diff --git a/src/shamira/core.py b/src/shamira/core.py --- a/src/shamira/core.py +++ b/src/shamira/core.py @@ -6,6 +6,7 @@ import base64 import binascii from . import gf256 +from . import fft class SException(Exception): pass @@ -15,13 +16,17 @@ class DecodingException(SException): pas class MalformedShare(SException): pass +def compute_x(n): + return fft.precompute_x(fft.ceil_size(n))[:n] + + def _share_byte(secret_b, k, n): if not k<=n<255: raise InvalidParams("Failed k<=n<255, k={0}, n={1}".format(k, n)) - # we might be concerned with zero coefficients degenerating our polynomial, but there's no reason - we still need k shares to determine it is the case - coefs = [int(b) for b in os.urandom(k-1)]+[int(secret_b)] - points = [gf256.evaluate(coefs, i) for i in range(1, n+1)] - return points + # we might be concerned with zero coefficients degenerating our polynomial, + # but there's no reason - we still need k shares to determine it is the case + coefs = [int(secret_b)]+[int(b) for b in os.urandom(k-1)] + return fft.evaluate(coefs, n) def generate_raw(secret, k, n): @@ -31,8 +36,9 @@ def generate_raw(secret, k, n): :param k: number of shares necessary for secret recovery. 1 <= k <= n :param n: (int) number of shares generated. 1 <= n < 255 :return: [(i, (bytes) share), ...]""" + xs = compute_x(n) shares = [_share_byte(b, k, n) for b in secret] - return [(i+1, bytes([s[i] for s in shares])) for i in range(n)] + return [(xi, bytes([s[i] for s in shares])) for (i, xi) in enumerate(xs)] def reconstruct_raw(*shares): diff --git a/src/shamira/fft.py b/src/shamira/fft.py new file mode 100644 --- /dev/null +++ b/src/shamira/fft.py @@ -0,0 +1,95 @@ +import math +import cmath +import itertools + +from .gf256 import gfmul, gfpow + +# divisors of 255 and their factors in natural numbers +DIVISORS = [3, 5, 15, 17, 51, 85, 255] +FACTORS = {3: [3], 5: [5], 15: [3, 5], 17: [17], 51: [3, 17], 85: [5, 17], 255: [3, 5, 17]} +# values of n-th square roots in GF256 +SQUARE_ROOTS = {3: 189, 5: 12, 15: 225, 17: 53, 51: 51, 85: 15, 255: 3} + + +def ceil_size(n): + assert n <= DIVISORS[-1] + for (i, ni) in enumerate(DIVISORS): + if ni >= n: + break + + return ni + + +def precompute_x(n): + """Return a geometric sequence [1, w, w**2, ..., w**(n-1)], where w**n==1. + This can be done only for certain values of n.""" + assert n in SQUARE_ROOTS, n + w = SQUARE_ROOTS[n] # primitive N-th square root of 1 + return list(itertools.accumulate([1]+[w]*(n-1), gfmul)) + + +def complex_dft(p): + """Quadratic formula from the definition. The basic case in complex numbers.""" + N = len(p) + w = cmath.exp(-2*math.pi*1j/N) # primitive N-th square root of 1 + y = [0]*N + for k in range(N): + xk = w**k + for n in range(N): + y[k] += p[n] * xk**n + return y + + +def dft(p): + """Quadratic formula from the definition. In GF256.""" + N = len(p) + x = precompute_x(N) + y = [0]*N + for k in range(N): + for n in range(N): + y[k] ^= gfmul(p[n], gfpow(x[k], n)) + return y + + +def compute_inverse(N1, N2): + for i in range(N2): + if N1*i % N2 == 1: + return i + raise ValueError("Failed to find an inverse to {0} mod {1}.".format(N1, N2)) + + +def prime_fft(p, divisors, basic_dft=dft): + """https://en.wikipedia.org/wiki/Prime-factor_FFT_algorithm""" + if len(divisors) == 1: + return basic_dft(p) + N = len(p) + N1 = divisors[0] + N2 = N//N1 + N1_inv = compute_inverse(N1, N2) + N2_inv = compute_inverse(N2, N1) + + ys = [] + for n1 in range(N1): # compute rows + p_ = [p[(n2*N1+n1*N2) % N] for n2 in range(N2)] + ys.append(prime_fft(p_, divisors[1:], basic_dft)) + + for k2 in range(N2): # compute cols + p_ = [row[k2] for row in ys] + y_ = basic_dft(p_) + for (yi, row) in zip(y_, ys): # update col + row[k2] = yi + + # remap and output + res = [0]*N + for k1 in range(N1): + for k2 in range(N2): + res[(k1*N2*N2_inv+k2*N1*N1_inv) % N] = ys[k1][k2] + return res + + +def evaluate(coefs, n): + ni = ceil_size(n) + extended_coefs = coefs + [0]*(ni-len(coefs)) + ys = prime_fft(extended_coefs, FACTORS[ni]) + + return ys[:n] diff --git a/src/shamira/gf256.py b/src/shamira/gf256.py --- a/src/shamira/gf256.py +++ b/src/shamira/gf256.py @@ -29,7 +29,6 @@ L[1] = 0 INV = [E[255-L[i]] if i!=0 else None for i in range(256)] # multiplicative inverse -@cache def gfmul(a, b): """Fast multiplication. Basic multiplication is expensive. a*b==g**(log(a)+log(b))""" assert 0<=a<=255, 0<=b<=255 @@ -39,6 +38,19 @@ def gfmul(a, b): return E[t] +def gfpow(x, k): + """Compute x**k.""" + i = 1 + res = 1 + while i <= k: + if k&i: + res = gfmul(res, x) + x = gfmul(x, x) + i <<= 1 + + return res + + def evaluate(coefs, x): """Evaluate polynomial's value at x. diff --git a/src/shamira/tests/test_fft.py b/src/shamira/tests/test_fft.py new file mode 100644 --- /dev/null +++ b/src/shamira/tests/test_fft.py @@ -0,0 +1,56 @@ +# GNU GPLv3, see LICENSE + +import random +import functools +import operator +from unittest import TestCase + +from .. import gf256 +from ..fft import * + + +def batch_evaluate(coefs, xs): + return [gf256.evaluate(coefs, x) for x in xs] + + +class TestFFT(TestCase): + def test_complex_dft(self): + self.assertEqual(complex_dft([0]), [0+0j]) + self.assertEqual(complex_dft([1]), [1+0j]) + self.assertEqual(complex_dft([2]), [2+0j]) + all(self.assertAlmostEqual(a, b) for (a, b) in zip(complex_dft([3, 1]), [4+0j, 2+0j])) + all(self.assertAlmostEqual(a, b) for (a, b) in zip(complex_dft([3, 1, 4]), [8+0j, 0.5+2.59807621j, 0.5-2.59807621j])) + all(self.assertAlmostEqual(a, b) for (a, b) in zip(complex_dft([3, 1, 4, 1]), [9+0j, -1+0j, 5+0j, -1+0j])) + all(self.assertAlmostEqual(a, b) for (a, b) in zip( + complex_dft([3, 1, 4, 1, 5]), + [14+0j, 0.80901699+2.04087031j, -0.30901699+5.20431056j, -0.30901699-5.20431056j, 0.80901699-2.04087031j] + )) + + def test_complex_prime_fft(self): + random.seed(1918) + for divisors in [[3], [2, 3], [3, 5], [3, 5, 17], [2, 3, 5, 7, 11]]: + n = functools.reduce(operator.mul, divisors) + coefficients = [random.randint(-128, 127) for i in range(n)] + a = prime_fft(coefficients, divisors, complex_dft) + b = complex_dft(coefficients) + all(self.assertAlmostEqual(ai, bi) for (ai, bi) in zip(a, b)) + + def test_finite_dft(self): + random.seed(1918) + x = {i: precompute_x(i) for i in [3, 5, 15, 17]} # all sets of xs + + for n in [3, 5, 15, 17]: + coefficients = [random.randint(0, 255) for i in range(n)] + self.assertEqual( + dft(coefficients), + batch_evaluate(coefficients[::-1], x[n]) + ) + + def test_finite_prime_fft(self): + random.seed(1918) + for divisors in [[3], [3, 5], [3, 17], [5, 17], [3, 5, 17]]: + n = functools.reduce(operator.mul, divisors) + coefficients = [random.randint(0, 255) for i in range(n)] + a = prime_fft(coefficients, divisors) + b = dft(coefficients) + all(self.assertAlmostEqual(ai, bi) for (ai, bi) in zip(a, b)) diff --git a/src/shamira/tests/test_gf256.py b/src/shamira/tests/test_gf256.py --- a/src/shamira/tests/test_gf256.py +++ b/src/shamira/tests/test_gf256.py @@ -22,6 +22,26 @@ class TestGF256(TestCase): for b in range(256): self.assertEqual(_gfmul(a, b), gfmul(a, b)) + def test_gfpow(self): + self.assertEqual(gfpow(0, 0), 1) + + for i in range(1, 256): + self.assertEqual(gfpow(i, 0), 1) + self.assertEqual(gfpow(i, 1), i) + self.assertEqual(gfpow(0, i), 0) + self.assertEqual(gfpow(1, i), 1) + self.assertEqual(gfpow(i, 256), i) + self.assertEqual(gfpow(i, 2), gfmul(i, i)) + + random.seed(1918) + for i in range(256): + j = random.randint(2, 255) + k = random.randint(3, 255) + y = 1 + for m in range(k): + y = gfmul(y, j) + self.assertEqual(gfpow(j, k), y) + def test_evaluate(self): for x in range(256): (a0, a1, a2, a3) = (x, x>>1, x>>2, x>>3) diff --git a/src/shamira/tests/test_shamira.py b/src/shamira/tests/test_shamira.py --- a/src/shamira/tests/test_shamira.py +++ b/src/shamira/tests/test_shamira.py @@ -5,7 +5,7 @@ from unittest import TestCase from .. import * from .. import gf256 -from ..core import encode, decode,detect_encoding, _share_byte +from ..core import encode, decode, detect_encoding, _share_byte, compute_x class TestShamira(TestCase): @@ -29,7 +29,7 @@ class TestShamira(TestCase): _share_byte("x", 2, 3) ys = _share_byte(ord(b"a"), 2, 3) - xs = list(range(1, 4)) + xs = compute_x(3) weights = gf256.compute_weights(xs) self.assertEqual(gf256.get_constant_coef(weights, ys), ord(b"a"))