Written by

Julian Deschler

Published

October 15, 2024

What is DeCC (Decentralized Confidential Computing)?

DeCC, or Decentralized Confidential Computing, is a novel approach to enabling encrypted computation without centralized parties.

In today's digital society, data privacy is often taken for granted. Many of us don’t consider the safety of our sensitive information as we go about our daily activities, such as booking travel, making purchases, or paying bills online. However, the reality is that our data is constantly at risk, and more than conventional security technologies may be required. The potential attack surface for malicious actors is vast with traditional computing. With so much sensitive data held in so many different locations across different apps and software, that attack surface grows exponentially. So, how can we reduce this risk and better protect our data? The answer lies in confidential computing and the innovative approach we at Arcium have taken.

Traditional Confidential Computing

To start, let's delve into how traditional data is securely processed. To simplify it, we can picture using an app on our phone that requires a purchase. Utilizing this app, your data will exist in three states: at rest, in transit, and in use. Data at rest is stored or considered inactive. This would be the app using some sort of cloud storage to hold your sensitive data for future purchases. Then, there is data in transit, where data moves between locations. In this example, your payment would be processed through a third party to communicate to your credit card company that you purchased the item. Third, we have data in use, any data currently accessed or processed by users or other software, in this case, inputting your saved credit card information to make the purchase. Data in use is the most susceptible, but all states are at risk.

The problem boils down to how the current compute stack works. To visualize this, imagine vertical blocks stacked on top of one another. At the bottom, you have your hardware. Next is the hypervisor, which runs virtual machines on a single physical machine or hardware. On top of this is the operating system, another type of software that manages the hardware and hypervisor, allowing everything to communicate appropriately. Finally, at the top, you have the app used for purchases. But why is your data at risk in all states? Within this computation stack, every layer is vulnerable and can expose all other connected layers. If someone attacks the app, all other stack components (OS, hypervisor, and hardware) are also vulnerable. This entire computation stack works together with no separation. Another way to visualize it is a castle. Once a tiny section of a wall is breached or the gate is knocked down, all areas within the castle are easily accessed. The attack surface is much too large in traditional data processing, but advancements in secure processing come in the form of traditional confidential computing.

We mention the term "traditional" purposely, but we will review this later. Let's shorten traditional confidential computing to TradCC for this article. TradCC revolutionized how data was securely processed while in use. TradCC utilizes a foundational technology term you may or may not have heard of in order to process data in secure enclaves. A more widely used term for secure enclaves is Trusted Execution Environment (TEE). This safe area (enclave) of a device's processor protects data and code from outside threats. These TEEs provide several fundamental security properties:

Isolation: The enclave is completely isolated from the rest of the system, preventing other components, including the operating system and hypervisor, from accessing the data inside.

Runtime Memory Encryption: Data within the enclave is always encrypted, maintaining confidentiality even during processing.

Sealing: This allows the enclave to securely store data within an otherwise untrusted system, protecting it even if other system parts are compromised.

Remote Attestation: This feature enables the enclave to prove to a remote party that it is secure and running on legitimate hardware, ensuring the processing environment's integrity.

All of these work together to ensure that sensitive data is always protected. TradCC's main advantage is its ability to significantly reduce the attack surface for malicious actors. With data encrypted throughout the entire process, even if someone hacks the hypervisor or OS, the data remains useless to them.

Now, the term TEE covers various implementations, with notable ones being:

Intel SGX: Introduced in 2015, Intel SGX allows individual parts of an application, like cryptographic functions, to run inside a secure enclave. This evolved to include all applications or containers running within these enclaves for enhanced security.

AMD SEV: Enables entire virtual machines, including the operating system, to run inside an enclave. This "lift and shift" approach adds the benefits of confidential computing to legacy applications by protecting the entire VM's data.

Intel TDX: Similar to AMD SEV, Intel TDX supports running entire VMs in secure enclaves, providing confidentiality and integrity to legacy applications and their operating systems.

Apple Private Cloud Compute: Apple designed a hardware-based trusted execution platform for processing work from their new AI solutions. This PCC falls into the category of secure enclaves, but in this case, Apple offloads user data to data centers.

Drawbacks to TEEs

TEEs may seem fantastic in their application and may make data seem impenetrable from outside hacks, but in reality, they have significant drawbacks:

Hardware Vulnerabilities: In TradCC, the secure enclave is always hardware-based. The TEE exists on the device's processor and is vulnerable to malicious intent during installation. For example, the entire supply chain can be targeted where hardware is manufactured or firmware/software is distributed. Attackers can insert and distribute malware to exploit these areas within the supply chain to access sensitive information.

Side-Channel Attacks: These attacks exploit security weaknesses in modern processors. They target the program or code directly being processed, aiming to exfiltrate sensitive information, including cryptographic keys (which TradCC uses to encrypt the data) by measuring coincidental hardware emissions. To simplify, imagine confidential computing data is your car using GPS. A side-channel attack would measure changes in the gas tank, car's weight, heat of the engine, etc., to reveal information about the car's use, places or distances traveled, or what is stored in the trunk.

Firmware, Microcode, and SDK Bugs: TEEs can be vulnerable to attacks exploiting weaknesses in the code or data used to encrypt and process sensitive data. Any update or initial bug in the code can be found and used to gain access.

TradCC is an excellent step towards securing sensitive data, but these challenges significantly reduce that security. TEEs are significant in practice, but they are easily exploitable if appropriately targeted. Truthfully, they only provide one solution to something that should require multiple failsafes. Arcium is providing the exact solution to the issues facing TradCC and TEEs, and it comes in the form of Decentralized Confidential Computing.

Decentralized Confidential Computing (DeCC)

DeCC combines a range of technology designed to ensure sensitive data can be processed securely without exposure or tampering, even during active use. It is very similar to what we previously covered with TradCC but is also very different. It combines two powerful concepts: decentralization, where data is distributed across multiple locations, and confidentiality, which keeps data private and protected from unauthorized access. The need for robust data privacy has become increasingly critical due to Web 2 and TradCC issues/hacks and because new technologies like blockchain technology are expanding into various fields, such as finance, infrastructure, social networks, scientific research, and beyond.

Traditional blockchains are inherently transparent, which, while beneficial for transparency and trust, poses a significant limitation for applications that require data confidentiality. This is where DeCC comes into play. By enabling secure data processing in a decentralized manner, DeCC ensures that sensitive information remains confidential, opening up many new use cases in the Web3 landscape. DeCC employs various tools and technologies, both together and separately. These features help DeCC be applied in a wide variety of different use cases:

Multi-Party Computation (MPC): This protocol allows multiple parties to jointly compute a function over their inputs while keeping those inputs private. It’s basically a collaborative effort where participants contribute to the final result without revealing their data. MPC ensures that no single party can access the complete dataset, enhancing data security and privacy.

Zero-knowledge proofs (ZKPs): Enable one party to prove to another that a statement is true without revealing additional information.

Fully-Homomorphic Encryption (FHE): A form of encryption that allows computations to be performed on encrypted data without needing to decrypt it first. This means that data can remain encrypted throughout the entire processing cycle, providing an additional layer of security.

Trusted Execution Environment (TEE): We mentioned this previously, but DeCC does utilize TEEs, but they work in conjunction with the previously mentioned technologies to make it much more robust and address the drawbacks.

To understand DeCC better, let's revisit the example of using a phone app to make a purchase. DeCC ensures that your data stays secure and private at all stages, whether it's at rest, in transit, or in use. Your payment information is encrypted while stored, ready for use whenever you need it. During the transaction, DeCC's advanced features keep your data secure and private, even as it's sent to third parties. And if a hacker intercepts your data, it's useless because it's encrypted and protected at every step. DeCC's comprehensive security measures significantly reduce the risk of data breaches, so the next time you make a purchase on your app, you can rest easy knowing your sensitive data is safe.

Arcium & DeCC

Arcium is a revolutionary network that leverages the principles of TradCC and extends them into the realm of DeCC. Arcium provides a trustless, verifiable, and highly efficient framework for running encrypted computations. Its distributed architecture uses multiple nodes to perform MPC tasks, forming Clusters designed to handle specific functions under various protocols define in a Multiparty eXecution Environments. Throughout the process, data remains encrypted, ensuring that sensitive information is never exposed.

Arcium's advanced framework creates a robust and secure environment for data processing. By building on the foundational security properties of DeCC, Arcium enables secure, encrypted computations and data collaboration across multiple nodes. This significantly reduces the potential attack surface and ensures robust data privacy and security at every data lifecycle stage. By distributing data processing tasks across multiple nodes and guaranteeing that no single entity has full access to the data, Arcium leverages the strengths of decentralization and confidentiality to provide unparalleled data protection.

Practical Applications

DeCC and Arcium's network offers robust solutions across various industries. Here, we focus on four key areas: Artificial Intelligence (AI), Decentralized Physical Infrastructure Networks (DePIN), Decentralized Finance (DeFi), and Gaming. Each of these sectors can benefit significantly from the enhanced security and privacy provided by DeCC.

AI

AI applications often process vast amounts of sensitive data, such as personal information and confidential datasets. DeCC is crucial in securing these processes by encrypting data during AI model training. Technologies like MPC allow multiple parties to train AI models together without exposing their data, ensuring privacy while leveraging diverse sources for more robust models. We will most likely cover AI applications in a separate blog, but for now, we can cover a few extremely important use-cases. For instance, medical diagnosis can significantly improve with access to a vast number of data sets. However, these data sets often include sensitive patient data, limiting means to potentially life-saving information. This is where DeCC can be implemented. For example, in Alzheimer’s disease diagnosis, researchers can use privacy-preserving machine learning with neuroimaging data. Secure MPC enables collaborative model development without compromising patient privacy, allowing data from different healthcare providers to be used effectively and securely. Similarly, AI is also used to enhance cancer detection by providing doctors with clearer, more accurate diagnostic tools. Advanced imaging techniques and machine learning models analyze medical images to identify early signs of cancer, often with greater precision than traditional methods. AI algorithms can compare new patient scans with thousands of previous cases to detect subtle patterns indicative of cancer. MPC frameworks can handle numerous inputs from different data sources that contain sensitive patient data, ensuring it remains confidential while enabling the development of these powerful AI models, facilitating early detection and treatment, and potentially saving millions of lives.

DePIN

DePIN integrates physical infrastructure with decentralized technologies, often dealing with sensitive operational data where security and privacy are paramount. Managing critical data in applications such as smart grids or decentralized transportation systems necessitates stringent security measures. DeCC ensures that this data is processed securely, preventing unauthorized access and tampering. This is essential for maintaining the integrity and efficiency of these systems, as it allows for privacy-preserving computation while enabling decentralized applications to operate without compromising on data confidentiality. By leveraging DeCC, DePIN networks can provide robust and secure solutions, fostering innovation and trust in decentralized infrastructures.

DeFi

DeFi platforms enable financial transactions and services without traditional intermediaries, but blockchain technology's transparency can sometimes expose sensitive financial data. DeCC provides secure and private financial services, going beyond just protecting transaction details. A crucial area is encrypted Automated Market Makers (AMMs). While AMMs facilitate decentralized trading without the need for order books, they can still expose user trades and positions. By encrypting the details of trades and liquidity positions, DeFi platforms can protect user privacy and maintain trading integrity, preventing exploitative practices. Similarly, encrypted lending protocols can significantly enhance privacy on DeFi lending platforms. These platforms allow users to borrow and lend assets without intermediaries, but they often reveal details like collateral amounts and borrowing rates. Overall, encryption ensures that these details remain private, safeguarding users' financial strategies and sensitive information and creating a more secure and private lending experience. Until now, DeFi’s potential has been limited by the transparent nature of blockchains and risks around data security. With DeCC, DeFi can finally become a viable alternative to traditional financial systems, opening the door for institutions, enterprises, and even governments to utilize decentralized systems.

Gaming

DeCC is a game-changer for the gaming industry, ensuring that sensitive information stays secure and private. Imagine playing Battleship or Poker without worrying about your opponent knowing your ship locations or your cards. DeCC makes this possible by keeping everything confidential and preventing cheating. In the world of online multiplayer games, like MMORPGs, DeCC protects your character's information, inventory, and strategies, ensuring a fair game for everyone. Even in the latest VR and AR games, DeCC safeguards real-time data from players' movements and environments, protecting their privacy. By using advanced cryptographic techniques, DeCC creates a more secure and private gaming experience, boosting player trust and allowing for innovative game designs that prioritize fairness and security.

The Future of Data Security

DeCC represents a significant advancement in data security, eliminating the issues that face TradCC and offering much more robust security solutions. Arcium stands at the forefront of this revolution, offering a robust and secure framework for the future of data privacy and security. By integrating DeCC into decentralized systems, Arcium is poised to drive broader adoption of decentralized technologies and empower a new wave of secure, innovative applications. The DeCC Alliance, which includes Arcium and other notable projects including Acurast, Aleo, Automata, Fairblock, Fhenix, iExec, Inco, Integritee, Intmax, Marlin, Mind Network, Oasis, Partisia, Phala, Secret Network, Swisstronik, TEN, Ternoa, and Zama, is dedicated to educating the public about DeCC. This coalition aims to establish DeCC as a fundamental category within Web3 technology, highlighting its capabilities and promoting awareness. In a world where we constantly share personal details online, confidential computing and networks like Arcium offer a beacon of hope, ensuring our most sensitive data remains protected.

If you are interested in learning more about how Arcium enables DeCC, read our docs and stay updated by following us on X.

References: