use curve25519_dalek::edwards::EdwardsPoint; use curve25519_dalek::scalar::Scalar; use curve25519_dalek::constants::ED25519_BASEPOINT_POINT; use rand::rngs::ThreadRng; pub type Secret = Scalar; #[derive(Copy, Clone)] pub struct Share { index: u32, value: Scalar, } pub struct Commitment { coms: Vec, } /// Create secret shares for a given secret. pub fn generate_shares(secret: Secret, numshares: u32, threshold: u32) -> Result<(Commitment, Vec), &'static str> { if threshold < 1 { return Err("Threshold cannot be 0") } if numshares < 1 { return Err("Number of shares cannot be 0") } if threshold > numshares { return Err("Threshold cannot exceed numshares") } let numcoeffs = (threshold-1) as usize; let mut coeffs: Vec = Vec::with_capacity(numcoeffs); let mut rng: ThreadRng = rand::thread_rng(); let mut shares: Vec = Vec::with_capacity(numshares as usize); let mut comm: Commitment = Commitment { coms: Vec::with_capacity(threshold as usize) }; for _ in 0..numcoeffs { coeffs.push(Scalar::random(&mut rng)); } for share_index in 1..numshares+1 { // Evaluate the polynomial with `secret` as the constant term // and `coeffs` as the other coefficients at the point x=share_index // using Horner's method let scalar_index = Scalar::from(share_index); let mut value = Scalar::zero(); for i in (0..numcoeffs).rev() { value += coeffs[i]; value *= scalar_index; } value += secret; shares.push(Share{ index: share_index, value: value }); } comm.coms.push(ED25519_BASEPOINT_POINT * secret); for c in coeffs { comm.coms.push(ED25519_BASEPOINT_POINT * c); } Ok((comm, shares)) } /// Verify that a share is consistent with a commitment. pub fn verify_share(share: Share, commitment: &Commitment) -> Result { let f_result = ED25519_BASEPOINT_POINT * share.value; // always calculate at least the first share let mut result = commitment.coms[0]; for i in 1..share.index+1 { // check in case of the last share if (i as usize) >= commitment.coms.len() { break; } let next_comm = commitment.coms[i as usize]; let x_raised_to_threshold = share.index.pow(i as u32); result += next_comm * Scalar::from(x_raised_to_threshold); } let is_valid = f_result == result; Ok(is_valid) } /// Reconstruct the secret from enough (at least the threshold) already-verified shares. pub fn reconstruct_secret(shares: &Vec) -> Result { let numshares = shares.len(); if numshares < 1 { return Err("No shares provided"); } let mut lagrange_coeffs: Vec = Vec::with_capacity(numshares); for i in 0..numshares { let mut num = Scalar::one(); let mut den = Scalar::one(); for j in 0..numshares { if j==i { continue; } num *= Scalar::from(shares[j].index); den *= Scalar::from(shares[j].index) - Scalar::from(shares[i].index); } if den == Scalar::zero() { return Err("Duplicate shares provided"); } lagrange_coeffs.push(num * den.invert()); } let mut secret = Scalar::zero(); for i in 0..numshares { secret += lagrange_coeffs[i] * shares[i].value; } return Ok(secret) } /// Create and apply a proactive update to a master commitment. pub fn update_shares(old_commitment: &Commitment, old_shares: &Vec) -> Result<(Commitment, Vec), &'static str> { let num_shares = old_shares.len() as u32; let threshold = old_commitment.coms.len() as u32; let res = generate_shares(Scalar::zero(), num_shares, threshold); if !res.is_ok() { return res; } let (update_commitments, update_shares) = res.unwrap(); let mut new_shares: Vec = Vec::with_capacity(num_shares as usize); for old_share in old_shares { let update_share = update_shares[(old_share.index-1) as usize]; let new_share = Share{ index: old_share.index, value: old_share.value + update_share.value, }; new_shares.push(new_share); } let mut new_commitments: Commitment = Commitment { coms: Vec::with_capacity(threshold as usize) }; for i in 0..old_commitment.coms.len() { let new_commitment = old_commitment.coms[i] + update_commitments.coms[i]; new_commitments.coms.push(new_commitment); } Ok((new_commitments, new_shares)) } #[cfg(test)] mod tests { use crate::vss::*; #[test] fn share_simple() { let s = Secret::from(42u32); let res = generate_shares(s, 5, 2); assert!(res.is_ok()); let (com, shares) = res.unwrap(); assert!(shares.len() == 5); assert!(com.coms.len() == 2); let mut recshares: Vec = Vec::new(); recshares.push(shares[1]); recshares.push(shares[3]); let recres = reconstruct_secret(&recshares); assert!(recres.is_ok()); assert_eq!(recres.unwrap(), s); } #[test] fn share_not_enough() { let s = Secret::from(42u32); let res = generate_shares(s, 5, 2); assert!(res.is_ok()); let (_, shares) = res.unwrap(); let mut recshares: Vec = Vec::new(); recshares.push(shares[1]); let recres = reconstruct_secret(&recshares); assert!(recres.is_ok()); assert_ne!(recres.unwrap(), s); } #[test] fn share_dup() { let s = Secret::from(42u32); let res = generate_shares(s, 5, 2); assert!(res.is_ok()); let (_, shares) = res.unwrap(); let mut recshares: Vec = Vec::new(); recshares.push(shares[1]); recshares.push(shares[1]); let recres = reconstruct_secret(&recshares); assert!(recres.is_err()); assert_eq!(recres.err(), Some("Duplicate shares provided")); } #[test] fn share_badparams() { let s = Secret::from(42u32); { let res = generate_shares(s, 5, 0); assert!(res.is_err()); assert_eq!(res.err(), Some("Threshold cannot be 0")); } { let res = generate_shares(s, 0, 3); assert!(res.is_err()); assert_eq!(res.err(), Some("Number of shares cannot be 0")); } { let res = generate_shares(s, 1, 3); assert!(res.is_err()); assert_eq!(res.err(), Some("Threshold cannot exceed numshares")); } } #[test] fn share_commitment_valid() { let s = Secret::from(42u32); let res = generate_shares(s, 5, 2); assert!(res.is_ok()); let (com, shares) = res.unwrap(); for share in shares { let is_valid = verify_share(share, &com); assert!(is_valid.is_ok()); assert!(is_valid.unwrap()); } } #[test] fn share_commitment_invalid() { let s1 = Secret::from(42u32); let s2 = Secret::from(43u32); let res1 = generate_shares(s1, 5, 2); assert!(res1.is_ok()); let (_, shares1) = res1.unwrap(); let res2 = generate_shares(s2, 5, 2); assert!(res2.is_ok()); let (com2, _) = res2.unwrap(); for share in shares1 { // test that commitments to a different set of shares fails let is_valid = verify_share(share, &com2); assert!(is_valid.is_ok()); assert_ne!(is_valid.unwrap(), true); } } #[test] fn share_update_valid() { let s = Secret::from(42u32); let res = generate_shares(s, 5, 2); assert!(res.is_ok()); let (com, shares) = res.unwrap(); let update_res = update_shares(&com, &shares); assert!(update_res.is_ok()); let (update_com, update_shares) = update_res.unwrap(); for share in update_shares { let is_valid = verify_share(share, &update_com); assert!(is_valid.is_ok()); assert!(is_valid.unwrap()); } } #[test] fn share_update_invalid() { let s = Secret::from(42u32); let res = generate_shares(s, 5, 2); assert!(res.is_ok()); let (com, shares) = res.unwrap(); let update_res = update_shares(&com, &shares); assert!(update_res.is_ok()); let (update_com, update_shares) = update_res.unwrap(); // test that the old shares are not valid with the updated commitment for share in shares { let is_valid = verify_share(share, &update_com); assert!(is_valid.is_ok()); assert!(!is_valid.unwrap()); } // assert that we can recover the original secret using the updated shares let recres = reconstruct_secret(&update_shares); assert!(recres.is_ok()); assert_eq!(recres.unwrap(), s); } }