Botan::RTSS_Share Class Reference

#include <tss.h>

Public Member Functions
const secure_vector< uint8_t > &	data () const
bool	initialized () const
	RTSS_Share ()=default
	RTSS_Share (const uint8_t data[], size_t len)
	RTSS_Share (std::string_view hex_input)
uint8_t	share_id () const
size_t	size () const
std::string	to_string () const

Static Public Member Functions
static secure_vector< uint8_t >	reconstruct (const std::vector< RTSS_Share > &shares)
static std::vector< RTSS_Share >	split (uint8_t M, uint8_t N, const uint8_t secret[], uint16_t secret_len, const std::vector< uint8_t > &identifier, std::string_view hash_fn, RandomNumberGenerator &rng)
static std::vector< RTSS_Share >	split (uint8_t M, uint8_t N, const uint8_t secret[], uint16_t secret_len, const uint8_t identifier[16], RandomNumberGenerator &rng)

Detailed Description

A split secret, using the format from draft-mcgrew-tss-03

Definition at line 22 of file tss.h.

Constructor & Destructor Documentation

RTSS_Share() [1/3]

Botan::RTSS_Share::RTSS_Share ( )

default

RTSS_Share() [2/3]

Botan::RTSS_Share::RTSS_Share ( std::string_view  hex_input )

explicit

Parameters

hex_input

the share encoded in hexadecimal

Definition at line 111 of file tss.cpp.

   {
   m_contents = hex_decode_locked(hex_input);
   }

References Botan::hex_decode_locked().

RTSS_Share() [3/3]

Botan::RTSS_Share::RTSS_Share	(	const uint8_t	data[],
		size_t	len
	)

Parameters

data	the shared data
len	the length of data

Definition at line 116 of file tss.cpp.

   {
   m_contents.assign(bin, bin + len);
   }

Member Function Documentation

data()

const secure_vector< uint8_t > & Botan::RTSS_Share::data ( ) const

inline

Returns

binary representation

Definition at line 77 of file tss.h.

{ return m_contents; }

initialized()

bool Botan::RTSS_Share::initialized ( ) const

inline

Returns

if this TSS share was initialized or not

Definition at line 97 of file tss.h.

{ return (m_contents.size() > 0); }

Referenced by share_id().

reconstruct()

secure_vector< uint8_t > Botan::RTSS_Share::reconstruct ( const std::vector< RTSS_Share > &  shares )

static

Parameters

shares

the list of shares

Definition at line 225 of file tss.cpp.

   {
   if(shares.size() <= 1)
      throw Decoding_Error("Insufficient shares to do TSS reconstruction");
 
   for(size_t i = 0; i != shares.size(); ++i)
      {
      if(shares[i].size() < RTSS_HEADER_SIZE + 1)
         throw Decoding_Error("Missing or malformed RTSS header");
 
      if(shares[i].share_id() == 0)
         throw Decoding_Error("Invalid (id = 0) RTSS share detected");
 
      if(i > 0)
         {
         if(shares[i].size() != shares[0].size())
            throw Decoding_Error("Different sized RTSS shares detected");
 
         if(!same_mem(&shares[0].m_contents[0],
                      &shares[i].m_contents[0], RTSS_HEADER_SIZE))
            throw Decoding_Error("Different RTSS headers detected");
         }
      }
 
   const uint8_t N = shares[0].m_contents[17];
 
   if(shares.size() < N)
      throw Decoding_Error("Insufficient shares to do TSS reconstruction");
 
   const uint16_t share_len = make_uint16(shares[0].m_contents[18],
                                          shares[0].m_contents[19]);
 
   const uint8_t hash_id = shares[0].m_contents[16];
   auto hash = get_rtss_hash_by_id(hash_id);
   const size_t hash_len = (hash ? hash->output_length() : 0);
 
   if(shares[0].size() != RTSS_HEADER_SIZE + share_len)
      {
      /*
      * This second (laxer) check accomodates a bug in TSS that was
      * fixed in 2.9.0 - previous versions used the length of the
      * *secret* here, instead of the length of the *share*, which is
      * precisely 1 + hash_len longer.
      */
      if(shares[0].size() <= RTSS_HEADER_SIZE + 1 + hash_len)
         throw Decoding_Error("Bad RTSS length field in header");
      }
 
   std::vector<uint8_t> V(shares.size());
   secure_vector<uint8_t> recovered;
 
   for(size_t i = RTSS_HEADER_SIZE + 1; i != shares[0].size(); ++i)
      {
      for(size_t j = 0; j != V.size(); ++j)
         V[j] = shares[j].m_contents[i];
 
      uint8_t r = 0;
      for(size_t k = 0; k != shares.size(); ++k)
         {
         // L_i function:
         uint8_t r2 = 1;
         for(size_t l = 0; l != shares.size(); ++l)
            {
            if(k == l)
               continue;
 
            uint8_t share_k = shares[k].share_id();
            uint8_t share_l = shares[l].share_id();
 
            if(share_k == share_l)
               throw Decoding_Error("Duplicate shares found in RTSS recovery");
 
            uint8_t div = RTSS_EXP[(255 +
                                 RTSS_LOG[share_l] -
                                 RTSS_LOG[share_k ^ share_l]) % 255];
 
            r2 = gfp_mul(r2, div);
            }
 
         r ^= gfp_mul(V[k], r2);
         }
      recovered.push_back(r);
      }
 
   if(hash)
      {
      if(recovered.size() < hash->output_length())
         throw Decoding_Error("RTSS recovered value too short to be valid");
 
      const size_t secret_len = recovered.size() - hash->output_length();
 
      hash->update(recovered.data(), secret_len);
      secure_vector<uint8_t> hash_check = hash->final();
 
      if(!constant_time_compare(hash_check.data(),
                                &recovered[secret_len],
                                hash->output_length()))
         {
         throw Decoding_Error("RTSS hash check failed");
         }
 
      // remove the trailing hash value
      recovered.resize(secret_len);
      }
 
   return recovered;
   }

References Botan::constant_time_compare(), Botan::make_uint16(), Botan::same_mem(), share_id(), and size().

share_id()

uint8_t Botan::RTSS_Share::share_id

(

)

const

Returns

share identifier

Definition at line 121 of file tss.cpp.

   {
   if(!initialized())
      throw Invalid_State("RTSS_Share::share_id not initialized");
 
   if(m_contents.size() < RTSS_HEADER_SIZE + 1)
      throw Decoding_Error("RTSS_Share::share_id invalid share data");
 
   return m_contents[20];
   }

References initialized().

Referenced by reconstruct().

size()

size_t Botan::RTSS_Share::size ( ) const

inline

Returns

size of this share in bytes

Definition at line 92 of file tss.h.

{ return m_contents.size(); }

Referenced by reconstruct().

split() [1/2]

std::vector< RTSS_Share > Botan::RTSS_Share::split ( uint8_t  M, uint8_t  N, const uint8_t  secret[], uint16_t  secret_len, const std::vector< uint8_t > &  identifier, std::string_view  hash_fn, RandomNumberGenerator &  rng  )

static

Parameters

M	the number of shares needed to reconstruct
N	the number of shares generated
secret	the secret to split
secret_len	the length of the secret
identifier	the share identifier
hash_fn	the hash function to use for a checksum ("None", "SHA-1", "SHA-256")
rng	the random number generator to use

Definition at line 150 of file tss.cpp.

   {
   if(M <= 1 || N <= 1 || M > N || N >= 255)
      throw Invalid_Argument("RTSS_Share::split: Invalid N or M");
 
   if(identifier.size() > 16)
      throw Invalid_Argument("RTSS_Share::split Invalid identifier size");
 
   const uint8_t hash_id = rtss_hash_id(hash_fn);
 
   std::unique_ptr<HashFunction> hash;
   if(hash_id > 0)
      hash = HashFunction::create_or_throw(hash_fn);
 
   // secret = S || H(S)
   secure_vector<uint8_t> secret(S, S + S_len);
   if(hash)
      secret += hash->process(S, S_len);
 
   if(secret.size() >= 0xFFFE)
      throw Encoding_Error("RTSS_Share::split secret too large for TSS format");
 
   // +1 byte for the share ID
   const uint16_t share_len = static_cast<uint16_t>(secret.size() + 1);
 
   secure_vector<uint8_t> share_header(RTSS_HEADER_SIZE);
   copy_mem(&share_header[0], identifier.data(), identifier.size());
   share_header[16] = hash_id;
   share_header[17] = M;
   share_header[18] = get_byte<0>(share_len);
   share_header[19] = get_byte<1>(share_len);
 
   // Create RTSS header in each share
   std::vector<RTSS_Share> shares(N);
 
   for(uint8_t i = 0; i != N; ++i)
      {
      shares[i].m_contents.reserve(share_header.size() + share_len);
      shares[i].m_contents = share_header;
      }
 
   // Choose sequential values for X starting from 1
   for(uint8_t i = 0; i != N; ++i)
      shares[i].m_contents.push_back(i+1);
 
   for(size_t i = 0; i != secret.size(); ++i)
      {
      std::vector<uint8_t> coefficients(M-1);
      rng.randomize(coefficients.data(), coefficients.size());
 
      for(uint8_t j = 0; j != N; ++j)
         {
         const uint8_t X = j + 1;
 
         uint8_t sum = secret[i];
         uint8_t X_i = X;
 
         for(size_t k = 0; k != coefficients.size(); ++k)
            {
            sum ^= gfp_mul(X_i, coefficients[k]);
            X_i  = gfp_mul(X_i, X);
            }
 
         shares[j].m_contents.push_back(sum);
         }
      }
 
   return shares;
   }

References Botan::copy_mem(), Botan::HashFunction::create_or_throw(), Botan::RandomNumberGenerator::randomize(), and X.

split() [2/2]

std::vector< RTSS_Share > Botan::RTSS_Share::split ( uint8_t  M, uint8_t  N, const uint8_t  secret[], uint16_t  secret_len, const uint8_t  identifier[16], RandomNumberGenerator &  rng  )

static

Parameters

M	the number of shares needed to reconstruct
N	the number of shares generated
secret	the secret to split
secret_len	the length of the secret
identifier	the 16 byte share identifier
rng	the random number generator to use

Definition at line 138 of file tss.cpp.

   {
   return RTSS_Share::split(M, N, S, S_len,
                            std::vector<uint8_t>(identifier, identifier + 16),
                            "SHA-256",
                            rng);
   }

References split().

Referenced by split().

to_string()

std::string Botan::RTSS_Share::to_string

(

)

const

Returns

hex representation

Definition at line 132 of file tss.cpp.

   {
   return hex_encode(m_contents.data(), m_contents.size());
   }

References Botan::hex_encode().

---

The documentation for this class was generated from the following files:

• src/lib/misc/tss/tss.h
• src/lib/misc/tss/tss.cpp