bitcoinrb 0.2.9 → 0.3.0

data/lib/bitcoin/psbt/input.rb

@@ -156,7 +156,7 @@ module Bitcoin
       # @param [String] pubkey a public key with hex format.
       # @param [String] sig a signature.
       def add_sig(pubkey, sig)
-        raise ArgumentError, 'The sighash in signature is invalid.' unless sig.unpack('C*')[-1] == sighash_type
+        raise ArgumentError, 'The sighash in signature is invalid.' if sighash_type && sig.unpack('C*')[-1] != sighash_type
         raise ArgumentError, 'Duplicate Key, input partial signature for pubkey already provided.' if partial_sigs[pubkey]
         partial_sigs[pubkey] = sig
       end
@@ -168,7 +168,7 @@ module Bitcoin
         raise ArgumentError, 'The argument psbt must be an instance of Bitcoin::PSBT::Input.' unless psbi.is_a?(Bitcoin::PSBT::Input)
         raise ArgumentError, 'The Partially Signed Input\'s non_witness_utxo are different.' unless non_witness_utxo == psbi.non_witness_utxo
         raise ArgumentError, 'The Partially Signed Input\'s witness_utxo are different.' unless witness_utxo == psbi.witness_utxo
-        raise ArgumentError, 'The Partially Signed Input\'s sighash_type are different.' unless sighash_type == psbi.sighash_type
+        raise ArgumentError, 'The Partially Signed Input\'s sighash_type are different.' if sighash_type && psbi.sighash_type && sighash_type != psbi.sighash_type
         raise ArgumentError, 'The Partially Signed Input\'s redeem_script are different.' unless redeem_script == psbi.redeem_script
         raise ArgumentError, 'The Partially Signed Input\'s witness_script are different.' unless witness_script == psbi.witness_script
         combined = Bitcoin::PSBT::Input.new(non_witness_utxo: non_witness_utxo, witness_utxo: witness_utxo)

data/lib/bitcoin/psbt/tx.rb

@@ -30,6 +30,7 @@ module Bitcoin
       attr_reader :inputs
       attr_reader :outputs
       attr_accessor :unknowns
+      attr_accessor :version_number
 
       def initialize(tx = nil)
         @tx = tx
@@ -82,6 +83,9 @@ module Bitcoin
             info = Bitcoin::PSBT::KeyOriginInfo.parse_from_payload(value)
             raise ArgumentError, "global xpub's depth and the number of indexes not matched." unless xpub.depth == info.key_paths.size
             partial_tx.xpubs << Bitcoin::PSBT::GlobalXpub.new(xpub, info)
+          when PSBT_GLOBAL_TYPES[:ver]
+            partial_tx.version_number = value.unpack('V').first
+            raise ArgumentError, "An unsupported version was detected." if SUPPORT_VERSION < partial_tx.version_number
           else
             raise ArgumentError, 'Duplicate Key, key for unknown value already provided.' if partial_tx.unknowns[key]
             partial_tx.unknowns[([key_type].pack('C') + key).bth] = value
@@ -120,6 +124,12 @@ module Bitcoin
         partial_tx
       end
 
+      # get PSBT version
+      # @return [Integer] PSBT version number
+      def version
+        version_number ? version_number : 0
+      end
+
       # Finds the UTXO for a given input index
       # @param [Integer] index input_index Index of the input to retrieve the UTXO of
       # @return [Bitcoin::TxOut] The UTXO of the input if found.
@@ -138,6 +148,7 @@ module Bitcoin
 
         payload << PSBT.serialize_to_vector(PSBT_GLOBAL_TYPES[:unsigned_tx], value: tx.to_payload)
         payload << xpubs.map(&:to_payload).join
+        payload << PSBT.serialize_to_vector(PSBT_GLOBAL_TYPES[:ver], value: [version_number].pack('V')) if version_number
 
         payload << unknowns.map {|k,v|Bitcoin.pack_var_int(k.htb.bytesize) << k.htb << Bitcoin.pack_var_int(v.bytesize) << v}.join
 

data/lib/bitcoin/rpc/request_handler.rb

@@ -49,7 +49,7 @@ module Bitcoin
       # Returns connected peer information.
       def getpeerinfo
         node.pool.peers.map do |peer|
-          local_addr = peer.remote_version.remote_addr[0..peer.remote_version.remote_addr.rindex(':')] + '18333'
+          local_addr = "#{peer.remote_version.remote_addr.ip}:18333"
           {
             id: peer.id,
             addr: "#{peer.host}:#{peer.port}",

data/lib/bitcoin/script/script.rb

@@ -54,7 +54,8 @@ module Bitcoin
     # @param [String] m the number of signatures required for multisig
     # @param [Array] pubkeys array of public keys that compose multisig
     # @return [Script] multisig script.
-    def self.to_multisig_script(m, pubkeys)
+    def self.to_multisig_script(m, pubkeys, sort: false)
+      pubkeys = pubkeys.sort if sort
       new << m << pubkeys << pubkeys.size << OP_CHECKMULTISIG
     end
 

data/lib/bitcoin/slip39.rb

@@ -0,0 +1,93 @@
+module Bitcoin
+  module SLIP39
+
+    WORDS = File.readlines("#{__dir__}/slip39/wordlist/english.txt").map(&:strip)
+
+    module_function
+
+    def bits_to_bytes(n)
+      (n + 7) / 8
+    end
+
+    def bits_to_words(n)
+      (n + RADIX_BITS - 1) / RADIX_BITS
+    end
+
+    # The length of the radix in bits.
+    RADIX_BITS = 10
+    # The number of words in the wordlist.
+    RADIX = 2 ** RADIX_BITS
+    # The length of the random identifier in bits.
+    ID_LENGTH_BITS = 15
+    # The length of the iteration exponent in bits.
+    ITERATION_EXP_LENGTH_BITS = 5
+    # The length of the random identifier and iteration exponent in words.
+    ID_EXP_LENGTH_WORDS = bits_to_words(ID_LENGTH_BITS + ITERATION_EXP_LENGTH_BITS)
+    # The maximum number of shares that can be created.
+    MAX_SHARE_COUNT = 16
+    # The length of the RS1024 checksum in words.
+    CHECKSUM_LENGTH_WORDS = 3
+    # The length of the digest of the shared secret in bytes.
+    DIGEST_LENGTH_BYTES = 4
+    # The customization string used in the RS1024 checksum and in the PBKDF2 salt.
+    CUSTOMIZATION_STRING = 'shamir'.bytes
+    # The length of the mnemonic in words without the share value.
+    METADATA_LENGTH_WORDS = ID_EXP_LENGTH_WORDS + 2 + CHECKSUM_LENGTH_WORDS
+    # The minimum allowed entropy of the master secret.
+    MIN_STRENGTH_BITS = 128
+    # The minimum allowed length of the mnemonic in words.
+    MIN_MNEMONIC_LENGTH_WORDS = METADATA_LENGTH_WORDS + bits_to_words(MIN_STRENGTH_BITS)
+    # The minimum number of iterations to use in PBKDF2.
+    BASE_ITERATION_COUNT = 10000
+    # The number of rounds to use in the Feistel cipher.
+    ROUND_COUNT = 4
+    # The index of the share containing the shared secret.
+    SECRET_INDEX = 255
+    # The index of the share containing the digest of the shared secret.
+    DIGEST_INDEX = 254
+
+    EXP_TABLE = [
+        1, 3, 5, 15, 17, 51, 85, 255, 26, 46, 114, 150, 161, 248, 19,
+        53, 95, 225, 56, 72, 216, 115, 149, 164, 247, 2, 6, 10, 30, 34,
+        102, 170, 229, 52, 92, 228, 55, 89, 235, 38, 106, 190, 217, 112, 144,
+        171, 230, 49, 83, 245, 4, 12, 20, 60, 68, 204, 79, 209, 104, 184,
+        211, 110, 178, 205, 76, 212, 103, 169, 224, 59, 77, 215, 98, 166, 241,
+        8, 24, 40, 120, 136, 131, 158, 185, 208, 107, 189, 220, 127, 129, 152,
+        179, 206, 73, 219, 118, 154, 181, 196, 87, 249, 16, 48, 80, 240, 11,
+        29, 39, 105, 187, 214, 97, 163, 254, 25, 43, 125, 135, 146, 173, 236,
+        47, 113, 147, 174, 233, 32, 96, 160, 251, 22, 58, 78, 210, 109, 183,
+        194, 93, 231, 50, 86, 250, 21, 63, 65, 195, 94, 226, 61, 71, 201,
+        64, 192, 91, 237, 44, 116, 156, 191, 218, 117, 159, 186, 213, 100, 172,
+        239, 42, 126, 130, 157, 188, 223, 122, 142, 137, 128, 155, 182, 193, 88,
+        232, 35, 101, 175, 234, 37, 111, 177, 200, 67, 197, 84, 252, 31, 33,
+        99, 165, 244, 7, 9, 27, 45, 119, 153, 176, 203, 70, 202, 69, 207,
+        74, 222, 121, 139, 134, 145, 168, 227, 62, 66, 198, 81, 243, 14, 18,
+        54, 90, 238, 41, 123, 141, 140, 143, 138, 133, 148, 167, 242, 13, 23,
+        57, 75, 221, 124, 132, 151, 162, 253, 28, 36, 108, 180, 199, 82, 246
+    ]
+
+    LOG_TABLE = [
+        0, 0, 25, 1, 50, 2, 26, 198, 75, 199, 27, 104, 51, 238, 223, 3,
+        100, 4, 224, 14, 52, 141, 129, 239, 76, 113, 8, 200, 248, 105, 28,
+        193, 125, 194, 29, 181, 249, 185, 39, 106, 77, 228, 166, 114, 154, 201,
+        9, 120, 101, 47, 138, 5, 33, 15, 225, 36, 18, 240, 130, 69, 53,
+        147, 218, 142, 150, 143, 219, 189, 54, 208, 206, 148, 19, 92, 210, 241,
+        64, 70, 131, 56, 102, 221, 253, 48, 191, 6, 139, 98, 179, 37, 226,
+        152, 34, 136, 145, 16, 126, 110, 72, 195, 163, 182, 30, 66, 58, 107,
+        40, 84, 250, 133, 61, 186, 43, 121, 10, 21, 155, 159, 94, 202, 78,
+        212, 172, 229, 243, 115, 167, 87, 175, 88, 168, 80, 244, 234, 214, 116,
+        79, 174, 233, 213, 231, 230, 173, 232, 44, 215, 117, 122, 235, 22, 11,
+        245, 89, 203, 95, 176, 156, 169, 81, 160, 127, 12, 246, 111, 23, 196,
+        73, 236, 216, 67, 31, 45, 164, 118, 123, 183, 204, 187, 62, 90, 251,
+        96, 177, 134, 59, 82, 161, 108, 170, 85, 41, 157, 151, 178, 135, 144,
+        97, 190, 220, 252, 188, 149, 207, 205, 55, 63, 91, 209, 83, 57, 132,
+        60, 65, 162, 109, 71, 20, 42, 158, 93, 86, 242, 211, 171, 68, 17, 146,
+        217, 35, 32, 46, 137, 180, 124, 184, 38, 119, 153, 227, 165, 103, 74, 237,
+        222, 197, 49, 254, 24, 13, 99, 140, 128, 192, 247, 112, 7
+    ]
+
+    autoload :SSS, 'bitcoin/slip39/sss'
+    autoload :Share, 'bitcoin/slip39/share'
+
+  end
+end

data/lib/bitcoin/slip39/share.rb

@@ -0,0 +1,122 @@
+module Bitcoin
+  module SLIP39
+
+    # Share of Shamir's Secret Sharing Scheme
+    class Share
+
+      attr_accessor :id               # 15 bits, Integer
+      attr_accessor :iteration_exp    # 5 bits, Integer
+      attr_accessor :group_index      # 4 bits, Integer
+      attr_accessor :group_threshold  # 4 bits, Integer
+      attr_accessor :group_count      # 4 bits, Integer
+      attr_accessor :member_index     # 4 bits, Integer
+      attr_accessor :member_threshold # 4 bits, Integer
+      attr_accessor :value            # 8n bits, hex string.
+      attr_accessor :checksum         # 30 bits, Integer
+
+      # Recover Share from the mnemonic words
+      # @param [Array{String}] words the mnemonic words
+      # @return [Bitcoin::SLIP39::Share] a share
+      def self.from_words(words)
+        raise ArgumentError, 'Mnemonics should be an array of strings' unless words.is_a?(Array)
+        indices = words.map do |word|
+          index = Bitcoin::SLIP39::WORDS.index(word.downcase)
+          raise IndexError, 'word not found in words list.' unless index
+          index
+        end
+
+        raise ArgumentError, 'Invalid mnemonic length.' if indices.size < MIN_MNEMONIC_LENGTH_WORDS
+        raise ArgumentError, 'Invalid mnemonic checksum.' unless verify_rs1024_checksum(indices)
+
+        padding_length = (RADIX_BITS * (indices.size - METADATA_LENGTH_WORDS)) % 16
+        raise ArgumentError, 'Invalid mnemonic length.' if padding_length > 8
+        data = indices.map{|i|i.to_s(2).rjust(10, '0')}.join
+
+        s = self.new
+        s.id = data[0...ID_LENGTH_BITS].to_i(2)
+        s.iteration_exp = data[ID_LENGTH_BITS...(ID_LENGTH_BITS + ITERATION_EXP_LENGTH_BITS)].to_i(2)
+        s.group_index = data[20...24].to_i(2)
+        s.group_threshold = data[24...28].to_i(2) + 1
+        s.group_count = data[28...32].to_i(2) + 1
+        raise ArgumentError, "Invalid mnemonic. Group threshold(#{s.group_threshold}) cannot be greater than group count(#{s.group_count})." if s.group_threshold > s.group_count
+        s.member_index = data[32...36].to_i(2)
+        s.member_threshold = data[36...40].to_i(2) + 1
+        value_length = data.length - 70
+        start_index = 40 + padding_length
+        end_index = start_index + value_length - padding_length
+        padding_value = data[40...(40 + padding_length)]
+        raise ArgumentError, "Invalid mnemonic. padding must only zero." unless padding_value.to_i(2) == 0
+        s.value = data[start_index...end_index].to_i(2).to_even_length_hex
+        s.checksum = data[(40 + value_length)..-1].to_i(2)
+        s
+      end
+
+      # Generate mnemonic words
+      # @return [Array[String]] array of mnemonic word.
+      def to_words
+        indices = build_word_indices
+        indices.map{|index| Bitcoin::SLIP39::WORDS[index]}
+      end
+
+      # Calculate checksum using current fields
+      # @return [Integer] checksum
+      def calculate_checksum
+        indices = build_word_indices(false)
+        create_rs1024_checksum(indices).map{|i|i.to_bits(10)}.join.to_i(2)
+      end
+
+      def self.rs1024_polymod(values)
+        gen = [0xe0e040, 0x1c1c080, 0x3838100, 0x7070200, 0xe0e0009, 0x1c0c2412, 0x38086c24, 0x3090fc48, 0x21b1f890, 0x3f3f120]
+        chk = 1
+        values.each do |v|
+          b = (chk >> 20)
+          chk = (chk & 0xfffff) << 10 ^ v
+          10.times do |i|
+            chk ^= (((b >> i) & 1 == 1) ? gen[i] : 0)
+          end
+        end
+        chk
+      end
+
+      private
+
+      # Create word indices from this share.
+      # @param [Boolean] include_checksum whether include checksum when creating indices.
+      # @param [Array[Integer]] the array of index
+      def build_word_indices(include_checksum = true)
+        s = id.to_bits(ID_LENGTH_BITS)
+        s << iteration_exp.to_bits(ITERATION_EXP_LENGTH_BITS)
+        s << group_index.to_bits(4)
+        s << (group_threshold - 1).to_bits(4)
+        s << (group_count - 1).to_bits(4)
+        raise StandardError, "Group threshold(#{group_threshold}) cannot be greater than group count(#{group_count})." if group_threshold > group_count
+        s << member_index.to_bits(4)
+        s << (member_threshold - 1).to_bits(4)
+        value_length = value.to_i(16).bit_length
+        padding_length = RADIX_BITS - (value_length % RADIX_BITS)
+        s << value.to_i(16).to_bits(value_length + padding_length)
+        s << checksum.to_bits(30) if include_checksum
+        s.chars.each_slice(10).map{|index| index.join.to_i(2)}
+      end
+
+      # Verify RS1024 checksum
+      # @param [Array[Integer] data the array of mnemonic word index
+      # @return [Boolean] verify result
+      def self.verify_rs1024_checksum(data)
+        rs1024_polymod(CUSTOMIZATION_STRING + data) == 1
+      end
+
+      # Create RS1024 checksum
+      # @param [Array[Integer] data the array of mnemonic word index without checksum
+      # @return [Array[Integer]] the array of checksum integer
+      def create_rs1024_checksum(data)
+        values = CUSTOMIZATION_STRING + data + Array.new(CHECKSUM_LENGTH_WORDS, 0)
+        polymod = Bitcoin::SLIP39::Share.rs1024_polymod(values) ^ 1
+        CHECKSUM_LENGTH_WORDS.times.to_a.reverse.map {|i|(polymod >> (10 * i)) & 1023 }
+      end
+
+      private_class_method :verify_rs1024_checksum
+
+    end
+  end
+end

data/lib/bitcoin/slip39/sss.rb

@@ -0,0 +1,242 @@
+require 'securerandom'
+
+module Bitcoin
+  module SLIP39
+
+    # Shamir's Secret Sharing
+    class SSS
+
+      # Create SSS shares.
+      #
+      # [Usage]
+      # 4 groups shares.
+      # = two for Alice
+      # = one for friends(required 3 of her 5 friends) and
+      # = one for family members(required 2 of her 6 family)
+      #
+      # Two of these group shares are required to reconstruct the master secret.
+      # groups = [1, 1], [1, 1], [3, 5], [2, 6]
+      #
+      # group_shares = Bitcoin::SLIP39::SSS.setup_shares(group_threshold: 2, groups: groups, secret: 'secret with hex format', passphrase: 'xxx')
+      # return 4 group array of Bitcoin::SLIP39::Share
+      #
+      # Get each share word
+      # groups[0][1].to_words
+      # => ["shadow", "pistol", "academic", "always", "adequate", "wildlife", "fancy", "gross", "oasis", "cylinder", "mustang", "wrist", "rescue", "view", "short", "owner", "flip", "making", "coding", "armed"]
+      #
+      # @param [Array[Array[Integer, Integer]]] groups
+      # @param [Integer] group_threshold threshold number of group shares required to reconstruct the master secret.
+      # @param [Integer] exp Iteration exponent. default is 0.
+      # @param [String] secret master secret with hex format.
+      # @param [String] passphrase the passphrase used for encryption/decryption.
+      # @return [Array[Array[Bitcoin::SLIP39::Share]]] array of group shares.
+      def self.setup_shares(groups: [], group_threshold: nil, exp: 0, secret: nil, passphrase: '')
+        raise ArgumentError, 'Groups is empty.' if groups.empty?
+        raise ArgumentError, 'Group threshold must be greater than 0.' if group_threshold.nil? || group_threshold < 1
+        raise ArgumentError, 'Master secret does not specified.' unless secret
+        raise ArgumentError, "The length of the master secret (#{secret.htb.bytesize} bytes) must be at least #{MIN_STRENGTH_BITS / 8} bytes." if (secret.htb.bytesize * 8) < MIN_STRENGTH_BITS
+        raise ArgumentError, 'The length of the master secret in bytes must be an even number.' unless secret.bytesize.even?
+        raise ArgumentError, 'The passphrase must contain only printable ASCII characters (code points 32-126).' unless passphrase.ascii_only?
+        raise ArgumentError, "The requested group threshold (#{group_threshold}) must not exceed the number of groups (#{groups.length})." if group_threshold > groups.length
+        groups.each do |threshold, count|
+          raise ArgumentError, 'Group threshold must be greater than 0.' if threshold.nil? || threshold < 1
+          raise ArgumentError, "The requested member threshold (#{threshold}) must not exceed the number of share (#{count})." if threshold > count
+          raise ArgumentError, "Creating multiple member shares with member threshold 1 is not allowed. Use 1-of-1 member sharing instead." if threshold == 1 && count > 1
+        end
+
+        id = SecureRandom.random_number(32767) # 32767 is max number for 15 bits.
+        ems = encrypt(secret, passphrase, exp, id)
+
+        group_shares = split_secret(group_threshold, groups.length, ems)
+
+        shares = group_shares.map.with_index do |s, i|
+          group_index, group_share = s[0], s[1]
+          member_threshold, member_count = groups[i][0], groups[i][1]
+          shares = split_secret(member_threshold, member_count, group_share)
+          shares.map do |member_index, member_share|
+            share = Bitcoin::SLIP39::Share.new
+            share.id = id
+            share.iteration_exp = exp
+            share.group_index = group_index
+            share.group_threshold = group_threshold
+            share.group_count = groups.length
+            share.member_index = member_index
+            share.member_threshold = member_threshold
+            share.value = member_share
+            share.checksum = share.calculate_checksum
+            share
+          end
+        end
+        shares
+      end
+
+      # recovery master secret form shares.
+      #
+      # [Usage]
+      # shares: An array of shares required for recovery.
+      # master_secret = Bitcoin::SLIP39::SSS.recover_secret(shares, passphrase: 'xxx')
+      #
+      # @param [Array[Bitcoin::SLIP30::Share]] shares an array of shares.
+      # @param [String] passphrase the passphrase using decrypt master secret.
+      # @return [String] a master secret.
+      def self.recover_secret(shares, passphrase: '')
+        raise ArgumentError, 'share is empty.' if shares.nil? || shares.empty?
+        groups = {}
+        id = shares[0].id
+        exp = shares[0].iteration_exp
+        group_threshold = shares.first.group_threshold
+        group_count = shares.first.group_count
+
+        shares.each do |share|
+          raise ArgumentError, 'Invalid set of shares. All shares must have the same id.' unless id == share.id
+          raise ArgumentError, 'Invalid set of shares. All shares must have the same group threshold.' unless group_threshold == share.group_threshold
+          raise ArgumentError, 'Invalid set of shares. All shares must have the same group count.' unless group_count == share.group_count
+          raise ArgumentError, 'Invalid set of shares. All Shares must have the same iteration exponent.' unless exp == share.iteration_exp
+          groups[share.group_index] ||= []
+          groups[share.group_index] << share
+        end
+
+        group_shares = {}
+        groups.each do |group_index, shares|
+          member_threshold = shares.first.member_threshold
+          raise ArgumentError, "Wrong number of mnemonics. Threshold is #{member_threshold}, but share count is #{shares.length}" if shares.length < member_threshold
+          if shares.length == 1 && member_threshold == 1
+            group_shares[group_index] = shares.first.value
+          else
+            value_length = shares.first.value.length
+            x_coordinates = []
+            shares.each do |share|
+              raise ArgumentError, 'Invalid set of shares. All shares in a group must have the same member threshold.' unless member_threshold == share.member_threshold
+              raise ArgumentError, 'Invalid set of shares. All share values must have the same length.' unless value_length == share.value.length
+              x_coordinates << share.member_index
+            end
+            x_coordinates.uniq!
+            raise ArgumentError, 'Invalid set of shares. Share indices must be unique.' unless x_coordinates.size == shares.size
+            interpolate_shares = shares.map{|s|[s.member_index, s.value]}
+
+            secret = interpolate(interpolate_shares, SECRET_INDEX)
+            digest_value = interpolate(interpolate_shares, DIGEST_INDEX).htb
+            digest, random_value = digest_value[0...DIGEST_LENGTH_BYTES].bth, digest_value[DIGEST_LENGTH_BYTES..-1].bth
+            recover_digest = create_digest(secret, random_value)
+            raise ArgumentError, 'Invalid digest of the shared secret.' unless digest == recover_digest
+
+            group_shares[group_index] = secret
+          end
+        end
+
+        return decrypt(group_shares.values.first, passphrase, exp, id) if group_threshold == 1
+
+        raise ArgumentError, "Wrong number of mnemonics. Group threshold is #{group_threshold}, but share count is #{group_shares.length}" if group_shares.length < group_threshold
+
+        interpolate_shares = group_shares.map{|k, v|[k, v]}
+        secret = interpolate(interpolate_shares, SECRET_INDEX)
+        digest_value = interpolate(interpolate_shares, DIGEST_INDEX).htb
+        digest, random_value = digest_value[0...DIGEST_LENGTH_BYTES].bth, digest_value[DIGEST_LENGTH_BYTES..-1].bth
+        recover_digest = create_digest(secret, random_value)
+        raise ArgumentError, 'Invalid digest of the shared secret.' unless digest == recover_digest
+
+        decrypt(secret, passphrase, exp, id)
+      end
+
+      private
+
+      # Calculate f(x) from given shamir shares.
+      # @param [Array[index, value]] shares the array of shamir shares.
+      # @param [Integer] x the x coordinate of the result.
+      # @return [String] f(x) value with hex format.
+      def self.interpolate(shares, x)
+        s = shares.find{|s|s[0] == x}
+        return s[1] if s
+
+        log_prod = shares.sum{|s|LOG_TABLE[s[0] ^ x]}
+
+        result = ('00' * shares.first[1].length).htb
+        shares.each do |share|
+          log_basis_eval = (log_prod - LOG_TABLE[share[0] ^ x] - shares.sum{|s|LOG_TABLE[share[0] ^ s[0]]}) % 255
+          result = share[1].htb.bytes.each.map.with_index do |v, i|
+            (result[i].bti ^ (v == 0 ? 0 : (EXP_TABLE[(LOG_TABLE[v] + log_basis_eval) % 255]))).itb
+          end.join
+        end
+        result.bth
+      end
+
+      # Decrypt encrypted master secret using passphrase.
+      # @param [String] ems an encrypted master secret with hex format.
+      # @param [String] passphrase the passphrase when using encrypt master secret with binary format.
+      # @param [Integer] exp iteration exponent
+      # @param [Integer] id identifier
+      def self.decrypt(ems, passphrase, exp, id)
+        l, r = ems[0...(ems.length / 2)].htb, ems[(ems.length / 2)..-1].htb
+        salt = get_salt(id)
+        e = (Bitcoin::SLIP39::BASE_ITERATION_COUNT << exp) / Bitcoin::SLIP39::ROUND_COUNT
+        Bitcoin::SLIP39::ROUND_COUNT.times.to_a.reverse.each do |i|
+          f = OpenSSL::PKCS5.pbkdf2_hmac((i.itb + passphrase), salt + r, e, r.bytesize, 'sha256')
+          l, r = r, (l.bti ^ f.bti).itb
+        end
+        (r + l).bth
+      end
+
+      # Encrypt master secret using passphrase
+      # @param [String] secret master secret with hex format.
+      # @param [String] passphrase the passphrase when using encrypt master secret with binary format.
+      # @param [Integer] exp iteration exponent
+      # @param [Integer] id identifier
+      # @return [String] encrypted master secret with hex format.
+      def self.encrypt(secret, passphrase, exp, id)
+        s = secret.htb
+        l, r = s[0...(s.bytesize / 2)], s[(s.bytesize / 2)..-1]
+        salt = get_salt(id)
+        e = (Bitcoin::SLIP39::BASE_ITERATION_COUNT << exp) / Bitcoin::SLIP39::ROUND_COUNT
+        Bitcoin::SLIP39::ROUND_COUNT.times.to_a.each do |i|
+          f = OpenSSL::PKCS5.pbkdf2_hmac((i.itb + passphrase), salt + r, e, r.bytesize, 'sha256')
+          l, r = r, (l.bti ^ f.bti).itb
+        end
+        (r + l).bth
+      end
+
+      # Create digest of the shared secret.
+      # @param [String] secret the shared secret with hex format.
+      # @param [String] random value (n-4 bytes) with hex format.
+      # @return [String] digest value(4 bytes) with hex format.
+      def self.create_digest(secret, random)
+        h = Bitcoin.hmac_sha256(random.htb, secret.htb)
+        h[0...4].bth
+      end
+
+      # get salt using encryption/decryption form id.
+      # @param [Integer] id id
+      # @return [String] salt with binary format.
+      def self.get_salt(id)
+        (Bitcoin::SLIP39::CUSTOMIZATION_STRING.pack('c*') + id.itb)
+      end
+
+      # Split the share into +count+ with threshold +threshold+.
+      # @param [Integer] threshold the threshold.
+      # @param [Integer] count split count.
+      # @param [Integer] secret the secret to be split.
+      # @return [Array[Integer, String]] the array of split secret.
+      def self.split_secret(threshold, count, secret)
+        raise ArgumentError, "The requested threshold (#{threshold}) must be a positive integer." if threshold < 1
+        raise ArgumentError, "The requested threshold (#{threshold}) must not exceed the number of shares (#{count})." if threshold > count
+        raise ArgumentError, "The requested number of shares (#{count}) must not exceed #{MAX_SHARE_COUNT}." if count > MAX_SHARE_COUNT
+
+        return count.times.map{|i|[i, secret]} if threshold == 1 # if the threshold is 1, digest of the share is not used.
+
+        random_share_count = threshold - 2
+
+        shares = random_share_count.times.map{|i|[i, SecureRandom.hex(secret.htb.bytesize)]}
+        random_part = SecureRandom.hex(secret.htb.bytesize - DIGEST_LENGTH_BYTES)
+        digest = create_digest(secret, random_part)
+
+        base_shares = shares + [[DIGEST_INDEX, digest + random_part], [SECRET_INDEX, secret]]
+
+        (random_share_count...count).each { |i| shares << [i, interpolate(base_shares, i)]}
+
+        shares
+      end
+
+      private_class_method :split_secret, :get_salt, :interpolate, :encrypt, :decrypt, :create_digest
+
+    end
+  end
+end