From becabb40e9b6e3cea15480256576627ccc2419ba Mon Sep 17 00:00:00 2001
From: Brendan Mc <brendanmcmillion@gmail.com>
Date: Tue, 26 May 2015 21:06:08 -0700
Subject: [PATCH 01/14] Integration with Bren2010/MSP

---
 core/core.go         |   2 +
 cryptor/cryptor.go   | 162 ++++++++++++++++++++++++++++++++-----------
 keycache/keycache.go |  57 +++++++++++++--
 3 files changed, 178 insertions(+), 43 deletions(-)

diff --git a/core/core.go b/core/core.go
index fa487c2..e3fccb1 100644
--- a/core/core.go
+++ b/core/core.go
@@ -72,6 +72,7 @@ type EncryptRequest struct {
 	Owners      []string
 	LeftOwners  []string
 	RightOwners []string
+	Predicate   string
 
 	Data []byte
 
@@ -454,6 +455,7 @@ func Encrypt(jsonIn []byte) ([]byte, error) {
 		Names:      s.Owners,
 		LeftNames:  s.LeftOwners,
 		RightNames: s.RightOwners,
+		Predicate:  s.Predicate,
 	}
 
 	resp, err := crypt.Encrypt(s.Data, s.Labels, access)
diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index 830b188..65aa035 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -15,6 +15,7 @@ import (
 	"sort"
 	"strconv"
 
+	"github.com/Bren2010/msp"
 	"github.com/cloudflare/redoctober/keycache"
 	"github.com/cloudflare/redoctober/padding"
 	"github.com/cloudflare/redoctober/passvault"
@@ -44,6 +45,39 @@ type AccessStructure struct {
 
 	LeftNames  []string
 	RightNames []string
+
+	Predicate string
+}
+
+// Implements msp.UserDatabase
+type UserDatabase struct {
+	records *passvault.Records
+	cache *keycache.Cache
+
+	user string
+	labels []string
+	keySet map[string]SingleWrappedKey
+	shareSet map[string][][]byte
+}
+
+func (u UserDatabase) ValidUser(name string) bool {
+	_, ok := u.records.GetRecord(name)
+	return ok
+}
+
+func (u UserDatabase) CanGetShare(name string) bool {
+	_, _, ok := u.cache.MatchUser(name, u.user, u.labels)
+	return ok
+}
+
+func (u UserDatabase) GetShare(name string) ([][]byte, error) {
+	return u.cache.DecryptShares(
+		u.shareSet[name],
+		name,
+		u.user,
+		u.labels,
+		u.keySet[name].Key,
+	)
 }
 
 // MultiWrappedKey is a structure containing a 16-byte key encrypted
@@ -67,8 +101,10 @@ type EncryptedData struct {
 	Version   int
 	VaultId   int                         `json:",omitempty"`
 	Labels    []string                    `json:",omitempty"`
+	Predicate string                      `json:",omitempty"`
 	KeySet    []MultiWrappedKey           `json:",omitempty"`
 	KeySetRSA map[string]SingleWrappedKey `json:",omitempty"`
+	ShareSet  map[string][][]byte         `json:",omitempty"`
 	IV        []byte                      `json:",omitempty"`
 	Data      []byte
 	Signature []byte
@@ -259,8 +295,6 @@ func (encrypted *EncryptedData) wrapKey(records *passvault.Records, clearKey []b
 				encrypted.KeySet = append(encrypted.KeySet, out)
 			}
 		}
-
-		return nil
 	} else if len(access.LeftNames) > 0 && len(access.RightNames) > 0 {
 		// Generate a random AES key for each user and RSA/ECIES encrypt it
 		encrypted.KeySetRSA = make(map[string]SingleWrappedKey)
@@ -301,11 +335,41 @@ func (encrypted *EncryptedData) wrapKey(records *passvault.Records, clearKey []b
 				encrypted.KeySet = append(encrypted.KeySet, out)
 			}
 		}
+	} else if len(access.Predicate) > 0 {
+		encrypted.KeySetRSA = make(map[string]SingleWrappedKey)
 
-		return nil
+		sss, err := msp.StringToMSP(access.Predicate)
+		if err != nil {
+			return err
+		}
+
+		db := msp.UserDatabase(UserDatabase{records: records})
+		shareSet, err := sss.DistributeShares(clearKey, msp.Modulus(127), &db)
+		if err != nil {
+			return err
+		}
+
+		for name, _ := range shareSet {
+			encrypted.KeySetRSA[name], err = generateRandomKey(name)
+			crypt, err := aes.NewCipher(encrypted.KeySetRSA[name].aesKey)
+			if err != nil {
+				return err
+			}
+
+			for i, _ := range shareSet[name] {
+				tmp := make([]byte, 16)
+				crypt.Encrypt(tmp, shareSet[name][i])
+				shareSet[name][i] = tmp
+			}
+		}
+
+		encrypted.ShareSet = shareSet
+		encrypted.Predicate = access.Predicate
 	} else {
 		return errors.New("Invalid access structure.")
 	}
+
+	return nil
 }
 
 // unwrapKey decrypts first key in keys whose encryption keys are in keycache
@@ -316,50 +380,70 @@ func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (u
 		nameSet        = map[string]bool{}
 	)
 
-	for _, mwKey := range encrypted.KeySet {
-		// validate the size of the keys
-		if len(mwKey.Key) != 16 {
-			err = errors.New("Invalid Input")
+	if len(encrypted.Predicate) == 0 {
+		for _, mwKey := range encrypted.KeySet {
+			// validate the size of the keys
+			if len(mwKey.Key) != 16 {
+				err = errors.New("Invalid Input")
+			}
+
+			if err != nil {
+				return nil, nil, err
+			}
+
+			// loop through users to see if they are all delegated
+			fullMatch = true
+			for _, mwName := range mwKey.Name {
+				if valid := cache.Valid(mwName, user, encrypted.Labels); !valid {
+					fullMatch = false
+					break
+				}
+				nameSet[mwName] = true
+			}
+
+			// if the keys are delegated, decrypt the mwKey with them
+			if fullMatch == true {
+				tmpKeyValue := mwKey.Key
+				for _, mwName := range mwKey.Name {
+					pubEncrypted := encrypted.KeySetRSA[mwName]
+					if tmpKeyValue, keyFound = cache.DecryptKey(tmpKeyValue, mwName, user, encrypted.Labels, pubEncrypted.Key); keyFound != nil {
+						break
+					}
+				}
+				unwrappedKey = tmpKeyValue
+				break
+			}
 		}
 
+		if !fullMatch {
+			err = errors.New("Need more delegated keys")
+			names = nil
+		}
+
+		names = make([]string, 0, len(nameSet))
+		for name := range nameSet {
+			names = append(names, name)
+		}
+		return
+	} else {
+		var sss msp.MSP
+		sss, err = msp.StringToMSP(encrypted.Predicate)
 		if err != nil {
 			return nil, nil, err
 		}
 
-		// loop through users to see if they are all delegated
-		fullMatch = true
-		for _, mwName := range mwKey.Name {
-			if valid := cache.Valid(mwName, user, encrypted.Labels); !valid {
-				fullMatch = false
-				break
-			}
-			nameSet[mwName] = true
-		}
+		db := msp.UserDatabase(UserDatabase{
+			cache: cache,
+			user: user,
+			labels: encrypted.Labels,
+			keySet: encrypted.KeySetRSA,
+			shareSet: encrypted.ShareSet,
+		})
+		unwrappedKey, err = sss.RecoverSecret(msp.Modulus(127), &db)
+		names = []string{"Shares"}
 
-		// if the keys are delegated, decrypt the mwKey with them
-		if fullMatch == true {
-			tmpKeyValue := mwKey.Key
-			for _, mwName := range mwKey.Name {
-				pubEncrypted := encrypted.KeySetRSA[mwName]
-				if tmpKeyValue, keyFound = cache.DecryptKey(tmpKeyValue, mwName, user, encrypted.Labels, pubEncrypted.Key); keyFound != nil {
-					break
-				}
-			}
-			unwrappedKey = tmpKeyValue
-			break
-		}
+		return
 	}
-
-	if !fullMatch {
-		err = errors.New("Need more delegated keys")
-		names = nil
-	}
-
-	names = make([]string, 0, len(nameSet))
-	for name := range nameSet {
-		names = append(names, name)
-	}
-	return
 }
 
 // Encrypt encrypts data with the keys associated with names. This
diff --git a/keycache/keycache.go b/keycache/keycache.go
index 2c1082f..4e6df4f 100644
--- a/keycache/keycache.go
+++ b/keycache/keycache.go
@@ -112,9 +112,9 @@ func (cache *Cache) Valid(name, user string, labels []string) (present bool) {
 	return false
 }
 
-// matchUser returns the matching active user if present
+// MatchUser returns the matching active user if present
 // and a boolean to indicate its presence.
-func (cache *Cache) matchUser(name, user string, labels []string) (ActiveUser, string, bool) {
+func (cache *Cache) MatchUser(name, user string, labels []string) (ActiveUser, string, bool) {
 	var key ActiveUser
 	for d, key := range cache.UserKeys {
 		if d.Name != name {
@@ -131,7 +131,7 @@ func (cache *Cache) matchUser(name, user string, labels []string) (ActiveUser, s
 // useKey decrements the counter on an active key
 // for decryption or symmetric encryption
 func (cache *Cache) useKey(name, user, slot string, labels []string) {
-	if val, slot, present := cache.matchUser(name, user, labels); present {
+	if val, slot, present := cache.MatchUser(name, user, labels); present {
 		val.Usage.Uses -= 1
 		cache.setUser(val, name, slot)
 	}
@@ -214,7 +214,7 @@ func (cache *Cache) AddKeyFromRecord(record passvault.PasswordRecord, name, pass
 func (cache *Cache) DecryptKey(in []byte, name, user string, labels []string, pubEncryptedKey []byte) (out []byte, err error) {
 	cache.Refresh()
 
-	decryptKey, slot, ok := cache.matchUser(name, user, labels)
+	decryptKey, slot, ok := cache.MatchUser(name, user, labels)
 	if !ok {
 		return nil, errors.New("Key not delegated")
 	}
@@ -252,3 +252,52 @@ func (cache *Cache) DecryptKey(in []byte, name, user string, labels []string, pu
 
 	return
 }
+
+// DecryptShares decrypts an array of 16 byte shares using the key corresponding
+// to the name parameter.
+func (cache *Cache) DecryptShares(in [][]byte, name, user string, labels []string, pubEncryptedKey []byte) (out [][]byte, err error) {
+	cache.Refresh()
+
+	decryptKey, slot, ok := cache.MatchUser(name, user, labels)
+	if !ok {
+		return nil, errors.New("Key not delegated")
+	}
+
+	var aesKey []byte
+
+	// pick the aesKey to use for decryption
+	switch decryptKey.Type {
+	case passvault.RSARecord:
+		// extract the aes key from the pubEncryptedKey
+		aesKey, err = rsa.DecryptOAEP(sha1.New(), rand.Reader, &decryptKey.rsaKey, pubEncryptedKey, nil)
+		if err != nil {
+			return
+		}
+	case passvault.ECCRecord:
+		// extract the aes key from the pubEncryptedKey
+		aesKey, err = ecdh.Decrypt(decryptKey.eccKey, pubEncryptedKey)
+
+		if err != nil {
+			return
+		}
+	default:
+		return nil, errors.New("unknown type")
+	}
+
+	// decrypt
+	aesSession, err := aes.NewCipher(aesKey)
+	if err != nil {
+		return
+	}
+
+	for _, encShare := range in {
+		tmp := make([]byte, 16)
+		aesSession.Decrypt(tmp, encShare)
+
+		out = append(out, tmp)
+	}
+
+	cache.useKey(name, user, slot, labels)
+
+	return
+}

From e652300f430f6802c77e519d26dc17749164d21f Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Wed, 27 May 2015 11:29:36 -0700
Subject: [PATCH 02/14] Vendored in Bren2010/MSP

---
 cryptor/cryptor.go    |  18 +--
 msp/README.md         | 153 ++++++++++++++++++
 msp/formatted.go      | 189 ++++++++++++++++++++++
 msp/formatted_test.go |  89 ++++++++++
 msp/msp.go            | 369 ++++++++++++++++++++++++++++++++++++++++++
 msp/msp_test.go       |  72 +++++++++
 msp/raw.go            | 218 +++++++++++++++++++++++++
 msp/raw_test.go       |  74 +++++++++
 8 files changed, 1173 insertions(+), 9 deletions(-)
 create mode 100644 msp/README.md
 create mode 100644 msp/formatted.go
 create mode 100644 msp/formatted_test.go
 create mode 100644 msp/msp.go
 create mode 100644 msp/msp_test.go
 create mode 100644 msp/raw.go
 create mode 100644 msp/raw_test.go

diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index 65aa035..5d0e701 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -15,8 +15,8 @@ import (
 	"sort"
 	"strconv"
 
-	"github.com/Bren2010/msp"
 	"github.com/cloudflare/redoctober/keycache"
+	"github.com/cloudflare/redoctober/msp"
 	"github.com/cloudflare/redoctober/padding"
 	"github.com/cloudflare/redoctober/passvault"
 	"github.com/cloudflare/redoctober/symcrypt"
@@ -52,11 +52,11 @@ type AccessStructure struct {
 // Implements msp.UserDatabase
 type UserDatabase struct {
 	records *passvault.Records
-	cache *keycache.Cache
+	cache   *keycache.Cache
 
-	user string
-	labels []string
-	keySet map[string]SingleWrappedKey
+	user     string
+	labels   []string
+	keySet   map[string]SingleWrappedKey
 	shareSet map[string][][]byte
 }
 
@@ -433,10 +433,10 @@ func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (u
 		}
 
 		db := msp.UserDatabase(UserDatabase{
-			cache: cache,
-			user: user,
-			labels: encrypted.Labels,
-			keySet: encrypted.KeySetRSA,
+			cache:    cache,
+			user:     user,
+			labels:   encrypted.Labels,
+			keySet:   encrypted.KeySetRSA,
 			shareSet: encrypted.ShareSet,
 		})
 		unwrappedKey, err = sss.RecoverSecret(msp.Modulus(127), &db)
diff --git a/msp/README.md b/msp/README.md
new file mode 100644
index 0000000..051ec26
--- /dev/null
+++ b/msp/README.md
@@ -0,0 +1,153 @@
+Monotone Span Programs
+======================
+
+- [Introduction](#monotone-span-programs)
+  - [Types of Predicates](#types-of-predicates)
+- [Documentation](#documentation)
+  - [User Databases](#user-databases)
+  - [Building Predicates](#building-predicates)
+  - [Splitting & Reconstructing Secrets](#splitting--reconstructing-secrets)
+
+A *Monotone Span Program* (or *MSP*) is a cryptographic technique for splitting
+a secret into several *shares* that are then distributed to *parties* or
+*users*.  (Have you heard of [Shamir's Secret Sharing](http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing)?  It's like that.)
+
+Unlike Shamir's Secret Sharing, MSPs allow *arbitrary monotone access
+structures*.  An access structure is just a boolean predicate on a set of users
+that tells us whether or not that set is allowed to recover the secret.  A
+monotone access structure is the same thing, but with the invariant that adding
+a user to a set will never turn the predicate's output from `true` to
+`false`--negations or boolean `nots` are disallowed.
+
+**Example:**  `(Alice or Bob) and Carl` is good, but `(Alice or Bob) and !Carl`
+is not because excluding people is rude.
+
+MSPs are fundamental and powerful primitives.  They're well-suited for
+distributed commitments (DC), verifiable secret sharing (VSS) and multi-party
+computation (MPC).
+
+
+#### Types of Predicates
+
+An MSP itself is a type of predicate and the reader is probably familiar with
+raw boolean predicates like in the example above, but another important type is
+a *formatted boolean predicate*.
+
+Formatted boolean predicates are isomorphic to all MSPs and therefore all
+monotone raw boolean predicates.  They're built by nesting threshold gates.
+
+**Example:**  Let `(2, Alice, Bob, Carl)` denote that at least 2 members of the
+set `{Alice, Bob, Carl}` must be present to recover the secret.  Then,
+`(2, (1, Alice, Bob), Carl)` is the formatted version of
+`(Alice or Bob) and Carl`.
+
+It is possible to convert between different types of predicates (and its one of
+the fundamental operations of splitting secrets with an MSP), but circuit
+minimization is a non-trivial and computationally complex problem.  The code can
+do a small amount of compression, but the onus is on the user to design
+efficiently computable predicates.
+
+
+#### To Do
+
+1. Anonymous secret generation / secret homomorphisms
+2. Non-interactive verifiable secret sharing / distributed commitments
+
+
+Documentation
+-------------
+
+### User Databases
+
+```go
+type UserDatabase interface {
+	ValidUser(string) bool // Is this the name of an existing user?
+	CanGetShare(string) bool // Can I get this user's share?
+	GetShare(string) ([][]byte, error) // Retrieves a user's shares.
+}
+```
+
+User databases are an abstraction over the primitive name -> share map that
+hopefully offer a bit more flexibility in implementing secret sharing schemes.
+`CanGetShare(name)` should be faster and less binding than `GetShare(name)`.
+`CanGetShare(name)` may be called a large number of times, but `GetShare(name)`
+will be called the absolute minimum number of times possible.
+
+Depending on the predicate used, a name may be associated to multiple shares of
+a secret, hence `[][]byte` as opposed to one share (`[]byte`).
+
+For test/play purposes there's a cheaty implementation of `UserDatabase` in
+`msp_test.go` that just wraps the `map[string][][]byte` returned by
+`DistributeShares(...)`
+
+### Building Predicates
+
+```go
+type Raw struct { ... }
+
+func StringToRaw(string) (Raw, error) { ... }
+func (r Raw) String() string { .. .}
+func (r Raw) Formatted() Formatted { ... }
+
+
+type Formatted struct { ... }
+
+func StringToFormatted(string) (Formatted, error)
+func (f Formatted) String() string
+```
+
+Building predicates is extremely easy--just write it out in a string and have
+one of the package methods parse it.
+
+Raw predicates take the `&` (logical AND) and `|` (logical OR) operators, but
+are otherwise the same as discussed above.  Formatted predicates are exactly the
+same as above--just nested threshold gates.
+
+```go
+r1, _ := msp.StringToRaw("(Alice | Bob) & Carl")
+r2, _ := msp.StringToRaw("Alice & Bob & Carl")
+
+fmt.Printf("%v\n", r1.Formatted()) // (2, (1, Alice, Bob), Carl)
+fmt.Printf("%v\n", r2.Formatted()) // (3, Alice, Bob, Carl)
+```
+
+### Splitting & Reconstructing Secrets
+
+```go
+type MSP Formatted
+
+func Modulus(n int) *big.Int {}
+func (m MSP) DistributeShares(sec []byte, modulus *big.Int, db *UserDatabase) (map[string][][]byte, error) {}
+func (m MSP) RecoverSecret(modulus *big.Int, db *UserDatabase) ([]byte, error) {}
+```
+
+To switch from predicate-mode to secret-sharing-mode, just cast your formatted
+predicate into an MSP something like this:
+```go
+predicate := msp.StringToFormatted("(3, Alice, Bob, Carl)")
+sss := msp.MSP(predicate)
+```
+
+Calling `DistributeShares` on it returns a map from a party's name to their set
+of shares which should be given to that party and integrated into the
+`UserDatabase` somehow.  When you're ready to reconstruct the secret, you call
+`RecoverSecret`, which does some prodding about and hopefully gives you back
+what you put in.
+
+The modulus determines the size of the secret shares.  It must be prime, larger
+than the secret, and larger than n<sup>k</sup> where `n` is the number of
+parties and `k` is the depth of the circuit.  (For each path from the root to a
+gate with only leaf nodes, sum the thresholds of all the gates along that path.
+`k` is the maximum of these values--a safe overestimation is to sum the
+thresholds of all gates in the circuit)  Because this form of secret sharing
+is *information-theoretically secure*, as long as the modulus satisfies those
+requirements, it can be as small or as large as you'd like (there's no
+bonus/reduction in security).  An excessively small modulus is restrictive, but
+saves a *lot* of bandwidth.  However, there's no sensible reason for a modulus
+over about 256 bits--by that point, it's easier to generate a random AES key,
+encrypt your secret with *that*, and distribute shares of the decryption key
+instead.
+
+For convenience, the `Modulus` function has some hard coded moduli that are
+useful.  The choices are currently: `127`, `224`, and `256` for a 127-bit,
+224-bit, or 256-bit modulus, respectively.
diff --git a/msp/formatted.go b/msp/formatted.go
new file mode 100644
index 0000000..c4d16c2
--- /dev/null
+++ b/msp/formatted.go
@@ -0,0 +1,189 @@
+package msp
+
+import (
+	"container/list"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+type Formatted struct { // Represents threshold gate (also type of condition)
+	Min   int
+	Conds []Condition
+}
+
+func StringToFormatted(f string) (out Formatted, err error) {
+	// Automaton.  Modification of Dijkstra's Two-Stack Algorithm for parsing
+	// infix notation.  Running time linear in the size of the predicate?
+	//
+	// Steps either to the next comma or the next unparenthesis.
+	//     (     -> Push new queue onto staging stack
+	//     value -> Push onto back of queue at top of staging stack.
+	//     )     -> Pop queue off top of staging stack, build threshold gate,
+	//              and push gate onto the back of the top queue.
+	//
+	// Staging stack is empty on initialization and should have exactly 1 built
+	// threshold gate at the end of the string.
+	if f[0] != '(' || f[len(f)-1] != ')' {
+		return out, errors.New("Invalid string--wrong format.")
+	}
+
+	getNext := func(f string) (string, string) { // f -> (next, rest)
+		f = strings.TrimSpace(f)
+
+		if f[0] == '(' {
+			return f[0:1], f[1:]
+		}
+
+		nextComma := strings.Index(f, ",")
+		if f[0] == ')' {
+			if nextComma == -1 {
+				return f[0:1], ""
+			}
+			return f[0:1], f[nextComma+1:]
+		} else if nextComma == -1 {
+			return f[0 : len(f)-1], f[len(f)-1:]
+		}
+
+		nextUnParen := strings.Index(f, ")")
+		if nextComma < nextUnParen {
+			return strings.TrimSpace(f[0:nextComma]), f[nextComma+1:]
+		}
+
+		return strings.TrimSpace(f[0:nextUnParen]), f[nextUnParen:]
+	}
+
+	staging := list.New()
+	indices := make(map[string]int, 0)
+
+	var nxt string
+	for len(f) > 0 {
+		nxt, f = getNext(f)
+
+		switch nxt {
+		case "(":
+			staging.PushFront(list.New())
+		case ")":
+			top := staging.Remove(staging.Front()).(*list.List)
+
+			var min int
+			minStr := top.Front()
+			min, err = strconv.Atoi(minStr.Value.(String).string)
+			if err != nil {
+				return
+			}
+
+			built := Formatted{
+				Min:   min,
+				Conds: []Condition{},
+			}
+
+			for cond := minStr.Next(); cond != nil; cond = cond.Next() {
+				built.Conds = append(built.Conds, cond.Value.(Condition))
+			}
+
+			if staging.Len() == 0 {
+				if len(f) == 0 {
+					return built, nil
+				}
+				return built, errors.New("Invalid string--terminated early.")
+			}
+
+			staging.Front().Value.(*list.List).PushBack(built)
+
+		default:
+			if _, there := indices[nxt]; !there {
+				indices[nxt] = 0
+			}
+
+			staging.Front().Value.(*list.List).PushBack(String{nxt, indices[nxt]})
+			indices[nxt]++
+		}
+	}
+
+	return out, errors.New("Invalid string--never terminated.")
+}
+
+func (f Formatted) String() string {
+	out := fmt.Sprintf("(%v", f.Min)
+
+	for _, cond := range f.Conds {
+		switch cond.(type) {
+		case String:
+			out += fmt.Sprintf(", %v", cond.(String).string)
+		case Formatted:
+			out += fmt.Sprintf(", %v", (cond.(Formatted)).String())
+		}
+	}
+
+	return out + ")"
+}
+
+func (f Formatted) Ok(db *UserDatabase) bool {
+	// Goes through the smallest number of conditions possible to check if the
+	// threshold gate returns true.  Sometimes requires recursing down to check
+	// nested threshold gates.
+	rest := f.Min
+
+	for _, cond := range f.Conds {
+		if cond.Ok(db) {
+			rest--
+		}
+
+		if rest == 0 {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (f *Formatted) Compress() {
+	if f.Min == len(f.Conds) {
+		// AND Compression:  (n, ..., (m, ...), ...) = (n + m, ...)
+		skip := 0
+		for i, cond := range f.Conds {
+			if skip > 0 {
+				skip--
+				continue
+			}
+
+			switch cond.(type) {
+			case Formatted:
+				cond := cond.(Formatted)
+				cond.Compress()
+				f.Conds[i] = cond
+
+				if cond.Min == len(cond.Conds) {
+					f.Min += cond.Min - 1
+					f.Conds = append(f.Conds[0:i],
+						append(cond.Conds, f.Conds[i+1:]...)...)
+					skip = len(cond.Conds) - 1
+				}
+			}
+		}
+	} else if f.Min == 1 {
+		// OR Compression: (1, ..., (1, ...), ...) = (1, ...)
+		skip := 0
+		for i, cond := range f.Conds {
+			if skip > 0 {
+				skip--
+				continue
+			}
+
+			switch cond.(type) {
+			case Formatted:
+				cond := cond.(Formatted)
+				cond.Compress()
+				f.Conds[i] = cond
+
+				if cond.Min == 1 {
+					f.Conds = append(f.Conds[0:i],
+						append(cond.Conds, f.Conds[i+1:]...)...)
+					skip = len(cond.Conds) - 1
+				}
+			}
+		}
+	}
+}
diff --git a/msp/formatted_test.go b/msp/formatted_test.go
new file mode 100644
index 0000000..a693cee
--- /dev/null
+++ b/msp/formatted_test.go
@@ -0,0 +1,89 @@
+package msp
+
+import (
+	"testing"
+)
+
+func TestFormatted(t *testing.T) {
+	query1 := Formatted{
+		Min: 2,
+		Conds: []Condition{
+			String{"Alice", 0}, String{"Bob", 0}, String{"Carl", 0},
+		},
+	}
+
+	query2 := Formatted{
+		Min: 3,
+		Conds: []Condition{
+			String{"Alice", 0}, String{"Bob", 0}, String{"Carl", 0},
+		},
+	}
+
+	query3 := Formatted{
+		Min: 2,
+		Conds: []Condition{
+			Formatted{
+				Min: 1,
+				Conds: []Condition{
+					String{"Alice", 0}, String{"Bob", 0},
+				},
+			},
+			String{"Carl", 0},
+		},
+	}
+
+	query4 := Formatted{
+		Min: 2,
+		Conds: []Condition{
+			Formatted{
+				Min: 1,
+				Conds: []Condition{
+					String{"Alice", 0}, String{"Carl", 0},
+				},
+			},
+			String{"Bob", 0},
+		},
+	}
+
+	db := UserDatabase(Database(map[string][][]byte{
+		"Alice": [][]byte{[]byte("blah")},
+		"Carl":  [][]byte{[]byte("herp")},
+	}))
+
+	if query1.Ok(&db) != true {
+		t.Fatalf("Query #1 was wrong.")
+	}
+
+	if query2.Ok(&db) != false {
+		t.Fatalf("Query #2 was wrong.")
+	}
+
+	if query3.Ok(&db) != true {
+		t.Fatalf("Query #3 was wrong.")
+	}
+
+	if query4.Ok(&db) != false {
+		t.Fatalf("Query #4 was wrong.")
+	}
+
+	query1String := "(2, Alice, Bob, Carl)"
+	query3String := "(2, (1, Alice, Bob), Carl)"
+
+	if query1.String() != query1String {
+		t.Fatalf("Query #1 String was wrong; %v", query1.String())
+	}
+
+	if query3.String() != query3String {
+		t.Fatalf("Query #3 String was wrong; %v", query3.String())
+	}
+
+	decQuery1, err := StringToFormatted(query1String)
+	if err != nil || decQuery1.String() != query1String {
+		t.Fatalf("Query #1 decoded wrong: %v %v", decQuery1.String(), err)
+	}
+
+	decQuery3, err := StringToFormatted(query3String)
+	if err != nil || decQuery3.String() != query3String {
+		t.Fatalf("Query #3 decoded wrong: %v %v", decQuery3.String(), err)
+	}
+}
diff --git a/msp/msp.go b/msp/msp.go
new file mode 100644
index 0000000..3642593
--- /dev/null
+++ b/msp/msp.go
@@ -0,0 +1,369 @@
+package msp
+
+import (
+	"container/heap"
+	"crypto/rand"
+	"errors"
+	"math/big"
+	"strings"
+)
+
+// A UserDatabase is an abstraction over the name -> share map returned by the
+// secret splitter that allows an application to only decrypt or request shares
+// when needed, rather than re-build a partial map of known data.
+type UserDatabase interface {
+	ValidUser(name string) bool
+	CanGetShare(string) bool
+	GetShare(string) ([][]byte, error)
+}
+
+type Condition interface { // Represents one condition in a predicate
+	Ok(*UserDatabase) bool
+}
+
+type String struct { // Type of condition
+	string
+	index int
+}
+
+func (s String) Ok(db *UserDatabase) bool {
+	return (*db).CanGetShare(s.string)
+}
+
+type TraceElem struct {
+	loc   int
+	names []string
+	trace []string
+}
+
+type TraceSlice []TraceElem
+
+func (ts TraceSlice) Len() int      { return len(ts) }
+func (ts TraceSlice) Swap(i, j int) { ts[i], ts[j] = ts[j], ts[i] }
+
+func (ts TraceSlice) Less(i, j int) bool {
+	return len(ts[i].trace) < len(ts[j].trace)
+}
+
+func (ts *TraceSlice) Push(te interface{}) { *ts = append(*ts, te.(TraceElem)) }
+func (ts *TraceSlice) Pop() interface{} {
+	out := (*ts)[0]
+	*ts = (*ts)[1 : len(*ts)-1]
+
+	return out
+}
+
+func (ts TraceSlice) Compact() (index []int, names []string, trace []string) {
+	for _, te := range ts {
+		index = append(index, te.loc)
+		names = append(names, te.names...)
+		trace = append(trace, te.trace...)
+	}
+
+	ptr, cutoff := 0, len(trace)
+
+TopLoop:
+	for ptr < cutoff {
+		for i := 0; i < ptr; i++ {
+			if trace[i] == trace[ptr] {
+				trace[ptr], trace[cutoff-1] = trace[cutoff-1], trace[ptr]
+				cutoff--
+
+				continue TopLoop
+			}
+		}
+
+		ptr++
+	}
+	trace = trace[0:cutoff]
+
+	return
+}
+
+type MSP Formatted
+
+func Modulus(n int) (modulus *big.Int) {
+	switch n {
+	case 256:
+		modulus = big.NewInt(1) // 2^256 - 2^224 + 2^192 + 2^96 - 1
+		modulus.Lsh(modulus, 256)
+		modulus.Sub(modulus, big.NewInt(0).Lsh(big.NewInt(1), 224))
+		modulus.Add(modulus, big.NewInt(0).Lsh(big.NewInt(1), 192))
+		modulus.Add(modulus, big.NewInt(0).Lsh(big.NewInt(1), 96))
+		modulus.Sub(modulus, big.NewInt(1))
+
+	case 224:
+		modulus = big.NewInt(1) // 2^224 - 2^96 + 1
+		modulus.Lsh(modulus, 224)
+		modulus.Sub(modulus, big.NewInt(0).Lsh(big.NewInt(1), 96))
+		modulus.Add(modulus, big.NewInt(1))
+
+	default: // Silent fail.
+		modulus = big.NewInt(1) // 2^127 - 1
+		modulus.Lsh(modulus, 127)
+		modulus.Sub(modulus, big.NewInt(1))
+	}
+
+	return
+}
+
+func StringToMSP(pred string) (m MSP, err error) {
+	var f Formatted
+
+	if -1 == strings.Index(pred, ",") {
+		var r Raw
+		r, err = StringToRaw(pred)
+		if err != nil {
+			return
+		}
+
+		f = r.Formatted()
+	} else {
+		f, err = StringToFormatted(pred)
+		if err != nil {
+			return
+		}
+	}
+
+	return MSP(f), nil
+}
+
+func (m MSP) DerivePath(db *UserDatabase) (ok bool, names []string, locs []int, trace []string) {
+	ts := &TraceSlice{}
+
+	for i, cond := range m.Conds {
+		switch cond.(type) {
+		case String:
+			if (*db).CanGetShare(cond.(String).string) {
+				heap.Push(ts, TraceElem{
+					i,
+					[]string{cond.(String).string},
+					[]string{cond.(String).string},
+				})
+			}
+
+		case Formatted:
+			sok, _, _, strace := MSP(cond.(Formatted)).DerivePath(db)
+			if !sok {
+				continue
+			}
+
+			heap.Push(ts, TraceElem{i, []string{}, strace})
+		}
+
+		if (*ts).Len() > m.Min {
+			*ts = (*ts)[0:m.Min]
+		}
+	}
+
+	ok = (*ts).Len() >= m.Min
+	locs, names, trace = ts.Compact()
+	return
+}
+
+func (m MSP) DistributeShares(sec []byte, modulus *big.Int, db *UserDatabase) (map[string][][]byte, error) {
+	out := make(map[string][][]byte)
+
+	// Math to distribute shares.
+	secInt := big.NewInt(0).SetBytes(sec) // Convert secret to number.
+	secInt.Mod(secInt, modulus)
+
+	var junk []*big.Int // Generate junk numbers.
+	for i := 1; i < m.Min; i++ {
+		r := make([]byte, (modulus.BitLen()/8)+1)
+		_, err := rand.Read(r)
+		if err != nil {
+			return out, err
+		}
+
+		s := big.NewInt(0).SetBytes(r)
+		s.Mod(s, modulus)
+
+		junk = append(junk, s)
+	}
+
+	for i, cond := range m.Conds { // Calculate shares.
+		share := big.NewInt(1)
+		share.Mul(share, secInt)
+
+		for j := 2; j <= m.Min; j++ {
+			cell := big.NewInt(int64(i + 1))
+			cell.Exp(cell, big.NewInt(int64(j-1)), modulus)
+			// CELL SHOULD ALWAYS BE LESS THAN MODULUS
+
+			share.Add(share, cell.Mul(cell, junk[j-2])).Mod(share, modulus)
+		}
+
+		switch cond.(type) {
+		case String:
+			name := cond.(String).string
+			if _, ok := out[name]; ok {
+				out[name] = append(out[name], share.Bytes())
+			} else if (*db).ValidUser(name) {
+				out[name] = [][]byte{share.Bytes()}
+			} else {
+				return out, errors.New("Unknown user in predicate.")
+			}
+
+		default:
+			below := MSP(cond.(Formatted))
+			subOut, err := below.DistributeShares(share.Bytes(), modulus, db)
+			if err != nil {
+				return out, err
+			}
+
+			for name, shares := range subOut {
+				if _, ok := out[name]; ok {
+					out[name] = append(out[name], shares...)
+				} else {
+					out[name] = shares
+				}
+
+			}
+		}
+	}
+
+	return out, nil
+}
+
+func (m MSP) RecoverSecret(modulus *big.Int, db *UserDatabase) ([]byte, error) {
+	cache := make(map[string][][]byte, 0) // Caches un-used shares for a user.
+	return m.recoverSecret(modulus, db, cache)
+}
+
+func (m MSP) recoverSecret(modulus *big.Int, db *UserDatabase, cache map[string][][]byte) ([]byte, error) {
+	var (
+		index  = []int{}    // Indexes where given shares were in the matrix.
+		shares = [][]byte{} // Contains shares that will be used in reconstruction.
+	)
+
+	ok, names, locs, _ := m.DerivePath(db)
+	if !ok {
+		return nil, errors.New("Not enough shares to recover.")
+	}
+
+	for _, name := range names {
+		if _, cached := cache[name]; !cached {
+			out, err := (*db).GetShare(name)
+			if err != nil {
+				return nil, err
+			}
+
+			cache[name] = out
+		}
+	}
+
+	for _, loc := range locs {
+		gate := m.Conds[loc]
+		index = append(index, loc+1)
+
+		switch gate.(type) {
+		case String:
+			if len(cache[gate.(String).string]) <= gate.(String).index {
+				return nil, errors.New("Predicate / database mismatch!")
+			}
+
+			shares = append(shares, cache[gate.(String).string][gate.(String).index])
+
+		case Formatted:
+			share, err := MSP(gate.(Formatted)).recoverSecret(modulus, db, cache)
+			if err != nil {
+				return nil, err
+			}
+
+			shares = append(shares, share)
+		}
+	}
+
+	// Calculate the reconstruction vector.  We only need the top row of the
+	// matrix's inverse, so we augment M transposed with u1 transposed and
+	// eliminate Gauss-Jordan style.
+	matrix := [][][2]int{}              // 2d grid of (numerator, denominator)
+	matrix = append(matrix, [][2]int{}) // Create first row of all 1s
+
+	for j := 0; j < m.Min; j++ {
+		matrix[0] = append(matrix[0], [2]int{1, 1})
+	}
+
+	for j := 1; j < m.Min; j++ { // Fill in rest of matrix.
+		row := [][2]int{}
+
+		for k, idx := range index {
+			row = append(row, [2]int{int(idx) * matrix[j-1][k][0], matrix[j-1][k][1]})
+		}
+
+		matrix = append(matrix, row)
+	}
+
+	matrix[0] = append(matrix[0], [2]int{1, 1}) // Stick on last column.
+	for j := 1; j < m.Min; j++ {
+		matrix[j] = append(matrix[j], [2]int{0, 1})
+	}
+
+	// Reduce matrix.
+	for i := 0; i < len(matrix); i++ {
+		for j := 0; j < len(matrix[i]); j++ { // Make row unary.
+			if i == j {
+				continue
+			}
+
+			matrix[i][j][0] *= matrix[i][i][1]
+			matrix[i][j][1] *= matrix[i][i][0]
+		}
+		matrix[i][i] = [2]int{1, 1}
+
+		for j := 0; j < len(matrix); j++ { // Remove this row from the others.
+			if i == j {
+				continue
+			}
+
+			top := matrix[j][i][0]
+			bot := matrix[j][i][1]
+
+			for k := 0; k < len(matrix[j]); k++ {
+				// matrix[j][k] = matrix[j][k] - matrix[j][i] * matrix[i][k]
+				temp := [2]int{0, 0}
+				temp[0] = top * matrix[i][k][0]
+				temp[1] = bot * matrix[i][k][1]
+
+				if matrix[j][k][0] == 0 {
+					matrix[j][k][0] = -temp[0]
+					matrix[j][k][1] = temp[1]
+				} else {
+					matrix[j][k][0] = (matrix[j][k][0] * temp[1]) - (temp[0] * matrix[j][k][1])
+					matrix[j][k][1] *= temp[1]
+				}
+
+				if matrix[j][k][0] == 0 {
+					matrix[j][k][1] = 1
+				}
+			}
+		}
+	}
+
+	// Compute dot product of the shares vector and the reconstruction vector to
+	// reconstruct the secret.
+	size := len(modulus.Bytes())
+	out := make([]byte, size)
+	secInt := big.NewInt(0)
+
+	for i, share := range shares {
+		lst := len(matrix[i]) - 1
+
+		num := big.NewInt(int64(matrix[i][lst][0]))
+		den := big.NewInt(int64(matrix[i][lst][1]))
+		num.Mod(num, modulus)
+		den.Mod(den, modulus)
+
+		coeff := big.NewInt(0).ModInverse(den, modulus)
+		coeff.Mul(coeff, num).Mod(coeff, modulus)
+
+		shareInt := big.NewInt(0).SetBytes(share)
+		shareInt.Mul(shareInt, coeff).Mod(shareInt, modulus)
+
+		secInt.Add(secInt, shareInt).Mod(secInt, modulus)
+	}
+
+	out = append(out, secInt.Bytes()...)
+	return out[len(out)-size:], nil
+}
diff --git a/msp/msp_test.go b/msp/msp_test.go
new file mode 100644
index 0000000..bf3e460
--- /dev/null
+++ b/msp/msp_test.go
@@ -0,0 +1,72 @@
+package msp
+
+import (
+	"bytes"
+	"crypto/rand"
+	"errors"
+	"testing"
+)
+
+type Database map[string][][]byte
+
+func (d Database) ValidUser(name string) bool {
+	_, ok := d[name]
+	return ok
+}
+
+func (d Database) CanGetShare(name string) bool {
+	_, ok := d[name]
+	return ok
+}
+
+func (d Database) GetShare(name string) ([][]byte, error) {
+	out, ok := d[name]
+
+	if ok {
+		return out, nil
+	} else {
+		return nil, errors.New("Not found!")
+	}
+}
+
+func TestMSP(t *testing.T) {
+	db := UserDatabase(Database(map[string][][]byte{
+		"Alice": [][]byte{},
+		"Bob":   [][]byte{},
+		"Carl":  [][]byte{},
+	}))
+
+	sec := make([]byte, 16)
+	rand.Read(sec)
+	sec[0] &= 63 // Removes first 2 bits of key.
+
+	predicate, _ := StringToMSP("(2, (1, Alice, Bob), Carl)")
+
+	shares1, _ := predicate.DistributeShares(sec, Modulus(127), &db)
+	shares2, _ := predicate.DistributeShares(sec, Modulus(127), &db)
+
+	alice := bytes.Compare(shares1["Alice"][0], shares2["Alice"][0])
+	bob := bytes.Compare(shares1["Bob"][0], shares2["Bob"][0])
+	carl := bytes.Compare(shares1["Carl"][0], shares2["Carl"][0])
+
+	if alice == 0 && bob == 0 && carl == 0 {
+		t.Fatalf("Key splitting isn't random! %v %v", shares1, shares2)
+	}
+
+	db1 := UserDatabase(Database(shares1))
+	db2 := UserDatabase(Database(shares2))
+
+	sec1, err := predicate.RecoverSecret(Modulus(127), &db1)
+	if err != nil {
+		t.Fatalf("#1: %v", err)
+	}
+
+	sec2, err := predicate.RecoverSecret(Modulus(127), &db2)
+	if err != nil {
+		t.Fatalf("#2: %v", err)
+	}
+
+	if !(bytes.Compare(sec, sec1) == 0 && bytes.Compare(sec, sec2) == 0) {
+		t.Fatalf("Secrets derived differed:  %v %v %v", sec, sec1, sec2)
+	}
+}
diff --git a/msp/raw.go b/msp/raw.go
new file mode 100644
index 0000000..cd2506b
--- /dev/null
+++ b/msp/raw.go
@@ -0,0 +1,218 @@
+package msp
+
+import (
+	"container/list"
+	"errors"
+	"strings"
+)
+
+type NodeType int // Types of node in the binary expression tree.
+
+const (
+	NodeAnd NodeType = iota
+	NodeOr
+)
+
+func (t NodeType) Type() NodeType {
+	return t
+}
+
+type Raw struct { // Represents one node in the tree.
+	NodeType
+
+	Left  *Condition
+	Right *Condition
+}
+
+func StringToRaw(r string) (out Raw, err error) {
+	// Automaton.  Modification of Dijkstra's Two-Stack Algorithm for parsing
+	// infix notation.  Reads one long unbroken expression (several operators and
+	// operands with no parentheses) at a time and parses it into a binary
+	// expression tree (giving AND operators precedence).  Running time linear in
+	// the size of the predicate?
+	//
+	// Steps to the next (un)parenthesis.
+	//     (     -> Push new queue onto staging stack
+	//     value -> Push onto back of queue at top of staging stack.
+	//     )     -> Pop queue off top of staging stack, build BET, and push tree
+	//              onto the back of the top queue.
+	//
+	// To build the binary expression tree, for each type of operation we iterate
+	// through the (Condition, operator) lists compacting where that operation
+	// occurs into tree nodes.
+	//
+	// Staging stack is empty on initialization and should have exactly 1 node
+	// (the root node) at the end of the string.
+	r = "(" + r + ")"
+
+	min := func(a, b, c int) int { // Return smallest non-negative argument.
+		if a > b { // Sort {a, b, c}
+			a, b = b, a
+		}
+		if b > c {
+			b, c = c, b
+		}
+		if a > b {
+			a, b = b, a
+		}
+
+		if a != -1 {
+			return a
+		} else if b != -1 {
+			return b
+		} else {
+			return c
+		}
+	}
+
+	getNext := func(r string) (string, string) { // r -> (next, rest)
+		r = strings.TrimSpace(r)
+
+		if r[0] == '(' || r[0] == ')' || r[0] == '&' || r[0] == '|' {
+			return r[0:1], r[1:]
+		}
+
+		nextOper := min(
+			strings.Index(r, "&"),
+			strings.Index(r, "|"),
+			strings.Index(r, ")"),
+		)
+
+		if nextOper == -1 {
+			return r, ""
+		}
+		return strings.TrimSpace(r[0:nextOper]), r[nextOper:]
+	}
+
+	staging := list.New() // Stack of (Condition list, operator list)
+	indices := make(map[string]int, 0)
+
+	var nxt string
+	for len(r) > 0 {
+		nxt, r = getNext(r)
+
+		switch nxt {
+		case "(":
+			staging.PushFront([2]*list.List{list.New(), list.New()})
+		case ")":
+			top := staging.Remove(staging.Front()).([2]*list.List)
+			if top[0].Len() != (top[1].Len() + 1) {
+				return out, errors.New("Stacks are invalid size.")
+			}
+
+			for typ := NodeAnd; typ <= NodeOr; typ++ {
+				var step *list.Element
+				leftOperand := top[0].Front()
+
+				for oper := top[1].Front(); oper != nil; oper = step {
+					step = oper.Next()
+
+					if oper.Value.(NodeType) == typ {
+						left := leftOperand.Value.(Condition)
+						right := leftOperand.Next().Value.(Condition)
+
+						leftOperand.Next().Value = Raw{
+							NodeType: typ,
+							Left:     &left,
+							Right:    &right,
+						}
+
+						leftOperand = leftOperand.Next()
+
+						top[0].Remove(leftOperand.Prev())
+						top[1].Remove(oper)
+					} else {
+						leftOperand = leftOperand.Next()
+					}
+				}
+			}
+
+			if top[0].Len() != 1 || top[1].Len() != 0 {
+				return out, errors.New("Invalid expression--couldn't evaluate.")
+			}
+
+			if staging.Len() == 0 {
+				if len(r) == 0 {
+					return top[0].Front().Value.(Raw), nil
+				}
+				return out, errors.New("Invalid string--terminated early.")
+			}
+			staging.Front().Value.([2]*list.List)[0].PushBack(top[0].Front().Value)
+
+		case "&":
+			staging.Front().Value.([2]*list.List)[1].PushBack(NodeAnd)
+		case "|":
+			staging.Front().Value.([2]*list.List)[1].PushBack(NodeOr)
+		default:
+			if _, there := indices[nxt]; !there {
+				indices[nxt] = 0
+			}
+
+			staging.Front().Value.([2]*list.List)[0].PushBack(String{nxt, indices[nxt]})
+			indices[nxt]++
+		}
+	}
+
+	return out, errors.New("Invalid string--never terminated.")
+}
+
+func (r Raw) String() string {
+	out := ""
+
+	switch (*r.Left).(type) {
+	case String:
+		out += (*r.Left).(String).string
+	default:
+		out += "(" + (*r.Left).(Raw).String() + ")"
+	}
+
+	if r.Type() == NodeAnd {
+		out += " & "
+	} else {
+		out += " | "
+	}
+
+	switch (*r.Right).(type) {
+	case String:
+		out += (*r.Right).(String).string
+	default:
+		out += "(" + (*r.Right).(Raw).String() + ")"
+	}
+
+	return out
+}
+
+func (r Raw) Formatted() (out Formatted) {
+	// Recursively maps a raw predicate to a formatted predicate by mapping AND
+	// gates to (2, A, B) treshold gates and OR gates to (1, A, B) gates.
+	if r.Type() == NodeAnd {
+		out.Min = 2
+	} else {
+		out.Min = 1
+	}
+
+	switch (*r.Left).(type) {
+	case String:
+		out.Conds = []Condition{(*r.Left).(String)}
+	default:
+		out.Conds = []Condition{(*r.Left).(Raw).Formatted()}
+	}
+
+	switch (*r.Right).(type) {
+	case String:
+		out.Conds = append(out.Conds, (*r.Right).(String))
+	default:
+		out.Conds = append(out.Conds, (*r.Right).(Raw).Formatted())
+	}
+
+	out.Compress() // Small amount of predicate compression.
+	return
+}
+
+func (r Raw) Ok(db *UserDatabase) bool {
+	if r.Type() == NodeAnd {
+		return (*r.Left).Ok(db) && (*r.Right).Ok(db)
+	} else {
+		return (*r.Left).Ok(db) || (*r.Right).Ok(db)
+	}
+}
diff --git a/msp/raw_test.go b/msp/raw_test.go
new file mode 100644
index 0000000..c9e69ab
--- /dev/null
+++ b/msp/raw_test.go
@@ -0,0 +1,74 @@
+package msp
+
+import (
+	"testing"
+)
+
+func TestRaw(t *testing.T) {
+	alice := Condition(String{"Alice", 0})
+	bob := Condition(String{"Bob", 0})
+	carl := Condition(String{"Carl", 0})
+
+	query1 := Raw{
+		NodeType: NodeAnd,
+		Left:     &alice,
+		Right:    &bob,
+	}
+
+	aliceOrBob := Condition(Raw{
+		NodeType: NodeOr,
+		Left:     &alice,
+		Right:    &bob,
+	})
+
+	query2 := Raw{
+		NodeType: NodeAnd,
+		Left:     &aliceOrBob,
+		Right:    &carl,
+	}
+
+	db := UserDatabase(Database(map[string][][]byte{
+		"Alice": [][]byte{[]byte("blah")},
+		"Carl":  [][]byte{[]byte("herp")},
+	}))
+
+	if query1.Ok(&db) != false {
+		t.Fatalf("Query #1 was wrong.")
+	}
+
+	if query2.Ok(&db) != true {
+		t.Fatalf("Query #2 was wrong.")
+	}
+
+	query1String := "Alice & Bob"
+	query2String := "(Alice | Bob) & Carl"
+
+	if query1.String() != query1String {
+		t.Fatalf("Query #1 String was wrong; %v", query1.String())
+	}
+
+	if query2.String() != query2String {
+		t.Fatalf("Query #2 String was wrong; %v", query2.String())
+	}
+
+	decQuery1, err := StringToRaw(query1String)
+	if err != nil || decQuery1.String() != query1String {
+		t.Fatalf("Query #1 decoded wrong: %v %v", decQuery1.String(), err)
+	}
+
+	decQuery2, err := StringToRaw(query2String)
+	if err != nil || decQuery2.String() != query2String {
+		t.Fatalf("Query #2 decoded wrong: %v %v", decQuery2.String(), err)
+	}
+
+	formattedQuery1String := "(2, Alice, Bob)"
+	formattedQuery2String := "(2, (1, Alice, Bob), Carl)"
+
+	if query1.Formatted().String() != formattedQuery1String {
+		t.Fatalf("Query #1 formatted wrong: %v", query1.Formatted().String())
+	}
+
+	if query2.Formatted().String() != formattedQuery2String {
+		t.Fatalf("Query #2 formatted wrong: %v", query2.Formatted().String())
+	}
+}

From 9e514e902abc6f1631d8f7f29f9570fb76194a29 Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Wed, 27 May 2015 12:05:39 -0700
Subject: [PATCH 03/14] Shorten key by 2 bits.

---
 cryptor/cryptor.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index 5d0e701..400c371 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -466,6 +466,11 @@ func (c *Cryptor) Encrypt(in []byte, labels []string, access AccessStructure) (r
 	if err != nil {
 		return
 	}
+	if len(access.Predicate) > 0 {
+		// The first two bits of the key need to be removed to prevent wrapping
+		// because the modulus is slightly too small.
+		clearKey[0] &= 63
+	}
 
 	err = encrypted.wrapKey(c.records, clearKey, access)
 	if err != nil {

From 4c161e343cd6ca64206fc59bcac338b75691ef1d Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Mon, 10 Aug 2015 14:58:57 -0700
Subject: [PATCH 04/14] Write better error messages.

---
 msp/formatted.go | 6 +++---
 msp/raw.go       | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/msp/formatted.go b/msp/formatted.go
index c4d16c2..2414bf7 100644
--- a/msp/formatted.go
+++ b/msp/formatted.go
@@ -26,7 +26,7 @@ func StringToFormatted(f string) (out Formatted, err error) {
 	// Staging stack is empty on initialization and should have exactly 1 built
 	// threshold gate at the end of the string.
 	if f[0] != '(' || f[len(f)-1] != ')' {
-		return out, errors.New("Invalid string--wrong format.")
+		return out, errors.New("Invalid string: Needs to begin and end with parentheses.")
 	}
 
 	getNext := func(f string) (string, string) { // f -> (next, rest)
@@ -87,7 +87,7 @@ func StringToFormatted(f string) (out Formatted, err error) {
 				if len(f) == 0 {
 					return built, nil
 				}
-				return built, errors.New("Invalid string--terminated early.")
+				return built, errors.New("Invalid string: Can't parse anymore, but there's still data. Too many closing parentheses or too few opening parentheses?")
 			}
 
 			staging.Front().Value.(*list.List).PushBack(built)
@@ -102,7 +102,7 @@ func StringToFormatted(f string) (out Formatted, err error) {
 		}
 	}
 
-	return out, errors.New("Invalid string--never terminated.")
+	return out, errors.New("Invalid string: Not finished parsing, but out of data. Too many opening parentheses or too few closing parentheses?")
 }
 
 func (f Formatted) String() string {
diff --git a/msp/raw.go b/msp/raw.go
index cd2506b..baae187 100644
--- a/msp/raw.go
+++ b/msp/raw.go
@@ -97,7 +97,7 @@ func StringToRaw(r string) (out Raw, err error) {
 		case ")":
 			top := staging.Remove(staging.Front()).([2]*list.List)
 			if top[0].Len() != (top[1].Len() + 1) {
-				return out, errors.New("Stacks are invalid size.")
+				return out, errors.New("Invalid string: There needs to be an operator (& or |) for every pair of operands.")
 			}
 
 			for typ := NodeAnd; typ <= NodeOr; typ++ {
@@ -128,14 +128,14 @@ func StringToRaw(r string) (out Raw, err error) {
 			}
 
 			if top[0].Len() != 1 || top[1].Len() != 0 {
-				return out, errors.New("Invalid expression--couldn't evaluate.")
+				return out, errors.New("Invalid string: Couldn't evaluate all of the operators.")
 			}
 
 			if staging.Len() == 0 {
 				if len(r) == 0 {
 					return top[0].Front().Value.(Raw), nil
 				}
-				return out, errors.New("Invalid string--terminated early.")
+				return out, errors.New("Invalid string: Can't parse anymore, but there's still data. Too many closing parentheses or too few opening parentheses?")
 			}
 			staging.Front().Value.([2]*list.List)[0].PushBack(top[0].Front().Value)
 
@@ -153,7 +153,7 @@ func StringToRaw(r string) (out Raw, err error) {
 		}
 	}
 
-	return out, errors.New("Invalid string--never terminated.")
+	return out, errors.New("Invalid string: Not finished parsing, but out of data. Too many opening parentheses or too few closing parentheses?")
 }
 
 func (r Raw) String() string {

From 701b938562e61e337637be60d3fc9681f117eaa3 Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Wed, 4 Nov 2015 11:45:32 -0800
Subject: [PATCH 05/14] Import bug fixes from MSP.

---
 msp/msp.go      | 25 ++++++++++++++++++-------
 msp/raw.go      |  9 ++++++++-
 msp/raw_test.go |  8 ++++++++
 3 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/msp/msp.go b/msp/msp.go
index 3642593..c7e3db3 100644
--- a/msp/msp.go
+++ b/msp/msp.go
@@ -198,16 +198,16 @@ func (m MSP) DistributeShares(sec []byte, modulus *big.Int, db *UserDatabase) (m
 		case String:
 			name := cond.(String).string
 			if _, ok := out[name]; ok {
-				out[name] = append(out[name], share.Bytes())
+				out[name] = append(out[name], m.encode(share, modulus))
 			} else if (*db).ValidUser(name) {
-				out[name] = [][]byte{share.Bytes()}
+				out[name] = [][]byte{m.encode(share, modulus)}
 			} else {
 				return out, errors.New("Unknown user in predicate.")
 			}
 
 		default:
 			below := MSP(cond.(Formatted))
-			subOut, err := below.DistributeShares(share.Bytes(), modulus, db)
+			subOut, err := below.DistributeShares(m.encode(share, modulus), modulus, db)
 			if err != nil {
 				return out, err
 			}
@@ -343,8 +343,6 @@ func (m MSP) recoverSecret(modulus *big.Int, db *UserDatabase, cache map[string]
 
 	// Compute dot product of the shares vector and the reconstruction vector to
 	// reconstruct the secret.
-	size := len(modulus.Bytes())
-	out := make([]byte, size)
 	secInt := big.NewInt(0)
 
 	for i, share := range shares {
@@ -364,6 +362,19 @@ func (m MSP) recoverSecret(modulus *big.Int, db *UserDatabase, cache map[string]
 		secInt.Add(secInt, shareInt).Mod(secInt, modulus)
 	}
 
-	out = append(out, secInt.Bytes()...)
-	return out[len(out)-size:], nil
+	return m.encode(secInt, modulus), nil
+}
+
+func (m MSP) encode(x *big.Int, modulus *big.Int) (out []byte) {
+	tmp := x.Bytes()
+	tmpSize := len(tmp)
+
+	modSize := len(modulus.Bytes())
+	out = make([]byte, modSize)
+
+	for pos := 0; pos < tmpSize; pos++ {
+		out[modSize-pos-1] = tmp[tmpSize-pos-1]
+	}
+
+	return out
 }
diff --git a/msp/raw.go b/msp/raw.go
index baae187..cc939b4 100644
--- a/msp/raw.go
+++ b/msp/raw.go
@@ -133,7 +133,14 @@ func StringToRaw(r string) (out Raw, err error) {
 
 			if staging.Len() == 0 {
 				if len(r) == 0 {
-					return top[0].Front().Value.(Raw), nil
+					res := top[0].Front().Value
+
+					switch res.(type) {
+					case Raw:
+						return res.(Raw), nil
+					default:
+						return out, errors.New("Invalid string: Only one condition was found.")
+					}
 				}
 				return out, errors.New("Invalid string: Can't parse anymore, but there's still data. Too many closing parentheses or too few opening parentheses?")
 			}
diff --git a/msp/raw_test.go b/msp/raw_test.go
index c9e69ab..1343c10 100644
--- a/msp/raw_test.go
+++ b/msp/raw_test.go
@@ -72,3 +72,11 @@ func TestRaw(t *testing.T) {
 		t.Fatalf("Query #2 formatted wrong: %v", query2.Formatted().String())
 	}
 }
+
+func TestOneCondition(t *testing.T) {
+	_, err := StringToRaw("(Alice or Bob)")
+
+	if err == nil {
+		t.Fatalf("A predicate with only one condition should fail to parse!")
+	}
+}

From d93709973e3365c7f89365e125b273c9a971e908 Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Wed, 4 Nov 2015 14:31:04 -0800
Subject: [PATCH 06/14] Track delegates when decrypting with shares.

---
 cryptor/cryptor.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index 400c371..3289eb6 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -51,6 +51,8 @@ type AccessStructure struct {
 
 // Implements msp.UserDatabase
 type UserDatabase struct {
+	names *[]string
+
 	records *passvault.Records
 	cache   *keycache.Cache
 
@@ -71,6 +73,8 @@ func (u UserDatabase) CanGetShare(name string) bool {
 }
 
 func (u UserDatabase) GetShare(name string) ([][]byte, error) {
+	*u.names = append(*u.names, name)
+
 	return u.cache.DecryptShares(
 		u.shareSet[name],
 		name,
@@ -433,6 +437,7 @@ func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (u
 		}
 
 		db := msp.UserDatabase(UserDatabase{
+			names:    &names,
 			cache:    cache,
 			user:     user,
 			labels:   encrypted.Labels,
@@ -440,7 +445,6 @@ func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (u
 			shareSet: encrypted.ShareSet,
 		})
 		unwrappedKey, err = sss.RecoverSecret(msp.Modulus(127), &db)
-		names = []string{"Shares"}
 
 		return
 	}

From 68e5403a7b83331629c8a4f018fd4637a427bb98 Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Wed, 4 Nov 2015 15:01:19 -0800
Subject: [PATCH 07/14] Add predicate section to UI.

---
 index.html    | 117 +++++++++++++++++++++++++++++++++-----------------
 redoctober.go |  10 ++++-
 2 files changed, 86 insertions(+), 41 deletions(-)

diff --git a/index.html b/index.html
index c0fb819..4788736 100644
--- a/index.html
+++ b/index.html
@@ -22,13 +22,11 @@
 			<div class="collapse navbar-collapse">
 				<ul class="nav navbar-nav">
 					<li><a href="#delegate">Delegate</a></li>
-					<li><a href="#admin">Admin</a></li>
-					<li><a href="#create">Create</a></li>
 					<li><a href="#summary">Summary</a></li>
-					<li><a href="#change-password">Change Password</a></li>
-					<li><a href="#modify-user">Modify User</a></li>
+					<li><a href="#admin">Admin</a></li>
 					<li><a href="#encrypt">Encrypt</a></li>
 					<li><a href="#decrypt">Decrypt</a></li>
+					<li><a href="#owners">Owners</a></li>
 				</ul>
 			</div>
 		</div>
@@ -80,31 +78,13 @@
 					<button type="submit" class="btn btn-primary">Delegate</button>
 				</form>
 			</div>
-
 		</section>
 
 		<hr />
 
 		<section class="row">
-			<div class="col-md-6">
-				<h3 id="admin">Create vault/admin</h3>
-				<form id="vault-create" class="form-inline ro-admin-create" role="form" action="/create" method="post">
-					<div class="feedback admin-feedback"></div>
-
-					<div class="form-group">
-						<label class="sr-only" for="admin-create-user">User name</label>
-						<input type="text" name="Name" class="form-control" id="admin-create-user" placeholder="User name" required />
-					</div>
-					<div class="form-group">
-						<label class="sr-only" for="admin-create-pass">Password</label>
-						<input type="password" name="Password" class="form-control" id="admin-create-pass" placeholder="Password" required />
-					</div>
-					<button type="submit" class="btn btn-primary">Create Admin</button>
-				</form>
-
-				<hr />
-
-				<h3 id="summary">User summary / delegation list</h3> 
+			<div id="summary" class="col-md-6">
+				<h3>User summary / delegation list</h3>
 
 				<form id="vault-summary" class="form-inline ro-summary" role="form" action="/summary" method="post">
 					<div class="feedback summary-feedback"></div>
@@ -128,11 +108,32 @@
 					<ul class="list-group summary-all-users"></ul>
 				</div>
 			</div>
+		</section>
 
-			<div class="col-md-6">
-				<h3 id="create">Create</h3>
+		<hr />
 
-				<form id="user-create" class="ro-user-create" role="form" action="/delegate" method="post">
+		<section class="row">
+			<div class="col-md-6" id="admin">
+				<h3>Create vault</h3>
+				<form id="vault-create" class="form-inline ro-admin-create" role="form" action="/create" method="post">
+					<div class="feedback admin-feedback"></div>
+
+					<div class="form-group">
+						<label class="sr-only" for="admin-create-user">User name</label>
+						<input type="text" name="Name" class="form-control" id="admin-create-user" placeholder="User name" required />
+					</div>
+					<div class="form-group">
+						<label class="sr-only" for="admin-create-pass">Password</label>
+						<input type="password" name="Password" class="form-control" id="admin-create-pass" placeholder="Password" required />
+					</div>
+					<button type="submit" class="btn btn-primary">Create Admin</button>
+				</form>
+
+				<hr />
+
+				<h3>Create User</h3>
+
+				<form id="user-create" class="ro-user-create" role="form" action="/create-user" method="post">
 					<div class="feedback create-feedback"></div>
 
 					<div class="form-group row">
@@ -146,11 +147,12 @@
 						</div>
 					</div>
 					<div class="form-group row">
-						<div class="col-md-6">
-							<input type="hidden" name="Time" class="form-control" id="create-user-time" value="0h" required />
-						</div>
-						<div class="col-md-6">
-							<input type="hidden" name="Uses" class="form-control" id="create-uses" value="0" required />
+						<div class="col-md-12">
+							<label for="create-user-type">User Type</label>
+							<select name="UserType" class="form-control" id="create-user-type">
+								<option value="RSA">RSA</option>
+								<option value="ECC">ECC</option>
+							</select>
 						</div>
 					</div>
 					<button type="submit" class="btn btn-primary">Create</button>
@@ -183,9 +185,7 @@
 					</div>
 					<button type="submit" class="btn btn-primary">Change password</button>
 				</form>
-			</div>
 
-			<div id="modify" class="col-md-6">
 				<h3>Modify user</h3>
 
 				<form id="user-modify" class="ro-user-modify" role="form" action="/modify" method="post">
@@ -221,7 +221,7 @@
 		</section>
 		<hr />
 		<section class="row">
-			<div id="encrypt-data" class="col-md-6">
+			<div id="encrypt" class="col-md-6">
 				<h3>Encrypt data</h3>
 
 				<form id="encrypt" class="ro-user-encrypt" role="form" action="/encrypt" method="post">
@@ -240,11 +240,17 @@
 					<div class="form-group row">
 						<div class="col-md-6">
 							<label for="encrypt-minimum">Minimum number of users for access</label>
-							<input type="number" name="Minimum" class="form-control" id="encrypt-minimum" placeholder="2" required />
+							<input type="number" name="Minimum" class="form-control" id="encrypt-minimum" placeholder="2" />
 						</div>
 						<div class="col-md-6">
 							<label for="encrypt-owners">Owners <small>(comma separated users)</small></label>
-							<input type="text" name="Owners" class="form-control" id="encrypt-owners" placeholder="e.g., Carol, Bob" required />
+							<input type="text" name="Owners" class="form-control" id="encrypt-owners" placeholder="e.g., Carol, Bob" />
+						</div>
+					</div>
+					<div class="form-group row">
+						<div class="col-md-12">
+							<label for="encrypt-predicate">(OR) Predicate for decryption</label>
+							<input type="text" name="Predicate" class="form-control" id="encrypt-predicate" placeholder="(Alice | Bob) & Carol" />
 						</div>
 					</div>
 					<div class="form-group row">
@@ -260,7 +266,10 @@
 					<button type="submit" class="btn btn-primary">Encrypt!</button>
 				</form>
 			</div>
-			<div id="decrypt-data" class="col-md-6">
+		</section>
+		<hr />
+		<section class="row">
+			<div id="decrypt" class="col-md-6">
 				<h3>Decrypt data</h3>
 
 				<form id="decrypt" class="ro-user-decrypt" role="form" action="/decrypt" method="post">
@@ -284,6 +293,22 @@
 				</form>
 			</div>
 		</section>
+		<hr />
+		<section class="row">
+			<div id="owners" class="col-md-6">
+				<h3>Get owners</h3>
+
+				<form id="owners" class="ro-user-owners" role="form" action="/owners" method="post">
+					<div class="feedback owners-feedback"></div>
+
+					<div class="form-group">
+						<label for="owners-data">Data</label>
+						<textarea name="Data" class="form-control" id="owners-data" rows="5" required></textarea>
+					</div>
+					<button type="submit" class="btn btn-primary">Get Owners</button>
+				</form>
+			</div>
+		</section>
 	</div>
 
 	<footer id="footer" class="footer">
@@ -480,7 +505,7 @@
 			});
 
 			// Decrypt data
-			$('body').on('submit', '#decrypt', function(evt){
+			$('body').on('submit', 'form#decrypt', function(evt){
 				evt.preventDefault();
 				var $form = $(evt.currentTarget),
 					data = serialize($form);
@@ -493,6 +518,20 @@
 					}
 				});
 			});
+
+			// Get owners
+			$('body').on('submit', 'form#owners', function(evt){
+				evt.preventDefault();
+				var $form = $(evt.currentTarget),
+					data = serialize($form);
+
+				submit( $form, {
+					data : data,
+					success : function(d){
+					$form.find('.feedback').empty().append( makeAlert({ type: 'success', message: '<p>Owners: '+d.Owners.sort().join(', ')+'</p>' }) );
+					}
+				});
+			});
 		});
 	</script>
 </body>
diff --git a/redoctober.go b/redoctober.go
index 9c26a06..c933556 100644
--- a/redoctober.go
+++ b/redoctober.go
@@ -513,11 +513,17 @@ var indexHtml = []byte(`<!DOCTYPE html>
 					<div class="form-group row">
 						<div class="col-md-6">
 							<label for="encrypt-minimum">Minimum number of users for access</label>
-							<input type="number" name="Minimum" class="form-control" id="encrypt-minimum" placeholder="2" required />
+							<input type="number" name="Minimum" class="form-control" id="encrypt-minimum" placeholder="2" />
 						</div>
 						<div class="col-md-6">
 							<label for="encrypt-owners">Owners <small>(comma separated users)</small></label>
-							<input type="text" name="Owners" class="form-control" id="encrypt-owners" placeholder="e.g., Carol, Bob" required />
+							<input type="text" name="Owners" class="form-control" id="encrypt-owners" placeholder="e.g., Carol, Bob" />
+						</div>
+					</div>
+					<div class="form-group row">
+						<div class="col-md-12">
+							<label for="encrypt-predicate">(OR) Predicate for decryption</label>
+							<input type="text" name="Predicate" class="form-control" id="encrypt-predicate" placeholder="(Alice | Bob) & Carol" />
 						</div>
 					</div>
 					<div class="form-group row">

From 2422b2920d1406aeb28267f262a20253dbbd660e Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Thu, 5 Nov 2015 09:52:55 -0800
Subject: [PATCH 08/14] Update owners API and README with predicates.

---
 README.md          |  9 ++++++++-
 core/core.go       |  9 +++++----
 cryptor/cryptor.go | 13 +++++++++++--
 index.html         |  2 +-
 redoctober.go      |  2 +-
 5 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 8fbeb5f..73ae2f5 100644
--- a/README.md
+++ b/README.md
@@ -110,7 +110,7 @@ Example query:
     $ curl --cacert cert/server.crt https://localhost:8080/delegate \
            -d '{"Name":"Dodo","Password":"Dodgson","Time":"2h34m","Uses":3}'
     {"Status":"ok"}
-    
+
 ### Create User
 
 Create Users creates a new user account. Allows an optional "UserType"
@@ -174,6 +174,13 @@ Example query:
             -d '{"Name":"Alice","Password":"Lewis","Minimum":2, "Owners":["Alice","Bill","Cat","Dodo"],"Data":"V2h5IGlzIGEgcmF2ZW4gbGlrZSBhIHdyaXRpbmcgZGVzaz8K"}'
     {"Status":"ok","Response":"eyJWZXJzaW9uIj...NSSllzPSJ9"}
 
+Example query with a predicate:
+
+    $ curl --cacert cert/server.crt https://localhost:8080/encrypt  \
+            -d '{"Name":"Alice","Password":"Lewis","Predicate":"Alice & (Bob | Carl)",
+            Data":"V2h5IGlzIGEgcmF2ZW4gbGlrZSBhIHdyaXRpbmcgZGVzaz8K"}'
+    {"Status":"ok","Response":"eyJWZXJzaW9uIj...NSSllzPSJ9"}
+
 The data expansion is not tied to the size of the input.
 
 ### Decrypt
diff --git a/core/core.go b/core/core.go
index e3fccb1..0362703 100644
--- a/core/core.go
+++ b/core/core.go
@@ -125,8 +125,9 @@ type DecryptWithDelegates struct {
 }
 
 type OwnersData struct {
-	Status string
-	Owners []string
+	Status    string
+	Owners    []string
+	Predicate string
 }
 
 // Helper functions that create JSON responses sent by core
@@ -619,12 +620,12 @@ func Owners(jsonIn []byte) ([]byte, error) {
 		return jsonStatusError(err)
 	}
 
-	names, err := crypt.GetOwners(s.Data)
+	names, predicate, err := crypt.GetOwners(s.Data)
 	if err != nil {
 		return jsonStatusError(err)
 	}
 
-	return json.Marshal(OwnersData{Status: "ok", Owners: names})
+	return json.Marshal(OwnersData{Status: "ok", Owners: names, Predicate: predicate})
 }
 
 // Export returns a backed up vault.
diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index 3289eb6..b749e87 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -567,7 +567,7 @@ func (c *Cryptor) Decrypt(in []byte, user string) (resp []byte, names []string,
 
 // GetOwners returns the list of users that can delegate their passwords
 // to decrypt the given encrypted secret.
-func (c *Cryptor) GetOwners(in []byte) (names []string, err error) {
+func (c *Cryptor) GetOwners(in []byte) (names []string, predicate string, err error) {
 	// unwrap encrypted file
 	var encrypted EncryptedData
 	if err = json.Unmarshal(in, &encrypted); err != nil {
@@ -605,7 +605,7 @@ func (c *Cryptor) GetOwners(in []byte) (names []string, err error) {
 	}
 
 	addedNames := make(map[string]bool)
-	for _, mwKey := range encrypted.KeySet {
+	for _, mwKey := range encrypted.KeySet { // names from the combinatorial method
 		for _, mwName := range mwKey.Name {
 			if !addedNames[mwName] {
 				names = append(names, mwName)
@@ -614,5 +614,14 @@ func (c *Cryptor) GetOwners(in []byte) (names []string, err error) {
 		}
 	}
 
+	for name, _ := range encrypted.ShareSet { // names from the secret splitting method
+		if !addedNames[name] {
+			names = append(names, name)
+			addedNames[name] = true
+		}
+	}
+
+	predicate = encrypted.Predicate
+
 	return
 }
diff --git a/index.html b/index.html
index 4788736..ea9ef7e 100644
--- a/index.html
+++ b/index.html
@@ -528,7 +528,7 @@
 				submit( $form, {
 					data : data,
 					success : function(d){
-					$form.find('.feedback').empty().append( makeAlert({ type: 'success', message: '<p>Owners: '+d.Owners.sort().join(', ')+'</p>' }) );
+					$form.find('.feedback').empty().append( makeAlert({ type: 'success', message: '<p>Owners: '+d.Owners.sort().join(', ')+(d.Predicate == '' ? '' : '<br />Predicate: '+d.Predicate)+'</p>' }) );
 					}
 				});
 			});
diff --git a/redoctober.go b/redoctober.go
index c933556..cadb6c2 100644
--- a/redoctober.go
+++ b/redoctober.go
@@ -801,7 +801,7 @@ var indexHtml = []byte(`<!DOCTYPE html>
 				submit( $form, {
 					data : data,
 					success : function(d){
-					$form.find('.feedback').empty().append( makeAlert({ type: 'success', message: '<p>Owners: '+d.Owners.sort().join(', ')+'</p>' }) );
+					$form.find('.feedback').empty().append( makeAlert({ type: 'success', message: '<p>Owners: '+d.Owners.sort().join(', ')+(d.Predicate == '' ? '' : '<br />Predicate: '+d.Predicate)+'</p>' }) );
 					}
 				});
 			});

From 362e20533af73dc717254f27ddd2c124ad841015 Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Thu, 12 Nov 2015 09:10:26 -0800
Subject: [PATCH 09/14] Respond to PR requests. - Type String renamed Name. -
 Panic if an invalid modulus size is chosen rather. - Name the interface
 arguments for the UserDatabase.

---
 msp/formatted.go      |  8 ++++----
 msp/formatted_test.go | 12 ++++++------
 msp/msp.go            | 33 ++++++++++++++++++---------------
 msp/raw.go            | 18 +++++++++---------
 msp/raw_test.go       |  6 +++---
 5 files changed, 40 insertions(+), 37 deletions(-)

diff --git a/msp/formatted.go b/msp/formatted.go
index 2414bf7..770d77f 100644
--- a/msp/formatted.go
+++ b/msp/formatted.go
@@ -69,7 +69,7 @@ func StringToFormatted(f string) (out Formatted, err error) {
 
 			var min int
 			minStr := top.Front()
-			min, err = strconv.Atoi(minStr.Value.(String).string)
+			min, err = strconv.Atoi(minStr.Value.(Name).string)
 			if err != nil {
 				return
 			}
@@ -97,7 +97,7 @@ func StringToFormatted(f string) (out Formatted, err error) {
 				indices[nxt] = 0
 			}
 
-			staging.Front().Value.(*list.List).PushBack(String{nxt, indices[nxt]})
+			staging.Front().Value.(*list.List).PushBack(Name{nxt, indices[nxt]})
 			indices[nxt]++
 		}
 	}
@@ -110,8 +110,8 @@ func (f Formatted) String() string {
 
 	for _, cond := range f.Conds {
 		switch cond.(type) {
-		case String:
-			out += fmt.Sprintf(", %v", cond.(String).string)
+		case Name:
+			out += fmt.Sprintf(", %v", cond.(Name).string)
 		case Formatted:
 			out += fmt.Sprintf(", %v", (cond.(Formatted)).String())
 		}
diff --git a/msp/formatted_test.go b/msp/formatted_test.go
index a693cee..da97c3c 100644
--- a/msp/formatted_test.go
+++ b/msp/formatted_test.go
@@ -8,14 +8,14 @@ func TestFormatted(t *testing.T) {
 	query1 := Formatted{
 		Min: 2,
 		Conds: []Condition{
-			String{"Alice", 0}, String{"Bob", 0}, String{"Carl", 0},
+			Name{"Alice", 0}, Name{"Bob", 0}, Name{"Carl", 0},
 		},
 	}
 
 	query2 := Formatted{
 		Min: 3,
 		Conds: []Condition{
-			String{"Alice", 0}, String{"Bob", 0}, String{"Carl", 0},
+			Name{"Alice", 0}, Name{"Bob", 0}, Name{"Carl", 0},
 		},
 	}
 
@@ -25,10 +25,10 @@ func TestFormatted(t *testing.T) {
 			Formatted{
 				Min: 1,
 				Conds: []Condition{
-					String{"Alice", 0}, String{"Bob", 0},
+					Name{"Alice", 0}, Name{"Bob", 0},
 				},
 			},
-			String{"Carl", 0},
+			Name{"Carl", 0},
 		},
 	}
 
@@ -38,10 +38,10 @@ func TestFormatted(t *testing.T) {
 			Formatted{
 				Min: 1,
 				Conds: []Condition{
-					String{"Alice", 0}, String{"Carl", 0},
+					Name{"Alice", 0}, Name{"Carl", 0},
 				},
 			},
-			String{"Bob", 0},
+			Name{"Bob", 0},
 		},
 	}
 
diff --git a/msp/msp.go b/msp/msp.go
index c7e3db3..7574a6f 100644
--- a/msp/msp.go
+++ b/msp/msp.go
@@ -13,21 +13,21 @@ import (
 // when needed, rather than re-build a partial map of known data.
 type UserDatabase interface {
 	ValidUser(name string) bool
-	CanGetShare(string) bool
-	GetShare(string) ([][]byte, error)
+	CanGetShare(name string) bool
+	GetShare(name string) ([][]byte, error)
 }
 
 type Condition interface { // Represents one condition in a predicate
 	Ok(*UserDatabase) bool
 }
 
-type String struct { // Type of condition
+type Name struct { // Type of condition
 	string
 	index int
 }
 
-func (s String) Ok(db *UserDatabase) bool {
-	return (*db).CanGetShare(s.string)
+func (n Name) Ok(db *UserDatabase) bool {
+	return (*db).CanGetShare(n.string)
 }
 
 type TraceElem struct {
@@ -98,10 +98,13 @@ func Modulus(n int) (modulus *big.Int) {
 		modulus.Sub(modulus, big.NewInt(0).Lsh(big.NewInt(1), 96))
 		modulus.Add(modulus, big.NewInt(1))
 
-	default: // Silent fail.
+	case 127:
 		modulus = big.NewInt(1) // 2^127 - 1
 		modulus.Lsh(modulus, 127)
 		modulus.Sub(modulus, big.NewInt(1))
+
+	default:
+		panic("Invalid modulus size chosen!")
 	}
 
 	return
@@ -133,12 +136,12 @@ func (m MSP) DerivePath(db *UserDatabase) (ok bool, names []string, locs []int,
 
 	for i, cond := range m.Conds {
 		switch cond.(type) {
-		case String:
-			if (*db).CanGetShare(cond.(String).string) {
+		case Name:
+			if (*db).CanGetShare(cond.(Name).string) {
 				heap.Push(ts, TraceElem{
 					i,
-					[]string{cond.(String).string},
-					[]string{cond.(String).string},
+					[]string{cond.(Name).string},
+					[]string{cond.(Name).string},
 				})
 			}
 
@@ -195,8 +198,8 @@ func (m MSP) DistributeShares(sec []byte, modulus *big.Int, db *UserDatabase) (m
 		}
 
 		switch cond.(type) {
-		case String:
-			name := cond.(String).string
+		case Name:
+			name := cond.(Name).string
 			if _, ok := out[name]; ok {
 				out[name] = append(out[name], m.encode(share, modulus))
 			} else if (*db).ValidUser(name) {
@@ -258,12 +261,12 @@ func (m MSP) recoverSecret(modulus *big.Int, db *UserDatabase, cache map[string]
 		index = append(index, loc+1)
 
 		switch gate.(type) {
-		case String:
-			if len(cache[gate.(String).string]) <= gate.(String).index {
+		case Name:
+			if len(cache[gate.(Name).string]) <= gate.(Name).index {
 				return nil, errors.New("Predicate / database mismatch!")
 			}
 
-			shares = append(shares, cache[gate.(String).string][gate.(String).index])
+			shares = append(shares, cache[gate.(Name).string][gate.(Name).index])
 
 		case Formatted:
 			share, err := MSP(gate.(Formatted)).recoverSecret(modulus, db, cache)
diff --git a/msp/raw.go b/msp/raw.go
index cc939b4..12bee10 100644
--- a/msp/raw.go
+++ b/msp/raw.go
@@ -155,7 +155,7 @@ func StringToRaw(r string) (out Raw, err error) {
 				indices[nxt] = 0
 			}
 
-			staging.Front().Value.([2]*list.List)[0].PushBack(String{nxt, indices[nxt]})
+			staging.Front().Value.([2]*list.List)[0].PushBack(Name{nxt, indices[nxt]})
 			indices[nxt]++
 		}
 	}
@@ -167,8 +167,8 @@ func (r Raw) String() string {
 	out := ""
 
 	switch (*r.Left).(type) {
-	case String:
-		out += (*r.Left).(String).string
+	case Name:
+		out += (*r.Left).(Name).string
 	default:
 		out += "(" + (*r.Left).(Raw).String() + ")"
 	}
@@ -180,8 +180,8 @@ func (r Raw) String() string {
 	}
 
 	switch (*r.Right).(type) {
-	case String:
-		out += (*r.Right).(String).string
+	case Name:
+		out += (*r.Right).(Name).string
 	default:
 		out += "(" + (*r.Right).(Raw).String() + ")"
 	}
@@ -199,15 +199,15 @@ func (r Raw) Formatted() (out Formatted) {
 	}
 
 	switch (*r.Left).(type) {
-	case String:
-		out.Conds = []Condition{(*r.Left).(String)}
+	case Name:
+		out.Conds = []Condition{(*r.Left).(Name)}
 	default:
 		out.Conds = []Condition{(*r.Left).(Raw).Formatted()}
 	}
 
 	switch (*r.Right).(type) {
-	case String:
-		out.Conds = append(out.Conds, (*r.Right).(String))
+	case Name:
+		out.Conds = append(out.Conds, (*r.Right).(Name))
 	default:
 		out.Conds = append(out.Conds, (*r.Right).(Raw).Formatted())
 	}
diff --git a/msp/raw_test.go b/msp/raw_test.go
index 1343c10..81ae66b 100644
--- a/msp/raw_test.go
+++ b/msp/raw_test.go
@@ -5,9 +5,9 @@ import (
 )
 
 func TestRaw(t *testing.T) {
-	alice := Condition(String{"Alice", 0})
-	bob := Condition(String{"Bob", 0})
-	carl := Condition(String{"Carl", 0})
+	alice := Condition(Name{"Alice", 0})
+	bob := Condition(Name{"Bob", 0})
+	carl := Condition(Name{"Carl", 0})
 
 	query1 := Raw{
 		NodeType: NodeAnd,

From 61540eca4e955be4753fa7d01b2511ac33be52dd Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Fri, 13 Nov 2015 16:19:41 -0800
Subject: [PATCH 10/14] Bug fixes from code audit. - Catch ignored error. -
 Make sure that key data exists in the EncryptedData object as well as in the
 key cache.

---
 cryptor/cryptor.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index b749e87..662aa57 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -68,8 +68,11 @@ func (u UserDatabase) ValidUser(name string) bool {
 }
 
 func (u UserDatabase) CanGetShare(name string) bool {
-	_, _, ok := u.cache.MatchUser(name, u.user, u.labels)
-	return ok
+	_, _, ok1 := u.cache.MatchUser(name, u.user, u.labels)
+	_, ok2 := u.shareSet[name]
+	_, ok3 := u.keySet[name]
+
+	return ok1 && ok2 && ok3
 }
 
 func (u UserDatabase) GetShare(name string) ([][]byte, error) {
@@ -355,6 +358,9 @@ func (encrypted *EncryptedData) wrapKey(records *passvault.Records, clearKey []b
 
 		for name, _ := range shareSet {
 			encrypted.KeySetRSA[name], err = generateRandomKey(name)
+			if err != nil {
+				return err
+			}
 			crypt, err := aes.NewCipher(encrypted.KeySetRSA[name].aesKey)
 			if err != nil {
 				return err

From 07b99b15f39486b9ce8dc4145d433f16aae0dabe Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Fri, 20 Nov 2015 10:22:59 -0800
Subject: [PATCH 11/14] Update comments.

---
 cryptor/cryptor.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index 662aa57..22acc22 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -39,7 +39,8 @@ func New(records *passvault.Records, cache *keycache.Cache) Cryptor {
 // encrypted data.  If len(Names) > 0, then at least 2 of the users in the list
 // must be delegated to decrypt.  If len(LeftNames) > 0 & len(RightNames) > 0,
 // then at least one from each list must be delegated (if the same user is in
-// both, then he can decrypt it alone).
+// both, then he can decrypt it alone).  If a predicate is present, it must be
+// satisfied to decrypt.
 type AccessStructure struct {
 	Names []string
 
@@ -232,8 +233,7 @@ func (encrypted *EncryptedData) unlock(key []byte) (err error) {
 	return json.Unmarshal(encrypted.Data, encrypted)
 }
 
-// wrapKey encrypts the clear key such that a minimum number of delegated keys
-// are required to decrypt.  NOTE:  Currently the max value for min is 2.
+// wrapKey encrypts the clear key according to an access structure.
 func (encrypted *EncryptedData) wrapKey(records *passvault.Records, clearKey []byte, access AccessStructure) (err error) {
 	generateRandomKey := func(name string) (singleWrappedKey SingleWrappedKey, err error) {
 		rec, ok := records.GetRecord(name)

From 7e56983fa602cb6601ae63f934624be7aea74f7f Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Sat, 21 Nov 2015 09:23:55 -0800
Subject: [PATCH 12/14] Move field and matrix logic into their own files and
 abstractions. - Instead of using GF(2^127-1) as one of many options, move to
 GF(2^128) exclusively. - Don't clear the first two bits of every secret key.

---
 cryptor/cryptor.go |   9 +-
 msp/README.md      |  23 +----
 msp/matrix.go      | 149 +++++++++++++++++++++++++++++++
 msp/matrix_test.go |  44 ++++++++++
 msp/msp.go         | 214 ++++++++++++---------------------------------
 msp/msp_test.go    |   8 +-
 msp/number.go      | 116 ++++++++++++++++++++++++
 msp/number_test.go |  50 +++++++++++
 8 files changed, 422 insertions(+), 191 deletions(-)
 create mode 100644 msp/matrix.go
 create mode 100644 msp/matrix_test.go
 create mode 100644 msp/number.go
 create mode 100644 msp/number_test.go

diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index 22acc22..fbdf556 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -351,7 +351,7 @@ func (encrypted *EncryptedData) wrapKey(records *passvault.Records, clearKey []b
 		}
 
 		db := msp.UserDatabase(UserDatabase{records: records})
-		shareSet, err := sss.DistributeShares(clearKey, msp.Modulus(127), &db)
+		shareSet, err := sss.DistributeShares(clearKey, &db)
 		if err != nil {
 			return err
 		}
@@ -450,7 +450,7 @@ func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (u
 			keySet:   encrypted.KeySetRSA,
 			shareSet: encrypted.ShareSet,
 		})
-		unwrappedKey, err = sss.RecoverSecret(msp.Modulus(127), &db)
+		unwrappedKey, err = sss.RecoverSecret(&db)
 
 		return
 	}
@@ -476,11 +476,6 @@ func (c *Cryptor) Encrypt(in []byte, labels []string, access AccessStructure) (r
 	if err != nil {
 		return
 	}
-	if len(access.Predicate) > 0 {
-		// The first two bits of the key need to be removed to prevent wrapping
-		// because the modulus is slightly too small.
-		clearKey[0] &= 63
-	}
 
 	err = encrypted.wrapKey(c.records, clearKey, access)
 	if err != nil {
diff --git a/msp/README.md b/msp/README.md
index 051ec26..a88c4bc 100644
--- a/msp/README.md
+++ b/msp/README.md
@@ -116,9 +116,8 @@ fmt.Printf("%v\n", r2.Formatted()) // (3, Alice, Bob, Carl)
 ```go
 type MSP Formatted
 
-func Modulus(n int) *big.Int {}
-func (m MSP) DistributeShares(sec []byte, modulus *big.Int, db *UserDatabase) (map[string][][]byte, error) {}
-func (m MSP) RecoverSecret(modulus *big.Int, db *UserDatabase) ([]byte, error) {}
+func (m MSP) DistributeShares(sec []byte, db *UserDatabase) (map[string][][]byte, error) {}
+func (m MSP) RecoverSecret(db *UserDatabase) ([]byte, error) {}
 ```
 
 To switch from predicate-mode to secret-sharing-mode, just cast your formatted
@@ -133,21 +132,3 @@ of shares which should be given to that party and integrated into the
 `UserDatabase` somehow.  When you're ready to reconstruct the secret, you call
 `RecoverSecret`, which does some prodding about and hopefully gives you back
 what you put in.
-
-The modulus determines the size of the secret shares.  It must be prime, larger
-than the secret, and larger than n<sup>k</sup> where `n` is the number of
-parties and `k` is the depth of the circuit.  (For each path from the root to a
-gate with only leaf nodes, sum the thresholds of all the gates along that path.
-`k` is the maximum of these values--a safe overestimation is to sum the
-thresholds of all gates in the circuit)  Because this form of secret sharing
-is *information-theoretically secure*, as long as the modulus satisfies those
-requirements, it can be as small or as large as you'd like (there's no
-bonus/reduction in security).  An excessively small modulus is restrictive, but
-saves a *lot* of bandwidth.  However, there's no sensible reason for a modulus
-over about 256 bits--by that point, it's easier to generate a random AES key,
-encrypt your secret with *that*, and distribute shares of the decryption key
-instead.
-
-For convenience, the `Modulus` function has some hard coded moduli that are
-useful.  The choices are currently: `127`, `224`, and `256` for a 127-bit,
-224-bit, or 256-bit modulus, respectively.
diff --git a/msp/matrix.go b/msp/matrix.go
new file mode 100644
index 0000000..6c82141
--- /dev/null
+++ b/msp/matrix.go
@@ -0,0 +1,149 @@
+// Matrix operations for elements in GF(2^128).
+package msp
+
+type Row []FieldElem
+
+// NewRow returns a row of length s with all zero entries.
+func NewRow(s int) Row {
+	out := Row(make([]FieldElem, s))
+
+	for i := 0; i < s; i++ {
+		out[i] = NewFieldElem()
+	}
+
+	return out
+}
+
+// AddM adds two vectors.
+func (e Row) AddM(f Row) {
+	le, lf := e.Size(), f.Size()
+	if le != lf {
+		panic("Can't add rows that are different sizes!")
+	}
+
+	for i, f_i := range f {
+		e[i].AddM(f_i)
+	}
+
+	return
+}
+
+// MulM multiplies the row by a scalar.
+func (e Row) MulM(f FieldElem) {
+	for i, _ := range e {
+		e[i] = e[i].Mul(f)
+	}
+}
+
+func (e Row) Mul(f FieldElem) Row {
+	out := NewRow(e.Size())
+
+	for i := 0; i < e.Size(); i++ {
+		out[i] = e[i].Mul(f)
+	}
+
+	return out
+}
+
+// DotProduct computes the dot product of two vectors.
+func (e Row) DotProduct(f Row) FieldElem {
+	if e.Size() != f.Size() {
+		panic("Can't get dot product of rows of different length!")
+	}
+
+	out := NewFieldElem()
+
+	for i := 0; i < e.Size(); i++ {
+		out.AddM(e[i].Mul(f[i]))
+	}
+
+	return out
+}
+
+func (e Row) Size() int {
+	return len(e)
+}
+
+type Matrix []Row
+
+// Mul right-multiplies a matrix by a row.
+func (e Matrix) Mul(f Row) Row {
+	out, in := e.Size()
+	if in != f.Size() {
+		panic("Can't multiply by row that is wrong size!")
+	}
+
+	res := NewRow(out)
+
+	for i := 0; i < out; i++ {
+		res[i] = e[i].DotProduct(f)
+	}
+
+	return res
+}
+
+// Recovery returns the row vector that takes this matrix to the target vector [1 0 0 ... 0].
+func (e Matrix) Recovery() (Row, bool) {
+	a, b := e.Size()
+
+	// aug is the target vector.
+	aug := NewRow(a)
+	aug[0] = One.Dup()
+
+	// Duplicate e away so we don't mutate it; transpose it at the same time.
+	f := make([]Row, b)
+	for i, _ := range f {
+		f[i] = NewRow(a)
+	}
+
+	for i := 0; i < a; i++ {
+		for j := 0; j < b; j++ {
+			f[j][i] = e[i][j].Dup()
+		}
+	}
+
+	for row, _ := range f {
+		if row >= b { // The matrix is tall and thin--we've finished before exhausting all the rows.
+			break
+		}
+
+		// Find a row with a non-zero entry in the (row)th position
+		candId := -1
+		for j, f_j := range f[row:] {
+			if !f_j[row].IsZero() {
+				candId = j + row
+				break
+			}
+		}
+
+		if candId == -1 { // If we can't find one, fail and return our partial work.
+			return aug, false
+		}
+
+		// Move it to the top
+		f[row], f[candId] = f[candId], f[row]
+		aug[row], aug[candId] = aug[candId], aug[row]
+
+		// Make the pivot 1.
+		fInv := f[row][row].Invert()
+
+		f[row].MulM(fInv)
+		aug[row] = aug[row].Mul(fInv)
+
+		// Cancel out the (row)th position for every row above and below it.
+		for i, _ := range f {
+			if i != row && !f[i][row].IsZero() {
+				c := f[i][row].Dup()
+
+				f[i].AddM(f[row].Mul(c))
+				aug[i].AddM(aug[row].Mul(c))
+			}
+		}
+	}
+
+	return aug, true
+}
+
+func (e Matrix) Size() (int, int) {
+	return len(e), e[0].Size()
+}
diff --git a/msp/matrix_test.go b/msp/matrix_test.go
new file mode 100644
index 0000000..f345c16
--- /dev/null
+++ b/msp/matrix_test.go
@@ -0,0 +1,44 @@
+package msp
+
+import (
+	"testing"
+)
+
+func TestRecovery(t *testing.T) {
+	// Generate the matrix.
+	height, width := 10, 10
+	M := Matrix(make([]Row, height))
+
+	for i := 0; i < height; i++ {
+		M[i] = NewRow(width)
+
+		for j := 0; j < width; j++ {
+			M[i][j][0] = byte(i + 1)
+			M[i][j] = M[i][j].Exp(j)
+		}
+	}
+
+	// Find the recovery vector.
+	r, ok := M.Recovery()
+	if !ok {
+		t.Fatalf("Failed to find the recovery vector!")
+	}
+
+	// Find the output vector.
+	out := NewRow(width)
+
+	for i := 0; i < height; i++ {
+		out.AddM(M[i].Mul(r[i]))
+	}
+
+	// Check that it is the target vector.
+	if !out[0].IsOne() {
+		t.Fatalf("Output is not the target vector!")
+	}
+
+	for i := 1; i < width; i++ {
+		if !out[i].IsZero() {
+			t.Fatalf("Output is not the target vector!")
+		}
+	}
+}
diff --git a/msp/msp.go b/msp/msp.go
index 7574a6f..7d4aaff 100644
--- a/msp/msp.go
+++ b/msp/msp.go
@@ -4,7 +4,6 @@ import (
 	"container/heap"
 	"crypto/rand"
 	"errors"
-	"math/big"
 	"strings"
 )
 
@@ -82,34 +81,6 @@ TopLoop:
 
 type MSP Formatted
 
-func Modulus(n int) (modulus *big.Int) {
-	switch n {
-	case 256:
-		modulus = big.NewInt(1) // 2^256 - 2^224 + 2^192 + 2^96 - 1
-		modulus.Lsh(modulus, 256)
-		modulus.Sub(modulus, big.NewInt(0).Lsh(big.NewInt(1), 224))
-		modulus.Add(modulus, big.NewInt(0).Lsh(big.NewInt(1), 192))
-		modulus.Add(modulus, big.NewInt(0).Lsh(big.NewInt(1), 96))
-		modulus.Sub(modulus, big.NewInt(1))
-
-	case 224:
-		modulus = big.NewInt(1) // 2^224 - 2^96 + 1
-		modulus.Lsh(modulus, 224)
-		modulus.Sub(modulus, big.NewInt(0).Lsh(big.NewInt(1), 96))
-		modulus.Add(modulus, big.NewInt(1))
-
-	case 127:
-		modulus = big.NewInt(1) // 2^127 - 1
-		modulus.Lsh(modulus, 127)
-		modulus.Sub(modulus, big.NewInt(1))
-
-	default:
-		panic("Invalid modulus size chosen!")
-	}
-
-	return
-}
-
 func StringToMSP(pred string) (m MSP, err error) {
 	var f Formatted
 
@@ -164,53 +135,56 @@ func (m MSP) DerivePath(db *UserDatabase) (ok bool, names []string, locs []int,
 	return
 }
 
-func (m MSP) DistributeShares(sec []byte, modulus *big.Int, db *UserDatabase) (map[string][][]byte, error) {
+// DistributeShares takes as input a secret and a user database and returns secret shares according to access structure
+// described by the MSP.
+func (m MSP) DistributeShares(sec []byte, db *UserDatabase) (map[string][][]byte, error) {
 	out := make(map[string][][]byte)
 
-	// Math to distribute shares.
-	secInt := big.NewInt(0).SetBytes(sec) // Convert secret to number.
-	secInt.Mod(secInt, modulus)
+	// Generate a Vandermonde matrix.
+	height, width := len(m.Conds), m.Min
+	M := Matrix(make([]Row, height))
 
-	var junk []*big.Int // Generate junk numbers.
-	for i := 1; i < m.Min; i++ {
-		r := make([]byte, (modulus.BitLen()/8)+1)
-		_, err := rand.Read(r)
-		if err != nil {
-			return out, err
+	for i := 0; i < height; i++ {
+		M[i] = NewRow(width)
+
+		for j := 0; j < width; j++ {
+			M[i][j][0] = byte(i + 1)
+			M[i][j] = M[i][j].Exp(j)
 		}
-
-		s := big.NewInt(0).SetBytes(r)
-		s.Mod(s, modulus)
-
-		junk = append(junk, s)
 	}
 
-	for i, cond := range m.Conds { // Calculate shares.
-		share := big.NewInt(1)
-		share.Mul(share, secInt)
+	// Convert secret vector.
+	s := NewRow(width)
+	s[0] = FieldElem(sec)
 
-		for j := 2; j <= m.Min; j++ {
-			cell := big.NewInt(int64(i + 1))
-			cell.Exp(cell, big.NewInt(int64(j-1)), modulus)
-			// CELL SHOULD ALWAYS BE LESS THAN MODULUS
+	for i := 1; i < width; i++ {
+		r := NewFieldElem()
+		rand.Read(r)
 
-			share.Add(share, cell.Mul(cell, junk[j-2])).Mod(share, modulus)
-		}
+		s[i] = FieldElem(r)
+	}
+
+	// Calculate shares.
+	shares := M.Mul(s)
+
+	// Distribute the shares.
+	for i, cond := range m.Conds {
+		share := shares[i]
 
 		switch cond.(type) {
 		case Name:
 			name := cond.(Name).string
 			if _, ok := out[name]; ok {
-				out[name] = append(out[name], m.encode(share, modulus))
+				out[name] = append(out[name], share)
 			} else if (*db).ValidUser(name) {
-				out[name] = [][]byte{m.encode(share, modulus)}
+				out[name] = [][]byte{share}
 			} else {
 				return out, errors.New("Unknown user in predicate.")
 			}
 
 		default:
 			below := MSP(cond.(Formatted))
-			subOut, err := below.DistributeShares(m.encode(share, modulus), modulus, db)
+			subOut, err := below.DistributeShares(share, db)
 			if err != nil {
 				return out, err
 			}
@@ -229,15 +203,16 @@ func (m MSP) DistributeShares(sec []byte, modulus *big.Int, db *UserDatabase) (m
 	return out, nil
 }
 
-func (m MSP) RecoverSecret(modulus *big.Int, db *UserDatabase) ([]byte, error) {
+// RecoverSecret takes a user database storing secret shares as input and returns the original secret.
+func (m MSP) RecoverSecret(db *UserDatabase) ([]byte, error) {
 	cache := make(map[string][][]byte, 0) // Caches un-used shares for a user.
-	return m.recoverSecret(modulus, db, cache)
+	return m.recoverSecret(db, cache)
 }
 
-func (m MSP) recoverSecret(modulus *big.Int, db *UserDatabase, cache map[string][][]byte) ([]byte, error) {
+func (m MSP) recoverSecret(db *UserDatabase, cache map[string][][]byte) ([]byte, error) {
 	var (
-		index  = []int{}    // Indexes where given shares were in the matrix.
-		shares = [][]byte{} // Contains shares that will be used in reconstruction.
+		index  = []int{}       // Indexes where given shares were in the matrix.
+		shares = []FieldElem{} // Contains shares that will be used in reconstruction.
 	)
 
 	ok, names, locs, _ := m.DerivePath(db)
@@ -266,118 +241,39 @@ func (m MSP) recoverSecret(modulus *big.Int, db *UserDatabase, cache map[string]
 				return nil, errors.New("Predicate / database mismatch!")
 			}
 
-			shares = append(shares, cache[gate.(Name).string][gate.(Name).index])
+			shares = append(shares, FieldElem(cache[gate.(Name).string][gate.(Name).index]))
 
 		case Formatted:
-			share, err := MSP(gate.(Formatted)).recoverSecret(modulus, db, cache)
+			share, err := MSP(gate.(Formatted)).recoverSecret(db, cache)
 			if err != nil {
 				return nil, err
 			}
 
-			shares = append(shares, share)
+			shares = append(shares, FieldElem(share))
 		}
 	}
 
-	// Calculate the reconstruction vector.  We only need the top row of the
-	// matrix's inverse, so we augment M transposed with u1 transposed and
-	// eliminate Gauss-Jordan style.
-	matrix := [][][2]int{}              // 2d grid of (numerator, denominator)
-	matrix = append(matrix, [][2]int{}) // Create first row of all 1s
+	// Generate the Vandermonde matrix specific to whichever users' shares we're using.
+	MSub := Matrix(make([]Row, m.Min))
 
-	for j := 0; j < m.Min; j++ {
-		matrix[0] = append(matrix[0], [2]int{1, 1})
+	for i := 0; i < m.Min; i++ {
+		MSub[i] = NewRow(m.Min)
+
+		for j := 0; j < m.Min; j++ {
+			MSub[i][j][0] = byte(index[i])
+			MSub[i][j] = MSub[i][j].Exp(j)
+		}
 	}
 
-	for j := 1; j < m.Min; j++ { // Fill in rest of matrix.
-		row := [][2]int{}
-
-		for k, idx := range index {
-			row = append(row, [2]int{int(idx) * matrix[j-1][k][0], matrix[j-1][k][1]})
-		}
-
-		matrix = append(matrix, row)
-	}
-
-	matrix[0] = append(matrix[0], [2]int{1, 1}) // Stick on last column.
-	for j := 1; j < m.Min; j++ {
-		matrix[j] = append(matrix[j], [2]int{0, 1})
-	}
-
-	// Reduce matrix.
-	for i := 0; i < len(matrix); i++ {
-		for j := 0; j < len(matrix[i]); j++ { // Make row unary.
-			if i == j {
-				continue
-			}
-
-			matrix[i][j][0] *= matrix[i][i][1]
-			matrix[i][j][1] *= matrix[i][i][0]
-		}
-		matrix[i][i] = [2]int{1, 1}
-
-		for j := 0; j < len(matrix); j++ { // Remove this row from the others.
-			if i == j {
-				continue
-			}
-
-			top := matrix[j][i][0]
-			bot := matrix[j][i][1]
-
-			for k := 0; k < len(matrix[j]); k++ {
-				// matrix[j][k] = matrix[j][k] - matrix[j][i] * matrix[i][k]
-				temp := [2]int{0, 0}
-				temp[0] = top * matrix[i][k][0]
-				temp[1] = bot * matrix[i][k][1]
-
-				if matrix[j][k][0] == 0 {
-					matrix[j][k][0] = -temp[0]
-					matrix[j][k][1] = temp[1]
-				} else {
-					matrix[j][k][0] = (matrix[j][k][0] * temp[1]) - (temp[0] * matrix[j][k][1])
-					matrix[j][k][1] *= temp[1]
-				}
-
-				if matrix[j][k][0] == 0 {
-					matrix[j][k][1] = 1
-				}
-			}
-		}
+	// Calculate the reconstruction vector and use it to recover the secret.
+	r, ok := MSub.Recovery()
+	if !ok {
+		return nil, errors.New("Unable to find a reconstruction vector!")
 	}
 
 	// Compute dot product of the shares vector and the reconstruction vector to
-	// reconstruct the secret.
-	secInt := big.NewInt(0)
+	// recover the secret.
+	s := Row(shares).DotProduct(r)
 
-	for i, share := range shares {
-		lst := len(matrix[i]) - 1
-
-		num := big.NewInt(int64(matrix[i][lst][0]))
-		den := big.NewInt(int64(matrix[i][lst][1]))
-		num.Mod(num, modulus)
-		den.Mod(den, modulus)
-
-		coeff := big.NewInt(0).ModInverse(den, modulus)
-		coeff.Mul(coeff, num).Mod(coeff, modulus)
-
-		shareInt := big.NewInt(0).SetBytes(share)
-		shareInt.Mul(shareInt, coeff).Mod(shareInt, modulus)
-
-		secInt.Add(secInt, shareInt).Mod(secInt, modulus)
-	}
-
-	return m.encode(secInt, modulus), nil
-}
-
-func (m MSP) encode(x *big.Int, modulus *big.Int) (out []byte) {
-	tmp := x.Bytes()
-	tmpSize := len(tmp)
-
-	modSize := len(modulus.Bytes())
-	out = make([]byte, modSize)
-
-	for pos := 0; pos < tmpSize; pos++ {
-		out[modSize-pos-1] = tmp[tmpSize-pos-1]
-	}
-
-	return out
+	return []byte(s), nil
 }
diff --git a/msp/msp_test.go b/msp/msp_test.go
index bf3e460..a8751fa 100644
--- a/msp/msp_test.go
+++ b/msp/msp_test.go
@@ -42,8 +42,8 @@ func TestMSP(t *testing.T) {
 
 	predicate, _ := StringToMSP("(2, (1, Alice, Bob), Carl)")
 
-	shares1, _ := predicate.DistributeShares(sec, Modulus(127), &db)
-	shares2, _ := predicate.DistributeShares(sec, Modulus(127), &db)
+	shares1, _ := predicate.DistributeShares(sec, &db)
+	shares2, _ := predicate.DistributeShares(sec, &db)
 
 	alice := bytes.Compare(shares1["Alice"][0], shares2["Alice"][0])
 	bob := bytes.Compare(shares1["Bob"][0], shares2["Bob"][0])
@@ -56,12 +56,12 @@ func TestMSP(t *testing.T) {
 	db1 := UserDatabase(Database(shares1))
 	db2 := UserDatabase(Database(shares2))
 
-	sec1, err := predicate.RecoverSecret(Modulus(127), &db1)
+	sec1, err := predicate.RecoverSecret(&db1)
 	if err != nil {
 		t.Fatalf("#1: %v", err)
 	}
 
-	sec2, err := predicate.RecoverSecret(Modulus(127), &db2)
+	sec2, err := predicate.RecoverSecret(&db2)
 	if err != nil {
 		t.Fatalf("#2: %v", err)
 	}
diff --git a/msp/number.go b/msp/number.go
new file mode 100644
index 0000000..739305d
--- /dev/null
+++ b/msp/number.go
@@ -0,0 +1,116 @@
+// Polynomial fields with coefficients in GF(2)
+package msp
+
+import (
+	"bytes"
+)
+
+type FieldElem []byte
+
+var (
+	Modulus        FieldElem = []byte{135, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} // x^128 + x^7 + x^2 + x + 1
+	ModulusSize    int       = 16
+	ModulusBitSize int       = 128
+
+	Zero FieldElem = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+	One  FieldElem = []byte{1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+)
+
+// NewFieldElem returns a new zero element.
+func NewFieldElem() FieldElem {
+	return FieldElem(make([]byte, ModulusSize))
+}
+
+// AddM mutates e into e+f.
+func (e FieldElem) AddM(f FieldElem) {
+	for i := 0; i < ModulusSize; i++ {
+		e[i] ^= f[i]
+	}
+}
+
+// Add returns e+f.
+func (e FieldElem) Add(f FieldElem) FieldElem {
+	out := e.Dup()
+	out.AddM(f)
+
+	return out
+}
+
+// Mul returns e*f.
+func (e FieldElem) Mul(f FieldElem) FieldElem {
+	out := NewFieldElem()
+
+	for i := 0; i < ModulusBitSize; i++ { // Foreach bit e_i in e:
+		if e.getCoeff(i) == 1 { // where e_i equals 1:
+			temp := f.Dup() // Multiply f * x^i mod M(x):
+
+			for j := 0; j < i; j++ { // Multiply f by x mod M(x), i times.
+				carry := temp.shift()
+
+				if carry {
+					temp[0] ^= Modulus[0]
+				}
+			}
+
+			out.AddM(temp) // Add f * x^i to the output
+		}
+	}
+
+	return out
+}
+
+// Exp returns e^i.
+func (e FieldElem) Exp(i int) FieldElem {
+	out := One.Dup()
+
+	for j := 0; j < i; j++ {
+		out = out.Mul(e)
+	}
+
+	return out
+}
+
+// Invert returns the multiplicative inverse of e.
+func (e FieldElem) Invert() FieldElem {
+	out, temp := e.Dup(), e.Dup()
+
+	for i := 0; i < 126; i++ {
+		temp = temp.Mul(temp)
+		out = out.Mul(temp)
+	}
+
+	return out.Mul(out)
+}
+
+// getCoeff returns the ith coefficient of the field element: either 0 or 1.
+func (e FieldElem) getCoeff(i int) byte {
+	return (e[i/8] >> (uint(i) % 8)) & 1
+}
+
+// shift multiplies e by 2 and returns true if there was overflow and false if there wasn't.
+func (e FieldElem) shift() bool {
+	carry := false
+
+	for i := 0; i < ModulusSize; i++ {
+		nextCarry := e[i] >= 128
+
+		e[i] = e[i] << 1
+		if carry {
+			e[i]++
+		}
+		carry = nextCarry
+	}
+
+	return carry
+}
+
+func (e FieldElem) IsZero() bool { return bytes.Compare(e, Zero) == 0 }
+func (e FieldElem) IsOne() bool  { return bytes.Compare(e, One) == 0 }
+
+// Dup returns a duplicate of e.
+func (e FieldElem) Dup() FieldElem {
+	out := FieldElem(make([]byte, ModulusSize))
+	copy(out, e)
+
+	return out
+}
diff --git a/msp/number_test.go b/msp/number_test.go
new file mode 100644
index 0000000..280cfd7
--- /dev/null
+++ b/msp/number_test.go
@@ -0,0 +1,50 @@
+package msp
+
+import (
+	"bytes"
+	"crypto/rand"
+	"testing"
+)
+
+func TestFieldElemMultiplicationOne(t *testing.T) {
+	x := FieldElem(make([]byte, ModulusSize))
+	rand.Read(x)
+
+	xy, yx := x.Mul(One), One.Mul(x)
+
+	if !One.IsOne() {
+		t.Fatalf("One is not one?")
+	}
+
+	if bytes.Compare(xy, x) != 0 || bytes.Compare(yx, x) != 0 {
+		t.Fatalf("Multiplication by 1 failed!\nx = %x\n1*x = %x\nx*1 = %x", x, yx, xy)
+	}
+}
+
+func TestFieldElemMultiplicationZero(t *testing.T) {
+	x := FieldElem(make([]byte, ModulusSize))
+	rand.Read(x)
+
+	xy, yx := x.Mul(Zero), Zero.Mul(x)
+
+	if !Zero.IsZero() {
+		t.Fatalf("Zero is not zero?")
+	}
+
+	if !xy.IsZero() || !yx.IsZero() {
+		t.Fatalf("Multiplication by 0 failed!\nx = %x\n0*x = %x\nx*0 = %x", x, yx, xy)
+	}
+}
+
+func TestFieldElemInvert(t *testing.T) {
+	x := FieldElem(make([]byte, ModulusSize))
+	rand.Read(x)
+
+	xInv := x.Invert()
+
+	xy, yx := x.Mul(xInv), xInv.Mul(x)
+
+	if !xy.IsOne() || !yx.IsOne() {
+		t.Fatalf("Multiplication by inverse failed!\nx = %x\nxInv = %x\nxInv*x = %x\nx*xInv = %x", x, yx, xy)
+	}
+}

From c5da2f748e057e2f4219befcc2cda8182b65ddbb Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Mon, 23 Nov 2015 10:24:36 -0800
Subject: [PATCH 13/14] Comment the DerivePath logic.

---
 msp/msp.go | 48 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 32 insertions(+), 16 deletions(-)

diff --git a/msp/msp.go b/msp/msp.go
index 7d4aaff..6bd021d 100644
--- a/msp/msp.go
+++ b/msp/msp.go
@@ -41,17 +41,25 @@ func (ts TraceSlice) Len() int      { return len(ts) }
 func (ts TraceSlice) Swap(i, j int) { ts[i], ts[j] = ts[j], ts[i] }
 
 func (ts TraceSlice) Less(i, j int) bool {
-	return len(ts[i].trace) < len(ts[j].trace)
+	return len(ts[i].trace) > len(ts[j].trace)
 }
 
 func (ts *TraceSlice) Push(te interface{}) { *ts = append(*ts, te.(TraceElem)) }
 func (ts *TraceSlice) Pop() interface{} {
-	out := (*ts)[0]
-	*ts = (*ts)[1 : len(*ts)-1]
+	old := *ts
+	n := len(old)
+
+	*ts = old[0 : n-1]
+	out := old[n-1]
 
 	return out
 }
 
+// Compact takes a trace slice and merges all of its fields.
+//
+// index: Union of all locations in the slice.
+// names: Union of all names in the slice.
+// trace: Union of all the traces in the slice.
 func (ts TraceSlice) Compact() (index []int, names []string, trace []string) {
 	for _, te := range ts {
 		index = append(index, te.loc)
@@ -59,20 +67,24 @@ func (ts TraceSlice) Compact() (index []int, names []string, trace []string) {
 		trace = append(trace, te.trace...)
 	}
 
+	// This is a QuickSort related algorithm.  It makes all the names in the trace unique so we don't double-count people.
+	//
+	// Invariant:  There are no duplicates in trace[0:ptr]
+	// Algorithm:  Advance ptr by 1 and enforce the invariant.
 	ptr, cutoff := 0, len(trace)
 
 TopLoop:
-	for ptr < cutoff {
-		for i := 0; i < ptr; i++ {
-			if trace[i] == trace[ptr] {
-				trace[ptr], trace[cutoff-1] = trace[cutoff-1], trace[ptr]
-				cutoff--
+	for ptr < cutoff { // Choose the next un-checked element of the slice.
+		for i := 0; i < ptr; i++ { // Compare it to all elements before it.
+			if trace[i] == trace[ptr] { // If we find a duplicate...
+				trace[ptr], trace[cutoff-1] = trace[cutoff-1], trace[ptr] // Push the dup to the end of the surviving slice.
+				cutoff--                                                  // Mark it for removal.
 
-				continue TopLoop
+				continue TopLoop // Because trace[ptr] has been mutated, try to verify the invariant again w/o advancing ptr.
 			}
 		}
 
-		ptr++
+		ptr++ // There are no duplicates; move the ptr forward and start again.
 	}
 	trace = trace[0:cutoff]
 
@@ -102,6 +114,12 @@ func StringToMSP(pred string) (m MSP, err error) {
 	return MSP(f), nil
 }
 
+// DerivePath returns the cheapest way to satisfy the MSP (the one with the minimal number of delegations).
+//
+// ok:    True if the MSP can be satisfied with current delegations; false if not.
+// names: The names in the top-level threshold gate that need to be delegated.
+// locs:  The index in the treshold gate for each name.
+// trace: All names that must be delegated for for this gate to be satisfied.
 func (m MSP) DerivePath(db *UserDatabase) (ok bool, names []string, locs []int, trace []string) {
 	ts := &TraceSlice{}
 
@@ -118,15 +136,13 @@ func (m MSP) DerivePath(db *UserDatabase) (ok bool, names []string, locs []int,
 
 		case Formatted:
 			sok, _, _, strace := MSP(cond.(Formatted)).DerivePath(db)
-			if !sok {
-				continue
+			if sok {
+				heap.Push(ts, TraceElem{i, []string{}, strace})
 			}
-
-			heap.Push(ts, TraceElem{i, []string{}, strace})
 		}
 
-		if (*ts).Len() > m.Min {
-			*ts = (*ts)[0:m.Min]
+		if (*ts).Len() > m.Min { // If we can otherwise satisfy the threshold gate
+			heap.Pop(ts) // Drop the TraceElem with the heaviest trace (the one that requires the most delegations).
 		}
 	}
 

From 95e414474abfafef5b225d9b8e55ea03f1f150d4 Mon Sep 17 00:00:00 2001
From: Brendan McMillion <brendan@cloudflare.com>
Date: Mon, 23 Nov 2015 10:43:39 -0800
Subject: [PATCH 14/14] Bugfix: Not enough arguments to Fatalf.

---
 msp/number_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/msp/number_test.go b/msp/number_test.go
index 280cfd7..6e86870 100644
--- a/msp/number_test.go
+++ b/msp/number_test.go
@@ -45,6 +45,6 @@ func TestFieldElemInvert(t *testing.T) {
 	xy, yx := x.Mul(xInv), xInv.Mul(x)
 
 	if !xy.IsOne() || !yx.IsOne() {
-		t.Fatalf("Multiplication by inverse failed!\nx = %x\nxInv = %x\nxInv*x = %x\nx*xInv = %x", x, yx, xy)
+		t.Fatalf("Multiplication by inverse failed!\nx = %x\nxInv = %x\nxInv*x = %x\nx*xInv = %x", x, xInv, yx, xy)
 	}
 }