+ GNUNET_MQ_send (ks->cs->mq,
+ ev);
+}
+
+
+static void
+restore_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
+ const struct GNUNET_SECRETSHARING_FairEncryption *fe,
+ gcry_mpi_t x, gcry_mpi_t xres)
+{
+ gcry_mpi_t a_1;
+ gcry_mpi_t a_2;
+ gcry_mpi_t b_1;
+ gcry_mpi_t b_2;
+ gcry_mpi_t big_a;
+ gcry_mpi_t big_b;
+ gcry_mpi_t big_t;
+ gcry_mpi_t n;
+ gcry_mpi_t t_1;
+ gcry_mpi_t t_2;
+ gcry_mpi_t t;
+ gcry_mpi_t r;
+ gcry_mpi_t v;
+
+
+ GNUNET_assert (NULL != (n = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t_1 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t_2 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (big_t = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (v = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (big_a = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (big_b = gcry_mpi_new (0)));
+
+ // a = (N,0)^T
+ GNUNET_CRYPTO_mpi_scan_unsigned (&a_1,
+ ppub,
+ sizeof(struct
+ GNUNET_CRYPTO_PaillierPublicKey));
+ GNUNET_assert (NULL != (a_2 = gcry_mpi_new (0)));
+ gcry_mpi_set_ui (a_2, 0);
+ // b = (x,1)^T
+ GNUNET_assert (NULL != (b_1 = gcry_mpi_new (0)));
+ gcry_mpi_set (b_1, x);
+ GNUNET_assert (NULL != (b_2 = gcry_mpi_new (0)));
+ gcry_mpi_set_ui (b_2, 1);
+
+ // A = a DOT a
+ gcry_mpi_mul (t, a_1, a_1);
+ gcry_mpi_mul (big_a, a_2, a_2);
+ gcry_mpi_add (big_a, big_a, t);
+
+ // B = b DOT b
+ gcry_mpi_mul (t, b_1, b_1);
+ gcry_mpi_mul (big_b, b_2, b_2);
+ gcry_mpi_add (big_b, big_b, t);
+
+ while (1)
+ {
+ // n = a DOT b
+ gcry_mpi_mul (t, a_1, b_1);
+ gcry_mpi_mul (n, a_2, b_2);
+ gcry_mpi_add (n, n, t);
+
+ // r = nearest(n/B)
+ gcry_mpi_div (r, NULL, n, big_b, 0);
+
+ // T := A - 2rn + rrB
+ gcry_mpi_mul (v, r, n);
+ gcry_mpi_mul_ui (v, v, 2);
+ gcry_mpi_sub (big_t, big_a, v);
+ gcry_mpi_mul (v, r, r);
+ gcry_mpi_mul (v, v, big_b);
+ gcry_mpi_add (big_t, big_t, v);
+
+ if (gcry_mpi_cmp (big_t, big_b) >= 0)
+ {
+ break;
+ }
+
+ // t = a - rb
+ gcry_mpi_mul (v, r, b_1);
+ gcry_mpi_sub (t_1, a_1, v);
+ gcry_mpi_mul (v, r, b_2);
+ gcry_mpi_sub (t_2, a_2, v);
+
+ // a = b
+ gcry_mpi_set (a_1, b_1);
+ gcry_mpi_set (a_2, b_2);
+ // b = t
+ gcry_mpi_set (b_1, t_1);
+ gcry_mpi_set (b_2, t_2);
+
+ gcry_mpi_set (big_a, big_b);
+ gcry_mpi_set (big_b, big_t);
+ }
+
+ gcry_mpi_set (xres, b_2);
+ gcry_mpi_invm (xres, xres, elgamal_q);
+ gcry_mpi_mulm (xres, xres, b_1, elgamal_q);
+
+ gcry_mpi_release (a_1);
+ gcry_mpi_release (a_2);
+ gcry_mpi_release (b_1);
+ gcry_mpi_release (b_2);
+ gcry_mpi_release (big_a);
+ gcry_mpi_release (big_b);
+ gcry_mpi_release (big_t);
+ gcry_mpi_release (n);
+ gcry_mpi_release (t_1);
+ gcry_mpi_release (t_2);
+ gcry_mpi_release (t);
+ gcry_mpi_release (r);
+ gcry_mpi_release (v);
+}
+
+
+static void
+get_fair_encryption_challenge (const struct
+ GNUNET_SECRETSHARING_FairEncryption *fe,
+ gcry_mpi_t *e)
+{
+ struct
+ {
+ struct GNUNET_CRYPTO_PaillierCiphertext c;
+ char h[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
+ char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
+ char t2[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
+ } hash_data;
+ struct GNUNET_HashCode e_hash;
+
+ memset (&hash_data,
+ 0,
+ sizeof(hash_data));
+ GNUNET_memcpy (&hash_data.c, &fe->c, sizeof(struct
+ GNUNET_CRYPTO_PaillierCiphertext));
+ GNUNET_memcpy (&hash_data.h, &fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ GNUNET_memcpy (&hash_data.t1, &fe->t1, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ GNUNET_memcpy (&hash_data.t2, &fe->t2, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
+ GNUNET_CRYPTO_hash (&hash_data,
+ sizeof(hash_data),
+ &e_hash);
+ /* This allocates "e" */
+ GNUNET_CRYPTO_mpi_scan_unsigned (e,
+ &e_hash,
+ sizeof(struct GNUNET_HashCode));
+ gcry_mpi_mod (*e, *e, elgamal_q);
+}
+
+
+static int
+verify_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
+ const struct GNUNET_SECRETSHARING_FairEncryption *fe)
+{
+ gcry_mpi_t n;
+ gcry_mpi_t n_sq;
+ gcry_mpi_t z;
+ gcry_mpi_t t1;
+ gcry_mpi_t t2;
+ gcry_mpi_t e;
+ gcry_mpi_t w;
+ gcry_mpi_t tmp1;
+ gcry_mpi_t tmp2;
+ gcry_mpi_t y;
+ gcry_mpi_t big_y;
+ int res;
+
+ GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
+
+ get_fair_encryption_challenge (fe,
+ &e /* this allocates e */);
+
+ GNUNET_CRYPTO_mpi_scan_unsigned (&n,
+ ppub,
+ sizeof(struct
+ GNUNET_CRYPTO_PaillierPublicKey));
+ GNUNET_CRYPTO_mpi_scan_unsigned (&t1, fe->t1, GNUNET_CRYPTO_PAILLIER_BITS
+ / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&z, fe->z,
+ GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&y, fe->h,
+ GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&w, fe->w, GNUNET_CRYPTO_PAILLIER_BITS / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&big_y, fe->c.bits,
+ GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&t2, fe->t2, GNUNET_CRYPTO_PAILLIER_BITS
+ * 2 / 8);
+ gcry_mpi_mul (n_sq, n, n);
+
+ // tmp1 = g^z
+ gcry_mpi_powm (tmp1, elgamal_g, z, elgamal_p);
+ // tmp2 = y^{-e}
+ gcry_mpi_powm (tmp1, y, e, elgamal_p);
+ gcry_mpi_invm (tmp1, tmp1, elgamal_p);
+ // tmp1 = tmp1 * tmp2
+ gcry_mpi_mulm (tmp1, tmp1, tmp2, elgamal_p);
+
+ if (0 == gcry_mpi_cmp (t1, tmp1))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t1)\n");
+ res = GNUNET_NO;
+ goto cleanup;
+ }
+
+ gcry_mpi_powm (big_y, big_y, e, n_sq);
+ gcry_mpi_invm (big_y, big_y, n_sq);
+
+ gcry_mpi_add_ui (tmp1, n, 1);
+ gcry_mpi_powm (tmp1, tmp1, z, n_sq);
+
+ gcry_mpi_powm (tmp2, w, n, n_sq);
+
+ gcry_mpi_mulm (tmp1, tmp1, tmp2, n_sq);
+ gcry_mpi_mulm (tmp1, tmp1, big_y, n_sq);
+
+
+ if (0 == gcry_mpi_cmp (t2, tmp1))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t2)\n");
+ res = GNUNET_NO;
+ goto cleanup;
+ }
+
+ res = GNUNET_YES;
+
+cleanup:
+
+ gcry_mpi_release (n);
+ gcry_mpi_release (n_sq);
+ gcry_mpi_release (z);
+ gcry_mpi_release (t1);
+ gcry_mpi_release (t2);
+ gcry_mpi_release (e);
+ gcry_mpi_release (w);
+ gcry_mpi_release (tmp1);
+ gcry_mpi_release (tmp2);
+ gcry_mpi_release (y);
+ gcry_mpi_release (big_y);
+ return res;
+}
+
+
+/**
+ * Create a fair Paillier encryption of then given ciphertext.
+ *
+ * @param v the ciphertext
+ * @param[out] fe the fair encryption
+ */
+static void
+encrypt_fair (gcry_mpi_t v,
+ const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
+ struct GNUNET_SECRETSHARING_FairEncryption *fe)
+{
+ gcry_mpi_t r;
+ gcry_mpi_t s;
+ gcry_mpi_t t1;
+ gcry_mpi_t t2;
+ gcry_mpi_t z;
+ gcry_mpi_t w;
+ gcry_mpi_t n;
+ gcry_mpi_t e;
+ gcry_mpi_t n_sq;
+ gcry_mpi_t u;
+ gcry_mpi_t Y;
+ gcry_mpi_t G;
+ gcry_mpi_t h;
+
+ GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (s = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t1 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t2 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (z = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (u = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (Y = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (G = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (h = gcry_mpi_new (0)));
+
+ GNUNET_CRYPTO_mpi_scan_unsigned (&n,
+ ppub,
+ sizeof(struct
+ GNUNET_CRYPTO_PaillierPublicKey));
+ gcry_mpi_mul (n_sq, n, n);
+ gcry_mpi_add_ui (G, n, 1);
+
+ do
+ {
+ gcry_mpi_randomize (u, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
+ }
+ while (gcry_mpi_cmp (u, n) >= 0);
+
+ gcry_mpi_powm (t1, G, v, n_sq);
+ gcry_mpi_powm (t2, u, n, n_sq);
+ gcry_mpi_mulm (Y, t1, t2, n_sq);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->c.bits,
+ sizeof fe->c.bits,
+ Y);
+
+
+ gcry_mpi_randomize (r, 2048, GCRY_WEAK_RANDOM);
+ do
+ {
+ gcry_mpi_randomize (s, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
+ }
+ while (gcry_mpi_cmp (s, n) >= 0);
+
+ // compute t1
+ gcry_mpi_mulm (t1, elgamal_g, r, elgamal_p);
+ // compute t2 (use z and w as temp)
+ gcry_mpi_powm (z, G, r, n_sq);
+ gcry_mpi_powm (w, s, n, n_sq);
+ gcry_mpi_mulm (t2, z, w, n_sq);
+
+
+ gcry_mpi_powm (h, elgamal_g, v, elgamal_p);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->h,
+ GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
+ h);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->t1,
+ GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
+ t1);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->t2,
+ GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8,
+ t2);
+
+ get_fair_encryption_challenge (fe,
+ &e /* This allocates "e" */);
+
+ // compute z
+ gcry_mpi_mul (z, e, v);
+ gcry_mpi_addm (z, z, r, elgamal_q);
+ // compute w
+ gcry_mpi_powm (w, u, e, n);
+ gcry_mpi_mulm (w, w, s, n);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->z,
+ GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
+ z);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->w,
+ GNUNET_CRYPTO_PAILLIER_BITS / 8,
+ w);
+
+ gcry_mpi_release (n);
+ gcry_mpi_release (r);
+ gcry_mpi_release (s);
+ gcry_mpi_release (t1);
+ gcry_mpi_release (t2);
+ gcry_mpi_release (z);
+ gcry_mpi_release (w);
+ gcry_mpi_release (e);
+ gcry_mpi_release (n_sq);
+ gcry_mpi_release (u);
+ gcry_mpi_release (Y);
+ gcry_mpi_release (G);
+ gcry_mpi_release (h);