Modules Overview

ic/managed/verifier

  • Purpose: The Verity Verifier canister is responsible for verifying TLS proofs, performing pre-computations for the ZK VDPE, and producing proofs of computation for external verification.
  • Usage:
    • Verification: Verifies TLS proofs via inter-canister calls or external system updates.
    • Pre-computation: Prepares computations for the ZK VDPE.
    • Proof Production: Generates proofs for verification in systems like a zkVM.
    • Security Protocol: Orchestrates a protocol to ensure the security and integrity of Verity Notary network nodes.

rs/verity-client

  • Purpose: A Rust SDK for interfacing with a Verity Prover.
  • Usage: Used in the host application to generate TLS attestations and interact with the Verity Prover.

    • Code Reference:

      use verity_client::client::{VerityClient, VerityClientConfig};
use verity_verify_remote::{
    config::Config,
    ic::{Verifier, DEFAULT_IC_GATEWAY_LOCAL},
};
use verity_verify_tls::verify_proof;
// use verity_dp_zk_host::generate_groth16_proof;

pub const DEFAULT_PROVER_URL: &str = "http://127.0.0.1:8080";
pub const DEFAULT_VERITY_VERIFIER_ID: &str = "bkyz2-fmaaa-aaaaa-qaaaq-cai";

/// The input parameters for the zk_circuit
///
/// Contains the details needed for proof verification
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct ZkInputParam {
    /// Session header information
    pub tls_proof: String,
    /// Proof of substrings
    pub remote_verifier_proof: String,
    /// Remote verifier's ECDSA public key
    pub remote_verifier_public_key: String,
}

#[derive(Deserialize, Serialize, Debug, Clone)]
pub struct RemoteVerificationProof {
    pub results: Vec<String>,
    pub root: String,
    pub signature: String,
}

#[tokio::main()]
async fn main() -> anyhow::Result<()> {
    env::set_var("RISC0_DEV_MODE", "1"); // Included to ensure the zkVM prover is fast for demo purposes.

    // Initialize tracing. In order to view logs, run `RUST_LOG=info cargo run`
    tracing_subscriber::fmt()
        .with_env_filter(tracing_subscriber::filter::EnvFilter::from_default_env())
        .init();

    // Entry point of the program
    println!("Hello Verity zkTLS Demo!");

    // -------------------- // THE PLAN // ------------------------
    // Generate a TLS attestation using Verity Client
    // Pepare the TLS proof for the guest
    // Call the zkVM guest for zkSNARK
    // Verify the SNARK
    // -------------------- // THE PLAN // ------------------------

    println!("Proving a GET request using VerityClient...");

    let config = VerityClientConfig {
        prover_url: String::from(DEFAULT_PROVER_URL),
    };

    let client = VerityClient::new(config);

rs/verify-remote

  • Purpose: Sends TLS proofs/attestations to the IC for partial or full verification.
  • Usage:

    • Partial Verification: Used when leveraging the zkVM to maintain high performance by partially verifying proofs.

    • Full Verification: Used when the data processed is public.

    • Code Reference:

      let rv_identity_path = "fixtures/identity.pem";
let rv_id = DEFAULT_VERITY_VERIFIER_ID.to_string();
let rv_config = Config::new(
    DEFAULT_IC_GATEWAY_LOCAL.to_string(),
    rv_identity_path.to_string(),
    rv_id,
);

// 2. Create verifier from a config file
let remote_verifier = Verifier::from_config(&rv_config).await.unwrap();

// 3. Extract our the public/private sub-proofs
let proof_value: serde_json::Value = serde_json::from_str(&response.proof).unwrap();
let session = proof_value["session"].to_string();

// 4. Verify a proof and get the response
let verified_by_remote = remote_verifier
    .verify_proof(
        // You can verify multiple proofs at once
        vec![session],
        notary_pub_key,
    )
    .await
    .unwrap();

// Assuming `verified_by_remote` is of type `VerifierResponse` and has a field `results`
// which is a vector of some type that has a method `get_content()`.
let leaves: Vec<String> = verified_by_remote
    .results
    .iter()
    .map(|proof_response| proof_response.get_content())
    .collect();

rs/verify-local

  • Purpose: Performs TLS proof verification by combining remote proof of computation verification with private facets of the TLS proof.
  • Usage: Primarily used in the zkVM guest environment to verify TLS proofs.

    • Code Reference:

      use verity_verify_local::{self, ecdsa::validate_ecdsa_signature, merkle::validate_merkle_tree};
use verity_verify_tls::verify_proof;

/// The input parameters for the zk_circuit
///
/// Contains the details needed for proof verification
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct ZkInputParam {
    /// Session header information
    pub tls_proof: String,
    /// Proof of substrings
    pub remote_verifier_proof: String,
    /// Remote verifier's ECDSA public key
    pub remote_verifier_public_key: String,
}

#[derive(Deserialize, Debug, Clone)]
pub struct RemoteVerificationProof {
    pub results: Vec<String>,
    pub root: String,
    pub signature: String,
}

fn main() {
    // Read the input data for this application.
    let input_bytes: Vec<u8> = env::read();

    let params: String = String::from_utf8(input_bytes).unwrap();
    let params: ZkInputParam = serde_json::from_str(params.as_str()).unwrap();

    // Verify the Tls proof -- partially.
    let (recv, sent) = verify_proof(&params.tls_proof).unwrap();

    // Verify the remote verifier's verification of the other part.
    let remote_verification_proof: RemoteVerificationProof =
        serde_json::from_str(params.remote_verifier_proof.as_str()).unwrap();

    // Verify the signature and the Merkle tree root
    let root_hash = &remote_verification_proof.root;
    let is_signature_valid = validate_ecdsa_signature(
        &remote_verification_proof.signature,
        root_hash,
        &params.remote_verifier_public_key,
    )
    .unwrap();
    let is_merkle_valid = validate_merkle_tree(&remote_verification_proof.results, root_hash);

    // Return the verification result
    assert!(is_signature_valid && is_merkle_valid);

    // write public output to the journal
    env::commit(&recv);
    env::commit(&sent);
}

rs/verity-tls

  • Purpose: Abstracts the verification of TLS proofs produced by the Verity Network.
  • Usage: Utilised in both the host and guest environments to verify TLS proofs.
    • Code Reference: 
      // Totally optional to verify proof on host too.
// For the sake of this demo, we'll verify the proof on the host to ensure both the zkVM and host agree to the verification.
let verified_by_host: (String, String) =
    verify_proof(&response.proof, &notary_pub_key).unwrap();

zk

  • Purpose: Provides utilities and tests supporting zkVM usage.
  • Usage: Supports the zkVM environment by providing necessary utilities for proof generation and verification.

Conclusion

The Verity DP framework provides a comprehensive set of modules that facilitate the generation and verification of zkTLS proofs. Each module plays a crucial role in ensuring the integrity and privacy of data processed within the Verity platform.

Modules Overview

ic/managed/verifier

  • Purpose: The Verity Verifier canister is responsible for verifying TLS proofs, performing pre-computations for the ZK VDPE, and producing proofs of computation for external verification.
  • Usage:
    • Verification: Verifies TLS proofs via inter-canister calls or external system updates.
    • Pre-computation: Prepares computations for the ZK VDPE.
    • Proof Production: Generates proofs for verification in systems like a zkVM.
    • Security Protocol: Orchestrates a protocol to ensure the security and integrity of Verity Notary network nodes.

rs/verity-client

  • Purpose: A Rust SDK for interfacing with a Verity Prover.
  • Usage: Used in the host application to generate TLS attestations and interact with the Verity Prover.

    • Code Reference:

      use verity_client::client::{VerityClient, VerityClientConfig};
use verity_verify_remote::{
    config::Config,
    ic::{Verifier, DEFAULT_IC_GATEWAY_LOCAL},
};
use verity_verify_tls::verify_proof;
// use verity_dp_zk_host::generate_groth16_proof;

pub const DEFAULT_PROVER_URL: &str = "http://127.0.0.1:8080";
pub const DEFAULT_VERITY_VERIFIER_ID: &str = "bkyz2-fmaaa-aaaaa-qaaaq-cai";

/// The input parameters for the zk_circuit
///
/// Contains the details needed for proof verification
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct ZkInputParam {
    /// Session header information
    pub tls_proof: String,
    /// Proof of substrings
    pub remote_verifier_proof: String,
    /// Remote verifier's ECDSA public key
    pub remote_verifier_public_key: String,
}

#[derive(Deserialize, Serialize, Debug, Clone)]
pub struct RemoteVerificationProof {
    pub results: Vec<String>,
    pub root: String,
    pub signature: String,
}

#[tokio::main()]
async fn main() -> anyhow::Result<()> {
    env::set_var("RISC0_DEV_MODE", "1"); // Included to ensure the zkVM prover is fast for demo purposes.

    // Initialize tracing. In order to view logs, run `RUST_LOG=info cargo run`
    tracing_subscriber::fmt()
        .with_env_filter(tracing_subscriber::filter::EnvFilter::from_default_env())
        .init();

    // Entry point of the program
    println!("Hello Verity zkTLS Demo!");

    // -------------------- // THE PLAN // ------------------------
    // Generate a TLS attestation using Verity Client
    // Pepare the TLS proof for the guest
    // Call the zkVM guest for zkSNARK
    // Verify the SNARK
    // -------------------- // THE PLAN // ------------------------

    println!("Proving a GET request using VerityClient...");

    let config = VerityClientConfig {
        prover_url: String::from(DEFAULT_PROVER_URL),
    };

    let client = VerityClient::new(config);

rs/verify-remote

  • Purpose: Sends TLS proofs/attestations to the IC for partial or full verification.
  • Usage:

    • Partial Verification: Used when leveraging the zkVM to maintain high performance by partially verifying proofs.

    • Full Verification: Used when the data processed is public.

    • Code Reference:

      let rv_identity_path = "fixtures/identity.pem";
let rv_id = DEFAULT_VERITY_VERIFIER_ID.to_string();
let rv_config = Config::new(
    DEFAULT_IC_GATEWAY_LOCAL.to_string(),
    rv_identity_path.to_string(),
    rv_id,
);

// 2. Create verifier from a config file
let remote_verifier = Verifier::from_config(&rv_config).await.unwrap();

// 3. Extract our the public/private sub-proofs
let proof_value: serde_json::Value = serde_json::from_str(&response.proof).unwrap();
let session = proof_value["session"].to_string();

// 4. Verify a proof and get the response
let verified_by_remote = remote_verifier
    .verify_proof(
        // You can verify multiple proofs at once
        vec![session],
        notary_pub_key,
    )
    .await
    .unwrap();

// Assuming `verified_by_remote` is of type `VerifierResponse` and has a field `results`
// which is a vector of some type that has a method `get_content()`.
let leaves: Vec<String> = verified_by_remote
    .results
    .iter()
    .map(|proof_response| proof_response.get_content())
    .collect();

rs/verify-local

  • Purpose: Performs TLS proof verification by combining remote proof of computation verification with private facets of the TLS proof.
  • Usage: Primarily used in the zkVM guest environment to verify TLS proofs.

    • Code Reference:

      use verity_verify_local::{self, ecdsa::validate_ecdsa_signature, merkle::validate_merkle_tree};
use verity_verify_tls::verify_proof;

/// The input parameters for the zk_circuit
///
/// Contains the details needed for proof verification
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct ZkInputParam {
    /// Session header information
    pub tls_proof: String,
    /// Proof of substrings
    pub remote_verifier_proof: String,
    /// Remote verifier's ECDSA public key
    pub remote_verifier_public_key: String,
}

#[derive(Deserialize, Debug, Clone)]
pub struct RemoteVerificationProof {
    pub results: Vec<String>,
    pub root: String,
    pub signature: String,
}

fn main() {
    // Read the input data for this application.
    let input_bytes: Vec<u8> = env::read();

    let params: String = String::from_utf8(input_bytes).unwrap();
    let params: ZkInputParam = serde_json::from_str(params.as_str()).unwrap();

    // Verify the Tls proof -- partially.
    let (recv, sent) = verify_proof(&params.tls_proof).unwrap();

    // Verify the remote verifier's verification of the other part.
    let remote_verification_proof: RemoteVerificationProof =
        serde_json::from_str(params.remote_verifier_proof.as_str()).unwrap();

    // Verify the signature and the Merkle tree root
    let root_hash = &remote_verification_proof.root;
    let is_signature_valid = validate_ecdsa_signature(
        &remote_verification_proof.signature,
        root_hash,
        &params.remote_verifier_public_key,
    )
    .unwrap();
    let is_merkle_valid = validate_merkle_tree(&remote_verification_proof.results, root_hash);

    // Return the verification result
    assert!(is_signature_valid && is_merkle_valid);

    // write public output to the journal
    env::commit(&recv);
    env::commit(&sent);
}

rs/verity-tls

  • Purpose: Abstracts the verification of TLS proofs produced by the Verity Network.
  • Usage: Utilised in both the host and guest environments to verify TLS proofs.
    • Code Reference: 
      // Totally optional to verify proof on host too.
// For the sake of this demo, we'll verify the proof on the host to ensure both the zkVM and host agree to the verification.
let verified_by_host: (String, String) =
    verify_proof(&response.proof, &notary_pub_key).unwrap();

zk

  • Purpose: Provides utilities and tests supporting zkVM usage.
  • Usage: Supports the zkVM environment by providing necessary utilities for proof generation and verification.

Conclusion

The Verity DP framework provides a comprehensive set of modules that facilitate the generation and verification of zkTLS proofs. Each module plays a crucial role in ensuring the integrity and privacy of data processed within the Verity platform.