sskr 0.12.0

Sharded Secret Key Reconstruction (SSKR) for Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312

use bc_rand::RandomNumberGenerator;
use bc_shamir::{recover_secret, split_secret};

use crate::{
    Error, METADATA_SIZE_BYTES, Result, Secret, Spec, share::SSKRShare,
};

/// Generates SSKR shares for the given `Spec` and `Secret`.
///
/// # Arguments
///
/// * `spec` - The `Spec` instance that defines the group and member thresholds.
/// * `master_secret` - The `Secret` instance to be split into shares.
pub fn sskr_generate(
    spec: &Spec,
    master_secret: &Secret,
) -> Result<Vec<Vec<Vec<u8>>>> {
    let mut rng = bc_rand::SecureRandomNumberGenerator;
    sskr_generate_using(spec, master_secret, &mut rng)
}

/// Generates SSKR shares for the given `Spec` and `Secret` using the provided
/// random number generator.
///
/// # Arguments
///
/// * `spec` - The `Spec` instance that defines the group and member thresholds.
/// * `master_secret` - The `Secret` instance to be split into shares.
/// * `random_generator` - The random number generator to use for generating
///   shares.
pub fn sskr_generate_using(
    spec: &Spec,
    master_secret: &Secret,
    random_generator: &mut impl RandomNumberGenerator,
) -> Result<Vec<Vec<Vec<u8>>>> {
    let groups_shares = generate_shares(spec, master_secret, random_generator)?;

    let result: Vec<Vec<Vec<u8>>> = groups_shares
        .iter()
        .map(|group| group.iter().map(serialize_share).collect())
        .collect();

    Ok(result)
}

/// Combines the given SSKR shares into a `Secret`.
///
/// # Arguments
///
/// * `shares` - A slice of SSKR shares to be combined.
///
/// # Errors
///
/// Returns an error if the shares do not meet the necessary quorum of groups
/// and member shares within each group.
pub fn sskr_combine<T>(shares: &[T]) -> Result<Secret>
where
    T: AsRef<[u8]>,
{
    let mut sskr_shares = Vec::with_capacity(shares.len());

    for share in shares {
        let sskr_share = deserialize_share(share.as_ref())?;
        sskr_shares.push(sskr_share);
    }

    combine_shares(&sskr_shares)
}

fn serialize_share(share: &SSKRShare) -> Vec<u8> {
    // pack the id, group and member data into 5 bytes:
    // 76543210        76543210        76543210
    //         76543210        76543210
    // ----------------====----====----====----
    // identifier: 16
    //                 group-threshold: 4
    //                     group-count: 4
    //                         group-index: 4
    //                             member-threshold: 4
    //                                 reserved (MUST be zero): 4
    //                                     member-index: 4

    let mut result =
        Vec::with_capacity(share.value().len() + METADATA_SIZE_BYTES);
    let id = share.identifier();
    let gt = (share.group_threshold() - 1) & 0xf;
    let gc = (share.group_count() - 1) & 0xf;
    let gi = share.group_index() & 0xf;
    let mt = (share.member_threshold() - 1) & 0xf;
    let mi = share.member_index() & 0xf;

    let id1 = id >> 8;
    let id2 = id & 0xff;

    result.push(id1 as u8);
    result.push(id2 as u8);
    result.push(((gt << 4) | gc) as u8);
    result.push(((gi << 4) | mt) as u8);
    result.push(mi as u8);
    result.extend_from_slice(share.value().data());

    result
}

fn deserialize_share(source: &[u8]) -> Result<SSKRShare> {
    if source.len() < METADATA_SIZE_BYTES {
        return Err(Error::ShareLengthInvalid);
    }

    let group_threshold = ((source[2] >> 4) + 1) as usize;
    let group_count = ((source[2] & 0xf) + 1) as usize;

    if group_threshold > group_count {
        return Err(Error::GroupThresholdInvalid);
    }

    let identifier = ((source[0] as u16) << 8) | source[1] as u16;
    let group_index = (source[3] >> 4) as usize;
    let member_threshold = ((source[3] & 0xf) + 1) as usize;
    let reserved = source[4] >> 4;
    if reserved != 0 {
        return Err(Error::ShareReservedBitsInvalid);
    }
    let member_index = (source[4] & 0xf) as usize;
    let value = Secret::new(&source[METADATA_SIZE_BYTES..])?;

    Ok(SSKRShare::new(
        identifier,
        group_index,
        group_threshold,
        group_count,
        member_index,
        member_threshold,
        value,
    ))
}

fn generate_shares(
    spec: &Spec,
    master_secret: &Secret,
    random_generator: &mut impl RandomNumberGenerator,
) -> Result<Vec<Vec<SSKRShare>>> {
    // assign a random identifier
    let mut identifier = [0u8; 2];
    random_generator.fill_random_data(&mut identifier);
    let identifier: u16 = ((identifier[0] as u16) << 8) | identifier[1] as u16;

    let mut groups_shares: Vec<Vec<SSKRShare>> =
        Vec::with_capacity(spec.group_count());

    let group_secrets = split_secret(
        spec.group_threshold(),
        spec.group_count(),
        master_secret.data(),
        random_generator,
    )
    .map_err(Error::ShamirError)?;

    for (group_index, group) in spec.groups().iter().enumerate() {
        let group_secret = &group_secrets[group_index];
        let member_secrets = split_secret(
            group.member_threshold(),
            group.member_count(),
            group_secret,
            random_generator,
        )
        .map_err(Error::ShamirError)?
        .into_iter()
        .map(Secret::new)
        .collect::<Result<Vec<Secret>>>()?;
        let member_sskr_shares: Vec<SSKRShare> = member_secrets
            .into_iter()
            .enumerate()
            .map(|(member_index, member_secret)| {
                SSKRShare::new(
                    identifier,
                    group_index,
                    spec.group_threshold(),
                    spec.group_count(),
                    member_index,
                    group.member_threshold(),
                    member_secret,
                )
            })
            .collect();
        groups_shares.push(member_sskr_shares);
    }

    Ok(groups_shares)
}

#[derive(Debug)]
struct Group {
    group_index: usize,
    member_threshold: usize,
    member_indexes: Vec<usize>,
    member_shares: Vec<Secret>,
}

impl Group {
    fn new(group_index: usize, member_threshold: usize) -> Self {
        Self {
            group_index,
            member_threshold,
            member_indexes: Vec::with_capacity(16),
            member_shares: Vec::with_capacity(16),
        }
    }
}

fn combine_shares(shares: &[SSKRShare]) -> Result<Secret> {
    let mut identifier = 0;
    let mut group_threshold = 0;
    let mut group_count = 0;

    if shares.is_empty() {
        return Err(Error::SharesEmpty);
    }

    let mut next_group = 0;
    let mut groups: Vec<Group> = Vec::with_capacity(16);
    let mut secret_len = 0;

    for (i, share) in shares.iter().enumerate() {
        if i == 0 {
            // on the first one, establish expected values for common metadata
            identifier = share.identifier();
            group_count = share.group_count();
            group_threshold = share.group_threshold();
            secret_len = share.value().len();
        } else {
            // on subsequent shares, check that common metadata matches
            if share.identifier() != identifier
                || share.group_threshold() != group_threshold
                || share.group_count() != group_count
                || share.value().len() != secret_len
            {
                return Err(Error::ShareSetInvalid);
            }
        }

        // sort shares into member groups
        let mut group_found = false;
        for group in groups.iter_mut() {
            if share.group_index() == group.group_index {
                group_found = true;
                if share.member_threshold() != group.member_threshold {
                    return Err(Error::MemberThresholdInvalid);
                }
                for k in 0..group.member_indexes.len() {
                    if share.member_index() == group.member_indexes[k] {
                        return Err(Error::DuplicateMemberIndex);
                    }
                }
                if group.member_indexes.len() < group.member_threshold {
                    group.member_indexes.push(share.member_index());
                    group.member_shares.push(share.value().clone());
                }
            }
        }

        if !group_found {
            let mut g =
                Group::new(share.group_index(), share.member_threshold());
            g.member_indexes.push(share.member_index());
            g.member_shares.push(share.value().clone());
            groups.push(g);
            next_group += 1;
        }
    }

    // Check that we have enough groups to recover the master secret
    if next_group < group_threshold {
        return Err(Error::NotEnoughGroups);
    }

    // Here, all of the shares are unpacked into member groups. Now we go
    // through each group and recover the group secret, and then use the
    // result to recover the master secret
    let mut master_indexes = Vec::with_capacity(16);
    let mut master_shares = Vec::with_capacity(16);

    for group in groups {
        // Only attempt to recover the group secret if we have enough shares
        if group.member_indexes.len() < group.member_threshold {
            continue;
        }
        // Recover the group secret
        if let Ok(group_secret) =
            recover_secret(&group.member_indexes, &group.member_shares)
        {
            master_indexes.push(group.group_index);
            master_shares.push(group_secret);
        }
        // Stop if we have enough groups to recover the master secret
        if master_indexes.len() == group_threshold {
            break;
        }
    }

    // If we don't have enough groups to recover the master secret, return an
    // error
    if master_indexes.len() < group_threshold {
        return Err(Error::NotEnoughGroups);
    }

    // Recover the master secret
    let master_secret = recover_secret(&master_indexes, &master_shares)?;
    let master_secret = Secret::new(master_secret)?;

    Ok(master_secret)
}