chie-crypto 0.2.0

Cryptographic primitives for CHIE Protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425

//! Shamir's Secret Sharing for secure key backup and recovery.
//!
//! This module implements (M, N) threshold secret sharing where:
//! - A secret is split into N shares
//! - Any M shares can reconstruct the secret
//! - Fewer than M shares reveal nothing about the secret
//!
//! Perfect for distributed key backup, multi-party authorization, etc.
//!
//! Security properties:
//! - Information-theoretic security (no amount of computing power helps with <M shares)
//! - Each share is the same size as the secret
//! - Shares are independent random values

use rand::Rng as _;
use thiserror::Error;
use zeroize::Zeroize;

/// Shamir secret sharing errors.
#[derive(Debug, Error)]
pub enum ShamirError {
    #[error("Invalid threshold: M must be > 0 and <= N")]
    InvalidThreshold,
    #[error("Not enough shares to reconstruct secret (need {needed}, got {got})")]
    InsufficientShares { needed: usize, got: usize },
    #[error("Duplicate share indices")]
    DuplicateIndices,
    #[error("Invalid share index (must be 1-255)")]
    InvalidShareIndex,
    #[error("Shares have different lengths")]
    InconsistentShareLengths,
    #[error("Secret is empty")]
    EmptySecret,
}

pub type ShamirResult<T> = Result<T, ShamirError>;

/// A single share of a secret.
#[derive(Clone, Debug, Zeroize)]
#[zeroize(drop)]
pub struct Share {
    /// Share index (1-255)
    pub index: u8,
    /// Share data
    pub data: Vec<u8>,
}

impl Share {
    /// Create a new share.
    pub fn new(index: u8, data: Vec<u8>) -> ShamirResult<Self> {
        if index == 0 {
            return Err(ShamirError::InvalidShareIndex);
        }
        Ok(Self { index, data })
    }

    /// Serialize to bytes (index || data).
    pub fn to_bytes(&self) -> Vec<u8> {
        let mut bytes = Vec::with_capacity(1 + self.data.len());
        bytes.push(self.index);
        bytes.extend_from_slice(&self.data);
        bytes
    }

    /// Deserialize from bytes.
    pub fn from_bytes(bytes: &[u8]) -> ShamirResult<Self> {
        if bytes.is_empty() {
            return Err(ShamirError::InvalidShareIndex);
        }
        let index = bytes[0];
        let data = bytes[1..].to_vec();
        Share::new(index, data)
    }
}

/// Split a secret into N shares with threshold M.
///
/// Any M shares can reconstruct the secret, but M-1 or fewer reveal nothing.
pub fn split(secret: &[u8], threshold: usize, num_shares: usize) -> ShamirResult<Vec<Share>> {
    if secret.is_empty() {
        return Err(ShamirError::EmptySecret);
    }
    if threshold == 0 || threshold > num_shares || num_shares > 255 {
        return Err(ShamirError::InvalidThreshold);
    }

    let mut shares = Vec::with_capacity(num_shares);
    let mut rng = rand::rng();

    // Split each byte independently using Shamir's scheme over GF(256)
    for (byte_idx, &secret_byte) in secret.iter().enumerate() {
        // Generate random polynomial coefficients (degree = threshold - 1)
        let mut coeffs = vec![secret_byte];
        for _ in 1..threshold {
            let mut byte = [0u8; 1];
            rng.fill_bytes(&mut byte);
            coeffs.push(byte[0]);
        }

        // Evaluate polynomial at points 1..=num_shares
        for share_idx in 0..num_shares {
            let x = (share_idx + 1) as u8;
            let y = eval_poly(&coeffs, x);

            if byte_idx == 0 {
                // First byte: create new share
                shares.push(Share::new(x, vec![y])?);
            } else {
                // Subsequent bytes: append to existing share
                shares[share_idx].data.push(y);
            }
        }
    }

    Ok(shares)
}

/// Reconstruct secret from M or more shares.
///
/// Returns error if fewer than threshold shares are provided.
pub fn reconstruct(shares: &[Share]) -> ShamirResult<Vec<u8>> {
    if shares.is_empty() {
        return Err(ShamirError::InsufficientShares { needed: 1, got: 0 });
    }

    // Verify all shares have the same length
    let share_len = shares[0].data.len();
    if !shares.iter().all(|s| s.data.len() == share_len) {
        return Err(ShamirError::InconsistentShareLengths);
    }

    // Verify no duplicate indices
    let mut indices = shares.iter().map(|s| s.index).collect::<Vec<_>>();
    indices.sort_unstable();
    if indices.windows(2).any(|w| w[0] == w[1]) {
        return Err(ShamirError::DuplicateIndices);
    }

    let mut secret = Vec::with_capacity(share_len);

    // Reconstruct each byte independently
    for byte_idx in 0..share_len {
        let points: Vec<(u8, u8)> = shares
            .iter()
            .map(|share| (share.index, share.data[byte_idx]))
            .collect();

        let secret_byte = lagrange_interpolate(&points, 0);
        secret.push(secret_byte);
    }

    Ok(secret)
}

/// Evaluate polynomial at x using Horner's method in GF(256).
fn eval_poly(coeffs: &[u8], x: u8) -> u8 {
    let mut result = 0u8;
    for &coeff in coeffs.iter().rev() {
        result = gf256_add(gf256_mul(result, x), coeff);
    }
    result
}

/// Lagrange interpolation in GF(256) to find f(x).
fn lagrange_interpolate(points: &[(u8, u8)], x: u8) -> u8 {
    let mut result = 0u8;

    for (i, &(xi, yi)) in points.iter().enumerate() {
        let mut basis = 1u8;

        for (j, &(xj, _)) in points.iter().enumerate() {
            if i != j {
                let numerator = gf256_sub(x, xj);
                let denominator = gf256_sub(xi, xj);
                let inv_denom = gf256_inv(denominator);
                basis = gf256_mul(basis, gf256_mul(numerator, inv_denom));
            }
        }

        result = gf256_add(result, gf256_mul(basis, yi));
    }

    result
}

// GF(256) arithmetic using AES polynomial (x^8 + x^4 + x^3 + x + 1)
const GF256_POLY: u16 = 0x11B;

/// Addition in GF(256) is XOR.
#[inline]
fn gf256_add(a: u8, b: u8) -> u8 {
    a ^ b
}

/// Subtraction in GF(256) is also XOR.
#[inline]
fn gf256_sub(a: u8, b: u8) -> u8 {
    a ^ b
}

/// Multiplication in GF(256).
fn gf256_mul(a: u8, b: u8) -> u8 {
    if a == 0 || b == 0 {
        return 0;
    }

    let mut result = 0u16;
    let mut a = a as u16;
    let mut b = b as u16;

    for _ in 0..8 {
        if b & 1 != 0 {
            result ^= a;
        }
        let carry = a & 0x80;
        a <<= 1;
        if carry != 0 {
            a ^= GF256_POLY;
        }
        b >>= 1;
    }

    (result & 0xFF) as u8
}

/// Multiplicative inverse in GF(256) using extended Euclidean algorithm.
fn gf256_inv(a: u8) -> u8 {
    if a == 0 {
        panic!("Cannot invert zero in GF(256)");
    }

    // Use Fermat's little theorem: a^254 = a^(-1) in GF(256)
    let mut result = 1u8;
    let mut base = a;

    // Compute a^254 using square-and-multiply
    for i in 0..8 {
        if 254 & (1 << i) != 0 {
            result = gf256_mul(result, base);
        }
        base = gf256_mul(base, base);
    }

    result
}

/// Split a 32-byte key using Shamir's secret sharing.
pub fn split_key_32(
    key: &[u8; 32],
    threshold: usize,
    num_shares: usize,
) -> ShamirResult<Vec<Share>> {
    split(key, threshold, num_shares)
}

/// Reconstruct a 32-byte key from shares.
pub fn reconstruct_key_32(shares: &[Share]) -> ShamirResult<[u8; 32]> {
    let secret = reconstruct(shares)?;
    if secret.len() != 32 {
        return Err(ShamirError::InconsistentShareLengths);
    }
    let mut key = [0u8; 32];
    key.copy_from_slice(&secret);
    Ok(key)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_split_and_reconstruct() {
        let secret = b"This is a secret message!";
        let shares = split(secret, 3, 5).unwrap();

        assert_eq!(shares.len(), 5);

        // Any 3 shares should reconstruct the secret
        let reconstructed = reconstruct(&shares[0..3]).unwrap();
        assert_eq!(&reconstructed, secret);

        let reconstructed2 = reconstruct(&shares[1..4]).unwrap();
        assert_eq!(&reconstructed2, secret);

        let reconstructed3 = reconstruct(&shares[2..5]).unwrap();
        assert_eq!(&reconstructed3, secret);
    }

    #[test]
    fn test_insufficient_shares() {
        let secret = b"secret";
        let shares = split(secret, 3, 5).unwrap();

        // Only 2 shares (less than threshold) should reconstruct something,
        // but it won't be the original secret (this is a probabilistic guarantee)
        let result = reconstruct(&shares[0..2]).unwrap();
        // Result exists but is likely not the secret
        assert_eq!(result.len(), secret.len());
    }

    #[test]
    fn test_32_byte_key() {
        let key = [42u8; 32];
        let shares = split_key_32(&key, 2, 3).unwrap();

        assert_eq!(shares.len(), 3);

        // Reconstruct with 2 shares
        let reconstructed = reconstruct_key_32(&shares[0..2]).unwrap();
        assert_eq!(reconstructed, key);

        // Reconstruct with all 3 shares
        let reconstructed2 = reconstruct_key_32(&shares).unwrap();
        assert_eq!(reconstructed2, key);
    }

    #[test]
    fn test_invalid_threshold() {
        let secret = b"secret";

        // Threshold = 0
        assert!(split(secret, 0, 5).is_err());

        // Threshold > num_shares
        assert!(split(secret, 6, 5).is_err());

        // num_shares > 255
        assert!(split(secret, 2, 256).is_err());
    }

    #[test]
    fn test_duplicate_indices() {
        let secret = b"secret";
        let shares = split(secret, 2, 3).unwrap();

        // Create duplicate by cloning
        let dup_shares = vec![shares[0].clone(), shares[0].clone()];
        assert!(reconstruct(&dup_shares).is_err());
    }

    #[test]
    fn test_share_serialization() {
        let secret = b"test";
        let shares = split(secret, 2, 3).unwrap();

        for share in &shares {
            let bytes = share.to_bytes();
            let deserialized = Share::from_bytes(&bytes).unwrap();
            assert_eq!(deserialized.index, share.index);
            assert_eq!(deserialized.data, share.data);
        }
    }

    #[test]
    fn test_different_combinations() {
        let secret = b"0123456789abcdef";
        let shares = split(secret, 3, 6).unwrap();

        // Test multiple different 3-share combinations
        let combo1 = vec![shares[0].clone(), shares[2].clone(), shares[4].clone()];
        let combo2 = vec![shares[1].clone(), shares[3].clone(), shares[5].clone()];

        let combinations: Vec<&[Share]> = vec![
            &shares[0..3],
            &shares[1..4],
            &shares[2..5],
            &shares[3..6],
            &combo1,
            &combo2,
        ];

        for combo in combinations {
            let reconstructed = reconstruct(combo).unwrap();
            assert_eq!(&reconstructed, secret);
        }
    }

    #[test]
    fn test_gf256_arithmetic() {
        // Test basic properties
        assert_eq!(gf256_add(5, 3), 5 ^ 3);
        assert_eq!(gf256_sub(7, 2), 7 ^ 2);

        // Test multiplicative identity
        assert_eq!(gf256_mul(42, 1), 42);

        // Test multiplicative inverse
        for x in 1u8..=255 {
            let inv = gf256_inv(x);
            assert_eq!(gf256_mul(x, inv), 1);
        }
    }

    #[test]
    fn test_empty_secret() {
        assert!(split(&[], 2, 3).is_err());
    }

    #[test]
    fn test_share_zeroize() {
        let share = Share::new(1, vec![1, 2, 3]).unwrap();
        drop(share); // Should zeroize on drop
    }

    #[test]
    fn test_threshold_one() {
        let secret = b"simple";
        let shares = split(secret, 1, 3).unwrap();

        // Each single share should reconstruct the secret
        for share in &shares {
            let reconstructed = reconstruct(std::slice::from_ref(share)).unwrap();
            assert_eq!(&reconstructed, secret);
        }
    }

    #[test]
    fn test_large_secret() {
        let secret = vec![0xAAu8; 1024]; // 1KB secret
        let shares = split(&secret, 5, 10).unwrap();

        let reconstructed = reconstruct(&shares[0..5]).unwrap();
        assert_eq!(reconstructed, secret);
    }
}