1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205
/*
Copyright Michael Lodder. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
//! Verifiable Secret Sharing Schemes are using to split secrets into
//! multiple shares and distribute them among different entities,
//! with the ability to verify if the shares are correct and belong
//! to a specific set. This crate includes Shamir's secret sharing
//! scheme which does not support verification but is more of a
//! building block for the other schemes.
//!
//! This crate supports Feldman and Pedersen verifiable secret sharing
//! schemes.
//!
//! Feldman and Pedersen are similar in many ways. It's hard to describe when to use
//! one over the other. Indeed both are used in
//! <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.134.6445&rep=rep1&type=pdf>.
//!
//! Feldman reveals the public value of the verifier whereas Pedersen's hides it.
//!
//! Feldman and Pedersen are different from Shamir when splitting the secret.
//! Combining shares back into the original secret is identical across all methods
//! and is available for each scheme for convenience.
//!
//! This crate is no-standard compliant and uses const generics to specify sizes.
//!
//! This crate supports 255 as the maximum number of shares to be requested.
//! Anything higher is pretty ridiculous but if such a use case exists please let me know.
//!
//! Shares are represented as byte arrays. Shares can represent finite fields or groups
//! depending on the use case. The first byte is reserved for the share identifier (x-coordinate)
//! and everything else is the actual value of the share (y-coordinate).
//!
//! When specifying share sizes, use the field size in bytes + 1 for the identifier.
//!
//! To split a p256 secret using Shamir
//!
//! ```
//! use vsss_rs::Shamir;
//! use ff::PrimeField;
//! use p256::{NonZeroScalar, Scalar, SecretKey};
//! use rand::rngs::OsRng;
//!
//! fn main() {
//! let mut osrng = OsRng::default();
//! let sk = SecretKey::random(&mut osrng);
//! let nzs = sk.to_secret_scalar();
//! // 32 for field size, 1 for identifier = 33
//! let res = Shamir::<2, 3>::split_secret::<Scalar, OsRng, 33>(*nzs.as_ref(), &mut osrng);
//! assert!(res.is_ok());
//! let shares = res.unwrap();
//! let res = Shamir::<2, 3>::combine_shares::<Scalar, 33>(&shares);
//! assert!(res.is_ok());
//! let scalar = res.unwrap();
//! let nzs_dup = NonZeroScalar::from_repr(scalar.to_repr()).unwrap();
//! let sk_dup = SecretKey::from(nzs_dup);
//! assert_eq!(sk_dup.to_bytes(), sk.to_bytes());
//! }
//! ```
//!
//! To split a k256 secret using Shamir
//!
//! ```
//! use vsss_rs::{Shamir, secp256k1::WrappedScalar};
//! use ff::PrimeField;
//! use k256::{NonZeroScalar, SecretKey};
//! use rand::rngs::OsRng;
//!
//! fn main() {
//! let mut osrng = OsRng::default();
//! let sk = SecretKey::random(&mut osrng);
//! let secret = WrappedScalar(*sk.to_secret_scalar());
//! let res = Shamir::<2, 3>::split_secret::<WrappedScalar, OsRng, 33>(secret, &mut osrng);
//! assert!(res.is_ok());
//! let shares = res.unwrap();
//! let res = Shamir::<2, 3>::combine_shares::<WrappedScalar, 33>(&shares);
//! assert!(res.is_ok());
//! let scalar = res.unwrap();
//! let nzs_dup = NonZeroScalar::from_repr(scalar.to_repr()).unwrap();
//! let sk_dup = SecretKey::from(nzs_dup);
//! assert_eq!(sk_dup.to_bytes(), sk.to_bytes());
//! }
//! ```
//!
//! Feldman or Pedersen return extra information for verification using their respective verifiers
//!
//! ```
//! use vsss_rs::Feldman;
//! use bls12_381_plus::{Scalar, G1Projective};
//! use ff::Field;
//! use rand::rngs::OsRng;
//!
//! fn main() {
//! let mut rng = OsRng::default();
//! let secret = Scalar::random(&mut rng);
//! let res = Feldman::<2, 3>::split_secret::<Scalar, G1Projective, OsRng, 33>(secret, None, &mut rng);
//! assert!(res.is_ok());
//! let (shares, verifier) = res.unwrap();
//! for s in &shares {
//! assert!(verifier.verify(s));
//! }
//! let res = Feldman::<2, 3>::combine_shares::<Scalar, 33>(&shares);
//! assert!(res.is_ok());
//! let secret_1 = res.unwrap();
//! assert_eq!(secret, secret_1);
//! }
//! ```
//!
//! Curve25519 is not a prime field but this crate does support it using
//! `features=["curve25519"]` which is enabled by default. This feature
//! wraps curve25519-dalek libraries so they can be used with Shamir, Feldman, and Pedersen.
//!
//! Here's an example of using Ed25519 and x25519
//!
//! ```
//! use curve25519_dalek::scalar::Scalar;
//! use ed25519_dalek::SecretKey;
//! use vsss_rs::{Shamir, curve25519::WrappedScalar};
//! use rand::rngs::OsRng;
//! use x25519_dalek::StaticSecret;
//!
//! fn main() {
//! let mut osrng = rand::rngs::OsRng::default();
//! let sc = Scalar::random(&mut osrng);
//! let sk1 = StaticSecret::from(sc.to_bytes());
//! let ske1 = SecretKey::from_bytes(&sc.to_bytes()).unwrap();
//! let res = Shamir::<2, 3>::split_secret::<WrappedScalar, OsRng, 33>(sc.into(), &mut osrng);
//! assert!(res.is_ok());
//! let shares = res.unwrap();
//! let res = Shamir::<2, 3>::combine_shares::<WrappedScalar, 33>(&shares);
//! assert!(res.is_ok());
//! let scalar = res.unwrap();
//! assert_eq!(scalar.0, sc);
//! let sk2 = StaticSecret::from(scalar.0.to_bytes());
//! let ske2 = SecretKey::from_bytes(&scalar.0.to_bytes()).unwrap();
//! assert_eq!(sk2.to_bytes(), sk1.to_bytes());
//! assert_eq!(ske1.to_bytes(), ske2.to_bytes());
//! }
//! ```
#![no_std]
#![deny(
missing_docs,
unused_import_braces,
unused_qualifications,
unused_parens,
unused_lifetimes,
unconditional_recursion,
unused_extern_crates,
trivial_casts,
trivial_numeric_casts
)]
#![cfg_attr(docsrs, feature(doc_cfg))]
#[cfg(all(feature = "alloc", not(feature = "std")))]
extern crate alloc;
#[cfg(any(feature = "std", test))]
#[macro_use]
extern crate std;
mod lib {
#[cfg(all(feature = "alloc", not(feature = "std")))]
pub use alloc::collections::BTreeSet;
#[cfg(all(feature = "alloc", not(feature = "std")))]
pub use alloc::vec::Vec;
#[cfg(feature = "std")]
pub use std::collections::BTreeSet;
#[cfg(feature = "std")]
pub use std::vec::Vec;
}
#[cfg(test)]
mod tests;
#[cfg(feature = "curve25519")]
#[cfg_attr(docsrs, doc(cfg(feature = "curve25519")))]
pub mod curve25519;
mod error;
#[cfg(all(not(feature = "std"), not(feature = "alloc")))]
mod no_std;
#[cfg(feature = "secp256k1")]
#[cfg_attr(docsrs, doc(cfg(feature = "secp256k1")))]
pub mod secp256k1;
#[cfg(any(feature = "std", feature = "alloc"))]
mod standard;
mod util;
use util::*;
pub use error::*;
#[cfg(all(not(feature = "std"), not(feature = "alloc")))]
pub use no_std::*;
#[cfg(any(feature = "std", feature = "alloc"))]
pub use standard::*;
/// Use shamir split regardless of no-std or std used
#[macro_export]
macro_rules! shamir_split {
($threshold:expr, $limit:expr, $secret:expr, $rng:expr) => {
#[cfg(all(not(feature = "std"), not(feature = "alloc")))]
Shamir::<$threshold, $limit>::split_secret($secret, $rng)
#[cfg(any(feature = "std", feature = "alloc"))]
Shamir::split_secret($secret, $rng, $threshold, $limit)
};
}