As the demand for privacy protection continues to grow, TEE has once again become a focal point of discussion. Although TEE was discussed several years ago, it was not widely adopted due to hardware security issues. However, as MPC and ZK technologies face challenges in performance and technical requirements, many researchers and developers are refocusing on TEE.

This trend has also sparked discussions on Twitter about whether TEE will replace ZK technology. Some users believe that TEE and ZK are complementary rather than competitive, as they solve different problems and neither is perfect. Other users point out that the security provided by AWS and Intel is higher than the multi-signature protection of Rollup. Considering the extensibility of TEE in design space, which ZK cannot achieve, this trade-off is deemed worthwhile.

What is TEE?

TEE is not a new concept. The TEE technology, known as “Secure Enclave,” is used in the Apple devices we commonly use. Its primary function is to protect users’ sensitive information and perform encryption operations. The Secure Enclave is integrated into the system-on-chip and is isolated from the main processor to ensure high security. For instance, every time you use Touch ID or Face ID, the Secure Enclave verifies your biometric information and ensures this data is not leaked.

TEE stands for Trusted Execution Environment. It is a secure area within a computer or mobile device that operates independently of the main operating system. Its main features include: isolation from the main operating system, ensuring internal data and execution remain secure even if the main OS is attacked; using hardware support and encryption technology to prevent internal code and data from being tampered with during execution; and protecting sensitive data from leakage using encryption technology.

Currently, common TEE implementations include:

• Intel SGX: Provides a hardware-supported isolated execution environment, creating a secure memory area (enclave) to protect sensitive data and code.
• ARM TrustZone: Creates a secure world and a normal world within the processor, with the secure world running sensitive operations and the normal world handling regular tasks.
• AWS Nitro Enclaves: Based on AWS Nitro TPM security chips, providing a trusted execution environment in the cloud, designed specifically for cloud computing scenarios involving confidential data.

In the crypto market, TEE technology is most commonly used for off-chain computation in a trusted and secure environment. Additionally, TEE’s remote attestation feature allows remote users to verify the integrity of the code running within the TEE, ensuring data processing security. However, TEE also has decentralization issues, as it relies on centralized vendors like Intel and AWS. If these hardware components have backdoors or vulnerabilities, system security could be compromised. Yet, as an auxiliary tool, TEE technology is easy to build and cost-effective, suitable for applications requiring high security and privacy protection. These advantages make TEE technology applicable to various crypto applications, such as privacy protection and enhancing Layer 2 security.

TEE Project Review

Flashbots: Achieving Private Transactions and Decentralized Block Building with SGX

In 2022, Flashbots began exploring privacy technologies related to Trusted Execution Environments (TEE) like SGX, considering them as crucial building blocks for trustless collaboration in the transaction supply chain. In March 2023, Flashbots successfully operated a block builder within Intel’s SGX enclave, marking a step forward towards private transactions and decentralized block builders. By utilizing SGX enclaves, block builders and other infrastructure providers cannot see the contents of user transactions. Builders can construct verifiable valid blocks within the enclave and honestly report their bids, potentially eliminating the need for mev-boost relays. Additionally, this technology helps mitigate the risk of exclusive order flows, allowing transactions to remain private while still being accessible to all block builders operating within the enclave.

While TEE does provide external resource access and privacy protection, its performance is not as high as non-TEE technologies. There are also centralization risks. Flashbots found that relying solely on TEE does not solve all issues; additional security measures and other entities are needed to verify TEE computations and code, ensuring system transparency and trustworthiness. Therefore, Flashbots envisioned a network composed of TEEs (Kettles) along with a trusted permissionless public chain (SUAVE Chain) to manage this network and host the programs running within the TEEs. This forms the basic concept of SUAVE.

SUAVE (Single Unified Auction for Value Expression) is an infrastructure aimed at addressing MEV-related challenges, focusing on separating the roles of mempool and block production from existing blockchains to form an independent network (ordering layer), which can serve as a plug-and-play mempool and decentralized block builder for any blockchain.

(More SUAVE introduction can be found in the previous ChainFeeds article)

SUAVE will be launched in two phases. The first version, SUAVE Centauri, includes private order flow auctions (OFA) and SUAVE Devnet (testnet). This version does not involve cryptography and TEE technology. The second version, Andromeda, will operate execution nodes in trusted execution environments like SGX. To ensure that computations and code running on offline TEE nodes work as expected, Flashbots will use TEE’s remote attestation feature, allowing smart contracts to verify messages from the TEE. Specific steps include: adding new precompiled functions to Solidity code to generate remote attestations; generating attestations using SGX processors; fully verifying attestations on-chain; and using the Automata-V3-DCAP library to validate these attestations.

In summary, SUAVE will integrate TEE to replace current third parties, with applications running within the SUAVE system (like order flow auctions or block builders) operating in TEE and ensuring the integrity of TEE computations and code through on-chain remote attestation.

Taiko: Building a Multi-Proof System Raiko through SGX

The concept of TEE can also be extended to Rollup to build a multi-proof system. Multi-proof refers to generating multiple types of proofs for a single block, similar to Ethereum’s multi-client mechanism. This ensures that even if one proof has vulnerabilities, the other proofs remain valid.

In a multi-proof mechanism, any user interested in generating proofs can run a node to extract data such as transactions and all state access Merkle proofs. Using this data, different types of proofs are generated and then submitted together to a smart contract, which verifies the correctness of the proofs. For proofs generated by TEE, it’s necessary to check whether the ECDSA signature is signed by the expected address. Once all proofs pass verification and confirm that the block hash matches, the block is marked as proven and recorded on the chain.

Taiko is using Intel SGX technology to build the multi-proof system Raiko for verifying Taiko and Ethereum blocks. By using SGX, Taiko can ensure data privacy and security during critical tasks, providing an additional layer of protection even if there are potential vulnerabilities. SGX proofs can run on a single computer and be completed in just a few seconds, without affecting the efficiency of proof generation. Additionally, Taiko has launched a new architecture that supports compiling client programs to run in both ZK and TEE environments, ensuring the correctness of block state transitions and evaluating performance and efficiency through benchmarking and monitoring.

Despite the many advantages provided by TEE, there are still some challenges during implementation. For instance, SGX setups need to support CPUs from different cloud providers and optimize gas costs during the verification process. Moreover, a secure channel needs to be established to verify the correctness of computations and code. To address these challenges, Taiko uses Gramine OS to encapsulate running applications within a secure enclave and provides easy-to-use Docker and Kubernetes configurations, enabling any user with SGX-enabled CPUs to conveniently deploy and manage these applications.

According to Taiko’s announcement, Raiko currently supports SP1, Risc0, and SGX, and they are continuously working to integrate Jolt and Powdr. In the future, Taiko plans to integrate more Riscv32 ZK-VM, expand Wasm ZK-VM, directly integrate with Reth to achieve real-time block proofs, and adopt a modular architecture to support multi-chain block proofs.

Scroll: Developing TEE Prover in Collaboration with Automata

The multi-proof mechanism of Scroll aims to achieve three goals: enhancing L2 security, not increasing finality time, and introducing only marginal costs to L2 transactions. Therefore, besides ZK proofs, Scroll needed to balance finality and cost-effectiveness when choosing an auxiliary proof mechanism. Although fraud proofs offer high security, their finality time is too long. While zkEVM verifiers are powerful, their development costs are high and complex. Ultimately, Scroll chose to use the TEE Prover proposed by Justin Drake as an auxiliary proof mechanism.

The TEE Prover operates in a protected TEE environment, allowing it to quickly execute transactions and generate proofs without increasing finality. Another significant advantage of the TEE Prover is its efficiency, as the overhead related to the proof process is negligible.

Currently, Scroll is collaborating with the modular proof layer Automata to develop the TEE Prover for Scroll. Automata is a modular verification layer designed to extend machine-level trust to Ethereum through TEE coprocessors. Scroll’s TEE Prover consists of two main components: on-chain and off-chain.

• SGX Prover: The off-chain component runs in an enclave to check whether the state root after block execution in the enclave matches the existing state root, and then submits a Proof of Execution (PoE) to the SGX Verifier.
• SGX Verifier: This smart contract is deployed on the L1 chain to verify the state transitions proposed by the SGX Prover and the proof report submitted by the Intel SGX enclave.

The SGX Prover monitors the batches of transactions submitted by the sequencer on L1 to ensure the data used during state transitions is complete and unaltered. The SGX Prover then generates a Block Proof (PoB) including all necessary information, ensuring that all nodes involved in verification and execution use the same dataset. After execution, the SGX Prover submits the PoE to L1, and the SGX Verifier checks if the PoE is signed by a valid SGX Prover.

The SGX Prover is written in Rust and uses SputnikVM as its EVM engine for executing smart contracts. This implementation can be compiled and run on machines supporting SGX hardware mode, and can also be debugged in non-SGX environments. The SGX Verifier uses the open-source DCAP v3 verification library by Automata to verify the entire block history of the Scroll testnet.

To reduce reliance on TEE implementations and hardware manufacturers, Scroll is also exploring a protocol to aggregate TEE Provers from different hardware and clients. This protocol will incorporate a threshold signature scheme, a cryptographic technique that allows multiple participants to jointly generate a signature, which is valid only if at least a certain number of participants agree. Specifically, TEE Prover requires multiple (e.g., N) TEE Provers to generate a consistent proof from at least T Provers.

Automata: Enhancing Blockchain Security and Privacy with TEE Coprocessors

Automata Network is a modular verification layer that uses hardware as a common Root of Trust. It enables a variety of use cases, including a multi-verifier system based on TEE verifiers, fairness and privacy for RPC relays, and building blocks within encrypted enclaves.

As mentioned earlier, Scroll’s multi-proof system was developed in collaboration with Automata. Additionally, Automata introduced TEE coprocessors as multi-prover AVS into the EigenLayer mainnet. A TEE coprocessor is hardware designed to perform specific computational tasks, complementing or extending the capabilities of the main chain. Automata Network’s TEE coprocessor extends blockchain functionality by executing secure computations within a TEE enclave.

Specifically, the Multi-Prover AVS is a task control center responsible for coordinating and managing multiple independent verifiers according to the requirements of different protocols. Protocols can publicly post tasks that need verification, and an incentivized committee of dedicated TEE nodes can be organized to handle these tasks. Nodes (operators) interested in verification can register to participate and collaborate to ensure security. Token holders who wish to support protocol security act as stakers, delegating their staking rights to trusted operators. This staking enhances the economic security needed in the early stages of the protocol because the staked funds serve as a guarantee, incentivizing operators to work honestly and efficiently. EigenLayer creates a permissionless market that allows stakers, operators, and protocols to freely participate.

Secret Network: Privacy Protection Based on SGX Technology

The privacy blockchain Secret Network mainly achieves data privacy protection through Secret Contracts and TEE. To this end, Secret Network adopts Intel SGX Trusted Execution Environment technology, and to ensure network consistency, Secret Network only allows the use of Intel SGX chips and does not support other TEE technologies.

Secret Network uses a remote attestation process to verify the integrity and security of the SGX enclave. Each full node creates an attestation report before registration, proving that its CPU has the latest hardware updates, and this is verified on-chain. Once new nodes obtain the shared consensus key, they can process network computations and transactions in parallel, thus ensuring overall network security. To reduce potential attack vectors, Secret Network chooses to use SGX-SPS (Server Platform Services) instead of SGX-ME (Management Engine).

In specific implementation, Secret Network uses SGX to perform computations with encrypted inputs, outputs, and states. This means that data remains encrypted throughout its lifecycle, preventing unauthorized access. Furthermore, each verification node of Secret Network uses an Intel SGX-supported CPU to process transactions, ensuring that sensitive data is decrypted only within the secure enclave of each verification node and is not accessible externally.

Oasis: Utilizing SGX to Build Private Smart Contracts

The privacy computing network Oasis adopts a modular architecture, separating consensus and smart contract execution into the consensus layer and the ParaTimes layer. As the smart contract execution layer, ParaTimes consists of multiple parallel ParaTimes, each representing a computational environment with a shared state. This allows Oasis to handle complex computational tasks in one environment and simple transactions in another.

ParaTimes can be classified into private and non-private types, with different ParaTimes capable of running different virtual machines. They can also be designed as permissioned or permissionless systems. As one of the core value propositions of Oasis, the network combines TEE technology to introduce two types of private smart contracts: Cipher and Sapphire. Both utilize Intel SGX’s TEE technology. Encrypted data and smart contracts enter the TEE together, where the data is decrypted and processed by the smart contract, and then re-encrypted upon output. This process ensures that data remains confidential throughout, preventing leakage to node operators or application developers. The difference is that Sapphire is a privacy EVM-compatible ParaTime, while Cipher is a privacy ParaTime for executing Wasm smart contracts.

Bool Network: Enhancing Bitcoin Verification Security and Decentralization with MPC, ZKP, and TEE Technologies

Bool Network integrates MPC, ZKP, and TEE technologies to transform external verifier clusters into a Dynamic Hidden Committee (DHC), thereby enhancing network security.

In the Dynamic Hidden Committee, to address the issue of private key exposure during the consensus signature process by external verification nodes, Bool Network introduces TEE technology. For example, by using Intel SGX technology, private keys are encapsulated in TEE, allowing node devices to operate within a local secure area where other system components cannot access the data. Through remote attestation, witness nodes can present proof to verify that they are indeed running within a TEE and storing keys securely. Other nodes or smart contracts can then verify these reports on-chain.

Additionally, BOOL Network is fully open for participation; any entity with TEE equipment can stake BOOL tokens to become a verification node.

Marlin: Decentralized Cloud Computing with TEE and ZK Coprocessors

Marlin is a verifiable computing protocol that combines Trusted Execution Environments (TEE) and Zero-Knowledge (ZK) coprocessors to delegate complex workloads to a decentralized cloud.

Marlin includes various types of hardware and sub-networks. Its TEE technology is primarily applied in the Marlin Oyster sub-network. Oyster is an open platform that allows developers to deploy custom computing tasks or services on untrusted third-party hosts. Currently, Oyster mainly relies on AWS Nitro Enclaves, a trusted execution environment based on AWS Nitro TPM security chips. To achieve a decentralized vision, Oyster may support more hardware vendors in the future. Additionally, Oyster allows DAOs to configure enclaves directly via smart contracts without needing specific members to manage SSH or other authentication keys, thereby reducing reliance on manual operations.

Phala Network: TEE-Based Multi-Proof System SGX-Prover

Phala Network is a decentralized off-chain computing infrastructure dedicated to achieving data privacy and secure computing through TEE. Currently, Phala Network only supports Intel SGX as its TEE hardware. Leveraging a decentralized TEE network, Phala Network has built the TEE-based multi-proof system Phala SGX-Prover. Specifically, the off-chain module sgx-prover runs the state transition program, generates a TEE Proof containing the computation results, and submits it to the on-chain sgx-verifier for verification.

To address concerns about SGX centralization, Phala Network introduced two roles: Gatekeeper and Worker. Gatekeepers are elected by PHA token holders through NPoS and are responsible for managing network keys and overseeing the economic model. Workers operate on SGX hardware. By introducing a key rotation mechanism, Gatekeepers can ensure the security of the TEE network.

Currently, Phala Network has over 30,000 TEE devices registered and operated by users globally. Additionally, Phala Network is exploring TEE-based fast finality solutions. Theoretically, fast finality can be achieved based on TEE proofs, providing ZK proofs only when necessary.

Summary

In the face of the debates on Twitter, Uniswap CEO Hayden Adams also shared his views, stating, “The negativity they get on crypto twitter has strong “perfection is the enemy of good” vibes. Everything has tradeoffs. The more tools at our disposal the better when scaling/securing blockchains and their peripheral components”.

Exploring the use cases mentioned above, it is evident that TEE technology has potential applications in addressing privacy and security issues. For example, Flashbots achieve private transactions and decentralized construction through TEE, while Taiko and Scroll use TEE to implement multi-proof systems, ensuring the security of L2 transactions. However, most projects currently rely on a single centralized vendor, which could pose some risks. In the future, it might be possible to support more hardware vendors and set node ratios to ensure that nodes run on different hardware, further reducing the centralization risks caused by over-reliance on a single vendor.

statement:

1. This article is reproduced from [ChainFeeds Research], the copyright belongs to the original author [LindaBell], if you have any objections to the reprint, please contact the Gate Learn team, and the team will handle it as soon as possible according to relevant procedures.

2. Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.

3. Other language versions of the article are translated by the Gate Learn team and are not mentioned in Gate.io, the translated article may not be reproduced, distributed or plagiarized.