← All proposals

LP-017: Quasar Consensus + Polaris Cert Profile

Deprecation Notice

Status: Historical. This LP's codenames (Pulsar / Aurora / Polaris)

are deprecated. Operator-facing cert mode selection is canonical at

LP-217 (Cert Profile Modes — PQ-off / PQ-fast / PQ-strict / PQ-heavy).

The technical content of this LP (cert composition rules, ZK leg

specification, multi-leg verification semantics) is preserved as

historical reference. New deployments and new chains MUST use LP-217's

operator-facing naming. The v1 codenames remain as INTERNAL identifiers

in code only — see LP-217 §"Mode-to-internal mapping."

This LP is retained for code archaeology and is not amended further.

Abstract

Quasar is the v1 consensus protocol that drives every Lux primary

network and every sovereign L1 spawned from it. Polaris is the

production cert profile validators emit at the end of each round.

Polaris composes three independently auditable post-quantum primitives

(Magnetar, Pulsar, Corona) over a classical BLS fast-path, with a

zero-knowledge proof leg available for execution-side certification.

Each primitive ships its own wire codec, its own external verifier

surface via cloudflare/circl, and its own EasyCrypt mechanized

security proof; Polaris is the pure-function layering that combines

them.

Motivation

A v1 consensus cert is two distinct concerns braided into one bytes

blob: (1) the cryptographic primitives that produce signatures, and

(2) the policy that decides which primitives MUST appear for the

cert to be accepted by a given environment. Decomplecting these is

the central design move:

• Each primitive owns its own ceremony, its own wire codec, its own

Lean / EasyCrypt artifact, and its own KAT suite.

• Polaris is a pure function over already-produced signatures from

those primitives. It does not orchestrate the ceremonies; it

composes their outputs.

• The composition predicate (IsPolaris, IsDoubleLattice,

HasHashBased) names what is present. The environment's profile

setting picks the predicate the cert must satisfy.

This shape lets each primitive evolve on its own cadence (new

parameter set, new wire version, new KAT vectors) without rippling

through the others.

Specification

Quasar protocol surface

The Quasar protocol package lives at

~/work/lux/consensus/protocol/quasar/. The v1 surface is:

quasar.go         - protocol entry point
polaris.go        - Polaris cert profile composition + wire helpers
wave_signer.go    - wave (per-validator) signing logic
round_digest.go   - canonical round digest derivation
core.go           - per-round state machine
engine.go         - engine entry point
types.go          - QuasarCert and the four primitive-leg structs

Each Quasar round produces ONE QuasarCert (see types.go). The

cert struct is the same shape across all three production profiles

(Pulsar / Aurora / Polaris from polaris.go:9-18); the profile

selector decides which legs are populated:

Cert scheme byte: CertSchemeQuasar = 0x05 across all three

profiles. Absent legs are encoded as zero-length frames. A relying

party calls IsPolaris(cert) / IsDoubleLattice(cert) /

HasHashBased(cert) to learn what is present without re-parsing.

Polaris cert composition

ComposePolaris is the pure function the consensus engine calls

at round end. It takes the already-produced signatures from each

primitive and emits the cert. The PolarisLegs input struct is

declared at ~/work/lux/consensus/protocol/quasar/polaris.go:57

and carries:

• BLS — the BLS-12-381 G1 aggregate signature
• Pulsar — the threshold ML-DSA-65 signature (LP-073 / FIPS 204)
• Corona — the threshold M-LWE signature (FIPS-track lattice

sibling for defense-in-depth, eprint 2024/1113)

• Magnetar — the per-validator standalone SLH-DSA signatures

(FIPS 205) OR the THBS-SE selected-element threshold output

(LP-021)

ErrPolarisMissingLeg (declared at line 45) is the error returned

when Polaris is requested but any of Pulsar / Corona / Magnetar

is empty.

Wire codecs

Every PQ primitive ships its own wire codec. Each codec is an

11-byte header (magic(4) ‖ version(2) ‖ mode(1) ‖ len(4))

followed by the primitive's canonical wire-format payload. The

header bytes are domain-separated so that a frame from one

primitive fed into another's parser is rejected at first

dispatch:

Bounded reads: every length prefix is checked against the remaining

bytes BEFORE allocation. The declared payload length is also pinned

to the canonical FIPS-mandated size for the declared mode (e.g. a

PULS frame claiming a 4 GiB payload for ModeP65 is refused before

any buffer allocation).

Trailing-garbage policy: STRICT across all three primitives.

UnmarshalBinary returns an error if any byte remains after the

declared frame.

External verifier paths

The cryptographic content of each PQ primitive's wire payload is

byte-identical to the corresponding FIPS-204 / FIPS-205 / FIPS-203

single-party signature on the same (message, group_public_key)

tuple. This is the v1 Class-N1 manifesto.

A relying party that strips the 11-byte header obtains the

underlying FIPS wire bytes that the unmodified

cloudflare/circl verifier accepts. This means:

• A Pulsar signature can be verified by

cloudflare/circl/sign/mldsa/mldsa65.Verify (with the parallel

branch for ModeP44 / ModeP87) without any Lux-specific code.

• A Magnetar signature can be verified by

cloudflare/circl/sign/slhdsa.Verify (across all three modes:

M192s / M192f / M256s).

• A Corona signature has its own M-LWE verifier; the byte-identity

claim is to the threshold-emitted Corona reference impl, NOT to

a NIST FIPS sibling (Corona is FIPS-track-aligned but not a FIPS

standard).

This external verifier path is the surface

luxfi/threshold/pkg/thresholdd publishes over JSON-RPC and the

surface that independent verifiers (other mpcd, bridge nodes, L1

verifier contracts) consume.

Test gates

The v1 wire byte-identity is pinned by these tests:

• ~/work/lux/pulsar/ref/go/pkg/pulsar/wire_test.go::TestPulsar_Wire_FIPS204Verifiable

— declared at line 126. Round-trips a PULS frame, then strips

the header and feeds the payload to

cloudflare/circl/sign/mldsa/mldsa65.Verify (and the parallel

modes). Failure means a Pulsar wire change has broken FIPS 204

parity.

• ~/work/lux/magnetar/ref/go/pkg/magnetar/wire_test.go::TestMagnetar_Wire_FIPS205Verifiable

— declared at line 129. Round-trips a MAGS frame, strips, feeds

to cloudflare/circl/sign/slhdsa.Verify across M192s / M192f /

M256s.

• ~/work/lux/corona/wire/wire_test.go — wire round-trip suite

for CORS / CORG.

• ~/work/lux/magnetar/ref/go/pkg/magnetar/thbsse_test.go::TestThbsSE_Wire_FIPS205Verifiable

— declared at line 99. The THBS-SE byte-identity gate (LP-021).

Lean ↔ EasyCrypt bridge

Each PQ primitive ships an EasyCrypt mechanized security proof

under proofs/easycrypt/. The bridge into Lean (where the higher-

level consensus invariants live) is via axiom citations: a Lean

theorem cites N EasyCrypt lemmas, each of which has been verified

under the EasyCrypt elaboration.

The v1 invariant: 5/5 axiom citations resolved for each of pulsar,

corona, and magnetar. Specifically:

• Pulsar EasyCrypt artifacts at

~/work/lux/pulsar/proofs/easycrypt/Pulsar_N1*.ec. The N1

manifesto (FIPS 204 byte-identity) is Pulsar_N1.ec and its

sign / combine refinements at Pulsar_N1_Sign_Refinement.ec /

Pulsar_N1_Combine_Refinement.ec.

• Corona EasyCrypt artifacts at

~/work/lux/corona/proofs/easycrypt/Corona_N1*.ec. Symmetric

shape to pulsar.

• Magnetar EasyCrypt artifacts at

~/work/lux/magnetar/proofs/easycrypt/ (proofs directory exists;

artifacts land alongside the magnetar v1.0 paper rewrite at

~/work/lux/papers/lux-magnetar-pq/).

The Lean side ingests these as axioms keyed on the EasyCrypt

artifact name. Adding a new primitive to the cert profile family

requires adding the corresponding EasyCrypt artifacts and Lean

axiom citations; otherwise the cert profile is rejected at the

formal-verification gate.

Rationale

Why one cert struct, three profiles

Three production profiles share one wire shape because relying

parties (bridge contracts, light clients, external verifiers)

should not need to know the profile to parse the cert. They parse

the cert, then apply the composition predicate (IsPolaris,

HasHashBased) against the policy they enforce. Profile policy is

the relying party's concern; profile shape is invariant.

Why pure-function composition

Each primitive's threshold ceremony is non-trivial: Pulsar's

algebraic threshold sign has its own three-round protocol,

Corona's Pedersen DKG has its own bootstrap dance, Magnetar's

THBS-SE has its own commit / reveal layout. Braiding the ceremonies

in a single composition orchestrator would tie the orchestrator's

release cadence to the slowest primitive.

ComposePolaris instead takes signatures as inputs. The consensus

engine waits on whichever ceremonies the profile requires, then

calls compose at the end. New primitives slot in by adding a new

field to PolarisLegs and a new wire frame; existing primitives

do not change.

Why external verifier byte-identity

A relying party that can call cloudflare/circl/sign/{mldsa,slhdsa}

needs no Lux-specific code to verify a Quasar cert leg. This is

the strongest possible composability statement: a smart contract on

any chain that exposes a PQ verifier precompile can check a Lux

cert leg without depending on Lux.

Backwards Compatibility

None. v1 is the lock-in. Polaris is the cert profile; Pulsar and

Aurora profiles are subsets of the same wire format.

Test Cases

The four headline test gates listed in §Specification.Test-gates

are run on every change to any PQ primitive. A wire-format change

that breaks any of them is a v1 regression.

Cross-primitive composition is tested at

~/work/lux/consensus/protocol/quasar/cert_roundtrip_test.go and

~/work/lux/consensus/protocol/quasar/triple_sign_test.go. These

exercise the full ComposePolaris path with synthetic per-leg

signatures.

Reference Implementation

• ~/work/lux/consensus/protocol/quasar/polaris.go:4-39 — the

Polaris cert profile composition contract.

• ~/work/lux/consensus/protocol/quasar/polaris.go:45 —

ErrPolarisMissingLeg.

• ~/work/lux/consensus/protocol/quasar/polaris.go:57 — the

PolarisLegs input struct.

• ~/work/lux/pulsar/ref/go/pkg/pulsar/wire.go:30-44 — PULS / PULG

frame layout.

• ~/work/lux/magnetar/ref/go/pkg/magnetar/wire.go:32-46 — MAGS /

MAGG frame layout.

• ~/work/lux/corona/wire/wire.go — CORS / CORG frame layout.
• ~/work/lux/pulsar/ref/go/pkg/pulsar/wire_test.go:126 —

TestPulsar_Wire_FIPS204Verifiable.

• ~/work/lux/magnetar/ref/go/pkg/magnetar/wire_test.go:129 —

TestMagnetar_Wire_FIPS205Verifiable.

• ~/work/lux/magnetar/ref/go/pkg/magnetar/thbsse_test.go:99 —

TestThbsSE_Wire_FIPS205Verifiable.

• ~/work/lux/pulsar/proofs/easycrypt/Pulsar_N1.ec — N1 manifesto

artifact.

• ~/work/lux/corona/proofs/easycrypt/Corona_N1.ec — N1 manifesto

artifact.

• ~/work/lux/magnetar/proofs/easycrypt/ — proofs directory (the

N1 artifact lands alongside the v1.0.0 paper rewrite).

Security Considerations

The Polaris cert's security floor is the SECOND-WEAKEST primitive

in the composition. A single broken primitive does not break the

cert; the relying party simply switches its enforced profile down.

This is the operational value of cross-family diversity (hash-based

Magnetar AND lattice-based Pulsar) AND intra-lattice diversity

(Pulsar and Corona, both Module-LWE).

The wire codec's strict trailing-garbage policy closes a

malleability vector: a relying party that accepted trailing bytes

would accept two distinct frames that decode to the same payload,

breaking equality semantics in downstream consensus state.

The pure-function compose contract is a non-trivial assertion of

non-equivocation: each primitive's threshold ceremony binds to the

round digest, and the round digest is a function of the proposer's

block and the validator-set commitment. A primitive that emits a

signature on a different digest is producing a signature on a

different message, and the relying party's verifier will reject

it.

Copyright

Copyright and related rights waived via CC0.