threshold-elgamal 1.0.5 → 1.0.8

package/README.md

@@ -193,12 +193,13 @@ The root package also exposes builders for the signed protocol payloads used acr
 - decryption shares
 - tally publication
 
-For the reveal path, the public root surface is intentionally two-step:
+For the reveal path, the public root surface is intentionally three-step:
 
+- prepare the accepted aggregate with `prepareAggregateForDecryption(...)`
 - compute each partial share with `createDecryptionShare(...)`
 - prove and publish it with `createDLEQProof(...)` and `createDecryptionSharePayload(...)`
 
-After collecting a threshold subset, recover the tally with `combineDecryptionShares(...)`.
+After collecting a threshold subset, recover the tally with `combineDecryptionShares(...)` against the prepared aggregate ciphertext.
 
 For concrete posted JSON shapes, use [Published payload examples](https://tenemo.github.io/threshold-elgamal/guides/published-payload-examples/).
 

package/dist/core/index.d.ts

@@ -1,4 +1,4 @@
-export * from './bigint.js';
+export { modInvQ, modQ } from './bigint.js';
 export * from './crypto.js';
 export * from './errors.js';
 export * from './groups.js';

package/dist/core/index.js

@@ -1,4 +1,4 @@
-export * from './bigint.js';
+export { modInvQ, modQ } from './bigint.js';
 export * from './crypto.js';
 export * from './errors.js';
 export * from './groups.js';

package/dist/dkg/pedersen-share-codec.js

@@ -1,6 +1,6 @@
 import { InvalidPayloadError, RISTRETTO_GROUP } from '../core/index.js';
 import { canonicalizeJson } from '../protocol/canonical-json.js';
-import { bigintToFixedHex, fixedHexToBigInt } from '../serialize/index.js';
+import { bigintToFixedHex, fixedHexToBigInt } from '../serialize/encoding.js';
 const pedersenShareEnvelopeKeys = [
     'blindingValue',
     'index',

package/dist/dkg/verification.d.ts

@@ -1,7 +1,6 @@
 import { type CryptoGroup } from '../core/index.js';
 import type { EncodedPoint } from '../core/types.js';
-import type { ComplaintPayload, ElectionManifest, EncryptedDualSharePayload, RegistrationPayload, SignedPayload } from '../protocol/types.js';
-import { type FinalizedPhaseCheckpoint } from './checkpoints.js';
+import type { ComplaintPayload, ElectionManifest, PhaseCheckpointPayload, RegistrationPayload, SignedPayload } from '../protocol/types.js';
 /** Input bundle for verifying a DKG transcript. */
 export type VerifyDKGTranscriptInput = {
     readonly transcript: readonly SignedPayload[];
@@ -26,25 +25,12 @@ export type VerifiedDKGTranscript = {
     readonly rosterHash: string;
     readonly threshold: number;
 };
-export type EncryptedShareMatrix = {
-    readonly encryptedShares: readonly SignedPayload<EncryptedDualSharePayload>[];
-    readonly bySlot: ReadonlyMap<string, SignedPayload<EncryptedDualSharePayload>>;
-    readonly byComplaintKey: ReadonlyMap<string, SignedPayload<EncryptedDualSharePayload>>;
+/** Finalized threshold-supported checkpoint for one DKG phase. */
+export type FinalizedPhaseCheckpoint = {
+    readonly payload: PhaseCheckpointPayload;
+    readonly signatures: readonly SignedPayload<PhaseCheckpointPayload>[];
+    readonly signers: readonly number[];
 };
-export type ResolvePhaseCheckpointInput = {
-    readonly transcript: readonly SignedPayload[];
-    readonly checkpointPhase: number;
-    readonly threshold: number;
-    readonly participantCount: number;
-    readonly expectedQualifiedParticipantIndices: readonly number[];
-    readonly signerUniverse: ReadonlySet<number>;
-};
-export declare const parseCommitmentVector: (commitments: readonly string[], expectedLength: number, label: string) => readonly EncodedPoint[];
-export declare const complaintResolutionKey: (complainantIndex: number, dealerIndex: number, envelopeId: string) => string;
-export declare const encryptedShareSlotKey: (dealerIndex: number, recipientIndex: number) => string;
-export declare const validateParticipantIndex: (index: number, participantCount: number, label: string) => void;
-export declare const assertUniqueSortedParticipantIndices: (indices: readonly number[], participantCount: number, label: string) => void;
-export declare const assertIndexSubset: (indices: readonly number[], allowed: ReadonlySet<number>, label: string) => void;
 /**
  * Derives the transcript verification key `Y_j` for one participant index from
  * published Feldman commitments.

package/dist/dkg/verification.js

@@ -1,12 +1,13 @@
 import { InvalidPayloadError, RISTRETTO_GROUP, ThresholdViolationError, assertCanonicalRistrettoGroup, assertInSubgroupOrIdentity, assertPositiveParticipantIndex, majorityThreshold, modQ, } from '../core/index.js';
 import { RISTRETTO_ZERO, decodePoint, decodeScalar, encodePoint, pointAdd, pointMultiply, } from '../core/ristretto.js';
-import { verifySchnorrProof } from '../proofs/index.js';
+import { verifySchnorrProof } from '../proofs/schnorr.js';
 import { auditSignedPayloads } from '../protocol/board-audit.js';
 import { hashElectionManifest, SHIPPED_PROTOCOL_VERSION, } from '../protocol/manifest.js';
-import { hashProtocolTranscript } from '../protocol/transcript.js';
+import { hashProtocolPhaseSnapshot, hashProtocolTranscript, } from '../protocol/transcript.js';
 import { verifySignedProtocolPayloads, } from '../protocol/verification.js';
-import { assertSupportedCheckpointPayloads, isPhaseCheckpointPayload, resolveVerifiedPhaseCheckpoint, } from './checkpoints.js';
-import { assertEncryptedShareCoverage, assertPedersenCommitmentCoverage, buildEncryptedShareMatrix, parsePedersenCommitmentMap, verifyComplaintOutcomes, } from './verification-complaints.js';
+import { resolveDealerChallengeFromPublicKey } from '../transport/complaints.js';
+import { verifyPedersenShare } from '../vss/pedersen.js';
+import { decodePedersenShareEnvelope } from './pedersen-share-codec.js';
 const GJKR_PHASE_PLAN = {
     'manifest-publication': 0,
     registration: 0,
@@ -41,7 +42,7 @@ const requireExactlyOnePayload = (payloads, label) => {
     }
     return payloads[0];
 };
-export const parseCommitmentVector = (commitments, expectedLength, label) => {
+const parseCommitmentVector = (commitments, expectedLength, label) => {
     if (commitments.length !== expectedLength) {
         throw new InvalidPayloadError(`${label} must contain exactly ${expectedLength} commitments`);
     }
@@ -63,15 +64,15 @@ const buildSchnorrContext = (payload, protocolVersion, coefficientIndex) => ({
     participantIndex: payload.participantIndex,
     coefficientIndex,
 });
-export const complaintResolutionKey = (complainantIndex, dealerIndex, envelopeId) => `${complainantIndex}:${dealerIndex}:${envelopeId}`;
-export const encryptedShareSlotKey = (dealerIndex, recipientIndex) => `${dealerIndex}:${recipientIndex}`;
+const complaintResolutionKey = (complainantIndex, dealerIndex, envelopeId) => `${complainantIndex}:${dealerIndex}:${envelopeId}`;
+const encryptedShareSlotKey = (dealerIndex, recipientIndex) => `${dealerIndex}:${recipientIndex}`;
 const allParticipantIndices = (participantCount) => Array.from({ length: participantCount }, (_value, index) => index + 1);
-export const validateParticipantIndex = (index, participantCount, label) => {
+const validateParticipantIndex = (index, participantCount, label) => {
     if (!Number.isInteger(index) || index < 1 || index > participantCount) {
         throw new InvalidPayloadError(`${label} ${index} must satisfy 1 <= j <= n (n = ${participantCount})`);
     }
 };
-export const assertUniqueSortedParticipantIndices = (indices, participantCount, label) => {
+const assertUniqueSortedParticipantIndices = (indices, participantCount, label) => {
     let previous = 0;
     const seen = new Set();
     for (const index of indices) {
@@ -86,6 +87,10 @@ export const assertUniqueSortedParticipantIndices = (indices, participantCount,
         previous = index;
     }
 };
+/** Returns `true` when the signed payload is a phase checkpoint. */
+function isPhaseCheckpointPayload(payload) {
+    return payload.payload.messageType === 'phase-checkpoint';
+}
 const validateTranscriptShape = (input, manifestHash) => {
     for (const signedPayload of input.transcript) {
         const expected = expectedDKGPhase(signedPayload.payload.messageType, isPhaseCheckpointPayload(signedPayload)
@@ -102,13 +107,255 @@ const validateTranscriptShape = (input, manifestHash) => {
         }
     }
 };
-export const assertIndexSubset = (indices, allowed, label) => {
+const assertIndexSubset = (indices, allowed, label) => {
     for (const index of indices) {
         if (!allowed.has(index)) {
             throw new InvalidPayloadError(`${label} ${index} is not part of the allowed participant set`);
         }
     }
 };
+const checkpointKey = (payload) => JSON.stringify({
+    sessionId: payload.sessionId,
+    manifestHash: payload.manifestHash,
+    phase: payload.phase,
+    messageType: payload.messageType,
+    checkpointPhase: payload.checkpointPhase,
+    checkpointTranscriptHash: payload.checkpointTranscriptHash,
+    qualifiedParticipantIndices: payload.qualifiedParticipantIndices,
+});
+const compareNumbers = (left, right) => left - right;
+const sameParticipantIndexList = (left, right) => left.length === right.length &&
+    left.every((participantIndex, index) => participantIndex === right[index]);
+const requiredCheckpointPhases = () => [0, 1, 2, 3];
+const collectCheckpointVariants = (transcript, checkpointPhase) => {
+    const grouped = new Map();
+    for (const signedPayload of transcript) {
+        if (!isPhaseCheckpointPayload(signedPayload) ||
+            signedPayload.payload.checkpointPhase !== checkpointPhase) {
+            continue;
+        }
+        const key = checkpointKey(signedPayload.payload);
+        const existing = grouped.get(key) ??
+            new Map();
+        existing.set(signedPayload.payload.participantIndex, signedPayload);
+        grouped.set(key, existing);
+    }
+    return [...grouped.values()].map((signatureMap) => {
+        const signatures = [...signatureMap.values()];
+        return {
+            payload: signatures[0].payload,
+            signatures,
+            signers: signatures
+                .map((entry) => entry.payload.participantIndex)
+                .sort(compareNumbers),
+        };
+    });
+};
+/**
+ * Rejects phase-checkpoint payloads outside the shipped GJKR checkpoint plan.
+ */
+const assertSupportedCheckpointPayloads = (transcript) => {
+    for (const signedPayload of transcript) {
+        if (isPhaseCheckpointPayload(signedPayload) &&
+            !requiredCheckpointPhases().includes(signedPayload.payload.checkpointPhase)) {
+            throw new InvalidPayloadError(`Checkpoint phase ${signedPayload.payload.checkpointPhase} is not part of the GJKR phase plan`);
+        }
+    }
+};
+/**
+ * Resolves and validates the unique threshold-supported checkpoint for one
+ * closed DKG phase.
+ */
+const resolveVerifiedPhaseCheckpoint = async (input) => {
+    const supported = collectCheckpointVariants(input.transcript, input.checkpointPhase).filter((entry) => entry.signatures.length >= input.threshold);
+    if (supported.length === 0) {
+        throw new InvalidPayloadError(`Missing threshold-supported phase checkpoint for phase ${input.checkpointPhase}`);
+    }
+    if (supported.length > 1) {
+        throw new InvalidPayloadError(`Observed multiple threshold-supported phase checkpoints for phase ${input.checkpointPhase}`);
+    }
+    const checkpoint = supported[0];
+    const qualifiedParticipantIndices = checkpoint.payload.qualifiedParticipantIndices;
+    assertUniqueSortedParticipantIndices(qualifiedParticipantIndices, input.participantCount, `Phase ${input.checkpointPhase} checkpoint qualified participant`);
+    if (!sameParticipantIndexList(qualifiedParticipantIndices, input.expectedQualifiedParticipantIndices)) {
+        throw new InvalidPayloadError(`Phase ${input.checkpointPhase} checkpoint qualified participant set does not match the verifier-computed active participant set`);
+    }
+    if (qualifiedParticipantIndices.length < input.threshold) {
+        throw new InvalidPayloadError(`Checkpoint qualified participant set for phase ${input.checkpointPhase} must contain at least ${input.threshold} participants`);
+    }
+    const expectedSnapshotHash = await hashProtocolPhaseSnapshot(input.transcript.map((entry) => entry.payload), input.checkpointPhase);
+    if (checkpoint.payload.checkpointTranscriptHash !== expectedSnapshotHash) {
+        throw new InvalidPayloadError(`Phase ${input.checkpointPhase} checkpoint transcript hash does not match the signed transcript snapshot`);
+    }
+    assertIndexSubset(checkpoint.signers, input.signerUniverse, `Phase ${input.checkpointPhase} checkpoint signer`);
+    const qualifiedParticipantSet = new Set(qualifiedParticipantIndices);
+    for (const signer of checkpoint.signers) {
+        if (!qualifiedParticipantSet.has(signer)) {
+            throw new InvalidPayloadError(`Phase ${input.checkpointPhase} checkpoint signer ${signer} is not part of the checkpoint qualified participant set`);
+        }
+    }
+    return checkpoint;
+};
+const buildEncryptedShareMatrix = (transcript, participantCount) => {
+    const encryptedShares = transcript.filter((payload) => payload.payload.messageType === 'encrypted-dual-share');
+    const bySlot = new Map();
+    const byComplaintKey = new Map();
+    for (const payload of encryptedShares) {
+        const dealerIndex = payload.payload.participantIndex;
+        const recipientIndex = payload.payload.recipientIndex;
+        validateParticipantIndex(dealerIndex, participantCount, 'Encrypted share dealer index');
+        validateParticipantIndex(recipientIndex, participantCount, 'Encrypted share recipient index');
+        if (dealerIndex === recipientIndex) {
+            throw new InvalidPayloadError(`Encrypted share payload for dealer ${dealerIndex} must target a different recipient`);
+        }
+        const slotKey = encryptedShareSlotKey(dealerIndex, recipientIndex);
+        if (bySlot.has(slotKey)) {
+            throw new InvalidPayloadError(`Duplicate encrypted share payload for dealer ${dealerIndex} and recipient ${recipientIndex}`);
+        }
+        bySlot.set(slotKey, payload);
+        const complaintKey = complaintResolutionKey(recipientIndex, dealerIndex, payload.payload.envelopeId);
+        if (byComplaintKey.has(complaintKey)) {
+            throw new InvalidPayloadError(`Duplicate encrypted share envelope ${payload.payload.envelopeId} for dealer ${dealerIndex} and recipient ${recipientIndex}`);
+        }
+        byComplaintKey.set(complaintKey, payload);
+    }
+    return {
+        encryptedShares,
+        bySlot,
+        byComplaintKey,
+    };
+};
+const assertEncryptedShareCoverage = (encryptedShareMatrix, participantIndices) => {
+    for (const dealerIndex of participantIndices) {
+        for (const recipientIndex of participantIndices) {
+            if (dealerIndex === recipientIndex) {
+                continue;
+            }
+            if (!encryptedShareMatrix.bySlot.has(encryptedShareSlotKey(dealerIndex, recipientIndex))) {
+                throw new InvalidPayloadError(`Missing encrypted share payload for dealer ${dealerIndex} and recipient ${recipientIndex}`);
+            }
+        }
+    }
+};
+const parsePedersenCommitmentMap = (transcript, threshold) => {
+    const pedersenCommitments = transcript.filter((payload) => payload.payload.messageType === 'pedersen-commitment');
+    const pedersenCommitmentMap = new Map();
+    for (const payload of pedersenCommitments) {
+        if (pedersenCommitmentMap.has(payload.payload.participantIndex)) {
+            throw new InvalidPayloadError(`Pedersen commitment requires exactly one payload for participant ${payload.payload.participantIndex}`);
+        }
+        pedersenCommitmentMap.set(payload.payload.participantIndex, parseCommitmentVector(payload.payload.commitments, threshold, 'Pedersen commitment payload'));
+    }
+    return pedersenCommitmentMap;
+};
+const assertPedersenCommitmentCoverage = (pedersenCommitmentMap, dealerIndices) => {
+    for (const dealerIndex of dealerIndices) {
+        if (!pedersenCommitmentMap.has(dealerIndex)) {
+            throw new InvalidPayloadError(`Missing Pedersen commitment payload for dealer ${dealerIndex}`);
+        }
+    }
+};
+const buildComplaintResolutionPayloadMap = (transcript) => {
+    const complaintResolutionPayloads = transcript
+        .filter((payload) => payload.payload.messageType === 'complaint-resolution')
+        .map((payload) => payload.payload);
+    const resolutionPayloadMap = new Map();
+    for (const resolutionPayload of complaintResolutionPayloads) {
+        if (resolutionPayload.participantIndex !== resolutionPayload.dealerIndex) {
+            throw new InvalidPayloadError(`Complaint resolution for envelope ${resolutionPayload.envelopeId} must be authored by dealer ${resolutionPayload.dealerIndex}`);
+        }
+        const key = complaintResolutionKey(resolutionPayload.complainantIndex, resolutionPayload.dealerIndex, resolutionPayload.envelopeId);
+        if (resolutionPayloadMap.has(key)) {
+            throw new InvalidPayloadError(`Duplicate complaint resolution for envelope ${resolutionPayload.envelopeId}`);
+        }
+        resolutionPayloadMap.set(key, resolutionPayload);
+    }
+    return {
+        complaintResolutionPayloads,
+        resolutionPayloadMap,
+    };
+};
+const verifyComplaintOutcomes = async (input, verifiedSignatures, encryptedShareMatrix, pedersenCommitmentMap, group, allowedParticipants) => {
+    const complaints = input.transcript
+        .filter((payload) => payload.payload.messageType === 'complaint')
+        .map((payload) => payload.payload);
+    const { complaintResolutionPayloads, resolutionPayloadMap } = buildComplaintResolutionPayloadMap(input.transcript);
+    const rosterEntryMap = new Map(verifiedSignatures.rosterEntries.map((entry) => [
+        entry.participantIndex,
+        entry,
+    ]));
+    const acceptedComplaints = [];
+    const usedResolutionKeys = new Set();
+    for (const complaint of complaints) {
+        if (!allowedParticipants.has(complaint.participantIndex) ||
+            !allowedParticipants.has(complaint.dealerIndex)) {
+            throw new InvalidPayloadError(`Complaint participants must belong to the active DKG set for phase ${complaint.phase}`);
+        }
+        const resolutionKey = complaintResolutionKey(complaint.participantIndex, complaint.dealerIndex, complaint.envelopeId);
+        const matchingEnvelope = encryptedShareMatrix.byComplaintKey.get(resolutionKey);
+        if (matchingEnvelope === undefined) {
+            throw new InvalidPayloadError(`Complaint references an unknown envelope ${complaint.envelopeId} for dealer ${complaint.dealerIndex} and complainant ${complaint.participantIndex}`);
+        }
+        const resolutionPayload = resolutionPayloadMap.get(resolutionKey);
+        if (resolutionPayload === undefined) {
+            acceptedComplaints.push(complaint);
+            continue;
+        }
+        usedResolutionKeys.add(resolutionKey);
+        if (resolutionPayload.suite !== matchingEnvelope.payload.suite) {
+            acceptedComplaints.push(complaint);
+            continue;
+        }
+        const complainantRosterEntry = rosterEntryMap.get(complaint.participantIndex);
+        if (complainantRosterEntry === undefined) {
+            throw new InvalidPayloadError(`Missing roster entry for complainant ${complaint.participantIndex}`);
+        }
+        const dealerCommitments = pedersenCommitmentMap.get(complaint.dealerIndex);
+        if (dealerCommitments === undefined) {
+            throw new InvalidPayloadError(`Missing Pedersen commitments for dealer ${complaint.dealerIndex}`);
+        }
+        try {
+            const resolution = await resolveDealerChallengeFromPublicKey({
+                ...matchingEnvelope.payload,
+                dealerIndex: matchingEnvelope.payload.participantIndex,
+                rosterHash: input.manifest.rosterHash,
+                payloadType: 'encrypted-dual-share',
+                protocolVersion: SHIPPED_PROTOCOL_VERSION,
+            }, complainantRosterEntry.transportPublicKey, resolutionPayload.revealedEphemeralPrivateKey);
+            if (resolution.valid !== true ||
+                resolution.plaintext === undefined) {
+                acceptedComplaints.push(complaint);
+                continue;
+            }
+            const decryptedShare = decodePedersenShareEnvelope(resolution.plaintext, complaint.participantIndex, 'Complaint resolution');
+            if (!verifyPedersenShare(decryptedShare, {
+                commitments: dealerCommitments,
+            }, group)) {
+                acceptedComplaints.push(complaint);
+                continue;
+            }
+        }
+        catch (error) {
+            if (error instanceof InvalidPayloadError) {
+                acceptedComplaints.push(complaint);
+                continue;
+            }
+            throw error;
+        }
+    }
+    for (const resolutionPayload of complaintResolutionPayloads) {
+        if (!allowedParticipants.has(resolutionPayload.participantIndex) ||
+            !allowedParticipants.has(resolutionPayload.dealerIndex) ||
+            !allowedParticipants.has(resolutionPayload.complainantIndex)) {
+            throw new InvalidPayloadError(`Complaint resolution participants must belong to the active DKG set for phase ${resolutionPayload.phase}`);
+        }
+        const key = complaintResolutionKey(resolutionPayload.complainantIndex, resolutionPayload.dealerIndex, resolutionPayload.envelopeId);
+        if (!usedResolutionKeys.has(key)) {
+            throw new InvalidPayloadError(`Complaint resolution for envelope ${resolutionPayload.envelopeId} does not match any complaint`);
+        }
+    }
+    return acceptedComplaints;
+};
 const deriveTranscriptVerificationKeyInternal = (commitmentSets, participantIndex, group) => {
     assertCanonicalRistrettoGroup(group, 'Transcript verification-key derivation group');
     assertPositiveParticipantIndex(participantIndex);

package/dist/elgamal/additive.d.ts

@@ -1,14 +1,4 @@
 import type { ElGamalCiphertext } from './types.js';
-/**
- * Validates that a private key lies in the range `1..q-1`.
- */
-export declare const assertValidPrivateKey: (privateKey: bigint) => void;
-/** Validates an additive-mode public key against the shipped suite. */
-export declare const assertValidAdditivePublicKey: (publicKey: string) => void;
-/** Validates the caller-supplied additive plaintext bound. */
-export declare const assertValidAdditiveBound: (bound: bigint) => void;
-/** Validates the plaintext domain and caller-supplied bound for additive mode. */
-export declare const assertValidAdditivePlaintext: (value: bigint, bound: bigint) => void;
 /** Validates an additive ciphertext that may already be an aggregate. */
 export declare const assertValidAdditiveCiphertext: (ciphertext: ElGamalCiphertext) => void;
 /**

package/dist/elgamal/additive.js

@@ -1,21 +1,13 @@
 import { RISTRETTO_GROUP, assertAdditiveBound, assertInSubgroupOrIdentity, assertPlaintextAdditive, assertValidPublicKey, InvalidScalarError, } from '../core/index.js';
 import { decodePoint, encodePoint, multiplyBase, pointAdd, pointMultiply, } from '../core/ristretto.js';
-/**
- * Validates that a private key lies in the range `1..q-1`.
- */
-export const assertValidPrivateKey = (privateKey) => {
-    if (privateKey <= 0n || privateKey >= RISTRETTO_GROUP.q) {
-        throw new InvalidScalarError('Private key must be in the range 1..q-1');
-    }
-};
 /** Validates an additive-mode public key against the shipped suite. */
-export const assertValidAdditivePublicKey = (publicKey) => {
+const assertValidAdditivePublicKey = (publicKey) => {
     assertValidPublicKey(publicKey);
 };
 /** Validates the caller-supplied additive plaintext bound. */
-export const assertValidAdditiveBound = (bound) => assertAdditiveBound(bound, RISTRETTO_GROUP.q);
+const assertValidAdditiveBound = (bound) => assertAdditiveBound(bound, RISTRETTO_GROUP.q);
 /** Validates the plaintext domain and caller-supplied bound for additive mode. */
-export const assertValidAdditivePlaintext = (value, bound) => assertPlaintextAdditive(value, bound, RISTRETTO_GROUP.q);
+const assertValidAdditivePlaintext = (value, bound) => assertPlaintextAdditive(value, bound, RISTRETTO_GROUP.q);
 /** Validates an additive ciphertext that may already be an aggregate. */
 export const assertValidAdditiveCiphertext = (ciphertext) => {
     assertInSubgroupOrIdentity(ciphertext.c1);

package/dist/elgamal/types.d.ts

@@ -1,11 +1,4 @@
 import type { EncodedPoint } from '../core/types.js';
-/** Public and private key pair for the shipped Ristretto255 suite. */
-export type ElGamalKeyPair = {
-    /** Public key `Y = xG` encoded as a canonical Ristretto point. */
-    readonly publicKey: EncodedPoint;
-    /** Private scalar `x` in the range `1..q-1`. */
-    readonly privateKey: bigint;
-};
 /** Standard additive ElGamal ciphertext pair `(c1, c2)` encoded as points. */
 export type ElGamalCiphertext = {
     /** Ephemeral component `rG`. */

package/dist/index.d.ts

@@ -1,3 +1,12 @@
+/**
+ * Safe root package exports for the current surface.
+ *
+ * Use this entry point for group definitions, additive ElGamal, validation
+ * helpers, and serialization helpers that are safe for the shipped package.
+ *
+ * @module threshold-elgamal
+ * @packageDocumentation
+ */
 export { IndexOutOfRangeError, InvalidGroupElementError, InvalidPayloadError, InvalidProofError, InvalidScalarError, InvalidShareError, PhaseViolationError, PlaintextDomainError, ThresholdViolationError, TranscriptMismatchError, UnsupportedSuiteError, } from './core/errors.js';
 export { modQ } from './core/bigint.js';
 export { RISTRETTO_GROUP } from './core/groups.js';
@@ -12,8 +21,8 @@ export { decryptEnvelope, encryptEnvelope } from './transport/envelopes.js';
 export { exportAuthPublicKey, generateAuthKeyPair } from './transport/auth.js';
 export { exportTransportPublicKey, generateTransportKeyPair, } from './transport/key-agreement.js';
 export type { EncodedAuthPublicKey, EncodedTransportPublicKey, EncryptedEnvelope, EnvelopeContext, TransportKeyPair, } from './transport/types.js';
-export { combineDecryptionShares, createDecryptionShare, } from './threshold/decrypt.js';
-export type { DecryptionShare, Share, VerifiedAggregateCiphertext, } from './threshold/types.js';
+export { combineDecryptionShares, createDecryptionShare, prepareAggregateForDecryption, } from './threshold/decrypt.js';
+export type { AggregateDecryptionPreparationInput, DecryptionShare, Share, VerifiedAggregateCiphertext, } from './threshold/types.js';
 export { deriveJointPublicKey, deriveTranscriptVerificationKey, verifyDKGTranscript, } from './dkg/verification.js';
 export { decodePedersenShareEnvelope, encodePedersenShareEnvelope, } from './dkg/pedersen-share-codec.js';
 export type { VerifyDKGTranscriptInput, VerifiedDKGTranscript, } from './dkg/verification.js';

package/dist/index.js

@@ -1,3 +1,12 @@
+/**
+ * Safe root package exports for the current surface.
+ *
+ * Use this entry point for group definitions, additive ElGamal, validation
+ * helpers, and serialization helpers that are safe for the shipped package.
+ *
+ * @module threshold-elgamal
+ * @packageDocumentation
+ */
 export { IndexOutOfRangeError, InvalidGroupElementError, InvalidPayloadError, InvalidProofError, InvalidScalarError, InvalidShareError, PhaseViolationError, PlaintextDomainError, ThresholdViolationError, TranscriptMismatchError, UnsupportedSuiteError, } from './core/errors.js';
 export { modQ } from './core/bigint.js';
 export { RISTRETTO_GROUP } from './core/groups.js';
@@ -9,7 +18,7 @@ export { createSchnorrProof, verifySchnorrProof } from './proofs/schnorr.js';
 export { decryptEnvelope, encryptEnvelope } from './transport/envelopes.js';
 export { exportAuthPublicKey, generateAuthKeyPair } from './transport/auth.js';
 export { exportTransportPublicKey, generateTransportKeyPair, } from './transport/key-agreement.js';
-export { combineDecryptionShares, createDecryptionShare, } from './threshold/decrypt.js';
+export { combineDecryptionShares, createDecryptionShare, prepareAggregateForDecryption, } from './threshold/decrypt.js';
 export { deriveJointPublicKey, deriveTranscriptVerificationKey, verifyDKGTranscript, } from './dkg/verification.js';
 export { decodePedersenShareEnvelope, encodePedersenShareEnvelope, } from './dkg/pedersen-share-codec.js';
 export { generateFeldmanCommitments, verifyFeldmanShare } from './vss/feldman.js';

package/dist/proofs/disjunctive.js

@@ -1,6 +1,6 @@
 import { assertInSubgroup, assertInSubgroupOrIdentity, assertScalarInZq, InvalidProofError, modQ, randomScalarBelow, } from '../core/index.js';
 import { decodePoint, encodePoint, multiplyBase, pointMultiply, pointSubtract, } from '../core/ristretto.js';
-import { concatBytes, encodeForChallenge, encodeSequenceForChallenge, } from '../serialize/index.js';
+import { concatBytes, encodeForChallenge, encodeSequenceForChallenge, } from '../serialize/encoding.js';
 import { assertProofContext, contextElements, fixedPoint, fixedScalar, hashChallenge, sumChallenges, } from './helpers.js';
 import { hedgedNonce } from './nonces.js';
 const candidateEncoding = (ciphertext, candidateValue, group) => encodePoint(pointSubtract(decodePoint(ciphertext.c2, 'Ciphertext c2'), multiplyBase(modQ(candidateValue, group.q))));

package/dist/proofs/dleq.js

@@ -1,6 +1,6 @@
 import { assertInSubgroup, assertInSubgroupOrIdentity, assertScalarInZq, modQ, } from '../core/index.js';
 import { decodePoint, encodePoint, multiplyBase, pointMultiply, pointSubtract, } from '../core/ristretto.js';
-import { encodeForChallenge } from '../serialize/index.js';
+import { encodeForChallenge } from '../serialize/encoding.js';
 import { assertProofContext, contextElements, fixedPoint, hashChallenge, } from './helpers.js';
 import { hedgedNonce } from './nonces.js';
 const nonceContext = (statement, group, context) => encodeForChallenge(...contextElements(context), fixedPoint(group.g), fixedPoint(statement.ciphertext.c1), fixedPoint(statement.ciphertext.c2), fixedPoint(statement.publicKey), fixedPoint(statement.decryptionShare));

package/dist/proofs/nonces.js

@@ -1,6 +1,6 @@
 import { bytesToBigInt } from '../core/bytes.js';
 import { modQ, randomBytes, sha256, } from '../core/index.js';
-import { bigintToFixedBytes, concatBytes, domainSeparator, } from '../serialize/index.js';
+import { bigintToFixedBytes, concatBytes, domainSeparator, } from '../serialize/encoding.js';
 const bitLength = (value) => value === 0n ? 0 : value.toString(2).length;
 const encodeCounter = (value) => {
     const bytes = new Uint8Array(4);

package/dist/proofs/schnorr.js

@@ -1,6 +1,6 @@
 import { assertInSubgroup, assertScalarInZq, modQ, } from '../core/index.js';
 import { decodePoint, encodePoint, multiplyBase, pointMultiply, pointSubtract, } from '../core/ristretto.js';
-import { encodeForChallenge } from '../serialize/index.js';
+import { encodeForChallenge } from '../serialize/encoding.js';
 import { assertProofContext, contextElements, fixedPoint, hashChallenge, } from './helpers.js';
 import { hedgedNonce } from './nonces.js';
 const nonceContext = (statement, group, context) => encodeForChallenge(...contextElements(context), fixedPoint(group.g), fixedPoint(statement));

package/dist/protocol/builders.d.ts

@@ -1,14 +1,21 @@
 import type { ElGamalCiphertext } from '../elgamal/types.js';
 import type { DLEQProof, DisjunctiveProof } from '../proofs/types.js';
 import type { EncodedAuthPublicKey, EncodedTransportPublicKey } from '../transport/types.js';
-import type { BallotClosePayload, BallotSubmissionPayload, DecryptionSharePayload, ElectionManifest, EncodedCompactProof, EncryptedDualSharePayload, FeldmanCommitmentPayload, KeyDerivationConfirmation, ManifestAcceptancePayload, ManifestPublicationPayload, PedersenCommitmentPayload, PhaseCheckpointPayload, ProtocolPayload, RegistrationPayload, SignedPayload, TallyPublicationPayload } from './types.js';
+import type { ProtocolPayloadInput } from './payloads.js';
+import type { BallotClosePayload, BallotSubmissionPayload, DecryptionSharePayload, ElectionManifest, EncodedCompactProof, EncryptedDualSharePayload, FeldmanCommitmentPayload, KeyDerivationConfirmation, ManifestAcceptancePayload, ManifestPublicationPayload, PedersenCommitmentPayload, PhaseCheckpointPayload, ProtocolMessageType, ProtocolPayload, RegistrationPayload, SignedPayload, TallyPublicationPayload } from './types.js';
+type ProtocolPayloadByMessageType<TMessageType extends ProtocolMessageType> = Extract<ProtocolPayload, {
+    readonly messageType: TMessageType;
+}>;
 /** Signs one canonical protocol payload with a participant auth key. */
-export declare const signProtocolPayload: <TPayload extends ProtocolPayload>(privateKey: CryptoKey, payload: TPayload) => Promise<SignedPayload<TPayload>>;
+export declare const signProtocolPayload: <TMessageType extends ProtocolMessageType>(privateKey: CryptoKey, payload: ProtocolPayloadInput<ProtocolPayloadByMessageType<TMessageType>> & {
+    readonly messageType: TMessageType;
+}) => Promise<SignedPayload<ProtocolPayloadByMessageType<TMessageType>>>;
 /** Creates a signed manifest-publication payload. */
 export declare const createManifestPublicationPayload: (privateKey: CryptoKey, input: {
     readonly manifest: ElectionManifest;
     readonly manifestHash: string;
     readonly participantIndex: number;
+    readonly protocolVersion?: string;
     readonly sessionId: string;
 }) => Promise<SignedPayload<ManifestPublicationPayload>>;
 /** Creates a signed registration payload for one participant. */
@@ -16,6 +23,7 @@ export declare const createRegistrationPayload: (privateKey: CryptoKey, input: {
     readonly authPublicKey: EncodedAuthPublicKey;
     readonly manifestHash: string;
     readonly participantIndex: number;
+    readonly protocolVersion?: string;
     readonly rosterHash: string;
     readonly sessionId: string;
     readonly transportPublicKey: EncodedTransportPublicKey;
@@ -26,6 +34,7 @@ export declare const createManifestAcceptancePayload: (privateKey: CryptoKey, in
     readonly assignedParticipantIndex: number;
     readonly manifestHash: string;
     readonly participantIndex: number;
+    readonly protocolVersion?: string;
     readonly rosterHash: string;
     readonly sessionId: string;
 }) => Promise<SignedPayload<ManifestAcceptancePayload>>;
@@ -34,16 +43,22 @@ export declare const createPhaseCheckpointPayload: (privateKey: CryptoKey, input
     readonly checkpointPhase: 0 | 1 | 2 | 3;
     readonly manifestHash: string;
     readonly participantIndex: number;
+    readonly protocolVersion?: string;
     readonly qualifiedParticipantIndices: readonly number[];
     readonly sessionId: string;
     readonly transcript: readonly SignedPayload[];
 }) => Promise<SignedPayload<PhaseCheckpointPayload>>;
 /** Creates a signed Pedersen-commitment payload for DKG phase 1. */
-export declare const createPedersenCommitmentPayload: (privateKey: CryptoKey, input: Omit<PedersenCommitmentPayload, "messageType" | "phase">) => Promise<SignedPayload<PedersenCommitmentPayload>>;
+export declare const createPedersenCommitmentPayload: (privateKey: CryptoKey, input: Omit<PedersenCommitmentPayload, "messageType" | "phase" | "protocolVersion"> & {
+    readonly protocolVersion?: string;
+}) => Promise<SignedPayload<PedersenCommitmentPayload>>;
 /** Creates a signed encrypted dual-share payload for DKG phase 1. */
-export declare const createEncryptedDualSharePayload: (privateKey: CryptoKey, input: Omit<EncryptedDualSharePayload, "messageType" | "phase">) => Promise<SignedPayload<EncryptedDualSharePayload>>;
+export declare const createEncryptedDualSharePayload: (privateKey: CryptoKey, input: Omit<EncryptedDualSharePayload, "messageType" | "phase" | "protocolVersion"> & {
+    readonly protocolVersion?: string;
+}) => Promise<SignedPayload<EncryptedDualSharePayload>>;
 /** Creates a signed Feldman-commitment payload for DKG phase 3. */
-export declare const createFeldmanCommitmentPayload: (privateKey: CryptoKey, input: Omit<FeldmanCommitmentPayload, "messageType" | "phase" | "proofs"> & {
+export declare const createFeldmanCommitmentPayload: (privateKey: CryptoKey, input: Omit<FeldmanCommitmentPayload, "messageType" | "phase" | "proofs" | "protocolVersion"> & {
+    readonly protocolVersion?: string;
     readonly proofs: FeldmanCommitmentPayload["proofs"] | readonly ({
         readonly coefficientIndex: number;
         readonly challenge: bigint;
@@ -53,19 +68,27 @@ export declare const createFeldmanCommitmentPayload: (privateKey: CryptoKey, inp
     } & EncodedCompactProof))[];
 }) => Promise<SignedPayload<FeldmanCommitmentPayload>>;
 /** Creates a signed key-derivation-confirmation payload for DKG phase 4. */
-export declare const createKeyDerivationConfirmationPayload: (privateKey: CryptoKey, input: Omit<KeyDerivationConfirmation, "messageType" | "phase">) => Promise<SignedPayload<KeyDerivationConfirmation>>;
+export declare const createKeyDerivationConfirmationPayload: (privateKey: CryptoKey, input: Omit<KeyDerivationConfirmation, "messageType" | "phase" | "protocolVersion"> & {
+    readonly protocolVersion?: string;
+}) => Promise<SignedPayload<KeyDerivationConfirmation>>;
 /** Creates a signed ballot payload for one participant and one option slot. */
-export declare const createBallotSubmissionPayload: (privateKey: CryptoKey, input: Omit<BallotSubmissionPayload, "messageType" | "phase" | "ciphertext" | "proof"> & {
+export declare const createBallotSubmissionPayload: (privateKey: CryptoKey, input: Omit<BallotSubmissionPayload, "messageType" | "phase" | "ciphertext" | "proof" | "protocolVersion"> & {
+    readonly protocolVersion?: string;
     readonly ciphertext: BallotSubmissionPayload["ciphertext"] | ElGamalCiphertext;
     readonly proof: BallotSubmissionPayload["proof"] | DisjunctiveProof;
 }) => Promise<SignedPayload<BallotSubmissionPayload>>;
 /** Creates the organizer-signed ballot cutoff payload. */
-export declare const createBallotClosePayload: (privateKey: CryptoKey, input: Omit<BallotClosePayload, "messageType" | "phase">) => Promise<SignedPayload<BallotClosePayload>>;
+export declare const createBallotClosePayload: (privateKey: CryptoKey, input: Omit<BallotClosePayload, "messageType" | "phase" | "protocolVersion"> & {
+    readonly protocolVersion?: string;
+}) => Promise<SignedPayload<BallotClosePayload>>;
 /** Creates a signed threshold decryption-share payload for one option slot. */
-export declare const createDecryptionSharePayload: (privateKey: CryptoKey, input: Omit<DecryptionSharePayload, "messageType" | "phase" | "proof"> & {
+export declare const createDecryptionSharePayload: (privateKey: CryptoKey, input: Omit<DecryptionSharePayload, "messageType" | "phase" | "proof" | "protocolVersion"> & {
+    readonly protocolVersion?: string;
     readonly proof: DecryptionSharePayload["proof"] | DLEQProof;
 }) => Promise<SignedPayload<DecryptionSharePayload>>;
 /** Creates a signed tally-publication payload for one option slot. */
-export declare const createTallyPublicationPayload: (privateKey: CryptoKey, input: Omit<TallyPublicationPayload, "messageType" | "phase" | "tally"> & {
+export declare const createTallyPublicationPayload: (privateKey: CryptoKey, input: Omit<TallyPublicationPayload, "messageType" | "phase" | "tally" | "protocolVersion"> & {
+    readonly protocolVersion?: string;
     readonly tally: TallyPublicationPayload["tally"] | bigint;
 }) => Promise<SignedPayload<TallyPublicationPayload>>;
+export {};