Class ShamirSecretSharing
- Namespace
- PostQuantum.SecretSharing
- Assembly
- PostQuantum.SecretSharing.dll
The public facade for Shamir's Secret Sharing over GF(2⁸) with strict-CBOR
.pqss shares. Provides splitting (with or without dealer
authentication) and exactly-k reconstruction.
public static class ShamirSecretSharing
- Inheritance
- ShamirSecretSharing
Methods
Reconstruct(IReadOnlyList<SecretShare>, ReadOnlyMemory<byte>?)
Reconstructs the secret from exactly k shares.
public static ZeroizingBuffer Reconstruct(IReadOnlyList<SecretShare> shares, ReadOnlyMemory<byte>? expectedDealerPublicKey = null)
Parameters
- shares IReadOnlyList<SecretShare>
Exactly k distinct shares from one split. Supplying more than k is rejected so operator errors are not silently masked by quietly choosing a subset.
- expectedDealerPublicKey ReadOnlyMemory<byte>?
If supplied, every share must be authenticated (authAlgorithm ≠ 0), carry exactly this key, and verify; otherwise ShareAuthenticationException is thrown. This is your pin: it is the only thing that proves the shares came from your dealer.
If null and the shares nonetheless carry signatures, those signatures are still verified against the embedded dealer key as defense in depth. Be warned: embedded-key-only verification is self-attestation, not authority — a forged share set can embed and sign with any key. Pass the pin to get a real authenticity guarantee.
Returns
- ZeroizingBuffer
A ZeroizingBuffer holding the reconstructed secret.
Exceptions
- SharePolicyException
If the share count is not exactly k, or indices are out of range.
- ShareConsistencyException
If the shares cannot belong to one split, or the check value mismatches.
- ShareAuthenticationException
If authentication is required or present and fails.
Refresh(IReadOnlyList<SecretShare>, SharePolicy?, ReadOnlyMemory<byte>?, IShareAuthenticator?)
Re-splits the secret into a brand-new set of shares (with a new
splitId), so that shares from the previous split can no longer be
combined with the new ones. Use this to rotate custody — e.g. when a
trustee departs — without changing the underlying secret.
public static SecretShare[] Refresh(IReadOnlyList<SecretShare> shares, SharePolicy? newPolicy = null, ReadOnlyMemory<byte>? expectedDealerPublicKey = null, IShareAuthenticator? newDealer = null)
Parameters
- shares IReadOnlyList<SecretShare>
Exactly k shares of the current split.
- newPolicy SharePolicy
The policy for the new split; defaults to the current (k, n).
- expectedDealerPublicKey ReadOnlyMemory<byte>?
Optional pin verified against the incoming shares.
- newDealer IShareAuthenticator
If supplied, the new shares are authenticated by this dealer.
Returns
- SecretShare[]
Remarks
This is quorum-mediated refresh: the secret is briefly reconstructed in a ZeroizingBuffer (wiped before return) and re-split. It is not proactive secret sharing (which re-randomizes shares across parties without ever reconstructing) — that distributed protocol is out of scope.
Because the secret is unchanged, old shares still reconstruct it among themselves. If you are rotating because a share may be compromised, rotate the underlying secret instead (see OPERATIONS.md, "revocation always rotates").
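The Remarks above, modelled as an added Python example; it is not the library's code or API. It is a toy Shamir split over GF(2⁸) that assumes the AES reduction polynomial 0x11B and share indices 1..n, neither of which this page specifies. Re-splitting the same secret leaves an old quorum able to reconstruct it, while a quorum mixing old and new shares interpolates to the wrong value, which is why shares from different splits must be told apart.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8); the reduction polynomial 0x11B is an assumption."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):  # a^254 is the inverse of any non-zero a, since a^255 == 1
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split(secret, k, n):
    """One fresh random degree-(k-1) polynomial per secret byte, evaluated at x = 1..n."""
    shares = {x: bytearray() for x in range(1, n + 1)}
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, out in shares.items():
            y = 0
            for c in reversed(coeffs):  # Horner evaluation, constant term is the secret byte
                y = gf_mul(y, x) ^ c
            out.append(y)
    return {x: bytes(v) for x, v in shares.items()}

def reconstruct(shares, k):
    """Lagrange interpolation at x = 0 from exactly k shares given as {x: bytes}."""
    if len(shares) != k:
        raise ValueError("exactly k shares required")
    out = bytearray(len(next(iter(shares.values()))))
    for xj, data in shares.items():
        w = 1  # basis value l_j(0) = product of x_m / (x_m ^ x_j) over m != j
        for xm in shares:
            if xm != xj:
                w = gf_mul(w, gf_mul(xm, gf_inv(xm ^ xj)))
        for i, y in enumerate(data):
            out[i] ^= gf_mul(y, w)
    return bytes(out)

def refresh_demo(secret=b"constructed sample secret"):
    """Return whether the (old, new, mixed) 2-of-3 quorums recover the secret."""
    old, new = split(secret, 2, 3), split(secret, 2, 3)  # refresh: same secret, new polynomials
    quorums = ({1: old[1], 2: old[2]}, {2: new[2], 3: new[3]}, {1: old[1], 2: new[2]})
    return tuple(reconstruct(q, 2) == secret for q in quorums)
```

`refresh_demo()` returns `(True, True, False)`: the old quorum still works after the refresh, so a refresh alone does not contain a leaked share.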
Split(ReadOnlySpan<byte>, SharePolicy)
Splits secret into policy.TotalShares shares with
threshold policy.Threshold, with no dealer authentication. Integrity
rests on the HKDF check value embedded in each share.
public static SecretShare[] Split(ReadOnlySpan<byte> secret, SharePolicy policy)
Parameters
- secret ReadOnlySpan<byte>
- policy SharePolicy
Returns
- SecretShare[]
Exceptions
- SharePolicyException
If the policy or secret length is out of range.
Split(ReadOnlySpan<byte>, SharePolicy, IShareAuthenticator)
Splits secret and authenticates every share with the
given dealer: each share embeds the dealer public key and a signature over
its canonical bytes (keys 0–10).
public static SecretShare[] Split(ReadOnlySpan<byte> secret, SharePolicy policy, IShareAuthenticator dealer)
Parameters
- secret ReadOnlySpan<byte>
- policy SharePolicy
- dealer IShareAuthenticator
Returns
- SecretShare[]
Exceptions
- SharePolicyException
If the policy or secret length is out of range.
- ArgumentNullException
If dealer is null.