Summary

PolyCrypt GmbH proposes to strengthen the Shutter protocol through the trusted execution environment (TEE) capabilities of Intel’s SGX technology. This addresses one of the goals mentioned in the Shutter Roadmap. SGX is essentially a high-security black-box within the CPU that can prove correctness of computation and confidentiality of data, even against attackers that have full control over the operating system with full privileges. Using remote attestation, the TEE can prove that the expected code is running, thus Keypers can prove to users and to each other that they run the correct software, within a tamperproof black-box. Another important SGX feature used here is sealing: the ability to hardware-encrypt data for storage on disk so that only an approved executable can unseal it again, and only from within the protected context of SGX.

Our approach called ShutterTEE will run the core cryptographic components of the Shutter protocol inside a TEE, thereby providing an additional layer of security for the Shutter ecosystem. ShutterTEE offers two crucial security benefits:

1. Collusion prevention: A shortcoming of threshold cryptography (as leveraged by Shutter) is that a collusion of up to t keypers can recover the secret key and decrypt shielded transactions prematurely. By running at least one Shutter Keyper inside a TEE enclave, we can guarantee that epoch keys are not prematurely released. We will guarantee interoperability between TEE Keypers and Keypers running on an unprotected machine.
2. Compromise hardening: While TEEs are not unbreakable, they offer an additional layer of trust. In particular, most attacks against TEEs require that the operator/server running the TEE is behaving malicious and executes a sophisticated attack on the host system. By running the Shutter Keyper inside an enclave, it becomes significantly harder to compromise the Shutter ecosystem (For a discussion on hedging complex cryptographic protocols via TEEs see also https://ethresear.ch/t/2fa-zk-rollups-using-sgx/14462).

In the scope of this proposal, a proof of concept is built, and will be used for testing and refinement until the Shutter community decides to deploy the changes into production. The proof of concept modifies the Keyper software in these three ways:

1. The permanent and epoch keys will be sealed (encrypted) via SGX, and only the authorized and unmodified Keyper node software, running securely in SGX can access and unseal (decrypt) them. This prevents intentional leaks or targeted hacking of Keypers, as even administrator-level access to a Keyper machine will not be able to reveal the secret keys. Using this principle, both the long-term keys, as well as the epoch keys are secured.
2. We harden the mechanism that reveals the epoch keys after an epoch has ended, preventing any (intentional or when hacked) premature disclosure of the epoch decryption key. This is achieved by verifying the blockchain’s progression inside SGX and using the blockchain as a trusted source of time instead of relying on the Keyper’s own operating system time (which is easy to manipulate). Only when a block that is finalized on the blockchain with a timestamp that lies within a new epoch is witnessed, the previous epoch’s key is revealed. This ensures that as long as the blockchain’s timestamps are accurate, and the Keyper is unable to forge the consensus of the blockchain, the Keypers will not be able to release the decryption keys prematurely, thus preventing collusion.
3. Keyper nodes can choose not to cooperate with nodes that do not run within SGX or do not run the correct executable. The Keypers prove to each other that they have the correct version of the official node software, and that it is running in the trusted execution environment. This feature is optional and will only be implemented in this Proof of Concept if time permits.

Milestones

Milestone 1: Run Keyper code in SGX (50%)

For the first milestone, we will modify the existing Keyper code so that it can run in an SGX. This includes checking if the libraries used will compile and work correctly, separate Keyper logic from any File I/O and other code that does not run inside an SGX, sealing the key material, and testing if everything still works. At this point the key material is protected from malicious code running outside of the TEE, but the Keyper still relies on a Full-Node TEE for any on-chain state including the current time.

Milestone 2: Verify integrity of on-chain data using the consensus mechanism (50%)

To function correctly the Keyper needs to know the current time and what happened on-chain. As long as the Keyper blindly trusts a Full-Node to give it the correct data, malicious code outside of the TEE could manipulate the Keyper into handing out key material prematurely. To prevent this attack vector, the TEE has to verify the consensus of the underlying ledger and check validity of all data (using merkle proofs). We have already written a significant part of this for our Erdstall Layer-2 solution, and hence, this milestone is mainly about modifying it to work with the data needed by Shutter and integrating it with the code from Milestone 1.

Motivation and Outlook

Currently, Keypers are not technically forced to obey the protocol and can reveal their master keys or the key shares for the next epoch before the scheduled time, either intentionally, or as the result of a cyber attack on their machine. SGX can be used to enforce honest and correct behavior, as well as data security even against administrator-level attackers. This proposal increases the trust of users in the honest operation and security of the Keypers.

Once the Keypers are trusted and secured, the foundation is laid to also fortify the sequencer of Rollup systems. Currently, there is a weak point where the sequencer fails to include some transactions which have been revealed (for example in case of high transaction volume). A future proposal would aim to employ similar hardening techniques to ensure that only transactions that get included on the Rollup chain are actually revealed. Thus, the current proposal is a prerequisite for strengthening MEV resistant rollups.

ShutterTEE also allows for two possible extensions that may be developed in follow-up projects:

1. Slashing mechanism: ShutterTEE offers strong collusion prevention. Hence, if an epoch secret key share is released prematurely, it may be possible to develop a method for slashing malicious keypers that release their key share prematurely. While designing such a slashing mechanism is not part of this proposal, we believe that collusion prevention is an important first step towards this goal.
2. Addressing the ``stuck in the mempool problem’’: Currently all transactions of an epoch get public when the epoch key is released even if the shielded transactions are still in the mempool (i.e., they have not been confirmed in a block yet). An easy extension of ShutterTEE allows to address this problem, where the decryption of the shielded transactions is done inside the TEE only if they are already part of a confirmed block.

Feasibility

PolyCrypt GmbH, a spin-off from the Technical University of Darmstadt, was founded by former members of the applied cryptography research group. The company specializes in developing Layer-2 solutions like State Channels for cross-chain and arbitrary contract execution, as well as Layer-2 solutions using Trusted-Execution-Environments (TEE). The ShutterTEE technology will re-use some of the tech-stack that was developed as part of Erdstall project (https://erdstall.dev/), which is an SGX-based Layer-2 solution.

Funding

• Milestone 1: $40k USDC + 200k SHU
• Milestone 2: $38k USDC + 150k SHU

Great proposal, clearly laid out, looking forward to community discussion and feedback on this!

Recent meme which supports this proposal: x.com

One thing you could consider is increasing the SHU amount, but offering to lock up the allocation, e.g. for a year via Sablier or via the mechanism used during the Shutter DAO 0x36 Genesis allocation. This would signal a deeper and longer term commitment to the Shutter ecosystem. But also interested in hearing what DAO members have to say to this!

Thanks for the feedback! Yes, vesting is fine and we can also adjust the stake in SHU as we very much believe in the technology!

So here would be our new proposal:

• Milestone 1: 35k USDC + 350k SHU
• Milestone 2: 34k USDC + 300k SHU

Vesting of the SHU token for 1 year is fine.

What do you think?

Do we have an indication as to whether keypers have hardware capable of running SGX and if not whether they would be inclined to upgrade? (I assume this initiative would only make sense longer term, if all keypers ran the SGX version?)

Thanks for your feedback! I do not know what hardware keypers are currently using. However, buying an SGX capable system is cheap. I guess one can get such a system for approx. ~$1.000.

I think the set-up can also make sense if some keypers only use it. Notice that this will make it harder for keypers to be attacked by cyberattacks. Moreover, if more than 50% (or the threshold for reconstruction) use SGX, then collusion can be prevented.

We currently plan to first develop a PoC to get some experience for migrating Shutter keypers onto SGX. This can also be a good starting point for a future collaboration to secure Rollups against MEV.

I very much like the concept of this proposal, but would love to see a confirmation from the Shutter development team that this proposal makes sense (@luis, should we infer this from your comment above, or are there other voices that could add a technical endorsement?)

We recently gave a grant to our friends at dappnode to develop a shutter keyper package on their hardware. I wonder if they could comment on if their branded hardware supports SGX, or if it would be possible to offer such a unit (@Lanski) … Those custom covers would make a great canvas for the Shutter logo…

If this proposal is endorsed and passes, I would personally choose to run this setup.

Re: the SHU. I might be alone in this, but I believe this might not be the ideal time to be using SHU as a compensation tool. This might be a topic for another thread, but if given the choice I would vote for the compensation to be all USDC.

Our team did have a look at this and they think that from a technical perspective this proposal makes sense and has the potential to harden the protocol and reduce trust assumptions.

Would also point to this post by Justin Drake which the proposer mentioned where the approach of “fortifying” or “hedging” security via TEEs is also proposed: 2FA zk-rollups using SGX - zk-s[nt]arks - Ethereum Research so this further strengthens the validity of the general approach.

Love those ideas in regards to dappnode!

I agree. I think Shutter DAO 0x36 should focus on paying grants in stablecoins - USDGLO (if we have USDGLO) or USDC (if we don’t have USDGO). A few reasons:

• 0x36 has sufficient stablecoins for these payment
• the price of SHU is unreasonably low
• if a grant recipient wishes to align incentives and/or benefit from an (expected) increase in price of SHU, then they should use some % of the grant payment to purchase SHU on the open market

Note: I am making this comment in my personal capacity, not as a brainbot employee.

Thanks a lot for the feedback. Do I get it right that the community would prefer that the grant will be paid entirely in USDC?

@sebastian.faust - I’m planning to start a separate thread on the topic of paying grants and services in USDC or USDGLO, so that the community can discuss and come to a consensus on the best approach.

That said, you might need to post this proposal before that discussion concludes. In which case I’d suggest requesting in all USDGLO, unless we see some other feedback that disagrees.

Would that cause you any issues?

Thanks a lot for your feedback. We are fine with requesting the following total funds (split into two milestones as outlined in my original proposal):

• 75.000 USDC
• 25.000 dollar worth in USDGLO or SHU (as preferred by the community)

We checked the USDGLO and it is not listed on coinbase or any other major exchange. It also has extremely low trading volume, so it does not look like a liquid market. Unfortunately, I could not figure out where to sell a large amount of USDGLO without taking major slippage risk.

As we need to pay our developers from the tokens (in EUR), we must immediately swap the tokens to EUR when we receive them from the DAO. Hence, we would very much prefer to receive USDC from the DAO to ensure that we can actually cover the costs of development.

Hi everyone!

Thanks a lot for the feedback. I just launched a vote on Snapshot. Looking forward working on this!

https://snapshot.org/#/shutterdao0x36.eth/proposal/0x12a66abfcea753eee38727deb2a0277251cb76fc7afb0ff2118bdeadabb2945d