Skip to main content

Crate osst

Crate osst 

Source
Expand description

One-Step Schnorr Threshold Identification (OSST)

Implementation of the OSST protocol from: “One-Step Schnorr Threshold Identification” by Foteinos Mergoupis-Anagnou (GRNET)

§Properties

  • Non-interactive: provers generate proofs independently
  • Share-free: verifier only needs group public key, not individual shares
  • Asynchronous: provers submit proofs at their own pace
  • Threshold: requires t-of-n provers to verify

§Security

Proven secure under (t-1)-OMDL assumption in the random oracle model.

§Curve Backends

  • ristretto255 (default): Polkadot/sr25519 compatible
  • pallas: Zcash Orchard compatible

§Example

use osst::{SecretShare, verify};

// After DKG, each custodian has a share
let share = SecretShare::new(index, scalar);

// Generate contribution (Schnorr proof)
let contribution = share.contribute(&mut rng, &payload);

// Verifier collects t contributions and verifies
let valid = verify(&group_pubkey, &contributions, threshold, &payload)?;

Re-exports§

pub use curve::OsstCurve;
pub use curve::OsstPoint;
pub use curve::OsstScalar;
pub use curve::ristretto::Ristretto255;
pub use ristretto255::Contribution as RistrettoContribution;
pub use ristretto255::SecretShare as RistrettoSecretShare;

Modules§

curve
Curve abstraction for OSST
liveness
Liveness proofs for custodian participation
reshare
Proactive secret sharing reshare protocol
ristretto255
Ristretto255 (Polkadot-compatible) OSST types

Structs§

Contribution
A single custodian’s contribution to the threshold proof
OsstBuilder
Builder for collecting OSST contributions
OsstProof
Aggregated OSST proof ready for on-chain verification
SecretShare
A secret share from DKG

Enums§

OsstError
Errors that can occur during OSST operations

Functions§

compute_lagrange_coefficients
Compute Lagrange interpolation coefficients for a set of indices.
compute_weights
Compute weights and normalizer for OSST verification
hash_to_challenge
Hash a point and payload to a scalar challenge H(u_i || payload) -> c_i
verify
Verify an OSST proof
verify_incremental
Incremental verification: check if adding a new contribution preserves validity