jmg
/
shamirss
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
A Pure Python implementation of Shamir's Secret Sharing
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13 Commits
1 Branch
269 KiB
 
Tree: 9391c8ce41
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9391c8ce41'
${ noResults }
shamirss/shamirss.py

371 lines
10 KiB
Raw Blame History 

  1. # Copyright 2023 John-Mark Gurney.

  2. #

  3. # Redistribution and use in source and binary forms, with or without

  4. # modification, are permitted provided that the following conditions

  5. # are met:

  6. # 1. Redistributions of source code must retain the above copyright

  7. #    notice, this list of conditions and the following disclaimer.

  8. # 2. Redistributions in binary form must reproduce the above copyright

  9. #    notice, this list of conditions and the following disclaimer in the

  10. #    documentation and/or other materials provided with the distribution.

  11. #

  12. # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

  13. # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  14. # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  15. # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  16. # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  17. # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  18. # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  19. # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  20. # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  21. # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  22. # SUCH DAMAGE.

  23. #

  24. 

  25. #

  26. # ls shamirss.py | entr sh -c ' date; python -m coverage run -m unittest shamirss && coverage report -m'

  27. #

  28. 

  29. '''

  30. An implementation of Shamir's Secret Sharing.

  31. 

  32. This is over GF(2^256), so unlike some other implementations that are

  33. over primes, it is valid for ALL values, and the output will be exactly

  34. the same length as the secret.  This limits the number of shares to

  35. 255.

  36. 

  37. Sample usage:

  38. ```

  39. import random

  40. from shamirss import *

  41. data = random.SystemRandom().randbytes(32)

  42. shares = create_shares(data, 3, 5)

  43. rdata = recover_data([ shares[1], shares[2], shares[4] ], 3)

  44. print(rdata == data)

  45. ```

  46. '''

  47. 

  48. import functools

  49. import itertools

  50. import operator

  51. import secrets

  52. import unittest.mock

  53. 

  54. random = secrets.SystemRandom()

  55. 

  56. __all__ = [

  57. 	'create_shares',

  58. 	'recover_data',

  59. 	'GF2p8',

  60. ]

  61. 

  62. def _makered(x, y):

  63. 	'''Make reduction table entry.

  64. 

  65. 	given x * 2^8, reduce it assuming polynomial y.

  66. 	'''

  67. 

  68. 	x = x << 8

  69. 

  70. 	for i in range(3, -1, -1):

  71. 		if x & (1 << (i + 8)):

  72. 			x ^= (0x100 + y) << i

  73. 

  74. 	assert x < 256

  75. 

  76. 	return x

  77. 

  78. def evalpoly(polynomial, powers):

  79. 	return sum(( x * y for x, y in zip(polynomial, powers,

  80. 	    strict=True)), 0)

  81. 

  82. def create_shares(data, k, nshares):

  83. 	'''Given data, create nshares, such that given any k shares,

  84. 	data can be recovered.

  85. 

  86. 	data must be bytes, or able to be converted to bytes, e.g. a list

  87. 	of ints in the range [ 0, 255 ].

  88. 

  89. 	The return value will be a list of length nshares.  Each element

  90. 	will be a tuple of (<int in range [ 1, nshares ]>, <bytes>).'''

  91. 

  92. 	data = bytes(data)

  93. 

  94. 	#print(repr(data), repr(k), repr(nshares))

  95. 

  96. 	powers = (None, ) + tuple(GF2p8(x).powerseries(k - 1) for x in

  97. 	    range(1, nshares + 1))

  98. 

  99. 	coeffs = [ [ x ] + [ random.randint(0, 255) for y in

  100. 	    range(k - 1) ] for idx, x in enumerate(data) ]

  101. 

  102. 	return [ (x, bytes([ int(evalpoly(coeffs[idx],

  103. 	    powers[x])) for idx, val in enumerate(data) ])) for x in

  104. 	    range(1, nshares + 1) ]

  105. 

  106. def recover_data(shares, k):

  107. 	'''Recover the value given shares, where k is the number of

  108. 	shares needed.

  109. 

  110. 	shares must be as least length of k.

  111. 

  112. 	Each element of shares is from one returned by create_shares,

  113. 	that is a tuple of an int and bytes.'''

  114. 

  115. 	if len(shares) < k:

  116. 		raise ValueError('not enough shares to recover')

  117. 

  118. 	return bytes([ int(sum(( GF2p8(y[idx]) *

  119. 	    functools.reduce(operator.mul, ( pix * ((GF2p8(pix) - x) ** -1) for

  120. 	    pix, piy in shares[:k] if pix != x ), 1) for x, y in shares[:k] ),

  121. 	    0)) for idx in range(len(shares[0][1]))])

  122. 

  123. class GF2p8:

  124. 	# polynomial 0x187

  125. 	'''An implementation of GF(2^8).  It uses the polynomial 0x187

  126. 	or x^8 + x^7 + x^2 + x + 1.

  127. 	'''

  128. 

  129. 	_invcache = (None, 1, 195, 130, 162, 126, 65, 90, 81, 54, 63, 172, 227, 104, 45, 42, 235, 155, 27, 53, 220, 30, 86, 165, 178, 116, 52, 18, 213, 100, 21, 221, 182, 75, 142, 251, 206, 233, 217, 161, 110, 219, 15, 44, 43, 14, 145, 241, 89, 215, 58, 244, 26, 19, 9, 80, 169, 99, 50, 245, 201, 204, 173, 10, 91, 6, 230, 247, 71, 191, 190, 68, 103, 123, 183, 33, 175, 83, 147, 255, 55, 8, 174, 77, 196, 209, 22, 164, 214, 48, 7, 64, 139, 157, 187, 140, 239, 129, 168, 57, 29, 212, 122, 72, 13, 226, 202, 176, 199, 222, 40, 218, 151, 210, 242, 132, 25, 179, 185, 135, 167, 228, 102, 73, 149, 153, 5, 163, 238, 97, 3, 194, 115, 243, 184, 119, 224, 248, 156, 92, 95, 186, 34, 250, 240, 46, 254, 78, 152, 124, 211, 112, 148, 125, 234, 17, 138, 93, 188, 236, 216, 39, 4, 127, 87, 23, 229, 120, 98, 56, 171, 170, 11, 62, 82, 76, 107, 203, 24, 117, 192, 253, 32, 74, 134, 118, 141, 94, 158, 237, 70, 69, 180, 252, 131, 2, 84, 208, 223, 108, 205, 60, 106, 177, 61, 200, 36, 232, 197, 85, 113, 150, 101, 28, 88, 49, 160, 38, 111, 41, 20, 31, 109, 198, 136, 249, 105, 12, 121, 166, 66, 246, 207, 37, 154, 16, 159, 189, 128, 96, 144, 47, 114, 133, 51, 59, 231, 67, 137, 225, 143, 35, 193, 181, 146, 79)

  130. 

  131. 	@staticmethod

  132. 	def _primativemul(a, b):

  133. 		masks = [ 0, 0xff ]

  134. 

  135. 		r = 0

  136. 

  137. 		for i in range(0, 8):

  138. 			mask = a & 1

  139. 			r ^= (masks[mask] & b) << i

  140. 			a = a >> 1

  141. 

  142. 		return r

  143. 

  144. 	_reduce = (0, 135, 137, 14, 149, 18, 28, 155, 173, 42, 36, 163, 56, 191, 177, 54)

  145. 

  146. 	def __init__(self, v):

  147. 		'''v must be in the range [ 0, 255 ].

  148. 

  149. 		Create an element of GF(2^8).

  150. 

  151. 		The operators have been overloaded, so most normal math works.

  152. 

  153. 		It will also automatically promote non-GF2p8 numbers if

  154. 		possible, e.g. GF2p8(5) + 10 works.

  155. 		'''

  156. 

  157. 		if v >= 256 or v < 0:

  158. 			raise ValueError('%d is not a member of GF(2^8)' % v)

  159. 

  160. 		self._v = int(v)

  161. 

  162. 		if self._v != v:

  163. 			raise ValueError('%d is not a member of GF(2^8)' % v)

  164. 

  165. 	# basic operations

  166. 	def __add__(self, o):

  167. 		if isinstance(o, int):

  168. 			return self + self.__class__(o)

  169. 

  170. 		return self.__class__(self._v ^ o._v)

  171. 

  172. 	def __radd__(self, o):

  173. 		return self.__add__(o)

  174. 

  175. 	def __sub__(self, o):

  176. 		return self.__add__(o)

  177. 

  178. 	def __rsub__(self, o):

  179. 		return self.__sub__(o)

  180. 

  181. 	def __mul__(self, o):

  182. 

  183. 		if isinstance(o, int):

  184. 			o = self.__class__(o)

  185. 

  186. 		m = o._v

  187. 

  188. 		# multiply

  189. 		r = self._primativemul(self._v, m)

  190. 

  191. 		# reduce

  192. 		r ^= self._reduce[r >> 12] << 4

  193. 		r ^= self._reduce[(r >> 8) & 0xf ]

  194. 

  195. 		r &= 0xff

  196. 

  197. 		return self.__class__(r)

  198. 

  199. 	def __rmul__(self, o):

  200. 		return self.__mul__(o)

  201. 

  202. 	def __pow__(self, x):

  203. 		if x == -1 and self._invcache:

  204. 			return GF2p8(self._invcache[self._v])

  205. 

  206. 		if x < 0:

  207. 			x += 255

  208. 

  209. 		v = self.__class__(1)

  210. 

  211. 		# TODO - make faster via caching and squaring

  212. 		for i in range(x):

  213. 			v *= self

  214. 

  215. 		return v

  216. 

  217. 	def powerseries(self, cnt):

  218. 		'''Generate [ self ** 0, self ** 1, ..., self ** cnt ].'''

  219. 

  220. 		r = [ self.__class__(1) ]

  221. 

  222. 		for i in range(1, cnt + 1):

  223. 			r.append(r[-1] * self)

  224. 

  225. 		return r

  226. 

  227. 	def __eq__(self, o):

  228. 		if isinstance(o, int):

  229. 			return self._v == o

  230. 

  231. 		return self._v == o._v

  232. 

  233. 	def __int__(self):

  234. 		return self._v

  235. 

  236. 	def __repr__(self):

  237. 		return '%s(%d)' % (self.__class__.__name__, self._v)

  238. 

  239. class TestShamirSS(unittest.TestCase):

  240. 	def test_evalpoly(self):

  241. 		a = GF2p8(random.randint(0, 255))

  242. 

  243. 		powers = a.powerseries(4)

  244. 

  245. 		self.assertTrue(all(isinstance(x, GF2p8) for x in powers))

  246. 

  247. 		vals = [ GF2p8(random.randint(0, 255)) for x in range(5) ]

  248. 

  249. 		r = evalpoly(vals, powers)

  250. 		self.assertEqual(r, vals[0] + vals[1] * powers[1] + vals[2] *

  251. 		    powers[2] + vals[3] * powers[3] + vals[4] * powers[4])

  252. 

  253. 		r = evalpoly(vals[:3], powers[:3])

  254. 		self.assertEqual(r, vals[0] + vals[1] * powers[1] + vals[2] *

  255. 		    powers[2])

  256. 

  257. 		self.assertRaises(ValueError, evalpoly, [1], [1, 2])

  258. 

  259. 	def test_create_shares(self):

  260. 		self.assertRaises(TypeError, create_shares, '', 1, 1)

  261. 

  262. 		val = bytes([ random.randint(0, 255) for x in range(100) ])

  263. 		#val = b'this is a test of english text.'

  264. 		#val = b'1234'

  265. 

  266. 		a = create_shares(val, 2, 3)

  267. 

  268. 		self.assertNotIn(val, set(x[1] for x in a))

  269. 

  270. 		# that it has the number of shares

  271. 		self.assertEqual(len(a), 3)

  272. 

  273. 		# that the length of the share data matches passed in data

  274. 		self.assertEqual(len(a[0][1]), len(val))

  275. 

  276. 		# that one share isn't enough

  277. 		self.assertRaises(ValueError, recover_data, [ a[0] ], 2)

  278. 

  279. 		for i, j in itertools.combinations(range(3), 2):

  280. 			self.assertEqual(val, recover_data([ a[i], a[j] ], 2))

  281. 			self.assertEqual(val, recover_data([ a[j], a[i] ], 2))

  282. 

  283. 		a = create_shares(val, 15, 30)

  284. 

  285. 		for i in range(5):

  286. 			self.assertEqual(val, recover_data([ a[j] for j in random.sample(range(30), 15) ], 15))

  287. 

  288. 	def test_gf2p8_reduce(self):

  289. 		reduce = tuple(_makered(x, 0x87) for x in range(0, 16))

  290. 

  291. 		if GF2p8._reduce != reduce: # pragma: no cover

  292. 			print('reduce:', repr(reduce))

  293. 			self.assertEqual(GF2p8._reduce, reduce)

  294. 

  295. 

  296. 	def test_gf2p8_inv(self):

  297. 

  298. 		a = GF2p8(random.randint(0, 255))

  299. 

  300. 		with unittest.mock.patch.object(GF2p8, '_invcache', ()) as pinvc:

  301. 			ainv = a ** -1

  302. 

  303. 			self.assertEqual(a * ainv, 1)

  304. 

  305. 			invcache = (None, ) + \

  306. 			    tuple(int(GF2p8(x) ** -1) for x in range(1, 256))

  307. 

  308. 		if GF2p8._invcache != invcache: # pragma: no cover

  309. 			print('inv cache:', repr(invcache))

  310. 			self.assertEqual(GF2p8._invcache, invcache)

  311. 

  312. 	def test_gf2p8_power(self):

  313. 		a = GF2p8(random.randint(0, 255))

  314. 

  315. 		v = GF2p8(1)

  316. 		for i in range(10):

  317. 			self.assertEqual(a ** i, v)

  318. 

  319. 			v = v * a

  320. 

  321. 		for i in range(10):

  322. 			a = GF2p8(random.randint(0, 255))

  323. 

  324. 			powers = a.powerseries(10)

  325. 			for j in range(11):

  326. 				self.assertEqual(powers[j], a ** j)

  327. 

  328. 	def test_gf2p8_errors(self):

  329. 		self.assertRaises(ValueError, GF2p8, 1000)

  330. 		self.assertRaises(ValueError, GF2p8, 40.5)

  331. 		self.assertRaises(ValueError, GF2p8, -1)

  332. 

  333. 	def test_gf2p8(self):

  334. 		self.assertEqual(int(GF2p8(5)), 5)

  335. 		self.assertEqual(repr(GF2p8(5)), 'GF2p8(5)')

  336. 

  337. 		for i in range(10):

  338. 			a = GF2p8(random.randint(0, 255))

  339. 			b = GF2p8(random.randint(0, 255))

  340. 			c = GF2p8(random.randint(0, 255))

  341. 

  342. 			self.assertEqual(a * 0, 0)

  343. 

  344. 			# Identity

  345. 			self.assertEqual(a + 0, a)

  346. 			self.assertEqual(a * 1, a)

  347. 			self.assertEqual(0 + a, a)

  348. 			self.assertEqual(1 * a, a)

  349. 			self.assertEqual(0 - a, a)

  350. 

  351. 			# Associativity

  352. 			self.assertEqual((a + b) + c, a + (b + c))

  353. 			self.assertEqual((a * b) * c, a * (b * c))

  354. 

  355. 			# Communitative

  356. 			self.assertEqual(a + b, b + a)

  357. 			self.assertEqual(a * b, b * a)

  358. 

  359. 			# Distributive

  360. 			self.assertEqual(a * (b + c), a * b + a * c)

  361. 			self.assertEqual((b + c) * a, b * a + c * a)

  362. 

  363. 			# Basic mul

  364. 			self.assertEqual(GF2p8(0x80) * 2, 0x87)

  365. 			self.assertEqual(GF2p8(0x80) * 6,

  366. 			    (0x80 * 6) ^ (0x187 << 1))

  367. 			self.assertEqual(GF2p8(0x80) * 8,

  368. 			    (0x80 * 8) ^ (0x187 << 2) ^ (0x187 << 1) ^ 0x187)

  369. 

  370. 			self.assertEqual(a + b - b, a)