Skip to content

Latest commit

 

History

History
63 lines (35 loc) · 3.19 KB

README.md

File metadata and controls

63 lines (35 loc) · 3.19 KB

Horcrux

Horcrux is a multi-party-computation (MPC) signing service for Tendermint nodes

Why use Horcrux?

Take your validator infrastructure to the next level of security and availability

  • Composed of a cluster of signer nodes in place of the remote signer, enabling High Availability (HA) for block signing through fault tolerance.
  • Secure your validator private key by splitting it across multiple private signer nodes using threshold Ed25519 signatures
  • Add security and availability without sacrificing block sign performance.

Design

Validator operators for tendermint chains balance operational and risk tradeoffs to avoid penalties via slashing for liveliness faults or double signing blocks.

Traditional high-availability systems where the keys exist on hot spares risk double signing if there are failover detection bugs. Low-availability systems, or manual failover, risk downtime if manual intervention cannot respond in a timely manner.

Multi-party computation using threshold signatures is able to provide high-availability while maintaining high security and avoiding double signing via consensus and failover detection mechanisms.

For more on how the Horcrux MPC signing flow works, see docs/signing.md

Screenshot from 2022-03-07 18-09-49

Raft

Horcrux v2.x introduces Raft For leader election and high watermark consensus.

Benchmarks

Screenshot from 2022-01-31 13-50-36

Demo

Horcrux signer cluster configured with 5 total nodes, threshold 3.

Demo

Running Horcrux

See documentation in docs/migrating.md to learn how to upgrade your validator infrastructure with Horcrux.

Security

Security and management of any key material is outside the scope of this service. Always consider your own security and risk profile when dealing with sensitive keys, services, or infrastructure.

No Liability

As far as the law allows, this software comes as is, without any warranty or condition, and no contributor will be liable to anyone for any damages related to this software or this license, under any kind of legal claim.

References

Acknowledgement

The initial threshold signing code in this project was developed by Roman Shtylman (@defunctzombie). The work here improves the cluster reliability and performance, adds a nice CLI experience and additional documentation to make operating this software easier and more reliable.