Threshold ECDSA Signatures

Indeed, this is very much a pity and I want to apologize for the inconvenience, but here are two key reasons why we cannot release the GA version now:

  • We need to get performance to an acceptable level for 34-node or larger subnets. We can currently do 1.5 signatures/s on a 13-node subnet, and performance decreases faster than linearly with the replication factor. Thus, engineering has to solve some challenges here, which does take some time. The performance was impossible to assess upfront, therefore this is a new work item that we could not plan for in any way.
  • We need another security audit, which must be done on a final version of the code; if there are too many changes after it, it is meaningless.
  • We need to do further testing and review of the code ourselves in order to make sure things are as they should be.

If we released a production key now, it would make moving ahead with optimizations much harder or impossible in case the optimizations change certain aspects of the protocol. And we cannot start the security review before the code is stable after the optimizations, as otherwise the review would be rather worthless.

Regarding the security-related items, let me quote @mparikh’s comment from the Bitcoin thread:

In this game, “only the paranoid survive”.

How true; we must not take a risk here and release prematurely without the assurance steps we have in mind. Security must be a top priority for a cryptographic feature like this one.

And w.r.t. performance, we would like to at least get close to 1 signature per second on the large subnet, which would likely be good enough for a first GA release.

Hope this explains a little better why we must do some more work before releasing the feature for production.
