Library Usage

The public API is accessible through the Pvss class. Each instance stores the public state of a complete PVSS workflow. Messages created in one instance must be transferred somehow (network, git repo, etc.) and be imported into the other instances.

Example

The following code is equivalent to the CLI example, if it would be ran inside a single python process:

from pvss import Pvss
from pvss.ristretto_255 import create_ristretto_255_parameters

# init, genparams
pvss_init = Pvss()
params = create_ristretto_255_parameters(pvss_init)

# alice, genuser
pvss_alice = Pvss()
pvss_alice.set_params(params)
alice_priv, alice_pub = pvss_alice.create_user_keypair("Alice")

# boris, genuser
pvss_boris = Pvss()
pvss_boris.set_params(params)
boris_priv, boris_pub = pvss_boris.create_user_keypair("Boris")

# chris, genuser
pvss_chris = Pvss()
pvss_chris.set_params(params)
chris_priv, chris_pub = pvss_chris.create_user_keypair("Chris")

# dealer, splitsecret
pvss_dealer = Pvss()
pvss_dealer.set_params(params)
pvss_dealer.add_user_public_key(chris_pub)
pvss_dealer.add_user_public_key(alice_pub)
pvss_dealer.add_user_public_key(boris_pub)
secret0, shares = pvss_dealer.share_secret(2)

# receiver, genreceiver
pvss_receiver = Pvss()
pvss_receiver.set_params(params)
recv_priv, recv_pub = pvss_receiver.create_receiver_keypair("receiver")

# boris, reencrypt
pvss_boris.add_user_public_key(alice_pub)
pvss_boris.add_user_public_key(chris_pub)
pvss_boris.set_shares(shares)
pvss_boris.set_receiver_public_key(recv_pub)
reenc_boris = pvss_boris.reencrypt_share(boris_priv)

# alice, reencrypt
pvss_alice.add_user_public_key(boris_pub)
pvss_alice.add_user_public_key(chris_pub)
pvss_alice.set_shares(shares)
pvss_alice.set_receiver_public_key(recv_pub)
reenc_alice = pvss_alice.reencrypt_share(alice_priv)

# receiver, reconstruct
pvss_receiver.add_user_public_key(boris_pub)
pvss_receiver.add_user_public_key(chris_pub)
pvss_receiver.add_user_public_key(alice_pub)
pvss_receiver.set_shares(shares)
pvss_receiver.add_reencrypted_share(reenc_alice)
pvss_receiver.add_reencrypted_share(reenc_boris)
secret1 = pvss_receiver.reconstruct_secret(recv_priv)

print(secret0 == secret1)

API reference

pvss.qr.create_qr_params(pvss: Pvss, params: int | str | bytes) → bytes[source]

Create and set QR parameters.

If params is str or a bytes, assume it’s a diffie-hellman parameter file such as created by “openssl dhparam 4096”, either DER or PEM encoded.

Parameters:

pvss – Pvss object with public values
params – if int, must be a safe prime, otherwise must be a DH params file with a safe prime.

Returns:

DER encoded QR system parameters.

pvss.ristretto_255.create_ristretto_255_parameters(pvss: Pvss) → bytes[source]

Create and set Ristretto255 parameters.

Parameters:: pvss – Pvss object with public values
Returns:: DER encoded Ristretto255 system parameters.

class pvss.Pvss[source]

Main class to work with Pvss. Stores all public messages and exposes the PVSS operations.

The constructor takes no parameters.

add_reencrypted_share(data: bytes) → ReencryptedShare[source]

Add a re-encrypted share to the internal state.

Parameters:: data – DER encoded re-encrypted share.
Returns:: Decoded reencrypted share.
Raises:: ValueError – On duplicate

add_user_public_key(data: bytes) → PublicKey[source]

Add a user public key to the internal state.

Parameters:: data – DER encoded public key
Returns:: Decoded user public key.
Raises:: ValueError – On duplicate name or public key value

create_receiver_keypair(name: str) → tuple[bytes, bytes][source]

Create a random key pair for the receiver.

Parameters:: name – Name of key; will be included in the public key.
Returns:: DER encoded private key and public key

create_user_keypair(name: str) → tuple[bytes, bytes][source]

Create a random key pair for a user.

Parameters:: name – Name of key; will be included in the public key.
Returns:: DER encoded private key and public key

property params: SystemParameters

Retrieve system parameters.

Returns:: The system parameters.

property receiver_public_key: PublicKey

Retrieve receiver’s public key.

Returns:: Receiver’s public key.

reconstruct_secret(der_private_key: bytes) → bytes[source]

Decrypt the re-encrypted shares with the private key and reconstruct the secret

Parameters:: der_private_key – Receiver’s DER encoded private key
Returns:: DER encoded secret

reencrypt_share(der_private_key: bytes) → bytes[source]

Decrypt a share of the encrypted secret with the private_key and re-encrypt it with another public key

Parameters:: der_private_key – A user’s DER encoded private key
Returns:: DER encoded re-encrypted share

property reencrypted_shares: list[pvss.pvss.ReencryptedShare]

Retrieve the list of reencrypted shares.

Returns:: List of reencrypted shares.

set_params(data: bytes) → SystemParameters[source]

Set system parameters.

Args: data: DER encoded system parameters.

Returns:: Decoded system parameters.
Raises:: Exception – If already set.

set_receiver_public_key(data: bytes) → PublicKey[source]

Add the receiver’s public key to the internal state.

Parameters:: data – DER encoded receiver’s public key.
Returns:: Decoded receiver’s public key.
Raises:: Exception – On duplicate

set_shares(data: bytes) → SharedSecret[source]

Set the shares of the secret.

Parameters:: data – DER encoded secret shares.
Returns:: Decoded secret shares.
Raises:: Exception – If already set.

share_secret(qualified_size: int) → tuple[bytes, bytes][source]

Create a secret, split it and compute the encrypted shares.

Parameters:: qualified_size – Number of shares required to reconstruct the secret
Returns:: DER encoded shared secret and the DER encoded encrypted shares

property shares: SharedSecret

Retrieve the shares of the secret.

Returns:: Shares of the secret.

property user_public_keys: dict[str, pvss.pvss.PublicKey]

Retrieve all user public keys, as mapping from username to PublicKey.

Returns:: Mapping of username to PublicKey.