LP-0180, status: Final, tags: pq, pulsar, ml-dsa, threshold, nist

LP-180: Pulsar — NIST MPTC submission package

Abstract

LP-180 tracks the **NIST Multi-Party Threshold Cryptography (MPTC) submission package** for Pulsar, the Module-LWE threshold ML-DSA construction Lux runs on the primary network's Q-Chain finality. It is the document/code/proof artifact NIST receives at the 2026-Nov-16 first-call deadline.

LP-171 is the protocol-side LP (how Lux consumes Pulsar). LP-073 is the production-library LP (how Lux ships it). LP-180 is the NIST-submission LP (what we hand NIST).

> Naming. The earlier Pulsar-M (with -M for Module-LWE) qualifier was retired in luxfi/pulsar commit af3d669 (2026-05-16). Pulsar is now the family name; the Module-LWE instantiation IS Pulsar. The Module-LWE sibling is Corona. All code paths, module paths, and identifiers below use the post-rename pulsar form.

NIST MPTC categories targeted

| Class | Property | Pulsar evidence |
|---|---|---|
| N1 | Single-party-compatible threshold signing — output verifies under unmodified single-party verifier | Spec §6 Theorem 6.1; Lean Crypto/Pulsar/OutputInterchange.lean (zero sorry); E2E test test/interoperability/n1_class_test.go verifies every KAT through cloudflare/circl FIPS 204 (19/19 subtests) |
| N4 | Multi-party key generation with public-key preservation across resharing | Spec §4.5 (Reshare protocol); Lean Crypto/Pulsar/Shamir.lean (zero sorry); transcript KATs vectors/transcripts/n*-t*-reshare.jsonl |
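
What the N4 row claims, as an added toy example (this is not code from luxfi/pulsar and not the Shamir.lean development; it assumes a prime-field Shamir scheme with Feldman commitments over a constructed small safe-prime group, and all function names are mine): key generation produces t-of-n shares, a quorum of old holders reshares to a new t'-of-n' committee without ever reconstructing the key, and the new committee's commitment to its constant term equals the original public key. Pulsar does this over a module lattice; only the share arithmetic (Lagrange recombination, commitment combination) carries over.

```python
"""Toy model of the N4 property: t-of-n Shamir shares of a signing key are
reshared to a new t'-of-n' committee without reconstructing the key, and the
public key is unchanged.  Added illustration, not code from luxfi/pulsar:
Pulsar shares live in a module lattice; here they live in a prime field Z_Q
and the "public key" is G^secret in a toy group, so only the share arithmetic
(Lagrange recombination, Feldman commitments) carries over.
"""
import secrets

# Constructed toy group: safe prime P = 2*Q + 1; G = 4 generates the order-Q
# subgroup.  Production parameters are nothing like this size.
P, Q, G = 2039, 1019, 4


def public_key(secret):
    """The deterministic function of the secret that resharing must preserve."""
    return pow(G, secret, P)


def eval_poly(coeffs, x):
    """Horner evaluation of sum_k coeffs[k] * x^k over Z_Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lagrange_at_zero(xs):
    """Weights w_j with sum_j w_j * f(x_j) = f(0) for any f of degree < len(xs)."""
    weights = []
    for j, xj in enumerate(xs):
        num, den = 1, 1
        for m, xm in enumerate(xs):
            if m != j:
                num = num * (-xm) % Q
                den = den * (xj - xm) % Q
        weights.append(num * pow(den, -1, Q) % Q)  # modular inverse, Python 3.8+
    return weights


def share(secret, n, t):
    """t-of-n sharing: random degree-(t-1) polynomial f with f(0) = secret.
    Returns shares {i: f(i)} and Feldman commitments [G^a_0, ..., G^a_(t-1)]."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    return {i: eval_poly(coeffs, i) for i in range(1, n + 1)}, commitments


def verify_share(i, s_i, commitments):
    """Feldman check G^s_i == prod_k C_k^(i^k); C_0 is the public key."""
    rhs = 1
    for k, c_k in enumerate(commitments):
        rhs = rhs * pow(c_k, pow(i, k, Q), P) % P
    return pow(G, s_i, P) == rhs


def reconstruct(shares):
    """Recover f(0) from any t shares {i: s_i} (for the key, never done in N4)."""
    xs = list(shares)
    return sum(w * shares[x] for w, x in zip(lagrange_at_zero(xs), xs)) % Q


def reshare(quorum, n_new, t_new):
    """Any t_old old holders (keys of `quorum`) move the key to t_new-of-n_new.
    Old holder j shares its own share s_j with a fresh polynomial g_j; new party
    i sums w_j * g_j(i).  The new polynomial f' = sum_j w_j * g_j satisfies
    f'(0) = sum_j w_j * s_j = secret, and nobody ever computes the secret.
    Returns the new shares and the new commitments; new_commits[0] is the public key."""
    xs = list(quorum)
    new_shares = {i: 0 for i in range(1, n_new + 1)}
    new_commits = [1] * t_new
    for w, j in zip(lagrange_at_zero(xs), xs):
        sub, commits = share(quorum[j], n_new, t_new)  # old party j's sub-shares
        for i in new_shares:
            new_shares[i] = (new_shares[i] + w * sub[i]) % Q
        for k in range(t_new):  # commitments combine with the same weights
            new_commits[k] = new_commits[k] * pow(commits[k], w, P) % P
    return new_shares, new_commits


def demo(secret=117, n_old=5, t_old=3, n_new=7, t_new=4):
    """Keygen -> reshare -> checks; returns the facts worth asserting on."""
    old_shares, old_commits = share(secret, n_old, t_old)
    quorum = {i: old_shares[i] for i in list(old_shares)[:t_old]}  # first t_old holders
    new_shares, new_commits = reshare(quorum, n_new, t_new)
    last_new = {i: new_shares[i] for i in list(new_shares)[-t_new:]}  # any t_new suffice
    last_old = {i: old_shares[i] for i in list(old_shares)[-t_old:]}
    return {
        "secret": secret,
        "old_pk": public_key(secret),
        "new_pk": new_commits[0],  # must equal old_pk: public-key preservation
        "old_shares_valid": all(verify_share(i, s, old_commits) for i, s in old_shares.items()),
        "new_shares_valid": all(verify_share(i, s, new_commits) for i, s in new_shares.items()),
        "recovered_old": reconstruct(last_old),
        "recovered_new": reconstruct(last_new),
        "tampered_rejected": not verify_share(1, (new_shares[1] + 1) % Q, new_commits),
    }
```

`demo()` runs a 3-of-5 to 4-of-7 transition; `new_pk == old_pk` is the preservation check a verifier can perform from public data alone, and `tampered_rejected` shows why the commitments matter: a corrupted sub-share is caught by the Feldman check before it can poison the new committee's key.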

Submission package contents

Repository: <https://github.com/luxfi/pulsar>. Module path inside: github.com/luxfi/pulsar (shared with the production library luxfi/pulsar; the submission tarball is a tag-frozen snapshot, the production library evolves under the same module path).

| Artifact | Location | Status |
|---|---|---|
| Cover sheet | SUBMISSION.md | drafted (v0.1) |
| 1-page executive summary | NIST-SUBMISSION.md | drafted (v0.1) |
| Standalone protocol spec | SPEC.md | drafted (v0.1) |
| Hanzo PQ Threshold Suite index | SUITE.md | drafted (v0.1) |
| Cross-repo information architecture | INFORMATION-ARCHITECTURE.md | drafted (v0.1) |
| Full Lux/Hanzo crypto inventory | HANZO-CRYPTO-SUITE.md | drafted (v0.1) |
| Royalty-free patent grant | PATENTS.md | drafted (v0.1) |
| Patent claim drafts (21 claims, 5 groups) | docs/patent-claims.md | drafted (v0.1) |
| Trust accounting | AXIOM-INVENTORY.md + PROOF-CLAIMS.md + TRUSTED-COMPUTING-BASE.md | drafted (v0.1) |
| Op → FIPS 204 § map | FIPS-TRACEABILITY.md | drafted (v0.1) |
| Per-version proof artifact log | CHANGELOG.md | drafted through v13 |
| Multi-year crypto roadmap | ROADMAP.md | drafted (v0.1) |
| Cross-repo sync status | SYNC-STATUS.md | drafted (v0.1) |
| Technical Specification (LaTeX) | spec/pulsar.tex + spec/pulsar.pdf | drafted; encoding freeze 2026-Aug |
| Reference Implementation | ref/go/pkg/pulsar/ (Go, no asm) | shipped; 89.7% coverage |
| KAT vectors | vectors/{dkg,keygen,sign,threshold-sign,verify}.json + vectors/transcripts/ | deterministic from 32-byte seed |
| Class N1 cross-validation | test/interoperability/n1_class_test.go (3rd-party FIPS 204 verifier: cloudflare/circl) | 19/19 subtests pass |
| Symbolic / Lean proofs | ~/work/lux/proofs/lean/Crypto/Pulsar/{OutputInterchange,Unforgeability,Shamir,dkg2}.lean | zero sorry |
| Lean ↔ EasyCrypt bridge map | proofs/lean-easycrypt-bridge.md | 5/5 bridges; CI-guarded |
| Constant-time analysis | ct/dudect/ harness | scaffolded; final results pinned at submission tag |
| Jasmin high-assurance | jasmin/{lib,ml-dsa-65,threshold}/ | libjade fetch script + threshold layer + 3/3 jasmin-ct CI green |
| EasyCrypt theories | proofs/easycrypt/{Pulsar_N1,Pulsar_N4}.ec + supporting modules + lemmas/{Pulsar_CT,MLDSA65_Functional}.ec | 13/13 compile, 0 admits, v4-v13 decomposition complete |
| Experimental evaluation report | docs/evaluation.md + bench/results/REPORT.md | populated on Apple M1 Max; reproducible via scripts/bench.sh |
| IETF / CFRG Internet-Draft | docs/ietf-draft-skeleton.md (draft-hanzo-pulsar-threshold-mldsa-00) | drafted, no TBDs |
| License | LICENSE (Apache-2.0) | ✓ |
| Build/test/bench/vector-gen/SBOM scripts | scripts/ | shipped; reproducibility CI gate |

Cross-LP relationships

Schedule

| Date | Milestone |
|---|---|
| 2026-Mar-03 | PQ Consensus Architecture Freeze (consensus / quasar APIs locked) |
| 2026-May-12 | LP-180 drafted; reference impl + KATs + Class N1 interop green |
| 2026-Jul-20 | NIST MPTC third preview deadline — submit a writeup-only preview |
| 2026-Aug-31 | Encoding section freeze (DD-008): wire formats pinned in spec/pulsar.tex |
| 2026-Sep-30 | EasyCrypt theory shells discharged (admit markers replaced with mechanized proofs); Jasmin threshold-layer round-1/round-2/combine implementations land |
| 2026-Oct-31 | dudect constant-time results pinned; final cross-validation against BoringSSL FIPS / AWS-LC / OpenSSL 3.0 PQ provider |
| 2026-Nov-16 | NIST MPTC first-call submission: cut submission-2026-11-16 tag from main, produce reviewer tarball, file with NIST |

Open submission risks

1. Encoding section (spec/pulsar.tex) is explicitly declared "intentionally structural only — byte-level wire formats freeze at DD-008 (end of August 2026)". A reviewer who clones today sees that flag. Must close before submission.

2. EasyCrypt admit markers in proofs/easycrypt/. Three theory shells have admit standing in for the proof body. Without discharge, the high-assurance track is a roadmap. NIST accepts this for the first submission; reviewers will note it.

3. Threshold-layer Jasmin files (jasmin/threshold/{round1,round2,combine}.jazz) are stubs with function signatures + TODO markers. The single-party ML-DSA-65 baseline is covered by libjade (fetched via jasmin/ml-dsa-65/fetch.sh); the threshold-specific work is months of formal-methods engineering.

4. Red-team audit findings (2026-05) — all 13 CLOSED. A 4-red-agent + 1-scientist swarm against the nation-state threat model originally found 13 production go-live blockers. The CR-{1..13} list is now fully discharged across pulsar + consensus + node + evm + geth + pq; see BLOCKERS.md at the repository root for per-entry landing-commit attribution. Lux mainnet deployment as a strict-PQ chain is no longer gated on the audit: every wire from the profile-banner to the EVM precompile boundary to the peer-handshake to the threshold-DKG to the consensus envelope is now enforced. Per the scientist audit, the following five algorithmic claims still need spec caveats added before submission (these are about the paper, not the code): adaptive corruption (UNSUPPORTED → spec must say static-only); cross-domain isolation Pulsar/Corona (WEAK → both Pulsar and Corona (Module-LWE) share algebraic-lattice hardness, not defense-in-depth); constant-time Verify (WEAK → assertion, not measurement; dudect harness wired but submission-grade run still pending); Z-Chain Groth16 / P3Q migration (WEAK → implementation does not match doc claim of "192-byte Groth16 rollup"); 2-round optimality (WEAK → clarify v0.1 reconstruction-aggregator trust model vs Raccoon's 3-round true-threshold combine).

5. No 1-round signing variant. ML-DSA rejection sampling precludes 1-round threshold signing without a non-NIST-standard preprocessing oracle. NIST is aware; this is shared with the Raccoon and Corona submissions.

Acceptance criteria for "ready to submit"

The submission tarball at submission-2026-11-16 must pass:

References