Class ShamirSecretSharing

Namespace
PostQuantum.SecretSharing
Assembly
PostQuantum.SecretSharing.dll

The public facade for Shamir's Secret Sharing over GF(2⁸) with strict-CBOR .pqss shares. Provides splitting (with or without dealer authentication) and exactly-k reconstruction.

public static class ShamirSecretSharing
Inheritance
ShamirSecretSharing

Methods

Reconstruct(IReadOnlyList<SecretShare>, ReadOnlyMemory<byte>?)

Reconstructs the secret from exactly k shares.

public static ZeroizingBuffer Reconstruct(IReadOnlyList<SecretShare> shares, ReadOnlyMemory<byte>? expectedDealerPublicKey = null)

Parameters

shares IReadOnlyList<SecretShare>

Exactly k distinct shares from one split. Supplying more than k is rejected so operator errors are not silently masked by quietly choosing a subset.

expectedDealerPublicKey ReadOnlyMemory<byte>?

If supplied, every share must be authenticated (authAlgorithm ≠ 0), carry exactly this key, and verify — otherwise ShareAuthenticationException. This is your pin: it is the only thing that proves the shares came from your dealer.

If null and the shares nonetheless carry signatures, those signatures are still verified against the embedded dealer key as defense in depth. Be warned: embedded-key-only verification is self-attestation, not authority — a forged share set can embed and sign with any key. Pass the pin to get a real authenticity guarantee.

Returns

ZeroizingBuffer

A ZeroizingBuffer holding the reconstructed secret.

Exceptions

SharePolicyException

If the share count is not exactly k, or indices are out of range.

ShareConsistencyException

If the shares cannot belong to one split, or the check value mismatches.

ShareAuthenticationException

If authentication is required or present and fails.

Refresh(IReadOnlyList<SecretShare>, SharePolicy?, ReadOnlyMemory<byte>?, IShareAuthenticator?)

Re-splits the secret into a brand-new set of shares (with a new splitId), so that shares from the previous split can no longer be combined with the new ones. Use this to rotate custody — e.g. when a trustee departs — without changing the underlying secret.

public static SecretShare[] Refresh(IReadOnlyList<SecretShare> shares, SharePolicy? newPolicy = null, ReadOnlyMemory<byte>? expectedDealerPublicKey = null, IShareAuthenticator? newDealer = null)

Parameters

shares IReadOnlyList<SecretShare>

Exactly k shares of the current split.

newPolicy SharePolicy?

The policy for the new split; defaults to the current (k, n).

expectedDealerPublicKey ReadOnlyMemory<byte>?

Optional pin verified against the incoming shares.

newDealer IShareAuthenticator?

If supplied, the new shares are authenticated by this dealer.

Returns

SecretShare[]

Remarks

This is quorum-mediated refresh: the secret is briefly reconstructed in a ZeroizingBuffer (wiped before return) and re-split. It is not proactive secret sharing (which re-randomizes shares across parties without ever reconstructing) — that distributed protocol is out of scope.

Because the secret is unchanged, old shares still reconstruct it among themselves. If you are rotating because a share may be compromised, rotate the underlying secret instead (see OPERATIONS.md, "revocation always rotates").

Split(ReadOnlySpan<byte>, SharePolicy)

Splits secret into policy.TotalShares shares with threshold policy.Threshold, with no dealer authentication. Integrity rests on the HKDF check value embedded in each share.

public static SecretShare[] Split(ReadOnlySpan<byte> secret, SharePolicy policy)

Parameters

secret ReadOnlySpan<byte>
policy SharePolicy

Returns

SecretShare[]

Exceptions

SharePolicyException

If the policy or secret length is out of range.

Split(ReadOnlySpan<byte>, SharePolicy, IShareAuthenticator)

Splits secret and authenticates every share with the given dealer: each share embeds the dealer public key and a signature over its canonical bytes (keys 0–10).

public static SecretShare[] Split(ReadOnlySpan<byte> secret, SharePolicy policy, IShareAuthenticator dealer)

Parameters

secret ReadOnlySpan<byte>
policy SharePolicy
dealer IShareAuthenticator

Returns

SecretShare[]

Exceptions

SharePolicyException

If the policy or secret length is out of range.

ArgumentNullException

If dealer is null.
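An added usage sketch (not part of the library's own samples) covering the authenticated Split above and the Reconstruct contract earlier on this page: exactly-k reconstruction under a pinned dealer key, rejection of a wrong pin, and rejection of k+1 shares. It assumes a SharePolicy(threshold, totalShares) constructor, that the caller already holds an IShareAuthenticator and its public key bytes, and that ZeroizingBuffer is IDisposable with a Span property exposing the secret; those three are assumptions, everything else is the API documented here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using PostQuantum.SecretSharing;

static class PinnedQuorumDemo
{
    // dealer and dealerPublicKey are supplied by the caller; how they are created
    // is outside this page. Returns true only if every expected behaviour holds.
    public static bool Run(IShareAuthenticator dealer, ReadOnlyMemory<byte> dealerPublicKey)
    {
        byte[] original = new byte[32];
        RandomNumberGenerator.Fill(original);            // constructed sample secret

        // Assumption: SharePolicy(threshold, totalShares). k = 2 of n = 3.
        var policy = new SharePolicy(threshold: 2, totalShares: 3);

        // Authenticated split: each share embeds the dealer key and a signature.
        SecretShare[] shares = ShamirSecretSharing.Split(original, policy, dealer);

        // 1. Exactly k shares plus the pin: the only path that proves provenance.
        var quorum = new List<SecretShare> { shares[0], shares[2] };
        using (ZeroizingBuffer secret = ShamirSecretSharing.Reconstruct(quorum, dealerPublicKey))
        {
            // Assumption: ZeroizingBuffer.Span exposes the bytes; wiped on Dispose.
            if (!secret.Span.SequenceEqual(original)) return false;
        }

        // 2. Wrong pin: shares verify against their embedded key, but that key is
        //    not the one we pinned, so reconstruction must fail.
        var wrongPin = new ReadOnlyMemory<byte>(new byte[dealerPublicKey.Length]); // constructed
        try
        {
            using var _ = ShamirSecretSharing.Reconstruct(quorum, wrongPin);
            return false;                                // must not get here
        }
        catch (ShareAuthenticationException) { }

        // 3. k+1 shares: rejected rather than silently trimmed to a subset.
        try
        {
            using var _ = ShamirSecretSharing.Reconstruct(shares, dealerPublicKey);
            return false;
        }
        catch (SharePolicyException) { }

        Array.Clear(original, 0, original.Length);       // zeroize the caller's copy too
        return true;
    }
}
```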