Merge pull request #5562 from oasisprotocol/peternose/feature/churp-d…

…ealer

secret-sharing/churp: Implement the dealer

.changelog/5562.feature.md

@@ -0,0 +1 @@
+secret-sharing/churp: Implement the dealer

Cargo.toml

@@ -3,6 +3,7 @@ members = [
     "runtime",
     "runtime-loader",
     "keymanager",
+    "secret-sharing",
     "tools",
 
     # Test runtimes.

secret-sharing/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "secret-sharing"
+version = "0.1.0"
+authors = ["Oasis Protocol Foundation <info@oasisprotocol.org>"]
+edition = "2018"
+
+[dependencies]
+
+# Third party.
+group = "0.13.0"
+p384 = { version = "0.13.0" }
+rand_core = "0.6.4"
+
+# Fuzzing.
+honggfuzz = "0.5.55"
+rand = "0.8.5"
+
+[[bin]]
+name = "fuzz-vss"
+path = "src/vss/fuzz/main.rs"

secret-sharing/src/churp/dealer.rs

@@ -0,0 +1,102 @@
+//! CHURP dealer.
+
+use group::{ff::PrimeField, Group, GroupEncoding};
+use rand_core::RngCore;
+
+use crate::vss::{matrix::VerificationMatrix, polynomial::BivariatePolynomial};
+
+/// Dealer parameters.
+pub trait DealerParams {
+    /// A prime field used for constructing the bivariate polynomial.
+    type PrimeField: PrimeField;
+
+    /// A group used for constructing the verification matrix.
+    type Group: Group<Scalar = Self::PrimeField> + GroupEncoding;
+}
+
+/// Dealer is responsible for generating a secret bivariate polynomial,
+/// computing a verification matrix, and deriving secret shares for other
+/// participants.
+///
+/// Shares must always be distributed over a secure channel and verified
+/// against the matrix. Reconstructing the secret bivariate polynomial
+/// requires obtaining at least a threshold number of shares from distinct
+/// participants.
+#[derive(Debug, Clone)]
+pub struct Dealer<D: DealerParams> {
+    /// Secret bivariate polynomial.
+    bp: BivariatePolynomial<D::PrimeField>,
+
+    /// Verification matrix.
+    vm: VerificationMatrix<D::Group>,
+}
+
+impl<D> Dealer<D>
+where
+    D: DealerParams,
+{
+    /// Creates a new dealer from the given bivariate polynomial.
+    pub fn new(bp: BivariatePolynomial<D::PrimeField>) -> Self {
+        let vm = VerificationMatrix::new(&bp);
+        Self { bp, vm }
+    }
+
+    /// Creates a new dealer with a random bivariate polynomial.
+    pub fn random(dx: u8, dy: u8, rng: &mut impl RngCore) -> Self {
+        let bp = BivariatePolynomial::random(dx, dy, rng);
+        Self::new(bp)
+    }
+
+    /// Creates a new dealer with a random zero-hole bivariate polynomial.
+    pub fn zero_hole(dx: u8, dy: u8, rng: &mut impl RngCore) -> Self {
+        let mut bp = BivariatePolynomial::random(dx, dy, rng);
+        bp.to_zero_hole();
+        Self::new(bp)
+    }
+
+    /// Returns the secret bivariate polynomial.
+    pub fn bivariate_polynomial(&self) -> &BivariatePolynomial<D::PrimeField> {
+        &self.bp
+    }
+
+    /// Returns the verification matrix.
+    pub fn verification_matrix(&self) -> &VerificationMatrix<D::Group> {
+        &self.vm
+    }
+}
+
+/// Dealer for NIST P-384's elliptic curve group.
+pub type NistP384Dealer = Dealer<NistP384>;
+
+/// NIST P-384 dealer parameters.
+pub struct NistP384;
+
+impl DealerParams for NistP384 {
+    type PrimeField = p384::Scalar;
+    type Group = p384::ProjectivePoint;
+}
+
+#[cfg(test)]
+mod tests {
+    use rand_core::OsRng;
+
+    use super::{BivariatePolynomial, NistP384Dealer};
+
+    #[test]
+    fn test_new() {
+        let bp = BivariatePolynomial::zero(2, 3);
+        let _ = NistP384Dealer::new(bp);
+    }
+
+    #[test]
+    fn test_random() {
+        let d = NistP384Dealer::random(2, 3, &mut OsRng);
+        assert!(!d.verification_matrix().is_zero_hole()); // Zero-hole with negligible probability.
+    }
+
+    #[test]
+    fn test_zero_hole() {
+        let d = NistP384Dealer::zero_hole(2, 3, &mut OsRng);
+        assert!(d.verification_matrix().is_zero_hole());
+    }
+}

secret-sharing/src/churp/mod.rs

@@ -0,0 +1,6 @@
+//! CHUrn-Robust Proactive secret sharing.
+
+mod dealer;
+
+// Re-exports.
+pub use self::dealer::*;

secret-sharing/src/lib.rs

@@ -0,0 +1,12 @@
+//! # Secret Sharing
+//!
+//! This library provides functionality for secret sharing, a technique used
+//! to distribute a secret among a group of participants in such a way that
+//! only a threshold number of participants can reconstruct the secret.
+//!
+//! ## Supported Schemes
+//!
+//! - CHURP (CHUrn-Robust Proactive secret sharing)
+
+pub mod churp;
+pub mod vss;