Rollback protection with ephemeral identities for tee-based consensus protocols

The invention claimed is: 1 . A rollback protection method for preventing message equivocation in a consensus system, wherein the consensus system comprises a number of distributed computational nodes connected by a data communication network and configured to run a trusted execution environment (TEE)-based consensus protocol, the method comprising: executing, within a TEE of a first node of the number of distributed computational nodes, a trusted component instance, wherein the trusted component instance comprises volatile protected memory with protected data stored therein and a protected piece of code implementing at least a part of a consensus algorithm; generating, by the trusted component instance, identity data comprising a unique ephemeral identity, and storing the identity data in the volatile protected memory of the trusted component instance; certifying, by the trusted component instance, a message of the consensus algorithm, wherein a certified consensus algorithm message is generated by cryptographically binding at least parts of the consensus algorithm message to the unique ephemeral identity of the trusted component instance and at least parts of the protected data of the trusted component instance; retrieving, by the first node, the unique ephemeral identity from the trusted component instance; and sending, by the first node, the retrieved unique ephemeral identity to each of the remaining nodes of the number of distributed computational nodes, wherein each of the remaining nodes is configured to forward the retrieved unique ephemeral identity received from the first node to each of the other remaining nodes such that the retrieved unique ephemeral identity is acceptable by one of the remaining nodes based on the unique ephemeral identities forwarded from each of the other remaining nodes matching according to the consensus protocol. 2 . The method according to claim 1 , further comprising: accepting, by the one of the remaining nodes, the retrieved unique ephemeral identity upon reception of the unique ephemeral identities forwarded from each of the other remaining nodes of the number of distributed computer nodes that are all determined to be matching according to the consensus protocol; and verifying, by the one of the remaining nodes, the certified consensus algorithm message received from the first node against the accepted unique ephemeral identity. 3 . The method according to claim 1 , further comprising: creating and initializing, during a node restart of the first node, a new instance of the trusted component; and retrieving, by the restarted first node, a new unique ephemeral identity from the volatile protected memory of the trusted component instance, and submitting the new unique ephemeral identity as a proposal of the consensus algorithm to each of the remaining nodes such that the new unique ephemeral identity is acceptable by each of the remaining nodes once consensus on the submitted proposal is reached. 4 . The method according to claim 1 , wherein the network is a blockchain network. 5 . A node in a network configured to run a consensus algorithm to reach consensus with a number of other nodes connected by the network the node comprising one or more processors which, alone or in combination, are configured to: execute, within a trusted execution environment (TEE) of the node, a trusted component instance, wherein the trusted component instance comprises volatile protected memory with protected data stored therein and a protected piece of code implementing at least a part of the consensus algorithm; generate, by the trusted component instance, identity data comprising a unique ephemeral identity and storing the identity data in the volatile protected memory of the trusted component instance; certify, by the trusted component instance, a message of the consensus algorithm, wherein a certified consensus algorithm message is generated by cryptographically binding at least parts of the consensus algorithm message to the unique ephemeral identity of the trusted component instance and at least parts of the protected data of the trusted component instance; retrieving, by the first node, the unique ephemeral identity from the trusted component instance; and sending, by the first node, the retrieved unique ephemeral identity to each of the remaining nodes of the number of distributed computational nodes, wherein each of the remaining nodes is configured to forward the retrieved unique ephemeral identity received from the first node to each of the other remaining nodes such that the retrieved unique ephemeral identity is acceptable by one of the remaining nodes based on the unique ephemeral identities forwarded from each of the other remaining nodes matching according to the consensus protocol. 6 . The node according to claim 5 , wherein the trusted component instance is configured to randomly generate the unique ephemeral identity as a binary numeral value. 7 . The node according to claim 5 , wherein the trusted component instance is configured to generate the identity data as a new cryptographic key pair, wherein the public key represents the unique ephemeral identity of the trusted component instance, and wherein the secret key is used by the trusted component instance to produce a digital signature over at least parts of the certified consensus algorithm message. 8 . The node according to claim 5 , further configured to execute MinBFT as a consensus protocol, wherein the node is further configured to: maintain a counter value in the trusted component instance's volatile protected memory; and increment the counter value and include the incremented counter value in a signed payload of the digital signature produced when certifying the binding of the certified consensus algorithm message with the unique ephemeral identity of the trusted component instance. 9 . The node according to claim 5 , further configured to execute FastBFT as a consensus protocol, wherein the node is further configured to: maintain a pair of counter value and view number value in the trusted component instance's volatile protected memory; increment the counter value and to include the pair of incremented counter value and view number value in a signed payload of the digital signature produced when certifying the binding of the certified consensus algorithm message with the unique ephemeral identity of the trusted component instance; and reset the counter value to an initial value on each increment of the view number value. 10 . The node according to claim 5 , further configured to perform, during a restart of the node, the following steps: create and initialize a new instance of the trusted component; retrieve a new unique ephemeral identity generated by the trusted component instance; and submit the new unique ephemeral identity as a proposal of the consensus algorithm to each of the remaining nodes. 11 . The node according to claim 5 , wherein the TEE is provided by a dedicated hardware device, as a CPU feature, as OS kernel, by virtualization technology, or by application software. 12 . The node according to claim 5 , further configured to utilize Intel SGX as the TEE to execute the trusted component of the consensus algorithm, wherein an Intel SGX enclave represents the trusted component instance. 13 . A consensus system with a rollback protection mechanism for preventing message equivocation, the system comprising a number of distributed computational nodes connected by a data communication network, each of the computational nodes being configured according to claim 5 .