Releases: tkeeper-org/tss4j

Release v0.0.12

23 Mar 16:05

Features

  • Added secp256r1 (NIST P-256) curve support in FROST & GG20 signatures and ECIES cipher ops.

Fixes

  • Replaced the static HKDF domain separator with one derived from the cipher and curve identifiers, so keys derived under different ciphers or curves are separated by construction
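What cipher- and curve-id-based domain separation looks like in practice, as an added example (Python, standard library only). This is not tss4j code: the identifier registry, the protocol label and the layout of the HKDF info field are assumptions of the example, since the page does not give tss4j's actual values. It pairs a minimal RFC 5869 HKDF with a derivation that binds both ids into the info field, next to the static variant it replaces.

```python
import hashlib
import hmac

# Minimal HKDF (RFC 5869) over HMAC-SHA256, standard library only.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869: an absent salt is HashLen zero bytes.
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Hypothetical identifier registries; tss4j's actual ids are not on the page.
CIPHER_IDS = {"AES-256-GCM": 1, "ChaCha20Poly1305": 2}
CURVE_IDS = {"secp256k1": 1, "ed25519": 2, "secp256r1": 3}

def _field(b: bytes) -> bytes:
    # Length-prefix every field so the info string parses unambiguously.
    return len(b).to_bytes(2, "big") + b

def derive_key(shared_secret: bytes, cipher: str, curve: str, salt: bytes = b"") -> bytes:
    """Fixed shape: the cipher id and the curve id are part of the HKDF info."""
    info = (_field(b"tss4j-ecies-example")          # hypothetical protocol label
            + _field(bytes([CIPHER_IDS[cipher]]))
            + _field(bytes([CURVE_IDS[curve]])))
    return hkdf_expand(hkdf_extract(salt, shared_secret), info, 32)

def derive_key_static(shared_secret: bytes, cipher: str, curve: str, salt: bytes = b"") -> bytes:
    """Pre-fix shape: one fixed label, so cipher and curve are ignored and the same
    shared secret yields the same key for every (cipher, curve) pair."""
    del cipher, curve
    return hkdf_expand(hkdf_extract(salt, shared_secret), b"tss4j-ecies-example", 32)
```

The RFC 5869 test vector checks the HKDF itself; the point of `derive_key` is that one shared secret produces unrelated keys for secp256k1 versus secp256r1, or AES-GCM versus ChaCha20-Poly1305, whereas `derive_key_static` hands out the same key in every case.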

Release v0.0.11

22 Mar 18:17

FROST

  • Aligned the Ed25519 and secp256k1 ciphersuites with RFC 9591: the H1 binding-factor input now includes the group public key, pre-hashes the message and commitment list with H4/H5, and places the participant identifier last
  • Fixed SerializeScalar encoding: 32-byte little-endian for Ed25519, 32-byte big-endian for secp256k1 (was a 4-byte int32 big-endian for both, which cannot represent a full-width scalar)
  • H2 for Ed25519 now correctly omits domain separator for RFC 8032 compatibility
  • Implemented H3 hedged nonce generation (H3(random_bytes(32) || SerializeScalar(sk_i))) per RFC 9591 Section 4.1
  • Added RFC 9591 Appendix E test vectors for both ciphersuites (H1–H5, nonce generation, binding factors, signature aggregation)
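The three FROST details above (fixed-width SerializeScalar, the H1 binding-factor input order, and hedged H3 nonce generation) written out for the Ed25519 and secp256k1 suites, as an added example that is not tss4j code. The curve orders and the RFC 9591 context string are taken from the specifications; `legacy_serialize_scalar` is a reconstruction of the 4-byte int32 shape described above; the commitment encodings fed to `binding_factors` are opaque 32-byte strings standing in for real group elements. H1/H3/H4/H5 are the Ed25519-suite definitions; the secp256k1 suite's H1 and H3 go through hash_to_field and are not implemented here.

```python
import hashlib
import secrets
from typing import Optional

# Group orders, taken from the curve specifications (not from the release notes).
ED25519_L = 2**252 + 27742317777372353535851937790883648493
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
ED25519_CTX = b"FROST-ED25519-SHA512-v1"   # RFC 9591 contextString for the Ed25519 suite

# Ciphersuite -> (scalar byte order, group order), per RFC 9591 SerializeScalar.
SUITES = {"ed25519": ("little", ED25519_L), "secp256k1": ("big", SECP256K1_N)}

def serialize_scalar(suite: str, s: int) -> bytes:
    order, q = SUITES[suite]
    if not 0 <= s < q:
        raise ValueError("scalar must be reduced modulo the group order")
    return s.to_bytes(32, order)           # always exactly 32 bytes

def deserialize_scalar(suite: str, buf: bytes) -> int:
    order, q = SUITES[suite]
    if len(buf) != 32:
        raise ValueError("scalar encoding must be 32 bytes")
    s = int.from_bytes(buf, order)
    if s >= q:
        raise ValueError("scalar not reduced")
    return s

def legacy_serialize_scalar(s: int) -> bytes:
    """Reconstruction of the pre-v0.0.11 shape: a 4-byte int32 big-endian.
    Any scalar >= 2**32, i.e. every real secret share, cannot be encoded at all."""
    return s.to_bytes(4, "big")            # OverflowError for full-width scalars

# Ed25519 suite hash functions (RFC 9591 Section 6.1). H1/H3 reduce a little-endian
# SHA-512 digest mod L; H2 (not needed here) is plain SHA-512 for RFC 8032 compatibility.
def ed25519_h_scalar(tag: bytes, m: bytes) -> int:
    return int.from_bytes(hashlib.sha512(ED25519_CTX + tag + m).digest(), "little") % ED25519_L

def ed25519_h4(msg: bytes) -> bytes:
    return hashlib.sha512(ED25519_CTX + b"msg" + msg).digest()

def ed25519_h5(commitments: bytes) -> bytes:
    return hashlib.sha512(ED25519_CTX + b"com" + commitments).digest()

def nonce_generate(secret: int, random_bytes: Optional[bytes] = None) -> int:
    """RFC 9591 Section 4.1 hedged nonce: H3(random_bytes(32) || SerializeScalar(sk_i)).
    Hashing the secret share in with fresh randomness keeps the nonce unpredictable
    to anyone who lacks either input."""
    rb = secrets.token_bytes(32) if random_bytes is None else random_bytes
    if len(rb) != 32:
        raise ValueError("need exactly 32 random bytes")
    return ed25519_h_scalar(b"nonce", rb + serialize_scalar("ed25519", secret))

def binding_factors(group_pk: bytes, msg: bytes, commitment_list) -> dict:
    """RFC 9591 compute_binding_factors (Ed25519 suite). commitment_list holds
    (identifier, hiding_commitment, binding_commitment) tuples sorted by identifier,
    with both commitments given as their 32-byte element encodings."""
    encoded = b"".join(serialize_scalar("ed25519", i) + d + e for i, d, e in commitment_list)
    # Order matters: group key, then H4(msg), then H5(commitment list), identifier last.
    prefix = group_pk + ed25519_h4(msg) + ed25519_h5(encoded)
    return {i: ed25519_h_scalar(b"rho", prefix + serialize_scalar("ed25519", i))
            for i, _, _ in commitment_list}
```

Calling `nonce_generate` twice with the same share and no explicit randomness returns two different nonces; with the same 32 random bytes it is deterministic, which is what makes the construction testable against the RFC's Appendix E vectors.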

GG20

  • Fixed tau reuse in MtAwc respondent proof
  • Added EC-point binding to MtAwc respondent proof

ECIES

  • Added ChaCha20Poly1305 cipher

Release v0.0.10

10 Mar 14:14

Security Fixes

  • GG20: Corrected MtA proof flow for peer-specific ZK setups

Improvements

  • Paillier: Optimized modular arithmetic

Release v0.0.9

06 Mar 17:30

Features

  • ECIES: Added protocol context binding to KEM with legacy ciphertext format support
  • Point Ops: Added parse method

Fixes

  • GG20: Fixed lambda computation from Gamma; added an offline consistency round

Security

  • [!] Fixed Frozen Heart vulnerability in Paillier Range and Respondent proofs: all public statements are now bound into the Fiat-Shamir hash
  • HKDF domain separation and protocol context binding across all protocols
  • Random BigInt generation now guaranteed non-zero
  • Parameter validation in Lagrange coefficient computations
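The Frozen Heart failure mode is easiest to see on the simplest proof in this family, a Chaum-Pedersen discrete-log-equality proof, so the added example below (not tss4j code; it stands in for the Paillier range and respondent proofs, whose statements are larger but fail in the same way) runs that proof over secp256k1 with two challenge derivations: one that hashes only the prover's commitments, and one that binds the whole public statement. The curve constants come from the secp256k1 specification; the second base `H` and the SEC1-plus-SHA-256 transcript encoding are assumptions of the example.

```python
import hashlib
import secrets

# secp256k1 constants (from the curve specification, not from the release notes).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; fine for a verifier demo)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def enc(pt) -> bytes:
    """Compressed SEC1 encoding, used to feed points into the Fiat-Shamir hash."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def fs_hash(*points) -> int:
    h = hashlib.sha256()
    for pt in points:
        h.update(enc(pt))
    return int.from_bytes(h.digest(), "big") % N

# Second base for the DLEQ statement (hypothetical fixed base; in production it would come
# from hash-to-curve so that its discrete log with respect to G is unknown).
H = ec_mul(int.from_bytes(hashlib.sha256(b"tss4j-dleq-example-H").digest(), "big"), G)

def challenge(Y, Z, A, B, bind_statement: bool) -> int:
    # Vulnerable (Frozen Heart): only the prover's commitments are hashed.
    # Fixed: every public value of the statement is hashed too, bases included.
    return fs_hash(G, H, Y, Z, A, B) if bind_statement else fs_hash(A, B)

def prove(x: int, bind_statement: bool):
    """Honest Chaum-Pedersen proof that log_G(Y) == log_H(Z) == x."""
    Y, Z = ec_mul(x, G), ec_mul(x, H)
    r = secrets.randbelow(N - 1) + 1
    A, B = ec_mul(r, G), ec_mul(r, H)
    c = challenge(Y, Z, A, B, bind_statement)
    return (Y, Z), (A, B, (r + c * x) % N)

def verify(statement, proof, bind_statement: bool) -> bool:
    (Y, Z), (A, B, z) = statement, proof
    c = challenge(Y, Z, A, B, bind_statement)
    return (ec_mul(z, G) == ec_add(A, ec_mul(c, Y))
            and ec_mul(z, H) == ec_add(B, ec_mul(c, Z)))

def forge():
    """Frozen Heart forgery against the unbound challenge: pick commitments first, read off
    the challenge (it ignores the statement), then solve for Y, Z with different logs."""
    a = secrets.randbelow(N - 1) + 1
    b = (a + secrets.randbelow(N - 2) + 1) % N       # b != a, so the statement is false
    A, B = ec_mul(a, G), ec_mul(b, H)
    c = fs_hash(A, B)
    z = secrets.randbelow(N - 1) + 1
    inv_c = pow(c, -1, N)
    y, w = (z - a) * inv_c % N, (z - b) * inv_c % N   # z = a + c*y = b + c*w
    return (ec_mul(y, G), ec_mul(w, H)), (A, B, z), (y, w)
```

`forge` never touches a secret: with the statement outside the hash, the challenge is fixed as soon as A and B are chosen, and (Y, Z) can be solved for afterwards with two different discrete logs. The bound verifier rejects the same proof because its challenge depends on Y and Z, which is exactly what the v0.0.9 fix adds to the Paillier proofs.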

Release v0.0.8

28 Dec 22:10

  • Implement hash-to-curve suite (secp256k1_xmd:SHA-256_SSWU_RO)
  • Fix point creation from coords

Release v0.0.7

25 Dec 23:47

Destroying BigInt constants (e.g. BigInt.ONE) is now forbidden.

Release v0.0.5

08 Dec 16:45

Add support for default Secp256k1 FROST signatures

Release v0.0.4

08 Dec 06:10

Support for BIP340 & Taproot Secp256k1 signatures for FROST protocol

Release 0.0.3

17 Aug 15:17

[GG20 / Paillier]

  • Parallelized Paillier proofs
    • Generation and verification run in parallel across independent rounds.
    • Deterministic outputs; no shared mutable state.
  • ZKSetup → Blum integers
    • Ñ = p·q with p ≡ q ≡ 3 (mod 4).
    • h1, h2 sampled as squares of units ⇒ h1, h2 ∈ QR(Ñ); gcd checks enforced.
  • BiPrimeProof (new)
    • Proves Blum & square-free modulus.
    • Validator binds proof.N to PaillierPublicKey.n; rejects mismatches.
  • NoSmallFactorProof (new)
    • Proves absence of small factors; challenge length l=256.
    • Validators reject N < 2048 bits and commitments not coprime to Ñ.
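The ZKSetup and validator rules above, as an added example in Python that is not tss4j code: Ñ is built from two primes ≡ 3 (mod 4), h1 and h2 are squares of units so they lie in QR(Ñ), and the validator applies the checks that need no factorization (size floor, Ñ ≡ 1 (mod 4), coprimality of h1 and h2 with Ñ). The bit sizes, the Miller-Rabin round count and the helper names are the example's own; 2048 is the floor the release notes state. Whether Ñ really is a Blum integer is what the BiPrimeProof establishes, and a verifier without the factorization cannot test quadratic residuosity of h1, h2 directly, so `is_qr` shows only the prover-side check with p and q in hand.

```python
import math
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (round count is the example's choice)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_blum_prime(bits: int) -> int:
    """Random prime p with p ≡ 3 (mod 4): top bit set, low two bits forced to 11."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p):
            return p

def zk_setup(bits: int):
    """Prover side: Blum modulus Ñ = p·q and h1, h2 as squares of units, hence in QR(Ñ)."""
    p = gen_blum_prime(bits // 2)
    q = gen_blum_prime(bits // 2)
    while q == p:
        q = gen_blum_prime(bits // 2)
    n = p * q

    def sample_qr() -> int:
        while True:
            r = secrets.randbelow(n - 2) + 2
            if math.gcd(r, n) == 1:          # r must be a unit mod Ñ
                h = pow(r, 2, n)
                if h != 1:                   # exclude the trivial residue
                    return h

    return {"N": n, "h1": sample_qr(), "h2": sample_qr()}, (p, q)

def validate_setup(setup: dict, min_bits: int = 2048) -> bool:
    """Verifier side, no factorization needed. p ≡ q ≡ 3 (mod 4) forces Ñ ≡ 1 (mod 4);
    anything beyond these checks (Blum, square-free, no small factors) is left to the ZK proofs."""
    n, h1, h2 = setup["N"], setup["h1"], setup["h2"]
    if n.bit_length() < min_bits or n % 4 != 1:
        return False
    for h in (h1, h2):
        if not 1 < h < n or math.gcd(h, n) != 1:
            return False
    return True

def is_qr(h: int, p: int, q: int) -> bool:
    """Prover-side check with the factorization: Euler's criterion modulo p and modulo q."""
    return pow(h, (p - 1) // 2, p) == 1 and pow(h, (q - 1) // 2, q) == 1
```

A 64-bit modulus runs in well under a second and is enough to exercise every branch; for real parameters call `zk_setup(2048)` and keep the default `min_bits` on the validator side.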

[FROST]

  • AAD (additionalContext)
    • Included in all transcript hashes for the signing session.
  • Domain tags
    • H1/H2 use explicit tags ("FROST.H1", "FROST.H2") + AAD.
    • PoP challenge uses "FROST.POP" || AAD || Y_i || R.

Release 0.0.2

03 Aug 00:06

Add threshold ECIES encryption; update Chaum-Pedersen proofs