How Trusted Execution Environments are Shaping Data Security and Privacy Computing

The article examines the rapid growth of China's digital economy, the rising demand for secure data circulation, and how Trusted Execution Environments (TEE) are evolving through hardware and software advances, interoperability efforts, and large‑model privacy solutions to address emerging security challenges.

AsiaInfo Technology: New Tech Exploration

Background and Motivation

Rapid growth of China’s digital economy has increased the volume of data containing sensitive personal and business information. Privacy risks such as misuse, leakage, and reverse inference have driven the need for verifiable, controllable, and high‑efficiency privacy‑computing solutions.

Trusted Execution Environment (TEE)

A TEE is a hardware‑backed isolated execution area on a device that runs code and processes data independently of an untrusted operating system, guaranteeing confidentiality and integrity of the workload.

Hardware and Software Landscape

Hardware vendors: HaiGuang, Zhaoxin, FeiTeng, KunPeng and others embed TEE capabilities in CPUs, SoCs, and accelerators.

Software stack (three layers):

TEE SDKs – e.g., Intel SGX SDK, Open Enclave SDK

TEE OS – e.g., Occlum

TEE cluster / orchestration – e.g., KueTEE

Interoperability of Heterogeneous TEEs

To lower integration cost across organizations, a unified remote‑attestation workflow and a standardized attestation‑report format are defined. The workflow includes:

Generation of a TEE‑specific quote by the enclave.

Encapsulation of the quote into a common JSON‑based report.

Verification by a remote attestation service that abstracts vendor‑specific details.
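
The three steps above, as an added example that is not code from the article or from any TEE vendor. The report fields (`version`, `tee_type`, `nonce`, `quote`), the function names, and the quote layouts are hypothetical, and an HMAC under a per-vendor demo key stands in for the vendor's real signature chain.

```python
import base64, hashlib, hmac, json

# Constructed stand-in: real quotes are signed under vendor certificate chains;
# here each hypothetical vendor "root" is an HMAC key so the example runs offline.
VENDOR_KEYS = {"sgx": b"demo-sgx-root", "sev": b"demo-sev-root"}

def _mac(tee, body):
    return hmac.new(VENDOR_KEYS[tee], body, hashlib.sha256).digest()

def make_quote(tee, measurement, report_data):
    """Step 1: TEE-specific quote; field order differs per vendor (constructed)."""
    body = measurement + report_data if tee == "sgx" else report_data + measurement
    return body + _mac(tee, body)

def wrap_report(tee, quote, nonce):
    """Step 2: encapsulate the opaque quote in a common JSON report."""
    return json.dumps({"version": 1, "tee_type": tee, "nonce": nonce,
                       "quote": base64.b64encode(quote).decode()})

def _parse_quote(tee, quote):
    """Vendor-specific part: check the signature, return (measurement, report_data)."""
    body, sig = quote[:-32], quote[-32:]
    if len(body) != 64 or not hmac.compare_digest(sig, _mac(tee, body)):
        raise ValueError("quote signature invalid")
    return (body[:32], body[32:]) if tee == "sgx" else (body[32:], body[:32])

def verify_report(report_json, nonce, allowed, enclave_pubkey):
    """Step 3: vendor-neutral verification; returns normalized claims or raises."""
    r = json.loads(report_json)
    tee = r.get("tee_type")
    if r.get("version") != 1 or tee not in VENDOR_KEYS:
        raise ValueError("unsupported report")
    if r.get("nonce") != nonce:
        raise ValueError("stale or replayed report")
    quote = base64.b64decode(r.get("quote", ""), validate=True)
    measurement, report_data = _parse_quote(tee, quote)
    if measurement.hex() not in allowed.get(tee, ()):
        raise ValueError("measurement not allowlisted")
    # The signed report_data must bind the nonce and the key the caller encrypts to;
    # the JSON envelope itself is unsigned and proves nothing on its own.
    want = hashlib.sha256(nonce.encode() + enclave_pubkey).digest()
    if not hmac.compare_digest(report_data, want):
        raise ValueError("enclave key not bound to quote")
    return {"tee_type": tee, "measurement": measurement.hex()}
```

The caller sees the same claims for either TEE type, and a report whose quote does not commit to the public key it is about to encrypt to is rejected even when the signature and measurement are valid.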

[Figure: TEE interoperability diagram]

TEE Technology Comparison

The three mature TEE implementations are:

Intel SGX – wide software ecosystem, but enclave entry/exit incurs performance overhead and requires code refactoring.

AMD SEV – encrypts entire VMs, strong isolation for virtualized workloads, but depends heavily on OS semantics.

ARM TrustZone – hardware‑level secure and non‑secure world separation, lower attack surface, and full compliance with China’s autonomous network security requirements.

[Figure: TEE technology comparison]

TEE‑Based Large‑Model Privacy Protection

A typical scenario involves three parties: model provider, data provider, and compute provider. The workflow is:

All parties perform remote attestation against a unified attestation service and obtain a signed enclave certificate.

Data provider encrypts raw data with a session key derived from the enclave’s public key and sends the ciphertext to the compute provider.

Model provider either sends the clear model (if the model is public) or encrypts the model parameters similarly.

Inside the enclave, data are decrypted, training or inference is executed, and intermediate results are kept inside the enclave.

After computation, the enclave securely erases raw data and returns only the encrypted model updates or inference results to the respective parties.

[Figure: TEE large-model privacy architecture]

Key Components of the Solution

Remote Attestation Instance Management Service – creates, migrates, and updates attestation instances for multiple users.

Standardized APIs & Protocols – define encrypted communication, identity authentication, and authorization to ensure only authorized entities can invoke enclave functions.

Inter‑TEE Data Format – a common schema for encrypted payloads, enabling seamless data exchange between heterogeneous TEEs.

Hybrid TEE/REE Execution – compute‑intensive operators (e.g., matrix multiplication) run on REE accelerators (GPU/FPGA) while sensitive data handling stays inside the TEE.

Algorithm Framework Support – TensorFlow, PyTorch, Caffe, PaLM, LLaMA, and other open/closed‑source model formats are accommodated.

Model Repository – stores model metadata (name, version, parameter size, I/O schema) and provides APIs for online or batch inference.

Data Engineering Pipeline – ingests structured and unstructured data, performs labeling, annotation, and preprocessing before feeding encrypted data to the enclave.

Training Workflow

Data and model owners obtain enclave certificates via remote attestation.

Data owners encrypt their datasets and send ciphertext to the training enclave.

Model owners optionally encrypt model parameters and transmit them.

The enclave decrypts inputs inside the secure boundary, runs training (optionally accelerated by REE GPUs), and produces encrypted model updates.

Encrypted updates are returned to the model owner, who can aggregate them with other participants.

[Figure: Model training process]

Inference Workflow

Model provider, data consumer, and inference service complete remote attestation.

Data consumer encrypts raw inference inputs and sends them to the enclave.

Enclave loads the model (plain or encrypted), performs inference, and returns encrypted results.

Results are decrypted by the data consumer outside the enclave.

[Figure: Inference process]

Future Evolution

Privacy computing will continue to mature through:

Multi‑technology fusion – combining TEE with secure multiparty computation, homomorphic encryption, and differential privacy to address diverse trust assumptions.

Performance optimization – leveraging distributed parallelism, model compression, and hardware accelerators (GPU, FPGA, dedicated crypto ASICs) to reduce enclave overhead.

Open, flexible integration – standardized interfaces enable seamless connection to big‑data pipelines, data warehouses, and AI model registries.

Cross‑domain synergy – embedding TEE‑based privacy computing in blockchain for auditability, edge computing for low‑latency scenarios, and 5G/6G networks for ubiquitous secure data services.

[Figure: Data engineering flow]