Confidential Consensus

Currently, the Confidential Computing community is focused on use cases with very high security requirements, like the government and military, where applications must be protected from the Cloud Service Provider or the host machine in general. These scenarios involve a traditional client/server environment where the server just needs to be a bit more secure.

Diagram showing a cloud service provider host containing a security critical service guest

Confidential Computing can be used for much more than that though. As currently envisioned, Trusted Execution Environments (TEEs) provided by Confidential Computing systems offer an exciting trade off built on specialized hardware encryption features. If you trust the hardware provider, you can run code on data that even the host cannot see or interfere with.

Diagram showing how a guest in a TEE can be attacked while one not in one can be. — If you trust the TEE features, you don't have to trust the host

This has the potential to enable a new class of federated systems where the host of a given instance has well-defined limits to the data they can view and the actions they can perform. If the clients can verify that the instance is running in a TEE and is running open source code they have audited, they can know what the host can and can't do with their data. This could be especially valuable in social media & messaging applications where users want to know that their privacy is being protected.

Diagram showing two users talking to a service instance within a TEE as a way to talk to each other. — Users can interact through a federated instance without trusting the operator

In a fully distributed system, we can achieve Confidential Consensus where each node runs in a TEE and acts as a replicated state machine processing encrypted events so that some of the system's state remains private. Such systems will need a way to securely bootstrap so that the initial node(s) are known to be in TEEs and a way to ensure that any new nodes added to the system are also TEEs. This approach could offer a more dynamic and redundant version of a federated system where groups of users form networks representing a given instance or the ability to create a more globally distributed system.

Diagram showing three TEEs each running a node and users talking to various nodes.

To pull this off, Confidential Computing systems will need to be flexible enough that they can run on diverse hardware. To this end frameworks like Enarx that abstract individual hardware security features and enable cross-platform usage will be crucial.