Microsoft is making a blockchain that’s fit for business

Confidentiality and good conduct

Using the TEE also gives businesses the privacy and confidentiality that’s currently hard to get from a blockchain. Take a supply chain that involves multiple suppliers and multiple retailers – the transparency of blockchain addresses problems of reconciliation and avoiding fraud, but you don’t want one retailer to see what orders another retailer is placing, or one supplier to see who is ordering from their competition and what price they’re paying.

“Some ledgers use zero knowledge proofs and side chains to try to provide some privacy and confidentiality, but those are extremely complicated and resource intensive. They often require some central authority as the root of trust, for example for cryptographic keys for zero knowledge proofs, and the models of interacting with chains are very cumbersome,” Russinovich pointed out.

With Coco, the TEE just enforces the rules in the constitution and the smart contracts, which includes data access rules to give you privacy and confidentiality. “If we’re in a consortium, we can agree rules that say if a transaction is marked as private only the parties involved can see the contents. That is simply an ACL just like it would be on a file in a folder, so you don't have to jump through cryptographic hoops. If you ask for a list of transactions in the blockchain, it just omits the ones you don't have access to.”

Trusting the other members of the consortium means you can vote on undoing problematic transactions instead of having to fork the blockchain the way you do today, if it turns out there was a mistake in the smart contract, say. “You can have a blockchain that’s much more resilient to mistakes,” Russinovich observed.

Managing the membership works the same way. He noted: “When I suggest a new member comes into the consortium, we vote by executing an admin transaction to the Coco network. The Coco network looks at the constitution and sees it says if a majority say yes, then the network allows the new member to join their own TEE into the network.”
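To make the access-rule and membership-vote model described above concrete, here is an added Python sketch, constructed for this article and not code from Coco or Microsoft: a plain class stands in for the enclave that enforces the constitution, the private flag plus party list on a transaction is the ACL, and the member names, the sample orders and the reading of "majority" as strictly more than half of current members are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    tx_id: int
    parties: frozenset      # consortium members involved in this transaction
    payload: str            # constructed sample contents
    private: bool = False   # private => only `parties` may see the contents


@dataclass
class ConsortiumLedger:
    """Stand-in for the enclave-enforced ledger; the TEE would do these checks."""
    members: set
    _chain: list = field(default_factory=list)

    def submit(self, sender: str, tx: Transaction) -> None:
        # Only current consortium members may write to the ledger.
        if sender not in self.members:
            raise PermissionError(f"{sender} is not a consortium member")
        self._chain.append(tx)

    def view(self, reader: str) -> list:
        # ACL enforcement: private transactions the reader is not party to
        # are omitted from the listing entirely, not returned redacted.
        if reader not in self.members:
            raise PermissionError(f"{reader} is not a consortium member")
        return [tx for tx in self._chain if not tx.private or reader in tx.parties]

    def vote_add_member(self, candidate: str, votes: dict) -> bool:
        # Admin transaction: the constitution (assumed here) admits the candidate
        # when strictly more than half of the current members vote yes.
        if set(votes) - self.members:
            raise PermissionError("only current members may vote")
        yes = sum(1 for approved in votes.values() if approved)
        admitted = yes * 2 > len(self.members)
        if admitted:
            self.members.add(candidate)
        return admitted


def outsider_blocked(ledger: ConsortiumLedger, who: str, tx: Transaction) -> bool:
    """Return True if the ledger refuses a write from `who`."""
    try:
        ledger.submit(who, tx)
    except PermissionError:
        return True
    return False
```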

Vault protection

Microsoft is working on another framework called Vault that will add extra protection. “We're doing research on ways to defend against malfeasance and compromise of the code running in the enclave,” Russinovich told us. Vault will let members of a consortium monitor what other members are doing and eject someone who’s behaving badly. “They can detect a member who is doing denial of service by not allowing transactions from particular members, or when a member is trying to fork the blockchain.”

Initially Coco works with the Intel Software Guard eXtensions (SGX), but Russinovich expects it to come to other secure enclaves like the Hyper-V-protected Virtual Secure Mode that already protects the logon process and domain credentials in Windows 10. He says: “There are going to be multiple levels of secure enclaves, and different enclaves will be suitable depending on the risk profile of the consortium.”

If you’re confident a partner isn’t going to hook up a logic analyzer to try and get secrets out of the hardware, you can still trust Hyper-V to protect the network even if that partner is attacked by hackers.

Coco won’t only work on Azure. When the open source Coco code is made available later in the year, you’ll be able to create blockchain networks using your own servers too, or another public cloud.

Russinovich describes himself as having been somewhat skeptical about blockchains but Coco has changed his mind by building on the hardware security of trusted execution environments. He notes: “We view it as the missing piece in the enterprise blockchain stack.”


Mary started her career at Future Publishing, saw the AOL meltdown first hand the first time around when she ran the AOL UK computing channel, and she's been a freelance tech writer for over a decade. She's used every version of Windows and Office released, and every smartphone too, but she's still looking for the perfect tablet. Yes, she really does have USB earrings.