Introducing Erdstall: Scaling Ethereum using Trusted Execution Environments

Perun Network
PolyCrypt
Dec 3, 2020

We describe a new scaling technology called Erdstall. It follows a recent research direction that explores building a Plasma system using a Trusted Execution Environment (TEE). Erdstall, which was one of the winning finalists of the EthGlobal Hackathon, is an implementation of this technology and is currently being developed by the Perun Team.

As discussed in earlier blog posts, blockchains ― and Ethereum in particular ― do not scale very well and suffer from the resulting increase of transaction fees and confirmation delays. Multiple solutions to this issue have been proposed. The most promising directions are so-called 2nd Layer solutions, which lift the transaction load off-chain. In these systems, users only send expensive on-chain transactions to join and leave the system and in case of disputes. All other actions, like transferring coins, tokens or even evaluating smart contracts, are processed without touching the blockchain at no or significantly reduced cost. A central building block of these systems is a smart contract, which holds the funds that are processed off-chain. This contract defines all rules on how users can withdraw the funds when leaving the system.

Among the 2nd Layer scaling solutions are so-called Plasma protocols. The key idea behind Plasma is that a central operator collects all transactions from users and processes them locally off-chain. However, the operator is not trusted, meaning he can wrongly alter the state, e.g., by stealing or freezing coins of users. To prevent these kinds of attacks, users verify whether the operator’s state transitions are valid. The operator submits a summary of all transactions to the Plasma contract, often in the form of a Merkle tree commitment. This summary has the size of a hash and is much smaller and thus cheaper than if all transactions were stored and processed on-chain. Using this summary, the correctness of the Plasma system can then be verified either by the contract using Zero-Knowledge proofs or by the users in complex challenge-response protocols. The advantage of Plasma over, e.g., channels, is that it does not require intermediary users to lock additional money as collateral. While honest users always have the guarantee that they get the collateral back, locking it still makes payment channel networks more expensive to use than systems like Plasma.

However, designing a secure Plasma system is non-trivial and many proposals never reached maturity. Among the challenges Plasma systems face are support for mass exits ― a high number of parallel disputes ― and ensuring data availability such that users have sufficient information about the Plasma system to dispute correctly. Instead of targeting these challenges, the Erdstall approach simplifies the Plasma construction by changing the setup of the Plasma operator. This simplification gives a higher level of security and allows us to build a more efficient Plasma construction because it eliminates some of the attack vectors of previous constructions.

Erdstall: Plasma with TEEs

The key idea is that the operators do not update the Plasma state by themselves but run a trusted system that processes user transactions. This trusted system is a secure enclave inside a so-called Trusted Execution Environment (TEE), e.g., Intel’s SGX which is included in most modern CPUs today. TEEs have the following interesting features that allow us to simplify the Plasma protocol:

  1. Secure execution of code. The device is hardened against outside influence, meaning the operators — and all systems that they control — cannot change the TEE’s computation result. This feature is essential since it guarantees that the TEE will update the Plasma state correctly.
  2. Private State. All computation and state in the TEE is kept hidden from the operator unless explicitly specified. That means the TEE can generate, store and sign with cryptographic keys that authenticate Plasma funds on-chain without the operator learning the key.
  3. Attestation. The third important property of TEEs is that users can verify that they are sending their coins to a Plasma system which is running inside a TEE. Additionally, they are ensured that the TEE is processing their transactions using a specific Plasma program, which will only do valid Plasma state updates. In particular, attestation guarantees that the operator cannot launch a man-in-the-middle attack and change user inputs.

Using these features, we can increase the performance of the Plasma system significantly. The operator only becomes an untrusted message broker while the TEE processes all transactions in the system. Note that using the TEE, we now have the guarantee that the Plasma state will always be updated correctly. This means we do not need an on-chain state summary, which significantly reduces the costs of the system.

However, the operator is still untrusted. This means he can still control which inputs get to the TEE and which state updates are forwarded to the users. To account for potential attacks of this kind, we still need to punish the operators should they start withholding information from the users. For this purpose, we require an on-chain challenge-response dispute process in case of data withholding.

Erdstall in more detail

The setup for Erdstall is similar to existing Plasma protocols. All funds that are handled by the system off-chain are locked in an on-chain smart contract. To join the system, users deposit their funds into this contract. The contract funds are unlocked using a cryptographic signing key controlled by the Erdstall program running inside the TEE. In regular intervals, users get signed updates — so-called balance proofs — which a user can use if he wants to leave the system.

The locked funds in the Erdstall smart contract can only be unlocked in two ways: either during a normal exit with a balance proof of the current epoch, signed by the TEE, or when the system gets frozen after the operator was caught cheating. In the latter case, users withdraw their funds using the balance proofs of the penultimate, that is, unchallenged, epoch. The operator cannot benefit from such behavior and is incentivized to never let this happen. Additional penalties can be built into the system to incentivize correct behavior even more.

Similar to all Plasma solutions, Erdstall proceeds in so-called epochs. Inside an epoch, we distinguish between three phases. First, the deposit phase, in which users fund the Plasma contract. Then follows the update phase (also called the transaction phase), in which users can send transactions to each other. And lastly, the exit phase, in which users can exit the system by sending their latest balance proof to the smart contract. After calling exit, users can unlock their balance in the Erdstall smart contract and withdraw these funds after the exit phase. Note that only the deposit and exit require expensive on-chain transactions, while all actions during the transaction phase are free of cost.

At the end of the transaction phase, a user gets an updated and signed statement of his state (the balance proof). If no such statement was received by the end of the phase, either the TEE stopped working, or the operator decided not to forward the statement to the user. Since users need this statement to get their funds back, they must request the balance proof by posting a challenge to the operator on the blockchain during the following exit phase. Now the operator must respond with the correct statement to each challenge or else the contract (and the Erdstall system) gets frozen. Should this happen, all users can retrieve the funds they possessed in the previous phase, and the operator can be punished. The punishment is used to provide an incentive for the operator to behave honestly and keep the system running.
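The withdrawal and challenge-response rules described above, as an added Python model (not Erdstall's contract or code from the Perun team). The class and method names are hypothetical, and an HMAC with a constructed key stands in for the enclave's signature so the example needs only the standard library; a real contract would verify a public-key signature on-chain.

```python
import hashlib
import hmac

TEE_KEY = b"constructed-demo-key"  # stand-in for the enclave's signing key


def sign_balance_proof(epoch: int, user: str, balance: int) -> bytes:
    """What the enclave does for each user at the end of a transaction phase."""
    msg = f"{epoch}|{user}|{balance}".encode()
    return hmac.new(TEE_KEY, msg, hashlib.sha256).digest()


class ErdstallContractModel:
    """Toy model of the on-chain rules (hypothetical, simplified timing)."""

    def __init__(self):
        self.frozen_epoch = None  # last unchallenged epoch, set on freeze
        self.challenges = {}      # (epoch, user) -> answered by operator?
        self.withdrawn = set()    # users already paid out

    def _valid(self, epoch, user, balance, sig):
        return hmac.compare_digest(sig, sign_balance_proof(epoch, user, balance))

    def challenge(self, epoch, user):
        """User received no balance proof for `epoch` and asks for it on-chain."""
        self.challenges[(epoch, user)] = False

    def respond(self, epoch, user, balance, sig):
        """Operator answers; only a TEE-signed proof for that user counts."""
        if (epoch, user) in self.challenges and self._valid(epoch, user, balance, sig):
            self.challenges[(epoch, user)] = True

    def end_exit_phase(self, epoch):
        """Freeze the system if any challenge for `epoch` is still open."""
        if any(e == epoch and not ok for (e, _), ok in self.challenges.items()):
            self.frozen_epoch = epoch - 1
        return self.frozen_epoch is not None

    def withdraw(self, current_epoch, epoch, user, balance, sig):
        """Return the payout: current-epoch proof normally, previous epoch if frozen."""
        allowed = current_epoch if self.frozen_epoch is None else self.frozen_epoch
        if epoch != allowed or user in self.withdrawn:
            return 0
        if not self._valid(epoch, user, balance, sig):
            return 0
        self.withdrawn.add(user)
        return balance
```

If the operator leaves a challenge for epoch 5 unanswered, `end_exit_phase(5)` freezes the model and `withdraw` then accepts only epoch-4 balance proofs, so a withheld proof never costs the user more than one epoch of updates.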

Most users that joined the system will not want to exit immediately but instead continue to use their funds off-chain. This means only the transaction phase is interesting for them and they do not need the deposit and exit phase. For better performance, epochs are pipelined such that all these phases are executed in parallel.

In the 2020 EthGlobal Hackathon, the Perun team showed a Proof-of-Concept implementation of Erdstall. The first benchmarks show that the system can support up to 2000 transactions per second, making it over a hundred times faster than the current Ethereum platform.

In summary, Erdstall simplifies the Plasma setup and minimizes interactions with the blockchain. This makes Erdstall more efficient and reduces the on-chain costs for running the system. We are now working on improving the Erdstall code and preparing a release on the Görli and Rinkeby testnets. While the current proposal only considers on-chain processing of transactions, we are also working on an extension of the system to allow EVM instructions, making off-chain evaluation of smart contracts possible. In the long term, we are investigating horizontal scaling options by spreading the task of maintaining the system to multiple operators that jointly update the Erdstall state. This will allow us to scale the system even further.

If you are interested in learning more about the Erdstall product and how it can be used to scale your business, visit our website (https://erdstall.dev/) and our GitHub repo or contact us directly by writing us an email at hi@erstall.dev.
