Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Committee rotation, key refresh, successor chain

audience: ai

The signer-δ committee does not stay fixed. Key material rotates on a declared cadence; committee membership changes as providers register, retire, or degrade; consumers follow the rotation through the organism’s retirement chain without re-publishing their own CoalitionConfig. This chapter walks all four loops: proactive key refresh, committee-membership rotation, retirement markers, and multi-operator fleets.

Part II’s four worked examples end here. Every mosaik surface the book’s thesis names has been exercised across searcher-α, bridge-β, oracle-γ, and signer-δ.

Proactive key refresh

The committee’s DKG aggregate public key is pinned into Config.committee_pk_digest. A rotation produces a new DKG-generated key; every committee member resharing its long-term key share to the new dealing produces a new committee_pk_digest and a new organism id.

The refresh shape:

  window 0: committee runs DKG round 0
    │   publishes Config_v0 with committee_pk_digest = PK_0
    │   signer-δ.v0 stable_id = S_0
    │
  window 1: committee runs DKG round 1 alongside round 0
    │   both active; outcomes from either verify
    │   against their respective published pk
    │   publishes Config_v1 with committee_pk_digest = PK_1
    │   signer-δ.v1 stable_id = S_1
    │   retirement marker on v0:
    │     reason = Rotation
    │     replacement = OrganismRef { stable_id: S_1, content_hash: v1_hash }
    │
  window 2: v0 goes read-only for grace period
    │   new requests go to v1 only
    │
  window 3: v0 decommissioned; v1 continues

Consumers that pinned v0’s stable id and content hash follow the retirement marker’s replacement pointer to rebind. Consumers that pinned only the stable id continue against v1 without any consumer-side change — the committee published new keys, the retirement chain records it, the consumer’s TicketValidator re-composes on next read.

Why not lazy key refresh

Leaving the key in place until compromise is detected is the other design choice. This organism does not take it: proactive refresh is a precondition for the TdxPlusReproducibleBuild level (every refresh produces a fresh DKG log that a third party can audit against the reproducible source) and it bounds the damage window from a hypothetical share extraction. Real deployments typically refresh on a 7- to 30-day cadence; the cadence itself is published in Config.content (not modelled in this example crate, but a clean extension).

Committee-membership rotation

Committee membership is a separate rotation axis from key refresh. A provider whose capacity or attestation level changes — hardware refresh, attestation-service endpoint change, TDX firmware patch — republishes its ProviderCard. A provider retiring emits its own retirement marker and drops out of the next DKG round’s dealing set.

use coalition::{ComponentRef, RetirementMarker, RetirementInstant};

// Provider-side retirement commit.
let marker = RetirementMarker::rotation(
    RetirementInstant::AtTimestamp(now_unix_ms()),
    successor_provider_ref,
);

The signer-δ operator scans provider retirement markers at each rotation window and includes the successor provider in the next committee. Consumers that cared about a specific provider unpin its provider id from their audit set; consumers that filtered by attestation level never noticed the swap.

Variable attestation mix across rotations

The variance is the point. A rotation may raise or lower the committee’s attestation mix:

  • Raising. A signer-δ operator hardening posture moves the committee toward more TdxRaTlsBidirectional and TdxPlusReproducibleBuild members. Consumers whose floor is at or below the new mix see their admission broaden (more outcomes meet their floor).
  • Lowering. A signer-δ operator under cost pressure rotates in TdxLocal or Software members. Consumers whose floor is at or above the new mix see their admission narrow; the outcomes whose aggregate_attestation_level falls below the floor are simply not admitted.

The consumer’s TicketValidator handles both cases without any consumer-side code change. The floor is the floor.

Retirement markers

The substrate’s retirement primitive handles every shutdown path. Four shapes relevant to signer-δ:

// Planned rotation with successor.
RetirementMarker::rotation(
    RetirementInstant::AtTimestamp(effective_at),
    successor_organism_ref,
);

// Permanent retirement without successor.
RetirementMarker::retired(
    RetirementInstant::AtTimestamp(effective_at),
);

// Operator exit — non-compulsion anchor.
RetirementMarker::operator_exit(
    RetirementInstant::AtTimestamp(effective_at),
);

// Emergency (share extraction, TDX zero-day, etc.).
// Same shape; `reason = Emergency`. Pair with an
// out-of-band security advisory.

Consumers observe retirement markers on the signer’s public outcome collection. A retirement marker is the last commit on the stream; after it, no new outcomes are admitted. Consumers whose bond to the organism outlives the marker see ConnectTimeout on next subscribe.

Multi-operator fleets

The signer’s trust model admits independent operators running the same image with the same declared Measurements. Two operators running identical deployments land identical committee_pk_digest under identical DKG seeds (and distinct organism_ids because the instance names differ).

Fleet shape:

pub const SIGNER_DELTA_OP1: CoalitionConfig<'static> = /* signer-δ-op1 */;
pub const SIGNER_DELTA_OP2: CoalitionConfig<'static> = /* signer-δ-op2 */;
pub const SIGNER_DELTA_OP3: CoalitionConfig<'static> = /* signer-δ-op3 */;

// Consumer subscribes to all three; applies
// consumer-side aggregation (first to respond,
// majority-matching, etc.).

A consumer wanting redundancy submits to the fleet; the first respondent’s signature is taken as authoritative, and a consumer sufficiently paranoid to cross-check runs all three and requires byte-identical signature bytes (works for non-interactive schemes; interactive schemes produce different-but-valid signatures across operators’ DKG rounds).

This is the answer to operator failure, collusion resistance (modulo the shared image), and geographic diversity. The substrate’s non- compulsion property holds: operators join or leave the fleet voluntarily, and no instance compels any other.

Chronicle for the rotation log

For operators who want a tamper-evident record of every rotation and retirement, signer-δ may optionally ship the Chronicle basic service from chapter 7 onward. The Chronicle records every coalition-level event — committee rotation, retirement marker, key refresh, ACL bump — without recording every signature (the outcome collection is already a public audit of those).

Operator exit

At any time, the signer-δ operator can emit an OperatorExit retirement marker and stop running the binary. Consumers observing the marker fail over to another operator in the fleet; consumers without a fleet see the signatures stop. Nothing in the substrate keeps the operator running.

The trust model is strong because the operator can leave: the attestation floor is an admission criterion on the consumer side, the operator’s exit is the substrate’s non-compulsion anchor, and the two together mean a consumer never depends on a single operator being both honest and forced to stay online.

What Part II ends with

Across four parallel examples:

  • searcher-α (web3) — an AI searcher binds to a block-building lattice and a Compute market, submits sealed bundles, and grows a reputation surface around itself.
  • bridge-β (web2) — a compute-bridge operator wraps four cloud backends behind one TDX- attested provider identity and competes on the coordination-market rate.
  • oracle-γ — a standalone organism publishes one Stream<PriceTick> per token pair with the whole trust model anchored on a declared TDX Measurements set.
  • signer-δ — a generic threshold-signature organism hosts a market of providers at varying attestation levels; consumers gate admission on aggregate attestation.

The four examples together walk consumer, provider, publisher, and committee-organism roles — every primitive rung the book’s thesis names.

Cross-references