@bcts/shamir 1.0.0-alpha.5

package/src/error.ts

@@ -0,0 +1,51 @@
+// Ported from bc-shamir-rust/src/error.rs
+
+/**
+ * Error types for Shamir secret sharing operations.
+ */
+export enum ShamirErrorType {
+  SecretTooLong = "SecretTooLong",
+  TooManyShares = "TooManyShares",
+  InterpolationFailure = "InterpolationFailure",
+  ChecksumFailure = "ChecksumFailure",
+  SecretTooShort = "SecretTooShort",
+  SecretNotEvenLen = "SecretNotEvenLen",
+  InvalidThreshold = "InvalidThreshold",
+  SharesUnequalLength = "SharesUnequalLength",
+}
+
+/**
+ * Error class for Shamir secret sharing operations.
+ */
+export class ShamirError extends Error {
+  readonly type: ShamirErrorType;
+
+  constructor(type: ShamirErrorType, message?: string) {
+    super(message ?? ShamirError.defaultMessage(type));
+    this.type = type;
+    this.name = "ShamirError";
+  }
+
+  private static defaultMessage(type: ShamirErrorType): string {
+    switch (type) {
+      case ShamirErrorType.SecretTooLong:
+        return "secret is too long";
+      case ShamirErrorType.TooManyShares:
+        return "too many shares";
+      case ShamirErrorType.InterpolationFailure:
+        return "interpolation failed";
+      case ShamirErrorType.ChecksumFailure:
+        return "checksum failure";
+      case ShamirErrorType.SecretTooShort:
+        return "secret is too short";
+      case ShamirErrorType.SecretNotEvenLen:
+        return "secret is not of even length";
+      case ShamirErrorType.InvalidThreshold:
+        return "invalid threshold";
+      case ShamirErrorType.SharesUnequalLength:
+        return "shares have unequal length";
+    }
+  }
+}
+
+export type ShamirResult<T> = T;

package/src/hazmat.ts

@@ -0,0 +1,287 @@
+// Ported from bc-shamir-rust/src/hazmat.rs
+// GF(2^8) bitsliced polynomial operations for Shamir secret sharing
+
+import { memzero } from "@bcts/crypto";
+
+/**
+ * Convert an array of bytes into a bitsliced representation.
+ * Takes the first 32 bytes from x and produces 8 u32 values.
+ *
+ * @param r - Output array of 8 u32 values (bitsliced representation)
+ * @param x - Input array of at least 32 bytes
+ */
+export function bitslice(r: Uint32Array, x: Uint8Array): void {
+  if (x.length < 32) {
+    throw new Error("bitslice: input must be at least 32 bytes");
+  }
+  if (r.length !== 8) {
+    throw new Error("bitslice: output must have 8 elements");
+  }
+
+  memzero(r);
+
+  for (let arrIdx = 0; arrIdx < 32; arrIdx++) {
+    const cur = x[arrIdx];
+    for (let bitIdx = 0; bitIdx < 8; bitIdx++) {
+      // r[bitIdx] |= ((cur & (1 << bitIdx)) >> bitIdx) << arrIdx
+      r[bitIdx] |= ((cur & (1 << bitIdx)) >>> bitIdx) << arrIdx;
+    }
+  }
+}
+
+/**
+ * Convert a bitsliced representation back to bytes.
+ *
+ * @param r - Output array of at least 32 bytes
+ * @param x - Input array of 8 u32 values (bitsliced representation)
+ */
+export function unbitslice(r: Uint8Array, x: Uint32Array): void {
+  if (r.length < 32) {
+    throw new Error("unbitslice: output must be at least 32 bytes");
+  }
+  if (x.length !== 8) {
+    throw new Error("unbitslice: input must have 8 elements");
+  }
+
+  memzero(r.subarray(0, 32));
+
+  for (let bitIdx = 0; bitIdx < 8; bitIdx++) {
+    const cur = x[bitIdx];
+    for (let arrIdx = 0; arrIdx < 32; arrIdx++) {
+      // r[arrIdx] |= ((cur & (1 << arrIdx)) >> arrIdx) << bitIdx
+      r[arrIdx] |= ((cur & (1 << arrIdx)) >>> arrIdx) << bitIdx;
+    }
+  }
+}
+
+/**
+ * Set all 32 positions in a bitsliced array to the same byte value.
+ *
+ * @param r - Output array of 8 u32 values
+ * @param x - Byte value to set in all positions
+ */
+export function bitsliceSetall(r: Uint32Array, x: number): void {
+  if (r.length !== 8) {
+    throw new Error("bitsliceSetall: output must have 8 elements");
+  }
+
+  for (let idx = 0; idx < 8; idx++) {
+    // JavaScript needs special handling for the arithmetic right shift
+    // This mirrors: *r = (((((x as u32) & (1u32.wrapping_shl(idx as u32)))
+    //                       .wrapping_shl(31 - idx as u32)) as i32)
+    //                       .wrapping_shr(31)) as u32;
+    const bit = (x >>> idx) & 1;
+    r[idx] = bit === 1 ? 0xffffffff : 0;
+  }
+}
+
+/**
+ * Add (XOR) r with x and store the result in r.
+ * In GF(2^8), addition is XOR.
+ *
+ * @param r - First operand and result
+ * @param x - Second operand
+ */
+export function gf256Add(r: Uint32Array, x: Uint32Array): void {
+  if (r.length !== 8 || x.length !== 8) {
+    throw new Error("gf256Add: arrays must have 8 elements");
+  }
+
+  for (let i = 0; i < 8; i++) {
+    r[i] ^= x[i];
+  }
+}
+
+/**
+ * Safely multiply two bitsliced polynomials in GF(2^8) reduced by
+ * x^8 + x^4 + x^3 + x + 1. r and a may overlap, but overlapping of r
+ * and b will produce an incorrect result! If you need to square a polynomial
+ * use gf256Square instead.
+ *
+ * @param r - Result array (8 u32 values)
+ * @param a - First operand (may overlap with r)
+ * @param b - Second operand (must NOT overlap with r)
+ */
+export function gf256Mul(r: Uint32Array, a: Uint32Array, b: Uint32Array): void {
+  if (r.length !== 8 || a.length !== 8 || b.length !== 8) {
+    throw new Error("gf256Mul: arrays must have 8 elements");
+  }
+
+  // Russian Peasant multiplication on two bitsliced polynomials
+  const a2 = new Uint32Array(a);
+
+  r[0] = a2[0] & b[0];
+  r[1] = a2[1] & b[0];
+  r[2] = a2[2] & b[0];
+  r[3] = a2[3] & b[0];
+  r[4] = a2[4] & b[0];
+  r[5] = a2[5] & b[0];
+  r[6] = a2[6] & b[0];
+  r[7] = a2[7] & b[0];
+  a2[0] ^= a2[7]; // reduce
+  a2[2] ^= a2[7];
+  a2[3] ^= a2[7];
+
+  r[0] ^= a2[7] & b[1]; // add
+  r[1] ^= a2[0] & b[1];
+  r[2] ^= a2[1] & b[1];
+  r[3] ^= a2[2] & b[1];
+  r[4] ^= a2[3] & b[1];
+  r[5] ^= a2[4] & b[1];
+  r[6] ^= a2[5] & b[1];
+  r[7] ^= a2[6] & b[1];
+  a2[7] ^= a2[6]; // reduce
+  a2[1] ^= a2[6];
+  a2[2] ^= a2[6];
+
+  r[0] ^= a2[6] & b[2]; // add
+  r[1] ^= a2[7] & b[2];
+  r[2] ^= a2[0] & b[2];
+  r[3] ^= a2[1] & b[2];
+  r[4] ^= a2[2] & b[2];
+  r[5] ^= a2[3] & b[2];
+  r[6] ^= a2[4] & b[2];
+  r[7] ^= a2[5] & b[2];
+  a2[6] ^= a2[5]; // reduce
+  a2[0] ^= a2[5];
+  a2[1] ^= a2[5];
+
+  r[0] ^= a2[5] & b[3]; // add
+  r[1] ^= a2[6] & b[3];
+  r[2] ^= a2[7] & b[3];
+  r[3] ^= a2[0] & b[3];
+  r[4] ^= a2[1] & b[3];
+  r[5] ^= a2[2] & b[3];
+  r[6] ^= a2[3] & b[3];
+  r[7] ^= a2[4] & b[3];
+  a2[5] ^= a2[4]; // reduce
+  a2[7] ^= a2[4];
+  a2[0] ^= a2[4];
+
+  r[0] ^= a2[4] & b[4]; // add
+  r[1] ^= a2[5] & b[4];
+  r[2] ^= a2[6] & b[4];
+  r[3] ^= a2[7] & b[4];
+  r[4] ^= a2[0] & b[4];
+  r[5] ^= a2[1] & b[4];
+  r[6] ^= a2[2] & b[4];
+  r[7] ^= a2[3] & b[4];
+  a2[4] ^= a2[3]; // reduce
+  a2[6] ^= a2[3];
+  a2[7] ^= a2[3];
+
+  r[0] ^= a2[3] & b[5]; // add
+  r[1] ^= a2[4] & b[5];
+  r[2] ^= a2[5] & b[5];
+  r[3] ^= a2[6] & b[5];
+  r[4] ^= a2[7] & b[5];
+  r[5] ^= a2[0] & b[5];
+  r[6] ^= a2[1] & b[5];
+  r[7] ^= a2[2] & b[5];
+  a2[3] ^= a2[2]; // reduce
+  a2[5] ^= a2[2];
+  a2[6] ^= a2[2];
+
+  r[0] ^= a2[2] & b[6]; // add
+  r[1] ^= a2[3] & b[6];
+  r[2] ^= a2[4] & b[6];
+  r[3] ^= a2[5] & b[6];
+  r[4] ^= a2[6] & b[6];
+  r[5] ^= a2[7] & b[6];
+  r[6] ^= a2[0] & b[6];
+  r[7] ^= a2[1] & b[6];
+  a2[2] ^= a2[1]; // reduce
+  a2[4] ^= a2[1];
+  a2[5] ^= a2[1];
+
+  r[0] ^= a2[1] & b[7]; // add
+  r[1] ^= a2[2] & b[7];
+  r[2] ^= a2[3] & b[7];
+  r[3] ^= a2[4] & b[7];
+  r[4] ^= a2[5] & b[7];
+  r[5] ^= a2[6] & b[7];
+  r[6] ^= a2[7] & b[7];
+  r[7] ^= a2[0] & b[7];
+}
+
+/**
+ * Square x in GF(2^8) and write the result to r.
+ * r and x may overlap.
+ *
+ * @param r - Result array (8 u32 values)
+ * @param x - Value to square
+ */
+export function gf256Square(r: Uint32Array, x: Uint32Array): void {
+  if (r.length !== 8 || x.length !== 8) {
+    throw new Error("gf256Square: arrays must have 8 elements");
+  }
+
+  // Use the Freshman's Dream rule to square the polynomial
+  // Assignments are done from 7 downto 0, because this allows
+  // in-place operation (e.g. gf256Square(r, r))
+  const r14 = x[7];
+  const r12 = x[6];
+  let r10 = x[5];
+  let r8 = x[4];
+  r[6] = x[3];
+  r[4] = x[2];
+  r[2] = x[1];
+  r[0] = x[0];
+
+  // Reduce with x^8 + x^4 + x^3 + x + 1 until order is less than 8
+  r[7] = r14; // r[7] was 0
+  r[6] ^= r14;
+  r10 ^= r14;
+  // Skip, because r13 is always 0
+  r[4] ^= r12;
+  r[5] = r12; // r[5] was 0
+  r[7] ^= r12;
+  r8 ^= r12;
+  // Skip, because r11 is always 0
+  r[2] ^= r10;
+  r[3] = r10; // r[3] was 0
+  r[5] ^= r10;
+  r[6] ^= r10;
+  r[1] = r14; // r[1] was 0
+  r[2] ^= r14; // Substitute r9 by r14 because they will always be equal
+  r[4] ^= r14;
+  r[5] ^= r14;
+  r[0] ^= r8;
+  r[1] ^= r8;
+  r[3] ^= r8;
+  r[4] ^= r8;
+}
+
+/**
+ * Invert x in GF(2^8) and write the result to r.
+ *
+ * @param r - Result array (8 u32 values)
+ * @param x - Value to invert (will be modified)
+ */
+export function gf256Inv(r: Uint32Array, x: Uint32Array): void {
+  if (r.length !== 8 || x.length !== 8) {
+    throw new Error("gf256Inv: arrays must have 8 elements");
+  }
+
+  const y = new Uint32Array(8);
+  const z = new Uint32Array(8);
+
+  gf256Square(y, x); // y = x^2
+  const y2 = new Uint32Array(y);
+  gf256Square(y, y2); // y = x^4
+  gf256Square(r, y); // r = x^8
+  gf256Mul(z, r, x); // z = x^9
+  const r2a = new Uint32Array(r);
+  gf256Square(r, r2a); // r = x^16
+  const r2b = new Uint32Array(r);
+  gf256Mul(r, r2b, z); // r = x^25
+  const r2c = new Uint32Array(r);
+  gf256Square(r, r2c); // r = x^50
+  gf256Square(z, r); // z = x^100
+  const z2 = new Uint32Array(z);
+  gf256Square(z, z2); // z = x^200
+  const r2d = new Uint32Array(r);
+  gf256Mul(r, r2d, z); // r = x^250
+  const r2e = new Uint32Array(r);
+  gf256Mul(r, r2e, y); // r = x^254
+}

package/src/index.ts

@@ -0,0 +1,45 @@
+// Blockchain Commons Shamir Secret Sharing
+// Ported from bc-shamir-rust
+//
+// This is a pure TypeScript implementation of Shamir's Secret Sharing (SSS),
+// a cryptographic technique in which a secret is divided into parts, called
+// shares, in such a way that a threshold of several shares are needed to
+// reconstruct the secret. The shares are distributed in a way that makes it
+// impossible for an attacker to know anything about the secret without having
+// a threshold of shares. If the number of shares is less than the threshold,
+// then no information about the secret is revealed.
+
+/**
+ * The minimum length of a secret.
+ */
+export const MIN_SECRET_LEN = 16;
+
+/**
+ * The maximum length of a secret.
+ */
+export const MAX_SECRET_LEN = 32;
+
+/**
+ * The maximum number of shares that can be generated from a secret.
+ */
+export const MAX_SHARE_COUNT = 16;
+
+// Error types
+export { ShamirError, ShamirErrorType, type ShamirResult } from "./error.js";
+
+// Main functions
+export { splitSecret, recoverSecret } from "./shamir.js";
+
+// Low-level operations (hazmat)
+export {
+  bitslice,
+  unbitslice,
+  bitsliceSetall,
+  gf256Add,
+  gf256Mul,
+  gf256Square,
+  gf256Inv,
+} from "./hazmat.js";
+
+// Interpolation
+export { interpolate } from "./interpolate.js";

package/src/interpolate.ts

@@ -0,0 +1,157 @@
+// Ported from bc-shamir-rust/src/interpolate.rs
+
+import { memzero, memzeroVecVecU8 } from "@bcts/crypto";
+import { MAX_SECRET_LEN } from "./index.js";
+import { bitslice, bitsliceSetall, gf256Add, gf256Inv, gf256Mul, unbitslice } from "./hazmat.js";
+
+/**
+ * Calculate the lagrange basis coefficients for the lagrange polynomial
+ * defined by the x coordinates xc at the value x.
+ *
+ * After the function runs, the values array should hold data satisfying:
+ *                ---     (x-xc[j])
+ *   values[i] =  | |   -------------
+ *              j != i  (xc[i]-xc[j])
+ *
+ * @param values - Output array for the lagrange basis values
+ * @param n - Number of points (length of the xc array, 0 < n <= 32)
+ * @param xc - Array of x components to use as interpolating points
+ * @param x - x coordinate to evaluate lagrange polynomials at
+ */
+function hazmatLagrangeBasis(values: Uint8Array, n: number, xc: Uint8Array, x: number): void {
+  // call the contents of xc [ x0 x1 x2 ... xn-1 ]
+  const xx = new Uint8Array(32 + 16);
+  const xSlice = new Uint32Array(8);
+  const lxi: Uint32Array[] = [];
+  for (let i = 0; i < n; i++) {
+    lxi.push(new Uint32Array(8));
+  }
+  const numerator = new Uint32Array(8);
+  const denominator = new Uint32Array(8);
+  const temp = new Uint32Array(8);
+
+  xx.set(xc.subarray(0, n), 0);
+
+  // xx now contains bitsliced [ x0 x1 x2 ... xn-1 0 0 0 ... ]
+  for (let i = 0; i < n; i++) {
+    // lxi = bitsliced [ xi xi+1 xi+2 ... xi-1 0 0 0 ]
+    bitslice(lxi[i], xx.subarray(i));
+    xx[i + n] = xx[i];
+  }
+
+  bitsliceSetall(xSlice, x);
+  bitsliceSetall(numerator, 1);
+  bitsliceSetall(denominator, 1);
+
+  for (let i = 1; i < n; i++) {
+    temp.set(xSlice);
+    gf256Add(temp, lxi[i]);
+    // temp = [ x-xi+i x-xi+2 x-xi+3 ... x-xi x x x]
+    const numerator2 = new Uint32Array(numerator);
+    gf256Mul(numerator, numerator2, temp);
+
+    temp.set(lxi[0]);
+    gf256Add(temp, lxi[i]);
+    // temp = [x0-xi+1 x1-xi+1 x2-xi+2 ... xn-x0 0 0 0]
+    const denominator2 = new Uint32Array(denominator);
+    gf256Mul(denominator, denominator2, temp);
+  }
+
+  // At this stage the numerator contains
+  // [ num0 num1 num2 ... numn 0 0 0]
+  //
+  // where numi = prod(j, j!=i, x-xj )
+  //
+  // and the denominator contains
+  // [ d0 d1 d2 ... dn 0 0 0]
+  //
+  // where di = prod(j, j!=i, xi-xj)
+
+  gf256Inv(temp, denominator);
+
+  // gf256_inv uses exponentiation to calculate inverse, so the zeros end up
+  // remaining zeros.
+
+  // tmp = [ 1/d0 1/d1 1/d2 ... 1/dn 0 0 0]
+
+  const numerator2 = new Uint32Array(numerator);
+  gf256Mul(numerator, numerator2, temp);
+
+  // numerator now contains [ l_n_0(x) l_n_1(x) ... l_n_n-1(x) 0 0 0]
+  // use the xx array to unpack it
+
+  unbitslice(xx, numerator);
+
+  // copy results to output array
+  values.set(xx.subarray(0, n), 0);
+}
+
+/**
+ * Safely interpolate the polynomial going through
+ * the points (x0 [y0_0 y0_1 y0_2 ... y0_31]) , (x1 [y1_0 ...]), ...
+ *
+ * where
+ *   xi points to [x0 x1 ... xn-1 ]
+ *   y contains an array of pointers to 32-bit arrays of y values
+ *   y contains [y0 y1 y2 ... yn-1]
+ *   and each of the yi arrays contain [yi_0 yi_i ... yi_31].
+ *
+ * @param n - Number of points to interpolate
+ * @param xi - x coordinates for points (array of length n)
+ * @param yl - Length of y coordinate arrays
+ * @param yij - Array of n arrays of length yl
+ * @param x - Coordinate to interpolate at
+ * @returns The interpolated result of length yl
+ */
+export function interpolate(
+  n: number,
+  xi: Uint8Array,
+  yl: number,
+  yij: Uint8Array[],
+  x: number,
+): Uint8Array {
+  // The hazmat gf256 implementation needs the y-coordinate data
+  // to be in 32-byte blocks
+  const y: Uint8Array[] = [];
+  for (let i = 0; i < n; i++) {
+    y.push(new Uint8Array(MAX_SECRET_LEN));
+  }
+  const values = new Uint8Array(MAX_SECRET_LEN);
+
+  for (let i = 0; i < n; i++) {
+    y[i].set(yij[i].subarray(0, yl), 0);
+  }
+
+  const lagrange = new Uint8Array(n);
+  const ySlice = new Uint32Array(8);
+  const resultSlice = new Uint32Array(8);
+  const temp = new Uint32Array(8);
+
+  hazmatLagrangeBasis(lagrange, n, xi, x);
+
+  bitsliceSetall(resultSlice, 0);
+
+  for (let i = 0; i < n; i++) {
+    bitslice(ySlice, y[i]);
+    bitsliceSetall(temp, lagrange[i]);
+    const temp2 = new Uint32Array(temp);
+    gf256Mul(temp, temp2, ySlice);
+    gf256Add(resultSlice, temp);
+  }
+
+  unbitslice(values, resultSlice);
+
+  // the calling code is only expecting yl bytes back
+  const result = new Uint8Array(yl);
+  result.set(values.subarray(0, yl), 0);
+
+  // clean up stack
+  memzero(lagrange);
+  memzero(ySlice);
+  memzero(resultSlice);
+  memzero(temp);
+  memzeroVecVecU8(y);
+  memzero(values);
+
+  return result;
+}