Today's story is a collaborative exploration of TEEs written with Oliver Jaros from CMT Digital. Collaborating with external researchers is like playing multiplayer games: it helps us tap into specialists' expertise while building a new perspective for our audience.
Last week, we wrote about how passkey wallets can simplify wallet creation for retail users. You may have noticed the term "Trusted Execution Environments" (TEEs) in that piece. Today, Oliver joins Shlok to break down how TEEs work and why they matter. We'll explore specific applications using TEEs and the use cases they enable.
While TEEs have generated excitement among investors and researchers in the space, there's limited literature on how or where they accrue value. Today's story addresses that gap.
This is the first of several stories we've been developing with external collaborators. If you're a researcher interested in co-authoring with us, please fill out the form below.
Uber's San Francisco headquarters resembles most tech companies—an open floor plan for employees to move, mix, and share ideas freely. Yet in the main floor's centre stood a room where few employees had set foot. Metal and glass walls, a switch to make transparent walls opaque, and frequent security guards made this room and its activities a mystery to most workers.
This was Uber’s “War Room”—a space that operated round the clock for executives to brainstorm and tackle the company's biggest problems. Built for confidentiality, the room granted entry strictly on a need-to-know basis. Such secrecy made sense. Uber battled competitors worldwide to dominate the ride-hailing market. Rivals would pounce upon any leak in tactics or strategy. What happened in the War Room stayed there.1
Such private enclosures within otherwise accessible spaces are common. When Apple works on a secret project, it houses the assigned team in buildings separate from the main headquarters. The Capitol and other U.S. government buildings contain Sensitive Compartmentalised Information Facilities (SCIFs) with soundproof walls and electromagnetic shielding for sensitive discussions. Our homes and hotel rooms have safes to protect valuables from workers and intruders.
Secure enclaves extend beyond the physical world. Today, we store data and process information largely on computers. As our reliance on silicon-based machines grows, so does the risk of attacks and compromises. Like Uber's War Room, computers need a separate space to store the most sensitive data and perform critical computations. This space is known as a Trusted Execution Environment (TEE).
While TEEs have recently become a buzzword in crypto, their purpose and capabilities are often misunderstood. With this article, we hope to change that. Here, we explain everything you need to know about TEEs: what they are, why they are important, the ways in which we already use them every day, and, finally, how they can help build better web3 applications.
Already Everywhere
Let’s start with a more formal definition of TEEs.
TEEs are specialised secure areas within a device’s main processor that ensure the confidentiality of the data and code being processed. TEEs provide an isolated execution environment separate from the main operating system, which is crucial for maintaining data security in applications handling sensitive information.
TEEs provide two main assurances.
Isolated Execution: TEEs run code in an isolated environment. This means that even if the main operating system is compromised, the code and data within the TEE remain secure.
Memory Encryption: Data processed within a TEE is encrypted. This ensures that even if attackers gain access to the physical memory, they cannot decipher the sensitive information stored within the TEE.
To understand why TEEs are so important, we need only look as far as the device you might be reading this article on: the iPhone. FaceID has become the primary way for an iPhone to authenticate a user trying to access the device. While it works almost like magic, much happens under the hood in the few hundred milliseconds it takes for the device to detect whether you are (or are not) allowed to unlock it.
A dot projector projects over 30,000 invisible infrared (IR) dots onto the user's face. An IR camera captures this pattern and an IR image of the face. In low-light conditions, a flood illuminator enhances visibility.
The processor receives this raw data and creates a mathematical model of the face, including depth data, contours, and unique features.
The mathematical model is compared to the one stored from the initial setup of FaceID. If the models match with sufficient accuracy, a "success" signal is sent to the iOS system, and the device unlocks. If the comparison fails, the device remains locked.
FaceID is used not only to unlock the device but also to authenticate other actions like signing into apps and making payments.
The consequences of any security breaches are dire. If the model creation and comparison process is compromised, it will allow non-device-owners to unlock the device, access the owner's personal data, and conduct fraudulent financial transactions. If an attacker manages to extract the stored mathematical model of a user's face, it would lead to theft of biometric data and a severe invasion of privacy.
Naturally, Apple must be highly methodical about how they implement FaceID. All processing and storage occur through the "Secure Enclave," a separate processor built into the iPhone and other Apple devices. The Secure Enclave is unique to a device and functions in isolation from the rest of the memory and processes. It is designed so that even if the rest of the device is compromised, attackers cannot access it. Apart from biometrics, it also stores and secures user payment information, passwords, keychains, and health data.
The Secure Enclave is nothing but an example of a TEE.
Because most computers handle sensitive data and computations, nearly all processor manufacturers now provide some form of TEE out-of-the-box. Intel offers the Software Guard Extension (SGX), AMD has the AMD Secure Processor, ARM features its TrustZone, Qualcomm provides a Secure Foundation, and Nvidia’s latest GPUs come with Confidential Computing.
Software variants of TEE also exist. AWS Nitro Enclaves, for instance, allow you to create isolated compute environments to protect and process highly sensitive data within Amazon's regular EC2 instances. Similarly, both Google Cloud and Microsoft Azure offer Confidential Computing.
Apple recently announced Private Cloud Compute, a cloud intelligence system designed to privately process AI requests that devices cannot serve locally. OpenAI is also working on a similar secure infrastructure for AI cloud computing.
TEEs are exciting in part because of their ubiquity across personal computers and cloud service providers. It enables developers to create applications that benefit from sensitive user data without worrying about data leaks and security breaches. It also directly improves UX by enabling innovations like biometric authentication and passkeys.
So, what does any of this have to do with crypto?
Attestations
Recall that TEEs provide a space for computations that cannot be tampered with by an external party. This might remind you of another technology that provides similar computing assurances—the blockchain. Smart contracts are essentially computer code that, once deployed, is automatically enforced and executed and cannot be altered by external actors.
However, running computations on the blockchain has a couple of limitations:
Compared to typical computers, blockchains have limited processing power. A block on Ethereum, for example, is generated every 12 seconds and can only hold a maximum of 2 MB of data. That is less than the capacity of a floppy disk, an obsolete technology that was last popular when I was born. While blockchains are becoming faster and more powerful, they still cannot natively execute complex algorithms like those behind Apple’s FaceID.
Blockchains lack native privacy. All ledger data is visible to everyone, making them unsuitable for applications relying on private information such as personal identification, bank balances, credit scores, and medical histories.
These limitations don't apply to TEEs. While TEEs are slower than regular processors (with a 10-100% overhead depending on the use case), they remain orders of magnitude faster than blockchains. Additionally, TEEs are inherently privacy-preserving, encrypting all processed data by default.
Naturally, on-chain applications requiring privacy and more computing power can benefit from TEEs' complementary capabilities. However, blockchains are highly trusted computing environments where every data point on the ledger should be traceable to its source and replicated across numerous independent computers. In contrast, TEE processes occur locally in physical or cloud environments.
We need a way to bridge the gap between these two technologies. This is where remote attestations come in. Let’s take a brief detour to the mediaeval world to understand what they are.
Before the invention of technologies like the telephone, telegraph, and internet, handwritten letters delivered by human messengers were the only means of sending messages across long distances. But how could recipients ensure a message truly came from the intended sender and had not been tampered with? For hundreds of years, wax seals served this purpose.
Envelopes containing letters were secured with hot wax stamped with a unique and intricate design, often the coat of arms or symbol of a king, noble, or religious figure. Because each design was unique to a sender and nearly impossible to reproduce without the original stamp, recipients could be confident of the message's authenticity. Moreover, as long as the seal remained intact, they could also be assured that the message had not been tampered with.
A remote attestation is the modern equivalent of such seals—a cryptographic proof generated by a TEE that allows the holder to verify the integrity and authenticity of the code running within it and confirm that the TEE hasn't been tampered with. Here is how it works:
The TEE generates a report containing information about its state and the code running inside it. This report is cryptographically signed using keys only available to genuine TEE hardware. The signed report is sent to the remote verifier. The verifier checks the signature to ensure the report comes from genuine TEE hardware. It then examines the report contents to confirm the expected code is running and has not been modified. If verification succeeds, the remote party can trust the TEE and the code running inside it.
To bridge the gap between blockchains and TEEs, these reports can be posted on-chain, and the proof can be verified by designated smart contracts.
So, how can TEEs make crypto applications better?
TEE in Action
Flashbots leads in MEV (Maximal Extractable Value) infrastructure for the Ethereum blockchain. MEV refers to additional profits extractable by ordering, including, or excluding transactions in a block. It exists due to the lag between when users submit transactions to the mempool (a waiting area for transactions) and when the block leader executes them. During this period, sophisticated actors can exploit information leaked in unprocessed transactions for harmful activities like front-running.
Flashbot's solution, MEV-boost, separates proposers (who process transactions) from block builders (who construct MEV-optimised blocks). It introduces a trusted entity called a Relay, which acts as an intermediary between proposers and builders. Relays verify block validity, conduct auctions to select winning blocks, and prevent validators from exploiting MEV opportunities identified by builders.
The issue lies in the centralisation of the Relay layer. Three Relays process over 80% of all blocks. As outlined in this blog post, this centralisation risks Relays censoring transactions, colluding with builders to give some preference over others, and potentially stealing MEV themselves.
Why is the Relay function not facilitated directly by smart contracts? First, the Relay software is complex and cannot be run directly on-chain. Moreover, using a Relay is to keep the inputs (blocks created by builders) private so that MEV is not stolen.
This scenario is precisely where TEEs prove most valuable. By running relay software in a TEE, Relays can maintain the privacy of incoming blocks while still providing an attestation that the winning block was selected fairly without collusion. Flashbots is developing SUAVE, currently in testnet, to bring this TEE-powered infrastructure to life.
Both this publication and CMT Digital recently explored how solver networks and intents are helping to abstract chains and address the crypto UX problem. A key component of these solutions is the order flow auction, a generalised version of the auction conducted in MEV boost. TEEs can enhance the fairness and efficiency of these order flow auctions.
Another sector of crypto where TEEs are proving useful is decentralised physical infrastructure networks (DePIN) applications. DePIN networks are devices that contribute resources (such as bandwidth, computation, energy, mobile data, or GPUs) in exchange for token rewards. Naturally, supply-side participants have an incentive to game the system by altering the DePIN software to show, for example, duplicate contributions from the same device to earn more rewards.
However, as we have seen, most modern devices have some form of built-in TEE. The network can require generating proof of the device's unique identifier created via its TEE, ensuring it is genuine and running the expected secure software. The DePIN network could then remotely verify that contributions are legitimate and secure. Bagel is a data DePIN network that is exploring using TEEs.
Joel recently discussed passkeys and how they offer a step-function improvement in securing, managing, and recovering wallets. Passkeys are public-private key pairs that eliminate the need for seed phrase management, enable cross-platform wallets, allow social and biometric authentication, and simplify lost-key recovery. The private keys are stored in the TEE of either the local device or a cloud solution, depending on the wallet infrastructure implementation.
Clave and Capsule leverage passkeys for embedded consumer wallets. Ledger, the leading hardware wallet company, uses a TEE to securely generate and store private keys. CMT Digital portfolio company Lit Protocol provides the infrastructure for decentralised signing, encryption, and compute to developers of apps, wallets, protocols, and AI agents. It uses TEEs as part of its key management and computation network.
As it becomes increasingly difficult to distinguish AI-generated images from authentic ones, major camera manufacturers like Sony, Nikon, and Canon are integrating technology that assigns digital signatures to captured images in real time. This is another variant of TEE. They also provide the infrastructure for third parties to check the provenance of images by verifying proofs. While this infrastructure is currently centralised, we expect these proofs to be attested on-chain in the future.
Last week, I wrote about how zkTLS can help bring web2 information to web3 in a verifiable manner. zkTLS makes it easier for web3 projects to bootstrap networks and solve the cold start problem. We discussed two ways to go about zkTLS: multi-party computation (MPC) or a proxy. TEE offers a third method: processing the server connection in a device's secure enclave and posting the computation attestation on-chain. Clique is a project that is implementing TEE-based zkTLS.
Both Scroll and Taiko are Ethereum Layer-2 solutions experimenting with multi-prover approaches where they integrate TEEs alongside ZK proofs. TEEs allow for faster, more cost-effective proof generation without increasing finality time. They complement ZK proofs by adding diversity in proving mechanisms and mitigating bugs and vulnerabilities.
At the infrastructure level, projects are emerging to support the growing number of applications using TEE remote attestations. Automata is launching a modular attestation chain as an Eigenlayer AVS (Actively Validiated Service), serving as a registry for remote attestations and making them publicly verifiable and easily accessible. Automata's compatibility with various EVM-chains enables composable TEE proofs across the EVM ecosystem.
Flashbots is developing a Sirrah, a TEE coprocessor, to establish a secure channel between TEE nodes and blockchains. Flashbots also provides the code for developers to create Solidity applications that can easily verify TEE attestations. They are using Automata’s attestation chain mentioned above.
Not all Roses
While TEEs are versatile and have already found applications across various sectors in crypto, the technology is not without its challenges. Builders looking to incorporate TEE should keep some factors in mind.
The primary consideration is evident from the name itself—TEEs require a trusted setup. This means that developers and users have to trust the device manufacturer or cloud provider to uphold security guarantees and not possess (or provide external actors like the government with) a backdoor into the system.
Another potential vulnerability is a side-channel attack. Imagine taking a multiple-choice test in a classroom where you cannot see anyone's paper. However, you notice your classmate circles quickly when choosing answer A, but takes longer for B, C, or D. You can use this information to infer their choices.
Side-channel attacks work similarly. Attackers exploit indirect information such as power consumption or timing variations to deduce sensitive data processed within the TEE. Mitigating these vulnerabilities requires careful implementation of cryptographic operations and constant-time algorithms to minimise observable variations in the TEE's code execution.
TEEs like Intel’s SGX have been proven to have vulnerabilities. The SGAxe attack, published in 2020, exploited a flaw in Intel SGX to extract encryption keys from secure enclaves, potentially compromising sensitive data in cloud environments. In 2021, researchers showcased the "SmashEx" attack, which could crash SGX enclaves and potentially leak secret information. The "Prime+Probe" technique was a side-channel attack to extract cryptographic keys from SGX enclaves by observing cache access patterns. These examples underscore the ongoing cat-and-mouse game between security researchers and potential attackers.
One reason Linux powers most of the world's servers is its robust security. This stems from its open-source nature and the thousands of programmers who continuously test the software and squash bugs as they arise. The same approach can be applied to hardware as well. OpenTitan is an open-source project aiming to make the silicon root of trust (RoT), another term for a Trusted Execution Environment (TEE), more transparent, trustworthy, and, ultimately, secure.
What’s Next?
Apart from TEEs, several other privacy-preserving technologies are available to builders—zero-knowledge proofs, multi-party computation, and fully homomorphic encryption. While a full comparison among these is beyond the scope of this article, TEEs stand out for two reasons.
First, their ubiquity. While the infrastructure for other technologies remains nascent, TEEs, as discussed earlier, are already mainstream and integrated into most modern computers. This reduces technology risk for founders looking to leverage privacy technology. Second, TEEs have significantly lower processing overhead compared to alternatives. Although this property involves security tradeoffs, it can be a pragmatic solution for many use cases.
Ultimately, if you are considering whether TEEs are suitable for your product, ask yourself these questions:
Does my problem require attestations of complex off-chain compute proven back on chain?
Do the inputs or primary data points of my application need to be private?
If you answer yes to either question 1 or 2, then TEEs are worth exploring.
However, given that TEEs are still prone to attacks, it is worth keeping security in mind. If the value secured by your application is lower than the cost of an attack, which can run into the millions, you can consider TEEs by themselves. However, if you are building security-critical applications like wallets and rollups, consider using decentralised TEE networks like Lit Protocol or use TEEs in conjunction with other technologies like ZK proofs.
If you are an investor, you might be wondering where value accrues from TEE and whether any billion dollar companies will emerge using this technology.
In the short term, as teams continue experimenting with TEEs, we see value accruing at the infrastructure level. This includes TEE-specific rollups like Automata and Sirrah, as well as protocols like Lit that provide key building blocks for other applications using TEEs. As more TEE coprocessors get built out, the cost of private off-chain compute will come down.
Over the long term, we envision applications and products leveraging TEEs (and their lowering costs) surpassing the infrastructure layer in value. However, users will adopt them not because they use TEEs but because they are excellent products solving genuine problems. We are already seeing early glimpses of this trend in wallets like Capsule, which provide a vastly improved UX compared to browser wallets. Many DePIN networks, which may use TEEs solely for authentication rather than as part of their core product, will also accrue tremendous value.
With each passing week, our belief in the thesis that we are amid a shift from the fat-protocol thesis to the fat-application thesis only strengthens. We expect technologies like TEE to follow this trend.
Your X timeline will not tell you this, but with technologies like TEE maturing, there have rarely been more exciting times to be in crypto.
Binging CoolVision videos,
Shlok Khemani
DISCLOSURES FROM CMT DIGITAL
For informational purposes only, nothing herein should be construed as investment advice nor an offering to buy or sell any security or investment. CMT Digital and its affiliates may have investments in companies referenced. Any investments or portfolio companies discussed are not representative of all investments of CMT Digital and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar results. A list of portfolio companies may be found at: cmt.digital/portfolio. The list of portfolio companies is updated periodically and may not reflect the most recent CMT Digital investments. Past performance of CMT Digital investments and pooled investment vehicles are not necessarily indicative of future results. Views expressed by any individuals are solely those of the individual author or speaker and do not necessarily reflect the views of CMT Digital. Views and opinions are as of the date provided and subject to change without notice.
I refer to Uber’s War Room in the past tense because, as part of a wave of cultural and leadership changes, it was renamed the “Peace Room” in 2017.