@noble/curves 2.0.0 → 2.2.0

package/src/abstract/frost.ts

@@ -0,0 +1,1092 @@
+/**
+ * FROST: Flexible Round-Optimized Schnorr Threshold Protocol for Two-Round Schnorr Signatures.
+ *
+ * See [RFC 9591](https://datatracker.ietf.org/doc/rfc9591/) and [frost.zfnd.org](https://frost.zfnd.org).
+ * @module
+ */
+import { utf8ToBytes } from '@noble/hashes/utils.js';
+import {
+  bytesToHex,
+  bytesToNumberBE,
+  bytesToNumberLE,
+  concatBytes,
+  hexToBytes,
+  randomBytes,
+  validateObject,
+  type TArg,
+  type TRet,
+} from '../utils.ts';
+import { pippenger, validatePointCons, type CurvePoint, type CurvePointCons } from './curve.ts';
+import { poly, type RootsOfUnity } from './fft.ts';
+import { type H2CDSTOpts } from './hash-to-curve.ts';
+import { getMinHashLength, mapHashToField, type IField } from './modular.ts';
+
+export type RNG = typeof randomBytes;
+export type Identifier = string; // Identifiers are hex to make comparison easier
+export type Commitment = Uint8Array; // serialized point
+export type Coefficient = Uint8Array; // serialized scalar
+export type Signature = Uint8Array;
+export type Signers = { min: number; max: number };
+export type SecretKey = Uint8Array; // Secret key
+export type Bytes = Uint8Array;
+type Point = Uint8Array;
+
+export type DKG_Round1 = {
+  // If identifiers were assigned via fromNumber before, it is worth checking
+  // that a party doesn't impersonate another one.
+  // But we throw on duplicate identifiers.
+  identifier: Identifier;
+  commitment: TRet<Commitment[]>; // sender identifier
+  proofOfKnowledge: TRet<Signature>;
+};
+export type DKG_Round2 = {
+  identifier: Identifier; // sender identifier
+  signingShare: TRet<Bytes>;
+};
+// This is internal, so we can use bigints
+export type DKG_Secret = {
+  identifier: bigint;
+  coefficients?: bigint[];
+  commitment: TRet<Point[]>;
+  signers: Signers;
+  // Keep the local polynomial until round3 succeeds so late DKG failures can be retried.
+  step?: 1 | 2 | 3;
+};
+
+export type FrostPublic = {
+  signers: Signers;
+  commitments: TRet<Bytes[]>; // Point[], where commitments[0] is the group public key
+  verifyingShares: TRet<Record<Identifier, Bytes>>; // id -> Point
+};
+export type FrostSecret = {
+  identifier: Identifier;
+  signingShare: TRet<Bytes>; // Scalar
+};
+export type Key = { public: FrostPublic; secret: FrostSecret };
+export type DealerShares = {
+  public: FrostPublic;
+  secretShares: Record<Identifier, FrostSecret>;
+};
+// Sign stuff
+export type Nonces = {
+  hiding: TRet<Bytes>; // Scalar
+  binding: TRet<Bytes>; // Scalar
+};
+export type NonceCommitments = {
+  identifier: Identifier;
+  hiding: TRet<Bytes>; // Point
+  binding: TRet<Bytes>; // Point
+};
+export type GenNonce = {
+  nonces: Nonces;
+  commitments: NonceCommitments;
+};
+
+export interface FROSTPoint<T extends CurvePoint<any, T>> extends CurvePoint<any, T> {
+  add(rhs: T): T;
+  multiply(rhs: bigint): T;
+  equals(rhs: T): boolean;
+  toBytes(compressed?: boolean): Bytes;
+  clearCofactor(): T;
+}
+export interface FROSTPointConstructor<T extends FROSTPoint<T>> extends CurvePointCons<T> {
+  fromBytes(a: Bytes): T;
+  Fn: IField<bigint>;
+}
+
+// Opts
+export type FrostOpts<P extends FROSTPoint<P>> = {
+  readonly name: string;
+  readonly Point: FROSTPointConstructor<P>;
+  readonly Fn?: IField<bigint>;
+  /** Optional suite hook that tightens canonical decoding with subgroup / identity checks. */
+  readonly validatePoint?: (p: P) => void;
+  /** Optional public-key parser. Implementations MUST preserve the same subgroup / identity policy
+   * as `validatePoint`, because this bypasses generic canonical decoding in `parsePoint()`. */
+  readonly parsePublicKey?: (bytes: TArg<Uint8Array>) => P;
+  readonly hash: (msg: TArg<Uint8Array>) => TRet<Uint8Array>;
+  /** Custom scalar hash hook. Implementations MUST treat `msg` and `options` as read-only. */
+  readonly hashToScalar?: (msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>) => bigint;
+  // Hacks for taproot support
+  readonly adjustScalar?: (n: bigint) => bigint;
+  readonly adjustPoint?: (n: P) => P;
+  readonly challenge?: (R: P, PK: P, msg: TArg<Uint8Array>) => bigint;
+  readonly adjustNonces?: (PK: P, nonces: TArg<Nonces>) => TRet<Nonces>;
+  readonly adjustSecret?: (secret: TArg<FrostSecret>, pub: TArg<FrostPublic>) => TRet<FrostSecret>;
+  readonly adjustPublic?: (pub: TArg<FrostPublic>) => TRet<FrostPublic>;
+  readonly adjustGroupCommitmentShare?: (GC: P, GCShare: P) => P;
+  readonly adjustTx?: {
+    readonly encode: (tx: TArg<Uint8Array>) => TRet<Uint8Array>;
+    readonly decode: (tx: TArg<Uint8Array>) => TRet<Uint8Array>;
+  };
+  readonly adjustDKG?: (k: TArg<Key>) => TRet<Key>;
+  // Hash function prefixes
+  readonly H1?: string;
+  readonly H2?: string;
+  readonly H3?: string;
+  readonly H4?: string;
+  readonly H5?: string;
+  readonly HDKG?: string;
+  readonly HID?: string;
+};
+
+/**
+ * FROST: Threshold Protocol for Two‑Round Schnorr Signatures
+ * from [RFC 9591](https://datatracker.ietf.org/doc/rfc9591/).
+ */
+export type FROST = {
+  /**
+   * Methods to construct participant identifiers.
+   */
+  Identifier: {
+    /**
+     * Constructs an identifier from a numeric index.
+     * @param n - A positive integer.
+     * @returns A canonical serialized Identifier.
+     */
+    fromNumber(n: number): Identifier;
+    /**
+     * Derives an identifier deterministically from a string (e.g. an email).
+     * @param s - Arbitrary string.
+     * @returns A canonical serialized Identifier.
+     */
+    derive(s: string): Identifier;
+  };
+  /**
+   * Distributed Key Generation (DKG) protocol interface.
+   * RFC 9591 leaves DKG out of scope; Appendix C only specifies dealer/VSS key generation.
+   * These helpers follow the split-round API used by frost-rs for interoperable testing.
+   */
+  DKG: {
+    /**
+     * Generates the first round of DKG.
+     * @param id - Participant's identifier.
+     * @param signers - Set of all participants (min/max threshold).
+     * @param secret - Optional initial secret scalar.
+     * @param rng - Optional RNG for nonce generation.
+     * @returns Public broadcast and private DKG state. The returned `secret` package is mutable
+     *   round state that will be consumed by `round2()` and `round3()`.
+     */
+    round1: (
+      id: Identifier,
+      signers: Signers,
+      secret?: TArg<SecretKey>,
+      rng?: RNG
+    ) => {
+      public: DKG_Round1;
+      secret: DKG_Secret;
+    };
+    /**
+     * Executes DKG round 2 given public round1 data from others.
+     * @param secret - Private DKG state from round1. This mutates `secret.step` in place.
+     * @param others - Public round1 broadcasts from other participants.
+     * @returns A map of round2 messages to be sent to others.
+     */
+    round2: (
+      secret: TArg<DKG_Secret>,
+      others: TArg<DKG_Round1[]>
+    ) => TRet<Record<string, DKG_Round2>>;
+    /**
+     * Finalizes key generation in round3 using received round1 + round2 messages.
+     * @param secret - Private DKG state. This consumes the remaining local polynomial coefficients
+     *   and transitions the package to its final post-round3 state.
+     * @param round1 - Public round1 broadcasts from all participants.
+     * @param round2 - Round2 messages received from others.
+     * @returns Final secret/public key information for the participant.
+     * Callers MUST pass the same verified remote `round1` package set that was already
+     * accepted in `round2()`, rather than re-fetching or rebuilding it from the network.
+     */
+    round3: (
+      secret: TArg<DKG_Secret>,
+      round1: TArg<DKG_Round1[]>,
+      round2: TArg<DKG_Round2[]>
+    ) => TRet<Key>;
+    /**
+     * Best-effort erasure of internal secret state. Bigint/JIT copies may still survive outside the
+     * local object even after cleanup.
+     * @param secret - Private DKG state from round1.
+     */
+    clean(secret: TArg<DKG_Secret>): void;
+  };
+  /**
+   * Trusted dealer mode: generates key shares from a central trusted authority.
+   * Mirrors RFC 9591 Appendix C and returns one shared VSS commitment package
+   * plus per-participant shares.
+   * @param signers - Threshold parameters (min/max).
+   * @param identifiers - Optional explicit participant list.
+   * @param secret - Optional secret scalar.
+   * @param rng - Optional RNG.
+   * @returns One shared public package plus the participant secret-share packages.
+   */
+  trustedDealer(
+    signers: Signers,
+    identifiers?: Identifier[],
+    secret?: TArg<SecretKey>,
+    rng?: RNG
+  ): TRet<DealerShares>;
+  /**
+   * Validates the consistency of a secret share against the shared public commitments.
+   * This is the RFC 9591 Appendix C.2 `vss_verify` check against the shared dealer/DKG commitment.
+   * It does not relax RFC 9591 Section 3.1: public identity elements are still invalid even when
+   * the scalar/share algebra would otherwise be self-consistent.
+   * Throws if invalid.
+   * @param secret - A FrostSecret containing identifier and signing share.
+   * @param pub - Shared public package containing commitments.
+   */
+  validateSecret(secret: TArg<FrostSecret>, pub: TArg<FrostPublic>): void;
+  /**
+   * Produces nonces and public commitments used in signing.
+   * RFC 9591 Section 5.1 `commit()`.
+   * @param secret - Participant's secret share.
+   * @param rng - Optional RNG.
+   * @returns Nonce values and their public commitments.
+   * Returned nonces are one-time-use and MUST NOT be reused across signing sessions.
+   * This API does not mutate or zeroize caller-owned nonce objects.
+   */
+  commit(secret: TArg<FrostSecret>, rng?: RNG): TRet<GenNonce>;
+  /**
+   * Signs a message using the participant's secret and nonce.
+   * @param secret - Participant's secret share.
+   * @param pub - Shared public package containing commitments.
+   * @param nonces - Participant's nonce pair.
+   * @param commitmentList - Commitments from all signing participants.
+   * @param msg - Message to be signed.
+   * @returns Signature share as a byte array.
+   * RFC 9591 Sections 4.1/5.1 require round-one commitments to be one-time-use, and
+   * Section 5.2 signs with the nonce corresponding to that published commitment.
+   * The caller MUST pass fresh nonces from `commit()`. On successful signing, this helper
+   * consumes the caller-owned nonce object by zeroing both nonce byte arrays in place.
+   * Later calls reject an all-zero nonce package, so same-object reuse fails closed and an
+   * accidentally generated zero nonce package is not silently used for signing.
+   */
+  signShare(
+    secret: TArg<FrostSecret>,
+    pub: TArg<FrostPublic>,
+    nonces: TArg<Nonces>,
+    commitmentList: TArg<NonceCommitments[]>,
+    msg: TArg<Uint8Array>
+  ): TRet<Uint8Array>;
+  /**
+   * Verifies a signature share against public commitments.
+   * Matches the coordinator-side individual-share verification from RFC 9591 Section 5.4.
+   * @param pub - Group public key information.
+   * @param commitmentList - Commitments from all signing participants.
+   * @param msg - Message being signed.
+   * @param identifier - Identifier of the signer whose share is being verified.
+   * @param sigShare - Signature share to verify.
+   * @returns True if valid, false otherwise.
+   */
+  verifyShare(
+    pub: TArg<FrostPublic>,
+    commitmentList: TArg<NonceCommitments[]>,
+    msg: TArg<Uint8Array>,
+    identifier: Identifier,
+    sigShare: TArg<Uint8Array>
+  ): boolean;
+  /**
+   * Aggregates signature shares into a full signature.
+   * RFC 9591 Section 5.3 `aggregate()`.
+   * @param pub - Group public key.
+   * @param commitmentList - Nonce commitments from all signers.
+   * @param msg - Message to sign.
+   * @param sigShares - Map from identifier to their signature share.
+   * @returns Final aggregated signature.
+   */
+  aggregate(
+    pub: TArg<FrostPublic>,
+    commitmentList: TArg<NonceCommitments[]>,
+    msg: TArg<Uint8Array>,
+    sigShares: TArg<Record<Identifier, Uint8Array>>
+  ): TRet<Uint8Array>;
+  /**
+   * Signs a message using a raw secret key (e.g. from combineSecret).
+   * @param msg - Message to sign.
+   * @param secretKey - Group secret key as bytes.
+   * @returns Signature bytes.
+   */
+  sign(msg: TArg<Uint8Array>, secretKey: TArg<Uint8Array>): TRet<Uint8Array>;
+  /**
+   * Verifies a full signature against the group public key.
+   * @param sig - Signature bytes.
+   * @param msg - Message that was signed.
+   * @param publicKey - Group public key.
+   * @returns True if valid, false otherwise.
+   */
+  verify(sig: TArg<Signature>, msg: TArg<Uint8Array>, publicKey: TArg<Uint8Array>): boolean;
+  /**
+   * Combines multiple secret shares into a single secret key (e.g. for recovery).
+   * @param shares - Set of FrostSecret shares.
+   * @param signers - Threshold parameters.
+   * @returns Group secret key as bytes.
+   */
+  combineSecret(shares: TArg<FrostSecret[]>, signers: Signers): TRet<Uint8Array>;
+  /**
+   * Low-level helper utilities (field arithmetic and polynomial tools).
+   */
+  utils: {
+    /**
+     * Finite field used for scalars.
+     */
+    Fn: IField<bigint>;
+    /**
+     * Generates a random scalar (private key).
+     * @param rng - Optional RNG source.
+     * @returns Scalar as 32-byte Uint8Array.
+     */
+    randomScalar: (rng?: RNG) => TRet<Uint8Array>;
+    /**
+     * Generates a secret-sharing polynomial and its public commitments.
+     * @param signers - Threshold parameters.
+     * @param secret - Optional initial secret scalar.
+     * @param coeffs - Optional manual coefficients.
+     * @param rng - Optional RNG.
+     * @returns Polynomial coefficients, commitments, and secret value.
+     */
+    generateSecretPolynomial: (
+      signers: Signers,
+      secret?: TArg<Uint8Array>,
+      coeffs?: bigint[],
+      rng?: RNG
+    ) => {
+      coefficients: bigint[];
+      commitment: TRet<Point[]>;
+      secret: bigint;
+    };
+  };
+};
+
+// PubKey = commitments, verifyingShares
+// PrivKey = id, signingShare, commitment
+
+const validateSigners = (signers: Signers) => {
+  if (!Number.isSafeInteger(signers.min) || !Number.isSafeInteger(signers.max))
+    throw new Error('Wrong signers info: min=' + signers.min + ' max=' + signers.max);
+  // Compatibility with frost-rs intentionally narrows RFC 9591's positive-nonzero threshold rule
+  // to `min >= 2`, even though the RFC text itself allows `MIN_PARTICIPANTS = 1`.
+  // This API is for actual threshold signing across participants; 1-of-n degenerates to ordinary
+  // single-signer mode, which does not need FROST's network/coordination machinery at all.
+  if (signers.min < 2 || signers.max < 2 || signers.min > signers.max)
+    throw new Error('Wrong signers info: min=' + signers.min + ' max=' + signers.max);
+};
+const validateCommitmentsNum = (signers: Signers, len: number) => {
+  // RFC 9591 Sections 5.2/5.3 require MIN_PARTICIPANTS <= NUM_PARTICIPANTS <= MAX_PARTICIPANTS.
+  if (len < signers.min || len > signers.max) throw new Error('Wrong number of commitments=' + len);
+};
+
+class AggErr extends Error {
+  // Empty means aggregation failed before per-share verification could attribute a signer.
+  public cheaters: Identifier[];
+  constructor(msg: string, cheaters: Identifier[]) {
+    super(msg);
+    this.cheaters = cheaters;
+  }
+}
+
+export function createFROST<P extends FROSTPoint<P>>(opts: FrostOpts<P>): TRet<FROST> {
+  validateObject(
+    opts,
+    {
+      name: 'string',
+      hash: 'function',
+    },
+    {
+      hashToScalar: 'function',
+      validatePoint: 'function',
+      parsePublicKey: 'function',
+      adjustScalar: 'function',
+      adjustPoint: 'function',
+      challenge: 'function',
+      adjustNonces: 'function',
+      adjustSecret: 'function',
+      adjustPublic: 'function',
+      adjustGroupCommitmentShare: 'function',
+      adjustDKG: 'function',
+    }
+  );
+  // Cheap constructor-surface sanity check only: this verifies the generic static hooks/fields that
+  // FROST consumes, but it does not certify point semantics like BASE/ZERO correctness.
+  validatePointCons(opts.Point);
+  const { Point } = opts;
+  const Fn = opts.Fn === undefined ? Point.Fn : opts.Fn;
+  // Hashes
+  const hashBytes = opts.hash;
+  const hashToScalar =
+    opts.hashToScalar === undefined
+      ? (msg: TArg<Uint8Array>, opts: TArg<H2CDSTOpts> = { DST: new Uint8Array() }) => {
+          const t = hashBytes(concatBytes(opts.DST as Uint8Array, msg));
+          return Fn.create(Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t));
+        }
+      : opts.hashToScalar;
+  const H1Prefix = utf8ToBytes(opts.H1 !== undefined ? opts.H1 : opts.name + 'rho');
+  const H2Prefix = utf8ToBytes(opts.H2 !== undefined ? opts.H2 : opts.name + 'chal');
+  const H3Prefix = utf8ToBytes(opts.H3 !== undefined ? opts.H3 : opts.name + 'nonce');
+  const H4Prefix = utf8ToBytes(opts.H4 !== undefined ? opts.H4 : opts.name + 'msg');
+  const H5Prefix = utf8ToBytes(opts.H5 !== undefined ? opts.H5 : opts.name + 'com');
+  const HDKGPrefix = utf8ToBytes(opts.HDKG !== undefined ? opts.HDKG : opts.name + 'dkg');
+  const HIDPrefix = utf8ToBytes(opts.HID !== undefined ? opts.HID : opts.name + 'id');
+  const H1 = (msg: TArg<Uint8Array>) => hashToScalar(msg, { DST: H1Prefix });
+  // Empty H2 still passes `{ DST: new Uint8Array() }` into custom hashToScalar hooks.
+  // The built-in fallback hashes that identically to omitted DST, which is how
+  // the Ed25519 suite models RFC 9591's undecorated H2 challenge hash.
+  const H2 = (msg: TArg<Uint8Array>) => hashToScalar(msg, { DST: H2Prefix });
+  const H3 = (msg: TArg<Uint8Array>) => hashToScalar(msg, { DST: H3Prefix });
+  const H4 = (msg: TArg<Uint8Array>) => hashBytes(concatBytes(H4Prefix, msg));
+  const H5 = (msg: TArg<Uint8Array>) => hashBytes(concatBytes(H5Prefix, msg));
+  const HDKG = (msg: TArg<Uint8Array>) => hashToScalar(msg, { DST: HDKGPrefix });
+  const HID = (msg: TArg<Uint8Array>) => hashToScalar(msg, { DST: HIDPrefix });
+  // /Hashes
+  const randomScalar = (rng: RNG = randomBytes) => {
+    // Intentional divergence from RFC 9591 §4.1 / §5.1: the RFC nonce_generate helper outputs a
+    // Scalar in [0, p-1], but round-one commit publishes ScalarBaseMult(nonce) values and §3.1
+    // requires SerializeElement / DeserializeElement to reject the identity element. Keep noble's
+    // mapHashToField generation here so round-one public nonce commitments stay in 1..n-1.
+    const t = mapHashToField(rng(getMinHashLength(Fn.ORDER)), Fn.ORDER, Fn.isLE);
+    // We cannot use Fn.fromBytes here because the field can have a different
+    // byte width, like ed448.
+    return Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t);
+  };
+  const serializePoint = (p: P) => p.toBytes();
+  const parsePoint = (bytes: TArg<Uint8Array>) => {
+    // RFC 9591 Section 3.1 requires DeserializeElement validation. Suite-specific validatePoint
+    // hooks tighten this further for ciphersuites in Section 6. Bare createFROST(...) only gets
+    // canonical point decoding unless the caller installs those extra subgroup / identity checks.
+    const p = Point.fromBytes(bytes);
+    if (opts.validatePoint) opts.validatePoint(p);
+    return p;
+  };
+  // RFC 9591 Sections 4.1/5.1 model each participant's round-one output as two public commitments.
+  const nonceCommitments = (identifier: Identifier, nonces: TArg<Nonces>): TRet<NonceCommitments> =>
+    ({
+      identifier,
+      hiding: serializePoint(Point.BASE.multiply(Fn.fromBytes(nonces.hiding))),
+      binding: serializePoint(Point.BASE.multiply(Fn.fromBytes(nonces.binding))),
+    }) as TRet<NonceCommitments>;
+  const adjustPoint = opts.adjustPoint === undefined ? (n: P) => n : opts.adjustPoint;
+  // We use hex to make it easier to use inside objects
+  const validateIdentifier = (n: bigint) => {
+    // Identifiers are canonical non-zero scalars. Custom / derived identifiers are allowed, so this
+    // is intentionally not bounded by the current signers.max slot count.
+    if (!Fn.isValid(n) || Fn.is0(n)) throw new Error('Invalid identifier ' + n);
+    return n;
+  };
+  const serializeIdentifier = (id: bigint) => bytesToHex(Fn.toBytes(validateIdentifier(id)));
+  const parseIdentifier = (id: string) => {
+    const n = validateIdentifier(Fn.fromBytes(hexToBytes(id)));
+    // Keep string-keyed maps stable by accepting only the canonical serialized form.
+    if (serializeIdentifier(n) !== id) throw new Error('expected canonical identifier hex');
+    return n;
+  };
+
+  const Signature = {
+    // RFC 9591 Appendix A encodes signatures canonically as
+    // SerializeElement(R) || SerializeScalar(z).
+    encode: (R: P, z: bigint): TRet<Signature> => {
+      let res: Uint8Array = concatBytes(serializePoint(R), Fn.toBytes(z));
+      if (opts.adjustTx) res = opts.adjustTx.encode(res);
+      return res as TRet<Signature>;
+    },
+    decode: (sig: TArg<Uint8Array>) => {
+      if (opts.adjustTx) sig = opts.adjustTx.decode(sig);
+      // We don't know size of point, but we know size of scalar
+      const R = parsePoint(sig.subarray(0, -Fn.BYTES));
+      const z = Fn.fromBytes(sig.subarray(-Fn.BYTES));
+      return { R, z };
+    },
+  };
+  // Generates pair of (scalar, point)
+  const genPointScalarPair = (rng: RNG = randomBytes) => {
+    let n = randomScalar(rng);
+    if (opts.adjustScalar) n = opts.adjustScalar(n);
+    let p = Point.BASE.multiply(n);
+    return { scalar: n, point: p };
+  };
+  // No roots here: root-based methods will throw.
+  // `poly` expects a structured roots-of-unity domain, but FROST uses an
+  // arbitrary domain and only needs the non-root operations below.
+  const nrErr = 'roots are unavailable in FROST polynomial mode';
+  const noRoots: RootsOfUnity = {
+    info: { G: Fn.ZERO, oddFactor: Fn.ZERO, powerOfTwo: 0 },
+    roots() {
+      throw new Error(nrErr);
+    },
+    brp() {
+      throw new Error(nrErr);
+    },
+    inverse() {
+      throw new Error(nrErr);
+    },
+    omega() {
+      throw new Error(nrErr);
+    },
+    clear() {},
+  };
+  const Poly = poly(Fn, noRoots);
+  const msm = (points: P[], scalars: bigint[]) => pippenger(Point, points, scalars);
+
+  // Internal stuff uses bigints & Points, external Uint8Arrays
+  const polynomialEvaluate = (x: bigint, coeffs: bigint[]): bigint => {
+    if (!coeffs.length) throw new Error('empty coefficients');
+    return Poly.monomial.eval(coeffs, x);
+  };
+  const deriveInterpolatingValue = (L: bigint[], xi: bigint): bigint => {
+    const err = 'invalid parameters';
+    // Generates lagrange coefficient
+    if (!L.some((x) => Fn.eql(x, xi))) throw new Error(err);
+    // Throws error if any x-coordinate is represented more than once in L.
+    const Lset = new Set(L);
+    if (Lset.size !== L.length) throw new Error(err);
+    // Or if xi is missing
+    if (!Lset.has(xi)) throw new Error(err);
+    let num = Fn.ONE;
+    let den = Fn.ONE;
+    for (const x of L) {
+      if (Fn.eql(x, xi)) continue;
+      num = Fn.mul(num, x); // num *= x
+      den = Fn.mul(den, Fn.sub(x, xi)); // RFC 9591 §4.2: denominator *= x_j - x_i
+    }
+    return Fn.div(num, den);
+  };
+  const evalutateVSS = (identifier: bigint, commitment: P[]) => {
+    // RFC 9591 Appendix C.2: S_i' = Σ_j ScalarMult(vss_commitment[j], i^j).
+    const monomial = Poly.monomial.basis(identifier, commitment.length);
+    return msm(commitment, monomial);
+  };
+  // High-level internal stuff
+  const generateSecretPolynomial = (
+    signers: Signers,
+    secret?: TArg<Uint8Array>,
+    coeffs?: bigint[],
+    rng: RNG = randomBytes
+  ) => {
+    validateSigners(signers);
+    // Dealer/DKG polynomial sampling reuses the same hardened scalar derivation as round-one
+    // nonces: overriding `rng` only swaps the entropy source, not the non-zero `1..n-1` policy.
+    const secretScalar = secret === undefined ? randomScalar(rng) : Fn.fromBytes(secret);
+    if (!coeffs) {
+      coeffs = [];
+      for (let i = 0; i < signers.min - 1; i++) coeffs.push(randomScalar(rng));
+    }
+    if (coeffs.length !== signers.min - 1) throw new Error('wrong coefficients length');
+    const coefficients: bigint[] = [secretScalar, ...coeffs];
+    // RFC 9591 Appendix C.2 commits to every polynomial coefficient with ScalarBaseMult.
+    const commitment = coefficients.map((i) => Point.BASE.multiply(i));
+    return { coefficients, commitment, secret: secretScalar };
+  };
+  // Pretty much sign+verify, same as basic
+  const ProofOfKnowledge = {
+    challenge: (id: bigint, verKey: P, R: P) =>
+      HDKG(concatBytes(Fn.toBytes(id), serializePoint(verKey), serializePoint(R))),
+    compute(id: bigint, coefficents: bigint[], commitments: P[], rng: RNG = randomBytes) {
+      if (coefficents.length < 1) throw new Error('coefficients should have at least one element');
+      const { point: R, scalar: k } = genPointScalarPair(rng);
+      const verKey = commitments[0]; // verify key is first one
+      const c = this.challenge(id, verKey, R);
+      const mu = Fn.add(k, Fn.mul(coefficents[0], c)); // mu = k + coeff[0] * c
+      return Signature.encode(R, mu);
+    },
+    validate(id: bigint, commitment: TArg<Commitment[]>, proof: TArg<Uint8Array>) {
+      if (commitment.length < 1) throw new Error('commitment should have at least one element');
+      const { R, z } = Signature.decode(proof);
+      const phi = parsePoint(commitment[0]);
+      const c = this.challenge(id, phi, R);
+      // R === z*G - phi*c
+      if (!R.equals(Point.BASE.multiply(z).subtract(phi.multiply(c))))
+        throw new Error('invalid proof of knowledge');
+    },
+  };
+  const Basic = {
+    challenge: (R: P, PK: P, msg: TArg<Uint8Array>) => {
+      if (opts.challenge) return opts.challenge(R, PK, msg);
+      return H2(concatBytes(serializePoint(R), serializePoint(PK), msg));
+    },
+    sign(msg: TArg<Uint8Array>, sk: bigint, rng: RNG = randomBytes): [P, bigint] {
+      const { point: R, scalar: r } = genPointScalarPair(rng);
+      const PK = Point.BASE.multiply(sk); // sk*G
+      const c = this.challenge(R, PK, msg);
+      const z = Fn.add(r, Fn.mul(c, sk)); // r + c * sk
+      return [R, z];
+    },
+    verify(msg: TArg<Uint8Array>, R: P, z: bigint, PK: P): boolean {
+      if (opts.adjustPoint) PK = opts.adjustPoint(PK);
+      if (opts.adjustPoint) R = opts.adjustPoint(R);
+      const c = this.challenge(R, PK, msg);
+      const zB = Point.BASE.multiply(z); // z*G
+      const cA = PK.multiply(c); // c*PK
+      let check = zB.subtract(cA).subtract(R); // zB - cA - R
+      // No clearCoffactor on ristretto
+      if (check.clearCofactor) check = check.clearCofactor();
+      return Point.ZERO.equals(check);
+    },
+  };
+  // === vssVerify
+  const validateSecretShare = (identifier: bigint, commitment: P[], signingShare: bigint) => {
+    // RFC 9591 Appendix C.2 `vss_verify(share_i, vss_commitment)` is purely algebraic.
+    // Public FROST packages still go through Section 3.1 element encoding,
+    // which rejects identity points, so a zero share or commitment does not
+    // become valid wire data just because VSS matches.
+    if (!Point.BASE.multiply(signingShare).equals(evalutateVSS(identifier, commitment)))
+      throw new Error('invalid secret share');
+  };
+  const Identifier = {
+    fromNumber(n: number): Identifier {
+      if (!Number.isSafeInteger(n)) throw new Error('expected safe interger');
+      return serializeIdentifier(BigInt(n));
+    },
+    // Not in spec, but in FROST implementation,
+    // seems useful and nice, no need to sync identifiers (would require more interactions)
+    derive(s: string): Identifier {
+      if (typeof s !== 'string') throw new Error('wrong identifier string: ' + s);
+      // Derived identifiers may land anywhere in the scalar field; they are not restricted to
+      // sequential `1..max_signers` values.
+      return serializeIdentifier(HID(utf8ToBytes(s)));
+    },
+  };
+  // RFC 9591 §4.1: nonce_generate() hashes 32 fresh RNG bytes with SerializeScalar(secret).
+  const generateNonce = (secret: bigint, rng: RNG = randomBytes) =>
+    H3(concatBytes(rng(32), Fn.toBytes(secret)));
+
+  const getGroupCommitment = (
+    GPK: P,
+    commitmentList: TArg<NonceCommitments[]>,
+    msg: TArg<Uint8Array>
+  ) => {
+    const CL = commitmentList.map((i) => [
+      i.identifier,
+      parseIdentifier(i.identifier),
+      parsePoint(i.hiding),
+      parsePoint(i.binding),
+    ]) as [Identifier, bigint, P, P][];
+    // RFC 9591 Sections 4.3/4.4/4.5 and 5.2/5.3 treat commitment_list as sorted by identifier.
+    CL.sort((a, b) => (a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0));
+    // Encode commitment list
+    const Cbytes = [];
+    for (const [_, id, hC, bC] of CL)
+      Cbytes.push(Fn.toBytes(id), serializePoint(hC), serializePoint(bC));
+    const encodedCommitmentHash = H5(concatBytes(...Cbytes));
+    const rhoPrefix = concatBytes(serializePoint(GPK), H4(msg), encodedCommitmentHash);
+    // Compute binding factors
+    const bindingFactors: Record<Identifier, bigint> = {};
+    for (const [i, id] of CL) {
+      bindingFactors[i] = H1(concatBytes(rhoPrefix, Fn.toBytes(id)));
+    }
+    const points: P[] = [];
+    const scalars: bigint[] = [];
+    for (const [i, _, hC, bC] of CL) {
+      if (Point.ZERO.equals(hC) || Point.ZERO.equals(bC)) throw new Error('infinity commitment');
+      points.push(hC, bC);
+      scalars.push(Fn.ONE, bindingFactors[i]);
+    }
+    const groupCommitment = msm(points, scalars); //  GC += hC + bC*bindingFactor
+    const identifiers = CL.map((i) => i[1]);
+    return { identifiers, groupCommitment, bindingFactors };
+  };
+  const prepareShare = (
+    PK: TArg<Uint8Array>,
+    commitmentList: TArg<NonceCommitments[]>,
+    msg: TArg<Uint8Array>,
+    identifier: Identifier
+  ) => {
+    // RFC 9591 Sections 4.4/4.5/4.6 feed directly into the Section 5.2 signer computation.
+    const GPK = adjustPoint(parsePoint(PK));
+    const id = parseIdentifier(identifier);
+    const { identifiers, groupCommitment, bindingFactors } = getGroupCommitment(
+      GPK,
+      commitmentList,
+      msg
+    );
+    const bindingFactor = bindingFactors[identifier];
+    const lambda = deriveInterpolatingValue(identifiers, id);
+    const challenge = Basic.challenge(groupCommitment, GPK, msg);
+    return { lambda, challenge, bindingFactor, groupCommitment };
+  };
+  Object.freeze(Identifier);
+  const frost = {
+    Identifier,
+    // DKG is Distributed Key Generation, not Trusted Dealer Key Generation.
+    DKG: Object.freeze({
+      // NOTE: we allow to pass secret scalar from user side,
+      // this way it can be derived, instead of random generation
+      round1: (
+        id: Identifier,
+        signers: Signers,
+        secret?: TArg<SecretKey>,
+        rng: RNG = randomBytes
+      ) => {
+        validateSigners(signers);
+        const idNum = parseIdentifier(id);
+        const { coefficients, commitment } = generateSecretPolynomial(
+          signers,
+          secret,
+          undefined,
+          rng
+        );
+        const proofOfKnowledge = ProofOfKnowledge.compute(idNum, coefficients, commitment, rng);
+        const commitmentBytes = commitment.map(serializePoint) as TRet<Commitment[]>;
+        const round1Public: DKG_Round1 = {
+          identifier: serializeIdentifier(idNum),
+          commitment: commitmentBytes,
+          proofOfKnowledge,
+        };
+        // store secret information for signing
+        const round1Secret: DKG_Secret = {
+          identifier: idNum,
+          coefficients,
+          commitment: commitment.map(serializePoint) as TRet<Point[]>,
+          // Copy threshold metadata instead of retaining the caller-owned object by reference.
+          signers: { min: signers.min, max: signers.max },
+          step: 1,
+        };
+        return { public: round1Public, secret: round1Secret };
+      },
+      round2: (
+        secret: TArg<DKG_Secret>,
+        others: TArg<DKG_Round1[]>
+      ): TRet<Record<string, DKG_Round2>> => {
+        if (others.length !== secret.signers.max - 1)
+          throw new Error('wrong number of round1 packages');
+        if (!secret.coefficients || secret.step === 3)
+          throw new Error('round3 package used in round2');
+        const res: Record<Identifier, DKG_Round2> = {};
+        for (const p of others) {
+          if (p.commitment.length !== secret.signers.min)
+            throw new Error('wrong number of commitments');
+          const id = parseIdentifier(p.identifier);
+          if (id === secret.identifier) throw new Error('duplicate id=' + serializeIdentifier(id));
+
+          ProofOfKnowledge.validate(id, p.commitment, p.proofOfKnowledge);
+          for (const c of p.commitment) parsePoint(c);
+          if (res[p.identifier]) throw new Error('Duplicate id=' + id);
+          const signingShare = Fn.toBytes(polynomialEvaluate(id, secret.coefficients));
+          res[p.identifier] = {
+            identifier: serializeIdentifier(secret.identifier),
+            signingShare: signingShare as TRet<Bytes>,
+          };
+        }
+        secret.step = 2;
+        return res as TRet<Record<string, DKG_Round2>>;
+      },
+      round3: (
+        secret: TArg<DKG_Secret>,
+        round1: TArg<DKG_Round1[]>,
+        round2: TArg<DKG_Round2[]>
+      ): TRet<Key> => {
+        // DKG is outside RFC 9591's signing flow; callers are expected to reuse the same
+        // remote round1 packages already accepted in round2, like frost-rs documents.
+        if (round1.length !== secret.signers.max - 1)
+          throw new Error('wrong length of round1 packages');
+        if (!secret.coefficients || secret.step !== 2)
+          throw new Error('round2 package used in round3');
+        if (round2.length !== round1.length) throw new Error('wrong length of round2 packages');
+        const merged: Record<Identifier, TArg<DKG_Round1> & { signingShare?: TArg<Bytes> }> = {};
+        for (const r1 of round1) {
+          if (!r1.identifier || !r1.commitment) throw new Error('wrong round1 share');
+          merged[r1.identifier] = { ...r1 };
+        }
+        for (const r2 of round2) {
+          if (!r2.identifier || !r2.signingShare) throw new Error('wrong round2 share');
+          if (!merged[r2.identifier])
+            throw new Error('round1 share for ' + r2.identifier + ' is missing');
+          merged[r2.identifier].signingShare = r2.signingShare;
+        }
+        if (Object.keys(merged).length !== round1.length)
+          throw new Error('mismatch identifiers between rounds');
+        let signingShare = Fn.ZERO;
+        if (secret.commitment.length !== secret.signers.min)
+          throw new Error('wrong commitments length');
+        const localCommitment = secret.commitment.map(parsePoint);
+        const localShare = polynomialEvaluate(secret.identifier, secret.coefficients);
+        validateSecretShare(secret.identifier, localCommitment, localShare);
+        const localCommitmentBytes = localCommitment.map(serializePoint);
+        const commitments: Record<Identifier, TArg<Commitment[]>> = {
+          [serializeIdentifier(secret.identifier)]: localCommitmentBytes,
+        };
+        for (const k in merged) {
+          const v = merged[k];
+          if (!v.signingShare || !v.commitment) throw new Error('mismatch identifiers');
+          const id = parseIdentifier(k); // from
+          const signingSharePart = Fn.fromBytes(v.signingShare);
+          const commitment = v.commitment.map(parsePoint);
+          validateSecretShare(secret.identifier, commitment, signingSharePart);
+          signingShare = Fn.add(signingShare, signingSharePart);
+          const idSer = serializeIdentifier(id);
+          if (commitments[idSer]) throw new Error('duplicated id=' + idSer);
+          commitments[idSer] = v.commitment;
+        }
+        signingShare = Fn.add(signingShare, localShare);
+        const mergedCommitment = new Array(secret.signers.min).fill(Point.ZERO);
+        for (const k in commitments) {
+          const v = commitments[k];
+          if (v.length !== secret.signers.min) throw new Error('wrong commitments length');
+          for (let i = 0; i < v.length; i++)
+            mergedCommitment[i] = mergedCommitment[i].add(parsePoint(v[i]));
+        }
+        const mergedCommitmentBytes = mergedCommitment.map(serializePoint) as TRet<Commitment[]>;
+        const verifyingShares: Record<Identifier, Uint8Array> = {};
+        for (const k in commitments)
+          verifyingShares[k] = serializePoint(evalutateVSS(parseIdentifier(k), mergedCommitment));
+        // This is enough to sign stuff
+        let res: TRet<Key> = {
+          public: {
+            signers: { min: secret.signers.min, max: secret.signers.max },
+            commitments: mergedCommitmentBytes,
+            verifyingShares: Object.fromEntries(
+              Object.entries(verifyingShares).map(([k, v]) => [k, v.slice()])
+            ),
+          },
+          secret: {
+            identifier: serializeIdentifier(secret.identifier),
+            signingShare: Fn.toBytes(signingShare) as TRet<Bytes>,
+          },
+        };
+        if (opts.adjustDKG) res = opts.adjustDKG(res);
+        for (let i = 0; i < secret.coefficients.length; i++)
+          secret.coefficients[i] -= secret.coefficients[i];
+        delete secret.coefficients;
+        secret.step = 3;
+        return res;
+      },
+      clean(secret: TArg<DKG_Secret>) {
+        // Instead of replacing secret bigint with another (zero?), we subtract it from itself
+        // in the hope that JIT will modify it inplace, instead of creating new value.
+        // This is unverified and may not work, but it is best we can do in regard of bigints.
+        secret.identifier -= secret.identifier;
+        if (secret.coefficients) {
+          for (let i = 0; i < secret.coefficients.length; i++)
+            secret.coefficients[i] -= secret.coefficients[i];
+        }
+        // for (const c of secret.commitment) c.fill(0);
+        secret.step = 3;
+      },
+    }),
+    // Trusted dealer setup
+    // Generates keys for all participants
+    trustedDealer(
+      signers: Signers,
+      identifiers?: Identifier[],
+      secret?: TArg<SecretKey>,
+      rng: RNG = randomBytes
+    ): TRet<DealerShares> {
+      // if no identifiers provided, we generated default identifiers
+      validateSigners(signers);
+      if (identifiers === undefined) {
+        identifiers = [];
+        for (let i = 1; i <= signers.max; i++) identifiers.push(Identifier.fromNumber(i));
+      } else {
+        if (!Array.isArray(identifiers) || identifiers.length !== signers.max)
+          throw new Error('identifiers should be array of ' + signers.max);
+      }
+      const identifierNums: Record<Identifier, bigint> = {};
+      for (const id of identifiers) {
+        const idNum = parseIdentifier(id);
+        if (id in identifierNums) throw new Error('duplicated id=' + id);
+        identifierNums[id] = idNum;
+      }
+      const sp = generateSecretPolynomial(signers, secret, undefined, rng);
+      const commitmentBytes = sp.commitment.map(serializePoint);
+      const secretShares: Record<Identifier, FrostSecret> = {};
+      const verifyingShares: Record<Identifier, Uint8Array> = {};
+      for (const id of identifiers) {
+        const signingShare = polynomialEvaluate(identifierNums[id], sp.coefficients);
+        verifyingShares[id] = serializePoint(Point.BASE.multiply(signingShare));
+        secretShares[id] = {
+          identifier: id,
+          signingShare: Fn.toBytes(signingShare) as TRet<Bytes>,
+        };
+      }
+      return {
+        public: {
+          signers: { min: signers.min, max: signers.max },
+          commitments: commitmentBytes,
+          verifyingShares,
+        },
+        secretShares,
+      } as TRet<DealerShares>;
+    },
+    // Validate secret (from trusted dealer or DKG)
+    validateSecret(secret: TArg<FrostSecret>, pub: TArg<FrostPublic>) {
+      const id = parseIdentifier(secret.identifier);
+      const commitment = pub.commitments.map(parsePoint);
+      const signingShare = Fn.fromBytes(secret.signingShare);
+      validateSecretShare(id, commitment, signingShare);
+    },
+    // Actual signing
+    // Round 1: each participant commit to nonces
+    // Nonces kept private, commitments sent to coordinator (or every other participant)
+    // NOTE: we don't need the message at this point, which lets a coordinator
+    // keep multiple nonce commitments per participant in advance and skip
+    // round1 for signing.
+    // But then each participant needs to remember generated shares
+    commit(secret: TArg<FrostSecret>, rng: RNG = randomBytes): TRet<GenNonce> {
+      const secretScalar = Fn.fromBytes(secret.signingShare);
+      const hiding = generateNonce(secretScalar, rng);
+      const binding = generateNonce(secretScalar, rng);
+      const nonces = { hiding: Fn.toBytes(hiding), binding: Fn.toBytes(binding) };
+      return { nonces, commitments: nonceCommitments(secret.identifier, nonces) } as TRet<GenNonce>;
+    },
+    // Round2: sign. Each participant creates a signature share from the secret
+    // and the selected nonce commitments.
+    signShare(
+      secret: TArg<FrostSecret>,
+      pub: TArg<FrostPublic>,
+      nonces: TArg<Nonces>,
+      commitmentList: TArg<NonceCommitments[]>,
+      msg: TArg<Uint8Array>
+    ): TRet<Uint8Array> {
+      validateCommitmentsNum(pub.signers, commitmentList.length);
+      const hidingNonce0 = Fn.fromBytes(nonces.hiding);
+      const bindingNonce0 = Fn.fromBytes(nonces.binding);
+      if (Fn.is0(hidingNonce0) || Fn.is0(bindingNonce0))
+        throw new Error('signing nonces already used');
+      // Reject a coordinator-assigned commitment pair that does not match the signer's own nonce
+      // pair. This must happen before suite-specific nonce adjustment; secp256k1-tr may negate the
+      // actual signing nonces later, but the coordinator still assigns the original commitments.
+      const expectedCommitment = {
+        identifier: secret.identifier,
+        hiding: serializePoint(Point.BASE.multiply(hidingNonce0)),
+        binding: serializePoint(Point.BASE.multiply(bindingNonce0)),
+      };
+      const commitment = commitmentList.find((i) => i.identifier === secret.identifier);
+      if (!commitment) throw new Error('missing signer commitment');
+      if (
+        bytesToHex(commitment.hiding) !== bytesToHex(expectedCommitment.hiding) ||
+        bytesToHex(commitment.binding) !== bytesToHex(expectedCommitment.binding)
+      )
+        throw new Error('incorrect signer commitment');
+      if (opts.adjustSecret) secret = opts.adjustSecret(secret, pub);
+      if (opts.adjustPublic) pub = opts.adjustPublic(pub);
+      const SK = Fn.fromBytes(secret.signingShare);
+      const { lambda, challenge, bindingFactor, groupCommitment } = prepareShare(
+        pub.commitments[0],
+        commitmentList,
+        msg,
+        secret.identifier
+      );
+      const N = opts.adjustNonces ? opts.adjustNonces(groupCommitment, nonces) : nonces;
+      const hidingNonce = opts.adjustNonces ? Fn.fromBytes(N.hiding) : hidingNonce0;
+      const bindingNonce = opts.adjustNonces ? Fn.fromBytes(N.binding) : bindingNonce0;
+      const t = Fn.mul(Fn.mul(lambda, SK), challenge); // challenge * lambda * SK
+      const t2 = Fn.mul(bindingNonce, bindingFactor); // bindingNonce * bindingFactor
+      const r = Fn.toBytes(Fn.add(Fn.add(hidingNonce, t2), t)); // t + t2 + hidingNonce
+      // RFC 9591 round-one commitments are one-time-use, and round two must use the nonce
+      // corresponding to the published commitment. This API returns mutable local nonce bytes,
+      // so consume them after a successful signShare() call: later all-zero reuse fails closed.
+      nonces.hiding.fill(0);
+      nonces.binding.fill(0);
+      return r as TRet<Uint8Array>;
+    },
+    // Each participant (or coordinator) can verify signatures from other participants
+    verifyShare(
+      pub: TArg<FrostPublic>,
+      commitmentList: TArg<NonceCommitments[]>,
+      msg: TArg<Uint8Array>,
+      identifier: Identifier,
+      sigShare: TArg<Uint8Array>
+    ) {
+      if (opts.adjustPublic) pub = opts.adjustPublic(pub);
+      const comm = commitmentList.find((i) => i.identifier === identifier);
+      if (!comm) throw new Error('cannot find identifier commitment');
+      const PK = parsePoint(pub.verifyingShares[identifier]);
+      const hidingNonceCommitment = parsePoint(comm.hiding);
+      const bindingNonceCommitment = parsePoint(comm.binding);
+      const { lambda, challenge, bindingFactor, groupCommitment } = prepareShare(
+        pub.commitments[0],
+        commitmentList,
+        msg,
+        identifier
+      );
+      // hC + bC * bF
+      let commShare = hidingNonceCommitment.add(bindingNonceCommitment.multiply(bindingFactor));
+      if (opts.adjustGroupCommitmentShare)
+        commShare = opts.adjustGroupCommitmentShare(groupCommitment, commShare);
+      const l = Point.BASE.multiply(Fn.fromBytes(sigShare)); // sigShare*G
+      // commShare + PK * (challenge * lambda)
+      const r = commShare.add(PK.multiply(Fn.mul(challenge, lambda)));
+      return l.equals(r);
+    },
+    // Aggregate multiple signature shares into groupSignature
+    aggregate(
+      pub: TArg<FrostPublic>,
+      commitmentList: TArg<NonceCommitments[]>,
+      msg: TArg<Uint8Array>,
+      sigShares: TArg<Record<Identifier, Uint8Array>>
+    ): TRet<Uint8Array> {
+      if (opts.adjustPublic) pub = opts.adjustPublic(pub);
+      try {
+        validateCommitmentsNum(pub.signers, commitmentList.length);
+      } catch {
+        throw new AggErr('aggregation failed', []);
+      }
+      const ids = commitmentList.map((i) => i.identifier);
+      if (ids.length !== Object.keys(sigShares).length) throw new AggErr('aggregation failed', []);
+      for (const id of ids) {
+        if (!(id in sigShares) || !(id in pub.verifyingShares))
+          throw new AggErr('aggregation failed', []);
+      }
+      const GPK = parsePoint(pub.commitments[0]);
+      const { groupCommitment } = getGroupCommitment(GPK, commitmentList, msg);
+      let z = Fn.ZERO;
+      // RFC 9591 Section 5.3 aggregates by summing the validated signature shares.
+      for (const id of ids) z = Fn.add(z, Fn.fromBytes(sigShares[id])); // z += zi
+      if (!Basic.verify(msg, groupCommitment, z, GPK)) {
+        const cheaters = [];
+        for (const id of ids) {
+          if (!this.verifyShare(pub, commitmentList, msg, id, sigShares[id])) cheaters.push(id);
+        }
+        throw new AggErr('aggregation failed', cheaters);
+      }
+      return Signature.encode(groupCommitment, z);
+    },
+    // Basic sign/verify using single key
+    sign(msg: TArg<Uint8Array>, secretKey: TArg<Uint8Array>): TRet<Uint8Array> {
+      let sk = Fn.fromBytes(secretKey);
+      // Taproot single-key signing needs the same scalar normalization as threshold keys.
+      if (opts.adjustScalar) sk = opts.adjustScalar(sk);
+      const [R, z] = Basic.sign(msg, sk);
+      return Signature.encode(R, z);
+    },
+    verify(sig: TArg<Signature>, msg: TArg<Uint8Array>, publicKey: TArg<Uint8Array>) {
+      const PK = opts.parsePublicKey ? opts.parsePublicKey(publicKey) : parsePoint(publicKey);
+      const { R, z } = Signature.decode(sig);
+      return Basic.verify(msg, R, z, PK);
+    },
+    // Combine multiple secret shares to restore secret
+    combineSecret(shares: TArg<FrostSecret[]>, signers: Signers): TRet<Uint8Array> {
+      validateSigners(signers);
+      if (!Array.isArray(shares) || shares.length < signers.min)
+        throw new Error('wrong secret shares array');
+      const points = [];
+      const seen: Record<Identifier, boolean> = {};
+      // Interpolate over the full provided share set and reject duplicate identifiers.
+      for (const s of shares) {
+        const idNum = parseIdentifier(s.identifier);
+        const id = serializeIdentifier(idNum);
+        if (seen[id]) throw new Error('duplicated id=' + id);
+        seen[id] = true;
+        points.push([idNum, Fn.fromBytes(s.signingShare)]);
+      }
+      const xCoords = points.map(([x]) => x);
+      let res = Fn.ZERO;
+      for (const [x, y] of points)
+        res = Fn.add(res, Fn.mul(y, deriveInterpolatingValue(xCoords, x)));
+      return Fn.toBytes(res) as TRet<Uint8Array>;
+    },
+    // Utils
+    utils: Object.freeze({
+      Fn, // NOTE: we re-export it here because it may be different from Point.Fn (ed448 is fun!)
+      // Test RNG overrides still go through noble's non-zero scalar derivation; this is not a raw
+      // "bytes become scalar" escape hatch.
+      randomScalar: (rng: RNG = randomBytes) =>
+        Fn.toBytes(genPointScalarPair(rng).scalar) as TRet<Uint8Array>,
+      generateSecretPolynomial: (
+        signers: Signers,
+        secret?: TArg<Uint8Array>,
+        coeffs?: bigint[],
+        rng?: RNG
+      ) => {
+        const res = generateSecretPolynomial(signers, secret, coeffs, rng);
+        return { ...res, commitment: res.commitment.map(serializePoint) as TRet<Point[]> };
+      },
+    }),
+  };
+  return Object.freeze(frost) as TRet<FROST>;
+}