sharing

package
v0.1.0
Warning

This package is not in the latest version of its module.

Published: Feb 16, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

README

Secret Sharing

This package contains various subpackages implementing a variety of secret sharing algorithms.

Documentation

Overview

Package sharing defines interfaces and types for secret sharing schemes.

Secret sharing allows a dealer to distribute a secret among n shareholders such that only authorized subsets can reconstruct it. This package provides the common abstractions used by concrete implementations (Shamir, Feldman, Pedersen, additive).

The main interface hierarchy is:

  • SSS: Basic secret sharing scheme
  • VSSS: Verifiable secret sharing (adds share verification)
  • LSSS: Linear secret sharing (shares form a vector space)
  • PolynomialLSSS: Polynomial-based LSSS (e.g., Shamir)


Variables

var (
	ErrIsNil      = errs.New("is nil")
	ErrValue      = errs.New("invalid value")
	ErrMembership = errs.New("membership error")
)

Functions

func NewOrdinalShareholderSet

func NewOrdinalShareholderSet(count uint) ds.Set[ID]

NewOrdinalShareholderSet creates a set of shareholder IDs {1, 2, ..., count}. This is a convenience function for creating standard shareholder sets where IDs are sequential integers starting from 1.

Types

type AccessStructure

type AccessStructure interface {
	IsAuthorized(...ID) bool
	Shareholders() ds.Set[ID]
}

AccessStructure defines which subsets of shareholders are authorized to reconstruct the secret. Common examples include threshold (any t-of-n) and minimal qualified (exactly these n shareholders).

type AdditiveSSS

type AdditiveSSS[
	S AdditiveShare[S, SV, AC], SV algebra.GroupElement[SV],
	W AdditivelyShareableSecret[W, WV], WV algebra.GroupElement[WV],
	DO DealerOutput[S], AC AccessStructure,
] SSS[S, W, DO, AC]

AdditiveSSS is a secret sharing scheme with additive homomorphism.

type AdditiveShare

type AdditiveShare[S interface {
	Share[S]
	algebra.HomomorphicLike[S, SV]
}, SV algebra.GroupElement[SV], AC AccessStructure,
] interface {
	Share[S]
	algebra.HomomorphicLike[S, SV]
}

AdditiveShare is a share that supports the group operation, allowing shares to be combined homomorphically. If parties hold shares of secrets a and b, they can locally compute shares of a+b.

type AdditivelyShareableSecret

type AdditivelyShareableSecret[W Secret[W], WV algebra.GroupElement[WV]] interface {
	Secret[W]
	base.Transparent[WV]
}

AdditivelyShareableSecret is a secret whose underlying value is a group element, enabling additive homomorphism on the shared secret.

type DealerOutput

type DealerOutput[S Share[S]] interface {
	Shares() ds.Map[ID, S]
}

DealerOutput contains the result of a dealing operation.

type ID

type ID uint64

ID uniquely identifies a shareholder. IDs must be non-zero for polynomial-based schemes since they serve as evaluation points.

func CollectIDs

func CollectIDs[S Share[S]](shares ...S) ([]ID, error)

CollectIDs extracts the shareholder IDs from a slice of shares. Returns an error if any share is nil.

type LSSS

type LSSS[
	S LinearShare[S, SV, SA, SC, AC], SV algebra.AdditiveGroupElement[SV], SA AdditiveShare[SA, SV, *MinimalQualifiedAccessStructure],
	W LinearlyShareableSecret[W, WV], WV algebra.PrimeFieldElement[WV], DO DealerOutput[S], SC any, AC AccessStructure, DF any,
] interface {
	AdditiveSSS[S, SV, W, WV, DO, AC]
	DealAndRevealDealerFunc(secret W, prng io.Reader) (DO, DF, error)
	DealRandomAndRevealDealerFunc(prng io.Reader) (DO, W, DF, error)
}

LSSS (Linear Secret Sharing Scheme) is a scheme where shares form a vector space. It supports revealing the dealer function (polynomial) for protocols that need it.

type LinearShare

LinearShare extends AdditiveShare with scalar multiplication and conversion to additive shares. This enables threshold-to-additive share conversion using Lagrange coefficients, which is essential for many MPC protocols.

type LinearlyShareableSecret

type LinearlyShareableSecret[W Secret[W], WV algebra.PrimeFieldElement[WV]] AdditivelyShareableSecret[W, WV]

LinearlyShareableSecret is a secret over a prime field, enabling linear operations on shares.

type MinimalQualifiedAccessStructure

type MinimalQualifiedAccessStructure struct {
	// contains filtered or unexported fields
}

MinimalQualifiedAccessStructure represents an n-of-n access structure where all shareholders must participate to reconstruct the secret. This is the access structure for additive secret sharing.

func NewMinimalQualifiedAccessStructure

func NewMinimalQualifiedAccessStructure(shareholders ds.Set[ID]) (*MinimalQualifiedAccessStructure, error)

NewMinimalQualifiedAccessStructure creates a new n-of-n access structure.

Parameters:

  • shareholders: The set of shareholder IDs (must have at least 2 members)

Returns an error if shareholders is nil or has fewer than 2 members.

func (*MinimalQualifiedAccessStructure) IsAuthorized

func (a *MinimalQualifiedAccessStructure) IsAuthorized(ids ...ID) bool

IsAuthorized returns true only if the given IDs exactly match all shareholders. Unlike threshold access structures, partial subsets are never authorized.

func (*MinimalQualifiedAccessStructure) MarshalCBOR

func (a *MinimalQualifiedAccessStructure) MarshalCBOR() ([]byte, error)

func (*MinimalQualifiedAccessStructure) Shareholders

func (a *MinimalQualifiedAccessStructure) Shareholders() ds.Set[ID]

Shareholders returns the set of all shareholder IDs.

func (*MinimalQualifiedAccessStructure) UnmarshalCBOR

func (a *MinimalQualifiedAccessStructure) UnmarshalCBOR(data []byte) error

type Name

type Name string

Name is a human-readable identifier for a secret sharing scheme.

type PolynomialLSSS

type PolynomialLSSS[
	S LinearShare[S, SV, SA, SC, AC], SV algebra.PrimeFieldElement[SV], SA AdditiveShare[SA, SV, *MinimalQualifiedAccessStructure],
	W LinearlyShareableSecret[W, WV], WV algebra.PrimeFieldElement[WV], DO DealerOutput[S], SC any, AC AccessStructure,
] LSSS[S, SV, SA, W, WV, DO, SC, AC, *polynomials.Polynomial[SV]]

PolynomialLSSS is an LSSS based on polynomial evaluation, such as Shamir's scheme. The dealer function is a polynomial f(x) where f(0) is the secret and f(i) is shareholder i's share.
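The following self-contained sketch is an added example, not code from this package. It works through the polynomial view described here together with the threshold-to-additive conversion mentioned under LinearShare, and shows why ID 0 is excluded: evaluating the dealer polynomial at 0 returns the secret itself. The field modulus, the polynomial coefficients and the names `Eval` and `ToAdditive` are assumptions made for illustration.

```go
package main

import "fmt"

const p uint64 = 2147483647 // toy prime 2^31-1 (constructed); products fit in uint64

func mul(a, b uint64) uint64 { return a % p * (b % p) % p }

func inv(a uint64) uint64 { // a^(p-2) mod p, the inverse by Fermat's little theorem
	r := uint64(1)
	for e := p - 2; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = mul(r, a)
		}
		a = mul(a, a)
	}
	return r
}

// Eval computes f(x) by Horner's rule; coeffs[0] = f(0) is the secret.
func Eval(coeffs []uint64, x uint64) uint64 {
	var y uint64
	for i := len(coeffs) - 1; i >= 0; i-- {
		y = (mul(y, x) + coeffs[i]) % p
	}
	return y
}

// ToAdditive scales each share f(i) by lambda_i = prod_{j != i} j/(j-i), giving
// additive shares whose sum is f(0). IDs must be distinct, non-zero and below p.
func ToAdditive(shares map[uint64]uint64) (add map[uint64]uint64, sum uint64) {
	add = make(map[uint64]uint64, len(shares))
	for i, y := range shares {
		num, den := uint64(1), uint64(1)
		for j := range shares {
			if j != i {
				num, den = mul(num, j), mul(den, j+p-i)
			}
		}
		add[i] = mul(mul(num, inv(den)), y)
		sum = (sum + add[i]) % p
	}
	return add, sum
}

func main() {
	f := []uint64{1234, 166, 94} // constructed, degree 2, so t = 3
	// Prints the additive shares of quorum {1, 3, 5}, then their sum.
	fmt.Println(ToAdditive(map[uint64]uint64{1: Eval(f, 1), 3: Eval(f, 3), 5: Eval(f, 5)}))
}
```

With only two of the three required shares the same computation still returns a field element, but one unrelated to the secret, so callers have to check the access structure before combining shares.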

type SSS

type SSS[S Share[S], W Secret[W], DO DealerOutput[S], AC AccessStructure] interface {
	Name() Name
	Deal(secret W, prng io.Reader) (DO, error)
	DealRandom(prng io.Reader) (DO, W, error)
	Reconstruct(shares ...S) (secret W, err error)
	AccessStructure() AC
}

SSS (Secret Sharing Scheme) is the base interface for all secret sharing schemes. It provides dealing (splitting a secret into shares) and reconstruction (recovering the secret from authorized shares).

type Secret

type Secret[W any] base.Equatable[W]

Secret is a value that can be shared among shareholders.

type Share

type Share[S any] interface {
	ID() ID
	base.Hashable[S]
}

Share represents a single shareholder's portion of a shared secret.

type ThresholdAccessStructure

type ThresholdAccessStructure struct {
	// contains filtered or unexported fields
}

ThresholdAccessStructure represents a (t,n) threshold access structure where any subset of at least t shareholders (out of n total) is authorized to reconstruct the secret.

func NewThresholdAccessStructure

func NewThresholdAccessStructure(t uint, ps ds.Set[ID]) (*ThresholdAccessStructure, error)

NewThresholdAccessStructure creates a new threshold access structure.

Parameters:

  • t: The threshold (minimum shares required), must be at least 2
  • ps: The set of shareholder IDs, must not contain 0

Returns an error if t < 2, t > |ps|, ps is nil, or ps contains 0.

func (*ThresholdAccessStructure) Clone

Clone returns a deep copy of this access structure.

func (*ThresholdAccessStructure) Equal

Equal returns true if two access structures have the same threshold and shareholders.

func (*ThresholdAccessStructure) IsAuthorized

func (a *ThresholdAccessStructure) IsAuthorized(ids ...ID) bool

IsAuthorized returns true if the given set of shareholder IDs forms an authorized subset (i.e., has at least t members, all from the shareholder set).

func (*ThresholdAccessStructure) MarshalCBOR

func (a *ThresholdAccessStructure) MarshalCBOR() ([]byte, error)

func (*ThresholdAccessStructure) Shareholders

func (a *ThresholdAccessStructure) Shareholders() ds.Set[ID]

Shareholders returns the set of all valid shareholder IDs.

func (*ThresholdAccessStructure) Threshold

func (a *ThresholdAccessStructure) Threshold() uint

Threshold returns the minimum number of shares required for reconstruction.

func (*ThresholdAccessStructure) UnmarshalCBOR

func (a *ThresholdAccessStructure) UnmarshalCBOR(data []byte) error

type ThresholdSSS

type ThresholdSSS[S Share[S], W Secret[W], DO DealerOutput[S]] SSS[S, W, DO, *ThresholdAccessStructure]

ThresholdSSS is a secret sharing scheme with a threshold access structure.

type VSSS

type VSSS[S Share[S], W Secret[W], V VerificationMaterial, DO VerifiableDealerOutput[S, V], AC AccessStructure] interface {
	SSS[S, W, DO, AC]
	Reconstruct(shares ...S) (secret W, err error)
	ReconstructAndVerify(reference V, shares ...S) (secret W, err error)
	Verify(share S, reference V) (err error)
}

VSSS (Verifiable Secret Sharing Scheme) extends SSS with the ability to verify shares against public verification material. This allows shareholders to detect a malicious dealer who distributes inconsistent shares.

type VerifiableDealerOutput

type VerifiableDealerOutput[S Share[S], V VerificationMaterial] DealerOutput[S]

VerifiableDealerOutput extends DealerOutput with verification material.

type VerificationMaterial

type VerificationMaterial any

VerificationMaterial is public information that allows shareholders to verify their shares without interaction. For Feldman/Pedersen VSS, this is the verification vector of group element commitments.
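As an added illustration (not this package's implementation), the sketch below shows a Feldman-style check of one share against a verification vector, which is how a shareholder detects an inconsistent share from the dealer. The toy group parameters, the polynomial and the function names `Deal` and `Verify` are assumptions chosen so the arithmetic can be followed by hand.

```go
package main

import (
	"fmt"
	"math/big"
)

// Constructed toy-sized group: G = 2 generates the order-11 subgroup of Z_23*.
const P, Q, G uint64 = 23, 11, 2

func pow(b, e uint64) uint64 { // b^e mod P
	n := func(v uint64) *big.Int { return new(big.Int).SetUint64(v) }
	return new(big.Int).Exp(n(b), n(e), n(P)).Uint64()
}

// Deal evaluates f at IDs 1..n over Z_Q and commits to each coefficient a_j
// as G^a_j; the slice of commitments is the verification vector.
func Deal(coeffs []uint64, n uint64) (shares map[uint64]uint64, vv []uint64) {
	shares = make(map[uint64]uint64)
	for id := uint64(1); id <= n; id++ {
		var y uint64
		for j := len(coeffs) - 1; j >= 0; j-- {
			y = (y*id + coeffs[j]) % Q
		}
		shares[id] = y
	}
	for _, a := range coeffs {
		vv = append(vv, pow(G, a))
	}
	return shares, vv
}

// Verify checks G^share == prod_j vv[j]^(id^j) mod P, using only public data.
func Verify(id, share uint64, vv []uint64) error {
	rhs, e := uint64(1), uint64(1) // e holds id^j mod Q
	for _, c := range vv {
		rhs = rhs * pow(c, e) % P
		e = e * id % Q
	}
	if pow(G, share) != rhs {
		return fmt.Errorf("share for ID %d does not match the verification vector", id)
	}
	return nil
}

func main() {
	shares, vv := Deal([]uint64{7, 3}, 3) // constructed f(x) = 7 + 3x, t = 2
	// First result: the honest share verifies. Second: an altered share is rejected.
	fmt.Println(Verify(2, shares[2], vv), Verify(2, shares[2]+1, vv))
}
```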

Directories

Path Synopsis
Package additive implements additive secret sharing over arbitrary groups.
Package feldman implements Feldman's verifiable secret sharing (VSS) scheme.
Package pedersen implements Pedersen's verifiable secret sharing (VSS) scheme.
Package shamir implements Shamir's (t,n) threshold secret sharing scheme.
zero
hjky
Package hjky provides zero-sum sharing protocol.
przs
Package przs provides pseudorandom (non-interactive) zero sharing.
przs/setup
Package przssetup provides commit-and-reveal setup for pairwise seeds used by the PRZS sampler.
