Introducing SP1-2FA: Adding a Second Layer of Security to zkVMs with TEEs

Introducing SP1-2FA: Adding a Second Layer of Security to zkVMs with TEEs

Today, we’re announcing SP1-2FA, the newest feature on the Succinct Prover Network that adds a second layer of protection to SP1 through Trusted Execution Environments (TEEs). This advancement furthers our vision for building the best zkVM for developers, building on the recent performance improvements from SP1 Turbo and the ease of using the Succinct Prover Network's proving infrastructure.

SP1-2FA represents our continued commitment to strengthening SP1's security through multiple complementary approaches. This new feature builds on our existing security investments in SP1, including rigorous third-party audits and reviews from security experts, giving developers an additional safeguard they can enable in production with just a single line of code. Looking ahead, we're also advancing our formal verification initiatives to provide mathematical guarantees of SP1's security properties, creating a comprehensive security strategy that combines practical safeguards with theoretical correctness.

How SP1-2FA Works

SP1-2FA creates a two-factor authentication system for your applications built on SP1 by using two separate verification methods:

  • Zero-Knowledge Proofs: The SP1 RISC-V zkVM process generates cryptographic proofs that your program ran correctly on the given input. These proofs are secured by rigorous audits, open source code reviews, and innovations in the underlying cryptography.
  • TEE Attestations: As a second layer of security, your program runs in a secure hardware environment that provides a hardware-level security guarantee that the execution wasn’t tampered with.

The system checks that both methods produce identical results before accepting a proof, giving you protection even if vulnerabilities are found in either system. Developers can enable this feature with just a single line of code when using the Succinct Prover Network.

Security Architecture

Under the hood, SP1-2FA leverages AWS Nitro enclaves to provide a secure hardware environment for running your SP1 application. When you enable SP1-2FA, the enclave executes your program in SP1's "execution mode": our internal RISC-V emulator implementation modified to be compatible with our precompiles.

This architecture combines two powerful security measures, significantly raising the security of SP1 for production deployments by requiring attackers to compromise both systems simultaneously. The result is strong real-world security delivered through a simple experience for developers.

It's important to note that SP1-2FA protects against vulnerabilities in the proof system, not bugs in your code. Application bugs must still be addressed through testing and auditing.

Integrate with 1 Line of Code

Adding SP1-2FA to your application requires just adding a single line of code to your existing requests to the Succinct Prover Network:

For onchain verification, simply use the new set of SP1VerifierGateway contracts that now support both standard proofs and TEE-verified proofs. No additional configuration needed.

More information is available in our documentation.

Availability

SP1-2FA is now available on the Succinct Prover Network in private beta, with a security audit provided by Zenith. Please reach out via our partner form or through existing channels such as Telegram to explore enabling SP1-2FA for your application.

Conclusion

SP1-2FA establishes a new industry standard for zkVM security by combining the security of zero-knowledge proofs with Trusted Execution Environments (TEEs). This dual approach creates a robust system for production environments while keeping implementation remarkably simple for SP1 developers. Stay tuned for more updates on our formal verification efforts and continued investment into security audits.

Read more