The main service targets of the DaoliCloud Web3.0 DN-PK Service are individual users and their personally owned Internet-connecting devices.
Q2: Isn’t the domain name only used for Web websites? My personal device is not a website, so why should I use a domain name?
A2: Indeed, the main purpose of traditional DNS domain name services is for visiting Internet websites. Compared with using IP addresses, domain names are short and easy for the human brain to recognize and remember. Binding the IP address of a website with a domain name not only makes it easier for people to access the website, but a good domain name also helps with brand building and promotion of the website.
However, most of the devices connected to the Internet are not Web websites, but personal client devices and IoT devices (industrial IoT devices also account for an increasing proportion of the Internet). Most of these non-website nodes, which make up the majority of the Internet (and whose share is growing rapidly), do not have DNS domain names. An Internet device without a domain name cannot fully benefit from the strong protection that public-key cryptography tools can offer. For the Internet, a network infrastructure that has entered the IoT era, this security shortcoming can no longer be ignored. In the next few Q&As, we will discuss why public-key cryptography has not yet fully played its role in protecting Internet security, examining the question from the perspective of how the Internet developed.
Therefore, DaoliCloud aims to provide new domain name services for personally owned devices, client devices, and IoT devices. This positioning is not meant to turn these devices into Internet websites. Since the new domain name DN-PK is also a public key, the DaoliCloud Web3.0 DN-PK Service allows personal devices, client devices, and IoT devices to register a DN-PK, and to fully and effectively use the security services provided by public-key cryptography to interconnect and interoperate conveniently and securely on the Internet.
Q3: In the above description, “DaoliCloud DN-PK service allows personal devices, client devices, and IoT devices to fully and effectively use the security services provided by public key cryptography tools”, what does it mean to emphasize “full and effective use” with boldface words?
A3: PublicKey cryptography tools provide two useful security services:
Security service 2, “Digital Signature for Identity Authentication”, is indispensable for the secure interconnection of networked devices, Internet finance, digital payment, e-commerce, and the possession and trading of digital assets. Obtaining both of these two security services can be regarded as full and effective use of, or fully benefiting from, the security services provided by public-key cryptography. The current state of Internet security is that most client devices cannot fully benefit from these security services because they cannot issue digital signatures for identity authentication. Most client devices do not have Internet names, as a result of not using the DNS Service, and consequently they have no good means to prove their identity, even though digital-signature-based identity authentication has been used pervasively by Web servers for many years. Let us discuss in the following few Q&As why most client devices do not use the DNS Service.
Q4: Make my personal device accessible on the Internet? Are you kidding me! Would it still be secure?
A4: You asked an excellent question. For personal devices to be accessed on the Internet, security is of course the top priority!
The Web3.0 domain name (hereinafter referred to as W3-DN) that you choose for your device is not only resolvable to your device from the Internet, but also has a more important purpose called “DomainName-as-PublicKey” (DN-PK): the domain name is also a cryptographic public key, which protects your device by excluding any access not permitted by the domain name owner. This is because when you register a W3-DN, the DaoliCloud W3-DN Service system requires you to submit a digital signature for system verification. Since only you hold the private key in your W3-DN device that matches the device’s public key, you are the only possible signer. The submitted signature is valid when the system, using your W3-DN as the verification public key, runs the verification algorithm and it answers yes. Therefore, only you can authorize the DaoliCloud DN-PK Service to associate and bind the W3-DN you are registering with the public key of your device, so the W3-DN you register for the device is equal to your device’s public key. DN-PK allows you to easily manage and control the security of your device’s access on the Internet.
Q5: I see, the DaoliCloud W3-DN I registered for my device is my cryptography public key! There is also a private key in my device that matches my W3-DN which is the public key. How does DaoliCloud DN-PK Service allow me to easily operate my device to ensure that any access without my permission is excluded?
A5: The DaoliCloud W3-DN-PK Service uses a simple and easy-to-understand whitelist principle to let you operate your device so that it can only be securely accessed by visitors you have listed in the whitelist. For example, you have device-1, and the DN-PK you have registered for it is called “MyDesktopPC”. You also have device-2, and the DN-PK you have registered for it is called “MySmartphone”. If you want the “MyDesktopPC” device to be accessed only by the “MySmartphone” device, then you place a single DN-PK entry in the whitelist of the “MyDesktopPC” device, and the entry content is “MySmartphone”. When “MySmartphone” requests access to “MyDesktopPC”, the latter checks the whitelist and requires “MySmartphone” to issue a cryptographic digital signature. Access is accepted only if “MyDesktopPC”, using “MySmartphone” as the public key, verifies the digital signature submitted by the requesting party with a YES result. Conversely, you can make “MySmartphone” accessible only by “MyDesktopPC”.
DN-PK can also be used to encrypt network communications. The underlying communication traffic of the DaoliCloud System is all encrypted under the DN-PKs of the participating nodes in the DaoliCloud Blockchain using the TLS (Transport Layer Security) protocol. The DN-PK can also encrypt the data stored by the user to protect the privacy of personal data.
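The registration step of Q&A-4 (only the key holder can bind a name to its public key) and the whitelist check of Q&A-5 (the requester’s name is the verification key), as an added example that is not DaoliCloud’s own code: it assumes Ed25519 keys in place of the BN256 keys the service uses, and the registry, device and statement formats are hypothetical models.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry models the DN-PK binding table: a short, human-friendly name chosen
// by the user is bound to the public key of the registering device.
type Registry struct {
	bindings map[string]ed25519.PublicKey
}

func NewRegistry() *Registry {
	return &Registry{bindings: map[string]ed25519.PublicKey{}}
}

// registrationStatement is what the device signs to claim a name; it names both
// the DN-PK and the key, so one signature cannot be reused to claim another name.
func registrationStatement(name string, pub ed25519.PublicKey) []byte {
	return []byte("register " + name + " -> " + hex.EncodeToString(pub))
}

// Register binds name to pub first-come, first-served, and only if the signature
// verifies under pub: only the holder of the matching private key can authorize it.
func (r *Registry) Register(name string, pub ed25519.PublicKey, sig []byte) error {
	if _, taken := r.bindings[name]; taken {
		return errors.New("DN-PK already registered: " + name)
	}
	if !ed25519.Verify(pub, registrationStatement(name, pub), sig) {
		return errors.New("registration signature does not verify under the submitted key")
	}
	r.bindings[name] = pub
	return nil
}

// register signs the statement with the device's own key and submits it.
func register(reg *Registry, name string, pub ed25519.PublicKey, priv ed25519.PrivateKey) error {
	return reg.Register(name, pub, ed25519.Sign(priv, registrationStatement(name, pub)))
}

// Device is a DN-PK-named node with a whitelist of DN-PKs allowed to access it.
type Device struct {
	Name      string
	whitelist map[string]bool
	reg       *Registry
}

// accessStatement binds the challenge to both endpoints, so a signature produced
// for one target device cannot be replayed against another.
func accessStatement(target, requester string, nonce []byte) []byte {
	return []byte("access " + target + " from " + requester + " nonce " + hex.EncodeToString(nonce))
}

// Challenge hands the requester a fresh random nonce to sign.
func (d *Device) Challenge() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// Authorize is the whitelist check: the requester's DN-PK must be listed, and the
// signature over the challenge must verify under the public key bound to that name.
func (d *Device) Authorize(requester string, nonce, sig []byte) bool {
	if !d.whitelist[requester] {
		return false
	}
	pub, bound := d.reg.bindings[requester]
	if !bound {
		return false
	}
	return ed25519.Verify(pub, accessStatement(d.Name, requester, nonce), sig)
}

// WhitelistScenario replays the MyDesktopPC / MySmartphone example: the listed
// phone is admitted, an unlisted laptop is refused, and a laptop posing as the
// phone is refused because its signature does not verify under the phone's key.
func WhitelistScenario() (phoneOK, laptopDenied, forgeryDenied bool, err error) {
	reg := NewRegistry()
	pcPub, pcPriv, _ := ed25519.GenerateKey(rand.Reader)
	phonePub, phonePriv, _ := ed25519.GenerateKey(rand.Reader)
	laptopPub, laptopPriv, _ := ed25519.GenerateKey(rand.Reader)
	if err = register(reg, "MyDesktopPC", pcPub, pcPriv); err != nil {
		return
	}
	if err = register(reg, "MySmartphone", phonePub, phonePriv); err != nil {
		return
	}
	if err = register(reg, "MyLaptop", laptopPub, laptopPriv); err != nil {
		return
	}
	pc := &Device{Name: "MyDesktopPC", whitelist: map[string]bool{"MySmartphone": true}, reg: reg}
	nonce := pc.Challenge()
	phoneOK = pc.Authorize("MySmartphone", nonce, ed25519.Sign(phonePriv, accessStatement(pc.Name, "MySmartphone", nonce)))
	laptopDenied = !pc.Authorize("MyLaptop", nonce, ed25519.Sign(laptopPriv, accessStatement(pc.Name, "MyLaptop", nonce)))
	forgeryDenied = !pc.Authorize("MySmartphone", nonce, ed25519.Sign(laptopPriv, accessStatement(pc.Name, "MySmartphone", nonce)))
	return
}

func main() {
	ok, denied, forged, err := WhitelistScenario()
	fmt.Println("phone admitted:", ok, "laptop refused:", denied, "forgery refused:", forged, "err:", err)
}
```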
Q6: Personal devices and client devices are generally not configured with a dedicated (i.e., fixed, unchanged during the lifetime of a service term) public IP address. Devices without a dedicated IP address being accessed by an Internet name: how can this be possible?
A6: Yes, personal devices, client devices, and even IoT “smart-dust” devices are generally not configured with a dedicated IP address. Generally, individuals will not spend money to buy or rent dedicated IP addresses for such economical devices.
The network on which the DaoliCloud DN-PK Service works is a peer-to-peer network. Devices connected to the DaoliCloud peer-to-peer network are treated equally in terms of communication functions. The DaoliCloud software system does not distinguish whether a connected device is using a dedicated IP address or a temporary one. When the IP address of a device changes, the DaoliCloud software system is triggered to automatically update the association between the DN-PK and the new IP address on the device. For a device that connects to the DaoliCloud DN-PK system with a fixed IP address, the system is never triggered to update the existing association. For a device that connects with a temporary IP address, each IP address change triggers the system to update the association between the DN-PK and the new IP address, and the update completes immediately upon triggering. Applications on the device do not notice that the system has performed an association update. Logically, from the viewpoint of the communication function of the DaoliCloud peer-to-peer network, all devices participating in the DaoliCloud DN-PK Service system communicate using DN-PKs. The physical attributes of the IP address do not affect the system function at all.
In contrast, the network of the traditional DNS Service is not a peer-to-peer network. As far as we know, the traditional DNS Service cannot be provided to devices that are not configured with dedicated IP addresses (as is the case for a large number of client devices). Even for devices configured with dedicated IP addresses, the traditional DNS Service still requires domain-name users with good networking skills to perform (usually mundane) network configuration in order to associate a DNS domain name with a dedicated IP address.
Q7: When IPv6 technology becomes pervasive even for client devices, IP(v6) addresses will no longer be scarce, and individual users’ Internet-connected devices will all have dedicated (i.e., fixed) IPv6 addresses. Will DaoliCloud W3-DN-PK Service be needed to connect and secure personal devices in the Internet?
A7: As IPv6 technology becomes more pervasive in the future, it is very likely that individual users will have their own fixed public IPv6 addresses, even multiple fixed IPv6 addresses per user, one dedicated to each of her/his IoT devices. This is because IPv6 addresses are 128-bit binary strings, and the number of addresses is estimated to exceed the number of quarks in the known universe, at any rate enough for individual users to have multiple IPv6 addresses of their own. Since the degree of randomness of IPv6 addresses is much greater than that of IPv4 addresses, which are only 32-bit binary strings, and since even IPv4 addresses need to be used with domain names that are easy for the human brain to recognize and remember, it will certainly be even more necessary for IPv6 addresses to be associated with domain names. Therefore, the pervasiveness of IPv6 technology will be a huge boost to Internet domain name services.
Q8: When registering a DN-PK, a user usually would choose a string that is easy for the human brain to recognize and remember and is much shorter than the public key that is associated to the DN-PK. Then wouldn’t it be the case that the DN-PK Service provided by DaoliCloud has turned the cryptographic public key into a string that is easy for the human brain to recognize and remember?
A8: Yes, your observation is correct and very insightful! For security reasons, cryptographic public keys are usually very long strings of random numbers (the public key algorithm used by the DaoliCloud system is called BN256, and the public key length of this algorithm is 4096 bits of binary number), which are not suitable for the brain to recognize or memorize. The DaoliCloud DN-PK Service associates the DN-PK selected by the user with the user’s public key at the time of DN-PK registration. When registering a DN-PK, a rational or sensible user would likely choose a string that is easy to recognize and remember. In particular, one should choose a short string (such as “Hello-World”) as the DN-PK for ease of use.
Just as, in Q&A-6, the user of the DaoliCloud W3-DN-PK Service does not need to purchase or rent a dedicated IP address for her/his devices, the user of the DaoliCloud DN-PK Service also does not need to purchase a so-called CA certificate (Certification Authority Public-Key Certificate) for her/his DN-PK. Let us review the two DN-PK examples in Q&A-5. “MySmartphone” and “MyDesktopPC” are both DN-PKs selected by you. When selecting a DN-PK, you should rationally choose a name that is easy to recognize, easy to remember, and short (exactly the case for these two DN-PKs). So there is no need for you to let a so-called “trusted” authoritative CA third party issue a CA certificate for your two easy-to-recognize-and-memorize DN-PKs. (Not to mention paying for the CA certificate service!)
Q9: What are the CA authority and CA authority certificate in Q&A-8?
A9: Since the public key is a very long random string (the length of the public key used by the DaoliCloud system is 4096 bits), it is completely unsuitable for the human brain to recognize, let alone remember. Shortly after the emergence of public-key cryptography, a CA public-key certificate issuance (service) industry emerged. A CA (Certification Authority) is stipulated to be an authority that receives “unconditional trust” from all public-key users. The CA uses digital signatures to issue certificates for users’ public keys, where a CA certificate for a user is a digital signature of the CA that associates the user’s name with the user’s public key. Since the number of CAs is small, and so is the number of CA public keys, the verification of CA certificates is an easily operable task. Thus, by verifying the digital signatures top-down in a hierarchical tree structure, starting at the top (the root of the tree) by verifying the CA’s signature, identity authentication based on digital signatures is also easily operable step by step down to the user at the bottom of the hierarchical tree. Obviously, the public-key user needs not only her/his public key, but also a name to be associated with the public key. In Internet practice, the name of the public-key user is a DNS domain name.
The notion of “unconditional trust” that a CA demands from all public-key users has been unrealistically strong since the beginning of the Web 1.0 era, so strong that it has limited public-key users to a small fraction of the Internet nodes. In fact, the traditional CA certificate industry has little hope of opening up the huge individual user market. Individual users’ devices do not even have a fixed IP address, let alone a DNS domain name. How could they buy a CA certificate to associate a public key with a non-existent domain name? (Except domain name squatters or speculators.)
Q10: Can I understand the DaoliCloud DN-PK Service as follows: Upgrading a client device to a website server protected by the secure https protocol?
A10: If we only look at the strength of security protection for Internet-connected devices, the DaoliCloud DN-PK Service and the https security protocol both protect Internet-connected devices at the strength of public-key cryptography. However, it is inaccurate to simply equate the DaoliCloud DN-PK Service with the https protocol. The user requirements that the DaoliCloud DN-PK Service aims to meet are well beyond the reach of the https protocol.
First of all, the two technologies differ greatly in the kinds of devices they target. The devices the secure https protocol suits are mainly web browsers on the client side and website servers on the server side. For the large number of personal devices and IoT devices that need to connect to the Internet, it would be too cumbersome to run a browser on the client side (the connection-requesting side), let alone something as heavy as a website server on the server side (the service-responding side). Things that web pages and websites must consider, such as high-definition pixels, dynamic and fast response, etc., are not what many personal devices and/or IoT devices value. Put simply, a large number of personal devices and/or IoT devices will not appear on the client side as web browsers, let alone on the server side as website servers. The so-called “website” is actually only a small subset of all nodes on the Internet. A large number of networked devices (especially personal ones) on the Internet are not websites. These non-website devices need to be easily and securely interconnected across the Internet.
The DaoliCloud DN-PK Service is positioned to serve the large number of personal devices that are not used as websites. These devices still need Internet names to connect to one another easily and securely, and especially they need to use public keys for secure access control so that they can always exclude unauthorized access. Because neither a web browser nor a website is needed, the DaoliCloud software can be specifically designed to be extremely lightweight. In Q&A-27 we will provide a detailed analysis of the heaviest part of the DaoliCloud software’s consumption of device resources (that is, the blockchain part) to explain how lightly it uses device resources.
Q11: Traditional DNS domain names have a prescribed format, but this new domain name of DaoliCloud has no format. Why is this?
A11: Traditional DNS domain names, e.g., hostname.example.tld, must have a hierarchical format (the rightmost label, tld, is the top-level domain name; com is the most famous top-level domain name), while a DaoliCloud Web3 DN-PK has no structure at all. Of course, we can understand this unstructured DN-PK as a single-layer structure corresponding to the hostname (“DeviceName”) at the bottom of the traditional DNS domain name hierarchy. Traditional DNS domain names must follow a hierarchical format in order to meet the following design requirement of the DNS Service system: DNS deploys its resolution service facilities as a tree-like hierarchy, allowing the DNS resolution algorithm to execute recursively top-down through the tree and thereby improve efficiency. However, this tree-like hierarchical deployment of service facilities means that traditional DNS resolution must rely on some key, critically important service points to provide critical services. As we all know, the DNS Service is exposed to the “make you disappear from the Internet” domain name attack, as well as the so-called “cache pollution” (cache poisoning) attack, both of which refer to attackers targeting the critically important service facilities that provide critical resolution steps in the DNS Service. Attacks that disable critical service facilities of traditional DNS occur frequently. Sometimes the attacker is even inside a critical service facility. Attacks with a scope as large as a country (tld = country code, a national domain name) have actually happened.
For unstructured DaoliCloud DN-PK names, the routing resolution algorithm works in a peer-to-peer network. This resolution service is provided by a physically widely distributed peer-to-peer network with extremely high redundancy. There exists no critical service point in the peer-to-peer network. This is why and how the DaoliCloud W3-DN-PK Service eliminates the unreliability (due to either attackability or service outage) of domain name resolution.
Q12: Since the DaoliCloud W3-DN-PK can be regarded as a single-layer structural domain name of the bottom hostname of a traditional DNS domain name, then after I have registered the single-layer DaoliCloud DN-PK “hello-world”, won’t “hello-world.dns” also become a traditional DNS domain name, where “dns” is a traditional DNS domain name?
A12: Your understanding of how the traditional DNS Service works is very accurate. When “dns” is a traditional DNS domain name and “dn-pk” is a DaoliCloud W3-DN-PK, then “dn-pk.dns” is indeed a traditional DNS domain name. Existing web browsers, the OS of the “dn-pk” registration device, and the entire DNS Service outside the “dn-pk” registration device all directly support resolving “dn-pk.dns”. In other words, if you use a device with a traditional DNS domain name to participate in the DaoliCloud network, then you can further provide many other DaoliCloud W3-DN-PK domain names with the traditional DNS resolution service.
However, this usage, fully compatible with the traditional DNS Service, is not what DaoliCloud’s W3-DN-PK Service is after. The use-case scenario for the traditional DNS Service is more or less about ease of accessing websites. In fact, “websites” constitute only a tiny fraction of all nodes on the Internet. A far larger number of nodes on the Internet are not websites but personally owned devices and/or IoT smart dust. This large number of non-website nodes needs names for convenient resolution and public keys for secure access, and they are the objectives of the mission of the DaoliCloud W3-DN-PK Service.
Q13: The well-known blockchain Ethereum launched a new type of domain name service called ENS (Ethereum Name Service) a few years ago. Some people in the industry believe that ENS has Web3.0 significance. What is the difference between DaoliCloud Web3.0 DN-PK Service and ENS?
A13: This question actually asks two sub-questions. Sub-question-1: What is Web3.0? Sub-question-2: What is the difference between the DaoliCloud Web3.0 DN-PK Service and the Ethereum ENS Service, which has Web3.0 significance? Since Sub-question-1 is somewhat open-ended, let us spend the next several Q&As explaining our interpretation of Web3.0. We will also defer the main part of our answer to Sub-question-2 to Q&A-25. Here we only discuss and answer the easier-to-distinguish part of Sub-question-2, namely: what is the difference between the service objects and value proposition of the DaoliCloud Web3.0 DN-PK Service, and the service objects of the ENS Service?
The DaoliCloud W3-DN-PK Service mainly targets personally owned, client, and IoT devices. So far, such devices usually do not use domain names to express their presence on the Internet, nor do they fully benefit from public-key cryptography (see Q&A-3 for the meaning of fully benefiting from public-key cryptography). The value proposition of the DaoliCloud W3-DN-PK Service is to allow a large number of personally owned, client, and IoT devices to have Internet domain names, so that they can use domain names to communicate with each other, and to allow individual users to use DN-PK to manage and control the security access policies of these devices.
The objective of the ENS Service (from our understanding) is mainly the wallets of the Ethereum blockchain. Its most understandable service value should be this: when making Ethereum transactions between Ethereum wallets, using the wallet’s brain-recognizable domain name is far easier and less error-prone than directly using the wallet’s cryptographic address, which is a long, random-looking string. As far as we can discern, this user value provided by the ENS Service seems no different from the value provided by the traditional DNS Service.
We have noticed that the ENS Service allows a “wallet.eth” domain name to be bound to an Internet website. The bound website can be accessed with the “wallet.eth” domain name. Again, as far as we can discern, this use of the “wallet.eth” domain name to bind websites (considering binding as a service) does not seem to differ from the traditional DNS domain name service: binding DNS domain names to websites. Of course, since the registration of the “wallet.eth” domain name is based on blockchain technology, and blockchain storage is highly redundant and distributed, this domain name may not disappear easily (this is the so-called sanction resistance property). We need to point out: the Ethereum blockchain itself does not provide redundant, reliable, sanction-resistant hosting services for website contents. We will discuss in the following Q&A that the well-known public blockchains (including the Ethereum blockchain) are completely unsuitable for website hosting services due to their high running and usage costs. As far as we know, so far there exists no public blockchain offering sanction-resistant and/or anti-loss protection for bulk data. If you are not a privileged person (super rich?), the website you bind to the “wallet.eth” domain name may still disappear. In our understanding, the ENS Service does not remove any of the undesirable attributes of Web 2.0 that Web3.0 wishes to improve.
Q14: What exactly is Web3.0? What does it have to do with me?
A14: The Internet of Things (IoT) era has arrived. Individuals, families, and organizations will increasingly have a variety of Internet-connected devices, ranging from handheld, wearable, and home smart products to ubiquitous facilities such as vehicles, smart offices, public services, smart cities, … and even the metaverse. You will definitely need, and will own, more and more IoT devices. Therefore, you will also have an increasingly strong need to name your IoT devices so that they can communicate with each other through the names you give them, allowing you to conveniently and effectively control the security policies of their access. The domain name is the network identity of the networked device. When you have more and more networked devices, the network identities that your devices need, i.e., that you need, are domain names. So why should we use Web3.0 as the adjective modifying the domain names you need?
Today, there are many kinds of network service providers who provide the so-called Web2.0 services, and through their services they allow you to “own” various Web2.0 network identities within the scope of the types of services they provide. Here we put quotation marks around you “owning” various Web 2.0 network identities because this “owning” carries at least three levels of uncomplimentary meanings or interpretations. The first interpretation of “owning” is somewhat compassionate: your Web 2.0 network identity is fragmented. An identity only works within the service scope of one Web 2.0 network service provider. These fragmented network identities split the Internet into disjointed silos with poor user-friendliness. The second meaning of “owning” has a less welcome connotation: the usage of your personal device connecting to the Internet is very different from that of websites. The general purpose of websites is to build, nourish, and promote brands and social influence. For personally owned devices, privacy and the security of anonymous attributes are crucially important. For personal devices (imagine wearable private devices), very few people would feel comfortable with their security and privacy being managed or provisioned by Web2.0 service providers. The third interpretation of “owning” is a simple disproof of “owning”: your Web2.0 network identity is actually and exactly owned by the Web2.0 network service provider, being an important asset from which it profits; these Web 2.0 network identities may also disappear for bad reasons (such as sanctions by the service provider, or the disappearance of the service provider).
The reason why network identities based on public blockchain technology can be called Web3 domain names is that this new type of network identity can not only be resolved to your device on the Internet, but is also truly owned by you. Your Web3.0 domain name is a digital asset that truly belongs to you. Its scope of use is not blocked by fragmented service providers, and it will never disappear for reasons other than your own decision. In Q&A-16, we will demonstrate a simple (for dummies) use of your DaoliCloud DN-PK to see how easy it is to use and how it allows any number of your client or IoT devices to communicate with each other.
Obviously, such a Web3 domain name must be unique in the entire Internet. Otherwise, not only can it not be correctly resolved to the unique domain name registration device, but it will also be impossible to use the domain name, that is, the public key, to control your device’s secure access. To ensure uniqueness, registration of Web3 domain names follows the first-come, first-served principle. A good domain name should also be short, easy for the human brain to remember, and therefore easy to use. When choosing a name, many people will choose one that reflects personal preferences, is easy for brand promotion, has self-recognized or commonly recognized beauty, taste, or novelty, has special commemorative significance, has distinctive exclusive characteristics, and other attributes. Therefore, to register a DaoliCloud Web3 DN-PK, you should hurry up and register a good DN-PK! Register early, own early!
(Work in Progress…)
DaoliCloud (Digital Asset Open Ledger for Inexpensive Web3 Services) is an open, permissionless, inexpensive, and secure platform for all sorts of computers (hereinafter referred to as node or nodes) to participate in, and thereby become an Internet server. The DaoliCloud Platform has the following properties:
Let us provide some comments/explanations on these properties.
Property 1 means that a node participates in the DaoliCloud Platform in the same fashion as a node participating in a public and permissionless blockchain. Indeed, the layer-1 software for the DaoliCloud Platform does implement a permissionless blockchain. With this property, the open ledger for DaoliCloud’s digital assets, like that of the existing public and permissionless blockchains, can also securely record transactions for a number of very useful digital assets that have been enabled by public and permissionless blockchains. These very useful digital assets are: decentralized money, non-fungible tokens (NFTs), stable coins, etc. The DaoliCloud Platform can also support blockchain smart contracts running on the decentralized nodes.
Property 2 suggests that the technical element underlying the operation of the DaoliCloud Platform has a much lowered cost than those underlying the operations of the existing public and permissionless blockchains, e.g., Proofs-of-Work (PoW) or Proofs-of-Stake (PoS). Indeed, to improve the operation efficiencies for, and to lower the transaction fees for the digital assets enabled by, the existing public and permissionless blockchains are two main motives for the work of the DaoliCloud Platform.
Properties 3–5 simply state that a node participating in the DaoliCloud Platform has the full capabilities that an SSL/TLS secured web-/apps-/cloud-server does. Since obviously a node of a permissionless blockchain has a public key, this public key can of course secure the node in the fashion of the SSL/TLS protocol. Moreover, the public key can also be bound to a human-friendly DN token for the digital asset open ledger to record the binding relation. Thus, a node participating in the DaoliCloud Platform can indeed function as an SSL/TLS secured web/apps/cloud server.
Properties 3–5 Enabled Service Examples: As a permissionless platform, a user can register a DN and/or an NFT token for its participating node, and let the blockchain platform provide IP resolution and routing services, using the DN and/or NFT to access the node from the Internet, e.g., to view the original image of the NFT artwork which the node, as the Web server, is serving; when routing using the DN, the node can be used as a cloud server for the user’s own use or to provide Web services to others. As far as we know, the provision of such services is unknown in the existing public blockchains.
In the remainder of this writing, we will introduce the work of the DaoliCloud Platform in the following way. We first discuss and observe that a public and/or permissionless blockchain can have a wide range of and valuable applications. However, the popular mode of operation in the existing public blockchains has problems such as high operating costs and low service efficiency. Regarding how to lower the operating cost, and improve the service efficiency, of the public blockchain, we will give an open and detailed presentation to the working principle and system implementation of the DaoliCloud Platform.
Bitcoin began a very useful mechanism for public-key credential establishment. Let us describe the mechanism and reason about our appreciation of its usefulness as follows.
Securing a coin (digital asset) in a digital wallet (by the wallet’s public key), and recording the asset’s transaction(s) in the blockchain open ledger, Bitcoin, by way of digital asset transactions, manages security associations between a digital asset and a set of public keys. These security associations are managed as follows. Before a transaction takes place, the public keys of the transaction’s senders secure the asset, and those of the transaction’s receivers are about to secure it. After the transaction completes, the latter set of public keys secures the asset, whereas the associations with the former are removed. The state changes of these security associations can be looked up in the open ledger of Bitcoin, with their correctness proved by digital signatures under the involved public keys. That a digital asset has value for those involved in its transaction means that these parties have a self-interested responsibility to carefully verify the transaction-enabling digital signatures. The cryptographically verifiable transaction evidence recorded in the open ledger thus establishes cryptographic credential(s) for the involved public key(s). Undoubtedly, a public-key credential so established has a validity that makes much better sense than the conventional public-key credential validity, which crudely stipulates that the credential owner place in advance an unconditional trust in some centralized third party, e.g., a certification authority (CA) or a centralized web service provider.
Notice that the above argument for public-key credential establishment assumes no trust whatsoever in any third party. Therefore, a public-key credential established this way can be referred to as a “zero-trust public-key credential.”
Zero-trust public-key credentials are enormously useful. For example, a Web service system can greatly reduce its attack surface by eliminating unconditional trust in a CA and/or in centralized service providers; users avoid the service costs of CAs or third parties; users can also enjoy anonymity; in addition, because there is no need to register a participation identity in advance, or to set up a public-key certificate beforehand, permissionless participation in a Web service system becomes practical.
Permissionless online participation in an open and scalable network system can easily lead to uncontrolled participation chaos. Not surprisingly, organizing order out of the disorder caused by permissionless participation is a task of non-trivial difficulty. The order-organization methods adopted by the existing public and/or permissionless blockchains have, without exception, shown high blockchain operation costs and/or low service efficiencies (we discuss why in the next section). Consequently, digital assets enabled by these blockchains are in the unfavorable status quo of being rather expensive to transact. High blockchain operation costs, low blockchain service efficiencies, and expensive asset transaction fees are also likely responsible for a universally prominent phenomenon in decentralized finance (DeFi) enabled by such blockchains: DeFi digital assets have infamously volatile exchange rates (or highly risky stable-coin collateral), making them easily susceptible to speculative hype.
In summary, the remarkable usefulness of the zero-trust public-key credential that the existing public and/or permissionless blockchains have creatively enabled has been limited in applicability to only a small number of “special-interest” digital assets, where the modifier “special-interest” means that the users of such digital assets do not mind high transaction fees. As a result, it has been difficult for the zero-trust public-key credential to find wide application.
The means known so far for public and permissionless blockchains to organize enthusiastic permissionless participants into orderly blockchain-functioning servers are, without exception, based on some voting mechanism, such as Proof-of-Work (PoW) voting by computing power, or Proof-of-Stake (PoS) voting by wealth ownership. These voting mechanisms, while originally designed to sort out a fair order from unordered, possibly chaotic, participants, later turned out to be more important for preventing the so-called Sybil attack. The rationale for preventing the Sybil attack is to have the permissionless blockchain participants compete on who can spend more money, or take higher financial investment risks, as a fair means of gaining the entitlement to operate the blockchain (and, of course, to allow the competition winner to profit from the operation). No matter whether the voting is PoW- or PoS-based, all formulations of voting give rise to competition of ever-increasing fierceness. It is this increasingly fierce nature of the voting competitions that has led to increasingly higher operational costs for running these voting-based blockchains, increasingly lower efficiency for such blockchains to serve their users, and special-interest digital assets enabled by such blockchains that are expensive to transact and highly volatile, inviting speculation. Consequently and unfortunately, the greatly useful zero-trust public-key cryptography enabled by such blockchains has limited applications of poor scalability.
The DaoliCloud blockchain proposes a new, non-voting and non-competition model for a public and permissionless blockchain, which can fairly organize orderly blockchain service providers out of chaotically unordered permissionless participants, and at the same time prevent Sybil attacks. Owing to the avoidance of costly and inefficient voting competitions, we hope that the DaoliCloud blockchain can have the following advantages: 1. Qualified blockchain resource (compute, storage, network) service-provisioning participants would become numerous, and thereby they would have much improved efficiency in providing blockchain resource services; 2. The cost of using blockchain services would be much lowered, and thereby the blockchain-enabled digital assets would become inexpensive to transact, and no longer be an easy target for speculation; 3. Most usefully, zero-trust public-key cryptography would become widely and affordably usable by a mass of users, and be suitable for pervasive applications, with the users and applications being in an open and scalable system. Advantage number 3 is the most important motivation for our work on the DaoliCloud Platform.
In the Bitcoin whitepaper, Satoshi Nakamoto described what he named the “One-CPU-One-Vote” Bitcoin blockchain security design: every node connected to the Bitcoin network, including every online client wallet, regardless of its CPU capacity, speed, and price, can equally and fairly vote on the network’s security decisions. Because this design creates a completely decentralized blockchain network, Nakamoto firmly believed that Bitcoin based on this everyone-votes design would have very strong decentralized security. Also, because everyone voting essentially constitutes everyone contributing compute resources equally, Nakamoto also hoped that this equal compute-resource contribution design would, by virtue of “give-and-take”, lower the cost of using Bitcoin. Since every node connected to the Bitcoin network contributes compute resources to the network, when using Bitcoin services (e.g., making transactions) it should also receive compensation in the form of cost-lowered services (e.g., reduced transaction fees). Unfortunately, this rational design of equality, fairness, and give-and-take broke down embarrassingly and irreversibly in real-world practice. Shortly after Bitcoin’s public operation began, online client wallets lost their voting entitlement and the ability to provide compute resources to the Bitcoin network. As a result, users (mostly client wallet holders) have had to pay increasingly expensive fees when using Bitcoin services.
In fact, as far as the currently known public blockchains (especially Bitcoin) are concerned, online client wallets overall only constitute a net cost center, consuming expensive blockchain network resources. These expensive network resources are provided and maintained by some “permissionless” (the meaning of the quotation marks will become clear in a moment) blockchain operators who participate in competitions. Either (in the Proof-of-Work, PoW, mining model) these “permissionless” competing blockchain operators are PoW mining pools or farms whose scale grows larger and larger. The reason for this is that PoW blockchain operators need to continuously expand and upgrade the performance and scale of their mining equipment to have the upper hand in PoW hashing power, and for this, they need to constantly increase their operating expenses (mainly for mining electricity consumption). Or alternatively (in the Proof-of-Stake, PoS, voting model), they are PoS equity investment parties whose risk capital injection amounts keep increasing (due to the speculative nature of PoS). The reason for this is that PoS blockchain operators need to continuously increase their risk capital injection to compete for more PoS block generation rights. Therefore, for public blockchains based on PoW or PoS models, competitive maintenance of the dominant operation of blockchains means competitive increase of operating expenses.
Because all known “permissionless” blockchains use various online voting schemes to select blockchain database operators, the vast majority of blockchain users, namely client wallet possessors, are excluded from the “permissionless” competition, because each of them either has negligible compute power to contribute to a PoW blockchain, or owns only trivial assets, which do not qualify for block generation in a PoS blockchain. Their individual and uncoordinated participation in a “permissionless” online voting blockchain clearly cannot make any meaningful impact on the fair operation of the blockchain, let alone their client wallet CPUs being counted in the “One-CPU-One-Vote” ideal envisioned by Nakamoto. In fact, the security of an online voting system, i.e., the authenticity and fairness of the votes, depends on many hard-to-satisfy assumptions. Years of research efforts have shown that it is very difficult to design a secure online voting scheme for an open network environment. For example, there is the so-called Sybil attack applicable to PoW mining blockchains based on Nakamoto’s “One-CPU-One-Vote” ideal, where an attacker can use very low-cost methods to create a large number of fake votes that are very difficult to distinguish from real ones. The existing PoW and PoS public blockchains defend against Sybil attacks by requiring participants to engage in an endless and increasingly intense competition through PoW or PoS. Straightforwardly speaking, PoW competition is about spending money on machines and electricity, while PoS competition is about buying PoS service rights. Therefore, the qualified operators, i.e., service providers, formed by these public blockchains through fierce competition actually work in a closed environment with ever-higher entry barriers. Sybil attackers cannot effectively attack without spending a lot of, and ever more, money.
For PoW “permissionless” public blockchains, not only are online client wallet users unable to contribute compute resources, but many powerful cloud servers are also unable to do so because they have no hope of winning in PoW mining without pooling with specialized mining hardware. For PoS “permissionless” public blockchains, the capital price of PoS equity can fluctuate dramatically due to speculation, and hence the proportion of nodes that qualify for PoS block generation among all blockchain participants may even be lower than that in PoW mining. Currently known “permissionless” public blockchains have unfortunately all deteriorated into de-facto permissioned ones, because the permission threshold for obtaining blockchain operating rights through competition is so high. Also, in terms of network service quality, such permissioned public blockchains provide network services by relying on only a fraction of “smart” nodes, so-called full nodes, to bear the burden of service requests from an overwhelmingly large population of “dumb” nodes, resulting in an inefficient and unreasonable design for network throughput. Fortunately, these public blockchains have discovered a few meaningful use cases which are either not very cost-sensitive, or favored by speculative investors. Decentralized money and Non-Fungible Tokens (NFTs) are two prominent examples of such special use cases.
A decentralized coin or an NFT-token is essentially a digital asset, and such a digital asset can be reliably, robustly, and securely routed to/from the Internet (when connected to a blockchain). The reliability and robustness of routing are due to the fact that each network service node in a public blockchain network acts as a network router and can broadcast the user’s request to the entire blockchain network. The security of routing is a more significant public blockchain service, which is worth further elaboration as follows. The wallet that stores decentralized-coins or NFT-tokens is strongly protected by public-key cryptography. The assets in the wallet can only be controlled or disposed of exclusively by the (asset) owner of the wallet. When disposing of a digital asset, the asset owner must use the private key protected by the wallet to sign the asset, where the private key matches the wallet’s public key. These useful security properties are enabled by public-key cryptography, and can be publicly verified using the wallet’s public key.
With the outstanding advantage of protecting private assets with public-key cryptography, the special assets of decentralized money and NFT tokens, although costly to use because of the low efficiency of the network services provided by public blockchains, and although their users have been few because their prices often fluctuate dramatically (possibly due to speculation), have played an important role in inspiring a new demand for Internet services, namely Web3. That is, these few types of special digital assets that have been proven feasible by the existing public blockchains are very meaningful, and there is a strong need to generalize them to a broader range of digital asset applications for a mass of users to own and exclusively control, at pervasively affordable costs of use.
There should be many use cases for general-purpose Web3 digital assets. For example, if a decentralized money has a stable face value like a fiat currency does, and its transaction fees are low, then it qualifies as a general-purpose Web3 asset and may become widely used. As another example, the Web2 infrastructure services of domain name registration, resolution, and CA certificate issuance carry various security risks due to their strongly centralized Web2 attributes. In fact, domain names and CA certificates are essentially NFTs. In comparison with the known blockchain special-asset NFTs, DN and CA certificates as NFTs would have much broader and more practical usefulness, e.g., they are easy for human users to recognize, click-authenticate, and click-route, and have less speculative value. Thus, if low-cost NFT-style registration, resolution and authentication services can be developed for DN and CA certificate applications, then these services would also qualify as general-purpose Web3 digital assets, and might give rise to very wide adoption. For yet one more example, with the routing-to-public-key service enabled by blockchain servers, a mass of client devices such as laptop PCs can become Web3 servers hosting web pages over HTTPS. The emergence of Web3 represents a revolutionary challenge to the current situation in which the vast majority of Internet digital assets are concentrated in the hands of a few large Web2 service providers. Of course, to promote the adoption of general Web3 digital assets, breakthroughs must be made to overcome the current limitation of public blockchains supporting only a few special digital assets with a small number of users.
DaoliCloud is a permissionless public blockchain technology that aims to provide a mass of users with a wide and affordable range of Web3 digital asset applications. The key to improving digital assets in this way is a new model for blockchain security and resource utilization, which can be described as follows. Every CPU participating in the DaoliCloud blockchain, especially every online client wallet’s CPU, can serve a “One-CPU-One-Firewall” security function to protect the local node itself against the adverse effects of erroneous messages the node may receive from the blockchain network. Unlike the desperate situation of client wallets being ineligible to participate in PoW-mining- or PoS-staking-based global online voting, the “One-CPU-One-Firewall” security design is a local decision on accepting or rejecting block messages that appear in the blockchain network. A CPU of any grade, including a low-end one, can competently make such a local decision. Let us explain below why such a local decision is easy to make.
Messages that relate to appending blocks to the blockchain are called “kernel messages”, and they are designed to have the following properties. (1) A kernel message is easily generated and verified because it carries a digital signature. (2) Kernel messages are only allowed to appear in the blockchain network within a globally aligned time interval, where a node is able to align its local time to a global time thanks to a novel method of using the CPU’s local clock. (We shall explain this method in the next section.) With these properties of kernel messages, the DaoliCloud blockchain always deterministically appends a unique block (and thereby increases the chain height by 1) at a globally known time interval; that is, the chain never forks. For a non-forking blockchain, the local (applications) DB distributed at each participating node can be maintained (i.e., as DB entries are created, searched, inserted, updated, or deleted) so that it is always in the search-key-sorted state, and hence each DB operation can be completed in O(log n) time (n being the size of, i.e., number of items in, the DB). With this low time complexity, the applications DB of the blockchain can be quickly processed (e.g., checked against double registration of a DN token, or double spending of a coin), even when the job is done by a low-end CPU.
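As an added illustration (not code from the DaoliCloud project), the following Go sketch shows the local firewall decision described above: a kernel message carries an Ed25519 signature and an epoch index; a node accepts it only if the signature verifies, the epoch is the one the node is currently measuring, and the height extends its chain; and a sorted application DB lets the double-registration check run in O(log n). The message layout, the DN-token payload, and all field names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// KernelMessage is a hypothetical stand-in for a DaoliCloud kernel message:
// a proposal to append block number Height during epoch Epoch. The payload
// is a DN token being registered (an assumption for illustration).
type KernelMessage struct {
	Height    uint64
	Epoch     int64
	Payload   []byte
	Sender    ed25519.PublicKey
	Signature []byte
}

// signingBytes fixes the byte layout that is signed: height, epoch, payload.
func (m *KernelMessage) signingBytes() []byte {
	buf := make([]byte, 16, 16+len(m.Payload))
	binary.BigEndian.PutUint64(buf[0:8], m.Height)
	binary.BigEndian.PutUint64(buf[8:16], uint64(m.Epoch))
	return append(buf, m.Payload...)
}

// SignKernelMessage builds a message and signs it with the sender's key.
func SignKernelMessage(priv ed25519.PrivateKey, height uint64, epoch int64, payload []byte) *KernelMessage {
	m := &KernelMessage{
		Height:  height,
		Epoch:   epoch,
		Payload: payload,
		Sender:  priv.Public().(ed25519.PublicKey),
	}
	m.Signature = ed25519.Sign(priv, m.signingBytes())
	return m
}

// Firewall is the local state of one "One-CPU-One-Firewall" node.
type Firewall struct {
	Height       uint64   // chain height accepted so far
	CurrentEpoch int64    // epoch the node is currently measuring
	registry     []string // application DB of registered DN tokens, kept sorted
}

var (
	ErrBadSignature = errors.New("kernel message: invalid signature")
	ErrBadTime      = errors.New("kernel message: not in the current epoch")
	ErrBadHeight    = errors.New("kernel message: does not extend the chain")
	ErrDuplicate    = errors.New("kernel message: DN token already registered")
)

// Accept is the purely local decision: semantic validity (signature, height,
// no double registration) and time validity (current epoch only). A message
// failing any check is treated as an attacking message and dropped.
func (f *Firewall) Accept(m *KernelMessage) error {
	if !ed25519.Verify(m.Sender, m.signingBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Epoch != f.CurrentEpoch {
		return ErrBadTime
	}
	if m.Height != f.Height+1 {
		return ErrBadHeight
	}
	name := string(m.Payload)
	i := sort.SearchStrings(f.registry, name) // binary search: O(log n)
	if i < len(f.registry) && f.registry[i] == name {
		return ErrDuplicate
	}
	// Insert at position i so the registry stays sorted for the next lookup.
	f.registry = append(f.registry, "")
	copy(f.registry[i+1:], f.registry[i:])
	f.registry[i] = name
	f.Height = m.Height
	f.CurrentEpoch++ // receipt of a valid kernel message starts the next epoch
	return nil
}

// Registered reports whether a DN token is present in the local application DB.
func (f *Firewall) Registered(name string) bool {
	i := sort.SearchStrings(f.registry, name)
	return i < len(f.registry) && f.registry[i] == name
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fw := &Firewall{}
	fmt.Println(fw.Accept(SignKernelMessage(priv, 1, 0, []byte("alice.dnpk")))) // <nil>
	fmt.Println(fw.Accept(SignKernelMessage(priv, 2, 1, []byte("alice.dnpk")))) // already registered
}
```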
The remaining “magic” in need of explanation is why and how the DaoliCloud blockchain can have a global clock for all participating CPUs of any quality grades to precisely align time for sending/receiving/forwarding the blockchain kernel service messages.
A low-end CPU today may have a rather inaccurate clock that drifts, either gaining or losing cycle counts, at rates of hundreds of parts per million (ppm). The DaoliCloud blockchain is designed to tolerate permissionless participation by very poor-quality CPUs, tolerating clock inaccuracy of up to 1,000 ppm, so that they can still make fair and sound contributions to the blockchain. Consider letting the blockchain use a one-minute-long time epoch to append a block. Then the maximum clock drift of a 1,000-ppm CPU clock will not exceed 0.06 seconds in each one-minute-long epoch, and the maximum time gap between two such poor CPUs will not exceed 0.12 seconds (one drifting faster and the other slower, each by at most 0.06 seconds). Thus the local clock of a CPU of any quality is sufficiently accurate (with error bounded by 0.12 seconds) to measure a one-minute-long epoch and become ready to execute a time event. The time events of DaoliCloud’s interest include, e.g., broadcasting, receiving, or forwarding a kernel message. Considering that, e.g., one-second-long network latency is a reasonable network quality for a blockchain to have to bear with, mixing the maximum 0.12-second CPU clock error with second-long network latency means the blockchain would not be able to notice any clock inaccuracy. Further notice that, at each moment of receiving new kernel messages, a CPU begins to measure the next one-minute-long blockchain epoch. Therefore, whether of low or high quality, all blockchain-participating CPUs align the beginning of each blockchain epoch upon receipt of kernel messages. The DaoliCloud blockchain thus does have a global clock as blockchain consensus, and this global clock has network-latency-aligned accuracy forever.
At this point, we know that every node participating in the DaoliCloud blockchain, regardless of the quality of its CPU, is indeed capable of the “One-CPU-One-Firewall” security design function, so that the node can accept semantically valid and time-valid (kernel) messages, and reject invalid ones, which are treated as attacking messages.
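An added simulation (not from the DaoliCloud project) of the drift argument in the preceding section: nodes whose clocks drift by up to ±1,000 ppm each restart a 60-second epoch when the kernel message reaches them, so their readiness times never spread by more than twice the 0.06-second per-epoch drift plus the spread in network latency, whereas free-running clocks drift apart without bound. The ppm and latency values of the sample nodes are constructed for the simulation.

```go
package main

import (
	"fmt"
	"math"
)

const EpochSeconds = 60.0 // one-minute-long epoch, as in the text

// DriftBound returns the worst-case error (seconds) that a clock with the
// given ppm inaccuracy accumulates while measuring one epoch: 1,000 ppm -> 0.06 s.
func DriftBound(ppm float64) float64 {
	return ppm * 1e-6 * EpochSeconds
}

// MaxPairGap is the worst-case gap between two such clocks, one fast and one
// slow, over a single epoch: 1,000 ppm -> 0.12 s.
func MaxPairGap(ppm float64) float64 {
	return 2 * DriftBound(ppm)
}

// Node models one participant: its clock error in ppm (positive = fast) and
// the one-way network latency (seconds) from the kernel message sender.
type Node struct {
	PPM     float64
	Latency float64
}

// epochLength is how many true seconds elapse while the node's own clock
// counts EpochSeconds.
func (n Node) epochLength() float64 {
	return EpochSeconds * (1 + n.PPM*1e-6)
}

// SimulateAligned applies the rule from the text: on receipt of each kernel
// message every node restarts its epoch timer. The kernel message for the
// next epoch is sent when nodes[0] becomes ready. It returns the largest
// spread (seconds) between the earliest and latest node readiness over all epochs.
func SimulateAligned(nodes []Node, epochs int) float64 {
	sendTime, worst := 0.0, 0.0
	for k := 0; k < epochs; k++ {
		earliest, latest := math.Inf(1), math.Inf(-1)
		for _, n := range nodes {
			ready := sendTime + n.Latency + n.epochLength()
			earliest = math.Min(earliest, ready)
			latest = math.Max(latest, ready)
		}
		worst = math.Max(worst, latest-earliest)
		sendTime += nodes[0].Latency + nodes[0].epochLength()
	}
	return worst
}

// SimulateFreeRunning lets every node count epochs from time zero with no
// re-alignment; the spread after the last epoch grows linearly with epochs.
func SimulateFreeRunning(nodes []Node, epochs int) float64 {
	earliest, latest := math.Inf(1), math.Inf(-1)
	for _, n := range nodes {
		ready := n.Latency + float64(epochs)*n.epochLength()
		earliest = math.Min(earliest, ready)
		latest = math.Max(latest, ready)
	}
	return latest - earliest
}

// AlignedSpreadBound is the bound the argument gives: twice the per-epoch
// drift plus the spread in network latency across the nodes.
func AlignedSpreadBound(nodes []Node, ppm float64) float64 {
	lo, hi := math.Inf(1), math.Inf(-1)
	for _, n := range nodes {
		lo = math.Min(lo, n.Latency)
		hi = math.Max(hi, n.Latency)
	}
	return MaxPairGap(ppm) + (hi - lo)
}

// SampleNodes is a constructed population: an accurate sender, two clocks at
// the +/-1,000 ppm tolerance limit, and two in between.
var SampleNodes = []Node{
	{PPM: 0, Latency: 0},
	{PPM: 1000, Latency: 0.8},
	{PPM: -1000, Latency: 0.3},
	{PPM: 400, Latency: 1.0},
	{PPM: -250, Latency: 0.5},
}

func main() {
	fmt.Printf("per-epoch drift at 1000 ppm: %.3f s\n", DriftBound(1000))
	fmt.Printf("aligned spread over 1000 epochs: %.3f s (bound %.3f s)\n",
		SimulateAligned(SampleNodes, 1000), AlignedSpreadBound(SampleNodes, 1000))
	fmt.Printf("free-running spread after 1000 epochs: %.1f s\n",
		SimulateFreeRunning(SampleNodes, 1000))
}
```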
As a blockchain using kernel messages, DaoliCloud has pioneered the concept of a Blockchain Operating System (BOS), and implemented the new concept into a working system. The BOS lets a set of permissionless nodes be organized in an orderly manner, and grants them the privilege of broadcasting kernel service messages to saturate the entire blockchain network. So, the BOS message service features reliability, robustness and ease of authentication.
Generating a BOS message and verifying its authenticity are both very easy jobs that can be competently processed by an online client wallet. Broadcasting and receiving BOS messages, judging their correctness, and forwarding correct ones or discarding erroneous ones are about all the tasks that every “One-CPU-One-Firewall” node in DaoliCloud is supposed to competently perform. The compute resource requirement for a node to provide such a firewall function is so low that, whether in a lite (as lite as Internet dust) software implementation or in an expensive professional-grade heavy-asset server hardware implementation, the resultant firewalls would function with no difference. More to the point, the local independent behavior of a “One-CPU-One-Firewall” cannot be remotely interfered with over the network, regardless of how weak the interfered-with target is, or how strong the interfering party is. With this “One-CPU-One-Firewall” property, a mass of online client wallets in DaoliCloud are no longer cost centers, as in all known public blockchains; on the contrary, they become production centers. In large numbers and with wide physical distribution, the blockchain firewall function provided by online client wallets is very strong, reliable and robust.
Being able to combine online client wallets into a blockchain production center, DaoliCloud makes a significant change to the current blockchain status quo of placing the burden of all blockchain service requests on a much smaller number of heavy-asset servers. In the new blockchain model of inclusively utilizing the compute power of every online client wallet, the cost for a wallet to obtain blockchain services would be greatly reduced. A clear give-and-take scenario takes place here: for a wallet to use blockchain services, it has to connect to the blockchain network, and the connection makes the wallet provide firewall service to the blockchain! In contrast, in the current status quo of placing the burden of all users’ service requests on heavy-asset servers, a blockchain necessarily needs to find some rather clever, expensive, and often volatile pricing methods to enable the blockchain service provider to charge service fees to client wallets, in order to compensate for the growing expenses of participating in endless competition, such as increasing equipment resource investments, operational costs, or (speculative) venture capital investments. Through these comparisons, we have outlined why and how the cost of pervasive use of Web3 applications can be reduced to a level that is widely affordable for (individual) users.
DaoliCloud uses a random noise algorithm to find random, redundant, orderly, and permissionless nodes, which are called “Uncles.” The random noise algorithm and its output are inspired by Ethereum blockchain technology. Ethereum rewards its Uncles for their noise block generation contributions, which can help save electricity consumption. However, DaoliCloud requires its Uncles to provide more meaningful blockchain services. Orderly Uncles are a set of physically decentralized nodes with logically centralized and consistent behavior in sending simple kernel messages. In this working principle, Uncles serve as the kernel resource for the Blockchain Operating System (BOS). The most significantly meaningful BOS kernel layer (Layer 1) service is a decentralized global clock, which allows any node in the blockchain network, including any online client wallet, to easily verify the robustness and accuracy of the clock against malicious interference. The accurate global clock establishes a global consensus on deterministically updating the blockchain DB (the local copy at each node). Useful BOS services on the application layer (Layer 2) include: (i) Decentralized payment transactions, in which money has a stable face value and transactions have low fees, just as with a fiat money. (ii) Naming and routing services for users’ Web3 digital assets, allowing users to use various decentralized identities (DIDs) to exclusively control and dispose of their digital assets, as well as for altruistic use of a name or an icon. With a large number of client wallets providing resource and security services, DaoliCloud can support affordable, public-key-secured (such as through HTTPS hosts) Web3 services.
If the cost of participating in a permissionless blockchain is very low, and as a result of participation the participants can be easily seen on the Internet (of course, under the premise that the participants are willing to publicize their wallet public-key addresses through the blockchain and be widely visible), then in addition to digital assets such as decentralized coins, NFTs, and stable coins that can be used as decentralized transaction instruments, the blockchain will also have the potential to create some more general, useful, and interesting digital asset use cases. For example, the application scenario described below is achievable: a permissionless node in the blockchain, because it only needs to consume a negligible amount of its resources to maintain the operation of the blockchain, can have the bigger part of its resources (that is not needed for maintaining the operation of the blockchain) used for providing IT-as-a-Service (ITaaS) value-added cloud services, such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS), in exchange for service fee revenue.
Unlike the traditional ITaaS market, in which cloud service providers have to make a large upfront capital investment to enter the market, and thus easily form a monopoly on the service provider side of the market, the ITaaS platform created by this blockchain has the following two new attributes. 1. On the market supply side: since the permissionless participating nodes of the blockchain are nothing more than mass-produced commodity cloud servers and/or personal computers (desktops and/or laptops), which double as ITaaS cloud servers and provide services, the barriers to market entry are very low; many small businesses, and even a large number of amateur individuals, have sufficient capability to enter the service provisioning market, can stay online for a long time to serve, and together become a significant chunk of the ITaaS cloud service providers. 2. On the market consumer side: the consumers of this blockchain-enabled ITaaS market will likely be numerous because they now enjoy a major improvement in service quality. This major improvement in consumer service quality is that ITaaS users are now the holders of blockchain wallets, so they have zero-trust public-key certificates, which can protect their data in the cloud with the security strength of public-key cryptography; thus they no longer have to live the old way of using traditional ITaaS cloud services, where they are forced to obey unconditional trust requirements imposed by the cloud service providers.
In the above exemplified blockchain use case for the new ITaaS market, ITaaS, as an online service exchanged between supply and demand, actually becomes a blockchain asset. Not only is the ITaaS resource broadly useful, but it is likely to achieve enormous usage and transaction volume. This blockchain asset, because of its large volume of supply and demand, has the power to lower, level, and stabilize its price. The low and stable price of such a useful blockchain asset is comparable to the prices of the digital assets that are blockchain transaction instruments (i.e., decentralized currencies, stable coins), so that there is a stable and low exchange rate between these two assets, and the latter (digital currencies) can be conveniently used as an online digital transaction instrument for purchasing the former (the blockchain ITaaS asset). We believe that this low-cost, permissionless blockchain, being able to publicize the Internet-routable addresses of participating nodes (making it convenient for them to become cloud servers), can not only generalize blockchain assets and commodify them for many valuable use cases, but would also help to promote the use of blockchain decentralized digital currencies for wider, fairer, less speculative, and more sustainable uses.
Blockchain Operating System (BOS). Decentralized Clock. Decentralized Identity (DID). Zero-Trust Public-key Cryptography. Web3 Services.