Class WrappedSecret
- Namespace
- PostQuantum.SecretSharing
- Assembly
- PostQuantum.SecretSharing.dll
Helpers for the wrap pattern: the correct way to apply threshold custody to data that may be low-entropy (passphrases, PINs) or large.
public static class WrappedSecret
- Inheritance
- WrappedSecret
Remarks
Splitting a low-entropy secret directly is unsafe — the per-share check value is an offline guessing oracle (see THREAT-MODEL.md). These helpers instead generate a random 256-bit KEK, seal your real secret under it with AES-256-GCM, and split the KEK (which is always high-entropy, so the oracle is harmless). The sealed envelope is not secret and can be stored beside the shares.
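The wrap pattern described above, as an added example that is not the library's own code. It calls .NET 8's `AesGcm` directly; the `Seal`/`Open` helpers, the envelope layout (nonce || tag || ciphertext) and the 2-of-2 XOR split standing in for the threshold split are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class WrapPatternDemo
{
    const int NonceLen = 12, TagLen = 16;

    // Seal: envelope = nonce || tag || ciphertext (layout constructed for this demo).
    static byte[] Seal(byte[] kek, ReadOnlySpan<byte> secret)
    {
        var env = new byte[NonceLen + TagLen + secret.Length];
        RandomNumberGenerator.Fill(env.AsSpan(0, NonceLen));
        using var gcm = new AesGcm(kek, TagLen);
        gcm.Encrypt(env.AsSpan(0, NonceLen), secret,
                    env.AsSpan(NonceLen + TagLen), env.AsSpan(NonceLen, TagLen));
        return env;
    }

    // Open: throws CryptographicException if the envelope was modified or the KEK is wrong.
    static byte[] Open(byte[] kek, ReadOnlySpan<byte> env)
    {
        if (env.Length < NonceLen + TagLen) throw new CryptographicException("envelope too short");
        var plain = new byte[env.Length - NonceLen - TagLen];
        using var gcm = new AesGcm(kek, TagLen);
        gcm.Decrypt(env[..NonceLen], env[(NonceLen + TagLen)..], env.Slice(NonceLen, TagLen), plain);
        return plain;
    }

    static void Main()
    {
        byte[] pin = Encoding.UTF8.GetBytes("4921");      // constructed low-entropy secret
        byte[] kek = RandomNumberGenerator.GetBytes(32);   // random 256-bit KEK
        byte[] envelope = Seal(kek, pin);                  // not secret; may sit beside the shares

        // Stand-in 2-of-2 XOR split (n-of-n, not a threshold scheme). Only the KEK is split.
        byte[] share1 = RandomNumberGenerator.GetBytes(32);
        byte[] share2 = new byte[32];
        for (int i = 0; i < 32; i++) share2[i] = (byte)(kek[i] ^ share1[i]);
        CryptographicOperations.ZeroMemory(kek);

        byte[] rebuilt = new byte[32];
        for (int i = 0; i < 32; i++) rebuilt[i] = (byte)(share1[i] ^ share2[i]);
        Console.WriteLine(Encoding.UTF8.GetString(Open(rebuilt, envelope)));

        envelope[^1] ^= 0x01;                              // simulate tampering in storage
        try { Open(rebuilt, envelope); }
        catch (CryptographicException) { Console.WriteLine("envelope rejected"); }
        CryptographicOperations.ZeroMemory(rebuilt);
    }
}
```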
Methods
Reconstruct(IReadOnlyList<SecretShare>, ReadOnlyMemory<byte>, ReadOnlyMemory<byte>?)
Reconstructs the KEK from exactly k shares, then decrypts and authenticates the envelope, returning the original secret in a ZeroizingBuffer.
public static ZeroizingBuffer Reconstruct(IReadOnlyList<SecretShare> shares, ReadOnlyMemory<byte> envelope, ReadOnlyMemory<byte>? expectedDealerPublicKey = null)
Parameters
- shares IReadOnlyList<SecretShare>
- envelope ReadOnlyMemory<byte>
- expectedDealerPublicKey ReadOnlyMemory<byte>?
Returns
- ZeroizingBuffer
Exceptions
- ShareConsistencyException
If the envelope is malformed or fails authentication (tampered or wrong KEK).
Split(ReadOnlySpan<byte>, SharePolicy)
Wrap-splits secret with no dealer authentication.
public static WrappedSplit Split(ReadOnlySpan<byte> secret, SharePolicy policy)
Parameters
- secret ReadOnlySpan<byte>
- policy SharePolicy
Returns
- WrappedSplit
Split(ReadOnlySpan<byte>, SharePolicy, IShareAuthenticator)
Wrap-splits secret and dealer-signs the KEK shares.
public static WrappedSplit Split(ReadOnlySpan<byte> secret, SharePolicy policy, IShareAuthenticator dealer)
Parameters
- secret ReadOnlySpan<byte>
- policy SharePolicy
- dealer IShareAuthenticator