profile

package

v1.0.0 Latest Latest Go to latest Published: May 19, 2026 License: BSD-3-Clause Imports: 6 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/luxfi/oracle

Links

Open Source Insights

Documentation ¶

Overview ¶

Package profile carries the oracle's signing-profile decision in ONE place.

Decomplecting principle: the oracle has TWO distinct signing surfaces.

Intra-Lux operator surface — signed Observations, OracleRecords, OracleCommits, executor attestations to O-Chain RPC. Default = ML-DSA-65 (FIPS 204, NIST Level 3). Classical Ed25519 is opt-in only via LegacyClassicalEnabled.
External-source surface — Bitcoin RPC, Ethereum RPC, Pyth, Chainlink, market data APIs. These are NOT subject to the PQ default; they ride whatever transport and authentication the external source provides. The oracle never PQ-flips a fetch against a public price feed.

All policy lives here; primitives must never re-decide the profile.

Index ¶

Constants
Variables
func Verify(p Policy, scheme Scheme, pub, msg, sig []byte) error
type Policy
- func Default() Policy
- func (p Policy) Permit(s Scheme) error
type Scheme
- func (s Scheme) String() string
type Signer

Constants ¶

View Source

const (
	MLDSA65PublicKeySize = mldsa.MLDSA65PublicKeySize
	MLDSA65SignatureSize = mldsa.MLDSA65SignatureSize
)

Default key/sig sizes for the active default scheme (ML-DSA-65).

View Source

const ContextTag = "luxfi.oracle.v1"

ContextTag is the domain-separation tag bound into every operator signature so an Oracle observation cannot be replayed as some other Lux artifact and vice versa.

Variables ¶

View Source

var ErrClassicalRefused = errors.New("profile: classical scheme refused under strict-PQ")

ErrClassicalRefused is returned when an Ed25519 signature is presented under a strict-PQ policy.

Functions ¶

func Verify ¶

func Verify(p Policy, scheme Scheme, pub, msg, sig []byte) error

Verify checks sig over msg under pub for the given scheme, gated by p. This is the SINGLE place all oracle observation/record verification flows through.

Types ¶

type Policy ¶

type Policy struct {
	// LegacyClassicalEnabled, when true, allows Ed25519 keys and verifies
	// classical observations. Production deployments inside Lux should
	// leave this off.
	LegacyClassicalEnabled bool
}

Policy carries the oracle operator's signing-profile decision.

Default value (zero-Policy) means: ML-DSA-65 only, classical refused. This is intentional — the safe default is strict-PQ.

func Default ¶

func Default() Policy

Default returns the strict-PQ policy: ML-DSA-65 only.

func (Policy) Permit ¶

func (p Policy) Permit(s Scheme) error

Permit reports whether a scheme is currently accepted under p. This is the single function classical primitives consult before doing anything with classical key material.

type Scheme ¶

type Scheme uint8

Scheme identifies the operator signing scheme. Wire-stable enum.

const (
	// SchemeMLDSA65 — ML-DSA-65 (FIPS 204). Default for intra-Lux operator
	// signatures (signed Observations, OracleRecords, OracleCommits).
	SchemeMLDSA65 Scheme = 0x01
	// SchemeEd25519 — Classical Ed25519. Opt-in only via Policy.LegacyClassicalEnabled.
	SchemeEd25519 Scheme = 0x02
)

func (Scheme) String ¶

func (s Scheme) String() string

type Signer ¶

type Signer struct {
	// contains filtered or unexported fields
}

Signer carries an operator's signing key. Construction picks the scheme; Sign always domain-separates with ContextTag.

func NewEd25519Signer ¶

func NewEd25519Signer(sk ed25519.PrivateKey) *Signer

NewEd25519Signer wraps a classical Ed25519 key. Callers must have already consulted Policy.Permit(SchemeEd25519); this constructor does not.

func NewMLDSA65Signer ¶

func NewMLDSA65Signer(rng io.Reader) (*Signer, error)

NewMLDSA65Signer returns a fresh ML-DSA-65 signer.

func NewMLDSA65SignerFromBytes ¶

func NewMLDSA65SignerFromBytes(skBytes []byte) (*Signer, error)

NewMLDSA65SignerFromBytes restores an ML-DSA-65 signer from its serialised secret-key bytes.

func (*Signer) PublicKey ¶

func (s *Signer) PublicKey() []byte

PublicKey returns the serialised public key bytes.

func (*Signer) Scheme ¶

func (s *Signer) Scheme() Scheme

Scheme returns the underlying scheme tag.

func (*Signer) Sign ¶

func (s *Signer) Sign(msg []byte) ([]byte, error)

Sign produces a signature over msg with the oracle's domain-separation context (FIPS 204 §5.2 ctx for ML-DSA, prepended-tag for Ed25519).

Source Files ¶

View all Source files

profile.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL