feat(dkg): FROST implementation (#328)

* Move code as-is from private repo

* Rename dir

* Add crate

* Fix crate toml

* Fix imports and compiler issues

- Adjust `&` handling in patterns

* Apply formatting

* Apply clippy suggestions

* Adjust docs

* Inline readme

* Remove bench-specific configs

* Reduce attribute usage

* Use std imports

* Add proper permalinks

* Adjust test names

* Enable lints

* Use derive macros when possible

- Replaces custom deserialization code

* Inline const

* Simplify fixture parsing

- Use vec directly

* Fix clippy lints

- Infallible conversions
- Disable arithmetic checks

* Assert conversions

- Use `assert!` over `debug_assert!`
- Reference RFC when required

* Update lockfile

* fix: address comments / review on frost, more tests (#364)

* fix: address comments and reviews in FROST impl

* fix: refine error

* fix: more tests on frost core

* fix: add tests for curve

* fix: add and refactor tests on kryptology

* fix: simplify tests

* fix: address comments

* fix: ignore RUSTSEC-2026-0118 and RUSTSEC-2026-0119 because libp2p

---------

Co-authored-by: Quang Le <iamquang95@gmail.com>

Author: emlautarom1

Cargo.lock

@@ -18,6 +18,7 @@ members = [
     "crates/testutil",
     "crates/tracing",
     "crates/peerinfo",
+    "crates/frost",
 ]
 resolver = "3"
 
@@ -69,6 +70,7 @@ pbkdf2 = "0.12.2"
 pin-project = "1"
 sha2 = "0.10.9"
 scrypt = "0.11.0"
+subtle = "2.6"
 unicode-normalization = "0.1.25"
 zeroize = "1.8.2"
 uuid = { version = "1.19", features = ["serde", "v4"] }
@@ -123,6 +125,7 @@ pluto-testutil = { path = "crates/testutil" }
 pluto-tracing = { path = "crates/tracing" }
 pluto-p2p = { path = "crates/p2p" }
 pluto-peerinfo = { path = "crates/peerinfo" }
+pluto-frost = { path = "crates/frost" }
 
 [workspace.lints.rust]
 missing_docs = "deny"

Cargo.toml

@@ -0,0 +1,37 @@
+[package]
+name = "pluto-frost"
+version.workspace = true
+edition.workspace = true
+repository.workspace = true
+license.workspace = true
+publish.workspace = true
+
+[dependencies]
+blst.workspace = true
+rand_core.workspace = true
+sha2.workspace = true
+subtle.workspace = true
+thiserror.workspace = true
+zeroize = { workspace = true, features = ["derive"] }
+
+[dev-dependencies]
+hex.workspace = true
+rand.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+
+[lints.rust]
+missing_docs = "deny"
+# Allow unsafe code for blst C bindings (overrides workspace forbid)
+unsafe_code = "allow"
+
+[lints.clippy]
+arithmetic_side_effects = "deny"
+cast_lossless = "deny"
+cast_possible_truncation = "deny"
+cast_possible_wrap = "deny"
+cast_precision_loss = "deny"
+cast_sign_loss = "deny"
+needless_return = "deny"
+panicking_overflow_checks = "deny"
+unwrap_used = "deny"

crates/frost/Cargo.toml

@@ -0,0 +1,72 @@
+# Kryptology-Compatible Distributed Key Generation (DKG)
+
+The kryptology DKG module supports generating FROST key shares in a distributed
+manner compatible with Go's Coinbase Kryptology FROST DKG.
+
+The output types ([`KeyPackage`], [`PublicKeyPackage`]) are standard frost-core
+types. The key shares can be used for BLS threshold signing via the
+`bls_partial_sign`, `bls_combine_signatures`, and `bls_verify` functions.
+
+## Wire contract
+
+The supported cross-language contract is the raw field encoding used by the
+fixtures and round helpers in this module:
+
+- Scalars are 32-byte big-endian field elements.
+- G1 points are 48-byte compressed encodings.
+- Participant identifiers are transported as `u32` values.
+- The DKG context is transported as a single `u8` byte.
+
+Gob encoding is not part of this interoperability contract.
+
+## Example
+
+```rust
+use std::collections::BTreeMap;
+
+use pluto_frost::kryptology;
+
+let mut rng = rand::rngs::OsRng;
+
+let threshold = 3u16;
+let max_signers = 5u16;
+let ctx = 0u8;
+
+// Round 1: each participant generates broadcast data and shares.
+let mut bcasts: BTreeMap<u32, kryptology::Round1Bcast> = BTreeMap::new();
+let mut all_shares: BTreeMap<u32, BTreeMap<u32, kryptology::ShamirShare>> = BTreeMap::new();
+let mut secrets: BTreeMap<u32, kryptology::Round1Secret> = BTreeMap::new();
+
+for id in 1..=max_signers as u32 {
+    let (bcast, shares, secret) =
+        kryptology::round1(id, threshold, max_signers, ctx, &mut rng)
+            .expect("round1 should succeed");
+    bcasts.insert(id, bcast);
+    secrets.insert(id, secret);
+    for (&target_id, share) in &shares {
+        all_shares.entry(target_id).or_default().insert(id, share.clone());
+    }
+}
+
+// Round 2: each participant verifies broadcasts and aggregates shares.
+let mut key_packages = BTreeMap::new();
+let mut public_key_packages = Vec::new();
+
+for id in 1..=max_signers as u32 {
+    let received_bcasts: BTreeMap<_, _> = bcasts
+        .iter()
+        .filter(|(k, _)| **k != id)
+        .map(|(k, v)| (*k, v.clone()))
+        .collect();
+    let received_shares = all_shares.remove(&id).unwrap();
+    let secret = secrets.remove(&id).unwrap();
+
+    let (_r2_bcast, key_package, pub_package) =
+        kryptology::round2(secret, &received_bcasts, &received_shares)
+            .expect("round2 should succeed");
+    key_packages.insert(id, key_package);
+    public_key_packages.push(pub_package);
+}
+
+// Each participant now has a KeyPackage and PublicKeyPackage for BLS threshold signing.
+```