Most introductions to confidential computing describe a single enclave: a protected region that runs one piece of code and hides its memory from everything outside. Real deployments are messier. A service is many components, often on many machines, and if each runs in its own enclave then the security question shifts from “is this enclave protected?” to “how do these enclaves decide to trust one another?”

US10776503B2, “System of enclaves,” granted to Google LLC on September 15, 2020, takes on that composition problem. Classified under G06F 21/6218 and related data-protection classes, it describes enclaves as members of a system that establish trust relationships, not as isolated black boxes.

The interesting move in the claim is treating attestation and trust as a relationship between enclaves rather than a property of one. An enclave can attest — prove cryptographically what code it is running and that it sits behind genuine hardware — and a system of enclaves uses those attestations to decide which peers may exchange secrets and data. The architecture is about who may talk to whom, on what cryptographic evidence.

This is exactly the gap between the demo and the deployment. The demo shows one enclave keeping a key safe. The deployment has a front-end enclave, a processing enclave, and a storage enclave, possibly across data centers, that must hand encrypted data along a chain without any link being forced to trust the untrusted host in between. A “system of enclaves” names and claims the connective tissue.
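The trust decision described above, as an added example that is not taken from the patent or from Asylo: a sending enclave checks a peer's attestation evidence and the system's trust policy before releasing data. The role names follow the three-enclave chain in the text; the HMAC key standing in for a hardware-rooted signature, the component binaries, and all function names are constructed assumptions.

```python
import hashlib, hmac, os

# Constructed stand-in for the hardware root of trust. Real TEEs sign quotes
# with an asymmetric key chained to the vendor; HMAC keeps this example offline.
HW_KEY = b"constructed-demo-hardware-key"

def measure(code: bytes) -> str:
    """Code identity: a hash of what the enclave is running."""
    return hashlib.sha256(code).hexdigest()

def _sign(measurement: str, nonce: bytes, hw_key: bytes) -> str:
    return hmac.new(hw_key, measurement.encode() + nonce, hashlib.sha256).hexdigest()

def quote(code: bytes, nonce: bytes, hw_key: bytes = HW_KEY) -> dict:
    """Evidence a peer presents: its measurement bound to the verifier's nonce."""
    m = measure(code)
    return {"measurement": m, "nonce": nonce, "sig": _sign(m, nonce, hw_key)}

# Constructed component binaries for the three-enclave chain in the text.
CODE = {"frontend": b"frontend-v1", "processing": b"processing-v1",
        "storage": b"storage-v1"}
EXPECTED = {role: measure(code) for role, code in CODE.items()}
# Trust policy as directed edges: which role may hand data to which.
MAY_SEND = {("frontend", "processing"), ("processing", "storage")}

def verify_peer(sender: str, peer: str, evidence: dict, nonce: bytes,
                hw_key: bytes = HW_KEY) -> tuple:
    """Return (ok, reason). The sender releases data only when ok is True."""
    if (sender, peer) not in MAY_SEND:
        return False, "policy: no trust edge"
    good_sig = _sign(evidence["measurement"], evidence["nonce"], hw_key)
    if not hmac.compare_digest(good_sig, evidence["sig"]):
        return False, "signature: not from genuine hardware"
    if not hmac.compare_digest(evidence["nonce"], nonce):
        return False, "freshness: stale or replayed evidence"
    if evidence["measurement"] != EXPECTED[peer]:
        return False, "measurement: unexpected code"
    return True, "ok"

if __name__ == "__main__":
    nonce = os.urandom(16)  # fresh challenge chosen by the sending enclave
    evidence = quote(CODE["processing"], nonce)
    print(verify_peer("frontend", "processing", evidence, nonce))
```

The untrusted host can relay or replay evidence but cannot make any of the four checks pass for code the policy does not expect, which is why no link in the chain has to trust it.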

The usual caveats hold. This is a granted patent (B2), not an application, so the claim survived examination; and it is a method and architecture, not a product announcement. Google's Asylo open-source enclave framework is the obvious context, but the patent stands as a description of how to compose trusted execution environments.

For the IP-strategy reader, the signal is that the major cloud providers were, by 2020, patenting not just the enclave primitive but the orchestration around it. Owning the composition layer — attestation, inter-enclave trust, data sealing across enclaves — is arguably more strategically durable than owning any single enclave mechanism.