►
From YouTube: Agoric + Protocol Labs // Part 3 - Distributed Secure Cross-chain Messages - Mark Miller
Description
Part 3: Distributed Secure Cross-chain Messages
We are rapidly moving into a world of many chains. So how do we turn JavaScript into a distributed secure programming language, where an object on one chain can asynchronously send a message to an object to another chain. We show how our vat model, through the IBC and CapTP protocols, can turn SES into a distributed, cross-chain, secure programming language.
A
So
how
do
we
turn
all
of
this
into
a
distributed?
Secure,
programming,
languages,
language,
where
an
object
in
one
vat
can
asynchronously
send
a
message
to
an
object
and
another
vat,
so
we're
focused
now
on
the
VAT
level
and
on
the
protocols
below
and
above
it,
the
IBC
protocol
and
the
cap.
Tp
protocol.
A
A
All
of
the
vats
within
the
same
swing
set
interact
with
each
other
through
the
swing
set,
nano
kernel
and
the
order
of
message.
Delivery
among
the
vats
within
the
swing
set
is
deterministic
so
that
all
the
validators
replicating
the
same
computation
get
the
same
order
and
proceed
in
the
same
manner.
A
How
is
it
that
an
object
in
one
vat
can
effectively
hold
a
capability
to
an
object
in
another
vet?
While
these
trapezoids
are
what
are
what
is
called
a
c-list?
Each
trapezoid
is
a
c-list
which
is
a
table
mapping
from
integer
indices
to
capabilities
to
object
references.
This
notion
of
a
c-list
is
most
familiar
from
unix
with
file
descriptor
indices.
A
program
running
under
unix
uses
a
number
a
file
descriptor
index
to
talk
to
the
kernel
about
a
file
descriptor.
A
A
Well,
each
swingset
has
a
special
that
we
call
the
comms
bat,
where
the
comms
that
engages
in
the
same
trick,
just
as
the
Nano
kernel
sitting
between
a
bunch
of
vats,
has
to
have
separate
C
lists
facing
each
VAT.
The
coms
VAT
has
to
have
one
such
table
facing
its
kernel
in
order
to
get
to
the
other
vats
within
its
swing
set,
and
then
it
has
another
table
for
each
other
platform
that
it's
securely
communicating
with
so
of
the
swing
set
in
the
upper
left.
A
The
table
facing
right
is
the
table
for
talking
to
the
the
swingset.
The
platform
on
the
right,
and
likewise
with
the
table
facing
down
and
object,
messages
need
to
get
sent
from
from
the
left
side
to
the
right
side
in
a
secure
manner.
In
order
to
bring
about
this
entertained
object
communication.
Well
now
we
have
several
problems
we
need
to
solve.
A
A
So
we
can
make
use
of
that
observation
by
creating
a
fabric,
a
network
of
real
layers
between
these
chains
to
to
carry
traffic
from
one
chain
to
another.
So
each
of
these
pipes
represents
an
IBC
channel
and
the
channel
watches
the
chains
on
each
side
watches
the
chain
on
the
left,
to
look
at
the
log
to
see
if
a
message
got
logged,
that's
marked
as
a
message
intended
for
delivery
to
another
chain
and
when
it
sees
that
it
relays
it
to
a
broadcast
mechanism
now
the
broadcast
mechanism.
A
If
every
chain
has
its
own
theory
of
legitimacy,
then
how
do
we
deal
with
the
heterogenous
requirements
having
to
speak
two
different
chains
in
different
ways
and
having
to
validate
different
chains
in
different
ways?
Well,
every
time
somebody
constructs
a
chain
architecture,
they
also
construct
a
like
client
and
the
like
client
embodies
the
logic
for
speaking
to
the
chain,
they're
co-designed
with
and
for
validating
that
something
that
allegedly
happened
on
the
chain
actually
happened
on
the
chain.
A
A
And
having
validated
that
those
messages
can
now
proceed
into
the
swing
set
and
turn
into
object
messages,
so
these
outer
cylinders
are
the
IBC
layer.
The
object
messages
on
these
capabilities
going
within
the
pipe.
That's
the
cap,
TP
layer,
built
on
the
IBC
layer
and
now
I'll
take
questions
on
that
layer.
B
A
The
the
between
chain
communication,
that
happens
by
virtue
of
IBC
and
cap
TP
swing
set,
is
for
communication
between
multiple
vats
within
one
chain
and
the
reason
to
have
a
larger
deterministic
unit,
then
single
that
single
VAT
is
a
synchronous
unit.
You
could
create
a
valid
architecture
where
each
VAT
was
also
the
largest
deterministic
unit
and
then
to
have
all
of
the
interact.
All
of
the
asynchronous
interaction
between
vats
itself
be
non-deterministic
as
well.
The
problem
is
that
that
means
you
would
have
to
pay
the
costs
of
a
consensus
mechanism.
A
Every
time
you
resolve
the
non
determinism
into
a
deterministic
message
or
a
rival
order
of
messages
and
there's
nothing
to
be
gained
for
multiple
vats
within
a
single
chain,
there's
nothing
to
be
gained
by
letting
them
run
non-deterministically
with
regard
to
each
other,
so
by
collecting
them
together
into
an
overall
deterministic
set
of
vats.
With
the
swing
set,
we
now
only
need
the
consensus
mechanism
with
the
RAI
with
regard
to
the
arrival
order
of
messages
arriving
at
the
chain
as
a
whole.
I.
B
A
Know
the
VAT
is
also
the
unit
of
portability
and
migration.
A
VAT
that
started
up
in
one
swing,
set
eventually
with
more
engineering,
can
be
pickled
and
moved
and
restarted
elsewhere,
with
all
of
the
capabilities
being
forwarded
to
make
it
to
the
vats
new
location.
So
the
logic
of
the
object
computation
within
of
that
should
be
completely
independent
of
what
chain
it's
running
on
and
I'll.
A
Explain,
actually
why
that
turns
out
to
be
very
important
as
we
get
to
the
world
of
smart
contracting,
it
has
to
do
with
this
issue.
Of
mutual
credibility
is
a
smart
contract
that
starts
off
locally,
can
be
mutually
credible
to
a
small
community,
but
as
the
smart
contract
proceeds
it
might
need
to
become
credible
to
a
larger
community,
and
at
that
point,
if
you
have
agreement
among
the
participants
to
migrate
it
to
a
more
public
place,
we'll
be
able
to
do
so
and
have
the
computation
itself
continue.
A
C
You
talk
a
little
bit
more
about
the
requirements
of
Iowa
client
in
terms
of
so
I
think
the
best
analogy
I
can
think
of
it's
like
the
Lightning
Network
they're,
trying
to
implement
this
protocol
neutrino,
which
is
basically
kind
of
like
a
bloom
filter.
So
if
you
imagine
every
capability
a
being
identified
by
a
hash,
you
could
put
these
longer
bloom
filter
in
kind
of
in
a
white
client
context.
Get
some
state
updates
just
for
your
set
of
capabilities.
Is
that
what
you
would
need
out
of
this
sort
of
like
client?
C
Yeah
briefly,
briefly,
at
different
chains
is
going
to
be
following
the
other
ones.
It's
specifically
following
the
set
of
messages
instead
of
IBC
messages
coming
from
that
chain,
so
the
messages
need
to
be
created
in
a
way
that
you
can
very
efficiently
make
sure.
This
is
the
next
message
in
that
sequence,
there
are
no
missing
messages
and
you'll
have
a
light
client
on
the
receiving
side,
just
enough
to
make
sure
that
the
relayer
supply
data
really
does
represent
the
subset
of
all
the
events
on
the
sending
chain
that
represent
messages
being
sent
over
that
channel.
C
D
Are
the
combats
instantiate
within
a
chain
or
around
the
chain?
And
and
so
I
can
imagine
two
scenarios,
one
where
there's
a
combat:
that's
actually
a
contract
within
a
chain
receiving
messages
and
multiplexing
between
them
and
sending
them
to
the
other
contracts
or
a
program
that
is
actually
receiving
the
IBC
message
and
then
D
muxing
and
then
sending
to
the
right
contract
kind
of
curious
around
that
and
then
mate
and
the
message
semantics
that
you
need
to
maybe
plug
in
entirely
new
systems
into
this.
A
So
the
coms
VAT
is
written
as
a
very
specialized
program,
and
it's
written
to
do
this
coordination
with
particular
other
chains
such
that
the
other
vats
within
the
check
within
that
swing
set,
as
well
as
the
swingset
kernel,
are
not
actually
even
aware
that
there
are
other
chains
all
of
the
awareness
that
there
that
there
exists.
Other
chains
are
really
the
responsibility
of
the
comms
VAT
so
to
the
other
vets
within
the
swing
set.
A
It's
as
if
the
entire
world
of
other
chains
is
inside
the
comms
bat
and
like
manner
to
each
VAT,
it's
as
if
the
entire
rest
of
the
world
is
inside
the
kernel
that
it's
talking
to
so
there's
these
levels
of
virtualization.
One
reason
that
that's
actually
very
nice
is
that
there's
nothing
privileged
about
the
comms
that
other
than
that
it's
given
access
to
the
network
and
it's
given
the
ability
to
use
certain
cryptographic
keys
in
order
to
speak
on
the
network.