FROST Ed25519 TypeScript Library - v0.2.2-alpha.3
    Preparing search index...

    Interface Ed25519Sha512Impl

    An implementation of the FROST(Ed25519, SHA-512) ciphersuite.

    This ciphersuite uses:

    • Ed25519 group for group operations
    • SHA-512 for hashing
    • 32-byte serialization for both scalars and points

    The ciphersuite follows RFC 9591 Section 6.1 specification.

    interface Ed25519Sha512Impl {
        ID: "FROST-ED25519-SHA512-v1";
        group: Ed25519GroupImpl;
        Scalar: Ed25519Scalar;
        Element: Ed25519Point;
        VerifyingKey: VerifyingKey<Ed25519Sha512Impl>;
        SigningKey: SigningKey<Ed25519Sha512Impl>;
        scalarZero(): Ed25519Scalar;
        scalarOne(): Ed25519Scalar;
        scalarInvert(scalar: Ed25519Scalar): Ed25519Scalar;
        scalarRandom(rng: { fill(array: Uint8Array): void }): Ed25519Scalar;
        serializeScalar(scalar: Ed25519Scalar): Uint8Array;
        deserializeScalar(bytes: Uint8Array): Ed25519Scalar;
        scalarAdd(a: Ed25519Scalar, b: Ed25519Scalar): Ed25519Scalar;
        scalarSub(a: Ed25519Scalar, b: Ed25519Scalar): Ed25519Scalar;
        scalarMul(a: Ed25519Scalar, b: Ed25519Scalar): Ed25519Scalar;
        scalarsEqual(a: Ed25519Scalar, b: Ed25519Scalar): boolean;
        elementSize(): number;
        scalarSize(): number;
        cofactor(): Ed25519Scalar;
        identity(): Ed25519Point;
        generator(): Ed25519Point;
        serializeElement(element: Ed25519Point): Uint8Array;
        deserializeElement(bytes: Uint8Array): Ed25519Point;
        elementAdd(a: Ed25519Point, b: Ed25519Point): Ed25519Point;
        elementSub(a: Ed25519Point, b: Ed25519Point): Ed25519Point;
        elementMul(element: Ed25519Point, scalar: Ed25519Scalar): Ed25519Point;
        scalarBaseMult(scalar: Ed25519Scalar): Ed25519Point;
        elementsEqual(a: Ed25519Point, b: Ed25519Point): boolean;
        isIdentity(element: Ed25519Point): boolean;
        H1(m: Uint8Array): Ed25519Scalar;
        H2(m: Uint8Array): Ed25519Scalar;
        H3(m: Uint8Array): Ed25519Scalar;
        H4(m: Uint8Array): Uint8Array;
        H5(m: Uint8Array): Uint8Array;
        HDKG(m: Uint8Array): Ed25519Scalar | null;
        HID(m: Uint8Array): Ed25519Scalar | null;
        hashRandomizer(m: Uint8Array): Ed25519Scalar | null;
        challenge(
            R: Ed25519Point,
            verifyingKey: unknown,
            message: Uint8Array,
        ): Challenge<Ed25519Sha512Impl>;
        computeBindingFactorList<C extends Ciphersuite>(
            signingPackage: SigningPackage<C>,
            verifyingKey: unknown,
            additionalPrefix: Uint8Array,
        ): BindingFactorList<C>;
        computeGroupCommitment<C extends Ciphersuite>(
            signingPackage: SigningPackage<C>,
            bindingFactorList: BindingFactorList<C>,
        ): GroupCommitment<C>;
        deriveInterpolatingValue<C extends Ciphersuite>(
            signerId: {
                toScalar(): unknown;
                serialize(): Uint8Array;
                clone(): unknown;
            },
            signingPackage: SigningPackage<C>,
        ): Ed25519Scalar;
    }

    Implements

    • RandomizedCiphersuite
    Index

    Properties

    ID group Scalar Element VerifyingKey SigningKey

    Methods

    scalarZero scalarOne scalarInvert scalarRandom serializeScalar deserializeScalar scalarAdd scalarSub scalarMul scalarsEqual elementSize scalarSize cofactor identity generator serializeElement deserializeElement elementAdd elementSub elementMul scalarBaseMult elementsEqual isIdentity H1 H2 H3 H4 H5 HDKG HID hashRandomizer challenge computeBindingFactorList computeGroupCommitment deriveInterpolatingValue

    Properties

    ID: "FROST-ED25519-SHA512-v1" = CONTEXT_STRING

    The ciphersuite ID string. It should be equal to the contextString in the spec. For new ciphersuites, this should be a string that identifies the ciphersuite; it's recommended to use a similar format to the ciphersuites in the FROST spec, e.g. "FROST-RISTRETTO255-SHA512-v1".

    group: Ed25519GroupImpl

    The prime order group (or subgroup) that this ciphersuite operates over. Provides access to Field and Group operations in a hierarchical manner.

    Scalar: Ed25519Scalar

    The scalar type for this ciphersuite

    Element: Ed25519Point

    The element type for this ciphersuite

    VerifyingKey: VerifyingKey<Ed25519Sha512Impl>

    The verifying key type

    SigningKey: SigningKey<Ed25519Sha512Impl>

    The signing key type

    Methods

    • Returns the zero element of the field, the additive identity.

      Returns Ed25519Scalar

    • Returns the one element of the field, the multiplicative identity.

      Returns Ed25519Scalar

    • Computes the multiplicative inverse of an element of the scalar field.

      Parameters

      • scalar: Ed25519Scalar

      Returns Ed25519Scalar

      Error if the element is zero

    • Generate a random scalar from the entire space [0, l-1]

      Parameters

      • rng: { fill(array: Uint8Array): void }

      Returns Ed25519Scalar

    • Serialize a scalar to bytes.

      Parameters

      • scalar: Ed25519Scalar

      Returns Uint8Array

    • Deserialize a scalar from bytes.

      Parameters

      • bytes: Uint8Array

      Returns Ed25519Scalar

      Error if the bytes are not a valid scalar encoding

    • Add two scalars.

      Parameters

      • a: Ed25519Scalar
      • b: Ed25519Scalar

      Returns Ed25519Scalar

    • Subtract two scalars.

      Parameters

      • a: Ed25519Scalar
      • b: Ed25519Scalar

      Returns Ed25519Scalar

    • Multiply two scalars.

      Parameters

      • a: Ed25519Scalar
      • b: Ed25519Scalar

      Returns Ed25519Scalar

    • Check if two scalars are equal.

      Parameters

      • a: Ed25519Scalar
      • b: Ed25519Scalar

      Returns boolean

    • Returns the size in bytes of a serialized element.

      Returns number

    • Returns the size in bytes of a serialized scalar.

      Returns number

    • The order of the quotient group when the prime order subgroup divides the order of the full curve group. For prime order curves, this should return 1.

      Returns Ed25519Scalar

    • Additive identity of the prime order group.

      Returns Ed25519Point

    • The fixed generator element of the prime order group.

      Returns Ed25519Point

    • Serialize an element to bytes.

      Parameters

      • element: Ed25519Point

      Returns Uint8Array

      Error if the element is the identity

    • Deserialize an element from bytes.

      Parameters

      • bytes: Uint8Array

      Returns Ed25519Point

      Error if the bytes are not a valid element encoding or represent the identity

    • Add two group elements.

      Parameters

      • a: Ed25519Point
      • b: Ed25519Point

      Returns Ed25519Point

    • Subtract two group elements.

      Parameters

      • a: Ed25519Point
      • b: Ed25519Point

      Returns Ed25519Point

    • Multiply a group element by a scalar.

      Parameters

      • element: Ed25519Point
      • scalar: Ed25519Scalar

      Returns Ed25519Point

    • Scalar multiplication with the generator (g * scalar).

      Parameters

      • scalar: Ed25519Scalar

      Returns Ed25519Point

    • Check if two elements are equal.

      Parameters

      • a: Ed25519Point
      • b: Ed25519Point

      Returns boolean

    • Check if an element is the identity.

      Parameters

      • element: Ed25519Point

      Returns boolean

    • H2 for FROST(Ed25519, SHA-512)

      H2(m) = SHA-512(m)

      Note: Unlike other hash functions, H2 for Ed25519 does NOT include the context string or any domain separator. This matches the Rust implementation and RFC 9591 Section 6.1.

      Parameters

      • m: Uint8Array

      Returns Ed25519Scalar

      https://datatracker.ietf.org/doc/html/rfc9591#section-6.1-2.4.2.4

    • HDKG for FROST(Ed25519, SHA-512)

      HDKG(m) = SHA-512("FROST-ED25519-SHA512-v1" || "dkg" || m)

      Used for distributed key generation.

      Parameters

      • m: Uint8Array

      Returns Ed25519Scalar | null

    • HID for FROST(Ed25519, SHA-512)

      HID(m) = SHA-512("FROST-ED25519-SHA512-v1" || "id" || m)

      Used for deriving identifiers from arbitrary byte strings.

      Parameters

      • m: Uint8Array

      Returns Ed25519Scalar | null

    • hashRandomizer for RandomizedCiphersuite

      hashRandomizer(m) = SHA-512("FROST-ED25519-SHA512-v1" || "randomizer" || m)

      Used for re-randomized FROST signatures.

      Parameters

      • m: Uint8Array

      Returns Ed25519Scalar | null

    • Compute the signature challenge.

      For Ed25519, this follows the FROST challenge computation from RFC 9591 Section 6.1.

      Parameters

      • R: Ed25519Point
      • verifyingKey: unknown
      • message: Uint8Array

      Returns Challenge<Ed25519Sha512Impl>

    • Compute binding factors for all participants.

      Type Parameters

      Parameters

      • signingPackage: SigningPackage<C>
      • verifyingKey: unknown
      • additionalPrefix: Uint8Array

      Returns BindingFactorList<C>

    • Compute the group commitment from all signing commitments.

      Type Parameters

      Parameters

      • signingPackage: SigningPackage<C>
      • bindingFactorList: BindingFactorList<C>

      Returns GroupCommitment<C>

    • Derive the interpolating value (Lagrange coefficient) for a participant.

      Type Parameters

      Parameters

      • signerId: { toScalar(): unknown; serialize(): Uint8Array; clone(): unknown }
      • signingPackage: SigningPackage<C>

      Returns Ed25519Scalar

    Settings

    Member Visibility

    On This Page

    Properties
    Methods