Table of Contents

Class WrappedSecret

Namespace
PostQuantum.SecretSharing
Assembly
PostQuantum.SecretSharing.dll

Helpers for the wrap pattern: the correct way to apply threshold custody to data that may be low-entropy (passphrases, PINs) or large.

public static class WrappedSecret
Inheritance
WrappedSecret
Inherited Members

Remarks

Splitting a low-entropy secret directly is unsafe — the per-share check value is an offline guessing oracle (see THREAT-MODEL.md). These helpers instead generate a random 256-bit KEK, seal your real secret under it with AES-256-GCM, and split the KEK (which is always high-entropy, so the oracle is harmless). The sealed envelope is not secret and can be stored beside the shares.

Methods

Reconstruct(IReadOnlyList<SecretShare>, ReadOnlyMemory<byte>, ReadOnlyMemory<byte>?)

Reconstructs the KEK from exactly k shares, then decrypts and authenticates the envelope, returning the original secret in a ZeroizingBuffer.

public static ZeroizingBuffer Reconstruct(IReadOnlyList<SecretShare> shares, ReadOnlyMemory<byte> envelope, ReadOnlyMemory<byte>? expectedDealerPublicKey = null)

Parameters

shares IReadOnlyList<SecretShare>
envelope ReadOnlyMemory<byte>
expectedDealerPublicKey ReadOnlyMemory<byte>?

Returns

ZeroizingBuffer

Exceptions

ShareConsistencyException

If the envelope is malformed or fails authentication (tampered or wrong KEK).

Split(ReadOnlySpan<byte>, SharePolicy)

Wrap-splits secret with no dealer authentication.

public static WrappedSplit Split(ReadOnlySpan<byte> secret, SharePolicy policy)

Parameters

secret ReadOnlySpan<byte>
policy SharePolicy

Returns

WrappedSplit

Split(ReadOnlySpan<byte>, SharePolicy, IShareAuthenticator)

Wrap-splits secret and dealer-signs the KEK shares.

public static WrappedSplit Split(ReadOnlySpan<byte> secret, SharePolicy policy, IShareAuthenticator dealer)

Parameters

secret ReadOnlySpan<byte>
policy SharePolicy
dealer IShareAuthenticator

Returns

WrappedSplit