Threshold Validator for Tendermint
Since the launch of Cosmos, Unit 410 has operated one of the largest validators. Proof-of-stake networks, like Cosmos, typically levy financial consequences, colloquially known as slashing, for validators who misbehave either by double-signing blocks or by being offline for too long. This creates a trade-off between uptime and security for validator operators when managing their infrastructure.
An operator optimizing for uptime by running multiple validators with the same key runs the risk of double signing. On the other hand, a validator optimizing for security, by keeping the key attached to a single machine, must be prepared to respond promptly to any downtime on their validator to avoid penalties.
At Unit 410 we are always iterating on our infrastructure and looking for novel ways to improve its functionality while reducing exposure to incumbent risk. This spirit of iteration and improvement has led us to aggregate signatures which allow for a set of cosigners to privately sign a message, share their individual signatures, and combine these to form a single signature for the message. This idea is further extended by the implementation of threshold signatures. Whereas aggregate signatures require all cosigners to provide an individual signature, threshold signatures require only some subset of cosigners to provide an individual signature.
These properties of threshold signatures make them ideal for validator operators. Using threshold signatures, we can deploy a set of cosigners distributed across different datacenters. Each cosigner protects their personal secret and provides double-signing protection. To sign a block, each checks the block against their personal double-sign protection and only then provides their individual signature. If enough cosigners provide their signature part, a valid block signature is formed and published to other p2p participants.
This distributed, redundant set of cosigners is more robust to any single cosigner failure, providing better uptime than using a single key validator, while providing the additional benefit of insulating the validator from double signing risk. Additionally, unlike hot-hot distributed systems using raft or similar consensus protocols, no single cosigner has enough key material to unilaterally produce a signature.
We are excited to announce that we have successfully deployed our threshold validator on Cosmos mainnet under the Cybernetic Destiny moniker with plans to migrate our primary validator to a similar threshold scheme.
While our threshold validator is in private testing, we’ve taken the first steps to open source our single key validator and threshold Ed25519 bits.
If you would like to discuss or collaborate with us on threshold validation, please reach out to us at our address below.