Summary
It's clear that once we start running larger wasm programs on the hyperchain, throughput will decline sharply. The best solution is to execute those programs on fewer nodes than the entire validator set, and then have the remaining validators reach consensus on the proof before updating the state.
The main question in doing this with a TEE is how much you trust Intel SGX and its services. If you trusted them completely, you would only need to run the program once. If you trusted them a little less, you would want a small handful of nodes to form a committee that runs the program, in case a few of them have had their security broken. This is what Oasis currently does.
If we use more than one enclave, we are no longer trusting Intel alone: we are trusting that the results from Intel and AMD match (and from other manufacturers in the future). Using both means an attacker would need to find vulnerabilities in both platforms. If we assume that is not realistic for an attacker to accomplish, we can reduce the computation to a single Intel/AMD pair randomly selected in each region. Those are the assumptions for the case where a manufacturer gets something wrong.
There's also the matter of decentralizing attestation, so that we aren't choosing between:
1. Contacting Intel to verify the attestation on every trip.
2. Building our own attestation but relying on a single verifier to give us results.
3. Registering with their plan to have a SaaS verify measurements initially, post the results to a blockchain, and then use low-level integrity monitoring to ensure there are no changes or misdirected behaviour.
Instead, we make no assumptions about any 3rd parties outside the network and use our own validators to run the enclave binary of joining nodes. The validators evaluate the binary against a policy and mint an attestation token, which goes on the blockchain so that non-validators can verify it. The hash of each attested validator's identity key goes into a smart contract accumulator, giving us on-blockchain authentication on the round trip every time a compute node fetches the contract from state.
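A toy model of the flow described above, added here as an illustration rather than code from the project: validators check a joining node's measurement against a policy, mint a token, the identity-key hash lands in an accumulator that gates state fetches, and a computation is accepted only when the Intel/AMD pair agree. The policy allow-list, the identity keys and the use of an HMAC in place of the validator set's signature are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed allow-list standing in for the validators' attestation policy.
POLICY_ALLOWED_MEASUREMENTS = {"mrenclave-v1-constructed", "sev-measurement-v1-constructed"}
REQUIRED_VENDORS = {"intel", "amd"}  # a compute pair must span both manufacturers


@dataclass(frozen=True)
class Attestation:
    vendor: str          # "intel" or "amd"
    measurement: str     # enclave code measurement reported by the hardware
    identity_pub: bytes  # joining node's identity public key (constructed bytes)


def evaluate_policy(att: Attestation) -> bool:
    """Validators check the joining node's measurement against the policy."""
    return att.vendor in REQUIRED_VENDORS and att.measurement in POLICY_ALLOWED_MEASUREMENTS


def mint_token(att: Attestation, validator_key: bytes) -> Optional[bytes]:
    """Mint an attestation token; an HMAC stands in for the validator set's signature."""
    if not evaluate_policy(att):
        return None
    msg = att.vendor.encode() + b"|" + att.measurement.encode() + b"|" + att.identity_pub
    return hmac.new(validator_key, msg, hashlib.sha256).digest()


class Accumulator:
    """Toy model of the on-chain accumulator of attested identity-key hashes."""

    def __init__(self, validator_key: bytes):
        self._validator_key = validator_key
        self._members: Set[bytes] = set()

    def register(self, att: Attestation, token: bytes) -> bool:
        expected = mint_token(att, self._validator_key)
        if expected is None or not hmac.compare_digest(expected, token):
            return False  # unattested or forged token is rejected on-chain
        self._members.add(hashlib.sha256(att.identity_pub).digest())
        return True

    def authorize_fetch(self, identity_pub: bytes) -> bool:
        """Round-trip authentication when a compute node fetches contract state."""
        return hashlib.sha256(identity_pub).digest() in self._members


def results_agree(results: Dict[str, bytes]) -> bool:
    """Accept a computation only if both an Intel and an AMD enclave ran it and agreed."""
    return REQUIRED_VENDORS.issubset(results) and len(set(results.values())) == 1
```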