There is a persistent myth in algorithmic trading: You can have speed, or you can have security, but you cannot have both.

The conventional wisdom says that keeping your API keys on the same server as your trading bot is reckless, but necessary. “If I use a vault,” the argument goes, “I’ll add 200 milliseconds of latency to every trade. And in this market, latency is death.”

Here is the data that breaks the myth, and why local enclave signing changes the architecture.

The Source of the Myth: Network Round-Trips

The myth exists because, historically, it was true.

If you wanted to secure your API keys properly, you used a cloud service like AWS Key Management Service (KMS), or an institutional Multi-Party Computation (MPC) provider like Fireblocks.

The physics of signing a trade with AWS KMS:

1. Your bot decides to trade.
2. It sends an API request over the AWS backbone to the KMS service.
3. KMS receives the request, authenticates it, pulls the key, signs the payload, and sends the signature back.

The Physics: Even in the same AWS region (e.g., us-east-1), the network round-trip + API gateway processing adds meaningful latency. AWS publishes KMS API latencies in the tens-of-milliseconds range. MPC providers like Fireblocks add network hops outside your VPC entirely, pushing signing latency into the hundreds of milliseconds.

So the myth is grounded in reality: network-bound security is too slow for latency-sensitive trading.

The Paradigm Shift: Compute-Bound Security

The error in the myth is assuming that the vault has to live across a network.

With Hardware Enclaves (like AWS Nitro Enclaves), the architecture changes. An enclave is an isolated, cryptographically secure environment on the same physical CPU where your bot is running.

There is no network hop. There is no API gateway.

Communication happens over a virtual socket via the hypervisor.

The Benchmark Data

We ran 10,000 continuous EdDSA signing operations using an AWS c6i.metal instance. Here are the measured results from ZeroCopy’s Rust implementation:

AWS KMS and Fireblocks latencies are representative of publicly known characteristics of those systems, not ZeroCopy benchmarks. ZeroCopy’s 42µs P50 and ~50µs P99 are from our own measurements on c6i.metal.

(Note: 1 millisecond = 1,000 microseconds. AWS KMS at ~25ms = ~25,000µs.)

The Exchange Processing Paradox

“But plain text is still 40µs faster than ZeroCopy,” you might say.

True. But here is the critical context: Binance’s matching engine takes between 2,000µs and 10,000µs to process an API request.

If your signing takes 42µs, you are signing the transaction 50x to 250x faster than the exchange can even accept it.

The bottleneck is not the signature. The bottleneck is the fiber optic cable between your server and the exchange, and the exchange’s internal queue.

By using a local hardware enclave, you eliminate the theft risk associated with plain text keys, and you add ~40µs of latency that is entirely invisible to the final execution time.

You can have both. It’s a matter of moving the vault from the network to the CPU.