Reevaluating Neuron Control Restrictions

Authors: B² = @bjoern @bjoernek

TL;DR

The Internet Computer Protocol prevents canisters from directly controlling neurons, a measure intended to block neuron sales and ensure long-term thinking in voting behavior. However, these restrictions can be circumvented by a canister using threshold ECDSA (tECDSA) and HTTP outcalls.

This situation calls for a reassessment of these restrictions, potentially unlocking new use cases. In the event of relaxing these restrictions, enhancing the long-term binding between neuron controllers and neurons becomes crucial as this is beneficial for the voting behavior and security of the Internet Computer.

A recommended solution is to strengthen the bond between neuron controllers and neurons via Proof-of-Knowledge (PoK) of the cryptographic key through which the neuron is controlled. Users could be incentivized to participate in such a scheme by adjustments to the neuron’s voting power, and hence also voting rewards, with the aim to prevent the formation of a deep neuron market.

We warmly invite the community to share their feedback on the proposed approach.

Background

Restrictions on Neuron Control
In the ICP network, neurons represent decision-making entities that participate in governance by voting on proposals. To ensure long-term thinking in voting behavior, control over neurons is restricted: Currently only so-called self-authenticating principals can be set as the controller of a neuron, see code here. A self-authenticating principal is an entity that utilizes its own cryptographic key pair (consisting of a private and a public key) to authenticate itself. For example, a user relying on Internet Identity, Quill or a Ledger hardware wallet is of this kind. Canisters, which do not possess self-authenticating principals, are therefore excluded from directly controlling neurons.

Reason for the Restrictions on Neuron Control
The restriction is based on the requirement that neurons should not be sold - when canisters can control neurons directly, one can sell a neuron by selling the canister that controls it. It is considered important for neurons to be non-transferable/no-sellable because

• neurons should have an incentive to vote in the long-term interest of the Internet Computer and
• to avoid the possibility of attacks where an attacker acquires tokens only for a short amount of time, votes on a malicious proposal (e.g. transfer tokens) and then sells the neurons again. Similar types of attacks have been executed on DAOs in the past (example).

Circumventing Restrictions on Neuron Control
Despite these safeguards, there are a few ways to bypass the restrictions on neuron control:

• Threshold ECDSA (tECDSA): As canisters are able to control tECDSA keys, which are a feature of the Internet Computer Protocol, they can also sign ingress messages to the Internet Computer and thereby act as the controller of a neuron (making calls via HTTP to appear as ingress).
• Canister signatures: A canister can control a neuron through canister signatures, again making calls via HTTP to appear as ingress.

Furthermore, it is also possible to control a neuron via an Internet Identity (II) and sell the II.

Please note that the current abilities to circumvent neuron ownership & sell restrictions are not considered an immediate risk to the Internet Computer yet. A significant fraction of the total voting power of existing NNS neurons (including Seed & ECT neurons) is not controlled by canisters/II. Hence, a material part of the voting power of existing neurons cannot end up on the neuron market. Moreover, the transferability of II-controlled neurons poses a smaller concern, typically affecting only smaller neurons.

Revisiting Neuron Control Restrictions

Given that the restriction for canisters to not control neurons can be circumvented relatively easily, it should be considered to drop that restriction. This was suggested by several community members already. Lifting that restriction would bring the following benefits

• Facilitate NNS neurons that are SNS controlled: SNSs already chose to do this (e.g. OpenChat) or plan to do it (e.g. GoldDAO), providing them a continuous income to cover cycles fees and involving SNSs in NNS governance. Allowing this behavior more directly would simplify the current more complicated workflow via tECDSA.
• Consistency with SNS: As opposed to the NNS, the SNS framework does not apply restrictions on neuron controllers.
• Facilitate organizational neuron ownership: An organization could control a neuron via a canister.

Ideas for the way forward

Acknowledging the potential for circumvention, we recommend to lift the restrictions on canister neuron control while still encouraging the core principle of non-transferability to safeguard the Internet Computer’s security. A promising approach involves introducing a neuron attribute that significantly tightens the link between a neuron and its initial controller, making it more risky to sell a neuron and thus practically re-establishing the non-transferability of the original design.

Enhancing Controller-Neuron Binding
To strengthen this connection, we propose linking neuron control explicitly to a unique cryptographic key, known to the owner. If as a private user you know the private key, then you cannot un-know it and hence you keep the control even if the controllership is transferred. A practical method to achieve this enduring bond is through a Proof-of-Knowledge (PoK) of the controller’s private cryptographic key. To counteract potential workarounds via threshold ECDSA (tECDSA) or threshold BLS (tBLS), an interactive Schnorr PoK, inherently incompatible with these protocols, is suggested.

Incentivization Structure for Enhanced Controller-Neuron Binding
The overall objective of the incentive structure is to deter the creation of a deep market for neurons. This is intended to make it difficult for an attacker to amass a significant amount of neurons quickly, exercise voting power in a harmful way, and then dispose of the neurons with minimal financial loss.

To further this objective, neurons without the enhanced controller-neuron binding via PoK could receive lower voting power and, consequently, lower rewards. Specifically, neurons without this binding, such as those controlled by canisters, could face a voting power reduction of up to 20%, depending on their dissolve delay. This reduction would range from 0% for neurons with no dissolve delay to 20% for those with an eight-year dissolve delay, applying linear interpolation for periods in between. The motivation for this time-dependence is to encourage non-transferability in particular for neurons with long dissolve delays and thus longer commitment to the network. The maximum reduction (in this instance, 20%) could be a parameter subject to modification through an NNS (Network Nervous System) vote.

In order to prevent creating a counterproductive incentive for neuron dissolution among existing neuron holders and to honor the commitment of current neuron holders, it is suggested that the voting power reduction for non-PoK neurons would only apply after a to be defined cut-off date (assuming that this proposal would be approved via a motion proposal one could for example use the approval date of the motion proposal). Instead of reducing the voting power for PoK-non-compliant neurons, an alternative could be to increase the voting power for PoK-compliant neurons. This change would essentially yield the same overall impact. Yet, as PoK-compliant neurons are expected to become the norm, the approach of decreasing voting power for non-PoK neurons appears more logical.

Application Across Types of Neuron Control

• New User-Controlled Neurons via Quill/Ledger hardware wallets: Eligible for the PoK scheme, reinforcing user ownership.
• New Canister-Controlled Neurons (both directly controlled by canister or through threshold ECDSA or canister signatures): Ineligible for PoK, aligning with the proposed restrictions lifting.
• New User-Controlled Neurons via Identity Identity (II): Due to BLS reliance, these neurons cannot participate in the PoK scheme directly. An alternative might involve assigning a non-modifiable “disbursement key,” enhancing rewards while introducing a mechanism that complicates neuron transfer, thus indirectly bolstering non-transferability. A disbursement key works as follows: If you know the disbursement key (and the neuron id) of the II controlled neuron then you would able to disburse to a specified account (using a new kind of neuron operation). This key, once set, cannot be changed. Knowing the key is irreversible, creates a risk for buyers: the previous owner could potentially access the neuron’s ICP in the future.

Suggested Phased Implementation

To effectively transition to the new framework a phased roll-out is proposed.

1. Phase 1 (soon): Lift restrictions on canister control over neurons.
2. Phase 2 (next): Adjust the voting power. New neurons lacking a self-authenticating principal will receive reduced voting power and rewards.
3. Phase 3 (mid-term): Introduce the additional PoK described above (and a disbursement key of neurons controlled via II). Lower rewards would apply to all new neurons without this additional PoK (or disbursement key).

I’ll take your entire stock.

(More nuanced comments soon).

I totally agree that we should lift the restrictions of canister-controlled neurons, as it’s technically possible to do it.

I don’t think we should penalize canister-controlled neurons, because then it would probably circle back to more brittle workarounds.

If we ever have Schnorr Threshold Signatures, would it be possible to generate this PoK?

In this situation, transferring votes, including through ‘Known Neurons’, should not be possible. The issue of buying votes renders the acquisition of neurons for voting redundant. While still theoretical, the problem of vote transferring poses a more serious threat than the hypothetical situation of buying neurons to sway voting outcomes. This discussion is relevant only if we are genuinely concerned about conducting proper voting.

Moreover, transferring votes is a much more serious issue than the hypothetical scenario of purchasing neurons to tip the scales in voting. Again, this all makes sense if we are truly talking about fair voting.

And yes, before one can purchase locked neurons, they must possess a sufficient amount of ICP. What is the current ratio of ICP in the market versus ICP in neurons?

The current ratio is shown on the dashboard’s Neurons page.

NNS, Internet Identity, Staking, and Neuron are already OVER complicated for users. And now we’re making it even more complicated; users are already avoiding DFinity! One of the good things about Internet Identity is the ability to connect multiple keys and manage them. If a key is lost or something happens, you delete it, buy a new one, and register it. This approach was a major plus and solved many problems, including losing access to your wallet. But with this new key/entry introduction in the neuron, we’re bringing back the problem. If I understand correctly, will it not be possible to change the newly introduced key/entry in the neuron?

For my initial reaction, I feel that DFINITY may be focusing on the wrong areas. I believe the effort used to write this post could be better allocated to core development, instead of pursuing less impactful endeavors.

My second point, more constructive, concerns the apparent penalization of genuinely decentralized alternative staking platforms built on the IC. In the mid-term, this approach seems to penalize true decentralized staking via Internet Identity (II), arguably the best authentication tool available. Meanwhile, increased rewards are being directed to ledger-controlled neurons, even though recent governance decisions have highlighted the ledger’s centralization issues.

Lastly, I advocate for an approach similar to that of SNS neurons. Regardless of whether it’s a mid-term or long-term strategy, all neurons should be transferable by design. The argument that purchasing neurons directly equates to buying voting power is overly simplistic. There’s a known case of a neuron accumulating approximately 10% of followee voting power without any financial expenditure or disclosing its neuron stake. Acquiring such a stake on the market would cost hundreds of millions and take years in the current climate. A vibrant neuron market could potentially stabilize or even increase value, with neurons possibly being sold at a premium rather than a discount. Furthermore, controlling 10% is unlikely to enable attacks in most scenarios.

Given these points, I strongly oppose the current strategy and encourage a reconsideration towards more decentralized, equitable approaches. Let’s not undermine what’s already complex.

If we’re talking about the integrity of voting, I would touch upon and return to the topic of voting transparency. Currently, there’s still no complete list of all neurons, something that has been much discussed. There’s no way to know how following works, who is following whom. How the voting process works, which neurons voted on their own, which neurons voted automatically through the functionality of following other neurons, and which neurons are followed to see their entire voting behavior. Right now, it’s a black box; why not open it up… provide all the information and make the network more open?

We are changing and trying to improve the system, but we do not understand how this system currently works; there’s no full transparency. In the case of Ethereum, Bitcoin, and true blockchains - data in the blockchain is available to ALL. Here, it’s the opposite.

The original post has the answer.

A significant fraction of the total voting power of existing NNS neurons (including Seed & ECT neurons) is not controlled by canisters/II

Now they want to give even more power and more rewards to those neurons.

Read it again. Staking with a ledger (3rd party) is better than staking with Internet Identity (native).

Was this post sponsored by Ledger Nano?

@Jam I want to make sure we’re on the same page: The idea is that also newly created II-controlled neurons could benefit from full rewards by using a disbursement key (see Section ‘Applications Across Types of Neuron Control’). Existing II-controlled neurons would anyway receive full rewards due to the suggested cut-off date.

No, you cannot. Schnorr Threshold Signatures would be a non-interactive scheme and hence it would not support the envisioned interactive proof.

I was referring to a phased implementation where additional PoK will be introduced mid-term in the 3rd phase, after the voting power has already been reduced in the 2nd phase.

I have a different view on this point.

• When users lock their ICP in a neuron, it motivates them to vote in ways that benefit the Internet Computer’s long-term interests.
• If a user chooses to delegate their voting power to another neuron, the responsibility lies with them to do their research and select a neuron that they believe will vote in alignment with their preferences for the Internet Computer’s long-term interests.
• The delegation model, therefore, does not inherently pose more risk than direct voting, provided that users are diligent in selecting neurons to delegate to. This assumes that both in delegating and in direct voting, decisions are made with careful consideration of the Internet Computer’s long-term interests.

What criteria are used to define “new neurons”? All neurons that do not have a Self-Authenticating principal should be targeted. However, before that, please clarify the information on all neurons. It’s unclear how this change would affect the distribution of voting power.

I have sympathy and understand the rationale for this request for making the voting behaviour of all NNS neurons public. On the other hand, I would also consider it to be a legitimate view to favor secrecy in voting, protecting the privacy of voters. This issue opens up a wider debate that probably goes beyond the scope of this post.

See the comment in the post “In order to prevent creating a counterproductive incentive for neuron dissolution among existing neuron holders and to honor the commitment of current neuron holders, it is suggested that the voting power reduction for non-PoK neurons would only apply after a to be defined cut-off date (assuming that this proposal would be approved via a motion proposal one could for example use the approval date of the motion proposal).” So new neurons would be those created after the suggested cut-off date.

I believe this way, you are entitled to think differently, and someone else has their own opinion. Everyone is entitled to their opinion. Statistics and an open voting system, regarding who votes directly or through a following mechanism, would clarify things. For example, I risk my assets in a neuron and choose, in my opinion, a reliable neuron to follow. There are many like me, and eventually, this very neuron, which may have only a few hundred ICP behind it, represents thousands of neurons with millions of ICP, and this very neuron doesn’t even know about the responsibility of these millions of ICP! And one day, it receives a profitable offer to vote differently this time. It will risk its 100 ICP but sell its vote very profitably! Why not? Since we’re discussing the possibility of buying a huge number of neurons from the market for voting. Ultimately, users will give their votes to other neurons, which in turn have a lower risk, and their vote can be bought out.

By the way, I like the first phase. It has the same functionality as it is now with SNS neurons. However, the second and third phases are counterproductive, and there are many other things much more important to the community and ecosystem. After several years, we still do not have a wallet! It is mind-blowing.