Wavestar Technology · Attestation architecture

Twelve independent eyes on every orbital fact.

Every settlement input — a downlink completed, fuel transferred, a slot commissioned, a manoeuvre executed — is co-signed by a quorum of independent observers. The network runs 12 seats across six categories. BLS12-381 threshold signatures aggregate to a single 96-byte proof verified with one pairing. Diversity rules prevent cartel capture; slashing conditions enforce them.

Apply for an observer seat Attest product overview

Observers: 12 seats
Quorum: 8-of-12 threshold
Curve: BLS12-381
Quorum latency p99: 420 ms

Why threshold cryptography

A 12-observer quorum beats a single commercial oracle.

A single SSA vendor is a single point of failure — commercial, technical, and legal. A 12-seat federation with explicit diversity constraints is not. Threshold BLS signatures make the verification trivial on the receiving side.

01
One signature, many signers
Each observer produces a BLS12-381 signature share over the canonicalised attestation payload. Shares aggregate arithmetically to a single 96-byte group-element signature — the same size as a single-signer signature. Verification is one pairing.
02
Threshold instead of unanimous
8-of-12 is a Byzantine-tolerant majority with margin. Up to 4 observers can be offline, adversarial, or wrong, and the quorum still forms correctly. The remaining 8 produce a signature indistinguishable from a unanimous 12.
03
Aggregatable public keys
Observer public keys are aggregated into a single group element per quorum generation. A client holds one aggregate key; rotations produce a new one. Key material scales O(1) on the verifier side regardless of quorum size.
04
Pairing-friendly curve
BLS12-381 was chosen over BN254 because it offers 128-bit security and is the industry standard (Ethereum consensus, Filecoin, Chainlink). Implementations (blst, @noble/curves) are audited and fast.

Observer categories

Six classes. No single class can carry the quorum.

The 12 seats are split across six categories so no single class — ground stations, SSA vendors, operators — can hit threshold alone. A cartel on one vector cannot co-opt the network.

Observer seat allocation · v1

Ground stations: 3 seats
KSAT, Viasat RTE, AWS Ground Station or equivalent. RF completion telemetry is their operating reality.
SSA providers: 2 seats
LeoLabs, Slingshot, NorthStar, Kayhan, or Privateer. Conjunction and orbital-state truth.
Fleet operators: 2 seats
Operators of major constellations attesting to their own telemetry. Diversity caps prevent self-attestation majorities.
Academic consortia: 1 seat
University radio-astronomy networks (e.g. LOFAR, SKA affiliates) under independent-observation MoUs.
National regulators: 1 seat
FCC, Ofcom, ITU-BR, or equivalent. Permissioned signature-only role — never a commercial position.
Independent commercial: 3 seats
Specialist firms contracted by Wavestar and the OIF for neutrality. Run periodic random audits of the other five categories.

Diversity rules

No single operator, no single region, no cartel.

D1
≤ 2 seats per operator
A corporate group (parent plus subsidiaries) can hold at most two observer seats across all categories. Enforced at onboarding and verified at every quorum formation — violating quorums are automatically rejected.
D2
≤ 4 seats per region
Regions are defined as ITU coordination zones grouped by continent. No more than four seats can sit in a single region — ensuring geopolitical diversity even in the extreme case where one jurisdiction pressures its nationals.
D3
≤ 1 seat per category per operator
An operator can hold at most one ground-station seat, one SSA seat, etc. Prevents stacking within a single observer category to force a class majority.
D4
Rotation cadence
At minimum 10% of seats rotate quarterly. The OIF attestation committee schedules rotations to avoid clustering at Wavestar fiscal events.

Signature aggregation pipeline

Four stages, measured end-to-end in under 450ms.

The pipeline below runs on every settlement input. Each stage has an explicit timeout, an explicit retry policy, and a published latency target. No stage blocks on a single observer.

ascii

  Wavestar ORCH -- attestation request for settlement input X
       |
       v
  +-----------------------------------------------------------+
  |  Stage 1: FANOUT                        target: < 50 ms   |
  |  - Canonicalise payload (RFC 8785 JCS)                    |
  |  - Hash SHA-256 -> challenge digest                       |
  |  - NATS publish attest.request.{X} to all 12 observers    |
  +-----------------------------------------------------------+
       |
       v
  +-----------------------------------------------------------+
  |  Stage 2: INDEPENDENT SIGNING           target: < 200 ms  |
  |  - Observers compute their own evidence                   |
  |  - If evidence matches digest, sign with BLS12-381 share  |
  |  - If mismatch, publish a signed DISSENT on attest.dissent|
  |  - Timeout on an observer after 250 ms                    |
  +-----------------------------------------------------------+
       |
       v
  +-----------------------------------------------------------+
  |  Stage 3: AGGREGATION                   target: < 120 ms  |
  |  - Collect shares on attest.response.{X}                  |
  |  - As soon as >= 8 arrive, aggregate via BLS sum          |
  |  - Reject duplicates, wrong-group points, mismatches      |
  |  - Verify aggregate against aggregate public key          |
  +-----------------------------------------------------------+
       |
       v
  +-----------------------------------------------------------+
  |  Stage 4: PUBLICATION                   target: < 80 ms   |
  |  - Append to Trillian log as leaf (payload + agg sig)     |
  |  - Record leaf index, return to ORCH                      |
  |  - Emit NATS attest.settled.{X}                           |
  +-----------------------------------------------------------+
       |
       v
  Wavestar ORCH -- clears the trade.
                   Counterparty receives verification bundle.

  End-to-end target: p99 < 450 ms (measured: 420 ms Q1 2026)

Slashing conditions

Equivocation, absenteeism, invalidity — each with a price.

Observers post a performance bond at onboarding. Violations trigger escrow deductions and, at a threshold, removal. The rulebook names the conditions explicitly; nothing is discretionary.

Equivocation: Sign two conflicting attestations at the same height
Fatal. 100% of bond slashed, immediate revocation, seat opens for a replacement.
Invalid signature share: Share fails verification against aggregate key
3 occurrences within 90 days: 25% of bond slashed and removal.
Missed quorums: Below 80% attendance over a rolling 30-day window
Formal review. 10% of bond slashed at the first breach; second breach triggers removal.
Diversity violation: Corporate restructure pushes category over cap
90-day grace period to divest. Non-compliance = removal, no slash if disclosed.
Private key compromise: Disclosed or detected exfiltration
No slash if disclosed proactively. Key rotation executed within 15 minutes of disclosure.
Regulatory sanction: OFAC / UK / EU sanction on the observer or a beneficial owner
Automatic suspension pending OIF review. Seat may be permanently revoked.

Signed evidence envelope

What an observer actually co-signs.

cbor/cose

COSE_Sign1 (observer signature share)
  protected:
    alg: "BLS12381G1_XMD:SHA-256_SSWU_RO_" (IETF draft-irtf-cfrg-bls)
    kid: "did:orbit:observer:wavestar:leolabs-primary#key-2026-q2"
  unprotected:
    ctyp: "application/vnd.wavestar.attestation+cbor"
  payload (CBOR, after RFC 8785 JCS canonicalisation):
    attestationId:  "att_01HXX..."
    instrument:     "DLM"
    contract:       "did:orbit:contract:wavestar:dlm-2026-04-22-1400z-..."
    claim:          "downlink_completed"
    evidence:
      bytes:        1_072_481_320
      windowStart:  "2026-04-22T14:00:00Z"
      windowEnd:    "2026-04-22T14:10:00Z"
      station:      "did:orbit:ground:fcc:ksat-svalbard-sg1"
      satellite:    "did:orbit:satellite:itu:usa-starlink-1043"
      signalReport:
        ebno:       14.2
        modulation: "QPSK-1/2"
    observerNotes:  "Telemetry cross-matched with local doppler; nominal."
    timestamp:      "2026-04-22T14:10:03.412Z"
  signature:        48 bytes (G1 curve point)

AGGREGATE (8-of-12)
  aggregateSignature: 96 bytes (G2 curve point, BLS threshold aggregation)
  signers:            [ kid-0, kid-3, kid-4, kid-5, kid-6, kid-8, kid-10, kid-11 ]
  committeeEpoch:     "2026-q2"

Charter principle

Every input to a settlement decision must be able to withstand an adversarial court subpoena.

Attest charter·§ 1.2

Targets

Observer seats

Seven seats open — Q3 2026.

Three ground stations, two SSA providers, and two independent commercial specialists. Onboarding requires a performance bond, a signing HSM, and an MoU committing to the diversity rules.

Request an observer seat Attest product page

Twelve independent eyes on every orbital fact.

A 12-observer quorum beats a single commercial oracle.

One signature, many signers

Threshold instead of unanimous

Aggregatable public keys

Pairing-friendly curve

Six classes. No single class can carry the quorum.

No single operator, no single region, no cartel.

≤ 2 seats per operator

≤ 4 seats per region

≤ 1 seat per category per operator

Rotation cadence

Four stages, measured end-to-end in under 450ms.

Equivocation, absenteeism, invalidity — each with a price.

What an observer actually co-signs.

The attestation network, by the numbers.

Seven seats open — Q3 2026.