TEE Execution
Run private code in secure execution environments.
What are TEEs?
Trusted Execution Environments (TEEs) provide hardware-based secure computing through isolated execution zones within processors where sensitive code and data remain protected even from privileged system software. Think of them as a vault inside your CPU where sensitive code runs protected from everything else.
This isolation addresses computational integrity by ensuring that code executes exactly as intended without tampering, while privacy is maintained through encryption of both data in memory and computational results.
Secure Enclaves
Encrypted and isolated regions of memory and computation, inaccessible to the OS and other applications.
Hardware Isolation
CPU extensions like Intel SGX or ARM TrustZone enforce hardware-level isolation.
TEEs vs. ZKPs
Trusted Execution Environments
Performant for general computation
Suitable for real-time applications
Hardware-based security guarantees
Requires trust in chip manufacturers
Vulnerable to hardware attacks
Zero-Knowledge Proofs
Pure cryptographic guarantees
No hardware trust assumptions
Stronger theoretical security
High computational overhead
Limited to specific computations
Key Limitations
zkTLS Trust Model
The zkTLS protocol enables proving properties about TLS (used by HTTPS) connections using zero-knowledge proofs, allowing a client to demonstrate to a verifier that they successfully established a secure connection with a particular server and exchanged specific data, without revealing the private communication contents.
zkTLS, however, requires trusting a central verifier. This centralized trust model fundamentally conflicts with blockchain’s decentralized trust assumptions, where no single entity should have privileged authority and all protocol rules should be verifiable by any participant.
Missing GPU Support
While TEEs like Intel SGX and ARM TrustZone provide robust security guarantees for CPU-based operations, they lack native support for securing GPU compute workloads, creating a critical gap for blockchain applications that require high-performance parallel processing.
This limitation is particularly acute for applications like AI model inference and cryptographic operations that could benefit from GPU acceleration. The absence of GPU support in TEEs means that any computation requiring GPU acceleration must either be performed outside the trusted environment (sacrificing security guarantees) or be executed much less efficiently on CPUs within the enclave.
Additionally, the lack of standardized protocols for GPU attestation means that even if hardware manufacturers were to implement GPU TEE support, significant work would be needed to integrate these capabilities into existing blockchain verification frameworks.
Ritual’s Innovation
Improved TLS Provenance
Ritual introduces a TEE-based proof of TLS provenance which improves upon zkTLS’s trust model by having the TLS connection terminate inside a secure enclave.
The TEE can generate cryptographic attestations proving that a legitimate TLS connection was established and specific data was exchanged, while keeping private keys and session data confidential. Rather than trusting a central verifier, participants would only need to trust the TEE manufacturer’s attestation keys (which, while still centralized, present a smaller attack surface and align better with existing web PKI trust assumptions).
The TEE could validate TLS certificates against multiple root certificate authorities and generate succinct proofs of valid certificate chains, allowing decentralized verification of TLS properties without exposing private communication. This approach provides many of the same guarantees as zkTLS but with trust assumptions that are more compatible with blockchain protocols.
GPU Workload Support
Ritual introduces an innovative approach to extend TEE-based verifiable computation to GPU workloads, specifically focusing on AI inference.
The protocol uses a CPU-based TEE to orchestrate and attest to GPU operations, creating a secure bridge between the trusted CPU environment and the untrusted but high-performance GPU.
The TEE verifies inputs, manages cryptographic operations, and validates GPU computation results by checking specific properties and invariants of the GPU output, essentially creating a verified sandbox for GPU workloads.
This architecture enables Ritual to maintain the security properties of TEEs while unlocking the massive parallel processing capabilities of GPUs for AI inference. For instance, the TEE can verify model weights, validate input preprocessing, and ensure the integrity of the inference results without requiring direct GPU attestation capabilities.
This hybrid approach provides a practical solution for bringing GPU-accelerated AI inference into the realm of verifiable computation, enabling new use cases in decentralized AI inference while maintaining strong security guarantees through the TEE’s attestation capabilities.
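The orchestration pattern described above, as an added sketch that is not Ritual's code: a CPU-side routine pins the model weights, validates the input, calls an untrusted GPU function, checks output invariants, and binds all three digests into a signed claim. Every name, the 4-feature/3-class shapes, and the HMAC key standing in for a hardware attestation key are assumptions made for illustration.

```python
import hashlib, hmac, json, math

# Constructed stand-ins. A real enclave signs with a hardware-backed attestation
# key (asymmetric); HMAC with a shared demo key is an assumption of this sketch.
ENCLAVE_KEY = b"constructed-demo-key"
WEIGHTS = b"constructed model weights blob"
PINNED_WEIGHTS_SHA256 = hashlib.sha256(WEIGHTS).hexdigest()

def digest(obj) -> str:
    data = obj if isinstance(obj, bytes) else json.dumps(obj, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()

def finite_floats(xs, n) -> bool:
    return len(xs) == n and all(isinstance(x, float) and math.isfinite(x) for x in xs)

def attested_inference(weights, features, gpu_infer) -> dict:
    """Runs inside the CPU TEE; gpu_infer is the untrusted GPU call."""
    if not hmac.compare_digest(digest(weights), PINNED_WEIGHTS_SHA256):
        raise ValueError("model weights do not match pinned digest")
    if not finite_floats(features, 4):
        raise ValueError("input failed validation")
    probs = gpu_infer(weights, features)
    # Output invariants for a 3-class softmax: shape, range, sum to 1.
    # These catch malformed results, not a well-formed but wrong answer.
    if not (finite_floats(probs, 3) and all(0.0 <= p <= 1.0 for p in probs)
            and abs(sum(probs) - 1.0) < 1e-6):
        raise ValueError("GPU output violates invariants")
    claim = {"weights": digest(weights), "input": digest(features), "output": digest(probs)}
    tag = hmac.new(ENCLAVE_KEY, digest(claim).encode(), hashlib.sha256).hexdigest()
    return {"claim": claim, "probs": probs, "tag": tag}

def verify(report) -> bool:
    """Verifier: check the tag, the pinned model, and the output binding."""
    tag = hmac.new(ENCLAVE_KEY, digest(report["claim"]).encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(tag, report["tag"])
            and report["claim"]["weights"] == PINNED_WEIGHTS_SHA256
            and digest(report["probs"]) == report["claim"]["output"])

def honest_gpu(weights, features):  # constructed GPU stand-in
    return [0.7, 0.2, 0.1]

def faulty_gpu(weights, features):  # constructed: returns a malformed vector
    return [0.9, 0.4, float("nan")]
```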