Glosario

Trusted Execution Environments (TEEs)

Hard

Trusted Execution Environments (TEEs) are secure areas within a main processor that provide a protected space where sensitive code and data can operate.

What Are TEEs?

Trusted Execution Environments (TEEs) are secure areas within a main processor. They provide a protected space where sensitive code and data can operate without fear of tampering or observation from the outside world. In the context of web3, think of TEEs as impenetrable vaults within nodes or validators, safeguarding private keys, confidential smart contract data, and critical decentralized application (dApp) operations from potential threats in the broader network environment.

The concept of TEEs isn't new. It originated in the mid-2000s when the Open Mobile Terminal Platform (OMTP) defined them in their "Advanced Trusted Environment: OMTP TR1" standard. This standard outlined two security profiles: one targeting software attacks and another addressing both software and hardware threats.

At their core, TEEs consist of two main components: a hardware isolation mechanism and a secure operating system running on top of that isolation. This combination creates a robust barrier between the TEE and the rest of the system. Only trusted applications have access to the full power of the device's processor, peripherals, and memory within this protected zone. Meanwhile, the hardware isolation shields these resources from user-installed apps running in the main operating system.

TEEs rely on a "hardware root of trust" to prevent simulation by user-controlled software. This root of trust is typically a set of private keys embedded directly into the chip during manufacturing. These keys are immutable and serve as the foundation for the TEE's security model.

TEEs have become increasingly used in web3 to enable privacy-preserving smart contracts and enhance the security of decentralized applications. This trend has led to the development of TEE-based "confidential computing" platforms specifically designed for blockchains. They allow developers to build dApps that can process sensitive data off-chain while still maintaining the trust and transparency benefits of blockchains.

What Are They Used For in Web2?

TEEs have a wide range of applications across various industries, and are included as standard in all new NVIDIA H100 GPUs. They're commonly used in Digital Rights Management (DRM) to protect high-value content like 4K movies or premium audio from unauthorized access or copying. In the realm of mobile financial services, TEEs secure mobile wallets, contactless payments, and point-of-sale terminals by safeguarding sensitive financial data.

Authentication is another key use case for TEEs. They provide a secure environment for biometric identification methods such as facial recognition, fingerprint scanning, and voice authorization. Enterprises and government organizations leverage TEEs to handle confidential information on mobile devices and server infrastructure securely.

In the world of software development, TEEs enable secure modular programming. They allow for the creation of isolated, secure modules within larger software systems, enhancing overall security and reliability. With the rise of digital assets, TEEs are increasingly used to implement secure crypto-wallets, offering enhanced protection for storing and managing tokens.

How Are They Useful in Web3?

In the world of web3, TEEs offer several compelling advantages. They enable confidential smart contract execution, allowing developers to build dApps that protect sensitive user data without sacrificing functionality. By offloading complex computations to TEEs, blockchain can process transactions more efficiently, improving overall scalability.

TEEs can act as trusted intermediaries between different blockchain networks, facilitating secure cross-chain transactions and data exchange. They can also serve as secure environments for oracle computations, ensuring the integrity of external data fed into smart contracts.

TEEs are used by multiple projects for these purposes, including Secret Network, Oasis Network, Automata, Phala, Marlin, and Flashbots.

Some layer 2 scaling solutions leverage TEEs to perform off-chain computations securely, reducing the burden on the main blockchain while maintaining security guarantees. In the realm of decentralized finance (DeFi), TEEs enable the development of applications that can process sensitive financial data without exposing it to the public blockchain.

For crypto wallets and other blockchain applications, TEEs provide a secure environment for storing and managing private keys. This adds an extra layer of protection against potential attacks or breaches.

While TEEs offer significant benefits for web3 applications, it's important to note that they're not without challenges. The reliance on hardware manufacturers introduces a degree of centralization, which can be at odds with the decentralized ethos of many blockchain projects. Additionally, while rare, hardware vulnerabilities in TEEs can potentially compromise the security of the entire system.

Despite these challenges, the unique combination of security, performance, and flexibility offered by TEEs makes them a powerful tool in the web3 developer's arsenal. As the technology continues to evolve, we can expect to see even more innovative uses of TEEs in the blockchain space, pushing the boundaries of what's possible in decentralized systems.

How Do They Differ From Zero-knowledge Proofs?

While both TEEs and zero-knowledge proofs (ZKPs) aim to enhance privacy and security in digital systems, they approach these goals in fundamentally different ways. TEEs use hardware-based isolation and encryption to protect data and computations. ZKPs, on the other hand, are purely cryptographic protocols that allow one party to prove knowledge of information without revealing the information itself.

In terms of performance, TEEs generally offer better results for complex computations. ZKPs can be computationally expensive, especially for intricate proofs, although verification is typically fast. TEEs provide a more flexible environment for general-purpose computations, while ZKPs often require custom circuits for specific use cases, which can limit their applicability.

The trust models of these technologies also differ. TEEs rely on trust in the hardware manufacturer and the integrity of the hardware itself. ZKPs don't require trust in any third party but rely on the mathematical properties of the cryptographic protocols.

When it comes to data handling, TEEs can work with and protect large amounts of data in real-time. ZKPs are more suited to proving specific statements about data without revealing the data itself. In terms of scalability, TEEs can handle multiple users and applications concurrently with relative ease. Scaling ZKPs for multi-party scenarios can be more challenging, especially when privacy between parties is required.






About the Author: Harry Roberts is Head of Product at Oasis. With a background in security audits and firmware development, Harry transitioned to web3 after exploring ZK-SNARKs through an Ethereum Foundation grant. He was drawn to Oasis for its confidential EVM capabilities, seeing it as an opportunity to build privacy-preserving decentralized applications. Harry is passionate about improving blockchain usability and privacy, believing technological solutions are needed to protect user data. He sees potential for confidential smart contracts to enable new use cases in gaming and finance.


Oasis develops privacy-preserving blockchain infrastructure that enables confidential smart contracts and encrypted data processing for Web3 applications. The project is also working on integrating privacy and verifiability features for AI systems, aiming to support responsible development of decentralized AI technologies.