Blockchain × TEE: Why Various Forefront Projects are Adopting TEE

TOKI
9 min read · Mar 13, 2024

Acknowledgment: Special thanks to the Taiko team, the Fireblocks team, Patrick from Secret Network, and Ikuma from Tané for feedback on this article.

The blockchain technology stack has made significant advancements, yet it continues to encounter a range of challenges. As the adoption of rollups expands, the challenges associated with scalability and interoperability are becoming increasingly pronounced. Furthermore, conducting transactions on public blockchains still compromises privacy and the Miner Extractable Value (MEV) factor remains a critical concern.

In response to these challenges, zero-knowledge (ZK) technology has emerged as a powerful solution and has evolved significantly in recent years. However, ZK technology is still in its early stages, with a considerable risk of security vulnerabilities due to bugs, and its adoption is limited by high computational costs and complex implementation requirements.

In this evolving tech landscape, an increasing number of projects are utilizing Trusted Execution Environments (TEEs), specifically Intel SGX, to address privacy, scalability, and interoperability challenges. Although SGX has had vulnerabilities in the past, as shown in SGX.Fail, the enthusiasm for it is evident, with industry figures like Georgios, a partner at Paradigm, frequently expressing high expectations for its impact.

Our team at TOKI, by providing an IBC bridge, is also adopting SGX as a key element in our security model. TOKI implements a multi-prover approach combining SGX and MPC.

This blog post aims to showcase a variety of blockchain projects that utilize SGX, highlighting its significant impact on advancements within the entire blockchain field. We hope that more projects will become interested in utilizing SGX, thereby advancing the entire industry.

What are TEE and Intel SGX?

A TEE is a hardware-based, tamper-proof solution that isolates an area of the processor from the rest of the CPU. Among TEE implementations, SGX is the most widely adopted.

As the diagram above illustrates, SGX has a key component called an “enclave”, which is an isolated environment in the computer’s memory. SGX acts like a secure vault in the processor itself, combining strong encryption and hardware-level isolation to safeguard enclave programs. Therefore, even if a hacker gains access to applications, the OS, the hypervisor, the BIOS, etc., the enclave will remain secure.

The enclave plays a pivotal role in the blockchain space in terms of privacy and security because it enables the confidential storage of private data and the secure execution of code.

For more details, please check out the articles below.

Notable Blockchain Projects Using SGX (TEE)

In this section, we will explore notable blockchain projects that utilize SGX, and explain why and how they are using or considering using SGX.

TOKI, Taiko, and Scroll are implementing SGX as one of the proof elements to hedge the risk of bugs and vulnerabilities in a single proving system when solving scalability and interoperability issues. Oasis Network, Secret Network, Flashbots, and many more are leveraging the privacy features provided by SGX. Flashbots is using it specifically to address the MEV problem.

We will provide a summary of each project and an overview of how they are using SGX.

Next, let’s look into each project one by one.

TOKI

Project Summary:
TOKI is an IBC-enabled cross-chain bridge across multiple blockchains including Ethereum, BNB Chain, L2 chains such as Arbitrum and Optimism, and Cosmos. TOKI is set to be launched in Q2 2024 on the testnets of Ethereum and BNB Chain. The team is one of the leading contributors to IBC, especially known as the core contributor of ibc-solidity, which enables EVM chains to communicate with other blockchains via IBC.

How to Apply SGX:
TOKI uses SGX to carry out light client verification inside an enclave and sends the proof generated in the enclave to the destination blockchain. Additionally, TOKI adopts a multi-prover approach that combines SGX and MPC to enhance security while maintaining low verification costs. This approach makes it impractically difficult for attackers to compromise the system, as they would need to hack multiple SGX nodes simultaneously. To further elevate the security level, TOKI plans to combine ZK proofs with the multi-prover approach. Find out more here.

X / Website

Taiko

Project Summary:
Taiko is a type-1 ZK-EVM (a fully Ethereum-equivalent ZK-Rollup) and aims to scale Ethereum in a manner that emulates Ethereum as closely as possible. Taiko has launched a series of testnets since its first testnet in Dec 2022, and the latest testnet as of writing is Katla Testnet (Alpha-6). The mainnet launch is scheduled for ‘Early 2024’ according to the roadmap.

How to Apply SGX:
Taiko is the first ZK-EVM to announce its multi-prover approach. Taiko incorporates SGX as part of its multi-prover approach to enhance the security and reliability of its ZK-Rollup. Taiko uses both ZK proofs and SGX-based proofs, and the Rollup smart contract verifies each kind of proof in its own way. For a ZK proof, that means running the verifier on the proof. For an SGX-based proof, it just means checking that an ECDSA signature over the expected data was produced by the expected address.

Once all proofs pass verification and the expected number of proofs has been provided, a final check ensures that all proofs have the same blockhash. Then, the block is marked as proven. Find out more here.
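The checks described above, written out in Go as an added example; this is not Taiko's contract code. The names `Proof`, `NewEnclave`, `SGXVerifier` and `MarkProven` are hypothetical, P-256 replaces Ethereum's secp256k1 address recovery, the ZK verifier is a caller-supplied stand-in, and the rule that each proof kind counts only once is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
)

// Proof is one prover's claim about a block; Kind is "zk" or "sgx" (assumed names).
type Proof struct {
	Kind      string
	BlockHash [32]byte
	Payload   []byte // for "sgx": ASN.1 ECDSA signature over BlockHash
}

// NewEnclave plays the enclave side; P-256 stands in for Ethereum's secp256k1.
func NewEnclave() (*ecdsa.PublicKey, func([32]byte) []byte) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &k.PublicKey, func(h [32]byte) []byte {
		sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
		return sig
	}
}

// SGXVerifier accepts only signatures made by the key registered for the enclave.
func SGXVerifier(registered *ecdsa.PublicKey) func(Proof) bool {
	return func(p Proof) bool { return ecdsa.VerifyASN1(registered, p.BlockHash[:], p.Payload) }
}

// MarkProven: every proof valid, kinds distinct (an assumption), one block hash, enough kinds.
func MarkProven(proofs []Proof, vs map[string]func(Proof) bool, required int) bool {
	seen := map[string]bool{}
	for _, p := range proofs {
		if v, ok := vs[p.Kind]; !ok || seen[p.Kind] || p.BlockHash != proofs[0].BlockHash || !v(p) {
			return false
		}
		seen[p.Kind] = true
	}
	return len(seen) >= required
}

func main() {
	pub, sign := NewEnclave()
	h := [32]byte{0xaa}                                    // constructed block hash
	zk := func(p Proof) bool { return len(p.Payload) > 0 } // stand-in, not a real ZK verifier
	vs := map[string]func(Proof) bool{"zk": zk, "sgx": SGXVerifier(pub)}
	fmt.Println(MarkProven([]Proof{{"zk", h, []byte{1}}, {"sgx", h, sign(h)}}, vs, 2))
}
```

A signature from an unregistered key, a signature over a different block hash, or two "sgx" proofs submitted in place of one ZK and one SGX proof each make `MarkProven` return false.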

X / Website

Secret Network

Project Summary:
Secret Network is a blockchain protocol that enables new use cases for dApps by providing secure confidential computation at the smart contract level. It enables developers to build dApps that safeguard user data by making input, output and (shared) state encrypted by default. Built with Cosmos SDK, Secret Network ensures interoperability with other blockchains that support IBC. Secret Network also provides its confidential computation to many other blockchain ecosystems through cross-chain communication protocols, allowing developers to build encryption-enabled use cases on nearly any EVM chain, with additional ecosystems like Solana and Near planned for the future.

How to Apply SGX:
Secret Network employs SGX to allow for encrypted input and access-controlled output so that users can use blockchain dApps freely without worrying about privacy. Computation over a shared encrypted state allows developers to build applications with sensitive information at the core, which was not possible before. Each node within the network is verifiably running a genuine SGX enclave, ensuring that data remains encrypted and secure throughout the contract lifecycle. The encrypted data can only be decrypted and accessed within the SGX enclave, providing an additional layer of security against unauthorized access. Find out more here.

X / Website

Fireblocks

Project Summary:
Fireblocks is an enterprise-grade platform offering a secure infrastructure for moving, storing, and issuing digital assets. It enables digital exchanges, lending desks, custodians, banks, trading desks, and hedge funds to efficiently scale their digital asset operations through the Fireblocks Network and MPC-based Wallet Infrastructure. Serving thousands of financial institutions, Fireblocks has secured the transfer of over $4 trillion in digital assets and offers a comprehensive insurance policy covering assets both in storage and in transit.

How to Apply SGX:
Fireblocks has built a multi-layer security matrix that layers MPC, secure enclaves, its signature Policy Engine, and an asset transfer network to provide the strongest software and hardware defense available against evolving attack vectors. As no security technology alone is unbreakable, Fireblocks’ approach to security protects all attack surfaces in a redundant structure to provide multiple fail-safes, in the event one security control fails.

Fireblocks utilizes Intel SGX, a hardware-level enclave that isolates selected code and data within a system. It is designed to protect the cryptographic material, the cryptographic algorithm (MPC and ZKPs), and the execution of sensitive parts of the software from both insiders (such as rogue admins) and hackers.

As the MPC key shares are stored in SGX, they cannot be extracted even if malware or a hacker has control over the server’s OS, because the memory space and the data in the SGX enclave are encrypted. Fireblocks also utilizes SGX to secure API keys. In the trusted execution environments (TEEs) where Fireblocks stores these exchange credentials, the information cannot be retrieved by hackers, inside colluders, or even Fireblocks employees.

X / Website

Flashbots

Project Summary:
Flashbots is a research and development organization focused on mitigating the adverse effects of MEV extraction techniques and safeguarding state-rich blockchains like Ethereum from potential existential risks associated with MEV. Among its most notable initiatives is Flashbots Alpha, a platform designed to facilitate transparent and efficient MEV transactions by enabling direct communication between searchers and miners.

How to Apply SGX:
Flashbots implemented a block builder within an SGX enclave, marking a significant advancement toward ensuring transaction confidentiality and decentralizing the block-building role in the Ethereum ecosystem. This initiative is now live on the Ethereum Sepolia testnet according to the blog post. Flashbots also tries to leverage SGX to achieve complete privacy and permissionlessness in MEV auctions with ‘MEV-SGX’, addressing the challenges posed by current MEV extraction techniques that could present existential risks to blockchains. Find out more here.

Furthermore, Andrew Miller, in a recent post on the Flashbots blog, introduced their new experimental product, Sirrah, a TEE-based Coprocessor. This product extends the smart contract environment of blockchains with TEE-based secure computing, showcasing promising potential.

Website

Oasis Network

Project Summary:
Oasis Network is a privacy-enabled blockchain platform. Since its launch in 2020, it has attracted developers interested in the privacy aspect and there are over 40 applications as of this publication. Oasis Network consists of two layers: the consensus layer and the ParaTime layer. Sapphire and Cipher, two of the ParaTime layers, support SGX for confidential smart contracts.

How to Apply SGX:
Oasis Network utilizes SGX to execute smart contracts confidentially. In their confidential ParaTimes, encrypted data is sent into the secure enclave along with the smart contract, where the data is decrypted and processed. After processing, the data is encrypted again before being sent out of the enclave. This entire process ensures the confidentiality of the data, preventing node operators and app developers from accessing it. Find out more here.

X / Website

Conclusion

In this blog post, we’ve taken a deep dive into the world of major blockchain projects that are harnessing TEE, especially SGX. We’ve explored how these projects are integrating SGX into their products and the unique advantages it brings to the table.

From what we’ve observed, SGX stands out as a crucial technological pillar for many leading projects. Its potential and effectiveness are set to be further validated in the times ahead. The way it is utilized by Flashbots, Oasis Network, and Secret Network is a very effective option because it does not impact users’ funds and improves privacy. Furthermore, in terms of security, the effectiveness is greatly enhanced by incorporating a multi-prover approach, as done by TOKI, Taiko, and Scroll.

While SGX continues to evolve and face its set of challenges, its status as a viable and valuable option remains undisputed. Looking forward to 2024, we anticipate a surge in projects that leverage SGX technology.

As for TOKI, we aim to prove its potential by building a multi-prover IBC bridge consisting of SGX and MPC, leading and contributing to projects that not only embrace SGX but also pioneer the multi-prover approach. Let’s build together! If you are interested in this initiative, feel free to contact us at contact [at] toki.finance.

Follow us on X (formerly Twitter) and see our Linktree page for more details.

TOKI

The first IBC bridge to connect Ethereum, BNB Chain, Cosmos and more. https://toki.finance/