Rust Lab
All articles
Building a Threshold Cryptography Library in Rust
Cryptography & Blockchain

Building a Threshold Cryptography Library in Rust

Threshold cryptography allows secure splitting of a secret into multiple pieces, called “shares.”

By Luis SoaresNovember 11, 2024Original on Medium

Threshold cryptography allows secure splitting of a secret into multiple pieces, called “shares.”

Using a technique like Shamir’s Secret Sharing, we can split a secret so that only a minimum number of shares (a threshold) are needed to reconstruct it. This method is useful for secure data sharing across multiple parties without relying on a single, central key.

In this article, we’ll build a simple threshold cryptography library in Rust that includes modular arithmetic for secure calculations.

We’ll use Shamir’s Secret Sharing to split a secret into shares and a prime modulus for modular arithmetic. This setup makes our calculations secure within a finite field, preventing overflow and adding security.

Dependencies

First, set up a new Rust project and add dependencies to handle large integers and randomness. In your Cargo.toml file, add:

[dependencies]
num-bigint = "0.4"
rand = "0.8"
  • num-bigint: Handles big integers needed for secure cryptography.
  • rand: Helps generate random numbers securely.

Define the Large Prime Modulus

In cryptography, calculations often use a prime modulus to stay within a fixed-size number range. We’ll use a large 256-bit prime, similar to those in elliptic curve cryptography. Here’s the constant definition in the code:

use num_bigint::{BigInt, RandBigInt, ModInverse};
use rand::rngs::OsRng;

// Define a large prime modulus
const PRIME_MODULUS: &str = "115792089237316195423570985008687907853269984665640564039457584007913129639319";
lazy_static::lazy_static! {
    static ref PRIME: BigInt = PRIME_MODULUS.parse().unwrap();
}

This constant, PRIME, will be used in all calculations to ensure they stay within a safe range.

Setting Up the Structs for Threshold Secret Sharing

We’ll create a ThresholdSecretSharing struct to manage secret splitting and reconstruction. Each share will have two parts: x and y. The secret is a point at x = 0 on a polynomial we’ll generate randomly.

Here’s the struct setup:

pub struct Share {
    pub x: BigInt,
    pub y: BigInt,
}

pub struct ThresholdSecretSharing {
    threshold: usize,
    total_shares: usize,
}

impl ThresholdSecretSharing {
    pub fn new(threshold: usize, total_shares: usize) -> Self {
        assert!(threshold <= total_shares, "Threshold must be <= total shares.");
        ThresholdSecretSharing {
            threshold,
            total_shares,
        }
    }
}

This setup includes a Share struct to hold each piece of the secret and the ThresholdSecretSharing struct to manage operations like splitting and reconstructing the secret.

Split the Secret

In Shamir’s Secret Sharing, a secret is split by generating a random polynomial. Each share is a point on this polynomial, and the polynomial’s constant term is the secret.

impl ThresholdSecretSharing {
    pub fn split_secret(&self, secret: &BigInt) -> Vec<Share> {
        let mut rng = OsRng;
        let mut coefficients = vec![secret.clone() % &*PRIME]; // Secret as the constant term
        for _ in 1..self.threshold {
            coefficients.push(rng.gen_bigint(256) % &*PRIME); // Random coefficients
        }

        (1..=self.total_shares)
            .map(|x| {
                let x_val = BigInt::from(x);
                let y_val = evaluate_polynomial(&coefficients, &x_val);
                Share { x: x_val, y: y_val }
            })
            .collect()
    }
}

// Helper function to evaluate polynomial at x with modular arithmetic
fn evaluate_polynomial(coefficients: &[BigInt], x: &BigInt) -> BigInt {
    coefficients.iter().rev().fold(BigInt::from(0), |acc, coeff| {
        (acc * x + coeff) % &*PRIME
    })
}

The split_secret function generates random coefficients and evaluates the polynomial at different x-values, giving us shares. Each y value in the shares is calculated using modular arithmetic with our PRIME.

Reconstruct the Secret

We can reconstruct the secret using Lagrange interpolation. Given t shares, we calculate the polynomial’s constant term (the secret) using modular arithmetic to stay within the finite field.

impl ThresholdSecretSharing {
    pub fn reconstruct_secret(&self, shares: &[Share]) -> BigInt {
        assert!(shares.len() >= self.threshold, "Insufficient shares to reconstruct the secret.");

        let mut secret = BigInt::from(0);

        for i in 0..shares.len() {
            let mut num = BigInt::from(1);
            let mut denom = BigInt::from(1);
            for j in 0..shares.len() {
                if i != j {
                    num = (num * &shares[j].x) % &*PRIME;
                    denom = (denom * (&shares[j].x - &shares[i].x)) % &*PRIME;
                }
            }
            let denom_inv = denom.mod_inverse(&*PRIME).unwrap(); // Modular inverse
            let lagrange_coeff = (num * denom_inv) % &*PRIME;
            secret = (secret + (&shares[i].y * lagrange_coeff)) % &*PRIME;
        }
        secret
    }
}

The reconstruct_secret function uses modular arithmetic and Lagrange interpolation. The mod_inverse function calculates the inverse modulo PRIME, ensuring we stay within the finite field.

Example Usage

Now we can split and reconstruct a secret using the following code:

fn main() {
    let secret = BigInt::from(1234567890);
    let threshold = 3;
    let total_shares = 5;

let tss = ThresholdSecretSharing::new(threshold, total_shares);
    let shares = tss.split_secret(&secret);
    // Select 3 shares to reconstruct the secret
    let selected_shares = vec![shares[0].clone(), shares[1].clone(), shares[2].clone()];
    let reconstructed_secret = tss.reconstruct_secret(&selected_shares);
    println!("Original Secret: {}", secret);
    println!("Reconstructed Secret: {}", reconstructed_secret);
}

Adding a few more useful features

Let’s now enhance the foundational implementation by adding:

Hash-Based Commitments for Share Verification

Adding a hash-based commitment allows each party to verify that a share is valid without reconstructing the secret. By storing the hash of each share, any recipient can check if their share has been tampered with. This feature enhances security, especially when shares are distributed over untrusted channels.

A Share Expiration Mechanism

To increase security, we could add an expiration mechanism to the shares. For instance, a timestamp can be embedded in each share, making them invalid after a certain period. This helps prevent stale shares from being used in sensitive applications where data access should expire.

Encrypting Shares for Secure Distribution

By encrypting each share before distribution, you can ensure that only authorized recipients can use their respective shares. This feature is especially useful when distributing shares over untrusted networks. We’ll use symmetric encryption to protect each share.

Enhanced Implementation

1. Add Hash-Based Commitments

First, let’s modify the Share struct to include a hash commitment for each share. We’ll use SHA-256 as the hash function for simplicity.

Practice what you learned

Reinforce this article with hands-on coding exercises and AI-powered feedback.

Build a Simple Hash ChainAdvancedProof of Work SimulatorAdvancedBuild a Merkle TreeAdvanced
View all exercises

Modify Share Struct and Add a Hash Commitment

use num_bigint::{BigInt, RandBigInt, ModInverse};
use rand::rngs::OsRng;
use sha2::{Sha256, Digest};

// Define a large prime modulus for our field
const PRIME_MODULUS: &str = "115792089237316195423570985008687907853269984665640564039457584007913129639319";
lazy_static::lazy_static! {
    static ref PRIME: BigInt = PRIME_MODULUS.parse().unwrap();
}

pub struct Share {
    pub x: BigInt,
    pub y: BigInt,
    pub commitment: Vec<u8>, // New field for hash commitment
}

// Generate hash commitment for each share
fn generate_commitment(share: &Share) -> Vec<u8> {
    let mut hasher = Sha256::new();
    hasher.update(share.x.to_bytes_be());
    hasher.update(share.y.to_bytes_be());
    hasher.finalize().to_vec()
}

Update the split_secret Function to Include Commitments

When generating shares, we’ll compute the hash for each share and store it in the commitment field. This hash will act as a fingerprint for share verification.

impl ThresholdSecretSharing {
    pub fn split_secret(&self, secret: &BigInt) -> Vec<Share> {
        let mut rng = OsRng;
        let mut coefficients = vec![secret.clone() % &*PRIME]; // Secret as the constant term
        for _ in 1..self.threshold {
            coefficients.push(rng.gen_bigint(256) % &*PRIME); // Random coefficients
        }

        // Generate shares with hash commitments
        (1..=self.total_shares)
            .map(|x| {
                let x_val = BigInt::from(x);
                let y_val = evaluate_polynomial(&coefficients, &x_val);
                let share = Share { x: x_val, y: y_val, commitment: vec![] }; // Initialize with empty commitment
                let commitment = generate_commitment(&share); // Generate the hash commitment
                Share { x: x_val, y: y_val, commitment } // Return the share with commitment
            })
            .collect()
    }
}

Verify Share Integrity

Add a function to verify if a given share’s commitment matches the actual x and y values. This function will be useful to check if a share has been tampered with.

impl Share {
    pub fn verify_commitment(&self) -> bool {
        let computed_commitment = generate_commitment(self);
        computed_commitment == self.commitment
    }
}

2. Implement Expiration Mechanism for Shares

To add an expiration feature, we can include a timestamp in each share and verify if the share is still valid based on the current time.

Modify Share Struct to Include Expiration

Add a timestamp field to the Share struct to store the creation time.

use std::time::{SystemTime, UNIX_EPOCH};

pub struct Share {
    pub x: BigInt,
    pub y: BigInt,
    pub commitment: Vec<u8>,
    pub timestamp: u64, // New field for timestamp
}

// Get current Unix timestamp
fn current_timestamp() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs()
}

Update split_secret to Include Timestamps

Each share will now have a timestamp set at the time of creation.

impl ThresholdSecretSharing {
    pub fn split_secret(&self, secret: &BigInt) -> Vec<Share> {
        let mut rng = OsRng;
        let mut coefficients = vec![secret.clone() % &*PRIME];
        for _ in 1..self.threshold {
            coefficients.push(rng.gen_bigint(256) % &*PRIME);
        }

        // Generate shares with hash commitments and timestamps
        (1..=self.total_shares)
            .map(|x| {
                let x_val = BigInt::from(x);
                let y_val = evaluate_polynomial(&coefficients, &x_val);
                let share = Share { x: x_val, y: y_val, commitment: vec![], timestamp: current_timestamp() };
                let commitment = generate_commitment(&share);
                Share { x: x_val, y: y_val, commitment, timestamp: share.timestamp }
            })
            .collect()
    }
}

Add Expiration Check

To verify that a share is still valid, add a method to check if the timestamp is within an allowed duration.

impl Share {
    pub fn is_valid(&self, max_age_secs: u64) -> bool {
        let current_time = current_timestamp();
        current_time - self.timestamp <= max_age_secs
    }
}

3. Encrypt Shares for Secure Distribution

Encrypting each share with a symmetric key adds another layer of security. We’ll use a simple symmetric encryption with AES-256 (you can use a crate like aes).

Encrypt and Decrypt Functions

use aes::Aes256;
use aes::cipher::{KeyIvInit, StreamCipher, StreamCipherSeek};
use rand::Rng;

type Aes256Ctr = ctr::Ctr64BE<Aes256>;

// Encrypt share data with a given key
fn encrypt_share(share: &Share, key: &[u8; 32]) -> Vec<u8> {
    let mut share_bytes = bincode::serialize(share).unwrap(); // Serialize the share to bytes
    let mut cipher = Aes256Ctr::new(key.into(), &[0u8; 16].into());
    cipher.apply_keystream(&mut share_bytes);
    share_bytes
}

// Decrypt share data with a given key
fn decrypt_share(encrypted_share: &[u8], key: &[u8; 32]) -> Share {
    let mut share_bytes = encrypted_share.to_vec();
    let mut cipher = Aes256Ctr::new(key.into(), &[0u8; 16].into());
    cipher.apply_keystream(&mut share_bytes);
    bincode::deserialize(&share_bytes).unwrap() // Deserialize bytes back into Share
}

Now, when you generate and distribute shares, encrypt each one with a unique symmetric key known to the intended recipient.

Updated main function:

fn main() {
    let secret = BigInt::from(1234567890); // Example secret
    let threshold = 3; // Minimum number of shares needed to reconstruct the secret
    let total_shares = 5; // Total number of shares generated

    // Initialize the Threshold Secret Sharing instance
    let tss = ThresholdSecretSharing::new(threshold, total_shares);

    // Split the secret into shares
    let shares = tss.split_secret(&secret);

    // Log each generated share to demonstrate it working
    println!("Generated Shares:");
    for (i, share) in shares.iter().enumerate() {
        println!(
            "Share {}: x = {}, y = {}, commitment = {:?}, timestamp = {}",
            i + 1,
            share.x,
            share.y,
            share.commitment,
            share.timestamp
        );
    }

    // Encrypt each share with a symmetric key (for example purposes, we use a static key)
    let key = [0u8; 32]; // Replace with a securely generated key in a real application
    let encrypted_shares: Vec<Vec<u8>> = shares.iter().map(|share| share.encrypt(&key)).collect();

    // Log encrypted shares
    println!("\nEncrypted Shares:");
    for (i, encrypted_share) in encrypted_shares.iter().enumerate() {
        println!("Encrypted Share {}: {:?}", i + 1, encrypted_share);
    }

    // Decrypt one share and verify its integrity
    let decrypted_share = Share::decrypt(&encrypted_shares[0], &key);
    println!("\nDecrypted and Verified Share:");
    println!(
        "x = {}, y = {}, commitment = {:?}, timestamp = {}, valid = {}",
        decrypted_share.x,
        decrypted_share.y,
        decrypted_share.commitment,
        decrypted_share.timestamp,
        decrypted_share.verify_commitment()
    );

    // Check if the decrypted share is still valid based on a set expiration time
    let max_age_secs = 60 * 60; // 1 hour
    println!("Is the decrypted share still valid? {}", decrypted_share.is_valid(max_age_secs));

    // Reconstruct the secret from a subset of valid, decrypted shares
    let reconstructed_secret = tss.reconstruct_secret(&[decrypted_share.clone(), shares[1].clone(), shares[2].clone()]);
    println!("\nOriginal Secret: {}", secret);
    println!("Reconstructed Secret: {}", reconstructed_secret);
}

Here is the link to the Git repo for the project.

Practice what you learned

Reinforce this article with hands-on coding exercises and AI-powered feedback.

Build a Simple Hash ChainAdvancedProof of Work SimulatorAdvancedBuild a Merkle TreeAdvanced
View all exercises

Go deeper with these books

Written by the author of these articles — take your Rust skills to the next level.

From OOP to Idiomatic Rust cover
From OOP to Idiomatic RustA Mental Model Shift for Experienced Developers
Hands-On Rust Ownership cover
Hands-On Rust OwnershipFrom Basics to Real-World Projects
Rust Book BundleSave 37%
Both Rust books as PDFs for €25 €40
Browse all books

Want to practice Rust hands-on?

Go beyond reading — solve interactive exercises with AI-powered code review on Rust Lab.