)) sender))
{ {
/** \todo */ /** \todo */
weprintf ("wow fail"); weprintf ("wow fail");
} }
msg + sizeof (type);
} }

View File

@ -26,6 +26,8 @@
#include <stdint.h> #include <stdint.h>
#include <unistd.h> #include <unistd.h>
#include <gnunet/gnunet_util_lib.h>
/** defined in internals.h */ /** defined in internals.h */
struct BRANDT_Auction; struct BRANDT_Auction;
@ -86,7 +88,7 @@ typedef void
void void
BRANDT_init (); BRANDT_init (struct GNUNET_CRYPTO_EccDlogContext *dlogctx);
/** /**
* Join an auction described by the @a auction_data parameter. * Join an auction described by the @a auction_data parameter.

569
crypto.c
View File

@ -20,6 +20,7 @@
* @author Markus Teich * @author Markus Teich
*/ */
#include "brandt_config.h"
#include <arpa/inet.h> #include <arpa/inet.h>
#include <gcrypt.h> #include <gcrypt.h>
@ -61,17 +62,22 @@ static gcry_ctx_t ec_ctx;
static gcry_mpi_point_t ec_gen; static gcry_mpi_point_t ec_gen;
static gcry_mpi_point_t ec_zero; static gcry_mpi_point_t ec_zero;
static gcry_mpi_t ec_n; static gcry_mpi_t ec_n;
static GNUNET_CRYPTO_EccDlogContext *ec_dlogctx;
/** /**
* brandt_crypto_init initializes the crypto system and must be called before * brandt_crypto_init initializes the crypto system and must be called before
* any other function from this file. * any other function from this file.
*
* @param[in] dlogctx Pointer to the prepared dlog context.
*/ */
void void
brandt_crypto_init () brandt_crypto_init (GNUNET_CRYPTO_EccDlogContext *dlogctx)
{ {
gcry_error_t rc; gcry_error_t rc;
ec_dlogctx = dlogctx;
rc = gcry_mpi_ec_new (&ec_ctx, NULL, CURVE); rc = gcry_mpi_ec_new (&ec_ctx, NULL, CURVE);
brandt_assert_gpgerr (rc); brandt_assert_gpgerr (rc);
@ -159,7 +165,7 @@ ec_keypair_create (gcry_mpi_point_t pkey, gcry_mpi_t skey)
gcry_mpi_t sk; gcry_mpi_t sk;
brandt_assert (NULL != pkey); brandt_assert (NULL != pkey);
sk = (NULL == skey) ? gcry_mpi_new (0) : skey; sk = (NULL == skey) ? gcry_mpi_new (256) : skey;
ec_skey_create (sk); ec_skey_create (sk);
gcry_mpi_ec_mul (pkey, sk, ec_gen, ec_ctx); gcry_mpi_ec_mul (pkey, sk, ec_gen, ec_ctx);
@ -190,6 +196,25 @@ ec_keypair_create_base (gcry_mpi_point_t pkey,
} }
/**
* ec_point_copy creates a copy of one curve point
*
* @param[out] dst where to store the copy
* @param[in] src the input point to be copied
*/
void
ec_point_copy (gcry_mpi_point_t dst, const gcry_mpi_point_t src)
{
gcry_mpi_t x = gcry_mpi_new (256);
gcry_mpi_t y = gcry_mpi_new (256);
gcry_mpi_t z = gcry_mpi_new (256);
brandt_assert (dst && src);
gcry_mpi_point_get (x, y, z, src);
gcry_mpi_point_snatch_set (dst, x, y, z);
}
/** /**
* ec_point_cmp compares two curve points * ec_point_cmp compares two curve points
* *
@ -202,10 +227,10 @@ int
ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b) ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b)
{ {
int ret = 1; int ret = 1;
gcry_mpi_t ax = gcry_mpi_new (0); gcry_mpi_t ax = gcry_mpi_new (256);
gcry_mpi_t bx = gcry_mpi_new (0); gcry_mpi_t bx = gcry_mpi_new (256);
gcry_mpi_t ay = gcry_mpi_new (0); gcry_mpi_t ay = gcry_mpi_new (256);
gcry_mpi_t by = gcry_mpi_new (0); gcry_mpi_t by = gcry_mpi_new (256);
brandt_assert (a && b); brandt_assert (a && b);
if (!ax || !bx || !ay || !by) if (!ax || !bx || !ay || !by)
@ -592,8 +617,7 @@ smc_sum (gcry_mpi_point_t out,
uint16_t step) uint16_t step)
{ {
brandt_assert (NULL != out); brandt_assert (NULL != out);
/**\todo: how to copy a point more efficiently? */ ec_point_copy (out, ec_zero);
gcry_mpi_ec_add (out, ec_zero, ec_zero, ec_ctx);
for (uint16_t i = 0; i < len * step; i += step) for (uint16_t i = 0; i < len * step; i += step)
gcry_mpi_ec_add (out, out, in[i], ec_ctx); gcry_mpi_ec_add (out, out, in[i], ec_ctx);
} }
@ -603,12 +627,12 @@ smc_sum (gcry_mpi_point_t out,
* smc_gen_keyshare creates the private additive keyshare and computes the * smc_gen_keyshare creates the private additive keyshare and computes the
* public multiplicative key share * public multiplicative key share
* *
* @param[in,out] ad Pointer to the AuctionData struct to operate on * @param[in,out] ad Pointer to the BRANDT_Auction struct to operate on
* @param[out] buflen \todo * @param[out] buflen \todo
* @return \todo * @return \todo
*/ */
unsigned char * unsigned char *
smc_gen_keyshare (struct AuctionData *ad, size_t *buflen) smc_gen_keyshare (struct BRANDT_Auction *ad, size_t *buflen)
{ {
unsigned char *ret; unsigned char *ret;
struct proof_dl *proof1; struct proof_dl *proof1;
@ -624,7 +648,7 @@ smc_gen_keyshare (struct AuctionData *ad, size_t *buflen)
proof1 = (struct proof_dl *)(ret + sizeof (struct ec_mpi)); proof1 = (struct proof_dl *)(ret + sizeof (struct ec_mpi));
ad->x = gcry_mpi_new (0); ad->x = gcry_mpi_new (256);
ec_skey_create (ad->x); ec_skey_create (ad->x);
smc_zkp_dl (ad->y[ad->i], ad->x, proof1); smc_zkp_dl (ad->y[ad->i], ad->x, proof1);
ec_point_serialize ((struct ec_mpi *)ret, ad->y[ad->i]); ec_point_serialize ((struct ec_mpi *)ret, ad->y[ad->i]);
@ -633,8 +657,8 @@ smc_gen_keyshare (struct AuctionData *ad, size_t *buflen)
int int
smc_recv_keyshare (struct AuctionData *ad, smc_recv_keyshare (struct BRANDT_Auction *ad,
unsigned char *buf, const unsigned char *buf,
size_t buflen, size_t buflen,
uint16_t sender) uint16_t sender)
{ {
@ -658,8 +682,7 @@ smc_recv_keyshare (struct AuctionData *ad,
goto quit; goto quit;
} }
/**\todo: how to copy a point more efficiently? */ ec_point_copy (ad->y[sender], y);
gcry_mpi_ec_add (ad->y[sender], ec_zero, y, ec_ctx);
ret = 1; ret = 1;
quit: quit:
@ -675,7 +698,7 @@ quit:
* @param buflen TODO * @param buflen TODO
*/ */
unsigned char * unsigned char *
smc_encrypt_bid (struct AuctionData *ad, size_t *buflen) smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
{ {
unsigned char *ret; unsigned char *ret;
unsigned char *cur; unsigned char *cur;
@ -699,8 +722,8 @@ smc_encrypt_bid (struct AuctionData *ad, size_t *buflen)
ad->Y = gcry_mpi_point_new (0); ad->Y = gcry_mpi_point_new (0);
smc_sum (ad->Y, ad->y, ad->n, 1); smc_sum (ad->Y, ad->y, ad->n, 1);
r_sum = gcry_mpi_new (0); r_sum = gcry_mpi_new (256);
r_part = gcry_mpi_new (0); r_part = gcry_mpi_new (256);
for (uint16_t j = 0; j < ad->k; j++) for (uint16_t j = 0; j < ad->k; j++)
{ {
@ -726,13 +749,13 @@ smc_encrypt_bid (struct AuctionData *ad, size_t *buflen)
int int
smc_recv_encrypted_bid (struct AuctionData *ad, smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
unsigned char *buf, const unsigned char *buf,
size_t buflen, size_t buflen,
uint16_t sender) uint16_t sender)
{ {
int ret = 0; int ret = 0;
unsigned char *cur = buf; const unsigned char *cur = buf;
struct proof_0og *proof3; struct proof_0og *proof3;
gcry_mpi_point_t **ct; /* ciphertexts */ gcry_mpi_point_t **ct; /* ciphertexts */
gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0); gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0);
@ -748,8 +771,8 @@ smc_recv_encrypted_bid (struct AuctionData *ad,
goto quit; goto quit;
} }
gcry_mpi_ec_mul (alpha_sum, GCRYMPI_CONST_ONE, ec_zero, ec_ctx); ec_point_copy (alpha_sum, ec_zero);
gcry_mpi_ec_mul (beta_sum, GCRYMPI_CONST_ONE, ec_zero, ec_ctx); ec_point_copy (beta_sum, ec_zero);
for (uint16_t j = 0; j < ad->k; j++) for (uint16_t j = 0; j < ad->k; j++)
{ {
@ -779,9 +802,8 @@ smc_recv_encrypted_bid (struct AuctionData *ad,
for (uint16_t j = 0; j < ad->k; j++) for (uint16_t j = 0; j < ad->k; j++)
{ {
/**\todo: how to copy a point more efficiently? */ ec_point_copy (ad->alpha[sender][j], ct[0][j]);
gcry_mpi_ec_add (ad->alpha[sender][j], ec_zero, ct[0][j], ec_ctx); ec_point_copy (ad->beta[sender][j], ct[1][j]);
gcry_mpi_ec_add (ad->beta[sender][j], ec_zero, ct[1][j], ec_ctx);
} }
smc_free2 (ct, 2, ad->k); smc_free2 (ct, 2, ad->k);
@ -794,13 +816,345 @@ quit:
/** /**
* smc_compute_outcome \todo * fp_pub_compute_outcome \todo
* *
* @param ad TODO * @param ad TODO
* @param buflen TODO * @param buflen TODO
*/ */
unsigned char * unsigned char *
smc_compute_outcome (struct AuctionData *ad, size_t *buflen) fp_pub_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
{
unsigned char *ret;
unsigned char *cur;
gcry_mpi_t coeff = gcry_mpi_copy (GCRYMPI_CONST_ONE);
gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
gcry_mpi_point_t *tlta1;
gcry_mpi_point_t *tltb1;
gcry_mpi_point_t **tlta2;
gcry_mpi_point_t **tltb2;
struct ec_mpi *gamma;
struct ec_mpi *delta;
struct proof_2dle *proof2;
brandt_assert (ad && buflen);
*buflen = (ad->k * (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2)));
if (NULL == (cur = (ret = calloc (1, *buflen))) ||
NULL == (ad->gamma2 = smc_init2 (ad->n, ad->k)) ||
NULL == (ad->delta2 = smc_init2 (ad->n, ad->k)) ||
NULL == (ad->tmpa1 = smc_init1 (ad->k)) ||
NULL == (ad->tmpb1 = smc_init1 (ad->k)))
{
weprintf ("unable to alloc memory for first price outcome computation");
return NULL;
}
/* create temporary lookup tables with partial sums */
tlta1 = smc_init1 (ad->k);
tltb1 = smc_init1 (ad->k);
tlta2 = smc_init2 (ad->n, ad->k);
tltb2 = smc_init2 (ad->n, ad->k);
/* temporary lookup table for sum of bid vectors */
for (uint16_t i = 0; i < ad->n; i++)
{
smc_sums_partial (tlta2[i], ad->alpha[i], ad->k, 1, 1);
smc_sums_partial (tltb2[i], ad->beta[i], ad->k, 1, 1);
for (uint16_t j = 0; j < ad->k; j++)
{
gcry_mpi_ec_sub (tlta2[i][j],
tlta2[i][ad->k - 1],
tlta2[i][j],
ec_ctx);
gcry_mpi_ec_sub (tltb2[i][j],
tltb2[i][ad->k - 1],
tltb2[i][j],
ec_ctx);
}
brandt_assert (!ec_point_cmp (ec_zero, tlta2[i][ad->k - 1]));
brandt_assert (!ec_point_cmp (ec_zero, tltb2[i][ad->k - 1]));
}
for (uint16_t j = 0; j < ad->k; j++)
{
smc_sum (tlta1[j], &tlta2[0][j], ad->n, ad->k);
smc_sum (tltb1[j], &tltb2[0][j], ad->n, ad->k);
}
smc_free2 (tlta2, ad->n, ad->k);
smc_free2 (tltb2, ad->n, ad->k);
brandt_assert (!ec_point_cmp (ec_zero, tlta1[ad->k - 1]));
brandt_assert (!ec_point_cmp (ec_zero, tltb1[ad->k - 1]));
/* temporarily store the \sum_{i=1}^n2^{i-1}b_i in tmp1, since it is needed
* each time a gamma,delta pair is received from another bidder */
for (uint16_t i = 0; i < ad->n; i++)
{
for (uint16_t j = 0; j < ad->k; j++)
{
gcry_mpi_ec_mul (tmp, coeff, ad->alpha[i][j], ec_ctx);
gcry_mpi_ec_add (ad->tmpa1[j], ad->tmpa1[j], tmp, ec_ctx);
gcry_mpi_ec_mul (tmp, coeff, ad->beta[i][j], ec_ctx);
gcry_mpi_ec_add (ad->tmpb1[j], ad->tmpb1[j], tmp, ec_ctx);
}
gcry_mpi_mul_ui (coeff, coeff, 2);
}
for (uint16_t j = 0; j < ad->k; j++)
{
gamma = (struct ec_mpi *)cur;
delta = &((struct ec_mpi *)cur)[1];
proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
/* copy unmasked outcome to all other bidder layers so they don't
* have to be recomputed to check the ZK proof_2dle's from other
* bidders when receiving their outcome messages */
for (uint16_t a = 0; a < ad->n; a++)
{
ec_point_copy (ad->gamma2[a][j], tlta1[j]);
ec_point_copy (ad->delta2[a][j], tltb1[j]);
}
/* apply random masking for losing bidders */
smc_zkp_2dle (ad->gamma2[ad->i][j],
ad->delta2[ad->i][j],
tlta1[j],
tltb1[j],
NULL,
proof2);
ec_point_serialize (gamma, ad->gamma2[ad->i][j]);
ec_point_serialize (delta, ad->delta2[ad->i][j]);
/* add winner determination for own gamma,delta */
gcry_mpi_ec_add (ad->gamma2[ad->i][j],
ad->gamma2[ad->i][j],
ad->tmpa1[j],
ec_ctx);
gcry_mpi_ec_add (ad->delta2[ad->i][j],
ad->delta2[ad->i][j],
ad->tmpb1[j],
ec_ctx);
cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2);
}
gcry_mpi_release (coeff);
gcry_mpi_point_release (tmp);
smc_free1 (tlta1, ad->k);
smc_free1 (tltb1, ad->k);
return ret;
}
int
fp_pub_recv_outcome (struct BRANDT_Auction *ad,
const unsigned char *buf,
size_t buflen,
uint16_t sender)
{
int ret = 0;
const unsigned char *cur = buf;
struct proof_2dle *proof2;
gcry_mpi_point_t gamma = gcry_mpi_point_new (0);
gcry_mpi_point_t delta = gcry_mpi_point_new (0);
brandt_assert (ad && buf);
if (buflen != (ad->k * (2 * sizeof (struct ec_mpi) + sizeof (*proof2))))
{
weprintf ("wrong size of received outcome");
goto quit;
}
for (uint16_t j = 0; j < ad->k; j++)
{
ec_point_parse (gamma, (struct ec_mpi *)cur);
ec_point_parse (delta, &((struct ec_mpi *)cur)[1]);
proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
if (smc_zkp_2dle_check (gamma,
delta,
ad->gamma2[sender][j],
ad->delta2[sender][j],
proof2))
{
weprintf ("wrong zkp2 for gamma, delta received");
goto quit;
}
ec_point_copy (ad->gamma2[sender][j], gamma);
ec_point_copy (ad->delta2[sender][j], delta);
/* add winner determination summand */
gcry_mpi_ec_add (ad->gamma2[sender][j],
ad->gamma2[sender][j],
ad->tmpa1[j],
ec_ctx);
gcry_mpi_ec_add (ad->delta2[sender][j],
ad->delta2[sender][j],
ad->tmpb1[j],
ec_ctx);
cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2);
}
ret = 1;
quit:
gcry_mpi_point_release (gamma);
gcry_mpi_point_release (delta);
return ret;
}
/**
* fp_pub_decrypt_outcome \todo
*
* @param ad TODO
* @param buflen TODO
*/
unsigned char *
fp_pub_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen)
{
unsigned char *ret;
unsigned char *cur;
gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
struct ec_mpi *phi;
struct proof_2dle *proof2;
brandt_assert (ad && buflen);
*buflen = (ad->k * (sizeof (*phi) + sizeof (*proof2)));
if (NULL == (cur = (ret = calloc (1, *buflen))) ||
NULL == (ad->phi2 = smc_init2 (ad->n, ad->k)))
{
weprintf ("unable to alloc memory for first price outcome decryption");
return NULL;
}
for (uint16_t j = 0; j < ad->k; j++)
{
phi = (struct ec_mpi *)cur;
proof2 = (struct proof_2dle *)(cur + sizeof (*phi));
smc_sum (tmp, &ad->delta2[0][j], ad->n, ad->n * ad->k);
/* copy still encrypted outcome to all other bidder layers so they
* don't have to be recomputed to check the ZK proof_2dle's from
* other bidders when receiving their outcome decryption messages */
for (uint16_t a = 0; a < ad->n; a++)
ec_point_copy (ad->phi2[a][j], tmp);
/* decrypt outcome component and prove the correct key was used */
smc_zkp_2dle (ad->phi2[ad->i][j],
NULL,
tmp,
ec_gen,
ad->x,
proof2);
ec_point_serialize (phi, ad->phi2[ad->i][j]);
cur += sizeof (*phi) + sizeof (*proof2);
}
gcry_mpi_point_release (tmp);
return ret;
}
int
fp_pub_recv_decryption (struct BRANDT_Auction *ad,
const unsigned char *buf,
size_t buflen,
uint16_t sender)
{
int ret = 0;
const unsigned char *cur = buf;
struct proof_2dle *proof2;
gcry_mpi_point_t phi = gcry_mpi_point_new (0);
brandt_assert (ad && buf);
if (buflen != (ad->k * (sizeof (struct ec_mpi) + sizeof (*proof2))))
{
weprintf ("wrong size of received outcome decryption");
goto quit;
}
for (uint16_t j = 0; j < ad->k; j++)
{
ec_point_parse (phi, (struct ec_mpi *)cur);
proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi));
if (smc_zkp_2dle_check (phi,
ad->y[sender],
ad->phi2[sender][j],
ec_gen,
proof2))
{
weprintf ("wrong zkp2 for phi, y received");
goto quit;
}
ec_point_copy (ad->phi2[sender][j], phi);
cur += sizeof (struct ec_mpi) + sizeof (*proof2);
}
ret = 1;
quit:
gcry_mpi_point_release (phi);
return ret;
}
int32_t
fp_pub_determine_outcome (struct BRANDT_Auction *ad, uint16_t *winner)
{
int32_t ret = -1;
int dlogi = -1;
gcry_mpi_t dlog = gcry_mpi_new (256);
gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0);
gcry_mpi_point_t sum_phi = gcry_mpi_point_new (0);
brandt_assert (ad);
for (uint16_t j = ad->k - 1; j >= 0; j--)
{
smc_sum (sum_gamma, &ad->gamma2[0][j], ad->n, ad->k);
smc_sum (sum_phi, &ad->phi2[0][j], ad->n, ad->k);
gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx);
/* first non-zero component determines the price */
if (ec_point_cmp (sum_gamma, ec_zero))
{
ret = j;
break;
}
}
dlogi = GNUNET_CRYPTO_ecc_dlog (ec_dlogctx, sum_gamma);
brandt_assert (dlogi > 0);
gcry_mpi_set_ui (dlog, (unsigned long)dlogi);
for (uint16_t i = 0; i < ad->n; i++)
{
if (gcry_mpi_test_bit (dlog, i))
{
if (winner)
winner = i;
break;
}
}
gcry_mpi_release (dlog);
gcry_mpi_point_release (sum_gamma);
gcry_mpi_point_release (sum_phi);
return ret;
}
/**
* fp_priv_compute_outcome \todo
*
* @param ad TODO
* @param buflen TODO
*/
unsigned char *
fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen)
{ {
unsigned char *ret; unsigned char *ret;
unsigned char *cur; unsigned char *cur;
@ -821,8 +1175,8 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
*buflen = (ad->n * ad->k * /* nk * (gamma, delta, proof2) */ *buflen = (ad->n * ad->k * /* nk * (gamma, delta, proof2) */
(sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2))); (sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2)));
if (NULL == (cur = (ret = calloc (1, *buflen))) || if (NULL == (cur = (ret = calloc (1, *buflen))) ||
NULL == (ad->gamma = smc_init3 (ad->n, ad->n, ad->k)) || NULL == (ad->gamma3 = smc_init3 (ad->n, ad->n, ad->k)) ||
NULL == (ad->delta = smc_init3 (ad->n, ad->n, ad->k))) NULL == (ad->delta3 = smc_init3 (ad->n, ad->n, ad->k)))
{ {
weprintf ("unable to alloc memory for first price outcome computation"); weprintf ("unable to alloc memory for first price outcome computation");
return NULL; return NULL;
@ -912,21 +1266,20 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
* bidders when receiving their outcome messages */ * bidders when receiving their outcome messages */
for (uint16_t a = 0; a < ad->n; a++) for (uint16_t a = 0; a < ad->n; a++)
{ {
/**\todo: how to copy a point more efficiently? */ ec_point_copy (ad->gamma3[a][i][j], tmpa);
gcry_mpi_ec_add (ad->gamma[a][i][j], ec_zero, tmpa, ec_ctx); ec_point_copy (ad->delta3[a][i][j], tmpb);
gcry_mpi_ec_add (ad->delta[a][i][j], ec_zero, tmpb, ec_ctx);
} }
/* apply random masking for losing bidders */ /* apply random masking for losing bidders */
smc_zkp_2dle (ad->gamma[ad->i][i][j], smc_zkp_2dle (ad->gamma3[ad->i][i][j],
ad->delta[ad->i][i][j], ad->delta3[ad->i][i][j],
tmpa, tmpa,
tmpb, tmpb,
NULL, NULL,
proof2); proof2);
ec_point_serialize (gamma, ad->gamma[ad->i][i][j]); ec_point_serialize (gamma, ad->gamma3[ad->i][i][j]);
ec_point_serialize (delta, ad->delta[ad->i][i][j]); ec_point_serialize (delta, ad->delta3[ad->i][i][j]);
cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2); cur += sizeof (*gamma) + sizeof (*delta) + sizeof (*proof2);
} }
@ -945,13 +1298,13 @@ smc_compute_outcome (struct AuctionData *ad, size_t *buflen)
int int
smc_recv_outcome (struct AuctionData *ad, fp_priv_recv_outcome (struct BRANDT_Auction *ad,
unsigned char *buf, const unsigned char *buf,
size_t buflen, size_t buflen,
uint16_t sender) uint16_t sender)
{ {
int ret = 0; int ret = 0;
unsigned char *cur = buf; const unsigned char *cur = buf;
struct proof_2dle *proof2; struct proof_2dle *proof2;
gcry_mpi_point_t gamma = gcry_mpi_point_new (0); gcry_mpi_point_t gamma = gcry_mpi_point_new (0);
gcry_mpi_point_t delta = gcry_mpi_point_new (0); gcry_mpi_point_t delta = gcry_mpi_point_new (0);
@ -974,15 +1327,15 @@ smc_recv_outcome (struct AuctionData *ad,
proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi)); proof2 = (struct proof_2dle *)(cur + 2 * sizeof (struct ec_mpi));
if (smc_zkp_2dle_check (gamma, if (smc_zkp_2dle_check (gamma,
delta, delta,
ad->gamma[sender][i][j], ad->gamma3[sender][i][j],
ad->delta[sender][i][j], ad->delta3[sender][i][j],
proof2)) proof2))
{ {
weprintf ("wrong zkp2 for gamma, delta received"); weprintf ("wrong zkp2 for gamma, delta received");
goto quit; goto quit;
} }
gcry_mpi_ec_add (ad->gamma[sender][i][j], gamma, ec_zero, ec_ctx); ec_point_copy (ad->gamma3[sender][i][j], gamma);
gcry_mpi_ec_add (ad->delta[sender][i][j], delta, ec_zero, ec_ctx); ec_point_copy (ad->delta3[sender][i][j], delta);
cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2); cur += 2 * sizeof (struct ec_mpi) + sizeof (*proof2);
} }
} }
@ -996,13 +1349,13 @@ quit:
/** /**
* smc_decrypt_outcome \todo * fp_priv_decrypt_outcome \todo
* *
* @param ad TODO * @param ad TODO
* @param buflen TODO * @param buflen TODO
*/ */
unsigned char * unsigned char *
smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen) fp_priv_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen)
{ {
unsigned char *ret; unsigned char *ret;
unsigned char *cur; unsigned char *cur;
@ -1014,7 +1367,7 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
*buflen = (ad->n * ad->k * (sizeof (*phi) + sizeof (*proof2))); *buflen = (ad->n * ad->k * (sizeof (*phi) + sizeof (*proof2)));
if (NULL == (cur = (ret = calloc (1, *buflen))) || if (NULL == (cur = (ret = calloc (1, *buflen))) ||
NULL == (ad->phi = smc_init3 (ad->n, ad->n, ad->k))) NULL == (ad->phi3 = smc_init3 (ad->n, ad->n, ad->k)))
{ {
weprintf ("unable to alloc memory for first price outcome decryption"); weprintf ("unable to alloc memory for first price outcome decryption");
return NULL; return NULL;
@ -1027,24 +1380,23 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
phi = (struct ec_mpi *)cur; phi = (struct ec_mpi *)cur;
proof2 = (struct proof_2dle *)(cur + sizeof (*phi)); proof2 = (struct proof_2dle *)(cur + sizeof (*phi));
smc_sum (tmp, &ad->delta[0][i][j], ad->n, ad->n * ad->k); smc_sum (tmp, &ad->delta3[0][i][j], ad->n, ad->n * ad->k);
/* copy still encrypted outcome to all other bidder layers so they /* copy still encrypted outcome to all other bidder layers so they
* don't have to be recomputed to check the ZK proof_2dle's from * don't have to be recomputed to check the ZK proof_2dle's from
* other bidders when receiving their outcome decryption messages */ * other bidders when receiving their outcome decryption messages */
for (uint16_t a = 0; a < ad->n; a++) for (uint16_t a = 0; a < ad->n; a++)
/**\todo: how to copy a point more efficiently? */ ec_point_copy (ad->phi3[a][i][j], tmp);
gcry_mpi_ec_add (ad->phi[a][i][j], ec_zero, tmp, ec_ctx);
/* decrypt outcome component and prove the correct key was used */ /* decrypt outcome component and prove the correct key was used */
smc_zkp_2dle (ad->phi[ad->i][i][j], smc_zkp_2dle (ad->phi3[ad->i][i][j],
NULL, NULL,
tmp, tmp,
ec_gen, ec_gen,
ad->x, ad->x,
proof2); proof2);
ec_point_serialize (phi, ad->phi[ad->i][i][j]); ec_point_serialize (phi, ad->phi3[ad->i][i][j]);
cur += sizeof (*phi) + sizeof (*proof2); cur += sizeof (*phi) + sizeof (*proof2);
} }
@ -1056,13 +1408,13 @@ smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen)
int int
smc_recv_decryption (struct AuctionData *ad, fp_priv_recv_decryption (struct BRANDT_Auction *ad,
unsigned char *buf, const unsigned char *buf,
size_t buflen, size_t buflen,
uint16_t sender) uint16_t sender)
{ {
int ret = 0; int ret = 0;
unsigned char *cur = buf; const unsigned char *cur = buf;
struct proof_2dle *proof2; struct proof_2dle *proof2;
gcry_mpi_point_t phi = gcry_mpi_point_new (0); gcry_mpi_point_t phi = gcry_mpi_point_new (0);
@ -1082,14 +1434,14 @@ smc_recv_decryption (struct AuctionData *ad,
proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi)); proof2 = (struct proof_2dle *)(cur + sizeof (struct ec_mpi));
if (smc_zkp_2dle_check (phi, if (smc_zkp_2dle_check (phi,
ad->y[sender], ad->y[sender],
ad->phi[sender][i][j], ad->phi3[sender][i][j],
ec_gen, ec_gen,
proof2)) proof2))
{ {
weprintf ("wrong zkp2 for phi, y received"); weprintf ("wrong zkp2 for phi, y received");
goto quit; goto quit;
} }
gcry_mpi_ec_add (ad->phi[sender][i][j], phi, ec_zero, ec_ctx); ec_point_copy (ad->phi3[sender][i][j], phi);
cur += sizeof (struct ec_mpi) + sizeof (*proof2); cur += sizeof (struct ec_mpi) + sizeof (*proof2);
} }
} }
@ -1102,7 +1454,7 @@ quit:
int32_t int32_t
smc_determine_outcome (struct AuctionData *ad) fp_priv_determine_outcome (struct BRANDT_Auction *ad)
{ {
int32_t ret = -1; int32_t ret = -1;
gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0); gcry_mpi_point_t sum_gamma = gcry_mpi_point_new (0);
@ -1112,8 +1464,8 @@ smc_determine_outcome (struct AuctionData *ad)
for (uint16_t j = 0; j < ad->k; j++) for (uint16_t j = 0; j < ad->k; j++)
{ {
smc_sum (sum_gamma, &ad->gamma[0][ad->i][j], ad->n, ad->n * ad->k); smc_sum (sum_gamma, &ad->gamma3[0][ad->i][j], ad->n, ad->n * ad->k);
smc_sum (sum_phi, &ad->phi[0][ad->i][j], ad->n, ad->n * ad->k); smc_sum (sum_phi, &ad->phi3[0][ad->i][j], ad->n, ad->n * ad->k);
gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx); gcry_mpi_ec_sub (sum_gamma, sum_gamma, sum_phi, ec_ctx);
if (!ec_point_cmp (sum_gamma, ec_zero)) if (!ec_point_cmp (sum_gamma, ec_zero))
{ {
@ -1149,9 +1501,9 @@ smc_zkp_dl (gcry_mpi_point_t v,
struct zkp_challenge_dl challenge; struct zkp_challenge_dl challenge;
struct brandt_hash_code challhash; struct brandt_hash_code challhash;
gcry_mpi_point_t a = gcry_mpi_point_new (0); gcry_mpi_point_t a = gcry_mpi_point_new (0);
gcry_mpi_t r = gcry_mpi_new (0); gcry_mpi_t r = gcry_mpi_new (256);
gcry_mpi_t c = gcry_mpi_new (0); gcry_mpi_t c = gcry_mpi_new (256);
gcry_mpi_t z = gcry_mpi_new (0); gcry_mpi_t z = gcry_mpi_new (256);
/* v = xg */ /* v = xg */
gcry_mpi_ec_mul (v, x, ec_gen, ec_ctx); gcry_mpi_ec_mul (v, x, ec_gen, ec_ctx);
@ -1197,8 +1549,8 @@ smc_zkp_dl_check (const gcry_mpi_point_t v,
struct zkp_challenge_dl challenge; struct zkp_challenge_dl challenge;
struct brandt_hash_code challhash; struct brandt_hash_code challhash;
gcry_mpi_point_t a = gcry_mpi_point_new (0); gcry_mpi_point_t a = gcry_mpi_point_new (0);
gcry_mpi_t r = gcry_mpi_new (0); gcry_mpi_t r = gcry_mpi_new (256);
gcry_mpi_t c = gcry_mpi_new (0); gcry_mpi_t c = gcry_mpi_new (256);
gcry_mpi_point_t left = gcry_mpi_point_new (0); gcry_mpi_point_t left = gcry_mpi_point_new (0);
gcry_mpi_point_t right = gcry_mpi_point_new (0); gcry_mpi_point_t right = gcry_mpi_point_new (0);
@ -1260,13 +1612,13 @@ smc_zkp_2dle (gcry_mpi_point_t v,
gcry_mpi_t rx; gcry_mpi_t rx;
gcry_mpi_point_t a = gcry_mpi_point_new (0); gcry_mpi_point_t a = gcry_mpi_point_new (0);
gcry_mpi_point_t b = gcry_mpi_point_new (0); gcry_mpi_point_t b = gcry_mpi_point_new (0);
gcry_mpi_t r = gcry_mpi_new (0); gcry_mpi_t r = gcry_mpi_new (256);
gcry_mpi_t c = gcry_mpi_new (0); gcry_mpi_t c = gcry_mpi_new (256);
gcry_mpi_t z = gcry_mpi_new (0); gcry_mpi_t z = gcry_mpi_new (256);
rv = (NULL == v) ? gcry_mpi_point_new (0) : v; rv = (NULL == v) ? gcry_mpi_point_new (0) : v;
rw = (NULL == w) ? gcry_mpi_point_new (0) : w; rw = (NULL == w) ? gcry_mpi_point_new (0) : w;
rx = (NULL == x) ? gcry_mpi_new (0) : x; rx = (NULL == x) ? gcry_mpi_new (256) : x;
if (NULL == x) if (NULL == x)
ec_skey_create (rx); ec_skey_create (rx);
@ -1339,8 +1691,8 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
struct brandt_hash_code challhash; struct brandt_hash_code challhash;
gcry_mpi_point_t a = gcry_mpi_point_new (0); gcry_mpi_point_t a = gcry_mpi_point_new (0);
gcry_mpi_point_t b = gcry_mpi_point_new (0); gcry_mpi_point_t b = gcry_mpi_point_new (0);
gcry_mpi_t r = gcry_mpi_new (0); gcry_mpi_t r = gcry_mpi_new (256);
gcry_mpi_t c = gcry_mpi_new (0); gcry_mpi_t c = gcry_mpi_new (256);
gcry_mpi_point_t left = gcry_mpi_point_new (0); gcry_mpi_point_t left = gcry_mpi_point_new (0);
gcry_mpi_point_t right = gcry_mpi_point_new (0); gcry_mpi_point_t right = gcry_mpi_point_new (0);
@ -1415,15 +1767,15 @@ smc_zkp_0og (int m_is_gen,
gcry_mpi_point_t a2 = gcry_mpi_point_new (0); gcry_mpi_point_t a2 = gcry_mpi_point_new (0);
gcry_mpi_point_t b1 = gcry_mpi_point_new (0); gcry_mpi_point_t b1 = gcry_mpi_point_new (0);
gcry_mpi_point_t b2 = gcry_mpi_point_new (0); gcry_mpi_point_t b2 = gcry_mpi_point_new (0);
gcry_mpi_t d1 = gcry_mpi_new (0); gcry_mpi_t d1 = gcry_mpi_new (256);
gcry_mpi_t d2 = gcry_mpi_new (0); gcry_mpi_t d2 = gcry_mpi_new (256);
gcry_mpi_t r1 = gcry_mpi_new (0); gcry_mpi_t r1 = gcry_mpi_new (256);
gcry_mpi_t r2 = gcry_mpi_new (0); gcry_mpi_t r2 = gcry_mpi_new (256);
gcry_mpi_t c = gcry_mpi_new (0); gcry_mpi_t c = gcry_mpi_new (256);
gcry_mpi_t rr; gcry_mpi_t rr;
gcry_mpi_t w = gcry_mpi_new (0); gcry_mpi_t w = gcry_mpi_new (256);
rr = (NULL == r) ? gcry_mpi_new (0) : r; rr = (NULL == r) ? gcry_mpi_new (256) : r;
/* beta = r*g */ /* beta = r*g */
ec_keypair_create (beta, rr); ec_keypair_create (beta, rr);
@ -1559,12 +1911,12 @@ smc_zkp_0og_check (const gcry_mpi_point_t y,
gcry_mpi_point_t a2 = gcry_mpi_point_new (0); gcry_mpi_point_t a2 = gcry_mpi_point_new (0);
gcry_mpi_point_t b1 = gcry_mpi_point_new (0); gcry_mpi_point_t b1 = gcry_mpi_point_new (0);
gcry_mpi_point_t b2 = gcry_mpi_point_new (0); gcry_mpi_point_t b2 = gcry_mpi_point_new (0);
gcry_mpi_t d1 = gcry_mpi_new (0); gcry_mpi_t d1 = gcry_mpi_new (256);
gcry_mpi_t d2 = gcry_mpi_new (0); gcry_mpi_t d2 = gcry_mpi_new (256);
gcry_mpi_t r1 = gcry_mpi_new (0); gcry_mpi_t r1 = gcry_mpi_new (256);
gcry_mpi_t r2 = gcry_mpi_new (0); gcry_mpi_t r2 = gcry_mpi_new (256);
gcry_mpi_t c = gcry_mpi_new (0); gcry_mpi_t c = gcry_mpi_new (256);
gcry_mpi_t sum = gcry_mpi_new (0); gcry_mpi_t sum = gcry_mpi_new (256);
gcry_mpi_point_t right = gcry_mpi_point_new (0); gcry_mpi_point_t right = gcry_mpi_point_new (0);
gcry_mpi_point_t tmp = gcry_mpi_point_new (0); gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
@ -1635,52 +1987,3 @@ smc_zkp_0og_check (const gcry_mpi_point_t y,
weprintf ("ret: 0x%x", ret); weprintf ("ret: 0x%x", ret);
return ret; return ret;
} }
/* --- unused stuff, might become useful later --- */
///**
// * Clear memory that was used to store a private key.
// *
// * @param skey the key
// */
//void
//brandt_ec_key_clear (gcry_mpi_t skey)
//{
// gcry_mpi_randomize (skey, 256, GCRY_WEAK_RANDOM);
// gcry_mpi_release (skey);
//}
///**
// * Generate a random value mod n.
// *
// * @param edc ECC context
// * @return random value mod n.
// */
//gcry_mpi_t
//GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc)
//{
// gcry_mpi_t n;
// unsigned int highbit;
// gcry_mpi_t r;
//
// n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);
//
// /* check public key for number of bits, bail out if key is all zeros */
// highbit = 256; /* Curve25519 */
// while ( (! gcry_mpi_test_bit (n, highbit)) &&
// (0 != highbit) )
// highbit--;
// GNUNET_assert (0 != highbit);
// /* generate fact < n (without bias) */
// GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
// do {
// gcry_mpi_randomize (r,
// highbit + 1,
// GCRY_STRONG_RANDOM);
// }
// while (gcry_mpi_cmp (r, n) >= 0);
// gcry_mpi_release (n);
// return r;
//}

View File

@ -26,9 +26,11 @@
#include <gcrypt.h> #include <gcrypt.h>
#include <stdint.h> #include <stdint.h>
#include <gnunet/gnunet_util_lib.h>
#include "internals.h" #include "internals.h"
void brandt_crypto_init (); void brandt_crypto_init (struct GNUNET_CRYPTO_EccDlogContext *dlogctx);
/* --- HASHING --- */ /* --- HASHING --- */
@ -48,6 +50,7 @@ struct ec_mpi {
unsigned char data[256 / 8]; unsigned char data[256 / 8];
}; };
void ec_point_copy (gcry_mpi_point_t dst, const gcry_mpi_point_t src);
int ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b); int ec_point_cmp (const gcry_mpi_point_t a, const gcry_mpi_point_t b);
void ec_skey_create (gcry_mpi_t skey); void ec_skey_create (gcry_mpi_t skey);
void ec_keypair_create (gcry_mpi_point_t pkey, gcry_mpi_t skey); void ec_keypair_create (gcry_mpi_point_t pkey, gcry_mpi_t skey);
@ -111,30 +114,42 @@ int smc_zkp_0og_check (const gcry_mpi_point_t y,
/* --- Protocol implementation --- */ /* --- Protocol implementation --- */
unsigned char *smc_gen_keyshare (struct AuctionData *ad, size_t *buflen); unsigned char *smc_gen_keyshare (struct BRANDT_Auction *ad, size_t *buflen);
int smc_recv_keyshare (struct AuctionData *ad, int smc_recv_keyshare (struct BRANDT_Auction *ad,
unsigned char *buf, const unsigned char *buf,
size_t buflen, size_t buflen,
uint16_t sender_index); uint16_t sender_index);
unsigned char *smc_encrypt_bid (struct AuctionData *ad, size_t *buflen); unsigned char *smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen);
int smc_recv_encrypted_bid (struct AuctionData *ad, int smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
unsigned char *buf, const unsigned char *buf,
size_t buflen, size_t buflen,
uint16_t sender_index); uint16_t sender_index);
unsigned char *smc_compute_outcome (struct AuctionData *ad, size_t *buflen); unsigned char *fp_priv_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen);
int smc_recv_outcome (struct AuctionData *ad, int fp_priv_recv_outcome (struct BRANDT_Auction *ad,
unsigned char *buf, const unsigned char *buf,
size_t buflen, size_t buflen,
uint16_t sender); uint16_t sender);
unsigned char *smc_decrypt_outcome (struct AuctionData *ad, size_t *buflen); unsigned char *fp_priv_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen);
int smc_recv_decryption (struct AuctionData *ad, int fp_priv_recv_decryption (struct BRANDT_Auction *ad,
unsigned char *buf, const unsigned char *buf,
size_t buflen, size_t buflen,
uint16_t sender); uint16_t sender);
int32_t smc_determine_outcome (struct AuctionData *ad); unsigned char *fp_pub_compute_outcome (struct BRANDT_Auction *ad, size_t *buflen);
int fp_pub_recv_outcome (struct BRANDT_Auction *ad,
const unsigned char *buf,
size_t buflen,
uint16_t sender);
unsigned char *fp_pub_decrypt_outcome (struct BRANDT_Auction *ad, size_t *buflen);
int fp_pub_recv_decryption (struct BRANDT_Auction *ad,
const unsigned char *buf,
size_t buflen,
uint16_t sender);
int32_t fp_priv_determine_outcome (struct BRANDT_Auction *ad);
#endif /* ifndef _BRANDT_CRYPTO_H */ #endif /* ifndef _BRANDT_CRYPTO_H */

View File

@ -40,8 +40,10 @@ enum rounds {
/** /**
* This struct describes an auction and has to be followed by #description_len * This struct describes an auction and has to be followed by #description_len
* bytes of arbitrary data where the description of the item to be sold is * bytes of arbitrary data where the description of the item to be sold is
* stored. */ * stored.
struct AuctionDescr { *
* \todo: align to a multiple of 64bit */
struct BRANDT_AuctionDescrP {
/** The length of the description in bytes directly following this struct */ /** The length of the description in bytes directly following this struct */
uint32_t description_len; uint32_t description_len;
@ -55,11 +57,13 @@ struct AuctionDescr {
/** The amount of possible prices */ /** The amount of possible prices */
uint16_t price_range; uint16_t price_range;
/** \todo: time */
}; };
struct BRANDT_Auction { struct BRANDT_Auction {
struct AuctionDescr *desc; /** pointer to the auction information */ struct BRANDT_AuctionDescrP *desc; /** pointer to the auction information */
BRANDT_CbBroadcast bcast; /** broadcast callback */ BRANDT_CbBroadcast bcast; /** broadcast callback */
BRANDT_CbUnicast ucast; /** unicast callback */ BRANDT_CbUnicast ucast; /** unicast callback */

View File

@ -20,6 +20,8 @@
* @author Markus Teich * @author Markus Teich
*/ */
#include "brandt_config.h"
/* For testing static functions and variables we include the whole source */ /* For testing static functions and variables we include the whole source */
#include "crypto.c" #include "crypto.c"
@ -30,7 +32,7 @@
static uint16_t bidders; static uint16_t bidders;
static uint16_t prizes; static uint16_t prizes;
static struct AuctionData *ad; static struct BRANDT_Auction *ad;
int int
test_smc_2d_array () test_smc_2d_array ()
@ -79,8 +81,8 @@ test_serialization ()
{ {
gcry_mpi_point_t oldp = gcry_mpi_point_new (0); gcry_mpi_point_t oldp = gcry_mpi_point_new (0);
gcry_mpi_point_t newp = gcry_mpi_point_new (0); gcry_mpi_point_t newp = gcry_mpi_point_new (0);
gcry_mpi_t oldi = gcry_mpi_new (0); gcry_mpi_t oldi = gcry_mpi_new (256);
gcry_mpi_t newi = gcry_mpi_new (0); gcry_mpi_t newi = gcry_mpi_new (256);
struct ec_mpi serp; struct ec_mpi serp;
struct ec_mpi seri; struct ec_mpi seri;
@ -111,7 +113,7 @@ int
test_smc_zkp_dl () test_smc_zkp_dl ()
{ {
struct proof_dl proof; struct proof_dl proof;
gcry_mpi_t x = gcry_mpi_new (0); gcry_mpi_t x = gcry_mpi_new (256);
gcry_mpi_point_t v = gcry_mpi_point_new (0); gcry_mpi_point_t v = gcry_mpi_point_new (0);
ec_skey_create (x); ec_skey_create (x);
@ -130,7 +132,7 @@ int
test_smc_zkp_2dle () test_smc_zkp_2dle ()
{ {
struct proof_2dle proof; struct proof_2dle proof;
gcry_mpi_t x = gcry_mpi_new (0); gcry_mpi_t x = gcry_mpi_new (256);
gcry_mpi_point_t g1 = gcry_mpi_point_new (0); gcry_mpi_point_t g1 = gcry_mpi_point_new (0);
gcry_mpi_point_t g2 = gcry_mpi_point_new (0); gcry_mpi_point_t g2 = gcry_mpi_point_new (0);
gcry_mpi_point_t v = gcry_mpi_point_new (0); gcry_mpi_point_t v = gcry_mpi_point_new (0);
@ -184,7 +186,7 @@ test_setup_auction_data ()
{ {
uint16_t i; uint16_t i;
ad = calloc (bidders, sizeof (struct AuctionData)); ad = calloc (bidders, sizeof (struct BRANDT_Auction));
for (i = 0; i < bidders; i++) for (i = 0; i < bidders; i++)
{ {
@ -266,7 +268,7 @@ test_round2 ()
for (i = 0; i < bidders; i++) for (i = 0; i < bidders; i++)
{ {
bufs[i] = smc_compute_outcome (&ad[i], &lens[i]); bufs[i] = fp_priv_compute_outcome (&ad[i], &lens[i]);
check (bufs[i], "failed to compute outcome"); check (bufs[i], "failed to compute outcome");
} }
@ -276,7 +278,7 @@ test_round2 ()
{ {
if (s == i) if (s == i)
continue; continue;
check (smc_recv_outcome (&ad[i], bufs[s], lens[s], s), check (fp_priv_recv_outcome (&ad[i], bufs[s], lens[s], s),
"failed checking outcome"); "failed checking outcome");
} }
} }
@ -296,7 +298,7 @@ test_round3 ()
for (i = 0; i < bidders; i++) for (i = 0; i < bidders; i++)
{ {
bufs[i] = smc_decrypt_outcome (&ad[i], &lens[i]); bufs[i] = fp_priv_decrypt_outcome (&ad[i], &lens[i]);
check (bufs[i], "failed to decrypt outcome"); check (bufs[i], "failed to decrypt outcome");
} }
@ -306,7 +308,7 @@ test_round3 ()
{ {
if (s == i) if (s == i)
continue; continue;
check (smc_recv_decryption (&ad[i], bufs[s], lens[s], s), check (fp_priv_recv_decryption (&ad[i], bufs[s], lens[s], s),
"failed checking decrypted outcome"); "failed checking decrypted outcome");
} }
} }
@ -324,7 +326,7 @@ test_outcome ()
for (uint16_t i = 0; i < ad->n; i++) for (uint16_t i = 0; i < ad->n; i++)
{ {
if (-1 != smc_determine_outcome (&ad[i])) if (-1 != fp_priv_determine_outcome (&ad[i]))
{ {
check (-1 == ret, "multiple winners detected"); check (-1 == ret, "multiple winners detected");
ret = i; ret = i;
@ -346,9 +348,14 @@ cleanup_auction_data ()
smc_free1 (ad[i].y, ad[i].n); smc_free1 (ad[i].y, ad[i].n);
smc_free2 (ad[i].alpha, ad[i].n, ad[i].k); smc_free2 (ad[i].alpha, ad[i].n, ad[i].k);
smc_free2 (ad[i].beta, ad[i].n, ad[i].k); smc_free2 (ad[i].beta, ad[i].n, ad[i].k);
smc_free3 (ad[i].gamma, ad[i].n, ad[i].n, ad[i].k); smc_free2 (ad[i].gamma2, ad[i].n, ad[i].k);
smc_free3 (ad[i].delta, ad[i].n, ad[i].n, ad[i].k); smc_free2 (ad[i].delta2, ad[i].n, ad[i].k);
smc_free3 (ad[i].phi, ad[i].n, ad[i].n, ad[i].k); smc_free2 (ad[i].phi2, ad[i].n, ad[i].k);
smc_free3 (ad[i].gamma3, ad[i].n, ad[i].n, ad[i].k);
smc_free3 (ad[i].delta3, ad[i].n, ad[i].n, ad[i].k);
smc_free3 (ad[i].phi3, ad[i].n, ad[i].n, ad[i].k);
smc_free1 (ad[i].tmpa1, ad[i].k);
smc_free1 (ad[i].tmpb1, ad[i].k);
} }
free (ad); free (ad);
} }
@ -358,11 +365,13 @@ int
main (int argc, char *argv[]) main (int argc, char *argv[])
{ {
int repeat = 8; int repeat = 8;
struct GNUNET_CRYPTO_EccDlogContext *edc;
bidders = 2; bidders = 2;
prizes = 2 * bidders; prizes = 2 * bidders;
BRANDT_init (); edc = GNUNET_CRYPTO_ecc_dlog_prepare (1024 * 1024, 1024);
BRANDT_init (edc);
/* tests that need to run only once */ /* tests that need to run only once */
run (test_smc_2d_array); run (test_smc_2d_array);
@ -384,5 +393,6 @@ main (int argc, char *argv[])
cleanup_auction_data (); cleanup_auction_data ();
} }
GNUNET_CRYPTO_ecc_dlog_release (edc);
return ret; return ret;
} }

View File

@ -76,7 +76,7 @@ case, in other words, it is shown that $M \in \{0, G\}$. \\
Proof: & $A_1, A_2, B_1, B_2, d_1, d_2, r_1, r_2$ Proof: & $A_1, A_2, B_1, B_2, d_1, d_2, r_1, r_2$
\end{tabular} \end{tabular}
\subsection{Protocol} \subsection{First Price Auction Protocol With Private Outcome}
Let $n$ be the number of participating bidders/agents in the protocol and $k$ be Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
the amount of possible valuations/prices for the sold good. Let $G$ be the the amount of possible valuations/prices for the sold good. Let $G$ be the
@ -131,6 +131,8 @@ each $i, j$ and $h \neq i$ after having received all of them.
\item If $\exists w: V_{aw} = 0$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price. \item If $\exists w: V_{aw} = 0$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
\end{enumerate} \end{enumerate}
\subsection{First Price Auction Protocol With Public Outcome}

3
util.c
View File

@ -19,6 +19,9 @@
* @brief Implementation of common utility functions. * @brief Implementation of common utility functions.
* @author Markus Teich * @author Markus Teich
*/ */
#include "brandt_config.h"
#include <errno.h> #include <errno.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>