Time to Rethink: Trust Brokerage Using Trusted Execution Environments

  • Patrick Koeberl
  • Vinay Phegade
  • Anand Rajan
  • Thomas Schneider
  • Steffen Schulz (corresponding author)
  • Maria Zhdanova
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9229)


Mining and analysis of digital data has the potential to provide improved quality of life and offer even life-saving insights. However, loss of privacy or secret information would be detrimental to these goals and inhibit widespread application. Traditional data protection measures tend to result in the formation of data silos, severely limiting the scope and yield of “Big Data”. Technology such as privacy-preserving multi-party computation (MPC) and data de-identification can break these silos, enabling privacy-preserving computation. However, currently available de-identification schemes tend to suffer from privacy/utility trade-offs, and MPC has found deployment only in niche applications.

As the assurance and availability of hardware-based Trusted Execution Environments (TEEs) are increasing, we propose an alternative direction: using TEEs as “neutral” environments for efficient yet secure multi-party computation. To this end, we survey the current state of the art, propose a generic initial solution architecture and identify remaining challenges.


Keywords: Data Utility, Data Owner, Differential Privacy, Private Information Retrieval, Statistical Disclosure Control



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Patrick Koeberl (1)
  • Vinay Phegade (2)
  • Anand Rajan (2)
  • Thomas Schneider (3)
  • Steffen Schulz (1, corresponding author)
  • Maria Zhdanova (4)

  1. Intel Labs, Darmstadt, Germany
  2. Intel Labs, Portland, USA
  3. TU Darmstadt, Darmstadt, Germany
  4. Fraunhofer SIT, Darmstadt, Germany
