Documentation
Overview
Package pedersen implements Pedersen's verifiable secret sharing (VSS) scheme.
Pedersen VSS extends Feldman VSS with information-theoretic hiding. The dealer uses two random polynomials: f(x) for the secret and r(x) for blinding. Each share consists of (f(i), r(i)). The verification vector contains Pedersen commitments C_j = g^{a_j}·h^{b_j} where a_j, b_j are coefficients of f and r.
Shareholders verify their share (s_i, t_i) by checking that g^{s_i}·h^{t_i} equals the evaluation of the verification vector at their ID. Unlike Feldman, the secret remains hidden even to an unbounded adversary (information-theoretic hiding), assuming the discrete log relation between g and h is unknown.
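The dealing and verification steps just described, as an added example that is not code from this package (its own API is listed below). It uses only math/big over a toy group constructed for illustration, the order-11 subgroup of Z_23^* with g = 4 and h = 9; a real deployment uses a cryptographic group and an h whose discrete log to base g is unknown, which is the assumption the hiding property rests on.

```go
package main

import "math/big"

// Toy group, constructed for illustration: the order-11 subgroup of Z_23^* (p = 23, q = 11),
// generated by both g = 4 and h = 9. Share values are elements of the field Z_11.
var p, q, g, h = big.NewInt(23), big.NewInt(11), big.NewInt(4), big.NewInt(9)

type share struct{ id, s, t *big.Int } // (i, f(i), r(i)) as dealt to shareholder i

// evalPoly evaluates coefficients c[0..t-1] at x over Z_q by Horner's rule.
func evalPoly(c []*big.Int, x *big.Int) *big.Int {
	acc := new(big.Int)
	for j := len(c) - 1; j >= 0; j-- {
		acc.Mul(acc, x).Add(acc, c[j]).Mod(acc, q)
	}
	return acc
}

// commit returns the Pedersen commitment g^a * h^b mod p.
func commit(a, b *big.Int) *big.Int {
	c := new(big.Int).Exp(g, a, p)
	return c.Mul(c, new(big.Int).Exp(h, b, p)).Mod(c, p)
}

// deal returns the share (i, f(i), r(i)) for every id and the verification vector
// V_j = g^{a_j} * h^{b_j}, one commitment per coefficient pair of (f, r), which must have equal length.
func deal(f, r []*big.Int, ids ...int64) (shares []share, vec []*big.Int) {
	for j := range f {
		vec = append(vec, commit(f[j], r[j]))
	}
	for _, i := range ids {
		x := big.NewInt(i)
		shares = append(shares, share{x, evalPoly(f, x), evalPoly(r, x)})
	}
	return shares, vec
}

// verify checks g^s * h^t == prod_j V_j^(i^j) mod p, the vector "evaluated" at i.
// Only the public commitments enter the right-hand side, and they hide a_j and b_j.
func verify(sh share, vec []*big.Int) bool {
	rhs, pow := big.NewInt(1), big.NewInt(1) // pow runs through i^0, i^1, ... mod q
	for _, v := range vec {
		rhs.Mul(rhs, new(big.Int).Exp(v, pow, p)).Mod(rhs, p)
		pow.Mul(pow, sh.id).Mod(pow, q)
	}
	return commit(sh.s, sh.t).Cmp(rhs) == 0
}
```

Because both the share components and the commitments are homomorphic, the component-wise sum of shares from two dealings (the package's Share.Add) verifies against the coefficient-wise product of the two verification vectors.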
Index
- Constants
- Variables
- type DealerFunc
- type DealerOutput
- type LiftedDealerFunc
- type Scheme
- func (s *Scheme[E, S]) AccessStructure() *sharing.ThresholdAccessStructure
- func (s *Scheme[E, S]) Deal(secret *Secret[S], prng io.Reader) (*DealerOutput[E, S], error)
- func (s *Scheme[E, S]) DealAndRevealDealerFunc(secret *Secret[S], prng io.Reader) (*DealerOutput[E, S], *DealerFunc[S], error)
- func (s *Scheme[E, S]) DealRandom(prng io.Reader) (*DealerOutput[E, S], *Secret[S], error)
- func (s *Scheme[E, S]) DealRandomAndRevealDealerFunc(prng io.Reader) (*DealerOutput[E, S], *Secret[S], *DealerFunc[S], error)
- func (*Scheme[E, S]) Name() sharing.Name
- func (s *Scheme[E, S]) Reconstruct(shares ...*Share[S]) (*Secret[S], error)
- func (s *Scheme[E, S]) ReconstructAndVerify(vector VerificationVector[E, S], shares ...*Share[S]) (*Secret[S], error)
- func (s *Scheme[E, S]) Verify(share *Share[S], vector VerificationVector[E, S]) error
- type Secret
- type Share
- func (s *Share[S]) Add(other *Share[S]) *Share[S]
- func (s *Share[S]) Blinding() *pedcom.Witness[S]
- func (s *Share[S]) Bytes() []byte
- func (s *Share[S]) Equal(other *Share[S]) bool
- func (s *Share[S]) HashCode() base.HashCode
- func (s *Share[S]) ID() sharing.ID
- func (s *Share[S]) MarshalCBOR() ([]byte, error)
- func (s *Share[S]) Op(other *Share[S]) *Share[S]
- func (s *Share[S]) ScalarMul(scalar S) *Share[S]
- func (s *Share[S]) ScalarOp(scalar S) *Share[S]
- func (s *Share[S]) Secret() *pedcom.Message[S]
- func (s *Share[S]) ToAdditive(qualifiedSet *sharing.MinimalQualifiedAccessStructure) (*additive.Share[S], error)
- func (s *Share[S]) UnmarshalCBOR(data []byte) error
- func (s *Share[S]) Value() S
- type VerificationVector
Constants
const Name sharing.Name = "Pedersen Verifiable Secret Sharing Scheme"
Name is the canonical name of this secret sharing scheme.
Variables
Functions
This section is empty.
Types
type DealerFunc
type DealerFunc[S algebra.PrimeFieldElement[S]] struct {
	G *polynomials.Polynomial[S]
	H *polynomials.Polynomial[S]
}
DealerFunc represents the pair of polynomials (f, r) used for Pedersen VSS. f(x) is the secret polynomial with f(0) = s, and r(x) is the blinding polynomial.
func NewDealerFunc
func NewDealerFunc[S algebra.PrimeFieldElement[S]](g, h *polynomials.Polynomial[S]) *DealerFunc[S]
NewDealerFunc creates a new dealer function from the secret and blinding polynomials.
type DealerOutput
type DealerOutput[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}
DealerOutput contains the result of a Pedersen VSS dealing operation: a map of shares (each with secret and blinding components) and the verification vector.
func (*DealerOutput[E, S]) Shares
Shares returns the map of shareholder IDs to their corresponding shares.
func (*DealerOutput[E, S]) VerificationVector
func (d *DealerOutput[E, S]) VerificationVector() VerificationVector[E, S]
VerificationVector returns the verification vector V = (g^{a_0}·h^{b_0}, ..., g^{a_{t-1}}·h^{b_{t-1}}) which allows shareholders to verify their shares without revealing the secret.
type LiftedDealerFunc
type LiftedDealerFunc[G algebra.PrimeGroupElement[G, S], S algebra.PrimeFieldElement[S]] struct {
	G *polynomials.ModuleValuedPolynomial[G, S]
	H *polynomials.ModuleValuedPolynomial[G, S]
}
LiftedDealerFunc represents the dealer polynomials lifted to the exponent: (g^{f(x)}, h^{r(x)}). Used internally to compute the verification vector.
func (*LiftedDealerFunc[G, S]) VerificationVector
func (df *LiftedDealerFunc[G, S]) VerificationVector() VerificationVector[G, S]
VerificationVector computes the verification vector by multiplying the lifted polynomials coefficient-wise: V_j = g^{a_j}·h^{b_j}.
type Scheme
type Scheme[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}
Scheme implements Pedersen's verifiable secret sharing with information-theoretic hiding.
func NewScheme
func NewScheme[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]](key *pedcom.Key[E, S], threshold uint, shareholders ds.Set[sharing.ID]) (*Scheme[E, S], error)
NewScheme creates a new Pedersen VSS scheme.
Parameters:
- key: Pedersen commitment key containing generators g and h
- threshold: Minimum shares required for reconstruction (must be ≥ 2)
- shareholders: Set of shareholder IDs who will receive shares
func (*Scheme[E, S]) AccessStructure
func (s *Scheme[E, S]) AccessStructure() *sharing.ThresholdAccessStructure
AccessStructure returns the threshold access structure.
func (*Scheme[E, S]) Deal
Deal creates shares for the given secret along with a verification vector.
func (*Scheme[E, S]) DealAndRevealDealerFunc
func (s *Scheme[E, S]) DealAndRevealDealerFunc(secret *Secret[S], prng io.Reader) (*DealerOutput[E, S], *DealerFunc[S], error)
DealAndRevealDealerFunc creates shares for the given secret and returns the dealing polynomials. Uses two polynomials: f(x) for the secret and r(x) for blinding. The verification vector contains Pedersen commitments g^{a_j}·h^{b_j}.
func (*Scheme[E, S]) DealRandom
DealRandom generates shares for a randomly sampled secret.
func (*Scheme[E, S]) DealRandomAndRevealDealerFunc
func (s *Scheme[E, S]) DealRandomAndRevealDealerFunc(prng io.Reader) (*DealerOutput[E, S], *Secret[S], *DealerFunc[S], error)
DealRandomAndRevealDealerFunc generates shares for a random secret and returns the dealing polynomials.
func (*Scheme[E, S]) Reconstruct
Reconstruct recovers the secret from a set of shares using Lagrange interpolation. Only the secret component f(i) of each share is used; blinding factors are discarded.
func (*Scheme[E, S]) ReconstructAndVerify
func (s *Scheme[E, S]) ReconstructAndVerify(vector VerificationVector[E, S], shares ...*Share[S]) (*Secret[S], error)
ReconstructAndVerify recovers the secret and verifies each share against the verification vector before reconstruction.
type Secret
type Secret[S algebra.PrimeFieldElement[S]] = shamir.Secret[S]
Secret is a Pedersen VSS secret, which is identical to a Shamir secret. This is the value s = f(0) that is shared among the shareholders.
func NewSecret
func NewSecret[S algebra.PrimeFieldElement[S]](value S) *Secret[S]
NewSecret creates a new secret from a field element.
type Share
type Share[S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}
Share represents a Pedersen VSS share consisting of a secret component f(i) and a blinding component r(i), where f and r are the dealing polynomials.
func NewShare
func NewShare[S algebra.PrimeFieldElement[S]](id sharing.ID, secret *pedcom.Message[S], blinding *pedcom.Witness[S], ac *sharing.ThresholdAccessStructure) (*Share[S], error)
NewShare creates a new Pedersen share with the given ID, secret, and blinding value. If an access structure is provided, it validates that the ID is a valid shareholder.
func (*Share[S]) Add
Add returns a new share that is the component-wise sum of two shares. Both the secret and blinding components are added separately.
func (*Share[S]) Equal
Equal returns true if two shares have the same secret and blinding components.
func (*Share[S]) HashCode
HashCode returns a hash code for this share, for use in hash-based collections.
func (*Share[S]) MarshalCBOR
func (*Share[S]) ScalarMul
ScalarMul returns a new share with both components multiplied by a scalar.
func (*Share[S]) ScalarOp
ScalarOp is an alias for ScalarMul. It panics if the scalar is zero, since Pedersen requires non-zero blinding factors.
func (*Share[S]) ToAdditive
func (s *Share[S]) ToAdditive(qualifiedSet *sharing.MinimalQualifiedAccessStructure) (*additive.Share[S], error)
ToAdditive converts this Pedersen share to an additive share by multiplying the secret component by the appropriate Lagrange coefficient. The blinding component is discarded. The resulting additive shares can be summed to reconstruct the secret.
func (*Share[S]) UnmarshalCBOR
type VerificationVector
type VerificationVector[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] = *polynomials.ModuleValuedPolynomial[E, S]
VerificationVector is the public commitment to the dealing polynomials, where each coefficient is a Pedersen commitment: V_j = g^{a_j}·h^{b_j}.