Chain-Key Transactions
For the reasons outlined here, the threshold signature scheme used to implement chain-key cryptography is based on BLS signatures. While BLS signatures have distinct advantages, they are simply not compatible with other blockchains. To achieve maximum compatibility with other blockchains, the IC implements chain-key transactions with threshold ECDSA signatures.
Implementing a secure and efficient threshold signing protocol for ECDSA is much more challenging than for BLS signatures. While there has been a flurry of research on threshold ECDSA in recent years, none of these protocols meet the demanding requirements of the Internet Computer: they all either assume a synchronous network (meaning that the protocols will fail or become insecure if messages are unexpectedly delayed) or provide no robustness (meaning that the ability to produce signatures is completely lost if a single node should crash) or both. Neither of these assumptions are acceptable on the IC: security and liveness must hold even an an asynchronous network with many faulty nodes.
DFINITY has designed, analyzed, and implemented a new threshold ECDSA signing protocol that works over an asynchronous network and is quite robust (it will still produce signatures if up to a third of the nodes in a subnet are crashed or corrupt) while still delivering acceptable performance. Papers written by DFINITY's researchers describe the protocol in detail and prove the key elements of its security.
The Internet Computer Community Adopts Threshold ECDSA Signatures Motion Proposal
