Group traits for abelian groups in additive notation, designed to resemble the cryptographic/mathematics definition as accurately as possible. Traits are hierarchical in nature, and higher-level traits embody more specific properties on top of the ones below. This allows us to capture shared logic between cryptographic groups in the most generic way possible, so that schemes and protocols could be designed (e.g. maurer) to work with any group, including dynamic, unknown order groups like Paillier, and static, prime-order groups like elliptic curves (e.g., secp256k1.)

These traits were designed while keeping the security concern of high-level protocols in mind, and as such are constant-time by default.

Another key addition is GroupElement::PublicParameters which captures the relevant information to hash into the transcript, as required by Fiat-Shamir transforms. Another important security (and functionality) aspect of the public parameters is the fact they allow us to separate the group element GroupElement from its value GroupElement::Value; the former is a runtime representation which encodes necessary information for group operations whereas the latter solely represents the value which can be serialized and transported over the wire, to later be instantiated into the former using the group's public parameter GroupElement::PublicParameters. This is important since group operation must always succeed, however, we must also prevent malicious players from forcing us to use the wrong groups. For example, if a malicious prover can force the verifier to use a Paillier group for a modulus, they generated themselves (and thus know how to factor) they can bypass verification for incorrect claims, or even derive secrets of other parties. Instead, the verifier should only receive the value of group elements, and instantiate the group element using their own public parameters, which assures operating in the correct group.

We have gone through a rigorous internal auditing process throughout development, requiring the approval of two additional cryptographers and one additional programmer in every pull request. That being said, this code has not been audited by a third party yet; use it at your own risk.

This code has no official releases yet, and we reserve the right to change some of the public API until then.