Add SplitSecret.recombine

Author: gefeili

…threshold/ShamirTableSecretSplitter.java …ycastle/crypto/threshold/Polynomial.javacore/src/main/java/org/bouncycastle/crypto/threshold/ShamirTableSecretSplitter.java renamed to core/src/main/java/org/bouncycastle/crypto/threshold/Polynomial.java core/src/main/java/org/bouncycastle/crypto/threshold/ShamirTableSecretSplitter.java renamed to core/src/main/java/org/bouncycastle/crypto/threshold/Polynomial.java

@@ -1,9 +1,56 @@
 package org.bouncycastle.crypto.threshold;
 
-import java.security.SecureRandom;
+abstract class Polynomial
+{
+    public static Polynomial newInstance(ShamirSecretSplitter.Algorithm algorithm, ShamirSecretSplitter.Mode mode)
+    {
+        if (mode == ShamirSecretSplitter.Mode.Native)
+        {
+            return new PolynomialNative(algorithm);
+        }
+        else
+        {
+            return new PolynomialTable(algorithm);
+        }
+    }
+
+    protected abstract int gfMul(int x, int y);
+
+    protected abstract byte gfDiv(int x, int y);
 
-public class ShamirTableSecretSplitter
-    extends ShamirSecretSplitter
+    protected byte gfPow(int n, byte k)
+    {
+        int result = 1;
+        for (int i = 0; i < 8; i++)
+        {
+            if ((k & (1 << i)) != 0)
+            {
+                result = (byte)gfMul(result & 0xff, n & 0xff);
+            }
+            n = gfMul(n & 0xff, n & 0xff);
+        }
+        return (byte)result;
+    }
+
+    public byte[] gfVecMul(byte[] xs, byte[][] yss)
+    {
+        byte[] result = new byte[yss[0].length];
+        int sum;
+        for (int j = 0; j < yss[0].length; j++)
+        {
+            sum = 0;
+            for (int k = 0; k < xs.length; k++)
+            {
+                sum ^= gfMul(xs[k] & 0xff, yss[k][j] & 0xff);
+            }
+            result[j] = (byte)sum;
+        }
+        return result;
+    }
+}
+
+class PolynomialTable
+    extends Polynomial
 {
     private final byte[] LOG;
     private final byte[] EXP;
@@ -148,9 +195,8 @@ public class ShamirTableSecretSplitter
         (byte)0x1b, (byte)0x36, (byte)0x6c, (byte)0xd8, (byte)0xad, (byte)0x47, (byte)0x8e, (byte)0x01
     };
 
-    public ShamirTableSecretSplitter(int algorithm, int l, int m, int n, SecureRandom random)
+    public PolynomialTable(ShamirSecretSplitter.Algorithm algorithm)
     {
-        super(l, m, n, random);
         switch (algorithm)
         {
         case AES:
@@ -164,7 +210,6 @@ public ShamirTableSecretSplitter(int algorithm, int l, int m, int n, SecureRando
         default:
             throw new IllegalArgumentException("The algorithm is not correct");
         }
-        init();
     }
 
     protected int gfMul(int x, int y)
@@ -173,7 +218,7 @@ protected int gfMul(int x, int y)
         {
             return 0;
         }
-        return EXP[((LOG[x] &0xff) + (LOG[y] & 0xff)) % 255] & 0xff;
+        return EXP[((LOG[x] & 0xff) + (LOG[y] & 0xff)) % 255] & 0xff;
     }
 
     protected byte gfDiv(int x, int y)
@@ -182,6 +227,61 @@ protected byte gfDiv(int x, int y)
         {
             return 0;
         }
-        return EXP[((LOG[x] &0xff) - (LOG[y] & 0xff) + 255) % 255];
+        return EXP[((LOG[x] & 0xff) - (LOG[y] & 0xff) + 255) % 255];
     }
 }
+
+class PolynomialNative
+    extends Polynomial
+{
+    private final int IRREDUCIBLE;
+
+    public PolynomialNative(ShamirSecretSplitter.Algorithm algorithm)
+    {
+        switch (algorithm)
+        {
+        case AES:
+            IRREDUCIBLE = 0x11B;
+            break;
+        case RSA:
+            IRREDUCIBLE = 0x11D;
+            break;
+        default:
+            throw new IllegalArgumentException("The algorithm is not correct");
+        }
+    }
+
+    protected int gfMul(int x, int y)
+    {
+        //pmult
+        int result = 0;
+        while (y > 0)
+        {
+            if ((y & 1) != 0)
+            {  // If the lowest bit of y is 1
+                result ^= x;     // XOR x into the result
+            }
+            x <<= 1;             // Shift x left (multiply by 2 in GF)
+            if ((x & 0x100) != 0)
+            {  // If x is larger than 8 bits, reduce
+                x ^= IRREDUCIBLE;  // XOR with the irreducible polynomial
+            }
+            y >>= 1;             // Shift y right
+        }
+        //mod
+        while (result >= (1 << 8))
+        {
+            if ((result & (1 << 8)) != 0)
+            {
+                result ^= IRREDUCIBLE;
+            }
+            result <<= 1;
+        }
+        return result & 0xFF;
+    }
+
+    protected byte gfDiv(int x, int y)
+    {
+        return (byte)gfMul(x, gfPow((byte)y, (byte)254) & 0xff);
+    }
+}

core/src/main/java/org/bouncycastle/crypto/threshold/ShamirNativeSecretSplitter.java

@@ -2,11 +2,22 @@
 
 import java.security.SecureRandom;
 
-public abstract class ShamirSecretSplitter
+public class ShamirSecretSplitter
     implements SecretSplitter
 {
-    public static final int AES = 0;
-    public static final int RSA = 1;
+    public enum Algorithm
+    {
+        AES,
+        RSA
+    }
+
+    public enum Mode
+    {
+        Native,
+        Table
+    }
+
+    private Polynomial poly;
     /**
      * Length of the secret
      */
@@ -23,7 +34,7 @@ public abstract class ShamirSecretSplitter
     protected byte[][] p;
     protected SecureRandom random;
 
-    protected ShamirSecretSplitter(int l, int m, int n, SecureRandom random)
+    public ShamirSecretSplitter(Algorithm algorithm, Mode mode, int l, int m, int n, SecureRandom random)
     {
         if (l < 0 || l > 65534)
         {
@@ -37,20 +48,17 @@ protected ShamirSecretSplitter(int l, int m, int n, SecureRandom random)
         {
             throw new IllegalArgumentException("Invalid input: n must be less than 256 and greater than or equal to n.");
         }
+        poly = Polynomial.newInstance(algorithm, mode);
         this.l = l;
         this.m = m;
         this.n = n;
         this.random = random;
-    }
-
-    protected void init()
-    {
         p = new byte[n][m];
         for (int i = 0; i < n; i++)
         {
             for (int j = 0; j < m; j++)
             {
-                p[i][j] = gfPow((byte)(i + 1), (byte)j);
+                p[i][j] = poly.gfPow((byte)(i + 1), (byte)j);
             }
         }
     }
@@ -66,9 +74,9 @@ public ShamirSplitSecret split()
         }
         for (i = 0; i < p.length; i++)
         {
-            secretShares[i] = new ShamirSplitSecretShare(gfVecMul(p[i], sr), i + 1);
+            secretShares[i] = new ShamirSplitSecretShare(poly.gfVecMul(p[i], sr), i + 1);
         }
-        return new ShamirSplitSecret(secretShares);
+        return new ShamirSplitSecret(poly, secretShares);
     }
 
     public byte[] recombineShares(int[] rr, byte[]... splits)
@@ -84,52 +92,18 @@ public byte[] recombineShares(int[] rr, byte[]... splits)
             {
                 if (j != i)
                 {
-                    products[tmp++] = gfDiv(rr[j], rr[i] ^ rr[j]);
+                    products[tmp++] = poly.gfDiv(rr[j], rr[i] ^ rr[j]);
                 }
             }
 
             tmp = 1;
             for (byte p : products)
             {
-                tmp = (byte)gfMul(tmp & 0xff, p & 0xff);
+                tmp = (byte)poly.gfMul(tmp & 0xff, p & 0xff);
             }
             r[i] = tmp;
         }
 
-        return gfVecMul(r, splits);
-    }
-
-    protected abstract int gfMul(int x, int y);
-
-    protected abstract byte gfDiv(int x, int y);
-
-    protected byte gfPow(int n, byte k)
-    {
-        int result = 1;
-        for (int i = 0; i < 8; i++)
-        {
-            if ((k & (1 << i)) != 0)
-            {
-                result = (byte)gfMul(result & 0xff, n & 0xff);
-            }
-            n = gfMul(n & 0xff, n & 0xff);
-        }
-        return (byte)result;
-    }
-
-    private byte[] gfVecMul(byte[] xs, byte[][] yss)
-    {
-        byte[] result = new byte[yss[0].length];
-        int sum;
-        for (int j = 0; j < yss[0].length; j++)
-        {
-            sum = 0;
-            for (int k = 0; k < xs.length; k++)
-            {
-                sum ^= gfMul(xs[k] & 0xff, yss[k][j] & 0xff);
-            }
-            result[j] = (byte)sum;
-        }
-        return result;
+        return poly.gfVecMul(r, splits);
     }
 }

core/src/main/java/org/bouncycastle/crypto/threshold/ShamirSecretSplitter.java

@@ -3,15 +3,55 @@
 public class ShamirSplitSecret
     implements SplitSecret
 {
-    private ShamirSplitSecretShare[] secretShares;
+    private final ShamirSplitSecretShare[] secretShares;
+    private final Polynomial poly;
 
-    public ShamirSplitSecret(ShamirSplitSecretShare[] secretShares)
+    public ShamirSplitSecret(ShamirSecretSplitter.Algorithm algorithm, ShamirSecretSplitter.Mode mode, ShamirSplitSecretShare[] secretShares)
     {
         this.secretShares = secretShares;
+        this.poly = Polynomial.newInstance(algorithm, mode);
+    }
+
+    ShamirSplitSecret(Polynomial poly, ShamirSplitSecretShare[] secretShares)
+    {
+        this.secretShares = secretShares;
+        this.poly = poly;
     }
 
     public ShamirSplitSecretShare[] getSecretShare()
     {
         return secretShares;
     }
+
+    @Override
+    public byte[] recombine()
+    {
+        int n = secretShares.length;
+        byte[] r = new byte[n];
+        byte tmp;
+        byte[] products = new byte[n - 1];
+        byte[][] splits = new byte[n][secretShares[0].getSecretShare().length];
+        for (int i = 0; i < n; i++)
+        {
+            splits[i] = secretShares[i].getSecretShare();
+            tmp = 0;
+            for (int j = 0; j < n; j++)
+            {
+                if (j != i)
+                {
+                    products[tmp++] = poly.gfDiv(secretShares[j].r, secretShares[i].r ^ secretShares[j].r);
+                }
+
+            }
+
+            tmp = 1;
+            for (byte p : products)
+            {
+                tmp = (byte)poly.gfMul(tmp & 0xff, p & 0xff);
+            }
+            r[i] = tmp;
+        }
+
+        return poly.gfVecMul(r, splits);
+    }
 }