threshold-elgamal 2.0.0 → 2.1.0

package/README.md

@@ -94,7 +94,7 @@ The cryptographic threshold is derived internally from the accepted registration
 
 There is no supported `n-of-n` mode and no supported public `k-of-n` configuration.
 
-Transcript verification requires key-derivation confirmations from every qualified participant.
+Transcript verification requires `key-derivation-confirmation` payloads from every qualified participant. In the current design those unanimous confirmations are part of verifier soundness: the library does not implement a public post-Feldman complaint/reconstruction phase, so the DKG verifier is participant-confirmed rather than fully public-data-only. Lowering confirmation acceptance to threshold-many is out of scope unless that missing public consistency machinery is added.
 
 See [Honest-majority voting flow](https://tenemo.github.io/threshold-elgamal/guides/three-participant-voting-flow/) for the full phase-by-phase transcript.
 
@@ -130,7 +130,7 @@ const rosterHash = await hashRosterEntries([
 const manifest = createElectionManifest({
     rosterHash,
     optionList: ["Option A", "Option B"],
-    scoreRange: { min: 1, max: 10 },
+    scoreRange: { min: 0, max: 5 },
 });
 
 const manifestHash = await hashElectionManifest(manifest);
@@ -145,6 +145,10 @@ console.log(majorityThreshold(3)); // 2
 console.log(sessionId.length); // 64
 ```
 
+The example uses `0..5` only as one concrete score range. The supported rule is
+one manifest-declared contiguous range with non-negative bounds and
+`scoreRange.max <= 100`.
+
 If your application consumes a complete public board, start with [Verifying a public board](https://tenemo.github.io/threshold-elgamal/guides/verifying-a-public-board/) and then move directly to the verifier entry point:
 
 ```typescript
@@ -158,7 +162,7 @@ const bundle: VerifyElectionCeremonyInput = {
     sessionId,
     dkgTranscript,
     ballotPayloads,
-    ballotClosePayload,
+    ballotClosePayloads: [ballotClosePayload],
     decryptionSharePayloads,
     tallyPublications,
 };
@@ -173,6 +177,8 @@ if (!result.ok) {
 }
 ```
 
+Pass the full published `ballot-close` slot in `ballotClosePayloads`, even when the normal case is one organizer payload. The verifier audits that slot, collapses only exact retransmissions, and requires exactly one accepted close record.
+
 The root package exposes the builders and lower-level helpers required for the documented ceremony, including:
 
 - manifest publication

package/dist/dkg/verification.d.ts

@@ -78,9 +78,16 @@ export declare const deriveJointPublicKey: (feldmanCommitments: readonly {
 /**
  * Verifies a DKG transcript, its signatures, Feldman extraction proofs, the
  * exact claimed threshold degree, accepted complaint outcomes, the DKG
- * transcript hash, and the announced joint public key.
+ * transcript hash, the announced joint public key, and unanimous qualified
+ * participant key confirmations.
  *
  * This is the DKG-specific verifier that the full ceremony verifier delegates
- * to before it touches ballots or tally material.
+ * to before it touches ballots or tally material. It consumes a public signed
+ * transcript plus `key-derivation-confirmation` payloads from every qualified
+ * participant. It does not implement a public post-Feldman
+ * complaint/reconstruction phase, so it is a participant-confirmed transcript
+ * verifier rather than a fully public-data-only GJKR verifier. Lowering this
+ * requirement to threshold-many confirmations is out of scope unless that
+ * missing public consistency machinery is added.
  */
 export declare const verifyDKGTranscript: (input: VerifyDKGTranscriptInput) => Promise<VerifiedDKGTranscript>;

package/dist/dkg/verification.js

@@ -659,10 +659,17 @@ const verifyCheckpointedDKGTranscript = async (input, setup) => {
 /**
  * Verifies a DKG transcript, its signatures, Feldman extraction proofs, the
  * exact claimed threshold degree, accepted complaint outcomes, the DKG
- * transcript hash, and the announced joint public key.
+ * transcript hash, the announced joint public key, and unanimous qualified
+ * participant key confirmations.
  *
  * This is the DKG-specific verifier that the full ceremony verifier delegates
- * to before it touches ballots or tally material.
+ * to before it touches ballots or tally material. It consumes a public signed
+ * transcript plus `key-derivation-confirmation` payloads from every qualified
+ * participant. It does not implement a public post-Feldman
+ * complaint/reconstruction phase, so it is a participant-confirmed transcript
+ * verifier rather than a fully public-data-only GJKR verifier. Lowering this
+ * requirement to threshold-many confirmations is out of scope unless that
+ * missing public consistency machinery is added.
  */
 export const verifyDKGTranscript = async (input) => {
     const auditedTranscript = await auditSignedPayloads(input.transcript);

package/dist/protocol/types.d.ts

@@ -136,7 +136,7 @@ export type FeldmanCommitmentPayload = BaseProtocolPayload & {
     }[];
 };
 /**
- * Final key-derivation confirmation payload for the derived joint key.
+ * Final participant confirmation payload for the derived joint key.
  */
 export type KeyDerivationConfirmation = BaseProtocolPayload & {
     readonly messageType: 'key-derivation-confirmation';
@@ -279,14 +279,15 @@ export type VerifyDecryptionSharePayloadsByOptionInput = {
  * Input bundle for full ceremony verification across all published options.
  *
  * This is the top-level verifier input that an auditor or bulletin-board
- * reader supplies when replaying a full ceremony.
+ * reader supplies when replaying a full ceremony from the published board,
+ * including the full ballot-close slot instead of a preselected close record.
  */
 export type VerifyElectionCeremonyInput = {
     readonly manifest: ElectionManifest;
     readonly sessionId: string;
     readonly dkgTranscript: readonly SignedPayload[];
     readonly ballotPayloads: readonly SignedPayload<BallotSubmissionPayload>[];
-    readonly ballotClosePayload: SignedPayload<BallotClosePayload>;
+    readonly ballotClosePayloads: readonly SignedPayload<BallotClosePayload>[];
     readonly decryptionSharePayloads: readonly SignedPayload<DecryptionSharePayload>[];
     readonly tallyPublications?: readonly SignedPayload<TallyPublicationPayload>[];
 };

package/dist/protocol/voting-ballots.d.ts

@@ -4,8 +4,9 @@ import { type VerifiedOptionBallotAggregation } from './voting-ballot-aggregatio
  * Verifies typed ballot-submission payloads and recomputes one aggregate tally
  * ciphertext per manifest option.
  *
- * This is the public entry point for applications that already have
- * signature-checked ballot payloads and want the per-option verified
- * ciphertext aggregates that feed threshold decryption.
+ * This is the public entry point for applications that already collected
+ * signed ballot payloads and want the per-option verified ciphertext
+ * aggregates that feed threshold decryption. The helper re-audits the signed
+ * payloads before it decodes and aggregates them.
  */
 export declare const verifyBallotSubmissionPayloadsByOption: (input: VerifyBallotSubmissionPayloadsByOptionInput) => Promise<readonly VerifiedOptionBallotAggregation[]>;

package/dist/protocol/voting-ballots.js

@@ -40,9 +40,10 @@ const verifyAuditedBallotSubmissionPayloadsByOption = async (input) => {
  * Verifies typed ballot-submission payloads and recomputes one aggregate tally
  * ciphertext per manifest option.
  *
- * This is the public entry point for applications that already have
- * signature-checked ballot payloads and want the per-option verified
- * ciphertext aggregates that feed threshold decryption.
+ * This is the public entry point for applications that already collected
+ * signed ballot payloads and want the per-option verified ciphertext
+ * aggregates that feed threshold decryption. The helper re-audits the signed
+ * payloads before it decodes and aggregates them.
  */
 export const verifyBallotSubmissionPayloadsByOption = async (input) => {
     const context = await buildVotingManifestContext(input.manifest, input.sessionId);

package/dist/protocol/voting-decryption.d.ts

@@ -5,6 +5,7 @@ import type { VerifiedOptionDecryptionShares, VerifyDecryptionSharePayloadsByOpt
  *
  * This is the public entry point for applications that have already accepted a
  * DKG transcript and verified ballot aggregates and now need to validate the
- * published threshold shares.
+ * published threshold shares. The helper re-audits the signed share payloads
+ * before it groups and verifies them.
  */
 export declare const verifyDecryptionSharePayloadsByOption: (input: VerifyDecryptionSharePayloadsByOptionInput) => Promise<readonly VerifiedOptionDecryptionShares[]>;

package/dist/protocol/voting-decryption.js

@@ -98,7 +98,8 @@ const verifyAuditedDecryptionSharePayloadsByOption = async (input) => {
  *
  * This is the public entry point for applications that have already accepted a
  * DKG transcript and verified ballot aggregates and now need to validate the
- * published threshold shares.
+ * published threshold shares. The helper re-audits the signed share payloads
+ * before it groups and verifies them.
  */
 export const verifyDecryptionSharePayloadsByOption = async (input) => {
     const context = await buildVotingManifestContext(input.manifest, input.sessionId);

package/dist/protocol/voting-verification.d.ts

@@ -66,8 +66,8 @@ export type ElectionVerificationResult = {
 };
 /**
  * Replays the published ceremony from manifest to tally, including board audit,
- * DKG verification, ballot verification, decryption-share verification, and
- * per-option tally checks.
+ * DKG verification, full ballot-close-slot audit, ballot verification,
+ * decryption-share verification, and per-option tally checks.
  *
  * This is the main verifier entry point for callers that want failures to
  * abort immediately.

package/dist/protocol/voting-verification.js

@@ -3,7 +3,7 @@
  *
  * This module is the shortest path for auditors and bulletin-board readers who
  * want one call that replays manifest validation, board audit, DKG, ballots,
- * decryption shares, and tally checks.
+ * the full ballot-close slot, decryption shares, and tally checks.
  */
 import { InvalidPayloadError } from '../core/index.js';
 import { decodeScalar } from '../core/ristretto.js';
@@ -127,8 +127,8 @@ const verifyBallotClosePayload = (input) => {
 };
 /**
  * Replays the published ceremony from manifest to tally, including board audit,
- * DKG verification, ballot verification, decryption-share verification, and
- * per-option tally checks.
+ * DKG verification, full ballot-close-slot audit, ballot verification,
+ * decryption-share verification, and per-option tally checks.
  *
  * This is the main verifier entry point for callers that want failures to
  * abort immediately.
@@ -150,9 +150,7 @@ export const verifyElectionCeremony = async (input) => {
     try {
         dkgAudit = await auditSignedPayloads(input.dkgTranscript);
         ballotAudit = await auditSignedPayloads(input.ballotPayloads);
-        ballotCloseAudit = await auditSignedPayloads([
-            input.ballotClosePayload,
-        ]);
+        ballotCloseAudit = await auditSignedPayloads(input.ballotClosePayloads);
         decryptionAudit = await auditSignedPayloads(input.decryptionSharePayloads);
         tallyAudit =
             input.tallyPublications === undefined ||

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "threshold-elgamal",
-    "version": "2.0.0",
+    "version": "2.1.0",
     "description": "A browser-native TypeScript ElGamal library for Ristretto255-based research prototypes, shipping additive ElGamal, threshold decryption, protocol helpers, board auditing, transport primitives, and log-driven DKG state machines.",
     "author": "Piotr Piech <piotr@piech.dev>",
     "license": "MPL-2.0",