Skip to main content

Overview

A T3 Network (T3N) node, also referred to as a TEE node, is a participant in the T3N peer-to-peer network that runs inside a hardware-backed Trusted Execution Environment (TEE). The TEE provides confidential, tamper-resistant, and remotely attestable execution, ensuring that workloads run as intended and that data remains protected from node operators. Applications on T3N are packaged as TEE contracts. Each contract is executed by the node’s WASM runtime (Wasmtime) in a sandbox that limits it to a set of granted host functions, and the whole runtime executes inside the TEE. T3N nodes provide the runtime environment required to run these contracts, including:
  • Post-quantum encrypted communication channels
  • Authentication and attestation services
  • Consensus-backed storage (a distributed key-value store replicated across the cluster using the Raft consensus protocol and protected with Merkle-tree integrity proofs)
  • Host functions that allow TEE contracts to interact with external systems and network services
All communication with T3N nodes is end-to-end encrypted. Data can only be decrypted within attested TEEs through T3N’s threshold encryption mechanism, preventing node operators, infrastructure providers, and other unauthorized parties from accessing sensitive information.
The T3 Network currently utilizes Intel TDX (Trust Domain Extensions) to run Secure Encrypted Virtual Machines. Future versions will support other TEEs.

TEE Contract

A TEE contract is a WebAssembly (WASM) binary that executes within a WASM sandbox hosted by a T3N node. It enables developers to run application-specific logic on private data inside the TEE. TEE contracts are stored off-chain in content-addressable storage (CAS) and are not persisted directly on T3N nodes. Instead, the node registry maintains references to contract artifacts, allowing nodes to retrieve and execute the correct contract version on demand. A TEE contract is invoked only after the requested data has been securely decrypted within an attested TEE and all required authentication and authorization checks have been successfully completed.
TEE contract processing (Light mode)

Execution Flow

The execution flow within a T3N node ensures that data, code, and computation remain secure and isolated. The contract execution relies on two primary data sources: the parameters from the user’s request and the user’s private data fetched from the storage(i.e., CAS). For example, when a client requests the execution of a TEE contract on user data, the node orchestrates a secure process: decrypting the request, fetching and decrypting both the user’s data and the contract code, executing the logic within a sandbox, and returning an encrypted response. The sequence diagram below illustrates this lifecycle:

Steps

1

Request Initiation & Decryption

The client sends an encrypted execution request to a TEE Node. Inside the secure enclave, the TEE decrypts the request to identify the target TEE contract, function, and input parameters.
2

Data Retrieval

The TEE queries the Key-Value (KV) Store using a Decentralized Identifier (DID) to locate the user’s data. It retrieves a reference (CID) and fetches the encrypted data blob from external Content Addressable Storage (CAS).
3

Data Decryption

The TEE securely decrypts the user’s data using the cluster’s encryption key (CEK).
4

TEE Contract Retrieval

The TEE resolves the requested TEE contract’s location from the KV Store registry and fetches the corresponding TEE contract bytecode from CAS.
5

TEE Contract Execution

The TEE executes the TEE contract in an isolated sandbox, providing it with the decrypted user data and input data. Finally, the execution result is encrypted and returned to the client.