Crate threshold_pairing

Expand description

A pairing-based threshold cryptosystem for collaborative decryption and signatures.

This crate provides cryptographic primitives for threshold signatures and threshold encryption based on BLS12-381 elliptic curve pairings. It enables t+1 of n participants to collaboratively sign messages or decrypt ciphertexts, where t is the threshold.

§Features

Threshold Signatures: Any t+1 participants can produce a valid signature
Threshold Encryption: Messages can only be decrypted with t+1 decryption shares
Distributed Key Generation: Tools for generating keys without a trusted dealer
RFC 9380 Compliant: Uses standard hash-to-curve algorithms

§Quick Start

§Simple Signatures

use threshold_pairing::SecretKey;

let sk = SecretKey::random();
let pk = sk.public_key();

let message = b"Hello, world!";
let signature = sk.sign(message);

assert!(pk.verify(&signature, message));

§Threshold Signatures

use std::collections::BTreeMap;
use threshold_pairing::SecretKeySet;

// Create a key set with threshold 2 (requires 3 shares to sign)
let mut rng = rand::thread_rng();
let sk_set = SecretKeySet::random(2, &mut rng);
let pk_set = sk_set.public_keys();

let message = b"Threshold signed message";

// Collect 3 signature shares
let shares: BTreeMap<_, _> = (0..3usize)
    .map(|i| (i, sk_set.secret_key_share(i).expect("valid index").sign(message)))
    .collect();

// Combine shares into a full signature
let signature = pk_set.combine_signatures(&shares).expect("not enough shares");
assert!(pk_set.public_key().verify(&signature, message));

§Modules

poly: Polynomial and commitment types for distributed key generation
error: Error types for cryptographic operations
serde_impl: Serialization helpers, including serde_impl::SerdeSecret for secret keys

§Feature Flags

serde (enabled by default): Enables Serialize and Deserialize impls for all public types
bincode: Enables bincode serialization support (requires serde)
serialization: Convenience feature that enables both serde and bincode
expose-secret: Enables reveal() methods on secret types for debugging (dev/debug only, never use in production)

§Security

This crate follows cryptographic best practices:

Secret keys are zeroized on drop
Constant-time comparison for secret key equality
RFC 9380 hash-to-curve for BLS signatures
Domain separation between signature and encryption schemes

§Caller responsibility for returned secret material

Several methods return values that may contain sensitive material — for example, SecretKey::decrypt returns a Vec<u8> plaintext, and SecretKeySet::secret_key_share returns a SecretKeyShare. This crate zeroizes its own internal state on drop, but it cannot control what the caller does with returned values.

If you need the returned material to be erased from memory after use, wrap it in zeroize::Zeroizing yourself:

use threshold_pairing::SecretKey;
use zeroize::Zeroizing;

let sk = SecretKey::random();
let pk = sk.public_key();
let ciphertext = pk.encrypt(b"secret");

// Wrap the plaintext so it is zeroized when dropped.
let plaintext = Zeroizing::new(sk.decrypt(&ciphertext).unwrap());
// `plaintext` is zeroed when it goes out of scope.

Re-exports§

pub use bls12_381;
pub use ff;

Modules§

error: Crypto errors.
poly: Utilities for distributed key generation: uni- and bivariate polynomials and commitments.
serde_impl: Serialization and deserialization implementations for group and field elements.

Structs§

Ciphertext: An encrypted message.
DecryptionShare: A decryption share. A threshold of decryption shares can be used to decrypt a message.
G1Affine: This is an element of $\mathbb{G}_1$ represented in the affine coordinate space. It is ideal to keep elements in this representation to reduce memory usage and improve performance through the use of mixed curve model arithmetic.
G1Projective: This is an element of $\mathbb{G}_1$ represented in the projective coordinate space.
G2Affine: This is an element of $\mathbb{G}_2$ represented in the affine coordinate space. It is ideal to keep elements in this representation to reduce memory usage and improve performance through the use of mixed curve model arithmetic.
PublicKey: A public key.
PublicKeySet: A public key and an associated set of public key shares.
PublicKeyShare: A public key share.
SecretKey: A secret key; wraps a single prime field element.
SecretKeySet: A secret key and an associated set of secret key shares.
SecretKeyShare: A secret key share.
Signature: A BLS signature.
SignatureShare: A signature share.

Constants§

BLS_SIG_DST: Domain separation tag for BLS signatures following the IETF BLS draft specification. This ensures signatures cannot be replayed across different protocols.
PK_SIZE: The size of a key’s representation in bytes.
SIG_SIZE: The size of a signature’s representation in bytes.

Traits§

IntoScalar: A conversion into an element of the scalar field.
TryIntoScalarSafe: A safe conversion into a non-zero scalar field element, suitable for use as a share index.

Functions§

hash_g2: Returns a hash of the given message in G2 using the standard hash-to-curve algorithm (RFC 9380 / draft-irtf-cfrg-hash-to-curve).
pairing: Invoke the pairing function without the use of precomputation and other optimizations.