diff --git a/crypto.c b/crypto.c
index 3b5205a..ed3cfb3 100644
--- a/crypto.c
+++ b/crypto.c
@@ -705,6 +705,7 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
   struct msg_head *head;
   struct proof_0og *proof3;
   gcry_mpi_t r_sum;
+  gcry_mpi_t r_sum2;
   gcry_mpi_t r_part;
 
   brandt_assert (ad && buflen);
@@ -721,6 +722,7 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
   cur = ret + sizeof (*head);
 
   r_sum = gcry_mpi_new (256);
+  r_sum2 = gcry_mpi_new (256);
   r_part = gcry_mpi_new (256);
 
   for (uint16_t j = 0; j < ad->k; j++)
@@ -735,11 +737,29 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
       ec_point_serialize ((struct ec_mpi *)cur, ad->alpha[ad->i][j]);
       ec_point_serialize (&((struct ec_mpi *)cur)[1], ad->beta[ad->i][j]);
       gcry_mpi_addm (r_sum, r_sum, r_part, ec_n);
+
+      /* prepare sum for additional M+1st price auction proof (see below) */
+      if (0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n)
+        gcry_mpi_addm (r_sum2, r_sum2, r_part, ec_n);
+
       cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og);
     }
 
   smc_zkp_2dle (NULL, NULL, ad->Y, ec_gen, r_sum, (struct proof_2dle *)cur);
+  /* in M+1st price auctions we need to prove that our bid is from the valid
+   * subset of bids as well */
+  if (0 < ad->m)
+    {
+      struct proof_2dle *proof2;
+      *buflen += sizeof (struct proof_2dle);
+      ret = GNUNET_realloc (ret, *buflen);
+      proof2 = (struct proof_2dle *)(ret + *buflen -
+                                     sizeof (struct proof_2dle));
+      smc_zkp_2dle (NULL, NULL, ad->Y, ec_gen, r_sum2, proof2);
+    }
+
   gcry_mpi_release (r_sum);
+  gcry_mpi_release (r_sum2);
   gcry_mpi_release (r_part);
 
   return ret;
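Review bot: The second proof is appended by growing `ret` with `GNUNET_realloc` after `cur` (and presumably `head`) were derived from the old `ret`, so from that line on both point into memory the realloc may have freed; nothing later in this hunk touches them, but the hazard is unnecessary because the extra size is known before the first allocation. `*buflen` is computed at the top of smc_encrypt_bid (outside this hunk) and the receiver already expects `(0 < ad->m ? 2 : 1) * sizeof (struct proof_2dle)`, so add the extra proof size there and write the proof in place inside the `if (0 < ad->m)`: `cur += sizeof (struct proof_2dle);` followed by `smc_zkp_2dle (NULL, NULL, ad->Y, ec_gen, r_sum2, (struct proof_2dle *)cur);`, dropping `proof2` and the realloc. That keeps a single allocation and one size formula on both sides. Separately, the new slot filter `0 == (j - ad->i) % ad->n` (repeated in smc_recv_encrypted_bid) divides by `ad->n`; if that field can still be zero when a bid is encrypted this is a division by zero, so a `brandt_assert (0 < ad->n)` next to the existing `brandt_assert (ad && buflen)` would be cheap insurance.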
@@ -758,11 +778,13 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
   gcry_mpi_point_t **ct; /* ciphertexts */
   gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0);
   gcry_mpi_point_t beta_sum = gcry_mpi_point_new (0);
+  gcry_mpi_point_t alpha_sum2 = gcry_mpi_point_new (0);
+  gcry_mpi_point_t beta_sum2 = gcry_mpi_point_new (0);
 
   brandt_assert (ad && buf);
 
   if (buflen != (ad->k * (sizeof (struct ec_mpi) * 2 + sizeof (*proof3)) +
-                 sizeof (struct proof_2dle)) ||
+                 (0 < ad->m ? 2 : 1) * sizeof (struct proof_2dle)) ||
       NULL == (ct = smc_init2 (2, ad->k)))
     {
       weprintf ("wrong size of received encrypted bid");
@@ -771,6 +793,8 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
 
   ec_point_copy (alpha_sum, ec_zero);
   ec_point_copy (beta_sum, ec_zero);
+  ec_point_copy (alpha_sum2, ec_zero);
+  ec_point_copy (beta_sum2, ec_zero);
 
   for (uint16_t j = 0; j < ad->k; j++)
     {
@@ -784,6 +808,15 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
         }
       gcry_mpi_ec_add (alpha_sum, alpha_sum, ct[0][j], ec_ctx);
       gcry_mpi_ec_add (beta_sum, beta_sum, ct[1][j], ec_ctx);
+
+      /* precalculate ciphertext sums for second 2dle proof needed in M+1st
+       * price auctions */
+      if (0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n)
+        {
+          gcry_mpi_ec_add (alpha_sum2, alpha_sum2, ct[0][j], ec_ctx);
+          gcry_mpi_ec_add (beta_sum2, beta_sum2, ct[1][j], ec_ctx);
+        }
+
       cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og);
     }
 
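Review bot: The ciphertexts folded into `alpha_sum2`/`beta_sum2` are selected with `ad->i`, which smc_encrypt_bid uses as the local bidder's own index (`ad->alpha[ad->i][j]`), whereas this function verifies a bid from `sender` (see `ad->alpha[sender][j]` in the next hunk). Unless `ad->i` is rebound to the sender somewhere outside the hunk, the verifier sums the slots allowed for itself rather than for the sender, so an honest peer's second proof fails for every sender other than the receiver, and the slot set actually enforced is the wrong one. The filter should mirror the prover with the sender's index: `if (0 < ad->m && j >= sender && 0 == (j - sender) % ad->n)`. The enclosing loop body starts before this hunk.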
@@ -798,6 +831,24 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
       goto quit;
     }
 
+  /* On M+1st price auctions check with the second 2dle proof if the bidder
+   * only bid on one of his allowed indizes */
+  if (0 < ad->m)
+    {
+      cur += sizeof (struct proof_2dle);
+      gcry_mpi_ec_sub (alpha_sum2, alpha_sum2, ec_gen, ec_ctx);
+      if (smc_zkp_2dle_check (alpha_sum2,
+                              beta_sum2,
+                              ad->Y,
+                              ec_gen,
+                              (struct proof_2dle *)cur))
+        {
+          weprintf ("wrong second zkp2 for alpha, beta received. "
+                    "bid not allowed for this user in M+1st price auctions.");
+          goto quit;
+        }
+    }
+
   for (uint16_t j = 0; j < ad->k; j++)
     {
       ec_point_copy (ad->alpha[sender][j], ct[0][j]);
@@ -809,6 +860,8 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
 quit:
   gcry_mpi_point_release (alpha_sum);
   gcry_mpi_point_release (beta_sum);
+  gcry_mpi_point_release (alpha_sum2);
+  gcry_mpi_point_release (beta_sum2);
 
   return ret;
 }
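Review bot: The `gcry_mpi_ec_sub (alpha_sum2, alpha_sum2, ec_gen, ec_ctx)` before the check is the one non-obvious step in the new block and carries no comment, and the first 2dle check it appears to mirror lies before this hunk, so a reader cannot see why the generator is subtracted. A comment such as `/* the sender's allowed slots must encrypt exactly one ec_gen in total; subtract it so the 2dle proof covers the remainder (same step as the first check above) -- confirm against smc_zkp_2dle_check */` would make the intent reviewable. The `cur += sizeof (struct proof_2dle)` step is within bounds only because of the `(0 < ad->m ? 2 : 1)` term added to the buflen check earlier in this function; worth saying so in the same comment. In the block comment, `indizes` should read `indices`, and `check with the second 2dle proof if the bidder only bid on` reads better as `use the second 2dle proof to check that the bidder only bid on`.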