Ryan Heywood
4faab1cd33
The previously existing polynomial coefficients had an inverse bias towards `0`, only starting higher than `1`. This allows `0` to be a valid polynomial. As per an audit performed by Cure53: > The correct method to select a random polynomial would be to select all coefficients (including the most significant coefficient) uniformly in the range 0..255 (inclusive). Otherwise, knowledge that a coefficient in a polynomial cannot be 0 permits the exclusion of single byte values for the shared secret given one share less than required. [...] Exploiting this weakness necessitates sharing the same secret multiple times. In this scenario, an attacker could exclude an exponential number of values for each of the shared bytes until sufficiently few values remain for brute forcing. Cure53 estimates that under ideal circumstances (e.g., a 2-out-of-N scheme) a shared secret can be reconstructed if the same secret has been distributed 500-1500 times. |
||
|---|---|---|
| .github/workflows | ||
| benches | ||
| fuzz | ||
| src | ||
| .gitignore | ||
| CHANGELOG.md | ||
| COPYRIGHT | ||
| Cargo.toml | ||
| LICENSE-APACHE | ||
| LICENSE-MIT | ||
| README.md | ||
| codecov.yml | ||
README.md
Sharks
Fast, small and secure Shamir's Secret Sharing library crate
Documentation:
Usage
Add this to your Cargo.toml:
[dependencies]
sharks = "0.4"
If your environment doesn't support std:
[dependencies]
sharks = { version = "0.4", default-features = false }
To get started using Sharks, see the Rust docs
Features
Developer friendly
The API is simple and to the point, with minimal configuration.
Fast and small
The code is as idiomatic and clean as possible, with minimum external dependencies.
Secure by design
The implementation forbids the user to choose parameters that would result in an insecure application, like generating more shares than what's allowed by the finite field length.
Limitations
Because the Galois finite field it uses is GF256, only up to 255 shares can be generated for a given secret. A larger number would be insecure as shares would start duplicating. Nevertheless, the secret can be arbitrarily long as computations are performed on single byte chunks.
Testing
This crate contains both unit and benchmark tests (as well as the examples included in the docs).
You can run them with cargo test and cargo bench.
Benchmark results [min mean max]
| CPU | obtain_shares_dealer | step_shares_dealer | recover_secret | share_from_bytes | share_to_bytes |
|---|---|---|---|---|---|
| Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz | [1.4321 us 1.4339 us 1.4357 us] | [1.3385 ns 1.3456 ns 1.3552 ns] | [228.77 us 232.17 us 236.23 us] | [24.688 ns 25.083 ns 25.551 ns] | [22.832 ns 22.910 ns 22.995 ns] |
| Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz | [1.3439 us 1.3499 us 1.3562 us] | [1.5416 ns 1.5446 ns 1.5481 ns] | [197.46 us 198.37 us 199.22 us] | [20.455 ns 20.486 ns 20.518 ns] | [18.726 ns 18.850 ns 18.993 ns] |
| Apple M1 ARM (Macbook Air) | [3.3367 us 3.3629 us 3.4058 us] | [741.75 ps 742.65 ps 743.52 ps] | [210.14 us 210.23 us 210.34 us] | [27.567 ns 27.602 ns 27.650 ns] | [26.716 ns 26.735 ns 26.755 ns] |
Contributing
If you find a vulnerability, bug or would like a new feature, open a new issue.
To introduce your changes into the codebase, submit a Pull Request.
Many thanks!
License
Sharks is distributed under the terms of both the MIT license and the Apache License (Version 2.0).
See LICENSE-APACHE and LICENSE-MIT, and COPYRIGHT for details.