How confidential computing enables highly secure and scalable management of digital assets
David Knichel
The cryptocurrency market has faced huge financial losses because of wallet security breaches, showing just how important strong security measures are. That’s where confidential computing comes in. It protects your secret keys and keeps your software safe by isolating data and code with hardware technologies like Intel SGX and AMD SEV, even when you're using third-party services.
Confidential computing also works well with Multi-Party Computation (MPC), which spreads the signing process across multiple secure endpoints so that no single endpoint ever holds the whole key. An attacker then has to compromise several endpoints at the same time to move your funds.
Tools like EGo, MarbleRun, and Contrast make it easy to integrate Confidential Computing, offering scalable and secure ways to manage your digital assets. All these tools are open source and available on our GitHub. Need help getting started? We’ve got your back—just reach out!
Do you like big numbers? We have one for you: $2,117,082,212,092. That is around 2 trillion dollars. This is the total market capitalization – so the total value – of all cryptocurrencies combined. This is around 10 times more value than in 2020. There even exist single wallets that hold billions of dollars in digital assets. The rapid accumulation of capital and immense value within the crypto space can be difficult to comprehend, making the secure and scalable management of digital assets more essential than ever. Let’s face it—no one likes to see their money disappear or fall into the wrong hands.
Unfortunately, many people and companies have suffered significant financial losses due to security breaches in the crypto space. Frequent hacks, like those at Mt. Gox in 2014, Bitfinex in 2016, Coincheck in 2018, and DMM Bitcoin in 2024, highlight the vulnerabilities of crypto platforms and wallets. These incidents are damaging for several reasons: clients lose their funds (worth millions of dollars), platforms face severe financial strain or bankruptcy, and public trust in cryptocurrencies takes a significant hit. So, how can we significantly enhance security while maintaining scalability? The answer is right in the blog title: confidential computing!
Confidential computing is an emerging technology that comes with strong protection guarantees for secret key material and software integrity. Even when deployed on third-party infrastructure (like the cloud), and even if the host operating system or hypervisor is compromised, it ensures that you keep complete ownership of your data and secrets. It is rooted in strong isolation between your stored secrets and deployed code on the one hand, and the rest of the system and environment on the other. This separation is enforced by hardware extensions that are integrated into many common processor architectures; examples are Intel SGX and AMD SEV, which make confidential computing possible on many common server platforms. When applying confidential computing, your code and your secrets are effectively shielded from other system components and the external environment. A second hardware feature, remote attestation, lets a remote party verify that it is talking to exactly the code you approved before it hands over any secret, so the isolation can be checked rather than assumed. It’s much like a hardware-enforced vault for your secrets and code, even in foreign territory.
Securing digital assets is all about securely storing and managing secret key material. Transferring an asset from an account means cryptographically signing a digital transaction with the account’s private key. Naturally, keeping this key secret is the highest priority: whoever holds the key controls the account’s funds. As asset management platforms and wallet providers often manage tens of thousands of accounts, keeping these account keys secure is the backbone of their services and hence their business. The speed of development within the blockchain space increases the need for solutions that offer high security guarantees while scaling effectively. Storing the keys in a database on ordinary disks within a classic server infrastructure is a bad idea, because compromising that server exposes all secrets and hence all funds. This becomes even more relevant on third-party infrastructure, where the provider naturally has access to the machines, including physical access.
Confidential computing, on the other hand, enables hardware-enforced signature “oracles” that run completely isolated from the rest of the system and environment while keeping the account keys securely stored, even in the cloud. It enables an interface (even a remote API) that can sign transactions but will never expose the key, not even to the operating system the interface is running on or to privileged system administrators. Even when your signature oracle runs in the cloud and your administrative cloud credentials are leaked or the server’s operating system is compromised, extracting the account keys or altering the oracle’s code is not possible. This is because of the hardware-enforced isolation of the oracle, which confidential computing provides through technologies like Intel SGX or AMD SEV. A party that wants to initiate a transaction must then authenticate to the oracle’s interface through strong means (e.g. 2FA) and can have transactions signed while your oracle’s code and the account secret remain completely enclaved. Note that the oracle’s interface is now the attack surface: an attacker who obtains a caller’s credentials can still request signatures, so authentication, authorization policy (limits, allow-lists) and logging of signing requests deserve the same care as the key itself.
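What such an oracle looks like at the code level, as an added example written for this post and not code from EGo or Edgeless Systems: a small in-memory signing oracle with the interface shape described above. The program is plain Go so it runs anywhere; under EGo the same source would be built with ego-go and run inside an SGX enclave, so that the key held by the Oracle struct sits in enclave memory. Assumptions: Ed25519 stands in for the chain’s actual signature scheme, a constructed bearer token stands in for the strong (2FA) authentication the text requires, and the httptest server stands in for the oracle’s remote API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Oracle owns the account's private key; no method returns it. Only signatures
// and the public key cross the API boundary. token is the constructed credential.
type Oracle struct {
	priv  ed25519.PrivateKey
	token []byte
}

func NewOracle(token string) (*Oracle, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Oracle{priv: priv, token: []byte(token)}, nil
}

// PublicKey is the only key material the oracle ever exports.
func (o *Oracle) PublicKey() ed25519.PublicKey { return o.priv.Public().(ed25519.PublicKey) }

// Sign returns the signature over a serialized transaction.
func (o *Oracle) Sign(tx []byte) []byte { return ed25519.Sign(o.priv, tx) }

// authorized compares the bearer credential in constant time.
func (o *Oracle) authorized(r *http.Request) bool {
	tok, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
	return ok && subtle.ConstantTimeCompare([]byte(tok), o.token) == 1
}

// ServeHTTP exposes POST /sign; the request body is the hex-encoded transaction.
func (o *Oracle) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.URL.Path != "/sign" {
		http.NotFound(w, r)
		return
	}
	if !o.authorized(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap request size
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	tx, err := hex.DecodeString(strings.TrimSpace(string(body)))
	if err != nil {
		http.Error(w, "transaction must be hex", http.StatusBadRequest)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"signature": hex.EncodeToString(o.Sign(tx))})
}

// RequestSignature is the client side: it sends tx and receives only a
// signature plus the HTTP status; it never learns the private key.
func RequestSignature(baseURL, token string, tx []byte) ([]byte, int, error) {
	req, err := http.NewRequest(http.MethodPost, baseURL+"/sign", strings.NewReader(hex.EncodeToString(tx)))
	if err != nil {
		return nil, 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, resp.StatusCode, nil
	}
	var out struct{ Signature string `json:"signature"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, resp.StatusCode, err
	}
	sig, err := hex.DecodeString(out.Signature)
	return sig, resp.StatusCode, err
}

func main() {
	o, err := NewOracle("constructed-demo-token")
	if err != nil {
		panic(err)
	}
	srv := httptest.NewServer(o) // stands in for the enclave's remote API
	defer srv.Close()
	tx := []byte("constructed tx: transfer 1.0 to account A")
	sig, status, _ := RequestSignature(srv.URL, "constructed-demo-token", tx)
	fmt.Println("authorized caller:", status, "valid:", ed25519.Verify(o.PublicKey(), tx, sig))
	_, status, _ = RequestSignature(srv.URL, "wrong-token", tx)
	fmt.Println("unauthorized caller:", status)
}
```

The point to take away is the shape of the boundary: the only data leaving the oracle are signatures and the public key, and nothing in the API can return the private key. In a real enclave deployment the key would additionally be sealed to the enclave identity at rest, and clients would verify the enclave’s attestation report before trusting its public key or sending it transactions.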
Multi-Party Computation (MPC) is a cryptographic technique that significantly enhances the security of digital assets. It distributes the signing operation across multiple parties: in an MPC system the signature is computed jointly by several endpoints, so that the account’s private key never exists in full at any single one of them.
No individual endpoint can independently generate a valid transaction signature. Instead, all endpoints (or a predefined number of them, above a certain threshold) must take part in signing a transaction. This makes theft much harder, as an adversary would need to compromise multiple endpoints simultaneously. For example, one endpoint might run on the user’s device, another on a private server, and a third in the cloud. Confidential computing integrates naturally with MPC, allowing for high security and easy scalability when managing a large number of accounts. For each account, confidential computing enables signing oracles on multiple endpoints, protecting both the key share and the code of each endpoint. Even when your oracles run on multiple cloud services and all your cloud credentials are leaked, the key material remains secure.
This combination also limits the damage of a security breach in the underlying confidential computing hardware itself. For example, you could deploy one enclaved endpoint on Intel SGX and another on AMD SEV. Even if a vulnerability is discovered in AMD SEV, the endpoint on Intel SGX remains intact, and as long as the signing threshold cannot be met by the compromised endpoints alone, the funds stay secure.
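The signing flow that the three preceding paragraphs describe (several endpoints jointly producing one signature without any of them holding the whole key, and a breach of one endpoint, or of one hardware platform, not yielding the funds), as an added example written for this post; it is not code from the post, EGo or MarbleRun, and it is a teaching sketch rather than a production protocol. It implements n-of-n distributed Schnorr signing over a toy prime-order group generated at runtime (64-bit; assumption: a real deployment would use the chain’s curve). Each Party stands for one endpoint (user device, private server, cloud enclave); in the deployment the text describes, each Party would run inside its own enclave, possibly on different hardware (SGX on one, SEV on another). Not covered: a t-of-n threshold, and the key and nonce commitments that protocols such as FROST or MuSig2 add to resist rogue-key and nonce-manipulation attacks; the parties here are assumed honest but independently compromised.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

type Group struct{ P, Q, G *big.Int } // order-q subgroup of Z_p^*, p = 2q+1 (toy size)

// NewToyGroup finds a safe prime p = 2q+1; g = 4 = 2^2 is a square, hence of order q.
func NewToyGroup(bits int) *Group {
	for {
		q, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			panic(err)
		}
		p := new(big.Int).Lsh(q, 1)
		if p.Add(p, big.NewInt(1)).ProbablyPrime(20) {
			return &Group{P: p, Q: q, G: big.NewInt(4)}
		}
	}
}

// scalar draws a uniform element of Z_q; a failing crypto/rand is not recoverable.
func scalar(q *big.Int) *big.Int {
	x, err := rand.Int(rand.Reader, q)
	if err != nil {
		panic(err)
	}
	return x
}

// Party is one signing endpoint: x (key share) and r (nonce) never leave it.
type Party struct {
	grp     *Group
	x, r, Y *big.Int // Y = g^x is the only value published at setup
}

func NewParty(grp *Group) *Party {
	x := scalar(grp.Q)
	return &Party{grp: grp, x: x, Y: new(big.Int).Exp(grp.G, x, grp.P)}
}

// Round1 picks a fresh nonce and publishes only its commitment R_i = g^r_i.
func (p *Party) Round1() *big.Int {
	p.r = scalar(p.grp.Q)
	return new(big.Int).Exp(p.grp.G, p.r, p.grp.P)
}

// Round2 returns s_i = r_i + c*x_i mod q and drops the nonce (reusing it leaks x_i).
func (p *Party) Round2(R, Y *big.Int, msg []byte) *big.Int {
	s := new(big.Int).Mul(challenge(p.grp, R, Y, msg), p.x)
	s.Add(s, p.r).Mod(s, p.grp.Q)
	p.r = nil
	return s
}

// challenge is the Fiat-Shamir hash c = H(R || Y || msg) mod q.
func challenge(g *Group, R, Y *big.Int, msg []byte) *big.Int {
	h := sha256.Sum256(append(append(R.Bytes(), Y.Bytes()...), msg...))
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), g.Q)
}

// AggregatePublicKey Y = prod Y_i; the matching secret x = sum x_i mod q is never assembled.
func AggregatePublicKey(g *Group, parties []*Party) *big.Int {
	Y := big.NewInt(1)
	for _, p := range parties {
		Y.Mul(Y, p.Y).Mod(Y, g.P)
	}
	return Y
}

// Sign runs both rounds across all endpoints; only R_i and s_i travel between them.
func Sign(g *Group, parties []*Party, msg []byte) (R, s *big.Int) {
	R, s = big.NewInt(1), big.NewInt(0)
	for _, p := range parties {
		R.Mul(R, p.Round1()).Mod(R, g.P)
	}
	Y := AggregatePublicKey(g, parties)
	for _, p := range parties {
		s.Add(s, p.Round2(R, Y, msg)).Mod(s, g.Q)
	}
	return R, s
}

// Verify is the plain Schnorr check g^s == R * Y^c mod p against the aggregate key.
func Verify(g *Group, Y, R, s *big.Int, msg []byte) bool {
	c := challenge(g, R, Y, msg)
	rhs := new(big.Int).Exp(Y, c, g.P)
	return new(big.Int).Exp(g.G, s, g.P).Cmp(rhs.Mul(rhs, R).Mod(rhs, g.P)) == 0
}

func main() {
	g := NewToyGroup(64)
	parties := []*Party{NewParty(g), NewParty(g), NewParty(g)} // device, server, cloud
	R, s := Sign(g, parties, []byte("constructed tx"))
	fmt.Println("joint signature valid:", Verify(g, AggregatePublicKey(g, parties), R, s, []byte("constructed tx")))
}
```

What the code shows that the prose does not: the secret key x = x1 + x2 + x3 mod q exists only as an equation. Every value that crosses an endpoint boundary (Y_i, R_i, s_i) is public, and the verifier runs the ordinary Schnorr check with the aggregate key, so it cannot even tell that the signature was produced jointly. Leaving one party out produces a signature for a different key, which is exactly why compromising a single endpoint, or the hardware platform it runs on, does not move the funds.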
Is it hard to integrate confidential computing into an existing product? Not at all. There are developer-friendly tools that make it straightforward. They work with common DevOps technologies and practices, so confidential computing scales together with your product.
EGo is a Software Development Kit (SDK) for creating SGX-ready applications in Go. It streamlines the development process and has already gained popularity among crypto organizations looking to leverage SGX’s capabilities. EGo makes the creation of hardware-enforced signature oracles straightforward by abstracting the complexities of confidential computing behind the scenes.
MarbleRun is a valuable tool that facilitates the orchestration of SGX applications. It is particularly effective for applying confidential computing when handling numerous asset accounts and operating in distributed environments, such as those utilizing MPC. MarbleRun streamlines the verification, configuration, and authentication of application components, ensuring both scalability and reliability.
Edgeless Systems further offers Contrast, an all-in-one confidential containers platform. Contrast runs containers in confidential micro VMs, which work similarly to enclaves and keep data encrypted at all times. The difference is that the application does not need to be adjusted: existing containers can be deployed as they are.
All these tools are open source, with their code available on our GitHub repository. Want to elevate the protection of your digital assets to the next level? You are not alone—we are here to help. Just reach out!