Nexus: A Decentralized Cloud Computing Network

A Decentralized Cloud Computing Network, Hyperscaling Ethereum compute, storage and I/O.

Nexus: A Decentralized Cloud Computing Network

Nexus Labs - Nov 2022

Introduction

We introduce Nexus, a Decentralized Cloud Computing Network. Nexus is a network of externally-aware, self-executing, replicated state machines, designed to hyperscale Ethereum with high-performance compute, storage, and I/O.

Formally, Nexus is a verifiable cloud computing platform powered by multi-party-computation and state-machine-replication technology. It enables arbitrary WASM applications to run on application-specific decentralized cloud computing networks.

Nexus' execution layer consists of a deterministic sandboxed WASM-based virtual machine with a traditional von Neumann architecture (i.e. with dedicated memory, storage, filesystem and I/O). This means that writing applications for Nexus is almost indistinguishable from writing applications for traditional serverless cloud computing platforms like Google Cloud, and in fact many existent cloud applications and libraries can be ported directly.

In what follows, we present Nexus' high-level design, motivation and goals.

Nexus Labs is also building Nexus Zero, a general-purpose verifiable cloud computing platform powered by zero-knowledge proofs and a zero-knowledge virtual machine (zkVM) with von Neumann architecture. See our research blog for more details.

Motivation

Nexus is an attempt to achieve general-purpose verifiable cloud computing, and it is designed in particular to scale Ethereum applications through off-chain computational power.

Ethereum applications can outsource compute, storage and I/O to application-specific decentralized cloud computing networks on Nexus. In particular, this enables Ethereum applications to run high-performance compute, store large amounts of data, or interoperate with external systems by off-loading compute to a Nexus Cloud, while maintaining decentralization, safety and liveness gurantees (in contrast to using AWS or Google Cloud).

Decentralized Cloud Networks

Decentralized Cloud Networks (DCNs), or simply Clouds, are externally-aware, self-executing, replicated state machines. They provide blockchain applications with dedicated off-chain computational power, replicated storage and event-driven I/O capabilities which enable them to interact with external systems.

Each network maintains internal consensus, and runs special-purpose Multi-Party Computation (MPC) protocols to read and write state across blockchains. Cloud networks provide applications with a general-purpose WASM-based execution environment for executing deterministic gas-metered WASM applications.

A Nexus Cloud is thus a generalization of a cloud server in traditional cloud computing, but where security is provided by safety and liveness guarantees founded on decentralization, distributed systems and cryptography, not trust.

Nexus Zero is a further attempt to maximize the safety guarantees of verifiable cloud computing through provably secure computation using zero-knowledge proofs instead of state-machine-replication.

Decentralized Cloud Functions

Nexus provides a platform for Decentralized Cloud Functions (DCFs), the decentralized analog of cloud functions in traditional serverless cloud computing.

Decentralized Cloud Functions are deterministic programs similar to blockchain smart contracts. However, they enjoy capabilities that traditional smart contracts do not. They have:

  • Read/write access to blockchain state
  • Read/write access to Internet state
  • Read/write access to other Clouds
  • The ability to react to events.
  • Access to unpredictable randomness
  • High storage and computation

Nexus Functions execute on dedicated, application-specific, Cloud networks. Just as traditional Web2 cloud functions, Nexus Functions are able to compose with other Nexus Functions hosted on disparate Clouds.

The Nexus Virtual Machine (NVM)

A Decentralized Cloud Function on Nexus is simply a WebAssembly (WASM) binary executed in a sandboxed, deterministic and metered virtual machine, the Nexus Virtual Machine (NVM).

Developers can program decentralized cloud functions in any language that compiles to WebAssembly, including Rust and JavaScript. This means they can directly import existent codebases and libraries with minimal modifications.

Example

Next, we show a simple Decentralized Cloud Function on Nexus. This function:

  1. Is called in response to user-defined events.
  2. Reads, computes, and writes on blockchain and Internet state.
use nexus_sdk::{nexus, Ethereum, Internet};

#[nexus]
struct Function {}

#[nexus]
impl Function {
    pub fn execute(&mut self) {
        // Read blockchain or Internet state
        let data = self.env().read(Internet, ENDPOINT_1);
        // Run any computation
        let hash = crypto::sha256(data);
        // Write to blockchain or Internet state
        self.env().write(Ethereum, ENDPOINT_2, hash);
    }
}

Security

Nexus is a Turing-complete application platform for decentralized verifiable computing based on Byzantine-Fault-Tolerant (BFT) State-Machine-Replication (SMR) and (special-purpose) Multi-Party Computation (MPC) technology. This implies that each cloud, if instantiated independently from the rest of the network, can withstand at most $f < n/3$ Byzantine faults, as all traditional blockchain systems with instant finality do. Users can flexibly instantiate networks of configurable size to achieve higher security guarantees.

Nexus Zero does not have the $f < n/3$ limitation, as safety is mathematically guaranteed.

Within such bounds, Cloud Networks provide Functions with total correctness. That is, they ensure:

  • Safety: Cloud functions produce the correct output.
  • Liveness: Cloud functions eventually produce some output (cannot be censored).

Blockchain protocols can use Nexus as a source of safety and/or liveness for general off-chain compute, storage and I/O.

  • Sourcing safety and liveness from Nexus means that a blockchain protocol can outsouce computation to a Cloud which then reaches independent internal consensus on the result of such computation.
  • Sourcing only liveness from Nexus means that a blockchain protocol can outsource proof-generation to a Cloud which engages in censorship-resistant coordinated compute.
  • Examples of protocols sourcing both safety and liveness from Nexus include threshold-based cross-chain bridges, threshold-based Web2 oracles, threshold-based Web3 oracles, threshold-based computational oracles and (threshold-based) sidechains.
  • Examples of protocols sourcing only liveness from Nexus include proof-based cross-chain bridges, proof-based Web2 oracles, ¬†proof-based Web3 oracles, proof-based computational oracles and (proof-based) rollups. Proof-based architectures include ZK, optimistic, and any other validity proofs like Merkle proofs.

We will explore more of these applications in the next section.

Scaling Cloud Security: Inheriting Global Security

Clouds are, however, not isolated systems. They form part of a single interconnected network, the Nexus Network. We're actively researching a mechanism, called Global Security Inheritance (GSI), which will allow Nexus Clouds to engage in a protocol that will enable them to be secure even if all but one Cloud node fail, assuming all of Nexus is secure, through a rewinding technique.

In other words, if successful, GSI will allow clouds to move from a threshold $f < n/3$ security assumption to an existencial honesty assumption: at least one Cloud node is honest + all of Nexus is secure. Hence the term inheritance (see the Appendix below).

Applications

Decentralized Cloud Functions enable a new class of decentralized programs:

Externally-aware, self-executing, decentralized applications.

We will explore a few of the applications enabled by Nexus, before diving into the architecture.

Decentralized Off-Chain Computation

Nexus Functions can carry out any heavy computation which would be infeasible to compute on-chain, including heavy cryptographic primitives and floating-point arithmethic. This is possible by computing in a reduced security environment (as Clouds are typically smaller than the underlying blockchains).

Nexus gives developers the flexibility to run any computations in an arbitrarily-sized Cloud. These computations can be anything, from pure computations to ZK/Optimistic proof-generation.

  • Off-chain general-purpose computation: Any computation can be outsourced from a blockchain to a Cloud. Developers earn much higher computational power at the cost of depending on a Cloud for both safety and liveness.
  • Off-chain ZK/Optimistic proving: Protocols can outsource proof-generation to a Cloud, sourcing only liveness from the network (see Liveness Networks below).

Decentralized Off-Chain Storage

Nexus Clouds enable developers to rent space for off-chain storage,  allowing them to build:

  • Storage networks for NFT metadata
  • Any kind of decentralized database

Nexus Clouds give smart contracts access to cheaper storage (as compared to on-chain storage) by providing them with access to a dedicated storage network.

Most importantly, Nexus applications keep internal state and have access to a dedicated sandboxed POSIX-like filesystem. The NVM can run any WASM application that is WASI-compliant, as follows:

use std::io::prelude::*;
use std::fs;

#[nexus:main]
fn main() {
  // Access a sandboxed filesystem
  let mut file = fs::File::create("/text/helloworld.txt").unwrap();

  // Write the text to the file we created
  write!(file, "Hello world!\n").unwrap();
}

Web2-Web3 Interoperability

Functions on Nexus can read and write from and to Internet endpoints, as well as be triggered in response to Internet events. This allows developers to program their own Web2 oracles and allow smart contracts to consume real-world data. Further, Web2 data can be aggregated and processed in arbitrary ways on the Cloud before injecting the data into a blockchain, enabling previously computationally impossible Web2 oracle systems (e.g. parsing HTML data, computing over images, etc.).

Web2-Web3 interoperability enables a whole suite of blockchain applications: prediction markets, decentralized insurance, dynamic NFTs, decentralized identity systems, synthetic assets, etc.

Web3-Web3 Interoperability

In a nutshell, Nexus enables smart contracts to react to events, as well as read and write state, on the same or foreign chains.

The classic problem of cross-chain communication can be solved trivially with a Nexus Cloud. Nexus provides a Proof-of-Stake / Threshold-based solution to blockchain interoperability. This improves on centralized and static multi-sig architectures with a decentralized, dynamically-sized, open network of nodes engaging in Proof-of-Stake consensus.

Not only this, but Decentralized Cloud Functions massively extend the capabilities of traditional message-passing bridges. Unlike most current cross-chain bridges (which are based on the message-passing framework), Nexus Clouds enable:

  • Event-monitoring / cross-chain listeners (not only message-passing)
  • Read/write access to all smart contracts (not only connected contracts)
  • Read access to all historic blockchain states (not only current state)

Building Threshold, Optimistic and ZK bridges with Nexus

Threshold bridges offer fast-finality and are blockchain-agnostic, but introduce new security assumptions (though these can be improved arbitrarily through a larger, more decentralized, network) and are moderately complex. Optimistic bridges are simple, blockchain-agnostic and introduce minimal security assumptions, but offer slow-finality. ZK bridges offer fast-finality and introduce minimal security assumptions, but are not blockchain-agnostic and are complex (increasing the surface for the most common practical bridge vulnerability: bugs).

As mentioned, Nexus enables developers to trivially build a threshold bridge, sourcing safety and liveness from a Nexus Cloud. Nexus also enables proof-based bridge architectures (optimistic/ZK) to source liveness from a Cloud, in the form of a proof-generating Liveness Network (discussed below).

Liveness Networks: Decentralized Networks of Provers

A bounty-based protocol is one which offers an open bounty $B$ in exchange for completing a task $T$. Examples include:

  • ZK/optimistic rollup sequencers & fraud provers.
  • ZK/optimistic bridge oracles & fraud provers.
  • ZK/optimistic computational oracles & fraud provers.
  • Smart contract automation: Liquidations, AMM limit orders, money streams, etc.

Open bounties are a simple mechanism, but have many well-known downsides. Bounty-hunters are susceptible to 1) MEV-extraction, 2) failed transaction costs, 3) unpredictable profits and 4) obscured decentralization. This happens for a simple reason: workers are bounty-hunters who rush in an adversarial, uncoordinated, winner-takes-all fashion. Nexus introduces a solution to all four problems in the form of a Liveness Network.

A Liveness Network is a Nexus Cloud which swaps out the economically-inefficient design of unorganized and adversarial parties, for a Proof-of-Stake-based economically-efficient design of organized and cooperating parties.

Nexus thus allows developers to instantiate dedicated decentralized cloud computing networks for ZK/Optimistic proof generation or any other type of computation.

Nexus - Ethereum : Decentralizing Sequencers

The endgame of blockchain scaling is the rollup-centric future of Ethereum. Fractal scaling is the recursive composition of rollups $(L_2, L_3, \dots, L_n)$ settling on top of an $L_1$ blockchain.

Rollups provide the ultimate blockchain scalability solution as they inherit safety from Ethereum. They, however, do not inherit liveness, having most rollups thus depend on centralized sequencers.

Rollups can inherit liveness from Nexus through Liveness Networks. This means that application-specific rollups can deploy their own fully decentralized rollup on a Nexus Cloud, inheriting both safety from Ethereum and liveness from Nexus.

Architecture

Nexus is an open and decentralized network of cloud computing nodes engaging in Proof-of-Stake consensus; it is a replicated state machine of replicated state machines. A single Cloud instance is composed of four layers: 1) consensus, 2) randomness generation, 3) I/O, and 4) execution. Further, the network as a whole is composed of a network of communicating Clouds which self-orchestrate.

Informally, we have:

  • Consensus: An instance of a Byzantine-Fault-Tolerant State-Machine-Replication (BFT-SMR) protocol in the partially synchronous communication model (with the classic $f < n/3$ bound).
  • Randomness: The network executes Distributed Key Generation (DKG) protocols for generating shared cryptographic keys and shared randomness.
  • I/O: This includes Threshold Signature Schemes for BLS signatures (blockchain write) and running a suite of full nodes (blockchain read), in addition to separate consensus protocols for Internet reads and writes (discussed in a separate paper) as well as cross-cloud (IBC-like) reads and writes (also to be discussed separately).
  • Orchestration: Node sampling, Cloud instantiation, and job scheduling. This layer is also in charge of accountability (slashings) and Global Security Inheritance.
  • Execution: The Nexus Virtual Machine, a protocol-agnostic WASI-compliant WASM-based virtual machine for deterministic sandboxed execution.

The details of each component will be released in the future as part of our research efforts, with formal security proofs, in separate papers.

Join Us

We're looking for exeptional scientists and engineers who believe in Ethereum's values and want to join us in our mission to make blockchains useful. We're currently hiring: jobs.nexus.xyz.

Reach out to us on Twitter or by email jobs@nexus.xyz.

We welcome a small group of early partners and organizations interested in using our technology. Please reach out to hello@nexus.xyz.

How to Get Involved

  • Follow us on Twitter
  • Refer a scientist or engineer. We offer $10k for each successful referral we hire. Contact us at jobs@nexus.xyz for more details.

Appendix

A Note About GSI

For the interested reader, we give a brief description of the GSI mechanism.

For a Cloud Network of size $n$, if one node $X_1$ claims fraud, a network of size $2^1 n$ is randomly sampled using the VRF. The $2^1 n$-cloud simulates the computation and attempts to reach consensus. If it finds that $X_1$'s claim is valid, all dishonest nodes of the $n$-cloud get slashed and $X_1$ rewarded; else if $X_1$'s claim is found invalid, $X_1$ gets slashed and the rest rewarded; else if during the computation a node $X_2 \neq X_1$ from the $2^1 n$-cloud claims fraud, a Cloud of size $2^2n$ is sampled. This continues $k = \log N$ times until $\lfloor 2^k n \rfloor = N$ is all of Nexus.