feat(release): v0.9.1 - Crypto Hardening

[imzzaidd]

v0.9.1 -- Crypto Hardening

Summary

Harden the cryptographic foundation with elliptic-curve verifiable secret sharing (EC-VSS), proactive secret sharing (PSS), VRF-driven epoch randomness, HKDF key derivation, and BLS12-381 aggregate signatures. This release brings the protocol cryptographic layer to production-grade NIST compliance and enables threshold cryptography patterns required for vault and governance operations.

Planned Changes

Elliptic Curve VSS (EC-VSS)

• Replace GF(2^8) Shamir with EC-based VSS over Curve25519
• Feldman commitment verification using Pedersen commitments on the curve
• Constant-time scalar operations throughout

Proactive Secret Sharing (PSS)

• Share refresh protocol without reconstructing the secret
• Epoch-triggered automatic share rotation
• Detection of corrupted shares via commitment verification

VRF Epoch Randomness

• VRF-based random beacon for epoch transitions
• Verifiable randomness for validator selection and committee assignment
• Chain-bound VRF outputs with domain separation (7ay:vrf:epoch:v1)

HKDF Key Derivation

• HMAC-based key derivation (RFC 5869) for all derived keys
• Replace ad-hoc key derivation with standardized HKDF-SHA256
• Domain-separated extraction and expansion phases

BLS12-381 Aggregate Signatures

• BLS signature scheme for compact multi-validator attestations
• Aggregate signature verification for presence finalization
• Batch verification optimization for block processing

Deliverables

• EC-VSS implementation with Curve25519 backend
• Proactive secret sharing protocol
• VRF epoch randomness beacon
• HKDF-SHA256 key derivation (RFC 5869)
• BLS12-381 aggregate signature support
• Migration from GF(2^8) Shamir to EC-VSS
• Vault pallet integration with new crypto primitives
• Comprehensive fuzz testing for all new crypto operations
• NIST compliance documentation
• Performance benchmarks for all new primitives

Invariants Affected

• INV69: Share distribution updated for EC-VSS scheme
• INV66-68: Vault operations updated with new threshold crypto
• INV63: Commitment scheme upgraded to Pedersen on curve
• INV14-18: Epoch transitions now include VRF randomness
• INV43: BlockRef binding extended with VRF proof

Breaking Changes

• seveny-primitives::crypto API changes for EC-VSS
• Share format change (GF(2^8) to EC point encoding)
• Commitment format change (hash-based to Pedersen curve)
• New runtime API for VRF verification

Testing

• cargo test --workspace passes
• cargo clippy --all-targets -- -D warnings clean
• cargo fmt --all -- --check passes
• no_std verification for all crates
• Fuzz testing for EC-VSS, HKDF, BLS operations
• Known-answer tests (KATs) against NIST test vectors
• Share split/reconstruct roundtrip with EC-VSS
• VRF output verification and uniqueness tests
• Aggregate signature batch verification correctness

Milestone

v0.9.1 - Crypto Hardening (due: 2026-07-31)

Checklist

• cargo fmt
• cargo clippy
• cargo test
• no_std check
• Documentation updated
• CHANGELOG.md updated
• NIST compliance matrix updated
• Fuzz targets added