threshold-elgamal 1.0.9 → 2.0.0

package/dist/core/validation.js

@@ -1,6 +1,17 @@
+/**
+ * Shared invariant checks for points, scalars, thresholds, and participant
+ * indices.
+ *
+ * These helpers sit underneath every higher-level subsystem: proofs, VSS, DKG,
+ * ballot handling, and the full ceremony verifier all route through them.
+ */
 import { IndexOutOfRangeError, InvalidGroupElementError, InvalidScalarError, PlaintextDomainError, ThresholdViolationError, } from './errors.js';
 import { decodePoint, RISTRETTO_ORDER } from './ristretto.js';
-/** Returns `true` when the value is a non-identity valid Ristretto point. */
+/**
+ * Returns `true` when the value is a canonical non-identity Ristretto point.
+ *
+ * This is the predicate used for public keys and most commitment elements.
+ */
 export const isInSubgroup = (value) => {
     try {
         return !decodePoint(value).is0();
@@ -9,7 +20,13 @@ export const isInSubgroup = (value) => {
         return false;
     }
 };
-/** Returns `true` when the value is a valid Ristretto point, including identity. */
+/**
+ * Returns `true` when the value is a canonical Ristretto point, including the
+ * identity element.
+ *
+ * This variant is used for ciphertext components and transcript values that
+ * are allowed to land on the identity.
+ */
 export const isInSubgroupOrIdentity = (value) => {
     try {
         decodePoint(value);
@@ -70,11 +87,11 @@ export const assertThreshold = (threshold, participantCount) => {
     }
 };
 /**
- * Derives the shipped GJKR honest-majority threshold `ceil(n / 2)`.
+ * Derives the supported honest-majority threshold `ceil(n / 2)`.
  *
- * For odd `n` this matches the usual strict-majority value. For even `n` the
- * shipped protocol uses the maximal honest-majority instantiation proved for
- * GJKR, which yields `k = n / 2`.
+ * This is the threshold policy used by the package's DKG and full voting flow.
+ * Callers do not choose a custom `k`; the verifier derives it from the
+ * accepted registration roster.
  */
 export const majorityThreshold = (participantCount) => {
     if (!Number.isInteger(participantCount) || participantCount < 1) {
@@ -83,7 +100,7 @@ export const majorityThreshold = (participantCount) => {
     return Math.ceil(participantCount / 2);
 };
 /**
- * Validates that the supplied threshold matches the shipped GJKR
+ * Validates that the supplied threshold matches the library's GJKR
  * honest-majority policy.
  */
 export const assertMajorityThreshold = (threshold, participantCount) => {
@@ -97,7 +114,12 @@ export const assertMajorityThreshold = (threshold, participantCount) => {
     }
     return threshold;
 };
-/** Validates a 1-based participant index without assuming a fixed count. */
+/**
+ * Validates a 1-based participant index without assuming a fixed participant
+ * count.
+ *
+ * The package consistently numbers trustees and voters from `1`.
+ */
 export const assertPositiveParticipantIndex = (index) => {
     if (!Number.isInteger(index)) {
         throw new IndexOutOfRangeError('Participant index must be an integer');
@@ -106,7 +128,12 @@ export const assertPositiveParticipantIndex = (index) => {
         throw new IndexOutOfRangeError('Participant index must be a positive integer');
     }
 };
-/** Validates a 1-based participant index for a fixed participant count. */
+/**
+ * Validates a 1-based participant index against a fixed participant count.
+ *
+ * This is the usual check for published payloads that already sit inside a
+ * frozen roster.
+ */
 export const assertValidParticipantIndex = (index, participantCount) => {
     if (!Number.isInteger(index) || !Number.isInteger(participantCount)) {
         throw new IndexOutOfRangeError('Participant index and count must be integers');
@@ -118,19 +145,32 @@ export const assertValidParticipantIndex = (index, participantCount) => {
         throw new IndexOutOfRangeError(`Participant index ${index} must satisfy 1 <= j <= n (n = ${participantCount})`);
     }
 };
-/** Validates that a value is a non-identity valid Ristretto point. */
+/**
+ * Validates that a value is a canonical non-identity Ristretto point.
+ *
+ * This is the assertion form of {@link isInSubgroup}.
+ */
 export const assertInSubgroup = (value) => {
     if (!isInSubgroup(value)) {
         throw new InvalidGroupElementError('Element is not a valid non-identity Ristretto point');
     }
 };
-/** Validates that a value is a valid Ristretto point, including identity. */
+/**
+ * Validates that a value is a canonical Ristretto point, including identity.
+ *
+ * This is the assertion form of {@link isInSubgroupOrIdentity}.
+ */
 export const assertInSubgroupOrIdentity = (value) => {
     if (!isInSubgroupOrIdentity(value)) {
         throw new InvalidGroupElementError('Element is not a valid Ristretto point');
     }
 };
-/** Validates a public key as a non-identity Ristretto point. */
+/**
+ * Validates a public key as a canonical non-identity Ristretto point.
+ *
+ * Public keys, verification keys, and commitment generators all route through
+ * this helper.
+ */
 export const assertValidPublicKey = (value) => {
     if (!isInSubgroup(value)) {
         throw new InvalidGroupElementError('Public key must be a valid non-identity Ristretto point');

package/dist/dkg/pedersen-share-codec.d.ts

@@ -1,5 +1,15 @@
 import type { PedersenShare } from '../vss/types.js';
-/** Encodes one Pedersen share pair for encrypted dealer-to-recipient transport. */
+/**
+ * Encodes one Pedersen share pair for encrypted dealer-to-recipient transport.
+ *
+ * The output is canonical JSON so the decrypted plaintext can later be audited
+ * byte-for-byte.
+ */
 export declare const encodePedersenShareEnvelope: (share: PedersenShare, byteLength: number) => string;
-/** Decodes one encrypted Pedersen share pair after envelope decryption. */
+/**
+ * Decodes one encrypted Pedersen share pair after envelope decryption.
+ *
+ * Recipients use this after envelope decryption, and transcript verification
+ * uses the same rules when resolving complaints.
+ */
 export declare const decodePedersenShareEnvelope: (plaintext: Uint8Array, expectedParticipantIndex: number, label: string) => PedersenShare;

package/dist/dkg/pedersen-share-codec.js

@@ -1,3 +1,10 @@
+/**
+ * Deterministic encoding for Pedersen share pairs before transport encryption.
+ *
+ * Dealers use this module to turn one recipient's share pair into canonical
+ * JSON bytes that can be encrypted into an envelope and later revalidated by
+ * the recipient or the verifier.
+ */
 import { InvalidPayloadError, RISTRETTO_GROUP } from '../core/index.js';
 import { canonicalizeJson } from '../protocol/canonical-json.js';
 import { bigintToFixedHex, fixedHexToBigInt } from '../serialize/encoding.js';
@@ -48,7 +55,12 @@ const parsePedersenShareEnvelopeRecord = (parsed, expectedParticipantIndex, labe
         secretValue: bigintToFixedHex(parseCanonicalFixedHex(record.secretValue, RISTRETTO_GROUP.scalarByteLength, `${label} secret value`), RISTRETTO_GROUP.scalarByteLength),
     };
 };
-/** Encodes one Pedersen share pair for encrypted dealer-to-recipient transport. */
+/**
+ * Encodes one Pedersen share pair for encrypted dealer-to-recipient transport.
+ *
+ * The output is canonical JSON so the decrypted plaintext can later be audited
+ * byte-for-byte.
+ */
 export const encodePedersenShareEnvelope = (share, byteLength) => canonicalizeJson({
     index: share.index,
     secretValue: bigintToFixedHex(share.secretValue, byteLength),
@@ -56,7 +68,12 @@ export const encodePedersenShareEnvelope = (share, byteLength) => canonicalizeJs
 }, {
     bigintByteLength: byteLength,
 });
-/** Decodes one encrypted Pedersen share pair after envelope decryption. */
+/**
+ * Decodes one encrypted Pedersen share pair after envelope decryption.
+ *
+ * Recipients use this after envelope decryption, and transcript verification
+ * uses the same rules when resolving complaints.
+ */
 export const decodePedersenShareEnvelope = (plaintext, expectedParticipantIndex, label) => {
     let decodedPlaintext;
     try {

package/dist/dkg/public.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Public DKG transcript helpers and share-envelope codecs.
+ *
+ * Use this module when you need direct access to transcript replay, derived
+ * trustee verification keys, or encrypted share-envelope encoding.
+ *
+ * @module threshold-elgamal/dkg
+ * @packageDocumentation
+ */
+export { deriveJointPublicKey, deriveTranscriptVerificationKey, verifyDKGTranscript, } from './verification.js';
+export { decodePedersenShareEnvelope, encodePedersenShareEnvelope, } from './pedersen-share-codec.js';
+export type { VerifyDKGTranscriptInput, VerifiedDKGTranscript, } from './verification.js';

package/dist/dkg/public.js

@@ -0,0 +1,11 @@
+/**
+ * Public DKG transcript helpers and share-envelope codecs.
+ *
+ * Use this module when you need direct access to transcript replay, derived
+ * trustee verification keys, or encrypted share-envelope encoding.
+ *
+ * @module threshold-elgamal/dkg
+ * @packageDocumentation
+ */
+export { deriveJointPublicKey, deriveTranscriptVerificationKey, verifyDKGTranscript, } from './verification.js';
+export { decodePedersenShareEnvelope, encodePedersenShareEnvelope, } from './pedersen-share-codec.js';

package/dist/dkg/verification.d.ts

@@ -1,13 +1,30 @@
+/**
+ * Full GJKR DKG transcript verification and derived-key extraction.
+ *
+ * This module is responsible for turning a signed public DKG transcript into a
+ * qualified participant set, transcript-derived trustee verification keys, and
+ * the final joint public key used by the voting flow.
+ */
 import { type CryptoGroup } from '../core/index.js';
 import type { EncodedPoint } from '../core/types.js';
 import type { ComplaintPayload, ElectionManifest, PhaseCheckpointPayload, RegistrationPayload, SignedPayload } from '../protocol/types.js';
-/** Input bundle for verifying a DKG transcript. */
+/**
+ * Input bundle for verifying a DKG transcript.
+ *
+ * This is the DKG-only verifier input used directly by advanced consumers and
+ * indirectly by the full ceremony verifier.
+ */
 export type VerifyDKGTranscriptInput = {
     readonly transcript: readonly SignedPayload[];
     readonly manifest: ElectionManifest;
     readonly sessionId: string;
 };
-/** Verified DKG transcript result with reusable derived ceremony material. */
+/**
+ * Verified DKG transcript result with reusable derived ceremony material.
+ *
+ * Later ballot and decryption verification stages consume this output rather
+ * than replaying the DKG from scratch.
+ */
 export type VerifiedDKGTranscript = {
     readonly acceptedComplaints: readonly ComplaintPayload[];
     readonly jointPublicKey: EncodedPoint;
@@ -25,7 +42,12 @@ export type VerifiedDKGTranscript = {
     readonly rosterHash: string;
     readonly threshold: number;
 };
-/** Finalized threshold-supported checkpoint for one DKG phase. */
+/**
+ * Finalized threshold-supported checkpoint for one DKG phase.
+ *
+ * This represents the accepted checkpoint record after signer-set and
+ * transcript-hash validation.
+ */
 export type FinalizedPhaseCheckpoint = {
     readonly payload: PhaseCheckpointPayload;
     readonly signatures: readonly SignedPayload<PhaseCheckpointPayload>[];
@@ -35,10 +57,8 @@ export type FinalizedPhaseCheckpoint = {
  * Derives the transcript verification key `Y_j` for one participant index from
  * published Feldman commitments.
  *
- * @param feldmanCommitments Qualified dealer commitment vectors.
- * @param participantIndex Participant index whose key will be derived.
- * @param group Selected group.
- * @returns Transcript-derived verification key `Y_j`.
+ * Decryption-share verification uses this key as the public statement side of
+ * each trustee's DLEQ proof.
  */
 export declare const deriveTranscriptVerificationKey: (feldmanCommitments: readonly {
     readonly dealerIndex: number;
@@ -48,20 +68,19 @@ export declare const deriveTranscriptVerificationKey: (feldmanCommitments: reado
  * Derives the qualified joint public key from the constant Feldman
  * commitments.
  *
- * @param feldmanCommitments Qualified dealer commitment vectors.
- * @param group Selected group.
- * @returns Derived joint public key.
+ * Ballot encryption and tally verification both depend on this derived public
+ * key.
  */
 export declare const deriveJointPublicKey: (feldmanCommitments: readonly {
     readonly dealerIndex: number;
     readonly commitments: readonly EncodedPoint[];
 }[], group: CryptoGroup) => EncodedPoint;
 /**
- * Verifies a DKG transcript, its signatures, Feldman extraction proofs,
- * the exact claimed threshold degree, accepted complaint outcomes, the DKG
+ * Verifies a DKG transcript, its signatures, Feldman extraction proofs, the
+ * exact claimed threshold degree, accepted complaint outcomes, the DKG
  * transcript hash, and the announced joint public key.
  *
- * @param input Transcript verification input.
- * @returns Verified transcript metadata and derived ceremony material.
+ * This is the DKG-specific verifier that the full ceremony verifier delegates
+ * to before it touches ballots or tally material.
  */
 export declare const verifyDKGTranscript: (input: VerifyDKGTranscriptInput) => Promise<VerifiedDKGTranscript>;

package/dist/dkg/verification.js

@@ -1,3 +1,10 @@
+/**
+ * Full GJKR DKG transcript verification and derived-key extraction.
+ *
+ * This module is responsible for turning a signed public DKG transcript into a
+ * qualified participant set, transcript-derived trustee verification keys, and
+ * the final joint public key used by the voting flow.
+ */
 import { InvalidPayloadError, RISTRETTO_GROUP, ThresholdViolationError, assertCanonicalRistrettoGroup, assertInSubgroupOrIdentity, assertPositiveParticipantIndex, majorityThreshold, modQ, } from '../core/index.js';
 import { RISTRETTO_ZERO, decodePoint, decodeScalar, encodePoint, pointAdd, pointMultiply, } from '../core/ristretto.js';
 import { verifySchnorrProof } from '../proofs/schnorr.js';
@@ -152,7 +159,7 @@ const collectCheckpointVariants = (transcript, checkpointPhase) => {
     });
 };
 /**
- * Rejects phase-checkpoint payloads outside the shipped GJKR checkpoint plan.
+ * Rejects phase-checkpoint payloads outside the GJKR checkpoint plan.
  */
 const assertSupportedCheckpointPayloads = (transcript) => {
     for (const signedPayload of transcript) {
@@ -374,19 +381,16 @@ const deriveTranscriptVerificationKeyInternal = (commitmentSets, participantInde
  * Derives the transcript verification key `Y_j` for one participant index from
  * published Feldman commitments.
  *
- * @param feldmanCommitments Qualified dealer commitment vectors.
- * @param participantIndex Participant index whose key will be derived.
- * @param group Selected group.
- * @returns Transcript-derived verification key `Y_j`.
+ * Decryption-share verification uses this key as the public statement side of
+ * each trustee's DLEQ proof.
  */
 export const deriveTranscriptVerificationKey = (feldmanCommitments, participantIndex, group) => deriveTranscriptVerificationKeyInternal(feldmanCommitments.map((entry) => entry.commitments), participantIndex, group);
 /**
  * Derives the qualified joint public key from the constant Feldman
  * commitments.
  *
- * @param feldmanCommitments Qualified dealer commitment vectors.
- * @param group Selected group.
- * @returns Derived joint public key.
+ * Ballot encryption and tally verification both depend on this derived public
+ * key.
  */
 export const deriveJointPublicKey = (feldmanCommitments, group) => {
     assertCanonicalRistrettoGroup(group, 'Joint public-key derivation group');
@@ -653,12 +657,12 @@ const verifyCheckpointedDKGTranscript = async (input, setup) => {
     return finalizeVerifiedTranscript(input, setup.verifiedSignatures, setup.manifestPublication.participantIndex, acceptedComplaints, setup.manifestAccepted, phaseCheckpoints, finalQualifiedParticipantIndices, RISTRETTO_GROUP, setup.threshold);
 };
 /**
- * Verifies a DKG transcript, its signatures, Feldman extraction proofs,
- * the exact claimed threshold degree, accepted complaint outcomes, the DKG
+ * Verifies a DKG transcript, its signatures, Feldman extraction proofs, the
+ * exact claimed threshold degree, accepted complaint outcomes, the DKG
  * transcript hash, and the announced joint public key.
  *
- * @param input Transcript verification input.
- * @returns Verified transcript metadata and derived ceremony material.
+ * This is the DKG-specific verifier that the full ceremony verifier delegates
+ * to before it touches ballots or tally material.
  */
 export const verifyDKGTranscript = async (input) => {
     const auditedTranscript = await auditSignedPayloads(input.transcript);

package/dist/elgamal/additive.d.ts

@@ -1,11 +1,23 @@
 import type { ElGamalCiphertext } from './types.js';
-/** Validates an additive ciphertext that may already be an aggregate. */
+/**
+ * Validates an additive ciphertext that may already represent an aggregate.
+ *
+ * Both raw ballot ciphertexts and summed ciphertexts share the same structural
+ * requirements.
+ */
 export declare const assertValidAdditiveCiphertext: (ciphertext: ElGamalCiphertext) => void;
 /**
- * Adds two additive-mode ciphertexts component-wise.
+ * Adds two additive ciphertexts component-wise.
+ *
+ * This is the homomorphic step behind ballot aggregation and tally
+ * recomputation.
  */
 export declare const addEncryptedValues: (left: ElGamalCiphertext, right: ElGamalCiphertext) => ElGamalCiphertext;
 /**
- * Encrypts an additive plaintext with caller-supplied randomness.
+ * Encrypts one additive plaintext with caller-supplied randomness.
+ *
+ * Public ballot builders usually sit one layer above this helper, but advanced
+ * consumers and tests can use it directly when they need explicit control over
+ * the randomness input and plaintext bound.
  */
 export declare const encryptAdditiveWithRandomness: (message: bigint, publicKey: string, randomness: bigint, bound: bigint) => ElGamalCiphertext;

package/dist/elgamal/additive.js

@@ -1,31 +1,27 @@
+/**
+ * Additive ElGamal primitives over the built-in Ristretto255 suite.
+ *
+ * Ballot payload construction, ciphertext aggregation, and threshold decryption
+ * all depend on this layer.
+ */
 import { RISTRETTO_GROUP, assertAdditiveBound, assertInSubgroupOrIdentity, assertPlaintextAdditive, assertValidPublicKey, InvalidScalarError, } from '../core/index.js';
 import { decodePoint, encodePoint, multiplyBase, pointAdd, pointMultiply, } from '../core/ristretto.js';
-/** Validates an additive-mode public key against the shipped suite. */
-const assertValidAdditivePublicKey = (publicKey) => {
-    assertValidPublicKey(publicKey);
-};
-/** Validates the caller-supplied additive plaintext bound. */
-const assertValidAdditiveBound = (bound) => assertAdditiveBound(bound, RISTRETTO_GROUP.q);
-/** Validates the plaintext domain and caller-supplied bound for additive mode. */
-const assertValidAdditivePlaintext = (value, bound) => assertPlaintextAdditive(value, bound, RISTRETTO_GROUP.q);
-/** Validates an additive ciphertext that may already be an aggregate. */
+/**
+ * Validates an additive ciphertext that may already represent an aggregate.
+ *
+ * Both raw ballot ciphertexts and summed ciphertexts share the same structural
+ * requirements.
+ */
 export const assertValidAdditiveCiphertext = (ciphertext) => {
     assertInSubgroupOrIdentity(ciphertext.c1);
     assertInSubgroupOrIdentity(ciphertext.c2);
 };
-const resolveAdditiveBound = (bound, operation) => {
+const requireAdditiveBound = (bound) => {
     if (typeof bound !== 'bigint') {
-        throw new InvalidScalarError(`Additive ${operation} requires an explicit plaintext bound`);
+        throw new InvalidScalarError('Additive encryption requires an explicit plaintext bound');
     }
     return bound;
 };
-const resolveAdditiveContext = (bound, operation) => {
-    const resolvedBound = resolveAdditiveBound(bound, operation);
-    assertValidAdditiveBound(resolvedBound);
-    return {
-        bound: resolvedBound,
-    };
-};
 const assertEncryptionRandomness = (randomness) => {
     if (randomness <= 0n || randomness >= RISTRETTO_GROUP.q) {
         throw new InvalidScalarError('Encryption randomness must be in the range 1..q-1');
@@ -43,7 +39,10 @@ const encryptAdditiveWithValidatedInputs = (message, publicKey, randomness) => {
     };
 };
 /**
- * Adds two additive-mode ciphertexts component-wise.
+ * Adds two additive ciphertexts component-wise.
+ *
+ * This is the homomorphic step behind ballot aggregation and tally
+ * recomputation.
  */
 export const addEncryptedValues = (left, right) => {
     assertValidAdditiveCiphertext(left);
@@ -54,12 +53,17 @@ export const addEncryptedValues = (left, right) => {
     };
 };
 /**
- * Encrypts an additive plaintext with caller-supplied randomness.
+ * Encrypts one additive plaintext with caller-supplied randomness.
+ *
+ * Public ballot builders usually sit one layer above this helper, but advanced
+ * consumers and tests can use it directly when they need explicit control over
+ * the randomness input and plaintext bound.
  */
 export const encryptAdditiveWithRandomness = (message, publicKey, randomness, bound) => {
-    const context = resolveAdditiveContext(bound, 'encryption');
-    assertValidAdditivePlaintext(message, context.bound);
-    assertValidAdditivePublicKey(publicKey);
+    const resolvedBound = requireAdditiveBound(bound);
+    assertAdditiveBound(resolvedBound, RISTRETTO_GROUP.q);
+    assertPlaintextAdditive(message, resolvedBound, RISTRETTO_GROUP.q);
+    assertValidPublicKey(publicKey);
     assertEncryptionRandomness(randomness);
     return encryptAdditiveWithValidatedInputs(message, publicKey, randomness);
 };

package/dist/elgamal/bsgs.js

@@ -1,3 +1,10 @@
+/**
+ * Bounded baby-step giant-step discrete-log solver for additive ElGamal
+ * plaintext recovery.
+ *
+ * The threshold reconstruction path uses this only after all cryptographic
+ * checks have passed and only within an explicit caller-supplied bound.
+ */
 import { InvalidScalarError } from '../core/index.js';
 import { decodePoint, encodePoint, pointAdd, pointSubtract, pointMultiply, } from '../core/ristretto.js';
 const integerSquareRootCeil = (value) => {

package/dist/elgamal/public.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Low-level additive ElGamal helpers.
+ *
+ * Use this module when you need direct ciphertext construction primitives
+ * instead of the higher-level protocol payload builders.
+ *
+ * @module threshold-elgamal/elgamal
+ * @packageDocumentation
+ */
+export { encryptAdditiveWithRandomness } from './additive.js';
+export type { ElGamalCiphertext } from './types.js';

package/dist/elgamal/public.js

@@ -0,0 +1,10 @@
+/**
+ * Low-level additive ElGamal helpers.
+ *
+ * Use this module when you need direct ciphertext construction primitives
+ * instead of the higher-level protocol payload builders.
+ *
+ * @module threshold-elgamal/elgamal
+ * @packageDocumentation
+ */
+export { encryptAdditiveWithRandomness } from './additive.js';

package/dist/elgamal/types.d.ts

@@ -1,3 +1,9 @@
+/**
+ * Ciphertext types for additive ElGamal.
+ *
+ * These types are shared by low-level encryption helpers, ballot codecs,
+ * threshold decryption, and the generated API reference.
+ */
 import type { EncodedPoint } from '../core/types.js';
 /** Standard additive ElGamal ciphertext pair `(c1, c2)` encoded as points. */
 export type ElGamalCiphertext = {

package/dist/index.d.ts

@@ -1,39 +1,41 @@
 /**
- * Safe root package exports for the current surface.
+ * Root package exports for the supported public API.
  *
- * Use this entry point for group definitions, additive ElGamal, validation
- * helpers, and serialization helpers that are safe for the shipped package.
+ * Use this entry point for the full supported voting workflow: manifest and
+ * roster setup, transport keys and envelopes, DKG commitments and share
+ * handling, ballot encryption and proofs, decryption-share publication, tally
+ * reconstruction, and full ceremony verification.
+ *
+ * Public subpath modules such as `threshold-elgamal/proofs`,
+ * `threshold-elgamal/threshold`, and `threshold-elgamal/dkg` remain available
+ * when you prefer grouped imports by subsystem, but the supported ceremony can
+ * be implemented from this root package alone.
  *
  * @module threshold-elgamal
  * @packageDocumentation
  */
-export { IndexOutOfRangeError, InvalidGroupElementError, InvalidPayloadError, InvalidProofError, InvalidScalarError, InvalidShareError, PhaseViolationError, PlaintextDomainError, ThresholdViolationError, TranscriptMismatchError, UnsupportedSuiteError, } from './core/errors.js';
-export { modQ } from './core/bigint.js';
-export { RISTRETTO_GROUP } from './core/groups.js';
-export type { EncodedPoint } from './core/types.js';
+export { RISTRETTO_GROUP, modQ } from './core/public.js';
+export type { EncodedPoint } from './core/public.js';
 export { majorityThreshold } from './core/validation.js';
-export { encryptAdditiveWithRandomness } from './elgamal/additive.js';
-export { createDisjunctiveProof, verifyDisjunctiveProof, } from './proofs/disjunctive.js';
-export { createDLEQProof, type DLEQStatement, verifyDLEQProof, } from './proofs/dleq.js';
-export { createSchnorrProof, verifySchnorrProof } from './proofs/schnorr.js';
-export type { DLEQProof, DisjunctiveProof, ProofContext, SchnorrProof, } from './proofs/types.js';
+export { encryptAdditiveWithRandomness } from './elgamal/public.js';
+export type { ElGamalCiphertext } from './elgamal/public.js';
+export { deriveJointPublicKey, deriveTranscriptVerificationKey, encodePedersenShareEnvelope, decodePedersenShareEnvelope, verifyDKGTranscript, } from './dkg/public.js';
+export type { VerifyDKGTranscriptInput, VerifiedDKGTranscript, } from './dkg/public.js';
+export { createDisjunctiveProof, createDLEQProof, createSchnorrProof, verifyDisjunctiveProof, verifyDLEQProof, verifySchnorrProof, } from './proofs/public.js';
+export type { DLEQProof, DisjunctiveProof, DLEQStatement, ProofContext, SchnorrProof, } from './proofs/public.js';
 export { decryptEnvelope, encryptEnvelope } from './transport/envelopes.js';
 export { exportAuthPublicKey, generateAuthKeyPair } from './transport/auth.js';
 export { exportTransportPublicKey, generateTransportKeyPair, } from './transport/key-agreement.js';
 export type { EncodedAuthPublicKey, EncodedTransportPublicKey, EncryptedEnvelope, EnvelopeContext, TransportKeyPair, } from './transport/types.js';
-export { combineDecryptionShares, createDecryptionShare, prepareAggregateForDecryption, } from './threshold/decrypt.js';
-export type { AggregateDecryptionPreparationInput, DecryptionShare, Share, VerifiedAggregateCiphertext, } from './threshold/types.js';
-export { deriveJointPublicKey, deriveTranscriptVerificationKey, verifyDKGTranscript, } from './dkg/verification.js';
-export { decodePedersenShareEnvelope, encodePedersenShareEnvelope, } from './dkg/pedersen-share-codec.js';
-export type { VerifyDKGTranscriptInput, VerifiedDKGTranscript, } from './dkg/verification.js';
-export { generateFeldmanCommitments, verifyFeldmanShare } from './vss/feldman.js';
-export { derivePedersenShares, generatePedersenCommitments, verifyPedersenShare, } from './vss/pedersen.js';
-export type { FeldmanCommitments, PedersenCommitments, PedersenShare, } from './vss/types.js';
-export { createBallotClosePayload, createBallotSubmissionPayload, createDecryptionSharePayload, createEncryptedDualSharePayload, createFeldmanCommitmentPayload, createKeyDerivationConfirmationPayload, createManifestAcceptancePayload, createManifestPublicationPayload, createPedersenCommitmentPayload, createPhaseCheckpointPayload, createRegistrationPayload, createTallyPublicationPayload, signProtocolPayload, } from './protocol/builders.js';
+export { createBallotClosePayload, createBallotSubmissionPayload, createDecryptionSharePayload, createEncryptedDualSharePayload, createFeldmanCommitmentPayload, createKeyDerivationConfirmationPayload, createManifestAcceptancePayload, createManifestPublicationPayload, createPedersenCommitmentPayload, createPhaseCheckpointPayload, createRegistrationPayload, signProtocolPayload, createTallyPublicationPayload, } from './protocol/builders.js';
 export { canonicalizeElectionManifest, createElectionManifest, deriveSessionId, hashElectionManifest, SHIPPED_PROTOCOL_VERSION, validateElectionManifest, } from './protocol/manifest.js';
-export { hashRosterEntries } from './protocol/verification.js';
+export { hashRosterEntries, verifySignedProtocolPayloads, type RosterEntry, type VerifiedProtocolSignatures, } from './protocol/verification.js';
 export { hashProtocolTranscript } from './protocol/transcript.js';
-export { verifyElectionCeremony, tryVerifyElectionCeremony, type ElectionVerificationErrorCode, type ElectionVerificationFailure, type ElectionVerificationResult, type ElectionVerificationStage, type VerifiedElectionCeremony, } from './protocol/voting-verification.js';
 export { verifyBallotSubmissionPayloadsByOption } from './protocol/voting-ballots.js';
-export { scoreVotingDomain } from './protocol/voting-codecs.js';
-export type { BallotClosePayload, BallotSubmissionPayload, DecryptionSharePayload, ElectionManifest, EncodedCiphertext, EncodedCompactProof, EncodedDisjunctiveProof, EncryptedDualSharePayload, FeldmanCommitmentPayload, KeyDerivationConfirmation, ManifestAcceptancePayload, ManifestPublicationPayload, PedersenCommitmentPayload, PhaseCheckpointPayload, ProtocolMessageType, ProtocolPayload, RegistrationPayload, SignedPayload, TallyPublicationPayload, VerifyElectionCeremonyInput, } from './protocol/types.js';
+export { scoreRangeDomain } from './protocol/voting-codecs.js';
+export { verifyElectionCeremony, tryVerifyElectionCeremony, type ElectionVerificationErrorCode, type ElectionVerificationFailure, type ElectionVerificationResult, type ElectionVerificationStage, type VerifiedElectionCeremony, } from './protocol/voting-verification.js';
+export type { BallotClosePayload, BallotSubmissionPayload, DecryptionSharePayload, ElectionManifest, EncodedCiphertext, EncodedCompactProof, EncodedDisjunctiveProof, EncryptedDualSharePayload, FeldmanCommitmentPayload, KeyDerivationConfirmation, ManifestAcceptancePayload, ManifestPublicationPayload, PedersenCommitmentPayload, PhaseCheckpointPayload, ProtocolMessageType, ProtocolPayload, RegistrationPayload, ScoreRange, SignedPayload, TallyPublicationPayload, VerifyElectionCeremonyInput, } from './protocol/types.js';
+export { combineDecryptionShares, createDecryptionShare, prepareAggregateForDecryption, } from './threshold/public.js';
+export type { AggregateDecryptionPreparationInput, DecryptionShare, Share, VerifiedAggregateCiphertext, } from './threshold/public.js';
+export { derivePedersenShares, generateFeldmanCommitments, generatePedersenCommitments, verifyFeldmanShare, verifyPedersenShare, } from './vss/public.js';
+export type { FeldmanCommitments, PedersenCommitments, PedersenShare, } from './vss/public.js';

package/dist/index.js

@@ -1,32 +1,33 @@
 /**
- * Safe root package exports for the current surface.
+ * Root package exports for the supported public API.
  *
- * Use this entry point for group definitions, additive ElGamal, validation
- * helpers, and serialization helpers that are safe for the shipped package.
+ * Use this entry point for the full supported voting workflow: manifest and
+ * roster setup, transport keys and envelopes, DKG commitments and share
+ * handling, ballot encryption and proofs, decryption-share publication, tally
+ * reconstruction, and full ceremony verification.
+ *
+ * Public subpath modules such as `threshold-elgamal/proofs`,
+ * `threshold-elgamal/threshold`, and `threshold-elgamal/dkg` remain available
+ * when you prefer grouped imports by subsystem, but the supported ceremony can
+ * be implemented from this root package alone.
  *
  * @module threshold-elgamal
  * @packageDocumentation
  */
-export { IndexOutOfRangeError, InvalidGroupElementError, InvalidPayloadError, InvalidProofError, InvalidScalarError, InvalidShareError, PhaseViolationError, PlaintextDomainError, ThresholdViolationError, TranscriptMismatchError, UnsupportedSuiteError, } from './core/errors.js';
-export { modQ } from './core/bigint.js';
-export { RISTRETTO_GROUP } from './core/groups.js';
+export { RISTRETTO_GROUP, modQ } from './core/public.js';
 export { majorityThreshold } from './core/validation.js';
-export { encryptAdditiveWithRandomness } from './elgamal/additive.js';
-export { createDisjunctiveProof, verifyDisjunctiveProof, } from './proofs/disjunctive.js';
-export { createDLEQProof, verifyDLEQProof, } from './proofs/dleq.js';
-export { createSchnorrProof, verifySchnorrProof } from './proofs/schnorr.js';
+export { encryptAdditiveWithRandomness } from './elgamal/public.js';
+export { deriveJointPublicKey, deriveTranscriptVerificationKey, encodePedersenShareEnvelope, decodePedersenShareEnvelope, verifyDKGTranscript, } from './dkg/public.js';
+export { createDisjunctiveProof, createDLEQProof, createSchnorrProof, verifyDisjunctiveProof, verifyDLEQProof, verifySchnorrProof, } from './proofs/public.js';
 export { decryptEnvelope, encryptEnvelope } from './transport/envelopes.js';
 export { exportAuthPublicKey, generateAuthKeyPair } from './transport/auth.js';
 export { exportTransportPublicKey, generateTransportKeyPair, } from './transport/key-agreement.js';
-export { combineDecryptionShares, createDecryptionShare, prepareAggregateForDecryption, } from './threshold/decrypt.js';
-export { deriveJointPublicKey, deriveTranscriptVerificationKey, verifyDKGTranscript, } from './dkg/verification.js';
-export { decodePedersenShareEnvelope, encodePedersenShareEnvelope, } from './dkg/pedersen-share-codec.js';
-export { generateFeldmanCommitments, verifyFeldmanShare } from './vss/feldman.js';
-export { derivePedersenShares, generatePedersenCommitments, verifyPedersenShare, } from './vss/pedersen.js';
-export { createBallotClosePayload, createBallotSubmissionPayload, createDecryptionSharePayload, createEncryptedDualSharePayload, createFeldmanCommitmentPayload, createKeyDerivationConfirmationPayload, createManifestAcceptancePayload, createManifestPublicationPayload, createPedersenCommitmentPayload, createPhaseCheckpointPayload, createRegistrationPayload, createTallyPublicationPayload, signProtocolPayload, } from './protocol/builders.js';
+export { createBallotClosePayload, createBallotSubmissionPayload, createDecryptionSharePayload, createEncryptedDualSharePayload, createFeldmanCommitmentPayload, createKeyDerivationConfirmationPayload, createManifestAcceptancePayload, createManifestPublicationPayload, createPedersenCommitmentPayload, createPhaseCheckpointPayload, createRegistrationPayload, signProtocolPayload, createTallyPublicationPayload, } from './protocol/builders.js';
 export { canonicalizeElectionManifest, createElectionManifest, deriveSessionId, hashElectionManifest, SHIPPED_PROTOCOL_VERSION, validateElectionManifest, } from './protocol/manifest.js';
-export { hashRosterEntries } from './protocol/verification.js';
+export { hashRosterEntries, verifySignedProtocolPayloads, } from './protocol/verification.js';
 export { hashProtocolTranscript } from './protocol/transcript.js';
-export { verifyElectionCeremony, tryVerifyElectionCeremony, } from './protocol/voting-verification.js';
 export { verifyBallotSubmissionPayloadsByOption } from './protocol/voting-ballots.js';
-export { scoreVotingDomain } from './protocol/voting-codecs.js';
+export { scoreRangeDomain } from './protocol/voting-codecs.js';
+export { verifyElectionCeremony, tryVerifyElectionCeremony, } from './protocol/voting-verification.js';
+export { combineDecryptionShares, createDecryptionShare, prepareAggregateForDecryption, } from './threshold/public.js';
+export { derivePedersenShares, generateFeldmanCommitments, generatePedersenCommitments, verifyFeldmanShare, verifyPedersenShare, } from './vss/public.js';