The Internet Computer’s chain-key ECDSA signing capabilities based on threshold ECDSA are one of the best, maybe even the best, USP of the platform. Threshold ECDSA allows smart contract to compute ECDSA signatures on chain, with the private key being secret shared among many replica nodes. This allows for integrating with any other blockchain that supports ECDSA as signature scheme for singing transactions.
The current pricing for computing one threshold ECDSA signature is ~26.15B cycles on a high-replication subnet (~ 3.4 USD cents) and 10B cycles for the test key on a 13-node subnet.
This price is still rather high and prevents certain use cases to be realized on the Internet Computer. In this forum post we propose to reduce the cost for computing a threshold ECDSA signature substantially. The reduction is envisioned to implemented immediately, before protocol throughput improvements are rolled out.
The current price is based on benchmarks representing the current threshold ECDSA performance, with an optimization that increases throughput by ~2x being already anticipated in the price, but not yet implemented. The price to be cost covering in the applied pricing model (recovering the subnet cost) would be ~2x the current price, i.e., ~6.8 USD cents per signature.
@victorshoup has proposed multiple improvements to the implementation of the current threshold ECDSA protocol that are expected to result in a 10x improvement of the throughput of threshold ECDSA on the same subnet configuration (hardware, subnet size etc.). Two notable improvements are batch processing and parallelizing the crypto operations to multiple cores. These improvements are planned to be tackled by our engineering teams, with a timeframe of around 1/2 year to realize those 10x gains in throughput.
Considering the implementation of those improvements, we can expect the throughput of threshold ECDSA to increase by 10x in the next 1/2 year to 5 signatures / second, the baseline being the current throughput of 0.5 signatures / second.
DFINITY furthermore has ideas on how to dramatically improve throughput of threshold ECDSA using a completely new protocol architecture, requiring a complete reimplementation of the protocol. The expected throughput improvements using this are in the range of 20x–100x.
The protocols for this are not designed yet and the improvement factor is a rough estimate of where we could land. Performing the protocol research and implementing the resulting new protocols is not in the near-term scope of work of the Foundation. This is work to come in the 5-year planning horizon.
Considering these improvements, we can expect the throughput of threshold ECDSA to increase by 20x–100x in the next 5 years solely due to protocol improvements, the baseline being the current throughput of 0.5 signatures / second.
Over the time horizon of 5 years, a notable decrease of compute, storage, and connectivity cost can be expected. This will yield a constant factor that is hard to predict, but something in the range of 2x or more seems very reasonable to materialize in practice.
- CPU production costs reduce over time within a given semiconductor process, meaning lower cost for buying the chips for server manufacturers or node providers. Moving to more advanced nodes means initial large investments for setting up new fabs by the semiconductor companies, but with cost decreases over time, this has so far always resulted in price reduction of CPUs. Note that Moore’s law has been slowing down, but has in no way come to an end, and is not expected to in the next 6+ years.
- Flash has seen steep price decreases over recent years and further decreases are to be expected within the next 5 years.
- Global Internet bandwidth has been growing rapidly in the recent years, increasing competition and driving prices down. Thus, bandwidth prices for IP transit have been going down in almost all region and this is a trend expected to continue in the coming years, particularly in the now still expensive regions where the IC will receive new nodes.
For the considered 5-year timeframe, I expect at least 2 new generations of IC nodes to be defined. No one knows now how these generations will look like, but clearly the cost per MIPS and per TB of storage will be lower than today, so will be connectivity cost when hosting them in data centers. Improvements in cpu fabrication technology will also drive power consumption per operation down, resulting in lower direct power cost and additional reductions in indirect cost such as cooling.
In a successful IC ecosystem, which is the assumption we are working with, one can expect the node provider business to become more competitive so that the spectrum of price quotes for different node providers and regions will narrow and the average price paid for a node globally will move towards the lower end of this spectrum. Similarly, I would expect that the node provider rewards in relation to investment would reduce further from the still very generous earnings per year for a node in a successful Internet Computer ecosystem.
Taking all of those cost reductions for compute, storage, and bandwidth into account, as well as expected reduced node operating costs in terms of ICP payout, this would give a reasonable factor of reduction over the next 5 years in ICP paid out per node per month. A 2x–4x improvement sounds more than reasonable to assume here.
Further, more aggressive approaches to bring the node cost for nodes running threshold ECDSA down could be to use specially-tailored nodes for this purpose that save on NVMe and RAM cost, thereby reducing the node cost by a further solid constant factor. Nodes with FPGA-based accelerators for the required operations may further help drive performance up and cost down substantially. None of this is currently planned to be done for the reasons of resulting in a non-homogeneous node pool, but is mentioned here for completeness of how threshold ECSDA-related costs can be driven down further if necessary to make best possible use of this feature of the IC.
The current cycles pricing, even though it anticipates already a 2x improvement in throughput that is pending implementation, is too costly for different use cases related to integrating with low-gas-fee blockchains and also stablecoin use cases on the Internet Computer. Thus, the current price is an inhibitor to adoption of exciting projects that can help the ecosystem grow, while growth of adoption is what we are in clear need of.
To facilitate wider adoption of threshold ECDSA signing on the IC and help the IC at large, we propose to decrease the cycles price for a signature on the production subnet by a factor of 50, the benchmark price being the 26.15B cycles (~3.4 USD cents) per signature. The new price would thus be around 523M cycles or 0.068 USD cents per signature.
The current implementation will be improved to yield a throughput improvement of about 10x to around 5 signatures per second in the next 1/2 year. For the longer-term future, we can expect an up to 100x improvement in throughput with a completely different protocol architecture and a reimplementation of the protocol based on this novel architecture.
Considering the reductions in node costs and operating costs in a more competitive environment and resulting reduced paid out rewards per node as argued above together with the expected protocol improvements, we expect that the proposed reduction of 50x is well within where the IC will be in the fast-moving technology landscape given the above-discussed improvements.
The main motivation for this proposed price reduction is to get adoption of threshold ECDSA for new use cases for which it is not applicable given the current per-signature pricing.
This price reduction proposal is targeted at helping the IC ecosystem to grow further and to better leverage one of its strongest weapons — threshold ECDSA. The main risk associated with this proposal is DoS against the threshold ECDSA feature. However, the gains to be expected for the IC ecosystem may well outweigh the risks.
Let me know what you think about moving forward with this proposal.