It is gone now, but IIRC Microsoft was working on a blockchain for inter-enterprise settlement that ran in the secure enclave. It had extremely high throughput and all of the parties could “trust” that the code running was the same, so they were all following the same rules. Neat concept, they killed it before ever sharing source code.
I have seen a deployed altcoin built on SGX. Can't remember the name or if it was even successful.
In my opinion, it's a huge risk.
With a regular blockchain, the fact that someone might maliciously be running the wrong code is baked into the design, and the security model has to handle it.
With SGX, you are relying on Intel's security model to make sure everyone is running the same code. If SGX is ever broken (which it has been, to some extent) and a malicious node is running different code, then your whole security model falls apart and they can start attacking the blockchain.
You might argue that you can design the blockchain to be secure even when SGX is broken. But if it's secure enough without SGX, why use SGX? You risk your security model being broken due to a bug and nobody realizing due to SGX protecting it, until SGX stops protecting.
Plus, you exclude people who don't have SGX from running your blockchain.
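To make the trust-model point above concrete, here is an added toy simulation (not code from any project mentioned in the thread, and not Intel's real quote format or measurement scheme). It assumes a constructed enclave binary, a tampered variant, and an HMAC key standing in for the hardware attestation key. An attestation-based network admits any node whose quote verifies and then trusts its verdict outright; a Byzantine-tolerant network ignores attestation and requires a supermajority vote. The scenario compares how each rules on a transfer the honest rule must reject, with and without the attestation key having leaked.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy model of enclave attestation; this is a constructed simplification, not
# Intel's real quote format, measurement scheme or signing algorithm.
# The hardware's attestation signing key is what the whole trust model rests on.
HARDWARE_KEY = secrets.token_bytes(32)

# Constructed stand-ins for an enclave binary and a tampered variant of it.
HONEST_CODE = b"rule: reject a transfer when balance[from] < amount"
MODIFIED_CODE = b"rule: accept every transfer"
EXPECTED_MEASUREMENT = hashlib.sha256(HONEST_CODE).hexdigest()


@dataclass
class Quote:
    """Attestation quote: a code measurement plus a MAC under the hardware key."""
    measurement: str
    tag: bytes


def produce_quote(measurement: str, key: bytes) -> Quote:
    """Sign a measurement. Only the hardware (or whoever holds its key) can do this."""
    return Quote(measurement, hmac.new(key, measurement.encode(), "sha256").digest())


def verify_quote(quote: Quote, key: bytes = HARDWARE_KEY) -> bool:
    """Verifier's check: tag must be valid and the measurement must be the expected code."""
    expected_tag = hmac.new(key, quote.measurement.encode(), "sha256").digest()
    return hmac.compare_digest(quote.tag, expected_tag) and quote.measurement == EXPECTED_MEASUREMENT


@dataclass
class Node:
    code: bytes
    quote: Quote

    def validates(self, balances: dict, tx: dict) -> bool:
        """Apply the rule the node's code actually implements."""
        if self.code == MODIFIED_CODE:
            return True  # tampered code skips the balance check
        return balances.get(tx["from"], 0) >= tx["amount"]


def honest_node() -> Node:
    return Node(HONEST_CODE, produce_quote(EXPECTED_MEASUREMENT, HARDWARE_KEY))


def tampered_node(key_leaked: bool) -> Node:
    """A node running modified code. Without the key it can only attest to what it
    really runs; with a leaked key it can claim the honest measurement regardless."""
    if key_leaked:
        return Node(MODIFIED_CODE, produce_quote(EXPECTED_MEASUREMENT, HARDWARE_KEY))
    real_measurement = hashlib.sha256(MODIFIED_CODE).hexdigest()
    return Node(MODIFIED_CODE, produce_quote(real_measurement, HARDWARE_KEY))


def accept_by_attestation(proposer: Node, balances: dict, tx: dict) -> bool:
    """Enclave-trust model: an attested proposer is trusted outright, so its verdict is final."""
    if not verify_quote(proposer.quote):
        return False  # not admitted to the network at all
    return proposer.validates(balances, tx)


def accept_by_vote(nodes: list, balances: dict, tx: dict) -> bool:
    """Byzantine-tolerant model: no attestation; accept only with more than 2/3 agreement."""
    votes = sum(node.validates(balances, tx) for node in nodes)
    return votes * 3 > len(nodes) * 2


def run_scenario(key_leaked: bool) -> dict:
    """Return how each model rules on a transfer that the honest rule must reject."""
    balances = {"alice": 5, "bob": 0}
    bad_tx = {"from": "alice", "to": "bob", "amount": 50}  # alice only has 5
    attacker = tampered_node(key_leaked)
    network = [honest_node(), honest_node(), honest_node(), attacker]
    return {
        "attestation_model_accepts": accept_by_attestation(attacker, balances, bad_tx),
        "vote_model_accepts": accept_by_vote(network, balances, bad_tx),
    }


if __name__ == "__main__":
    for leaked in (False, True):
        print(f"attestation key leaked={leaked}: {run_scenario(leaked)}")
```

With the key intact, the tampered node cannot produce a quote for the expected measurement and is never admitted, so both models reject the bad transfer. Once the key leaks, the attestation model accepts whatever the "attested" node says, while the vote model still rejects it because three of four nodes run the honest rule. That is the degradation the post describes: the enclave model has no fallback once the hardware guarantee fails, and nothing in it detects that failure.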
Before that, from the same inspiration, Signal built SVR[1], a recovery system for the address book that uses SGX to ensure the servers cannot decrypt the backup.
Yeah, mobilecoin makes heavy use of SGX. For what it’s worth, Intel isn’t going to deprecate this server side for modern use cases anytime soon.
The trade-offs between zk and hardware-accelerated encryption still lean towards hardware, though I’m not sure how much longer that will be true. It’s very difficult to imagine a general-purpose ZK machine, but you don’t need general-purpose compute to get most of the value out of defi as it exists today.
In short, we’re 5-10 years away from the first general compute zk machines/VMs imho, but bespoke zk circuits are starting to appear for many use cases. Check out plonky2 as a cool example of a modern fast zk circuit; the polygon team is doing great work here.
We’ve been working towards a fully zk winterfell implementation/proposal but it’s not there yet.
In closing, one of the unique things in mobilecoin is private information recovery at scale using MobileCoin fog (https://mobilecoin.com/news/fog-foward-in-oblivious-computin...) which isn’t possible with any zk circuit I’ve ever seen (due to the need to store lots of information durably with fast access that doesn’t leak access patterns to the server).
That is a good strategy. I hope the ZK VMs come to a reasonable performance before SGX goes fully away. Even though Intel won’t kill it for Xeon soon, I wouldn’t be surprised if they did in 5 years.
I wonder whether we can have our cake and eat it too; are there plans for FPGA-accelerated ZK machines?
It wasn’t designed for public blockchains, it was designed for uses in mid-trust environments (“enterprise blockchain”), trading off some level of trust for performance.
Are you thinking of Secret Network? If I remember correctly, they use SGX for transaction privacy (transactions are encrypted with a key that is only known to enclaves). An SGX break I think would just make it a generic proof of stake network but maybe the way they ended up doing smart contracts is different?
Yeah, I think secret network is the one I'm remembering. It's been a long time since I was paying attention to the cryptocurrency space.
My concern is that it hasn't been tested as a generic proof of stake network and there is a risk that it might not degrade as expected.
It also means the blockchain can't be independently verified. If someone was to exploit it in a way that gave themselves extra coins, then nobody would ever know because all evidence is hidden inside the secure enclave.
How big is the risk? I'm not sure. I just suspect it's bigger than the advantage you get from using SGX; there are other ways to get privacy.
It seems like this argument proves too much, because it rules out defense in depth. Why have multiple layers of defense when one perfect layer does the job?
I think the answer is that you're never really sure that your defense is perfect, and that's true of both SGX and byzantine algorithms.
Yeah, the Foreshadow attack leaked signing keys, so you could attest to a modified program running outside an enclave. I think other attacks didn't get that far though