
One of the most critical security challenges in blockchain networks is protecting cryptographic keys. While hardware wallets provide a robust solution for individual users, securing validator keys in Ethereum’s consensus layer requires a different approach. Hardware Security Modules (HSMs) are commonly used in secure environments to protect private keys and execute cryptographic operations without exposing sensitive material.

However, there has been a notable absence of open-source HSMs supporting BLS signatures, the cryptographic scheme essential for Ethereum validators. Recognizing this gap, Decentralized Security initiated the development of an open-source BLS-HSM in 2021, supported by the Ethereum Foundation’s Eth2 staking community grants. Our goal is to offer an affordable, open-source firmware solution that allows anyone to protect their validator keys effectively.


Project Overview

The BLS-HSM project was initially funded in 2021 by the Ethereum Foundation’s staking community grant programme. In 2022, we received a new grant to continue its development and improve its capabilities.

Our goal is to provide open source firmware that can run on low-cost hardware, democratising validator security without hardware price being a barrier. Development is currently focused on the ARM Cortex-M33 architecture, using Nordic Semiconductor’s nRF9160DK and nRF5340DK development boards, along with its Thingy:91 and Thingy:53 prototyping platforms.

The software is based on Zephyr RTOS, which facilitates portability to other ARM Cortex-M33 compatible boards. For the implementation of BLS signatures, we use Supranational’s blst library.


Prototypes and Features

We have developed two primary prototypes:

  1. CLI-based prototype – A command-line interface to create BLS key pairs, sign, and verify messages over a serial port. This prototype serves as a foundational test for the cryptographic library.
  2. Remote signer – A fully functional Ethereum remote signer that protects validator keys using ARM TrustZone, implementing the Web3Signer ETH2 API over a serial port.

In addition to these ARM-based versions, we have developed equivalent non-ARM implementations that operate over a TCP socket instead of a serial port. This allows developers to contribute and test the project without requiring specific hardware.

To simplify testing, we provide precompiled binaries for the ARM versions, though we encourage users to build them from source. Detailed instructions are available in the GitHub repository.


Challenges and Limitations

Throughout development, we encountered several technical challenges:

  • Memory constraints: BLS signatures require significant memory, posing initial difficulties on ARM Cortex-M33.
  • Performance bottlenecks: Signing operations take approximately one second, requiring further optimizations.
  • SCRYPT incompatibility: Due to high memory demands, we cannot support SCRYPT-based keystore imports. Instead, we use PBKDF2, though it takes over a minute for key import.
  • Serial to Socket bridge: The remote signer operates over a serial port, requiring a bridge to work seamlessly with Ethereum consensus clients.
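
The SCRYPT limitation above can be checked on the host before a keystore is sent to the device. The following is an added example, not BLS-HSM project code: it computes the scrypt working set and verifies the password against a PBKDF2 keystore checksum without decrypting the key. It assumes EIP-2335 keystore JSON with that format's usual parameters (n=262144, r=8, p=1 for scrypt; c=262144 for PBKDF2); the function names and the sample keystore are constructed for illustration.

```python
import hashlib, hmac, json, unicodedata

def scrypt_bytes(n, r, p):
    # RFC 7914 working set: 128*r*n bytes for V plus 128*r*p bytes for B.
    return 128 * r * n + 128 * r * p

def normalize_password(pw):
    # EIP-2335: NFKD-normalise, then strip C0, DEL and C1 control codes.
    pw = unicodedata.normalize("NFKD", pw)
    return "".join(c for c in pw if not (ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F)).encode()

def checksum(dk, cipher_message):
    # EIP-2335 checksum: SHA-256 over the second half of the derived key and the ciphertext.
    return hashlib.sha256(dk[16:32] + cipher_message).hexdigest()

def preflight(keystore_json, password):
    """Return (ok, reason) without ever decrypting the validator key."""
    crypto = json.loads(keystore_json)["crypto"]
    kdf, params = crypto["kdf"]["function"], crypto["kdf"]["params"]
    if kdf == "scrypt":
        need = scrypt_bytes(params["n"], params["r"], params["p"])
        return False, f"scrypt keystore needs {need} bytes of RAM; cannot be imported"
    if kdf != "pbkdf2" or params.get("prf") != "hmac-sha256":
        return False, f"unsupported KDF {kdf}"
    dk = hashlib.pbkdf2_hmac("sha256", normalize_password(password),
                             bytes.fromhex(params["salt"]), params["c"], params["dklen"])
    want = crypto["checksum"]["message"].lower()
    if not hmac.compare_digest(checksum(dk, bytes.fromhex(crypto["cipher"]["message"])), want):
        return False, "checksum mismatch: wrong password or corrupted keystore"
    return True, "ok"

def sample_keystore(password, kdf):
    # Constructed sample: fixed salt and an all-zero "ciphertext", not a real encrypted key.
    salt, ct = bytes(range(32)), bytes(32)
    if kdf == "scrypt":
        params, mac = {"dklen": 32, "n": 262144, "r": 8, "p": 1, "salt": salt.hex()}, "00" * 32
    else:
        params = {"dklen": 32, "c": 262144, "prf": "hmac-sha256", "salt": salt.hex()}
        dk = hashlib.pbkdf2_hmac("sha256", normalize_password(password), salt, 262144, 32)
        mac = checksum(dk, ct)
    return json.dumps({"version": 4, "crypto": {
        "kdf": {"function": kdf, "params": params, "message": ""},
        "checksum": {"function": "sha256", "params": {}, "message": mac},
        "cipher": {"function": "aes-128-ctr", "params": {"iv": "00" * 16}, "message": ct.hex()}}})

if __name__ == "__main__":
    for kdf in ("scrypt", "pbkdf2"):
        print(kdf, preflight(sample_keystore("testpassword", kdf), "testpassword"))
```

Running the check on the host catches a mistyped password before the import that takes over a minute on the device.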

Ongoing Developments

We are actively working on multiple enhancements:

  • LTE-enabled remote signer: This feature will allow validator keys to remain with the user at all times. However, implementing TLS server sockets on our hardware presents a challenge.
  • TF-M (Trusted Firmware-M) support: Transitioning from Secure Partition Manager (SPM) to TF-M will facilitate portability to more devices and enable QEMU-based testing on standard PCs.
  • Slashing protection: Currently, the signer does not store slashing protection data persistently. We are researching secure storage solutions.
  • Full support for Thingy:91 and Thingy:53: Our goal is to make these the primary platforms for our project, including OTA updates via BLE.
  • New hardware support: We are exploring the OKdo E1 board, a cost-effective alternative with ARM Cortex-M33.
  • Secure keystore import: We are investigating using displays, touchscreens, and multi-channel input methods (e.g., keystore over LTE, password over Bluetooth) to enhance security.

Get Involved

BLS-HSM is an open source and evolving project. We invite the community to test it, report problems and contribute to its development. If you are interested, visit our GitHub repository and share your feedback.

Together, we can improve the security of validators on Ethereum and make cryptographic key protection more accessible to everyone.
