Thanks to Mark Simkin, Andrew Miler, Hasu, Reid Yager, Jonathan Passerat-Palmbach, Fred Hjalmarrson for feedback and insightful discussions
Frontier AI companies are calling for, building on and researching TEEs. Apple has a TEE-based cloud offering. Signal, an iconic privacy platform, relies on TEEs for contact discovery. 40% of Ethereum’s blocks are built in TEEs and Solana is headed in the same direction. Many of the most exciting ideas being explored in our space, like agentic economies and encumbrance, are being explored on TEE substrates, while security-oriented protocols relying on SNARKs or MPC look to TEEs to bolster their security. In the bigger picture, secure hardware can be found in a large and growing fraction of mobile phones, in every Xbox and PlayStation, in every bank card and SIM card, in hardware wallets, etc.
With this growing interest, it is not surprising that the recent wiretap and battering RAM “attacks” on Intel SGX and AMD SEV have sparked renewed debate over the merits of TEEs for crypto use cases. On one hand these “attacks” serve as a reminder that these TEE products don’t include physical access in their security models (which is why “attack” is in quotation marks). On the other hand, most TEE deployers know this and have designed their systems to be cloud-based precisely to avoid allowing arbitrary physical access. What should be done about TEEs that don’t protect against physical attackers is an important discussion, but not the focus of this post. To me, the most striking aspect of these discussions is the misguided comparison between technologies. We do not evaluate FHE/MPC based solely on the security and performance of these systems today, but rather where we think R&D and investment can take them in 5-10 years. Evaluating secure hardware solely on the merits of a few products that are on the market today is a mistake we as a community consistently make.
Secure hardware is likely to continue to be valuable for a large set of use cases even when assuming dramatic improvements in “software crypto” and provide unique properties that complement other technologies. There are plenty of reasons to think that TEEs can dramatically improve, and there are many reasons to want this to happen. Below is a forward-looking case for TEEs.
The Argument Overview
In Defense of TEEs
- Much of the history of TEE breaks is not due to inherent limitations of secure hardware technology. Attacks like wiretap and battering RAM are a reflection of a historic lack of demand for high-security TEEs. The technology to protect against them has existed for a long time. In fact, SGX used to have memory integrity protection (against replay attacks), but this was taken out due to performance overheads. Similarly, plenty of research has designed mechanisms for safe speculation - probably the most famous TEE attack vector - but these have simply never been implemented in products. Intel, AMD, etc. sell TEEs aimed at a class of users who are not willing to sacrifice more than a few percent of performance (or money) for security. At the same time, rigorous hardware security research ends up being channeled into simple, low-power, cost-constrained devices like bank cards, SIM cards or hardware wallets. This field of research has advanced substantially in recent years, making security measures more efficient and scalable to much more complex circuitry. In other words, thus far, no one has really tried to target a set of tradeoffs that suits “web3” use cases, and recent research has made this much more feasible.
- The entire hardware industry has been opposed to open source (until recently) and has actively pursued legal action against researchers who expose flaws in hardware, which has slowed the feedback loops needed to make technical progress. Building on the growing open hardware movement will allow us to tap into these feedback cycles to improve secure hardware much faster than the current rate, in which designs are marketed a.
- Hardware supply chains pose a risk for backdoor insertion, but this can be addressed. For a particular device and manufacturer, open sourcing as much of the hardware design as possible, coupled with independent sampling for audits by a diverse set of labs, would already significantly improve the status quo. There are ongoing lines of research working on improving the efficacy and efficiency of detection technologies and on trojan-resistant designs. Ideally, this can bring us to statements like “if k of m verifiers are honest, then…”. On top of this, using multi-device systems spanning different manufacturers/supply chains allows us to dramatically reduce this risk as well, since an attacker then has to compromise several independent supply chains rather than one. More extensive writing on the topic can be found here.
- Security is not binary. Cryptographic schemes rely on various assumptions, some of which have been shown not to hold in general (e.g. treating hash functions as random oracles). Even if our proofs hold, we must also have faith in the correctness of our software implementations and of the hardware that executes them. Symmetric crypto like AES doesn’t even come with a proof, only the evidence of not having been broken for a long time. This doesn’t mean that we will have the same confidence in secure hardware as we do in AES - the attack surface is much larger. It does, however, mean that there isn’t an inherent “holy vs. unholy” distinction of the kind sometimes promoted by those (who claim to be holy).
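To make the multi-device, multi-supply-chain idea from the supply-chain point above concrete, here is an added toy example (written for this page, not code from the original post or from any TEE vendor). It models a verifier that accepts a computation result only when attestations from at least k distinct manufacturers, all reporting the expected code measurement, agree on it. Vendor names, the measurement string and the results are constructed placeholders; a single backdoored vendor can forge as many of its own attestations as it likes but cannot reach the quorum alone. The probability helper assumes vendors are backdoored independently, which is exactly the assumption that diversifying supply chains is meant to buy.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder for the expected enclave code identity, not a real hash.
EXPECTED_MEASUREMENT = "sha256:enclave-v1"


@dataclass(frozen=True)
class Attestation:
    vendor: str        # manufacturer / supply chain the device came from
    measurement: str   # identity (hash) of the code the device claims to run
    result: str        # output of the attested computation


def accept(reports, expected_measurement, k):
    """Return the result agreed on by >= k distinct vendors, else None.

    Devices reporting any other measurement are ignored. Several reports from
    the same vendor count once, so one backdoored supply chain cannot reach
    the quorum by replaying or forging its own attestations.
    """
    vendors_by_result = defaultdict(set)
    for r in reports:
        if r.measurement == expected_measurement:
            vendors_by_result[r.result].add(r.vendor)
    quorum = [res for res, vendors in vendors_by_result.items() if len(vendors) >= k]
    # Exactly one result must reach the quorum: zero means no agreement, two or
    # more means the "fewer than k vendors are backdoored" assumption has failed.
    return quorum[0] if len(quorum) == 1 else None


def p_quorum_forged(p_vendor, m, k):
    """Probability that at least k of m independently backdoored vendors are
    compromised, i.e. that a k-of-m integrity quorum can be forged outright.
    Assumes independence across supply chains (binomial tail)."""
    return sum(math.comb(m, i) * p_vendor ** i * (1 - p_vendor) ** (m - i)
               for i in range(k, m + 1))


# Constructed sample scenario: three supply chains, one of them (vendor_c)
# backdoored and emitting a forged result many times over.
HONEST = [
    Attestation("vendor_a", EXPECTED_MEASUREMENT, "balance=42"),
    Attestation("vendor_b", EXPECTED_MEASUREMENT, "balance=42"),
]
FORGED = [Attestation("vendor_c", EXPECTED_MEASUREMENT, "balance=9999")] * 5


def demo():
    """Run the scenarios and return their outcomes."""
    return {
        "honest_majority": accept(HONEST + FORGED, EXPECTED_MEASUREMENT, k=2),
        "forger_alone": accept(FORGED, EXPECTED_MEASUREMENT, k=2),
        "single_vendor": accept(HONEST[:1], EXPECTED_MEASUREMENT, k=2),
        "p_forged": p_quorum_forged(0.1, m=3, k=2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This only covers integrity of the result. Keeping a secret confidential against one backdoored device requires splitting it across vendors (e.g. with secret sharing) rather than replicating it, which the snippet does not attempt.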
The Case for TEEs
- TEEs work well in conjunction with other cryptographic schemes. For example, MPC schemes can tolerate certain thresholds of corrupt or colluding actors of certain types (active or passive). In these cases, TEEs provide a layer of defense against collusion, removing some of the political complexity of selecting committees to trust and translating an abstract trust assumption into a concrete dollar amount of security (1,2,3). TEEs can also be used to relax the underlying threat model of the cryptographic scheme. Schemes that are secure against adversaries who actively deviate from the protocol are orders of magnitude less efficient than those which assume the adversary only listens but otherwise behaves correctly. Running the parties inside TEEs can allow us to use the latter kind of protocol. ZIPNet is a great example of this: a TEE break can cause a loss of liveness but not of confidentiality, while the system is much more efficient than it would be without TEEs. Similarly, TEEs have been combined with FHE to provide efficiency savings while still keeping a confidentiality safety net.
- TEEs will always be substantially more performant than purely software-based security. Consider that even if FHE could be verifiably executed with no computational overhead (a very strong assumption), the decryption keys would likely need to be held by a threshold decryption committee that is not colocated in the same datacentre - i.e. one reachable only with non-negligible latency. Complex interactions involving multiple services would then require decrypting the output of one computation and re-encrypting it to a different committee to perform yet another round of computation and decryption. For latency-sensitive use cases like ad auctions and trading/MEV, in which latencies are measured in milliseconds (or less), such overhead is not tenable. Should the current excitement about “agentic economies” pan out, we should expect algorithmic competition to emphasise latency in the same way in many more places.
- Another important dimension to consider is geographic decentralisation. If the latency of a secure system is dominated by communication overhead, there is a natural incentive for nodes to be colocated, undermining the global neutrality properties some crypto systems are after. As TEEs can help to minimise this communication overhead, they can help to soften this colocation incentive.
- Secure hardware has applicability in domains in which traditional crypto doesn’t. One may want some assurances that a security camera is not sending video feeds anywhere other than a local secure server, or that a video is indeed coming from a camera and not a generative model. If we end up with humanoid robots that can generate enough force to kill a person in our homes, we would like to know that they have the appropriate safe software loaded. Developing open secure hardware will help to bring security to these physical domains - breaking the “digital only” limitations that we see in current crypto systems.
For the past year, my collaborators and I have been putting together an effort to produce more secure, open TEEs. Some updates can be found here and a cleaner elaboration is coming soon ™.