Chain Key Cryptography

The Internet Computer can scale to millions of node machines with the help of Chain Key Cryptography. It is the innovation that enables the IC blockchain to have a single public key through which the authenticity of artifacts generated by the Internet Computer can be verified by any device, even smartwatches. This is a key feature that separates the Internet Computer from traditional blockchains such as Ethereum that are unable to accomplish such a verification without requiring an abundance of data.

The Internet Computer’s Chain Key Cryptography provides the following features:

Before taking a deep dive into Chain Key Cryptography, let’s cover some important basics that help us to better understand the concepts outlined in the following.

The Internet Computer consists of numerous node machines spread across the world. The node machines run the Internet Computer Protocol (ICP) and execute canister smart contracts. The protocol itself connects all the nodes of the network and orchestrates the smart contract execution on the node machines.

The network’s node machines are partitioned into subnets. When a new canister is uploaded onto the network, it is assigned to a subnet. Only the nodes participating in a canister’s subnet can run its code.

Let us assume a user interacts with the front-end of a dApp deployed on the Internet Computer. This will cause the ICP to send a message to the canister. In the next step, the canister is executed by the Internet Computer based on the input of the message. Once executed, an output message is computed which can be queried back by the user. The canister’s state is updated as defined by its code when the message is executed.

Correctness of results as well as robustness against failure is achieved by running each canister on multiple nodes. This ensures nodes have to agree on message ordering as well as the result of each computation.

Users of the Internet Computer need to be able to verify the correctness of the results that are transmitted to them. Similarly, users need to be able to verify that returned messages did indeed originate from the Internet Computer. An additional requirement is that messages queried by a user need to be signed by all the nodes that are hosting the canister the message is queried from.

Chain Key Cryptography ensures that the aforementioned security requirements can be implemented on the Internet Computer. With the help of Chain Key Cryptography, all nodes in the network receive secret key shares enabling them to jointly sign messages. This creates a signature that can only be verified by using the public key of the Internet Computer.

Each subnet hosted on the Internet Computer has its own public key through which it can authenticate messages. The nodes forming a subnet have a share of the subnet’s secret key which corresponds to the subnet’s public key. A message can be jointly signed based on the threshold signature scheme, i.e. if a predetermined number of nodes reach consensus. A user can then verify the signature on the message via the public key of the subnet. The Internet Computer can, in turn, sign the public keys of all subnets.

In comparison, the validation of a smart contract running on Ethereum requires an open Ethereum client to download 400GB of blockchain data. While the size of the Internet Computer’s public key will always remain the same, the required download size of Ethereum grows linearly with time.

Chain Key Cryptography allows the Internet Computer to scale to thousands of subnets and beyond. For each subnet, there is an individual public key corresponding to it. But how does the network securely generate, manage, and maintain these secret keys and their corresponding public keys? How is the network’s security ensured when failing nodes have to be replaced or nodes added to form new subnets? Also, how can the network be protected from attackers trying to compromise nodes or block communication? Let’s find out in the following.

On the one hand, a standard threshold signing algorithm is used to enable node machines to jointly sign messages. On the other hand, new cryptography is used to generate and maintain all keys in the network. These are the two main procedures by means of which the Internet Computer securely generates and manages keys:

Different cryptographic primitives are used to build these two procedures, including:

The NNS subnet is responsible for generating the public key of a new subnet and distributing corresponding key shares among the nodes running the new subnet. To tolerate malicious nodes, the Internet Computer Protocol implements the following approach to avoid the dependency on a single trusted dealer:

The criterion for Chain Key Cryptography to generate secure key materials is that a single dealer in the network is honest. This criterion is satisfied as long as the number of nodes within the NNS subnet acting as dealers is higher than one-third. This is the process that prepares nodes for operating a new subnet:

Nodes operating a subnet may need to be replaced because of having failed or being compromised by attackers who have gained access to the node’s respective share of the secret key. For this reason, nodes have to maintain their secret key shares. If a node is being replaced, the secret key share has to be replaced as well.

To replace the secret key share, the remaining nodes of the subnet reshare their own secret key shares. As a result, each remaining node of the subnet receives a sharing of the original secret key share from the other nodes. The “shares of a share” are then recombined to form a new, ordinary secret key share.

This amounts to a fresh generation and sharing of a secret key. Consequently, the same procedure is followed when generating a new key: Nodes share the original secret key share to obtain a new share of the secret key share. These shares are then encrypted for the new set of nodes running the subnet and a noninteractive zero-knowledge proof is added to verify this was done correctly. Once the correctness is verified, the nodes of the subnet will delete their old secret key shares.

The resharing process of the secret key shares ensures the following:

A new node that joins an existing subnet requires secret key shares of the subnet as well as the current state of the subnet’s canisters. To get the current state of all canisters in the subnet, the new node can request the canister state from all existing nodes operating the subnet. To verify the authenticity and correctness of state, the stats of all canisters are being threshold signed by all other nodes.

The aforementioned process of state certification and noninteractive key resharing are expensive operations. For this reason, it can only be done in regular intervals, for example, every 200 blocks. To accomplish this, subnets produce so-called catch-up packages in which all the information new nodes require to operate the subnet is bundled. At the same time, these catch-up packages enable the subnet’s existing nodes to resume their operation when being cut off from the network.

Catch-up packages introduce features that ensure the subnet’s execution is provided in a well-defined state.

Once a catch-up package has been generated by a subnet, the subnet’s previous state can be deleted. Doing so allows the Internet Computer to be a lot more storage efficient. This is a major difference from traditional blockchains which maintain state indefinitely which increases their size considerably over time.

With the help of catch-up packages, the Internet Computer can revive a subnet – even in cases in which the majority of the subnet’s nodes have crashed. To revive a subnet, only a single node needs to have survived, allowing the IC to recover the catch-up package, generate new keys, and form a new subnet that continues to run the canisters based on the state specified in the catch-up package.

The third functionality catch-up packages provide to the Internet Computer is load balancing. Should a given canister in a subnet require more resources due to increased popularity/demand than the subnet can provide, the subnet is split into two subnets. Both subnets will continue from the same catch-up package but the canisters are now evenly spread out across both subnets.

The most crucial feature of catch-up packages is that they provide an option for the Internet Computer Protocol to upgrade itself. This is done by instructing a subnet’s nodes to produce a catch-up package but to run a different version of the protocol thereafter. This allows the Internet Computer to add new features to the protocol and to fix bugs.