TEE-Based Security & Confidential Computing
Version: 0.1.0
Date: March 2026
Status: Technical Specification
Abstract
Tenzro Network integrates Trusted Execution Environments (TEEs) as a foundational component of its security architecture, not a peripheral add-on. TEE integration influences validator selection, consensus weight, proof generation, and execution confidentiality across the entire protocol stack.
This paper presents a comprehensive analysis of TEE-based security in Tenzro, covering four supported platforms: Intel TDX (Trust Domain Extensions), AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging), AWS Nitro Enclaves, and NVIDIA GPU Confidential Computing. We describe the attestation verification pipeline, key management without seed phrases, private AI inference, hybrid ZK-in-TEE execution, and TEE-weighted consensus mechanisms.
TEE-attested validators receive 2x weight in HotStuff-2 leader selection, creating economic incentives for hardware-backed validation. TEE enclaves enable confidential AI inference where model weights and user inputs remain encrypted in memory, preventing unauthorized access even by cloud providers. The hybrid ZK-in-TEE architecture combines zero-knowledge proofs with hardware attestation for defense-in-depth verifiability.
1. Introduction
1.1 Motivation
Decentralized AI infrastructure faces three critical trust problems:
- Model Confidentiality — AI providers need to protect proprietary model weights while serving inference to untrusted clients
- Input Privacy — Users require guarantees that their queries (which may contain sensitive data) are not logged, exfiltrated, or used for training
- Execution Integrity — Verifiers need cryptographic proof that computations (inference, settlements, key operations) executed correctly without tampering
Traditional cloud computing relies on trust in the cloud provider. Zero-knowledge proofs provide cryptographic verifiability but cannot protect runtime confidentiality. TEEs bridge this gap by providing hardware-enforced isolation with cryptographic attestation.
1.2 TEE as First-Class Infrastructure
In Tenzro's architecture, TEEs are not an optional sidecar or external service. TEE integration is first-class infrastructure that affects:
- Consensus — TEE-attested validators receive 2x weight in HotStuff-2 leader selection
- Proof Generation — ZK proofs generated inside TEEs carry dual attestation (cryptographic + hardware)
- Key Management — MPC threshold wallets store key shares in TEE-protected enclaves, enabling auto-provisioned wallets without seed phrases
- AI Inference — Models registered with TEE attestation provide verifiable confidential inference
- Settlement — High-value settlements can require TEE-attested execution for additional assurance
2. Supported TEE Platforms
Tenzro supports four TEE platforms, each implementing a common provider interface for consistent cross-platform functionality.
| Platform | Provider | Technology | Feature |
|---|---|---|---|
| Intel TDX | Intel TDX Provider | Trust Domain Extensions for VM-level isolation with memory encryption | Intel TDX |
| AMD SEV-SNP | AMD SEV-SNP Provider | Secure Encrypted Virtualization with Secure Nested Paging | AMD SEV-SNP |
| AWS Nitro | AWS Nitro Provider | Cloud-based Nitro Enclaves with cryptographic attestation | AWS Nitro |
| NVIDIA GPU | NVIDIA GPU Provider | GPU Confidential Computing for Hopper/Blackwell/Ada Lovelace with NRAS attestation | NVIDIA GPU |
2.1 Common Provider Interface
All TEE implementations conform to a common provider interface, ensuring consistent functionality across platforms:
- Attestation Generation — Create hardware-signed attestation reports
- Type Identification — Query the specific TEE vendor and platform
- Availability Checking — Determine if TEE hardware is present and accessible
- Metadata Access — Retrieve platform-specific capabilities and configuration
This abstraction enables application-layer code to work generically across all TEE platforms while platform-specific features are handled transparently.
3. NVIDIA GPU Confidential Computing
NVIDIA GPU Confidential Computing represents a critical advancement for AI workloads, enabling confidential inference directly on GPU hardware with memory encryption and cryptographic attestation.
3.1 Supported GPU Architectures
The NvidiaGpuProvider supports three GPU architecture families:
| Architecture | GPU Models | Key Features |
|---|---|---|
| Hopper | H100, H200 | Up to 80GB HBM3, FP8 precision, Transformer Engine |
| Blackwell | B100, B200 | Next-gen architecture with enhanced AI performance |
| Ada Lovelace | L40S | 48GB GDDR6, multi-workload optimization |
3.2 NRAS Attestation
NVIDIA Remote Attestation Service (NRAS) provides cryptographic proof that GPU computations executed on genuine NVIDIA hardware with Confidential Computing enabled. NRAS attestation reports include:
- GPU Architecture — Hopper, Blackwell, or Ada Lovelace
- VRAM Capacity — Total GPU memory available
- Compute Capability — CUDA compute capability version
- Driver Version — NVIDIA driver version string
- Certificate Chain — NVIDIA root CA to GPU certificate
- Timestamp — Report generation time
NRAS Report Max Age: 24 hours
Attestation reports older than 24 hours are rejected during verification to ensure freshness and prevent replay attacks.
3.3 GPU Capabilities
GPU metadata includes:
- Architecture — GPU architecture family (Hopper, Blackwell, Ada Lovelace)
- VRAM Capacity — Total GPU memory in gigabytes
- Compute Capability — CUDA compute capability version
- Driver Version — NVIDIA driver version string
3.4 Confidential Inference on GPU
With GPU Confidential Computing, AI model weights and user inputs are encrypted in GPU memory. Only the TEE enclave (running on the GPU) can access plaintext data. The host system, cloud provider, and other VMs cannot read encrypted GPU memory.
This enables privacy-preserving AI inference where:
- Model providers can serve proprietary models without exposing weights
- Users can submit sensitive queries without fear of logging or exfiltration
- Verifiers can cryptographically verify that inference ran on genuine NVIDIA GPU hardware via NRAS attestation
4. Automatic TEE Detection
Tenzro nodes automatically detect available TEE hardware at startup. Detection probes platforms in priority order:
- Intel TDX — Check for TDX module presence
- AMD SEV-SNP — Query SEV status
- AWS Nitro — Detect Nitro Enclave availability
- NVIDIA GPU — Check for GPU Confidential Computing support
The first available TEE is selected. If no TEE hardware is detected, nodes operate in standard mode without hardware attestation capabilities.
4.1 Explicit TEE Selection
For deployments requiring a specific TEE vendor, the protocol supports explicit vendor selection. If the requested vendor is unavailable, an error is returned rather than falling back to another platform.
5. Attestation Report Structure
TEE attestation reports provide cryptographic proof that code is running in a genuine TEE with expected measurements. The report structure is vendor-agnostic and includes:
- Vendor — TEE platform (IntelTdx | AmdSevSnp | AwsNitro | NvidiaGpu)
- Quote — Hardware-signed attestation quote
- Measurement — Code measurement hash
- Signature — Vendor signature over quote
- Vendor Data — Platform-specific extensions
- Timestamp — Report generation time
5.1 Field Semantics
| Field | Description |
|---|---|
| vendor | TEE platform (Intel, AMD, AWS, NVIDIA) |
| quote | Platform-specific attestation quote signed by hardware root of trust |
| measurement | Hash of code/data loaded into TEE |
| signature | Vendor signature binding quote to hardware identity |
| vendor_data | Platform-specific extensions (e.g., GPU capabilities, runtime configuration) |
| timestamp | Report generation timestamp for freshness validation |
6. Attestation Verification
Attestation verification validates TEE attestation reports through a multi-step process:
- Quote Structure Validation — Verify quote matches vendor-specific format
- Measurement Verification — Check that measurement field corresponds to expected code hash or trusted enclave digest
- Signature Chain Verification — Validate that signature chains to vendor root of trust (Intel attestation CA, AMD ASK/ARK, AWS Nitro root, NVIDIA CA)
- Timestamp Freshness — Ensure timestamp is within acceptable window to prevent replay attacks
6.1 Verification Result
Verification results include:
- Validity Status — Overall verification result
- Vendor — TEE platform
- Hardware Verified — Quote signature valid
- Measurements Valid — Measurement matches expected
- Certificate Chain Valid — Chains to vendor root CA
- Error Message — Details if verification failed
7. TEE Registry
The TEE registry maintains a network-wide directory of TEE-attested entities. Providers register their TEE capabilities and periodically submit fresh attestation reports to remain in good standing.
7.1 TEE Capacity Information
Each registered provider exposes capacity information:
- Maximum Concurrent Jobs — Maximum parallel TEE workloads
- Active Jobs — Currently running jobs
- Total CPU Cores — Total CPU cores in TEE
- Available CPU Cores — Available CPU cores
- Supported Vendors — TEE types supported
7.2 Provider Registration
TEE providers register with the network by submitting their provider ID, TEE type, attestation report, and capacity information. Providers must periodically refresh their attestations (recommended: every 6 hours) to maintain active status.
7.3 Querying Providers
The registry supports multiple query patterns:
- By TEE Type — Filter providers by specific TEE vendor (Intel TDX, AMD SEV-SNP, etc.)
- By Capacity — Find providers with sufficient available resources
- Attestation Verification — Check if a provider's attestation is current and valid
8. TEE-Weighted Consensus
Tenzro's HotStuff-2 BFT consensus gives TEE-attested validators 2x weight in leader selection. This creates economic incentives for validators to run on genuine TEE hardware while improving network security.
8.1 Leader Selection Weight
Leader selection uses weighted random sampling where:
- Standard validator — Weight = stake amount
- TEE-attested validator — Weight = stake amount × 2
A validator with 1,000,000 TNZO staked running in Intel TDX has the same leader selection probability as a standard validator with 2,000,000 TNZO staked.
8.2 Attestation Verification at Epoch Boundaries
TEE attestation is verified when validators join the active set and revalidated at epoch boundaries (approximately every 24 hours). Stale or invalid attestations result in:
- Loss of 2x weight — Validator reverts to standard weight = stake amount
- No slashing — Attestation expiration is not a slashable offense (distinguishes from malicious behavior)
- Re-attestation allowed — Validator can submit fresh attestation to regain 2x weight
8.3 Economic Incentive Analysis
Consider two validators with equal 1M TNZO stake:
| Validator | TEE | Weight | Expected Annual Blocks |
|---|---|---|---|
| Alice | None | 1,000,000 | ~876 blocks/year |
| Bob | Intel TDX | 2,000,000 | ~1,752 blocks/year |
Bob's 2x weight results in double the expected block proposals and thus double the gas fee rewards.
9. Confidential AI Inference
TEE-based confidential inference protects both model weights and user inputs throughout the inference pipeline.
9.1 Inference Flow
- User submits inference request with
require_tee: true - Inference router selects TEE-capable provider from registry (filters by
has_valid_attestation) - Model and input loaded inside TEE enclave — plaintext never visible to host OS or cloud provider
- Inference executes in isolated memory — GPU memory encrypted for NVIDIA GPU TEE, CPU memory encrypted for TDX/SEV-SNP/Nitro
- Provider generates attestation binding result to model hash, input hash, and hardware identity
- Result and attestation returned to user
- Anyone can verify attestation against vendor root certificate to confirm inference ran on genuine TEE hardware
9.2 Example: Confidential LLM Inference
For confidential LLM inference, users submit requests with TEE enforcement enabled. The inference router selects a TEE-capable provider, executes the model in the isolated environment, and returns both the result and a TEE attestation. The attestation can be independently verified to confirm the inference ran on genuine TEE hardware with the claimed model.
9.3 Threat Model
Confidential inference assumes:
- TEE hardware is honest — Intel/AMD/AWS/NVIDIA hardware correctly implements isolation and attestation
- Host OS is untrusted — Cloud provider, hypervisor, and other VMs cannot access TEE memory
- Network is untrusted — Inference requests/responses encrypted in transit (TLS 1.3)
- Side-channels exist but are mitigated — Constant-time algorithms, cache partitioning, speculative execution defenses
If TEE hardware is compromised (e.g., microarchitectural attack), the attestation signature remains valid but isolation is broken. Hybrid ZK-in-TEE provides additional defense-in-depth.
10. Hybrid ZK-in-TEE
Hybrid ZK-in-TEE combines zero-knowledge proofs with TEE attestation to provide defense-in-depth: if one trust assumption fails, the other provides fallback verification.
10.1 Architecture
In hybrid mode, the TEE enclave generates both:
- ZK proof — Cryptographic proof that computation executed correctly (Groth16 SNARK on BN254 curve)
- TEE attestation — Hardware-signed attestation binding proof to TEE enclave
Verifiers check both proofs. The computation is trusted if either:
- ZK proof valid AND TEE attestation valid (highest assurance)
- ZK proof valid (TEE compromised but computation verifiable via ZK)
- TEE attestation valid (ZK trusted setup compromised but TEE isolation protects execution)
10.2 Use Case: Verifiable Confidential Inference
For maximum assurance, providers can generate ZK proofs of inference correctness inside TEE enclaves. The TEE attestation proves the ZK proof was generated correctly, while the ZK proof proves the computation was correct. Verifiers check both proofs and accept the result if either verification passes, providing resilience against attacks on either trust layer.
10.3 Defense-in-Depth Rationale
Different attack vectors compromise different trust assumptions:
| Attack | ZK Compromised? | TEE Compromised? | Hybrid Defense |
|---|---|---|---|
| Trusted setup backdoor | Yes | No | TEE attestation still valid |
| Microarchitectural side-channel | No | Yes | ZK proof still valid |
| Circuit implementation bug | Yes | No | TEE attestation still valid |
| Malicious prover code | No | No | Both detect |
For critical applications (high-value settlements, sensitive inference), hybrid ZK-in-TEE provides maximum assurance by layering cryptographic and hardware-based verification.
11. TEE Precompile
The VM runtime exposes TEE functionality to smart contracts via a precompiled contract at address 0x0000...0004.
11.1 Precompile Methods
| Method | Input | Output |
|---|---|---|
verify_attestation | Serialized AttestationReport | bool (valid/invalid) |
request_enclave_execution | Job spec (code hash, input data) | Job ID |
query_provider_status | Provider address | TeeCapacity struct |
11.2 Example: On-Chain Attestation Verification
Smart contracts can verify TEE attestations on-chain using the TEE precompile. The precompile accepts a serialized attestation report and returns a boolean indicating validity. This enables on-chain applications to enforce TEE requirements programmatically.
12. Security Considerations
12.1 Threat Model
Tenzro's TEE integration assumes:
- TEE hardware is honest — Intel, AMD, AWS, and NVIDIA correctly implement isolation and attestation specifications
- Side-channel attacks are possible — Speculative execution, cache timing, power analysis may leak information
- Vendor root keys are secure — Intel/AMD/AWS/NVIDIA attestation root CA private keys are not compromised
- Network is adversarial — All network traffic assumed monitored; TLS 1.3 mandatory
12.2 Mitigations
| Attack Vector | Mitigation |
|---|---|
| Stale attestation replay | Freshness window (24h for NVIDIA, 6h recommended for others) |
| Side-channel leakage | Hybrid ZK-in-TEE provides fallback if TEE isolation breached |
| Compromised vendor root CA | Multi-vendor support (no single point of failure) |
| Network MitM | TLS 1.3 with mutual authentication for all TEE communication |
12.3 Attestation Freshness Windows
Different TEE platforms have different attestation validity periods:
| Platform | Max Age (Hard Limit) | Recommended Refresh |
|---|---|---|
| NVIDIA GPU (NRAS) | 24 hours | 6 hours |
| Intel TDX | No enforced limit | 6 hours |
| AMD SEV-SNP | No enforced limit | 6 hours |
| AWS Nitro | No enforced limit | 6 hours |
Attestation reports older than the maximum age are automatically rejected during verification to prevent replay attacks.
13. Related Work
For additional technical details on related components:
- Tenzro Ledger: L1 Settlement Layer — HotStuff-2 consensus with TEE-weighted validators
- Zero-Knowledge Proofs & GPU-Accelerated Proving — Hybrid ZK-in-TEE architecture
- Tenzro Network: Decentralized AI Infrastructure — Confidential inference with TEE attestation
- TDIP: Tenzro Decentralized Identity Protocol — MPC key management in TEE enclaves
14. Conclusion
Trusted Execution Environments are foundational to Tenzro's security architecture, providing hardware-enforced confidentiality and cryptographic attestation across the protocol stack. Support for four TEE platforms (Intel TDX, AMD SEV-SNP, AWS Nitro, NVIDIA GPU) ensures vendor diversity and prevents single points of failure.
TEE-weighted consensus creates economic incentives for validators to run on genuine hardware while improving network security. Confidential AI inference protects model weights and user inputs with memory encryption. Hybrid ZK-in-TEE provides defense-in-depth by layering cryptographic and hardware-based verification.
As TEE technology matures and new platforms emerge, Tenzro's abstraction layer enables seamless integration of additional providers while maintaining consistent application-layer interfaces.