threshold-elgamal 1.1.0 → 2.0.0

package/README.md

@@ -1,6 +1,6 @@
 # threshold-elgamal
 
-[![npm downloads](https://img.shields.io/npm/dm/threshold-elgamal?color=5FA04E)](https://www.npmjs.com/package/threshold-elgamal)
+[![npm version](https://img.shields.io/npm/v/threshold-elgamal?color=5FA04E)](https://www.npmjs.com/package/threshold-elgamal) [![npm downloads](https://img.shields.io/npm/dm/threshold-elgamal?color=5FA04E)](https://www.npmjs.com/package/threshold-elgamal)
 
 ---
 
@@ -16,8 +16,9 @@
 
 - additive ElGamal on `ristretto255`
 - honest-majority GJKR DKG
-- fixed score voting in `1..10`
-- one public manifest shape: `rosterHash` and `optionList`
+- one explicit global contiguous score range per ceremony
+- manifest `scoreRange.max` capped at `100` to keep proofs and tally recovery tractable
+- one public manifest shape: `rosterHash`, `optionList`, and `scoreRange`
 - organizer-signed `ballot-close` before decryption
 - full local recomputation and full ceremony verification from the public board
 
@@ -77,10 +78,10 @@ Older browsers, stale embedded webviews, and runtimes without Web Crypto `X25519
 The supported boardroom flow is:
 
 1. Freeze the roster in the application and hash it with `hashRosterEntries(...)`.
-2. Build the minimal manifest with `createElectionManifest({ rosterHash, optionList })`.
+2. Build the manifest with `createElectionManifest({ rosterHash, optionList, scoreRange })`.
 3. Publish the manifest, registrations, and manifest acceptances.
 4. Run the honest-majority GJKR transcript.
-5. Post ballot payloads for complete `1..10` score ballots.
+5. Post ballot payloads for complete scores inside the manifest-declared range.
 6. Post one organizer-signed `ballot-close` payload that freezes which complete ballots are counted.
 7. Post threshold decryption shares and tally publications for the close-selected ballot set.
 8. Verify the whole ceremony with `verifyElectionCeremony(...)`.
@@ -129,6 +130,7 @@ const rosterHash = await hashRosterEntries([
 const manifest = createElectionManifest({
     rosterHash,
     optionList: ["Option A", "Option B"],
+    scoreRange: { min: 1, max: 10 },
 });
 
 const manifestHash = await hashElectionManifest(manifest);
@@ -171,7 +173,7 @@ if (!result.ok) {
 }
 ```
 
-The root package exposes the workflow-facing builders for the signed protocol payloads used across the documented ceremony, including:
+The root package exposes the builders and lower-level helpers required for the documented ceremony, including:
 
 - manifest publication
 - registration
@@ -186,14 +188,16 @@ The root package exposes the workflow-facing builders for the signed protocol pa
 - decryption shares
 - tally publication
 
-For the reveal path, the workflow-facing API and the advanced public submodules split responsibilities intentionally:
+The reveal path also works from the root package:
 
-- prepare the accepted aggregate with `prepareAggregateForDecryption(...)` from `threshold-elgamal/threshold`
-- compute each partial share with `createDecryptionShare(...)` from `threshold-elgamal/threshold`
-- prove it with `createDLEQProof(...)` from `threshold-elgamal/proofs`
-- publish it with `createDecryptionSharePayload(...)` from `threshold-elgamal`
+- prepare the accepted aggregate with `prepareAggregateForDecryption(...)`
+- compute each partial share with `createDecryptionShare(...)`
+- prove it with `createDLEQProof(...)`
+- publish it with `createDecryptionSharePayload(...)`
 
-After collecting a threshold subset, recover the tally with `combineDecryptionShares(...)` from `threshold-elgamal/threshold` against the prepared aggregate ciphertext.
+After collecting a threshold subset, recover the tally with `combineDecryptionShares(...)` against the prepared aggregate ciphertext.
+
+The grouped public submodules remain available when you prefer narrower imports by subsystem, but the supported full ceremony does not require them.
 
 For concrete posted JSON shapes, use [Published payload examples](https://tenemo.github.io/threshold-elgamal/guides/published-payload-examples/).
 
@@ -204,7 +208,7 @@ The library is designed for an honest-origin, honest-client, static-adversary se
 What it tries to enforce:
 
 - additive-only tallying on `ristretto255`
-- fixed `1..10` score ballots
+- one explicit global contiguous manifest score range
 - grouped per-option ballot verification
 - mandatory local aggregate recomputation before decryption
 - organizer-visible and auditable ballot cutoff through `ballot-close`

package/dist/core/bigint.d.ts

@@ -7,7 +7,8 @@ export declare const mod: (value: bigint, modulus: bigint) => bigint;
 /**
  * Reduces a value into the range `0..q-1`.
  *
- * @throws {@link InvalidScalarError} When `q` is not positive.
+ * @throws {@link threshold-elgamal/core!InvalidScalarError | InvalidScalarError}
+ * When `q` is not positive.
  */
 export declare const modQ: (value: bigint, q: bigint) => bigint;
 /**

package/dist/core/bigint.js

@@ -70,7 +70,8 @@ const modP = (value, p) => mod(value, p);
 /**
  * Reduces a value into the range `0..q-1`.
  *
- * @throws {@link InvalidScalarError} When `q` is not positive.
+ * @throws {@link threshold-elgamal/core!InvalidScalarError | InvalidScalarError}
+ * When `q` is not positive.
  */
 export const modQ = (value, q) => mod(value, q);
 /**

package/dist/elgamal/additive.js

@@ -6,14 +6,6 @@
  */
 import { RISTRETTO_GROUP, assertAdditiveBound, assertInSubgroupOrIdentity, assertPlaintextAdditive, assertValidPublicKey, InvalidScalarError, } from '../core/index.js';
 import { decodePoint, encodePoint, multiplyBase, pointAdd, pointMultiply, } from '../core/ristretto.js';
-/** Validates an additive-mode public key against the built-in suite. */
-const assertValidAdditivePublicKey = (publicKey) => {
-    assertValidPublicKey(publicKey);
-};
-/** Validates the caller-supplied additive plaintext bound. */
-const assertValidAdditiveBound = (bound) => assertAdditiveBound(bound, RISTRETTO_GROUP.q);
-/** Validates the plaintext domain and caller-supplied bound for additive mode. */
-const assertValidAdditivePlaintext = (value, bound) => assertPlaintextAdditive(value, bound, RISTRETTO_GROUP.q);
 /**
  * Validates an additive ciphertext that may already represent an aggregate.
  *
@@ -24,19 +16,12 @@ export const assertValidAdditiveCiphertext = (ciphertext) => {
     assertInSubgroupOrIdentity(ciphertext.c1);
     assertInSubgroupOrIdentity(ciphertext.c2);
 };
-const resolveAdditiveBound = (bound, operation) => {
+const requireAdditiveBound = (bound) => {
     if (typeof bound !== 'bigint') {
-        throw new InvalidScalarError(`Additive ${operation} requires an explicit plaintext bound`);
+        throw new InvalidScalarError('Additive encryption requires an explicit plaintext bound');
     }
     return bound;
 };
-const resolveAdditiveContext = (bound, operation) => {
-    const resolvedBound = resolveAdditiveBound(bound, operation);
-    assertValidAdditiveBound(resolvedBound);
-    return {
-        bound: resolvedBound,
-    };
-};
 const assertEncryptionRandomness = (randomness) => {
     if (randomness <= 0n || randomness >= RISTRETTO_GROUP.q) {
         throw new InvalidScalarError('Encryption randomness must be in the range 1..q-1');
@@ -75,9 +60,10 @@ export const addEncryptedValues = (left, right) => {
  * the randomness input and plaintext bound.
  */
 export const encryptAdditiveWithRandomness = (message, publicKey, randomness, bound) => {
-    const context = resolveAdditiveContext(bound, 'encryption');
-    assertValidAdditivePlaintext(message, context.bound);
-    assertValidAdditivePublicKey(publicKey);
+    const resolvedBound = requireAdditiveBound(bound);
+    assertAdditiveBound(resolvedBound, RISTRETTO_GROUP.q);
+    assertPlaintextAdditive(message, resolvedBound, RISTRETTO_GROUP.q);
+    assertValidPublicKey(publicKey);
     assertEncryptionRandomness(randomness);
     return encryptAdditiveWithValidatedInputs(message, publicKey, randomness);
 };

package/dist/index.d.ts

@@ -1,25 +1,41 @@
 /**
- * Workflow-facing root package exports for the public API.
+ * Root package exports for the supported public API.
  *
- * Use this entry point for the supported voting workflow: manifest and roster
- * setup, transport keys and envelopes, standard signed protocol payload
- * builders, and the full ceremony verifier.
+ * Use this entry point for the full supported voting workflow: manifest and
+ * roster setup, transport keys and envelopes, DKG commitments and share
+ * handling, ballot encryption and proofs, decryption-share publication, tally
+ * reconstruction, and full ceremony verification.
  *
- * Lower-level math, proof, threshold, DKG, VSS, and protocol primitives are
- * available through the public subpath modules such as
- * `threshold-elgamal/proofs`, `threshold-elgamal/threshold`, and
- * `threshold-elgamal/dkg`.
+ * Public subpath modules such as `threshold-elgamal/proofs`,
+ * `threshold-elgamal/threshold`, and `threshold-elgamal/dkg` remain available
+ * when you prefer grouped imports by subsystem, but the supported ceremony can
+ * be implemented from this root package alone.
  *
  * @module threshold-elgamal
  * @packageDocumentation
  */
+export { RISTRETTO_GROUP, modQ } from './core/public.js';
+export type { EncodedPoint } from './core/public.js';
 export { majorityThreshold } from './core/validation.js';
+export { encryptAdditiveWithRandomness } from './elgamal/public.js';
+export type { ElGamalCiphertext } from './elgamal/public.js';
+export { deriveJointPublicKey, deriveTranscriptVerificationKey, encodePedersenShareEnvelope, decodePedersenShareEnvelope, verifyDKGTranscript, } from './dkg/public.js';
+export type { VerifyDKGTranscriptInput, VerifiedDKGTranscript, } from './dkg/public.js';
+export { createDisjunctiveProof, createDLEQProof, createSchnorrProof, verifyDisjunctiveProof, verifyDLEQProof, verifySchnorrProof, } from './proofs/public.js';
+export type { DLEQProof, DisjunctiveProof, DLEQStatement, ProofContext, SchnorrProof, } from './proofs/public.js';
 export { decryptEnvelope, encryptEnvelope } from './transport/envelopes.js';
 export { exportAuthPublicKey, generateAuthKeyPair } from './transport/auth.js';
 export { exportTransportPublicKey, generateTransportKeyPair, } from './transport/key-agreement.js';
 export type { EncodedAuthPublicKey, EncodedTransportPublicKey, EncryptedEnvelope, EnvelopeContext, TransportKeyPair, } from './transport/types.js';
-export { createBallotClosePayload, createBallotSubmissionPayload, createDecryptionSharePayload, createEncryptedDualSharePayload, createFeldmanCommitmentPayload, createKeyDerivationConfirmationPayload, createManifestAcceptancePayload, createManifestPublicationPayload, createPedersenCommitmentPayload, createPhaseCheckpointPayload, createRegistrationPayload, createTallyPublicationPayload, } from './protocol/builders.js';
+export { createBallotClosePayload, createBallotSubmissionPayload, createDecryptionSharePayload, createEncryptedDualSharePayload, createFeldmanCommitmentPayload, createKeyDerivationConfirmationPayload, createManifestAcceptancePayload, createManifestPublicationPayload, createPedersenCommitmentPayload, createPhaseCheckpointPayload, createRegistrationPayload, signProtocolPayload, createTallyPublicationPayload, } from './protocol/builders.js';
 export { canonicalizeElectionManifest, createElectionManifest, deriveSessionId, hashElectionManifest, SHIPPED_PROTOCOL_VERSION, validateElectionManifest, } from './protocol/manifest.js';
-export { hashRosterEntries } from './protocol/verification.js';
+export { hashRosterEntries, verifySignedProtocolPayloads, type RosterEntry, type VerifiedProtocolSignatures, } from './protocol/verification.js';
+export { hashProtocolTranscript } from './protocol/transcript.js';
+export { verifyBallotSubmissionPayloadsByOption } from './protocol/voting-ballots.js';
+export { scoreRangeDomain } from './protocol/voting-codecs.js';
 export { verifyElectionCeremony, tryVerifyElectionCeremony, type ElectionVerificationErrorCode, type ElectionVerificationFailure, type ElectionVerificationResult, type ElectionVerificationStage, type VerifiedElectionCeremony, } from './protocol/voting-verification.js';
-export type { BallotClosePayload, BallotSubmissionPayload, DecryptionSharePayload, ElectionManifest, EncryptedDualSharePayload, FeldmanCommitmentPayload, KeyDerivationConfirmation, ManifestAcceptancePayload, ManifestPublicationPayload, PedersenCommitmentPayload, PhaseCheckpointPayload, RegistrationPayload, SignedPayload, TallyPublicationPayload, VerifyElectionCeremonyInput, } from './protocol/types.js';
+export type { BallotClosePayload, BallotSubmissionPayload, DecryptionSharePayload, ElectionManifest, EncodedCiphertext, EncodedCompactProof, EncodedDisjunctiveProof, EncryptedDualSharePayload, FeldmanCommitmentPayload, KeyDerivationConfirmation, ManifestAcceptancePayload, ManifestPublicationPayload, PedersenCommitmentPayload, PhaseCheckpointPayload, ProtocolMessageType, ProtocolPayload, RegistrationPayload, ScoreRange, SignedPayload, TallyPublicationPayload, VerifyElectionCeremonyInput, } from './protocol/types.js';
+export { combineDecryptionShares, createDecryptionShare, prepareAggregateForDecryption, } from './threshold/public.js';
+export type { AggregateDecryptionPreparationInput, DecryptionShare, Share, VerifiedAggregateCiphertext, } from './threshold/public.js';
+export { derivePedersenShares, generateFeldmanCommitments, generatePedersenCommitments, verifyFeldmanShare, verifyPedersenShare, } from './vss/public.js';
+export type { FeldmanCommitments, PedersenCommitments, PedersenShare, } from './vss/public.js';

package/dist/index.js

@@ -1,23 +1,33 @@
 /**
- * Workflow-facing root package exports for the public API.
+ * Root package exports for the supported public API.
  *
- * Use this entry point for the supported voting workflow: manifest and roster
- * setup, transport keys and envelopes, standard signed protocol payload
- * builders, and the full ceremony verifier.
+ * Use this entry point for the full supported voting workflow: manifest and
+ * roster setup, transport keys and envelopes, DKG commitments and share
+ * handling, ballot encryption and proofs, decryption-share publication, tally
+ * reconstruction, and full ceremony verification.
  *
- * Lower-level math, proof, threshold, DKG, VSS, and protocol primitives are
- * available through the public subpath modules such as
- * `threshold-elgamal/proofs`, `threshold-elgamal/threshold`, and
- * `threshold-elgamal/dkg`.
+ * Public subpath modules such as `threshold-elgamal/proofs`,
+ * `threshold-elgamal/threshold`, and `threshold-elgamal/dkg` remain available
+ * when you prefer grouped imports by subsystem, but the supported ceremony can
+ * be implemented from this root package alone.
  *
  * @module threshold-elgamal
  * @packageDocumentation
  */
+export { RISTRETTO_GROUP, modQ } from './core/public.js';
 export { majorityThreshold } from './core/validation.js';
+export { encryptAdditiveWithRandomness } from './elgamal/public.js';
+export { deriveJointPublicKey, deriveTranscriptVerificationKey, encodePedersenShareEnvelope, decodePedersenShareEnvelope, verifyDKGTranscript, } from './dkg/public.js';
+export { createDisjunctiveProof, createDLEQProof, createSchnorrProof, verifyDisjunctiveProof, verifyDLEQProof, verifySchnorrProof, } from './proofs/public.js';
 export { decryptEnvelope, encryptEnvelope } from './transport/envelopes.js';
 export { exportAuthPublicKey, generateAuthKeyPair } from './transport/auth.js';
 export { exportTransportPublicKey, generateTransportKeyPair, } from './transport/key-agreement.js';
-export { createBallotClosePayload, createBallotSubmissionPayload, createDecryptionSharePayload, createEncryptedDualSharePayload, createFeldmanCommitmentPayload, createKeyDerivationConfirmationPayload, createManifestAcceptancePayload, createManifestPublicationPayload, createPedersenCommitmentPayload, createPhaseCheckpointPayload, createRegistrationPayload, createTallyPublicationPayload, } from './protocol/builders.js';
+export { createBallotClosePayload, createBallotSubmissionPayload, createDecryptionSharePayload, createEncryptedDualSharePayload, createFeldmanCommitmentPayload, createKeyDerivationConfirmationPayload, createManifestAcceptancePayload, createManifestPublicationPayload, createPedersenCommitmentPayload, createPhaseCheckpointPayload, createRegistrationPayload, signProtocolPayload, createTallyPublicationPayload, } from './protocol/builders.js';
 export { canonicalizeElectionManifest, createElectionManifest, deriveSessionId, hashElectionManifest, SHIPPED_PROTOCOL_VERSION, validateElectionManifest, } from './protocol/manifest.js';
-export { hashRosterEntries } from './protocol/verification.js';
+export { hashRosterEntries, verifySignedProtocolPayloads, } from './protocol/verification.js';
+export { hashProtocolTranscript } from './protocol/transcript.js';
+export { verifyBallotSubmissionPayloadsByOption } from './protocol/voting-ballots.js';
+export { scoreRangeDomain } from './protocol/voting-codecs.js';
 export { verifyElectionCeremony, tryVerifyElectionCeremony, } from './protocol/voting-verification.js';
+export { combineDecryptionShares, createDecryptionShare, prepareAggregateForDecryption, } from './threshold/public.js';
+export { derivePedersenShares, generateFeldmanCommitments, generatePedersenCommitments, verifyFeldmanShare, verifyPedersenShare, } from './vss/public.js';

package/dist/proofs/disjunctive.d.ts

@@ -1,8 +1,9 @@
 /**
- * CDS94-style disjunctive proofs for additive score ballots.
+ * CDS94-style disjunctive proofs for additive ElGamal plaintexts drawn from an
+ * explicit finite value set.
  *
  * Ballot payloads use this module to prove that a ciphertext encodes one value
- * from the supported score domain without revealing which score was chosen.
+ * from the manifest-declared domain without revealing which value was chosen.
  */
 import { type CryptoGroup, type RandomBytesSource } from '../core/index.js';
 import type { ElGamalCiphertext } from '../elgamal/types.js';
@@ -18,6 +19,6 @@ export declare const createDisjunctiveProof: (plaintext: bigint, randomness: big
  * Verifies a CDS94-style disjunctive proof for additive ElGamal plaintexts.
  *
  * Ballot verification uses this to reject ciphertexts that do not encode one
- * of the allowed score values for the current option slot.
+ * of the allowed manifest-domain values for the current option slot.
  */
 export declare const verifyDisjunctiveProof: (proof: DisjunctiveProof, ciphertext: ElGamalCiphertext, publicKey: string, validValues: readonly bigint[], group: CryptoGroup, context: ProofContext) => Promise<boolean>;

package/dist/proofs/disjunctive.js

@@ -1,8 +1,9 @@
 /**
- * CDS94-style disjunctive proofs for additive score ballots.
+ * CDS94-style disjunctive proofs for additive ElGamal plaintexts drawn from an
+ * explicit finite value set.
  *
  * Ballot payloads use this module to prove that a ciphertext encodes one value
- * from the supported score domain without revealing which score was chosen.
+ * from the manifest-declared domain without revealing which value was chosen.
  */
 import { assertInSubgroup, assertInSubgroupOrIdentity, assertScalarInZq, InvalidProofError, modQ, randomScalarBelow, } from '../core/index.js';
 import { decodePoint, encodePoint, multiplyBase, pointMultiply, pointSubtract, } from '../core/ristretto.js';
@@ -11,7 +12,7 @@ import { assertProofContext, contextElements, fixedPoint, fixedScalar, hashChall
 import { hedgedNonce } from './nonces.js';
 const candidateEncoding = (ciphertext, candidateValue, group) => encodePoint(pointSubtract(decodePoint(ciphertext.c2, 'Ciphertext c2'), multiplyBase(modQ(candidateValue, group.q))));
 const commitmentSequence = (commitments) => encodeSequenceForChallenge(commitments.map((commitment) => concatBytes(encodeForChallenge(fixedPoint(commitment.a1)), encodeForChallenge(fixedPoint(commitment.a2)))));
-const challengePayload = (ciphertext, publicKey, validValues, commitments, group, context) => encodeForChallenge(...contextElements(context), fixedPoint(group.g), fixedPoint(publicKey), fixedPoint(ciphertext.c1), fixedPoint(ciphertext.c2), encodeSequenceForChallenge(validValues.map((value) => fixedScalar(modQ(value, group.q), group))), commitmentSequence(commitments));
+const challengePayload = (ciphertext, publicKey, validValues, commitments, group, context) => encodeForChallenge(...contextElements(context), fixedPoint(group.g), fixedPoint(publicKey), fixedPoint(ciphertext.c1), fixedPoint(ciphertext.c2), encodeSequenceForChallenge(validValues.map((value) => fixedScalar(modQ(value, group.q)))), commitmentSequence(commitments));
 /**
  * Creates a CDS94-style disjunctive proof for additive ElGamal plaintexts.
  *
@@ -67,7 +68,7 @@ export const createDisjunctiveProof = async (plaintext, randomness, ciphertext,
  * Verifies a CDS94-style disjunctive proof for additive ElGamal plaintexts.
  *
  * Ballot verification uses this to reject ciphertexts that do not encode one
- * of the allowed score values for the current option slot.
+ * of the allowed manifest-domain values for the current option slot.
  */
 export const verifyDisjunctiveProof = async (proof, ciphertext, publicKey, validValues, group, context) => {
     assertProofContext(context, group);

package/dist/proofs/helpers.d.ts

@@ -3,6 +3,6 @@ import type { ProofContext } from './types.js';
 export declare const assertProofContext: (context: ProofContext, group: CryptoGroup) => void;
 export declare const contextElements: (context: ProofContext) => (bigint | string | Uint8Array)[];
 export declare const fixedPoint: (value: string) => Uint8Array;
-export declare const fixedScalar: (value: bigint, group: CryptoGroup) => Uint8Array;
+export declare const fixedScalar: (value: bigint) => Uint8Array;
 export declare const hashChallenge: (payload: Uint8Array, q: bigint) => Promise<bigint>;
 export declare const sumChallenges: (values: readonly bigint[], q: bigint) => bigint;

package/dist/proofs/helpers.js

@@ -59,9 +59,6 @@ export const contextElements = (context) => {
     return fields;
 };
 export const fixedPoint = (value) => hexToBytes(value);
-export const fixedScalar = (value, group) => {
-    void group;
-    return hexToBytes(encodeScalar(value));
-};
+export const fixedScalar = (value) => hexToBytes(encodeScalar(value));
 export const hashChallenge = (payload, q) => Promise.resolve(modQ(hashChallengeToScalar(payload), q));
 export const sumChallenges = (values, q) => values.reduce((sum, value) => modQ(sum + value, q), 0n);

package/dist/proofs/types.d.ts

@@ -58,8 +58,8 @@ export type DisjunctiveBranch = {
 /**
  * A disjunctive proof over an ordered set of valid plaintext values.
  *
- * Ballot payloads use this to prove that an encrypted score came from the
- * allowed score domain without revealing which value was chosen.
+ * Ballot payloads use this to prove that an encrypted value came from the
+ * allowed manifest domain without revealing which value was chosen.
  */
 export type DisjunctiveProof = {
     readonly branches: readonly DisjunctiveBranch[];

package/dist/protocol/builders.d.ts

@@ -19,7 +19,7 @@ export declare const signProtocolPayload: <TMessageType extends ProtocolMessageT
  * Creates a signed `manifest-publication` payload.
  *
  * This is the first public payload in the supported ceremony and anchors the
- * minimal manifest on the board.
+ * explicit manifest on the board.
  */
 export declare const createManifestPublicationPayload: (privateKey: CryptoKey, input: {
     readonly manifest: ElectionManifest;

package/dist/protocol/builders.js

@@ -30,7 +30,7 @@ export const signProtocolPayload = async (privateKey, payload) => {
  * Creates a signed `manifest-publication` payload.
  *
  * This is the first public payload in the supported ceremony and anchors the
- * minimal manifest on the board.
+ * explicit manifest on the board.
  */
 export const createManifestPublicationPayload = async (privateKey, input) => signProtocolPayload(privateKey, {
     protocolVersion: input.protocolVersion,

package/dist/protocol/manifest.d.ts

@@ -25,12 +25,12 @@ export declare const assertSupportedProtocolVersion: (protocolVersion: string, l
  * workflow.
  *
  * The manifest is intentionally minimal: it fixes the frozen roster hash and
- * option list, while participant count and threshold are derived later from the
- * accepted registration roster.
+ * option list together with one explicit global score range, while participant
+ * count and threshold are derived later from the accepted registration roster.
  */
 export declare const validateElectionManifest: (manifest: ElectionManifest) => ElectionManifest;
 /**
- * Creates the minimal election manifest after validating the supported
+ * Creates the explicit election manifest after validating the supported
  * invariants.
  */
 export declare const createElectionManifest: (manifest: ElectionManifest) => ElectionManifest;

package/dist/protocol/manifest.js

@@ -8,6 +8,7 @@ import { bytesToHex } from '../core/bytes.js';
 import { InvalidPayloadError, sha256, utf8ToBytes } from '../core/index.js';
 import { encodeForChallenge } from '../serialize/encoding.js';
 import { canonicalizeJson } from './canonical-json.js';
+import { validateSupportedScoreRange } from './score-range.js';
 /**
  * Default protocol namespace used by the built-in helpers and verifier.
  *
@@ -20,6 +21,23 @@ const assertNonEmptyString = (value, label) => {
         throw new InvalidPayloadError(`${label} must be a non-empty string`);
     }
 };
+const validateScoreRange = (scoreRange) => {
+    if (typeof scoreRange !== 'object' ||
+        scoreRange === null ||
+        Array.isArray(scoreRange)) {
+        throw new InvalidPayloadError('Election manifest scoreRange must be an object with min and max bounds');
+    }
+    const scoreRangeRecord = scoreRange;
+    if (typeof scoreRangeRecord.min !== 'number' ||
+        typeof scoreRangeRecord.max !== 'number') {
+        throw new InvalidPayloadError('Election manifest scoreRange requires numeric min and max bounds');
+    }
+    return validateSupportedScoreRange(scoreRange, {
+        comparisonMax: 'scoreRange.max',
+        min: 'Election manifest scoreRange.min',
+        max: 'Election manifest scoreRange.max',
+    });
+};
 /**
  * Validates that a protocol version string is present and non-empty.
  *
@@ -48,12 +66,15 @@ export const assertSupportedProtocolVersion = (protocolVersion, label = 'Protoco
  * workflow.
  *
  * The manifest is intentionally minimal: it fixes the frozen roster hash and
- * option list, while participant count and threshold are derived later from the
- * accepted registration roster.
+ * option list together with one explicit global score range, while participant
+ * count and threshold are derived later from the accepted registration roster.
  */
 export const validateElectionManifest = (manifest) => {
     const manifestRecord = manifest;
     assertNonEmptyString(manifest.rosterHash, 'Roster hash');
+    if (!('scoreRange' in manifestRecord)) {
+        throw new InvalidPayloadError('Election manifest requires an explicit scoreRange');
+    }
     for (const legacyField of [
         'participantCount',
         'reconstructionThreshold',
@@ -71,7 +92,7 @@ export const validateElectionManifest = (manifest) => {
         'requiresAllOptions',
     ]) {
         if (legacyField in manifestRecord) {
-            throw new InvalidPayloadError(`Legacy manifest field "${legacyField}" is not supported on the Ristretto beta line`);
+            throw new InvalidPayloadError(`Legacy manifest field "${legacyField}" is not supported by the public manifest`);
         }
     }
     if (manifest.optionList.length === 0) {
@@ -85,10 +106,13 @@ export const validateElectionManifest = (manifest) => {
         }
         seenOptions.add(option);
     }
-    return manifest;
+    return {
+        ...manifest,
+        scoreRange: validateScoreRange(manifest.scoreRange),
+    };
 };
 /**
- * Creates the minimal election manifest after validating the supported
+ * Creates the explicit election manifest after validating the supported
  * invariants.
  */
 export const createElectionManifest = (manifest) => validateElectionManifest(manifest);

package/dist/protocol/public.d.ts

@@ -1,15 +1,17 @@
 /**
  * Low-level protocol helpers for transcript hashing, generic signed payloads,
- * ballot proof verification, and protocol payload types.
+ * registration-roster hashing, signature verification, ballot proof
+ * verification, and protocol payload types.
  *
- * Use this module when you need to work directly with protocol messages rather
- * than the workflow-facing builders and verifiers from the root package.
+ * Use this module when you want protocol helpers grouped by subsystem instead
+ * of importing them from the root package.
  *
  * @module threshold-elgamal/protocol
  * @packageDocumentation
  */
 export { signProtocolPayload } from './builders.js';
 export { hashProtocolTranscript } from './transcript.js';
+export { hashRosterEntries, verifySignedProtocolPayloads, type RosterEntry, type VerifiedProtocolSignatures, } from './verification.js';
 export { verifyBallotSubmissionPayloadsByOption } from './voting-ballots.js';
-export { scoreVotingDomain } from './voting-codecs.js';
-export type { EncodedCiphertext, EncodedCompactProof, EncodedDisjunctiveProof, ProtocolMessageType, ProtocolPayload, } from './types.js';
+export { scoreRangeDomain } from './voting-codecs.js';
+export type { EncodedCiphertext, EncodedCompactProof, EncodedDisjunctiveProof, ProtocolMessageType, ProtocolPayload, ScoreRange, } from './types.js';

package/dist/protocol/public.js

@@ -1,14 +1,16 @@
 /**
  * Low-level protocol helpers for transcript hashing, generic signed payloads,
- * ballot proof verification, and protocol payload types.
+ * registration-roster hashing, signature verification, ballot proof
+ * verification, and protocol payload types.
  *
- * Use this module when you need to work directly with protocol messages rather
- * than the workflow-facing builders and verifiers from the root package.
+ * Use this module when you want protocol helpers grouped by subsystem instead
+ * of importing them from the root package.
  *
  * @module threshold-elgamal/protocol
  * @packageDocumentation
  */
 export { signProtocolPayload } from './builders.js';
 export { hashProtocolTranscript } from './transcript.js';
+export { hashRosterEntries, verifySignedProtocolPayloads, } from './verification.js';
 export { verifyBallotSubmissionPayloadsByOption } from './voting-ballots.js';
-export { scoreVotingDomain } from './voting-codecs.js';
+export { scoreRangeDomain } from './voting-codecs.js';

package/dist/protocol/score-range.d.ts

@@ -0,0 +1,6 @@
+import type { ScoreRange } from './types.js';
+export declare const validateSupportedScoreRange: (scoreRange: ScoreRange, labels: {
+    readonly comparisonMax?: string;
+    readonly min: string;
+    readonly max: string;
+}) => ScoreRange;

package/dist/protocol/score-range.js

@@ -0,0 +1,24 @@
+import { InvalidPayloadError } from '../core/index.js';
+const MAX_SUPPORTED_SCORE_RANGE_MAX = 100;
+const assertSafeInteger = (value, label) => {
+    if (!Number.isSafeInteger(value)) {
+        throw new InvalidPayloadError(`${label} must be a safe integer`);
+    }
+};
+export const validateSupportedScoreRange = (scoreRange, labels) => {
+    assertSafeInteger(scoreRange.min, labels.min);
+    assertSafeInteger(scoreRange.max, labels.max);
+    if (scoreRange.min < 0) {
+        throw new InvalidPayloadError(`${labels.min} must be non-negative`);
+    }
+    if (scoreRange.max < 0) {
+        throw new InvalidPayloadError(`${labels.max} must be non-negative`);
+    }
+    if (scoreRange.min > scoreRange.max) {
+        throw new InvalidPayloadError(`${labels.min} must not exceed ${labels.comparisonMax ?? labels.max}`);
+    }
+    if (scoreRange.max > MAX_SUPPORTED_SCORE_RANGE_MAX) {
+        throw new InvalidPayloadError(`${labels.max} must not exceed ${MAX_SUPPORTED_SCORE_RANGE_MAX}`);
+    }
+    return scoreRange;
+};

package/dist/protocol/types.d.ts

@@ -217,12 +217,24 @@ export type SignedPayload<TPayload extends ProtocolPayload = ProtocolPayload> =
 /**
  * Canonical election-manifest shape bound into protocol transcripts.
  *
- * The manifest is intentionally minimal and leaves threshold derivation to the
- * accepted registration roster.
+ * The manifest is intentionally compact: it fixes the frozen roster hash,
+ * option list, and one explicit global score range, while participant count
+ * and threshold are derived later from the accepted registration roster.
+ */
+export type ScoreRange = {
+    readonly min: number;
+    readonly max: number;
+};
+/**
+ * Canonical election-manifest shape bound into protocol transcripts.
+ *
+ * The score range applies uniformly to every option slot in the supported
+ * workflow.
  */
 export type ElectionManifest = {
     readonly rosterHash: string;
     readonly optionList: readonly string[];
+    readonly scoreRange: ScoreRange;
 };
 /**
  * Input bundle for verifying typed ballot payloads.

package/dist/protocol/voting-codecs.d.ts

@@ -1,6 +1,6 @@
 import type { ElGamalCiphertext } from '../elgamal/types.js';
 import type { DLEQProof, DisjunctiveProof } from '../proofs/types.js';
-import type { EncodedCiphertext, EncodedCompactProof, EncodedDisjunctiveProof } from './types.js';
+import type { EncodedCiphertext, EncodedCompactProof, EncodedDisjunctiveProof, ScoreRange } from './types.js';
 /**
  * Encodes an additive ciphertext into fixed-width protocol hex.
  *
@@ -47,8 +47,11 @@ export declare const encodeDisjunctiveProof: (proof: DisjunctiveProof) => Encode
  */
 export declare const decodeDisjunctiveProof: (proof: EncodedDisjunctiveProof) => DisjunctiveProof;
 /**
- * Returns the fixed score-voting domain `1..10`.
+ * Expands one inclusive contiguous score range into its allowed plaintext
+ * domain.
  *
- * The supported voting workflow does not expose a configurable score range.
+ * Ballot builders and verifiers pass the resulting values into the
+ * disjunctive-proof layer so each encrypted score can be proven to belong to
+ * the manifest-declared domain.
  */
-export declare const scoreVotingDomain: () => readonly bigint[];
+export declare const scoreRangeDomain: (scoreRange: ScoreRange) => readonly bigint[];

package/dist/protocol/voting-codecs.js

@@ -3,6 +3,7 @@
  * their published protocol payload representations.
  */
 import { decodePoint, decodeScalar, encodeScalar } from '../core/ristretto.js';
+import { validateSupportedScoreRange } from './score-range.js';
 /**
  * Encodes an additive ciphertext into fixed-width protocol hex.
  *
@@ -66,8 +67,17 @@ export const decodeDisjunctiveProof = (proof) => ({
     branches: proof.branches.map((branch) => decodeCompactProof(branch)),
 });
 /**
- * Returns the fixed score-voting domain `1..10`.
+ * Expands one inclusive contiguous score range into its allowed plaintext
+ * domain.
  *
- * The supported voting workflow does not expose a configurable score range.
+ * Ballot builders and verifiers pass the resulting values into the
+ * disjunctive-proof layer so each encrypted score can be proven to belong to
+ * the manifest-declared domain.
  */
-export const scoreVotingDomain = () => Object.freeze(Array.from({ length: 10 }, (_value, index) => BigInt(index + 1)));
+export const scoreRangeDomain = (scoreRange) => {
+    validateSupportedScoreRange(scoreRange, {
+        min: 'Score range min',
+        max: 'Score range max',
+    });
+    return Object.freeze(Array.from({ length: scoreRange.max - scoreRange.min + 1 }, (_value, index) => BigInt(scoreRange.min + index)));
+};

package/dist/protocol/voting-shared.d.ts

@@ -1,5 +1,5 @@
 import type { ProofContext } from '../proofs/types.js';
-import type { DecryptionSharePayload, ElectionManifest, ProtocolPayload, RegistrationPayload, SignedPayload, OptionAggregateInput } from './types.js';
+import type { DecryptionSharePayload, ElectionManifest, RegistrationPayload, ProtocolPayload, SignedPayload, OptionAggregateInput } from './types.js';
 export declare const BALLOT_SUBMISSION_PHASE = 5;
 export declare const BALLOT_CLOSE_PHASE = 6;
 export declare const DECRYPTION_SHARE_PHASE = 7;
@@ -10,6 +10,7 @@ type VotingManifestContext = {
     readonly optionCount: number;
     readonly protocolVersion: string;
     readonly scoreDomainValues: readonly bigint[];
+    readonly scoreRangeMax: bigint;
     readonly sessionId: string;
 };
 export declare const assertPhase: (payload: ProtocolPayload, expectedPhase: number, label: string) => void;

package/dist/protocol/voting-shared.js

@@ -8,7 +8,7 @@ import { assertPositiveParticipantIndex, InvalidPayloadError, RISTRETTO_GROUP, }
 import { importAuthPublicKey, verifyPayloadSignature } from '../transport/auth.js';
 import { hashElectionManifest, assertSupportedProtocolVersion, SHIPPED_PROTOCOL_VERSION, validateElectionManifest, } from './manifest.js';
 import { signedProtocolPayloadBytes } from './payloads.js';
-import { scoreVotingDomain } from './voting-codecs.js';
+import { scoreRangeDomain } from './voting-codecs.js';
 export const BALLOT_SUBMISSION_PHASE = 5;
 export const BALLOT_CLOSE_PHASE = 6;
 export const DECRYPTION_SHARE_PHASE = 7;
@@ -53,7 +53,8 @@ export const buildVotingManifestContext = async (manifest, sessionId) => {
         manifestHash: await hashElectionManifest(validatedManifest),
         optionCount: validatedManifest.optionList.length,
         protocolVersion: SHIPPED_PROTOCOL_VERSION,
-        scoreDomainValues: scoreVotingDomain(),
+        scoreDomainValues: scoreRangeDomain(validatedManifest.scoreRange),
+        scoreRangeMax: BigInt(validatedManifest.scoreRange.max),
         sessionId,
     };
 };

package/dist/protocol/voting-verification.js

@@ -37,7 +37,7 @@ const recomputePublishedTally = (input) => {
         sessionId: input.sessionId,
         optionIndex: input.ballots.optionIndex,
     });
-    return combineDecryptionShares(preparedAggregate.ciphertext, input.decryptionShares.map((entry) => entry.share), BigInt(input.ballots.aggregate.ballotCount) * 10n);
+    return combineDecryptionShares(preparedAggregate.ciphertext, input.decryptionShares.map((entry) => entry.share), BigInt(input.ballots.aggregate.ballotCount) * input.scoreRangeMax);
 };
 const verifyPublishedTallyPayload = (payload, optionIndex, ballots, decryptionShares, tally) => {
     if (payload.transcriptHash !== ballots.aggregate.transcriptHash) {
@@ -280,6 +280,7 @@ export const verifyElectionCeremony = async (input) => {
                 jointPublicKey: dkg.jointPublicKey,
                 protocolVersion: context.protocolVersion,
                 manifestHash: context.manifestHash,
+                scoreRangeMax: context.scoreRangeMax,
                 sessionId: context.sessionId,
             });
             const publication = tallyPublicationMap.get(optionIndex);

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "threshold-elgamal",
-    "version": "1.1.0",
+    "version": "2.0.0",
     "description": "A browser-native TypeScript ElGamal library for Ristretto255-based research prototypes, shipping additive ElGamal, threshold decryption, protocol helpers, board auditing, transport primitives, and log-driven DKG state machines.",
     "author": "Piotr Piech <piotr@piech.dev>",
     "license": "MPL-2.0",
@@ -26,7 +26,8 @@
         "coverage:badge": "pnpm run coverage:node && tsx ./tools/generate-coverage-badge.ts",
         "smoke:pack": "tsx ./tools/ci/verify-packed-package.ts",
         "prebuild": "pnpm run check && pnpm run test",
-        "build": "pnpm exec del-cli dist && tsc --project tsconfig.build.json && tsx ./tools/build/rewrite-dist-relative-imports.ts",
+        "build:dist": "pnpm exec del-cli dist && tsc --project tsconfig.build.json && tsx ./tools/build/rewrite-dist-relative-imports.ts",
+        "build": "pnpm run build:dist",
         "vectors:threshold": "tsx ./tools/generate-threshold-vectors.ts",
         "vectors:protocol": "tsx ./tools/generate-protocol-vectors.ts",
         "bench:micro": "tsx ./tools/benchmarks/microbench.ts",
@@ -39,8 +40,8 @@
         "prepare": "husky"
     },
     "dependencies": {
-        "@noble/curves": "^2.0.1",
-        "@noble/hashes": "^2.0.1"
+        "@noble/curves": "^2.2.0",
+        "@noble/hashes": "^2.2.0"
     },
     "devDependencies": {
         "@astrojs/mdx": "^5.0.3",
@@ -49,25 +50,25 @@
         "@eslint/js": "^10.0.1",
         "@fontsource/ibm-plex-sans": "^5.2.8",
         "@fontsource/jetbrains-mono": "^5.2.8",
-        "@types/node": "^25.5.2",
-        "@typescript-eslint/eslint-plugin": "^8.58.1",
-        "@typescript-eslint/parser": "^8.58.1",
+        "@types/node": "^25.6.0",
+        "@typescript-eslint/eslint-plugin": "^8.58.2",
+        "@typescript-eslint/parser": "^8.58.2",
         "@vitest/browser-playwright": "^4.1.4",
         "@vitest/coverage-v8": "^4.1.4",
-        "astro": "^6.1.5",
+        "astro": "^6.1.7",
         "del-cli": "^7.0.0",
         "eslint": "^10.2.0",
         "eslint-config-prettier": "^10.1.8",
         "eslint-plugin-import-x": "^4.16.2",
         "eslint-plugin-only-error": "^1.0.2",
         "eslint-plugin-prettier": "^5.5.5",
-        "globals": "^17.4.0",
+        "globals": "^17.5.0",
         "husky": "^9.1.7",
-        "knip": "^5.67.0",
+        "knip": "^6.4.1",
         "playwright": "^1.59.1",
-        "prettier": "^3.8.1",
+        "prettier": "^3.8.3",
         "tsx": "^4.21.0",
-        "typedoc": "^0.28.18",
+        "typedoc": "^0.28.19",
         "typedoc-plugin-markdown": "^4.11.0",
         "typescript": "^6.0.2",
         "vite": "^8.0.8",