Polyhedra introduces Trusted Execution Environment (TEE) to strengthen cross-chain and verifiable AI security

ODAILY
05-14
This article is machine translated

Author: Weikeng Chen

Original link: https://blog.polyhedra.network/tee-in-polyhedra/

Polyhedra is introducing a new security layer for its cross-chain bridging protocol, oracle system, and verifiable AI marketplace, built on a Trusted Execution Environment (TEE) implemented with Google Confidential Computing. After extensive research on the current mainstream TEE solutions, Polyhedra chose to build its TEE security module on Google Confidential Space and was the first to verify a new proof mechanism combining zero-knowledge proofs and TEE (ZK-TEE). This allows the results of computations running on Google Cloud to be verified on EVM chains, opening a new path for native interoperability between trusted computing and blockchains.

This security layer will be deployed gradually to several of Polyhedra's core zero-knowledge products, covering its cross-chain interoperability systems across multiple chains. Polyhedra also plans to natively integrate TEE proof capabilities and TEE-protected AI applications into its self-developed EXPchain through precompiled contracts.

What is TEE?

TEE, which stands for "Trusted Execution Environment", is a CPU technology. It allows the CPU to perform computations in encrypted and integrity-protected memory - even cloud service providers (like Google Cloud), operating systems, or other systems in the same virtual machine environment cannot view this data.

In other words, TEE can guarantee the confidentiality and security of data during use at the hardware level.

This technology is actually widely used. For example, Apple devices default to full-disk encryption (also called "data protection"), which is based on the TEE on Apple chips. Only after unlocking the device with a fingerprint or password can users access sensitive information like passwords and keys stored on the device. Microsoft's Windows system is similar, with recent versions supporting full-disk encryption (BitLocker) under TEE protection. This means the disk will only unlock if the operating system and boot process have not been tampered with.


The State Committee system has been running stably for about a year. However, it is worth noting that the ZK aggregated signatures generated by the State Committee are not as secure as the complete ZK proofs generated for the entire consensus process. Therefore, we have imposed restrictions on this scheme in the rapid confirmation mechanism: it is only applicable to cross-chain transfers of small assets; for large assets, Polyhedra recommends that users use the official L2 to L1 bridging channel to obtain stronger security guarantees.

In ZKML scenarios, especially those requiring instant execution (such as AI trading robots), achieving "quick finality" is particularly crucial. To this end, Polyhedra is exploring introducing TEE (Trusted Execution Environment) in its verifiable AI technology stack as a solution, running AI inference processes in computing environments with TEE to ensure data credibility and verifiability of execution results.

We plan to use Google Vertex AI's model library to prove that a model's output indeed comes from a Vertex AI API call, or prove the results through TEE from official ChatGPT or DeepSeek API services. Although this requires a certain degree of trust in the platform providers (such as Google, OpenAI), we believe this is an acceptable engineering assumption, especially when used in conjunction with on-chain ZKML computations.

If users wish to run custom models, we can also deploy the model in Nvidia GPU instances supporting TEE (recently supported by Google). This mechanism can be used in parallel with ZKML proofs: ZK proofs can be generated when the system is challenged, or generated later as an insurance supplement mechanism. For example, in insurance mechanisms for AI trading robots or agents, operators can generate ZKML proofs before reaching the insurance limit to release security margins, thereby enhancing the transaction throughput of the agent system and enabling it to handle more tasks under the original insurance amount.

Non-Blockchain Interoperability: Connecting On-Chain and Real-World Trusted Channels

Polyhedra has been exploring the application of zero-knowledge proofs (ZKP) in non-blockchain scenarios. Representative cases include proof-of-reserves systems for centralized exchanges (CEX), which achieve auditability through privacy-preserving verification of databases. Additionally, we are actively promoting interoperability between chains and off-chain systems, such as providing trusted oracles for the prices of stocks, gold, silver, and other traditional financial assets for AI trading robots and real-world assets (RWA), or implementing on-chain identity authentication through social login methods like Google login and Auth0.

Off-chain data is primarily divided into two categories:

  1. JWT (JSON Web Token) signature data: Can be directly verified on EVM (although with high gas costs), or verified after being wrapped by ZK proof. Polyhedra adopts the latter method.

  2. TLS (Transport Layer Security) data: Can be proven through ZK-TLS, but current technology requires users to trust MPC nodes used for reconstructing TLS keys. ZK-TLS performs well for simple web pages or API data, but becomes costly when handling complex web pages or PDF documents.

In this context, Polyhedra has introduced the ZK-TEE solution. We can run a TLS client in a trusted execution environment (TEE), generate a trusted computing proof through Google Confidential Computing, and then convert it to a ZK-TEE proof on-chain to achieve secure reading and verification of off-chain data.

This TLS client has a universal architecture, runs efficiently, and can support almost all TLS connection scenarios, including but not limited to:

  • Accessing financial websites like Nasdaq to obtain stock prices

  • Executing stock account transactions on behalf of users

  • Performing fiat currency transfers through online banking to achieve "cross-domain bridging" with traditional bank accounts

  • Searching and booking flights and hotels

  • Obtaining real-time cryptocurrency prices from multiple centralized exchanges (CEX) and decentralized exchanges (DEX)

In AI scenarios, the credibility of non-blockchain data is particularly important. Current large language models (LLMs) not only receive user input but also obtain external data dynamically through search engines or through methods like LangGraph and Model Context Protocol (MCP). Through TEE, we can verify the authenticity of these data sources. For example, AI agents solving mathematical problems can call Wolfram Mathematica or remote Wolfram Alpha API services and use TEE to guarantee the integrity of these calls and results.

Privacy Protection: Building a Trusted AI Inference Environment


Polyhedra's innovation is to use ZK-TEE proof technology to compress TEE attestation proofs into compact proofs that can be verified efficiently on-chain. Taking zkBridge as an example, we will soon demonstrate how this technology can provide security guarantees for multiple products.

SGX, SEV, and TDX: Choosing and Comparing TEE Technologies

In the process of building a product ecosystem supported by Trusted Execution Environment (TEE), Polyhedra has conducted an in-depth study of the three mainstream TEE implementation technologies, which are:

  • Intel SGX (Software Guard Extensions): Applicable to some Intel server-grade CPUs;

  • AMD SEV (Secure Encrypted Virtualization): Widely applicable to AMD EPYC series CPUs;

  • Intel TDX (Trust Domain Extensions): A technology targeting the new generation of Intel Xeon processors.

The following is our comparative analysis of these three technologies and our thoughts on actual selection:

In the ZKML field, Polyhedra might run a TEE agent, calling Google Vertex API or external AI API services for inference, and verifying whether the model output comes from Vertex API and has not been tampered with; or directly running AI models through confidential computing on Nvidia GPUs without using Google model libraries. It is worth noting that privacy protection is a byproduct in this solution. We can easily hide the model's parameters, inputs, and outputs, thereby ensuring data confidentiality.

3. Verifiable AI Marketplace

For the verifiable AI marketplace, including MCP servers, Polyhedra adopts a similar strategy: running a TEE agent, or running the application directly inside the TEE where possible. For example, for MCP services that require mathematical solving, we can either set up a TEE agent that connects to Wolfram Alpha or run a local copy of Mathematica directly. In some scenarios a TEE agent is the only option, such as when interacting with flight booking systems, Slack, or search engines. It is particularly noteworthy that a TEE can also turn a service that does not comply with the MCP standard (such as any Web2 API) into an MCP-compliant service by acting as a proxy that converts the architecture and formats between the services.

Outlook: TEE Integration Will Accelerate Product Implementation and Bring Multiple Values

The introduction of TEE technology is an important supplement to Polyhedra's technology stack. In the future, we will prioritize deployment in cross-chain bridge modules and gradually expand to AI inference and decentralized service markets. TEE technology will significantly reduce user costs, accelerate transaction finality, achieve greater interoperability across ecosystems, and provide users with entirely new privacy protection features.
