feldman

package
v0.1.0
Warning

This package is not in the latest version of its module.

Published: Feb 16, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

README

Feldman Verifiable Secret Sharing

Extends Shamir's scheme with public verification of shares.

Security

  • Computational hiding: secret hidden under discrete log assumption
  • Public verifiability: shareholders can verify their shares without interaction

Usage

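scheme, err := feldman.NewScheme(basePoint, threshold, shareholders)
if err != nil {
	return err
}

// Deal shares with verification vector
output, err := scheme.Deal(secret, prng)
if err != nil {
	return err
}
shares := output.Shares()
verificationVector := output.VerificationMaterial()

// Verify a share against the public verification vector
if err := scheme.Verify(share, verificationVector); err != nil {
	return err
}

// Reconstruct from at least `threshold` shares
// (qualifiedShares is a placeholder name for a []*feldman.Share[FE])
recovered, err := scheme.Reconstruct(qualifiedShares...)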

How It Works

The dealer publishes commitments C_j = g^{a_j} for each coefficient a_j of the dealing polynomial. Shareholders verify their share s_i by checking that g^{s_i} = ∏_j C_j^{i^j}.

Reference

Feldman, P. "A Practical Scheme for Non-interactive Verifiable Secret Sharing." FOCS, 1987.

Documentation

Overview

Package feldman implements Feldman's verifiable secret sharing (VSS) scheme.

Feldman VSS extends Shamir's scheme with public verification. The dealer publishes commitments C_j = g^{a_j} for each coefficient a_j of the dealing polynomial. Shareholders can verify their share s_i by checking that g^{s_i} = ∏_j C_j^{i^j}.

This provides computational hiding (secret is hidden under DLog assumption) but only computational binding (dealer can potentially equivocate).
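The verification equation from "How It Works" and the overview above, as an added example using only math/big. It is not this package's code: the toy group (p = 2039, q = 1019, g = 4), the coefficients and the names evalPoly, commit and verifyShare are constructed for illustration, and commitments are assumed to lie in the order-q subgroup.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy group, constructed for illustration and far too small for real use:
// p = 2q+1 with p, q prime, and g = 4 generates the order-q subgroup of Z_p^*.
var p, q, g = big.NewInt(2039), big.NewInt(1019), big.NewInt(4)

// evalPoly returns the share f(i) = sum_j a_j * i^j mod q (Horner's rule).
func evalPoly(coeffs []*big.Int, i int64) *big.Int {
	x, acc := big.NewInt(i), big.NewInt(0)
	for j := len(coeffs) - 1; j >= 0; j-- {
		acc.Mul(acc, x).Add(acc, coeffs[j]).Mod(acc, q)
	}
	return acc
}

// commit returns the verification vector C_j = g^{a_j} mod p.
func commit(coeffs []*big.Int) []*big.Int {
	cs := make([]*big.Int, len(coeffs))
	for j, a := range coeffs {
		cs[j] = new(big.Int).Exp(g, a, p)
	}
	return cs
}

// verifyShare checks g^{s_i} == prod_j C_j^{i^j} (mod p) for shareholder i.
func verifyShare(i int64, share *big.Int, cs []*big.Int) bool {
	if share.Sign() < 0 || share.Cmp(q) >= 0 {
		return false // shares must be canonical elements of Z_q
	}
	rhs, pow, x := big.NewInt(1), big.NewInt(1), big.NewInt(i)
	for _, c := range cs {
		rhs.Mul(rhs, new(big.Int).Exp(c, pow, p)).Mod(rhs, p)
		pow.Mul(pow, x).Mod(pow, q) // exponents are reduced mod the group order
	}
	return new(big.Int).Exp(g, share, p).Cmp(rhs) == 0
}

func main() {
	coeffs := []*big.Int{big.NewInt(777), big.NewInt(123), big.NewInt(456)} // a_0 = secret
	cs, s3 := commit(coeffs), evalPoly(coeffs, 3)
	tampered := new(big.Int).Add(s3, big.NewInt(1))
	fmt.Println(verifyShare(3, s3, cs), verifyShare(3, tampered, cs)) // true false
}
```

A share that was altered in transit, or a valid share presented under the wrong shareholder ID, fails the same check.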


Constants

const Name sharing.Name = "Feldman's Verifiable Secret Sharing Scheme"

Name is the canonical name of this secret sharing scheme.

Variables

var (
	ErrIsNil        = errs.New("is nil")
	ErrMembership   = errs.New("membership error")
	ErrFailed       = errs.New("failed")
	ErrArgument     = errs.New("invalid argument")
	ErrVerification = errs.New("verification failed")
)


Types

type DealerFunc

type DealerFunc[FE algebra.PrimeFieldElement[FE]] = shamir.DealerFunc[FE]

DealerFunc is the polynomial used to generate shares (same as Shamir).

type DealerOutput

type DealerOutput[E algebra.PrimeGroupElement[E, FE], FE algebra.PrimeFieldElement[FE]] struct {
	// contains filtered or unexported fields
}

DealerOutput contains the result of a Feldman VSS dealing operation: a map of shares and the verification vector for share verification.

func (*DealerOutput[E, FE]) Shares

func (d *DealerOutput[E, FE]) Shares() ds.Map[sharing.ID, *Share[FE]]

Shares returns the map of shareholder IDs to their corresponding shares.

func (*DealerOutput[E, FE]) VerificationMaterial

func (d *DealerOutput[E, FE]) VerificationMaterial() VerificationVector[E, FE]

VerificationMaterial returns the verification vector V = (g^{a_0}, g^{a_1}, ..., g^{a_{t-1}}) which allows shareholders to verify their shares without revealing the secret.

type LiftedShare

type LiftedShare[E algebra.PrimeGroupElement[E, FE], FE algebra.PrimeFieldElement[FE]] struct {
	// contains filtered or unexported fields
}

LiftedShare represents a share lifted to the exponent: g^{f(i)} where f(i) is the underlying Shamir share value. This is used when shares need to be verified or combined in the group rather than the field.

func NewLiftedShare

func NewLiftedShare[E algebra.PrimeGroupElement[E, FE], FE algebra.PrimeFieldElement[FE]](id sharing.ID, v E) (*LiftedShare[E, FE], error)

NewLiftedShare creates a new lifted share with the given ID and group element value.

func (*LiftedShare[E, FE]) ID

func (s *LiftedShare[E, FE]) ID() sharing.ID

ID returns the shareholder identifier for this lifted share.

func (*LiftedShare[E, FE]) MarshalCBOR

func (s *LiftedShare[E, FE]) MarshalCBOR() ([]byte, error)

func (*LiftedShare[E, FE]) ToAdditive

func (s *LiftedShare[E, FE]) ToAdditive(qualifiedSet *sharing.MinimalQualifiedAccessStructure) (*additive.Share[E], error)

ToAdditive converts this lifted share to an additive share by exponentiating with the appropriate Lagrange coefficient. For shareholder i in qualified set S, the result is g^{λ_i · f(i)} where λ_i is the Lagrange coefficient. The resulting additive shares can be multiplied together to reconstruct g^s.

func (*LiftedShare[E, FE]) UnmarshalCBOR

func (s *LiftedShare[E, FE]) UnmarshalCBOR(data []byte) error

func (*LiftedShare[E, FE]) Value

func (s *LiftedShare[E, FE]) Value() E

Value returns the group element value g^{f(i)} of this lifted share.

type Scheme

type Scheme[E algebra.PrimeGroupElement[E, FE], FE algebra.PrimeFieldElement[FE]] struct {
	// contains filtered or unexported fields
}

Scheme implements Feldman's verifiable secret sharing.

func NewScheme

func NewScheme[E algebra.PrimeGroupElement[E, FE], FE algebra.PrimeFieldElement[FE]](basePoint E, threshold uint, shareholders ds.Set[sharing.ID]) (*Scheme[E, FE], error)

NewScheme creates a new Feldman VSS scheme.

Parameters:

  • basePoint: Generator g of the group used for verification commitments
  • threshold: Minimum shares required for reconstruction (must be ≥ 2)
  • shareholders: Set of shareholder IDs

func (*Scheme[E, FE]) AccessStructure

func (d *Scheme[E, FE]) AccessStructure() *sharing.ThresholdAccessStructure

AccessStructure returns the threshold access structure.

func (*Scheme[E, FE]) Deal

func (d *Scheme[E, FE]) Deal(secret *Secret[FE], prng io.Reader) (*DealerOutput[E, FE], error)

Deal creates shares for the given secret along with a verification vector.

func (*Scheme[E, FE]) DealAndRevealDealerFunc

func (d *Scheme[E, FE]) DealAndRevealDealerFunc(secret *Secret[FE], prng io.Reader) (*DealerOutput[E, FE], DealerFunc[FE], error)

DealAndRevealDealerFunc creates shares and returns the dealing polynomial. The verification vector is computed as g^{f(x)}, that is, each coefficient of the dealing polynomial f lifted to the exponent.

func (*Scheme[E, FE]) DealRandom

func (d *Scheme[E, FE]) DealRandom(prng io.Reader) (*DealerOutput[E, FE], *Secret[FE], error)

DealRandom generates shares for a randomly sampled secret.

func (*Scheme[E, FE]) DealRandomAndRevealDealerFunc

func (d *Scheme[E, FE]) DealRandomAndRevealDealerFunc(prng io.Reader) (output *DealerOutput[E, FE], secret *Secret[FE], dealerFunc DealerFunc[FE], err error)

DealRandomAndRevealDealerFunc generates shares for a random secret and returns the dealing polynomial.

func (*Scheme[E, FE]) Name

func (*Scheme[E, FE]) Name() sharing.Name

Name returns the canonical name of this scheme.

func (*Scheme[E, FE]) Reconstruct

func (d *Scheme[E, FE]) Reconstruct(shares ...*Share[FE]) (*Secret[FE], error)

Reconstruct recovers the secret from a set of shares using Lagrange interpolation.

func (*Scheme[E, FE]) ReconstructAndVerify

func (d *Scheme[E, FE]) ReconstructAndVerify(reference VerificationVector[E, FE], shares ...*Share[FE]) (*Secret[FE], error)

ReconstructAndVerify recovers the secret and verifies each share against the verification vector before reconstruction.

func (*Scheme[E, FE]) Verify

func (d *Scheme[E, FE]) Verify(share *Share[FE], reference VerificationVector[E, FE]) error

Verify checks that a share is consistent with the verification vector. Returns nil if g^{share} equals the evaluation of the verification vector at the share's ID.

type Secret

type Secret[FE algebra.PrimeFieldElement[FE]] = shamir.Secret[FE]

Secret is a Feldman VSS secret, which is identical to a Shamir secret. This is the value s = f(0) that is shared among the shareholders.

func NewSecret

func NewSecret[FE algebra.PrimeFieldElement[FE]](value FE) *Secret[FE]

NewSecret creates a new secret from a field element.

type Share

type Share[FE algebra.PrimeFieldElement[FE]] = shamir.Share[FE]

Share is a Feldman VSS share, which is identical to a Shamir share. The share value is f(i) where f is the dealing polynomial and i is the shareholder ID.

func NewShare

func NewShare[FE algebra.PrimeFieldElement[FE]](id sharing.ID, v FE, ac *sharing.ThresholdAccessStructure) (*Share[FE], error)

NewShare creates a new Feldman share with the given ID and value. If an access structure is provided, validates that the ID is a valid shareholder.

type SharesInExponent

type SharesInExponent[E algebra.PrimeGroupElement[E, FE], FE algebra.PrimeFieldElement[FE]] []*LiftedShare[E, FE]

SharesInExponent is a collection of lifted shares that can be used to reconstruct the secret in the exponent (i.e., g^s) without revealing s.

func (SharesInExponent[E, FE]) ReconstructAsAdditive

func (s SharesInExponent[E, FE]) ReconstructAsAdditive() (E, error)

ReconstructAsAdditive reconstructs g^s from a set of lifted shares using Lagrange interpolation in the exponent. Each share g^{f(i)} is raised to its Lagrange coefficient λ_i, and the results are multiplied together: g^s = ∏_i (g^{f(i)})^{λ_i} = g^{∑_i λ_i·f(i)} = g^{f(0)} = g^s.
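Lagrange interpolation in the exponent, as described for ToAdditive and ReconstructAsAdditive, shown as an added example with math/big. It is not this package's code: the toy group, the polynomial f(x) = 777 + 123x + 456x² and the names lagrangeAtZero, reconstructInExponent and lift are constructed, and shareholder IDs are assumed nonzero and distinct mod q.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy group (constructed, not secure): g = 4 has prime order q in Z_p^*, p = 2q+1.
var p, q, g = big.NewInt(2039), big.NewInt(1019), big.NewInt(4)

// lagrangeAtZero returns λ_i = ∏_{j≠i} j/(j-i) mod q over the ID set ids.
func lagrangeAtZero(i int64, ids []int64) *big.Int {
	num, den := big.NewInt(1), big.NewInt(1)
	for _, j := range ids {
		if j == i {
			continue
		}
		num.Mul(num, big.NewInt(j)).Mod(num, q)
		den.Mul(den, big.NewInt(j-i)).Mod(den, q) // Mod keeps den in [0, q)
	}
	return num.Mul(num, den.ModInverse(den, q)).Mod(num, q)
}

// reconstructInExponent returns ∏_i (g^{f(i)})^{λ_i} mod p = g^{f(0)},
// given lifted shares keyed by shareholder ID. The secret f(0) is never formed.
func reconstructInExponent(lifted map[int64]*big.Int) *big.Int {
	ids := make([]int64, 0, len(lifted))
	for id := range lifted {
		ids = append(ids, id)
	}
	acc := big.NewInt(1)
	for _, id := range ids {
		term := new(big.Int).Exp(lifted[id], lagrangeAtZero(id, ids), p)
		acc.Mul(acc, term).Mod(acc, p)
	}
	return acc
}

// lift returns g^{f(i)} for the constructed polynomial f (threshold 3).
func lift(i int64) *big.Int {
	f := big.NewInt(777 + 123*i + 456*i*i)
	return new(big.Int).Exp(g, f.Mod(f, q), p)
}

func main() {
	got := reconstructInExponent(map[int64]*big.Int{1: lift(1), 3: lift(3), 5: lift(5)})
	fmt.Println(got.Cmp(new(big.Int).Exp(g, big.NewInt(777), p)) == 0) // true
}
```

With fewer than three lifted shares the product is a different group element, so the output is only meaningful for a qualified set.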

type VerificationVector

type VerificationVector[E algebra.PrimeGroupElement[E, FE], FE algebra.PrimeFieldElement[FE]] = *polynomials.ModuleValuedPolynomial[E, FE]

VerificationVector is the public commitment to the dealing polynomial, where each coefficient is lifted to the exponent: V_j = g^{a_j}.
