secure_vector<byte> RTSS_Share::reconstruct(const std::vector<RTSS_Share>& shares) { const size_t RTSS_HEADER_SIZE = 20; for(size_t i = 0; i != shares.size(); ++i) { if(shares[i].size() != shares[0].size()) throw Decoding_Error("Different sized RTSS shares detected"); if(shares[i].share_id() == 0) throw Decoding_Error("Invalid (id = 0) RTSS share detected"); if(shares[i].size() < RTSS_HEADER_SIZE) throw Decoding_Error("Missing or malformed RTSS header"); if(!same_mem(&shares[0].m_contents[0], &shares[i].m_contents[0], RTSS_HEADER_SIZE)) throw Decoding_Error("Different RTSS headers detected"); } if(shares.size() < shares[0].m_contents[17]) throw Decoding_Error("Insufficient shares to do TSS reconstruction"); u16bit secret_len = make_u16bit(shares[0].m_contents[18], shares[0].m_contents[19]); byte hash_id = shares[0].m_contents[16]; std::unique_ptr<HashFunction> hash(get_rtss_hash_by_id(hash_id)); if(shares[0].size() != secret_len + hash->output_length() + RTSS_HEADER_SIZE + 1) throw Decoding_Error("Bad RTSS length field in header"); std::vector<byte> V(shares.size()); secure_vector<byte> secret; for(size_t i = RTSS_HEADER_SIZE + 1; i != shares[0].size(); ++i) { for(size_t j = 0; j != V.size(); ++j) V[j] = shares[j].m_contents[i]; byte r = 0; for(size_t k = 0; k != shares.size(); ++k) { // L_i function: byte r2 = 1; for(size_t l = 0; l != shares.size(); ++l) { if(k == l) continue; byte share_k = shares[k].share_id(); byte share_l = shares[l].share_id(); if(share_k == share_l) throw Decoding_Error("Duplicate shares found in RTSS recovery"); byte div = RTSS_EXP[(255 + RTSS_LOG[share_l] - RTSS_LOG[share_k ^ share_l]) % 255]; r2 = gfp_mul(r2, div); } r ^= gfp_mul(V[k], r2); } secret.push_back(r); } if(secret.size() != secret_len + hash->output_length()) throw Decoding_Error("Bad length in RTSS output"); hash->update(secret.data(), secret_len); secure_vector<byte> hash_check = hash->final(); if(!same_mem(hash_check.data(), &secret[secret_len], hash->output_length())) throw Decoding_Error("RTSS hash check failed"); return secure_vector<byte>(secret.cbegin(), secret.cbegin() + secret_len); }
secure_vector<uint8_t> RTSS_Share::reconstruct(const std::vector<RTSS_Share>& shares) { if(shares.size() <= 1) throw Decoding_Error("Insufficient shares to do TSS reconstruction"); for(size_t i = 0; i != shares.size(); ++i) { if(shares[i].size() < RTSS_HEADER_SIZE + 1) throw Decoding_Error("Missing or malformed RTSS header"); if(shares[i].share_id() == 0) throw Decoding_Error("Invalid (id = 0) RTSS share detected"); if(i > 0) { if(shares[i].size() != shares[0].size()) throw Decoding_Error("Different sized RTSS shares detected"); if(!same_mem(&shares[0].m_contents[0], &shares[i].m_contents[0], RTSS_HEADER_SIZE)) throw Decoding_Error("Different RTSS headers detected"); } } const uint8_t N = shares[0].m_contents[17]; if(shares.size() < N) throw Decoding_Error("Insufficient shares to do TSS reconstruction"); const uint16_t share_len = make_uint16(shares[0].m_contents[18], shares[0].m_contents[19]); const uint8_t hash_id = shares[0].m_contents[16]; std::unique_ptr<HashFunction> hash(get_rtss_hash_by_id(hash_id)); const size_t hash_len = (hash ? hash->output_length() : 0); if(shares[0].size() != RTSS_HEADER_SIZE + share_len) { /* * This second (laxer) check accomodates a bug in TSS that was * fixed in 2.9.0 - previous versions used the length of the * *secret* here, instead of the length of the *share*, which is * precisely 1 + hash_len longer. */ if(shares[0].size() <= RTSS_HEADER_SIZE + 1 + hash_len) throw Decoding_Error("Bad RTSS length field in header"); } std::vector<uint8_t> V(shares.size()); secure_vector<uint8_t> recovered; for(size_t i = RTSS_HEADER_SIZE + 1; i != shares[0].size(); ++i) { for(size_t j = 0; j != V.size(); ++j) V[j] = shares[j].m_contents[i]; uint8_t r = 0; for(size_t k = 0; k != shares.size(); ++k) { // L_i function: uint8_t r2 = 1; for(size_t l = 0; l != shares.size(); ++l) { if(k == l) continue; uint8_t share_k = shares[k].share_id(); uint8_t share_l = shares[l].share_id(); if(share_k == share_l) throw Decoding_Error("Duplicate shares found in RTSS recovery"); uint8_t div = RTSS_EXP[(255 + RTSS_LOG[share_l] - RTSS_LOG[share_k ^ share_l]) % 255]; r2 = gfp_mul(r2, div); } r ^= gfp_mul(V[k], r2); } recovered.push_back(r); } if(hash) { if(recovered.size() < hash->output_length()) throw Decoding_Error("RTSS recovered value too short to be valid"); const size_t secret_len = recovered.size() - hash->output_length(); hash->update(recovered.data(), secret_len); secure_vector<uint8_t> hash_check = hash->final(); if(!constant_time_compare(hash_check.data(), &recovered[secret_len], hash->output_length())) { throw Decoding_Error("RTSS hash check failed"); } // remove the trailing hash value recovered.resize(secret_len); } return recovered; }