ssskit 0.1.1

Fast, small and secure Shamir's Secret Sharing library crate
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358

//! Fast, small and secure [Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) library crate
//!
//! # Usage
//! ## (std)
//!
//! ```
//! use ssskit::{ SecretSharing, Share };
//!
//! # const POLY: u16 = 0x11d_u16;
//! // Set a minimum threshold of 10 shares for an irreducible polynomial POLY
//! let sss = SecretSharing::<POLY>(10);
//! // Obtain an iterator over the shares for secret [1, 2, 3, 4]
//! # #[cfg(feature = "std")]
//! # {
//! let dealer = sss.dealer(&[1, 2, 3, 4]);
//! // Get 10 shares
//! let shares = dealer.take(10).collect::<Vec<Share<POLY>>>();
//! // Recover the original secret!
//! let secret = sss.recover(shares.as_slice()).unwrap();
//! assert_eq!(secret, vec![1, 2, 3, 4]);
//! # }
//! ```
//!
//! ## (no std)
//!
//! ```
//! use ssskit::{ SecretSharing, Share };
//! use rand_chacha::{rand_core::SeedableRng, ChaCha8Rng};
//!
//! # const POLY: u16 = 0x11d_u16;
//! // Set a minimum threshold of 10 shares
//! let sss = SecretSharing::<POLY>(10);
//! // Obtain an iterator over the shares for secret [1, 2, 3, 4]
//! let mut rng = rand_chacha::ChaCha8Rng::from_seed([0x90; 32]);
//! let dealer = sss.dealer_rng::<ChaCha8Rng>(&[1, 2, 3, 4], &mut rng);
//! // Get 10 shares
//! let shares = dealer.take(10).collect::<Vec<Share<POLY>>>();
//! // Recover the original secret!
//! let secret = sss.recover(shares.as_slice()).unwrap();
//! assert_eq!(secret, vec![1, 2, 3, 4]);
//! ```
//!
//! # Irreducible Polynomials
//!
//! This crate supports all 30 degree-8 irreducible polynomials over GF(2).
//! See the exported list [`PRIMITIVE_POLYS`] (defined in `field.rs`).
//!
//! Commonly used polynomials:
//! - 0x11B — used in AES (Rijndael)
//! - 0x11D — commonly used in Reed–Solomon (e.g., QR codes)
#![cfg_attr(not(feature = "std"), no_std)]

mod field;
mod math;
mod share;

extern crate alloc;

use alloc::vec::Vec;
use hashbrown::HashSet;

use field::GF256;
pub use field::PRIMITIVE_POLYS;
pub use share::Share;

/// Tuple struct which implements methods to generate shares and recover secrets over a 256 bits Galois Field.
/// Its only parameter is the minimum shares threshold.
///
/// Usage example:
/// ```
/// # use ssskit::{ SecretSharing, Share };
/// # const POLY: u16 = 0x11d_u16;
/// // Set a minimum threshold of 10 shares
/// let sss = SecretSharing::<POLY>(10);
/// // Obtain an iterator over the shares for secret [1, 2, 3, 4]
/// # #[cfg(feature = "std")]
/// # {
/// let dealer = sss.dealer(&[1, 2, 3, 4]);
/// // Get 10 shares
/// let shares = dealer.take(10).collect::<Vec<Share<POLY>>>();
/// // Recover the original secret!
/// let secret = sss.recover(&shares).unwrap();
/// assert_eq!(secret, vec![1, 2, 3, 4]);
/// # }
/// ```
pub struct SecretSharing<const POLY: u16>(pub u8);

impl<const POLY: u16> SecretSharing<POLY> {
    /// This method is useful when `std` is not available. For typical usage
    /// see the `dealer` method.
    ///
    /// Given a `secret` byte slice, returns an `Iterator` along new shares.
    /// The maximum number of shares that can be generated is 256.
    /// A random number generator has to be provided.
    ///
    /// Example:
    /// ```
    /// # use ssskit::{ SecretSharing, Share };
    /// # use rand_chacha::{rand_core::SeedableRng, ChaCha8Rng};
    /// # const POLY: u16 = 0x11d_u16;
    /// # let sss = SecretSharing::<POLY>(3);
    /// // Obtain an iterator over the shares for secret [1, 2]
    /// let mut rng = rand_chacha::ChaCha8Rng::from_seed([0x90; 32]);
    /// let dealer = sss.dealer_rng::<ChaCha8Rng>(&[1, 2], &mut rng);
    /// // Get 3 shares
    /// let shares = dealer.take(3).collect::<Vec<Share<POLY>>>();
    pub fn dealer_rng<R: rand::Rng>(
        &self,
        secret: &[u8],
        rng: &mut R,
    ) -> impl Iterator<Item = Share<POLY>> {
        let mut polys = Vec::with_capacity(secret.len());

        for chunk in secret {
            polys.push(math::random_polynomial(GF256(*chunk), self.0, rng))
        }

        math::get_evaluator(polys)
    }

    /// Given a `secret` byte slice, returns an `Iterator` along new shares.
    /// The maximum number of shares that can be generated is 256.
    ///
    /// Example:
    /// ```
    /// # use ssskit::{ SecretSharing, Share };
    /// # const POLY: u16 = 0x11d_u16;
    /// # let sss = SecretSharing::<POLY>(3);
    /// // Obtain an iterator over the shares for secret [1, 2]
    /// let dealer = sss.dealer(&[1, 2]);
    /// // Get 3 shares
    /// let shares = dealer.take(3).collect::<Vec<Share<POLY>>>();
    #[cfg(feature = "std")]
    pub fn dealer(&self, secret: &[u8]) -> impl Iterator<Item = Share<POLY>> {
        let mut rng = rand::thread_rng();
        self.dealer_rng(secret, &mut rng)
    }

    /// Given an iterable collection of shares, recovers the original secret.
    /// If the number of distinct shares is less than the minimum threshold an `Err` is returned,
    /// otherwise an `Ok` containing the secret.
    ///
    /// Example:
    /// ```
    /// # use ssskit::{ SecretSharing, Share };
    /// # use rand_chacha::{rand_core::SeedableRng, ChaCha8Rng};
    /// # const POLY: u16 = 0x11d_u16;
    /// # let sss = SecretSharing::<POLY>(3);
    /// # let mut rng = rand_chacha::ChaCha8Rng::from_seed([0x90; 32]);
    /// # let mut shares = sss.dealer_rng::<ChaCha8Rng>(&[1], &mut rng).take(3).collect::<Vec<Share<POLY>>>();
    /// // Recover original secret from shares
    /// let mut secret = sss.recover(&shares);
    /// // Secret correctly recovered
    /// assert!(secret.is_ok());
    /// // Remove shares for demonstration purposes
    /// shares.clear();
    /// secret = sss.recover(&shares);
    /// // Not enough shares to recover secret
    /// assert!(secret.is_err());
    pub fn recover<'a, T>(&self, shares: T) -> Result<Vec<u8>, &str>
    where
        T: IntoIterator<Item = &'a Share<POLY>>,
        T::IntoIter: Iterator<Item = &'a Share<POLY>>,
    {
        let mut share_length: Option<usize> = None;
        let mut keys: HashSet<u8> = HashSet::new();
        let mut values: Vec<Share<POLY>> = Vec::new();

        for share in shares.into_iter() {
            if share_length.is_none() {
                share_length = Some(share.y.len());
            }

            if Some(share.y.len()) != share_length {
                return Err("All shares must have the same length");
            } else {
                keys.insert(share.x.0);
                values.push(share.clone());
            }
        }

        if keys.is_empty() || (keys.len() < self.0 as usize) {
            Err("Not enough shares to recover original secret")
        } else {
            Ok(math::interpolate(values.as_slice()))
        }
    }

    /// Given an iterable collection of shares, recovers the original secret.
    /// If the number of distinct shares is less than the minimum threshold an `Err` is returned,
    /// otherwise an `Ok` containing the desired number of shares.
    ///
    /// Example:
    /// ```
    /// # use ssskit::{ SecretSharing, Share };
    /// # use rand_chacha::{rand_core::SeedableRng, ChaCha8Rng};
    /// # const POLY: u16 = 0x11d_u16;
    /// # let sss = SecretSharing::<POLY>(2);
    /// # let mut rng = rand_chacha::ChaCha8Rng::from_seed([0x90; 32]);
    /// # let shares = sss.dealer_rng::<ChaCha8Rng>(&[1, 2, 3, 4], &mut rng).take(3).collect::<Vec<Share<POLY>>>();
    /// // Recover original shares from original shares up to threshold shares
    /// let recovered_shares = sss.recover_shares(
    ///     [Some(&shares[0]), None, Some(&shares[2])],
    ///     3,
    /// );
    /// // Shares correctly recovered
    /// assert!(recovered_shares.is_ok());
    /// let recovered_shares = recovered_shares.unwrap();
    /// assert_eq!(recovered_shares.len(), 3);
    /// // Remove shares for demonstration purposes
    /// let recovered_shares = sss.recover_shares([Some(&shares[0]), None, None], 3);
    /// // Not enough shares to recover shares
    /// assert!(recovered_shares.is_err());
    pub fn recover_shares<'a, T>(&self, shares: T, n: usize) -> Result<Vec<Share<POLY>>, &str>
    where
        T: IntoIterator<Item = Option<&'a Share<POLY>>>,
        T::IntoIter: Iterator<Item = Option<&'a Share<POLY>>>,
    {
        let mut share_length: Option<usize> = None;
        let mut keys: HashSet<u8> = HashSet::new();
        let mut values: Vec<Share<POLY>> = Vec::new();

        let mut count = 0;
        for share in shares.into_iter() {
            if share.is_none() {
                count += 1;
                continue;
            }

            let share = share.unwrap();

            if share_length.is_none() {
                share_length = Some(share.y.len());
            }

            if Some(share.y.len()) != share_length {
                return Err("All shares must have the same length");
            } else {
                keys.insert(share.x.0);
                values.push(share.clone());
                count += 1;
            }
        }

        if count != n {
            return Err("provide a shares array of size n; use None for unknown shares");
        }

        if keys.is_empty() || (keys.len() < self.0 as usize) {
            Err("Not enough shares to recover original shares")
        } else if self.0 == 1 {
            // if threshold is 1, return the shares as is n times
            Ok(values.iter().cloned().cycle().take(n).collect())
        } else {
            Ok((1..=n).map(|i| math::reshare(&values, i)).collect())
        }
    }
}

#[cfg(test)]
mod tests {
    use super::{SecretSharing, Share};
    use alloc::{vec, vec::Vec};

    const POLY: u16 = 0x11d_u16;

    impl<const POLY: u16> SecretSharing<POLY> {
        #[cfg(not(feature = "std"))]
        fn make_shares(&self, secret: &[u8]) -> impl Iterator<Item = Share<POLY>> {
            use rand_chacha::{rand_core::SeedableRng, ChaCha8Rng};

            let mut rng = ChaCha8Rng::from_seed([0x90; 32]);
            self.dealer_rng(secret, &mut rng)
        }

        #[cfg(feature = "std")]
        fn make_shares(&self, secret: &[u8]) -> impl Iterator<Item = Share<POLY>> {
            self.dealer(secret)
        }
    }

    #[test]
    fn test_insufficient_shares_err() {
        let sss = SecretSharing::<POLY>(255);
        let shares: Vec<Share<POLY>> = sss.make_shares(&[1]).take(254).collect();
        let secret = sss.recover(&shares);
        assert!(secret.is_err());
    }

    #[test]
    fn test_duplicate_shares_err() {
        let sss = SecretSharing::<POLY>(255);
        let mut shares: Vec<Share<POLY>> = sss.make_shares(&[1]).take(255).collect();
        shares[1] = Share {
            x: shares[0].x.clone(),
            y: shares[0].y.clone(),
        };
        let secret = sss.recover(&shares);
        assert!(secret.is_err());
    }

    #[test]
    fn test_integration_works() {
        let sss = SecretSharing::<POLY>(255);
        let shares: Vec<Share<POLY>> = sss.make_shares(&[1, 2, 3, 4]).take(255).collect();
        let secret = sss.recover(&shares).unwrap();
        assert_eq!(secret, vec![1, 2, 3, 4]);
    }

    #[test]
    fn test_reshare_works() {
        let sss = SecretSharing::<POLY>(3);
        let shares: Vec<Share<POLY>> = sss.make_shares(&[1, 2, 3, 4]).take(4).collect();

        let recovered_shares = sss
            .recover_shares(
                [Some(&shares[0]), None, Some(&shares[2]), Some(&shares[3])],
                4,
            )
            .unwrap();
        assert_eq!(recovered_shares.len(), 4);

        for (recovered_share, share) in recovered_shares.iter().zip(shares.iter()) {
            assert_eq!(recovered_share.x, share.x);
            assert_eq!(recovered_share.y, share.y);
        }

        let recovered_shares = sss
            .recover_shares(
                [None, Some(&shares[1]), Some(&shares[2]), Some(&shares[3])],
                4,
            )
            .unwrap();
        assert_eq!(recovered_shares.len(), 4);

        for (recovered_share, share) in recovered_shares.iter().zip(shares.iter()) {
            assert_eq!(recovered_share.x, share.x);
            assert_eq!(recovered_share.y, share.y);
        }

        let recovered_shares = sss
            .recover_shares(
                [Some(&shares[0]), Some(&shares[1]), Some(&shares[2]), None],
                4,
            )
            .unwrap();
        assert_eq!(recovered_shares.len(), 4);

        for (recovered_share, share) in recovered_shares.iter().zip(shares.iter()) {
            assert_eq!(recovered_share.x, share.x);
            assert_eq!(recovered_share.y, share.y);
        }

        let recovered_shares =
            sss.recover_shares([Some(&shares[0]), None, None, Some(&shares[3])], 4);
        assert!(recovered_shares.is_err());
    }
}