My proposal is about discussing weather the Cartesi Machine will be able to allow and execute state changing off-chain requests, all while maintaining decentralization through Dave.
I have a very very high level proposal that is mainly made to think about which would be the implications of this type of system, if it is possible and to evaluate any advantages and disadvantages.
here’s a diagram of what I’m thinking about at a high level:
The User will “login” in the application by signing a message or executing a transaction on-chain that will then be picked up by the State-fold Server and ask the Auth Server to generate its credential in the machine. The off-chain State Server receives and parse any communications (ability to use both UDP and TCP in a somewhat custom way would be a very big plus) from an endpoint that will then send to the Auth Server to be Authorized. If it does authorize it, it is then collected by the dispatcher as a valid message and give the machine the possibility to execute it and change the state, on the other hand if it does not authorize it, it is discarded. In the macine we can check based on auth token the account that has interacted with the app.
To reduce any DDoS, we can give each authorized party a fixed amount of requests second, for forgery we can make the login take place each time a user wants to have a session and discard it as a tight timeout period expires, which is still way less wallet activity from the standard action per transaction. The client does not incur any risk on any asset in its wallet.
It also can serve as an account abstraction, where user is not required to sign each time a transaction for a state change to happen and it does not pay gas as the dApp can choose weather to implement or not a gas structure inside the dApp (maybe to discourage misbehaving).
Finally, each input that the dispatcher gets it is then saved and added to the data used for the Dave consensus, thus anyone can reproduce the execution and check the result posted on chain.
Thinking about my solution I encountered a difficulty, how do we notify the correct client with the token? Would be enough to pass the data to the endpoint the client needs, then the machine parses it and sends an http with the token? Is it secure? To mitigate client IP forgery, before sending the token request the client can send a warm up request, in which the machine sends a generated key for encryption, then the client encrypts the payload to send on chain, it sends it and then the machine can securely decrypt the message and do its work without any risk to the client from being DDoS from a malicious actor
I am really interested in what you guys might think about it.
I think that Cartesi should aim at being able to bring any type of application on chain.