Aggregated Attestations: A Heads Up for Bakers

NomadicLabs · May 15, 2025, 4:05pm

TL;DR: Aggregating attestations can improve Tezos’ L1 performance and security. Achieving this requires adoption of a new signature scheme for consensus operations.

We’re excited to share a sneak peek into an initiative for making Tezos’ L1 lighter, more secure, and ready for further optimizations.

In the upcoming S protocol proposal we plan to include changes to how the Tenderbake consensus algorithm handles consensus committees and attestations.

The purpose is to

Reduce the network’s bandwidth and storage demand
Strengthen Tezos L1’s security
Simplify rewards calculation
Pave the way for future optimizations, including faster block times

For this to happen, bakers must adopt a new signature scheme for consensus operations. In this post we explain the changes, what they mean for bakers, and how we intend to make it a smooth transition for all.

Aggregating attestations

The S proposal will introduce aggregated attestations, enabled by the BLS cryptographic scheme (the one behind tz4 addresses).

Aggregated attestations enable significant efficiency gains by allowing individual attestations in a block to be summarized into a single operation, instead of having one operation per attesting baker.

A clear gain is that it cuts bandwidth and storage needs dramatically – up to 63x less, from 900 MB/day to 14 MB/day.

If enough bakers adopt the BLS signature scheme by migrating to tz4 addresses, it also allows for each block to be attested by all bakers. Right now, only a subset of bakers (180–200 out of ~300) attest to each block due to bandwidth and disk footprint considerations. A single, aggregated attestation operation removes the need for this limitation.

Having all bakers attest each block has several benefits:

More attestations per block make L1 more secure.
Rewards calculation is simplified, as attestations exactly match staking power.
The need to calculate attesting rights at each block is removed, boosting network performance.

A step-wise transition

To support this evolution, bakers are encouraged to adopt tz4 for their consensus operations.

Protocol S initiates a smooth transition phase to accommodate this change. During this period, blocks will carry both individual attestations (from bakers using tz1, tz2, or tz3 addresses) and a single aggregated attestation (from those using tz4).

As tz4 adoption grows, we will eventually be able to move to a more streamlined model with just one aggregated attestation per block – unlocking greater scalability and performance across the network.

What it means for bakers

There are a few things bakers should be aware of for this transition.

Consensus keys: Bakers using separate consensus keys can keep their existing manager key, and simply generate a tz4 key for consensus.

DAL companion key: When using a tz4 consensus key for signing blocks and (pre)attestations, you’ll also need a second tz4 key to participate in the DAL. Due to differences in how consensus data and DAL data are handled, the same key can’t be used to aggregate both consensus attestations and DAL attestations in a block. The DAL companion key is generated similarly to a consensus key and integrated seamlessly into the baking process.

Hardware signers: Signing and verifying with tz4 addresses (using the BLS12-381 curve) is more computationally intensive, and is currently not supported by Ledger hardware devices. Signing times for tz4 addresses on these devices are 5–10x longer compared to other addresses, which is prohibitively slow. We’re working on solutions like leveraging OCaml 5 parallel processing and exploring faster signing hardware.

More info coming

In upcoming posts, we will share more details into how aggregated attestations work, and how we intend to address challenges like the increased computational load of BLS12-381.

In the meantime, we are happy to hear from community members who may have questions or concerns about the changes.

Let’s aggregate!

RichAyotte · May 16, 2025, 11:08am

Would the Xilinx Spartan-7 be fast enough to sign using BLS12-381?

RichAyotte · May 16, 2025, 1:25pm

The Ledger Nano X does support the BLS12-381 curve.

WalletSniper · May 16, 2025, 6:00pm

When I think about aggregated attestations, I see how they simplify the staking process by combining multiple attestations into one operation. This reduces blockchain congestion, lowers fees, and speeds up validation. For me as a baker, it’s a vital update that optimizes staking performance in blockchain networks.

iiAku · May 16, 2025, 8:53pm

I wonder if running such lib on a rpi or any embeded system could be a signing hardware option ?

murbard · May 17, 2025, 7:09am

There’s a prototype rpi signer that’s pretty neat, I would happily gift one to every OG baker using a nano, but it needs a bit of work. @germanD can you post a pic?

LiberteZ · May 17, 2025, 7:50pm

@germanD Say something.

VincentPoulain · May 17, 2025, 7:52pm

Ok! From the inside, and from the outside too
We’ll be presenting this in more detail very soon. Stay tuned!

RichAyotte · May 17, 2025, 10:07pm

How fast can it sign?

murbard · May 18, 2025, 9:14am

More than needed for block production, it has quad core 1Ghz ARM processor so it should be capable of hundreds of sigs / sec without too much of a sweat or optimization.

iiAku · May 18, 2025, 7:47pm

I might not know exactly what are the security concerns about hsm/signing hardware. If we assume a rpi could be the signer piece for a baker in lieu and place of a ledger. At the end of the day it’s seems to be a computational hardware system running some signing software/program. I wonder how it would be possible and feasible to have the signer itself running alongside other baking components (node/DAL etc) ? Are there any security concerns or anything that would prevent doing that or anything else I don’t know that require to run the signing part on an external hardware ?

ACoquereau · May 19, 2025, 7:10am

From our experiments, signing with BLS on a Ledger Nano X is possible but take too long (more than 1 second) regarding our baker needs to send consensus operation within our current block time and future one. Using Ledger Nano X to sign BLS consensus operations might lead to attestation miss.

Val · May 19, 2025, 1:22pm

Looks familiar.

Val · May 19, 2025, 6:12pm

If you are interested in real-world performance, here is an example of tz1 signing on Ghostnet from March 24, using the Octez signer in a setup similar to the one @VincentPoulain described.

Note: This setup was not optimized; it was intended as an exploratory test by Tez Capital to determine what could be achieved and how.

RichAyotte · May 19, 2025, 10:22pm

Perhaps for the ambitious, here’s a nice device with an FPGA that could be programmed for fast BLS12-381.

Nikolay-everstake · May 20, 2025, 8:09am

Hello. We use Signatory and Google KMS, which do not support the BLS12-381 curve. AWS KMS and Yubihsm2 also do not support it.

v32 · May 20, 2025, 8:34am

introducing enterprise bakers to the “guy with a glock” security model is going to be interesting

chrispinnock · May 24, 2025, 7:29am

I am looking at a solution that uses an HSM (could also use a KMS) to store a master secret and then secure compute solutions (e.g. Nitro enclaves) to deterministically generate the key and hold it securely. AWS has a lot of blog articles and resources on BLS signing using a similar architecture.

Zir0h · May 24, 2025, 7:50am

Does that mean that signatory already supports BLS in some way?

VincentPoulain · May 25, 2025, 5:23am

This is a work in progress. It is not finalized yet, but indeed, Signatory plans to support BLS signing.