Crate vsss_rs

Expand description

Verifiable Secret Sharing Schemes are using to split secrets into multiple shares and distribute them among different entities, with the ability to verify if the shares are correct and belong to a specific set. This crate includes Shamir’s secret sharing scheme which does not support verification but is more of a building block for the other schemes.

This crate supports Feldman and Pedersen verifiable secret sharing schemes.

Feldman and Pedersen are similar in many ways. It’s hard to describe when to use one over the other. Indeed both are used in http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.134.6445&rep=rep1&type=pdf.

Feldman reveals the public value of the verifier whereas Pedersen’s hides it.

Feldman and Pedersen are different from Shamir when splitting the secret. Combining shares back into the original secret is identical across all methods and is available for each scheme for convenience.

This crate is no-standard compliant and uses const generics to specify sizes.

This crate supports any number as the maximum number of shares to be requested. Anything higher than 255 is pretty ridiculous but if such a use case exists please let me know. This said, any number of shares can be requested since identifiers can be any size.

Shares are represented as byte arrays. Shares can represent finite fields or groups depending on the use case. In the simplest case, the first byte is reserved for the share identifier (x-coordinate) and everything else is the actual value of the share (y-coordinate). However, anything can be used as the identifier as long as it implements the ShareIdentifier trait.

When specifying share sizes, use the field size in bytes + 1 for the identifier in the easiest case.

To split a p256 secret using Shamir

use vsss_rs::{*, shamir};
use elliptic_curve::ff::PrimeField;
use p256::{NonZeroScalar, Scalar, SecretKey};

let mut osrng = rand_core::OsRng::default();
let sk = SecretKey::random(&mut osrng);
let nzs = sk.to_nonzero_scalar();
let res = shamir::split_secret::<Scalar, u8, Vec<u8>>(2, 3, *nzs.as_ref(), &mut osrng);
assert!(res.is_ok());
let shares = res.unwrap();
let res = combine_shares(&shares);
assert!(res.is_ok());
let scalar: Scalar = res.unwrap();
let nzs_dup =  NonZeroScalar::from_repr(scalar.to_repr()).unwrap();
let sk_dup = SecretKey::from(nzs_dup);
assert_eq!(sk_dup.to_bytes(), sk.to_bytes());

To split a k256 secret using Shamir

use vsss_rs::{*, shamir};
use elliptic_curve::ff::PrimeField;
use k256::{NonZeroScalar, Scalar, ProjectivePoint, SecretKey};

let mut osrng = rand_core::OsRng::default();
let sk = SecretKey::random(&mut osrng);
let secret = *sk.to_nonzero_scalar();
let res = shamir::split_secret::<Scalar, u8, Vec<u8>>(2, 3, secret, &mut osrng);
assert!(res.is_ok());
let shares = res.unwrap();
let res = combine_shares(&shares);
assert!(res.is_ok());
let scalar: Scalar = res.unwrap();
let nzs_dup = NonZeroScalar::from_repr(scalar.to_repr()).unwrap();
let sk_dup = SecretKey::from(nzs_dup);
assert_eq!(sk_dup.to_bytes(), sk.to_bytes());

Feldman or Pedersen return extra information for verification using their respective verifiers

use vsss_rs::{*, feldman};
use bls12_381_plus::{Scalar, G1Projective};
use elliptic_curve::ff::Field;

let mut rng = rand_core::OsRng::default();
let secret = Scalar::random(&mut rng);
let res = feldman::split_secret::<G1Projective, u8, Vec<u8>>(2, 3, secret, None, &mut rng);
assert!(res.is_ok());
let (shares, verifier) = res.unwrap();
for s in &shares {
    assert!(verifier.verify_share(s).is_ok());
}
let res = combine_shares(&shares);
assert!(res.is_ok());
let secret_1: Scalar = res.unwrap();
assert_eq!(secret, secret_1);

Curve25519 is not a prime field but this crate does support it using features=["curve25519"] which is enabled by default. This feature wraps curve25519-dalek libraries so they can be used with Shamir, Feldman, and Pedersen.

Here’s an example of using Ed25519 and x25519

#[cfg(feature = "curve25519")] {
use curve25519_dalek::scalar::Scalar;
use rand::Rng;
use ed25519_dalek::SigningKey;
use vsss_rs::{curve25519::WrappedScalar, *};
use x25519_dalek::StaticSecret;

let mut osrng = rand::rngs::OsRng::default();
let sc = Scalar::hash_from_bytes::<sha2::Sha512>(&osrng.gen::<[u8; 32]>());
let sk1 = StaticSecret::from(sc.to_bytes());
let ske1 = SigningKey::from_bytes(&sc.to_bytes());
let res = shamir::split_secret::<WrappedScalar, u8, Vec<u8>>(2, 3, sc.into(), &mut osrng);
assert!(res.is_ok());
let shares = res.unwrap();
let res = combine_shares(&shares);
assert!(res.is_ok());
let scalar: WrappedScalar = res.unwrap();
assert_eq!(scalar.0, sc);
let sk2 = StaticSecret::from(scalar.0.to_bytes());
let ske2 = SigningKey::from_bytes(&scalar.0.to_bytes());
assert_eq!(sk2.to_bytes(), sk1.to_bytes());
assert_eq!(ske1.to_bytes(), ske2.to_bytes());
}

Re-exports§

pub use feldman::Feldman;
pub use pedersen::Pedersen;
pub use pedersen::PedersenResult;
pub use shamir::Shamir;
pub use pedersen::StdPedersenResult;
pub use elliptic_curve;
pub use subtle;

Modules§

feldman
Feldman’s Verifiable secret sharing scheme. (see https://www.cs.umd.edu/~gasarch/TOPICS/secretsharing/feldmanVSS.pdf.
pedersen
Pedersen’s Verifiable secret sharing scheme. (see https://www.cs.cornell.edu/courses/cs754/2001fa/129.PDF)
shamir
Secret splitting for Shamir Secret Sharing Scheme and combine methods for field and group elements

Macros§

vsss_arr_impl
Create a no-std verifiable secret sharing scheme with size $num using fixed arrays The arguments in order are: The vsss name The name for a pedersen secret sharing scheme result The maximum threshold allowed The maximum number of shares allowed

Structs§

DefaultStdVsss
Default Standard verifiable secret sharing scheme that uses a single byte for the identifier and a Vec for the share. This is the most common use case since most secret sharing schemes don’t generate more than 255 shares.
Gf256
Represents the finite field GF(2^8) with 256 elements.
ListAndRandomParticipantNumberGenerator
A generator that creates participant identifiers from a known list and then random numbers after the list is exhausted
ListAndSequentialParticipantNumberGenerator
A generator that creates participant identifiers from a known list and then sequential numbers after the list is exhausted.
ListParticipantNumberGenerator
A generator that creates participant identifiers from a known list
RandomParticipantNumberGenerator
A generator that creates random participant identifiers
SequentialParticipantNumberGenerator
A generator that can create any number of secret shares
StdVsss
Standard verifiable secret sharing scheme

Enums§

Error
Errors during secret sharing

Traits§

CtIsNotZero
A trait for constant time indicating if a value is not zero.
CtIsZero
A trait for constant time indicating if a value is zero.
FeldmanVerifierSet
Objects that represent the ability to verify shamir shares using Feldman verifiers
ParticipantNumberGenerator
A trait for generating participant numbers
PedersenVerifierSet
Objects that represent the ability to verify shamir shares using Pedersen verifiers
Polynomial
The polynomial used for generating the shares
ReadableShareSet
Represents a readable data store for secret shares
Share
The methods necessary for a secret share
ShareIdentifier
A value used to represent the identifier for secret shares
ShareSetCombiner
A data store for reconstructing secret shares
WriteableShareSet
Represents a data store for secret shares

Functions§

combine_shares
Reconstruct a secret from shares created from split_secret. The X-coordinates operate in F The Y-coordinates operate in F
combine_shares_group
Reconstruct a secret from shares created from split_secret. The X-coordinates operate in F The Y-coordinates operate in G

Type Aliases§

VsssResult
Results returned by this crate

Crate vsss_rsCopy item path