LP-0181Draft

LP-181: Magnetar — public-DKG MPC threshold SLH-DSA

Status: draft

Author: [email protected]

Type: standards / cryptography

Motivation

Quasar's PQ-heavy cert mode (LP-217; was the Polaris profile in LP-017,

historical) reserves slot 0x012207 for Magnetar: a public-DKG MPC

threshold variant of SLH-DSA (FIPS 205). Single-party

SLH-DSA verify already has a GPU batch path

(crypto/slhdsa/gpu.go::VerifyBatchGPU). The remaining work is the

threshold primitive itself — split signing across n parties, recover

with t+1, no trusted dealer.

Why threshold SLH-DSA is hard

SLH-DSA is hash-based. Lattice signatures (ML-DSA, Pulsar) admit

linear-secret-sharing threshold variants because the underlying

operations are linear over the ring. Hash-based signatures have no such

algebraic structure: each signing party must produce a WOTS+ /

FORS-tree leaf, and combining leaves under a Merkle root requires every

party to know every other party's contribution.

GKMM 2024/447 (Goyal–Khurana–Maji–Mukherjee) gives the only known

construction for threshold hash-based signatures with non-interactive

recovery, using Pedersen-style VSS over the FORS leaf indices. The

construction is concrete and audited but heavy: signing requires n

rounds of broadcast, and the verifier must run a non-trivial proof

check on top of the FIPS 205 verify.

Construction (sketch)

1. Public DKG: every party publishes a FORS tree commitment using

Pedersen VSS over the leaf indices. Any t+1 parties' commitments

determine the group public key.

2. Signing: signer set of size ≥ t+1 runs n-round broadcast.

Round i exchanges leaf-decommitments for the i-th FORS tree.

After all rounds, any party can assemble a valid FIPS-205-compatible

signature plus a Lagrange-interpolated WOTS+ chain head.

3. Recovery: aggregator computes the group signature as

(σ, π) where σ is a standard SLH-DSA signature and π is a

Groth16 proof that the FORS tree commitments interpolate correctly

on t+1 shares.

4. Verify: standard FIPS 205 verify on σ, then Groth16 verify on

π. The Groth16 verifier reuses the existing BN254 substrate

already wired into Quasar.

Security

Per GKMM, the construction reduces to:

WOTS+ unforgeability (FIPS 205 §6.1)
FORS one-time unforgeability (FIPS 205 §7)
Pedersen VSS hiding + binding under DLOG (BN254-G1)
Groth16 soundness in the Algebraic Group Model

Quantum security: the SLH-DSA portion is post-quantum (hash-based, no

group-theoretic assumption); the Pedersen-VSS portion is classical

DLOG-hard (~128-bit BN254). For full post-quantum threshold operation,

the VSS would need to be re-instantiated over a lattice DLOG-analog

(e.g. SIS commitments) — out of scope for this LP, deferred to LP-181-PQ.

Reuse

SLH-DSA primitive: crypto/slhdsa (FIPS 205) — keys, sign, verify
Batch verify GPU: crypto/slhdsa/gpu.go::VerifyBatchGPU (already

shipped); the Magnetar verifier calls this on σ before checking π

Groth16 verify: crypto/threshold + accel.ZKOps.MSM already

expose BN254 pairings + MSM through the GPU substrate

Wire codec: corona/wire codec extended with MagnetarCert

containing (σ, π, ValidatorSet, Epoch) — matches the existing

QuasarCert shape

What this LP does NOT spec

A separate Go package (magnetar/). The implementation slots into

crypto/threshold/magnetar/ next to the existing BLS / Pulsar

schemes, registering through crypto/threshold.RegisterScheme.

A new precompile address. Magnetar-verify reuses the SLH-DSA

precompile at 0x012203 plus the BN254 pairing precompile at the

standard EVM slot.

A change to the existing single-party SLH-DSA surface — Magnetar

composes on top, no API changes downstream.

Implementation phases

| Phase | Scope | Blocker |

|-------|-------|---------|

| 0 | This LP merged + KAT vector format pinned | — |

| 1 | crypto/threshold/magnetar/scheme.go skeleton implementing threshold.Scheme; trusted-dealer path for tests | KAT format from phase 0 |

| 2 | Public DKG using Pedersen VSS over BN254-G1 | reuse crypto/threshold/bls Pedersen-VSS scaffold |

| 3 | Groth16 circuit for the share-interpolation proof | gnark circuit + trusted setup |

| 4 | GPU batch path via accel.ZKOps.MSM for the BN254 leg | inherits existing substrate |

| 5 | corona/wire codec + Quasar cert integration (PQ-heavy mode per LP-217; was Polaris profile in LP-017, historical) | LP-105 / cert-mode freeze |

| 6 | Bench + audit + NIST-MPTC submission package | mirrors Corona/Pulsar submission flow |

References

FIPS 205 — Stateless Hash-Based Digital Signature Standard
GKMM 2024/447 — Threshold Hash-Based Signatures from Pedersen VSS
LP-217 — Cert profile modes (PQ-off / PQ-fast / PQ-strict / PQ-heavy);

canonical operator-facing naming. Magnetar is the leg added at PQ-heavy.

LP-017 — Quasar Consensus + Polaris Cert Profile (Historical; v1

codenames Pulsar / Aurora / Polaris are now internal identifiers).

LP-105 — Quasar consensus + cert profiles (legacy reference; see LP-217

for the canonical operator-facing naming).

LP-180 — NIST-MPTC submission package (Corona / Pulsar)
~/work/lux/crypto/slhdsa/ — single-party SLH-DSA primitive
~/work/lux/crypto/threshold/ — threshold scheme registry