vss.go

// Package pedersen implements verifiable secret sharing using Shamir's
// secret sharing algorithm and Pedersens commitment scheme.
package pedersen

import (
	"bsc-shamir/crypto/common"
	"bsc-shamir/math/polynomial"
	"bsc-shamir/math/zn"
	"math/big"
)

// Params are required parameters
type Params struct {
	Zp *zn.Zn
	Zq *zn.Zn
	G  *big.Int
	H  *big.Int
}

// NewParams returns the parameters used by pedersen
func NewParams(params *common.Params) *Params {
	return &Params{
		Zp: params.Zp,
		Zq: params.Zq,
		G:  params.G,
		H:  params.H,
	}
}

// Proof is a commitment to polynomial coefficients.
type Proof []*big.Int

// Share represents a verifiable secret share.
type Share struct {
	X *big.Int
	Y *big.Int
	T *big.Int
}

// Verify the share is valid
func (params *Params) Verify(share *Share, proof Proof) bool {
	result := big.NewInt(1)
	for j, e := range proof {
		t1 := params.Zq.Exp(share.X, big.NewInt(int64(j)))
		t2 := params.Zp.Exp(e, t1)
		result = params.Zp.Mul(result, t2)
	}
	commit := params.Commit(share.Y, share.T)
	return result.Cmp(commit) == 0
}

// Commit to s using t as witness.
func (params *Params) Commit(s, t *big.Int) *big.Int {
	t1 := params.Zp.Exp(params.G, s)
	t2 := params.Zp.Exp(params.H, t)
	return params.Zp.Mul(t1, t2)
}

// Create a (t, n) threshold scheme for secret s using Pedersens verifiable
// secret sharing scheme. Create returns n shares with t required to recover
// the value of s.
func (params *Params) Create(t int, xs []*big.Int, s, w *big.Int) ([]*Share, Proof) {
	degree := t - 1
	f := polynomial.RandomPolynomial(degree, params.Zq)
	f.A[0] = s
	g := polynomial.RandomPolynomial(degree, params.Zq)
	g.A[0] = w

	proof := make([]*big.Int, t)
	for i := range proof {
		proof[i] = params.Commit(f.A[i], g.A[i])
	}

	shares := make([]*Share, 0, len(xs))
	for _, x := range xs {
		shares = append(shares, &Share{
			X: x,
			Y: f.Evaluate(x),
			T: g.Evaluate(x),
		})
	}

	return shares, proof
}

// Combine shares to recover the secret. All shares are assumed to be valid.
// If the shares does not satisfy the threshold scheme, they were created under
// no information is revealed about the secret.
func (params *Params) Combine(shares []*Share) *big.Int {
	secret := big.NewInt(0)

	for j := range shares {
		numerator := big.NewInt(1)
		denominator := big.NewInt(1)

		for k := range shares {
			if j != k {
				numerator = params.Zq.Mul(numerator, shares[k].X)

				t1 := params.Zq.Sub(shares[k].X, shares[j].X)
				denominator = params.Zq.Mul(denominator, t1)
			}
		}

		t1 := params.Zq.Mul(shares[j].Y, numerator)
		t2 := params.Zq.Mul(t1, params.Zq.ModInverse(denominator))
		secret = params.Zq.Add(secret, t2)
	}

	return secret
}

// AddShares returns a share is is the sum of the given shares.
func (params *Params) AddShares(shares []*Share) *Share {
	result := &Share{
		X: big.NewInt(0),
		Y: big.NewInt(0),
		T: big.NewInt(0),
	}

	for _, share := range shares {
		result.X = share.X
		result.Y = params.Zq.Add(result.Y, share.Y)
		result.T = params.Zq.Add(result.T, share.T)
	}

	return result
}

// MulProofs returns a proof which is the product of the given proofs
func (params *Params) MulProofs(proofs []Proof) Proof {
	n := len(proofs[0])
	result := make([]*big.Int, n)
	for i := range result {
		result[i] = big.NewInt(1)
	}

	for _, proof := range proofs {
		for i, e := range proof {
			result[i] = params.Zp.Mul(result[i], e)
		}
	}

	return result
}

func (proof Proof) Equals(other Proof) bool {
	if len(other) != len(proof) {
		return false
	}
	for i, e := range proof {
		if other[i].Cmp(e) != 0 {
			return false
		}
	}
	return true
}