signer

package
v1.22.87 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 18, 2026 License: BSD-3-Clause Imports: 5 Imported by: 0

Documentation

Index

Constants

View Source 
const RTKeyLen = 1952

RTKeyLen is the length of Ringtail public keys (ML-DSA-65 public key)

View Source 
const RTSigLen = 3309

RTSigLen is the length of Ringtail signatures (ML-DSA-65 signature)

Variables

View Source 
var (
	ErrMissingBLSKey  = errors.New("missing BLS public key")
	ErrMissingRTKey   = errors.New("missing Ringtail public key for Q-Chain validator")
	ErrHybridRequired = errors.New("both BLS and RT keys required for Q-Chain validators")
)
View Source 
var (
	ErrInvalidRTProofOfPossession = errors.New("invalid Ringtail proof of possession")
	ErrRTKeyRequired              = errors.New("Ringtail public key required for Q-Chain validators")
	ErrInvalidRTKeyLength         = errors.New("invalid Ringtail public key length")
	ErrInvalidRTSigLength         = errors.New("invalid Ringtail signature length")
)
View Source 
var (
	ErrInvalidProofOfPossession = errors.New("invalid proof of possession")
)

Functions

This section is empty.

Types

type Empty 

type Empty struct{}

func (*Empty) Key 

func (*Empty) Key() *bls.PublicKey

func (*Empty) Verify 

func (*Empty) Verify() error

type HybridProofOfPossession added in v1.22.86 

type HybridProofOfPossession struct {
	BLS *ProofOfPossession   `serialize:"true" json:"bls"`
	RT  *RTProofOfPossession `serialize:"true" json:"rt"`
}

HybridProofOfPossession combines BLS and Ringtail proofs of possession. This is REQUIRED for all Q-Chain validators to bind both classical and post-quantum keys to their validator identity.

Wire format:

  • BLS PublicKey: 48 bytes (compressed)
  • BLS ProofOfPossession: 96 bytes
  • RT PublicKey: 1952 bytes (ML-DSA-65)
  • RT ProofOfPossession: 3309 bytes (ML-DSA-65 signature)

func NewHybridProofOfPossession added in v1.22.86 

func NewHybridProofOfPossession(
	blsSigner bls.Signer,
	rtPublicKey []byte,
	rtSign func(msg []byte) ([]byte, error),
) (*HybridProofOfPossession, error)

NewHybridProofOfPossession creates a new hybrid proof combining BLS and RT.

func (*HybridProofOfPossession) HasRT added in v1.22.86 

func (h *HybridProofOfPossession) HasRT() bool

HasRT returns true if this hybrid signer has an RT key.

func (*HybridProofOfPossession) Key added in v1.22.86 

func (h *HybridProofOfPossession) Key() *bls.PublicKey

Key returns the BLS public key (implements Signer).

func (*HybridProofOfPossession) MarshalJSON added in v1.22.86 

func (h *HybridProofOfPossession) MarshalJSON() ([]byte, error)

func (*HybridProofOfPossession) RTKey added in v1.22.86 

func (h *HybridProofOfPossession) RTKey() []byte

RTKey returns the Ringtail public key (implements RTSigner).

func (*HybridProofOfPossession) UnmarshalJSON added in v1.22.86 

func (h *HybridProofOfPossession) UnmarshalJSON(b []byte) error

func (*HybridProofOfPossession) ValidateForQChain added in v1.22.86 

func (h *HybridProofOfPossession) ValidateForQChain() error

ValidateForQChain verifies that this hybrid signer has all required key material for Q-Chain validation. This enforces: - BLS key present and valid - RT key present and valid

func (*HybridProofOfPossession) Verify added in v1.22.86 

func (h *HybridProofOfPossession) Verify() error

Verify verifies both BLS and RT proofs of possession.

type HybridSigner added in v1.22.86 

type HybridSigner interface {
	Signer
	RTSigner

	// HasRT returns true if this signer has a Ringtail key.
	// For Q-Chain validators, this MUST return true.
	HasRT() bool
}

HybridSigner extends Signer with post-quantum Ringtail key support. This is the key material binding interface for Q-Chain validators.

NodeID X corresponds to:

  • TLS pubkey A (staking certificate) - established during TLS handshake
  • BLS pubkey B (aggregate signatures) - from ProofOfPossession
  • RT pubkey C (post-quantum security) - from RTProofOfPossession

All three keys must be bound to the same validator identity for Q-Chain consensus to be secure against both classical and quantum attacks.

type ProofOfPossession 

type ProofOfPossession struct {
	PublicKey [bls.PublicKeyLen]byte `serialize:"true" json:"publicKey"`
	// BLS signature proving ownership of [PublicKey]. The signed message is the
	// [PublicKey].
	ProofOfPossession [bls.SignatureLen]byte `serialize:"true" json:"proofOfPossession"`
	// contains filtered or unexported fields
}

func NewProofOfPossession 

func NewProofOfPossession(sk bls.Signer) (*ProofOfPossession, error)

func (*ProofOfPossession) Key 

func (p *ProofOfPossession) Key() *bls.PublicKey

func (*ProofOfPossession) MarshalJSON 

func (p *ProofOfPossession) MarshalJSON() ([]byte, error)

func (*ProofOfPossession) UnmarshalJSON 

func (p *ProofOfPossession) UnmarshalJSON(b []byte) error

func (*ProofOfPossession) Verify 

func (p *ProofOfPossession) Verify() error

type RTProofOfPossession added in v1.22.86 

type RTProofOfPossession struct {
	// PublicKey is the ML-DSA-65 public key (1952 bytes)
	PublicKey []byte `serialize:"true" json:"publicKey"`
	// ProofOfPossession is the ML-DSA signature over PublicKey, proving ownership
	ProofOfPossession []byte `serialize:"true" json:"proofOfPossession"`
}

RTProofOfPossession proves ownership of a Ringtail (ML-DSA) keypair. This is REQUIRED for all Q-Chain validators.

Key material binding: NodeID X corresponds to:

  • TLS pubkey A (staking certificate)
  • BLS pubkey B (aggregate signatures)
  • RT pubkey C (post-quantum security)

The RTProofOfPossession binds the RT public key to the validator identity by requiring a signature over the public key itself.

func NewRTProofOfPossession added in v1.22.86 

func NewRTProofOfPossession(publicKey []byte, sign func(msg []byte) ([]byte, error)) (*RTProofOfPossession, error)

NewRTProofOfPossession creates a new RTProofOfPossession from a private key. The signature is created over the public key bytes.

func (*RTProofOfPossession) MarshalJSON added in v1.22.86 

func (p *RTProofOfPossession) MarshalJSON() ([]byte, error)

func (*RTProofOfPossession) RTKey added in v1.22.86 

func (p *RTProofOfPossession) RTKey() []byte

RTKey returns the Ringtail public key.

func (*RTProofOfPossession) UnmarshalJSON added in v1.22.86 

func (p *RTProofOfPossession) UnmarshalJSON(b []byte) error

func (*RTProofOfPossession) Verify added in v1.22.86 

func (p *RTProofOfPossession) Verify() error

Verify verifies the proof of possession signature.

type RTSigner added in v1.22.86 

type RTSigner interface {
	Verify() error
	RTKey() []byte
}

RTSigner interface for Ringtail proof of possession

type Signer 

type Signer interface {
	verify.Verifiable

	// Key returns the public BLS key if it exists.
	// Note: [nil] will be returned if the key does not exist.
	// Invariant: Only called after [Verify] returns [nil].
	Key() *bls.PublicKey
}

Source Files

View all Source files

Directories

Path Synopsis
Package signermock is a generated GoMock package.
 Package signermock is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.