sss: add generate_shares API

Author: siv2r

Cargo.toml

@@ -8,4 +8,5 @@ edition = "2021"
 path = "src/sss.rs"
 
 [dependencies]
-hacspec-lib =  { git = "https://github.com/hacspec/hacspec/", branch = "master" }
+hacspec-lib =  { git = "https://github.com/hacspec/hacspec/", branch = "master" }
+hacspec-sha256 =  { git = "https://github.com/hacspec/hacspec/", branch = "master" }

src/sss.rs

@@ -1,7 +1,6 @@
 use hacspec_lib::*;
+use hacspec_sha256::*;
 
-// arbitrary upper bound
-const MAX_SHARES: usize = 32;
 
 // order of secp256k1 elliptic curve
 public_nat_mod!(
@@ -11,17 +10,85 @@ public_nat_mod!(
     modulo_value: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141"
 );
 
-// t & n remain const for every shares in a set
-#[allow(non_camel_case_types)]
-pub enum ShamirShare {
-    x(FieldElement),
-    y(FieldElement),
-    t(usize),
-    n(usize),
-}
+type Point = (FieldElement, FieldElement);
+
+// 2nd arg -> t, 3rd arg -> n
+//todo: use named struct instead?
+pub type ShamirShare = (Point, usize, usize);
+
+bytes!(Bytes32, 32);
+type SharedSecret = Bytes32;
 
 // APIs Planned:
-// 1. generate_shares(secret: FieldElement, t: usize, n: usize) -> &Seq<ShamirShare>
+// 1. generate_shares(secret: ByteSeq, t: usize, n: usize) -> Seq<ShamirShare>
 //    1.1 we use `usize` (instead of `FieldElement`) for t and n for simplicity
 // 2. recover_secret(shares: &Seq<ShamirShare>) -> FieldElement
-//    2.1 eval_lagrange_poly(shares &Seq<ShamirShare>) -> FieldElement
+//    2.1 lagrange_interpolate(shares &Seq<ShamirShare>) -> FieldElement
+
+// avoids tagged hash for simplicity
+fn nonce32(
+    secret: SharedSecret,
+    t: usize,
+    n: usize,
+    i: usize,
+) -> Bytes32 {
+    // convert t, n, and i into bytes of secret value
+    let t = U32::classify(t as u32);
+    let n = U32::classify(n as u32);
+    let i = U32::classify(i as u32);
+    let hash_inp = ByteSeq::from_seq(&secret)
+        .concat(&U32_to_be_bytes(t))
+        .concat(&U32_to_be_bytes(n))
+        .concat(&U32_to_be_bytes(i));
+    let hash = sha256(&hash_inp);
+    Bytes32::from_seq(&hash)
+}
+
+//todo: use hacspec internal `poly!` type instead?
+// computes poly(x)
+fn eval_poly(
+    poly: &Seq<FieldElement>,
+    x: FieldElement,
+) -> FieldElement {
+    let mut res = poly[0];
+    let len = poly.len();
+
+    for i in 1..(len-1) {
+        res = res + poly[i]*(x.pow(i as u128));
+    }
+
+    res
+}
+
+pub fn generate_shares(
+    secret: SharedSecret,
+    t: usize,
+    n: usize,
+) -> Seq<ShamirShare> {
+    //todo: hacspec prevents using `assert!`
+    //     - use `u32Word` for t, and n instead?
+    // assert!(t <= u32::MAX as usize);
+    // assert!(n <= u32::MAX as usize);
+
+    let mut out = Seq::<ShamirShare>::new(n);
+    let mut poly = Seq::<FieldElement>::new(t);
+
+    poly[0] = FieldElement::from_byte_seq_be(&secret);
+
+    // generate random coefficients for `poly`
+    for i in 1..(t-1) {
+        let entropy = nonce32(secret, t, n, i);
+        let coeff = FieldElement::from_byte_seq_be(&entropy);
+        poly[i] = coeff;
+    }
+
+    for i in 0..(n-1) {
+        let xi = FieldElement::from_literal(i as u128);
+        let yi = eval_poly(&poly, xi);
+        let si: ShamirShare = ((xi, yi), t, n);
+
+        out[i] = si;
+    }
+
+    out
+}