Tendermint validator implementation that uses a CodeSafe machine on an nShield.
Duncan Jones
Latest commit 903559f Feb 5, 2018

Thales Tendermint HSM Validator

Validators are a core component of a blockchain and are responsible for validating new transactions and agreeing on a canonical order for the next block. This process is known as consensus.

Tendermint is a popular consensus engine used by many open source projects. In conjunction with Tendermint developers, Thales eSecurity has introduced the ability to protect validator signing keys and consensus logic using a hardware security module (HSM). This project contains the Go parts of the HSM validator implementation, which communicate with the software running inside the Thales nShield HSM.

Thales HSM

Why protect validators with HSMs?

Large, public blockchains, such as Bitcoin or Ethereum, enjoy robust security properties due to their sheer scale. Compromising one of these networks requires control of over 50% of the mining power on the planet, which is not a realistic option for attackers.

By contrast, smaller permissioned chains must rely on traditional means of security to prevent bad actors from subverting the ledger contents. When you have only 5 or 10 nodes, subverting the necessary 1/3 of participants becomes a realistic prospect if signing keys and consensus logic are insufficiently protected.

Thales HSM PrivValidator

At Thales eSecurity we have helped design the Tendermint PrivValidator interface (link), which we implement in this GitHub project. A PrivValidator implementation is responsible for protecting a private key and deciding whether to sign votes, proposals and heartbeats (see this page for an overview of the consensus protocol).

Our implementation protects the private key within our HSM security model and ensures that votes and proposals cannot be double-signed (by preventing height regressions).

The complete implementation includes the Go code presented in this project, plus an accompanying CodeSafe machine that runs within the nShield HSM. The CodeSafe machine ensures the private keys are only used if the consensus is executed correctly.
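The following Go sketch is an added illustration of the height-regression check described above, not code from this project: a signer that records the last (height, round, step) it signed and refuses any request that does not strictly advance it. The type, the step numbering and the use of a software Ed25519 key are assumptions; in the HSM design the key and this state live inside the CodeSafe machine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Steps within one consensus round, in signing order (numbering assumed here).
const StepPropose, StepPrevote, StepPrecommit = 1, 2, 3

var ErrRegression = errors.New("refusing to sign: height/round/step does not advance (possible double-sign)")

// HRSValidator pairs a signing key with the last (height, round, step) it signed.
// In the HSM design both the key and this state live inside the CodeSafe machine.
type HRSValidator struct {
	priv       ed25519.PrivateKey
	lastHeight int64
	lastRound  int
	lastStep   int
}

// NewHRSValidator generates a fresh key. Tendermint heights start at 1, so the
// zero-valued last position accepts the first genuine request.
func NewHRSValidator() (*HRSValidator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HRSValidator{priv: priv}, nil
}

// SignAt signs msg only if (height, round, step) strictly follows the last signed
// position; a replayed or regressed request is rejected before the key is touched.
func (v *HRSValidator) SignAt(height int64, round, step int, msg []byte) ([]byte, error) {
	if !advances(v.lastHeight, v.lastRound, v.lastStep, height, round, step) {
		return nil, ErrRegression
	}
	v.lastHeight, v.lastRound, v.lastStep = height, round, step
	return ed25519.Sign(v.priv, msg), nil
}

// advances is a lexicographic "strictly greater" on (height, round, step).
func advances(lh int64, lr, ls int, h int64, r, s int) bool {
	if h != lh {
		return h > lh
	}
	return r > lr || (r == lr && s > ls)
}
```

A second signature at an already-signed position, or at any earlier height, fails with ErrRegression before the key is used, which is the property that prevents double-signing.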

To learn more

If you would like to learn more about this project, please contact us via our website:
