Cryptography
Post-quantum, verifiable, attested.
The Osage post-quantum stack, key management, and verifiable compute.
NIST-aligned post-quantum primitives
- ML-KEM (NIST FIPS 203) — lattice-based key encapsulation; replaces RSA / ECDH.
- ML-DSA (NIST FIPS 204) — lattice-based digital signatures.
- SLH-DSA (NIST FIPS 205) — stateless hash-based signatures (SPHINCS+).
- Falcon — compact lattice signatures.
- Hybrid modes — classical + PQ in defence-in-depth pairs, CNSA 2.0 aligned.
The Osage post-quantum stack
On top of the NIST primitives we operate a named stack of higher-level cryptographic protocols. Each is independently complete; each can be deployed standalone or composed.
- Osage Quasar — post-quantum round-signer / consensus signing. The round-bound aggregate signature that anchors sovereign settlement on Osage Network. Lattice-backed, threshold-aware, audit-trailed.
- Osage Pulsar — threshold lattice signing. t‑of‑n key generation, signing, and rotation under post-quantum primitives, without ever reconstructing the private key. The institutional-custody and consensus signing primitive.
- Osage Magnetar — high-throughput batched signing for transaction streams. The Pulsar threshold model with amortised verification for high-volume settlement and payments rails.
- Osage Prism — sub-sampled finality / cut. The probabilistic finality primitive underlying sovereign consensus on Osage Network; cryptographically auditable.
- Osage Corona — cross-chain threshold oracle. The threshold-signed attestation primitive for bridging and external-state proofs, with Pulsar as the signing substrate.
NIST posture
The Osage cryptography team participates in NIST post-quantum standardisation activities — reference implementations, test-vector submissions, side-channel analysis, and applied-research contributions through Osage Institute. Working papers and proof artefacts are published in the open record. Federal customers receive a structured NIST‑submission and cryptographic-test-vector dossier on request.
Threshold & MPC
- Threshold signatures — t‑of‑n signing for institutional custody and consensus (Osage Pulsar).
- MPC wallets — key generation, signing, and rotation without reconstructing the private key.
- Shamir secret sharing — for break-glass recovery and offline key custody.
- Cross-chain threshold attestation — Osage Corona over Osage Pulsar.
Zero-knowledge proofs
- Groth16, PLONK, STARKs, Halo2 — verifier hosting and prover infrastructure.
- zkVM — verifiable compute for arbitrary programs.
- ZK identity — selective-disclosure credentials, attribute proofs without identifier release.
Fully homomorphic encryption
BGV / BFV / CKKS schemes for compute-on-ciphertext workloads — analytics on encrypted data, ML inference on encrypted inputs, federated learning with cryptographic privacy guarantees. Hosted on accelerated GPU/FPGA pools where the workload requires it.
Key management (Osage KMS)
- HSM-backed — FIPS 140-3 boundary; keys never leave it.
- Per-org KEKs — versioned, rotatable, auditable.
- Envelope encryption — CEK‑per‑file/row with AES-256-GCM and AAD-bound nonces (the canonical Osage spec at osage.tech/docs/storage).
- Crypto-shredding — revocation as a first-class operation.
- Audit log — every unwrap is a logged KMS event.
HSM integration
Standing integration with Thales (Luna), Utimaco, and YubiHSM families. AWS CloudHSM and Google Cloud HSM are available for hybrid regions. Customer-owned (bring-your-own) HSMs are supported for sovereign deployments.
The Chief Architect & Cryptographer holds the standing PQ brief. See osage.global/board and the federal capability statement at osage.global/capabilities.