Initial import and refactoring

lafriks · lafriks · commit 98efd7262d77 · 2021-01-05T02:42:20.000+02:00
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Coda Hale
+Copyright (c) 2021 Lauris BH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/README.md b/README.md
@@ -0,0 +1,41 @@
+# Shamir's Secret Sharing
+
+Based on [github.com/codahale/sss](https://github.com/codahale/sss)
+
+A pure Go implementation of [Shamir's Secret Sharing algorithm](http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
+
+## Usage
+
+```sh
+go get -u github.com/lafriks/go-shamir
+```
+
+## Example
+
+```go
+package main
+
+import (
+    "fmt"
+
+    "github.com/lafriks/go-shamir"
+)
+
+func main() {
+    secret := []byte("example")
+
+    // Split secret to 5 shares and require 3 shares to reconstruct secret
+    shares, err := Split(5, 3, secret)
+    if err != nil {
+        panic(err)
+    }
+
+    // Reconstruct secret from shares
+    reconstructed, err := Combine([][]byte{shares[0], shares[2], shares[4]})
+    if err != nil {
+        panic(err)
+    }
+
+    // secret == reconstructed
+}
+```
diff --git a/gf256.go b/gf256.go
@@ -0,0 +1,94 @@
+package shamir
+
+import "crypto/subtle"
+
+func mul(e, a byte) byte {
+	ret := exp[(int(log[e])+int(log[a]))%255]
+
+	ret = byte(subtle.ConstantTimeSelect(subtle.ConstantTimeByteEq(e, 0), 0, int(ret)))
+	return byte(subtle.ConstantTimeSelect(subtle.ConstantTimeByteEq(a, 0), 0, int(ret)))
+}
+
+func div(e, a byte) byte {
+	if a == 0 {
+		panic("div by zero")
+	}
+
+	p := ((int(log[e]) - int(log[a])) + 255) % 255
+
+	ret := exp[p]
+
+	return byte(subtle.ConstantTimeSelect(subtle.ConstantTimeByteEq(e, 0), 0, int(ret)))
+}
+
+var (
+	// 0x11b prime polynomial and 0x03 as generator
+	exp = [256]byte{
+		0x01, 0xe5, 0x4c, 0xb5, 0xfb, 0x9f, 0xfc, 0x12,
+		0x03, 0x34, 0xd4, 0xc4, 0x16, 0xba, 0x1f, 0x36,
+		0x05, 0x5c, 0x67, 0x57, 0x3a, 0xd5, 0x21, 0x5a,
+		0x0f, 0xe4, 0xa9, 0xf9, 0x4e, 0x64, 0x63, 0xee,
+		0x11, 0x37, 0xe0, 0x10, 0xd2, 0xac, 0xa5, 0x29,
+		0x33, 0x59, 0x3b, 0x30, 0x6d, 0xef, 0xf4, 0x7b,
+		0x55, 0xeb, 0x4d, 0x50, 0xb7, 0x2a, 0x07, 0x8d,
+		0xff, 0x26, 0xd7, 0xf0, 0xc2, 0x7e, 0x09, 0x8c,
+		0x1a, 0x6a, 0x62, 0x0b, 0x5d, 0x82, 0x1b, 0x8f,
+		0x2e, 0xbe, 0xa6, 0x1d, 0xe7, 0x9d, 0x2d, 0x8a,
+		0x72, 0xd9, 0xf1, 0x27, 0x32, 0xbc, 0x77, 0x85,
+		0x96, 0x70, 0x08, 0x69, 0x56, 0xdf, 0x99, 0x94,
+		0xa1, 0x90, 0x18, 0xbb, 0xfa, 0x7a, 0xb0, 0xa7,
+		0xf8, 0xab, 0x28, 0xd6, 0x15, 0x8e, 0xcb, 0xf2,
+		0x13, 0xe6, 0x78, 0x61, 0x3f, 0x89, 0x46, 0x0d,
+		0x35, 0x31, 0x88, 0xa3, 0x41, 0x80, 0xca, 0x17,
+		0x5f, 0x53, 0x83, 0xfe, 0xc3, 0x9b, 0x45, 0x39,
+		0xe1, 0xf5, 0x9e, 0x19, 0x5e, 0xb6, 0xcf, 0x4b,
+		0x38, 0x04, 0xb9, 0x2b, 0xe2, 0xc1, 0x4a, 0xdd,
+		0x48, 0x0c, 0xd0, 0x7d, 0x3d, 0x58, 0xde, 0x7c,
+		0xd8, 0x14, 0x6b, 0x87, 0x47, 0xe8, 0x79, 0x84,
+		0x73, 0x3c, 0xbd, 0x92, 0xc9, 0x23, 0x8b, 0x97,
+		0x95, 0x44, 0xdc, 0xad, 0x40, 0x65, 0x86, 0xa2,
+		0xa4, 0xcc, 0x7f, 0xec, 0xc0, 0xaf, 0x91, 0xfd,
+		0xf7, 0x4f, 0x81, 0x2f, 0x5b, 0xea, 0xa8, 0x1c,
+		0x02, 0xd1, 0x98, 0x71, 0xed, 0x25, 0xe3, 0x24,
+		0x06, 0x68, 0xb3, 0x93, 0x2c, 0x6f, 0x3e, 0x6c,
+		0x0a, 0xb8, 0xce, 0xae, 0x74, 0xb1, 0x42, 0xb4,
+		0x1e, 0xd3, 0x49, 0xe9, 0x9c, 0xc8, 0xc6, 0xc7,
+		0x22, 0x6e, 0xdb, 0x20, 0xbf, 0x43, 0x51, 0x52,
+		0x66, 0xb2, 0x76, 0x60, 0xda, 0xc5, 0xf3, 0xf6,
+		0xaa, 0xcd, 0x9a, 0xa0, 0x75, 0x54, 0x0e, 0x01,
+	}
+	log = [256]byte{
+		0x00, 0xff, 0xc8, 0x08, 0x91, 0x10, 0xd0, 0x36,
+		0x5a, 0x3e, 0xd8, 0x43, 0x99, 0x77, 0xfe, 0x18,
+		0x23, 0x20, 0x07, 0x70, 0xa1, 0x6c, 0x0c, 0x7f,
+		0x62, 0x8b, 0x40, 0x46, 0xc7, 0x4b, 0xe0, 0x0e,
+		0xeb, 0x16, 0xe8, 0xad, 0xcf, 0xcd, 0x39, 0x53,
+		0x6a, 0x27, 0x35, 0x93, 0xd4, 0x4e, 0x48, 0xc3,
+		0x2b, 0x79, 0x54, 0x28, 0x09, 0x78, 0x0f, 0x21,
+		0x90, 0x87, 0x14, 0x2a, 0xa9, 0x9c, 0xd6, 0x74,
+		0xb4, 0x7c, 0xde, 0xed, 0xb1, 0x86, 0x76, 0xa4,
+		0x98, 0xe2, 0x96, 0x8f, 0x02, 0x32, 0x1c, 0xc1,
+		0x33, 0xee, 0xef, 0x81, 0xfd, 0x30, 0x5c, 0x13,
+		0x9d, 0x29, 0x17, 0xc4, 0x11, 0x44, 0x8c, 0x80,
+		0xf3, 0x73, 0x42, 0x1e, 0x1d, 0xb5, 0xf0, 0x12,
+		0xd1, 0x5b, 0x41, 0xa2, 0xd7, 0x2c, 0xe9, 0xd5,
+		0x59, 0xcb, 0x50, 0xa8, 0xdc, 0xfc, 0xf2, 0x56,
+		0x72, 0xa6, 0x65, 0x2f, 0x9f, 0x9b, 0x3d, 0xba,
+		0x7d, 0xc2, 0x45, 0x82, 0xa7, 0x57, 0xb6, 0xa3,
+		0x7a, 0x75, 0x4f, 0xae, 0x3f, 0x37, 0x6d, 0x47,
+		0x61, 0xbe, 0xab, 0xd3, 0x5f, 0xb0, 0x58, 0xaf,
+		0xca, 0x5e, 0xfa, 0x85, 0xe4, 0x4d, 0x8a, 0x05,
+		0xfb, 0x60, 0xb7, 0x7b, 0xb8, 0x26, 0x4a, 0x67,
+		0xc6, 0x1a, 0xf8, 0x69, 0x25, 0xb3, 0xdb, 0xbd,
+		0x66, 0xdd, 0xf1, 0xd2, 0xdf, 0x03, 0x8d, 0x34,
+		0xd9, 0x92, 0x0d, 0x63, 0x55, 0xaa, 0x49, 0xec,
+		0xbc, 0x95, 0x3c, 0x84, 0x0b, 0xf5, 0xe6, 0xe7,
+		0xe5, 0xac, 0x7e, 0x6e, 0xb9, 0xf9, 0xda, 0x8e,
+		0x9a, 0xc9, 0x24, 0xe1, 0x0a, 0x15, 0x6b, 0x3a,
+		0xa0, 0x51, 0xf4, 0xea, 0xb2, 0x97, 0x9e, 0x5d,
+		0x22, 0x88, 0x94, 0xce, 0x19, 0x01, 0x71, 0x4c,
+		0xa5, 0xe3, 0xc5, 0x31, 0xbb, 0xcc, 0x1f, 0x2d,
+		0x3b, 0x52, 0x6f, 0xf6, 0x2e, 0x89, 0xf7, 0xc0,
+		0x68, 0x1b, 0x64, 0x04, 0x06, 0xbf, 0x83, 0x38,
+	}
+)
diff --git a/go.mod b/go.mod
@@ -0,0 +1,3 @@
+module github.com/lafriks/go-shamir
+
+go 1.14
diff --git a/polynomial.go b/polynomial.go
@@ -0,0 +1,69 @@
+package shamir
+
+import (
+	"crypto/rand"
+	"io"
+)
+
+// evaluate the polynomial at the given point
+func eval(p []byte, x byte) (result byte) {
+	if x == 0 {
+		return p[0]
+	}
+
+	// Horner's scheme
+	for i := 1; i <= len(p); i++ {
+		result = mul(result, x) ^ p[len(p)-i]
+	}
+	return
+}
+
+// generates a random n-degree polynomial w/ a given x-intercept
+func generate(degree byte, x byte) ([]byte, error) {
+	result := make([]byte, degree+1)
+	result[0] = x
+
+	buf := make([]byte, degree-1)
+	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
+		return nil, err
+	}
+
+	for i := byte(1); i < degree; i++ {
+		result[i] = buf[i-1]
+	}
+
+	// the Nth term can't be zero, or else it's a (N-1) degree polynomial
+	for {
+		buf = make([]byte, 1)
+		if _, err := io.ReadFull(rand.Reader, buf); err != nil {
+			return nil, err
+		}
+
+		if buf[0] != 0 {
+			result[degree] = buf[0]
+			return result, nil
+		}
+	}
+}
+
+// an input/output pair
+type pair struct {
+	x, y byte
+}
+
+// Lagrange interpolation
+func interpolate(points []pair, x byte) (value byte) {
+	for i, a := range points {
+		weight := byte(1)
+		for j, b := range points {
+			if i != j {
+				top := x ^ b.x
+				bottom := a.x ^ b.x
+				factor := div(top, bottom)
+				weight = mul(weight, factor)
+			}
+		}
+		value = value ^ mul(weight, a.y)
+	}
+	return
+}
diff --git a/shamir.go b/shamir.go
@@ -0,0 +1,127 @@
+// Package shamir implements Shamir's Secret Sharing algorithm over GF(2^8).
+//
+// Shamir's Secret Sharing algorithm allows you to securely share a secret with
+// N people, allowing the recovery of that secret if K of those people combine
+// their shares.
+//
+// It begins by encoding a secret as a number (e.g., 42), and generating N
+// random polynomial equations of degree K-1 which have an X-intercept equal to
+// the secret. Given K=3, the following equations might be generated:
+//
+//     f1(x) =  78x^2 +  19x + 42
+//     f2(x) = 128x^2 + 171x + 42
+//     f3(x) = 121x^2 +   3x + 42
+//     f4(x) =  91x^2 +  95x + 42
+//     etc.
+//
+// These polynomials are then evaluated for values of X > 0:
+//
+//     f1(1) =  139
+//     f2(2) =  896
+//     f3(3) = 1140
+//     f4(4) = 1783
+//     etc.
+//
+// These (x, y) pairs are the shares given to the parties. In order to combine
+// shares to recover the secret, these (x, y) pairs are used as the input points
+// for Lagrange interpolation, which produces a polynomial which matches the
+// given points. This polynomial can be evaluated for f(0), producing the secret
+// value--the common x-intercept for all the generated polynomials.
+//
+// If fewer than K shares are combined, the interpolated polynomial will be
+// wrong, and the result of f(0) will not be the secret.
+//
+// This package constructs polynomials over the field GF(2^8) for each byte of
+// the secret, allowing for fast splitting and combining of anything which can
+// be encoded as bytes.
+//
+// This package has not been audited by cryptography or security professionals.
+package shamir
+
+import (
+	"errors"
+	mrand "math/rand"
+	"time"
+)
+
+var (
+	// ErrInvalidCount is returned when the count parameter is invalid.
+	ErrInvalidCount = errors.New("Shares must be more or equal to treshold but not more than 255")
+	// ErrInvalidThreshold is returned when the threshold parameter is invalid.
+	ErrInvalidThreshold = errors.New("Treshold must be at least 2 but not more than 255")
+	// ErrEmptySecret is returned when provided secret is empty.
+	ErrEmptySecret = errors.New("Secret can not be empty")
+	// ErrInvalidShares is returned when not required minimum shares are provided or shares does not have same length.
+	ErrInvalidShares = errors.New("At least 2 shares are required and must have same length")
+)
+
+// Split the given secret into N shares of which K are required to recover the
+// secret. Returns an array of shares.
+func Split(n, k int, secret []byte) ([][]byte, error) {
+	if k <= 1 || k > 255 {
+		return nil, ErrInvalidThreshold
+	}
+
+	if n < k || n > 255 {
+		return nil, ErrInvalidCount
+	}
+
+	if len(secret) == 0 {
+		return nil, ErrEmptySecret
+	}
+
+	mrand.Seed(time.Now().UnixNano())
+	cords := mrand.Perm(255)
+
+	shares := make([][]byte, n)
+	for i := range shares {
+		shares[i] = make([]byte, len(secret)+1)
+		shares[i][len(secret)] = byte(cords[i]) + 1
+	}
+
+	for i, b := range secret {
+		p, err := generate(byte(k)-1, b)
+		if err != nil {
+			return nil, err
+		}
+
+		for j := 0; j < n; j++ {
+			x := byte(cords[j]) + 1
+			shares[j][i] = eval(p, x)
+		}
+	}
+
+	return shares, nil
+}
+
+// Combine the given shares into the original secret.
+func Combine(shares [][]byte) ([]byte, error) {
+	if len(shares) < 2 || len(shares[0]) < 2 {
+		return nil, ErrInvalidShares
+	}
+
+	l := len(shares[0])
+	c := make(map[byte]bool, len(shares))
+	c[shares[0][l-1]] = true
+	for i := 1; i < len(shares); i++ {
+		if len(shares[i]) != l {
+			return nil, ErrInvalidShares
+		}
+		if ok := c[shares[i][l-1]]; ok {
+			return nil, ErrInvalidShares
+		}
+		c[shares[i][l-1]] = true
+	}
+
+	secret := make([]byte, l-1)
+
+	points := make([]pair, len(shares))
+	for i := range secret {
+		for p, v := range shares {
+			points[p] = pair{x: v[l-1], y: v[i]}
+		}
+		secret[i] = interpolate(points, 0)
+	}
+
+	return secret, nil
+}
diff --git a/shamir_test.go b/shamir_test.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+module github.com/lafriks/go-shamir`
	`2`	`+`
	`3`	`+go 1.14`