Generate SSS shares from mnemonic words

2026-01-30 16:31:09 -08:00
parent c07f1f20d5
commit fb1377eb4b
3 changed files with 334 additions and 20 deletions
--- a/src/utils/sss.ts
+++ b/src/utils/sss.ts
@@ -0,0 +1,263 @@
+/**
+ * Shamir's Secret Sharing (SSS) Implementation
+ * 
+ * This implements a (3,2) threshold scheme where:
+ * - Secret is split into 3 shares
+ * - Any 2 shares can recover the original secret
+ * 
+ * Based on the Sentinel crypto_core_demo Python implementation.
+ */
+
+// Use a large prime for the finite field
+// We use 2^127 - 1 (a Mersenne prime) which fits well in BigInt
+// This is smaller than the Python version's 2^521 - 1 but sufficient for our 128-bit entropy
+const PRIME = BigInt('170141183460469231731687303715884105727'); // 2^127 - 1
+
+/**
+ * Represents an SSS share as a coordinate point (x, y)
+ */
+export interface SSSShare {
+  x: number;
+  y: bigint;
+  label: string; // 'device' | 'cloud' | 'heir'
+}
+
+/**
+ * Generate a cryptographically secure random BigInt in range [0, max)
+ */
+function secureRandomBigInt(max: bigint): bigint {
+  // Get the number of bytes needed
+  const byteLength = Math.ceil(max.toString(2).length / 8);
+  const randomBytes = new Uint8Array(byteLength);
+  
+  // Use crypto.getRandomValues for secure randomness
+  if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+    crypto.getRandomValues(randomBytes);
+  } else {
+    // Fallback for environments without crypto
+    for (let i = 0; i < byteLength; i++) {
+      randomBytes[i] = Math.floor(Math.random() * 256);
+    }
+  }
+  
+  // Convert to BigInt
+  let result = BigInt(0);
+  for (let i = 0; i < randomBytes.length; i++) {
+    result = (result << BigInt(8)) + BigInt(randomBytes[i]);
+  }
+  
+  // Ensure result is within range
+  return result % max;
+}
+
+/**
+ * Convert mnemonic words to entropy (as BigInt)
+ * Each word is mapped to its index, then combined into a single large number
+ */
+export function mnemonicToEntropy(words: string[], wordList: readonly string[]): bigint {
+  let entropy = BigInt(0);
+  const wordListLength = BigInt(wordList.length);
+  
+  for (const word of words) {
+    const index = wordList.indexOf(word);
+    if (index === -1) {
+      throw new Error(`Word "${word}" not found in word list`);
+    }
+    entropy = entropy * wordListLength + BigInt(index);
+  }
+  
+  return entropy;
+}
+
+/**
+ * Convert entropy back to mnemonic words
+ */
+export function entropyToMnemonic(entropy: bigint, wordCount: number, wordList: readonly string[]): string[] {
+  const words: string[] = [];
+  const wordListLength = BigInt(wordList.length);
+  let remaining = entropy;
+  
+  for (let i = 0; i < wordCount; i++) {
+    const index = Number(remaining % wordListLength);
+    words.unshift(wordList[index]);
+    remaining = remaining / wordListLength;
+  }
+  
+  return words;
+}
+
+/**
+ * Modular inverse using extended Euclidean algorithm
+ * Returns x such that (a * x) % p === 1
+ */
+function modInverse(a: bigint, p: bigint): bigint {
+  let [oldR, r] = [a % p, p];
+  let [oldS, s] = [BigInt(1), BigInt(0)];
+  
+  while (r !== BigInt(0)) {
+    const quotient = oldR / r;
+    [oldR, r] = [r, oldR - quotient * r];
+    [oldS, s] = [s, oldS - quotient * s];
+  }
+  
+  // Ensure positive result
+  return ((oldS % p) + p) % p;
+}
+
+/**
+ * Modular arithmetic helper to ensure positive results
+ */
+function mod(n: bigint, p: bigint): bigint {
+  return ((n % p) + p) % p;
+}
+
+/**
+ * Split a secret into 3 shares using SSS (3,2) threshold scheme
+ * 
+ * Uses linear polynomial: f(x) = secret + a*x (mod p)
+ * where 'a' is a random coefficient
+ * 
+ * Any 2 points on this line can recover the y-intercept (secret)
+ */
+export function splitSecret(secret: bigint): SSSShare[] {
+  // Generate random coefficient for the polynomial
+  const a = secureRandomBigInt(PRIME);
+  
+  // Polynomial: f(x) = secret + a*x (mod PRIME)
+  const f = (x: number): bigint => {
+    return mod(secret + a * BigInt(x), PRIME);
+  };
+  
+  // Generate 3 shares at x = 1, 2, 3
+  return [
+    { x: 1, y: f(1), label: 'device' },
+    { x: 2, y: f(2), label: 'cloud' },
+    { x: 3, y: f(3), label: 'heir' },
+  ];
+}
+
+/**
+ * Recover the secret from any 2 shares using Lagrange interpolation
+ * 
+ * For 2 points (x1, y1) and (x2, y2), the secret (y-intercept) is:
+ * S = (x2*y1 - x1*y2) / (x2 - x1) (mod p)
+ */
+export function recoverSecret(shareA: SSSShare, shareB: SSSShare): bigint {
+  const { x: x1, y: y1 } = shareA;
+  const { x: x2, y: y2 } = shareB;
+  
+  // Numerator: x2*y1 - x1*y2
+  const numerator = mod(
+    BigInt(x2) * y1 - BigInt(x1) * y2,
+    PRIME
+  );
+  
+  // Denominator: x2 - x1
+  const denominator = mod(BigInt(x2 - x1), PRIME);
+  
+  // Division in modular arithmetic = multiply by modular inverse
+  const invDenominator = modInverse(denominator, PRIME);
+  
+  return mod(numerator * invDenominator, PRIME);
+}
+
+/**
+ * Format a share for display (truncated for readability)
+ * Shows first 8 and last 4 characters of the y-value
+ */
+export function formatShareForDisplay(share: SSSShare): string {
+  const yStr = share.y.toString();
+  if (yStr.length <= 16) {
+    return `(${share.x}, ${yStr})`;
+  }
+  return `(${share.x}, ${yStr.slice(0, 8)}...${yStr.slice(-4)})`;
+}
+
+/**
+ * Format a share as a compact display string (for UI cards)
+ * Returns a shorter format showing the share index and a hash-like preview
+ */
+export function formatShareCompact(share: SSSShare): string {
+  const yStr = share.y.toString();
+  // Create a "fingerprint" from the y value
+  const fingerprint = yStr.slice(0, 4) + '-' + yStr.slice(4, 8) + '-' + yStr.slice(-4);
+  return fingerprint;
+}
+
+/**
+ * Serialize a share to a string for storage/transmission
+ */
+export function serializeShare(share: SSSShare): string {
+  return JSON.stringify({
+    x: share.x,
+    y: share.y.toString(),
+    label: share.label,
+  });
+}
+
+/**
+ * Deserialize a share from a string
+ */
+export function deserializeShare(str: string): SSSShare {
+  const parsed = JSON.parse(str);
+  return {
+    x: parsed.x,
+    y: BigInt(parsed.y),
+    label: parsed.label,
+  };
+}
+
+/**
+ * Main function to generate mnemonic and SSS shares
+ * This is the entry point for the vault initialization flow
+ */
+export interface VaultKeyData {
+  mnemonic: string[];
+  shares: SSSShare[];
+  entropy: bigint;
+}
+
+export function generateVaultKeys(
+  wordList: readonly string[],
+  wordCount: number = 12
+): VaultKeyData {
+  // Generate random mnemonic
+  const mnemonic: string[] = [];
+  for (let i = 0; i < wordCount; i++) {
+    const index = Math.floor(Math.random() * wordList.length);
+    mnemonic.push(wordList[index]);
+  }
+  
+  // Convert to entropy
+  const entropy = mnemonicToEntropy(mnemonic, wordList);
+  
+  // Split into shares
+  const shares = splitSecret(entropy);
+  
+  return { mnemonic, shares, entropy };
+}
+
+/**
+ * Verify that shares can recover the original entropy
+ * Useful for testing and validation
+ */
+export function verifyShares(
+  shares: SSSShare[],
+  originalEntropy: bigint
+): boolean {
+  // Test all 3 combinations of 2 shares
+  const combinations = [
+    [shares[0], shares[1]], // Device + Cloud
+    [shares[1], shares[2]], // Cloud + Heir
+    [shares[0], shares[2]], // Device + Heir
+  ];
+  
+  for (const [a, b] of combinations) {
+    const recovered = recoverSecret(a, b);
+    if (recovered !== originalEntropy) {
+      return false;
+    }
+  }
+  
+  return true;
+}