Professional Documents
Culture Documents
Nervos
Nervos
Number: "0001"
Category: Informational
Status: Final
Author: The Nervos Team
Created: 2019-09-12
---
We start this document with a detailed examination of the problems that public
permissionless blockchains face today and the existing solutions attempting to
solve them. We hope this provides the necessary context for our readers to
understand our own rationale on how best to approach these challenges, and our
underlying design decisions. We then provide a high-level walkthrough of all parts
of the Nervos Network, with a focus on how they work together to support the
overall vision of the network.
## 2. Background
The blockchain community has proposed many scalability solutions in recent years.
In general, we can divide these solutions into two categories: on-chain scaling and
off-chain scaling.
On-chain scaling solutions aim to expand the throughput of the consensus process
and create blockchains with native throughput that rivals centralized systems. Off-
chain scaling solutions only use the blockchain as a secure asset and settlement
platform, while moving nearly all transactions to upper layers.
Bitcoin Cash (BCH) adopts this approach to scale its peer-to-peer payment network.
The Bitcoin Cash protocol began with a maximum block size of 8 MB, which was later
increased to 32 MB, and which will continue to be increased indefinitely as
transaction demand increases. For reference, following Bitcoin's (BTC)
implementation of Segregated Witness in August 2017, the Bitcoin protocol now
allows for an average block size of around 2 MB.
In the scope of a datacenter, the math works out. If 7.5 billion people each create
2 on-chain transactions per day, the network will require production of 26 GB
blocks every 10 minutes, leading to a blockchain growth rate of 3.75 TB per day or
1.37 PB per year[3]. These storage and bandwidth requirements are reasonable for
any cloud service today.
Though placing the burden of a growing network's costs on its operators may seem to
be a reasonable decision, it could be short-sighted for two reasons:
This goal is consistent with our observations of transactional network usage. Users
of these systems are indifferent to significant long-run trade-offs because they
will only utilize the network for a short time. Once their goods or services have
been received and their payment has been settled, these users no longer have any
concern for the network's effective operation. The acceptance of these trade-offs
is apparent in the widespread use of centralized crypto-asset exchanges, as well as
more centralized blockchains. These systems are popular primarily for their
convenience and transactional efficiency.
Some smart contract platforms have taken similar approaches to scaling blockchain
throughput, allowing only a limited set of "super computer" validators to
participate in the consensus process and independently validate the blockchain.
These designs allow the multiple chains to utilize a shared security model, while
allowing high throughput and fast transactions inside shards (Ethereum) or para-
chains (Polkadot). Though each of these systems is a network of interconnected
blockchains, they differ in regard to the protocols running on each chain. In
Ethereum 2.0, every shard runs the same protocol, while in Polkadot, each para-
chain can run a customized protocol, created through the Substrate framework.
In these multi-chain architectures, each dApp (or instance of a dApp) only resides
on a single chain. Though developers today are accustomed to the ability to build
dApps that seamlessly interact with any other dApp on the blockchain, design
patterns will need to adapt to new multi-chain architectures. If a dApp is split
across different shards, mechanisms will be required to keep state synced across
different instances of the dApp (residing on different shards). Additionally,
though layer 2 mechanisms can be deployed for fast cross-shard communication,
cross-shard transactions will require global consensus and introduce confirmation
latency.
Sharding has its own advantages and challenges. If shards can be truly independent
and cross-shard needs are minimal, a blockchain can linearly scale its throughput
by increasing the number of shards. This is best suited for self-contained
applications that don't require outside state or collaboration with other
applications.
On a more technical note, sharding typically requires a "1 + N" topology, in which
N chains connect to one meta-chain, introducing an upper bound on the number of
shards a meta-chain can support without itself running into scalability issues.
These technologies demonstrate how a store of value network such as Bitcoin could
be used for everyday payments. The most typical example of a layer 2 solution in
practice is a payment channel between a customer and a coffee shop. Let's assume
Alice visits the Bitcoin Coffee Shop every morning. At the beginning of the month,
she deposits funds into a Lightning payment channel she has opened with the coffee
shop. As she visits each day, she cryptographically signs the coffee shop's right
to take some of the funds, in exchange for her coffee. These transactions happen
instantly and are completely peer-to-peer, "off-chain", allowing for a smooth
customer experience. The Lightning channel is trustless, Alice or the coffee shop
can close the channel at any time, taking the funds they are owed at that time.
Payment channel technologies such as Lightning are only one example of an off-chain
scaling technique; there are many maturing technologies that can safely scale
blockchain throughput in this way. While payment channels include off-chain
agreements to channel balances between two parties, state channels include off-
chain agreements to arbitrary state between channel participants. This
generalization can be the basis of scalable, trustless, decentralized applications.
A single state channel can even be utilized by multiple applications, allowing for
even greater efficiency. When one party is ready to exit the channel, they can
submit the agreed upon cryptographic proof to the blockchain, which will then
execute the agreed state transitions.
For a full node to keep up with the progression of the blockchain, it must have
adequate computational throughput to validate transactions, bandwidth throughput to
receive transactions, and storage capacity to store the entire global state. To
control a full node's operating cost, the protocol has to take measures to bound
the throughput or capacity growth of all three of these resources. Most blockchain
protocols bound their computational or bandwidth throughput, but very few bound the
growth of the global state. As these chains grow in size and length of operation,
full node operation costs will irreversibly increase.
While there has been a lot of research into consensus protocols in recent years, we
believe crypto-economics is an understudied field. Broadly speaking, current
crypto-economic models for layer 1 protocols are primarily focused on incentives
and punishments to ensure network consensus, and native tokens are mostly used to
pay transaction fees or to satisfy staking requirements that provide Sybil
resistance.
We believe that a well-designed economic model should go beyond the consensus
process and ensure the long-term sustainability of the protocol as well. In
particular, the economic model should be designed with the following goals:
The Bitcoin protocol caps the size of blocks and enforces a fixed block time. This
makes the network's bandwidth throughput a scarce resource that users must bid on
through transaction fees. Bitcoin Script doesn't allow loops, making the length of
the script a good approximation of its computational complexity. In general,
greater demand for block space translates into higher transaction fees for users.
Additionally, the more inputs, outputs or computational steps that are involved in
a transaction, the more a user will also pay in transaction fees.
The intrinsic value of Bitcoin comes almost entirely from its monetary premium
(society's willingness to treat it as money) and in particular, the willingness to
hold it as a store of value. Because miner income is denominated in BTC, this
perception has to hold for Bitcoin's economic model to be sustainable. In other
words, Bitcoin's security model is circular - it depends on the collective belief
that the network is sustainably secure and can therefore be used as a monetary
store of value.
Bitcoin's block size cap effectively sets the barrier for network participation -
the lower the block size cap is, the easier it is for non-professionals to run full
nodes. The Bitcoin global state is its UTXO set, with its growth rate also
effectively capped by the block size limit. Users are incentivized to create and
utilize UTXOs efficiently; creating more UTXO's translates into higher transaction
fees. However, no incentives are provided to encourage combining of UTXOs and
reduction of the size of the global state; once a UTXO is created, it will occupy
the global state for free until it is spent.
Bitcoin has a total supply hard-cap and its new issuance via block rewards will
eventually drop to zero. This could cause two problems:
First, if Bitcoin continues to succeed as a store of value, the unit value of BTC
will continue to increase, and the total value the network secures will also
increase (as more monetary value moves on to the network). A store of value
platform has to be able to raise its security budget as the value it protects
increases over time, otherwise, it invites attackers to double spend and steal the
assets of the network.
When the cost to break protocol security is less than the profit they can earn
acting honestly, attackers will always attack. This is analogous to a city that has
to raise its military spending as the wealth inside the city increases. Without
this investment, sooner or later the city will be attacked and looted.
With the existence of block rewards, Bitcoin is able to scale security to the
aggregate value it stores - if Bitcoin's price doubles, the income that miners
receive from block rewards will also double, therefore they can afford to produce
twice the hash rate, making the network twice as expensive to attack.
This however changes when the predictable block rewards drop to zero. Miners will
have to rely entirely on transaction fees; their income will no longer scale to the
value of the Bitcoin asset, but will be determined by the transaction demand of the
network. If transaction demand is not high enough to fill the available block
space, total transaction fees will be minuscule. Since transaction fees are
strictly a function of block space demand and independent from the price of a
Bitcoin, this will have a profound impact on Bitcoin's security model. For Bitcoin
to remain secure, we'd have to assume consistent, over-capacity transaction demand,
that also scales to the price of Bitcoin. These are very strong assumptions.
Second, when the predictable block rewards stop, variance in per block income for
miners increases, and provides incentives for miners to fork, instead of advancing
the blockchain. In the extreme case, when a miner's mempool is empty and they
receive a block loaded with fees, their incentive is to fork the chain and steal
the fees, as opposed to advancing the chain and producing a block with potentially
no income[5]. This is known as the "fee sniping" challenge in the Bitcoin
community, to which a satisfying solution has not yet been found, without removing
Bitcoin's hard-cap.
The typical economic model of smart contract platforms faces even more challenges.
Let's use Ethereum as an example. Ethereum's scripting allows loops, therefore the
length of a script doesn't reflect the script's computational complexity. This is
the reason Ethereum doesn't cap block size or bandwidth throughput, but
computational throughput (expressed in the block gas limit).
To get their transactions recorded on the Ethereum blockchain, users bid on the per
computation cost they're willing to pay in transaction fees. Ethereum uses the
concept of "gas" as measurement of computational cost priced in ETH, and the "gas
price" rate control ensures that the cost per step of computation is independent of
price movements of the native token. The intrinsic value of the ETH token comes
from its position as the payment token of the decentralized computation platform;
it is the only currency that can be used to pay for computation on Ethereum.
Ethereum's global state is represented with the EVM's state trie, the data
structure that contains the balances and internal state of all accounts. When new
accounts or contract values are created, the size of the global state expands.
Ethereum charges fixed amounts of gas for insertion of new values into its state
storage and offers a fixed "gas stipend" that offsets a transaction's gas costs
when values are removed.
A "pay once, occupy forever" storage model doesn't match the ongoing cost structure
of miners and full nodes, and the model provides no incentive for users to
voluntarily remove state or remove state sooner. As a result, Ethereum has
experienced rapid growth of its state size. A larger state size slows down
transaction processing and raises the operating cost of full nodes. Without strong
incentives to clear state, this is a trend that's bound to continue.
Unlike Bitcoin, which specifies the block size limit in its core protocol, Ethereum
allows miners to dynamically adjust the block gas limit when they produce blocks.
Miners with advanced hardware and significant bandwidth are able to produce more
blocks, effectively dominating this voting process. Their interest is to adjust the
block gas limit upward, raise the bar of participation and force smaller miners out
of the competition. This is another factor that contributes to the quickly rising
cost of full node operation.
Smart contract platforms like Ethereum are multi-asset platforms. They support
issuance and transactions of all types of crypto-assets, typically represented as
"tokens". They also provide security to not only their own native tokens, but the
value of all crypto-assets on the platform. "Store of value" in a multi-asset
context therefore refers to the value preservation property that benefits both the
platform's native tokens and the crypto-assets stored on the platform.
With its block rewards, Bitcoin has an excellent "store of value" economic model.
Miners are paid a fixed block reward denominated in BTC, and thus their income
rises along with the price of BTC. Therefore, the platform has the ability to raise
revenue for miners to increase security (measured by the cost of attack) while
maintaining a sustainable economic model.
Smart contract platforms that are not designed to function as a store of value have
to rely on the native token's monetary premium (the willingness of people to hold
the tokens beyond their intrinsic value) to support its ongoing security. This is
only feasible if one platform dominates with unique features that can't be found
elsewhere, or out-competes others by delivering the lowest possible cost of
transactions.
Ethereum currently enjoys such dominance and can therefore maintain its monetary
premium. However, with the rise of competing platforms, many designed for higher
TPS and providing similar functionality, it's an open question as to whether
reliance on a monetary premium alone can sustain a blockchain platform's security,
especially if the native tokens are explicitly not designed or believed to be
money. Furthermore, even if a platform can provide unique features, its monetary
premium can be abstracted away by the user interface through efficient swaps (very
likely when mass adoption of blockchain finally comes). Users would hold assets
they're most familiar with, such as Bitcoin or stable coins, and acquire platform
tokens just in time to pay for transaction fees. In either case, the foundation of
a platform's crypto-economics would collapse.
Layer 1 multi-asset platforms have to provide sustainable security for all of the
crypto-assets they secure. In other words, they have to have an economic model
designed for a store of value.
Dash was the first project to utilize a treasury to ensure ongoing development was
funded in-protocol. While sustainably supporting the protocol's development, this
design makes a compromise in regard to the sustainability of the value of the
cryptocurrency. Like most blockchain treasuries, this model relies on inflation-
based funding, which erodes the value of long-term holdings.
The Nervos Network uses a treasury model that provides sustainable funding for core
development. Treasury funds come from targeted inflation of short-term token
holders, while the effects of this inflation are mitigated for long-term holders.
More information about this mechanism is described in (4.6).
The first example of blockchain interoperability was atomic swaps between Bitcoin
and Litecoin. The trustless exchange of Bitcoin for Litecoin and vice-versa is made
possible not through in-protocol mechanisms, but through a shared cryptographic
standard (specifically usage of the SHA2-256 hash function).
Similarly, the design of Ethereum 2.0 allows for interconnection of many shard
chains, all running the same protocol and utilizing the same cryptographic
primitives. This uniformity will be valuable when customizing the protocol for
inter-shard communication, however Ethereum 2.0 will not be interoperable with
other blockchains that do not utilize the same cryptographic primitives.
The crypto-economics of cross-chain networks may need further study as well. For
both Cosmos and Polkadot, native tokens are used for staking, governance and
transaction fees. Putting aside the crypto-economic dynamics introduced by staking,
which can't alone give a native token intrinsic value (discussed in 4.2.4),
reliance on cross-chain transactions to capture ecosystem value can be a weak
model. In particular, cross-chain transactions are a weakness, not a strength of
multi-chain networks, just as cross-shard transactions are a weakness of sharded
databases. They introduce latency, as well as the loss of atomicity and
composability. There is a natural tendency for applications that need to interact
with each other to eventually move to reside on the same blockchain to reduce
cross-chain overhead, reducing the demand for cross-chain transactions and
therefore demand for the native token.
Cross-chain networks benefit from network effects - the more interconnected chains
there are in a network, the more valuable the network is, and the more attractive
it is to potential new participants in the network. Ideally, such value would be
captured by the native token and used to further encourage the growth of the
network. However, in a pooled security network such as Polkadot, higher cost of
network participation becomes a deterrent for the network to accrue further value.
In a loosely connected network like Cosmos, if we assume same cross-chain
transaction demand and fees, higher cost of staking participation lowers the
expected return for validators, discouraging further staking participation.
With its layered approach, the Nervos Network is also a multi-chain network.
Architecturally, Nervos uses the cell model and a low-level virtual machine to
support true customization and user-created cryptographic primitives, enabling
interoperability across heterogeneous blockchains (covered in 4.4.1). Crypto-
economically, the Nervos Network concentrates value (instead of message passing) to
its root chain. This mechanism raises the network's security budget as the
aggregate value secured by the network rises. This is covered in detail in (4.4).
We believe that the best way to construct a system is not to build an all-
encompassing single layer, but rather to decouple concerns and address them at
different layers. By doing this, the layer 1 blockchain can focus on being secure,
neutral, decentralized and open public infrastructure, while smaller, layer 2
networks can be specially-designed to best suit the context of their usage.
In the Nervos Network, the layer 1 protocol (the Common Knowledge Base) is the
value preservation layer of the entire network. It is philosophically inspired by
Bitcoin and is an open, public and proof of work-based blockchain, designed to be
maximally secure and censorship-resistant, to serve as a decentralized custodian of
value and crypto-assets. Layer 2 protocols leverage the security of the layer 1
blockchain to provide unbounded scalability and minimal transaction fees, and also
allow for application-specific trade-offs in regard to trust models, privacy and
finality.
Here are the core principles that led to the design of the Nervos Network:
The Nervos Common Knowledge Base (CKB) is designed to store all kinds of common
knowledge, not limited to money. For example, the CKB could store user-defined
crypto-assets, such as fungible and non-fungible tokens, as well as valuable
cryptographic proofs that provide security for higher-layer protocols, such as
payment channels (5.2) and commit chains (5.4).
Both Bitcoin and the Nervos CKB are common knowledge storage and verification
systems. Bitcoin stores its global state as the UTXO set, and verifies state
transitions through hard-coded rules and scripts embedded in transactions. The
Nervos CKB generalizes Bitcoin's data structure and scripting capabilities, stores
global state as the set of active programmable cells, and verifies state
transitions through user-defined, Turing-complete scripts that run in a virtual
machine.
While the Nervos CKB has full smart contract capabilities like those of Ethereum
and other platforms, its economic model is designed for common knowledge
preservation, instead of payment for decentralized computation.
Bitcoin's Nakamoto Consensus (NC) is well-received due to its simplicity and low
communication overhead. However, NC suffers from two drawbacks: 1) its transaction
processing throughput is far from satisfactory, and 2) it is vulnerable to selfish
mining attacks, in which attackers can gain additional block rewards by deviating
from the protocol's prescribed behavior.
The CKB consensus protocol is a variant of NC that raises its performance limit and
selfish mining resistance while keeping its merits. By identifying and eliminating
the bottleneck in NC's block propagation latency, our protocol supports very short
block intervals without sacrificing security. A shortened block interval not only
increases throughput, but also lowers transaction confirmation latency. By
incorporating all valid blocks into the difficulty adjustment calculation, selfish
mining is no longer profitable in our protocol.
Nervos CKB increases the throughput of PoW consensus with a consensus algorithm
derived from Nakamoto Consensus. The algorithm uses the blockchain's orphan rate
(the percentage of valid blocks that are not part of the canonical chain) as a
measurement of connectivity across the network.
The protocol targets a fixed orphan rate. In response to a low orphan rate target
difficulty is lowered (increasing the rate of block production) and when the orphan
rate crosses a defined threshold, target difficulty is increased (decreasing the
rate of block production).
This allows for utilization of the network's entire bandwidth capabilities. A low
orphan rate indicates that the network is well-connected and can handle greater
data transmission; the protocol then increases throughput under these conditions.
The bottleneck in any blockchain network is block propagation. The Nervos CKB
consensus protocol eliminates the block propagation bottleneck by modifying
transaction confirmation into a two step process: 1) propose and 2) commit.
A transaction must first be proposed in the "proposal zone" of a block (or one of
its uncles). The transaction will then be committed if it appears in a block's
"commitment zone" within a defined window following its proposal. This design
eliminates the block propagation bottleneck, as a new block's committed
transactions will have already been received and verified by all nodes when
proposed.
Researchers observe that the unfair profit opportunity is rooted in the difficulty
adjustment mechanism of Nakamoto Consensus, which neglects orphaned blocks when
estimating the network's computing power. This leads to lower mining difficulty and
higher time-averaged block rewards.
The Nervos CKB consensus protocol incorporates uncle blocks into the difficulty
adjustment calculation, making selfish mining no longer profitable. This holds
regardless of attack strategy or duration; a miner is unable to gain unfair rewards
through any combination of honest and selfish mining.
Our analysis shows that with a two-step transaction confirmation process, de facto
selfish mining is also eliminated via a limited attack time window.
PoW mining incurs real-world expenses that can exceed mining proceeds without
diligent cost supervision. Those in power are required to stay innovative, pursue
sound business strategies and continue to invest in infrastructure to remain
dominant. Mining equipment, mining pool operations and access to cheap energy are
all subject to changes from technological innovation. It is difficult to maintain
monopolization of all three over long periods of time.
In addition, PoS validators have one unique power: control of the validator set.
Acceptance of a transaction that allows a validator to join the consensus group is
in the hands of existing validators. Colluding efforts to influence the validator
set through transaction censorship and ordering manipulation would be difficult to
detect, as well as difficult to punish. Conversely, consensus participation in PoW
systems is truly open and isn't subject to the current power structure. Advantages
are not given to early participants of the system.
Regarding token economics, while it is believed that staking can attract capital
looking to earn yield (and therefore increase demand for the native token), this is
not the whole picture. All PoS projects will eventually see their staking rate
stabilize, and capital entering and leaving the pool of staked capital would then
be roughly the same. The staking mechanism by itself will not increase demand for
the native token. In other words, though the introduction of staking provides
demand for the native token in the initial phase of a project (as the staking rate
rises), staking alone can't provide long-term demand for the native token and
therefore can't be a native token's only intrinsic value.
Long-term token holders in a PoS system have 3 options: they can 1) manage
infrastructure and run a validating node on their own to receive new issuance, 2)
delegate their tokens to a third party and trust their integrity and
infrastructure, or 3) have the value of their tokens diluted by ongoing issuance.
None of these options are particularly attractive to long-term, store of value
oriented token holders.
Nervos CKB blocks can be proposed by any node, provided that 1) the block is valid;
and 2) the proposer has solved a computationally difficult puzzle called the proof-
of-work. The proof-of-work puzzle is defined in terms of the block that is being
proposed; this guarantees that the solution to the puzzle uniquely identifies a
block.
Bitcoin's proof-of-work requires finding a valid nonce such that the result of
applying a hash function on the block header satisfies a certain level of
difficulty. For Bitcoin, the hash function is twice-iterated SHA2–256. While SHA2
was a good choice for Bitcoin, the same is not true for cryptocurrencies that come
after it. A large amount of dedicated hardware has been developed to mine Bitcoin,
a great deal of which sits idle, having been rendered obsolete by efficiency
improvements.
A new cryptocurrency utilizing the same proof-of-work puzzle would make this
deprecated hardware useful once again. Even up-to-date hardware can be rented and
re-purposed to mine a new coin. The distribution of mining power for a SHA2-based
coin would be very difficult to predict and susceptible to sudden and large
changes. This argument also applies to algorithmic optimizations tailored to SHA2,
which have been developed to make software computation of the function cheaper as
well.
However, the intended unavailability of mining hardware is only the case initially.
In the long run, deployments of dedicated mining hardware are beneficial,
significantly increasing the challenges of attacking the network. Therefore, in
addition to being new, an ideal proof-of-work function for a new cryptocurrency is
also simple, significantly lowering the barrier for hardware development.
Security is the obvious third design goal. While a known vulnerability could be
exploited by all miners equally, and would merely result in a higher difficulty, an
undisclosed vulnerability could lead to a mining optimization that provides the
discoverer(s) an advantage in excess of their contributed mining power share. The
best way to avoid this situation is to make a strong argument for invulnerability.
Eaglesong is a new hash function developed specifically for Nervos CKB proof-of-
work, but is also suitable in other use cases in which a secure hash function is
needed. The design criteria were exactly as listed above: novelty, simplicity and
security. We wanted a design that was simultaneously novel enough to constitute a
small step forward for science, as well as close enough to existing designs to make
a strong security argument.
To the best of our knowledge, Eaglesong is the first hash function (or function,
for that matter) that successfully combines all three design principles.
Nervos CKB utilizes the Cell Model, a new construction that can provide many of the
benefits of the Account model (utilized in Ethereum), while preserving the asset
ownership and proof-based verification properties of the UTXO model (utilized in
Bitcoin).
The cell model is focused on state. Cells contain arbitrary data, which could be
simple, such as a token amount and an owner, or more complex, such as code
specifying verification conditions for a token transfer. The CKB's state machine
executes scripts associated with cells to ensure the integrity of a state
transition.
In addition to storing data of their own, cells can reference data in other cells.
This allows for user-owned assets and the logic governing them to be separated.
This is in contrast to account-based smart contract platforms, in which state is
internal property of a smart contract and has to be accessed through smart contract
interfaces. On Nervos CKB, cells are independent state objects that are owned, and
can be referenced and passed around directly. Cells can express true "bearable
assets", belonging to their owners (just as UTXOs are bearable assets to Bitcoin
owners), while referencing a cell that holds logic ensuring the integrity of state
transitions.
Cell model transactions are also state transition proofs. A transaction's input
cells are removed from the set of active cells and output cells are added to the
set. Active cells comprise the global state of the Nervos CKB, and are immutable:
once cells have been created, they cannot be changed.
RISC-V is an open-source RISC instruction set architecture that was created in 2010
to facilitate development of new hardware and software, and is a royalty-free,
widely understood and widely audited instruction set.
- Stability: The RISC-V core instruction set has been finalized and frozen, as well
as widely implemented and tested. The core RISC-V instruction set is fixed and will
never require an update.
- Open and Supported: RISC-V is provided under a BSD license and supported by
compilers such as GCC and LLVM, with Rust and Go language implementations under
development. The RISC-V Foundation includes more than 235 member organizations
furthering the instruction set's development and support.
- Simplicity and Extensibility: The RISC-V instruction set is simple. With support
for 64-bit integers, the set contains only 102 instructions. RISC-V also provides a
modular mechanism for extended instruction sets, enabling the possibility of vector
computing or 256-bit integers for high-performance cryptographic algorithms.
- Accurate Resource Pricing: The RISC-V instruction set can be run on a physical
CPU, providing an accurate estimation of the machine cycles required for executing
each instruction and informing virtual machine resource pricing.
CKB-VM is a low-level RISC-V virtual machine that allows for flexible, Turing-
complete computation. Through use of the widely implemented ELF format, CKB-VM
scripts can be developed with any language that can be compiled to RISC-V
instructions.
Once deployed, existing public blockchains are more or less fixed. Upgrading
foundational elements, such as cryptographic primitives, involve multi-year
undertakings or are simply not possible.
CKB-VM takes a step back, and moves primitives previously built into custom VMs to
cells on top of the virtual machine. Though CKB scripts are more low-level than
smart contracts in Ethereum, they carry the significant benefit of flexibility,
enabling a responsive platform and foundation for the progressing decentralized
economy.
Cells can store executable code and reference other cells as dependencies. Almost
all algorithms and data structures are implemented as CKB scripts stored within
cells. By keeping the VM as simple as possible and offloading program storage to
cells, updating key algorithms is as simple as loading the algorithm into a new
cell and updating existing references.
Thanks to the low-level nature of the CKB-VM and the availability of tooling in the
RISC-V community, it's easy to compile down other VMs (such as Ethereum's EVM)
directly into the CKB-VM. This has several advantages:
The native token of the Nervos CKB is the "Common Knowledge Byte", or CKByte for
short. CKBytes entitle a token holder to occupy part of the total state storage of
the blockchain. For example, by holding 1000 CKBytes, a user is able to create a
cell of 1000 bytes in capacity or multiple cells adding up to 1000 bytes in
capacity.
Using CKBytes to store data on the CKB creates an opportunity cost to CKByte
owners; they will not be able to deposit occupied CKBytes into the NervosDAO to
receive a portion of the secondary issuance. CKBytes are market priced, and thus an
economic incentive is provided for users to voluntarily release state storage to
meet the high demand of expanding state. After a user releases state storage, they
will receive an amount of CKBytes equivalent to the size of state (in bytes) their
data was occupying.
The economic model of the CKB allows issuance of the native token to bound state
growth, maintaining a low barrier of participation and ensuring decentralization.
As CKBytes become a scarce resource, they can be priced and allocated most
efficiently.
The genesis block of the Nervos Network will contain 33.6 billion CKBytes, of which
8.4 billion will be immediately burned. New issuance of CKBytes includes two parts
- base issuance and secondary issuance. Base issuance is limited to a finite total
supply (33.6 billion CKBytes), with an issuance schedule similar to Bitcoin. The
block reward halves approximately every 4 years, until reaching 0 new issuance. All
base issuance is awarded to miners as incentives to protect the network. The
secondary issuance has a constant issuance rate of 1.344 billion CKBytes per year
and is designed to impose an opportunity cost for state storage occupation. After
the base issuance stops, there will only be secondary issuance.
Nervos CKB includes a special smart contract called the NervosDAO, which functions
as an "inflation shelter" against the effects of the secondary issuance. CKByte
owners can deposit their tokens into the NervosDAO and receive a portion of
secondary issuance that exactly offsets inflationary effects from secondary
issuance. For long-term token holders, as long as they lock their tokens in the
NervosDAO, the inflationary effect of secondary issuance is only nominal. With the
effects of secondary issuance mitigated, these users are effectively holding hard-
capped tokens like Bitcoin.
While CKBytes are being used to store state, they cannot be used to earn secondary
issuance rewards through the NervosDAO. This makes the secondary issuance a
constant inflation tax, or "state rent" on state storage occupation. This economic
model imposes state storage fees proportional to both the space and time of
occupation. It is more sustainable than the "pay once, occupy forever" model used
by other platforms, and is more feasible and user-friendly than other state rent
solutions that require explicit payments.
Miners are compensated with both block rewards and transaction fees. For block
rewards, when a miner mines a block, they would receive the block's full base
issuance reward, and a portion of secondary issuance. The portion is based on state
occupation, for example: if half of all native tokens are being used to store
state, a miner would receive half of the secondary issuance reward for the block.
Additional information about the distribution of secondary issuance is included in
the next section (4.6). In the long term, when base issuance stops, miners will
still receive "state rent" income that's independent of transactions, but tied to
the adoption of the Nervos Common Knowledge Base.
The Nervos CKB is designed to translate demand for a multitude of assets into
demand for a single asset, and use it to compensate the miners to secure the
network.
The treasury fund will be used to fund ongoing research and development of the
protocol, as well as building the ecosystem of the Nervos Network. The use of the
treasury funds will be open, transparent and on-chain for everyone to see. Compared
to an inflation-based treasury funding model, this model doesn't dilute long-term
token holders (who have deposited their tokens into the NervosDAO). Funding of
protocol development is strictly derived from the opportunity cost to short-term
token holders.
The treasury won't be activated immediately upon the main-net launch of the Nervos
Common Knowledge Base. With the community's approval, it will be activated with a
hard-fork later, only after the Nervos Foundation has exhausted the Ecosystem Fund,
included in the Genesis block. Prior to activation of the treasury, this portion of
the secondary issuance will be burned.
Some projects conduct governance via a "benevolent dictator for life" (such as
Linus Torvalds to Linux). We acknowledge that this makes a project highly
efficient, cohesive, and also charming: people love heroes; however, this is
contradictory to decentralization, the core value of blockchain.
There are not yet viable answers to the questions of governance, so for Nervos
Network we will take an evolving approach. We expect the community to develop
organically in the early days and over time, as more tokens are mined, mining
becomes more distributed, and more developers are engaged, governance
responsibilities will gradually become more decentralized. Over the long term,
community-based governance will manage the protocol upgrade process and resource
allocation from the treasury.
Community-based governance for blockchains is a very new field and there are many
worthy on-going experiments. We recognize that this is not a trivial topic, and
time is required to fully study, observe, and iterate to arrive at an optimal
approach. We're taking a conservative approach to community-based governance in the
short-term, while remaining fully committed to this direction in the long run.
Layer 2 users depend on security provided by the layer 1 blockchain, and utilize
this security when moving assets between layers or settling a dispute. This
function is similar to a court system: the court doesn't have to monitor and
validate all transactions, but only serves as a place to record key evidence and to
settle disputes. Similarly, in a blockchain context, the layer 1 blockchain allows
participants to transact off-chain, and in the case of a disagreement provides them
with the ability to bring cryptographic evidence to the blockchain and penalize
dishonesty.
Payment channels are created between two parties that transact often. They provide
a low-latency, immediate payment experience that transactions done directly on a
global blockchain could never provide. Payment channels function similar to a bar
tab - you can open a tab with a bartender and keep ordering drinks, but only settle
the tab and pay the final amount when you're ready to leave the bar. In the
operation of a payment channel, participants exchange messages containing
cryptographic commitments to their balances and can update these balances an
unlimited number of times off-chain, before they're ready to close the channel and
settle balances back on the blockchain.
Bidirectional payment channels are more complicated, but start to show the scope of
possibilities for layer 2 technologies. In these payment channels, funds flow back
and forth between parties. This allows for "rebalancing" of payment channels and
opens up the possibility of payments across channels through a shared counterparty.
This enables networks of payment channels, such as Bitcoin's Lightning Network.
Funds can be transferred from Party A to Party B without a direct channel between
them, as long as Party A can find a path through an intermediary with connections
open to both parties.
Just as payment channels can scale on-chain payments, state channels can scale any
on-chain transactions. While a payment channel is limited to managing balances
between two parties, a state channel is an agreement on arbitrary state, enabling
everything from a game of trustless chess to scalable decentralized applications.
This describes the general notion of commit-chain designs, the basis of an emerging
family of protocols including Plasma. The Plasma white paper[7] released by Vitalik
Buterin and Joseph Poon in 2017 lays out an ambitious vision. Though all Plasma
chains are currently asset-based, and can only store fungible and non-fungible
token ownership (and transfers), trustless code execution (or smart contracts) is
an active area of research.
The principal reason why the Verifier does not simply verify the claim naïvely on
his own is efficiency — by interacting with a Prover, the Verifier can verify
claims that would be prohibitively expensive to verify otherwise. This complexity
gap can come from a variety of sources: 1) the Verifier may be running lightweight
hardware that can support only space-bounded or time-bounded (or both)
computations, 2) naïve verification may require access to a long sequence of
nondeterministic choices, 3) naïve verification may be impossible because the
Verifier does not possess certain secret information.
The construction outlined above should be able to support more complex state
transitions beyond simple transactions, including DEX's, multiple tokens, and
privacy-preserving computation.
Layer 2 token economics may involve compensation for critical infrastructure (such
as validators and watchtowers), as well as application-specific incentive design.
Critical layer 2 infrastructure tends to work better with a duration-based,
subscription model. In the Nervos Network, this pricing structure can be easily
implemented through the CKB's opportunity cost-based payment method. Service
providers can collect fees on their users' "deposits" through the NervosDAO. Layer
2 developers can then focus token economic models on incentives specific to their
applications.
In a way, this pricing model is exactly how users pay for state storage on the CKB
as well. They're essentially paying a subscription fee to miners with the
distribution of their inflation rewards issued by the NervosDAO.
The CKB is the base layer of the Nervos Network, with the highest security and
highest degree of decentralization. Owning and transacting assets on the CKB comes
with the highest cost, however provides the most secure and accessible asset
storage in the network and allows for maximum composability. The CKB is best suited
for high value assets and long-term asset preservation.
The Common Knowledge Base is the first layer 1 blockchain built specifically to
support layer 2 protocols:
The Common Knowledge Base aims to be the infrastructure to store the world's most
valuable common knowledge, with the best-in-class layer 2 ecosystem providing the
most scalable and efficient blockchain transactions.
With its layered architecture, the Nervos Network can scale on layer 2 to any
number of participants, while still maintaining the vital properties of
decentralization and asset preservation. Layer 2 protocols can make use of any type
of layer 1 commitment or cryptographic primitive, enabling great flexibility and
creativity in designing transactional systems to support a growing layer 2 user
base. Layer 2 developers can choose their own trade-offs in regard to throughput,
finality, privacy and trust models that work best in the context of their
applications and users.
In the Nervos Network, layer 1 (CKB) is used for state verification, while layer 2
is responsible for state generation. State channels and side-chains are examples of
state generation, however any type of generate-verify pattern is supported, such as
a zero-knowledge proof generation cluster. Wallets also operate at layer 2, running
arbitrary logic, generating new state and submitting state transitions to the CKB
for validation. Wallets in the Nervos Network are very powerful because they are
state generators, with full control over state transitions.
Both Muta and Axon are currently under heavy development. We'll open source the
frameworks soon, and RFCs for both Muta and Axon are also on the way.
This inflation cost can be targeted because users own the consensus space their
data occupies. This model also includes a native mechanism for users to remove
their state from the consensus space. Coupled with the economic incentives of state
rent, this ensures that state size will always be moving toward the minimum amount
of data required by network participants.
Finally, state rent provides an ongoing reward to miners through new token
issuance. This predictable income incentivizes miners to advance the blockchain,
instead of forking profitable blocks to take the transaction fees.
The economic model of the Common Knowledge Base is designed to align incentives for
all participants in the ecosystem.
The Nervos Common Knowledge Base is built explicitly for secure value preservation,
instead of cheap transaction fees. This critical positioning will attract store of
value users, similar to the user community of Bitcoin, instead of medium of
exchange users.
Medium of exchange use cases have a tendency to always push a blockchain network
toward centralization, in pursuit of greater efficiency and low fees. Without
significant fee income for infrastructure operators that secure the network (miners
or validators), security must be funded through monetary inflation, or is simply
under-funded. Monetary inflation is detrimental to long-term holders, and under-
funded security is detrimental to any stakeholder of the network.
Store of value users however, have strong demands for censorship resistance and
asset security. They rely on miners to provide this, and in turn compensate them
for their role. In a store of value network, these parties have aligned interests.
By aligning the incentives of all participants, a united Nervos community can grow,
and the aligned economic system of the network is also expected be hard-fork
resistant.
For any blockchain to remain secure as the value of assets secured by the platform
increases, the system must have a mechanism to capture value as the value of assets
secured grows. By bounding state, the CKB makes the state space a scarce and
market-priced resource. As demand for asset storage on the network rises, the
system is expected to better compensate the miners for securing such assets.
Over time, we expect the economic density of the CKB to increase. CKBytes will be
used for high-value asset storage and low-value assets will to move to blockchains
connected to the CKB, such as layer 2 side-chains. Instead of directly securing
assets, the CKB can be used as a trust root to secure an entire side-chain’s
ecosystem through, for example, a few hundred bytes of cryptographic proofs. The
economic density of such proofs is extraordinarily high, further supporting the
demand curve of storage space: analogous to a small parcel of land significantly
increasing its economic density by supporting a skyscraper.
Finally, through the design of the NervosDAO and its "inflation shelter" function,
long-term token holders will always retain a fixed percentage of total issuance,
making the native token itself a robust store of value.
Take for example cryptocurrency exchanges - countries such as Japan and Singapore
have issued licenses to exchanges and created regulatory requirements. A compliant
exchange or a branch of a global exchange could build a layer 2 trading chain,
import user identities and assets and then conduct legal business in accordance
with local regulatory requirements.
In the future, it is expected that the Nervos Network will also use layer 2 side-
chains and applications as the foundation of large-scale user adoption, in
cooperation with leading companies in this space.
# References
[2] Vitalik Buterin. "Ethereum White Paper: A Next Generation Smart Contract &
Decentralized Application Platform". Nov 2013
http://blockchainlab.com/pdf/Ethereum_white_paper-
a_next_generation_smart_contract_and_decentralized_application_platform-vitalik-
buterin.pdf
[4] Gur Huberman, Jacob Leshno, Ciamac C. Moallemi. "Monopoly Without a Monopolist:
An Economic Analysis of the Bitcoin Payment System". Bank of Finland Research
Discussion Paper No. 27/2017. 6 Sep 2017, https://papers.ssrn.com/sol3/papers.cfm?
abstract_id=3032375
[5] Miles Carlsten, Harry Kalodner, S. Matthew Weinberg, Arvind Narayanan. "On the
Instabiliity of Bitcoin Without the Block Reward". Oct 2016,
https://www.cs.princeton.edu/~smattw/CKWN-CCS16.pdf
[6] Lewis Gudgeon, Perdo Moreno-Sanchez, Stefanie Roos, Patrick McCorry, Arthur
Gervais. "SoK: Off The Chain Transactions". 17 Apr 2019,
https://eprint.iacr.org/2019/360.pdf
[7] Joseph Poon, Vitalik Buterin. "Plasma: Scalable Autonomous Smart Contracts". 11
Aug 2017, https://plasma.io/plasma.pdf
[8] Vitalik Buterin. "On-chain scaling to potentially ~500 tx/sec through mass tx
validation". 22 Sep 2018, https://ethresear.ch/t/on-chain-scaling-to-potentially-
500-tx-sec-through-mass-tx-validation/3477