NOTE: This is a very early version of the SkyeKiwi Network. It is in heavy development. We will not advise anyone to use in production environment yet.
A fun background story behind our logo
Little do people know that among all Greek letters, Sigma is a special one. Not only because it’s the Greek for S and S for SkyeKiwi(duh..), but also because it’s the only Greek letter that can be written in three ways: uppercase “Σ”, lowercase “σ” and lowercase in word-final position “ς” and English likely adopt “ς” as “S” (they do look alike, right?). We make our logo to honor the Greeks’ letter Sigma but intentionally leave out the “ς” ( at a word-final position :) ), to keep this a secret (Shhhh... ). To read more on this fun Greek fact. Link
The SkyeKiwi Network is a confidential smart contract execution blockchain based on the SkyeKiwi Protocol.
Component Name | Description | Status |
---|---|---|
crates/skw-blockchain-* |
The main Substrate based blockchain client | See Below |
crates/skw-vm-* |
The offchain NEAR compatible VM | Early Internal Alpha |
crates/skw-sgx-* |
SkyeKiwi Protocol in Intel SGX Enclave | Internal Alpha |
crates/skw-contract-* |
Secret Smart Contract SDK, a wild cousin of NEAR SDK | Early Internal Alpha |
crates/near-* |
NEAR Compatible Tests | N/A |
enclave/* |
Intel SGX Enclave for offchain runtime | Impl SkyeKiwi Protocol, Early Internal Alpha |
mock-enclave/* |
Mock offchain runtime connector | Not implemented yet |
skw-tools-chaos/* |
Chaos Party! Spawn blockchain with random calls | Not ready |
skw-tools-scripts/* |
CI Scripts/Build Scripts etc. | Up to date |
teaclave-sgx-sdk/* |
Submodule for Rust Intel SGX SDK | Up to date |
Language Dependncies: nodejs
(used to run scripts), rust
(developing langauge) and docker
. Any modern version of the tools should do.
Substrate Based Blockchain
The SkyeKiwi Network blockchain is based on Substrate and currently contains 3 major pallets:
pallet-registry
for SecretKeeper Registration; Status: Internal Alpha
pallet-secrets
for secret registration: Late Alpha
pallet-s-contract
for an exposed interface to call secret contracts: Alpha
pallet-parentchain
for syncing offchain blocks on chain: Alpha
There is not a chain-spec
file yet to run a test-net. Est. Avaliable by the end of Feberuray 2022.
SkyeKiwi Offchain VM & Contract SDK
The SkyeKiwi Network offchain VM, (mostly) compatible with the NEAR VM. It's generally a simplified version of the NEAR Protocol VM BUT
- without staking & validator information (Status: Alpha Stage)
- use
wasmi
to be enclave friendly instead ofwasmer
orwasmtime
(Status: Alpha Stage) - Use Static Lrc Cache for compiled contracts (Status: Alpha Stage)
- use SGX Protected FIles for state instead of RocksDB (Status: Alpha Stage)
- Less strict account balance check (Status: Early Alpha)
- Allow arbitrary state patching bypassing all runtime checks. Note: the VM will run in SGX Enclave .. so this will still ba safe (Status: Alpha Stage)
For Contract SDK
- Roughly exactly the same as the NEAR Contracts. Developer in the NEAR ecosystem can easily re-deploy the contract as a secret contract to the SkyeKiwi Network with little changes to the contract source code. (Status: Alpha Stage)
- SkyeKiwi VM Runtime Simulator (Status: Not Ready)
SkyeKiwi Protocol in Intel SGX Enclave
The SGX version of the SkyeKiwi Protocol follows the exact same formats as the client version of the SkyeKiwi Protocol. However, implementations differs greatly, to reduce memory copies and referencing and better fit the SGX Enclave environment.
As a result:
- The default enclave heap size allocated is
0xf00000
bytes. As a result, it will be hard to process secrets larger than 1MB. The process might panic. Generally, the SkyeKiwi Protocol inside the SGX Enclave is designed to process secret smart contract states ... and they rarely reaches these much of storage usage either way. Plus, we always have the option to allocate more memory to the enclave. - The IPFS module does not comes with the automatic fallback function as the client side yet. Not a top priority for us yet. For testers, if your enclave tests failed because of
HttpErrors
. Try again. - The typical
upstream
anddownstream
processing is now divided into three seperated steps:pre-processing
,encrypt-cid-list
andpost-processing
. We might blog about it later, or we might find a better arch for it later. Details below.
Building & Testing
- Make sure all Rust env are correctly installed.
Here's the cheatsheet.
To Install Rust:
curl https://sh.rustup.rs -sSf | sh -s -- -y
source ~/.cargo/env
Install target wasm32
rustup target add wasm32-unknown-unknown --toolchain nightly
(note: remove "--toolchain nightly" for Apple M1)
yarn main:build
Will generate three binaries: skyekiwi-node
, skw-vm-engine-cli
and skw-vm-interface
under /target/release/.
skyekiwi-node
is the Substrate based blockchain binary.
skw-vm-engine-cli
is a testing tool for manualy run a low-level SkyeKiwi Offchain VM secret contract.
skw-vm-interface
is used to executing transactions in complete runtime environment. Supported types of transactions are deploy
to deploy contracts; create_account
to create accounts; call
to invoke smart contract calls and view_method_call
to view the secret state.
yarn main:test
Might take a while to finish!
Will run tests on:
- All pallets included in the Substrate blockchain
- The Contract SDK
- The offchain VM
- etc.
- Run Enclave Tests:
Currently, the enclave only contains code to run unit tests and integration tests. It is recommanded to run inside the Docker enviornment provided by teaclave-sgx-sdk
. Make sure you have Docker installed and launched; then run yarn enclave:sim
to enter into a interactive environment to work witht eh enclave code. Instead, run yarn enclave:ci
to simple run all tests inside the enclave.
Note: the enclave runs on Intel SGX Platform, therefore, AMD based computers, cloud VMs, or ARM based computers (like Apple M1 MacBooks) cannot run the docker simulation of the real enclave. For more information, refer to Apache/Teaclave-SGX-SDK.
For most users, READMEs on the TypeScript version of the SkyeKiwi Protocol will be more applicable. https://github.com/skyekiwi/skyekiwi-protocol. It's a known issue that most browser wallet extensions have limited to none supports to decrypt/encrypt with ECDH based encryption. We have been working on this problem.
For curious users who want to integrate the TEE version of the SkyeKiwi Protocol to their code, it won't be as straightforwards as the TypeScript version. Guess a general descriptions of how secrets are processed inside the enclave will be helpful.
There are the Trust and Untrusted parts of the protocol. A generaly principle is to NEVER have the unencrypted secrets exposed to the untrusted parts, while minimize the exposure of the metadata to the untrusted parts as well. The calls into the enclaves are called ecall
, and the processing on the untrusted parts are called host
or app
. In our implementation of the SkyeKiwi Protocol inside TEE, the upstream
and downstream
processes are broken down to three calls:
ecall_protocol_upstream_pre
: to pre-packaging the file from the SGX protected filesystem, encrypt them and emit to the normal file system for the host
to upload to IPFS.
ecall_protocol_upstream_cid_list
: to encrypt the CID list we got from uploading from the previous step.
ecall_protocol_upstream_seal
: to process the CID list and seal the metadata to the desired recipients.
For the downstream procss, it's symmetrical to the upstream process but reversed.
ecall_protocol_downstream_pre
: reverse the processed metadata from ecall_protocol_upstream_seal
;
ecall_protocol_downstream_cid_list
: reverse the processed CID list from ecall_protocol_upstream_cid_list
;
ecall_protocol_downstream_unseal
: reverse the processed metadata from ecall_protocol_upstream_pre
;
The metadata packaged are identitical to the metadata from the TypeScript implementation.
The bridge between the offchain runtime to the mainchain is not fully functional yet and this tutorial acts as a simple overview of the process
- Prepare the secret contract to be deployed: for developers, two things need to be prepared: 1. the contract sdk is contained within
crates/skw-contract-sdk
, it has a similar interface as the NEAR Protocol smart contracts. Prepare the smart contract and compile it into a.wasm
file. 2. Define the initial calls make to the secret contracts. These calls can be used to define the genesis management roles of the secret contracts, define the authentication schema or issue the initial supply of fungible tokens etc. Developers have the options to make these calls public or encrypted to the needs of the secret contract. - Deploy the secret contract: a TypeScript package
@skyekiwi/s-contract
is intent to wrap the process of encoding the initial calls and will register the encoded initial calls as normal secrets to thepallet-secrets
, and call intopallet-s-contract
to register the wasm blob and notify the offchain runtime to fetch the contract and deploy into the offchain runtime. For the offchain runtime nodes, they will fetch the initial state, unseal the initial state following the SkyeKiwi Protocol and push an offchain commands to the runtime, deploy and setup the secret contract. - Interact with the Secret Contract: there are two types of calls - execution calls that alter the secret state and view call that read the secret state. The end users by default is able to use the most recent
shard secret key
that can be obtained frompallet-s-contract
to encrypt the calls that only the TEE enclaves running the shards is able to decrypt. The calls will be encoded with borsh and be pushed topallet-s-contract
, while the offchain runtime will listen for all new incoming calls once the block is finalized on the mainchain and be assigned acallIndex
. When a call is fetched by the offchain runtime, it will be verified for transaction validity and if the origin has the correct authentication criteria for performing such transaction. The outcome of either success or failed call will be pushed back to the mainchain atpallet-parentchain
. - Proxy Re-encryption: is one of the features offered by the offchain runtime that is able to re-encrypt the metadata generated by the SkyeKiwi Protocol in the contrtact runtime by calling the high-level
UpdateEncryptionSchema
API of the SkyeKiwi Protocol. It will be exposed either as a host function of the wasm virtual machine runtime. - Reading Outcomes: the outcomes from the offchain runtime are also encoded with borsh and pushed to the
pallet-parentchain
, use can make queries toapi.query.parentchain.outcome
by passing in thecallIndex
assigned on step 3. The outcome will be either encrypted or public and for encrypted outcomes, only the transaction origin is able to read them.
Like all blockchains, it will take a few stages before the network launch into mainnet and so are we. The SkyeKiwi Network is generally divided to the main chain and a shadow chain. The main chain is the public interface of the SkyeKiwi Network, while the the shadowchain is not a full-fledged blockchain, but a virtual blockchain in form of offchain runtimes to execute secret contracts. The shadow chain is sharded and will have more shards over time. The shadowchain is a modified version of the runtime of the NEAR Protocol.
Stage 1: Testnet Alpha
Testnet Alpha is a PoA testnet for the main chain and runs the shadow chain (the mock-enclave
) on trusted servers instead of trusted TEE hardwares, while the shadow chain will have only one shard running. Testnet Alpha is capable of executing a mostly full functional secret contracts without a few host functions. Tokens on testnet alpha has no money value.
Stage 2: Testnet Beta Testnet Beta is a NPoS testnet for the main chain and runs shadow chain on a mixture of trusted servers and trusted hardwares, while the shadow chain will still have only one shard running. Testnet Beta is capable of executing full functional secret contracts. Tokens on testnet Beta has no money value.
Stage 3 Sigma Network Testnet Sigma is the final pre-mainnet testnet that features all functionalities with complete host functions and a centralized bridge connect to the placeholder token issuance network that has money value for tokens, with NPoS mainnet and trusted hardware enclaves. It's in place for final checkups on chain economical paramters and correcct gas counting offchain. There will be only one shard running offchain. It will be the standalone network.
Stage 4 Mainnet Mainnet is the parachain ready version of the Sigma Network that will be connect on Kusama and the Octupus Network for bridging to the NEAR ecosystem.
Stage 5 and After Mainnet Upgrades New shards will be added to the offchain VM gradually. The first shard will be a general purpose NEAR sdk focused shard, while the second shard will be an EVM compatible shard, further down the line, high throughput shard, high security shard will be added one by one.
AR="${LLVM_PATH}/bin/llvm-ar" CC="${LLVM_PATH}/bin/clang" cargo ...
The entire code within this repository is licensed under the GPLv3.
Please contact us if you have questions about the licensing of our products.