Bringing TEE Attestations On Chain
Blocky's Chain Integrations are currently under development. We are excited to share a demo of a working prototype that demonstrates how to bring attestations onto Base Mainnet.
The following diagram shows the interactions for a User who obtains an attestation from the Blocky Attestation Service and wants to process the attested data in their smart contract.
- A User requests an Enclave Attestation (EA) from the Blocky Attestation Service running in a TEE.
- The Blocky Attestation Service returns an EA, which among other things, attests to the enclave application public key, `enclAppPubKey`, corresponding to an enclave application private key generated in a TEE enclave.
- The User uses `bky-as` to verify the EA to extract the attested `enclAppPubkey`.
- The User calls the `setTASigningKey` function in the User Contract to set the `enclAppPubkey` in contract memory.
- The User requests a Transitive Attestation (TA) from the Blocky Attestation Service, for example containing the results of the `bky-as attest-api-call` command.
- The Blocky Attestation Service returns a TA signed with the enclave application's private key.
- The User calls the `processAttestedAPICallClaims` function in the User Contract to process the TA and its attested data.
- The User Contract invokes the Blocky Contract to verify that the TA was signed with the enclave application's private key. The `verify` function uses `ecrecover` and matches the recovered public key against `enclAppPubkey`.
- The Blocky Contract returns the `claims` attested by the TA.
- The User Contract processes the `claims` data.
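The on-chain half of the steps above, as an added sketch that is not Blocky's or the demo's contract code: pin the attested key, then accept a TA only if `ecrecover` matches it. Only the three function names come from the page; the contract name, the 64-byte `X || Y` key encoding, the `data`/`sig` parameters, `keccak256(data)` as the signed digest, and folding `verify` into the same contract are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Blocky's contract. Assumed encodings: the key is the
// 64-byte uncompressed secp256k1 point (X || Y); a TA is `data` plus a 65-byte
// signature (r || s || v) over keccak256(data).
contract UserContractSketch {
    address public immutable owner;
    address public taSigner;        // address form of the attested enclave key
    bytes32 public lastClaimsHash;  // digest of the most recently accepted TA data

    // Half of the secp256k1 group order, used for the low-s check.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    event ClaimsAccepted(bytes32 indexed taHash);

    constructor() {
        owner = msg.sender;
    }

    // Only the owner, who verified the EA off-chain, may pin the key;
    // without this check any caller could swap in a key they control.
    function setTASigningKey(bytes calldata enclAppPubKey) external {
        require(msg.sender == owner, "not owner");
        require(enclAppPubKey.length == 64, "expected X||Y");
        // ecrecover yields an address, not a public key, so store the
        // low 20 bytes of keccak256(pubkey) for the later comparison.
        taSigner = address(uint160(uint256(keccak256(enclAppPubKey))));
    }

    function verify(bytes calldata data, bytes calldata sig) public view returns (bool) {
        // ecrecover returns address(0) on failure, so an unset key must never match.
        if (taSigner == address(0) || sig.length != 65) return false;
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        // Reject malleable (high-s) signatures and unexpected recovery ids.
        if (uint256(s) > HALF_N || (v != 27 && v != 28)) return false;
        return ecrecover(keccak256(data), v, r, s) == taSigner;
    }

    function processAttestedAPICallClaims(bytes calldata data, bytes calldata sig) external {
        require(verify(data, sig), "TA not signed by pinned enclave key");
        // The claims format is not given on the page, so the attested bytes
        // are only recorded here rather than decoded.
        lastClaimsHash = keccak256(data);
        emit ClaimsAccepted(lastClaimsHash);
    }
}
```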
Check out the video below to see the whole process!
You can also find the TA on the Base Mainnet at the following address: 0xA026aB454E1e2605337bEfc43B2062D560933BDD