1
//! # Module 12: Multi-Party Computation — Exercises
2
//!
3
//! ## Progression
4
//! 1. `shamir_share`          — signature + doc
5
//! 2. `shamir_reconstruct`    — signature + doc
6
//! 3. `additive_share`        — signature + doc
7
//! 4. `additive_reconstruct`  — signature + doc
8
//! 5. `beaver_triple_mul`     — signature only
9

10
/// Create Shamir secret shares for a given secret.
11
///
12
/// Constructs a random polynomial f of degree `t - 1` where f(0) = secret,
13
/// then evaluates at points 1, 2, ..., n.
14
///
15
/// Returns `n` shares as (x, y) pairs.
16
///
17
/// - `t`: threshold (minimum shares needed to reconstruct)
18
/// - `n`: total number of shares
19
/// - `prime`: field modulus (must be > secret and > n)
20
pub fn shamir_share(secret: u64, t: usize, n: usize, prime: u64) -> Vec<(u64, u64)> {
21
    todo!("Generate Shamir secret shares using random polynomial")
22
}
23

24
/// Reconstruct a secret from `t` or more Shamir shares using Lagrange interpolation.
25
///
26
/// Evaluates the Lagrange interpolating polynomial at x = 0.
27
pub fn shamir_reconstruct(shares: &[(u64, u64)], prime: u64) -> u64 {
28
    todo!("Lagrange interpolation at x=0 to recover secret")
29
}
30

31
/// Create additive secret shares: split `secret` into `n` random shares
32
/// that sum to `secret` (mod 2^64).
33
pub fn additive_share(secret: u64, n: usize) -> Vec<u64> {
34
    todo!("Random additive shares summing to secret")
35
}
36

37
/// Reconstruct a secret from additive shares: just sum them.
38
pub fn additive_reconstruct(shares: &[u64]) -> u64 {
39
    todo!("Sum all shares (wrapping)")
40
}
41

42
/// Beaver triple-based multiplication of shared values.
43
///
44
/// Given:
45
/// - Party's share of `a` and `b` (the values to multiply)
46
/// - A pre-computed Beaver triple share `(u, v, w)` where u*v = w
47
/// - `p`: field modulus
48
///
49
/// The protocol:
50
/// 1. Compute d = a - u, e = b - v (open these)
51
/// 2. Party's share of a*b = w + e*u + d*v + d*e
52
///
53
/// Here we simulate a single party's computation given opened d and e.
54
#[allow(clippy::too_many_arguments)]
55
pub fn beaver_triple_mul(
56
    a_share: u64,
57
    b_share: u64,
58
    u_share: u64,
59
    v_share: u64,
60
    w_share: u64,
61
    d: u64,
62
    e: u64,
63
    p: u64,
64
) -> u64 {
65
    todo!("Compute party's share of a*b using Beaver triple")
66
}
67

68
#[cfg(test)]
69
mod tests {
70
    use super::*;
71

72
    #[test]
73
    #[ignore]
74
    fn test_shamir_roundtrip() {
75
        let secret = 42_u64;
76
        let shares = shamir_share(secret, 3, 5, 97);
77
        assert_eq!(shares.len(), 5);
78
        // Any 3 shares should reconstruct the secret
79
        let reconstructed = shamir_reconstruct(&shares[0..3], 97);
80
        assert_eq!(reconstructed, secret);
81
        // Different subset of 3 should also work
82
        let reconstructed2 = shamir_reconstruct(&shares[2..5], 97);
83
        assert_eq!(reconstructed2, secret);
84
    }
85

86
    #[test]
87
    #[ignore]
88
    fn test_shamir_insufficient_shares() {
89
        let secret = 42_u64;
90
        let shares = shamir_share(secret, 3, 5, 97);
91
        // Only 2 shares should NOT reconstruct correctly (with high probability)
92
        let wrong = shamir_reconstruct(&shares[0..2], 97);
93
        // We can't assert != because there's a small chance it's correct,
94
        // but for t=3 it almost certainly won't be.
95
        let _ = wrong; // Just verify it doesn't panic
96
    }
97

98
    #[test]
99
    #[ignore]
100
    fn test_additive_roundtrip() {
101
        let secret = 12345_u64;
102
        let shares = additive_share(secret, 5);
103
        assert_eq!(shares.len(), 5);
104
        let reconstructed = additive_reconstruct(&shares);
105
        assert_eq!(reconstructed, secret);
106
    }
107
}
108

109