Verifiable subnet recovery with private state
1. Objective
The internet computer consists of subnets that should run in a robust manner. That is, up to < 1/3rd of the replicas of a subnet can be malicious or unavailable, and the subnet will still make progress. If more replicas are unavailable at one time, the subnet would stall, and canisters can no longer progress update messages. For such scenarios, the IC supports a subnet recovery operation: via NNS proposals, the governance system can instruct other replicas to take over the responsibility of the subnet immediately. This proposal is about ensuring such NNS proposals are verifiable without revealing the state of a subnet.
2. Background
The current state of subnet recovery is as follows:
- Foundation has read access to NNS subnet and its own nodes for all application subnets
- Read access to state on application subnets can be granted to SSH keys via NNS proposals (and removed afterwards), which enables reading the latest subnet state and blockchain artifacts
- If a subnet is stuck, the foundation can perform subnet recovery by
- obtaining the state + recent blockchain of subnet, which defines a last good state of the subnet
- Make a recovery NNS proposal including that state hash, which may also indicate which nodes should take over the responsibility of the subnet
- The voters currently cannot verify that this proposal is done correctly
- If we’d release the state + blockchain artifacts, the community could verify the proposal
- But then the state is made public, which is not desirable
3. Milestones
1: Subnet recovery is fully verifiable if the subnet state is public.
Some subnets may hold sensitive information, while others do not. One potential forward direction is to distinguish between these, and first make subnet recovery fully verifiable if the state can be public. This means that every voter can ensure that the state is the correct state and verify all aspects of the proposal.
2: Encrypted subnets can be recovered in a verifiable manner.
Once subnets run with trusted execution environment capabilities (find the relevant motion proposal here), this can significantly improve the confidentiality guarantees. For such subnets, subnet recovery should still be available, without affecting confidentiality. This requires significant protocol changes and extensions
- The NNS can create encryption keys for every subnet, which are securely held inside the trusted execution environment
- A subnet will produce blockchain artifacts that can be validated cryptographically while not revealing subnet state. That likely means that e.g. catch-up packages must sign encrypted state.
- From an encrypted state and blockchain artifacts, a verifiable subnet recovery can be performed. That means that the NNS can give the new subnet members the relevant decryption key, and they can recover from the state implied by the encrypted state and the blockchain artifacts.
4. Discussion leads
5. Skills and Expertise necessary to accomplish this
The first milestone is mainly an engineering effort. The second milestone is a much greater effort, and will require cryptographic protocol design and trusted execution environment expertise.
6. What are we asking the community
- Review comments, ask questions, give feedback
- Vote accept or reject on NNS Motion
- Participate in technical discussions as the motion moves forward