安德鲁·米勒的TEEs

我认为现在共识领域正在发生的是这样一种理念：不是所有观点都统一，而是存在一个系统，你可以带入自己的假设前提，同一系统的不同用户群体拥有不同的威胁假设，只要他们基于的假设是合理的，就能安全使用系统；而那些阈值设置过低的人则不然。

What I would characterize is happening now in consensus is the idea of having not all of it's like many viewpoints, but one system, like you bring your own set of assumptions, you have many different groups of users of the same system that have different threat assumptions and whichever ones the assumptions that they base on are justified, they get a secure use of the system and someone whose threshold was set inappropriately low.

可能存在某种设置，使他们遭遇双花攻击或被踢出网络，无法获得活跃性，但其他人都能继续运行。

Maybe there's a setting where they have a double spend or are kicked off the network, fail to get liveness, but everyone else keeps going.

这就是所谓的主观性，或者突然想到的——不是忘记正确术语——比如异构信任假设或灵活BFT之类的叫法。

So this is either subjectivity or suddenly, not forgetting the right phrase, like heterogeneous trust assumptions or flexible BFTs, maybe, know, the name of that.

换句话说，如果你不局限于单一假设前提，或许能找到新的假设集合从而实现转向。

So in other words, if if you don't just have one set of assumptions and, okay, we can maybe find a new set of assumptions and that pivots it.

对。

Yeah.

现在我们可以建立精细的多层次假设，这开启了许多可能性。

Now we can just have, you know, find nuanced multilayer assumptions and that opens up a lot of possibility.

在诸如高性能Aptos、SUI和Mistin这类项目中就能看到：它们拥有高速主路径、合理的次级路径，以及最坏情况应对方案。

I think you see this in like the high performance Aptos and SUI and Mistin kind of things where you've got like a very fast pipeline, path and a reasonable like, secondary path and then some, you know, worst case.

这有点像从同步模式切换到异步模式的机制

And that's kind of like your switch from synchronous to asynchronous

有意思。

Interesting.

运作。

Operation.

我认为这就是我对当前共识发展方向的理解。

And I think that's how I would characterize the direction consensus has opened now.

是的。

Yeah.

我是说，我觉得在那个时代，整个领域都有这种想法，可能有点超前，但像Thunder这样的项目就专注于快速路径和慢速路径的分离，这在大多数数据库设计或非加密领域都很常见，你经常会看到这种设计。

I mean, I feel like from that era, there was this whole there was you know, I think maybe it was a little before its time, but something like Thunder was all about this, like, fast and slow path separation, which, you know, is common in most database design or really any non crypto thing, you've you tend to find that type of thing.

让我觉得奇怪的是，我记得最初阅读共识论文时感到兴奋，总觉得很多论文都有实质性的改进，比如热门论文中显著减少了轮次，或者降低了每轮所需的带宽。

I think the thing that's weird to me is that I remember when I first got excited by reading consensus papers, I always felt like it was there was, like, a a a real improvement that occurred in in a lot of papers, like, you know, in, you know, hot stuff, I I, like, shrunk the number of rounds decidedly, or I, like, shrunk the bandwidth required per round.

在Tendermint中，PBFT的表述非常简洁，在某些方面甚至比原始表述更清晰。

In Tendermint, you know, I have kind of very clean formulation of PBFT that's, like, almost cleaner than the original formulation in some ways.

但后来我读到这些关于异构信任假设的论文时，感觉就是：好吧。

But then I, like, read these papers where with, like, the heterogeneous trust assumptions where it's like, okay.

你想要保持乐观。

You wanna be optimistic.

你只需要20%的诚实节点。

You only need 20% honest.

哦，好吧。

Oh, okay.

不。

No.

我最坏情况下需要50%。

I need, like, worst case, 50%.

随便吧。

Whatever.

我感觉这有点像在泰坦尼克号上挪动甲板椅。

I feel like there's a little bit of moving deck chairs on the Titanic.

就像，反正这件事最终都会失败。

Like, it's like the the thing is gonna crash anyway.

而且，人们已经构建了这些东西。

And, like, people have already built these things.

考虑到测试这些代码库有多困难，他们不会再构建10个相同形式的代码库了。

They're not gonna build 10 more code bases of the same form given how hard it is to test these code bases.

所以我觉得共识研究真的迷失了方向。

So like, I I feel like consensus research has really lost its way.

这是我作为外部观察者的看法

That's like me as an outside observer

它又迷失方向了。

It's lost its way again.

又迷失方向了。

Lost its way again.

是的。

Yes.

那确实如此。

That's that's true.

又迷失方向了。

Lost its way again.

这里的'又'字很关键。

Again is a very key word there.

还是说这是一种新的停滞？

Or is this a new stagnation?

你是这个意思吗？

Is that sort of what you mean?

这种停滞是否类似于比特币区块链这种新范式出现之前你们经历过的？

Is this stagnation similar to what you had experienced before the Bitcoin blockchain kind of new paradigm showed up?

对。

Yeah.

我想这就是我想说的。

I guess that's what I would say.

我是说，对。

I mean, I yeah.

我在这里没有最好的答案。

I don't have the best answers here.

我...我想这就是事物发展的自然规律，当重大变革解决一段时间后，嗯。

I I I guess that that is the natural flow of things once the big changes are solved for a while Mhmm.

直到出现一个全新的范式，稍微改变所有人的方向。

Until there's a whole new paradigm that shifts everyone around a bit.

你会看到更多所谓的——你知道的——带有贬义的渐进式研究论文，它们优化了某些方面，但与其他方面形成权衡，并非完美方案，或者只是些小改进，又或者改善了次要方面，比如让你的非快速路径变得更快。

You get more what you call, you know, pejoratively, you know, incremental research papers that optimize something, but it's in a trade off with others, not a slam dunk or it's small improvements, not a or it's improving the less important thing, like it's making your non fast path faster.

你怎么推销备份场景的性能？

How do you sell the backup case performance?

这太难推销了。

It's too hard to sell.

所以我想说也许是的。

So I would say maybe yeah.

你可能是对的，但即便如此，也只有当某个领域能提出不同方案时——我敢打赌会是共识机制领域。

You could be right, but if so, that's only if any field will come up with something different to do, I would bet on consensus doing so.

在TE或ZK领域，他们以某种更根本的方式改变了异步模型。

Over TE or ZK, where, like, they changed the asynchronous model in some more fundamental way.

是的。

Yeah.

这是个好问题。

That's a good question.

ZK目前是否已经趋于饱和，还是说作为技术和密码学领域仍有发展空间？

Is ZK being saturated at this point yet or still has, you know, just as a technical and cryptography field still further to go?

我不确定是否有好的答案。

I'm not sure I have a good answer.

我最近刚做了一个关于ZK过去六七年发展历程的演讲。

I actually just recently did a talk on the history of ZK in the last six years, seven years.

我逐年梳理了每年发表的研究成果及其意义。

And I was going through like each year and what kind of research was being published and what it meant.

2019到2020年间，如果你看那些极其重要成果的发表频率，会发现非常高。

And 2019, 2020, if you look at the frequency of like incredibly important work being published, it's very, very high.

我认为这是我们领域在证明系统方面见过的最高峰，或者像查找表这样的全新技术被引入，折叠方案也是首次出现。

And I think it's the highest our space ever saw for proving systems or a brand new technique like lookup tables were introduced, folding schemes were introduced for the first time.

你确实能看到这种压缩效应和如此多的兴奋点。

You really see this compression and so much excitement.

有人在2019年底创造了'Snarktember'、'Snarktober'这样的词，但第二年我们又有了更多研究成果。

Somebody coined in late twenty nineteen, like Snarktember, Snarktober, you know, but then the next year we had even more research.

所以我们不得不在第二年再次这样做。

So we had to do it again the next year.

那肯定是Micarah给起的名字。

That's gotta have been Micarah's name for it.

我记得这事。

I remember that.

而且

And

确实是。

It was.

但对我来说最值得注意的是，这是学术界与产业界桥梁的成功故事，因为那些传统上被视为重大技术贡献、被广泛引用并被认为是突破性的成果。

But but what's also so notable to me about this is that to me is the the success story of that academic to industry bridge because that that stands out as, what are traditionally like, those are huge technical contributions that get cited and are regarded as, you know, breakthroughs.

而这些贡献却来自产业界，在一个通常由大学主导这类贡献的领域。

And those came from industry in a field that is primarily those kind of contributions come from the universities.

所以这对我来说是最酷的故事。

So that's like the the coolest story for me there.

是的。

Yeah.

不过话说回来，延续这个故事到今天，现在也有新的研究成果不断涌现。

That said though, just to continue on that story to today, nowadays there are works that are coming out.

我认为即使在2024年，至少有两项工作带来了某种程度的范式转变，只是目前影响还没那么大。

I think there are still, like in 2024, there's like at least two works that have created somewhat of a paradigm shift, but not as much so far.

2023年可能Binious有些类似的感觉，也许Jolt也算，但总共有两项。

In 2023, maybe Binious has like a slightly similar vibe, maybe Jolt, but then there's two.

而2019、2020年那会儿，几乎每个系统都在创新，我查过清单，那两年确实非常疯狂。

Whereas like really in 2019, 2020, every one of the systems that's coming at, I mean, I, I went through the list and it was kind of wild in that two year period.

大约有14项研究确实产生了非常深远的影响并带来了变革。

There's about like 14 works that were really, really influential and changed something.

其中一些研究，你知道的，彻底改变了现状。

And some of them, you know, completely changed it.

我们现在在研究领域没有看到同样的频率，我认为ZK目前更多是在应用案例方面，如何应用这些系统才是真正令人兴奋的地方。

That we're not seeing at the same frequency on the research side where I think ZK is today is it's just on the use case side and like how, like where you apply these systems is where it's very, very exciting.

是的。

Yeah.

不过我想更深入地探讨TE相关的内容。

I wanna dive more into the TE stuff though.

我们之前简单聊过你最初对它的看法或出发点，但后来你开始在这方面产出一些研究成果。

So we talked a little bit about what you had initially felt about it or where, where you were coming from, but you started to produce some work on it.

这篇名为《Delegatee》的论文发表于2018年。

This paper delegatee came out in 2018.

能跟我详细说说这个吗？

Tell me a little bit about that.

你是继续了那项工作，还是只做了这一次？

Did you continue with that work or did you just like do this one off?

你是怎么重新回到这个项目上的？

How did you get back to it?

是的。

Yeah.

当时TEE（可信执行环境）已经存在。

The, so TEEs were around at the time.

对我来说，介于两者之间的是多方计算。

I mean, for me, the the kind of thing in between is multi party computation.

很明显，我们在Hawk项目上遇到了瓶颈。

So it became clear that you reach a wall with what we can do for Hawk.

Hawk只使用了零知识证明和标准的区块链技术。

Hawk just use zero knowledge proofs and then standard blockchain stuff.

但这确实令人不满意，因为拍卖应用中存在一个能看到你所有失败出价的拍卖师。

But it was really unsatisfying because the auction application has this auctioneer who sees all of your failed bids.

你无法获得交易后隐私或失败竞价的隐私保护。

You don't get any post trade privacy or failed bid privacy.

文章末尾有一段提到，你可以用多方计算来实例化这个管理方，但我当时不知道该如何运用。

And there's a paragraph in the end of it that's like, you could instantiate this manager party with multi party computation, but I didn't know how to use that at the time.

所以很明显，尤其是REJUUL，我想当时Donsong也在做一堆与SGX相关的项目。

And so it was clear that REJUUL especially, and I guess Donsong at the time, doing a bunch of SGX related projects.

比如Town Cryer，我记得那段时间是RE实验室的热门项目。

Like Town Cryer was, I think, the hot thing from RE's lab around that time.

那应该是2017或2018年的事。

That must be 2017 or 2018.

其实我也不太确定具体时间。

I'm actually not exactly sure.

我想我之所以记得是因为我记得所有Chain Link支持者都在大力宣传它

I think I I think I remember that because I just remembered all the chain link marines shilling it

持续了好一阵子。

for a while.

是的。

Yeah.

没错。

That's right.

所以我意识到，对我来说，这两种方法是绕过仅靠零知识证明存在局限性的替代方案。

So I was aware that, you know, those to me are two alternatives of ways of getting around the thing that the zero knowledge proofs alone, you know, have this limit.

使用零知识证明时存在见证人，审批者必须知道见证人，即用于生成证明的秘密数据。

So with the zero knowledge proofs, there's a witness, the approver has to know the witness, the secret data to make the proof of it.

它擅长展示你已有数据的事实，这些数据可以存在于UTXO中，通过添加承诺和公钥加密，你可以构建这些很酷的功能——Zcash就是这样运作的，而Hawk拍卖系统中承诺与揭示的部分解决方案也是类似原理。

So it's good at showing facts about data that you already have and that can already in a UTXO and by adding commitments and public key encryption, you can build these cool, you know, Zcash works like this and, you know, the commit and reveal kind of partial solution to an auction with Hawk works like that.

但如果你真想对隐私数据进行计算，其实没有其他选择。

But if you really want to compute on private data, you don't really have alternatives.

要么采用多方计算，将数据秘密共享后在其上进行计算。

So there's either multi party computation where it secret shared data and you compute on that.

这就是我全力押注并持续研究三年左右的解决路径。

And that was the path that I bet hard on and kept working on for, you know, three years or so as the way around that.

我当时还是认为SGX很糟糕，整个TPM和可信硬件的概念对用户有害，也危害自由。

And I kind of, you know, I was still in the SGX sucks and the whole concept of TPMs and trusted hardware is bad and bad for users and bad for freedom.

所以我完全没考虑这条路。

So I really just tuned it out.

但TowneCryer其实是基于SGX的预言机，它能获取敏感数据——比如在你登录网站时监视TLS连接，然后利用远程认证功能生成证明，这很像零知识证明。

But TowneCryer of course is like a SGX based Oracle, so it would have this access to sensitive data like it is watching alongside your TLS connection when you log into some website and it can make then a proof using this remote attestation feature, which is a lot like a ZK proof.

这很像现在用ZK TLS或TLS公证这些技术能实现的功能。

This is a lot like something you could do now with ZK TLS or TLS notary, these kind of things.

但它可以生成，比如说，你银行账户内容的摘要。

But it can make, for example, you know, a summary of what was in your bank account.

它就像一个预言机，甚至可以是能进行一些计算和过滤的预言机。

And it's like an Oracle and it can even be an Oracle that does some computing and filtering on it.

这就是他们的论文，确实非常酷。

So that was their paper and it was really pretty cool.

我们不会尝试用纯多方计算来做类似的事情，因为当我们开始尝试基于多方计算处理隐私数据时，框架太难用了，性能也太慢，所以我们只能研究非常模式化的东西，比如一个简单的自动化做市商——虽然是自动化做市商，但你看不到流动性池的规模。

We wouldn't try to do something like that with pure MPC because when we started trying to do MPC based computing on private data, so difficult to use the frameworks and so performance slow that we would work on very stylized like a simple automated market maker that's like an automated market maker, but you don't see the size of the liquidity pool.

所以这有点像一种暗池交易，分批进行。

So it's kind of a dark pool proceeding in batches.

这是你和Mucora合作的论文。

This was the paper you did with Mucora.

对吧？

Right?

是的。

Yeah.

没错。

That's right.

Rattel，一个作为侧链的MPC，我们花了近三年时间研究。

Rattel, an MPC as a side chain, which we worked on for nearly three years.

那篇论文写得很艰难，部分原因是MPC太难搞了。

That was a tough grind of a paper in part because the MPC was difficult to work with.

我压缩了这部分内容，想多谈谈TE，但最终我得出的结论是，真正让我信服的是这种共谋攻击的概念。

And I compressed this to be able to talk more about, you know, TE's, but I kind of reached the conclusion that, well, really what did it for me is this notion of a collusion attack.

所以我大概能看出，即便我们尝试处理数据集，性能仍然是个问题，数据库需要在MPC内部使用不经意RAM，这将持续带来困难。

So I could kind of see that, okay, performance is an issue even when we try to do data sets, databases will need oblivious RAM inside the MPC, so it's going to continuous be a difficulty.

但从某种程度上说，即使我们解决了所有性能问题，仍然会很不理想，因为我们不得不选择终端节点作为MPC集合。

But in a way, even if we fixed all the performance issues, it would still be so unsatisfying because we have to pick end nodes to be our MPC set.

而合谋风险在于这些数据是秘密共享的。

And the collusion risk is that it's secret shared data.

是的，你可以对秘密共享数据进行计算，并仅重构最终输出供所有人查看。

So yeah, you can do a computation on the secret shared data and only reconstruct final output for everyone to see.

但如果那些节点想这么做，它们完全可以联合起来串通，合并各自的份额并解密所有内容，包括所有中间值和原始输入。

But if those nodes wanted to, they could just work together and collude and just combine their shares and decrypt everything, all the intermediate values, all the original inputs.

你甚至无法让它们证明自己没有这样做，也无法通过询问获得任何令人信服的答案。

And you can even get them to prove to you they haven't done that and you can't, you know, ask them whether they've done that and get anything, you know, confidence inspiring as an answer.

所以我本可以继续攻坚，不断解决性能挑战和可编程性挑战，但那将成为最大的障碍。

So I could grind it out further and keep chipping away at the performance challenges and the programmability challenges, but that would then be the the biggest brick wall.

正是在那时，我开始接受TEs是必要的这个事实。

And that was when I started to accept, you know, that TEs are necessary.

即便MPC能正常运行，你仍然需要TEs。

And even if the MPC works, you'd still want TEs too.

这就是我现在的理解框架。

And that's kind of my modern framing of it.

我可以回顾那些曾被我忽略的事情，比如那份Town论文。

And I could go back to then the things that had passed me aside where that, you know, Town paper.

我参与了Delegatee项目，它很像Town Cryer，但还具备写入权限。

I helped with Delegatee, which is a lot like Town Cryer, but with write access as well.

这样TEE就能代表你向你授权的账户发送消息。

So the TEE can then, you know, send messages to an account you've authorized on your behalf.

这开启了许多有趣的讨论空间，比如将Web2账户变成租赁服务。

And that opens up all of these kind of weird opportunities that I think are fun to talk about, like turning Web two accounts into, you know, rental offerings.

这是你能用它们实现的某种奇特而意外的功能。

It's kind of a strange, surprising thing you can do with those.

后来Akheden论文发表了，我参与了一点工作，最终发展成了Oasis项目。

And then the Akheden paper came out, which I helped with a little bit that turned into Oasis.

那大概是2018年的事。

That was like 2018.

但我当时仍然对TEEs感到愤怒。

But I still was angry about TEEs.

我在那篇论文中唯一的贡献就是区块链中的竞态条件问题，比如上传下载那部分。

Like, my only help on that paper was like race condition in the blockchain, like upload download bit.

那时候我还是很讨厌TEEs。

I still hated the TEEs at that point.

所以，是的，之后我又在MPC上坚持研究了好几年。

So, yeah, I kept at it for a couple of years on MPC then.

不过说到MPC，你是在某个时间点意识到它的局限性太大，还是说这项工作就像在试图创造一个MPC目前（甚至可能永远）都不适合的环境？

So the MPC though, you just at some point realized the limitations were too great or the work would just be grinding like almost trying to create an environment that MPC wasn't necessarily suitable for yet or maybe will ever be.

所以你最终选择了TEE，但你是否仍将其视为一个过渡方案？就像'我们现在先用着'这样。

So you kinda went for TE, but do you still see it as an intermediate solution or intermediary solution where you're like, we're gonna use it for now.

我们之后会替换它，但目前还没有更好的替代方案？

We will replace it, but there's nothing yet that can do better?

还是你认为它将始终是技术栈的一部分？

Or do you think it will always be part of the stack?

这是个绝妙的问题。

That that's a perfect question.

我认为这可能是关于这些技术最重要的问题。

I think that's maybe the the most important question for these.

因为如果只是工作和性能的问题，我可能会选择继续埋头苦干，坚持钻研下去。

Because yeah, if it were just a matter of work and make performance, I would probably prefer to grind it out and keep, you know, chugging away at that.

不。

No.

在一个即使是最前沿的密码学（更不用说全同态加密FHE）包括各种形式的混淆加密和见证加密等技术，甚至超越FHE的未来密码学体系，在密码学家的理想中，即使所有密码学技术都发挥到极致，仍然无法消除对可信硬件的需求——那种能实现状态持久化的硬件。你本质上需要某种不可逆的权利，而没有任何密码学协议能提供这种不可逆权利，它必须来自外部系统。

In a world where cryptography, even the very fancy cryptography, like let alone FHE and but even other things like full on obfuscation of some flavor and witness encryption, that kind of, you know, even beyond FHE future crypto stack, even in the, you know, dreams of cryptographers, if all the cryptography does what it can, it still doesn't get rid of the need for something like trusted hardware that can have statefulness like you need, you fundamentally need some, you know, irreversible right, and there's just no cryptography protocol that gives you an irreversible right that that needs to come from something external.

也许不一定非得是可信硬件，但就我目前所知，这是唯一符合要求的解决方案。

Maybe it doesn't have to be trusted hardware, but that's the only thing in my mind that seems to fit there.

我想...确实，从历史来看你总是比我超前几年，除了在DeFi领域。

I I guess, like, yeah, I think, you know, you're always a couple years ahead of me historically, except in DeFi.

而且，我想说我得承认，我自己也最终得出了非常相似的结论。

And, I I would say I would say that, you know, I I came around to a very similar realization.

并不是说我不认为ZKVM会构建出很多酷炫的东西，但我确实认为在很多应用场景中，人们只是想快速尝试某些东西，而且他们最初也不希望把所有数据都公开在区块链上。

Not that I don't think that there'll be a lot of cool things built with ZKVMs, but I do think there's a lot of applications where people just wanna try something and do it quickly, and they also don't want to have all their data public in a blockchain initially.

他们愿意在硬件方面做出这种权衡。

And they're willing to make the trade off with the hardware.

因为，如果想想那些使用移动钱包的人——可以说90%的移动钱包用户其实在硬件层面都做出了同样的权衡。

Because, like, if I think about people who are using, like, 90% of people who are using mobile wallets arguably are making the same trade off hardware wise.

对吧？

Right?

他们使用面部识别和手机或电脑TEE中的各种认证机制。

They're using face ID and whatever attestation that is in the TEE in their phone or or in their computer.

我觉得对于加密货币的新用户来说，TEE和非TEE的区别某种程度上对他们而言几乎为零。

Like, I feel like the the new users of crypto, the difference between TEE and not TEE is, like, zero to them to some extent.

所以我认为，既然人们已经在用户界面方面做出这种妥协，以避免终端用户实际感知到复杂性，那么这某种程度上就很能说明问题了。

And so, you know, I think if people are already on the user interface side making that compromise so that the end user doesn't effectively oblivious up, then it's sort of clear that, hey.

看吧

Look.

也许用T这类技术增强现有合约，比如做这种凭证匹配，类似TLS那种东西

Maybe augmenting existing contracts with T's kind of, yeah, doing this credential, like, matching, doing kind of the TLS type of stuff.

感觉如果你愿意做这些假设，对终端用户的影响可能会更大

It just feels like it's probably gonna be more impactful to the end user if you're willing to make those assumptions.

我觉得显然，roll up就是那种...没错，对BZK来说非常合理的地方

I think, like, obviously, roll ups are a place where, yeah, it makes a ton of sense to BZK.

对吧？

Right?

毕竟输入本来就是公开的，而且大家对输入已经达成共识了

Like, the input is just public anyway, and everyone's already agreed on the input.

但我觉得从MEV领域转向TEE这件事很有意思，这更像是需求驱动创新，而不是内生性地把它当作解决方案

So it's like but I I I feel like there is this whole world of things where I think it's, like, interesting that people from MEV land came into TEE is kind of out of, you know, necessity being the mother of all innovation versus sort of, like, endogenously thinking of it as a solution.

所以我很好奇，既然你已经皈依'飞地'福音好几年了——我本来想用'秘密会议'conclave'和'enclave'玩个双关梗的，但没完全想好

So I'm I'm just kinda curious, like, now that you've you've had, like, a few years of conversion into the gospel of the the enclave, I was trying to figure out if I could make some type of pun with conclave and enclave, but it wasn't quite wasn't quite closer.

不过，你知道，有哪些事情比你预想的要简单？

But, you know, like, what are kind of the things you think that are easier than what you expected?

还有哪些事情比预想的更难？

What other things are harder?

你觉得这些权衡取舍是怎样的？

Sort of like, how what do you view the trade offs as?

因为，你已经在所有这些不同系统中编写过代码，所以你有更高层次的视角。

Because, like, you've kind of written code in all of these different systems, so you have sort of a high level overview.

是啊。

Yeah.

我的意思是，也许可以基于你刚才说的内容展开，我目前有两种构想。

I mean, maybe just building on, you know, what you were just saying, like, I have two visions in mind.

一种是当下我认为会发生的情况，另一种则是我认为应该发生的情况，或者说从架构角度应该追求的理想状态。

One is what I think is gonna happen right now, and the other is what I, you know, think should happen or is like the architectural ideal to build towards.

对我而言，未来应该追求的理想状态是：我们将拥有多方计算节点来处理全同态加密的解密工作，这些节点会组成多方计算网络来执行解密但运行在可信硬件中，从而防止节点串通或进行未经授权的解密操作。

To me, the ideal to build towards is on in the future we will have, you know, multi party computation nodes doing the decryption stuff for FHE and these nodes will to prevent that collision risk, there will be an MPC of them doing the decryption but they will run-in trusted hardware that prevent those nodes from colluding or doing decryption on anything that they shouldn't.

那么希望到那个时候，由于只是解密操作，不会受限于这些节点的性能瓶颈，我们就不必依赖某一家或两家制造商的SGX等技术了。

And then hopefully at those point, because it's just decryption, it's not bottlenecked on their performance of those, we wouldn't be having to use SGX or something from one or two manufacturers.

我们将能够利用一些区块链原生的验证机制，无需信任可信执行环境（TE）的替代方案——虽然我无法具体说明实现方式，但或许那些曾研发比特币ASIC芯片、如今致力于Snark加速器的团队会转向开发TE技术，这样我们甚至不必默认接受TE技术中集中化可信制造商这一环节。

We'd be able to use some blockchain native verify don't trust TE alternative that come from, you know, I can't say how to do that, but maybe the kind of people that were doing Bitcoin ASICs and now are doing Snark accelerators, they work on TE's next, maybe that'll be a way we don't even have to take the centralized trusted manufacturer part of the story of TE's for granted.

所以对我来说，这显然是我们技术上应该努力追求的长期目标。

So to me, that's very clearly the long term goal to technically strive towards.

但正如你所说，就目前市场现实而言，这并不是我现在想要实现的。

But exactly what you said, as just a market pragmatist now, this isn't what I'm trying to make happen.

我认为这是不可避免的趋势。

This is just the observation I think is inevitable.

如果可能的话我会抵制这种做法，但人们会把TEE当作捷径。

I'd push against it if I could, but people are gonna take TEE's as a shortcut.

无论零知识证明变得多简单，我认为在TEE中运行等效程序并使用远程认证作为替代方案会更简单。

It's no matter how easy the ZK proofs get, I think it's going to be easier to make the equivalent, run it in ATEE and use the remote attestation as a substitute in lieu of a ZK proof.

这样更快、更便宜，开发起来可能也更容易。

It's just faster, cheaper, probably going to turn out easier to develop.

即便我会劝阻这种做法，我认为人们还是会将其视为开发捷径。

And even if I would discourage it, I think people are just going to take it as a development shortcut.

而且我认为，你可以看到在L2中，即使是乐观估计，也可能将完成故障证明视为一项延期事项。

And I think, you know, you can see that in L2s, even with optimism that might take, you know, finishing the fault proofs as like a deferred thing.

我能想象你设计一个多证明者系统。

I can imagine you design a multi prover system.

我们有零知识证明和可信执行环境。

We've got ZK proofs and TEE.

是的。

Yeah.

但显然你可以更快、更容易且性能更优地推出可信执行环境方案。

But obviously you can ship the TEE one, you know, maybe faster, easier and better performance.

所以即使我不希望这样，我认为这很可能成为吸引人们采用的第一卖点。

So even when I don't want that, I think that's likely the first appeal that people are going to see that's going to make this catch on.

另一件...我应该说更容易的事，这确实是让我能够快速切入的关键——不仅从研究角度，我想我还发现了一个套利机会，可以这么说。

The other thing that's, what you I would say was easier, really this is about the first thing that made it easy for me to swing into this, not just from a research perspective, but I think I started to pick up an arbitrage opportunity, I guess you would say.

也许这是我唯一注意到的一点，但我开始意识到所有那些FUD帖子——你知道，我并不是唯一一个轻信了关于TEE的反DRM信息以及它们漏洞序列信息的人。

Maybe this is the only one I've picked up on, but I started to realize that all those FUD posts, you know, I wasn't the only one who ate up that anti DRM message about TEEs and then also like the vulnerability sequence message of them as well.

但那些条件反射般的反应，FUD人士在回复评论中说的话，甚至那些研究TEE的公司都对此避而不谈。

But the knee jerk reactions, the FUD people would say in reply comments and even companies working on TEs just wouldn't talk about it.

事实证明，很多公司长期以来一直在研究这些技术，只是大多保持沉默，因为提起这件事本身就是负面公关。

Turns out there are a lot of companies that have been working on these for a long time and just mostly being quiet because it's negative PR to even bring it up.

我开始意识到这些回应并不那么站得住脚。

I started to realize that the responses weren't that defensible.

他们留下了太多显而易见的漏洞，你知道，很容易被反驳。

They were leaving open too many easy, you know, answers to counter them.

很大程度上，也许我们稍后会讨论的是，你知道，那些并不完全的软件缓解措施，在这个TEE的世界里，你完全受制于它们。

And a large part of this, maybe we talk about it a moment is like, you know, software mitigations that aren't it's not entirely you're just given this world of TEEs and, you know, you're completely at their whim.

它们就像是，你知道，类似ZK后端这样的粗糙技术工具。

They're kind of, you know, crude technical tools like a ZK back end.

这取决于，你知道，我们这些区块链集成者，你知道，如何处理它以及如何规避问题。

And it's up to, you know, us blockchain integrators, you know, what to do with it and how to work around it.

意识到反TEE的恐慌宣传已经朝错误方向或极端方向走得太远，我认为这让他们容易受到我当时恰好想提出的笨拙心理战术的影响。

So realizing that the anti T FUD campaign had swung too far in the wrong direction or in the extreme direction, I think, just left them open for clumsy psyops that I was in the right mood to bring.

所以我也想说，我认为存在一种务实的密码朋克方式，这基本上就是你所说的那种方式。

So I also would would say, you know, I think there's the pragmatic cypherpunk approach, which is how I would kind of term what you're saying.

然后还有务实的资本主义方式，我会这样描述，就是，你知道，纯粹的投资规模。

And then there's the pragmatic capitalist approach, which I will describe as the following, which is, you know, the sheer amount of investment.

大家都会想，嘿。

You Everyone thinks about, hey.

虽然对ZK证明投入了这么多投资，有人在做硬件等等，但可能仍然只占TEEs总投资的1%左右。哇。

There's been all this investment in ZK proving, people building hardware, whatever, is still probably on the order of 1% of the investment in Ts overall Woah.

在加密货币领域之外。

Outside of outside of crypto.

你是说包括英特尔和AMD的开发成本？

You're including, like, the development costs of Intel and AMD?

是的。

Yeah.

英伟达，没错

The NVIDIA yeah.

正是如此

Exactly.

英特尔的开发成本加上英伟达的，再加上苹果为他们的TEE收购所有硬件公司的花费

Intel's development costs plus NVIDIA's plus Apple's acquisitions of all the hardware companies they bought for their TEs.

实际上推动TEE性能发展的最大动力远超加密货币领域能企及的——你看，人们想在TEE里进行AI推理，因为他们害怕模型权重被盗或被黑客攻击，大量间谍活动已促使许多模型运营商开始在安全飞地中进行推理服务

And there's actually a much bigger driver of TEE performance than anything crypto can really match, which is, you know, if I look at the fact that people want to do inference for AI in TEEs because, like, they're afraid of people stealing their weights or, like, hacking, you know, the a lot of the espionage stuff has basically made some of the model operators start to do inference and then offer inference in in enclaves.

这将比其他任何因素都更能激励硬件加速发展——单纯从资金投入和人力规模来看就是如此

That is going to just incentivize much faster hardware development than anything else, I think, just like simply by the pure sheer amount of dollars and people involved.

某种程度上，你可以认为AI是搭了加密货币的便车——GPU性能提升最初是因为人们开始挖矿

And so that you know, if you think about AI as riding the coattails of crypto in some ways, in that GPU performance got better because people started mining.

于是我们开始制造这种低能耗、高内存吞吐的GPU，而不是纯粹的图形显卡

And so then we started making these, like, you know, kind of low energy, high RAM throughput GPUs versus the pure graphics card GPUs.

所以嘛，免责声明或者说利益声明都行

And so, yeah, disclaimer or disclosure, whatever.

我是说，我2014到15年那会儿还是个CUDA开发者，那时候用NVCC简直恶心到爆。

I mean, I used to be a CUDA developer, like, in 2014 and '15 when it was deeply disgusting to use NVCC.

不过我搞图形的时候做过不少OpenCL开发。

But I did a lot of OpenCL when I was in graphics.

是啊。

Yeah.

没错。

Yeah.

我...我做过很多蛋白质折叠之类的研究，不幸的是那时候不得不跟那些玩意儿打交道。

I I did a lot of, like, protein folding stuffs and I unfortunately had the misfortune of dealing with the stuff back then.

你提到的这个发展势头啊...

You're bringing up the, you know, the the momentum of this.

我觉得这特别重要，几乎就像...虽然我把它当成自己发现的某种技术，这些可信执行环境的使用方式，可能就像人们采用零知识证明那样，但这些本质上都是产品对吧？

I think that's totally important and it's almost like, I mean, I'm treating this like something I've discovered in a way, these TEs to use, maybe the way, you know, people pick up ZK proofs, but I mean these are products, right?

它们就是被设计来这样使用的。

And they're made to be used this way.

观察这个现象，这些产品的交付方式真是耐人寻味。

And looking at it, so interesting the way that these are delivered.

我还没能完全理解其中的全部战略影响，但这种分发策略你觉得如何？

I haven't been able to wrap my mind full around all the strategic consequences of this, but like how's that for a distribution strategy?

就像突然发现，你所有的服务器芯片里都内置了TEE功能。

Like surprise, all of your server chips just have tea in them.

是啊。

Yeah.

这已经不是用户愿不愿意为附加功能买单的问题了。

Like it's not a matter of are people gonna pay enough for the extra tea add on?

更像是服务器本身就具备这个功能，当你打开SDK使用时它们就已经存在了。

It's kind of just like your servers have this, they're already there, you know, when you choose to open the SDK and use it.

从这个角度看，某种程度上这几乎显得不可避免或者说显而易见。

And when you'll see it from that lens, it's almost just seems inevitable or obvious in some way.

就像，这个趋势不会消失。

Like, this isn't going away.

AMD和英特尔在某种程度上都采用了相同的虚拟机方法来处理TDX和SCV SNP的安全飞地，这已成为他们默认的工作模式。

The fact that AMD and Intel have kind of converged on the same, you know, virtual machine approach to enclaves with TDX and SCV SNP is their, you know, mode of working.

看起来这将成为一种预期标配——是的，每台云服务器都将具备这种能力。

It seems like this is just gonna be an expected default that, yeah, every cloud machine has this kind of capability.

任何运行现代计算卡进行推理或训练的机器，显然都会尽力为你提供这种受保护的环境。

Anything running a modern, you know, compute card for doing inference or training just obviously is going to do its best to provide you this protected environment.

谁不想要在这些设备上勾选机密计算选项呢？

Who wouldn't want, you know, the confidential compute checkbox in those.

所以我确实无法跳出我的加密视角来看待这个问题，但正如我所说，这种趋势的势头远远超出了我们对它们的预期范围。

So I I can't really view outside of my kind of crypto viewpoint of this, but that's just, the momentum of that, you know, far exceeds, as I was saying, that's far exceeding just the scope of, what we want from them.

我认为一个更善意且合理的解释是：加密技术帮助GPU变得更便宜、性能更好——嗯。

And I think a a a more a nice sort of charitable interpretation is, you know, crypto help GPUs get a lot cheaper and better Mhmm.

2012到2018年间。

2012 to 2018.

在此期间，这使得人们能够以更低成本进行大量AI架构实验。

In that time, that enabled people to do a lot of architectural experimentation in AI much more cheaply.

从GANs到transformers，以及中间所有其他架构，应有尽有。

You know, everything from GANs to to transformers and all the other architectures in the middle.

而现在加密技术可以乘着AI的东风，搭上T等技术的顺风车。

And now crypto gets to ride the coattails of AI putting Ts and everything.

因为，我真的认为，这可能会比加密技术推动TEs发展多上百倍。

Because, like, I really do think, like, that will drive TEs a 100 times more than crypto probably.

哇哦。

Woah.

而且它会出现在，比如，每个设备中。

And and it'll be in, like, every device.

说得好。

That's a great point.

喜欢这个观点。

Love it.

我想请教一下过去几年行业里发生的一些事情，特别是NTEs，因为你刚才提到它们大约在2018年开始出现在某些领域。

I wanna just ask about some of the what was happening in the industry over the last few years, NTEs, because you sort of hinted at this where like they started to pop up in things back in 2018.

对我来说，TEE（可信执行环境）最初是和SGX及英特尔划等号的。

To me, Ts were SGX and Intel sort of synonymous.

但自那以后，我感觉它们突然出现在所有其他领域。

But since then I feel like they've popped up in all these other places.

这是否也改变了某些事情？

Has that changed something as well?

我知道不只有英特尔在做，但至少当我最初了解时，那就是英特尔的SGX技术。

I I know it wasn't only Intel, but at least like when I learned about it, that was Intel SGX.

那就是当时的TEE标准。

That was the TE standard.

是的。

Yeah.

这个问题更多是关于哪些公司在使用它，还是关于其他类型的TEE？

I I mean, this question's about, what are the companies using it or about what are the other TEs more?

对。

Yeah.

这类技术被加入的历史是怎样的？

Just sort of what's the history of that kind of being added?

我是说，我最了解的是Oasis，它是由Don Song及其合著者在那篇Ikedan论文基础上构建的。

I mean, the ones that I was aware of the most, I was aware of Oasis that was built, you know, by Don Song and coauthors out of that Ikedan paper.

我开始密切关注Secret Network。

I started to follow Secret Network really well.

也许当时最激励我的是看到他们在私有NFT领域的成就。

Maybe one of the things that was then most inspiring for me was just seeing what they did with private NFTs.

我对他们的隐私代币相当失望，尤其是从Zcash的角度来看。

I was pretty down on their privacy tokens, especially coming from the Zcash world.

我认为他们的声明言过其实，而且在技术细节上有很多值得商榷的决策。

I thought their claims were overstated and then had, you know, technical beef to pick on kind of nitpick decisions.

不过你知道，这些问题都是可以解决的。

But, you know, those are all fixable.

尽管如此，长期来看我还是更看好ZK证明在隐私领域的应用。

Still, it's like I kind of favor the ZK proofs for this long term, you know, privacy.

但他们确实做了一些非常酷的应用，对我来说就像是：没错，这正是我希望看到创新者如何利用工具箱里的新工具。

But there were a bunch of things that they've done that were really cool applications that to me is like, yes, this is what I wanna see innovators doing with, an extra tool in the toolbox.

所以他们有防右键保存的NFT，这些NFT带有只有拥有者才能查看的私有元数据。

So they have right click resistant NFTs that have private metadata that only the owner of the NFT can see.

右键保存问题在公链NFT上确实存在，但在具备足够多功能性机密数据的链上就不一样了。

So right clicking is, you know, a public chain NFTs problem on a chain with, you know, sufficiently versatile confidential data.

你可以进入一个全新的世界，那里确实存在值得用这种方式保护的资产价值。

You can have this whole other world where there's actually like, you know, property worth protecting that way.

另一个让我特别感兴趣的是，他们有几个版本的Uniswap克隆产品。

And the other one that I found so interesting was, well, they had a couple versions of a Uniswap clone.

如果你拿Uniswap为例，直接在机密智能合约中运行其克隆版，它就会自动变成暗池交易——每次按区块批量处理交易，你看不到单笔交易，失败交易更是完全不可见。

If you take a Uniswap and you just run the Uniswap clone in a confidential smart contracts, It automatically is like a dark pool that one block at a time does a batch, but you don't see the individual trades and failed trades you don't see at all.

更有趣的是他们的Compound克隆产品Sienna借贷协议。

And then the even more interesting one was their their compound clone, Sienna lend.

如果你直接把Compound架构放到机密环境中运行，得到的就是防狙击功能。

If So you just take compound structure and run it in the confidential world, what you get is the snipe resistance.

就像你仍然拥有账户一样。

It's like you still have accounts.

根据预言机报告的价格变动，账户持有不同组合的抵押品，账户可能会资不抵债或不会。

Accounts have different portfolios of collateral depending on the price changes reported by an oracle, an account can go insolvent or not.

如果账户对某一种抵押品过度暴露，那么该抵押品的价格变动就会使其面临风险。

And if it's over, you know, overexposed to one kind of collateral, then that's, you know, makes it risky to a change in that collateral.

但在这里，你的投资组合头寸是隐藏的。

But here you keep your portfolio positions hidden.

规则是，如果它们确实被清算，就会披露投资组合账户，因为这是清算人需要看到的。

The rule is that if they are in fact liquidated, discloses the portfolio accounts because that's what liquidators need to see.

但你免疫的是狙击行为，即有人可以看到你对某一种代币过度暴露，然后我可以操纵该代币的价格，从而影响你的整体抵押品健康状况。

But what you're immune to is sniping where someone can see, you're overexposed to this one token and I can move the price on that one token and that would tip over your whole, you know, collateral health.

所以这就是你通过一行代码改变Compound代码所得到的。

So that's what you get with like a one line change to the, you know, compound code.

我有点过于简化了，但这基本上就是你得到的东西。

I'm oversimplifying a little, but that's essentially, you know, what you get.

回到我最初的问题，因为我实际上并不一定是指那些使用TEE的公司，而是指那些突然内置了TEE的硬件公司。

Just to go back to my initial question, because I actually wasn't necessarily talking about companies that used Ts, but rather hardware companies that had Ts all of a sudden in them.

据我了解，过去几年里，TEE出现在更多地方了。

As I understand it in the last few years, teas have popped up in more places.

对吧？

Right?

比如现在有更多芯片、更多产品、更多公司——我不确定苹果是否一直都有TEE。

Like there's more chips that are more products, more companies that are actually I I don't know if Apple always had teas.

可能那时候也有。

Maybe it did back then too.

但感觉确实变得更加普遍了。

But like, I feel like, yeah, it just sort of becomes more ubiquitous.

并非所有TEE都是相同的。

Not all TEEs are the same.

我的意思是，对我们这些试图用TEE构建酷炫去中心化系统的Web3区块链从业者来说，只有部分功能最具吸引力，并非所有TEE都适合。

And I mean, I would describe there's a handful of features that are most appealing to us as Web three blockchain people trying to build a cool decentralized system using the TEEs and then not all of them are fit for it.

而且我认为实际上像手机中的某些TEE，我不确定它们在多大程度上适合我们想要实现的目标。

And I think actually the some of the ones like in mobile phones, I don't know to what degree they actually are suitable for what we would want to do with them.

SGX以及同类产品（包括H系列和AMD的解决方案）的优势在于它们是用户可编程的，因此不需要原始设备制造商进行预置。

What's great about SGX and the, you know, the others in that class, I think it's true of the h one hundreds and the AMD ones as well, is like they're user programmable, So there's no like OEM that has to insert those.

许多TEE是为物联网设备设计的，但关键在于——甚至包括远程认证——是从管理控制器到现场部署在客户家中的设备之间的验证。

A lot of TE's are like for IoT devices, but then it's about and there's even remote attestation, but it's about from the admin controller to the devices out in the field and customers houses.

你能确认自己是在向自有设备提供云服务吗？因为这些设备是由你们自己的OEM组装商制造的。

Can you know that you're providing your cloud service to your own device because you built it from your own OEM, you know, assembler.

这就像是，远程认证只有两方参与，但部署设备的人同时也是需要被说服的依赖方。

And it's like, you know, it's only two parties like remote attestation, but the person who set the device out there is also the same one who's the relying party trying to be convinced of it.

因此我认为，在某种程度上，许多最广泛使用的TEE都属于这种更受限制的类型。

And so, I think that to some degree, a lot of the most widely used Ts are of that more constrained kind.

比如你可能可以使用TEE，但必须通过Play商店或苹果商店以某种方式协助。

Like you may be able to use the T but only with the Play Store or Apple Store's help in some way.

所以在处理器层面真正有趣的是，一旦它离开了处理器公司的掌控，基本上就完全不受他们控制了。

And so what's really interesting about this at the processor level is really once it's left the, you know, processor company, it's largely out of their control.

这其中确实存在一层不透明性，让我们很难完全信任英特尔无法干预。

There's absolutely a layer of opaqueness to this that makes it hard to say we fully trust that, you know, Intel can't touch it.

这里存在一个明显的攻击面，如果他们想设置后门，完全可以做到。

There's like an obvious attack surface where if they wanted to have a backdoor, they could.

如果他们想为间谍飞地签署虚假的远程认证证书——这种飞地可以加入网络但无法真正保护任何数据——他们显然也能做到。

If they wanted to sign a fake remote attestation certificate for a spy enclave that could join networks but not actually protect anything, they obviously could.

但至少从设计上，处理器一旦离开工厂就脱离了他们的直接控制，这种架构确实存在。

But at least they do have the structure that by design the processors, you know, out of their direct control once it leaves the factory.

我觉得云环境中的这种架构很有意思——基于Azure SGX的服务器在某种程度上实现了英特尔与Azure之间的职责分离，毕竟实际运营的是Azure。

I think it's actually really interesting what you have in this cloud environment where like an Azure SGX based server is somehow a little bit of separation of duties between Intel and Azure, like Azure are operating it.

你希望的是，如果真出现底层攻击（比如拥有物理攻击实验室的人试图从中榨取数据）的情况...

And what you hope is that if it turns out that there's, you know, an undervolding attack that someone with a physical, you know, attack lab, you know, could be squeezing some data out of it.

Azure承诺不会这么做。

Azure is promising not to do that.

这些服务器就放在他们的普通机架里。

They have it in their ordinary racks.

他们以尊重的方式对待客户。

They're treating their customers with respect.

至少他们是这么声称的。

They're at least claiming that.

所以这有点像'好篱笆造就好邻居'，即使不是完全控制，这种职责分离似乎也有实际意义——英特尔需要违背自己的设计规范，而Azure还得协助他们才能破坏某些东西。

So it's kind of like the locks make good neighbors, even if it's perfect control, it does seem like a meaningful separation of duties, like Intel would have to, you know, not follow their own design and Azure would have to help them make use of it to break something.

然后回到之前说的，如果他们要对隐私数据进行大规模监控，可能同样困难。

And, you know, and then back to like, if they would do this for bulk surveillance over privacy data, maybe that's as difficult.

但对于MEV应用来说，比如Flashbots表示我们主要只需要20秒左右的MEV时间来处理这些隐私数据——即使他们能发动国家级攻击或合谋攻击，也不会为了短暂截取MEV而暴露这种能力并在企业客户面前自毁声誉。

But then for an MEV application where like Flashbots says, we mainly just need this for like, you know, twenty seconds of, know, MEV time negotiating over this private data, Even if they could do this nation state level attack or colluding attack, they're not gonna burn revealing that capability and embarrassing themselves in front of their enterprise customers just to skim MEV for however long they can.

所以这某种程度上回答了我为什么对Flashbots感到兴奋。

So I mean, that that kind of answers the like why I'm, you know, I'm excited about Flashbots for that.

这是个更具体的应用场景，至少在这个场景下应该是可行的。

Like it's a it's a narrower use case where like at at least this should be able to do it.

如果连这个用例都实现不了，那些更困难的长期隐私用例就更没希望了。

If it can't work for this use case, then the, you know, harder long term privacy cases, don't have a shot.

所以我想补充一点，我认为这实际上非常重要，而且我觉得加密领域的人有时会被文化熏陶不去思考这一点，那就是隐私具有一种天然的时间价值。

So another thing I would add here, which I think is actually quite important, and I think a thing people in crypto sometimes are cultured to not think about is that there's a sort of natural time value of privacy.

比如，某些应用确实需要持久的隐私保护，或者至少在不可篡改的意义上保持同步证明的永久性。

Like, some applications actually do need persistent privacy or or at least non manipulable in the sense of, like, a sync proof tamper proofness forever.

对吧？

Right?

因此，就像一个rollup需要永远保持其所有有效性证明的正确性，只要它还在运行。

So, like, a roll up needs to have all the proofs that it's been valid to be right forever as it's still operating.

另一方面，像DEX订单流在区块最终确认前只需要几分钟的隐私保护，最多也就是区块最终确认所需的时间。

On the other hand, something like DEX order flow in a block before the block is finalized is only a few minutes, you know, at most, say, takes to finalize that you actually need the privacy for.

嗯。

Mhmm.

因为在那之后，是否有人知道就无关紧要了。

Because after that, it doesn't matter if anyone knows.

他们之后也无法进行抢先交易。

It's not like they can front run it afterwards.

这就像是已经确认并执行完毕了。

It's like it's already confirmed, already executed.

你也无法真正重放这笔交易。

You can't really replay the transaction either.

所以某种程度上来说，事情已经完成了。

And so it's it's kind of it's it's done.

这种瞬时隐私的概念，或者说围绕特定事件及时生效的隐私，在很多应用中都非常重要。

And this notion of, like, ephemeral privacy or privacy that's, like, just in time around certain events is very important to have in a lot of applications.

实际上我并不需要FaceID永久保护我的照片隐私。

You don't actually need I don't need face ID to give me privacy of my picture forever.

我真正需要的是它在验证所需的短暂时间内保护隐私，之后就会删除。

I actually need it for the small time it has to use to validate and then it deletes it.

因此我认为，在考虑隐私成本与隐私持续时间之间的关系时，有个非常重要的思考维度。

And so I think there is a a very important piece of thinking about the cost of privacy versus the duration of privacy.

想象你有两个坐标轴，一个比较这类隐私的成本，另一个比较我需要隐私保护的时长。

Imagine you have, like, two axes and you're comparing, like, how much does it cost for this type of privacy versus how long do I need the privacy for?

有些应用场景下，你愿意支付极高成本，因为你需要隐私性或简洁性保持很长时间。

And there's some applications where you're willing to pay a very huge cost because you need a long time where either the privacy or succinctness properties need to be true.

Rollups就是其中之一，我基本上会说时间是无限或任意长的。

Roll ups being one where I I basically would say time is infinite or arbitrary long.

对吧？

Right?

但另一方面，MEV在这个频谱上是非常短暂的。

But MEV on the other hand of this this spectrum is, like, very short.

问题在于，中间地带存在哪些事物？

And the question is, what are the things that are in the middle?

我认为中间地带的事物，目前我见过的只有AI类应用——比如我不希望你立即知道我的查询记录。

I think the things that are in the middle, the only things I've seen so far have really been, like, the AI type of stuff where it's like, I don't want you to know my queries that I made for a while.

但在多次查询后，你或许能通过统计汇总得出某些结论。

But after many of them, you might be able to statistically aggregate something and say something about it.

但当下这一刻，我不希望你知晓。

But immediately, I don't want you to know.

在一段时间内，我不希望你知道。

And for some amount of time, I don't want you to know.

我不确定加密应用有哪些。

And I I am not sure what the crypto applications are.

对吧？

Right?

金融领域的大部分隐私保护需求都是短期的。

The finance stuff is very short duration privacy for the most part.

要知道，你可能会说借贷等少数场景确实需要稍长的持续时间，但即便如此，这种情况也相当罕见。

You know, you can argue maybe lending and a couple things do have a little longer duration, but even then, it's it's quite unlikely.

而Roll ups则是无限持续时间的。

And then roll ups are infinite duration.

但是，这个中间地带到底是什么呢？

But, like, what is the middle?

我认为ZK虚拟机和TE的特点在于，它们都希望在这个中间地带找到解决方案，但可能会从不同的方向实现突破。

And I think the thing about ZK VMs and TE is they're both hoping to find something in that middle, but they might end up finding it from different directions.

对吧？

Right?

就像，Ts可能会从极短持续时间过渡到中等程度，而ZK VMs则会从超长持续时间向中等程度发展，但它们可能永远不会交汇。

Like, Ts might go from, like, the very low low duration to something in the middle, and ZK VMs will go from something very long duration to something in the middle, but they might never meet.

它们可能只是各自存在于自己的世界里。

They might just be in their own world.

这就是为什么我认为那种'它们在竞争，大家在推特上互相攻击'的观点...算了，抱歉。

And and that's why I think this idea that they're, like, competing and everyone fighting each other on Twitter is like anyway, sorry.

这是我关于这个话题的个人执念

That's my hobby horse on on the like

不

No.

这很有趣

That's interesting.

你发现了一个处于中间状态的假设

And you've identified like a that's a it's a hypothesis in the middle.

比如，它们要么有重叠部分。

Like, they either overlap.

有些应用非常诱人，值得用零知识证明来处理。

There's some applications that are juicy and you can afford to do ZK for them.

而TEA方案也因其短期性而适用。

And the tea is appropriate as well for the short termness of it.

但也许实际情况是它们没有交集——有些诱人应用对TEA方案的独立可信度过于敏感，同时又因性能等原因不适合采用零知识证明。

But maybe it's the case they don't overlap and there's juicy applications that are too sensitive to trust the teas on their own, but they're also too performance or something to, you know, for, for the ZK to be a good fit for it.

我是说，这就是为什么你认为AI应用确实适合这个领域。

I mean, that's why you're saying the AI applications do fit in.

是的，我没有完美答案，但这是个很好的问题。

Yeah, I don't have a good answer, but that's a nice question.

我觉得我们现在应该立即转向MEVT话题。

I feel like we should jump very much now into the MEVT.

我知道我们已有所涉及，但你们正在开展的工作——如果能详细了解你的具体参与情况以及当前在该课题上的研究进展，将会很有帮助。

I know we've touched on it, but the work that you've been doing, I think it would be great for us to understand exactly what your involvement has been and kind of your current work around the topic.

其实在这期节目之前我就问过你，你是Flashbots的成员吗？

I actually asked you before this episode, like, are you part of Flashbots?

对。

Yeah.

我不太确定，我在一些演讲中见过你。

Like I don't, I don't, I see you at talks.

有时候你的名字下面会标注Flashbots。

Sometimes your name is like, there's Flashbots under your name.

所以我有点困惑。

So I'm like confused.

所以，也许你可以分享一下。

So yeah, maybe you can just share.

是的。

Yeah.

我是Flashbots的成员，同时也在协助其他几个项目。

I'm a mate at Flashbots and I've been helping with a couple of other projects on the side as well.

酷。

Cool.

尤其是周期性的工作，同时我还在处理一些大学的事务。

Cycles especially and still have some, university things that I'm doing.

是的。

Yeah.

而且我本来就经常在各种项目之间跳来跳去。

And I kind of hop around and hop on lots of projects generally anyway.

但我认为我所扮演的角色其实相当稳定，可以很好地描述清楚。

But the role that I've been playing, I think has been fairly consistent for a while that I can describe it, you know, well enough.

我的兴趣主要在于，不仅推动使用（技术），还要帮助人们反驳那些我认为错误的反对论点，让他们接受使用的重要性。

Largely my interest has been on, you know, not only promoting the use of teas, like helping people counter, you know, what I think are the wrong arguments against it and maybe accept that using it's important.

但我真正感兴趣的是如何更清晰地使用它，特别是要识别技术债务或开发者需要规避的陷阱。

But I'm really interested in bringing more clarity on how to use it and especially to identify like what is the tech debt or what are the pitfalls that software developers need to know.

我通常持这种态度：你知道，我们能做很多事。

I generally take this attitude that's, you know, like we can do a lot.

我们很强大，要知道，红外工程师和整个Web3生态系统都是如此。

We're powerful, you know, infrared engineers, the web three ecosystem broadly.

我们不会让零知识证明的复杂性阻碍我们很好地掌握如何使用它们。

We don't let the complexity of zero knowledge proofs, you know, stop us from figuring out how to use them very well.

所以在使用TEE时存在很多陷阱。

So there's a lot of pitfalls in working with TEEs.

你必须防止侧信道攻击。

You have to prevent side channels.

这些非常微妙，因为你需要选择威胁模型，然后针对这些威胁选择相应的缓解措施。

Those are very nuanced because you have to pick like what threat model you want and then also choose which mitigations you apply for those.

你需要采取措施防止重放攻击，这通常需要利用区块链。

You have to do things like preventing replay attacks, which generally involves making use of the block chain.

这真的很有趣，区块链和TEE是如何互补的。

Like, it's really interesting how block chains and TEEs are complementary.

我的意思是，就像我们刚才讨论ZK和TEE如何互补一样。

I mean, maybe in the same way our conversation was just about how ZK and TEEs are complementary.

对于共识协议、区块链和TEE来说确实如此。

It's definitely true of consensus protocols and block chains and TEEs as well.

二者缺一不可，最重要的设计模式之一就是在安全飞地程序中内置区块链网络的轻客户端。

You can't have one without the other and, you know, one of the most important design patterns is to have a light client for a blockchain network inside an enclave program.

这样TEE安全飞地就能与区块链绑定，只执行区块链的指令。

That's how you have the enclave, the TEE locked into the blockchain and only doing what the blockchain says.

就像用区块链作为控制平面，而TEE作为协处理器来执行具体工作。

It's like you use the blockchain for a control plane and a TEE as the, you know, coprocessor to do the work of that.

我在Flashbots的主要贡献是这个Surah项目，它就像个教程模式。

So the main thing I've contributed to at Flashbots is this Surah project, which is like a tutorial mode.

某种程度上就是回归Akheden论文并快速实践。

It's in a way just going back to the Akheden paper and speed running it.

我们这样定位它，因为其功能类似Fala、Oasis和秘密网络。

That's how we framed it because it's similar in what it does to say Fala and Oasis and secret network.

但它的目标是用绝对最精简的代码量来实现。

But it's meant to do so in an absolute minimal amount of code.

我认为我们核心代码大约有2000行，这还不包括我们导入使用的所有包。

I think our core thing of it was like a 2,000 lines on top of, you know, all the packages that we import to use it.

所以它主要是帮助大家达成共识，比如可能会遇到哪些陷阱，如何正确连接这些组件，以及如何思考安全目标。

So it's just basically meant to help get everyone on the same page on like what are the pitfalls that can go wrong, what do you need to do to connect these, you know, properly, how to think about what the security goals are.

这又回到了Hawk论文中那个激励性的例子。

And it goes back to that same, you know, motivating example from the Hawk paper of it.

这是一个密封投标拍卖，你希望即使对失败的投标也能保护隐私，所以不能简单地提交和公开。

It's a sealed bid auction where you want to provide failed bid privacy even for the losing bid, so you can't just do commit and reveal.

而且，这是Hawk的变体，只不过管理者只在TEE中运行，它使用远程认证而不是Hawk使用的EK证明。

And, it's Hawk except the manager only runs in a TEE and it uses the remote attestation instead of where Hawk used as EK proof.

你刚才已经谈到了Web2时代的东西，比如TLS公证。

You sort of already talked a little bit about something from like Web two, the TLS notary.

虽然这可能不完全是你现在研究的内容，但我不太理解TEE在其中扮演什么角色。

How does this like, I realize this might be not exactly what you're working on right now, but I didn't quite understand how TEs factor into that.

我知道一些专注于零知识证明的项目正在尝试TLS公证概念，将Web2网页引入区块链，为现实世界创建证明，某种程度上几乎成为了预言机。

Like I know some ZK focused projects that are playing with the TLS notary concept of bringing web to like web pages, making proofs about the web on a blockchain, sort of almost becoming a bit of an oracle for like the real world or something.

是的。

Yeah.

TEEs是如何在这种场景中被使用的？

How do Ts get used in this way?

我的意思是，如果你不介意的话，能否用一句话描述下它在零知识证明版本中是如何运作的？

I mean, if if you don't mind, can you give me like, your one sentence description of how it works in the ZK version of that?

呃，我可能不是最适合解释的人。

Well, I I would probably not be the perfect person to explain it.

但据我理解，你需要为网站的某个状态创建零知识证明。

But as far as I understand, you create a ZKP of some state of a website.

比如你想证明——我不知道具体例子——你的银行对账单在网站上显示的内容，你就能在链上创建这个证明。

So if you were trying to prove like, I don't know, that your bank statement says something on a website that you would be able to create a proof that you'd write on chain.

我可能完全说错了。

I'm probably totally butchering it.

确实应该让这些团队的专业人士来解释会更准确。

And really one of these teams should say it better.

我是说，另一个例子是ZK电子邮件，这个我理解得更清楚些，就是实际采用电子邮件格式的场景。

I mean, another one would be, and this one I understand a little bit better would be like ZK email, which is where you're actually taking the format of an email.

比如说在邮件里，最好的例子就是Venmo发送给你的余额通知或转账到账通知。

So say in an email, you're I mean, the best example here is like Venmo sends you your balance or something that has just been transferred to you.

你可以针对那个金额、那个邮件模板创建一个证明，然后将其写入区块链。

You could create a proof about that amount, about that email template that you could then write on chain.

本质上你获得了关于邮件签名的证明，这确保了邮件的真实性。

And you have a proof about a signature from it essentially that's giving you this authenticity of it.

对。

Yeah.

你几乎是从中创建了一个签名。

You create a signature out of it almost.

就像，这只是一封普通邮件。

Like, it's just an email.

就是纯文本的电子邮件。

It's like just a plain text email.

我的意思是，唯一需要挑剔或者说最大的挑战在于，你知道，用TLS做这个并不简单，你不能简单地对你看到的内容做零知识证明，因为TLS存在这种可否认性问题，比如它是Diffie-Hellman密钥。

I mean, the only nitpick or or, I think the biggest just challenge of why, you know, it's not trivial to do this with TLS, you can't just, like, make a zero knowledge proof about what you saw is that there's this deniability issue with TLS where, like, it's a Diffie Hellman key.

所以，如果你是会話中的一方，你可以假装代表另一方在会话中发送消息。

So, like, you once if you're one of the parties in the session, can pretend you're making messages on behalf of the other party as a session.

仅仅因为我制作了一个关于我在TLS会话中看到内容的证明，我也可以伪造一个我看到内容的假证明，因为我拥有与服务器相同的密钥来制作这个证明。

So just because I make a proof of what I saw on a TLS session, I could also make a fake proof of what I saw because I have the same key that the server had to make that.

所以你必须绕过这个问题，这就是为什么这些系统要更复杂一些。

So you just have to work around this and this is why these systems are a little more complex.

要么中间有个中继，比如代理，你知道，在中间，或者像Deco项目，我猜是另一个Arijoules。

There's either like a relay in between, like a a proxy, you know, in the middle or like the deco project, guess was another Arijoules.

嗯。

Mhmm.

我知道一点的那个项目，是它的秘密共享版本。

One that I know a bit that's like a secret shared version of that.

这就是你必须解决的技术难题。

So that's the technical problem that you have to get around.

你可以通过这几种方式解决，比如在中间设置一个代理来读取TLS会话，它拥有少量密钥并证明自己没有滥用，这样你仍能看到TLS会话输出但无法获得用于伪造的密钥。

You can get around, you know, one of these handful of ways and having a proxy in the middle reading the TLS session that it has the little key and it proves that it's not doing that and you get to still see the output of the TLS session but you don't have that key that would make it, you know, possible to spoof.

这就是如何用TEE（可信执行环境）作为替代方案的方法。

That's how you go about using TEE as a substitute for that.

它可以作为替代方案，但最好能实现ZK（零知识证明）版本。

So it can be used as a substitute for it but do the ZK version, you know, if you can.

但对我来说最激动人心的是获得写入权限这个概念。

But to me, what's super exciting about this is that, that idea of having write access, right?

ZK TLS这些技术适用于登录和账户读取权限场景。

So ZK TLS and all of those are good for login and for read access to an account.

但真正能限制写入权限的——他们称之为'encumbrance'（权限限制）。

But being able to actually encumber the right access of either the it's called like encumbrance.

这也是后来Arijoule与他的学生Mahimna等人以及James Austen跟进研究的论文内容。

And this is also a later Arijoule's paper with Mahimna, other of his students and James Austen's worked on follow-up things of this.

比如委托机制总是涉及将会话放入TEE中。

Like delegatee is always about putting a session into a TEE.

现在你可以出售这个访问权限。

Now you can sell off this access to it.

你也可以对根账户设置使用权限制。

You can also do encumbrance of the root account.

就像你走忘记密码转移账户流程，但现在你把密码恢复到一个可信执行环境中。

It's like you go through the forgot password transfer account flow, but now you recover your password into a TEE.

所以现在你没有账户密码，只有可信执行环境拥有密码。

So now you don't have the password to the account, only the TEE has a password to it.

它附带各种限制条件，比如在什么情况下允许写入操作，同时还能继续遵循区块链上的规则执行。

And it comes with whatever are its constraints on, you know, under what conditions it's allowed to write or on and then it can still be following on, you know, a thing from the blockchain to do it.

我们现在做了这个演示。

We made this demo now.

我说'我们'，但这主要是Flashbots的Xinyuan和以太坊基金会受助人Ryan MacArthur的成果。

I say we, but this is especially Xinyuan from Flashbots and, Ryan MacArthur, who's an Ethereum foundation grantee.

他们开发了这个Twitter使用权限制应用，更准确地说应该叫Twitter委托应用——Teleport。

They made this Twitter encumbrance app or Twitter delegation app, is better precisely called, Teleport.

最佳方案。

Best.

基本上就是将正确的会话授权放入可信执行环境中。

And it basically is you put a right session authorized into the TEE.

但可信执行环境比Twitter认证更严格的地方在于，它只允许你发布一次。

But what the TEE enforces more narrow than what Twitter auth says is that you only get to post once.

就像你创建一个一次性链接，让任何获得该链接的人可以从你的Twitter账户发帖，但仅限一次。

So it's like you make a one time use link that lets anyone you give the link to post from your Twitter account but just once.

我认为你还可以给它附加一个大型语言模型过滤器作为净化器。

And I think you attach an LLM filter to it as well as like a little sanitizer.

对于Twitter认证来说，它只有读取权限或读写权限。

So to the Twitter auth, all Twitter auth has is read access or read write access.

是的。

Yeah.

但仅有读取权限不够，而无限期的读写权限又过于强大。

But like reads not enough and read write indefinitely is way too strong.

太过分了。

Too much.

是啊。

Yeah.

所以读写任何内容、删除帖子、取消关注、更改个人资料照片。

So read write anything, delete posts, unfollow people, change your profile photo.

因此是TEE在声明，你把它当作Twitter授权使用——就Twitter而言，你过度分享了，但它强制要求只能遵守每次策略仅限一次性使用的政策。

So it's the TEE that's saying you're giving it as Twitter, as far as Twitter's concerned, you're oversharing, but it is enforcing that it's only going to stick to the policy of, you know, one time use per policy only.

我明白你的意思了。

I see what you're saying though.

确实，在我见过的所有ZK TLS方案中，都是只读的。

It's true that in all of the ZK TLS stuff that I've seen, it's read.

你读取数据然后在链上进行处理。

You it's read and then you do something with it on chain.

但你的意思是实际上是将访问权限委托给了TEE。

But what you're saying is you're actually well, you're delegating the access to the TEE.

嗯。

Mhmm.

然后它可以在可编程的限制下执行操作。

And then it can do stuff with limitations that's programmable.

确实如此。

Exactly.

是的。

Yeah.

超越了应用程序本身。

Beyond the application itself.

这真的很有趣。

That's really interesting.

你总是可以通过超额抵押来解决第一个问题，对吧？

And you can always sort of web three your way around the first problem through over collateralization, right?

就像如果你只有这个读取预言机，但你想说，我承诺我会按照区块链合约的指示发送任何邮件信息。

Like if all you have is this read oracle, but you wanna say like, I promise I will, you know, send whatever message through my email that the blockchain contract tells me to do.

你总是可以设置惩罚机制，比如我必须向合约展示我的ZK TLS证明，证明我确实发送了承诺的邮件，否则就会受到惩罚。

You You could always set up slashing, like I have to show my ZK TLS proof to the contract that I did send the email that I said I would, and if I don't, it slashes me.

唯一的缺点就是这种方式使用超额抵押带来的复杂性和成本问题。

The only drawback there is just the complexity and cost of, you know, using over collateralization that way.

所以是的，这就像是另一种替代方案。

So yeah, this is like an alternative to that.

这就像是对正确访问的一种主动保证。

It's like a proactive guarantee over right access.

我其实完全没想过这一点。

I hadn't actually thought about that at all.

所以这对我来说是个新概念。

So this is a new concept for me.

其实我们之前讨论过一些，我认为当你从这个角度思考MEV时——即你只需要短期隐私保护。

You know, we we actually have talked a little bit about, I think when you think about MEV from this kind of lens of, hey, you only need privacy in a short term sense.

要知道，DeFi的其他部分和链上交易确实需要更长期的隐私保护。

You know, other parts of DeFi and kind of transactions on chain do need longer term privacy.

我去听了这个讲座，说实话我完全没听懂，因为我确实觉得这些点对点信用网络很难理解谁会真正使用它们。

And I went to this talk, which I admittedly really didn't understand because I do find these peer to peer credit networks very hard to understand who would use personally.

不过，我想我听到了‘液化’这个概念，所以或许理解这是什么以及如何思考会很有帮助。

But, like, I I think I heard this concept of liquefaction, so maybe it would be great to kind of understand what that is and how to think about that.

让我从委托和担保的角度来解释液化这个概念。

Let me explain liquefaction in terms of how it relates to this delegation and encumbrance story.

首先，存在一些理由会让你想要阻止这种委托行为。

First of all, there's reasons you would want to discourage this delegation.

这是个有点争议的话题，因为它在某种程度上改变了授权规则，超出了原始账户提供者已有的权限范围。

It's a little bit of a controversial topic, you know, even what to do because it somehow is, you know, changing the rules of authorization, you know, beyond what the original account provider is already providing.

在很多情况下你不想支持这种分割行为，比如在投票购买场景中，你肯定不希望二级市场出现在你的投票购买能力上。

There's many cases where you would like not to support this kind of fractionalizing, like vote buying is a place where you don't want a secondary market popping up on, you know, into your your vote buying ability.

所以液化就是指采用类似灵魂绑定代币的方式，仅基于外部账户（EOA）的做法。

So liquefaction is the name for taking like, you know, soulbound token approach that's just based on EOA accounts.

我特意说明这点是因为灵魂绑定还包含社交恢复的概念。

I'm making this distinction because soulbound also has like the social recovery notion.