DKG Finalization Optimizations

[cronokirby]

Stacked on top of #3312.

Closes #2536.
Closes #3212.

This adds a new structure for containing dealer logs, allowing them to be verified in advance.

We also implement optimizations for a given dealer, batching signature checks, and reveal checks.

One big win is implementing parallelism to check multiple dealers at once (while preserving the order we select dealers in), which allows the method to actually scale, whereas it was bottlenecked previously.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	commonware-mcp	f85722d	Mar 06 2026, 11:16 PM

[cloudflare-workers-and-pages]

Deploying monorepo with    Cloudflare Pages

Latest commit:	f85722d
Status:	✅  Deploy successful!
Preview URL:	https://540a7e0d.monorepo-eu0.pages.dev
Branch Preview URL:	https://ck-dkg-finalize-opts.monorepo-eu0.pages.dev

View logs

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Shared mutable RNG across test assertions may cause nondeterminism

Low Severity

The test's rng is now mutably shared across select, observe, and multiple finalize calls in a loop. Each call consumes RNG state for batch verification, changing downstream randomness. Previously, select and observe didn't take &mut rng, so the RNG stream was unaffected. Now, the number of RNG draws varies depending on the number of dealers/reveals, making the test's determinism fragile — future changes to batch verification internals could shift the RNG state and alter subsequent test behavior.

Additional Locations (2)

• cryptography/src/bls12381/dkg.rs#L2607-L2612
• cryptography/src/bls12381/dkg.rs#L2704-L2709

 

[cronokirby]

It's still deterministic though, even if "fragile" which is fine, it's random.

[codecov]

Codecov Report

❌ Patch coverage is 92.09040% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.03%. Comparing base (ddcb81d) to head (f85722d).

Files with missing lines	Patch %	Lines
cryptography/src/bls12381/dkg.rs	91.71%	8 Missing and 6 partials ⚠️

@@                 Coverage Diff                  @@
##           ck/lin_comb_eval    #3328      +/-   ##
====================================================
- Coverage             93.03%   93.03%   -0.01%     
====================================================
  Files                   418      418              
  Lines                143564   143686     +122     
  Branches               3435     3442       +7     
====================================================
+ Hits                 133571   133682     +111     
- Misses                 8900     8907       +7     
- Partials               1093     1097       +4     

Files with missing lines	Coverage Δ
cryptography/src/bls12381/scheme.rs	69.95% <100.00%> (+5.62%)	⬆️
cryptography/src/ed25519/scheme.rs	97.00% <100.00%> (+0.02%)	⬆️
cryptography/src/bls12381/dkg.rs	92.53% <91.71%> (-0.10%)	⬇️

... and 7 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ddcb81d...f85722d. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.