Fortanix “Ignite
One-Time Signer”

Secure your Ignite nodes with secure, non-slashing signer plugin with Fortanix

Download Solution Brief

hero image


As the world leader in the deployment of Trusted Execution Environments, Fortanix provides operators of Ignite (formerly Tendermint) validator nodes a mechanism to prevent double-signing of Ignite proposals and votes. The main component of the solution is a Fortanix DSM plugin which validates that the proposals and votes are well formed, tracks the state of the protocol, and ensures that double-signing is prevented. The solution forms part of the Fortanix Secure Web3 Infrastructure suite of tools and is provided as a managed

In this briefing document, we outline the motivations behind our design choices and highlight how our design choices improve the security of Proof-of-Stake blockchains such as Ignite.

In Proof-of-Stake (POS) blockchains such as Ignite, validator nodes do not expend resources to “mine” the next block. Rather, they validate and sign proposals and votes. Since no resources are expended in signing, validators are incentivised to double-sign or equivocate. This creates forks in the blockchain. To avoid forks, it is important to ensure that validators maintain high integrity signers which track the state of the consensus protocol and only sign proposals and votes while ensuring that proposals and votes are not getting double-signed.

Nothing at Stake

In Proof-of-Work blockchains, if a miner misbehaves, for example, by trying to fork the blockchain, it ends up hurting itself. Mining on top of an incorrect block is a waste of effort. This is not true in Proof-of-Stake blockchains. If there is a fork in the blockchain, a validator node is in fact incentivized to support both the main chain and the fork. This is because there is always some small probability that the forked chain turns out to be the main chain in the long term. This is known as the “Nothing at Stake” problem, where deviation from the prescribed protocol is incentivized.

One mechanism to solve this problem is for the validator to use a signer that tracks the state of the protocol and ensures that double-signing is prevented. Developing such a signer is quite challenging. It needs to ensure that the code used to validate proposals and votes and to ensure double sign prevention is executed with high integrity. Also, the signer needs to be always online, and should operate in cluster mode to be able to recover from failures.


Figure 1: A quorum protected Fortanix DSM Plugin which includes logic for validating Ignite proposals and votes and is a critical component of the Fortanix Ignite One Time Signer solution.


The main benefit of the Fortanix One Time Signer solution is that it ensures that Ignite validators do not deviate from the prescribed protocol and indulge in selfish behaviour which could lead to forks in the blockchain. Moving forward, Fortanix intends to support One Time Signers for other Proof-of-Stake protocols such as Ethereum 2.0, Solana, Cardano, etc.

Ready to test Fortanix Runtime Encryption?

request a demo