Six libraries. One trait. One verifier.
Every BLS construction the literature has produced in 25 years, wired through a single SignatureScheme interface. Drop-in for any Anchor program. CPI line in, boolean out.
Aggregate verification
yoroi_bls
N signatures collapse to one 48-byte G1 point. Two pairings on-chain, 150 CU, constant in N.
The core path. Every validator committee, oracle network and governance council on Solana that needs joint authorisation runs through this. Same-message attestation reduces to exactly two pairings regardless of signer count.
- Validator attestations on slot hashes
- Oracle networks signing prices
- Governance councils approving proposals
- Multisig vaults at scale (> 50 signers)
Threshold (t-of-n)
yoroi_threshold
Shamir secret sharing over BLS with recombination in G1. The master key never reassembles, anywhere.
Five-of-seven vaults that fail an audit if any single party can produce the joint key. The final signature is indistinguishable from a single-key BLS signature to the verifier — same 150 CU path.
- Regulated treasuries with audit requirements
- Cross-organization custody
- MPC-backed signing services
Pedersen DKG
yoroi_dkg
Distributed key generation with verifiable shares. No trusted dealer, no setup ceremony.
Round-1 commitments published to a shared transcript, per-recipient share dispatch over any authenticated channel, per-share verification against the published commitments. No party holds the full master secret, not even momentarily.
- Threshold deployments that cannot tolerate a one-time master-key holder
- Multi-org custody initialization
- Regulated environments where the setup ceremony must be auditable
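The threshold and DKG cards above describe one pipeline: Pedersen DKG hands every party a share it has verified against published commitments, and t-of-n signing recombines partial signatures with Lagrange coefficients so the master key never exists in one place. The Python below is an added example, not code from the yoroi crates. It stands in for G1 with the order-509 subgroup of Z_1019^* (a constructed toy safe prime, so discrete logs are trivial here and only the share and recombination arithmetic is illustrated), uses a toy hash-to-group, and its party count, threshold, generators and function names are all assumptions.

```python
import hashlib
import secrets

P, Q = 1019, 509  # constructed toy safe prime P = 2Q+1 standing in for G1; production: BLS12-381
G, H = 4, 9       # two order-Q generators; Pedersen needs log_G(H) unknown to everyone

def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_Q at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def lagrange_at_zero(idxs):
    """lambda_i such that sum_i lambda_i * F(idx_i) = F(0) when deg F < len(idxs)."""
    out = []
    for i in idxs:
        num = den = 1
        for j in idxs:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        out.append(num * pow(den, -1, Q) % Q)
    return out

def dealer_round1(t):
    """Round 1: sample f, f' of degree t-1 and publish C_j = G^a_j * H^b_j to the transcript."""
    f = [secrets.randbelow(Q) for _ in range(t)]
    fp = [secrets.randbelow(Q) for _ in range(t)]
    return (f, fp), [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, fp)]

def verify_share(commitments, idx, s, sp):
    """Recipient idx checks G^s * H^s' == prod_j C_j^(idx^j) against the published commitments."""
    lhs = pow(G, s, P) * pow(H, sp, P) % P
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(idx, j, Q), P) % P
    return lhs == rhs

def run_dkg(n, t):
    """Round 2: each dealer sends (f(i), f'(i)) to party i over an authenticated channel;
    the recipient verifies before summing. Nobody ever holds x = sum_k f_k(0)."""
    dealers = [dealer_round1(t) for _ in range(n)]
    shares = {}
    for idx in range(1, n + 1):
        x_i = 0
        for (f, fp), commitments in dealers:
            s, sp = poly_eval(f, idx), poly_eval(fp, idx)
            if not verify_share(commitments, idx, s, sp):
                raise ValueError(f"party {idx}: share fails commitment check, file a complaint")
            x_i = (x_i + s) % Q
        shares[idx] = x_i
    return shares

def recombine(points):
    """Lagrange recombination in the group, prod_i elem_i^lambda_i; used for both
    public key shares G^x_i and partial signatures H(m)^x_i."""
    idxs = list(points)
    out = 1
    for idx, lam in zip(idxs, lagrange_at_zero(idxs)):
        out = out * pow(points[idx], lam, P) % P
    return out

def hash_to_group(msg):
    """Toy hash-to-group H(m) = G^SHA256(m); real BLS uses hash-to-curve into G1."""
    return pow(G, int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q, P)

def partial_sign(x_i, msg):
    """sigma_i = H(m)^x_i (x_i * H(m) in additive G1 notation); the combiner sees only these."""
    return pow(hash_to_group(msg), x_i, P)

def audit_only_reconstruct(shares):
    """Reassembles x from t shares purely so demo() can confirm the toy's algebra;
    a production combiner never does this."""
    idxs = list(shares)
    return sum(lam * shares[i] for i, lam in zip(idxs, lagrange_at_zero(idxs))) % Q

def demo(n=7, t=5, msg=b"approve proposal 42"):
    """5-of-7: two different quorums produce the same signature, equal to single-key BLS."""
    shares = run_dkg(n, t)
    quorum_a = {i: shares[i] for i in range(1, t + 1)}
    quorum_b = {i: shares[i] for i in range(n - t + 1, n + 1)}
    pk = recombine({i: pow(G, x, P) for i, x in quorum_a.items()})
    sig_a = recombine({i: partial_sign(x, msg) for i, x in quorum_a.items()})
    sig_b = recombine({i: partial_sign(x, msg) for i, x in quorum_b.items()})
    x = audit_only_reconstruct(quorum_b)
    return {
        "same_sig_any_quorum": sig_a == sig_b,
        "sig_equals_single_key_bls": sig_a == pow(hash_to_group(msg), x, P),
        "pk_matches": pk == pow(G, x, P),
    }

if __name__ == "__main__":
    print(demo())
```

The one step the toy cannot show is the verifier's pairing check of the recombined signature against the group key; everything up to that point (commitment verification, share summation, Lagrange recombination of group elements) is the same shape as on the curve. audit_only_reconstruct is the operation a deployment must not contain, and a failed verify_share in a real protocol opens a complaint round rather than raising.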
BLS-VRF
yoroi_vrf
The proof is a BLS signature on the seed. The output is SHA-512 of the proof.
Anyone with the public key can verify the output came from this seed. Unpredictable until the signer commits the signature. Aggregate variant lets a committee jointly produce a single verifiable random output.
- Stake-weighted leader election
- On-chain lotteries with verifiable fairness
- Randomness beacons downstream contracts can consume
Boneh-Franklin IBE
yoroi_ibe
Encrypt to any public string before the recipient even has a keypair.
An identity, a future block height, a transaction commitment — encrypt to it directly. The trusted authority issues decryption keys on demand against the identity. Threshold variant splits the authority across a committee.
- Time-locked encryption (encrypt now, decrypt at block N)
- Sealed-bid auctions
- Conditional disclosure protocols
WOTS+ post-quantum
yoroi_pq
Winternitz one-time signatures behind the same SignatureScheme trait.
When BLS12-381 gets quantum-broken — the question is when, not if — applications swap one line and keep shipping. Forward insurance. Cheap to ship now, catastrophic to retrofit later when a protocol has thousands of integrations to coordinate.
- Long-lived high-value assets
- Protocols planning multi-year stability
- Insurance against future-quantum scenarios
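As an added example of what sits behind the yoroi_pq card (not the crate's code), here is a complete WOTS+ sign/verify in Python: the keyed, masked hash chains, the checksum digits that stop a forger from advancing any chain, and a signer-side guard for the one-time property. The parameters (SHA-256, w = 16, 67 chains), the HMAC-based PRF that derives chain keys and masks from a public seed, and compressing the public key with a single hash are assumptions of this example; XMSS and SPHINCS+ use an L-tree there instead.

```python
import hashlib
import hmac
import secrets

N = 32               # hash output bytes
W = 16               # Winternitz parameter: each chain encodes log2(W) = 4 bits
LEN1 = 8 * N // 4    # 64 chains cover the 256-bit message digest
LEN2 = 3             # checksum chains: max checksum 64 * 15 = 960 < 16^3
LEN = LEN1 + LEN2    # 67 chains in total

def prf(seed, *labels):
    """HMAC-SHA256 PRF, domain-separated by integer labels (constructed scheme)."""
    data = b"".join(x.to_bytes(4, "big") for x in labels)
    return hmac.new(seed, data, hashlib.sha256).digest()

def chain(x, start, steps, pub_seed, idx):
    """WOTS+ chain: apply the keyed, masked hash `steps` times from position `start`.
    Key and mask for chain idx at step j are derived from the public seed, as in XMSS."""
    for j in range(start, start + steps):
        key, mask = prf(pub_seed, idx, j, 0), prf(pub_seed, idx, j, 1)
        x = hashlib.sha256(key + bytes(a ^ b for a, b in zip(x, mask))).digest()
    return x

def base_w(data, out_len):
    """First out_len base-16 digits of data, high nibble first."""
    digits = []
    for b in data:
        digits += [b >> 4, b & 0x0F]
    return digits[:out_len]

def encode(msg):
    """Digest the message, then append the Winternitz checksum digits. Moving any digit
    up its chain (the only thing a forger can do) lowers the checksum, so it never fits."""
    m = base_w(hashlib.sha256(msg).digest(), LEN1)
    csum = sum(W - 1 - d for d in m)
    return m + base_w((csum << 4).to_bytes(2, "big"), LEN2)  # 12 bits, left-aligned

def keygen(sk_seed=None, pub_seed=None):
    """Secret: LEN chain starts derived from a seed. Public: hash of the LEN chain ends."""
    sk_seed = sk_seed or secrets.token_bytes(N)
    pub_seed = pub_seed or secrets.token_bytes(N)
    sk = [prf(sk_seed, i) for i in range(LEN)]
    ends = [chain(sk[i], 0, W - 1, pub_seed, i) for i in range(LEN)]
    pk = hashlib.sha256(b"".join(ends)).digest()
    return (pub_seed, sk), (pub_seed, pk)

def sign(secret, msg):
    """Signature = each chain advanced to the position given by its message digit."""
    pub_seed, sk = secret
    return [chain(sk[i], 0, d, pub_seed, i) for i, d in enumerate(encode(msg))]

def verify(public, msg, sig):
    """Finish every chain from the signed position to its end and compare with pk."""
    pub_seed, pk = public
    if len(sig) != LEN or any(len(s) != N for s in sig):
        return False
    ends = [chain(s, d, W - 1 - d, pub_seed, i) for i, (s, d) in enumerate(zip(sig, encode(msg)))]
    return hmac.compare_digest(hashlib.sha256(b"".join(ends)).digest(), pk)

class OneTimeSigner:
    """The 'one-time' must be enforced at the signer: a second signature under the same key
    exposes chain positions that let anyone forge, and the verifier cannot tell."""
    def __init__(self):
        self.secret, self.public = keygen()
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("WOTS+ key already used; rotate to a fresh one-time key")
        self.used = True
        return sign(self.secret, msg)
```

A signature is 67 hash values (about 2 KB) against 48 bytes for BLS, and there is no aggregation, which is the cost the card's "forward insurance" framing is paying for. Because the verifier has no way to detect key reuse, the OneTimeSigner guard (or a Merkle tree of one-time keys, as in XMSS) is where the security of the scheme actually lives.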