@forgesworn/shamir-words 1.0.3 → 1.1.0

package/README.md

@@ -1,5 +1,10 @@
 # shamir-words
 
+**Nostr:** [`npub1mgvlrnf5hm9yf0n5mf9nqmvarhvxkc6remu5ec3vf8r0txqkuk7su0e7q2`](https://njump.me/npub1mgvlrnf5hm9yf0n5mf9nqmvarhvxkc6remu5ec3vf8r0txqkuk7su0e7q2)
+
+[![npm](https://img.shields.io/npm/v/@forgesworn/shamir-words)](https://www.npmjs.com/package/@forgesworn/shamir-words)
+[![CI](https://github.com/forgesworn/shamir-words/actions/workflows/ci.yml/badge.svg)](https://github.com/forgesworn/shamir-words/actions/workflows/ci.yml)
+
 **Split secrets into human-readable word shares that can be spoken, written down, or stored separately.**
 
 Backing up cryptographic keys is hard. Raw byte shares are error-prone to transcribe and impossible to read over the phone. shamir-words combines [Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing) over GF(256) with [BIP-39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) word encoding, so each share becomes a list of familiar English words — just like a Bitcoin seed phrase.
@@ -116,6 +121,22 @@ The byte stream is split into 11-bit groups, each mapped to a BIP-39 word. The c
 - Share count: up to 255 (the GF(256) field size minus zero)
 - Threshold: 2-255 (single-share schemes are just copying, not secret sharing)
 
+## Part of the ForgeSworn Toolkit
+
+[ForgeSworn](https://forgesworn.dev) builds open-source cryptographic identity, payments, and coordination tools for Nostr.
+
+| Library | What it does |
+|---------|-------------|
+| [nsec-tree](https://github.com/forgesworn/nsec-tree) | Deterministic sub-identity derivation (uses shamir-words for recovery) |
+| [dominion](https://github.com/forgesworn/dominion) | Epoch-based encrypted access control (Shamir key distribution) |
+| [ring-sig](https://github.com/forgesworn/ring-sig) | SAG/LSAG ring signatures on secp256k1 |
+| [range-proof](https://github.com/forgesworn/range-proof) | Pedersen commitment range proofs |
+| [canary-kit](https://github.com/forgesworn/canary-kit) | Coercion-resistant spoken verification |
+| [spoken-token](https://github.com/forgesworn/spoken-token) | Human-speakable verification tokens |
+| [toll-booth](https://github.com/forgesworn/toll-booth) | L402 payment middleware |
+| [nostr-attestations](https://github.com/forgesworn/nostr-attestations) | NIP-VA verifiable attestations |
+| [geohash-kit](https://github.com/forgesworn/geohash-kit) | Geohash toolkit with polygon coverage |
+
 ## Licence
 
 [MIT](LICENCE)

package/dist/index.d.ts

@@ -1,34 +1,6 @@
-export declare class ShamirError extends Error {
-    constructor(message: string);
-}
-export declare class ShamirValidationError extends ShamirError {
-    constructor(message: string);
-}
-export declare class ShamirCryptoError extends ShamirError {
-    constructor(message: string);
-}
-export interface ShamirShare {
-    id: number;
-    threshold: number;
-    data: Uint8Array;
-}
-/**
- * Split a secret into shares using Shamir's Secret Sharing over GF(256).
- *
- * @param secret    The secret bytes to split
- * @param threshold Minimum shares needed to reconstruct (>= 2)
- * @param shares    Total number of shares to create (>= threshold, <= 255)
- * @returns Array of ShamirShare objects (each includes the threshold for encoding)
- */
-export declare function splitSecret(secret: Uint8Array, threshold: number, shares: number): ShamirShare[];
-/**
- * Reconstruct a secret from shares using Lagrange interpolation over GF(256).
- *
- * @param shares    Array of shares (at least `threshold` shares)
- * @param threshold The threshold used during splitting
- * @returns The reconstructed secret bytes
- */
-export declare function reconstructSecret(shares: ShamirShare[], threshold: number): Uint8Array;
+export { splitSecret, reconstructSecret, ShamirError, ShamirValidationError, ShamirCryptoError, } from '@forgesworn/shamir-core';
+export type { ShamirShare } from '@forgesworn/shamir-core';
+import type { ShamirShare } from '@forgesworn/shamir-core';
 /**
  * Encode a share as BIP-39 words.
  * Format: [data_length, threshold, share_id, ...data, checksum] → 11-bit groups → BIP-39 words.

package/dist/index.js

@@ -1,226 +1,16 @@
-// Shamir's Secret Sharing over GF(256)
-// Split secrets into threshold-of-n shares using polynomial interpolation
-// Shares can be encoded as BIP-39 words for human-readable exchange
+// BIP-39 word encoding for Shamir's Secret Sharing shares
+// Core split/reconstruct logic is provided by @forgesworn/shamir-core
 import { sha256 } from '@noble/hashes/sha2.js';
 import { wordlist as BIP39_WORDLIST } from '@scure/bip39/wordlists/english.js';
+// Re-export core Shamir functionality
+export { splitSecret, reconstructSecret, ShamirError, ShamirValidationError, ShamirCryptoError, } from '@forgesworn/shamir-core';
+import { ShamirValidationError } from '@forgesworn/shamir-core';
 /** O(1) word-to-index lookup, built once at module load */
 const BIP39_INDEX = new Map();
 for (let i = 0; i < BIP39_WORDLIST.length; i++) {
     BIP39_INDEX.set(BIP39_WORDLIST[i], i);
 }
 // ---------------------------------------------------------------------------
-// Errors
-// ---------------------------------------------------------------------------
-export class ShamirError extends Error {
-    constructor(message) {
-        super(message);
-        this.name = 'ShamirError';
-    }
-}
-export class ShamirValidationError extends ShamirError {
-    constructor(message) {
-        super(message);
-        this.name = 'ShamirValidationError';
-    }
-}
-export class ShamirCryptoError extends ShamirError {
-    constructor(message) {
-        super(message);
-        this.name = 'ShamirCryptoError';
-    }
-}
-// ---------------------------------------------------------------------------
-// GF(256) Arithmetic — irreducible polynomial 0x11b (same as AES)
-// ---------------------------------------------------------------------------
-const IRREDUCIBLE = 0x11b;
-const GENERATOR = 0x03;
-/** Log table: log_g(i) for i in [0..255]. LOG[0] is unused. */
-const LOG = new Uint8Array(256);
-/** Exp table: g^i for i in [0..255]. EXP[255] wraps to EXP[0]. */
-const EXP = new Uint8Array(256);
-/** Carryless multiplication used only during table construction */
-function gf256MulSlow(a, b) {
-    let result = 0;
-    let aa = a;
-    let bb = b;
-    while (bb > 0) {
-        if (bb & 1)
-            result ^= aa;
-        aa <<= 1;
-        if (aa & 0x100)
-            aa ^= IRREDUCIBLE;
-        bb >>= 1;
-    }
-    return result;
-}
-// Build log/exp tables at module load time using generator 0x03
-{
-    let val = 1;
-    for (let i = 0; i < 255; i++) {
-        EXP[i] = val;
-        LOG[val] = i;
-        val = gf256MulSlow(val, GENERATOR);
-    }
-    // Wrap: makes modular indexing simpler
-    EXP[255] = EXP[0];
-}
-/** Addition in GF(256) is XOR */
-function gf256Add(a, b) {
-    return a ^ b;
-}
-/** Multiplication in GF(256) using log/exp tables */
-function gf256Mul(a, b) {
-    if (a === 0 || b === 0)
-        return 0;
-    return EXP[(LOG[a] + LOG[b]) % 255];
-}
-/** Multiplicative inverse in GF(256) */
-function gf256Inv(a) {
-    if (a === 0)
-        throw new ShamirCryptoError('No inverse for zero in GF(256)');
-    return EXP[(255 - LOG[a]) % 255];
-}
-// ---------------------------------------------------------------------------
-// Shamir's Secret Sharing
-// ---------------------------------------------------------------------------
-/**
- * Evaluate a polynomial at x in GF(256) using Horner's method.
- * coeffs[0] is the constant term (the secret byte).
- */
-function evalPoly(coeffs, x) {
-    let result = 0;
-    for (let i = coeffs.length - 1; i >= 0; i--) {
-        result = gf256Add(gf256Mul(result, x), coeffs[i]);
-    }
-    return result;
-}
-/** Zero a byte array (defence-in-depth for secret material) */
-function zeroBytes(arr) {
-    arr.fill(0);
-}
-/**
- * Split a secret into shares using Shamir's Secret Sharing over GF(256).
- *
- * @param secret    The secret bytes to split
- * @param threshold Minimum shares needed to reconstruct (>= 2)
- * @param shares    Total number of shares to create (>= threshold, <= 255)
- * @returns Array of ShamirShare objects (each includes the threshold for encoding)
- */
-export function splitSecret(secret, threshold, shares) {
-    if (!(secret instanceof Uint8Array)) {
-        throw new ShamirValidationError('Secret must be a Uint8Array');
-    }
-    if (secret.length === 0) {
-        throw new ShamirValidationError('Secret must not be empty');
-    }
-    if (!Number.isSafeInteger(threshold) || !Number.isSafeInteger(shares)) {
-        throw new ShamirValidationError('Threshold and shares must be safe integers');
-    }
-    if (threshold < 2) {
-        throw new ShamirValidationError('Threshold must be at least 2');
-    }
-    if (shares < threshold) {
-        throw new ShamirValidationError('Number of shares must be >= threshold');
-    }
-    if (shares > 255) {
-        throw new ShamirValidationError('Number of shares must be <= 255');
-    }
-    if (secret.length > 255) {
-        throw new ShamirValidationError('Secret must be at most 255 bytes for BIP-39 word encoding');
-    }
-    const secretLen = secret.length;
-    const result = [];
-    // Initialize share data arrays
-    for (let i = 0; i < shares; i++) {
-        result.push({ id: i + 1, threshold, data: new Uint8Array(secretLen) });
-    }
-    // For each byte of the secret, build a random polynomial and evaluate
-    for (let byteIdx = 0; byteIdx < secretLen; byteIdx++) {
-        // coeffs[0] = secret byte, coeffs[1..threshold-1] = random
-        const coeffs = new Uint8Array(threshold);
-        coeffs[0] = secret[byteIdx];
-        const rand = new Uint8Array(threshold - 1);
-        crypto.getRandomValues(rand);
-        for (let j = 1; j < threshold; j++) {
-            coeffs[j] = rand[j - 1];
-        }
-        // Evaluate at x = 1, 2, ..., shares
-        for (let i = 0; i < shares; i++) {
-            result[i].data[byteIdx] = evalPoly(coeffs, i + 1);
-        }
-        zeroBytes(coeffs);
-        zeroBytes(rand);
-    }
-    return result;
-}
-/**
- * Reconstruct a secret from shares using Lagrange interpolation over GF(256).
- *
- * @param shares    Array of shares (at least `threshold` shares)
- * @param threshold The threshold used during splitting
- * @returns The reconstructed secret bytes
- */
-export function reconstructSecret(shares, threshold) {
-    if (!Number.isSafeInteger(threshold) || threshold < 2) {
-        throw new ShamirValidationError('Threshold must be an integer >= 2');
-    }
-    if (!Array.isArray(shares) || shares.length < threshold) {
-        throw new ShamirValidationError(`Need at least ${threshold} shares, got ${Array.isArray(shares) ? shares.length : 0}`);
-    }
-    // Use only the first `threshold` shares
-    const used = shares.slice(0, threshold);
-    // Validate share structure, IDs, and check for duplicates
-    const ids = new Set();
-    for (const share of used) {
-        if (!share || typeof share !== 'object') {
-            throw new ShamirValidationError('Each share must be an object with id and data properties');
-        }
-        if (!Number.isInteger(share.id) || share.id < 1 || share.id > 255) {
-            throw new ShamirValidationError('Invalid share ID: must be an integer in [1, 255]');
-        }
-        if (!(share.data instanceof Uint8Array)) {
-            throw new ShamirValidationError('Share data must be a Uint8Array');
-        }
-        if (ids.has(share.id)) {
-            throw new ShamirValidationError('Duplicate share IDs detected — each share must have a unique ID');
-        }
-        if (Number.isInteger(share.threshold) && share.threshold !== threshold) {
-            throw new ShamirValidationError(`Share threshold (${share.threshold}) does not match supplied threshold (${threshold})`);
-        }
-        ids.add(share.id);
-    }
-    const secretLen = used[0].data.length;
-    if (secretLen === 0) {
-        throw new ShamirValidationError('Share data must not be empty');
-    }
-    for (const share of used) {
-        if (share.data.length !== secretLen) {
-            throw new ShamirValidationError('Inconsistent share lengths — shares may be from different secrets');
-        }
-    }
-    const result = new Uint8Array(secretLen);
-    // Lagrange interpolation at x = 0 for each byte position
-    for (let byteIdx = 0; byteIdx < secretLen; byteIdx++) {
-        let value = 0;
-        for (let i = 0; i < threshold; i++) {
-            const xi = used[i].id;
-            const yi = used[i].data[byteIdx];
-            // Lagrange basis l_i(0) = product of x_j / (x_i ^ x_j) for j != i
-            // In GF(256): subtraction = addition = XOR
-            let basis = 1;
-            for (let j = 0; j < threshold; j++) {
-                if (i === j)
-                    continue;
-                const xj = used[j].id;
-                basis = gf256Mul(basis, gf256Mul(xj, gf256Inv(gf256Add(xi, xj))));
-            }
-            value = gf256Add(value, gf256Mul(yi, basis));
-        }
-        result[byteIdx] = value;
-    }
-    return result;
-}
-// ---------------------------------------------------------------------------
 // BIP-39 Word Encoding
 // ---------------------------------------------------------------------------
 /**
@@ -243,7 +33,7 @@ export function shareToWords(share) {
         throw new ShamirValidationError('Share data must be a non-empty Uint8Array');
     }
     if (share.data.length > 255) {
-        throw new ShamirValidationError('Share data exceeds maximum length (255 bytes)');
+        throw new ShamirValidationError('Share data exceeds maximum length (255 bytes) for BIP-39 word encoding');
     }
     // Build payload: [data_length, threshold, share_id, ...data]
     const payloadLen = 3 + share.data.length;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forgesworn/shamir-words",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "Shamir's Secret Sharing over GF(256) with BIP-39 word encoding for human-readable share exchange",
   "type": "module",
   "main": "./dist/index.js",
@@ -34,7 +34,8 @@
     "key-splitting"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "sideEffects": false,
   "license": "MIT",
@@ -47,15 +48,17 @@
     "url": "https://github.com/forgesworn/shamir-words.git"
   },
   "dependencies": {
+    "@forgesworn/shamir-core": "^1.0.0",
     "@noble/hashes": "^2.0.1",
     "@scure/bip39": "^2.0.1"
   },
   "devDependencies": {
-    "@semantic-release/changelog": "^6.0.3",
-    "@semantic-release/git": "^10.0.1",
     "@types/node": "^25.5.0",
-    "semantic-release": "^25.0.3",
     "typescript": "^5.7.0",
     "vitest": "^3.0.0"
+  },
+  "funding": {
+    "type": "lightning",
+    "url": "lightning:thedonkey@strike.me"
   }
 }

package/src/index.ts

@@ -1,275 +1,28 @@
-// Shamir's Secret Sharing over GF(256)
-// Split secrets into threshold-of-n shares using polynomial interpolation
-// Shares can be encoded as BIP-39 words for human-readable exchange
+// BIP-39 word encoding for Shamir's Secret Sharing shares
+// Core split/reconstruct logic is provided by @forgesworn/shamir-core
 
 import { sha256 } from '@noble/hashes/sha2.js';
 import { wordlist as BIP39_WORDLIST } from '@scure/bip39/wordlists/english.js';
 
+// Re-export core Shamir functionality
+export {
+  splitSecret,
+  reconstructSecret,
+  ShamirError,
+  ShamirValidationError,
+  ShamirCryptoError,
+} from '@forgesworn/shamir-core';
+export type { ShamirShare } from '@forgesworn/shamir-core';
+
+import { ShamirValidationError } from '@forgesworn/shamir-core';
+import type { ShamirShare } from '@forgesworn/shamir-core';
+
 /** O(1) word-to-index lookup, built once at module load */
 const BIP39_INDEX = new Map<string, number>();
 for (let i = 0; i < BIP39_WORDLIST.length; i++) {
   BIP39_INDEX.set(BIP39_WORDLIST[i]!, i);
 }
 
-// ---------------------------------------------------------------------------
-// Errors
-// ---------------------------------------------------------------------------
-
-export class ShamirError extends Error {
-  constructor(message: string) {
-    super(message);
-    this.name = 'ShamirError';
-  }
-}
-
-export class ShamirValidationError extends ShamirError {
-  constructor(message: string) {
-    super(message);
-    this.name = 'ShamirValidationError';
-  }
-}
-
-export class ShamirCryptoError extends ShamirError {
-  constructor(message: string) {
-    super(message);
-    this.name = 'ShamirCryptoError';
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Types
-// ---------------------------------------------------------------------------
-
-export interface ShamirShare {
-  id: number;          // 1-255 (the x coordinate)
-  threshold: number;   // 2-255 (minimum shares needed to reconstruct)
-  data: Uint8Array;    // evaluated polynomial bytes
-}
-
-// ---------------------------------------------------------------------------
-// GF(256) Arithmetic — irreducible polynomial 0x11b (same as AES)
-// ---------------------------------------------------------------------------
-
-const IRREDUCIBLE = 0x11b;
-const GENERATOR = 0x03;
-
-/** Log table: log_g(i) for i in [0..255]. LOG[0] is unused. */
-const LOG = new Uint8Array(256);
-/** Exp table: g^i for i in [0..255]. EXP[255] wraps to EXP[0]. */
-const EXP = new Uint8Array(256);
-
-/** Carryless multiplication used only during table construction */
-function gf256MulSlow(a: number, b: number): number {
-  let result = 0;
-  let aa = a;
-  let bb = b;
-  while (bb > 0) {
-    if (bb & 1) result ^= aa;
-    aa <<= 1;
-    if (aa & 0x100) aa ^= IRREDUCIBLE;
-    bb >>= 1;
-  }
-  return result;
-}
-
-// Build log/exp tables at module load time using generator 0x03
-{
-  let val = 1;
-  for (let i = 0; i < 255; i++) {
-    EXP[i] = val;
-    LOG[val] = i;
-    val = gf256MulSlow(val, GENERATOR);
-  }
-  // Wrap: makes modular indexing simpler
-  EXP[255] = EXP[0]!;
-}
-
-/** Addition in GF(256) is XOR */
-function gf256Add(a: number, b: number): number {
-  return a ^ b;
-}
-
-/** Multiplication in GF(256) using log/exp tables */
-function gf256Mul(a: number, b: number): number {
-  if (a === 0 || b === 0) return 0;
-  return EXP[(LOG[a]! + LOG[b]!) % 255]!;
-}
-
-/** Multiplicative inverse in GF(256) */
-function gf256Inv(a: number): number {
-  if (a === 0) throw new ShamirCryptoError('No inverse for zero in GF(256)');
-  return EXP[(255 - LOG[a]!) % 255]!;
-}
-
-// ---------------------------------------------------------------------------
-// Shamir's Secret Sharing
-// ---------------------------------------------------------------------------
-
-/**
- * Evaluate a polynomial at x in GF(256) using Horner's method.
- * coeffs[0] is the constant term (the secret byte).
- */
-function evalPoly(coeffs: Uint8Array, x: number): number {
-  let result = 0;
-  for (let i = coeffs.length - 1; i >= 0; i--) {
-    result = gf256Add(gf256Mul(result, x), coeffs[i]!);
-  }
-  return result;
-}
-
-/** Zero a byte array (defence-in-depth for secret material) */
-function zeroBytes(arr: Uint8Array): void {
-  arr.fill(0);
-}
-
-/**
- * Split a secret into shares using Shamir's Secret Sharing over GF(256).
- *
- * @param secret    The secret bytes to split
- * @param threshold Minimum shares needed to reconstruct (>= 2)
- * @param shares    Total number of shares to create (>= threshold, <= 255)
- * @returns Array of ShamirShare objects (each includes the threshold for encoding)
- */
-export function splitSecret(
-  secret: Uint8Array,
-  threshold: number,
-  shares: number,
-): ShamirShare[] {
-  if (!(secret instanceof Uint8Array)) {
-    throw new ShamirValidationError('Secret must be a Uint8Array');
-  }
-  if (secret.length === 0) {
-    throw new ShamirValidationError('Secret must not be empty');
-  }
-  if (!Number.isSafeInteger(threshold) || !Number.isSafeInteger(shares)) {
-    throw new ShamirValidationError('Threshold and shares must be safe integers');
-  }
-  if (threshold < 2) {
-    throw new ShamirValidationError('Threshold must be at least 2');
-  }
-  if (shares < threshold) {
-    throw new ShamirValidationError('Number of shares must be >= threshold');
-  }
-  if (shares > 255) {
-    throw new ShamirValidationError('Number of shares must be <= 255');
-  }
-  if (secret.length > 255) {
-    throw new ShamirValidationError('Secret must be at most 255 bytes for BIP-39 word encoding');
-  }
-
-  const secretLen = secret.length;
-  const result: ShamirShare[] = [];
-
-  // Initialize share data arrays
-  for (let i = 0; i < shares; i++) {
-    result.push({ id: i + 1, threshold, data: new Uint8Array(secretLen) });
-  }
-
-  // For each byte of the secret, build a random polynomial and evaluate
-  for (let byteIdx = 0; byteIdx < secretLen; byteIdx++) {
-    // coeffs[0] = secret byte, coeffs[1..threshold-1] = random
-    const coeffs = new Uint8Array(threshold);
-    coeffs[0] = secret[byteIdx]!;
-
-    const rand = new Uint8Array(threshold - 1);
-    crypto.getRandomValues(rand);
-    for (let j = 1; j < threshold; j++) {
-      coeffs[j] = rand[j - 1]!;
-    }
-
-    // Evaluate at x = 1, 2, ..., shares
-    for (let i = 0; i < shares; i++) {
-      result[i]!.data[byteIdx] = evalPoly(coeffs, i + 1);
-    }
-
-    zeroBytes(coeffs);
-    zeroBytes(rand);
-  }
-
-  return result;
-}
-
-/**
- * Reconstruct a secret from shares using Lagrange interpolation over GF(256).
- *
- * @param shares    Array of shares (at least `threshold` shares)
- * @param threshold The threshold used during splitting
- * @returns The reconstructed secret bytes
- */
-export function reconstructSecret(
-  shares: ShamirShare[],
-  threshold: number,
-): Uint8Array {
-  if (!Number.isSafeInteger(threshold) || threshold < 2) {
-    throw new ShamirValidationError('Threshold must be an integer >= 2');
-  }
-  if (!Array.isArray(shares) || shares.length < threshold) {
-    throw new ShamirValidationError(`Need at least ${threshold} shares, got ${Array.isArray(shares) ? shares.length : 0}`);
-  }
-
-  // Use only the first `threshold` shares
-  const used = shares.slice(0, threshold);
-
-  // Validate share structure, IDs, and check for duplicates
-  const ids = new Set<number>();
-  for (const share of used) {
-    if (!share || typeof share !== 'object') {
-      throw new ShamirValidationError('Each share must be an object with id and data properties');
-    }
-    if (!Number.isInteger(share.id) || share.id < 1 || share.id > 255) {
-      throw new ShamirValidationError('Invalid share ID: must be an integer in [1, 255]');
-    }
-    if (!(share.data instanceof Uint8Array)) {
-      throw new ShamirValidationError('Share data must be a Uint8Array');
-    }
-    if (ids.has(share.id)) {
-      throw new ShamirValidationError('Duplicate share IDs detected — each share must have a unique ID');
-    }
-    if (Number.isInteger(share.threshold) && share.threshold !== threshold) {
-      throw new ShamirValidationError(
-        `Share threshold (${share.threshold}) does not match supplied threshold (${threshold})`,
-      );
-    }
-    ids.add(share.id);
-  }
-
-  const secretLen = used[0]!.data.length;
-  if (secretLen === 0) {
-    throw new ShamirValidationError('Share data must not be empty');
-  }
-  for (const share of used) {
-    if (share.data.length !== secretLen) {
-      throw new ShamirValidationError('Inconsistent share lengths — shares may be from different secrets');
-    }
-  }
-  const result = new Uint8Array(secretLen);
-
-  // Lagrange interpolation at x = 0 for each byte position
-  for (let byteIdx = 0; byteIdx < secretLen; byteIdx++) {
-    let value = 0;
-
-    for (let i = 0; i < threshold; i++) {
-      const xi = used[i]!.id;
-      const yi = used[i]!.data[byteIdx]!;
-
-      // Lagrange basis l_i(0) = product of x_j / (x_i ^ x_j) for j != i
-      // In GF(256): subtraction = addition = XOR
-      let basis = 1;
-      for (let j = 0; j < threshold; j++) {
-        if (i === j) continue;
-        const xj = used[j]!.id;
-        basis = gf256Mul(basis, gf256Mul(xj, gf256Inv(gf256Add(xi, xj))));
-      }
-
-      value = gf256Add(value, gf256Mul(yi, basis));
-    }
-
-    result[byteIdx] = value;
-  }
-
-  return result;
-}
-
 // ---------------------------------------------------------------------------
 // BIP-39 Word Encoding
 // ---------------------------------------------------------------------------
@@ -294,7 +47,7 @@ export function shareToWords(share: ShamirShare): string[] {
     throw new ShamirValidationError('Share data must be a non-empty Uint8Array');
   }
   if (share.data.length > 255) {
-    throw new ShamirValidationError('Share data exceeds maximum length (255 bytes)');
+    throw new ShamirValidationError('Share data exceeds maximum length (255 bytes) for BIP-39 word encoding');
   }
 
   // Build payload: [data_length, threshold, share_id, ...data]