Improve secret reconstruction -- compute coefficients as needed rather

[catacomb] / gfshare.c

/* -*-c-*-
 *
 * $Id: gfshare.c,v 1.3 2000/06/22 18:04:13 mdw Exp $
 *
 * Secret sharing over %$\gf(2^8)$%
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: gfshare.c,v $
 * Revision 1.3  2000/06/22 18:04:13  mdw
 * Improve secret reconstruction -- compute coefficients as needed rather
 * than making a big array of them.
 *
 * Revision 1.2  2000/06/18 23:12:15  mdw
 * Change typesetting of Galois Field names.
 *
 * Revision 1.1  2000/06/17 10:56:30  mdw
 * Fast but nonstandard secret sharing system.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include <assert.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#include <mLib/alloc.h>
#include <mLib/bits.h>

#include "arena.h"
#include "gfshare.h"
#include "gfshare-tab.h"
#include "grand.h"

/*----- Static variables --------------------------------------------------*/

static octet gflog[] = GFSHARE_LOG, gfexp[] = GFSHARE_EXP;

/*----- Main code ---------------------------------------------------------*/

/* --- @gfshare_create@ --- *
 *
 * Arguments:   @gfshare *s@ = pointer to share context to initialize
 *              @unsigned t, n@ = threshold parameters for the system
 *              @size_t sz@ = size of the secret
 *
 * Returns:     ---
 *
 * Use:         Initializes a sharing context.
 */

void gfshare_create(gfshare *s, unsigned t, unsigned n, size_t sz)
{
  s->t = t;
  s->n = n;
  s->i = 0;
  s->sz = sz;
  s->s = 0;
  s->v = 0;
}

/* --- @gfshare_destroy@ --- *
 *
 * Arguments:   @gfshare *s@ = pointer to share context to destroy
 *
 * Returns:     ---
 *
 * Use:         Disposes of a sharing context.  The allocations for the
 *              individual shares and the vector @v@ are freed; the secret is
 *              left alone.
 */

void gfshare_destroy(gfshare *s)
{
  unsigned n;
  unsigned i;

  /* --- Dispose of the share vector --- */

  if (s->v) {
    if (s->i)
      n = s->i;
    else if (s->n)
      n = s->n;
    else
      n = s->t;
    for (i = 0; i < n; i++) {
      if (s->v[i].y)
        XS_FREE(s->v[i].y);
    }
    xfree(s->v);
  }
}

/* --- @gfshare_mkshares@ --- *
 *
 * Arguments:   @gfshare *s@ = pointer to share context to fill in
 *              @grand *r@ = pointer to random number source
 *
 * Returns:     ---
 *
 * Use:         Generates @c->n@ secret shares, such that any @c->t@ of them
 *              may be used to recover the secret.
 *
 *              The context structure is expected to be mostly filled in.  In
 *              particular, @t@, @n@, @ssz@ and @s@ must be initialized.  If
 *              @v@ is zero, a vector of appropriate size is allocated.  You
 *              should use the macro @GFSHARE_INIT@ or @gfshare_create@ to
 *              construct sharing contexts.
 */

void gfshare_mkshares(gfshare *s, grand *r)
{
  octet *v;
  unsigned i;

  /* --- Construct the coefficients --- */

  v = XS_ALLOC(s->sz * s->t);
  r->ops->fill(r, v, s->sz * (s->t - 1));
  memcpy(v + s->sz * (s->t - 1), s->s, s->sz);


  /* --- Construct the shares --- */

  if (!s->v)
    s->v = xmalloc(s->n * sizeof(gfshare_pt));

  for (i = 0; i < s->n; i++) {
    unsigned j;
    const octet *p = v;
    unsigned ilog = gflog[i + 1];

    /* --- Evaluate the polynomial at %$x = i + 1$% --- */

    s->v[i].y = XS_ALLOC(s->sz);
    memcpy(s->v[i].y, p, s->sz);
    p += s->sz;
    for (j = 1; j < s->t; j++) {
      octet *q = s->v[i].y;
      unsigned k;
      for (k = 0; k < s->sz; k++) {
        unsigned qq = *q;
        if (qq)
          qq = gfexp[ilog + gflog[qq]];
        *q++ = qq ^ *p++;
      }
    }
    s->v[i].x = i;
  }

  /* --- Dispose of various bits of old rubbish --- */

  XS_FREE(v);
}

/* --- @gfshare_add@ --- *
 *
 * Arguments:   @gfshare *s@ = pointer to sharing context
 *              @unsigned x@ = which share number this is
 *              @const octet *y@ = the share value
 *
 * Returns:     Number of shares required before recovery may be performed.
 *
 * Use:         Adds a share to the context.  The context must have been
 *              initialized with the correct threshold @t@.
 */

unsigned gfshare_add(gfshare *s, unsigned x, const octet *y)
{
  /* --- If no vector has been allocated, create one --- */

  if (!s->v) {
    s->v = xmalloc(s->t * sizeof(gfshare_pt));
    s->i = 0;
  }

  assert(((void)"Share context is full", s->i < s->t));

  /* --- Store the share in the vector --- */

  s->v[s->i].x = x;
  s->v[s->i].y = XS_ALLOC(s->sz);
  memcpy(s->v[s->i].y, y, s->sz);
  s->i++;

  /* --- Done --- */

  return (s->t - s->i);
}

/* --- @gfshare_combine@ --- *
 *
 * Arguments:   @gfshare *s@ = pointer to share context
 *              @octet *buf@ = pointer to output buffer for the secret
 *
 * Returns:     ---
 *
 * Use:         Reconstructs a secret, given enough shares.
 */

void gfshare_combine(gfshare *s, octet *buf)
{
  unsigned i, j;

  /* --- Sanity checking --- */

  assert(((void)"Not enough shares yet", s->i == s->t));

  /* --- Grind through the shares --- */

  memset(buf, 0, s->sz);

  for (i = 0; i < s->t; i++) {
    unsigned c = 0, ci = 0;

    /* --- Compute the magic coefficient --- */

    for (j = 0; j < s->t; j++) {
      if (i == j)
        continue;
      c += gflog[s->v[j].x + 1];
      if (c >= 0xff)
        c -= 0xff;
      ci += gflog[(s->v[i].x + 1) ^ (s->v[j].x + 1)];
      if (ci >= 0xff)
        ci -= 0xff;
    }
    if (ci > c)
      c += 0xff;
    c -= ci;

    /* --- Work out another layer of the secret --- */

    for (j = 0; j < s->sz; j++) {
      if (s->v[i].y[j])
        buf[j] ^= gfexp[c + gflog[s->v[i].y[j]]];
    }
  }
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include "fibrand.h"

static int verify(grand *r)
{
  unsigned n = r->ops->range(r, 16) + 8;
  unsigned t = r->ops->range(r, n - 1) + 1;
  unsigned len = r->ops->range(r, 32) + 1;

  gfshare_pt *v = xmalloc(t * sizeof(gfshare_pt));
  unsigned *p = xmalloc(n * sizeof(unsigned));
  octet *sec = xmalloc(len), *sbuf = xmalloc(len);
  gfshare s;
  unsigned i;

  int ok = 1;

  for (i = 0; i < n; i++)
    p[i] = i;
  for (i = 0; i < t; i++) {
    unsigned long j = r->ops->range(r, n - i);
    unsigned x = p[i];
    p[i] = p[i + j];
    p[i + j] = x;
  }

  r->ops->fill(r, sec, len);

  gfshare_create(&s, t, n, len);
  s.s = sec;

  gfshare_mkshares(&s, r);
  for (i = 0; i < t; i++) {
    v[i].x = s.v[p[i]].x;
    v[i].y = xmalloc(len);
    memcpy(v[i].y, s.v[p[i]].y, len);
  }
  gfshare_destroy(&s);

  gfshare_create(&s, t, n, len);
  for (i = 0; i < t; i++) {
    gfshare_add(&s, v[i].x, v[i].y);
  }
  gfshare_combine(&s, sbuf);
  gfshare_destroy(&s);

  if (memcmp(sec, sbuf, len) != 0) {
    ok = 0;
    fprintf(stderr, "\nbad recombination of shares\n");
  };

  xfree(sec);
  xfree(sbuf);

  for (i = 0; i < t; i++)
    xfree(v[i].y);
  xfree(v);
  xfree(p);

  return (ok);
}

int main(void)
{
  grand *r = fibrand_create(0);
  unsigned i;
  int ok = 1;

  fputs("gfshare: ", stdout);
  for (i = 0; i < 40; i++) {
    if (!verify(r))
      ok = 0;
    fputc('.', stdout);
    fflush(stdout);
  }

  if (ok)
    fputs(" ok\n", stdout);
  else
    fputs(" failed\n", stdout);
  return (ok ? EXIT_SUCCESS : EXIT_FAILURE);
}

#endif

/*----- That's all, folks -------------------------------------------------*/