Lux Docs
Ringtail

Ringtail

Post-quantum threshold signatures from Module-LWE with 2-round signing

Ringtail (github.com/luxfi/ringtail) implements a practical post-quantum threshold signature scheme based on the Module Learning-With-Errors (Module-LWE) problem. It is described in eprint.iacr.org/2024/1113.

Security Properties

PropertyValue
Security basisModule-LWE (lattice)
Post-quantum security128-bit
Signing rounds2
Threshold modelt-of-n (configurable)
Key generationTrusted dealer with Shamir secret sharing

Comparison with Classical Schemes

SchemeQuantum-safeRoundsAggregatableBasis
RingtailYes2NoModule-LWE
FROSTNo2NoDiscrete log
BLSNo1YesBilinear pairing
CGGMP21NoMultiNoECDSA

Ringtail is the only post-quantum option. It provides comparable round complexity to FROST while offering security against quantum adversaries.

Architecture

ringtail/
├── sign/           # Core signing protocol (Gen, SignRound1, SignRound2, Verify)
├── primitives/     # Shamir secret sharing, hash, MAC, PRF
├── utils/          # NTT/Montgomery conversions, matrix/vector ops
├── threshold/      # threshold.Scheme interface implementation
├── networking/     # TCP peer-to-peer message transport
└── main.go         # CLI runner for benchmarking

Parameters

Ringtail uses a 48-bit NTT-friendly prime and discrete Gaussian sampling:

ParameterValueDescription
M8Public matrix rows
N7Secret vector dimension
Q2^48 + 0x4A01Ring modulus (NTT-friendly)
Kappa23Challenge weight
Key size256 bitsSeed and MAC key size
ThresholdConfigurableDefault: full-threshold (n-of-n)

Use in Lux

Ringtail is used alongside BLS in Lux Quasar consensus. BLS provides fast 1-round classical signatures for block finality at 500ms intervals. Ringtail provides post-quantum security via 3-second quantum bundles that anchor groups of BLS-signed blocks with lattice-based threshold signatures.

BLS:      [B1]--[B2]--[B3]--[B4]--[B5]--[B6]--...
           500ms finality per block

Ringtail: [─────────QB1: Merkle(B1..B6)─────────]
           3-second quantum bundle, async 2-round signing

Threshold API Reference

RegisterScheme, GetScheme, SchemeAdapter, and QuickSign helpers

Signing Protocol

Key generation, 2-round threshold signing, and verification

On this page

Security PropertiesComparison with Classical SchemesArchitectureParametersUse in Lux