From The Blog

October 27, 2020

A Simple Explanation of Confidential Computing: Part One

Reimagining the padlock in your browser

You’re probably reading this article in a web browser. And there’s probably a little padlock on the address bar somewhere. This is how you know you’re “secure”.

We’ve all been trained to “check for the padlock”. But how many of us ever think about what it means and what protections it provides?

But have you ever stopped to ask yourself what that actually means? Secure in what way? What does that padlock actually represent? What protection is it giving you? What bad things could happen to you if the padlock wasn’t there?
And in any case, isn’t there a padlock when you browse to sites like Facebook? And yet aren’t they appearing in the news every day accused of “selling” or “misusing” your data? How can they do this if they have the padlock and the padlock means it’s “secure”?

The answer, of course, is that the padlock is there simply to ensure you really are logged in to Facebook and not some other site. And it ensures that nobody can intercept your private information as it flows back and forth between your computer and Facebook’s data centres.

That’s important, of course. But notice what that padlock doesn’t do. That padlock doesn’t tell you anything about what Facebook will do with your data. You just know you’re sharing your data with them and not somebody else.

The padlock in your browser keeps your data safe as it travels to and from your favourite social media service. But the social media site can still do whatever they want with it once that information arrives.

But imagine if the world worked differently. Imagine if there was a different type of web browser. One where the padlock wasn’t only there to confirm who you were sharing your private information with but one where the padlock helped you control exactly what they could do with your data. Isn’t that actually what the world needs?

And it’s not just users of social media who have this problem. Large firms do too. Traders want to buy and sell stocks for the best prices in the most liquid venues. But they don’t want the operators of those venues using their orders to trade against them.

Imagine if there was a way to put a “padlock” on your information so that it could only be used in ways you had agreed to. It would be as if services that worked this way were somehow “tamperproof”.

It’s as if they want a “padlock” around their orders that means the data can only be used for matching purposes and not to give the market operator an unfair advantage. We need a way to make that stock exchange somehow “tamperproof”, where not even the operator of the market can gain an unfair advantage.

It turns out that pretty much any time multiple firms need to transact with each other they have this dilemma: they need to share some information in order to do business but they’re paranoid about what their counterparts might do with this information.

But what if we could do better? What if there was a way to send data to somebody and be able to control exactly what they could or couldn’t do with it?

It turns out that such a thing is possible. And it’s made possible by a concept called Confidential Computing. The key idea is this:

Confidential Computing makes it possible to run programs on somebody else’s computer but where the owner of that computer can neither influence nor observe what’s happening.

And it’s this concept we need in order to imagine padlocks on browsers that tell you what will happen to your data, not only who you’re sharing it with. It also makes it possible to keep mobile phones secure and even run sensitive workloads in the cloud.

And it will also enable us to build provably fair markets, enable secure multi-party fraud analytics solutions, and change the economics of market data services, and more.

But hang on… scroll back to that definition I just gave. I said Confidential Computing lets us build computers whose owners no longer fully control them, right? Who would want that?!

It’s bad enough when today’s computers let you do what you want. Why would anybody pay good money for one that is DESIGNED to ignore their wishes?! It turns out that if you can PROVE you own such a computer some really powerful opportunities open up.

“Making it impossible to fully control your own computer” might sound weird to some readers, especially anybody who feels like that’s how their present computer works! If you’ve ever forgotten the password to your laptop or been unable to open a protected Excel spreadsheet, it might feel like today’s computers do a pretty fine job of acting like they have more power over you rather than the other way round.

But the reality is that somebody in control of a computer can do what they want. They can change what the programs do and they can inspect all the information they’re processing. And this is why when you send data to a website or other service, you’re totally reliant on the honesty of the firm with whom you’re interacting. There is nothing technological that constrains what they can do with your information.

And it is this problem that explains why the padlocks in today’s browsers work the way they do. Once you send your information to Facebook’s computers, there is literally nothing your browser can do to control what happens to it. Facebook operate their own computers and if they want to change what their algorithms do then they’re free to do so and you would never know.

But, with the emerging world of Confidential Computing, we can begin to imagine a world where that padlock is so much more meaningful… a world where it does indeed tell you what will happen to your data, not merely the identity of the megacorp with whom you’re sharing it.

And the fundamental concept upon which all this rests is the idea of running computations on a computer in a way that is protected from the owner of that computer attempting to subvert them or see what they are doing.

In part two of this series, I talk in more detail about how this surprisingly subtle concept is at the heart of your mobile phone’s security and how it might make even the most conservative firms get comfortable with moving to the cloud.

But that’s not the most interesting bit. I also show how Confidential Computing could be about to unleash a wave of new ‘tamperproof applications’ that could indeed transform stock trading, fraud analysis, market data services and more.

R3’s Confidential Computing product, Conclave, is in Beta. Conclave is the highly productive way to build ‘tamperproof’ services: write in Java and develop on any platform.

October 26, 2020

CordaCon 2020 developer highlights — day two

Let’s pick up from where we left off with the previous article on CordaCon 2020 developer highlights — day one. Take your pick of these exciting talks from the second day of our annual flagship event CordaCon 2020.


Beyond Blockchain: How Confidential Computing is the Last Piece of the Market Transformation Jigsaw — R3 CTO Richard Brown

Confidential Computing provides the missing piece of the puzzle:

  • Conclave uses Confidential Computing and Intel SGX to provide assurance to users that data will be processed in a secure and tamper-proof way.
  • Conclave enables service providers to build new privacy-preserving solutions for market-level collaboration.

Conclave: Multi-party Computation Made Easy — R3 Lead Platform Engineer Mike Hearn

Imagine a sealed bid auction in which:
1. User 1 proposes a bid to the enclave (recorded on the ledger).
2. User 2 proposes a bid to the enclave (recorded on the ledger).
3. User 3 (auctioneer) receives the output from the enclave (the winner) and stores it on the ledger.
As a result, User 3 never sees the bids.

Wallets Prototype — Deep Dive — R3 Software Engineer Will Hester


Performance — Now, Then and What’s to Come — R3 Software Engineer Dimos Raptis

Performance-related improvements:

  • Tuning options for Artemis to control flush/ack frequencies.
  • p2p message compression.
  • New sendAll API for sending messages to multiple counterparties.

Thanks for watching the brief developer highlights from day two — stay tuned for more highlights from day three of CordaCon 2020.

Peter Li is a Developer Evangelist at R3, an enterprise blockchain software firm working with a global ecosystem of more than 350 participants across multiple industries from both the private and public sectors to develop on Corda — its open-source blockchain platform, and Corda Enterprise — a commercial version of Corda for enterprise usage.


August 11, 2020

Conclave Beta 3: GraalVM, Mail, more


A new Conclave release finishes off the core feature set you need

Today we’re announcing a new beta release of Conclave, a platform that makes it easy to use secure hardware enclaves with Java. You can use enclaves to:

  • Solve complex multi-party data problems, by running programs on a computer that prevents the hardware owner from seeing the calculations.
  • Protect sensitive data from the cloud.
  • Make your hosted service auditable and trustworthy.
  • Upgrade privacy on distributed ledger platforms like Corda.

Good use cases might include analytics, auctions, order books, or verifying transactions.

In Conclave Beta 3 we have fleshed out the base feature set available in earlier releases by adding Mail, our communications API, and by integrating support for a new JVM: GraalVM Native Image. You can also now build enclaves on macOS, as well as Linux and Windows when using the Avian JVM.

What are enclaves?

Conclave gives an ordinary Java JAR some new security super powers. It can:

  • Protect its memory from the owner of the computer where it runs, as well as the host JVM that loaded it.
  • Prove its identity to third parties over the internet. Loading an enclave gives you a serialisable EnclaveInstanceInfo object that describes its code hash and code signer.
  • Generate encryption keys that are only accessible to that enclave. Clients can then use the EnclaveInstanceInfo to exchange encrypted messages with the enclave, without the host computer or JVM being able to read them.

You can think of a Conclave enclave as a sub-JVM loaded into the same process as your host JVM. Once loaded, both the host and remote clients can exchange data with it.

By encapsulating the core of your business logic in an enclave you can build perfectly auditable services which anyone can trust. How? If you share the enclave code with them under either an open source or, more commonly, a proprietary audit license, then with just one command they can compile a byte-for-byte identical enclave to the one you are using. They can then compare the code hash of that enclave to the code hash in the received EnclaveInstanceInfo to be sure the code they are reading is the code that’s really running. The only party that needs to be trusted is the CPU manufacturer.

You can read more about enclaves, how they work and how best to use them in Conclave’s documentation.

What is mail?

Mails are what Conclave calls the encrypted messages you can send to and from an enclave. How mail moves around is up to you — you could use HTTP, plain TCP sockets, message queues, files, embed them in other protocols or anything else you wish. Conclave handles the cryptography and leaves transport up to you.

Mail is designed to solve a variety of different problems that enclaves face:

  • How to communicate securely with clients, given the host is untrusted.
  • How to avoid needing an external database, as regular databases are not designed to stop administrators accessing the administered data and enclaves themselves have a weak grip on time.
  • How to stop the host dropping or re-ordering messages.
  • How to stop the host snooping by measuring the size of the messages going in and out of the enclave.
  • And other miscellaneous challenges.

The mail API is simple and presents you with an email-like interface. Behind the scenes Conclave can perform ordering checks, message padding, replay on restart and other

You can read more about mail in the documentation.
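A minimal model of the ordering and padding checks listed above, added here as an illustration; it is not Conclave's API or wire format. It assumes a pre-shared key and uses HMAC-SHA256 in place of Conclave's encryption, so it shows integrity, ordering and size hiding but not confidentiality; `seal`, `Receiver`, `BUCKET` and the sample bids are hypothetical.

```python
import hashlib
import hmac
import struct

BUCKET = 256   # assumed padding granularity (hypothetical, not Conclave's value)
TAG_LEN = 32   # HMAC-SHA256 tag length


class MailError(ValueError):
    """Raised when the untrusted host altered, dropped or re-ordered a message."""


def pad(body: bytes) -> bytes:
    # Length-prefix the body, then zero-fill to the next bucket boundary so
    # the host only ever sees bucket-sized messages.
    framed = struct.pack(">I", len(body)) + body
    return framed + b"\x00" * (-len(framed) % BUCKET)


def unpad(padded: bytes) -> bytes:
    (n,) = struct.unpack(">I", padded[:4])
    if n > len(padded) - 4:
        raise MailError("bad length prefix")
    return padded[4:4 + n]


def seal(key: bytes, seq: int, body: bytes) -> bytes:
    # Sender side: the sequence number and padded body share one MAC, so the
    # host cannot renumber a message without invalidating the tag.
    payload = struct.pack(">Q", seq) + pad(body)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class Receiver:
    """Enclave side: accepts only an authentic message with the next number."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0

    def open(self, wire: bytes) -> bytes:
        if len(wire) < 8 + 4 + TAG_LEN:
            raise MailError("truncated")
        payload, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        good = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise MailError("tampered")
        (seq,) = struct.unpack(">Q", payload[:8])
        if seq != self.expected:
            raise MailError(f"out of order: got {seq}, expected {self.expected}")
        self.expected += 1
        return unpad(payload[8:])


def demo():
    key = b"k" * 32                                   # constructed sample key
    bids = [b"bid:100", b"bid:2500000", b"bid:7"]     # constructed sample input
    wire = [seal(key, i, b) for i, b in enumerate(bids)]
    sizes = {len(w) for w in wire}                    # what the host can measure
    flipped = wire[0][:20] + b"\x01" + wire[0][21:]   # host flips a padding byte
    deliveries = {
        "in_order": wire,
        "dropped": [wire[0], wire[2]],
        "reordered": [wire[1], wire[0]],
        "duplicated": [wire[0], wire[0]],
        "tampered": [flipped],
    }
    outcomes = {}
    for name, msgs in deliveries.items():
        rx = Receiver(key)
        try:
            outcomes[name] = [rx.open(m) for m in msgs]
        except MailError as err:
            outcomes[name] = str(err)
    return sizes, outcomes


if __name__ == "__main__":
    print(demo())
```

Every message has the same size on the wire regardless of the bid inside it, and each way the host can interfere with delivery is reported as an error rather than silently accepted.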

Cross-platform development

In beta 3 we’ve added support for truly cross-platform development. Even though enclaves only run on Linux, you can work on an enclave project on Linux, Windows and macOS. Cross-compilation support means you can compile an enclave either for upload to a server, or to reproduce a remote enclave and audit it, on any OS.

Client code can additionally run on any platform that supports Java. Enclaves can be loaded both into the protected environment and also the host JVM, allowing ordinary and convenient step-through debugging, full white-box unit testing and more. If there’s user demand we may also add support for non-JVM hosts and clients.

GraalVM Native Images

An enclave does not trust the host operating system, so it must carry everything it needs into the protected memory space. The GraalVM Native Image tool is ideally suited for this use case, as it produces small, self contained and ahead-of-time compiled native code from Java programs. An embedded JVM called SubstrateVM provides runtime services like garbage collection.

That’s why in beta 3 we’ve added support for using native images. The benefits over the alternative runtime are much better performance, reduced memory usage, and no warmup time. However, it comes at the cost of losing support for dynamic bytecode loading and for compiling enclaves on non-Linux platforms. If you want to use frameworks that do this, you will need to continue using the Avian runtime for now. In the long term we plan to phase out the use of Avian, as SubstrateVM gets better.

Using Native Image with Conclave is easy: you just specify you want it in your Gradle build and the rest is automatic.

Learn how to write an enclave, host and client

Conclave comes with a simple tutorial that takes you through the basics of enclave-oriented development. You write an enclave that simply reverses any strings sent to it, a host that loads the enclave and connects it to a raw TCP socket, and a client that verifies the identity of the enclave and then sends it encrypted strings for reversal.

Along the way you will learn everything you need to build enclave-oriented programs.


Download Conclave Beta and get started

Conclave Beta 3 is available for non-production and evaluation use. Just visit our web site and click “download”.

June 29, 2020

The Curious World of Confidential Computing: Sharing Without Sharing


Collective Intelligence From Concealed Data

How much do you earn?

Are you underpaid or overpaid relative to your colleagues? Ever wanted to find out? How might you do it?

You could just ask your colleagues what they earn. But you probably won’t be thanked.

I guess you could hack into your firm’s HR systems. But some firms discourage that sort of thing. So, you will probably do what everybody else does and enter your details into Glassdoor.

It turns out companies have the same problem when it comes to accessing vital information about their industry that depends on knowledge of other companies’ confidential data. But their equivalent of Glassdoor is either really expensive or simply doesn’t exist.

For example, securities firms know what stocks and bonds they’ve bought and sold, and for what prices, but what does the whole market look like? They really need to know so they can price competitively and ensure best execution for their clients. But, at the same time, their competitors don’t want them to see their confidential data. So, each firm shares their data confidentially with a market data firm, which then sells back a processed, anonymised dataset to everybody in the market.

You can find this problem everywhere you look in fact: insurers who need to share information about fraudulent claims without breaching confidentiality rules… participants in online auctions who don’t want the auctioneer to exploit knowledge of how much they’ll pay… patients who would like to contribute their records to help fight a disease but who would be devastated if information about their disease became public.

Any situation where you have to give up valuable data in order to receive some broader valuable insight back in return is probably an example of this phenomenon.

And these situations share the same problem that makes them really hard to address:

You can’t trust somebody else’s computer.

The sad reality is that if you send data to somebody else’s computer, you only have their word for what they’ll do with it. Yes… the reassuring little green padlock in your browser can give you confidence about who you’re communicating with. But it says nothing about what they’ll do with your data when you upload it.

The result is that you either don’t send the data at all or you have to introduce a neutral third-party firm into your market to provide the aggregation function that none of you trust any of the others to perform.

This, as we’ve seen, is often expensive and there isn’t always an appropriate body to perform this activity.

But what if…

What if you could be sure what somebody else’s computer will do with your data? You and your customers and competitors could benefit from the collective intelligence that arises when multiple sets of data are brought together… whilst simultaneously being assured that your own data is concealed from everybody else, including whoever is hosting the service.

You wouldn’t even need to worry who hosted the service. If this technology worked as it should, you would learn nothing you weren’t supposed to even if you controlled the physical computer performing the calculations. You could call it “collective intelligence from concealed data”.

In effect, imagine a world where the “green padlock” didn’t tell you who was processing your data, but where it told you what they were doing with it.

It turns out that this technology actually exists!

There are various forms: “homomorphic encryption” is one approach and “trusted execution environments” are another. In this article, I’m focused on the latter.

Indeed, if you’re reading this on a PC, your computer probably has this capability hidden inside it without you even knowing. But you’re probably not using it: the technology has been just too difficult for regular developers to exploit.

Well, that’s about to change.

It will soon be possible for regular software developers to build systems that can, in effect, be remotely audited. Systems where owners of extremely valuable data can independently verify what will happen with their data before they submit it. Many firms are working on variants of this vision and it will be game-changing.

This interests me because I’m CTO of the firm behind one of the most successful blockchain platforms used by businesses today. And “taming” this capability will provide a critical building block for our aspiration to transform entire industries.

To see why, we need to look back to work my team and I kicked off almost five years ago. Our work to bring the power of blockchain architectures to business led to a fundamental insight: the world now possesses the tools, technology, insight and motivation to solve problems that afflict whole markets, not just individual firms. It is now possible to build systems that enable all the firms in an industry to collaborate digitally to an extent previously unimaginable outside some special cases.

The cryptographic, consensus and distributed systems techniques embedded inside the original blockchain platforms pointed the way. And firms, such as R3 and IBM, picked up the baton and built systems like Corda, Hyperledger Fabric and others to bring these concepts into the mainstream. We made it possible to build applications that automated the processes of whole markets. We applied the “What You See Is What I See” property of blockchains to eliminate swathes of complexity and inconsistency between firms.

Bringing firms into sync about data they share in common is only one part of the puzzle, however. As we discussed above, sometimes firms in a market need to collaborate but absolutely must not share their data with each other. They need to be sure that “What You See Is Absolutely NOT What I See”!

This is why the industry has been working, for years now, to master and tame the “trusted execution” – some call it “confidential computing” – technology necessary to make the “collective intelligence from concealed data” vision a reality. You need both approaches, transparency and privacy, in your platform to cover all scenarios.

In my firm’s case, the capability we’re working on to do this is called Conclave. We feel privileged to sit alongside our peers and competitors working in the same field as members of the Confidential Computing Consortium, which is helping drive collaboration between all the firms in this field.

It’s immensely exciting to see the pieces fall into place for what could become a wholesale reimagining of how firms do business with each other.

April 15, 2020

Conclave Beta is Here!


Making enclaves easy

We are pleased to announce the first beta release of Conclave, our new platform for building secure hardware enclaves in Java.

In this post we’ll look at what Conclave is, take a brief look at how you can use it and then look at the roadmap towards the first production release.

What is Conclave?

Modern CPUs from Intel and others include support for creating enclaves. Enclaves create a tamper-proofed space for programs to execute, so that they can process data without the owner of the physical hardware being able to inspect or interfere with it.

If you can run computations without anyone having access to them, not even people who can open the computer up and modify it, then you have a powerful tool for solving all sorts of business problems. Anywhere collaboration is needed but trust is expensive can benefit from enclave technology.

Unfortunately, enclaves can be tricky to develop. The technology is complex and it’s typical for enclaves to be written in relatively low level, low productivity languages like C or Rust. As such, virtually no line-of-business applications benefit from this technology today, even though they theoretically could.

Conclave brings secure multi-party computation (or ‘confidential computing’) to the business world with three key advantages:

  1. Easily write business logic in any JVM bytecode compatible language like Java, Kotlin and Scala. The JVM eliminates memory management errors that could otherwise undermine the security of the enclave, without needing complex linear type systems.
  2. Simplified technology, with straightforward tutorials and documentation. Build an enclave using a simple Gradle plugin. The sample app requires just a few lines of code.
  3. Designed with Corda in mind, R3’s distributed ledger platform.

Existing approaches to making enclaves require a great deal of expertise in a brand new technology. Conclave makes it easy for any Java developer to get started in less than an hour.

Conclave is the foundation of the SGX support we’re developing to protect Corda transaction histories. By running smart contract logic inside an enclave it becomes possible to build a private and peer to peer yet also completely consistent database.

Beta 1 and the roadmap

Today we’re announcing the availability of the first release in the Conclave beta program. Over the upcoming beta releases the feature set will be fleshed out, usability enhanced and performance upgraded. Some of the things we’re researching include:

  • A higher level API for encrypted asynchronous messaging. In Beta 1 you must handle message encryption to/from enclaves using the standard Java APIs for it. In future we plan both a standalone API and integration into the Corda flow framework for authenticated, peer-to-peer inter-organizational messaging.
  • Support for the Intel DCAP/FLC features, which give hardware owners direct control over which enclaves are authorized to run on their systems.
  • Support for developing enclaves on Windows and macOS without the need for Docker/Linux VMs.
  • Ability to fully audit the enclave contents via a source sharing license.
  • Support for storing enclave signing keys in HSMs.
  • Upgrades to the embedded JVM running inside the enclave.
  • Even higher level APIs for modeling common business problems, such as a joint computation that occurs once per day with a threshold of participants.
  • Automated mitigation of side channel attacks, including those that involve the design of your own application logic.

How to join the beta program

Conclave Beta is open to all! It only takes three steps:

  1. Visit https://www.r3.com/conclave-beta/ and accept the license agreement to download the SDK. If you find our ideas intriguing you might also want to subscribe to our newsletter.
  2. Join the conclave-discuss mailing list, where you’ll have a direct line to the Conclave development team.
  3. Read the documentation and write an enclave.

– Authored by Mike Hearn, Lead Platform Engineer at R3