Squashed 'psiphon/common/sss/' content from commit 0cb9f6d

git-subtree-dir: psiphon/common/sss
git-subtree-split: 0cb9f6d3f7f14abe7801e400be78df63f17db52d

.gitignore

@@ -0,0 +1 @@
+*.test

.travis.yml

@@ -0,0 +1,9 @@
+language: go
+go:
+  - 1.3.3
+notifications:
+  # See http://about.travis-ci.org/docs/user/build-configuration/ to learn more
+  # about configuring notification recipients and more.
+  email:
+    recipients:
+      - coda.hale@gmail.com

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Coda Hale
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,11 @@
+# sss (Shamir's Secret Sharing)
+
+[![Build Status](https://travis-ci.org/codahale/sss.png?branch=master)](https://travis-ci.org/codahale/sss)
+
+A pure Go implementation of
+[Shamir's Secret Sharing algorithm](http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
+over GF(2^8).
+
+Inspired by @hbs's [Python implementation](https://github.com/hbs/PySSSS).
+
+For documentation, check [godoc](http://godoc.org/github.com/codahale/sss).

gf256.go

@@ -0,0 +1,81 @@
+package sss
+
+func mul(e, a byte) byte {
+	if e == 0 || a == 0 {
+		return 0
+	}
+	return exp[(int(log[e])+int(log[a]))%255]
+}
+
+func div(e, a byte) byte {
+	if a == 0 {
+		panic("div by zero")
+	}
+
+	if e == 0 {
+		return 0
+	}
+
+	p := (int(log[e]) - int(log[a])) % 255
+	if p < 0 {
+		p += 255
+	}
+
+	return exp[p]
+}
+
+const (
+	fieldSize = 256 // 2^8
+)
+
+var (
+	// 0x11b prime polynomial and 0x03 as generator
+	exp = [fieldSize]byte{
+		0x01, 0x03, 0x05, 0x0f, 0x11, 0x33, 0x55, 0xff, 0x1a, 0x2e, 0x72, 0x96,
+		0xa1, 0xf8, 0x13, 0x35, 0x5f, 0xe1, 0x38, 0x48, 0xd8, 0x73, 0x95, 0xa4,
+		0xf7, 0x02, 0x06, 0x0a, 0x1e, 0x22, 0x66, 0xaa, 0xe5, 0x34, 0x5c, 0xe4,
+		0x37, 0x59, 0xeb, 0x26, 0x6a, 0xbe, 0xd9, 0x70, 0x90, 0xab, 0xe6, 0x31,
+		0x53, 0xf5, 0x04, 0x0c, 0x14, 0x3c, 0x44, 0xcc, 0x4f, 0xd1, 0x68, 0xb8,
+		0xd3, 0x6e, 0xb2, 0xcd, 0x4c, 0xd4, 0x67, 0xa9, 0xe0, 0x3b, 0x4d, 0xd7,
+		0x62, 0xa6, 0xf1, 0x08, 0x18, 0x28, 0x78, 0x88, 0x83, 0x9e, 0xb9, 0xd0,
+		0x6b, 0xbd, 0xdc, 0x7f, 0x81, 0x98, 0xb3, 0xce, 0x49, 0xdb, 0x76, 0x9a,
+		0xb5, 0xc4, 0x57, 0xf9, 0x10, 0x30, 0x50, 0xf0, 0x0b, 0x1d, 0x27, 0x69,
+		0xbb, 0xd6, 0x61, 0xa3, 0xfe, 0x19, 0x2b, 0x7d, 0x87, 0x92, 0xad, 0xec,
+		0x2f, 0x71, 0x93, 0xae, 0xe9, 0x20, 0x60, 0xa0, 0xfb, 0x16, 0x3a, 0x4e,
+		0xd2, 0x6d, 0xb7, 0xc2, 0x5d, 0xe7, 0x32, 0x56, 0xfa, 0x15, 0x3f, 0x41,
+		0xc3, 0x5e, 0xe2, 0x3d, 0x47, 0xc9, 0x40, 0xc0, 0x5b, 0xed, 0x2c, 0x74,
+		0x9c, 0xbf, 0xda, 0x75, 0x9f, 0xba, 0xd5, 0x64, 0xac, 0xef, 0x2a, 0x7e,
+		0x82, 0x9d, 0xbc, 0xdf, 0x7a, 0x8e, 0x89, 0x80, 0x9b, 0xb6, 0xc1, 0x58,
+		0xe8, 0x23, 0x65, 0xaf, 0xea, 0x25, 0x6f, 0xb1, 0xc8, 0x43, 0xc5, 0x54,
+		0xfc, 0x1f, 0x21, 0x63, 0xa5, 0xf4, 0x07, 0x09, 0x1b, 0x2d, 0x77, 0x99,
+		0xb0, 0xcb, 0x46, 0xca, 0x45, 0xcf, 0x4a, 0xde, 0x79, 0x8b, 0x86, 0x91,
+		0xa8, 0xe3, 0x3e, 0x42, 0xc6, 0x51, 0xf3, 0x0e, 0x12, 0x36, 0x5a, 0xee,
+		0x29, 0x7b, 0x8d, 0x8c, 0x8f, 0x8a, 0x85, 0x94, 0xa7, 0xf2, 0x0d, 0x17,
+		0x39, 0x4b, 0xdd, 0x7c, 0x84, 0x97, 0xa2, 0xfd, 0x1c, 0x24, 0x6c, 0xb4,
+		0xc7, 0x52, 0xf6, 0x01,
+	}
+	log = [fieldSize]byte{
+		0x00, 0x00, 0x19, 0x01, 0x32, 0x02, 0x1a, 0xc6, 0x4b, 0xc7, 0x1b, 0x68,
+		0x33, 0xee, 0xdf, 0x03, 0x64, 0x04, 0xe0, 0x0e, 0x34, 0x8d, 0x81, 0xef,
+		0x4c, 0x71, 0x08, 0xc8, 0xf8, 0x69, 0x1c, 0xc1, 0x7d, 0xc2, 0x1d, 0xb5,
+		0xf9, 0xb9, 0x27, 0x6a, 0x4d, 0xe4, 0xa6, 0x72, 0x9a, 0xc9, 0x09, 0x78,
+		0x65, 0x2f, 0x8a, 0x05, 0x21, 0x0f, 0xe1, 0x24, 0x12, 0xf0, 0x82, 0x45,
+		0x35, 0x93, 0xda, 0x8e, 0x96, 0x8f, 0xdb, 0xbd, 0x36, 0xd0, 0xce, 0x94,
+		0x13, 0x5c, 0xd2, 0xf1, 0x40, 0x46, 0x83, 0x38, 0x66, 0xdd, 0xfd, 0x30,
+		0xbf, 0x06, 0x8b, 0x62, 0xb3, 0x25, 0xe2, 0x98, 0x22, 0x88, 0x91, 0x10,
+		0x7e, 0x6e, 0x48, 0xc3, 0xa3, 0xb6, 0x1e, 0x42, 0x3a, 0x6b, 0x28, 0x54,
+		0xfa, 0x85, 0x3d, 0xba, 0x2b, 0x79, 0x0a, 0x15, 0x9b, 0x9f, 0x5e, 0xca,
+		0x4e, 0xd4, 0xac, 0xe5, 0xf3, 0x73, 0xa7, 0x57, 0xaf, 0x58, 0xa8, 0x50,
+		0xf4, 0xea, 0xd6, 0x74, 0x4f, 0xae, 0xe9, 0xd5, 0xe7, 0xe6, 0xad, 0xe8,
+		0x2c, 0xd7, 0x75, 0x7a, 0xeb, 0x16, 0x0b, 0xf5, 0x59, 0xcb, 0x5f, 0xb0,
+		0x9c, 0xa9, 0x51, 0xa0, 0x7f, 0x0c, 0xf6, 0x6f, 0x17, 0xc4, 0x49, 0xec,
+		0xd8, 0x43, 0x1f, 0x2d, 0xa4, 0x76, 0x7b, 0xb7, 0xcc, 0xbb, 0x3e, 0x5a,
+		0xfb, 0x60, 0xb1, 0x86, 0x3b, 0x52, 0xa1, 0x6c, 0xaa, 0x55, 0x29, 0x9d,
+		0x97, 0xb2, 0x87, 0x90, 0x61, 0xbe, 0xdc, 0xfc, 0xbc, 0x95, 0xcf, 0xcd,
+		0x37, 0x3f, 0x5b, 0xd1, 0x53, 0x39, 0x84, 0x3c, 0x41, 0xa2, 0x6d, 0x47,
+		0x14, 0x2a, 0x9e, 0x5d, 0x56, 0xf2, 0xd3, 0xab, 0x44, 0x11, 0x92, 0xd9,
+		0x23, 0x20, 0x2e, 0x89, 0xb4, 0x7c, 0xb8, 0x26, 0x77, 0x99, 0xe3, 0xa5,
+		0x67, 0x4a, 0xed, 0xde, 0xc5, 0x31, 0xfe, 0x18, 0x0d, 0x63, 0x8c, 0x80,
+		0xc0, 0xf7, 0x70, 0x07,
+	}
+)

gf256_test.go

@@ -0,0 +1,35 @@
+package sss
+
+import (
+	"testing"
+)
+
+func TestMul(t *testing.T) {
+	if v, want := mul(90, 21), byte(254); v != want {
+		t.Errorf("Was %v, but expected %v", v, want)
+	}
+}
+
+func TestDiv(t *testing.T) {
+	if v, want := div(90, 21), byte(189); v != want {
+		t.Errorf("Was %v, but expected %v", v, want)
+	}
+}
+
+func TestDivZero(t *testing.T) {
+	if v, want := div(0, 2), byte(0); v != want {
+		t.Errorf("Was %v, but expected %v", v, want)
+	}
+}
+
+func TestDivByZero(t *testing.T) {
+	defer func() {
+		m := recover()
+		if m != "div by zero" {
+			t.Error(m)
+		}
+	}()
+
+	div(2, 0)
+	t.Error("Shouldn't have been able to divide those")
+}

polynomial.go

@@ -0,0 +1,67 @@
+package sss
+
+import "io"
+
+// the degree of the polynomial
+func degree(p []byte) int {
+	return len(p) - 1
+}
+
+// evaluate the polynomial at the given point
+func eval(p []byte, x byte) (result byte) {
+	// Horner's scheme
+	for i := 1; i <= len(p); i++ {
+		result = mul(result, x) ^ p[len(p)-i]
+	}
+	return
+}
+
+// generates a random n-degree polynomial w/ a given x-intercept
+func generate(degree byte, x byte, rand io.Reader) ([]byte, error) {
+	result := make([]byte, degree+1)
+	result[0] = x
+
+	buf := make([]byte, degree-1)
+	if _, err := io.ReadFull(rand, buf); err != nil {
+		return nil, err
+	}
+
+	for i := byte(1); i < degree; i++ {
+		result[i] = buf[i-1]
+	}
+
+	// the Nth term can't be zero, or else it's a (N-1) degree polynomial
+	for {
+		buf = make([]byte, 1)
+		if _, err := io.ReadFull(rand, buf); err != nil {
+			return nil, err
+		}
+
+		if buf[0] != 0 {
+			result[degree] = buf[0]
+			return result, nil
+		}
+	}
+}
+
+// an input/output pair
+type pair struct {
+	x, y byte
+}
+
+// Lagrange interpolation
+func interpolate(points []pair, x byte) (value byte) {
+	for i, a := range points {
+		weight := byte(1)
+		for j, b := range points {
+			if i != j {
+				top := x ^ b.x
+				bottom := a.x ^ b.x
+				factor := div(top, bottom)
+				weight = mul(weight, factor)
+			}
+		}
+		value = value ^ mul(weight, a.y)
+	}
+	return
+}

polynomial_test.go

@@ -0,0 +1,89 @@
+package sss
+
+import (
+	"bytes"
+	"testing"
+)
+
+var (
+	p  = []byte{1, 0, 2, 3}
+	p2 = []byte{70, 32, 6}
+)
+
+func TestDegree(t *testing.T) {
+	if v, want := degree(p), 3; v != want {
+		t.Errorf("Was %v, but expected %v", v, want)
+	}
+}
+
+func TestEval(t *testing.T) {
+	if v, want := eval(p, 2), byte(17); v != want {
+		t.Errorf("Was %v, but expected %v", v, want)
+	}
+}
+
+func TestGenerate(t *testing.T) {
+	b := []byte{1, 2, 3}
+
+	expected := []byte{10, 1, 2, 3}
+	actual, err := generate(3, 10, bytes.NewReader(b))
+	if err != nil {
+		t.Error(err)
+	}
+
+	if !bytes.Equal(actual, expected) {
+		t.Errorf("Was %v, but expected %v", actual, expected)
+	}
+}
+
+func TestGenerateEOF(t *testing.T) {
+	b := []byte{1}
+
+	p, err := generate(3, 10, bytes.NewReader(b))
+	if p != nil {
+		t.Errorf("Was %v, but expected an error", p)
+	}
+
+	if err == nil {
+		t.Error("No error returned")
+	}
+}
+
+func TestGeneratePolyEOFFullSize(t *testing.T) {
+	b := []byte{1, 2, 0, 0, 0, 0}
+
+	p, err := generate(3, 10, bytes.NewReader(b))
+	if p != nil {
+		t.Errorf("Was %v, but xpected an error", p)
+	}
+
+	if err == nil {
+		t.Error("No error returned")
+	}
+}
+
+func TestGenerateFullSize(t *testing.T) {
+	b := []byte{1, 2, 0, 4}
+
+	expected := []byte{10, 1, 2, 4}
+	actual, err := generate(3, 10, bytes.NewReader(b))
+	if err != nil {
+		t.Error(err)
+	}
+
+	if !bytes.Equal(actual, expected) {
+		t.Errorf("Was %v but expected %v", actual, expected)
+	}
+}
+
+func TestInterpolate(t *testing.T) {
+	in := []pair{
+		pair{x: 1, y: 1},
+		pair{x: 2, y: 2},
+		pair{x: 3, y: 3},
+	}
+
+	if v, want := interpolate(in, 0), byte(0); v != want {
+		t.Errorf("Was %v, but expected %v", v, want)
+	}
+}

sss.go

@@ -0,0 +1,102 @@
+// Package sss implements Shamir's Secret Sharing algorithm over GF(2^8).
+//
+// Shamir's Secret Sharing algorithm allows you to securely share a secret with
+// N people, allowing the recovery of that secret if K of those people combine
+// their shares.
+//
+// It begins by encoding a secret as a number (e.g., 42), and generating N
+// random polynomial equations of degree K-1 which have an X-intercept equal to
+// the secret. Given K=3, the following equations might be generated:
+//
+//     f1(x) =  78x^2 +  19x + 42
+//     f2(x) = 128x^2 + 171x + 42
+//     f3(x) = 121x^2 +   3x + 42
+//     f4(x) =  91x^2 +  95x + 42
+//     etc.
+//
+// These polynomials are then evaluated for values of X > 0:
+//
+//     f1(1) =  139
+//     f2(2) =  896
+//     f3(3) = 1140
+//     f4(4) = 1783
+//     etc.
+//
+// These (x, y) pairs are the shares given to the parties. In order to combine
+// shares to recover the secret, these (x, y) pairs are used as the input points
+// for Lagrange interpolation, which produces a polynomial which matches the
+// given points. This polynomial can be evaluated for f(0), producing the secret
+// value--the common x-intercept for all the generated polynomials.
+//
+// If fewer than K shares are combined, the interpolated polynomial will be
+// wrong, and the result of f(0) will not be the secret.
+//
+// This package constructs polynomials over the field GF(2^8) for each byte of
+// the secret, allowing for fast splitting and combining of anything which can
+// be encoded as bytes.
+//
+// This package has not been audited by cryptography or security professionals.
+package sss
+
+import (
+	"crypto/rand"
+	"errors"
+)
+
+var (
+	// ErrInvalidCount is returned when the count parameter is invalid.
+	ErrInvalidCount = errors.New("N must be >= K")
+	// ErrInvalidThreshold is returned when the threshold parameter is invalid.
+	ErrInvalidThreshold = errors.New("K must be > 1")
+)
+
+// Split the given secret into N shares of which K are required to recover the
+// secret. Returns a map of share IDs (1-255) to shares.
+func Split(n, k byte, secret []byte) (map[byte][]byte, error) {
+	if k <= 1 {
+		return nil, ErrInvalidThreshold
+	}
+
+	if n < k {
+		return nil, ErrInvalidCount
+	}
+
+	shares := make(map[byte][]byte, n)
+
+	for _, b := range secret {
+		p, err := generate(k-1, b, rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+
+		for x := byte(1); x <= n; x++ {
+			shares[x] = append(shares[x], eval(p, x))
+		}
+	}
+
+	return shares, nil
+}
+
+// Combine the given shares into the original secret.
+//
+// N.B.: There is no way to know whether the returned value is, in fact, the
+// original secret.
+func Combine(shares map[byte][]byte) []byte {
+	var secret []byte
+	for _, v := range shares {
+		secret = make([]byte, len(v))
+		break
+	}
+
+	points := make([]pair, len(shares))
+	for i := range secret {
+		p := 0
+		for k, v := range shares {
+			points[p] = pair{x: k, y: v[i]}
+			p++
+		}
+		secret[i] = interpolate(points, 0)
+	}
+
+	return secret
+}

sss_test.go

@@ -0,0 +1,32 @@
+package sss
+
+import (
+	"fmt"
+)
+
+func Example() {
+	secret := "well hello there!" // our secret
+	n := byte(30)                 // create 30 shares
+	k := byte(2)                  // require 2 of them to combine
+
+	shares, err := Split(n, k, []byte(secret)) // split into 30 shares
+	if err != nil {
+		fmt.Println(err)
+		return
+	}
+
+	// select a random subset of the total shares
+	subset := make(map[byte][]byte, k)
+	for x, y := range shares { // just iterate since maps are randomized
+		subset[x] = y
+		if len(subset) == int(k) {
+			break
+		}
+	}
+
+	// combine two shares and recover the secret
+	recovered := string(Combine(subset))
+	fmt.Println(recovered)
+
+	// Output: well hello there!
+}