From ebd955858f8f6b9bce4838e2ece05d353422b45d Mon Sep 17 00:00:00 2001
From: Markus Teich
Date: Sun, 9 Oct 2016 14:16:53 +0200
Subject: [PATCH] add additional proof on encrypt_bid for M+1st price auctions
This is needed to ensure bidders are only chosing bids from the subset which is allowed to them. This prevents ties and keeps the protocol way more simple for M+1st price auctions.
---
 crypto.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 54 insertions(+), 1 deletion(-)
diff --git a/crypto.c b/crypto.c
index 3b5205a..ed3cfb3 100644
--- a/crypto.c
+++ b/crypto.c
@@ -705,6 +705,7 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
 struct msg_head *head;
 struct proof_0og *proof3;
 gcry_mpi_t r_sum;
+ gcry_mpi_t r_sum2;
 gcry_mpi_t r_part;
 brandt_assert (ad && buflen);
@@ -721,6 +722,7 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
 cur = ret + sizeof (*head);
 r_sum = gcry_mpi_new (256);
+ r_sum2 = gcry_mpi_new (256);
 r_part = gcry_mpi_new (256);
 for (uint16_t j = 0; j < ad->k; j++)
@@ -735,11 +737,29 @@ smc_encrypt_bid (struct BRANDT_Auction *ad, size_t *buflen)
 ec_point_serialize ((struct ec_mpi *)cur, ad->alpha[ad->i][j]);
 ec_point_serialize (&((struct ec_mpi *)cur)[1], ad->beta[ad->i][j]);
 gcry_mpi_addm (r_sum, r_sum, r_part, ec_n);
+
+ /* prepare sum for additional M+1st price auction proof (see below) */
+ if (0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n)
+ gcry_mpi_addm (r_sum2, r_sum2, r_part, ec_n);
+
 cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og);
 }
 smc_zkp_2dle (NULL, NULL, ad->Y, ec_gen, r_sum, (struct proof_2dle *)cur);
+ /* in M+1st price auctions we need to prove that our bid is from the valid
+ * subset of bids as well */
+ if (0 < ad->m)
+ {
+ struct proof_2dle *proof2;
+ *buflen += sizeof (struct proof_2dle);
+ ret = GNUNET_realloc (ret, *buflen);
+ proof2 = (struct proof_2dle *)(ret + *buflen -
+ sizeof (struct proof_2dle));
+ smc_zkp_2dle (NULL, NULL, ad->Y, ec_gen, r_sum2, proof2);
+ }
+
 gcry_mpi_release (r_sum);
+ gcry_mpi_release (r_sum2);
 gcry_mpi_release (r_part);
 return ret;
@@ -758,11 +778,13 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
 gcry_mpi_point_t **ct; /* ciphertexts */
 gcry_mpi_point_t alpha_sum = gcry_mpi_point_new (0);
 gcry_mpi_point_t beta_sum = gcry_mpi_point_new (0);
+ gcry_mpi_point_t alpha_sum2 = gcry_mpi_point_new (0);
+ gcry_mpi_point_t beta_sum2 = gcry_mpi_point_new (0);
 brandt_assert (ad && buf);
 if (buflen != (ad->k * (sizeof (struct ec_mpi) * 2 + sizeof (*proof3)) +
- sizeof (struct proof_2dle)) ||
+ (0 < ad->m ? 2 : 1) * sizeof (struct proof_2dle)) ||
 NULL == (ct = smc_init2 (2, ad->k)))
 {
 weprintf ("wrong size of received encrypted bid");
@@ -771,6 +793,8 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
 ec_point_copy (alpha_sum, ec_zero);
 ec_point_copy (beta_sum, ec_zero);
+ ec_point_copy (alpha_sum2, ec_zero);
+ ec_point_copy (beta_sum2, ec_zero);
 for (uint16_t j = 0; j < ad->k; j++)
 {
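Review bot: In the `if (0 < ad->m)` block of `smc_encrypt_bid`, the second proof is appended by growing the already-filled message with `GNUNET_realloc (ret, *buflen)`, which leaves `cur` (and `head`, declared above the hunk) pointing into the old allocation if the block moves. Nothing visible dereferences them afterwards, but this is easy to break in a later change; sizing the buffer once where `*buflen` is first computed (outside this hunk) with the same `(0 < ad->m ? 2 : 1) * sizeof (struct proof_2dle)` term the receiver uses, and writing the proof at `cur + sizeof (struct proof_2dle)`, would avoid the stale pointers. If the realloc stays, a comment such as `/* ret may move: cur and head are invalid from here on */` would help. The subset condition is also duplicated verbatim in the receiver, so a small static helper taking the bidder index would keep both sides in sync.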
@@ -784,6 +808,15 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
 }
 gcry_mpi_ec_add (alpha_sum, alpha_sum, ct[0][j], ec_ctx);
 gcry_mpi_ec_add (beta_sum, beta_sum, ct[1][j], ec_ctx);
+
+ /* precalculate ciphertext sums for second 2dle proof needed in M+1st
+ * price auctions */
+ if (0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n)
+ {
+ gcry_mpi_ec_add (alpha_sum2, alpha_sum2, ct[0][j], ec_ctx);
+ gcry_mpi_ec_add (beta_sum2, beta_sum2, ct[1][j], ec_ctx);
+ }
+
 cur += 2 * sizeof (struct ec_mpi) + sizeof (struct proof_0og);
 }
@@ -798,6 +831,24 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
 goto quit;
 }
+ /* On M+1st price auctions check with the second 2dle proof if the bidder
+ * only bid on one of his allowed indizes */
+ if (0 < ad->m)
+ {
+ cur += sizeof (struct proof_2dle);
+ gcry_mpi_ec_sub (alpha_sum2, alpha_sum2, ec_gen, ec_ctx);
+ if (smc_zkp_2dle_check (alpha_sum2,
+ beta_sum2,
+ ad->Y,
+ ec_gen,
+ (struct proof_2dle *)cur))
+ {
+ weprintf ("wrong second zkp2 for alpha, beta received. "
+ "bid not allowed for this user in M+1st price auctions.");
+ goto quit;
+ }
+ }
+
 for (uint16_t j = 0; j < ad->k; j++)
 {
 ec_point_copy (ad->alpha[sender][j], ct[0][j]);
@@ -809,6 +860,8 @@ smc_recv_encrypted_bid (struct BRANDT_Auction *ad,
 quit:
 gcry_mpi_point_release (alpha_sum);
 gcry_mpi_point_release (beta_sum);
+ gcry_mpi_point_release (alpha_sum2);
+ gcry_mpi_point_release (beta_sum2);
 return ret;
 }
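Review bot: The subset test in the receive loop, `0 < ad->m && j >= ad->i && 0 == (j - ad->i) % ad->n`, selects indices by the local bidder's index `ad->i`, while the rest of `smc_recv_encrypted_bid` stores the ciphertexts under `sender`. Since the second 2dle proof is meant to show that the sender bid inside its own allowed subset, `alpha_sum2`/`beta_sum2` should presumably be accumulated with `j >= sender && 0 == (j - sender) % ad->n`. As written, a proof built by another bidder over its own subset looks like it would be checked against the receiver's subset, and the `smc_zkp_2dle_check` call in the next hunk inherits this. It is also worth confirming that `ad->n` cannot be zero here, since `% ad->n` would then be undefined. The function body starts and ends outside these hunks.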