TEE is hotly debated again: A new dawn in the dilemma of privacy technology development?

Original title: "TEE is hotly discussed again: a new dawn in the dilemma of privacy technology development?"

Original author: Linda Bell, ChainFeeds

With the growing demand for privacy protection, TEE has once again become the focus of discussion. Although TEE has been discussed several years ago, it has not been widely adopted due to hardware security issues. However, as MPC and ZK technologies encounter challenges in performance and technical requirements, many researchers and developers have refocused on TEE.

This trend has also triggered discussions on Twitter about whether TEE will replace ZK technology. Some users believe that TEE and ZK are complementary rather than competitive because they solve different problems and neither is perfect. Other users pointed out that AWS and Intel provide higher security than Rollup's multi-signature protection. Considering the scalability of TEE in the design space, which is not possible with ZK, this trade-off is worth it.

What is TEE?

TEE is not a strange concept. TEE technology, namely "Secure Enclave", is applied in the Apple mobile phones we often use. Its main function is to protect users' sensitive information and perform encryption operations. Secure Enclave is integrated into the system-level chip and isolated from the main processor to ensure high security. For example, whenever you use Touch ID or Face ID, Secure Enclave will verify your biometric information and protect it from being leaked.

TEE stands for Trusted Execution Environment, which is a secure area within a computer or mobile device that runs independently of the main operating system. Its main features include: isolation from the main operating system, even if the main operating system is attacked, internal data and execution are still safe; through hardware support and encryption technology, internal code and data are prevented from being tampered with during operation; encryption technology is used to protect sensitive data and prevent leakage.

Currently, the common TEE implementations are as follows:

· Intel SGX:Provides a hardware-supported isolated execution environment, creating a secure memory area (enclave) to protect sensitive data and code.

· ARM TrustZone:Creates a secure world and a normal world within the processor, with the secure world running sensitive operations and the normal world handling ordinary tasks.

· AWS Nitro Enclaves:Based on the AWS Nitro TPM security chip, it provides a trusted execution environment in the cloud, designed for cloud computing scenarios that process confidential data.

In the encryption market, TEE technology is most commonly used for off-chain computing in a trusted and secure environment. At the same time, TEE's Remote Attestation function allows remote users to verify the integrity of the code running in the TEE, ensuring the security of data processing. However, TEE also has the problem of insufficient decentralization because they rely on centralized suppliers such as Intel and AWS. If these hardware have backdoors or vulnerabilities, system security may be threatened. But as an auxiliary means, TEE technology is easy to build and low-cost, suitable for application scenarios that require high security and privacy protection. These advantages also enable TEE technology to be applied to various cryptographic applications, such as privacy protection and enhanced Layer2 security.

TEE Project Inventory

Flashbots: Private transactions and decentralized block building through SGX

Flashbots began exploring privacy technologies related to trusted execution environments such as SGX in 2022, and used it as an important building block for trustless collaboration on the transaction supply chain. In March 2023, Flashbots successfully ran a block builder in the SGX enclace, a trusted execution environment developed by Intel, taking a step towards achieving private transactions and decentralization of block builders. With SGX enclace, block builders and other infrastructure providers cannot see the content of user transactions, and builders build verifiable valid blocks within the enclave and report their bids truthfully, potentially eliminating the need for mev-boost relays. In addition, this technology helps reduce the risk of exclusive order flow, allowing transactions to remain private while still being accessible to all block builders running within the enclave.

While TEE does provide external resource access and privacy protection, its performance is not as high as non-TEE technology. And there are some centralization risks. Flashbots found that relying on TEE alone cannot solve all problems, and it is necessary to combine other security measures and introduce other entities to verify the TEE's calculations and code to ensure the transparency and trustworthiness of the system. Therefore, Flashbots envisioned a network composed of TEEs (Kettles), and a trusted permissionless public chain (SUAVE Chain) responsible for managing this network and hosting programs to be run in TEEs. This is the basic concept of SUAVE.

SUAVE (Single Unified Auction for Value Expression) is an infrastructure designed to solve MEV-related challenges, focusing on separating the roles of memory pool and block generation from existing blockchains to form an independent network (sorting layer) that can serve as a plug-and-play memory pool and decentralized block builder for any blockchain.

(For more SUAVE introductions, please refer to ChainFeeds previous article)

SUAVE will be launched in two phases. The first version is SUAVE Centauri , including the Privacy Order Flow Auction (OFA) and SUAVE Devnet (testnet). This version of the implementation does not involve cryptography and TEE technology. The second version is Andromeda, which will run execution nodes in a trusted execution environment (such as SGX). In order to ensure that the calculations and code on the offline TEE nodes run as expected, Flashbots enables smart contracts to verify messages from the TEE through the remote attestation function of the TEE. The specific steps include: adding a new pre-compilation function to the Solidity code to generate remote attestations; using the SGX processor to generate attestations; fully verifying the attestations on the chain; and using the Automata-V3-DCAP library to verify these attestations.

In summary, SUAVE will replace the current third party by integrating TEE. Applications running in the SUAVE system (such as order flow auctions or block builders) will run inside the TEE, and the TEE calculation and code integrity will be ensured by on-chain remote attestations.

Taiko: Building a multi-proof system Raiko through SGX

The concept of TEE can also be extended to Rollup to build a multi-proof system. Multi-proof refers to generating multiple types of proofs for a block, similar to Ethereum's multi-client mechanism. This mechanism ensures that even if one proof has a vulnerability, other proofs are still valid.

Under the multi-proof mechanism, any user interested in generating proofs can run a node and extract data such as transactions and Merkle proofs of all state accesses. Different types of proofs are generated using this data, and then all the proofs are submitted together to the smart contract, which verifies the correctness of the proof. For the proof generated by the TEE, it is necessary to check whether the ECDSA signature is signed by the expected address. When all the proofs are verified and the block hash is confirmed to be consistent, the block will be marked as proven and recorded on the chain.

Taiko is using Intel SGX technology to build a multi-proof system Raiko to verify Taiko and Ethereum blocks. By using SGX, Taiko is able to ensure data privacy and security when performing critical tasks, and even if there are potential vulnerabilities, TEE can provide additional protection to prevent attackers from compromising the proof system. SGX proofs can be run on a single computer and take only a few seconds to complete, without affecting the efficiency of generating proofs. In addition, Taiko introduced a new architecture that supports compiling client programs into a format that can run in ZK and TEE, ensuring the correctness of block state transitions, and evaluating performance and efficiency through benchmarking and monitoring.

Although TEE provides many advantages, there are still some challenges in the implementation process. For example, the SGX setting needs to support CPUs from different cloud providers and optimize the gas cost during the verification process. In addition, a secure channel needs to be established to verify the correctness of calculations and codes. To address these challenges, Taiko uses Gramine OS to encapsulate running applications in a trusted enclave and provides easy-to-use Docker and Kubernetes configurations, so that any user with an SGX-capable CPU can easily deploy and manage these applications.

According to Taiko's announcement, Raiko currently supports SP1, Risc0 and SGX, and is constantly working on integrating Jolt and Powdr. In the future, Taiko plans to integrate more Riscv32 ZK-VM, expand Wasm ZK-VM, directly integrate with Reth to achieve real-time proof of blocks, and adopt a modular architecture to support multi-chain block proof.

Scroll: Collaborating with Automata to develop TEE Prover

Scroll’s multi-proof mechanism aims to achieve three goals: enhance L2 security, not increase finality time, and introduce only marginal costs to L2 transactions. Therefore, in addition to ZK proofs, Scroll needs to balance finality and cost-effectiveness when choosing a secondary proof mechanism. Fraud proofs, although highly secure, have too long finality time. And zkEVM validators, while powerful, are expensive and complex to develop. Finally, Scroll chose to use TEE Prover proposed by Justin Drake as a secondary proof mechanism.

TEE Prover runs in a protected TEE environment, can quickly execute transactions and generate proofs, so it does not increase finality. In addition, another important advantage of TEE Prover is its efficiency. The overhead associated with the proof process is negligible.

Scroll is currently working with modular proof layer Automata to develop TEE Prover for Scroll. Automata is a modular verification layer designed to extend machine-level trust to Ethereum via TEE coprocessors.Scroll’s TEE Prover consists of two main components, on-chain and off-chain:

· SGX Prover: An off-chain component that runs in the enclave and is used to check whether the state root after executing a block in the enclave matches the existing state root, and then submits a Proof of Execution (PoE) to the SGX Verifier.

· SGX Verifier: This is a smart contract deployed on the L1 chain that needs to verify whether the state transition proposed by the SGX Prover and the proof report submitted by the Intel SGX enclave are correct.

SGX Prover monitors the transaction batches submitted by the sorter on L1 to ensure that the data used to perform the state transition is complete and has not been tampered with. SGX Prover then generates a block proof (PoB) containing all the necessary information to ensure that all nodes involved in verification and execution use the same data set. After execution, SGX Prover submits the proof of execution (PoE) to L1. SGX Verifier will then check whether the PoE is signed by a valid SGX Prover.

SGX Prover is written in the Rust programming language and uses SputnikVM as its EVM engine for executing smart contracts. The implementation can be compiled and run on machines that support SGX hardware mode, and can also be debugged in a non-SGX environment. SGX Verifier uses Automata's open source DCAP v3 verification library to verify the entire block history of the Scroll testnet.

In addition, to reduce trust issues for TEE implementations and hardware manufacturers, Scroll is also working on a protocol to aggregate TEE Provers from different hardware and clients. The protocol will be combined with a threshold signature scheme. The threshold signature scheme is a cryptographic technique that allows multiple participants to jointly generate a signature that is valid only when at least a certain number of participants agree. Specifically, the TEE Prover requires at least T provers out of multiple (e.g., N) TEE provers to generate consistent proofs.

Automata: Enhancing the security and privacy of blockchains with TEE coprocessors

Automata Network is a modular verification layer that uses hardware as a common Root of Trust, enabling many use cases, including multi-validator systems based on TEE validators, providing fairness and privacy for RPC relays, and building blocks in encrypted enclaves.

As mentioned above, Scroll's multi-proof system was developed in cooperation with Automata. In addition, Automata has also introduced TEE coprocessors as multi-proof AVS to the EigenLayer mainnet. TEE coprocessors are hardware that performs specific computing tasks to supplement or expand the capabilities of the main chain. Automata Network's TEE coprocessors extend the functionality of blockchains by performing secure computations in a TEE-isolated area.

Specifically, Multi-Prover AVS is a task control center that coordinates and manages multiple independent validators according to the requirements of different protocols. Individual protocols can publicly publish tasks that need to be verified, and then a committed TEE committee incentivized by long-term rewards can be organized. Nodes (operators) that actually perform verification can register to participate in these tasks and can cooperate with each other to ensure security. Users who hold tokens and are willing to support the security of the protocol are stakers, who entrust the staking rights to trusted operators. This staking enhances the economic security required by the protocol in its early stages, because the staked funds serve as a guarantee to incentivize operators to work honestly and efficiently. EigenLayer creates a permissionless market that allows stakers, operators, and protocols to participate freely.

Secret Network: Privacy protection based on SGX technology

The privacy public chain Secret Network mainly implements data privacy protection through Secret Contract and TEE. To achieve this goal, Secret Network uses Intel SGX trusted execution environment technology, and to ensure network consistency, Secret Network only allows the use of Intel SGX chips, and does not support other TEE technologies.

Secret Network uses a remote attestation process to verify the integrity and security of the SGX security zone. Each full node creates an attestation report before registration to prove that its CPU uses the latest hardware upgrade and verifies it on the chain. After the new node obtains the consensus shared key, it can process calculations and transactions in the network in parallel, thereby ensuring the overall security of the network. In order to reduce possible attack vectors, Secret Network chooses to use SGX-SPS (Server Platform Service) instead of SGX-ME (Management Engine).

In terms of implementation, Secret Network uses SGX for computations with encrypted inputs, outputs, and states. This means that data remains encrypted throughout its lifecycle to prevent unauthorized access. In addition, each verification node of Secret Network uses an Intel SGX-enabled CPU to process transactions, ensuring that sensitive data is only decrypted within the security zone of each verification node and cannot be accessed from the outside.

Oasis: Building Privacy Smart Contracts with SGX

The privacy computing network Oasis adopts a modular architecture, dividing consensus and smart contract execution into the consensus layer and the ParaTimes layer, respectively. As the smart contract execution layer, ParaTimes consists of multiple parallel ParaTimes, each of which represents a computing environment with a shared state. This allows Oasis to process complex computing tasks in one environment and simple transactions in another.

ParaTimes can be divided into two types: privacy and non-privacy. Different ParaTimes can run different virtual machines and can be designed as permissioned or permissionless systems. As one of Oasis' core value propositions, Oasis has launched two privacy smart contracts in combination with TEE technology: Cipher and Sapphire. Both use Inte SGX's TEE technology. The encrypted data and smart contracts will enter the TEE together, the data will be decrypted and processed by the smart contract, and then encrypted again when it is output. This process ensures that the data remains confidential throughout the entire processing process and is not leaked to node operators or application developers. The difference is that Sapphire is a privacy EVM-compatible ParaTime, while Cipher is a privacy ParaTime used to execute Wasm smart contracts.

Bool Network: Combining MPC, ZKP and TEE technologies to enhance the security and decentralization of Bitcoin verification

Bool Network combines MPC, ZKP and TEE technologies to transform the external validator cluster into a dynamic hidden committee (DHC) to enhance network security.

In the dynamic hidden committee, in order to solve the problem of private key exposure caused by the need for consensus signatures by external verification nodes during the verification process, Bool Network introduced TEE technology. For example, through Intel SGX technology, private keys are encapsulated in TEE, allowing node devices to run in a local security zone, while other components in the system cannot access the data. Through remote attestation, witness nodes can present proof to verify that they are indeed running in TEE and storing keys, and other nodes or smart contracts can verify these reports on the chain.

In addition, BOOL Network is completely open to access, and any entity with a TEE device can become a verification node by staking BOOL.

Marlin: Decentralized cloud computing with TEE and ZK coprocessor

Marlin is a verifiable computing protocol that combines a trusted execution environment and a ZK coprocessor to delegate complex workloads to a decentralized cloud.

Marlin includes multiple types of hardware and subnetworks. Its TEE technology is mainly used on the subnetwork Marlin Oyster. Oyster is an open platform that allows developers to deploy customized computing tasks or services on untrusted third-party hosts. Oyster currently relies mainly on AWS Nitro Enclaves, a trusted execution environment based on the AWS Nitro TPM security chip. In order to realize the vision of decentralization, Oyster may be compatible with more hardware vendors in the future. In addition, Oyster allows DAOs to directly configure enclaves through smart contract calls without the need for specific members to manage SSH or other authentication keys. This approach reduces reliance on manual operations.

Phala Network: SGX-Prover, a multi-proof system based on TEE

Phala Network is a decentralized off-chain computing infrastructure dedicated to achieving data privacy and secure computing through TEE. Currently, Phala Network only supports Intel SGX as its TEE hardware. Based on the decentralized TEE network, Phala Network has built a TEE-based multi-proof system Phala SGX-Prover. Specifically, the off-chain module sgx-prover generates a TEE Proof containing the calculation results after running the state transition program, and submits it to the on-chain sgx-verifier for verification.

In order to address users' concerns about SGX centralization, Phala Network introduced two roles: Gatekeeper and Worker. Gatekeeper is elected by PHA token holders through NPoS and is responsible for managing network keys and overseeing the economic model. Workers run on SGX hardware. By introducing a key rotation mechanism, Gatekeepers can ensure the security of the TEE network.

Currently, Phala Network has more than 30,000 TEE devices registered and operated by users around the world. In addition, Phala Network is also exploring TEE-based fast finality solutions. In theory, fast finality can be achieved based on TEE proofs, and ZK proofs are only provided when necessary.

Summary

Facing the debate on Twitter, Uniswap CEO Hayden Adams also expressed his views. He said, "The negative comments received by TEE all imply that the pursuit of perfection has hindered good results. There are trade-offs in everything. In the field of protecting blockchains, the more tools available, the better."

Through the exploration of the above use cases, we can see the application potential of TEE technology in solving privacy and security issues. For example, Flashbots uses TEE to achieve private transactions and decentralized construction, while Taiko and Scroll use TEE to implement a multi-proof system to ensure the security of L2 transactions. However, most projects currently rely on a single centralized supplier, which may bring certain risks. In the future, it may be possible to be compatible with more hardware suppliers, and by setting the node ratio to ensure that the nodes run on different hardware, to further reduce the centralization risk caused by over-reliance on a certain supplier.

Original link

欢迎加入律动 BlockBeats 官方社群：

Telegram 订阅群： https://t.me/theblockbeats

Telegram 交流群： https://t.me/BlockBeats_App

Twitter 官方账号： https://twitter.com/BlockBeatsAsia