[GG20 / Paillier]
- Parallelized Paillier proofs
  - Generation and verification run in parallel across independent rounds.
  - Deterministic outputs; no shared mutable state.
- ZKSetup → Blum integers
  - ĤN = p·q with p ≡ q ≡ 3 (mod 4).
  - h1, h2 sampled as squares of units ⇒ h1, h2 ∈ QR(ĤN); gcd checks enforced.
- BiPrimeProof (new)
  - Proves Blum & square-free modulus.
  - Validator binds proof.N to PaillierPublicKey.n; rejects mismatches.
- NoSmallFactorProof (new)
  - Proves absence of small factors; challenge length l=256.
  - Validators reject N < 2048 bits and commitments not coprime to ĤN.
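
Added example (not the project's code): a sketch of the ZKSetup sampling rule and the structural validator checks listed above, run before any proof equation is evaluated. The function names, the toy primes, the `min_bits` parameter and the h range test are assumptions of this example; `n_hat` stands for ĤN, and BiPrimeProof and NoSmallFactorProof themselves are not implemented here.

```python
import math
import secrets

MIN_MODULUS_BITS = 2048       # size floor stated in the notes
TOY_P, TOY_Q = 1019, 1031     # constructed toy primes, both 3 mod 4; far too small for real use


def is_blum_pair(p, q):
    """Blum condition on the factors (primality of p and q is assumed, not tested here)."""
    return p != q and p % 4 == 3 and q % 4 == 3


def sample_qr(n_hat):
    """Return h = r^2 mod n_hat for a random unit r, so h is in QR(n_hat) by construction."""
    while True:
        r = secrets.randbelow(n_hat - 2) + 2
        h = pow(r, 2, n_hat)
        # gcd check: r must be a unit; h == 1 is skipped as degenerate (assumption of this example)
        if math.gcd(r, n_hat) == 1 and h != 1:
            return h


def is_qr_with_factors(h, p, q):
    """Setup-side self-test using the secret factors: Euler's criterion modulo each prime.
    For a Blum integer, n_hat - 1 fails this test even though its Jacobi symbol is +1."""
    return pow(h, (p - 1) // 2, p) == 1 and pow(h, (q - 1) // 2, q) == 1


def precheck(proof_n, paillier_n, n_hat, h1, h2, commitments, min_bits=MIN_MODULUS_BITS):
    """Structural checks run before any proof equation; returns None or a rejection reason."""
    if proof_n != paillier_n:
        return "proof.N is not bound to PaillierPublicKey.n"
    if paillier_n.bit_length() < min_bits:
        return "N below minimum bit length"
    for h in (h1, h2):
        # range test is an assumption of this example; the gcd test is the one the notes name
        if not 1 < h < n_hat or math.gcd(h, n_hat) != 1:
            return "h1/h2 is not a unit modulo n_hat"
    for c in commitments:
        if math.gcd(c, n_hat) != 1:
            return "commitment not coprime to n_hat"
    return None
```
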
[FROST]
- AAD (additionalContext)
  - Included in all transcript hashes for the signing session.
- Domain tags
  - H1/H2 use explicit tags ("FROST.H1", "FROST.H2") + AAD.
  - PoP challenge uses "FROST.POP" || AAD || Y_i || R.