On-chain verification of AWS Nitro Enclave attestations

On-chain verification of AWS Nitro Enclave attestations

Trusted Execution Environments (TEEs) ensure computational integrity by executing code on hardware that’s isolated from the rest of the system. This prevents other applications, including the host, from modifying the results of computations executed in them. This is especially important in the context of coprocessors and decentralized compute networks where untrusted hosts run mission critical applications on behalf of other users.

What are enclave attestations?

An important step in ensuring that code in fact runs in a TEE is the attestation process. An attestation, usually received from the hardware, proves to an untrusting user that his application is running inside a TEE and that the host isn’t attacking him by running the app outside and passing him incorrect results. Various manufacturers of TEEs exist. In this article, we are specifically interested in the AWS Nitro Enclave implementation.

In order to determine whether an application is running inside the TEE, the user first needs to check whether the TEE itself was set up correctly. In order to accomplish this, the enclave images that are used to create the enclaves are measured to obtain unique identifiers called PCRs. These PCR values are included in the attestation document created by the Nitro hypervisor.

On-chain verification of attestations

The attestations received from enclaves can be verified easily off-chain. However, in order to enable results to be consumed by smart contracts, it is beneficial to verify the attestations on-chain.

The attestation document is encoded in the CBOR format and signed using the COSE structure. It also contains the certificate bundle needed to verify the validity of the signature. All certificates in the bundle are X.509 certificates which use P-384 and SHA384 to sign the certificates and the attestation document.  The root of the cert chain is the AWS Nitro Root key.

Puffer Finance and Automata Network have implemented such verification contracts for Intel SGX which uses a different signature scheme. 

An optimized verification contract 

We found some repositories which implement P-384 with sha256 and modified them to work with SHA384. We optimized these libraries to bring the gas down from 400 million to 150 million. We further decreased the gas costs to less than 70 million by making further optimizations to the codebase and split the attestation process into 2 stages. 

1. The first stage is the verification of the certificate chain which is the most expensive part of the attestation verification process. A certificate can be verified in around 12-13 million gas and its verification can be reused if the certificate is part of another certificate chain. 

2. Once the individual certificates are verified, the attestation can be verified as part of the second stage in less than 20 million gas which brings the verification of Nitro Enclave attestations into practical ranges for most blockchain platforms including Ethereum.

Github repo: https://github.com/marlinprotocol/NitroProver

Test addresses: 



Arbiscan contract
Gas costs for the initial unoptimized version
Gas costs for the initial unoptimized version
First optimizations based on bytes parsing
First optimizations based on bytes parsing
Restructured code to decrease delegateCalls to libraries
Restructured code to decrease delegateCalls to libraries

Future improvements

While the gas costs are already in the practical range for verification on chain, we have identified areas to optimize further by reworking the libraries so attestations can be verified in a single transaction. It is also worth noting that the code has not been audited as yet. Follow our repo for future updates!

Shoutout to the authors of the below repos which were used in the Nitro attestation verifier in whole or in part

- https://github.com/LogvinovLeon/estid-sig

- https://github.com/yangfh2004/SolSha2Ext

- https://github.com/owlprotocol/solidity-cbor/tree/develop

- https://github.com/JonahGroendal/asn1-decode/

- https://github.com/bokkypoobah/BokkyPooBahsDateTimeLibrary

Follow our official social media channels to get the latest updates as and when they come out!

Twitter | Telegram Announcements | Telegram Chat | Discord | Website

Stay connected

Subscribe to our newsletter.