feat: add proxy approach

Author: th4s

Cargo.lock

@@ -65,21 +65,21 @@ tlsn-sdk-core = { path = "crates/sdk-core" }
 tlsn-wasm = { path = "crates/wasm" }
 tlsn = { path = "crates/tlsn" }
 
-mpz-circuits = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-circuits-data = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-memory-core = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-common = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-core = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-vm-core = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-garble = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-garble-core = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-ole = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-ot = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-share-conversion = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-fields = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-zk = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-hash = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
-mpz-ideal-vm = { git = "https://github.com/privacy-ethereum/mpz", tag = "v0.1.0-alpha.5" }
+mpz-circuits = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-circuits-data = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-memory-core = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-common = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-core = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-vm-core = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-garble = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-garble-core = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-ole = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-ot = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-share-conversion = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-fields = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-zk = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-hash = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
+mpz-ideal-vm = { git = "https://github.com/privacy-ethereum/mpz", branch = "fix/zk-ot-alloc" }
 
 futures-plex = { git = "https://github.com/tlsnotary/tlsn-utils", rev = "dd419bf" }
 rangeset = { version = "0.4" }
@@ -140,7 +140,7 @@ regex = { version = "1.10" }
 ring = { version = "0.17" }
 rs_merkle = { git = "https://github.com/tlsnotary/rs-merkle.git", rev = "85f3e82" }
 rstest = { version = "0.17" }
-rustls = { version = "0.21" }
+rustls = { version = "0.23", default-features = false }
 rustls-pemfile = { version = "1.0" }
 rustls-webpki = { version = "0.103" }
 rustls-pki-types = { version = "1.12" }
@@ -152,6 +152,7 @@ sha2 = { version = "0.10" }
 signature = { version = "2.2" }
 thiserror = { version = "1.0" }
 tiny-keccak = { version = "2.0" }
+tls-parser = { version = "0.12" }
 tokio = { version = "1.38" }
 tokio-util = { version = "0.7" }
 toml = { version = "0.8" }

Cargo.toml

@@ -25,7 +25,9 @@ fixtures = [
 [dependencies]
 tlsn-data-fixtures = { workspace = true, optional = true }
 tlsn-tls-core = { workspace = true, features = ["serde"] }
+
 rangeset = { workspace = true, features = ["serde"] }
+mpz-memory-core = { workspace = true }
 
 aead = { workspace = true, features = ["alloc"], optional = true }
 aes-gcm = { workspace = true, optional = true }

crates/core/Cargo.toml

@@ -1,6 +1,7 @@
 //! TLS commitment configuration.
 
 pub mod mpc;
+pub mod proxy;
 
 use serde::{Deserialize, Serialize};
 
@@ -61,6 +62,8 @@ impl TlsCommitConfigBuilder {
 pub enum TlsCommitProtocolConfig {
     /// MPC-TLS configuration.
     Mpc(mpc::MpcTlsConfig),
+    /// Proxy-TLS configuration.
+    Proxy(proxy::ProxyTlsConfig),
 }
 
 impl From<mpc::MpcTlsConfig> for TlsCommitProtocolConfig {
@@ -69,6 +72,12 @@ impl From<mpc::MpcTlsConfig> for TlsCommitProtocolConfig {
     }
 }
 
+impl From<proxy::ProxyTlsConfig> for TlsCommitProtocolConfig {
+    fn from(config: proxy::ProxyTlsConfig) -> Self {
+        Self::Proxy(config)
+    }
+}
+
 /// TLS commitment request.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TlsCommitRequest {
@@ -82,6 +91,21 @@ impl TlsCommitRequest {
     }
 }
 
+/// Settings for the network environment.
+///
+/// Provides optimization options to adapt the protocol to different network
+/// situations.
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, Default)]
+pub enum NetworkSetting {
+    /// Reduces network round-trips at the expense of consuming more network
+    /// bandwidth.
+    Bandwidth,
+    /// Reduces network bandwidth utilization at the expense of more network
+    /// round-trips.
+    #[default]
+    Latency,
+}
+
 /// Error for [`TlsCommitConfig`].
 #[derive(Debug, thiserror::Error)]
 #[error(transparent)]

crates/core/src/config/tls_commit.rs

@@ -1,5 +1,6 @@
 //! MPC-TLS commitment protocol configuration.
 
+use crate::config::tls_commit::NetworkSetting;
 use serde::{Deserialize, Serialize};
 
 // Default is 32 bytes to decrypt the TLS protocol messages.
@@ -181,21 +182,6 @@ impl MpcTlsConfigBuilder {
     }
 }
 
-/// Settings for the network environment.
-///
-/// Provides optimization options to adapt the protocol to different network
-/// situations.
-#[derive(Debug, Clone, Copy, Serialize, Deserialize, Default)]
-pub enum NetworkSetting {
-    /// Reduces network round-trips at the expense of consuming more network
-    /// bandwidth.
-    Bandwidth,
-    /// Reduces network bandwidth utilization at the expense of more network
-    /// round-trips.
-    #[default]
-    Latency,
-}
-
 /// Error for [`MpcTlsConfig`].
 #[derive(Debug, thiserror::Error)]
 #[error(transparent)]

crates/core/src/config/tls_commit/mpc.rs

@@ -0,0 +1,102 @@
+//! Proxy-TLS commitment protocol configuration.
+
+use crate::{config::tls_commit::NetworkSetting, connection::DnsName};
+use serde::{Deserialize, Serialize};
+
+/// Proxy-TLS commitment protocol configuration.
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct ProxyTlsConfig {
+    /// Whether the `deferred decryption` feature is toggled on from the start
+    /// of the TLS connection.
+    defer_decryption_from_start: bool,
+    /// Network settings.
+    network: NetworkSetting,
+    /// The server name.
+    server_name: DnsName,
+}
+
+impl ProxyTlsConfig {
+    /// Creates a new builder.
+    pub fn builder() -> ProxyTlsConfigBuilder {
+        ProxyTlsConfigBuilder::default()
+    }
+
+    /// Returns whether the `deferred decryption` feature is toggled on from the
+    /// start of the TLS connection.
+    pub fn defer_decryption_from_start(&self) -> bool {
+        self.defer_decryption_from_start
+    }
+
+    /// Returns the network settings.
+    pub fn network(&self) -> NetworkSetting {
+        self.network
+    }
+
+    /// Returns the server name.
+    pub fn server_name(&self) -> &DnsName {
+        &self.server_name
+    }
+}
+
+/// Builder for [`ProxyTlsConfig`].
+#[derive(Debug, Default)]
+pub struct ProxyTlsConfigBuilder {
+    defer_decryption_from_start: Option<bool>,
+    network: Option<NetworkSetting>,
+    server_name: Option<DnsName>,
+}
+
+impl ProxyTlsConfigBuilder {
+    /// Sets whether the `deferred decryption` feature is toggled on from the
+    /// start of the connection.
+    pub fn defer_decryption_from_start(mut self, defer_decryption_from_start: bool) -> Self {
+        self.defer_decryption_from_start = Some(defer_decryption_from_start);
+        self
+    }
+
+    /// Sets the network settings.
+    pub fn network(mut self, network: NetworkSetting) -> Self {
+        self.network = Some(network);
+        self
+    }
+
+    /// Sets the server name.
+    pub fn server_name(mut self, server_name: DnsName) -> Self {
+        self.server_name = Some(server_name);
+        self
+    }
+
+    /// Builds the configuration.
+    pub fn build(self) -> Result<ProxyTlsConfig, ProxyTlsConfigError> {
+        let Self {
+            defer_decryption_from_start,
+            network,
+            server_name,
+        } = self;
+
+        let defer_decryption_from_start = defer_decryption_from_start.unwrap_or(true);
+        let network = network.unwrap_or_default();
+        let server_name = server_name.ok_or(ProxyTlsConfigError(ErrorRepr::MissingField {
+            name: "server_name",
+        }))?;
+
+        let config = ProxyTlsConfig {
+            defer_decryption_from_start,
+            network,
+            server_name,
+        };
+
+        Ok(config)
+    }
+}
+
+/// Error for [`ProxyTlsConfig`].
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct ProxyTlsConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+enum ErrorRepr {
+    #[error("missing field: {name}")]
+    MissingField { name: &'static str },
+}

crates/core/src/config/tls_commit/proxy.rs

@@ -2,12 +2,16 @@
 
 use serde::{Deserialize, Serialize};
 
-use crate::webpki::RootCertStore;
+use crate::{
+    config::tls_commit::{TlsCommitProtocolConfig, TlsCommitRequest},
+    webpki::RootCertStore,
+};
 
 /// Verifier configuration.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct VerifierConfig {
     root_store: RootCertStore,
+    mode: ConnectionMode,
 }
 
 impl VerifierConfig {
@@ -20,12 +24,18 @@ impl VerifierConfig {
     pub fn root_store(&self) -> &RootCertStore {
         &self.root_store
     }
+
+    /// Returns the accepted mode.
+    pub fn mode(&self) -> ConnectionMode {
+        self.mode
+    }
 }
 
 /// Builder for [`VerifierConfig`].
 #[derive(Debug, Default)]
 pub struct VerifierConfigBuilder {
     root_store: Option<RootCertStore>,
+    mode: ConnectionMode,
 }
 
 impl VerifierConfigBuilder {
@@ -35,12 +45,74 @@ impl VerifierConfigBuilder {
         self
     }
 
+    /// Uses multi-party computation for creating commitments.
+    pub fn mpc(mut self) -> Self {
+        self.mode = ConnectionMode::Mpc;
+        self
+    }
+
+    /// Uses proxy mode for creating commitments.
+    pub fn proxy(mut self) -> Self {
+        self.mode = ConnectionMode::Proxy;
+        self
+    }
+
+    /// Allows both modes for creating commitments.
+    pub fn universal(mut self) -> Self {
+        self.mode = ConnectionMode::Universal;
+        self
+    }
+
     /// Builds the configuration.
     pub fn build(self) -> Result<VerifierConfig, VerifierConfigError> {
         let root_store = self
             .root_store
             .ok_or(ErrorRepr::MissingField { name: "root_store" })?;
-        Ok(VerifierConfig { root_store })
+        let mode = self.mode;
+
+        Ok(VerifierConfig { root_store, mode })
+    }
+}
+
+/// The mode of operation the verifier accepts.
+///
+/// Sets how the TLS transcript commitments can be created.
+#[derive(Default, Debug, Clone, Copy, PartialEq, Serialize, Deserialize)]
+pub enum ConnectionMode {
+    /// Only accepts multi-party computation.
+    #[default]
+    Mpc,
+    /// Only accepts proxy mode.
+    Proxy,
+    /// Accepts both modes.
+    Universal,
+}
+
+impl ConnectionMode {
+    /// Checks if the verifier supports the mode of operation requested.
+    pub fn agrees_with(&self, request: &TlsCommitRequest) -> bool {
+        let config = request.protocol();
+
+        if matches!(self, Self::Universal) {
+            return true;
+        }
+        if matches!(self, Self::Mpc) && matches!(config, TlsCommitProtocolConfig::Mpc(_)) {
+            return true;
+        }
+        if matches!(self, Self::Proxy) && matches!(config, TlsCommitProtocolConfig::Proxy(_)) {
+            return true;
+        }
+        false
+    }
+}
+
+impl std::fmt::Display for ConnectionMode {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            ConnectionMode::Mpc => write!(f, "MPC mode"),
+            ConnectionMode::Proxy => write!(f, "Proxy mode"),
+            ConnectionMode::Universal => write!(f, "Universal mode"),
+        }
     }
 }
 

crates/core/src/config/verifier.rs

@@ -15,13 +15,30 @@ pub use rangeset;
 pub mod config;
 pub(crate) mod display;
 
+pub use mpz_memory_core::{binary::U8, Array};
+
 use serde::{Deserialize, Serialize};
 
 use crate::{
     connection::ServerName,
     transcript::{PartialTranscript, TranscriptCommitment, TranscriptSecret},
 };
 
+/// TLS session keys.
+#[derive(Debug, Clone)]
+pub struct SessionKeys {
+    /// Client write key.
+    pub client_write_key: Array<U8, 16>,
+    /// Client write IV.
+    pub client_write_iv: Array<U8, 4>,
+    /// Server write key.
+    pub server_write_key: Array<U8, 16>,
+    /// Server write IV.
+    pub server_write_iv: Array<U8, 4>,
+    /// Server write MAC key.
+    pub server_write_mac_key: Array<U8, 16>,
+}
+
 /// Prover output.
 #[derive(Serialize, Deserialize)]
 pub struct ProverOutput {