Introduction
Fully Homomorphic Encryption (FHE) and Multi-Party Computation (MPC) are foundational technologies for privacy-preserving computation, enabling operations on encrypted data without decryption. However, their adoption in real-world systems, particularly blockchain and decentralized networks, faces challenges such as computational overhead, key management risks, and trust assumptions. This chapter explores how Phala Network’s TEE can act as a 2FA mechanism to enhance the security and practicality of FHE/MPC workflows. Check out earlier thoughts on SGX as 2FA for FHE/MPC and Drawbacks in FHE Blockchain and how TEE can help.
Challenges in FHE/MPC Systems
Key Management Risks
- Secure key generation, storage, and usage are critical vulnerabilities
- Key compromise threatens data confidentiality and computation integrity
- Software-based solutions remain susceptible to memory attacks and insider threats
- FHE introduces significant computational overhead, impractical for time-sensitive applications
- MPC reduces individual computation but increases network communication and coordination costs
- Both technologies face scalability challenges in high-throughput environments
- Systems rely on honest-majority assumptions that weaken with participant count
- Collusion attacks become feasible when economic incentives align for malicious actors
- Lack of accountability mechanisms when malicious behavior occurs
- Threshold schemes vulnerable to withholding attacks that prevent result finalization
TEE as a 2FA Mechanism: Architectural Overview
TEEs provide hardware-enforced isolation for sensitive operations, so the benefits of that isolation can be combined with cryptographic protocols. When integrated with FHE/MPC, TEEs act as a secondary trust layer, ensuring:
- Secure Key Generation/Storage: Cryptographic keys are generated and stored within the TEE, isolated from the host OS or untrusted applications.
- Computation Integrity: Critical operations (e.g., decryption of FHE results or MPC coordination) are verified within the TEE.
- Attestation: Remote parties can cryptographically verify that computations were executed in a genuine TEE.
Workflow Example
- MPC nodes build a docker image and deploy it to Phala Cloud, see the tutorial.
- A master key is generated inside a TEE and never exposed externally.
- The MPC node signs a public verification key, which is shared with the network.
- The MPC node generates an attestation proof that proves the key generation and storage are done in a genuine TEE.
- Users encrypt data using FHE and send it to the FHE server.
- The FHE server finishes the computation and encrypts the result with the MPC key.
- The MPC nodes in the TEE decrypt intermediate results and return the result to users.
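The verifier side of the key-generation, signing and attestation steps above, as an added example that is not Phala's or this page's own code: a remote party accepts a node's verification key only if the quote is authentic, the code measurement matches the expected image, and the quote binds that exact key; only accepted nodes count toward the MPC threshold. The `Quote` layout, the function names and all values are assumptions constructed for illustration, and an HMAC under a constructed key stands in for the hardware vendor's quote signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins: a real verifier checks the quote's signature against
# the hardware vendor's certificate chain, not a shared HMAC key.
VENDOR_ROOT_KEY = b"constructed-hardware-root-key"
EXPECTED_MEASUREMENT = hashlib.sha256(b"constructed-mpc-node-image").hexdigest()

@dataclass(frozen=True)
class Quote:
    measurement: str  # hash of the code running inside the TEE
    report_data: str  # SHA-256 of the node's public verification key
    signature: str    # stand-in for the hardware signature over both fields

def _sign(measurement: str, report_data: str) -> str:
    msg = f"{measurement}|{report_data}".encode()
    return hmac.new(VENDOR_ROOT_KEY, msg, hashlib.sha256).hexdigest()

def issue_quote(measurement: str, verification_key: bytes) -> Quote:
    """Simulates the TEE producing a quote that binds the key to the code."""
    report_data = hashlib.sha256(verification_key).hexdigest()
    return Quote(measurement, report_data, _sign(measurement, report_data))

def verify_node(quote: Quote, verification_key: bytes) -> str:
    """Verifier-side checks before trusting a node's verification key."""
    expected_sig = _sign(quote.measurement, quote.report_data)
    if not hmac.compare_digest(quote.signature, expected_sig):
        return "reject: quote signature invalid"
    if not hmac.compare_digest(quote.measurement, EXPECTED_MEASUREMENT):
        return "reject: unexpected code measurement"
    key_hash = hashlib.sha256(verification_key).hexdigest()
    if not hmac.compare_digest(quote.report_data, key_hash):
        return "reject: verification key not bound to quote"
    return "accept"

def attested_quorum(nodes: dict, threshold: int):
    """Second factor: only attested nodes count toward the MPC threshold."""
    accepted = sorted(n for n, (q, k) in nodes.items()
                      if verify_node(q, k) == "accept")
    return accepted, len(accepted) >= threshold
```

`attested_quorum` takes a mapping of node id to `(quote, verification_key)` and returns the accepted ids together with whether they still reach the threshold.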
Case Studies
- 🔐 Fairblock: Building Unruggable AI with an MPC-TEE Hybrid Architecture (Fairblock GitHub)
- 🗳️ Mind Network: Leverage TEE and FHE Build Blind Voting (Mind Network Case Study)