When Corda starts using SGX on the Notary, why bother decentralizing the Notary into a Notary cluster?


When Corda Notaries start processing transactions inside the Intel SGX enclave, it appears that even the owner/admin of the server hosting the Notary node has no control over the execution of the smart contract or read access to transaction data. Hence a single Notary owner could not act in a malicious manner to prevent the transaction being executed as it should be.

If this is true, then what are the benefits from having a cluster of Notaries, owned by multiple different entities, that reach consensus on the result of a transaction?


There are several reasons:

  • In the first version of Corda's SGX integration, SGX hardware will be used to validate the transaction chain. However, it won't be used to force the notary to give valid notarisation results (i.e. the notary can still lie and say that a state that was already spent is unspent, or that a state that is unspent was already spent). Notary clusters can address this until providing notarisation results has also been moved into the SGX enclave.
  • Defence in depth - combining a BFT notary with SGX hardware provides a second line of defence if a flaw is found in SGX
  • Redundancy - if you're running a single-node notary and for some reason the SGX hardware becomes unusable, you won't be able to extract the historical list of spent states. With a notary cluster, the list of spent states is replicated.
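The first and third points above, as an added toy model (not from the answer and not Corda's code): each notary keeps a list of spent input states, a dishonest notary inverts its answer, and a cluster only accepts a result backed by a 2f+1 quorum of 3f+1 notaries. The class names and the quorum rule are assumptions for illustration.

```python
# Toy model of notarisation: a notary confirms that a transaction's input
# states have not already been spent. Constructed example, not Corda's code;
# the quorum rule (2f+1 of 3f+1 notaries) is an assumption for illustration.
from dataclasses import dataclass, field


@dataclass
class Notary:
    name: str
    lies: bool = False                       # a dishonest notary inverts the truth
    spent: set = field(default_factory=set)  # this notary's copy of the spent-state list

    def notarise(self, inputs: frozenset) -> bool:
        """True = accept (no input spent before), False = reject."""
        already_spent = any(ref in self.spent for ref in inputs)
        self.spent.update(inputs)            # record the inputs either way
        honest = not already_spent
        # A liar calls a spent state unspent and an unspent state spent.
        return (not honest) if self.lies else honest


def cluster_notarise(notaries, inputs: frozenset, f: int = 1) -> bool:
    """BFT-style decision: accept only if at least 2f+1 notaries say accept.
    With 3f+1 notaries, up to f liars or failed nodes cannot flip the result."""
    votes = [n.notarise(inputs) for n in notaries]
    return votes.count(True) >= 2 * f + 1


def demo():
    inputs = frozenset({"state-A#0"})        # constructed state reference
    # Single dishonest notary: blocks the valid first spend, approves the double spend.
    solo = Notary("solo", lies=True)
    single_result = (solo.notarise(inputs), solo.notarise(inputs))
    # Cluster of 3f+1 = 4 notaries with one liar: the honest majority decides.
    cluster = [Notary("n1"), Notary("n2"), Notary("n3"), Notary("n4-liar", lies=True)]
    first = cluster_notarise(cluster, inputs)    # valid spend accepted
    second = cluster_notarise(cluster, inputs)   # double spend rejected
    # Redundancy: if one honest notary loses its spent list, the others still hold it.
    cluster[0].spent.clear()
    replicas_with_record = sum(1 for n in cluster if inputs <= n.spent)
    return single_result, first, second, replicas_with_record
```

Running `demo()` shows the single liar producing `(False, True)` while the cluster returns `True` then `False`, with three replicas still holding the spent record after one is wiped.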