Signing layer
The signing layer is where threshold ECDSA actually happens. This page describes the topology of a signing node, the protocol it speaks, and the two ceremonies that drive it: distributed key generation (DKG) and signing.
Node topology
A signing node is one logical unit of capacity. Each node has two zones on the same physical or logical machine (pod, VM, bare metal):
- Orchestrator / proxy. A Go process running in the parent host. It subscribes to the messaging bus, retrieves encrypted share data from the database, forwards protocol messages between peers, and proxies KMS calls on behalf of the enclave.
- Enclave. An AWS Nitro Enclave containing the signer. It has no internet access, no terminal, no persistent storage, and no shared memory with the parent host. The only channel between the orchestrator and the enclave is VSOCK.
The signer service inside the enclave is written in Go and consumes the DKLS23 Rust library through FFI. The protocol logic itself runs in Rust; orchestration, networking, and lifecycle around it are Go.
A typical deployment runs five nodes across independent availability zones or accounts. They register with the messaging layer as competing consumers of the signing subject, so adding a sixth node is configuration only.
Distributed key generation (DKG)
DKG is the ceremony that produces a fresh wallet. After it runs, every participating node holds one share of a Shamir secret sharing of the wallet's private key, and they all agree on the public key.
Refresh follows the same shape: a fresh polynomial is generated, shares are re-randomised, and the public key is preserved. Old shares are deleted from the database after the refresh commits.
Signing
Signing is a four-phase protocol over the t selected nodes (3-of-5 in our deployments). Phases 1 and 2 are point-to-point; phase 3 is a broadcast; phase 4 is local finalisation that produces the signature.
A few properties worth calling out:
- Forward secrecy on share generation. The orchestrator verifies that the share each node loaded is the current generation before letting the signing protocol start. A compromised old share cannot be slipped in.
- Attestation gate at KMS. Decryption of a share happens only when the Nitro attestation document matches the enclave-image hash policy. A signer running outside the authorised image cannot decrypt anything.
- Fail closed. If any participant aborts or any phase fails validation, the entire session is dropped; there is no retry path that could produce a partial or alternate signature.
Out of scope here
- Why DKLS23 was chosen over alternatives — see Cryptography.
- Threshold and refresh cadence — see Key lifecycle.
- The encryption-at-rest and attestation flow — see Key storage.