Let’s Grow the Internet Computer Network: Why and How, and General Updates
The time has come to start growing the Internet Computer’s network of nodes again. The process has been on pause while technical work has been performed that makes it easier for amateur node providers to acquire, install and operate, ICP node machines, which are standardized computing devices.
We are hoping new node providers will step forward to run additional node machines, as well as existing providers, especially in Europe and Asia. Furthermore, we are also hoping that node providers will help increase security by adding “declarations of good intent” to new node provider profiles hosted by the NNS (the “Network Nervous System” DAO that controls the Internet Computer blockchain’s network).
As per usual, the DFINITY Foundation intends to submit motion proposals to the NNS, to help coalesce community opinion, and more proposals to make the necessary technical changes when there is agreement.
Update: what’s driving demand for nodes
The Internet Computer network needs more node machines, and more node providers, for a variety of reasons. I will cover the primary drivers of this demand in some detail, which shall double as an general update:
1. Chain Key TX
Chain Key TX refers to new Internet Computer functionality, which enables hosted canister smart contracts to create signed transactions for execution on other blockchains.
The Internet Computer’s canister smart contracts are gaining new powers that will enable them to directly interact with other blockchains, including Bitcoin. The new “Chain Key TX” functionality enables hosted smart contracts to create accounts on other blockchains, such as a public key that represents an Ethereum Externally-owned Account (EOA), and then sign transactions using those accounts. This can be used both to perform simple cryptocurrency transactions on other blockchains, and invoke smart contract software they host. Smart contracts on the Internet Computer will be able to act as “meta glue” that ties several blockchains together, completely trustlessly.
The new Chain Key TX functionality has been developed by extending the unique chain key crypto network protocols that create the Internet Computer. As such, it relies only on advanced cryptography and protocol math, making the functionality a game-changer for the blockchain and web3 ecosystem.
Chain Key TX functionality makes blockchains interoperable, and removes the need for trusted “bridge” services, which wrap crypto assets on a source blockchain, so the wrapped version of the asset can be used on a destination blockchain. In the first 9 months of this year (2022), the value hacked from these bridges has grown to be measured in the billions of dollars. So far, they have mostly been recapitalized by those deeply invested in the blockchains involved, but if they continue the hacks will eventually cause systemic failures that ripple across the entire DeFi ecosystem, for example because wrapped assets widely used to borrow other assets, suddenly lose all their value.
DeFi developers will also be delighted by this new functionality, since it will enable them to create new things. For example, it would be possible to create a fully on-chain DEX on the Internet Computer that enables users to trade crypto assets from a range of independent blockchains, without the assets ever leaving their blockchains of origin. There are also many other ways to use the functionality.
In 2021, the Uniswap exchange on Ethereum delisted half of the tokens once available for trading from its website. The problem was that although the financial rails provided by the Uniswap smart contracts lived on-chain and were upgraded in a decentralized way by a DAO, Uniswap’s website ran in a centralized way on a cloud computing service, making it vulnerable to hacking and censorship, and making its developers liable for perceived regulatory infractions as owner-controllers, since they could modify the website at will, and their credit cards pay for its continued operation.
Chain Key TX functionality now provides a solution to such problems for the Ethereum DeFi community, which many are already experimenting with. They — or others — can now run a fully decentralized web front-ends on the Internet Computer, which can be completely controlled by DAOs. These front-ends, and the smart contracts that create them, can directly and trustlessly integrate with the relevant Ethereum smart contracts using Chain Key TX (see this demonstration of a Uniswap front-end being served by Internet Computer smart contracts, and a user initiating a transaction using their laptop’s fingerprint sensor via Internet Identity).
Those building primarily on the Internet Computer will also be able to leverage Chain Key TX to implement fantastic new features. For example, a web3 chat/messaging service running on the Internet Computer blockchain might provide user accounts that are also crypto wallets. These could host crypto assets that are native to other blockchains, where they remain, untouched by risky bridges which also are cumbersome to use (withdrawing from a bridge usually takes hours!). Its users can then be enabled to transfer crypto assets using simple chat messages. For example, one user might send another ten thousand satoshis with a “happy birthday” message, causing a real transaction on Bitcoin’s ledger to occur.
Smart contract developers will typically use Chain Key TX to execute transactions on other blockchains, then retrieve the result using “HTTPS outcalls” (another new feature that allows smart contracts to retrieve information from systems outside the Internet Computer environment, such as from Ethereum nodes, by making HTTP requests whose results are processed by network consensus — see this recent demonstration of a smart contract securely pulling in price feeds from Coinbase, without need for a trusted oracle service).
However, because the Bitcoin uses a UTXO model, this approach cannot be used. For this reason, Chain Key TX provides special APIs to simplify interacting with the Bitcoin network, which is supported by the network downloading and processing Bitcoin blocks, to maintain the current UTXO. This has made it super easy for canister smart contract code to receive and send bitcoin directly on the Bitcoin ledger, and has made it possible to create native Bitcoin DeFi services for the first time.
Technical tip: the Internet Computer network is comprised of subnet blockchains, which are combined into one seamless blockchain environment for hosting smart contracts, by its chain key crypto protocols. Subnets can also be used for special purposes such as hosting the NNS, or helping with functionality like Chain Key TX…
To provide the new Chain Key TX functionality, the Internet Computer network must add dedicated “Threshold E(d|C)DSA” subnet blockchains, which will take care of the secure creation and management of the cryptographic private key material involved. The chain key crypto protocols that power the Internet Computer network enable these subnets to securely initialize shares of private key material across their nodes, continually reshare the material so that nodes can join and leave subnets at any time, perform processes that defeat adaptive adversaries, backup key material to other subnets, and sign the transactions that will be executed by other blockchains in a secure and fault tolerant manner.
For a bunch of reasons related to cryptography, the new Threshold E(d|C)DSA subnets will have a higher replication factor (more nodes) than others. In addition, these subnets will utilize node machines built to the Generation 2 specification that have SEV-SNP virtual machine encryption hardware on board, such that if an adversary gains physical access to a node machine, all they shall find inside is encrypted bytes — although, crucially, this technology only provides additional protection, since hardware is fallible, and the security and liveness guarantees provided by subnets always depend upon protocol math and encryption.
The Internet Computer network needs new Generation 2 machines in its networks, and ideally new node providers, so that the NNS can form a sufficient number of Threshold E(d|C)DSA subnets to meet expected demand for Chain Key TX functionality.
2. SNS (Service Nervous System) DAOs
An “SNS” is a special kind of DAO created by the Internet Computer blockchain to control web3 services running on-chain, which allows such services to run autonomously like protocols.
For the first time in blockchain history, the Internet Computer makes it possible for developers to fully decentralize web3 services, such as mass market SocialFi and GameFi services, and run them in the mode of “protocols” by assigning full control to DAOs. This is because, firstly, the Internet Computer makes it possible to to eschew the use of centralized traditional IT, such as Big Tech’s cloud computing services, and build web3 services entirely from advanced smart contracts on the blockchain, since the new breed of smart contract the Internet Computer provides can economically process and store vast amounts of data, and can even process HTTP requests to service web experiences directly to users.
But there’s a second part to the decentralization puzzle that’s been solved. Smart contracts are only able to create, update and configure other smart contracts that are also hosted within the blockchain environment — and cannot, for example, exert control over centralized traditional IT, such as a database or web server running on a cloud computing service such as AWS (Amazon Web Services). This means that a DAO (decentralized autonomous organization), which is itself built using smart contracts, can never take full control over a web3 service whose architecture involves traditional IT. However, because web3 services can be built entirely using smart contracts using the Internet Computer, this means that — for the very first time in history — it is now possible to run a web3 service under the full control of a DAO, which will perform all configurations and updates, allowing the service to run in the mode of an autonomous protocol.
The DAOs that will now fully control web3 services will mediate the wishes of communities of thousands or even millions of holders of governance tokens, many of whom will be end-users. These autonomous digital democracies in cypherspace will provide a highly compelling alternative to traditional frameworks for human organization and economics provided by governments, such as corporations, partnerships, foundations, trusts and funds. Due to their innate and game-changing advantages, we believe DAOs will quickly become the organizational structure of choice for web3 projects.
Recognizing the overwhelming importance of DAOs to the crypto project, the DFINITY Foundation has developed a particular flavor of DAO called an SNS (or “Service Nervous System”), which has been designed for the demanding task of controlling a web3 service. This will supplement community-developed DAO frameworks. The design of SNS DAO framework derives learnings from the NNS (Network Nervous System) DAO that controls the Internet Computer network, which is arguably the most sophisticated DAO in existence today.
For those unfamiliar with the NNS: members of the Internet Computer community stake ICP governance tokens inside the NNS to create “voting neurons.” These are used to vote on whether submitted proposals are adopted or rejected. Neuron owners can vote manually, or entirely automatically, by configuring their neurons to follow neurons owned by people or organizations they trust, in a system of “ liquid democracy,” to earn voting rewards.
When the NNS adopts a proposal, it executes the proposal completely automatically. For example, when a proposal to upgrade the replica (“client”) software running on the network’s node machines is adopted, the network’s nodes are upgraded automatically — which is a more decentralized, less risky, and much more friction-free way to update a blockchain as compared with traditional blockchains need to upgrade their protocols using forks. Even though the NNS is completely permissionless, it has already successfully processed and executed many hundreds of proposals since mainnet launch 17 months ago (10 May 2021), rapidly evolving the network, while rejecting malicious and spam proposals.
The SNS framework will enable developers who have built a web3 service using smart contracts on the Internet Computer, and/or other blockchains combined via Chain Key TX functionality, to fully decentralize operations by assigning control to an DAO, so that their service can truly transition to running in the mode of a decentralized autonomous protocol.
Game-changing advantages can be realized by such web3 projects taking this step, including:
- Decentralized fundraising without ICOs. The SNS can raise money from the decentralized ecosystem by selling governance tokens, which its community can decide how to deploy, for example paying core developers or invested organizations as contractors.
- Running much more securely. Once a web3 service is assigned to an SNS, all updates must be adopted and applied by the SNS. No developer, organization, or hacker, can directly make those updates to insert malicious code, making it much safer for the web3 service to store and manage vast token wealth.
- Tokenization as a protocol. Once a web3 service is running as a protocol, advanced tokenization strategies can be implemented by contributing developers without exposing them to heightened regulatory risk — for example to create powerful user incentives. This contrasts to a web3 service running under the control of a group of developers or company, say, which makes them responsible for the token functionality.
- Viral growth through ownership. End users can be incentivized by distributing SNS governance tokens to them, making them “owners” of the web3 service. For example, tokens might be given to a user that refers other users and is helping to drive viral growth, or who participates in tasks such as content moderation. In the future, users will be both owners, and part of team that runs web3 services such as social networks.
- Programmable Web. A web3 service can advertise APIs it has made available to other web3 services as “permanent,” such that other projects can build upon them without the risk they will later be deplatformed — providing true “programmable web” functionality within the web3 ecosystem that enables collaboration via “service composition,” which will drive powerful network effects.
- Realizing web3. Once a web3 service is running as a protocol, it truly becomes part of the public internet, which is permissionless and open, becoming a worthy competitor to the monopolistic and proprietary centralized Web 2.0 services run by Big Tech.
The process involved in assigning a web3 service to an SNS is as follows:
- Submit proposal to decentralize. The developer of the web3 service must first submit a proposal to the NNS suggesting that full control over the service be assigned to an SNS. This proposal contains numerous configurations that will direct any following steps.
- The NNS decides to adopt the proposal. The NNS must adopt the proposal. The decision to proceed with assigning a web3 service to an SNS is always taken as an autonomous expression of the wishes of the decentralized Internet Computer community.
- The NNS bootstraps a new SNS. The NNS creates a new SNS. The NNS configures the SNS as the controller of the web3 service’s “root” smart contract. This places the SNS in control of the service, and make it autonomous.
- The governance token ledger is created. The SNS cannot adopt and reject proposals to update or configure the web3 service yet, because there are no governance tokens that allow community members to vote. Therefore, the SNS automatically creates a governance token ledger, which is functionally the same as the ICP governance token ledger. It typically creates a billion tokens.
- A decentralization sale is scheduled. The SNS cannot adopt and reject proposals to update or configure the web3 service yet, because its governance tokens are not held by community members. Therefore, the SNS automatically schedules a “decentralization sale” to distribute governance tokens to the community.
- The community is notified about the sale. The NNS displays the upcoming decentralization sale in its “launchpad” to notify ICP community members who might like to participate. It can also participate in the sale itself via its ICP “community fund” functionality.
- The decentralization sale runs. The SNS runs the decentralization sale, distributing governance tokens to large numbers of anonymous web3 community members around the world. In a reversal of ICO practices, the proceeds of the sale are not forwarded to the developers, and are instead held by the SNS itself, under the control of its decentralized community.
- Governance tokens are distributed. The participants in the decentralization sale all purchase the governance tokens at the same price, preventing them “flipping” tokens on each other. The governance tokens are distributed to them in the form of baskets of voting neurons, which have different lockups to create a form of vesting schedule.
- Handicapped “founder tokens” are distributed. The developers of the web3 service receive an allocation of the governance tokens in the form of “founder tokens,” which are also delivered as a basket of voting neurons. However, the voting power of these neurons is handicapped, to ensure that at all times, the developers do not hold a majority of voting power.
- The service distributes tokens to end-users. The algorithms of the web3 service, and the SNS directly, can now distribute governance tokens to end users to make them owners and part of team. The SNS can pay the developers, and any other entities contributing in some way, to perform work and services in the role of contractors (albeit there can be no legal contract, since the SNS is autonomous software running in extranational cypherspace, rather than a legal entity). Depending on how many governance tokens were held in reserve, the SNS can later run more decentralization sales to raise additional funding for the project as necessary.
- The service grows and prospers in cypherspace. The governance token ledger is compatible with the requirements of major crypto exchanges, making it possible for an exchange like Coinbase to list them (in addition to the multitude of DEXs that will appear on-chain). Thus, an entirely new economic arena will be created in which developers and entrepreneurs can participate. This will particularly assist those located outside Silicon Valley, where venture capital hard to access. The aim is to unlock the doors of opportunity for the vast army of technical and entrepreneurial talent distributed around the world, who increasingly will realize their dreams the Internet Computer.
Since the governance tokens of web3 services will sometimes accrue enormous value, it is essential they are hosted in the most secure way possible. When the NNS instantiates a new SNS, and it creates its governance token ledger, this will occur on a new type of “Fiduciary subnet,” which have a configuration roughly analogous to the subnet that currently hosts the NNS and ICP ledger. The replication factor of these subnets will be higher, requiring more nodes, and for regulatory reasons, we believe they should have less than one third of their nodes in the USA — demanding the network add extra nodes in Europe and Asia.
3. Canister smart contact tags: Fiduciary, storage…
Developers will be able to tag smart contracts they upload to the Internet Computer, for example to gain access to special fiduciary capabilities, or inexpensive persistent memory to they can store large amounts of media files. Such tagging will allow developers to select which tradeoffs are more important to them.
At the current time, when smart contract developers deploy to the Internet Computer, they are always installed upon “Application subnets.” However, in the foregoing, I mentioned both the forthcoming Threshold E(d|C)DSA subnets and Fiduciary subnets (note these types of subnets already exist within the Internet Computer network are supporting beta functionality that developers are using today). Threshold E(d|C)DSA subnets are system subnets designed for internal use by the Internet Computer network, which support Chain Key TX functionality. Fiduciary subnets are a general type of subnet that host smart contracts developers upload.
In the future, it will be possible to “tag” canister smart contract software when you upload it to the Internet Computer, to tell the blockchain what type of subnet blockchain you would like your smart contract to be hosted on. Subnets are invisible to smart contracts when they interact, but because different types of subnets have different hardware configurations, some things change. For example, smart contracts hosted by a type of subnet that increases the replication of computation, such as the Threshold E(d|C)DSA and Fiduciary types of subnet that use more nodes for security reasons, will consume more cycles when performing some computations.
Pro Tip for developers: Threshold E(d|C)DSA and Fiduciary subnets are designed to provide the highest possible level of security, and withstand even concerted collusion between node providers and physical raids on node machines in data centers by villains or hostile governments. Their purpose is to host cryptographic key material, both endogenous and exogenous, of the greatest value. To protect that value, only smart contracts tagged “Fiduciary” may use Chain Key TX functionality, or interact with SNS instances and ledgers of governance tokens. However, it will be possible to create Fiduciary smart contracts that accept function calls from Application smart contracts, making it possible to create proxies. Web3 services will typically adopt security capability architectures, allowing end-users interacting with smart contracts on inexpensive Application subnets to securely initiate Chain Key TX via proxies on Fiduciary subnets.
Subnets can also have less replication. For example, we hope to eventually add a “Storage” subnet type, which replicates data processing and storage across only four nodes. This will enable Storage smart contracts to leverage persistent memory pages very inexpensively, making it more economical to store a user photo and video libraries in smart contracts, or their newsfeed say, with the tradeoff being that contracts are hosted with much weaker security and liveness guarantees.
Pro Tip for developers: Due to the much weaker security and liveness guarantees that Storage subnets provide to hosted smart contracts, smart contracts tagged “Storage” will not be able to call into other smart contracts. However, this will not stop them playing the role of perfect data buckets.
Fiduciary and Storage subnets are part of a trend that will see different subnet types proliferate. Developers will tag their smart contracts to choose the optimal tradeoffs for the specific web3 services they are building. Eventually, some subnets types might use node machines packing special kinds of hardware, such as Tensor chips for AI.
But for now, the situation is relatively simple — we need to add more Generation 2 nodes to support the creation of new types of subnet.
4. Regulatory Concerns
The Internet Computer’s NNS governance system must adapt its network architecture to address multiple concerns, including the need to minimize regulatory risks.
Recently, there were concerns that the SEC had suggested the US government had primacy and dominion over transactions on the Ethereum network, because its nodes were clustered in the USA, with similar logic now applying to Ethereum staking power held by US entities. There are even rumors that there is work afoot in the US Treasury Department on transaction “mempool filter” that it will seek to force Ethereum nodes located in the USA to install. Such ideas, and such steps, could be immensely harmful to Ethereum, and any other decentralized network. The purpose of a public blockchain is essentially to extend the global internet, which draws strength from being an open and permissionless utility available to everyone everywhere. Smart contracts must execute in cypherspace, and not be rooted in a jurisdiction unless by choice. This is what makes them great for creating international financial rails, for example.
When the NNS constructs subnets, by default it draws node machines from independent node providers, which are situated in independent data centers, in different geographies, and different jurisdictions, using a system of “deterministic decentralization”, which I describe later in this post. The purpose is to create subnets with required security and liveness guarantees, but with the very minimum of replication of data processing and storage across different node machines, since this adds cost. Another purpose is to ensure smart contracts are hosted in cypherspace, rather than being rooted in a jurisdiction, and that they are therefore not vulnerable to regulatory shifts in specific jurisdictions.
Regarding these jurisdictional considerations, we argue we should aim to reduce to the proportion of nodes used by the Internet Computer that are located in the USA. This means we need more machines that are situated in Europe and Asia.
Pro Tip: We also think developers should be able to tag their smart contracts with geographies and jurisdictions. For example, a smart contract developer might tag their code “EU.” This would result in their smart contract running on a subnet whose nodes were all located inside the European Union if one were available (these would be “weak” tags). This might satisfy concerns about regulations like GDPR — although we do not believe GDPR applies to smart contracts. Alternatively, if a smart contract will only serve people located in Europe, a subnet composed only from EU nodes might provide greater performance. Another application would be tagging a smart contract to ensure its compute is not replicated on node machines situated inside the USA.
5. Explosive web3 growth
As the number of web3 services running from the Internet Computer blockchain continues to grow, the network must increase its capacity
The number of developers, web3 services, and users hosted by the Internet Computer blockchain continues to grow, such that at the time of writing, it currently processes almost half a billion transactions a day, when including the pre-finalized “query call” transactions involved with serving a web experience. This is vastly more transactions than any other blockchain processes today. The huge transaction volume directly results from the Internet Computer uniquely making it possible to construct web3 social media services entirely from smart contracts.
Today, there are already even mass market chat/messaging services running entirely from the Internet Computer, where they have been constructed from smart contracts. These serve the interactive web experience directly to end-users by processing HTTP requests, and process and store every individual text message, photo and video that end-users send on the blockchain using “update calls” (i.e. traditional transactions).
As time goes on, the number of transactions processed every day will continue to climb, first into the billions, then the tens of billions, and eventually into the trillions, and beyond. Luckily, the Internet Computer has a novel blockchain architecture made possible by chain key crypto, which enables to play this World Computer role. The intention is that one day the Internet Computer will drive a blockchain singularity, and host the majority of humanity’s online systems and services.
Under the hood, the Internet Computer adds capacity for hosting smart contract computation and data by forming new subnet blockchains, which it combines into one unified blockchain environment, using chain key crypto. Each subnet is hosted by dedicated nodes, which represent dedicated node machines, which together form a sovereign network.
To create new subnets, the NNS needs to have unassigned node machines available in the Internet Computer network. Existing and prospective node providers may now wish to make new node machines available, but it is important to understand how “deterministic decentralization” will drive NNS demand for node machines.
The NNS and deterministic decentralization
Deterministic decentralization is the process by which the Internet Computer’s governance system replicates computation and data across node machines, to achieve required levels of security, liveness and other properties, while incurring the minimum possible hardware cost.
The overall Internet Computer network is composed from individual subnet blockchains that each add additional capacity for hosting smart contract computation and data. The subnets are combined into a single blockchain environment using “chain key crypto,” which allows them to securely pass transactions and their results back and forth, without the need to access the blocks of peer subnets to verify they are running correctly and their messages are tamper free. The NNS governance system lives on its own subnet, and it transmits special verifiable transactions across the entire network to configure the subnets, for example by modifying the sets of nodes hosting them, or forming new subnets from unassigned nodes.
At any given moment, a subnet blockchain is hosted by a specific set of node machines that are dedicated to that task. These replicate all the subnet’s computation and persistent memory (data storage). When configuring the set of nodes that host a subnet, the NNS must do several things. On the one hand, it must form a subnet from a set of nodes that together provide the required levels of security, liveness, and other properties. On the other hand, it must seek to minimize the number of nodes involved in hosting a subnet to reduce expense. Each node is created by a dedicated node machine that is typically expensive to build or acquire. The more nodes involved in hosting a subnet, the more expensive the computation it hosts.
One might expect that the strength of the security and liveness guarantees provided by a subnet blockchain derives simply from the number of nodes that it combines. This misconception is understandable, since many Proof of Stake blockchains tout the number of “validator nodes” in their network as proof of the decentralization and security they provide. But there is actually a lot more involved in deriving measures of these properties than simply counting nodes.
Trivially, if a subnet employed a vast number of nodes, but those nodes belonged to a single node provider, then that node provider could simply switch them all off to kill the subnet, and could even chose to discard the subnet’s data. For this reason, a subnet’s nodes must come from multiple node providers, and they must be diverse enough that even collusion between malicious providers, which aims to stop or corrupt the subnet in some way, is overwhelmingly unlikely to succeed.
But diversity of node providers is also insufficient. Even if they are diverse, if too many of their nodes have been installed in the same data center, then some data center employee might switch the node machines off, or tamper with them to attack the subnet. The geography and jurisdiction of the data centers involved is also important. For example, if the data centers were diverse but clustered around a city, then a nuclear attack on the city might break the subnet, and, if the data centers hosting the nodes were too clustered in some jurisdiction, such as the European Union, say, then the subnet would be vulnerable to unpredictable action by a hostile state agency.
The “Nakamoto coefficient” is a popular industry measure of decentralization that counts the number of independent parties that must fail or collude to interrupt a blockchain. But the security and liveness guarantees provided by blockchains clearly depends on the decentralization of their nodes in a much more holistic way. For the purposes of building out the Internet Computer network then, when a proposal is submitted to the NNS to form a new subnet from unassigned nodes, the NNS must examine a hierarchy of decentralization concerns before adopting the proposal and forming the subnet.
All available information about the nodes must be considered, including the identities of the node providers, the data centers the nodes are installed inside, the geography of the data centers, and the jurisdictions that those geographies lie within. Subnets are thus formed from nodes so selected as to ensure decentralization deterministically (i.e. in a process of “deterministic decentralization”), which takes many factors into account.
By using deterministic decentralization to achieve security and liveness goals while minimizing hardware replication, it is planned that the Internet Computer will eventually host online systems and services with greater efficiency than traditional IT, and thus reduce the CO₂ emissions of all tech, not just blockchain, in the role of a World Computer.
While traditional blockchains utilize anonymous nodes and very high replication factors, such as Ethereum, which at the time of writing expensively replicates its computation and data across 430,000+ “validators,” their web3 developers can utilize the Internet Computer to offload data processing and storage, as well as serve their front-ends in a decentralized way. The Internet Computer blockchain therefore provides an invaluable addition to the web3 ecosystem.
For prospective and existing node providers, deterministic decentralization imposes some special constraints. Most traditional PoS blockchains allow anyone can spin up a “validator node” on a cloud computing service, which then automatically joins the network (third party services often make this as easy as a button click). By contrast, Internet Computer blockchain node providers must first build or purchase special standardized node machines, and then install them within a physical rack in a data center, which is more onerous, not least because the node machines are expensive. Meanwhile, only nodes that support deterministic decentralization can be inducted into the network.
The NNS shall provide a system of proposals to help the node provider community resolve: a) how many nodes that they can provide, given that minimally the NNS will wish to stripe their nodes across different subnets, and b) what nodes in different data centers, geographies and jurisdictions the NNS will wish to induct.
Stay in touch on the forums to get a sense of what is happening.
The new improved node provider framework
A new process has been developed for adding node machines to the Internet Computer network, which is much simplified over earlier processes, making it easier to participate.
In the rush to Internet Computer mainnet launch and genesis, May 2021, there were some bumps in the road. One of these was that somehow the process for installing new node machines, and becoming a node provider, became much more complicated than had been intended. An enormous amount of work has now been done to create a new process that matches what was originally planned in 2018. This will make it far easier for anyone to become a node provider, if they are willing to make the necessary investments in node hardware, and node installation and maintenance. The process involved in running will now be as follows (slightly simplified):
- Submit a proposal to the NNS to create a new “node provider profile.”
- Choose a data center for which a “data center profile” already exists inside the NNS, or submit a proposal to the NNS to create a new profile.
- Submit an NNS proposal to add a “node operator record” that links your node provider profile with the data center chosen, which specifies the number of node machines that the network will allow you to run from that location (the NNS will adopt and reject such proposals according to deterministic decentralization considerations I outlined above).
- Physically install your node machines in the chosen data center facility.
- Create an image for a USB thumb drive, which contains the installer for the current replica (“client”) software, and the node operator record that links the machine to your node provider profile.
- Boot your node machines using this USB image by inserting a thumb drive into suitable USB socket and switching the machine on. This will install the replica software, and once it is running, the node machine will use the node operator record supplied to automatically register itself with your node provider profile inside the NNS
More detailed information can be found on the Internet Computer wiki, which is constantly updated: https://wiki.internetcomputer.org/wiki/Node_Provider_Onboarding
Declarations of good intent
We will require node providers to declare good intent when creating their node provider profiles, which will add significant additional security to the network by leaning on the “larger games of life.”
Proof-of-Stake vs Proof-of-Useful-Work
Demanding that node providers stake ICP to add machines will not increase security to the levels required, but will add costs. We therefore stick with pure Proof-of-Useful-Work.
The Internet Computer might accurately be described as a “Proof-of-Useful-Work” network, since each node must continue to earn its membership within the network. This means that, among other things, each node must correctly participate in the production of blocks within their subnet, since the NNS will eject (or “slash”) faulty nodes that statistically deviate in the absence of mitigating data.
The network does not currently require node providers to stake ICP to join new nodes to the network. That is because, the cost of the node machine hardware, and the investment in time and effort involved with installing and maintaining node machines, act as a kind of financial stake, which ensures that node providers have skin in the game. This hardware “stake” is already significant, since Generation 2 node machines now cost around $20,000 USD. An advantage is that the value of a hardware stake is not volatile in the manner of the ICP cryptocurrency, increasing security.
The current scheme meets the demands of the “3 E’s of Sybil Resistance,” a blockchain rubric I devised in 2014: 1) The purchase of node machines, and the effort involved in installing them, creates “Entry Cost”, 2) the need to keep the node machines running in data centers, creates “Existence Cost”, and 3) node slashing creates an “Exit Penalty,” since a node provider cannot expect to quickly obtain a new node operator record to re-add an ejected node machine, and there will be inevitable losses involved in reselling the used hardware. That nodes can only be added to the network via the Network Nervous System governance DAO, provides additional Sybil resistance.
Nonetheless, we wish to increase the security of Fiduciary subnets, and those supporting Chain Key TX functionality. Those interested in blockchain architecture might wonder whether this could be done, by requiring node providers to also stake ICP. Before analyzing this thought, let us first note that staked capital has a cost, just like hardware, since it might be converted into a risk-free interest bearing bond, such as treasury bill, and that potential income has been lost. Therefore, if node providers were required to stake some amount of ICP in order to add a node machine to the network, ultimately, the network would be consuming more resources, and this cost would have to be borne by smart contracts, with the result more “cycles” would be consumed by smart contract computations and use of memory pages. That would be bad.
The question, then, is how much security might be gained by requiring staking on top of the provision of node machine hardware. The nuanced answer is “not a lot” for the following reason: on the many Proof-of-Stake blockchains we see today, which are often hosted by large numbers of “validator” software nodes running on cloud computing services, which numbers are used for marketing, it is in fact subsets of those nodes that control the blockchain at any given moment, and the value of their staked cryptocurrency is often dwarfed by the value of transactions they process.
For example, the Ethereum network contains a vast number of software nodes, more than 430,000 at the time of writing, each of which has been added to the network by a minimum stake of 32 ETH. However, the chain’s blocks are produced and witnessed by committees selected by its random beacon, and may be as small as 111 nodes. The total value backing nodes in these committees might be around $5,000,000 USD then, but they will sometimes process DeFi transactions worth billions. This reflects how cryptoeconomic assumptions can break in practice.
Nick Szabo wrote a wonderful piece that talks about small game fallacies. To quote: “A small-game fallacy occurs when game theorists, economists, or others trying to apply game-theoretic or microeconomic techniques to real-world problems, posit a simple, and thus cognizable, interaction, under a very limited and precise set of rules, whereas real-world analogous situations take place within longer-term and vastly more complicated games with many more players: ‘the games of life.’”.
Some of his points are relevant here. Firstly, the common wisdom that Proof-of-Stake blockchains can increase security in a linear way by requiring nodes stake more value, is overly simplistic, since the belief depends on numerous subtle assumptions that are unlikely to hold. Secondly, human behavior, such as being honest, also depends upon powerful “games of life,” rather than the microeconomics of Proof-of-Stake blockchains, and this is what we must leverage here. The games of life involve things that exist outside of the blockchain environment, such as the judicial system.
For the reasons discussed, stake may not be enough to dissuade malicious node providers from colluding to break a subnet for pecuniary advantage. However, if colluding node providers would likely lose all their ill-gotten gains, because they could successfully be sued for damages by other node providers, and other parties, then that would provide a tremendous incentive to behave honestly. If node providers engaging in nefarious behavior also faced jail, that would create an even greater incentive to behave honestly.
We wish to activate powerful “games of life” dynamics within the Internet Computer network, to incentivize honest behavior with great force, such that the subnets supporting Chain Key TX functionality, and SNS DAOs and their governance token ledgers, can safely host billions of dollars in collected value.
Declaring good intent, and an understanding of purpose
In pursuit of the foregoing, we shall ask node providers to add declarations to their NNS node provider profiles. In this, they will accept that they are liable for the financial damage and harm caused in the highly unlikely event that they maliciously collude with other node providers to subvert the functioning of the network. Node providers will also declare that they understand that deliberately subverting the protocol, by modifying code, colluding with other malicious node providers, or otherwise, constitutes the misuse of a computer system.
The declaration, in an otherwise unregulated space, will ensure that malicious node providers stand to lose far more than they might gain through collusion, and moreover, expose them to criminal law, such as the UK’s 1990 Computer Misuse Act. We believe the declaration will greatly increase security, to the benefit of all node providers, all developers and entrepreneurs building on the network, and every user of an online system or web3 service hosted by the network.
The declaration is not yet finalized, but will be something like: “I hereby guarantee to the world that I shall honestly operate the node machines I provide, and that should I behave dishonestly, for example by deliberately interfering with my node machine(s) to prevent them correctly processing ICP protocol messages, in collusion with others or alone, that I will be liable to users of the network, and to other node providers, for any damages caused. I further declare I am aware that any deliberate interference with a node machine, which causes it to incorrectly process ICP protocol messages, represents a misuse of that hardware, and of any hardware it interacts with, and that in some jurisdictions, that may constitute a crime.”
TL;DR we continue to innovate and improve the network along all key axes. The new node provider framework will make it easier to participate in hosting the network, making it easier for the community to scale-out the Internet Computer’s capacity to meet demand. Super thanks to everyone staying the course on this incredible journey to achieve blockchain singularity with a true World Computer.
More news and details soon.