Cryptographic primitives for generating and verifying certificates.
This module provides the Scheme trait and implementations for producing
signatures, validating them (individually or in batches), assembling
certificates, and verifying recovered certificates.
Pluggable Cryptography

Certificates are generic over the signing scheme, allowing users to choose the scheme best suited for their requirements:

- ed25519: Attributable signatures with individual verification. HSM-friendly, no trusted setup required, and widely supported. Certificates contain individual signatures from each signer.
- bls12381_multisig: Attributable signatures with aggregated verification. Signatures can be aggregated into a single multi-signature for compact certificates while preserving attribution (signer indices are stored alongside the aggregated signature).
- bls12381_threshold: Non-attributable threshold signatures. Produces succinct certificates that are constant-size regardless of committee size. Requires a trusted setup (distributed key generation) and cannot attribute signatures to individual signers.
Attributable Schemes and Fault Evidence

Signing schemes differ in whether per-participant activities can be used as evidence of either liveness or of committing a fault:

- Attributable Schemes (ed25519, bls12381_multisig): Individual signatures can be presented to some third party as evidence of either liveness or of committing a fault. Certificates contain signer indices alongside individual signatures, enabling secure per-participant activity tracking and conflict detection.
- Non-Attributable Schemes (bls12381_threshold): Individual signatures cannot be presented to some third party as evidence of either liveness or of committing a fault because they can be forged by other players (often after some quorum of partial signatures are collected). With bls12381_threshold, possession of any t valid partial signatures can be used to forge a partial signature for any other player. Because peer connections are authenticated, evidence can be used locally (as it must be sent by said participant) but cannot be used by an external observer.

The Scheme::is_attributable() method signals whether evidence can be safely exposed to third parties.
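An added illustration (not the crate's own code) of why a threshold scheme cannot attribute partial signatures: in a t-of-n threshold scheme the partials are evaluations of a degree t-1 polynomial, so any t of them determine every other participant's partial, which is exactly why such evidence is only meaningful locally. The polynomial is modelled over a toy prime field rather than BLS12-381; the function names and the parameters used are assumptions.

```rust
// Toy field GF(P) with P = 2^61 - 1 (a Mersenne prime); u128 arithmetic never overflows.
const P: u128 = (1u128 << 61) - 1;

fn mul(a: u128, b: u128) -> u128 { (a % P) * (b % P) % P }
fn add(a: u128, b: u128) -> u128 { (a + b) % P }
fn sub(a: u128, b: u128) -> u128 { (a % P + P - b % P) % P }
fn pow(mut b: u128, mut e: u128) -> u128 {
    let mut r: u128 = 1;
    b %= P;
    while e > 0 {
        if e & 1 == 1 { r = mul(r, b); }
        b = mul(b, b);
        e >>= 1;
    }
    r
}
/// Modular inverse via Fermat's little theorem (P is prime).
fn inv(a: u128) -> u128 { pow(a, P - 2) }

/// Evaluate f(x) = c_0 + c_1 x + ... + c_{t-1} x^{t-1} (Horner's rule).
/// c_0 plays the role of the group secret; f(i) is participant i's partial.
pub fn eval(coeffs: &[u128], x: u128) -> u128 {
    coeffs.iter().rev().fold(0, |acc, &c| add(mul(acc, x), c))
}

/// Lagrange-interpolate f at `target` from `shares` given as (index, f(index)).
/// With t distinct shares of a degree t-1 polynomial this is exact for every target.
pub fn interpolate(shares: &[(u128, u128)], target: u128) -> u128 {
    let mut result = 0;
    for (j, &(xj, yj)) in shares.iter().enumerate() {
        let (mut num, mut den) = (1, 1);
        for (m, &(xm, _)) in shares.iter().enumerate() {
            if m == j { continue; }
            num = mul(num, sub(target, xm));
            den = mul(den, sub(xj, xm));
        }
        result = add(result, mul(yj, mul(num, inv(den))));
    }
    result
}

/// Derive participant `target`'s partial from at least `t` partials held by others.
/// Below the threshold the polynomial is not pinned down, so nothing is returned.
pub fn other_share_from_quorum(shares: &[(u128, u128)], t: usize, target: u128) -> Option<u128> {
    (shares.len() >= t).then(|| interpolate(shares, target))
}
```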
Identity Keys vs Signing Keys
A participant may supply both an identity key and a signing key. The identity key is used for assigning a unique order to the participant set and authenticating connections whereas the signing key is used for producing and verifying signatures/certificates.
This flexibility is supported because some cryptographic schemes are only performant when used in batch verification (like bls12381_multisig) and/or are refreshed frequently (like bls12381_threshold). Refer to ed25519 for an example of a scheme that uses the same key for both purposes.
Re-exports

pub use crate::bls12381::certificate::multisig as bls12381_multisig;
pub use crate::bls12381::certificate::threshold as bls12381_threshold;
pub use crate::ed25519::certificate as ed25519;
Macros

- impl_certificate_bls12381_multisig - Generates a BLS12-381 multisig signing scheme wrapper for a specific protocol.
- impl_certificate_bls12381_threshold - Generates a BLS12-381 threshold signing scheme wrapper for a specific protocol.
- impl_certificate_ed25519 - Generates an Ed25519 signing scheme wrapper for a specific protocol.
Structs

- Attestation - A participant's attestation for a certificate.
- ConstantProvider - A scheme provider that always returns the same scheme regardless of scope.
- Signers - Bitmap wrapper that tracks which participants signed a certificate.
- Verification - Result of batch-verifying attestations.