threshold_pairing/

lib.rs

//! A pairing-based threshold cryptosystem for collaborative decryption and signatures.
//!
//! This crate provides cryptographic primitives for threshold signatures and threshold
//! encryption based on BLS12-381 elliptic curve pairings. It enables `t+1` of `n` participants
//! to collaboratively sign messages or decrypt ciphertexts, where `t` is the threshold.
//!
//! # Features
//!
//! - **Threshold Signatures**: Any `t+1` participants can produce a valid signature
//! - **Threshold Encryption**: Messages can only be decrypted with `t+1` decryption shares
//! - **Distributed Key Generation**: Tools for generating keys without a trusted dealer
//! - **RFC 9380 Compliant**: Uses standard hash-to-curve algorithms
//!
//! # Quick Start
//!
//! ## Simple Signatures
//!
//! ```
//! use threshold_pairing::SecretKey;
//!
//! let sk = SecretKey::random();
//! let pk = sk.public_key();
//!
//! let message = b"Hello, world!";
//! let signature = sk.sign(message);
//!
//! assert!(pk.verify(&signature, message));
//! ```
//!
//! ## Threshold Signatures
//!
//! ```
//! use std::collections::BTreeMap;
//! use threshold_pairing::SecretKeySet;
//!
//! // Create a key set with threshold 2 (requires 3 shares to sign)
//! let mut rng = rand::thread_rng();
//! let sk_set = SecretKeySet::random(2, &mut rng);
//! let pk_set = sk_set.public_keys();
//!
//! let message = b"Threshold signed message";
//!
//! // Collect 3 signature shares
//! let shares: BTreeMap<_, _> = (0..3usize)
//!     .map(|i| (i, sk_set.secret_key_share(i).expect("valid index").sign(message)))
//!     .collect();
//!
//! // Combine shares into a full signature
//! let signature = pk_set.combine_signatures(&shares).expect("not enough shares");
//! assert!(pk_set.public_key().verify(&signature, message));
//! ```
//!
//! # Modules
//!
//! - [`poly`]: Polynomial and commitment types for distributed key generation
//! - [`error`]: Error types for cryptographic operations
//! - [`serde_impl`]: Serialization helpers, including [`serde_impl::SerdeSecret`] for secret keys
//!
//! # Feature Flags
//!
//! - `serde` (enabled by default): Enables `Serialize` and `Deserialize` impls for all public types
//! - `bincode`: Enables bincode serialization support (requires `serde`)
//! - `serialization`: Convenience feature that enables both `serde` and `bincode`
//! - `expose-secret`: Enables `reveal()` methods on secret types for debugging (dev/debug only, never use in production)
//!
//! # Security
//!
//! This crate follows cryptographic best practices:
//! - Secret keys are zeroized on drop
//! - Constant-time comparison for secret key equality
//! - RFC 9380 hash-to-curve for BLS signatures
//! - Domain separation between signature and encryption schemes
//!
//! ## Caller responsibility for returned secret material
//!
//! Several methods return values that may contain sensitive material — for example,
//! [`SecretKey::decrypt`] returns a `Vec<u8>` plaintext, and [`SecretKeySet::secret_key_share`]
//! returns a [`SecretKeyShare`]. This crate zeroizes its own internal state on drop, but it
//! **cannot control what the caller does with returned values**.
//!
//! If you need the returned material to be erased from memory after use, wrap it in
//! [`zeroize::Zeroizing`] yourself:
//!
//! ```
//! use threshold_pairing::SecretKey;
//! use zeroize::Zeroizing;
//!
//! let sk = SecretKey::random();
//! let pk = sk.public_key();
//! let ciphertext = pk.encrypt(b"secret");
//!
//! // Wrap the plaintext so it is zeroized when dropped.
//! let plaintext = Zeroizing::new(sk.decrypt(&ciphertext).unwrap());
//! // `plaintext` is zeroed when it goes out of scope.
//! ```

// Clippy warns that it's dangerous to derive `PartialEq` and explicitly implement `Hash`, but the
// `pairing::bls12_381` types don't implement `Hash`, so we can't derive it.
#![allow(clippy::derived_hash_with_manual_eq)]
#![warn(missing_docs)]

use core::ops::{AddAssign, Mul, MulAssign, SubAssign};

pub use bls12_381;
use bls12_381::hash_to_curve::{ExpandMsgXmd, HashToCurve};
use bls12_381::{G2Projective, Scalar};
pub use ff;
use group::prime::PrimeCurve;
use rand::rngs::OsRng;

mod cmp_pairing;
mod into_fr;

pub mod error;
pub mod poly;

#[cfg(feature = "serde")]
pub mod serde_impl;

use std::borrow::Borrow;
use std::cmp::Ordering;
use std::convert::TryFrom;
use std::fmt;
use std::hash::{Hash, Hasher};
use std::vec::Vec;

use ff::Field;
use group::{Curve, Group};
use hex_fmt::HexFmt;
use rand::distributions::{Distribution, Standard};
use rand::Rng;
use rand_chacha::rand_core::{RngCore, SeedableRng};
use rand_chacha::ChaChaRng;
#[cfg(feature = "serde")]
use serde::{Deserialize, Serialize};
use sha2::Sha256;
use subtle::ConstantTimeEq;
use zeroize::{Zeroize, Zeroizing};

use crate::cmp_pairing::cmp_projective;
use crate::error::{Error, FromBytesError, FromBytesResult, Result};
use crate::poly::{Commitment, Poly};

pub use crate::into_fr::{IntoScalar, TryIntoScalarSafe};

mod util;
use util::sha3_256;

pub use bls12_381::{pairing, G1Affine, G1Projective, G2Affine};

/// The size of a key's representation in bytes.
pub const PK_SIZE: usize = 48;

/// The size of a signature's representation in bytes.
pub const SIG_SIZE: usize = 96;

/// A public key.
///
/// Public keys are used to verify signatures and encrypt messages.
///
/// # Example
///
/// ```
/// use threshold_pairing::SecretKey;
///
/// let sk = SecretKey::random();
/// let pk = sk.public_key();
///
/// // Verify a signature
/// let sig = sk.sign(b"message");
/// assert!(pk.verify(&sig, b"message"));
///
/// // Encrypt a message
/// let ciphertext = pk.encrypt(b"secret message");
/// let decrypted = sk.decrypt(&ciphertext).unwrap();
/// assert_eq!(b"secret message".to_vec(), decrypted);
/// ```
#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
#[derive(Copy, Clone, PartialEq, Eq)]
pub struct PublicKey(
    #[cfg_attr(feature = "serde", serde(with = "serde_impl::projective"))] G1Projective,
);

impl Hash for PublicKey {
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.0.to_affine().to_compressed().as_ref().hash(state);
    }
}

impl fmt::Debug for PublicKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let uncomp = self.0.to_affine().to_uncompressed();
        write!(f, "PublicKey({:0.10})", HexFmt(uncomp))
    }
}

impl PartialOrd for PublicKey {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

impl Ord for PublicKey {
    fn cmp(&self, other: &Self) -> Ordering {
        cmp_projective(&self.0, &other.0)
    }
}

impl PublicKey {
    /// Returns `true` if the signature matches the element of `G2`.
    #[must_use = "verification result must be checked"]
    pub fn verify_g2<H: Into<G2Affine>>(&self, sig: &Signature, hash: H) -> bool {
        pairing(&self.0.into(), &hash.into()) == pairing(&G1Affine::generator(), &sig.0.into())
    }

    /// Returns `true` if the signature matches the message.
    ///
    /// This is equivalent to [`verify_g2`](Self::verify_g2)`(sig, `[`hash_g2`]`(msg))`.
    #[must_use = "verification result must be checked"]
    pub fn verify<M: AsRef<[u8]>>(&self, sig: &Signature, msg: M) -> bool {
        self.verify_g2(sig, hash_g2(msg))
    }

    /// Encrypts the message using the OS random number generator.
    ///
    /// Uses the `OsRng` by default. To pass in a custom random number generator, use
    /// `encrypt_with_rng()`.
    pub fn encrypt<M: AsRef<[u8]>>(&self, msg: M) -> Ciphertext {
        self.encrypt_with_rng(&mut OsRng, msg)
    }

    /// Encrypts the message.
    pub fn encrypt_with_rng<R: RngCore, M: AsRef<[u8]>>(&self, rng: &mut R, msg: M) -> Ciphertext {
        let mut r: Scalar = Scalar::random(rng);
        let u = G1Affine::generator().mul(r);
        let v: Vec<u8> = {
            let g = self.0.to_affine().mul(r);
            xor_with_hash(g, msg.as_ref())
        };
        let w = hash_g1_g2(u, &v).to_affine().mul(r);
        r.zeroize();
        Ciphertext(u, v, w)
    }

    /// Returns the key with the given representation, if valid.
    ///
    /// The `from_compressed` method performs full validation including subgroup
    /// checks to prevent small subgroup attacks.
    ///
    /// # Errors
    ///
    /// Returns [`FromBytesError::Invalid`] if:
    /// - The bytes do not represent a valid compressed G1 point
    /// - The point is not on the curve
    /// - The point is not in the correct subgroup
    ///
    /// # Example
    ///
    /// ```
    /// use threshold_pairing::{PublicKey, SecretKey, PK_SIZE};
    ///
    /// let sk = SecretKey::random();
    /// let pk = sk.public_key();
    ///
    /// // Round-trip through bytes
    /// let bytes: [u8; PK_SIZE] = pk.to_bytes();
    /// let pk2 = PublicKey::from_bytes(&bytes).expect("valid bytes");
    /// assert_eq!(pk, pk2);
    /// ```
    pub fn from_bytes<B: Borrow<[u8; PK_SIZE]>>(bytes: B) -> FromBytesResult<Self> {
        let affine: Option<G1Affine> = G1Affine::from_compressed(bytes.borrow()).into();
        let affine = affine.ok_or(FromBytesError::Invalid)?;
        Ok(PublicKey(affine.into()))
    }

    /// Returns a byte string representation of the public key.
    pub fn to_bytes(&self) -> [u8; PK_SIZE] {
        let mut bytes = [0u8; PK_SIZE];
        bytes.copy_from_slice(self.0.to_affine().to_compressed().as_ref());
        bytes
    }
}

impl TryFrom<&[u8; PK_SIZE]> for PublicKey {
    type Error = FromBytesError;

    fn try_from(bytes: &[u8; PK_SIZE]) -> FromBytesResult<Self> {
        Self::from_bytes(bytes)
    }
}

impl TryFrom<[u8; PK_SIZE]> for PublicKey {
    type Error = FromBytesError;

    fn try_from(bytes: [u8; PK_SIZE]) -> FromBytesResult<Self> {
        Self::from_bytes(bytes)
    }
}

impl fmt::LowerHex for PublicKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        for byte in self.to_bytes() {
            write!(f, "{:02x}", byte)?;
        }
        Ok(())
    }
}

impl fmt::UpperHex for PublicKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        for byte in self.to_bytes() {
            write!(f, "{:02X}", byte)?;
        }
        Ok(())
    }
}

impl fmt::Display for PublicKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{:x}", self)
    }
}

/// A public key share.
#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
#[derive(Clone, Copy, PartialEq, Eq, Hash, Ord, PartialOrd)]
pub struct PublicKeyShare(PublicKey);

impl fmt::Debug for PublicKeyShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let uncomp = (self.0).0.to_affine().to_uncompressed();
        write!(f, "PublicKeyShare({:0.10})", HexFmt(uncomp))
    }
}

impl PublicKeyShare {
    /// Returns `true` if the signature matches the element of `G2`.
    #[must_use = "verification result must be checked"]
    pub fn verify_g2<H: Into<G2Affine>>(&self, sig: &SignatureShare, hash: H) -> bool {
        self.0.verify_g2(&sig.0, hash)
    }

    /// Returns `true` if the signature matches the message.
    ///
    /// This is equivalent to [`verify_g2`](Self::verify_g2)`(sig, `[`hash_g2`]`(msg))`.
    #[must_use = "verification result must be checked"]
    pub fn verify<M: AsRef<[u8]>>(&self, sig: &SignatureShare, msg: M) -> bool {
        self.verify_g2(sig, hash_g2(msg))
    }

    /// Returns `true` if the decryption share matches the ciphertext.
    #[must_use = "verification result must be checked"]
    pub fn verify_decryption_share(&self, share: &DecryptionShare, ct: &Ciphertext) -> bool {
        let Ciphertext(ref u, ref v, ref w) = *ct;
        let hash = hash_g1_g2(*u, v);
        pairing(&share.0.into(), &hash.into()) == pairing(&(self.0).0.into(), &w.into())
    }

    /// Returns the key share with the given representation, if valid.
    pub fn from_bytes<B: Borrow<[u8; PK_SIZE]>>(bytes: B) -> FromBytesResult<Self> {
        Ok(PublicKeyShare(PublicKey::from_bytes(bytes)?))
    }

    /// Returns a byte string representation of the public key share.
    pub fn to_bytes(&self) -> [u8; PK_SIZE] {
        self.0.to_bytes()
    }
}

impl TryFrom<&[u8; PK_SIZE]> for PublicKeyShare {
    type Error = FromBytesError;

    fn try_from(bytes: &[u8; PK_SIZE]) -> FromBytesResult<Self> {
        Self::from_bytes(bytes)
    }
}

impl TryFrom<[u8; PK_SIZE]> for PublicKeyShare {
    type Error = FromBytesError;

    fn try_from(bytes: [u8; PK_SIZE]) -> FromBytesResult<Self> {
        Self::from_bytes(bytes)
    }
}

impl fmt::LowerHex for PublicKeyShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::LowerHex::fmt(&self.0, f)
    }
}

impl fmt::UpperHex for PublicKeyShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::UpperHex::fmt(&self.0, f)
    }
}

impl fmt::Display for PublicKeyShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::Display::fmt(&self.0, f)
    }
}

/// A BLS signature.
///
/// Signatures are created by signing a message with a [`SecretKey`] and can be verified
/// using the corresponding [`PublicKey`].
///
/// # Example
///
/// ```
/// use threshold_pairing::{SecretKey, Signature, SIG_SIZE};
///
/// let sk = SecretKey::random();
/// let pk = sk.public_key();
///
/// let sig = sk.sign(b"message");
/// assert!(pk.verify(&sig, b"message"));
///
/// // Serialize and deserialize
/// let bytes: [u8; SIG_SIZE] = sig.to_bytes();
/// let sig2 = Signature::from_bytes(&bytes).unwrap();
/// assert_eq!(sig, sig2);
/// ```
// Note: Random signatures can be generated for testing.
#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
#[derive(Clone, PartialEq, Eq)]
pub struct Signature(
    #[cfg_attr(feature = "serde", serde(with = "serde_impl::projective"))] G2Projective,
);

impl PartialOrd for Signature {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

impl Ord for Signature {
    fn cmp(&self, other: &Self) -> Ordering {
        cmp_projective(&self.0, &other.0)
    }
}

impl Distribution<Signature> for Standard {
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> Signature {
        Signature(G2Projective::random(rng))
    }
}

impl fmt::Debug for Signature {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let uncomp = self.0.to_affine().to_uncompressed();
        write!(f, "Signature({:0.10})", HexFmt(uncomp))
    }
}

impl Hash for Signature {
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.0.to_affine().to_compressed().as_ref().hash(state);
    }
}

impl Signature {
    /// Returns `true` if the signature contains an odd number of ones.
    pub fn parity(&self) -> bool {
        let uncomp = self.0.to_affine().to_uncompressed();
        let xor_bytes: u8 = uncomp.as_ref().iter().fold(0, |result, byte| result ^ byte);
        xor_bytes.count_ones() % 2 != 0
    }

    /// Returns the signature with the given representation, if valid.
    ///
    /// The `from_compressed` method performs full validation including subgroup
    /// checks to prevent small subgroup attacks.
    ///
    /// # Errors
    ///
    /// Returns [`FromBytesError::Invalid`] if:
    /// - The bytes do not represent a valid compressed G2 point
    /// - The point is not on the curve
    /// - The point is not in the correct subgroup
    ///
    /// # Example
    ///
    /// ```
    /// use threshold_pairing::{SecretKey, Signature, SIG_SIZE};
    ///
    /// let sk = SecretKey::random();
    /// let sig = sk.sign(b"message");
    ///
    /// // Round-trip through bytes
    /// let bytes: [u8; SIG_SIZE] = sig.to_bytes();
    /// let sig2 = Signature::from_bytes(&bytes).expect("valid bytes");
    /// assert_eq!(sig, sig2);
    /// ```
    pub fn from_bytes<B: Borrow<[u8; SIG_SIZE]>>(bytes: B) -> FromBytesResult<Self> {
        let affine: Option<G2Affine> = G2Affine::from_compressed(bytes.borrow()).into();
        let affine = affine.ok_or(FromBytesError::Invalid)?;
        Ok(Signature(affine.into()))
    }

    /// Returns a byte string representation of the signature.
    pub fn to_bytes(&self) -> [u8; SIG_SIZE] {
        let mut bytes = [0u8; SIG_SIZE];
        bytes.copy_from_slice(self.0.to_affine().to_compressed().as_ref());
        bytes
    }
}

impl TryFrom<&[u8; SIG_SIZE]> for Signature {
    type Error = FromBytesError;

    fn try_from(bytes: &[u8; SIG_SIZE]) -> FromBytesResult<Self> {
        Self::from_bytes(bytes)
    }
}

impl TryFrom<[u8; SIG_SIZE]> for Signature {
    type Error = FromBytesError;

    fn try_from(bytes: [u8; SIG_SIZE]) -> FromBytesResult<Self> {
        Self::from_bytes(bytes)
    }
}

impl fmt::LowerHex for Signature {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        for byte in self.to_bytes() {
            write!(f, "{:02x}", byte)?;
        }
        Ok(())
    }
}

impl fmt::UpperHex for Signature {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        for byte in self.to_bytes() {
            write!(f, "{:02X}", byte)?;
        }
        Ok(())
    }
}

impl fmt::Display for Signature {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{:x}", self)
    }
}

/// A signature share.
// Note: Random signature shares can be generated for testing.
#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
#[derive(Clone, PartialEq, Eq, Hash, Ord, PartialOrd)]
pub struct SignatureShare(Signature);

impl SignatureShare {
    /// Returns a reference to the inner signature.
    pub fn inner(&self) -> &Signature {
        &self.0
    }
}

impl Distribution<SignatureShare> for Standard {
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> SignatureShare {
        SignatureShare(rng.gen())
    }
}

impl fmt::Debug for SignatureShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let uncomp = (self.0).0.to_affine().to_uncompressed();
        write!(f, "SignatureShare({:0.10})", HexFmt(uncomp))
    }
}

impl SignatureShare {
    /// Returns the signature share with the given representation, if valid.
    pub fn from_bytes<B: Borrow<[u8; SIG_SIZE]>>(bytes: B) -> FromBytesResult<Self> {
        Ok(SignatureShare(Signature::from_bytes(bytes)?))
    }

    /// Returns a byte string representation of the signature share.
    pub fn to_bytes(&self) -> [u8; SIG_SIZE] {
        self.0.to_bytes()
    }
}

impl TryFrom<&[u8; SIG_SIZE]> for SignatureShare {
    type Error = FromBytesError;

    fn try_from(bytes: &[u8; SIG_SIZE]) -> FromBytesResult<Self> {
        Self::from_bytes(bytes)
    }
}

impl TryFrom<[u8; SIG_SIZE]> for SignatureShare {
    type Error = FromBytesError;

    fn try_from(bytes: [u8; SIG_SIZE]) -> FromBytesResult<Self> {
        Self::from_bytes(bytes)
    }
}

impl fmt::LowerHex for SignatureShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::LowerHex::fmt(&self.0, f)
    }
}

impl fmt::UpperHex for SignatureShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::UpperHex::fmt(&self.0, f)
    }
}

impl fmt::Display for SignatureShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::Display::fmt(&self.0, f)
    }
}

/// A secret key; wraps a single prime field element.
///
/// # Example
///
/// ```
/// use threshold_pairing::SecretKey;
///
/// // Generate a new random secret key
/// let sk = SecretKey::random();
///
/// // Sign a message
/// let signature = sk.sign(b"Hello, world!");
///
/// // Get the corresponding public key
/// let pk = sk.public_key();
/// assert!(pk.verify(&signature, b"Hello, world!"));
/// ```
///
/// # Serde integration
///
/// `SecretKey` implements `Deserialize` but not `Serialize` to avoid accidental
/// serialization in insecure contexts. To enable both use the [`serde_impl::SerdeSecret`]
/// wrapper which implements both `Deserialize` and `Serialize`.
///
/// # Security
///
/// - The secret key is zeroized on drop to prevent secret leakage.
/// - Equality comparison is performed in constant time to prevent timing attacks.
#[derive(Clone)]
pub struct SecretKey(Scalar);

impl PartialEq for SecretKey {
    fn eq(&self, other: &Self) -> bool {
        // Use constant-time comparison to prevent timing attacks
        self.0.to_bytes().ct_eq(&other.0.to_bytes()).into()
    }
}

impl Eq for SecretKey {}

impl Zeroize for SecretKey {
    fn zeroize(&mut self) {
        self.0.zeroize();
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        self.zeroize();
    }
}

impl Distribution<SecretKey> for Standard {
    /// Creates a new random instance of `SecretKey`. If you do not need to specify your own RNG,
    /// you should use the [`SecretKey::random()`](struct.SecretKey.html#method.random) constructor,
    /// which uses [`rand::thread_rng()`](https://docs.rs/rand/0.8.5/rand/fn.thread_rng.html)
    /// internally as its RNG.
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> SecretKey {
        SecretKey(Scalar::random(rng))
    }
}

/// A debug statement where the secret prime field element is redacted.
impl fmt::Debug for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_tuple("SecretKey").field(&DebugDots).finish()
    }
}

impl SecretKey {
    /// Creates a new `SecretKey` from a mutable reference to a field element. This constructor
    /// takes a reference to avoid unnecessary stack copying/moving of secrets (i.e. the field
    /// element). The field element is copied into the SecretKey and the source is zeroized.
    ///
    /// # Security
    /// The source scalar is zeroized after copying to prevent secret leakage.
    pub fn from_mut(s: &mut Scalar) -> Self {
        let sk = SecretKey(*s);
        s.zeroize();
        sk
    }

    /// Creates a new random instance of `SecretKey`.
    ///
    /// If you want to use/define your own random number generator, you should use
    /// [`rand::Rng::gen()`] instead. This method uses
    /// [`rand::thread_rng()`](https://docs.rs/rand/0.8.5/rand/fn.thread_rng.html)
    /// internally as its RNG.
    pub fn random() -> Self {
        rand::random()
    }

    /// Returns the matching public key.
    pub fn public_key(&self) -> PublicKey {
        PublicKey(G1Affine::generator().mul(self.0))
    }

    /// Signs the given element of `G2`.
    pub fn sign_g2<H: Into<G2Affine>>(&self, hash: H) -> Signature {
        Signature(hash.into().mul(self.0))
    }

    /// Signs the given message.
    ///
    /// This is equivalent to `sign_g2(hash_g2(msg))`.
    pub fn sign<M: AsRef<[u8]>>(&self, msg: M) -> Signature {
        self.sign_g2(hash_g2(msg))
    }

    /// Returns the decrypted plaintext, or an error if the ciphertext is invalid.
    ///
    /// This method first verifies the ciphertext using [`Ciphertext::verify`] to prevent
    /// chosen-ciphertext attacks. If verification fails, [`Error::InvalidCiphertext`] is
    /// returned. The error gives no information about the decryption key, preventing
    /// oracle attacks.
    ///
    /// # Errors
    ///
    /// Returns [`Error::InvalidCiphertext`] if the ciphertext fails the pairing-based
    /// integrity check. This may indicate tampering, corruption, or a chosen-ciphertext
    /// attack attempt.
    ///
    /// # Example
    ///
    /// ```
    /// use threshold_pairing::SecretKey;
    ///
    /// let sk = SecretKey::random();
    /// let pk = sk.public_key();
    ///
    /// let message = b"secret message";
    /// let ciphertext = pk.encrypt(message);
    ///
    /// let decrypted = sk.decrypt(&ciphertext).expect("valid ciphertext");
    /// assert_eq!(message.to_vec(), decrypted);
    /// ```
    pub fn decrypt(&self, ct: &Ciphertext) -> Result<Vec<u8>> {
        if !ct.verify() {
            return Err(Error::InvalidCiphertext);
        }
        let Ciphertext(ref u, ref v, _) = *ct;
        let g = u.to_affine().mul(self.0);
        Ok(xor_with_hash(g, v))
    }

    /// Generates a non-redacted debug string. This method differs from
    /// the `Debug` implementation in that it *does* leak the secret prime
    /// field element.
    ///
    /// # Security
    ///
    /// This method is intended for debugging purposes only. The output
    /// contains sensitive key material and should never be logged in
    /// production or exposed to untrusted parties.
    ///
    /// Requires the `expose-secret` feature flag to be enabled. This forces
    /// an explicit opt-in and prevents accidental inclusion in production builds.
    #[cfg(feature = "expose-secret")]
    pub fn reveal(&self) -> String {
        format!("SecretKey({:?})", self.0)
    }
}

/// A secret key share.
///
/// # Serde integration
/// `SecretKeyShare` implements `Deserialize` but not `Serialize` to avoid accidental
/// serialization in insecure contexts. To enable both use the `::serde_impl::SerdeSecret`
/// wrapper which implements both `Deserialize` and `Serialize`.
#[derive(Clone, PartialEq, Eq)]
pub struct SecretKeyShare(SecretKey);

/// Can be used to create a new random instance of `SecretKeyShare`. This is only useful for testing
/// purposes as such a key has not been derived from a `SecretKeySet`.
impl Distribution<SecretKeyShare> for Standard {
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> SecretKeyShare {
        SecretKeyShare(rng.gen())
    }
}

impl fmt::Debug for SecretKeyShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_tuple("SecretKeyShare").field(&DebugDots).finish()
    }
}

impl SecretKeyShare {
    /// Creates a new `SecretKeyShare` from a mutable reference to a field element.
    ///
    /// # Security
    /// The source scalar is zeroized after copying to prevent secret leakage.
    pub fn from_mut(s: &mut Scalar) -> Self {
        SecretKeyShare(SecretKey::from_mut(s))
    }

    /// Returns the matching public key share.
    pub fn public_key_share(&self) -> PublicKeyShare {
        PublicKeyShare(self.0.public_key())
    }

    /// Signs the given element of `G2`.
    pub fn sign_g2<H: Into<G2Affine>>(&self, hash: H) -> SignatureShare {
        SignatureShare(self.0.sign_g2(hash))
    }

    /// Signs the given message.
    pub fn sign<M: AsRef<[u8]>>(&self, msg: M) -> SignatureShare {
        SignatureShare(self.0.sign(msg))
    }

    /// Returns a decryption share, or `None`, if the ciphertext isn't valid.
    pub fn decrypt_share(&self, ct: &Ciphertext) -> Option<DecryptionShare> {
        if !ct.verify() {
            return None;
        }
        Some(self.decrypt_share_no_verify(ct))
    }

    /// Returns a decryption share, without validating the ciphertext.
    ///
    /// # Security
    ///
    /// This method skips ciphertext integrity verification and is therefore **not** safe
    /// to call on ciphertexts received from untrusted parties. Producing a decryption share
    /// for an unverified ciphertext breaks the CCA2 security of the threshold encryption
    /// scheme: an attacker can submit crafted ciphertexts and exploit the resulting shares
    /// to extract plaintext information.
    ///
    /// Use [`decrypt_share`](Self::decrypt_share) for all network-facing code.
    /// This method is intentionally restricted to crate-internal use.
    pub(crate) fn decrypt_share_no_verify(&self, ct: &Ciphertext) -> DecryptionShare {
        DecryptionShare(ct.0.to_affine().mul((self.0).0))
    }

    /// Generates a non-redacted debug string. This method differs from
    /// the `Debug` implementation in that it *does* leak the secret prime
    /// field element.
    ///
    /// # Security
    ///
    /// This method is intended for debugging purposes only. The output
    /// contains sensitive key material and should never be logged in
    /// production or exposed to untrusted parties.
    ///
    /// Requires the `expose-secret` feature flag to be enabled. This forces
    /// an explicit opt-in and prevents accidental inclusion in production builds.
    #[cfg(feature = "expose-secret")]
    pub fn reveal(&self) -> String {
        format!("SecretKeyShare({:?})", (self.0).0)
    }
}

/// An encrypted message.
///
/// Ciphertexts are created by encrypting a message with a [`PublicKey`] and can be
/// decrypted using the corresponding [`SecretKey`].
///
/// # Security
///
/// Always call [`Ciphertext::verify`] before processing a ciphertext from an untrusted
/// source to prevent chosen-ciphertext attacks. The [`SecretKey::decrypt`] method
/// performs this check automatically.
///
/// # Known Limitations
///
/// **Plaintext length is not hidden.** The ciphertext `v` component is an XOR-encrypted
/// byte string of exactly the same length as the plaintext. An observer can therefore
/// determine the exact length of any encrypted message from the ciphertext size alone.
/// If message length is sensitive in your protocol, pad all messages to a uniform length
/// before encrypting.
///
/// # Example
///
/// ```
/// use threshold_pairing::SecretKey;
///
/// let sk = SecretKey::random();
/// let pk = sk.public_key();
///
/// let message = b"secret message";
/// let ciphertext = pk.encrypt(message);
///
/// // Verify the ciphertext is valid
/// assert!(ciphertext.verify());
///
/// let decrypted = sk.decrypt(&ciphertext).unwrap();
/// assert_eq!(message.to_vec(), decrypted);
/// ```
#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Ciphertext(
    #[cfg_attr(feature = "serde", serde(with = "serde_impl::projective"))] G1Projective,
    Vec<u8>,
    #[cfg_attr(feature = "serde", serde(with = "serde_impl::projective"))] G2Projective,
);

impl Hash for Ciphertext {
    fn hash<H: Hasher>(&self, state: &mut H) {
        let Ciphertext(ref u, ref v, ref w) = *self;
        u.to_affine().to_compressed().as_ref().hash(state);
        v.hash(state);
        w.to_affine().to_compressed().as_ref().hash(state);
    }
}

impl PartialOrd for Ciphertext {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

impl Ord for Ciphertext {
    fn cmp(&self, other: &Self) -> Ordering {
        let Ciphertext(ref u0, ref v0, ref w0) = self;
        let Ciphertext(ref u1, ref v1, ref w1) = other;
        cmp_projective(u0, u1)
            .then(v0.cmp(v1))
            .then(cmp_projective(w0, w1))
    }
}

impl Ciphertext {
    /// Returns `true` if this is a valid ciphertext. This check is necessary to prevent
    /// chosen-ciphertext attacks. Implementation treats ciphertexts with either `u` or
    /// `v` as the identity point as invalid.
    #[must_use = "verification result must be checked"]
    pub fn verify(&self) -> bool {
        let Ciphertext(ref u, ref v, ref w) = *self;
        if bool::from(u.is_identity()) || bool::from(w.is_identity()) {
            return false;
        }
        let hash = hash_g1_g2(*u, v);
        pairing(&G1Affine::generator(), &w.into()) == pairing(&u.into(), &hash.into())
    }
}

/// A decryption share. A threshold of decryption shares can be used to decrypt a message.
///
/// Decryption shares are created by calling [`SecretKeyShare::decrypt_share`] on a
/// [`Ciphertext`]. Once `threshold + 1` shares are collected, they can be combined
/// using [`PublicKeySet::decrypt`] to recover the original plaintext.
///
/// # Example
///
/// ```
/// use std::collections::BTreeMap;
/// use threshold_pairing::SecretKeySet;
///
/// let mut rng = rand::thread_rng();
/// let sk_set = SecretKeySet::random(2, &mut rng);
/// let pk_set = sk_set.public_keys();
///
/// let message = b"secret";
/// let ciphertext = pk_set.public_key().encrypt(message);
///
/// // Each participant creates a decryption share
/// let shares: BTreeMap<_, _> = (0..3usize)
///     .map(|i| {
///         let share = sk_set.secret_key_share(i).unwrap()
///             .decrypt_share(&ciphertext).unwrap();
///         (i, share)
///     })
///     .collect();
///
/// // Combine shares to decrypt
/// let decrypted = pk_set.decrypt(&shares, &ciphertext).unwrap();
/// assert_eq!(message.to_vec(), decrypted);
/// ```
#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
#[derive(Clone, PartialEq, Eq)]
pub struct DecryptionShare(
    #[cfg_attr(feature = "serde", serde(with = "serde_impl::projective"))] G1Projective,
);

impl PartialOrd for DecryptionShare {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

impl Ord for DecryptionShare {
    fn cmp(&self, other: &Self) -> Ordering {
        cmp_projective(&self.0, &other.0)
    }
}

impl Distribution<DecryptionShare> for Standard {
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> DecryptionShare {
        DecryptionShare(G1Projective::random(rng))
    }
}

impl Hash for DecryptionShare {
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.0.to_affine().to_compressed().as_ref().hash(state);
    }
}

impl fmt::Debug for DecryptionShare {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_tuple("DecryptionShare").field(&DebugDots).finish()
    }
}

/// A public key and an associated set of public key shares.
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
#[derive(Clone, Debug, PartialEq, Eq, Ord, PartialOrd)]
pub struct PublicKeySet {
    /// The coefficients of a polynomial whose value at `0` is the "master key", and value at
    /// `i + 1` is key share number `i`.
    commit: Commitment,
}

impl Hash for PublicKeySet {
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.commit.hash(state);
    }
}

impl From<Commitment> for PublicKeySet {
    fn from(commit: Commitment) -> PublicKeySet {
        PublicKeySet { commit }
    }
}

impl PublicKeySet {
    /// Returns the threshold `t`: any set of `t + 1` signature shares can be combined into a full
    /// signature.
    pub fn threshold(&self) -> usize {
        self.commit.degree()
    }

    /// Returns the public key.
    pub fn public_key(&self) -> PublicKey {
        PublicKey(self.commit.coeff[0])
    }

    /// Returns the `i`-th public key share.
    ///
    /// # Errors
    ///
    /// Returns [`Error::IndexMapsToZero`] if `i` maps to the zero scalar after the internal
    /// `index + 1` offset (e.g. `-1i32`). This prevents a caller from accidentally
    /// retrieving the master public key through an out-of-range signed index.
    pub fn public_key_share<T: TryIntoScalarSafe>(&self, i: T) -> Result<PublicKeyShare> {
        let value = self.commit.evaluate(into_scalar_plus_1(i)?);
        Ok(PublicKeyShare(PublicKey(value)))
    }

    /// Combines the shares into a signature that can be verified with the main public key.
    ///
    /// The validity of the shares is not checked: If one of them is invalid, the resulting
    /// signature also is. Only returns an error if there is a duplicate index or too few shares.
    ///
    /// Validity of signature shares should be checked beforehand, or validity of the result
    /// afterwards.
    ///
    /// # Errors
    ///
    /// - [`Error::NotEnoughShares`]: Fewer than `threshold + 1` shares were provided
    /// - [`Error::DuplicateEntry`]: Two shares have the same index
    ///
    /// # Example
    ///
    /// ```
    /// # extern crate rand;
    /// #
    /// # use std::collections::BTreeMap;
    /// # use threshold_pairing::SecretKeySet;
    /// #
    /// let sk_set = SecretKeySet::random(3, &mut rand::thread_rng());
    /// let sk_shares: Vec<_> = (0..6usize)
    ///     .map(|i| sk_set.secret_key_share(i).expect("valid index"))
    ///     .collect();
    /// let pk_set = sk_set.public_keys();
    /// let msg = "Happy birthday! If this is signed, at least four people remembered!";
    ///
    /// // Create four signature shares for the message.
    /// let sig_shares: BTreeMap<_, _> = (0..4).map(|i| (i, sk_shares[i].sign(msg))).collect();
    ///
    /// // Validate the signature shares.
    /// for (i, sig_share) in &sig_shares {
    ///     assert!(pk_set.public_key_share(*i).expect("valid index").verify(sig_share, msg));
    /// }
    ///
    /// // Combine them to produce the main signature.
    /// let sig = pk_set.combine_signatures(&sig_shares).expect("not enough shares");
    ///
    /// // Validate the main signature. If the shares were valid, this can't fail.
    /// assert!(pk_set.public_key().verify(&sig, msg));
    /// ```
    ///
    /// # Security
    ///
    /// Signature share validity is **not** checked by this method. A single invalid or
    /// maliciously crafted share silently produces an invalid combined signature. In
    /// adversarial settings, callers **must** verify each share against its corresponding
    /// [`PublicKeyShare`] before combining:
    ///
    /// ```
    /// # use std::collections::BTreeMap;
    /// # use threshold_pairing::SecretKeySet;
    /// # let sk_set = SecretKeySet::random(2, &mut rand::thread_rng());
    /// # let pk_set = sk_set.public_keys();
    /// # let msg = b"msg";
    /// # let sig_shares: BTreeMap<usize, _> = (0..3usize)
    /// #     .map(|i| (i, sk_set.secret_key_share(i).unwrap().sign(msg)))
    /// #     .collect();
    /// for (i, sig_share) in &sig_shares {
    ///     assert!(pk_set.public_key_share(*i).expect("valid index").verify(sig_share, msg));
    /// }
    /// ```
    ///
    /// Validity of the result can also be checked afterwards by verifying the combined
    /// signature against [`PublicKeySet::public_key`].
    pub fn combine_signatures<'a, T, I>(&self, shares: I) -> Result<Signature>
    where
        I: IntoIterator<Item = (T, &'a SignatureShare)>,
        T: TryIntoScalarSafe,
    {
        let samples = shares.into_iter().map(|(i, share)| (i, &(share.0).0));
        Ok(Signature(interpolate(self.commit.degree(), samples)?))
    }

    /// Combines the shares to decrypt the ciphertext.
    ///
    /// The ciphertext is verified before interpolation. Decryption share validity is
    /// **not** checked; use [`decrypt_with_verification`](Self::decrypt_with_verification)
    /// if you need per-share verification in adversarial settings.
    ///
    /// # Errors
    ///
    /// - [`Error::InvalidCiphertext`]: The ciphertext failed integrity verification
    /// - [`Error::NotEnoughShares`]: Fewer than `threshold + 1` shares were provided
    /// - [`Error::DuplicateEntry`]: Two shares have the same index
    ///
    /// # Example
    ///
    /// ```
    /// use std::collections::BTreeMap;
    /// use threshold_pairing::SecretKeySet;
    ///
    /// let mut rng = rand::thread_rng();
    /// let sk_set = SecretKeySet::random(2, &mut rng);
    /// let pk_set = sk_set.public_keys();
    ///
    /// let message = b"secret message";
    /// let ciphertext = pk_set.public_key().encrypt(message);
    ///
    /// // Collect 3 decryption shares
    /// let shares: BTreeMap<_, _> = (0..3usize)
    ///     .map(|i| {
    ///         let share = sk_set.secret_key_share(i).unwrap()
    ///             .decrypt_share(&ciphertext).unwrap();
    ///         (i, share)
    ///     })
    ///     .collect();
    ///
    /// let decrypted = pk_set.decrypt(&shares, &ciphertext).expect("valid shares");
    /// assert_eq!(message.to_vec(), decrypted);
    /// ```
    pub fn decrypt<'a, T, I>(&self, shares: I, ct: &Ciphertext) -> Result<Vec<u8>>
    where
        I: IntoIterator<Item = (T, &'a DecryptionShare)>,
        T: TryIntoScalarSafe,
    {
        if !ct.verify() {
            return Err(Error::InvalidCiphertext);
        }
        let samples = shares.into_iter().map(|(i, share)| (i, &share.0));
        let g = interpolate(self.commit.degree(), samples)?;
        Ok(xor_with_hash(g, &ct.1))
    }

    /// Combines the shares to decrypt the ciphertext, verifying each decryption share
    /// against its corresponding public key share before interpolation.
    ///
    /// This is the recommended method in adversarial settings where individual participants
    /// may submit invalid or malicious decryption shares.
    ///
    /// # Errors
    ///
    /// - [`Error::InvalidCiphertext`]: The ciphertext failed integrity verification
    /// - [`Error::NotEnoughShares`]: Fewer than `threshold + 1` shares were provided
    /// - [`Error::DuplicateEntry`]: Two shares have the same index
    /// - [`Error::InvalidShare`]: A decryption share failed verification against its
    ///   public key share
    ///
    /// # Example
    ///
    /// ```
    /// use std::collections::BTreeMap;
    /// use threshold_pairing::SecretKeySet;
    ///
    /// let mut rng = rand::thread_rng();
    /// let sk_set = SecretKeySet::random(2, &mut rng);
    /// let pk_set = sk_set.public_keys();
    ///
    /// let message = b"secret message";
    /// let ciphertext = pk_set.public_key().encrypt(message);
    ///
    /// // Collect 3 decryption shares together with their public key shares
    /// let shares: BTreeMap<_, _> = (0..3usize)
    ///     .map(|i| {
    ///         let sk_share = sk_set.secret_key_share(i).unwrap();
    ///         let pk_share = pk_set.public_key_share(i).unwrap();
    ///         let dec_share = sk_share.decrypt_share(&ciphertext).unwrap();
    ///         (i, (dec_share, pk_share))
    ///     })
    ///     .collect();
    ///
    /// let decrypted = pk_set
    ///     .decrypt_with_verification(
    ///         shares.iter().map(|(i, (d, p))| (*i, d, p)),
    ///         &ciphertext,
    ///     )
    ///     .expect("valid shares");
    /// assert_eq!(message.to_vec(), decrypted);
    /// ```
    pub fn decrypt_with_verification<'a, T, I>(&self, shares: I, ct: &Ciphertext) -> Result<Vec<u8>>
    where
        I: IntoIterator<Item = (T, &'a DecryptionShare, &'a PublicKeyShare)>,
        T: TryIntoScalarSafe,
    {
        if !ct.verify() {
            return Err(Error::InvalidCiphertext);
        }
        let verified: Vec<_> = shares
            .into_iter()
            .map(|(i, dec_share, pk_share)| {
                if !pk_share.verify_decryption_share(dec_share, ct) {
                    return Err(Error::InvalidShare);
                }
                Ok((i, dec_share))
            })
            .collect::<Result<_>>()?;
        let samples = verified.into_iter().map(|(i, share)| (i, &share.0));
        let g = interpolate(self.commit.degree(), samples)?;
        Ok(xor_with_hash(g, &ct.1))
    }
}

/// A secret key and an associated set of secret key shares.
#[derive(Clone, PartialEq, Eq)]
pub struct SecretKeySet {
    /// The coefficients of a polynomial whose value at `0` is the "master key", and value at
    /// `i + 1` is key share number `i`.
    poly: Poly,
}

impl From<Poly> for SecretKeySet {
    fn from(poly: Poly) -> SecretKeySet {
        SecretKeySet { poly }
    }
}

impl SecretKeySet {
    /// Creates a set of secret key shares, where any `threshold + 1` of them can collaboratively
    /// sign and decrypt. This constructor is identical to [`SecretKeySet::try_random`] in every
    /// way except that this constructor panics if the other returns an error.
    ///
    /// # Panics
    ///
    /// Panics if the `threshold` is too large for the coefficients to fit into a `Vec`.
    /// For fallible construction, use [`SecretKeySet::try_random`] instead.
    ///
    /// # Example
    ///
    /// ```
    /// use threshold_pairing::SecretKeySet;
    ///
    /// let mut rng = rand::thread_rng();
    /// let sk_set = SecretKeySet::random(2, &mut rng);
    ///
    /// // Get shares for participants
    /// let share_0 = sk_set.secret_key_share(0usize).expect("valid index");
    /// let share_1 = sk_set.secret_key_share(1usize).expect("valid index");
    /// ```
    pub fn random<R: Rng>(threshold: usize, rng: &mut R) -> Self {
        SecretKeySet::try_random(threshold, rng)
            .unwrap_or_else(|e| panic!("Failed to create random `SecretKeySet`: {}", e))
    }

    /// Creates a set of secret key shares, where any `threshold + 1` of them can collaboratively
    /// sign and decrypt. This constructor is identical to [`SecretKeySet::random`] in every
    /// way except that this constructor returns an `Err` where `random` would panic.
    ///
    /// # Errors
    ///
    /// Returns [`Error::DegreeTooHigh`] if the `threshold` is too large for the
    /// coefficients to fit into a `Vec`.
    pub fn try_random<R: Rng>(threshold: usize, rng: &mut R) -> Result<Self> {
        Poly::try_random(threshold, rng).map(SecretKeySet::from)
    }

    /// Returns the threshold `t`: any set of `t + 1` signature shares can be combined into a full
    /// signature.
    pub fn threshold(&self) -> usize {
        self.poly.degree()
    }

    /// Returns the `i`-th secret key share.
    ///
    /// # Errors
    ///
    /// Returns [`Error::IndexMapsToZero`] if `i` maps to the zero scalar after the internal
    /// `index + 1` offset (e.g. `-1i32`). This prevents a caller from accidentally
    /// retrieving the master secret key through an out-of-range signed index.
    pub fn secret_key_share<T: TryIntoScalarSafe>(&self, i: T) -> Result<SecretKeyShare> {
        let mut fr = self.poly.evaluate(into_scalar_plus_1(i)?);
        Ok(SecretKeyShare::from_mut(&mut fr))
    }

    /// Returns the corresponding public key set. That information can be shared publicly.
    pub fn public_keys(&self) -> PublicKeySet {
        PublicKeySet {
            commit: self.poly.commitment(),
        }
    }

    /// Returns the secret master key.
    #[cfg(test)]
    fn secret_key(&self) -> SecretKey {
        let mut fr = self.poly.evaluate(0);
        SecretKey::from_mut(&mut fr)
    }
}

/// Domain separation tag for BLS signatures following the IETF BLS draft specification.
/// This ensures signatures cannot be replayed across different protocols.
pub const BLS_SIG_DST: &[u8] = b"BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_";

/// Returns a hash of the given message in `G2` using the standard hash-to-curve
/// algorithm (RFC 9380 / draft-irtf-cfrg-hash-to-curve).
///
/// This implementation uses the recommended domain separation tag and provides
/// proper security properties required for BLS signatures.
///
/// This function is useful when you need to pre-hash a message for use with
/// [`PublicKey::verify_g2`] or [`SecretKey::sign_g2`], or when implementing
/// custom signature schemes.
///
/// # Example
///
/// ```
/// use threshold_pairing::{hash_g2, SecretKey};
///
/// let sk = SecretKey::random();
/// let pk = sk.public_key();
///
/// let message = b"Hello, world!";
/// let hash = hash_g2(message);
///
/// // Sign using the pre-computed hash
/// let sig = sk.sign_g2(hash);
///
/// // Verify using the same hash
/// assert!(pk.verify_g2(&sig, hash));
/// ```
pub fn hash_g2<M: AsRef<[u8]>>(msg: M) -> G2Projective {
    <G2Projective as HashToCurve<ExpandMsgXmd<Sha256>>>::hash_to_curve(msg, BLS_SIG_DST)
}

/// Domain separation tag for threshold encryption hash function.
/// This ensures separation from the signature scheme.
const THRESHOLD_ENC_DST: &[u8] = b"THRESHOLD_ENC_BLS12381G2_XMD:SHA-256_SSWU_RO_";

/// Returns a hash of the group element and message, in the second group.
///
/// Uses proper domain separation to ensure cryptographic independence from
/// the signature scheme.
fn hash_g1_g2<M: AsRef<[u8]>>(g1: G1Projective, msg: M) -> G2Projective {
    // Concatenate the compressed G1 point with the message for hashing
    let mut data = g1.to_affine().to_compressed().as_ref().to_vec();
    data.extend_from_slice(msg.as_ref());
    <G2Projective as HashToCurve<ExpandMsgXmd<Sha256>>>::hash_to_curve(&data, THRESHOLD_ENC_DST)
}

/// Returns the bitwise xor of `bytes` with a sequence of pseudorandom bytes determined by `g1`.
fn xor_with_hash(g1: G1Projective, bytes: &[u8]) -> Vec<u8> {
    let digest = sha3_256(g1.to_affine().to_compressed().as_ref());
    let rng = ChaChaRng::from_seed(digest);
    let xor = |(a, b): (u8, &u8)| a ^ b;
    rng.sample_iter(&Standard).zip(bytes).map(xor).collect()
}

/// Given a list of `t + 1` samples `(i - 1, f(i) * g)` for a polynomial `f` of degree `t`, and a
/// group generator `g`, returns `f(0) * g`.
fn interpolate<C, B, T, I>(t: usize, items: I) -> Result<C>
where
    C: PrimeCurve<Scalar = Scalar>,
    I: IntoIterator<Item = (T, B)>,
    T: TryIntoScalarSafe,
    B: Borrow<C>,
{
    let samples: Vec<_> = items
        .into_iter()
        .take(t + 1)
        .map(|(i, sample)| -> Result<_> { Ok((into_scalar_plus_1(i)?, sample)) })
        .collect::<Result<_>>()?;
    if samples.len() <= t {
        return Err(Error::NotEnoughShares);
    }

    if t == 0 {
        return Ok(*samples[0].1.borrow());
    }

    // Compute the products `x_prod[i]` of all but the `i`-th entry.
    let mut x_prod: Vec<Zeroizing<C::Scalar>> = Vec::with_capacity(t);
    let mut tmp = Zeroizing::new(C::Scalar::one());
    x_prod.push(Zeroizing::new(*tmp));
    for (x, _) in samples.iter().take(t) {
        tmp.mul_assign(x);
        x_prod.push(Zeroizing::new(*tmp));
    }
    *tmp = C::Scalar::one();
    for (i, (x, _)) in samples[1..].iter().enumerate().rev() {
        tmp.mul_assign(x);
        x_prod[i].mul_assign(&*tmp);
    }

    let mut result = C::identity();
    for (mut l0, (x, sample)) in x_prod.into_iter().zip(&samples) {
        // Compute the value at 0 of the Lagrange polynomial that is `0` at the other data
        // points but `1` at `x`.
        let mut denom = Zeroizing::new(C::Scalar::one());
        for (x0, _) in samples.iter().filter(|(x0, _)| x0 != x) {
            let mut diff = Zeroizing::new(*x0);
            diff.sub_assign(x);
            denom.mul_assign(&*diff);
        }
        l0.mul_assign(&Option::from(denom.invert()).ok_or(Error::DuplicateEntry)?);
        result.add_assign(&sample.borrow().to_affine().mul(*l0));
    }
    Ok(result)
}

/// Converts a share index to the scalar used as the polynomial evaluation point (`index + 1`),
/// rejecting any index that would map to zero (which would expose the master secret).
///
/// # Errors
///
/// Returns [`Error::IndexMapsToZero`] when `x + 1 ≡ 0 (mod p)` (e.g. `x = -1i32`).
fn into_scalar_plus_1<I: TryIntoScalarSafe>(x: I) -> Result<Scalar> {
    let s = x.try_into_scalar_safe()?;
    let mut result = Scalar::one();
    result.add_assign(&s);
    Ok(result)
}

/// Type that implements `Debug` printing three dots. This can be used to hide the contents of a
/// field in a `Debug` implementation.
struct DebugDots;

impl fmt::Debug for DebugDots {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "...")
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    use std::collections::BTreeMap;

    use rand::{self, distributions::Standard, random, Rng};

    #[test]
    fn test_simple_sig() {
        let sk0 = SecretKey::random();
        let sk1 = SecretKey::random();
        let pk0 = sk0.public_key();
        let msg0 = b"Real news";
        let msg1 = b"Fake news";
        assert!(pk0.verify(&sk0.sign(msg0), msg0));
        assert!(!pk0.verify(&sk1.sign(msg0), msg0)); // Wrong key.
        assert!(!pk0.verify(&sk0.sign(msg1), msg0)); // Wrong message.
    }

    #[test]
    fn test_threshold_sig() {
        let mut rng = rand::thread_rng();
        let sk_set = SecretKeySet::random(3, &mut rng);
        let pk_set = sk_set.public_keys();
        let pk_master = pk_set.public_key();

        // Make sure the keys are different, and the first coefficient is the main key.
        assert_ne!(pk_master, pk_set.public_key_share(0usize).unwrap().0);
        assert_ne!(pk_master, pk_set.public_key_share(1usize).unwrap().0);
        assert_ne!(pk_master, pk_set.public_key_share(2usize).unwrap().0);

        // Make sure we don't hand out the main secret key to anyone.
        let sk_master = sk_set.secret_key();
        let sk_share_0 = sk_set.secret_key_share(0usize).unwrap().0;
        let sk_share_1 = sk_set.secret_key_share(1usize).unwrap().0;
        let sk_share_2 = sk_set.secret_key_share(2usize).unwrap().0;
        assert_ne!(sk_master, sk_share_0);
        assert_ne!(sk_master, sk_share_1);
        assert_ne!(sk_master, sk_share_2);

        let msg = "Totally real news";

        // The threshold is 3, so 4 signature shares will suffice to recreate the share.
        let sigs: BTreeMap<_, _> = [5usize, 8, 7, 10]
            .iter()
            .map(|&i| {
                let sig = sk_set.secret_key_share(i).unwrap().sign(msg);
                (i, sig)
            })
            .collect();

        // Each of the shares is a valid signature matching its public key share.
        for (i, sig) in &sigs {
            assert!(pk_set.public_key_share(*i).unwrap().verify(sig, msg));
        }

        // Combined, they produce a signature matching the main public key.
        let sig = pk_set.combine_signatures(&sigs).expect("signatures match");
        assert!(pk_set.public_key().verify(&sig, msg));

        // A different set of signatories produces the same signature.
        let sigs2: BTreeMap<_, _> = [42usize, 43, 44, 45]
            .iter()
            .map(|&i| {
                let sig = sk_set.secret_key_share(i).unwrap().sign(msg);
                (i, sig)
            })
            .collect();
        let sig2 = pk_set.combine_signatures(&sigs2).expect("signatures match");
        assert_eq!(sig, sig2);
    }

    #[test]
    fn test_simple_enc() {
        let sk_bob: SecretKey = random();
        let sk_eve: SecretKey = random();
        let pk_bob = sk_bob.public_key();
        let msg = b"Muffins in the canteen today! Don't tell Eve!";
        let ciphertext = pk_bob.encrypt(&msg[..]);
        assert!(ciphertext.verify());

        // Bob can decrypt the message.
        let decrypted = sk_bob.decrypt(&ciphertext).expect("invalid ciphertext");
        assert_eq!(msg[..], decrypted[..]);

        // Eve decrypts the ciphertext with her key — the ciphertext is valid (verification
        // is key-independent), but she gets garbage plaintext because she has the wrong key.
        let decrypted_eve = sk_eve
            .decrypt(&ciphertext)
            .expect("ciphertext verifies fine");
        assert_ne!(msg[..], decrypted_eve[..]);

        // Eve tries to trick Bob into decrypting `msg` xor `v`, but it doesn't validate.
        let Ciphertext(u, v, w) = ciphertext;
        let fake_ciphertext = Ciphertext(u, vec![0; v.len()], w);
        assert!(!fake_ciphertext.verify());
        assert!(sk_bob.decrypt(&fake_ciphertext).is_err());
    }

    #[test]
    fn test_random_extreme_thresholds() {
        let mut rng = rand::thread_rng();
        let sks = SecretKeySet::random(0, &mut rng);
        assert_eq!(0, sks.threshold());
        assert!(SecretKeySet::try_random(usize::MAX, &mut rng).is_err());
    }

    #[test]
    fn test_threshold_enc() {
        let mut rng = rand::thread_rng();
        let sk_set = SecretKeySet::random(3, &mut rng);
        let pk_set = sk_set.public_keys();
        let msg = b"Totally real news";
        let ciphertext = pk_set.public_key().encrypt(&msg[..]);

        // The threshold is 3, so 4 signature shares will suffice to decrypt.
        let shares: BTreeMap<_, _> = [5usize, 8, 7, 10]
            .iter()
            .map(|&i| {
                let dec_share = sk_set
                    .secret_key_share(i)
                    .unwrap()
                    .decrypt_share(&ciphertext)
                    .expect("ciphertext is invalid");
                (i, dec_share)
            })
            .collect();

        // Each of the shares is valid matching its public key share.
        for (i, share) in &shares {
            assert!(pk_set
                .public_key_share(*i)
                .unwrap()
                .verify_decryption_share(share, &ciphertext));
        }

        // Combined, they can decrypt the message.
        let decrypted = pk_set
            .decrypt(&shares, &ciphertext)
            .expect("decryption shares match");
        assert_eq!(msg[..], decrypted[..]);
    }

    /// Some basic sanity checks for the `hash_g2` function.
    #[test]
    fn test_hash_g2() {
        let rng = rand::thread_rng();
        let msg: Vec<u8> = rng.sample_iter(&Standard).take(1000).collect();
        let msg_end0: Vec<u8> = msg.iter().chain(b"end0").cloned().collect();
        let msg_end1: Vec<u8> = msg.iter().chain(b"end1").cloned().collect();

        assert_eq!(hash_g2(&msg), hash_g2(&msg));
        assert_ne!(hash_g2(&msg), hash_g2(&msg_end0));
        assert_ne!(hash_g2(&msg_end0), hash_g2(msg_end1));
    }

    /// Some basic sanity checks for the `hash_g1_g2` function.
    #[test]
    fn test_hash_g1_g2() {
        let mut rng = rand::thread_rng();
        let msg: Vec<u8> = (&mut rng).sample_iter(&Standard).take(1000).collect();
        let msg_end0: Vec<u8> = msg.iter().chain(b"end0").cloned().collect();
        let msg_end1: Vec<u8> = msg.iter().chain(b"end1").cloned().collect();
        let g0 = G1Projective::random(&mut rng);
        let g1 = G1Projective::random(&mut rng);

        assert_eq!(hash_g1_g2(g0, &msg), hash_g1_g2(g0, &msg));
        assert_ne!(hash_g1_g2(g0, &msg), hash_g1_g2(g0, &msg_end0));
        assert_ne!(hash_g1_g2(g0, &msg_end0), hash_g1_g2(g0, msg_end1));
        assert_ne!(hash_g1_g2(g0, &msg), hash_g1_g2(g1, &msg));
    }

    /// Some basic sanity checks for the `hash_bytes` function.
    #[test]
    fn test_xor_with_hash() {
        let mut rng = rand::thread_rng();
        let g0 = G1Projective::random(&mut rng);
        let g1 = G1Projective::random(&mut rng);
        let xwh = xor_with_hash;
        assert_eq!(xwh(g0, &[0; 5]), xwh(g0, &[0; 5]));
        assert_ne!(xwh(g0, &[0; 5]), xwh(g1, &[0; 5]));
        assert_eq!(5, xwh(g0, &[0; 5]).len());
        assert_eq!(6, xwh(g0, &[0; 6]).len());
        assert_eq!(20, xwh(g0, &[0; 20]).len());
    }

    #[test]
    fn test_from_to_bytes() {
        let sk: SecretKey = random();
        let sig = sk.sign("Please sign here: ______");
        let pk = sk.public_key();
        let pk2 = PublicKey::from_bytes(pk.to_bytes()).expect("invalid pk representation");
        assert_eq!(pk, pk2);
        let sig2 = Signature::from_bytes(sig.to_bytes()).expect("invalid sig representation");
        assert_eq!(sig, sig2);
    }

    #[test]
    #[cfg(feature = "bincode")]
    fn test_serde() {
        let sk = SecretKey::random();
        let sig = sk.sign("Please sign here: ______");
        let pk = sk.public_key();
        let ser_pk = bincode::serde::encode_to_vec(pk, bincode::config::legacy())
            .expect("serialize public key");
        let (deser_pk, _) = bincode::serde::decode_from_slice(&ser_pk, bincode::config::legacy())
            .expect("deserialize public key");
        assert_eq!(ser_pk.len(), PK_SIZE);
        assert_eq!(pk, deser_pk);
        let ser_sig = bincode::serde::encode_to_vec(&sig, bincode::config::legacy())
            .expect("serialize signature");
        let (deser_sig, _) = bincode::serde::decode_from_slice(&ser_sig, bincode::config::legacy())
            .expect("deserialize signature");
        assert_eq!(ser_sig.len(), SIG_SIZE);
        assert_eq!(sig, deser_sig);
    }

    #[test]
    fn test_zeroize() {
        let zero_sk = SecretKey::from_mut(&mut Scalar::zero());

        let mut sk = SecretKey::random();
        assert_ne!(zero_sk, sk);

        sk.zeroize();
        assert_eq!(zero_sk, sk);
    }

    #[test]
    fn test_rng_seed() {
        let sk1 = SecretKey::random();
        let sk2 = SecretKey::random();

        assert_ne!(sk1, sk2);
        let mut seed = [0u8; 32];
        rand::thread_rng().fill_bytes(&mut seed);

        let mut rng = ChaChaRng::from_seed(seed);
        let sk3: SecretKey = rng.sample(Standard);

        let mut rng = ChaChaRng::from_seed(seed);
        let sk4: SecretKey = rng.sample(Standard);
        assert_eq!(sk3, sk4);
    }

    /// Compile-time check that a type is `Send + Sync`.
    fn assert_send_sync<T: Send + Sync>() {}

    /// Verify all public types are `Send + Sync`.
    #[test]
    fn types_are_send_and_sync() {
        assert_send_sync::<PublicKey>();
        assert_send_sync::<PublicKeyShare>();
        assert_send_sync::<Signature>();
        assert_send_sync::<SignatureShare>();
        assert_send_sync::<SecretKey>();
        assert_send_sync::<SecretKeyShare>();
        assert_send_sync::<Ciphertext>();
        assert_send_sync::<DecryptionShare>();
        assert_send_sync::<PublicKeySet>();
        assert_send_sync::<SecretKeySet>();
    }
}