Fortanix Ignite
One-Time Signer
Secure your Ignite nodes with secure, non-slashing signer plugin with Fortanix
Introduction
As the world leader in the deployment of Trusted Execution Environments, Fortanix provides operators of Ignite (formerly Tendermint) validator nodes a mechanism to prevent double-signing of Ignite proposals and votes. The main component of the solution is a Fortanix DSM plugin which validates that the proposals and votes are well formed, tracks the state of the protocol, and ensures that double-signing is prevented. The solution forms part of the Fortanix Secure Web3 Infrastructure suite of tools and is provided as a managed
service.
In this briefing document, we outline the motivations behind our design choices and highlight how our design choices improve the security of Proof-of-Stake blockchains such as Ignite.
In Proof-of-Stake (POS) blockchains such as Ignite, validator nodes do not expend resources to “mine” the next block. Rather, they validate and sign proposals and votes. Since no resources are expended in signing, validators are incentivised to double-sign or equivocate. This creates forks in the blockchain. To avoid forks, it is important to ensure that validators maintain high integrity signers which track the state of the consensus protocol and only sign proposals and votes while ensuring that proposals and votes are not getting double-signed.
Nothing at Stake
In Proof-of-Work blockchains, if a miner misbehaves, for example, by trying to fork the blockchain, it ends up hurting itself. Mining on top of an incorrect block is a waste of effort. This is not true in Proof-of-Stake blockchains. If there is a fork in the blockchain, a validator node is in fact incentivized to support both the main chain and the fork. This is because there is always some small probability that the forked chain turns out to be the main chain in the long term. This is known as the “Nothing at Stake” problem, where deviation from the prescribed protocol is incentivized.
One mechanism to solve this problem is for the validator to use a signer that tracks the state of the protocol and ensures that double-signing is prevented. Developing such a signer is quite challenging. It needs to ensure that the code used to validate proposals and votes and to ensure double sign prevention is executed with high integrity. Also, the signer needs to be always online, and should operate in cluster mode to be able to recover from failures.
Secure One Time Signer
Fortanix DSM SaaS is a FIPS 140-2 Level 3 compliant platform for secure key management. It offers a unique security architecture where custom plugins can be developed and deployed to run inside the hardware protected secure environment. The plugin can be protected with a quorum policy that involves multiple admin users. Once deployed, a plugin code cannot be modified without explicit permissions from multiple administrators.
The Fortanix One Time Signer solution includes a plugin which validates proposals and votes, tracks the state of the protocol and signs proposals and votes while ensuring that double-signing is prevented.
.
Figure 1: A quorum protected Fortanix DSM Plugin which includes logic for validating Ignite proposals and votes and is a critical component of the Fortanix Ignite One Time Signer solution.
Benefits
The main benefit of the Fortanix One Time Signer solution is that it ensures that Ignite validators do not deviate from the prescribed protocol and indulge in selfish behaviour which could lead to forks in the blockchain. Moving forward, Fortanix intends to support One Time Signers for other Proof-of-Stake protocols such as Ethereum 2.0, Solana, Cardano, etc.
