TEE Prover with Scroll

TL;DR: Automata introduces TEE Prover in a multi-prover system with Scroll. The first implementation of Intel SGX as an independent proof alongside SNARK verification improves prover diversity and the overall resilience of Ethereum’s rollup-centric future. Read more in Scroll’s announcement here.

Rollups are in wide use today as they scale the application layer of Ethereum horizontally. Zero-knowledge rollups (ZK-rollups) such as Scroll are typically represented as arithmetic circuits where a prover generates proof to show that the compute has been performed correctly. These proofs reveal no information other than their own validity.

It’s worth taking a look under the hood at how zero-knowledge proofs are generated and verified. A combination of advancements in hardware and cryptographic algorithms are beginning to provide alternatives to generating proof computation in rollup systems and other decentralized contexts. We introduce, for the first time, a TEE Prover implementation with Scroll, that is emphatically more resilient, secure, and transparent than single-prover systems.

Prover diversity with TEEs

Our work on TEE Prover dates back to our previous efforts on a block builder within TEEs, which showed the practicality and potential of using Intel SGX to bring transaction confidentiality to mempools. This article expands upon several excellent points made in a post by Justin from the Ethereum Foundation on the usefulness of Intel SGX within a multi-prover model:

• Verifiable trust. Proof generation happens within an isolated execution environment which is safeguarded against unauthorized access. Attestation verifies the integrity of the secure enclave, and by extension, maintains trust in the proof system.
• Correctness. Layering SGX-based proofs not only introduces redundancy but also mitigates systemic vulnerabilities faced by zero-knowledge proofs. Last year, ChainLight reported a vulnerability in the zkSync Era mainnet, that if exploited, would have exposed $1.9 billion to risk. The technical assurances of the secure enclave significantly reduce the risks of a simultaneous bug affecting the entire network.
• Lightweight. Intel SGX receives and processes input data within enclaves only as required, and is able to perform verification on the expected output of block execution without the need to reference or rely on a persistent state.
• Efficient. While the generation of zero-knowledge proofs can be a time and resource-intensive endeavor, demands on SGX proofs are less severe. The process can, in fact, be of the same simplicity and ease as verifying an ECDSA signature.

The implementation of Intel SGX as a separate, independent proof is not only an undeniable improvement to current proving systems, but is also desirable for the reasons above: Technical properties which go well beyond what is currently available in other setups.

TEE Prover with Scroll

Our design of the TEE Prover with Scroll has two main components.

1. SGX Prover. An off-chain component that checks that the post-state root matches the existing state root after block execution within the secure enclave, and submits the Proof of Execution (PoE) to the SGX Verifier.
2. SGX Verifier. An L1 contract that confirms the correctness of state transition proposed by the SGX Prover. It also verifies the attestation report submitted by the Intel SGX enclave to ensure prover integrity.

The SGX Prover monitors the batch transactions committed by the sequencer on the L1 chain and creates Proof of Block (PoB) that includes the information necessary for re-execution of L2 blocks and transactions. SGX Prover executes the state transition following the rollup’s spec without using any ZK circuit. For example, Scroll has a slight difference from Ethereum when implementing zkEVM and the SGX Prover must follow it to generate the same state transition. After the execution, the SGX Prover submits a Proof of Execution (PoE) to L1 to show the state transition result based on the same input that ZK prover uses.

Once PoE is submitted on-chain, the SGX Verifier will check if the PoE is signed by a valid SGX Prover. This requires a very lightweight `ecrecover` call to check the PoE Signer is from a list of SGX Provers who have passed the attestation. The attestation establishes a trust state where the entire stack that SGX Prover is running on can be verified. Many TEE solutions will have a similar process, known as remote attestation.

On-chain verification of Intel SGX

Remote attestation allows a remote party to programmatically verify the integrity and immutable properties of the Intel SGX enclave and therefore trust the execution. Using a smart contract as a remote party creates a public and transparent on-chain anchor that enables trust composability — other smart contracts can also trust the computation from the enclave. Furthermore, the latest Intel SGX attestation protocol (DCAP v3) removes the dependency on a centralized attestation service as seen in the previous EPID attestation. Our recent efforts in developing a Solidity version of DCAP attestation allowed for the full verification of attestation reports from enclaves to take place on-chain.

The attestation report contains the cryptographic measurement of the execution environment, including hardware, software, and custom data. It provides two important properties that are key to the SGX Prover design:

(1) Integrity: the SGX Prover is running an expected version of the software and runs in a genuine TEE that no one else can forge or modify, including the infrastructure operator;

(2) Authenticity, the SGX prover holds a keypair that never leaves the TEE. The public key is included in the attestation report so anyone can verify the origin of the message by verifying the attestation report.

Note that the SGX Prover key has a validity period, and is refreshed at the end of each validity period using the randomness from hardware. are produced with a high level of entropy and are at once both unbiased and unpredictablKeyse, with the integrity of the process reinforced by the attestation of the tamper-proof enclave.

Building in the public

We’ve open-sourced the SGX Prover and SGX Verifier in one mono-repo under Apache 2.0 license: https://github.com/automata-network/sgx-prover

SGX Prover

• A rust implementation that uses SputnikVM as the EVM engine within the secure enclave
• It can be compiled and running in SGX hardware mode on capable machines (e.g., Azure Standard DC4s v3)
• The same code supports both SGX and non-SGX builds for easier debugging. The initial benchmark showed that SGX incurs ~10% performance overhead in block verification.

SGX Verifier

• It uses our previously open-sourced DCAP v3 attestation library for fully on-chain attestation https://github.com/automata-network/automata-dcap-v3-attestation. it was ported based on Intel’s official open-source implementation and specs.

With these, we have been able to achieve:

1. 100% verification of the entire block history of Scroll testnet. This shows that our implementation is compliant with Scroll zkEVM specification and future protocol changes will be tracked and adapted in SGX Prover
2. The entire supply chain for SGX Prover can be verified at each key step, including open-source development, reproducible build and artifact, runtime attestation, and verification.

Multi-prover systems: What’s next

TEE Prover is very new, and we hope to see more implementations and ideas around what trusted execution environments, beyond the scope of Intel SGX and our work with Scroll, can bring to the rollup space. The push for prover diversity encourages greater decentralization and resilience; Different proof constructions allow potentially adversarial results to be verified against each other, for example.

Some of the features we plan to add in the near future:

• Improving the diversity of TEE technologies for the TEE prover. This helps in the creation of versatile multi-prover systems that can be adapted to different requirements.
• Bringing TEE prover to more validity-proof systems. One interesting axis is to also consider how TEEs such as Intel SGX can support fraud proofs, as in the case of optimistic rollups.
• Better frameworks for TEE prover in decision-making scenarios involving consensus and governance mechanisms of the protocol

For perspective, follow Scroll’s post to find out more about TEE Prover and how it scales security on the L2 here. We also greatly appreciate feedback, so reach out.

About Automata Network

Automata Network is a modular attestation layer that extends machine-level trust to Ethereum by leveraging optimistic rollups and zero-knowledge proofs in its Proof of Machinehood approach. The application-specific rollup allows on-chain verification for out-of-protocol computation, which creates an unbroken chain of trust that extends upwards through the entire Web3 stack.

Website | Telegram | Discord | X | Github | Newsletter