threshold-elgamal 1.0.0-beta.7 → 1.0.0

package/README.md

@@ -2,9 +2,15 @@
 
 [![npm version](https://badge.fury.io/js/threshold-elgamal.svg)](https://www.npmjs.com/package/threshold-elgamal)
 [![npm downloads](https://img.shields.io/npm/dm/threshold-elgamal)](https://www.npmjs.com/package/threshold-elgamal)
+
+---
+
 [![CI](https://img.shields.io/github/actions/workflow/status/Tenemo/threshold-elgamal/ci.yml?branch=master&label=passing%20tests)](https://github.com/Tenemo/threshold-elgamal/actions/workflows/ci.yml)
-[![Tests coverage](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Tenemo/threshold-elgamal/master/docs/public/coverage-badge.json)](docs/public/coverage-summary.json)
+[![Tests coverage](https://img.shields.io/endpoint?url=https://tenemo.github.io/threshold-elgamal/coverage-badge.json)](https://tenemo.github.io/threshold-elgamal/coverage-summary.json)
 [![Documentation build](https://img.shields.io/github/actions/workflow/status/Tenemo/threshold-elgamal/pages.yml?branch=master&label=docs)](https://github.com/Tenemo/threshold-elgamal/actions/workflows/pages.yml)
+
+---
+
 [![Node version](https://img.shields.io/badge/node-%E2%89%A524.14.1-5FA04E?logo=node.js&logoColor=white)](https://nodejs.org/)
 [![License](https://img.shields.io/github/license/Tenemo/threshold-elgamal)](LICENSE)
 
@@ -24,7 +30,7 @@ This is a hardened research prototype. It has not been audited.
 ## Installation
 
 ```bash
-pnpm add threshold-elgamal
+npm install threshold-elgamal
 ```
 
 ## Runtime requirements
@@ -35,6 +41,18 @@ pnpm add threshold-elgamal
 - Authentication signatures require Web Crypto `Ed25519`.
 - Transport share exchange requires Web Crypto `X25519`.
 
+## Documentation
+
+- Hosted documentation site: [tenemo.github.io/threshold-elgamal](https://tenemo.github.io/threshold-elgamal/)
+- Get started: [tenemo.github.io/threshold-elgamal/guides/getting-started](https://tenemo.github.io/threshold-elgamal/guides/getting-started/)
+- Verifying a public board: [tenemo.github.io/threshold-elgamal/guides/verifying-a-public-board](https://tenemo.github.io/threshold-elgamal/guides/verifying-a-public-board/)
+- Browser and worker usage: [tenemo.github.io/threshold-elgamal/guides/browser-and-worker-usage](https://tenemo.github.io/threshold-elgamal/guides/browser-and-worker-usage/)
+- Published payload examples: [tenemo.github.io/threshold-elgamal/guides/published-payload-examples](https://tenemo.github.io/threshold-elgamal/guides/published-payload-examples/)
+- Honest-majority voting flow: [tenemo.github.io/threshold-elgamal/guides/three-participant-voting-flow](https://tenemo.github.io/threshold-elgamal/guides/three-participant-voting-flow/)
+- Security boundary: [tenemo.github.io/threshold-elgamal/guides/security-and-non-goals](https://tenemo.github.io/threshold-elgamal/guides/security-and-non-goals/)
+- Production voting safety review: [tenemo.github.io/threshold-elgamal/guides/production-voting-safety-review](https://tenemo.github.io/threshold-elgamal/guides/production-voting-safety-review/)
+- API docs: [tenemo.github.io/threshold-elgamal/api](https://tenemo.github.io/threshold-elgamal/api/)
+
 ## Browser support
 
 The shipped cryptographic browser path is fixed:
@@ -62,7 +80,7 @@ The supported boardroom flow is:
 5. Post ballot payloads for complete `1..10` score ballots.
 6. Post one organizer-signed `ballot-close` payload that freezes which complete ballots are counted.
 7. Post threshold decryption shares and tally publications for the close-selected ballot set.
-8. Verify the whole ceremony with `verifyElectionCeremonyDetailed(...)`.
+8. Verify the whole ceremony with `verifyElectionCeremony(...)`.
 
 The cryptographic threshold is derived internally from the accepted registration roster:
 
@@ -72,6 +90,14 @@ The cryptographic threshold is derived internally from the accepted registration
 
 There is no supported `n-of-n` mode and no supported public `k-of-n` configuration.
 
+Transcript verification requires key-derivation confirmations from every qualified participant.
+
+## Choose your entry point
+
+- Verifying a public board: start with the hosted guide for `tryVerifyElectionCeremony(...)` and `verifyElectionCeremony(...)`.
+- Browser and worker usage: start with the browser guide for key generation, manifest setup, and encrypted transport envelopes.
+- Payload shapes and storage: start with the payload examples guide if you need concrete JSON, posting, or persistence patterns.
+
 ## Getting started
 
 ```typescript
@@ -118,6 +144,34 @@ console.log(majorityThreshold(3)); // 2
 console.log(sessionId.length); // 64
 ```
 
+If your application consumes a complete public board, the shortest safe verifier entry point is:
+
+```typescript
+import {
+    tryVerifyElectionCeremony,
+    type VerifyElectionCeremonyInput,
+} from "threshold-elgamal";
+
+const bundle: VerifyElectionCeremonyInput = {
+    manifest,
+    sessionId,
+    dkgTranscript,
+    ballotPayloads,
+    ballotClosePayload,
+    decryptionSharePayloads,
+    tallyPublications,
+};
+
+const result = await tryVerifyElectionCeremony(bundle);
+
+if (!result.ok) {
+    console.error(result.error.stage, result.error.code, result.error.reason);
+} else {
+    console.log(result.verified.perOptionTallies);
+    console.log(result.verified.boardAudit.overall.fingerprint);
+}
+```
+
 The root package also exposes public builders for:
 
 - manifest publication
@@ -132,7 +186,7 @@ The root package also exposes public builders for:
 - decryption shares
 - tally publication
 
-For a full executable ceremony example, use the public node integration tests in this repository.
+For concrete integration examples, start with the hosted guides below. The repository integration harness exercises the same workflow, but it is not part of the supported public API.
 
 ## Security boundary
 
@@ -157,19 +211,16 @@ What it does not claim:
 
 `ballot-close` is an auditable administrative cutoff, not a fairness proof about board arrival order. The library proves what was counted, not whether the organizer waited long enough before closing.
 
-## Documentation
-
-- Hosted documentation site: [tenemo.github.io/threshold-elgamal](https://tenemo.github.io/threshold-elgamal/)
-- Get started: [tenemo.github.io/threshold-elgamal/guides/getting-started](https://tenemo.github.io/threshold-elgamal/guides/getting-started/)
-- Honest-majority voting flow: [tenemo.github.io/threshold-elgamal/guides/three-participant-voting-flow](https://tenemo.github.io/threshold-elgamal/guides/three-participant-voting-flow/)
-- Security boundary: [tenemo.github.io/threshold-elgamal/guides/security-and-non-goals](https://tenemo.github.io/threshold-elgamal/guides/security-and-non-goals/)
-- API docs: [tenemo.github.io/threshold-elgamal/api](https://tenemo.github.io/threshold-elgamal/api/)
+For a production-threat-model verdict that maps these boundaries to the shipped verifier and tests, read the production voting safety review in the hosted docs.
 
 ## Development
 
 ```bash
 pnpm install
-pnpm run ci
+pnpm run lint
+pnpm run tsc
+pnpm run test
+pnpm run build
 ```
 
 ## License

package/dist/core/bigint.d.ts

@@ -4,25 +4,12 @@
  * @throws {@link InvalidScalarError} When `modulus` is not positive.
  */
 export declare const mod: (value: bigint, modulus: bigint) => bigint;
-/**
- * Reduces a value into the range `0..p-1`.
- *
- * @throws {@link InvalidScalarError} When `p` is not positive.
- */
-export declare const modP: (value: bigint, p: bigint) => bigint;
 /**
  * Reduces a value into the range `0..q-1`.
  *
  * @throws {@link InvalidScalarError} When `q` is not positive.
  */
 export declare const modQ: (value: bigint, q: bigint) => bigint;
-/**
- * Computes the multiplicative inverse of a value modulo `p`.
- *
- * @throws {@link InvalidScalarError} When `p` is not positive or the inverse
- * does not exist.
- */
-export declare const modInvP: (value: bigint, p: bigint) => bigint;
 /**
  * Computes the multiplicative inverse of a value modulo `q`.
  *

package/dist/core/bigint.js

@@ -62,23 +62,13 @@ export const mod = (value, modulus) => {
  *
  * @throws {@link InvalidScalarError} When `p` is not positive.
  */
-export const modP = (value, p) => mod(value, p);
+const modP = (value, p) => mod(value, p);
 /**
  * Reduces a value into the range `0..q-1`.
  *
  * @throws {@link InvalidScalarError} When `q` is not positive.
  */
 export const modQ = (value, q) => mod(value, q);
-/**
- * Computes the multiplicative inverse of a value modulo `p`.
- *
- * @throws {@link InvalidScalarError} When `p` is not positive or the inverse
- * does not exist.
- */
-export const modInvP = (value, p) => {
-    assertPositiveModulus(p);
-    return modInv(modP(value, p), p);
-};
 /**
  * Computes the multiplicative inverse of a value modulo `q`.
  *

package/dist/core/bytes.d.ts

@@ -1,5 +1,5 @@
 export declare const bytesToHex: (bytes: Uint8Array) => string;
-export declare const hexToBytes: (hex: string) => Uint8Array;
+export declare const hexToBytes: (hex: string, errorMessage?: string) => Uint8Array;
 export declare const bytesToBigInt: (bytes: Uint8Array) => bigint;
 export declare const bytesToBigIntLE: (bytes: Uint8Array) => bigint;
 export declare const toBufferSource: (bytes: Uint8Array) => ArrayBuffer;

package/dist/core/bytes.js

@@ -1,3 +1,6 @@
+import { InvalidPayloadError } from './errors.js';
+const hexPattern = /^[0-9a-f]+$/i;
+const defaultHexErrorMessage = 'Hex input must be a non-empty even-length hexadecimal string';
 export const bytesToHex = (bytes) => {
     let hex = '';
     for (const byte of bytes) {
@@ -5,9 +8,9 @@ export const bytesToHex = (bytes) => {
     }
     return hex;
 };
-export const hexToBytes = (hex) => {
-    if (hex.length === 0 || hex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(hex)) {
-        throw new Error('Hex input must be a non-empty even-length string');
+export const hexToBytes = (hex, errorMessage = defaultHexErrorMessage) => {
+    if (hex.length === 0 || hex.length % 2 !== 0 || !hexPattern.test(hex)) {
+        throw new InvalidPayloadError(errorMessage);
     }
     const bytes = new Uint8Array(hex.length / 2);
     for (let index = 0; index < hex.length; index += 2) {

package/dist/core/errors.d.ts

@@ -1,37 +1,37 @@
-declare class ThresholdElgamalError extends Error {
+declare class ThresholdElGamalError extends Error {
     constructor(message: string);
 }
 /** Raised when a scalar value falls outside the expected mathematical domain. */
-export declare class InvalidScalarError extends ThresholdElgamalError {
+export declare class InvalidScalarError extends ThresholdElGamalError {
 }
 /** Raised when a group element is not valid for the selected suite. */
-export declare class InvalidGroupElementError extends ThresholdElgamalError {
+export declare class InvalidGroupElementError extends ThresholdElGamalError {
 }
 /** Raised when a participant index falls outside the valid `1..n` range. */
-export declare class IndexOutOfRangeError extends ThresholdElgamalError {
+export declare class IndexOutOfRangeError extends ThresholdElGamalError {
 }
 /** Raised when serialized payload bytes do not satisfy the required encoding. */
-export declare class InvalidPayloadError extends ThresholdElgamalError {
+export declare class InvalidPayloadError extends ThresholdElGamalError {
 }
 /** Raised when a proof transcript or response fails verification. */
-export declare class InvalidProofError extends ThresholdElgamalError {
+export declare class InvalidProofError extends ThresholdElGamalError {
 }
 /** Raised when the requested suite or runtime capability is unavailable. */
-export declare class UnsupportedSuiteError extends ThresholdElgamalError {
+export declare class UnsupportedSuiteError extends ThresholdElGamalError {
 }
 /** Raised when a plaintext lies outside the allowed domain for the chosen mode. */
-export declare class PlaintextDomainError extends ThresholdElgamalError {
+export declare class PlaintextDomainError extends ThresholdElGamalError {
 }
 /** Raised when a serialized or reconstructed share fails validation. */
-export declare class InvalidShareError extends ThresholdElgamalError {
+export declare class InvalidShareError extends ThresholdElGamalError {
 }
 /** Raised when a protocol step transition violates the state machine rules. */
-export declare class PhaseViolationError extends ThresholdElgamalError {
+export declare class PhaseViolationError extends ThresholdElGamalError {
 }
 /** Raised when threshold parameters do not satisfy `1 <= k <= n`. */
-export declare class ThresholdViolationError extends ThresholdElgamalError {
+export declare class ThresholdViolationError extends ThresholdElGamalError {
 }
 /** Raised when transcript hashes or canonical bytes do not match expectations. */
-export declare class TranscriptMismatchError extends ThresholdElgamalError {
+export declare class TranscriptMismatchError extends ThresholdElGamalError {
 }
 export {};

package/dist/core/errors.js

@@ -1,4 +1,4 @@
-class ThresholdElgamalError extends Error {
+class ThresholdElGamalError extends Error {
     constructor(message) {
         super(message);
         this.name = new.target.name;
@@ -6,35 +6,35 @@ class ThresholdElgamalError extends Error {
     }
 }
 /** Raised when a scalar value falls outside the expected mathematical domain. */
-export class InvalidScalarError extends ThresholdElgamalError {
+export class InvalidScalarError extends ThresholdElGamalError {
 }
 /** Raised when a group element is not valid for the selected suite. */
-export class InvalidGroupElementError extends ThresholdElgamalError {
+export class InvalidGroupElementError extends ThresholdElGamalError {
 }
 /** Raised when a participant index falls outside the valid `1..n` range. */
-export class IndexOutOfRangeError extends ThresholdElgamalError {
+export class IndexOutOfRangeError extends ThresholdElGamalError {
 }
 /** Raised when serialized payload bytes do not satisfy the required encoding. */
-export class InvalidPayloadError extends ThresholdElgamalError {
+export class InvalidPayloadError extends ThresholdElGamalError {
 }
 /** Raised when a proof transcript or response fails verification. */
-export class InvalidProofError extends ThresholdElgamalError {
+export class InvalidProofError extends ThresholdElGamalError {
 }
 /** Raised when the requested suite or runtime capability is unavailable. */
-export class UnsupportedSuiteError extends ThresholdElgamalError {
+export class UnsupportedSuiteError extends ThresholdElGamalError {
 }
 /** Raised when a plaintext lies outside the allowed domain for the chosen mode. */
-export class PlaintextDomainError extends ThresholdElgamalError {
+export class PlaintextDomainError extends ThresholdElGamalError {
 }
 /** Raised when a serialized or reconstructed share fails validation. */
-export class InvalidShareError extends ThresholdElgamalError {
+export class InvalidShareError extends ThresholdElGamalError {
 }
 /** Raised when a protocol step transition violates the state machine rules. */
-export class PhaseViolationError extends ThresholdElgamalError {
+export class PhaseViolationError extends ThresholdElGamalError {
 }
 /** Raised when threshold parameters do not satisfy `1 <= k <= n`. */
-export class ThresholdViolationError extends ThresholdElgamalError {
+export class ThresholdViolationError extends ThresholdElGamalError {
 }
 /** Raised when transcript hashes or canonical bytes do not match expectations. */
-export class TranscriptMismatchError extends ThresholdElgamalError {
+export class TranscriptMismatchError extends ThresholdElGamalError {
 }

package/dist/core/groups.d.ts

@@ -1,9 +1,4 @@
-import type { CryptoGroup, GroupIdentifier } from './types.js';
+import type { CryptoGroup } from './types.js';
 /** Immutable definition of the shipped Ristretto255 tally group. */
 export declare const RISTRETTO_GROUP: CryptoGroup;
-/** @internal Returns the immutable built-in Ristretto255 group definition. */
-export declare const getGroup: (identifier: GroupIdentifier) => CryptoGroup;
-/** @internal Lists the immutable built-in group definitions. */
-export declare const listGroups: () => readonly CryptoGroup[];
-/** Returns the canonical deterministic secondary generator encoding. */
-export declare const deriveH: () => string;
+export declare const assertCanonicalRistrettoGroup: (group: CryptoGroup, label?: string) => void;

package/dist/core/groups.js

@@ -10,15 +10,16 @@ export const RISTRETTO_GROUP = Object.freeze({
     h: derivePedersenGenerator(),
     securityEstimate: 128,
 });
-const GROUPS = Object.freeze([RISTRETTO_GROUP]);
-/** @internal Returns the immutable built-in Ristretto255 group definition. */
-export const getGroup = (identifier) => {
-    if (identifier !== RISTRETTO_GROUP.name) {
-        throw new UnsupportedSuiteError(`Unsupported group: ${String(identifier)}`);
+const sameCanonicalRistrettoGroup = (group) => group.name === RISTRETTO_GROUP.name &&
+    group.byteLength === RISTRETTO_GROUP.byteLength &&
+    group.scalarByteLength === RISTRETTO_GROUP.scalarByteLength &&
+    group.q === RISTRETTO_GROUP.q &&
+    group.g === RISTRETTO_GROUP.g &&
+    group.h === RISTRETTO_GROUP.h &&
+    group.securityEstimate === RISTRETTO_GROUP.securityEstimate;
+export const assertCanonicalRistrettoGroup = (group, label = 'Group') => {
+    const normalizedLabel = label.length > 0 ? `${label[0].toLowerCase()}${label.slice(1)}` : label;
+    if (!sameCanonicalRistrettoGroup(group)) {
+        throw new UnsupportedSuiteError(`${normalizedLabel} must match the shipped canonical ristretto255 group definition`);
     }
-    return RISTRETTO_GROUP;
 };
-/** @internal Lists the immutable built-in group definitions. */
-export const listGroups = () => GROUPS;
-/** Returns the canonical deterministic secondary generator encoding. */
-export const deriveH = () => RISTRETTO_GROUP.h;

package/dist/core/ristretto.d.ts

@@ -1,21 +1,17 @@
 import { ristretto255 } from '@noble/curves/ed25519.js';
 import type { EncodedPoint } from './types.js';
-export type InternalPoint = InstanceType<typeof ristretto255.Point>;
-export declare const RISTRETTO_GROUP_NAME = "ristretto255";
+type InternalPoint = InstanceType<typeof ristretto255.Point>;
 export declare const RISTRETTO_ORDER: bigint;
 export declare const RISTRETTO_BYTE_LENGTH = 32;
-export declare const RISTRETTO_SECURITY_ESTIMATE = 128;
-export declare const RISTRETTO_BASE: InternalPoint;
 export declare const RISTRETTO_ZERO: InternalPoint;
 export declare const encodePoint: (point: InternalPoint) => EncodedPoint;
 export declare const decodePoint: (value: string, label?: string) => InternalPoint;
 export declare const encodeScalar: (value: bigint) => string;
 export declare const decodeScalar: (value: string, label?: string) => bigint;
-export declare const assertValidPoint: (value: string, label?: string) => void;
-export declare const assertNonIdentityPoint: (value: string, label?: string) => void;
 export declare const pointAdd: (left: InternalPoint, right: InternalPoint) => InternalPoint;
 export declare const pointSubtract: (left: InternalPoint, right: InternalPoint) => InternalPoint;
 export declare const pointMultiply: (point: InternalPoint, scalar: bigint) => InternalPoint;
 export declare const multiplyBase: (scalar: bigint) => InternalPoint;
 export declare const derivePedersenGenerator: () => EncodedPoint;
 export declare const hashChallengeToScalar: (payload: Uint8Array) => bigint;
+export {};

package/dist/core/ristretto.js

@@ -3,12 +3,10 @@ import { sha512 } from '@noble/hashes/sha2.js';
 import { bytesToBigInt, bytesToBigIntLE, bytesToHex, hexToBytes, } from './bytes.js';
 import { utf8ToBytes } from './crypto.js';
 import { InvalidGroupElementError, InvalidPayloadError, InvalidScalarError, } from './errors.js';
-export const RISTRETTO_GROUP_NAME = 'ristretto255';
 const RISTRETTO_POINT = ristretto255.Point;
 export const RISTRETTO_ORDER = ristretto255.Point.Fn.ORDER;
 export const RISTRETTO_BYTE_LENGTH = 32;
-export const RISTRETTO_SECURITY_ESTIMATE = 128;
-export const RISTRETTO_BASE = ristretto255.Point.BASE;
+const RISTRETTO_BASE = ristretto255.Point.BASE;
 export const RISTRETTO_ZERO = ristretto255.Point.ZERO;
 const scalarByteLength = RISTRETTO_BYTE_LENGTH;
 const pointHexLength = RISTRETTO_BYTE_LENGTH * 2;
@@ -48,14 +46,6 @@ export const decodeScalar = (value, label = 'Scalar encoding') => {
     }
     return scalar;
 };
-export const assertValidPoint = (value, label = 'Point') => {
-    decodePoint(value, label);
-};
-export const assertNonIdentityPoint = (value, label = 'Point') => {
-    if (decodePoint(value, label).is0()) {
-        throw new InvalidGroupElementError(`${label} must not be the identity`);
-    }
-};
 export const pointAdd = (left, right) => left.add(right);
 export const pointSubtract = (left, right) => left.subtract(right);
 export const pointMultiply = (point, scalar) => {

package/dist/core/types.d.ts

@@ -11,8 +11,6 @@ export type GroupName = 'ristretto255';
 export type GroupIdentifier = GroupName;
 /** Canonical 32-byte Ristretto point encoding exposed at the public boundary. */
 export type EncodedPoint = Brand<string, 'EncodedPoint'>;
-/** Scalar value intended to live in the prime-order field `Z_q`. */
-export type ScalarQ = Brand<bigint, 'ScalarQ'>;
 /** @internal Immutable built-in group definition for the shipped suite. */
 export type CryptoGroup = {
     /** Canonical suite name. */

package/dist/dkg/checkpoints.d.ts

@@ -1,4 +1,5 @@
 import type { PhaseCheckpointPayload, SignedPayload } from '../protocol/types.js';
+import { type ResolvePhaseCheckpointInput } from './verification.js';
 /** Finalized threshold-supported checkpoint for one DKG phase. */
 export type FinalizedPhaseCheckpoint = {
     readonly payload: PhaseCheckpointPayload;
@@ -7,14 +8,12 @@ export type FinalizedPhaseCheckpoint = {
 };
 /** Returns `true` when the signed payload is a phase checkpoint. */
 export declare const isPhaseCheckpointPayload: (payload: SignedPayload) => payload is SignedPayload<PhaseCheckpointPayload>;
-/** Returns the required checkpoint phases for the shipped GJKR reducer. */
-export declare const requiredCheckpointPhases: () => readonly number[];
-/** Returns the last required checkpoint phase for the shipped GJKR reducer. */
-export declare const finalCheckpointPhase: () => number;
-/** Groups all checkpoint variants observed for one closed DKG phase. */
-export declare const collectCheckpointVariants: (transcript: readonly SignedPayload[], checkpointPhase: number) => readonly FinalizedPhaseCheckpoint[];
 /**
- * Returns the unique threshold-supported checkpoint variant for one phase, or
- * `null` when no unique threshold-supported checkpoint exists yet.
+ * Rejects phase-checkpoint payloads outside the shipped GJKR checkpoint plan.
  */
-export declare const resolveFinalizedPhaseCheckpoint: (transcript: readonly SignedPayload[], checkpointPhase: number, threshold: number) => FinalizedPhaseCheckpoint | null;
+export declare const assertSupportedCheckpointPayloads: (transcript: readonly SignedPayload[]) => void;
+/**
+ * Resolves and validates the unique threshold-supported checkpoint for one
+ * closed DKG phase.
+ */
+export declare const resolveVerifiedPhaseCheckpoint: (input: ResolvePhaseCheckpointInput) => Promise<FinalizedPhaseCheckpoint>;

package/dist/dkg/checkpoints.js

@@ -1,3 +1,6 @@
+import { InvalidPayloadError } from '../core/index.js';
+import { hashProtocolPhaseSnapshot } from '../protocol/transcript.js';
+import { assertIndexSubset, assertUniqueSortedParticipantIndices, } from './verification.js';
 const checkpointKey = (payload) => JSON.stringify({
     sessionId: payload.sessionId,
     manifestHash: payload.manifestHash,
@@ -5,17 +8,15 @@ const checkpointKey = (payload) => JSON.stringify({
     messageType: payload.messageType,
     checkpointPhase: payload.checkpointPhase,
     checkpointTranscriptHash: payload.checkpointTranscriptHash,
-    qualParticipantIndices: payload.qualParticipantIndices,
+    qualifiedParticipantIndices: payload.qualifiedParticipantIndices,
 });
 const compareNumbers = (left, right) => left - right;
+const sameParticipantIndexList = (left, right) => left.length === right.length &&
+    left.every((participantIndex, index) => participantIndex === right[index]);
 /** Returns `true` when the signed payload is a phase checkpoint. */
 export const isPhaseCheckpointPayload = (payload) => payload.payload.messageType === 'phase-checkpoint';
-/** Returns the required checkpoint phases for the shipped GJKR reducer. */
-export const requiredCheckpointPhases = () => [0, 1, 2, 3];
-/** Returns the last required checkpoint phase for the shipped GJKR reducer. */
-export const finalCheckpointPhase = () => requiredCheckpointPhases()[requiredCheckpointPhases().length - 1] ?? 0;
-/** Groups all checkpoint variants observed for one closed DKG phase. */
-export const collectCheckpointVariants = (transcript, checkpointPhase) => {
+const requiredCheckpointPhases = () => [0, 1, 2, 3];
+const collectCheckpointVariants = (transcript, checkpointPhase) => {
     const grouped = new Map();
     for (const signedPayload of transcript) {
         if (!isPhaseCheckpointPayload(signedPayload) ||
@@ -40,10 +41,47 @@ export const collectCheckpointVariants = (transcript, checkpointPhase) => {
     });
 };
 /**
- * Returns the unique threshold-supported checkpoint variant for one phase, or
- * `null` when no unique threshold-supported checkpoint exists yet.
+ * Rejects phase-checkpoint payloads outside the shipped GJKR checkpoint plan.
  */
-export const resolveFinalizedPhaseCheckpoint = (transcript, checkpointPhase, threshold) => {
-    const supported = collectCheckpointVariants(transcript, checkpointPhase).filter((entry) => entry.signatures.length >= threshold);
-    return supported.length === 1 ? supported[0] : null;
+export const assertSupportedCheckpointPayloads = (transcript) => {
+    for (const signedPayload of transcript) {
+        if (isPhaseCheckpointPayload(signedPayload) &&
+            !requiredCheckpointPhases().includes(signedPayload.payload.checkpointPhase)) {
+            throw new InvalidPayloadError(`Checkpoint phase ${signedPayload.payload.checkpointPhase} is not part of the GJKR phase plan`);
+        }
+    }
+};
+/**
+ * Resolves and validates the unique threshold-supported checkpoint for one
+ * closed DKG phase.
+ */
+export const resolveVerifiedPhaseCheckpoint = async (input) => {
+    const supported = collectCheckpointVariants(input.transcript, input.checkpointPhase).filter((entry) => entry.signatures.length >= input.threshold);
+    if (supported.length === 0) {
+        throw new InvalidPayloadError(`Missing threshold-supported phase checkpoint for phase ${input.checkpointPhase}`);
+    }
+    if (supported.length > 1) {
+        throw new InvalidPayloadError(`Observed multiple threshold-supported phase checkpoints for phase ${input.checkpointPhase}`);
+    }
+    const checkpoint = supported[0];
+    const qualifiedParticipantIndices = checkpoint.payload.qualifiedParticipantIndices;
+    assertUniqueSortedParticipantIndices(qualifiedParticipantIndices, input.participantCount, `Phase ${input.checkpointPhase} checkpoint qualified participant`);
+    if (!sameParticipantIndexList(qualifiedParticipantIndices, input.expectedQualifiedParticipantIndices)) {
+        throw new InvalidPayloadError(`Phase ${input.checkpointPhase} checkpoint qualified participant set does not match the verifier-computed active participant set`);
+    }
+    if (qualifiedParticipantIndices.length < input.threshold) {
+        throw new InvalidPayloadError(`Checkpoint qualified participant set for phase ${input.checkpointPhase} must contain at least ${input.threshold} participants`);
+    }
+    const expectedSnapshotHash = await hashProtocolPhaseSnapshot(input.transcript.map((entry) => entry.payload), input.checkpointPhase);
+    if (checkpoint.payload.checkpointTranscriptHash !== expectedSnapshotHash) {
+        throw new InvalidPayloadError(`Phase ${input.checkpointPhase} checkpoint transcript hash does not match the signed transcript snapshot`);
+    }
+    assertIndexSubset(checkpoint.signers, input.signerUniverse, `Phase ${input.checkpointPhase} checkpoint signer`);
+    const qualifiedParticipantSet = new Set(qualifiedParticipantIndices);
+    for (const signer of checkpoint.signers) {
+        if (!qualifiedParticipantSet.has(signer)) {
+            throw new InvalidPayloadError(`Phase ${input.checkpointPhase} checkpoint signer ${signer} is not part of the checkpoint qualified participant set`);
+        }
+    }
+    return checkpoint;
 };

package/dist/dkg/pedersen-share-codec.js

@@ -1,6 +1,53 @@
-import { InvalidPayloadError } from '../core/index.js';
+import { InvalidPayloadError, RISTRETTO_GROUP } from '../core/index.js';
 import { canonicalizeJson } from '../protocol/canonical-json.js';
-import { bigintToFixedHex, fixedHexToBigint } from '../serialize/index.js';
+import { bigintToFixedHex, fixedHexToBigInt } from '../serialize/index.js';
+const pedersenShareEnvelopeKeys = [
+    'blindingValue',
+    'index',
+    'secretValue',
+];
+const fixedLowercaseHexPattern = /^[0-9a-f]+$/;
+const pedersenShareTextDecoder = new TextDecoder('utf-8', { fatal: true });
+const assertCanonicalEnvelopeIndex = (value, expectedParticipantIndex, label) => {
+    if (typeof value !== 'number' || !Number.isInteger(value) || value < 1) {
+        throw new InvalidPayloadError(`${label} share index must be a positive integer`);
+    }
+    if (value !== expectedParticipantIndex) {
+        throw new InvalidPayloadError(`${label} share index mismatch: expected ${expectedParticipantIndex}, received ${value}`);
+    }
+    return value;
+};
+const parseCanonicalFixedHex = (value, byteLength, label) => {
+    const expectedLength = byteLength * 2;
+    if (typeof value !== 'string' ||
+        value.length !== expectedLength ||
+        !fixedLowercaseHexPattern.test(value)) {
+        throw new InvalidPayloadError(`${label} must be a lowercase fixed-width hexadecimal string of length ${expectedLength}`);
+    }
+    const decoded = fixedHexToBigInt(value);
+    if (bigintToFixedHex(decoded, byteLength) !== value) {
+        throw new InvalidPayloadError(`${label} must use canonical fixed-width hexadecimal encoding`);
+    }
+    return decoded;
+};
+const parsePedersenShareEnvelopeRecord = (parsed, expectedParticipantIndex, label) => {
+    if (parsed === null ||
+        Array.isArray(parsed) ||
+        typeof parsed !== 'object') {
+        throw new InvalidPayloadError(`${label} plaintext must be a JSON object`);
+    }
+    const record = parsed;
+    const keys = Object.keys(record).sort();
+    if (keys.length !== pedersenShareEnvelopeKeys.length ||
+        !keys.every((key, index) => key === pedersenShareEnvelopeKeys[index])) {
+        throw new InvalidPayloadError(`${label} plaintext must contain only blindingValue, index, and secretValue`);
+    }
+    return {
+        blindingValue: bigintToFixedHex(parseCanonicalFixedHex(record.blindingValue, RISTRETTO_GROUP.scalarByteLength, `${label} blinding value`), RISTRETTO_GROUP.scalarByteLength),
+        index: assertCanonicalEnvelopeIndex(record.index, expectedParticipantIndex, label),
+        secretValue: bigintToFixedHex(parseCanonicalFixedHex(record.secretValue, RISTRETTO_GROUP.scalarByteLength, `${label} secret value`), RISTRETTO_GROUP.scalarByteLength),
+    };
+};
 /** Encodes one Pedersen share pair for encrypted dealer-to-recipient transport. */
 export const encodePedersenShareEnvelope = (share, byteLength) => canonicalizeJson({
     index: share.index,
@@ -11,19 +58,29 @@ export const encodePedersenShareEnvelope = (share, byteLength) => canonicalizeJs
 });
 /** Decodes one encrypted Pedersen share pair after envelope decryption. */
 export const decodePedersenShareEnvelope = (plaintext, expectedParticipantIndex, label) => {
-    let parsed;
+    let decodedPlaintext;
     try {
-        parsed = JSON.parse(new TextDecoder().decode(plaintext));
+        decodedPlaintext = pedersenShareTextDecoder.decode(plaintext);
     }
     catch {
         throw new InvalidPayloadError(`${label} plaintext is not valid canonical JSON`);
     }
-    if (parsed.index !== expectedParticipantIndex) {
-        throw new InvalidPayloadError(`${label} share index mismatch: expected ${expectedParticipantIndex}, received ${parsed.index}`);
+    let parsed;
+    try {
+        parsed = parsePedersenShareEnvelopeRecord(JSON.parse(decodedPlaintext), expectedParticipantIndex, label);
+    }
+    catch (error) {
+        if (error instanceof InvalidPayloadError) {
+            throw error;
+        }
+        throw new InvalidPayloadError(`${label} plaintext is not valid canonical JSON`);
+    }
+    if (canonicalizeJson(parsed) !== decodedPlaintext) {
+        throw new InvalidPayloadError(`${label} plaintext must use canonical JSON encoding`);
     }
     return {
         index: parsed.index,
-        secretValue: fixedHexToBigint(parsed.secretValue),
-        blindingValue: fixedHexToBigint(parsed.blindingValue),
+        secretValue: fixedHexToBigInt(parsed.secretValue),
+        blindingValue: fixedHexToBigInt(parsed.blindingValue),
     };
 };

package/dist/dkg/verification-complaints.d.ts

@@ -2,9 +2,9 @@ import { type CryptoGroup } from '../core/index.js';
 import type { EncodedPoint } from '../core/types.js';
 import type { ComplaintPayload, SignedPayload } from '../protocol/types.js';
 import type { VerifiedProtocolSignatures } from '../protocol/verification.js';
-import type { EncryptedShareMatrix, VerifyDKGTranscriptInput } from './verification-types.js';
+import type { EncryptedShareMatrix, VerifyDKGTranscriptInput } from './verification.js';
 export declare const buildEncryptedShareMatrix: (transcript: readonly SignedPayload[], participantCount: number) => EncryptedShareMatrix;
 export declare const assertEncryptedShareCoverage: (encryptedShareMatrix: EncryptedShareMatrix, participantIndices: readonly number[]) => void;
-export declare const parsePedersenCommitmentMap: (transcript: readonly SignedPayload[], threshold: number, group: CryptoGroup) => ReadonlyMap<number, readonly EncodedPoint[]>;
+export declare const parsePedersenCommitmentMap: (transcript: readonly SignedPayload[], threshold: number) => ReadonlyMap<number, readonly EncodedPoint[]>;
 export declare const assertPedersenCommitmentCoverage: (pedersenCommitmentMap: ReadonlyMap<number, readonly EncodedPoint[]>, dealerIndices: readonly number[]) => void;
 export declare const verifyComplaintOutcomes: (input: VerifyDKGTranscriptInput, verifiedSignatures: VerifiedProtocolSignatures, encryptedShareMatrix: EncryptedShareMatrix, pedersenCommitmentMap: ReadonlyMap<number, readonly EncodedPoint[]>, group: CryptoGroup, allowedParticipants: ReadonlySet<number>) => Promise<readonly ComplaintPayload[]>;