correction + legend placement

* refactor: move and rewrite configuration

* fix wasm

.github/workflows/ci.yml

@@ -18,10 +18,11 @@ env:
   # We need a higher number of parallel rayon tasks than the default (which is 4)
   # in order to prevent a deadlock, c.f.
   #   - https://github.com/tlsnotary/tlsn/issues/548
-  #   - https://github.com/privacy-scaling-explorations/mpz/issues/178
+  #   - https://github.com/privacy-ethereum/mpz/issues/178
   # 32 seems to be big enough for the foreseeable future
   RAYON_NUM_THREADS: 32
-  RUST_VERSION: 1.89.0
+  RUST_VERSION: 1.92.0
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
   clippy:
@@ -32,7 +33,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_VERSION }}
           components: clippy
@@ -41,7 +42,7 @@ jobs:
         uses: Swatinem/rust-cache@v2.7.7
 
       - name: Clippy
-        run: cargo clippy --keep-going --all-features --all-targets --locked -- -D warnings
+        run: cargo clippy --keep-going --all-features --all-targets --locked
 
   fmt:
     name: Check formatting

.github/workflows/releng.yml

@@ -6,7 +6,7 @@ on:
       tag:
         description: 'Tag to publish to NPM'
         required: true
-        default: 'v0.1.0-alpha.13-pre'
+        default: 'v0.1.0-alpha.14-pre'
 
 jobs:
   release:

.github/workflows/rustdoc.yml

@@ -23,7 +23,6 @@ jobs:
       - name: "rustdoc"
         run: crates/wasm/build-docs.sh
 
-
       - name: Deploy
         uses: peaceiris/actions-gh-pages@v3
         if: ${{ github.ref == 'refs/heads/dev' }}

.github/workflows/updatemain.yml

@@ -1,6 +1,7 @@
 name: Fast-forward main branch to published release tag
 
 on:
+  workflow_dispatch:
   release:
     types: [published]
 

Cargo.toml

@@ -66,25 +66,27 @@ tlsn-harness-runner = { path = "crates/harness/runner" }
 tlsn-wasm = { path = "crates/wasm" }
 tlsn = { path = "crates/tlsn" }
 
-mpz-circuits = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-circuits = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-memory-core = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-circuits-data = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-common = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-memory-core = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-core = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-common = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-vm-core = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-core = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-garble = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-vm-core = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-garble-core = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-garble = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-ole = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-garble-core = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-ot = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-ole = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-share-conversion = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-ot = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-fields = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-share-conversion = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-zk = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-fields = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
-mpz-hash = { git = "https://github.com/privacy-scaling-explorations/mpz", rev = "3d90b6c" }
+mpz-zk = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
+mpz-hash = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
+mpz-ideal-vm = { git = "https://github.com/privacy-ethereum/mpz", rev = "9c343f8" }
 
-rangeset = { version = "0.2" }
+rangeset = { version = "0.4" }
 serio = { version = "0.2" }
-spansy = { git = "https://github.com/tlsnotary/tlsn-utils", rev = "6168663" }
+spansy = { git = "https://github.com/tlsnotary/tlsn-utils", rev = "6f1a934" }
 uid-mux = { version = "0.2" }
-websocket-relay = { git = "https://github.com/tlsnotary/tlsn-utils", rev = "6168663" }
+websocket-relay = { git = "https://github.com/tlsnotary/tlsn-utils", rev = "6f1a934" }
 
 aead = { version = "0.4" }
 aes = { version = "0.8" }
@@ -110,7 +112,7 @@ elliptic-curve = { version = "0.13" }
 enum-try-as-inner = { version = "0.1" }
 env_logger = { version = "0.10" }
 futures = { version = "0.3" }
-futures-rustls = { version = "0.26" }
+futures-rustls = { version = "0.25" }
 generic-array = { version = "0.14" }
 ghash = { version = "0.5" }
 hex = { version = "0.4" }

crates/attestation/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "tlsn-attestation"
-version = "0.1.0-alpha.13-pre"
+version = "0.1.0-alpha.14-pre"
 edition = "2024"
 
 [features]
@@ -9,7 +9,7 @@ fixtures = ["tlsn-core/fixtures", "dep:tlsn-data-fixtures"]
 
 [dependencies]
 tlsn-tls-core = { workspace = true }
-tlsn-core = { workspace = true }
+tlsn-core = { workspace = true, features = ["mozilla-certs"] }
 tlsn-data-fixtures = { workspace = true, optional = true }
 
 bcs = { workspace = true }
@@ -23,9 +23,9 @@ thiserror = { workspace = true }
 tiny-keccak = { workspace = true, features = ["keccak"] }
 
 [dev-dependencies]
-alloy-primitives = { version = "0.8.22", default-features = false }
+alloy-primitives = { version = "1.3.1", default-features = false }
-alloy-signer = { version = "0.12", default-features = false }
+alloy-signer = { version = "1.0", default-features = false }
-alloy-signer-local = { version = "0.12", default-features = false }
+alloy-signer-local = { version = "1.0", default-features = false }
 rand06-compat = { workspace = true }
 rstest = { workspace = true }
 tlsn-core = { workspace = true, features = ["fixtures"] }

crates/attestation/src/builder.rs

@@ -5,7 +5,7 @@ use rand::{Rng, rng};
 use tlsn_core::{
     connection::{ConnectionInfo, ServerEphemKey},
     hash::HashAlgId,
-    transcript::TranscriptCommitment,
+    transcript::{TranscriptCommitment, encoding::EncoderSecret},
 };
 
 use crate::{
@@ -25,6 +25,7 @@ pub struct Sign {
     connection_info: Option<ConnectionInfo>,
     server_ephemeral_key: Option<ServerEphemKey>,
     cert_commitment: ServerCertCommitment,
+    encoder_secret: Option<EncoderSecret>,
     extensions: Vec<Extension>,
     transcript_commitments: Vec<TranscriptCommitment>,
 }
@@ -86,6 +87,7 @@ impl<'a> AttestationBuilder<'a, Accept> {
                 connection_info: None,
                 server_ephemeral_key: None,
                 cert_commitment,
+                encoder_secret: None,
                 transcript_commitments: Vec::new(),
                 extensions,
             },
@@ -106,6 +108,12 @@ impl AttestationBuilder<'_, Sign> {
         self
     }
 
+    /// Sets the secret for encoding commitments.
+    pub fn encoder_secret(&mut self, secret: EncoderSecret) -> &mut Self {
+        self.state.encoder_secret = Some(secret);
+        self
+    }
+
     /// Adds an extension to the attestation.
     pub fn extension(&mut self, extension: Extension) -> &mut Self {
         self.state.extensions.push(extension);
@@ -129,6 +137,7 @@ impl AttestationBuilder<'_, Sign> {
             connection_info,
             server_ephemeral_key,
             cert_commitment,
+            encoder_secret,
             extensions,
             transcript_commitments,
         } = self.state;
@@ -159,6 +168,7 @@ impl AttestationBuilder<'_, Sign> {
                 AttestationBuilderError::new(ErrorKind::Field, "handshake data was not set")
             })?),
             cert_commitment: field_id.next(cert_commitment),
+            encoder_secret: encoder_secret.map(|secret| field_id.next(secret)),
             extensions: extensions
                 .into_iter()
                 .map(|extension| field_id.next(extension))

crates/attestation/src/fixtures.rs

@@ -1,5 +1,4 @@
 //! Attestation fixtures.
-
 use tlsn_core::{
     connection::{CertBinding, CertBindingV1_2},
     fixtures::ConnectionFixture,
@@ -13,7 +12,10 @@ use tlsn_core::{
 use crate::{
     Attestation, AttestationConfig, CryptoProvider, Extension,
     request::{Request, RequestConfig},
-    signing::SignatureAlgId,
+    signing::{
+        KeyAlgId, SignatureAlgId, SignatureVerifier, SignatureVerifierProvider, Signer,
+        SignerProvider,
+    },
 };
 
 /// A Request fixture used for testing.
@@ -102,7 +104,8 @@ pub fn attestation_fixture(
     let mut provider = CryptoProvider::default();
     match signature_alg {
         SignatureAlgId::SECP256K1 => provider.signer.set_secp256k1(&[42u8; 32]).unwrap(),
-        SignatureAlgId::SECP256R1 => provider.signer.set_secp256r1(&[42u8; 32]).unwrap(),
+        SignatureAlgId::SECP256K1ETH => provider.signer.set_secp256k1eth(&[43u8; 32]).unwrap(),
+        SignatureAlgId::SECP256R1 => provider.signer.set_secp256r1(&[44u8; 32]).unwrap(),
         _ => unimplemented!(),
     };
 
@@ -122,3 +125,68 @@ pub fn attestation_fixture(
 
     attestation_builder.build(&provider).unwrap()
 }
+
+/// Returns a crypto provider which supports only a custom signature alg.
+pub fn custom_provider_fixture() -> CryptoProvider {
+    const CUSTOM_SIG_ALG_ID: SignatureAlgId = SignatureAlgId::new(128);
+
+    // A dummy signer.
+    struct DummySigner {}
+    impl Signer for DummySigner {
+        fn alg_id(&self) -> SignatureAlgId {
+            CUSTOM_SIG_ALG_ID
+        }
+
+        fn sign(
+            &self,
+            msg: &[u8],
+        ) -> Result<crate::signing::Signature, crate::signing::SignatureError> {
+            Ok(crate::signing::Signature {
+                alg: CUSTOM_SIG_ALG_ID,
+                data: msg.to_vec(),
+            })
+        }
+
+        fn verifying_key(&self) -> crate::signing::VerifyingKey {
+            crate::signing::VerifyingKey {
+                alg: KeyAlgId::new(128),
+                data: vec![1, 2, 3, 4],
+            }
+        }
+    }
+
+    // A dummy verifier.
+    struct DummyVerifier {}
+    impl SignatureVerifier for DummyVerifier {
+        fn alg_id(&self) -> SignatureAlgId {
+            CUSTOM_SIG_ALG_ID
+        }
+
+        fn verify(
+            &self,
+            _key: &crate::signing::VerifyingKey,
+            msg: &[u8],
+            sig: &[u8],
+        ) -> Result<(), crate::signing::SignatureError> {
+            if msg == sig {
+                Ok(())
+            } else {
+                Err(crate::signing::SignatureError::from_str(
+                    "invalid signature",
+                ))
+            }
+        }
+    }
+
+    let mut provider = CryptoProvider::default();
+
+    let mut signer_provider = SignerProvider::default();
+    signer_provider.set_signer(Box::new(DummySigner {}));
+    provider.signer = signer_provider;
+
+    let mut verifier_provider = SignatureVerifierProvider::empty();
+    verifier_provider.set_verifier(Box::new(DummyVerifier {}));
+    provider.signature = verifier_provider;
+
+    provider
+}

crates/attestation/src/lib.rs

@@ -219,7 +219,7 @@ use tlsn_core::{
     connection::{ConnectionInfo, ServerEphemKey},
     hash::{Hash, HashAlgorithm, TypedHash},
     merkle::MerkleTree,
-    transcript::TranscriptCommitment,
+    transcript::{TranscriptCommitment, encoding::EncoderSecret},
 };
 
 use crate::{
@@ -327,6 +327,7 @@ pub struct Body {
     connection_info: Field<ConnectionInfo>,
     server_ephemeral_key: Field<ServerEphemKey>,
     cert_commitment: Field<ServerCertCommitment>,
+    encoder_secret: Option<Field<EncoderSecret>>,
     extensions: Vec<Field<Extension>>,
     transcript_commitments: Vec<Field<TranscriptCommitment>>,
 }
@@ -372,6 +373,7 @@ impl Body {
             connection_info: conn_info,
             server_ephemeral_key,
             cert_commitment,
+            encoder_secret,
             extensions,
             transcript_commitments,
         } = self;
@@ -389,6 +391,13 @@ impl Body {
             ),
         ];
 
+        if let Some(encoder_secret) = encoder_secret {
+            fields.push((
+                encoder_secret.id,
+                hasher.hash_separated(&encoder_secret.data),
+            ));
+        }
+
         for field in extensions.iter() {
             fields.push((field.id, hasher.hash_separated(&field.data)));
         }

crates/attestation/src/presentation.rs

@@ -91,6 +91,11 @@ impl Presentation {
                 transcript.verify_with_provider(
                     &provider.hash,
                     &attestation.body.connection_info().transcript_length,
+                    attestation
+                        .body
+                        .encoder_secret
+                        .as_ref()
+                        .map(|field| &field.data),
                     attestation.body.transcript_commitments(),
                 )
             })

crates/attestation/src/request.rs

@@ -20,7 +20,10 @@ use serde::{Deserialize, Serialize};
 
 use tlsn_core::hash::HashAlgId;
 
-use crate::{Attestation, Extension, connection::ServerCertCommitment, signing::SignatureAlgId};
+use crate::{
+    Attestation, CryptoProvider, Extension, connection::ServerCertCommitment,
+    serialize::CanonicalSerialize, signing::SignatureAlgId,
+};
 
 pub use builder::{RequestBuilder, RequestBuilderError};
 pub use config::{RequestConfig, RequestConfigBuilder, RequestConfigBuilderError};
@@ -41,44 +44,102 @@ impl Request {
     }
 
     /// Validates the content of the attestation against this request.
-    pub fn validate(&self, attestation: &Attestation) -> Result<(), InconsistentAttestation> {
+    pub fn validate(
+        &self,
+        attestation: &Attestation,
+        provider: &CryptoProvider,
+    ) -> Result<(), AttestationValidationError> {
         if attestation.signature.alg != self.signature_alg {
-            return Err(InconsistentAttestation(format!(
+            return Err(AttestationValidationError::inconsistent(format!(
                 "signature algorithm: expected {:?}, got {:?}",
                 self.signature_alg, attestation.signature.alg
             )));
         }
 
         if attestation.header.root.alg != self.hash_alg {
-            return Err(InconsistentAttestation(format!(
+            return Err(AttestationValidationError::inconsistent(format!(
                 "hash algorithm: expected {:?}, got {:?}",
                 self.hash_alg, attestation.header.root.alg
             )));
         }
 
         if attestation.body.cert_commitment() != &self.server_cert_commitment {
-            return Err(InconsistentAttestation(
+            return Err(AttestationValidationError::inconsistent(
-                "server certificate commitment does not match".to_string(),
+                "server certificate commitment does not match",
             ));
         }
 
         // TODO: improve the O(M*N) complexity of this check.
         for extension in &self.extensions {
             if !attestation.body.extensions().any(|e| e == extension) {
-                return Err(InconsistentAttestation(
+                return Err(AttestationValidationError::inconsistent(
-                    "extension is missing from the attestation".to_string(),
+                    "extension is missing from the attestation",
                 ));
             }
         }
 
+        let verifier = provider
+            .signature
+            .get(&attestation.signature.alg)
+            .map_err(|_| {
+                AttestationValidationError::provider(format!(
+                    "provider not configured for signature algorithm id {:?}",
+                    attestation.signature.alg,
+                ))
+            })?;
+
+        verifier
+            .verify(
+                &attestation.body.verifying_key.data,
+                &CanonicalSerialize::serialize(&attestation.header),
+                &attestation.signature.data,
+            )
+            .map_err(|_| {
+                AttestationValidationError::inconsistent("failed to verify the signature")
+            })?;
+
         Ok(())
     }
 }
 
 /// Error for [`Request::validate`].
 #[derive(Debug, thiserror::Error)]
-#[error("inconsistent attestation: {0}")]
+#[error("attestation validation error: {kind}: {message}")]
-pub struct InconsistentAttestation(String);
+pub struct AttestationValidationError {
+    kind: ErrorKind,
+    message: String,
+}
+
+impl AttestationValidationError {
+    fn inconsistent(msg: impl Into<String>) -> Self {
+        Self {
+            kind: ErrorKind::Inconsistent,
+            message: msg.into(),
+        }
+    }
+
+    fn provider(msg: impl Into<String>) -> Self {
+        Self {
+            kind: ErrorKind::Provider,
+            message: msg.into(),
+        }
+    }
+}
+
+#[derive(Debug)]
+enum ErrorKind {
+    Inconsistent,
+    Provider,
+}
+
+impl std::fmt::Display for ErrorKind {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            ErrorKind::Inconsistent => write!(f, "inconsistent"),
+            ErrorKind::Provider => write!(f, "provider"),
+        }
+    }
+}
 
 #[cfg(test)]
 mod test {
@@ -93,7 +154,8 @@ mod test {
     use crate::{
         CryptoProvider,
         connection::ServerCertOpening,
-        fixtures::{RequestFixture, attestation_fixture, request_fixture},
+        fixtures::{RequestFixture, attestation_fixture, custom_provider_fixture, request_fixture},
+        request::{AttestationValidationError, ErrorKind},
         signing::SignatureAlgId,
     };
 
@@ -113,7 +175,9 @@ mod test {
         let attestation =
             attestation_fixture(request.clone(), connection, SignatureAlgId::SECP256K1, &[]);
 
-        assert!(request.validate(&attestation).is_ok())
+        let provider = CryptoProvider::default();
+
+        assert!(request.validate(&attestation, &provider).is_ok())
     }
 
     #[test]
@@ -134,7 +198,9 @@ mod test {
 
         request.signature_alg = SignatureAlgId::SECP256R1;
 
-        let res = request.validate(&attestation);
+        let provider = CryptoProvider::default();
+
+        let res = request.validate(&attestation, &provider);
         assert!(res.is_err());
     }
 
@@ -156,7 +222,9 @@ mod test {
 
         request.hash_alg = HashAlgId::SHA256;
 
-        let res = request.validate(&attestation);
+        let provider = CryptoProvider::default();
+
+        let res = request.validate(&attestation, &provider);
         assert!(res.is_err())
     }
 
@@ -184,11 +252,62 @@ mod test {
         });
         let opening = ServerCertOpening::new(server_cert_data);
 
-        let crypto_provider = CryptoProvider::default();
+        let provider = CryptoProvider::default();
         request.server_cert_commitment =
-            opening.commit(crypto_provider.hash.get(&HashAlgId::BLAKE3).unwrap());
+            opening.commit(provider.hash.get(&HashAlgId::BLAKE3).unwrap());
 
-        let res = request.validate(&attestation);
+        let res = request.validate(&attestation, &provider);
         assert!(res.is_err())
     }
+
+    #[test]
+    fn test_wrong_sig() {
+        let transcript = Transcript::new(GET_WITH_HEADER, OK_JSON);
+        let connection = ConnectionFixture::tlsnotary(transcript.length());
+
+        let RequestFixture { request, .. } = request_fixture(
+            transcript,
+            encoding_provider(GET_WITH_HEADER, OK_JSON),
+            connection.clone(),
+            Blake3::default(),
+            Vec::new(),
+        );
+
+        let mut attestation =
+            attestation_fixture(request.clone(), connection, SignatureAlgId::SECP256K1, &[]);
+
+        // Corrupt the signature.
+        attestation.signature.data[1] = attestation.signature.data[1].wrapping_add(1);
+
+        let provider = CryptoProvider::default();
+
+        assert!(request.validate(&attestation, &provider).is_err())
+    }
+
+    #[test]
+    fn test_wrong_provider() {
+        let transcript = Transcript::new(GET_WITH_HEADER, OK_JSON);
+        let connection = ConnectionFixture::tlsnotary(transcript.length());
+
+        let RequestFixture { request, .. } = request_fixture(
+            transcript,
+            encoding_provider(GET_WITH_HEADER, OK_JSON),
+            connection.clone(),
+            Blake3::default(),
+            Vec::new(),
+        );
+
+        let attestation =
+            attestation_fixture(request.clone(), connection, SignatureAlgId::SECP256K1, &[]);
+
+        let provider = custom_provider_fixture();
+
+        assert!(matches!(
+            request.validate(&attestation, &provider),
+            Err(AttestationValidationError {
+                kind: ErrorKind::Provider,
+                ..
+            })
+        ))
+    }
 }

crates/attestation/src/serialize.rs

@@ -49,5 +49,6 @@ impl_domain_separator!(tlsn_core::connection::ConnectionInfo);
 impl_domain_separator!(tlsn_core::connection::CertBinding);
 impl_domain_separator!(tlsn_core::transcript::TranscriptCommitment);
 impl_domain_separator!(tlsn_core::transcript::TranscriptSecret);
+impl_domain_separator!(tlsn_core::transcript::encoding::EncoderSecret);
 impl_domain_separator!(tlsn_core::transcript::encoding::EncodingCommitment);
 impl_domain_separator!(tlsn_core::transcript::hash::PlaintextHash);

crates/attestation/src/signing.rs

@@ -202,6 +202,14 @@ impl SignatureVerifierProvider {
             .map(|s| &**s)
             .ok_or(UnknownSignatureAlgId(*alg))
     }
+
+    /// Returns am empty provider.
+    #[cfg(any(test, feature = "fixtures"))]
+    pub fn empty() -> Self {
+        Self {
+            verifiers: HashMap::default(),
+        }
+    }
 }
 
 /// Signature verifier.
@@ -229,6 +237,14 @@ impl_domain_separator!(VerifyingKey);
 #[error("signature verification failed: {0}")]
 pub struct SignatureError(String);
 
+impl SignatureError {
+    /// Creates a new error with the given message.
+    #[allow(clippy::should_implement_trait)]
+    pub fn from_str(msg: &str) -> Self {
+        Self(msg.to_string())
+    }
+}
+
 /// A signature.
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct Signature {

crates/attestation/tests/api.rs

@@ -64,7 +64,6 @@ fn test_api() {
 
     let encoding_commitment = EncodingCommitment {
         root: encoding_tree.root(),
-        secret: encoder_secret(),
     };
 
     let request_config = RequestConfig::default();
@@ -96,12 +95,13 @@ fn test_api() {
         .connection_info(connection_info.clone())
         // Server key Notary received during handshake
         .server_ephemeral_key(server_ephemeral_key)
+        .encoder_secret(encoder_secret())
         .transcript_commitments(vec![TranscriptCommitment::Encoding(encoding_commitment)]);
 
     let attestation = attestation_builder.build(&provider).unwrap();
 
     // Prover validates the attestation is consistent with its request.
-    request.validate(&attestation).unwrap();
+    request.validate(&attestation, &provider).unwrap();
 
     let mut transcript_proof_builder = secrets.transcript_proof_builder();
 

crates/components/cipher/Cargo.toml

@@ -5,7 +5,7 @@ description = "This crate provides implementations of ciphers for two parties"
 keywords = ["tls", "mpc", "2pc", "aes"]
 categories = ["cryptography"]
 license = "MIT OR Apache-2.0"
-version = "0.1.0-alpha.13-pre"
+version = "0.1.0-alpha.14-pre"
 edition = "2021"
 
 [lints]
@@ -15,7 +15,7 @@ workspace = true
 name = "cipher"
 
 [dependencies]
-mpz-circuits = { workspace = true }
+mpz-circuits = { workspace = true, features = ["aes"] }
 mpz-vm-core = { workspace = true }
 mpz-memory-core = { workspace = true }
 
@@ -24,11 +24,9 @@ thiserror = { workspace = true }
 aes = { workspace = true }
 
 [dev-dependencies]
-mpz-garble = { workspace = true }
+mpz-common = { workspace = true, features = ["test-utils"] }
-mpz-common = { workspace = true }
+mpz-ideal-vm = { workspace = true }
-mpz-ot = { workspace = true }
 
 tokio = { version = "1", features = ["macros", "rt", "rt-multi-thread"] }
-rand = { workspace = true }
 ctr = { workspace = true }
 cipher = { workspace = true }

crates/components/cipher/src/aes/mod.rs

@@ -2,7 +2,7 @@
 
 use crate::{Cipher, CtrBlock, Keystream};
 use async_trait::async_trait;
-use mpz_circuits::circuits::AES128;
+use mpz_circuits::{AES128_KS, AES128_POST_KS};
 use mpz_memory_core::binary::{Binary, U8};
 use mpz_vm_core::{prelude::*, Call, Vm};
 use std::fmt::Debug;
@@ -12,13 +12,35 @@ mod error;
 pub use error::AesError;
 use error::ErrorKind;
 
+/// AES key schedule: 11 round keys, 16 bytes each.
+type KeySchedule = Array<U8, 176>;
+
 /// Computes AES-128.
 #[derive(Default, Debug)]
 pub struct Aes128 {
     key: Option<Array<U8, 16>>,
+    key_schedule: Option<KeySchedule>,
     iv: Option<Array<U8, 4>>,
 }
 
+impl Aes128 {
+    // Allocates key schedule.
+    //
+    // Expects the key to be already set.
+    fn alloc_key_schedule(&self, vm: &mut dyn Vm<Binary>) -> Result<KeySchedule, AesError> {
+        let ks: KeySchedule = vm
+            .call(
+                Call::builder(AES128_KS.clone())
+                    .arg(self.key.expect("key is set"))
+                    .build()
+                    .expect("call should be valid"),
+            )
+            .map_err(|err| AesError::new(ErrorKind::Vm, err))?;
+
+        Ok(ks)
+    }
+}
+
 #[async_trait]
 impl Cipher for Aes128 {
     type Error = AesError;
@@ -45,18 +67,22 @@ impl Cipher for Aes128 {
     }
 
     fn alloc_block(
-        &self,
+        &mut self,
         vm: &mut dyn Vm<Binary>,
         input: Array<U8, 16>,
     ) -> Result<Self::Block, Self::Error> {
-        let key = self
+        self.key
-            .key
             .ok_or_else(|| AesError::new(ErrorKind::Key, "key not set"))?;
 
+        if self.key_schedule.is_none() {
+            self.key_schedule = Some(self.alloc_key_schedule(vm)?);
+        }
+        let ks = *self.key_schedule.as_ref().expect("key schedule was set");
+
         let output = vm
             .call(
-                Call::builder(AES128.clone())
+                Call::builder(AES128_POST_KS.clone())
-                    .arg(key)
+                    .arg(ks)
                     .arg(input)
                     .build()
                     .expect("call should be valid"),
@@ -67,11 +93,10 @@ impl Cipher for Aes128 {
     }
 
     fn alloc_ctr_block(
-        &self,
+        &mut self,
         vm: &mut dyn Vm<Binary>,
     ) -> Result<CtrBlock<Self::Nonce, Self::Counter, Self::Block>, Self::Error> {
-        let key = self
+        self.key
-            .key
             .ok_or_else(|| AesError::new(ErrorKind::Key, "key not set"))?;
         let iv = self
             .iv
@@ -89,10 +114,15 @@ impl Cipher for Aes128 {
         vm.mark_public(counter)
             .map_err(|err| AesError::new(ErrorKind::Vm, err))?;
 
+        if self.key_schedule.is_none() {
+            self.key_schedule = Some(self.alloc_key_schedule(vm)?);
+        }
+        let ks = *self.key_schedule.as_ref().expect("key schedule was set");
+
         let output = vm
             .call(
-                Call::builder(AES128.clone())
+                Call::builder(AES128_POST_KS.clone())
-                    .arg(key)
+                    .arg(ks)
                     .arg(iv)
                     .arg(explicit_nonce)
                     .arg(counter)
@@ -109,12 +139,11 @@ impl Cipher for Aes128 {
     }
 
     fn alloc_keystream(
-        &self,
+        &mut self,
         vm: &mut dyn Vm<Binary>,
         len: usize,
     ) -> Result<Keystream<Self::Nonce, Self::Counter, Self::Block>, Self::Error> {
-        let key = self
+        self.key
-            .key
             .ok_or_else(|| AesError::new(ErrorKind::Key, "key not set"))?;
         let iv = self
             .iv
@@ -143,10 +172,15 @@ impl Cipher for Aes128 {
         let blocks = inputs
             .into_iter()
             .map(|(explicit_nonce, counter)| {
+                if self.key_schedule.is_none() {
+                    self.key_schedule = Some(self.alloc_key_schedule(vm)?);
+                }
+                let ks = *self.key_schedule.as_ref().expect("key schedule was set");
+
                 let output = vm
                     .call(
-                        Call::builder(AES128.clone())
+                        Call::builder(AES128_POST_KS.clone())
-                            .arg(key)
+                            .arg(ks)
                             .arg(iv)
                             .arg(explicit_nonce)
                             .arg(counter)
@@ -172,15 +206,12 @@ mod tests {
     use super::*;
     use crate::Cipher;
     use mpz_common::context::test_st_context;
-    use mpz_garble::protocol::semihonest::{Evaluator, Garbler};
+    use mpz_ideal_vm::IdealVm;
     use mpz_memory_core::{
         binary::{Binary, U8},
-        correlated::Delta,
         Array, MemoryExt, Vector, ViewExt,
     };
-    use mpz_ot::ideal::cot::ideal_cot;
     use mpz_vm_core::{Execute, Vm};
-    use rand::{rngs::StdRng, SeedableRng};
 
     #[tokio::test]
     async fn test_aes_ctr() {
@@ -190,10 +221,11 @@ mod tests {
         let start_counter = 3u32;
 
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (mut gen, mut ev) = mock_vm();
+        let mut gen = IdealVm::new();
+        let mut ev = IdealVm::new();
 
-        let aes_gen = setup_ctr(key, iv, &mut gen);
+        let mut aes_gen = setup_ctr(key, iv, &mut gen);
-        let aes_ev = setup_ctr(key, iv, &mut ev);
+        let mut aes_ev = setup_ctr(key, iv, &mut ev);
 
         let msg = vec![42u8; 128];
 
@@ -252,10 +284,11 @@ mod tests {
         let input = [5_u8; 16];
 
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (mut gen, mut ev) = mock_vm();
+        let mut gen = IdealVm::new();
+        let mut ev = IdealVm::new();
 
-        let aes_gen = setup_block(key, &mut gen);
+        let mut aes_gen = setup_block(key, &mut gen);
-        let aes_ev = setup_block(key, &mut ev);
+        let mut aes_ev = setup_block(key, &mut ev);
 
         let block_ref_gen: Array<U8, 16> = gen.alloc().unwrap();
         gen.mark_public(block_ref_gen).unwrap();
@@ -294,18 +327,6 @@ mod tests {
         assert_eq!(ciphertext_gen, expected);
     }
 
-    fn mock_vm() -> (impl Vm<Binary>, impl Vm<Binary>) {
-        let mut rng = StdRng::seed_from_u64(0);
-        let delta = Delta::random(&mut rng);
-
-        let (cot_send, cot_recv) = ideal_cot(delta.into_inner());
-
-        let gen = Garbler::new(cot_send, [0u8; 16], delta);
-        let ev = Evaluator::new(cot_recv);
-
-        (gen, ev)
-    }
-
     fn setup_ctr(key: [u8; 16], iv: [u8; 4], vm: &mut dyn Vm<Binary>) -> Aes128 {
         let key_ref: Array<U8, 16> = vm.alloc().unwrap();
         vm.mark_public(key_ref).unwrap();

crates/components/cipher/src/lib.rs

@@ -55,7 +55,7 @@ pub trait Cipher {
 
     /// Allocates a single block in ECB mode.
     fn alloc_block(
-        &self,
+        &mut self,
         vm: &mut dyn Vm<Binary>,
         input: Self::Block,
     ) -> Result<Self::Block, Self::Error>;
@@ -63,7 +63,7 @@ pub trait Cipher {
     /// Allocates a single block in counter mode.
     #[allow(clippy::type_complexity)]
     fn alloc_ctr_block(
-        &self,
+        &mut self,
         vm: &mut dyn Vm<Binary>,
     ) -> Result<CtrBlock<Self::Nonce, Self::Counter, Self::Block>, Self::Error>;
 
@@ -75,7 +75,7 @@ pub trait Cipher {
     /// * `len` - Length of the stream in bytes.
     #[allow(clippy::type_complexity)]
     fn alloc_keystream(
-        &self,
+        &mut self,
         vm: &mut dyn Vm<Binary>,
         len: usize,
     ) -> Result<Keystream<Self::Nonce, Self::Counter, Self::Block>, Self::Error>;

crates/components/deap/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "tlsn-deap"
-version = "0.1.0-alpha.13-pre"
+version = "0.1.0-alpha.14-pre"
 edition = "2021"
 
 [lints]
@@ -19,11 +19,8 @@ futures = { workspace = true }
 tokio = { workspace = true, features = ["sync"] }
 
 [dev-dependencies]
-mpz-circuits = { workspace = true }
+mpz-circuits = { workspace = true, features = ["aes"] }
-mpz-garble = { workspace = true }
+mpz-common = { workspace = true, features = ["test-utils"] }
-mpz-ot = { workspace = true }
+mpz-ideal-vm = { workspace = true }
-mpz-zk = { workspace = true }
 
 tokio = { workspace = true, features = ["macros", "rt", "rt-multi-thread"] }
-rand = { workspace = true }
-rand06-compat = { workspace = true }

crates/components/deap/src/lib.rs

@@ -15,7 +15,7 @@ use mpz_vm_core::{
     memory::{binary::Binary, DecodeFuture, Memory, Repr, Slice, View},
     Call, Callable, Execute, Vm, VmError,
 };
-use rangeset::{Difference, RangeSet, UnionMut};
+use rangeset::{ops::Set, set::RangeSet};
 use tokio::sync::{Mutex, MutexGuard, OwnedMutexGuard};
 
 type Error = DeapError;
@@ -210,10 +210,12 @@ where
     }
 
     fn commit_raw(&mut self, slice: Slice) -> Result<(), VmError> {
+        let slice_range = slice.to_range();
+
         // Follower's private inputs are not committed in the ZK VM until finalization.
-        let input_minus_follower = slice.to_range().difference(&self.follower_input_ranges);
+        let input_minus_follower = slice_range.difference(&self.follower_input_ranges);
         let mut zk = self.zk.try_lock().unwrap();
-        for input in input_minus_follower.iter_ranges() {
+        for input in input_minus_follower {
             zk.commit_raw(
                 self.memory_map
                     .try_get(Slice::from_range_unchecked(input))?,
@@ -266,7 +268,7 @@ where
                 mpc.mark_private_raw(slice)?;
                 // Follower's private inputs will become public during finalization.
                 zk.mark_public_raw(self.memory_map.try_get(slice)?)?;
-                self.follower_input_ranges.union_mut(&slice.to_range());
+                self.follower_input_ranges.union_mut(slice.to_range());
                 self.follower_inputs.push(slice);
             }
         }
@@ -282,7 +284,7 @@ where
                 mpc.mark_blind_raw(slice)?;
                 // Follower's private inputs will become public during finalization.
                 zk.mark_public_raw(self.memory_map.try_get(slice)?)?;
-                self.follower_input_ranges.union_mut(&slice.to_range());
+                self.follower_input_ranges.union_mut(slice.to_range());
                 self.follower_inputs.push(slice);
             }
             Role::Follower => {
@@ -382,37 +384,27 @@ enum ErrorRepr {
 
 #[cfg(test)]
 mod tests {
-    use mpz_circuits::circuits::AES128;
+    use mpz_circuits::AES128;
     use mpz_common::context::test_st_context;
-    use mpz_core::Block;
+    use mpz_ideal_vm::IdealVm;
-    use mpz_garble::protocol::semihonest::{Evaluator, Garbler};
-    use mpz_ot::ideal::{cot::ideal_cot, rcot::ideal_rcot};
     use mpz_vm_core::{
-        memory::{binary::U8, correlated::Delta, Array},
+        memory::{binary::U8, Array},
         prelude::*,
     };
-    use mpz_zk::{Prover, ProverConfig, Verifier, VerifierConfig};
-    use rand::{rngs::StdRng, SeedableRng};
 
     use super::*;
 
     #[tokio::test]
     async fn test_deap() {
-        let mut rng = StdRng::seed_from_u64(0);
-        let delta_mpc = Delta::random(&mut rng);
-        let delta_zk = Delta::random(&mut rng);
-
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (rcot_send, rcot_recv) = ideal_rcot(Block::ZERO, delta_zk.into_inner());
-        let (cot_send, cot_recv) = ideal_cot(delta_mpc.into_inner());
 
-        let gb = Garbler::new(cot_send, [0u8; 16], delta_mpc);
+        let leader_mpc = IdealVm::new();
-        let ev = Evaluator::new(cot_recv);
+        let leader_zk = IdealVm::new();
-        let prover = Prover::new(ProverConfig::default(), rcot_recv);
+        let follower_mpc = IdealVm::new();
-        let verifier = Verifier::new(VerifierConfig::default(), delta_zk, rcot_send);
+        let follower_zk = IdealVm::new();
 
-        let mut leader = Deap::new(Role::Leader, gb, prover);
+        let mut leader = Deap::new(Role::Leader, leader_mpc, leader_zk);
-        let mut follower = Deap::new(Role::Follower, ev, verifier);
+        let mut follower = Deap::new(Role::Follower, follower_mpc, follower_zk);
 
         let (ct_leader, ct_follower) = futures::join!(
             async {
@@ -478,21 +470,15 @@ mod tests {
 
     #[tokio::test]
     async fn test_deap_desync_memory() {
-        let mut rng = StdRng::seed_from_u64(0);
-        let delta_mpc = Delta::random(&mut rng);
-        let delta_zk = Delta::random(&mut rng);
-
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (rcot_send, rcot_recv) = ideal_rcot(Block::ZERO, delta_zk.into_inner());
-        let (cot_send, cot_recv) = ideal_cot(delta_mpc.into_inner());
 
-        let gb = Garbler::new(cot_send, [0u8; 16], delta_mpc);
+        let leader_mpc = IdealVm::new();
-        let ev = Evaluator::new(cot_recv);
+        let leader_zk = IdealVm::new();
-        let prover = Prover::new(ProverConfig::default(), rcot_recv);
+        let follower_mpc = IdealVm::new();
-        let verifier = Verifier::new(VerifierConfig::default(), delta_zk, rcot_send);
+        let follower_zk = IdealVm::new();
 
-        let mut leader = Deap::new(Role::Leader, gb, prover);
+        let mut leader = Deap::new(Role::Leader, leader_mpc, leader_zk);
-        let mut follower = Deap::new(Role::Follower, ev, verifier);
+        let mut follower = Deap::new(Role::Follower, follower_mpc, follower_zk);
 
         // Desynchronize the memories.
         let _ = leader.zk().alloc_raw(1).unwrap();
@@ -564,21 +550,15 @@ mod tests {
     // detection by the follower.
     #[tokio::test]
     async fn test_malicious() {
-        let mut rng = StdRng::seed_from_u64(0);
-        let delta_mpc = Delta::random(&mut rng);
-        let delta_zk = Delta::random(&mut rng);
-
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (rcot_send, rcot_recv) = ideal_rcot(Block::ZERO, delta_zk.into_inner());
-        let (cot_send, cot_recv) = ideal_cot(delta_mpc.into_inner());
 
-        let gb = Garbler::new(cot_send, [1u8; 16], delta_mpc);
+        let leader_mpc = IdealVm::new();
-        let ev = Evaluator::new(cot_recv);
+        let leader_zk = IdealVm::new();
-        let prover = Prover::new(ProverConfig::default(), rcot_recv);
+        let follower_mpc = IdealVm::new();
-        let verifier = Verifier::new(VerifierConfig::default(), delta_zk, rcot_send);
+        let follower_zk = IdealVm::new();
 
-        let mut leader = Deap::new(Role::Leader, gb, prover);
+        let mut leader = Deap::new(Role::Leader, leader_mpc, leader_zk);
-        let mut follower = Deap::new(Role::Follower, ev, verifier);
+        let mut follower = Deap::new(Role::Follower, follower_mpc, follower_zk);
 
         let (_, follower_res) = futures::join!(
             async {

crates/components/deap/src/map.rs

@@ -1,7 +1,7 @@
 use std::ops::Range;
 
 use mpz_vm_core::{memory::Slice, VmError};
-use rangeset::Subset;
+use rangeset::ops::Set;
 
 /// A mapping between the memories of the MPC and ZK VMs.
 #[derive(Debug, Default)]

crates/components/hmac-sha256/Cargo.toml

@@ -5,7 +5,7 @@ description = "A 2PC implementation of TLS HMAC-SHA256 PRF"
 keywords = ["tls", "mpc", "2pc", "hmac", "sha256"]
 categories = ["cryptography"]
 license = "MIT OR Apache-2.0"
-version = "0.1.0-alpha.13-pre"
+version = "0.1.0-alpha.14-pre"
 edition = "2021"
 
 [lints]
@@ -20,14 +20,13 @@ mpz-core = { workspace = true }
 mpz-circuits = { workspace = true }
 mpz-hash = { workspace = true }
 
+sha2 = { workspace = true, features = ["compress"] }
 thiserror = { workspace = true }
 tracing = { workspace = true }
-sha2 = { workspace = true }
 
 [dev-dependencies]
-mpz-ot = { workspace = true, features = ["ideal"] }
-mpz-garble = { workspace = true }
 mpz-common = { workspace = true, features = ["test-utils"] }
+mpz-ideal-vm = { workspace = true }
 
 criterion = { workspace = true, features = ["async_tokio"] }
 tokio = { workspace = true, features = ["macros", "rt", "rt-multi-thread"] }

crates/components/hmac-sha256/benches/prf.rs

@@ -4,14 +4,12 @@ use criterion::{criterion_group, criterion_main, Criterion};
 
 use hmac_sha256::{Mode, MpcPrf};
 use mpz_common::context::test_mt_context;
-use mpz_garble::protocol::semihonest::{Evaluator, Garbler};
+use mpz_ideal_vm::IdealVm;
-use mpz_ot::ideal::cot::ideal_cot;
 use mpz_vm_core::{
-    memory::{binary::U8, correlated::Delta, Array},
+    memory::{binary::U8, Array},
     prelude::*,
     Execute,
 };
-use rand::{rngs::StdRng, SeedableRng};
 
 #[allow(clippy::unit_arg)]
 fn criterion_benchmark(c: &mut Criterion) {
@@ -29,8 +27,6 @@ criterion_group!(benches, criterion_benchmark);
 criterion_main!(benches);
 
 async fn prf(mode: Mode) {
-    let mut rng = StdRng::seed_from_u64(0);
-
     let pms = [42u8; 32];
     let client_random = [69u8; 32];
     let server_random: [u8; 32] = [96u8; 32];
@@ -39,11 +35,8 @@ async fn prf(mode: Mode) {
     let mut leader_ctx = leader_exec.new_context().await.unwrap();
     let mut follower_ctx = follower_exec.new_context().await.unwrap();
 
-    let delta = Delta::random(&mut rng);
+    let mut leader_vm = IdealVm::new();
-    let (ot_send, ot_recv) = ideal_cot(delta.into_inner());
+    let mut follower_vm = IdealVm::new();
-
-    let mut leader_vm = Garbler::new(ot_send, [0u8; 16], delta);
-    let mut follower_vm = Evaluator::new(ot_recv);
 
     let leader_pms: Array<U8, 32> = leader_vm.alloc().unwrap();
     leader_vm.mark_public(leader_pms).unwrap();

crates/components/hmac-sha256/src/hmac.rs

@@ -54,10 +54,11 @@ mod tests {
     use crate::{
         hmac::hmac_sha256,
         sha256, state_to_bytes,
-        test_utils::{compute_inner_local, compute_outer_partial, mock_vm},
+        test_utils::{compute_inner_local, compute_outer_partial},
     };
     use mpz_common::context::test_st_context;
     use mpz_hash::sha256::Sha256;
+    use mpz_ideal_vm::IdealVm;
     use mpz_vm_core::{
         memory::{
             binary::{U32, U8},
@@ -83,7 +84,8 @@ mod tests {
     #[tokio::test]
     async fn test_hmac_circuit() {
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (mut leader, mut follower) = mock_vm();
+        let mut leader = IdealVm::new();
+        let mut follower = IdealVm::new();
 
         let (inputs, references) = test_fixtures();
         for (input, &reference) in inputs.iter().zip(references.iter()) {

crates/components/hmac-sha256/src/lib.rs

@@ -72,10 +72,11 @@ fn state_to_bytes(input: [u32; 8]) -> [u8; 32] {
 #[cfg(test)]
 mod tests {
     use crate::{
-        test_utils::{mock_vm, prf_cf_vd, prf_keys, prf_ms, prf_sf_vd},
+        test_utils::{prf_cf_vd, prf_keys, prf_ms, prf_sf_vd},
         Mode, MpcPrf, SessionKeys,
     };
     use mpz_common::context::test_st_context;
+    use mpz_ideal_vm::IdealVm;
     use mpz_vm_core::{
         memory::{binary::U8, Array, MemoryExt, ViewExt},
         Execute,
@@ -123,7 +124,8 @@ mod tests {
 
         // Set up vm and prf
         let (mut ctx_a, mut ctx_b) = test_st_context(128);
-        let (mut leader, mut follower) = mock_vm();
+        let mut leader = IdealVm::new();
+        let mut follower = IdealVm::new();
 
         let leader_pms: Array<U8, 32> = leader.alloc().unwrap();
         leader.mark_public(leader_pms).unwrap();

crates/components/hmac-sha256/src/prf.rs

@@ -339,8 +339,9 @@ fn gen_merge_circ(size: usize) -> Arc<Circuit> {
 
 #[cfg(test)]
 mod tests {
-    use crate::{prf::merge_outputs, test_utils::mock_vm};
+    use crate::prf::merge_outputs;
     use mpz_common::context::test_st_context;
+    use mpz_ideal_vm::IdealVm;
     use mpz_vm_core::{
         memory::{binary::U8, Array, MemoryExt, ViewExt},
         Execute,
@@ -349,7 +350,8 @@ mod tests {
     #[tokio::test]
     async fn test_merge_outputs() {
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (mut leader, mut follower) = mock_vm();
+        let mut leader = IdealVm::new();
+        let mut follower = IdealVm::new();
 
         let input1: [u8; 32] = std::array::from_fn(|i| i as u8);
         let input2: [u8; 32] = std::array::from_fn(|i| i as u8 + 32);

crates/components/hmac-sha256/src/prf/function.rs

@@ -137,10 +137,11 @@ impl Prf {
 mod tests {
     use crate::{
         prf::{compute_partial, function::Prf},
-        test_utils::{mock_vm, phash},
+        test_utils::phash,
         Mode,
     };
     use mpz_common::context::test_st_context;
+    use mpz_ideal_vm::IdealVm;
     use mpz_vm_core::{
         memory::{binary::U8, Array, MemoryExt, ViewExt},
         Execute,
@@ -166,7 +167,8 @@ mod tests {
         let mut rng = ThreadRng::default();
 
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (mut leader, mut follower) = mock_vm();
+        let mut leader = IdealVm::new();
+        let mut follower = IdealVm::new();
 
         let key: [u8; 32] = rng.random();
         let start_seed: Vec<u8> = vec![42; 64];

crates/components/hmac-sha256/src/test_utils.rs

@@ -1,25 +1,10 @@
 use crate::{sha256, state_to_bytes};
-use mpz_garble::protocol::semihonest::{Evaluator, Garbler};
-use mpz_ot::ideal::cot::{ideal_cot, IdealCOTReceiver, IdealCOTSender};
-use mpz_vm_core::memory::correlated::Delta;
 use rand::{rngs::StdRng, Rng, SeedableRng};
 
 pub(crate) const SHA256_IV: [u32; 8] = [
     0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
 ];
 
-pub(crate) fn mock_vm() -> (Garbler<IdealCOTSender>, Evaluator<IdealCOTReceiver>) {
-    let mut rng = StdRng::seed_from_u64(0);
-    let delta = Delta::random(&mut rng);
-
-    let (cot_send, cot_recv) = ideal_cot(delta.into_inner());
-
-    let gen = Garbler::new(cot_send, [0u8; 16], delta);
-    let ev = Evaluator::new(cot_recv);
-
-    (gen, ev)
-}
-
 pub(crate) fn prf_ms(pms: [u8; 32], client_random: [u8; 32], server_random: [u8; 32]) -> [u8; 48] {
     let mut label_start_seed = b"master secret".to_vec();
     label_start_seed.extend_from_slice(&client_random);

crates/components/key-exchange/Cargo.toml

@@ -5,7 +5,7 @@ description = "Implementation of the 3-party key-exchange protocol"
 keywords = ["tls", "mpc", "2pc", "pms", "key-exchange"]
 categories = ["cryptography"]
 license = "MIT OR Apache-2.0"
-version = "0.1.0-alpha.13-pre"
+version = "0.1.0-alpha.14-pre"
 edition = "2021"
 
 [lints]
@@ -40,6 +40,7 @@ tokio = { workspace = true, features = ["sync"] }
 [dev-dependencies]
 mpz-ot = { workspace = true, features = ["ideal"] }
 mpz-garble = { workspace = true }
+mpz-ideal-vm = { workspace = true }
 
 rand_core = { workspace = true }
 tokio = { workspace = true, features = ["macros", "rt", "rt-multi-thread"] }

crates/components/key-exchange/src/exchange.rs

@@ -459,9 +459,7 @@ mod tests {
     use mpz_common::context::test_st_context;
     use mpz_core::Block;
     use mpz_fields::UniformRand;
-    use mpz_garble::protocol::semihonest::{Evaluator, Garbler};
+    use mpz_ideal_vm::IdealVm;
-    use mpz_memory_core::correlated::Delta;
-    use mpz_ot::ideal::cot::{ideal_cot, IdealCOTReceiver, IdealCOTSender};
     use mpz_share_conversion::ideal::{
         ideal_share_convert, IdealShareConvertReceiver, IdealShareConvertSender,
     };
@@ -484,7 +482,8 @@ mod tests {
     async fn test_key_exchange() {
         let mut rng = StdRng::seed_from_u64(0).compat();
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (mut gen, mut ev) = mock_vm();
+        let mut gen = IdealVm::new();
+        let mut ev = IdealVm::new();
 
         let leader_private_key = SecretKey::random(&mut rng);
         let follower_private_key = SecretKey::random(&mut rng);
@@ -625,7 +624,8 @@ mod tests {
     async fn test_malicious_key_exchange(#[case] malicious: Malicious) {
         let mut rng = StdRng::seed_from_u64(0);
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (mut gen, mut ev) = mock_vm();
+        let mut gen = IdealVm::new();
+        let mut ev = IdealVm::new();
 
         let leader_private_key = SecretKey::random(&mut rng.compat_by_ref());
         let follower_private_key = SecretKey::random(&mut rng.compat_by_ref());
@@ -704,7 +704,8 @@ mod tests {
     #[tokio::test]
     async fn test_circuit() {
         let (mut ctx_a, mut ctx_b) = test_st_context(8);
-        let (gen, ev) = mock_vm();
+        let gen = IdealVm::new();
+        let ev = IdealVm::new();
 
         let share_a0_bytes = [5_u8; 32];
         let share_a1_bytes = [2_u8; 32];
@@ -834,16 +835,4 @@ mod tests {
 
         (leader, follower)
     }
-
-    fn mock_vm() -> (Garbler<IdealCOTSender>, Evaluator<IdealCOTReceiver>) {
-        let mut rng = StdRng::seed_from_u64(0);
-        let delta = Delta::random(&mut rng);
-
-        let (cot_send, cot_recv) = ideal_cot(delta.into_inner());
-
-        let gen = Garbler::new(cot_send, [0u8; 16], delta);
-        let ev = Evaluator::new(cot_recv);
-
-        (gen, ev)
-    }
 }

crates/components/key-exchange/src/lib.rs

@@ -8,7 +8,7 @@
 //! with the server alone and forward all messages from and to the follower.
 //!
 //! A detailed description of this protocol can be found in our documentation
-//! <https://docs.tlsnotary.org/protocol/notarization/key_exchange.html>.
+//! <https://tlsnotary.org/docs/mpc/key_exchange>.
 
 #![deny(missing_docs, unreachable_pub, unused_must_use)]
 #![deny(clippy::all)]

crates/components/key-exchange/src/mock.rs

@@ -26,8 +26,7 @@ pub fn create_mock_key_exchange_pair() -> (MockKeyExchange, MockKeyExchange) {
 
 #[cfg(test)]
 mod tests {
-    use mpz_garble::protocol::semihonest::{Evaluator, Garbler};
+    use mpz_ideal_vm::IdealVm;
-    use mpz_ot::ideal::cot::{IdealCOTReceiver, IdealCOTSender};
 
     use super::*;
     use crate::KeyExchange;
@@ -40,12 +39,12 @@ mod tests {
 
         is_key_exchange::<
             MpcKeyExchange<IdealShareConvertSender<P256>, IdealShareConvertReceiver<P256>>,
-            Garbler<IdealCOTSender>,
+            IdealVm,
         >(leader);
 
         is_key_exchange::<
             MpcKeyExchange<IdealShareConvertSender<P256>, IdealShareConvertReceiver<P256>>,
-            Evaluator<IdealCOTReceiver>,
+            IdealVm,
         >(follower);
     }
 }

crates/components/key-exchange/src/point_addition.rs

@@ -4,7 +4,7 @@
 //! protocol has semi-honest security.
 //!
 //! The protocol is described in
-//! <https://docs.tlsnotary.org/protocol/notarization/key_exchange.html>
+//! <https://tlsnotary.org/docs/mpc/key_exchange>
 
 use crate::{KeyExchangeError, Role};
 use mpz_common::{Context, Flush};

crates/core/Cargo.toml

@@ -5,7 +5,7 @@ description = "Core types for TLSNotary"
 keywords = ["tls", "mpc", "2pc", "types"]
 categories = ["cryptography"]
 license = "MIT OR Apache-2.0"
-version = "0.1.0-alpha.13-pre"
+version = "0.1.0-alpha.14-pre"
 edition = "2021"
 
 [lints]
@@ -13,6 +13,7 @@ workspace = true
 
 [features]
 default = []
+mozilla-certs = ["dep:webpki-root-certs", "dep:webpki-roots"]
 fixtures = [
     "dep:hex",
     "dep:tlsn-data-fixtures",
@@ -44,7 +45,8 @@ sha2 = { workspace = true }
 thiserror = { workspace = true }
 tiny-keccak = { workspace = true, features = ["keccak"] }
 web-time = { workspace = true }
-webpki-roots = { workspace = true }
+webpki-roots = { workspace = true, optional = true }
+webpki-root-certs = { workspace = true, optional = true }
 rustls-webpki = { workspace = true, features = ["ring"] }
 rustls-pki-types = { workspace = true }
 itybity = { workspace = true }
@@ -57,5 +59,7 @@ generic-array = { workspace = true }
 bincode = { workspace = true }
 hex = { workspace = true }
 rstest = { workspace = true }
+tlsn-core = { workspace = true, features = ["fixtures"] }
+tlsn-attestation = { workspace = true, features = ["fixtures"] }
 tlsn-data-fixtures = { workspace = true }
 webpki-root-certs = { workspace = true }

crates/core/src/config.rs

@@ -0,0 +1,7 @@
+//! Configuration types.
+
+pub mod prove;
+pub mod prover;
+pub mod tls;
+pub mod tls_commit;
+pub mod verifier;

crates/core/src/config/prove.rs

@@ -0,0 +1,189 @@
+//! Proving configuration.
+
+use rangeset::set::{RangeSet, ToRangeSet};
+use serde::{Deserialize, Serialize};
+
+use crate::transcript::{Direction, Transcript, TranscriptCommitConfig, TranscriptCommitRequest};
+
+/// Configuration to prove information to the verifier.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProveConfig {
+    server_identity: bool,
+    reveal: Option<(RangeSet<usize>, RangeSet<usize>)>,
+    transcript_commit: Option<TranscriptCommitConfig>,
+}
+
+impl ProveConfig {
+    /// Creates a new builder.
+    pub fn builder(transcript: &Transcript) -> ProveConfigBuilder<'_> {
+        ProveConfigBuilder::new(transcript)
+    }
+
+    /// Returns `true` if the server identity is to be proven.
+    pub fn server_identity(&self) -> bool {
+        self.server_identity
+    }
+
+    /// Returns the sent and received ranges of the transcript to be revealed,
+    /// respectively.
+    pub fn reveal(&self) -> Option<&(RangeSet<usize>, RangeSet<usize>)> {
+        self.reveal.as_ref()
+    }
+
+    /// Returns the transcript commitment configuration.
+    pub fn transcript_commit(&self) -> Option<&TranscriptCommitConfig> {
+        self.transcript_commit.as_ref()
+    }
+
+    /// Returns a request.
+    pub fn to_request(&self) -> ProveRequest {
+        ProveRequest {
+            server_identity: self.server_identity,
+            reveal: self.reveal.clone(),
+            transcript_commit: self
+                .transcript_commit
+                .clone()
+                .map(|config| config.to_request()),
+        }
+    }
+}
+
+/// Builder for [`ProveConfig`].
+#[derive(Debug)]
+pub struct ProveConfigBuilder<'a> {
+    transcript: &'a Transcript,
+    server_identity: bool,
+    reveal: Option<(RangeSet<usize>, RangeSet<usize>)>,
+    transcript_commit: Option<TranscriptCommitConfig>,
+}
+
+impl<'a> ProveConfigBuilder<'a> {
+    /// Creates a new builder.
+    pub fn new(transcript: &'a Transcript) -> Self {
+        Self {
+            transcript,
+            server_identity: false,
+            reveal: None,
+            transcript_commit: None,
+        }
+    }
+
+    /// Proves the server identity.
+    pub fn server_identity(&mut self) -> &mut Self {
+        self.server_identity = true;
+        self
+    }
+
+    /// Configures transcript commitments.
+    pub fn transcript_commit(&mut self, transcript_commit: TranscriptCommitConfig) -> &mut Self {
+        self.transcript_commit = Some(transcript_commit);
+        self
+    }
+
+    /// Reveals the given ranges of the transcript.
+    pub fn reveal(
+        &mut self,
+        direction: Direction,
+        ranges: &dyn ToRangeSet<usize>,
+    ) -> Result<&mut Self, ProveConfigError> {
+        let idx = ranges.to_range_set();
+
+        if idx.end().unwrap_or(0) > self.transcript.len_of_direction(direction) {
+            return Err(ProveConfigError(ErrorRepr::IndexOutOfBounds {
+                direction,
+                actual: idx.end().unwrap_or(0),
+                len: self.transcript.len_of_direction(direction),
+            }));
+        }
+
+        let (sent, recv) = self.reveal.get_or_insert_default();
+        match direction {
+            Direction::Sent => sent.union_mut(&idx),
+            Direction::Received => recv.union_mut(&idx),
+        }
+
+        Ok(self)
+    }
+
+    /// Reveals the given ranges of the sent data transcript.
+    pub fn reveal_sent(
+        &mut self,
+        ranges: &dyn ToRangeSet<usize>,
+    ) -> Result<&mut Self, ProveConfigError> {
+        self.reveal(Direction::Sent, ranges)
+    }
+
+    /// Reveals all of the sent data transcript.
+    pub fn reveal_sent_all(&mut self) -> Result<&mut Self, ProveConfigError> {
+        let len = self.transcript.len_of_direction(Direction::Sent);
+        let (sent, _) = self.reveal.get_or_insert_default();
+        sent.union_mut(&(0..len));
+        Ok(self)
+    }
+
+    /// Reveals the given ranges of the received data transcript.
+    pub fn reveal_recv(
+        &mut self,
+        ranges: &dyn ToRangeSet<usize>,
+    ) -> Result<&mut Self, ProveConfigError> {
+        self.reveal(Direction::Received, ranges)
+    }
+
+    /// Reveals all of the received data transcript.
+    pub fn reveal_recv_all(&mut self) -> Result<&mut Self, ProveConfigError> {
+        let len = self.transcript.len_of_direction(Direction::Received);
+        let (_, recv) = self.reveal.get_or_insert_default();
+        recv.union_mut(&(0..len));
+        Ok(self)
+    }
+
+    /// Builds the configuration.
+    pub fn build(self) -> Result<ProveConfig, ProveConfigError> {
+        Ok(ProveConfig {
+            server_identity: self.server_identity,
+            reveal: self.reveal,
+            transcript_commit: self.transcript_commit,
+        })
+    }
+}
+
+/// Request to prove statements about the connection.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProveRequest {
+    server_identity: bool,
+    reveal: Option<(RangeSet<usize>, RangeSet<usize>)>,
+    transcript_commit: Option<TranscriptCommitRequest>,
+}
+
+impl ProveRequest {
+    /// Returns `true` if the server identity is to be proven.
+    pub fn server_identity(&self) -> bool {
+        self.server_identity
+    }
+
+    /// Returns the sent and received ranges of the transcript to be revealed,
+    /// respectively.
+    pub fn reveal(&self) -> Option<&(RangeSet<usize>, RangeSet<usize>)> {
+        self.reveal.as_ref()
+    }
+
+    /// Returns the transcript commitment configuration.
+    pub fn transcript_commit(&self) -> Option<&TranscriptCommitRequest> {
+        self.transcript_commit.as_ref()
+    }
+}
+
+/// Error for [`ProveConfig`].
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct ProveConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+enum ErrorRepr {
+    #[error("range is out of bounds of the transcript ({direction}): {actual} > {len}")]
+    IndexOutOfBounds {
+        direction: Direction,
+        actual: usize,
+        len: usize,
+    },
+}

crates/core/src/config/prover.rs

@@ -0,0 +1,33 @@
+//! Prover configuration.
+
+use serde::{Deserialize, Serialize};
+
+/// Prover configuration.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProverConfig {}
+
+impl ProverConfig {
+    /// Creates a new builder.
+    pub fn builder() -> ProverConfigBuilder {
+        ProverConfigBuilder::default()
+    }
+}
+
+/// Builder for [`ProverConfig`].
+#[derive(Debug, Default)]
+pub struct ProverConfigBuilder {}
+
+impl ProverConfigBuilder {
+    /// Builds the configuration.
+    pub fn build(self) -> Result<ProverConfig, ProverConfigError> {
+        Ok(ProverConfig {})
+    }
+}
+
+/// Error for [`ProverConfig`].
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct ProverConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+enum ErrorRepr {}

crates/core/src/config/tls.rs

@@ -0,0 +1,111 @@
+//! TLS client configuration.
+
+use serde::{Deserialize, Serialize};
+
+use crate::{
+    connection::ServerName,
+    webpki::{CertificateDer, PrivateKeyDer, RootCertStore},
+};
+
+/// TLS client configuration.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TlsClientConfig {
+    server_name: ServerName,
+    /// Root certificates.
+    root_store: RootCertStore,
+    /// Certificate chain and a matching private key for client
+    /// authentication.
+    client_auth: Option<(Vec<CertificateDer>, PrivateKeyDer)>,
+}
+
+impl TlsClientConfig {
+    /// Creates a new builder.
+    pub fn builder() -> TlsConfigBuilder {
+        TlsConfigBuilder::default()
+    }
+
+    /// Returns the server name.
+    pub fn server_name(&self) -> &ServerName {
+        &self.server_name
+    }
+
+    /// Returns the root certificates.
+    pub fn root_store(&self) -> &RootCertStore {
+        &self.root_store
+    }
+
+    /// Returns a certificate chain and a matching private key for client
+    /// authentication.
+    pub fn client_auth(&self) -> Option<&(Vec<CertificateDer>, PrivateKeyDer)> {
+        self.client_auth.as_ref()
+    }
+}
+
+/// Builder for [`TlsClientConfig`].
+#[derive(Debug, Default)]
+pub struct TlsConfigBuilder {
+    server_name: Option<ServerName>,
+    root_store: Option<RootCertStore>,
+    client_auth: Option<(Vec<CertificateDer>, PrivateKeyDer)>,
+}
+
+impl TlsConfigBuilder {
+    /// Sets the server name.
+    pub fn server_name(mut self, server_name: ServerName) -> Self {
+        self.server_name = Some(server_name);
+        self
+    }
+
+    /// Sets the root certificates to use for verifying the server's
+    /// certificate.
+    pub fn root_store(mut self, store: RootCertStore) -> Self {
+        self.root_store = Some(store);
+        self
+    }
+
+    /// Sets a DER-encoded certificate chain and a matching private key for
+    /// client authentication.
+    ///
+    /// Often the chain will consist of a single end-entity certificate.
+    ///
+    /// # Arguments
+    ///
+    /// * `cert_key` - A tuple containing the certificate chain and the private
+    ///   key.
+    ///
+    ///   - Each certificate in the chain must be in the X.509 format.
+    ///   - The key must be in the ASN.1 format (either PKCS#8 or PKCS#1).
+    pub fn client_auth(mut self, cert_key: (Vec<CertificateDer>, PrivateKeyDer)) -> Self {
+        self.client_auth = Some(cert_key);
+        self
+    }
+
+    /// Builds the TLS configuration.
+    pub fn build(self) -> Result<TlsClientConfig, TlsConfigError> {
+        let server_name = self.server_name.ok_or(ErrorRepr::MissingField {
+            field: "server_name",
+        })?;
+
+        let root_store = self.root_store.ok_or(ErrorRepr::MissingField {
+            field: "root_store",
+        })?;
+
+        Ok(TlsClientConfig {
+            server_name,
+            root_store,
+            client_auth: self.client_auth,
+        })
+    }
+}
+
+/// TLS configuration error.
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct TlsConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+#[error("tls config error")]
+enum ErrorRepr {
+    #[error("missing required field: {field}")]
+    MissingField { field: &'static str },
+}

crates/core/src/config/tls_commit.rs

@@ -0,0 +1,94 @@
+//! TLS commitment configuration.
+
+pub mod mpc;
+
+use serde::{Deserialize, Serialize};
+
+/// TLS commitment configuration.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TlsCommitConfig {
+    protocol: TlsCommitProtocolConfig,
+}
+
+impl TlsCommitConfig {
+    /// Creates a new builder.
+    pub fn builder() -> TlsCommitConfigBuilder {
+        TlsCommitConfigBuilder::default()
+    }
+
+    /// Returns the protocol configuration.
+    pub fn protocol(&self) -> &TlsCommitProtocolConfig {
+        &self.protocol
+    }
+
+    /// Returns a TLS commitment request.
+    pub fn to_request(&self) -> TlsCommitRequest {
+        TlsCommitRequest {
+            config: self.protocol.clone(),
+        }
+    }
+}
+
+/// Builder for [`TlsCommitConfig`].
+#[derive(Debug, Default, Clone, Serialize, Deserialize)]
+pub struct TlsCommitConfigBuilder {
+    protocol: Option<TlsCommitProtocolConfig>,
+}
+
+impl TlsCommitConfigBuilder {
+    /// Sets the protocol configuration.
+    pub fn protocol<C>(mut self, protocol: C) -> Self
+    where
+        C: Into<TlsCommitProtocolConfig>,
+    {
+        self.protocol = Some(protocol.into());
+        self
+    }
+
+    /// Builds the configuration.
+    pub fn build(self) -> Result<TlsCommitConfig, TlsCommitConfigError> {
+        let protocol = self
+            .protocol
+            .ok_or(ErrorRepr::MissingField { name: "protocol" })?;
+
+        Ok(TlsCommitConfig { protocol })
+    }
+}
+
+/// TLS commitment protocol configuration.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[non_exhaustive]
+pub enum TlsCommitProtocolConfig {
+    /// MPC-TLS configuration.
+    Mpc(mpc::MpcTlsConfig),
+}
+
+impl From<mpc::MpcTlsConfig> for TlsCommitProtocolConfig {
+    fn from(config: mpc::MpcTlsConfig) -> Self {
+        Self::Mpc(config)
+    }
+}
+
+/// TLS commitment request.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TlsCommitRequest {
+    config: TlsCommitProtocolConfig,
+}
+
+impl TlsCommitRequest {
+    /// Returns the protocol configuration.
+    pub fn protocol(&self) -> &TlsCommitProtocolConfig {
+        &self.config
+    }
+}
+
+/// Error for [`TlsCommitConfig`].
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct TlsCommitConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+enum ErrorRepr {
+    #[error("missing field: {name}")]
+    MissingField { name: &'static str },
+}

crates/core/src/config/tls_commit/mpc.rs

@@ -0,0 +1,241 @@
+//! MPC-TLS commitment protocol configuration.
+
+use serde::{Deserialize, Serialize};
+
+// Default is 32 bytes to decrypt the TLS protocol messages.
+const DEFAULT_MAX_RECV_ONLINE: usize = 32;
+
+/// MPC-TLS commitment protocol configuration.
+#[derive(Clone, Debug, Deserialize, Serialize)]
+#[serde(try_from = "unchecked::MpcTlsConfigUnchecked")]
+pub struct MpcTlsConfig {
+    /// Maximum number of bytes that can be sent.
+    max_sent_data: usize,
+    /// Maximum number of application data records that can be sent.
+    max_sent_records: Option<usize>,
+    /// Maximum number of bytes that can be decrypted online, i.e. while the
+    /// MPC-TLS connection is active.
+    max_recv_data_online: usize,
+    /// Maximum number of bytes that can be received.
+    max_recv_data: usize,
+    /// Maximum number of received application data records that can be
+    /// decrypted online, i.e. while the MPC-TLS connection is active.
+    max_recv_records_online: Option<usize>,
+    /// Whether the `deferred decryption` feature is toggled on from the start
+    /// of the MPC-TLS connection.
+    defer_decryption_from_start: bool,
+    /// Network settings.
+    network: NetworkSetting,
+}
+
+impl MpcTlsConfig {
+    /// Creates a new builder.
+    pub fn builder() -> MpcTlsConfigBuilder {
+        MpcTlsConfigBuilder::default()
+    }
+
+    /// Returns the maximum number of bytes that can be sent.
+    pub fn max_sent_data(&self) -> usize {
+        self.max_sent_data
+    }
+
+    /// Returns the maximum number of application data records that can
+    /// be sent.
+    pub fn max_sent_records(&self) -> Option<usize> {
+        self.max_sent_records
+    }
+
+    /// Returns the maximum number of bytes that can be decrypted online.
+    pub fn max_recv_data_online(&self) -> usize {
+        self.max_recv_data_online
+    }
+
+    /// Returns the maximum number of bytes that can be received.
+    pub fn max_recv_data(&self) -> usize {
+        self.max_recv_data
+    }
+
+    /// Returns the maximum number of received application data records that
+    /// can be decrypted online.
+    pub fn max_recv_records_online(&self) -> Option<usize> {
+        self.max_recv_records_online
+    }
+
+    /// Returns whether the `deferred decryption` feature is toggled on from the
+    /// start of the MPC-TLS connection.
+    pub fn defer_decryption_from_start(&self) -> bool {
+        self.defer_decryption_from_start
+    }
+
+    /// Returns the network settings.
+    pub fn network(&self) -> NetworkSetting {
+        self.network
+    }
+}
+
+fn validate(config: MpcTlsConfig) -> Result<MpcTlsConfig, MpcTlsConfigError> {
+    if config.max_recv_data_online > config.max_recv_data {
+        return Err(ErrorRepr::InvalidValue {
+            name: "max_recv_data_online",
+            reason: format!(
+                "must be <= max_recv_data ({} > {})",
+                config.max_recv_data_online, config.max_recv_data
+            ),
+        }
+        .into());
+    }
+
+    Ok(config)
+}
+
+/// Builder for [`MpcTlsConfig`].
+#[derive(Debug, Default)]
+pub struct MpcTlsConfigBuilder {
+    max_sent_data: Option<usize>,
+    max_sent_records: Option<usize>,
+    max_recv_data_online: Option<usize>,
+    max_recv_data: Option<usize>,
+    max_recv_records_online: Option<usize>,
+    defer_decryption_from_start: Option<bool>,
+    network: Option<NetworkSetting>,
+}
+
+impl MpcTlsConfigBuilder {
+    /// Sets the maximum number of bytes that can be sent.
+    pub fn max_sent_data(mut self, max_sent_data: usize) -> Self {
+        self.max_sent_data = Some(max_sent_data);
+        self
+    }
+
+    /// Sets the maximum number of application data records that can be sent.
+    pub fn max_sent_records(mut self, max_sent_records: usize) -> Self {
+        self.max_sent_records = Some(max_sent_records);
+        self
+    }
+
+    /// Sets the maximum number of bytes that can be decrypted online.
+    pub fn max_recv_data_online(mut self, max_recv_data_online: usize) -> Self {
+        self.max_recv_data_online = Some(max_recv_data_online);
+        self
+    }
+
+    /// Sets the maximum number of bytes that can be received.
+    pub fn max_recv_data(mut self, max_recv_data: usize) -> Self {
+        self.max_recv_data = Some(max_recv_data);
+        self
+    }
+
+    /// Sets the maximum number of received application data records that can
+    /// be decrypted online.
+    pub fn max_recv_records_online(mut self, max_recv_records_online: usize) -> Self {
+        self.max_recv_records_online = Some(max_recv_records_online);
+        self
+    }
+
+    /// Sets whether the `deferred decryption` feature is toggled on from the
+    /// start of the MPC-TLS connection.
+    pub fn defer_decryption_from_start(mut self, defer_decryption_from_start: bool) -> Self {
+        self.defer_decryption_from_start = Some(defer_decryption_from_start);
+        self
+    }
+
+    /// Sets the network settings.
+    pub fn network(mut self, network: NetworkSetting) -> Self {
+        self.network = Some(network);
+        self
+    }
+
+    /// Builds the configuration.
+    pub fn build(self) -> Result<MpcTlsConfig, MpcTlsConfigError> {
+        let Self {
+            max_sent_data,
+            max_sent_records,
+            max_recv_data_online,
+            max_recv_data,
+            max_recv_records_online,
+            defer_decryption_from_start,
+            network,
+        } = self;
+
+        let max_sent_data = max_sent_data.ok_or(ErrorRepr::MissingField {
+            name: "max_sent_data",
+        })?;
+
+        let max_recv_data_online = max_recv_data_online.unwrap_or(DEFAULT_MAX_RECV_ONLINE);
+        let max_recv_data = max_recv_data.ok_or(ErrorRepr::MissingField {
+            name: "max_recv_data",
+        })?;
+
+        let defer_decryption_from_start = defer_decryption_from_start.unwrap_or(true);
+        let network = network.unwrap_or_default();
+
+        validate(MpcTlsConfig {
+            max_sent_data,
+            max_sent_records,
+            max_recv_data_online,
+            max_recv_data,
+            max_recv_records_online,
+            defer_decryption_from_start,
+            network,
+        })
+    }
+}
+
+/// Settings for the network environment.
+///
+/// Provides optimization options to adapt the protocol to different network
+/// situations.
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, Default)]
+pub enum NetworkSetting {
+    /// Reduces network round-trips at the expense of consuming more network
+    /// bandwidth.
+    Bandwidth,
+    /// Reduces network bandwidth utilization at the expense of more network
+    /// round-trips.
+    #[default]
+    Latency,
+}
+
+/// Error for [`MpcTlsConfig`].
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct MpcTlsConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+enum ErrorRepr {
+    #[error("missing field: {name}")]
+    MissingField { name: &'static str },
+    #[error("invalid value for field({name}): {reason}")]
+    InvalidValue { name: &'static str, reason: String },
+}
+
+mod unchecked {
+    use super::*;
+
+    #[derive(Deserialize)]
+    pub(super) struct MpcTlsConfigUnchecked {
+        max_sent_data: usize,
+        max_sent_records: Option<usize>,
+        max_recv_data_online: usize,
+        max_recv_data: usize,
+        max_recv_records_online: Option<usize>,
+        defer_decryption_from_start: bool,
+        network: NetworkSetting,
+    }
+
+    impl TryFrom<MpcTlsConfigUnchecked> for MpcTlsConfig {
+        type Error = MpcTlsConfigError;
+
+        fn try_from(value: MpcTlsConfigUnchecked) -> Result<Self, Self::Error> {
+            validate(MpcTlsConfig {
+                max_sent_data: value.max_sent_data,
+                max_sent_records: value.max_sent_records,
+                max_recv_data_online: value.max_recv_data_online,
+                max_recv_data: value.max_recv_data,
+                max_recv_records_online: value.max_recv_records_online,
+                defer_decryption_from_start: value.defer_decryption_from_start,
+                network: value.network,
+            })
+        }
+    }
+}

crates/core/src/config/verifier.rs

@@ -0,0 +1,56 @@
+//! Verifier configuration.
+
+use serde::{Deserialize, Serialize};
+
+use crate::webpki::RootCertStore;
+
+/// Verifier configuration.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct VerifierConfig {
+    root_store: RootCertStore,
+}
+
+impl VerifierConfig {
+    /// Creates a new builder.
+    pub fn builder() -> VerifierConfigBuilder {
+        VerifierConfigBuilder::default()
+    }
+
+    /// Returns the root certificate store.
+    pub fn root_store(&self) -> &RootCertStore {
+        &self.root_store
+    }
+}
+
+/// Builder for [`VerifierConfig`].
+#[derive(Debug, Default)]
+pub struct VerifierConfigBuilder {
+    root_store: Option<RootCertStore>,
+}
+
+impl VerifierConfigBuilder {
+    /// Sets the root certificate store.
+    pub fn root_store(mut self, root_store: RootCertStore) -> Self {
+        self.root_store = Some(root_store);
+        self
+    }
+
+    /// Builds the configuration.
+    pub fn build(self) -> Result<VerifierConfig, VerifierConfigError> {
+        let root_store = self
+            .root_store
+            .ok_or(ErrorRepr::MissingField { name: "root_store" })?;
+        Ok(VerifierConfig { root_store })
+    }
+}
+
+/// Error for [`VerifierConfig`].
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct VerifierConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+enum ErrorRepr {
+    #[error("missing field: {name}")]
+    MissingField { name: &'static str },
+}

crates/core/src/connection.rs

@@ -116,84 +116,75 @@ pub enum KeyType {
     SECP256R1 = 0x0017,
 }
 
-/// Signature scheme on the key exchange parameters.
+/// Signature algorithm used on the key exchange parameters.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
 #[serde(rename_all = "lowercase")]
 #[allow(non_camel_case_types, missing_docs)]
-pub enum SignatureScheme {
+pub enum SignatureAlgorithm {
-    RSA_PKCS1_SHA1 = 0x0201,
+    ECDSA_NISTP256_SHA256,
-    ECDSA_SHA1_Legacy = 0x0203,
+    ECDSA_NISTP256_SHA384,
-    RSA_PKCS1_SHA256 = 0x0401,
+    ECDSA_NISTP384_SHA256,
-    ECDSA_NISTP256_SHA256 = 0x0403,
+    ECDSA_NISTP384_SHA384,
-    RSA_PKCS1_SHA384 = 0x0501,
+    ED25519,
-    ECDSA_NISTP384_SHA384 = 0x0503,
+    RSA_PKCS1_2048_8192_SHA256,
-    RSA_PKCS1_SHA512 = 0x0601,
+    RSA_PKCS1_2048_8192_SHA384,
-    ECDSA_NISTP521_SHA512 = 0x0603,
+    RSA_PKCS1_2048_8192_SHA512,
-    RSA_PSS_SHA256 = 0x0804,
+    RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
-    RSA_PSS_SHA384 = 0x0805,
+    RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
-    RSA_PSS_SHA512 = 0x0806,
+    RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
-    ED25519 = 0x0807,
 }
 
-impl fmt::Display for SignatureScheme {
+impl fmt::Display for SignatureAlgorithm {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match self {
-            SignatureScheme::RSA_PKCS1_SHA1 => write!(f, "RSA_PKCS1_SHA1"),
+            SignatureAlgorithm::ECDSA_NISTP256_SHA256 => write!(f, "ECDSA_NISTP256_SHA256"),
-            SignatureScheme::ECDSA_SHA1_Legacy => write!(f, "ECDSA_SHA1_Legacy"),
+            SignatureAlgorithm::ECDSA_NISTP256_SHA384 => write!(f, "ECDSA_NISTP256_SHA384"),
-            SignatureScheme::RSA_PKCS1_SHA256 => write!(f, "RSA_PKCS1_SHA256"),
+            SignatureAlgorithm::ECDSA_NISTP384_SHA256 => write!(f, "ECDSA_NISTP384_SHA256"),
-            SignatureScheme::ECDSA_NISTP256_SHA256 => write!(f, "ECDSA_NISTP256_SHA256"),
+            SignatureAlgorithm::ECDSA_NISTP384_SHA384 => write!(f, "ECDSA_NISTP384_SHA384"),
-            SignatureScheme::RSA_PKCS1_SHA384 => write!(f, "RSA_PKCS1_SHA384"),
+            SignatureAlgorithm::ED25519 => write!(f, "ED25519"),
-            SignatureScheme::ECDSA_NISTP384_SHA384 => write!(f, "ECDSA_NISTP384_SHA384"),
+            SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA256 => {
-            SignatureScheme::RSA_PKCS1_SHA512 => write!(f, "RSA_PKCS1_SHA512"),
+                write!(f, "RSA_PKCS1_2048_8192_SHA256")
-            SignatureScheme::ECDSA_NISTP521_SHA512 => write!(f, "ECDSA_NISTP521_SHA512"),
+            }
-            SignatureScheme::RSA_PSS_SHA256 => write!(f, "RSA_PSS_SHA256"),
+            SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA384 => {
-            SignatureScheme::RSA_PSS_SHA384 => write!(f, "RSA_PSS_SHA384"),
+                write!(f, "RSA_PKCS1_2048_8192_SHA384")
-            SignatureScheme::RSA_PSS_SHA512 => write!(f, "RSA_PSS_SHA512"),
+            }
-            SignatureScheme::ED25519 => write!(f, "ED25519"),
+            SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA512 => {
+                write!(f, "RSA_PKCS1_2048_8192_SHA512")
+            }
+            SignatureAlgorithm::RSA_PSS_2048_8192_SHA256_LEGACY_KEY => {
+                write!(f, "RSA_PSS_2048_8192_SHA256_LEGACY_KEY")
+            }
+            SignatureAlgorithm::RSA_PSS_2048_8192_SHA384_LEGACY_KEY => {
+                write!(f, "RSA_PSS_2048_8192_SHA384_LEGACY_KEY")
+            }
+            SignatureAlgorithm::RSA_PSS_2048_8192_SHA512_LEGACY_KEY => {
+                write!(f, "RSA_PSS_2048_8192_SHA512_LEGACY_KEY")
+            }
         }
     }
 }
 
-impl TryFrom<tls_core::msgs::enums::SignatureScheme> for SignatureScheme {
+impl From<tls_core::verify::SignatureAlgorithm> for SignatureAlgorithm {
-    type Error = &'static str;
+    fn from(value: tls_core::verify::SignatureAlgorithm) -> Self {
-
+        use tls_core::verify::SignatureAlgorithm as Core;
-    fn try_from(value: tls_core::msgs::enums::SignatureScheme) -> Result<Self, Self::Error> {
-        use tls_core::msgs::enums::SignatureScheme as Core;
-        use SignatureScheme::*;
-        Ok(match value {
-            Core::RSA_PKCS1_SHA1 => RSA_PKCS1_SHA1,
-            Core::ECDSA_SHA1_Legacy => ECDSA_SHA1_Legacy,
-            Core::RSA_PKCS1_SHA256 => RSA_PKCS1_SHA256,
-            Core::ECDSA_NISTP256_SHA256 => ECDSA_NISTP256_SHA256,
-            Core::RSA_PKCS1_SHA384 => RSA_PKCS1_SHA384,
-            Core::ECDSA_NISTP384_SHA384 => ECDSA_NISTP384_SHA384,
-            Core::RSA_PKCS1_SHA512 => RSA_PKCS1_SHA512,
-            Core::ECDSA_NISTP521_SHA512 => ECDSA_NISTP521_SHA512,
-            Core::RSA_PSS_SHA256 => RSA_PSS_SHA256,
-            Core::RSA_PSS_SHA384 => RSA_PSS_SHA384,
-            Core::RSA_PSS_SHA512 => RSA_PSS_SHA512,
-            Core::ED25519 => ED25519,
-            _ => return Err("unsupported signature scheme"),
-        })
-    }
-}
-
-impl From<SignatureScheme> for tls_core::msgs::enums::SignatureScheme {
-    fn from(value: SignatureScheme) -> Self {
-        use tls_core::msgs::enums::SignatureScheme::*;
         match value {
-            SignatureScheme::RSA_PKCS1_SHA1 => RSA_PKCS1_SHA1,
+            Core::ECDSA_NISTP256_SHA256 => SignatureAlgorithm::ECDSA_NISTP256_SHA256,
-            SignatureScheme::ECDSA_SHA1_Legacy => ECDSA_SHA1_Legacy,
+            Core::ECDSA_NISTP256_SHA384 => SignatureAlgorithm::ECDSA_NISTP256_SHA384,
-            SignatureScheme::RSA_PKCS1_SHA256 => RSA_PKCS1_SHA256,
+            Core::ECDSA_NISTP384_SHA256 => SignatureAlgorithm::ECDSA_NISTP384_SHA256,
-            SignatureScheme::ECDSA_NISTP256_SHA256 => ECDSA_NISTP256_SHA256,
+            Core::ECDSA_NISTP384_SHA384 => SignatureAlgorithm::ECDSA_NISTP384_SHA384,
-            SignatureScheme::RSA_PKCS1_SHA384 => RSA_PKCS1_SHA384,
+            Core::ED25519 => SignatureAlgorithm::ED25519,
-            SignatureScheme::ECDSA_NISTP384_SHA384 => ECDSA_NISTP384_SHA384,
+            Core::RSA_PKCS1_2048_8192_SHA256 => SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA256,
-            SignatureScheme::RSA_PKCS1_SHA512 => RSA_PKCS1_SHA512,
+            Core::RSA_PKCS1_2048_8192_SHA384 => SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA384,
-            SignatureScheme::ECDSA_NISTP521_SHA512 => ECDSA_NISTP521_SHA512,
+            Core::RSA_PKCS1_2048_8192_SHA512 => SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA512,
-            SignatureScheme::RSA_PSS_SHA256 => RSA_PSS_SHA256,
+            Core::RSA_PSS_2048_8192_SHA256_LEGACY_KEY => {
-            SignatureScheme::RSA_PSS_SHA384 => RSA_PSS_SHA384,
+                SignatureAlgorithm::RSA_PSS_2048_8192_SHA256_LEGACY_KEY
-            SignatureScheme::RSA_PSS_SHA512 => RSA_PSS_SHA512,
+            }
-            SignatureScheme::ED25519 => ED25519,
+            Core::RSA_PSS_2048_8192_SHA384_LEGACY_KEY => {
+                SignatureAlgorithm::RSA_PSS_2048_8192_SHA384_LEGACY_KEY
+            }
+            Core::RSA_PSS_2048_8192_SHA512_LEGACY_KEY => {
+                SignatureAlgorithm::RSA_PSS_2048_8192_SHA512_LEGACY_KEY
+            }
         }
     }
 }
@@ -201,8 +192,8 @@ impl From<SignatureScheme> for tls_core::msgs::enums::SignatureScheme {
 /// Server's signature of the key exchange parameters.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ServerSignature {
-    /// Signature scheme.
+    /// Signature algorithm.
-    pub scheme: SignatureScheme,
+    pub alg: SignatureAlgorithm,
     /// Signature data.
     pub sig: Vec<u8>,
 }
@@ -359,20 +350,23 @@ impl HandshakeData {
         message.extend_from_slice(&server_ephemeral_key.kx_params());
 
         use webpki::ring as alg;
-        let sig_alg = match self.sig.scheme {
+        let sig_alg = match self.sig.alg {
-            SignatureScheme::RSA_PKCS1_SHA256 => alg::RSA_PKCS1_2048_8192_SHA256,
+            SignatureAlgorithm::ECDSA_NISTP256_SHA256 => alg::ECDSA_P256_SHA256,
-            SignatureScheme::RSA_PKCS1_SHA384 => alg::RSA_PKCS1_2048_8192_SHA384,
+            SignatureAlgorithm::ECDSA_NISTP256_SHA384 => alg::ECDSA_P256_SHA384,
-            SignatureScheme::RSA_PKCS1_SHA512 => alg::RSA_PKCS1_2048_8192_SHA512,
+            SignatureAlgorithm::ECDSA_NISTP384_SHA256 => alg::ECDSA_P384_SHA256,
-            SignatureScheme::RSA_PSS_SHA256 => alg::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
+            SignatureAlgorithm::ECDSA_NISTP384_SHA384 => alg::ECDSA_P384_SHA384,
-            SignatureScheme::RSA_PSS_SHA384 => alg::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
+            SignatureAlgorithm::ED25519 => alg::ED25519,
-            SignatureScheme::RSA_PSS_SHA512 => alg::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+            SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA256 => alg::RSA_PKCS1_2048_8192_SHA256,
-            SignatureScheme::ECDSA_NISTP256_SHA256 => alg::ECDSA_P256_SHA256,
+            SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA384 => alg::RSA_PKCS1_2048_8192_SHA384,
-            SignatureScheme::ECDSA_NISTP384_SHA384 => alg::ECDSA_P384_SHA384,
+            SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA512 => alg::RSA_PKCS1_2048_8192_SHA512,
-            SignatureScheme::ED25519 => alg::ED25519,
+            SignatureAlgorithm::RSA_PSS_2048_8192_SHA256_LEGACY_KEY => {
-            scheme => {
+                alg::RSA_PSS_2048_8192_SHA256_LEGACY_KEY
-                return Err(HandshakeVerificationError::UnsupportedSignatureScheme(
+            }
-                    scheme,
+            SignatureAlgorithm::RSA_PSS_2048_8192_SHA384_LEGACY_KEY => {
-                ))
+                alg::RSA_PSS_2048_8192_SHA384_LEGACY_KEY
+            }
+            SignatureAlgorithm::RSA_PSS_2048_8192_SHA512_LEGACY_KEY => {
+                alg::RSA_PSS_2048_8192_SHA512_LEGACY_KEY
             }
         };
 
@@ -402,8 +396,6 @@ pub enum HandshakeVerificationError {
     InvalidServerEphemeralKey,
     #[error("server certificate verification failed: {0}")]
     ServerCert(ServerCertVerifierError),
-    #[error("unsupported signature scheme: {0}")]
-    UnsupportedSignatureScheme(SignatureScheme),
 }
 
 #[cfg(test)]

crates/core/src/display.rs

@@ -1,11 +1,11 @@
-use rangeset::RangeSet;
+use rangeset::set::RangeSet;
 
 pub(crate) struct FmtRangeSet<'a>(pub &'a RangeSet<usize>);
 
 impl<'a> std::fmt::Display for FmtRangeSet<'a> {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.write_str("{")?;
-        for range in self.0.iter_ranges() {
+        for range in self.0.iter() {
             write!(f, "{}..{}", range.start, range.end)?;
             if range.end < self.0.end().unwrap_or(0) {
                 f.write_str(", ")?;

crates/core/src/fixtures.rs

@@ -10,7 +10,8 @@ use hex::FromHex;
 use crate::{
     connection::{
         CertBinding, CertBindingV1_2, ConnectionInfo, DnsName, HandshakeData, KeyType,
-        ServerEphemKey, ServerName, ServerSignature, SignatureScheme, TlsVersion, TranscriptLength,
+        ServerEphemKey, ServerName, ServerSignature, SignatureAlgorithm, TlsVersion,
+        TranscriptLength,
     },
     transcript::{
         encoding::{EncoderSecret, EncodingProvider},
@@ -47,7 +48,7 @@ impl ConnectionFixture {
                     CertificateDer(include_bytes!("fixtures/data/tlsnotary.org/ca.der").to_vec()),
                 ],
                 sig: ServerSignature {
-                    scheme: SignatureScheme::RSA_PKCS1_SHA256,
+                    alg: SignatureAlgorithm::RSA_PKCS1_2048_8192_SHA256,
                     sig: Vec::<u8>::from_hex(include_bytes!(
                         "fixtures/data/tlsnotary.org/signature"
                     ))
@@ -92,7 +93,7 @@ impl ConnectionFixture {
                     CertificateDer(include_bytes!("fixtures/data/appliedzkp.org/ca.der").to_vec()),
                 ],
                 sig: ServerSignature {
-                    scheme: SignatureScheme::ECDSA_NISTP256_SHA256,
+                    alg: SignatureAlgorithm::ECDSA_NISTP256_SHA256,
                     sig: Vec::<u8>::from_hex(include_bytes!(
                         "fixtures/data/appliedzkp.org/signature"
                     ))

crates/core/src/fixtures/transcript.rs

@@ -2,12 +2,13 @@
 
 use aead::Payload as AeadPayload;
 use aes_gcm::{aead::Aead, Aes128Gcm, NewAead};
+#[allow(deprecated)]
 use generic_array::GenericArray;
 use rand::{rngs::StdRng, Rng, SeedableRng};
 use tls_core::msgs::{
     base::Payload,
     codec::Codec,
-    enums::{ContentType, HandshakeType, ProtocolVersion},
+    enums::{HandshakeType, ProtocolVersion},
     handshake::{HandshakeMessagePayload, HandshakePayload},
     message::{OpaqueMessage, PlainMessage},
 };
@@ -15,7 +16,7 @@ use tls_core::msgs::{
 use crate::{
     connection::{TranscriptLength, VerifyData},
     fixtures::ConnectionFixture,
-    transcript::{Record, TlsTranscript},
+    transcript::{ContentType, Record, TlsTranscript},
 };
 
 /// The key used for encryption of the sent and received transcript.
@@ -103,7 +104,7 @@ impl TranscriptGenerator {
 
         let explicit_nonce: [u8; 8] = seq.to_be_bytes();
         let msg = PlainMessage {
-            typ: ContentType::ApplicationData,
+            typ: ContentType::ApplicationData.into(),
             version: ProtocolVersion::TLSv1_2,
             payload: Payload::new(plaintext),
         };
@@ -138,7 +139,7 @@ impl TranscriptGenerator {
         handshake_message.encode(&mut plaintext);
 
         let msg = PlainMessage {
-            typ: ContentType::Handshake,
+            typ: ContentType::Handshake.into(),
             version: ProtocolVersion::TLSv1_2,
             payload: Payload::new(plaintext.clone()),
         };
@@ -180,6 +181,7 @@ fn aes_gcm_encrypt(
     let mut nonce = [0u8; 12];
     nonce[..4].copy_from_slice(&iv);
     nonce[4..].copy_from_slice(&explicit_nonce);
+    #[allow(deprecated)]
     let nonce = GenericArray::from_slice(&nonce);
     let cipher = Aes128Gcm::new_from_slice(&key).unwrap();
 

crates/core/src/hash.rs

@@ -191,6 +191,11 @@ impl Hash {
             len: value.len(),
         }
     }
+
+    /// Returns a byte slice of the hash value.
+    pub fn as_bytes(&self) -> &[u8] {
+        &self.value[..self.len]
+    }
 }
 
 impl rs_merkle::Hash for Hash {
@@ -291,14 +296,14 @@ mod sha2 {
         fn hash(&self, data: &[u8]) -> super::Hash {
             let mut hasher = ::sha2::Sha256::default();
             hasher.update(data);
-            super::Hash::new(hasher.finalize().as_slice())
+            super::Hash::new(hasher.finalize().as_ref())
         }
 
         fn hash_prefixed(&self, prefix: &[u8], data: &[u8]) -> super::Hash {
             let mut hasher = ::sha2::Sha256::default();
             hasher.update(prefix);
             hasher.update(data);
-            super::Hash::new(hasher.finalize().as_slice())
+            super::Hash::new(hasher.finalize().as_ref())
         }
     }
 }

crates/core/src/lib.rs

@@ -12,196 +12,18 @@ pub mod merkle;
 pub mod transcript;
 pub mod webpki;
 pub use rangeset;
+pub mod config;
 pub(crate) mod display;
 
-use rangeset::{RangeSet, ToRangeSet, UnionMut};
 use serde::{Deserialize, Serialize};
 
 use crate::{
-    connection::{HandshakeData, ServerName},
+    connection::ServerName,
     transcript::{
-        Direction, PartialTranscript, Transcript, TranscriptCommitConfig, TranscriptCommitRequest,
+        encoding::EncoderSecret, PartialTranscript, TranscriptCommitment, TranscriptSecret,
-        TranscriptCommitment, TranscriptSecret,
     },
 };
 
-/// Configuration to prove information to the verifier.
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct ProveConfig {
-    server_identity: bool,
-    reveal: Option<(RangeSet<usize>, RangeSet<usize>)>,
-    transcript_commit: Option<TranscriptCommitConfig>,
-}
-
-impl ProveConfig {
-    /// Creates a new builder.
-    pub fn builder(transcript: &Transcript) -> ProveConfigBuilder<'_> {
-        ProveConfigBuilder::new(transcript)
-    }
-
-    /// Returns `true` if the server identity is to be proven.
-    pub fn server_identity(&self) -> bool {
-        self.server_identity
-    }
-
-    /// Returns the ranges of the transcript to be revealed.
-    pub fn reveal(&self) -> Option<&(RangeSet<usize>, RangeSet<usize>)> {
-        self.reveal.as_ref()
-    }
-
-    /// Returns the transcript commitment configuration.
-    pub fn transcript_commit(&self) -> Option<&TranscriptCommitConfig> {
-        self.transcript_commit.as_ref()
-    }
-}
-
-/// Builder for [`ProveConfig`].
-#[derive(Debug)]
-pub struct ProveConfigBuilder<'a> {
-    transcript: &'a Transcript,
-    server_identity: bool,
-    reveal: Option<(RangeSet<usize>, RangeSet<usize>)>,
-    transcript_commit: Option<TranscriptCommitConfig>,
-}
-
-impl<'a> ProveConfigBuilder<'a> {
-    /// Creates a new builder.
-    pub fn new(transcript: &'a Transcript) -> Self {
-        Self {
-            transcript,
-            server_identity: false,
-            reveal: None,
-            transcript_commit: None,
-        }
-    }
-
-    /// Proves the server identity.
-    pub fn server_identity(&mut self) -> &mut Self {
-        self.server_identity = true;
-        self
-    }
-
-    /// Configures transcript commitments.
-    pub fn transcript_commit(&mut self, transcript_commit: TranscriptCommitConfig) -> &mut Self {
-        self.transcript_commit = Some(transcript_commit);
-        self
-    }
-
-    /// Reveals the given ranges of the transcript.
-    pub fn reveal(
-        &mut self,
-        direction: Direction,
-        ranges: &dyn ToRangeSet<usize>,
-    ) -> Result<&mut Self, ProveConfigBuilderError> {
-        let idx = ranges.to_range_set();
-
-        if idx.end().unwrap_or(0) > self.transcript.len_of_direction(direction) {
-            return Err(ProveConfigBuilderError(
-                ProveConfigBuilderErrorRepr::IndexOutOfBounds {
-                    direction,
-                    actual: idx.end().unwrap_or(0),
-                    len: self.transcript.len_of_direction(direction),
-                },
-            ));
-        }
-
-        let (sent, recv) = self.reveal.get_or_insert_default();
-        match direction {
-            Direction::Sent => sent.union_mut(&idx),
-            Direction::Received => recv.union_mut(&idx),
-        }
-
-        Ok(self)
-    }
-
-    /// Reveals the given ranges of the sent data transcript.
-    pub fn reveal_sent(
-        &mut self,
-        ranges: &dyn ToRangeSet<usize>,
-    ) -> Result<&mut Self, ProveConfigBuilderError> {
-        self.reveal(Direction::Sent, ranges)
-    }
-
-    /// Reveals the given ranges of the received data transcript.
-    pub fn reveal_recv(
-        &mut self,
-        ranges: &dyn ToRangeSet<usize>,
-    ) -> Result<&mut Self, ProveConfigBuilderError> {
-        self.reveal(Direction::Received, ranges)
-    }
-
-    /// Builds the configuration.
-    pub fn build(self) -> Result<ProveConfig, ProveConfigBuilderError> {
-        Ok(ProveConfig {
-            server_identity: self.server_identity,
-            reveal: self.reveal,
-            transcript_commit: self.transcript_commit,
-        })
-    }
-}
-
-/// Error for [`ProveConfigBuilder`].
-#[derive(Debug, thiserror::Error)]
-#[error(transparent)]
-pub struct ProveConfigBuilderError(#[from] ProveConfigBuilderErrorRepr);
-
-#[derive(Debug, thiserror::Error)]
-enum ProveConfigBuilderErrorRepr {
-    #[error("range is out of bounds of the transcript ({direction}): {actual} > {len}")]
-    IndexOutOfBounds {
-        direction: Direction,
-        actual: usize,
-        len: usize,
-    },
-}
-
-/// Configuration to verify information from the prover.
-#[derive(Debug, Default, Clone, Serialize, Deserialize)]
-pub struct VerifyConfig {}
-
-impl VerifyConfig {
-    /// Creates a new builder.
-    pub fn builder() -> VerifyConfigBuilder {
-        VerifyConfigBuilder::new()
-    }
-}
-
-/// Builder for [`VerifyConfig`].
-#[derive(Debug, Default)]
-pub struct VerifyConfigBuilder {}
-
-impl VerifyConfigBuilder {
-    /// Creates a new builder.
-    pub fn new() -> Self {
-        Self {}
-    }
-
-    /// Builds the configuration.
-    pub fn build(self) -> Result<VerifyConfig, VerifyConfigBuilderError> {
-        Ok(VerifyConfig {})
-    }
-}
-
-/// Error for [`VerifyConfigBuilder`].
-#[derive(Debug, thiserror::Error)]
-#[error(transparent)]
-pub struct VerifyConfigBuilderError(#[from] VerifyConfigBuilderErrorRepr);
-
-#[derive(Debug, thiserror::Error)]
-enum VerifyConfigBuilderErrorRepr {}
-
-/// Payload sent to the verifier.
-#[doc(hidden)]
-#[derive(Debug, Serialize, Deserialize)]
-pub struct ProvePayload {
-    /// Handshake data.
-    pub handshake: Option<(ServerName, HandshakeData)>,
-    /// Transcript data.
-    pub transcript: Option<PartialTranscript>,
-    /// Transcript commitment configuration.
-    pub transcript_commit: Option<TranscriptCommitRequest>,
-}
-
 /// Prover output.
 #[derive(Serialize, Deserialize)]
 pub struct ProverOutput {
@@ -220,6 +42,8 @@ pub struct VerifierOutput {
     pub server_name: Option<ServerName>,
     /// Transcript data.
     pub transcript: Option<PartialTranscript>,
+    /// Encoding commitment secret.
+    pub encoder_secret: Option<EncoderSecret>,
     /// Transcript commitments.
     pub transcript_commitments: Vec<TranscriptCommitment>,
 }

crates/core/src/transcript.rs

@@ -26,7 +26,11 @@ mod tls;
 
 use std::{fmt, ops::Range};
 
-use rangeset::{Difference, IndexRanges, RangeSet, Union};
+use rangeset::{
+    iter::RangeIterator,
+    ops::{Index, Set},
+    set::RangeSet,
+};
 use serde::{Deserialize, Serialize};
 
 use crate::connection::TranscriptLength;
@@ -38,8 +42,7 @@ pub use commit::{
 pub use proof::{
     TranscriptProof, TranscriptProofBuilder, TranscriptProofBuilderError, TranscriptProofError,
 };
-pub use tls::{Record, TlsTranscript};
+pub use tls::{ContentType, Record, TlsTranscript};
-pub use tls_core::msgs::enums::ContentType;
 
 /// A transcript contains the plaintext of all application data communicated
 /// between the Prover and the Server.
@@ -107,8 +110,14 @@ impl Transcript {
         }
 
         Some(
-            Subsequence::new(idx.clone(), data.index_ranges(idx))
+            Subsequence::new(
-                .expect("data is same length as index"),
+                idx.clone(),
+                data.index(idx).fold(Vec::new(), |mut acc, s| {
+                    acc.extend_from_slice(s);
+                    acc
+                }),
+            )
+            .expect("data is same length as index"),
         )
     }
 
@@ -130,11 +139,11 @@ impl Transcript {
         let mut sent = vec![0; self.sent.len()];
         let mut received = vec![0; self.received.len()];
 
-        for range in sent_idx.iter_ranges() {
+        for range in sent_idx.iter() {
             sent[range.clone()].copy_from_slice(&self.sent[range]);
         }
 
-        for range in recv_idx.iter_ranges() {
+        for range in recv_idx.iter() {
             received[range.clone()].copy_from_slice(&self.received[range]);
         }
 
@@ -187,12 +196,20 @@ pub struct CompressedPartialTranscript {
 impl From<PartialTranscript> for CompressedPartialTranscript {
     fn from(uncompressed: PartialTranscript) -> Self {
         Self {
-            sent_authed: uncompressed
+            sent_authed: uncompressed.sent.index(&uncompressed.sent_authed_idx).fold(
-                .sent
+                Vec::new(),
-                .index_ranges(&uncompressed.sent_authed_idx),
+                |mut acc, s| {
+                    acc.extend_from_slice(s);
+                    acc
+                },
+            ),
             received_authed: uncompressed
                 .received
-                .index_ranges(&uncompressed.received_authed_idx),
+                .index(&uncompressed.received_authed_idx)
+                .fold(Vec::new(), |mut acc, s| {
+                    acc.extend_from_slice(s);
+                    acc
+                }),
             sent_idx: uncompressed.sent_authed_idx,
             recv_idx: uncompressed.received_authed_idx,
             sent_total: uncompressed.sent.len(),
@@ -208,7 +225,7 @@ impl From<CompressedPartialTranscript> for PartialTranscript {
 
         let mut offset = 0;
 
-        for range in compressed.sent_idx.iter_ranges() {
+        for range in compressed.sent_idx.iter() {
             sent[range.clone()]
                 .copy_from_slice(&compressed.sent_authed[offset..offset + range.len()]);
             offset += range.len();
@@ -216,7 +233,7 @@ impl From<CompressedPartialTranscript> for PartialTranscript {
 
         let mut offset = 0;
 
-        for range in compressed.recv_idx.iter_ranges() {
+        for range in compressed.recv_idx.iter() {
             received[range.clone()]
                 .copy_from_slice(&compressed.received_authed[offset..offset + range.len()]);
             offset += range.len();
@@ -305,12 +322,16 @@ impl PartialTranscript {
 
     /// Returns the index of sent data which haven't been authenticated.
     pub fn sent_unauthed(&self) -> RangeSet<usize> {
-        (0..self.sent.len()).difference(&self.sent_authed_idx)
+        (0..self.sent.len())
+            .difference(&self.sent_authed_idx)
+            .into_set()
     }
 
     /// Returns the index of received data which haven't been authenticated.
     pub fn received_unauthed(&self) -> RangeSet<usize> {
-        (0..self.received.len()).difference(&self.received_authed_idx)
+        (0..self.received.len())
+            .difference(&self.received_authed_idx)
+            .into_set()
     }
 
     /// Returns an iterator over the authenticated data in the transcript.
@@ -320,7 +341,7 @@ impl PartialTranscript {
             Direction::Received => (&self.received, &self.received_authed_idx),
         };
 
-        authed.iter().map(|i| data[i])
+        authed.iter_values().map(move |i| data[i])
     }
 
     /// Unions the authenticated data of this transcript with another.
@@ -340,24 +361,20 @@ impl PartialTranscript {
             "received data are not the same length"
         );
 
-        for range in other
+        for range in other.sent_authed_idx.difference(&self.sent_authed_idx) {
-            .sent_authed_idx
-            .difference(&self.sent_authed_idx)
-            .iter_ranges()
-        {
             self.sent[range.clone()].copy_from_slice(&other.sent[range]);
         }
 
         for range in other
             .received_authed_idx
             .difference(&self.received_authed_idx)
-            .iter_ranges()
         {
             self.received[range.clone()].copy_from_slice(&other.received[range]);
         }
 
-        self.sent_authed_idx = self.sent_authed_idx.union(&other.sent_authed_idx);
+        self.sent_authed_idx.union_mut(&other.sent_authed_idx);
-        self.received_authed_idx = self.received_authed_idx.union(&other.received_authed_idx);
+        self.received_authed_idx
+            .union_mut(&other.received_authed_idx);
     }
 
     /// Unions an authenticated subsequence into this transcript.
@@ -369,11 +386,11 @@ impl PartialTranscript {
         match direction {
             Direction::Sent => {
                 seq.copy_to(&mut self.sent);
-                self.sent_authed_idx = self.sent_authed_idx.union(&seq.idx);
+                self.sent_authed_idx.union_mut(&seq.idx);
             }
             Direction::Received => {
                 seq.copy_to(&mut self.received);
-                self.received_authed_idx = self.received_authed_idx.union(&seq.idx);
+                self.received_authed_idx.union_mut(&seq.idx);
             }
         }
     }
@@ -384,10 +401,10 @@ impl PartialTranscript {
     ///
     /// * `value` - The value to set the unauthenticated bytes to
     pub fn set_unauthed(&mut self, value: u8) {
-        for range in self.sent_unauthed().iter_ranges() {
+        for range in self.sent_unauthed().iter() {
             self.sent[range].fill(value);
         }
-        for range in self.received_unauthed().iter_ranges() {
+        for range in self.received_unauthed().iter() {
             self.received[range].fill(value);
         }
     }
@@ -402,13 +419,13 @@ impl PartialTranscript {
     pub fn set_unauthed_range(&mut self, value: u8, direction: Direction, range: Range<usize>) {
         match direction {
             Direction::Sent => {
-                for range in range.difference(&self.sent_authed_idx).iter_ranges() {
+                for r in range.difference(&self.sent_authed_idx) {
-                    self.sent[range].fill(value);
+                    self.sent[r].fill(value);
                 }
             }
             Direction::Received => {
-                for range in range.difference(&self.received_authed_idx).iter_ranges() {
+                for r in range.difference(&self.received_authed_idx) {
-                    self.received[range].fill(value);
+                    self.received[r].fill(value);
                 }
             }
         }
@@ -486,7 +503,7 @@ impl Subsequence {
     /// Panics if the subsequence ranges are out of bounds.
     pub(crate) fn copy_to(&self, dest: &mut [u8]) {
         let mut offset = 0;
-        for range in self.idx.iter_ranges() {
+        for range in self.idx.iter() {
             dest[range.clone()].copy_from_slice(&self.data[offset..offset + range.len()]);
             offset += range.len();
         }
@@ -611,12 +628,7 @@ mod validation {
             mut partial_transcript: CompressedPartialTranscriptUnchecked,
         ) {
             // Change the total to be less than the last range's end bound.
-            let end = partial_transcript
+            let end = partial_transcript.sent_idx.iter().next_back().unwrap().end;
-                .sent_idx
-                .iter_ranges()
-                .next_back()
-                .unwrap()
-                .end;
 
             partial_transcript.sent_total = end - 1;
 

crates/core/src/transcript/commit.rs

@@ -2,7 +2,7 @@
 
 use std::{collections::HashSet, fmt};
 
-use rangeset::ToRangeSet;
+use rangeset::set::ToRangeSet;
 use serde::{Deserialize, Serialize};
 
 use crate::{
@@ -114,7 +114,19 @@ impl TranscriptCommitConfig {
     /// Returns a request for the transcript commitments.
     pub fn to_request(&self) -> TranscriptCommitRequest {
         TranscriptCommitRequest {
-            encoding: self.has_encoding,
+            encoding: self.has_encoding.then(|| {
+                let mut sent = RangeSet::default();
+                let mut recv = RangeSet::default();
+
+                for (dir, idx) in self.iter_encoding() {
+                    match dir {
+                        Direction::Sent => sent.union_mut(idx),
+                        Direction::Received => recv.union_mut(idx),
+                    }
+                }
+
+                (sent, recv)
+            }),
             hash: self
                 .iter_hash()
                 .map(|((dir, idx), alg)| (*dir, idx.clone(), *alg))
@@ -289,14 +301,14 @@ impl fmt::Display for TranscriptCommitConfigBuilderError {
 /// Request to compute transcript commitments.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TranscriptCommitRequest {
-    encoding: bool,
+    encoding: Option<(RangeSet<usize>, RangeSet<usize>)>,
     hash: Vec<(Direction, RangeSet<usize>, HashAlgId)>,
 }
 
 impl TranscriptCommitRequest {
     /// Returns `true` if an encoding commitment is requested.
-    pub fn encoding(&self) -> bool {
+    pub fn has_encoding(&self) -> bool {
-        self.encoding
+        self.encoding.is_some()
     }
 
     /// Returns `true` if a hash commitment is requested.
@@ -308,6 +320,11 @@ impl TranscriptCommitRequest {
     pub fn iter_hash(&self) -> impl Iterator<Item = &(Direction, RangeSet<usize>, HashAlgId)> {
         self.hash.iter()
     }
+
+    /// Returns the ranges of the encoding commitments.
+    pub fn encoding(&self) -> Option<&(RangeSet<usize>, RangeSet<usize>)> {
+        self.encoding.as_ref()
+    }
 }
 
 #[cfg(test)]

crates/core/src/transcript/encoding.rs

@@ -19,6 +19,4 @@ use crate::hash::TypedHash;
 pub struct EncodingCommitment {
     /// Merkle root of the encoding commitments.
     pub root: TypedHash,
-    /// Seed used to generate the encodings.
-    pub secret: EncoderSecret,
 }

crates/core/src/transcript/encoding/proof.rs

@@ -1,6 +1,6 @@
 use std::{collections::HashMap, fmt};
 
-use rangeset::{RangeSet, UnionMut};
+use rangeset::set::RangeSet;
 use serde::{Deserialize, Serialize};
 
 use crate::{
@@ -8,7 +8,7 @@ use crate::{
     merkle::{MerkleError, MerkleProof},
     transcript::{
         commit::MAX_TOTAL_COMMITTED_DATA,
-        encoding::{new_encoder, Encoder, EncodingCommitment},
+        encoding::{new_encoder, Encoder, EncoderSecret, EncodingCommitment},
         Direction,
     },
 };
@@ -48,13 +48,14 @@ impl EncodingProof {
     pub fn verify_with_provider(
         &self,
         provider: &HashProvider,
+        secret: &EncoderSecret,
         commitment: &EncodingCommitment,
         sent: &[u8],
         recv: &[u8],
     ) -> Result<(RangeSet<usize>, RangeSet<usize>), EncodingProofError> {
         let hasher = provider.get(&commitment.root.alg)?;
 
-        let encoder = new_encoder(&commitment.secret);
+        let encoder = new_encoder(secret);
         let Self {
             inclusion_proof,
             openings,
@@ -102,7 +103,7 @@ impl EncodingProof {
             }
 
             expected_leaf.clear();
-            for range in idx.iter_ranges() {
+            for range in idx.iter() {
                 encoder.encode_data(*direction, range.clone(), &data[range], &mut expected_leaf);
             }
             expected_leaf.extend_from_slice(blinder.as_bytes());
@@ -232,10 +233,7 @@ mod test {
     use crate::{
         fixtures::{encoder_secret, encoder_secret_tampered_seed, encoding_provider},
         hash::Blake3,
-        transcript::{
+        transcript::{encoding::EncodingTree, Transcript},
-            encoding::{EncoderSecret, EncodingTree},
-            Transcript,
-        },
     };
 
     use super::*;
@@ -246,7 +244,7 @@ mod test {
         commitment: EncodingCommitment,
     }
 
-    fn new_encoding_fixture(secret: EncoderSecret) -> EncodingFixture {
+    fn new_encoding_fixture() -> EncodingFixture {
         let transcript = Transcript::new(POST_JSON, OK_JSON);
 
         let idx_0 = (Direction::Sent, RangeSet::from(0..POST_JSON.len()));
@@ -257,10 +255,7 @@ mod test {
 
         let proof = tree.proof([&idx_0, &idx_1].into_iter()).unwrap();
 
-        let commitment = EncodingCommitment {
+        let commitment = EncodingCommitment { root: tree.root() };
-            root: tree.root(),
-            secret,
-        };
 
         EncodingFixture {
             transcript,
@@ -275,11 +270,12 @@ mod test {
             transcript,
             proof,
             commitment,
-        } = new_encoding_fixture(encoder_secret_tampered_seed());
+        } = new_encoding_fixture();
 
         let err = proof
             .verify_with_provider(
                 &HashProvider::default(),
+                &encoder_secret_tampered_seed(),
                 &commitment,
                 transcript.sent(),
                 transcript.received(),
@@ -295,13 +291,19 @@ mod test {
             transcript,
             proof,
             commitment,
-        } = new_encoding_fixture(encoder_secret());
+        } = new_encoding_fixture();
 
         let sent = &transcript.sent()[transcript.sent().len() - 1..];
         let recv = &transcript.received()[transcript.received().len() - 2..];
 
         let err = proof
-            .verify_with_provider(&HashProvider::default(), &commitment, sent, recv)
+            .verify_with_provider(
+                &HashProvider::default(),
+                &encoder_secret(),
+                &commitment,
+                sent,
+                recv,
+            )
             .unwrap_err();
 
         assert!(matches!(err.kind, ErrorKind::Proof));
@@ -313,7 +315,7 @@ mod test {
             transcript,
             mut proof,
             commitment,
-        } = new_encoding_fixture(encoder_secret());
+        } = new_encoding_fixture();
 
         let Opening { idx, .. } = proof.openings.values_mut().next().unwrap();
 
@@ -322,6 +324,7 @@ mod test {
         let err = proof
             .verify_with_provider(
                 &HashProvider::default(),
+                &encoder_secret(),
                 &commitment,
                 transcript.sent(),
                 transcript.received(),
@@ -337,7 +340,7 @@ mod test {
             transcript,
             mut proof,
             commitment,
-        } = new_encoding_fixture(encoder_secret());
+        } = new_encoding_fixture();
 
         let Opening { blinder, .. } = proof.openings.values_mut().next().unwrap();
 
@@ -346,6 +349,7 @@ mod test {
         let err = proof
             .verify_with_provider(
                 &HashProvider::default(),
+                &encoder_secret(),
                 &commitment,
                 transcript.sent(),
                 transcript.received(),

crates/core/src/transcript/encoding/tree.rs

@@ -1,7 +1,7 @@
 use std::collections::HashMap;
 
 use bimap::BiMap;
-use rangeset::{RangeSet, UnionMut};
+use rangeset::set::RangeSet;
 use serde::{Deserialize, Serialize};
 
 use crate::{
@@ -99,7 +99,7 @@ impl EncodingTree {
             let blinder: Blinder = rand::random();
 
             encoding.clear();
-            for range in idx.iter_ranges() {
+            for range in idx.iter() {
                 provider
                     .provide_encoding(direction, range, &mut encoding)
                     .map_err(|_| EncodingTreeError::MissingEncoding { index: idx.clone() })?;
@@ -222,14 +222,12 @@ mod tests {
 
         let proof = tree.proof([&idx_0, &idx_1].into_iter()).unwrap();
 
-        let commitment = EncodingCommitment {
+        let commitment = EncodingCommitment { root: tree.root() };
-            root: tree.root(),
-            secret: encoder_secret(),
-        };
 
         let (auth_sent, auth_recv) = proof
             .verify_with_provider(
                 &HashProvider::default(),
+                &encoder_secret(),
                 &commitment,
                 transcript.sent(),
                 transcript.received(),
@@ -260,14 +258,12 @@ mod tests {
             .proof([&idx_0, &idx_1, &idx_2, &idx_3].into_iter())
             .unwrap();
 
-        let commitment = EncodingCommitment {
+        let commitment = EncodingCommitment { root: tree.root() };
-            root: tree.root(),
-            secret: encoder_secret(),
-        };
 
         let (auth_sent, auth_recv) = proof
             .verify_with_provider(
                 &HashProvider::default(),
+                &encoder_secret(),
                 &commitment,
                 transcript.sent(),
                 transcript.received(),

crates/core/src/transcript/proof.rs

@@ -1,6 +1,10 @@
 //! Transcript proofs.
 
-use rangeset::{Cover, Difference, Subset, ToRangeSet, UnionMut};
+use rangeset::{
+    iter::RangeIterator,
+    ops::{Cover, Set},
+    set::ToRangeSet,
+};
 use serde::{Deserialize, Serialize};
 use std::{collections::HashSet, fmt};
 
@@ -10,7 +14,7 @@ use crate::{
     hash::{HashAlgId, HashProvider},
     transcript::{
         commit::{TranscriptCommitment, TranscriptCommitmentKind},
-        encoding::{EncodingProof, EncodingProofError, EncodingTree},
+        encoding::{EncoderSecret, EncodingProof, EncodingProofError, EncodingTree},
         hash::{hash_plaintext, PlaintextHash, PlaintextHashSecret},
         Direction, PartialTranscript, RangeSet, Transcript, TranscriptSecret,
     },
@@ -22,6 +26,12 @@ const DEFAULT_COMMITMENT_KINDS: &[TranscriptCommitmentKind] = &[
     TranscriptCommitmentKind::Hash {
         alg: HashAlgId::SHA256,
     },
+    TranscriptCommitmentKind::Hash {
+        alg: HashAlgId::BLAKE3,
+    },
+    TranscriptCommitmentKind::Hash {
+        alg: HashAlgId::KECCAK256,
+    },
     TranscriptCommitmentKind::Encoding,
 ];
 
@@ -48,6 +58,7 @@ impl TranscriptProof {
         self,
         provider: &HashProvider,
         length: &TranscriptLength,
+        encoder_secret: Option<&EncoderSecret>,
         commitments: impl IntoIterator<Item = &'a TranscriptCommitment>,
     ) -> Result<PartialTranscript, TranscriptProofError> {
         let mut encoding_commitment = None;
@@ -83,6 +94,13 @@ impl TranscriptProof {
 
         // Verify encoding proof.
         if let Some(proof) = self.encoding_proof {
+            let secret = encoder_secret.ok_or_else(|| {
+                TranscriptProofError::new(
+                    ErrorKind::Encoding,
+                    "contains an encoding proof but missing encoder secret",
+                )
+            })?;
+
             let commitment = encoding_commitment.ok_or_else(|| {
                 TranscriptProofError::new(
                     ErrorKind::Encoding,
@@ -92,6 +110,7 @@ impl TranscriptProof {
 
             let (auth_sent, auth_recv) = proof.verify_with_provider(
                 provider,
+                secret,
                 commitment,
                 self.transcript.sent_unsafe(),
                 self.transcript.received_unsafe(),
@@ -129,7 +148,7 @@ impl TranscriptProof {
             }
 
             buffer.clear();
-            for range in idx.iter_ranges() {
+            for range in idx.iter() {
                 buffer.extend_from_slice(&plaintext[range]);
             }
 
@@ -351,7 +370,7 @@ impl<'a> TranscriptProofBuilder<'a> {
         if idx.is_subset(committed) {
             self.query_idx.union(&direction, &idx);
         } else {
-            let missing = idx.difference(committed);
+            let missing = idx.difference(committed).into_set();
             return Err(TranscriptProofBuilderError::new(
                 BuilderErrorKind::MissingCommitment,
                 format!(
@@ -567,12 +586,12 @@ impl fmt::Display for TranscriptProofBuilderError {
 #[cfg(test)]
 mod tests {
     use rand::{Rng, SeedableRng};
-    use rangeset::RangeSet;
+    use rangeset::prelude::*;
     use rstest::rstest;
     use tlsn_data_fixtures::http::{request::GET_WITH_HEADER, response::OK_JSON};
 
     use crate::{
-        fixtures::encoding_provider,
+        fixtures::{encoder_secret, encoding_provider},
         hash::{Blake3, Blinder, HashAlgId},
         transcript::TranscriptCommitConfigBuilder,
     };
@@ -599,7 +618,12 @@ mod tests {
 
         let provider = HashProvider::default();
         let err = transcript_proof
-            .verify_with_provider(&provider, &transcript.length(), &[])
+            .verify_with_provider(
+                &provider,
+                &transcript.length(),
+                Some(&encoder_secret()),
+                &[],
+            )
             .err()
             .unwrap();
 
@@ -637,7 +661,10 @@ mod tests {
     }
 
     #[rstest]
-    fn test_reveal_with_hash_commitment() {
+    #[case::sha256(HashAlgId::SHA256)]
+    #[case::blake3(HashAlgId::BLAKE3)]
+    #[case::keccak256(HashAlgId::KECCAK256)]
+    fn test_reveal_with_hash_commitment(#[case] alg: HashAlgId) {
         let mut rng = rand::rngs::StdRng::seed_from_u64(0);
         let provider = HashProvider::default();
         let transcript = Transcript::new(GET_WITH_HEADER, OK_JSON);
@@ -645,7 +672,6 @@ mod tests {
         let direction = Direction::Sent;
         let idx = RangeSet::from(0..10);
         let blinder: Blinder = rng.random();
-        let alg = HashAlgId::SHA256;
         let hasher = provider.get(&alg).unwrap();
 
         let commitment = PlaintextHash {
@@ -672,6 +698,7 @@ mod tests {
             .verify_with_provider(
                 &provider,
                 &transcript.length(),
+                None,
                 &[TranscriptCommitment::Hash(commitment)],
             )
             .unwrap();
@@ -683,7 +710,10 @@ mod tests {
     }
 
     #[rstest]
-    fn test_reveal_with_inconsistent_hash_commitment() {
+    #[case::sha256(HashAlgId::SHA256)]
+    #[case::blake3(HashAlgId::BLAKE3)]
+    #[case::keccak256(HashAlgId::KECCAK256)]
+    fn test_reveal_with_inconsistent_hash_commitment(#[case] alg: HashAlgId) {
         let mut rng = rand::rngs::StdRng::seed_from_u64(0);
         let provider = HashProvider::default();
         let transcript = Transcript::new(GET_WITH_HEADER, OK_JSON);
@@ -691,7 +721,6 @@ mod tests {
         let direction = Direction::Sent;
         let idx = RangeSet::from(0..10);
         let blinder: Blinder = rng.random();
-        let alg = HashAlgId::SHA256;
         let hasher = provider.get(&alg).unwrap();
 
         let commitment = PlaintextHash {
@@ -719,6 +748,7 @@ mod tests {
             .verify_with_provider(
                 &provider,
                 &transcript.length(),
+                None,
                 &[TranscriptCommitment::Hash(commitment)],
             )
             .unwrap_err();

crates/core/src/transcript/tls.rs

@@ -10,10 +10,53 @@ use crate::{
 use tls_core::msgs::{
     alert::AlertMessagePayload,
     codec::{Codec, Reader},
-    enums::{AlertDescription, ContentType, ProtocolVersion},
+    enums::{AlertDescription, ProtocolVersion},
     handshake::{HandshakeMessagePayload, HandshakePayload},
 };
 
+/// TLS record content type.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub enum ContentType {
+    /// Change cipher spec protocol.
+    ChangeCipherSpec,
+    /// Alert protocol.
+    Alert,
+    /// Handshake protocol.
+    Handshake,
+    /// Application data protocol.
+    ApplicationData,
+    /// Heartbeat protocol.
+    Heartbeat,
+    /// Unknown protocol.
+    Unknown(u8),
+}
+
+impl From<ContentType> for tls_core::msgs::enums::ContentType {
+    fn from(content_type: ContentType) -> Self {
+        match content_type {
+            ContentType::ChangeCipherSpec => tls_core::msgs::enums::ContentType::ChangeCipherSpec,
+            ContentType::Alert => tls_core::msgs::enums::ContentType::Alert,
+            ContentType::Handshake => tls_core::msgs::enums::ContentType::Handshake,
+            ContentType::ApplicationData => tls_core::msgs::enums::ContentType::ApplicationData,
+            ContentType::Heartbeat => tls_core::msgs::enums::ContentType::Heartbeat,
+            ContentType::Unknown(id) => tls_core::msgs::enums::ContentType::Unknown(id),
+        }
+    }
+}
+
+impl From<tls_core::msgs::enums::ContentType> for ContentType {
+    fn from(content_type: tls_core::msgs::enums::ContentType) -> Self {
+        match content_type {
+            tls_core::msgs::enums::ContentType::ChangeCipherSpec => ContentType::ChangeCipherSpec,
+            tls_core::msgs::enums::ContentType::Alert => ContentType::Alert,
+            tls_core::msgs::enums::ContentType::Handshake => ContentType::Handshake,
+            tls_core::msgs::enums::ContentType::ApplicationData => ContentType::ApplicationData,
+            tls_core::msgs::enums::ContentType::Heartbeat => ContentType::Heartbeat,
+            tls_core::msgs::enums::ContentType::Unknown(id) => ContentType::Unknown(id),
+        }
+    }
+}
+
 /// A transcript of TLS records sent and received by the prover.
 #[derive(Debug, Clone)]
 pub struct TlsTranscript {

crates/core/src/webpki.rs

@@ -53,6 +53,21 @@ impl RootCertStore {
     pub fn empty() -> Self {
         Self { roots: Vec::new() }
     }
+
+    /// Creates a root certificate store with Mozilla root certificates.
+    ///
+    /// These certificates are sourced from [`webpki-root-certs`](https://docs.rs/webpki-root-certs/latest/webpki_root_certs/). It is not recommended to use these unless the
+    /// application binary can be recompiled and deployed on-demand in the case
+    /// that the root certificates need to be updated.
+    #[cfg(feature = "mozilla-certs")]
+    pub fn mozilla() -> Self {
+        Self {
+            roots: webpki_root_certs::TLS_SERVER_ROOT_CERTS
+                .iter()
+                .map(|cert| CertificateDer(cert.to_vec()))
+                .collect(),
+        }
+    }
 }
 
 /// Server certificate verifier.
@@ -82,8 +97,12 @@ impl ServerCertVerifier {
         Ok(Self { roots })
     }
 
-    /// Creates a new server certificate verifier with Mozilla root
+    /// Creates a server certificate verifier with Mozilla root certificates.
-    /// certificates.
+    ///
+    /// These certificates are sourced from [`webpki-root-certs`](https://docs.rs/webpki-root-certs/latest/webpki_root_certs/). It is not recommended to use these unless the
+    /// application binary can be recompiled and deployed on-demand in the case
+    /// that the root certificates need to be updated.
+    #[cfg(feature = "mozilla-certs")]
     pub fn mozilla() -> Self {
         Self {
             roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(),

crates/examples/Cargo.toml

@@ -15,6 +15,7 @@ tlsn-server-fixture = { workspace = true }
 tlsn-server-fixture-certs = { workspace = true }
 spansy = { workspace = true }
 
+anyhow = { workspace = true }
 bincode = { workspace = true }
 chrono = { workspace = true }
 clap = { version = "4.5", features = ["derive"] }
@@ -24,6 +25,7 @@ hex = { workspace = true }
 hyper = { workspace = true, features = ["client", "http1"] }
 hyper-util = { workspace = true, features = ["full"] }
 k256 = { workspace = true, features = ["ecdsa"] }
+serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = [
   "rt",
@@ -36,11 +38,18 @@ tokio = { workspace = true, features = [
 tokio-util = { workspace = true }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
+noir = { git = "https://github.com/zkmopro/noir-rs", tag = "v1.0.0-beta.8", features = [
+  "barretenberg",
+] }
 
 [[example]]
 name = "interactive"
 path = "interactive/interactive.rs"
 
+[[example]]
+name = "interactive_zk"
+path = "interactive_zk/interactive_zk.rs"
+
 [[example]]
 name = "attestation_prove"
 path = "attestation/prove.rs"

crates/examples/README.md

@@ -4,5 +4,7 @@ This folder contains examples demonstrating how to use the TLSNotary protocol.
 
 * [Interactive](./interactive/README.md): Interactive Prover and Verifier session without a trusted notary.
 * [Attestation](./attestation/README.md): Performing a simple notarization with a trusted notary.
+* [Interactive_zk](./interactive_zk/README.md): Interactive Prover and Verifier session demonstrating zero-knowledge age verification using Noir.
+
 
 Refer to <https://tlsnotary.org/docs/quick_start> for a quick start guide to using TLSNotary with these examples.

crates/examples/attestation/prove.rs

@@ -4,6 +4,7 @@
 
 use std::env;
 
+use anyhow::{anyhow, Result};
 use clap::Parser;
 use http_body_util::Empty;
 use hyper::{body::Bytes, Request, StatusCode};
@@ -23,12 +24,17 @@ use tlsn::{
         Attestation, AttestationConfig, CryptoProvider, Secrets,
     },
     config::{
-        CertificateDer, PrivateKeyDer, ProtocolConfig, ProtocolConfigValidator, RootCertStore,
+        prove::ProveConfig,
+        prover::ProverConfig,
+        tls::TlsClientConfig,
+        tls_commit::{mpc::MpcTlsConfig, TlsCommitConfig},
+        verifier::VerifierConfig,
     },
     connection::{ConnectionInfo, HandshakeData, ServerName, TranscriptLength},
-    prover::{state::Committed, ProveConfig, Prover, ProverConfig, ProverOutput, TlsConfig},
+    prover::{state::Committed, Prover, ProverOutput},
     transcript::{ContentType, TranscriptCommitConfig},
-    verifier::{Verifier, VerifierConfig, VerifierOutput, VerifyConfig},
+    verifier::{Verifier, VerifierOutput},
+    webpki::{CertificateDer, PrivateKeyDer, RootCertStore},
 };
 use tlsn_examples::ExampleType;
 use tlsn_formats::http::{DefaultHttpCommitter, HttpCommit, HttpTranscript};
@@ -47,7 +53,7 @@ struct Args {
 }
 
 #[tokio::main]
-async fn main() -> Result<(), Box<dyn std::error::Error>> {
+async fn main() -> Result<()> {
     tracing_subscriber::fmt::init();
 
     let args = Args::parse();
@@ -87,64 +93,63 @@ async fn prover<S: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
     uri: &str,
     extra_headers: Vec<(&str, &str)>,
     example_type: &ExampleType,
-) -> Result<(), Box<dyn std::error::Error>> {
+) -> Result<()> {
     let server_host: String = env::var("SERVER_HOST").unwrap_or("127.0.0.1".into());
     let server_port: u16 = env::var("SERVER_PORT")
         .map(|port| port.parse().expect("port should be valid integer"))
         .unwrap_or(DEFAULT_FIXTURE_PORT);
 
-    // Create a root certificate store with the server-fixture's self-signed
-    // certificate. This is only required for offline testing with the
-    // server-fixture.
-    let mut tls_config_builder = TlsConfig::builder();
-    tls_config_builder
-        .root_store(RootCertStore {
-            roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
-        })
-        // (Optional) Set up TLS client authentication if required by the server.
-        .client_auth((
-            vec![CertificateDer(CLIENT_CERT_DER.to_vec())],
-            PrivateKeyDer(CLIENT_KEY_DER.to_vec()),
-        ));
-
-    let tls_config = tls_config_builder.build().unwrap();
-
-    // Set up protocol configuration for prover.
-    let mut prover_config_builder = ProverConfig::builder();
-    prover_config_builder
-        .server_name(ServerName::Dns(SERVER_DOMAIN.try_into().unwrap()))
-        .tls_config(tls_config)
-        .protocol_config(
-            ProtocolConfig::builder()
-                // We must configure the amount of data we expect to exchange beforehand, which will
-                // be preprocessed prior to the connection. Reducing these limits will improve
-                // performance.
-                .max_sent_data(tlsn_examples::MAX_SENT_DATA)
-                .max_recv_data(tlsn_examples::MAX_RECV_DATA)
-                .build()?,
-        );
-
-    let prover_config = prover_config_builder.build()?;
-
     // Create a new prover and perform necessary setup.
-    let prover = Prover::new(prover_config).setup(socket.compat()).await?;
+    let prover = Prover::new(ProverConfig::builder().build()?)
+        .commit(
+            TlsCommitConfig::builder()
+                // Select the TLS commitment protocol.
+                .protocol(
+                    MpcTlsConfig::builder()
+                        // We must configure the amount of data we expect to exchange beforehand,
+                        // which will be preprocessed prior to the
+                        // connection. Reducing these limits will improve
+                        // performance.
+                        .max_sent_data(tlsn_examples::MAX_SENT_DATA)
+                        .max_recv_data(tlsn_examples::MAX_RECV_DATA)
+                        .build()?,
+                )
+                .build()?,
+            socket.compat(),
+        )
+        .await?;
 
     // Open a TCP connection to the server.
     let client_socket = tokio::net::TcpStream::connect((server_host, server_port)).await?;
 
     // Bind the prover to the server connection.
-    // The returned `mpc_tls_connection` is an MPC TLS connection to the server: all
+    let (tls_connection, prover_fut) = prover
-    // data written to/read from it will be encrypted/decrypted using MPC with
+        .connect(
-    // the notary.
+            TlsClientConfig::builder()
-    let (mpc_tls_connection, prover_fut) = prover.connect(client_socket.compat()).await?;
+                .server_name(ServerName::Dns(SERVER_DOMAIN.try_into()?))
-    let mpc_tls_connection = TokioIo::new(mpc_tls_connection.compat());
+                // Create a root certificate store with the server-fixture's self-signed
+                // certificate. This is only required for offline testing with the
+                // server-fixture.
+                .root_store(RootCertStore {
+                    roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
+                })
+                // (Optional) Set up TLS client authentication if required by the server.
+                .client_auth((
+                    vec![CertificateDer(CLIENT_CERT_DER.to_vec())],
+                    PrivateKeyDer(CLIENT_KEY_DER.to_vec()),
+                ))
+                .build()?,
+            client_socket.compat(),
+        )
+        .await?;
+    let tls_connection = TokioIo::new(tls_connection.compat());
 
     // Spawn the prover task to be run concurrently in the background.
     let prover_task = tokio::spawn(prover_fut);
 
     // Attach the hyper HTTP client to the connection.
     let (mut request_sender, connection) =
-        hyper::client::conn::http1::handshake(mpc_tls_connection).await?;
+        hyper::client::conn::http1::handshake(tls_connection).await?;
 
     // Spawn the HTTP task to be run concurrently in the background.
     tokio::spawn(connection);
@@ -165,7 +170,7 @@ async fn prover<S: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
     }
     let request = request_builder.body(Empty::<Bytes>::new())?;
 
-    info!("Starting an MPC TLS connection with the server");
+    info!("Starting connection with the server");
 
     // Send the request to the server and wait for the response.
     let response = request_sender.send_request(request).await?;
@@ -175,7 +180,7 @@ async fn prover<S: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
     assert!(response.status() == StatusCode::OK);
 
     // The prover task should be done now, so we can await it.
-    let mut prover = prover_task.await??;
+    let prover = prover_task.await??;
 
     // Parse the HTTP transcript.
     let transcript = HttpTranscript::parse(prover.transcript())?;
@@ -217,7 +222,7 @@ async fn prover<S: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
 
     let request_config = builder.build()?;
 
-    let (attestation, secrets) = notarize(&mut prover, &request_config, req_tx, resp_rx).await?;
+    let (attestation, secrets) = notarize(prover, &request_config, req_tx, resp_rx).await?;
 
     // Write the attestation to disk.
     let attestation_path = tlsn_examples::get_file_path(example_type, "attestation");
@@ -238,11 +243,11 @@ async fn prover<S: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
 }
 
 async fn notarize(
-    prover: &mut Prover<Committed>,
+    mut prover: Prover<Committed>,
     config: &RequestConfig,
     request_tx: Sender<AttestationRequest>,
     attestation_rx: Receiver<Attestation>,
-) -> Result<(Attestation, Secrets), Box<dyn std::error::Error>> {
+) -> Result<(Attestation, Secrets)> {
     let mut builder = ProveConfig::builder(prover.transcript());
 
     if let Some(config) = config.transcript_commit() {
@@ -257,25 +262,27 @@ async fn notarize(
         ..
     } = prover.prove(&disclosure_config).await?;
 
+    let transcript = prover.transcript().clone();
+    let tls_transcript = prover.tls_transcript().clone();
+    prover.close().await?;
+
     // Build an attestation request.
     let mut builder = AttestationRequest::builder(config);
 
     builder
         .server_name(ServerName::Dns(SERVER_DOMAIN.try_into().unwrap()))
         .handshake_data(HandshakeData {
-            certs: prover
+            certs: tls_transcript
-                .tls_transcript()
                 .server_cert_chain()
                 .expect("server cert chain is present")
                 .to_vec(),
-            sig: prover
+            sig: tls_transcript
-                .tls_transcript()
                 .server_signature()
                 .expect("server signature is present")
                 .clone(),
-            binding: prover.tls_transcript().certificate_binding().clone(),
+            binding: tls_transcript.certificate_binding().clone(),
         })
-        .transcript(prover.transcript().clone())
+        .transcript(transcript)
         .transcript_commitments(transcript_secrets, transcript_commitments);
 
     let (request, secrets) = builder.build(&CryptoProvider::default())?;
@@ -283,15 +290,18 @@ async fn notarize(
     // Send attestation request to notary.
     request_tx
         .send(request.clone())
-        .map_err(|_| "notary is not receiving attestation request".to_string())?;
+        .map_err(|_| anyhow!("notary is not receiving attestation request"))?;
 
     // Receive attestation from notary.
     let attestation = attestation_rx
         .await
-        .map_err(|err| format!("notary did not respond with attestation: {err}"))?;
+        .map_err(|err| anyhow!("notary did not respond with attestation: {err}"))?;
+
+    // Signature verifier for the signature algorithm in the request.
+    let provider = CryptoProvider::default();
 
     // Check the attestation is consistent with the Prover's view.
-    request.validate(&attestation)?;
+    request.validate(&attestation, &provider)?;
 
     Ok((attestation, secrets))
 }
@@ -300,14 +310,7 @@ async fn notary<S: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
     socket: S,
     request_rx: Receiver<AttestationRequest>,
     attestation_tx: Sender<Attestation>,
-) -> Result<(), Box<dyn std::error::Error>> {
+) -> Result<()> {
-    // Set up Verifier.
-    let config_validator = ProtocolConfigValidator::builder()
-        .max_sent_data(tlsn_examples::MAX_SENT_DATA)
-        .max_recv_data(tlsn_examples::MAX_RECV_DATA)
-        .build()
-        .unwrap();
-
     // Create a root certificate store with the server-fixture's self-signed
     // certificate. This is only required for offline testing with the
     // server-fixture.
@@ -315,20 +318,25 @@ async fn notary<S: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
         .root_store(RootCertStore {
             roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
         })
-        .protocol_config_validator(config_validator)
         .build()
         .unwrap();
 
-    let mut verifier = Verifier::new(verifier_config)
+    let verifier = Verifier::new(verifier_config)
-        .setup(socket.compat())
+        .commit(socket.compat())
+        .await?
+        .accept()
         .await?
         .run()
         .await?;
 
-    let VerifierOutput {
+    let (
-        transcript_commitments,
+        VerifierOutput {
-        ..
+            transcript_commitments,
-    } = verifier.verify(&VerifyConfig::default()).await?;
+            encoder_secret,
+            ..
+        },
+        verifier,
+    ) = verifier.verify().await?.accept().await?;
 
     let tls_transcript = verifier.tls_transcript().clone();
 
@@ -385,12 +393,16 @@ async fn notary<S: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
         .server_ephemeral_key(tls_transcript.server_ephemeral_key().clone())
         .transcript_commitments(transcript_commitments);
 
+    if let Some(encoder_secret) = encoder_secret {
+        builder.encoder_secret(encoder_secret);
+    }
+
     let attestation = builder.build(&provider)?;
 
     // Send attestation to prover.
     attestation_tx
         .send(attestation)
-        .map_err(|_| "prover is not receiving attestation".to_string())?;
+        .map_err(|_| anyhow!("prover is not receiving attestation"))?;
 
     Ok(())
 }

crates/examples/attestation/verify.rs

@@ -12,8 +12,8 @@ use tlsn::{
         signing::VerifyingKey,
         CryptoProvider,
     },
-    config::{CertificateDer, RootCertStore},
     verifier::ServerCertVerifier,
+    webpki::{CertificateDer, RootCertStore},
 };
 use tlsn_examples::ExampleType;
 use tlsn_server_fixture_certs::CA_CERT_DER;

crates/examples/interactive/interactive.rs

@@ -3,6 +3,7 @@ use std::{
     net::{IpAddr, SocketAddr},
 };
 
+use anyhow::Result;
 use http_body_util::Empty;
 use hyper::{body::Bytes, Request, StatusCode, Uri};
 use hyper_util::rt::TokioIo;
@@ -11,11 +12,18 @@ use tokio_util::compat::{FuturesAsyncReadCompatExt, TokioAsyncReadCompatExt};
 use tracing::instrument;
 
 use tlsn::{
-    config::{CertificateDer, ProtocolConfig, ProtocolConfigValidator, RootCertStore},
+    config::{
+        prove::ProveConfig,
+        prover::ProverConfig,
+        tls::TlsClientConfig,
+        tls_commit::{mpc::MpcTlsConfig, TlsCommitConfig, TlsCommitProtocolConfig},
+        verifier::VerifierConfig,
+    },
     connection::ServerName,
-    prover::{ProveConfig, Prover, ProverConfig, TlsConfig},
+    prover::Prover,
     transcript::PartialTranscript,
-    verifier::{Verifier, VerifierConfig, VerifierOutput, VerifyConfig},
+    verifier::{Verifier, VerifierOutput},
+    webpki::{CertificateDer, RootCertStore},
 };
 use tlsn_server_fixture::DEFAULT_FIXTURE_PORT;
 use tlsn_server_fixture_certs::{CA_CERT_DER, SERVER_DOMAIN};
@@ -46,7 +54,7 @@ async fn main() {
     let (prover_socket, verifier_socket) = tokio::io::duplex(1 << 23);
     let prover = prover(prover_socket, &server_addr, &uri);
     let verifier = verifier(verifier_socket);
-    let (_, transcript) = tokio::join!(prover, verifier);
+    let (_, transcript) = tokio::try_join!(prover, verifier).unwrap();
 
     println!("Successfully verified {}", &uri);
     println!(
@@ -64,61 +72,57 @@ async fn prover<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
     verifier_socket: T,
     server_addr: &SocketAddr,
     uri: &str,
-) {
+) -> Result<()> {
     let uri = uri.parse::<Uri>().unwrap();
     assert_eq!(uri.scheme().unwrap().as_str(), "https");
     let server_domain = uri.authority().unwrap().host();
 
-    // Create a root certificate store with the server-fixture's self-signed
+    // Create a new prover and perform necessary setup.
-    // certificate. This is only required for offline testing with the
+    let prover = Prover::new(ProverConfig::builder().build()?)
-    // server-fixture.
+        .commit(
-    let mut tls_config_builder = TlsConfig::builder();
+            TlsCommitConfig::builder()
-    tls_config_builder.root_store(RootCertStore {
+                // Select the TLS commitment protocol.
-        roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
+                .protocol(
-    });
+                    MpcTlsConfig::builder()
-    let tls_config = tls_config_builder.build().unwrap();
+                        // We must configure the amount of data we expect to exchange beforehand,
+                        // which will be preprocessed prior to the
+                        // connection. Reducing these limits will improve
+                        // performance.
+                        .max_sent_data(tlsn_examples::MAX_SENT_DATA)
+                        .max_recv_data(tlsn_examples::MAX_RECV_DATA)
+                        .build()?,
+                )
+                .build()?,
+            verifier_socket.compat(),
+        )
+        .await?;
 
-    // Set up protocol configuration for prover.
+    // Open a TCP connection to the server.
-    let mut prover_config_builder = ProverConfig::builder();
+    let client_socket = tokio::net::TcpStream::connect(server_addr).await?;
-    prover_config_builder
-        .server_name(ServerName::Dns(server_domain.try_into().unwrap()))
-        .tls_config(tls_config)
-        .protocol_config(
-            ProtocolConfig::builder()
-                .max_sent_data(MAX_SENT_DATA)
-                .max_recv_data(MAX_RECV_DATA)
-                .build()
-                .unwrap(),
-        );
 
-    let prover_config = prover_config_builder.build().unwrap();
+    // Bind the prover to the server connection.
-
+    let (tls_connection, prover_fut) = prover
-    // Create prover and connect to verifier.
+        .connect(
-    //
+            TlsClientConfig::builder()
-    // Perform the setup phase with the verifier.
+                .server_name(ServerName::Dns(SERVER_DOMAIN.try_into()?))
-    let prover = Prover::new(prover_config)
+                // Create a root certificate store with the server-fixture's self-signed
-        .setup(verifier_socket.compat())
+                // certificate. This is only required for offline testing with the
-        .await
+                // server-fixture.
-        .unwrap();
+                .root_store(RootCertStore {
-
+                    roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
-    // Connect to TLS Server.
+                })
-    let tls_client_socket = tokio::net::TcpStream::connect(server_addr).await.unwrap();
+                .build()?,
-
+            client_socket.compat(),
-    // Pass server connection into the prover.
+        )
-    let (mpc_tls_connection, prover_fut) =
+        .await?;
-        prover.connect(tls_client_socket.compat()).await.unwrap();
+    let tls_connection = TokioIo::new(tls_connection.compat());
-
-    // Wrap the connection in a TokioIo compatibility layer to use it with hyper.
-    let mpc_tls_connection = TokioIo::new(mpc_tls_connection.compat());
 
     // Spawn the Prover to run in the background.
     let prover_task = tokio::spawn(prover_fut);
 
     // MPC-TLS Handshake.
     let (mut request_sender, connection) =
-        hyper::client::conn::http1::handshake(mpc_tls_connection)
+        hyper::client::conn::http1::handshake(tls_connection).await?;
-            .await
-            .unwrap();
 
     // Spawn the connection to run in the background.
     tokio::spawn(connection);
@@ -130,14 +134,13 @@ async fn prover<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
         .header("Connection", "close")
         .header("Secret", SECRET)
         .method("GET")
-        .body(Empty::<Bytes>::new())
+        .body(Empty::<Bytes>::new())?;
-        .unwrap();
+    let response = request_sender.send_request(request).await?;
-    let response = request_sender.send_request(request).await.unwrap();
 
     assert!(response.status() == StatusCode::OK);
 
     // Create proof for the Verifier.
-    let mut prover = prover_task.await.unwrap().unwrap();
+    let mut prover = prover_task.await??;
 
     let mut builder = ProveConfig::builder(prover.transcript());
 
@@ -153,10 +156,8 @@ async fn prover<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
         .expect("the secret should be in the sent data");
 
     // Reveal everything except for the secret.
-    builder.reveal_sent(&(0..pos)).unwrap();
+    builder.reveal_sent(&(0..pos))?;
-    builder
+    builder.reveal_sent(&(pos + SECRET.len()..prover.transcript().sent().len()))?;
-        .reveal_sent(&(pos + SECRET.len()..prover.transcript().sent().len()))
-        .unwrap();
 
     // Find the substring "Dick".
     let pos = prover
@@ -167,28 +168,21 @@ async fn prover<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
         .expect("the substring 'Dick' should be in the received data");
 
     // Reveal everything except for the substring.
-    builder.reveal_recv(&(0..pos)).unwrap();
+    builder.reveal_recv(&(0..pos))?;
-    builder
+    builder.reveal_recv(&(pos + 4..prover.transcript().received().len()))?;
-        .reveal_recv(&(pos + 4..prover.transcript().received().len()))
-        .unwrap();
 
-    let config = builder.build().unwrap();
+    let config = builder.build()?;
 
-    prover.prove(&config).await.unwrap();
+    prover.prove(&config).await?;
-    prover.close().await.unwrap();
+    prover.close().await?;
+
+    Ok(())
 }
 
 #[instrument(skip(socket))]
 async fn verifier<T: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
     socket: T,
-) -> PartialTranscript {
+) -> Result<PartialTranscript> {
-    // Set up Verifier.
-    let config_validator = ProtocolConfigValidator::builder()
-        .max_sent_data(MAX_SENT_DATA)
-        .max_recv_data(MAX_RECV_DATA)
-        .build()
-        .unwrap();
-
     // Create a root certificate store with the server-fixture's self-signed
     // certificate. This is only required for offline testing with the
     // server-fixture.
@@ -196,20 +190,56 @@ async fn verifier<T: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
         .root_store(RootCertStore {
             roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
         })
-        .protocol_config_validator(config_validator)
+        .build()?;
-        .build()
-        .unwrap();
     let verifier = Verifier::new(verifier_config);
 
-    // Receive authenticated data.
+    // Validate the proposed configuration and then run the TLS commitment protocol.
-    let VerifierOutput {
+    let verifier = verifier.commit(socket.compat()).await?;
-        server_name,
+
-        transcript,
+    // This is the opportunity to ensure the prover does not attempt to overload the
-        ..
+    // verifier.
-    } = verifier
+    let reject = if let TlsCommitProtocolConfig::Mpc(mpc_tls_config) = verifier.request().protocol()
-        .verify(socket.compat(), &VerifyConfig::default())
+    {
-        .await
+        if mpc_tls_config.max_sent_data() > MAX_SENT_DATA {
-        .unwrap();
+            Some("max_sent_data is too large")
+        } else if mpc_tls_config.max_recv_data() > MAX_RECV_DATA {
+            Some("max_recv_data is too large")
+        } else {
+            None
+        }
+    } else {
+        Some("expecting to use MPC-TLS")
+    };
+
+    if reject.is_some() {
+        verifier.reject(reject).await?;
+        return Err(anyhow::anyhow!("protocol configuration rejected"));
+    }
+
+    // Runs the TLS commitment protocol to completion.
+    let verifier = verifier.accept().await?.run().await?;
+
+    // Validate the proving request and then verify.
+    let verifier = verifier.verify().await?;
+
+    if !verifier.request().server_identity() {
+        let verifier = verifier
+            .reject(Some("expecting to verify the server name"))
+            .await?;
+        verifier.close().await?;
+        return Err(anyhow::anyhow!("prover did not reveal the server name"));
+    }
+
+    let (
+        VerifierOutput {
+            server_name,
+            transcript,
+            ..
+        },
+        verifier,
+    ) = verifier.accept().await?;
+
+    verifier.close().await?;
 
     let server_name = server_name.expect("prover should have revealed server name");
     let transcript = transcript.expect("prover should have revealed transcript data");
@@ -232,7 +262,7 @@ async fn verifier<T: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
     let ServerName::Dns(server_name) = server_name;
     assert_eq!(server_name.as_str(), SERVER_DOMAIN);
 
-    transcript
+    Ok(transcript)
 }
 
 /// Render redacted bytes as `🙈`.

crates/examples/interactive_zk/.gitignore

@@ -0,0 +1,5 @@
+!noir/target/
+# Ignore everything inside noir/target
+noir/target/*
+# Except noir.json
+!noir/target/noir.json

crates/examples/interactive_zk/README.md

@@ -0,0 +1,167 @@
+# Interactive Zero-Knowledge Age Verification with TLSNotary
+
+This example demonstrates **privacy-preserving age verification** using TLSNotary and zero-knowledge proofs. It allows a prover to demonstrate they are 18+ years old without revealing their actual birth date or any other personal information.
+
+## 🔍 How It Works (simplified overview)
+
+```mermaid
+sequenceDiagram
+    participant S as Tax Server<br/>(fixture)
+    participant P as Prover
+    participant V as Verifier
+
+    P->>S: Request tax data (with auth token) (MPC-TLS)
+    S->>P: Tax data including `date_of_birth` (MPC-TLS)
+    P->>V: Share transcript with redactions
+    P->>V: Commit to blinded hash of birth date
+    P->>P: Generate ZK proof of age ≥ 18
+    P->>V: Send ZK proof
+    V->>V: Verify transcript & ZK proof
+    V->>V: ✅ Confirm: Prover is 18+ (no birth date revealed)
+```
+
+### The Process
+
+1. **MPC-TLS Session**: The Prover fetches tax information containing their birth date, while the Verifier jointly verifies the TLS session to ensure the data comes from the authentic server.
+2. **Selective Disclosure**:
+   * The authorization token is **redacted**: the Verifier sees the plaintext request but not the token.
+   * The birth date is **committed** as a blinded hash: the Verifier cannot see the date, but the Prover is cryptographically bound to it.  
+   (Depending on the use case more data can be redacted or revealed)
+3. **Zero-Knowledge Proof**: The Prover generates a ZK proof that the committed birth date corresponds to an age ≥ 18.
+4. **Verification**: The Verifier checks both the TLS transcript and the ZK proof, confirming age ≥ 18 without learning the actual date of birth.
+
+
+### Example Data
+
+The tax server returns data like this:
+```json
+{
+    "tax_year": 2024,
+    "taxpayer": {
+        "idnr": "12345678901",
+        "first_name": "Max",
+        "last_name": "Mustermann",
+        "date_of_birth": "1985-03-12",
+        // ...
+    }
+}
+```
+
+## 🔐 Zero-Knowledge Proof Details
+
+The ZK circuit proves: **"I know a birth date that hashes to the committed value AND indicates I am 18+ years old"**
+
+**Public Inputs:**
+- ✅ Verification date
+- ✅ Committed blinded hash of birth date
+
+**Private Inputs (Hidden):**
+- 🔒 Actual birth date plaintext
+- 🔒 Random blinder used in hash commitment
+
+**What the Verifier Learns:**
+- ✅ The prover is 18+ years old
+- ✅ The birth date is authentic (from the MPC-TLS session)
+
+Everything else remains private.
+
+## 🏃 Run the Example
+
+1. **Start the test server** (from repository root):
+   ```bash
+   RUST_LOG=info PORT=4000 cargo run --bin tlsn-server-fixture
+   ```
+
+2. **Run the age verification** (in a new terminal):
+   ```bash
+   SERVER_PORT=4000 cargo run --release --example interactive_zk
+   ```
+
+3. **For detailed logs**:
+   ```bash
+   RUST_LOG=debug,yamux=info,uid_mux=info SERVER_PORT=4000 cargo run --release --example interactive_zk
+   ```
+
+### Expected Output
+
+```
+Successfully verified https://test-server.io:4000/elster
+Age verified in ZK: 18+ ✅
+
+Verified sent data:
+GET https://test-server.io:4000/elster HTTP/1.1
+host: test-server.io
+connection: close
+authorization: 🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈🙈
+
+Verified received data:
+🙈🙈🙈🙈🙈🙈🙈🙈[truncated for brevity]...🙈🙈🙈🙈🙈"tax_year":2024🙈🙈🙈🙈🙈...
+```
+
+> 💡 **Note**: In this demo, both Prover and Verifier run on the same machine. In production, they would operate on separate systems.
+> 💡 **Note**: This demo assumes that the tax server serves correct data, and that only the submitter of the tax data has access to the specified page.
+
+## 🛠 Development
+
+### Project Structure
+
+```
+interactive_zk/
+├── prover.rs                   # Prover implementation
+├── verifier.rs                 # Verifier implementation  
+├── types.rs                    # Shared types
+└── interactive_zk.rs           # Main example runner
+├── noir/                       # Zero-knowledge circuit
+│   ├── src/main.n              # Noir circuit code
+│   ├── target/                 # Compiled circuit artifacts
+│   └── Nargo.toml              # Noir project config
+│   └── Prover.toml             # Example input for `nargo execute`
+│   └── generate_test_data.rs   # Rust script to generate Noir test data
+└── README.md
+```
+
+### Noir Circuit Commands
+
+We use [Mopro's `noir_rs`](https://zkmopro.org/docs/crates/noir-rs/) for ZK proof generation.  The **circuit is pre-compiled and ready to use**. You don't need to install Noir tools to run the example. But if you want to change or test the circuit in isolation, you can use the following instructions.
+
+Before you proceed, we recommend to double check that your Noir tooling matches the versions used in Mopro's `noir_rs`:
+```sh
+# Install correct Noir and BB versions (important for compatibility!)
+noirup --version 1.0.0-beta.8
+bbup -v 1.0.0-nightly.20250723
+```
+
+If you don't have `noirup` and `bbup` installed yet, check [Noir's Quick Start](https://noir-lang.org/docs/getting_started/quick_start).
+
+To compile the circuit, go to the `noir` folder and run `nargo compile`.
+
+To check and experiment with the Noir circuit, you can use these commands:
+
+* Execute Circuit: Compile the circuit and run it with sample data from `Prover.toml`:
+    ```sh
+    nargo execute
+    ```
+* Generate Verification Key: Create the verification key needed to verify proofs
+    ```sh
+    bb write_vk -b ./target/noir.json -o ./target
+    ```
+* Generate Proof: Create a zero-knowledge proof using the circuit and witness data.
+    ```sh
+    bb prove --bytecode_path ./target/noir.json --witness_path ./target/noir.gz -o ./target
+    ```
+* Verify Proof: Verify that a proof is valid using the verification key.
+    ```sh
+    bb verify -k ./target/vk -p ./target/proof
+    ```
+* Run the Noir tests:
+    ```sh
+    nargo test --show-output
+    ```
+  To create extra tests, you can use `./generate_test_data.rs` to help with generating correct blinders and hashes.
+
+## 📚 Learn More
+
+- [TLSNotary Documentation](https://docs.tlsnotary.org/)
+- [Noir Language Guide](https://noir-lang.org/)
+- [Zero-Knowledge Proofs Explained](https://ethereum.org/en/zero-knowledge-proofs/)
+- [Mopro ZK Toolkit](https://zkmopro.org/)

crates/examples/interactive_zk/interactive_zk.rs

@@ -0,0 +1,60 @@
+mod prover;
+mod types;
+mod verifier;
+
+use anyhow::Result;
+use prover::prover;
+use std::{
+    env,
+    net::{IpAddr, SocketAddr},
+};
+use tlsn_server_fixture::DEFAULT_FIXTURE_PORT;
+use tlsn_server_fixture_certs::SERVER_DOMAIN;
+use verifier::verifier;
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    tracing_subscriber::fmt::init();
+
+    let server_host: String = env::var("SERVER_HOST").unwrap_or("127.0.0.1".into());
+    let server_port: u16 = env::var("SERVER_PORT")
+        .map(|port| port.parse().expect("port should be valid integer"))
+        .unwrap_or(DEFAULT_FIXTURE_PORT);
+
+    // We use SERVER_DOMAIN here to make sure it matches the domain in the test
+    // server's certificate.
+    let uri = format!("https://{SERVER_DOMAIN}:{server_port}/elster");
+    let server_ip: IpAddr = server_host
+        .parse()
+        .map_err(|e| anyhow::anyhow!("Invalid IP address '{server_host}': {e}"))?;
+    let server_addr = SocketAddr::from((server_ip, server_port));
+
+    // Connect prover and verifier.
+    let (prover_socket, verifier_socket) = tokio::io::duplex(1 << 23);
+    let (prover_extra_socket, verifier_extra_socket) = tokio::io::duplex(1 << 23);
+
+    let (_, transcript) = tokio::try_join!(
+        prover(prover_socket, prover_extra_socket, &server_addr, &uri),
+        verifier(verifier_socket, verifier_extra_socket)
+    )?;
+
+    println!("---");
+    println!("Successfully verified {}", &uri);
+    println!("Age verified in ZK: 18+ ✅\n");
+
+    println!(
+        "Verified sent data:\n{}",
+        bytes_to_redacted_string(transcript.sent_unsafe())
+    );
+    println!(
+        "Verified received data:\n{}",
+        bytes_to_redacted_string(transcript.received_unsafe())
+    );
+
+    Ok(())
+}
+
+/// Render redacted bytes as `🙈`.
+pub fn bytes_to_redacted_string(bytes: &[u8]) -> String {
+    String::from_utf8_lossy(bytes).replace('\0', "🙈")
+}

crates/examples/interactive_zk/noir/Nargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "noir"
+type = "bin"
+authors = [""]
+
+[dependencies]
+sha256 = { tag = "v0.1.5", git = "https://github.com/noir-lang/sha256" }
+date = { tag = "v0.5.4", git = "https://github.com/madztheo/noir-date.git" }

crates/examples/interactive_zk/noir/Prover.toml

@@ -0,0 +1,8 @@
+blinder = [108, 93, 120, 205, 15, 35, 159, 124, 243, 96, 22, 128, 16, 149, 219, 216]
+committed_hash = [186, 158, 101, 39, 49, 48, 26, 83, 242, 96, 10, 221, 121, 174, 62, 50, 136, 132, 232, 58, 25, 32, 66, 196, 99, 85, 66, 85, 255, 1, 202, 254]
+date_of_birth = "1985-03-12"
+
+[proof_date]
+day = "29"
+month = "08"
+year = "2025"

crates/examples/interactive_zk/noir/generate_test_data.rs

@@ -0,0 +1,64 @@
+#!/usr/bin/env -S cargo +nightly -Zscript
+---
+[package]
+name = "generate_test_data"
+version = "0.0.0"
+edition = "2021"
+publish = false
+
+[dependencies]
+sha2 = "0.10"
+rand = "0.8"
+chrono = "0.4"
+---
+use chrono::Datelike;
+use chrono::Local;
+use rand::RngCore;
+use sha2::{Digest, Sha256};
+
+fn main() {
+    // 1. Birthdate string (fixed)
+    let dob_str = "1985-03-12"; // 10 bytes long
+
+    let proof_date = Local::now().date_naive();
+    let proof_year = proof_date.year();
+    let proof_month = proof_date.month();
+    let proof_day = proof_date.day();
+
+    // 2. Generate random 16-byte blinder
+    let mut blinder = [0u8; 16];
+    rand::thread_rng().fill_bytes(&mut blinder);
+
+    // 3. Concatenate blinder + dob string bytes
+    let mut preimage = Vec::with_capacity(26);
+    preimage.extend_from_slice(dob_str.as_bytes());
+    preimage.extend_from_slice(&blinder);
+
+    // 4. Hash it
+    let hash = Sha256::digest(&preimage);
+
+    let blinder = blinder
+        .iter()
+        .map(|b| b.to_string())
+        .collect::<Vec<_>>()
+        .join(", ");
+    let committed_hash = hash
+        .iter()
+        .map(|b| b.to_string())
+        .collect::<Vec<_>>()
+        .join(", ");
+
+    println!(
+        "
+// Private input
+let date_of_birth = \"{dob_str}\";
+let blinder = [{blinder}];
+
+// Public input
+let proof_date = date::Date {{ year: {proof_year}, month: {proof_month}, day: {proof_day} }};
+let committed_hash = [{committed_hash}];
+
+main(proof_date, committed_hash, date_of_birth, blinder);
+"
+    );
+}

crates/examples/interactive_zk/noir/src/main.nr

@@ -0,0 +1,82 @@
+use dep::date::Date;
+
+fn main(
+    // Public inputs
+    proof_date: pub date::Date, // "2025-08-29"
+    committed_hash: pub [u8; 32], // Hash of (blinder || dob string)
+    // Private inputs
+    date_of_birth: str<10>, // "1985-03-12"
+    blinder: [u8; 16], // Random 16-byte blinder
+) {
+    let is_18 = check_18(date_of_birth, proof_date);
+
+    let correct_hash = check_hash(date_of_birth, blinder, committed_hash);
+
+    assert(correct_hash);
+    assert(is_18);
+}
+
+fn check_18(date_of_birth: str<10>, proof_date: date::Date) -> bool {
+    let dob = parse_birth_date(date_of_birth);
+    let is_18 = dob.add_years(18).lt(proof_date);
+    println(f"Is 18? {is_18}");
+    is_18
+}
+
+fn check_hash(date_of_birth: str<10>, blinder: [u8; 16], committed_hash: [u8; 32]) -> bool {
+    let hash_input: [u8; 26] = make_hash_input(date_of_birth, blinder);
+    let computed_hash = sha256::sha256_var(hash_input, 26);
+    let correct_hash = computed_hash == committed_hash;
+    println(f"Correct hash? {correct_hash}");
+    correct_hash
+}
+
+fn make_hash_input(dob: str<10>, blinder: [u8; 16]) -> [u8; 26] {
+    let mut input: [u8; 26] = [0; 26];
+    for i in 0..10 {
+        input[i] = dob.as_bytes()[i];
+    }
+    for i in 0..16 {
+        input[10 + i] = blinder[i];
+    }
+    input
+}
+
+pub fn parse_birth_date(birth_date: str<10>) -> date::Date {
+    let date: [u8; 10] = birth_date.as_bytes();
+    let date_str: str<8> =
+        [date[0], date[1], date[2], date[3], date[5], date[6], date[8], date[9]].as_str_unchecked();
+    Date::from_str_long_year(date_str)
+}
+
+#[test]
+fn test_max_is_over_18() {
+    // Private input
+    let date_of_birth = "1985-03-12";
+    let blinder = [120, 80, 62, 10, 76, 60, 130, 98, 147, 161, 139, 126, 27, 236, 36, 56];
+
+    // Public input
+    let proof_date = date::Date { year: 2025, month: 9, day: 2 };
+    let committed_hash = [
+        229, 118, 202, 216, 213, 230, 125, 163, 48, 178, 118, 225, 84, 7, 140, 63, 173, 255, 163,
+        208, 163, 3, 63, 204, 37, 120, 254, 246, 202, 116, 122, 145,
+    ];
+
+    main(proof_date, committed_hash, date_of_birth, blinder);
+}
+
+#[test(should_fail)]
+fn test_under_18() {
+    // Private input
+    let date_of_birth = "2010-08-01";
+    let blinder = [160, 23, 57, 158, 141, 195, 155, 132, 109, 242, 48, 220, 70, 217, 229, 189];
+
+    // Public input
+    let proof_date = date::Date { year: 2025, month: 8, day: 29 };
+    let committed_hash = [
+        16, 132, 194, 62, 232, 90, 157, 153, 4, 231, 1, 54, 226, 3, 87, 174, 129, 177, 80, 69, 37,
+        222, 209, 91, 168, 156, 9, 109, 108, 144, 168, 109,
+    ];
+
+    main(proof_date, committed_hash, date_of_birth, blinder);
+}

crates/examples/interactive_zk/prover.rs

@@ -0,0 +1,390 @@
+use std::net::SocketAddr;
+
+use crate::types::received_commitments;
+
+use super::types::ZKProofBundle;
+
+use anyhow::Result;
+use chrono::{Datelike, Local, NaiveDate};
+use http_body_util::Empty;
+use hyper::{body::Bytes, header, Request, StatusCode, Uri};
+use hyper_util::rt::TokioIo;
+use k256::sha2::{Digest, Sha256};
+use noir::{
+    barretenberg::{
+        prove::prove_ultra_honk, srs::setup_srs_from_bytecode,
+        verify::get_ultra_honk_verification_key,
+    },
+    witness::from_vec_str_to_witness_map,
+};
+use serde_json::Value;
+use spansy::{
+    http::{BodyContent, Requests, Responses},
+    Spanned,
+};
+use tls_server_fixture::{CA_CERT_DER, SERVER_DOMAIN};
+use tlsn::{
+    config::{
+        prove::{ProveConfig, ProveConfigBuilder},
+        prover::ProverConfig,
+        tls::TlsClientConfig,
+        tls_commit::{mpc::MpcTlsConfig, TlsCommitConfig},
+    },
+    connection::ServerName,
+    hash::HashAlgId,
+    prover::Prover,
+    transcript::{
+        hash::{PlaintextHash, PlaintextHashSecret},
+        Direction, TranscriptCommitConfig, TranscriptCommitConfigBuilder, TranscriptCommitmentKind,
+        TranscriptSecret,
+    },
+    webpki::{CertificateDer, RootCertStore},
+};
+
+use tlsn_examples::{MAX_RECV_DATA, MAX_SENT_DATA};
+use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
+use tokio_util::compat::{FuturesAsyncReadCompatExt, TokioAsyncReadCompatExt};
+use tracing::instrument;
+
+#[instrument(skip(verifier_socket, verifier_extra_socket))]
+pub async fn prover<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
+    verifier_socket: T,
+    mut verifier_extra_socket: T,
+    server_addr: &SocketAddr,
+    uri: &str,
+) -> Result<()> {
+    let uri = uri.parse::<Uri>()?;
+
+    if uri.scheme().map(|s| s.as_str()) != Some("https") {
+        return Err(anyhow::anyhow!("URI must use HTTPS scheme"));
+    }
+
+    let server_domain = uri
+        .authority()
+        .ok_or_else(|| anyhow::anyhow!("URI must have authority"))?
+        .host();
+
+    // Create a new prover and perform necessary setup.
+    let prover = Prover::new(ProverConfig::builder().build()?)
+        .commit(
+            TlsCommitConfig::builder()
+                // Select the TLS commitment protocol.
+                .protocol(
+                    MpcTlsConfig::builder()
+                        // We must configure the amount of data we expect to exchange beforehand,
+                        // which will be preprocessed prior to the
+                        // connection. Reducing these limits will improve
+                        // performance.
+                        .max_sent_data(MAX_SENT_DATA)
+                        .max_recv_data(MAX_RECV_DATA)
+                        .build()?,
+                )
+                .build()?,
+            verifier_socket.compat(),
+        )
+        .await?;
+
+    // Open a TCP connection to the server.
+    let client_socket = tokio::net::TcpStream::connect(server_addr).await?;
+
+    // Bind the prover to the server connection.
+    let (tls_connection, prover_fut) = prover
+        .connect(
+            TlsClientConfig::builder()
+                .server_name(ServerName::Dns(SERVER_DOMAIN.try_into()?))
+                // Create a root certificate store with the server-fixture's self-signed
+                // certificate. This is only required for offline testing with the
+                // server-fixture.
+                .root_store(RootCertStore {
+                    roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
+                })
+                .build()?,
+            client_socket.compat(),
+        )
+        .await?;
+    let tls_connection = TokioIo::new(tls_connection.compat());
+
+    // Spawn the Prover to run in the background.
+    let prover_task = tokio::spawn(prover_fut);
+
+    // MPC-TLS Handshake.
+    let (mut request_sender, connection) =
+        hyper::client::conn::http1::handshake(tls_connection).await?;
+
+    // Spawn the connection to run in the background.
+    tokio::spawn(connection);
+
+    // MPC-TLS: Send Request and wait for Response.
+    let request = Request::builder()
+        .uri(uri.clone())
+        .header("Host", server_domain)
+        .header("Connection", "close")
+        .header(header::AUTHORIZATION, "Bearer random_auth_token")
+        .method("GET")
+        .body(Empty::<Bytes>::new())?;
+
+    let response = request_sender.send_request(request).await?;
+
+    if response.status() != StatusCode::OK {
+        return Err(anyhow::anyhow!(
+            "MPC-TLS request failed with status {}",
+            response.status()
+        ));
+    }
+
+    // Create proof for the Verifier.
+    let mut prover = prover_task.await??;
+
+    let transcript = prover.transcript().clone();
+    let mut prove_config_builder = ProveConfig::builder(&transcript);
+
+    // Reveal the DNS name.
+    prove_config_builder.server_identity();
+
+    let sent: &[u8] = transcript.sent();
+    let received: &[u8] = transcript.received();
+    let sent_len = sent.len();
+    let recv_len = received.len();
+    tracing::info!("Sent length: {}, Received length: {}", sent_len, recv_len);
+
+    // Reveal the entire HTTP request except for the authorization bearer token
+    reveal_request(sent, &mut prove_config_builder)?;
+
+    // Create hash commitment for the date of birth field from the response
+    let mut transcript_commitment_builder = TranscriptCommitConfig::builder(&transcript);
+    transcript_commitment_builder.default_kind(TranscriptCommitmentKind::Hash {
+        alg: HashAlgId::SHA256,
+    });
+    reveal_received(
+        received,
+        &mut prove_config_builder,
+        &mut transcript_commitment_builder,
+    )?;
+
+    let transcripts_commitment_config = transcript_commitment_builder.build()?;
+    prove_config_builder.transcript_commit(transcripts_commitment_config);
+
+    let prove_config = prove_config_builder.build()?;
+
+    // MPC-TLS prove
+    let prover_output = prover.prove(&prove_config).await?;
+    prover.close().await?;
+
+    // Prove birthdate is more than 18 years ago.
+    let received_commitments = received_commitments(&prover_output.transcript_commitments);
+    let received_commitment = received_commitments
+        .first()
+        .ok_or_else(|| anyhow::anyhow!("No received commitments found"))?; // committed hash (of date of birth string)
+    let received_secrets = received_secrets(&prover_output.transcript_secrets);
+    let received_secret = received_secrets
+        .first()
+        .ok_or_else(|| anyhow::anyhow!("No received secrets found"))?; // hash blinder
+    let proof_input = prepare_zk_proof_input(received, received_commitment, received_secret)?;
+    let proof_bundle = generate_zk_proof(&proof_input)?;
+
+    // Sent zk proof bundle to verifier
+    let serialized_proof = bincode::serialize(&proof_bundle)?;
+    verifier_extra_socket.write_all(&serialized_proof).await?;
+    verifier_extra_socket.shutdown().await?;
+
+    Ok(())
+}
+
+// Reveal everything from the request, except for the authorization token.
+fn reveal_request(request: &[u8], builder: &mut ProveConfigBuilder<'_>) -> Result<()> {
+    let reqs = Requests::new_from_slice(request).collect::<Result<Vec<_>, _>>()?;
+
+    let req = reqs
+        .first()
+        .ok_or_else(|| anyhow::anyhow!("No requests found"))?;
+
+    if req.request.method.as_str() != "GET" {
+        return Err(anyhow::anyhow!(
+            "Expected GET method, found {}",
+            req.request.method.as_str()
+        ));
+    }
+
+    let authorization_header = req
+        .headers_with_name(header::AUTHORIZATION.as_str())
+        .next()
+        .ok_or_else(|| anyhow::anyhow!("Authorization header not found"))?;
+
+    let start_pos = authorization_header
+        .span()
+        .indices()
+        .min()
+        .ok_or_else(|| anyhow::anyhow!("Could not find authorization header start position"))?
+        + header::AUTHORIZATION.as_str().len()
+        + 2;
+    let end_pos =
+        start_pos + authorization_header.span().len() - header::AUTHORIZATION.as_str().len() - 2;
+
+    builder.reveal_sent(&(0..start_pos))?;
+    builder.reveal_sent(&(end_pos..request.len()))?;
+
+    Ok(())
+}
+
+fn reveal_received(
+    received: &[u8],
+    builder: &mut ProveConfigBuilder<'_>,
+    transcript_commitment_builder: &mut TranscriptCommitConfigBuilder,
+) -> Result<()> {
+    let resp = Responses::new_from_slice(received).collect::<Result<Vec<_>, _>>()?;
+
+    let response = resp
+        .first()
+        .ok_or_else(|| anyhow::anyhow!("No responses found"))?;
+    let body = response
+        .body
+        .as_ref()
+        .ok_or_else(|| anyhow::anyhow!("Response body not found"))?;
+
+    let BodyContent::Json(json) = &body.content else {
+        return Err(anyhow::anyhow!("Expected JSON body content"));
+    };
+
+    // reveal tax year
+    let tax_year = json
+        .get("tax_year")
+        .ok_or_else(|| anyhow::anyhow!("tax_year field not found in JSON"))?;
+    let start_pos = tax_year
+        .span()
+        .indices()
+        .min()
+        .ok_or_else(|| anyhow::anyhow!("Could not find tax_year start position"))?
+        - 11;
+    let end_pos = tax_year
+        .span()
+        .indices()
+        .max()
+        .ok_or_else(|| anyhow::anyhow!("Could not find tax_year end position"))?
+        + 1;
+    builder.reveal_recv(&(start_pos..end_pos))?;
+
+    // commit to hash of date of birth
+    let dob = json
+        .get("taxpayer.date_of_birth")
+        .ok_or_else(|| anyhow::anyhow!("taxpayer.date_of_birth field not found in JSON"))?;
+
+    transcript_commitment_builder.commit_recv(dob.span())?;
+
+    Ok(())
+}
+
+// extract secret from prover output
+fn received_secrets(transcript_secrets: &[TranscriptSecret]) -> Vec<&PlaintextHashSecret> {
+    transcript_secrets
+        .iter()
+        .filter_map(|secret| match secret {
+            TranscriptSecret::Hash(hash) if hash.direction == Direction::Received => Some(hash),
+            _ => None,
+        })
+        .collect()
+}
+
+#[derive(Debug)]
+pub struct ZKProofInput {
+    dob: Vec<u8>,
+    proof_date: NaiveDate,
+    blinder: Vec<u8>,
+    committed_hash: Vec<u8>,
+}
+
+// Verify that the blinded, committed hash is correct
+fn prepare_zk_proof_input(
+    received: &[u8],
+    received_commitment: &PlaintextHash,
+    received_secret: &PlaintextHashSecret,
+) -> Result<ZKProofInput> {
+    assert_eq!(received_commitment.direction, Direction::Received);
+    assert_eq!(received_commitment.hash.alg, HashAlgId::SHA256);
+
+    let hash = &received_commitment.hash;
+
+    let dob_start = received_commitment
+        .idx
+        .min()
+        .ok_or_else(|| anyhow::anyhow!("No start index for DOB"))?;
+    let dob_end = received_commitment
+        .idx
+        .end()
+        .ok_or_else(|| anyhow::anyhow!("No end index for DOB"))?;
+    let dob = received[dob_start..dob_end].to_vec();
+    let blinder = received_secret.blinder.as_bytes().to_vec();
+    let committed_hash = hash.value.as_bytes().to_vec();
+    let proof_date = Local::now().date_naive();
+
+    assert_eq!(received_secret.direction, Direction::Received);
+    assert_eq!(received_secret.alg, HashAlgId::SHA256);
+
+    let mut hasher = Sha256::new();
+    hasher.update(&dob);
+    hasher.update(&blinder);
+    let computed_hash = hasher.finalize();
+
+    if committed_hash != computed_hash.as_ref() as &[u8] {
+        return Err(anyhow::anyhow!(
+            "Computed hash does not match committed hash"
+        ));
+    }
+
+    Ok(ZKProofInput {
+        dob,
+        proof_date,
+        committed_hash,
+        blinder,
+    })
+}
+
+fn generate_zk_proof(proof_input: &ZKProofInput) -> Result<ZKProofBundle> {
+    tracing::info!("🔒 Generating ZK proof with Noir...");
+
+    const PROGRAM_JSON: &str = include_str!("./noir/target/noir.json");
+
+    // 1. Load bytecode from program.json
+    let json: Value = serde_json::from_str(PROGRAM_JSON)?;
+    let bytecode = json["bytecode"]
+        .as_str()
+        .ok_or_else(|| anyhow::anyhow!("bytecode field not found in program.json"))?;
+
+    let mut inputs: Vec<String> = vec![];
+    inputs.push(proof_input.proof_date.day().to_string());
+    inputs.push(proof_input.proof_date.month().to_string());
+    inputs.push(proof_input.proof_date.year().to_string());
+    inputs.extend(proof_input.committed_hash.iter().map(|b| b.to_string()));
+    inputs.extend(proof_input.dob.iter().map(|b| b.to_string()));
+    inputs.extend(proof_input.blinder.iter().map(|b| b.to_string()));
+
+    let proof_date = proof_input.proof_date.to_string();
+    tracing::info!(
+        "Public inputs : Proof date ({}) and committed hash ({})",
+        proof_date,
+        hex::encode(&proof_input.committed_hash)
+    );
+    tracing::info!(
+        "Private inputs: Blinder ({}) and Date of Birth ({})",
+        hex::encode(&proof_input.blinder),
+        String::from_utf8_lossy(&proof_input.dob)
+    );
+
+    tracing::debug!("Witness inputs {:?}", inputs);
+
+    let input_refs: Vec<&str> = inputs.iter().map(String::as_str).collect();
+    let witness = from_vec_str_to_witness_map(input_refs).map_err(|e| anyhow::anyhow!(e))?;
+
+    // Setup SRS
+    setup_srs_from_bytecode(bytecode, None, false).map_err(|e| anyhow::anyhow!(e))?;
+
+    // Verification key
+    let vk = get_ultra_honk_verification_key(bytecode, false).map_err(|e| anyhow::anyhow!(e))?;
+
+    // Generate proof
+    let proof = prove_ultra_honk(bytecode, witness.clone(), vk.clone(), false)
+        .map_err(|e| anyhow::anyhow!(e))?;
+    tracing::info!("✅ Proof generated ({} bytes)", proof.len());
+
+    let proof_bundle = ZKProofBundle { vk, proof };
+    Ok(proof_bundle)
+}

crates/examples/interactive_zk/types.rs

@@ -0,0 +1,21 @@
+use serde::{Deserialize, Serialize};
+use tlsn::transcript::{hash::PlaintextHash, Direction, TranscriptCommitment};
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct ZKProofBundle {
+    pub vk: Vec<u8>,
+    pub proof: Vec<u8>,
+}
+
+// extract commitment from prover output
+pub fn received_commitments(
+    transcript_commitments: &[TranscriptCommitment],
+) -> Vec<&PlaintextHash> {
+    transcript_commitments
+        .iter()
+        .filter_map(|commitment| match commitment {
+            TranscriptCommitment::Hash(hash) if hash.direction == Direction::Received => Some(hash),
+            _ => None,
+        })
+        .collect()
+}

crates/examples/interactive_zk/verifier.rs

@@ -0,0 +1,219 @@
+use crate::types::received_commitments;
+
+use super::types::ZKProofBundle;
+use anyhow::Result;
+use chrono::{Local, NaiveDate};
+use noir::barretenberg::verify::{get_ultra_honk_verification_key, verify_ultra_honk};
+use serde_json::Value;
+use tls_server_fixture::CA_CERT_DER;
+use tlsn::{
+    config::{tls_commit::TlsCommitProtocolConfig, verifier::VerifierConfig},
+    connection::ServerName,
+    hash::HashAlgId,
+    transcript::{Direction, PartialTranscript},
+    verifier::{Verifier, VerifierOutput},
+    webpki::{CertificateDer, RootCertStore},
+};
+use tlsn_examples::{MAX_RECV_DATA, MAX_SENT_DATA};
+use tlsn_server_fixture_certs::SERVER_DOMAIN;
+use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite};
+use tokio_util::compat::TokioAsyncReadCompatExt;
+use tracing::instrument;
+
+#[instrument(skip(socket, extra_socket))]
+pub async fn verifier<T: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
+    socket: T,
+    mut extra_socket: T,
+) -> Result<PartialTranscript> {
+    let verifier = Verifier::new(
+        VerifierConfig::builder()
+            // Create a root certificate store with the server-fixture's self-signed
+            // certificate. This is only required for offline testing with the
+            // server-fixture.
+            .root_store(RootCertStore {
+                roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
+            })
+            .build()?,
+    );
+
+    // Validate the proposed configuration and then run the TLS commitment protocol.
+    let verifier = verifier.commit(socket.compat()).await?;
+
+    // This is the opportunity to ensure the prover does not attempt to overload the
+    // verifier.
+    let reject = if let TlsCommitProtocolConfig::Mpc(mpc_tls_config) = verifier.request().protocol()
+    {
+        if mpc_tls_config.max_sent_data() > MAX_SENT_DATA {
+            Some("max_sent_data is too large")
+        } else if mpc_tls_config.max_recv_data() > MAX_RECV_DATA {
+            Some("max_recv_data is too large")
+        } else {
+            None
+        }
+    } else {
+        Some("expecting to use MPC-TLS")
+    };
+
+    if reject.is_some() {
+        verifier.reject(reject).await?;
+        return Err(anyhow::anyhow!("protocol configuration rejected"));
+    }
+
+    // Runs the TLS commitment protocol to completion.
+    let verifier = verifier.accept().await?.run().await?;
+
+    // Validate the proving request and then verify.
+    let verifier = verifier.verify().await?;
+    let request = verifier.request();
+
+    if !request.server_identity() || request.reveal().is_none() {
+        let verifier = verifier
+            .reject(Some(
+                "expecting to verify the server name and transcript data",
+            ))
+            .await?;
+        verifier.close().await?;
+        return Err(anyhow::anyhow!(
+            "prover did not reveal the server name and transcript data"
+        ));
+    }
+
+    let (
+        VerifierOutput {
+            server_name,
+            transcript,
+            transcript_commitments,
+            ..
+        },
+        verifier,
+    ) = verifier.accept().await?;
+
+    verifier.close().await?;
+
+    let server_name = server_name.expect("server name should be present");
+    let transcript = transcript.expect("transcript should be present");
+
+    // Create hash commitment for the date of birth field from the response
+    let sent = transcript.sent_unsafe().to_vec();
+    let sent_data = String::from_utf8(sent.clone())
+        .map_err(|e| anyhow::anyhow!("Verifier expected valid UTF-8 sent data: {e}"))?;
+
+    if !sent_data.contains(SERVER_DOMAIN) {
+        return Err(anyhow::anyhow!(
+            "Verification failed: Expected host {SERVER_DOMAIN} not found in sent data"
+        ));
+    }
+
+    // Check received data.
+    let received_commitments = received_commitments(&transcript_commitments);
+    let received_commitment = received_commitments
+        .first()
+        .ok_or_else(|| anyhow::anyhow!("Missing hash commitment"))?;
+
+    assert!(received_commitment.direction == Direction::Received);
+    assert!(received_commitment.hash.alg == HashAlgId::SHA256);
+
+    let committed_hash = &received_commitment.hash;
+
+    // Check Session info: server name.
+    let ServerName::Dns(server_name) = server_name;
+    if server_name.as_str() != SERVER_DOMAIN {
+        return Err(anyhow::anyhow!(
+            "Server name mismatch: expected {SERVER_DOMAIN}, got {}",
+            server_name.as_str()
+        ));
+    }
+
+    // Receive ZKProof information from prover
+    let mut buf = Vec::new();
+    extra_socket.read_to_end(&mut buf).await?;
+
+    if buf.is_empty() {
+        return Err(anyhow::anyhow!("No ZK proof data received from prover"));
+    }
+
+    let msg: ZKProofBundle = bincode::deserialize(&buf)
+        .map_err(|e| anyhow::anyhow!("Failed to deserialize ZK proof bundle: {e}"))?;
+
+    // Verify zk proof
+    const PROGRAM_JSON: &str = include_str!("./noir/target/noir.json");
+    let json: Value = serde_json::from_str(PROGRAM_JSON)
+        .map_err(|e| anyhow::anyhow!("Failed to parse Noir circuit: {e}"))?;
+
+    let bytecode = json["bytecode"]
+        .as_str()
+        .ok_or_else(|| anyhow::anyhow!("Bytecode field missing in noir.json"))?;
+
+    let vk = get_ultra_honk_verification_key(bytecode, false)
+        .map_err(|e| anyhow::anyhow!("Failed to get verification key: {e}"))?;
+
+    if vk != msg.vk {
+        return Err(anyhow::anyhow!(
+            "Verification key mismatch between computed and provided by prover"
+        ));
+    }
+
+    let proof = msg.proof.clone();
+
+    // Validate proof has enough data.
+    // The proof should start with the public inputs:
+    // * We expect at least 3 * 32 bytes for the three date fields (day, month,
+    //   year)
+    // * and 32*32 bytes for the hash
+    let min_bytes = (32 + 3) * 32;
+    if proof.len() < min_bytes {
+        return Err(anyhow::anyhow!(
+            "Proof too short: expected at least {min_bytes} bytes, got {}",
+            proof.len()
+        ));
+    }
+
+    // Check that the proof date is correctly included in the proof
+    let proof_date_day: u32 = u32::from_be_bytes(proof[28..32].try_into()?);
+    let proof_date_month: u32 = u32::from_be_bytes(proof[60..64].try_into()?);
+    let proof_date_year: i32 = i32::from_be_bytes(proof[92..96].try_into()?);
+    let proof_date_from_proof =
+        NaiveDate::from_ymd_opt(proof_date_year, proof_date_month, proof_date_day)
+            .ok_or_else(|| anyhow::anyhow!("Invalid proof date in proof"))?;
+    let today = Local::now().date_naive();
+    if (today - proof_date_from_proof).num_days() < 0 {
+        return Err(anyhow::anyhow!(
+            "The proof date can only be today or in the past: provided {proof_date_from_proof}, today {today}"
+        ));
+    }
+
+    // Check that the committed hash in the proof matches the hash from the
+    // commitment
+    let committed_hash_in_proof: Vec<u8> = proof
+        .chunks(32)
+        .skip(3) // skip the first 3 chunks
+        .take(32)
+        .map(|chunk| *chunk.last().unwrap_or(&0))
+        .collect();
+    let expected_hash = committed_hash.value.as_bytes().to_vec();
+    if committed_hash_in_proof != expected_hash {
+        tracing::error!(
+            "❌ The hash in the proof does not match the committed hash in MPC-TLS: {} != {}",
+            hex::encode(&committed_hash_in_proof),
+            hex::encode(&expected_hash)
+        );
+        return Err(anyhow::anyhow!(
+            "Hash in proof does not match committed hash in MPC-TLS"
+        ));
+    }
+    tracing::info!(
+        "✅ The hash in the proof matches the committed hash in MPC-TLS ({})",
+        hex::encode(&expected_hash)
+    );
+
+    // Finally verify the proof
+    let is_valid = verify_ultra_honk(msg.proof, msg.vk)
+        .map_err(|e| anyhow::anyhow!("ZKProof Verification failed: {e}"))?;
+    if !is_valid {
+        tracing::error!("❌ Age verification ZKProof failed to verify");
+        return Err(anyhow::anyhow!("Age verification ZKProof failed to verify"));
+    }
+    tracing::info!("✅ Age verification ZKProof successfully verified");
+
+    Ok(transcript)
+}

crates/formats/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "tlsn-formats"
-version = "0.1.0-alpha.13-pre"
+version = "0.1.0-alpha.14-pre"
 edition = "2021"
 
 [lints]

crates/harness/build.sh

@@ -3,7 +3,19 @@
 # Ensure the script runs in the folder that contains this script
 cd "$(dirname "$0")"
 
-cargo build --release --package tlsn-harness-runner --package tlsn-harness-executor --package tlsn-server-fixture --package tlsn-harness-plot
+RUNNER_FEATURES=""
+EXECUTOR_FEATURES=""
+
+if [ "$1" = "debug" ]; then
+    RUNNER_FEATURES="--features debug"
+    EXECUTOR_FEATURES="--no-default-features --features debug"
+fi
+
+cargo build --release \
+    --package tlsn-harness-runner $RUNNER_FEATURES \
+    --package tlsn-harness-executor $EXECUTOR_FEATURES \
+    --package tlsn-server-fixture \
+    --package tlsn-harness-plot
 
 mkdir -p bin
 

crates/harness/core/src/bench.rs

@@ -9,6 +9,7 @@ pub const DEFAULT_UPLOAD_SIZE: usize = 1024;
 pub const DEFAULT_DOWNLOAD_SIZE: usize = 4096;
 pub const DEFAULT_DEFER_DECRYPTION: bool = true;
 pub const DEFAULT_MEMORY_PROFILE: bool = false;
+pub const DEFAULT_REVEAL_ALL: bool = false;
 
 pub const WARM_UP_BENCH: Bench = Bench {
     group: None,
@@ -20,6 +21,7 @@ pub const WARM_UP_BENCH: Bench = Bench {
     download_size: 4096,
     defer_decryption: true,
     memory_profile: false,
+    reveal_all: true,
 };
 
 #[derive(Deserialize)]
@@ -79,6 +81,8 @@ pub struct BenchGroupItem {
     pub defer_decryption: Option<bool>,
     #[serde(rename = "memory-profile")]
     pub memory_profile: Option<bool>,
+    #[serde(rename = "reveal-all")]
+    pub reveal_all: Option<bool>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -97,6 +101,8 @@ pub struct BenchItem {
     pub defer_decryption: Option<bool>,
     #[serde(rename = "memory-profile")]
     pub memory_profile: Option<bool>,
+    #[serde(rename = "reveal-all")]
+    pub reveal_all: Option<bool>,
 }
 
 impl BenchItem {
@@ -132,6 +138,10 @@ impl BenchItem {
         if self.memory_profile.is_none() {
             self.memory_profile = group.memory_profile;
         }
+
+        if self.reveal_all.is_none() {
+            self.reveal_all = group.reveal_all;
+        }
     }
 
     pub fn into_bench(&self) -> Bench {
@@ -145,6 +155,7 @@ impl BenchItem {
             download_size: self.download_size.unwrap_or(DEFAULT_DOWNLOAD_SIZE),
             defer_decryption: self.defer_decryption.unwrap_or(DEFAULT_DEFER_DECRYPTION),
             memory_profile: self.memory_profile.unwrap_or(DEFAULT_MEMORY_PROFILE),
+            reveal_all: self.reveal_all.unwrap_or(DEFAULT_REVEAL_ALL),
         }
     }
 }
@@ -164,6 +175,8 @@ pub struct Bench {
     pub defer_decryption: bool,
     #[serde(rename = "memory-profile")]
     pub memory_profile: bool,
+    #[serde(rename = "reveal-all")]
+    pub reveal_all: bool,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]

crates/harness/core/src/rpc.rs

@@ -22,7 +22,10 @@ pub enum CmdOutput {
     GetTests(Vec<String>),
     Test(TestOutput),
     Bench(BenchOutput),
-    Fail { reason: Option<String> },
+    #[cfg(target_arch = "wasm32")]
+    Fail {
+        reason: Option<String>,
+    },
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]

crates/harness/executor/.cargo/config.toml

@@ -1,10 +1,14 @@
 [target.wasm32-unknown-unknown]
 rustflags = [
-    "-C",
+    "-Ctarget-feature=+atomics,+bulk-memory,+mutable-globals,+simd128",
-    "target-feature=+atomics,+bulk-memory,+mutable-globals,+simd128",
+    "-Clink-arg=--shared-memory",
-    "-C",
     # 4GB
-    "link-arg=--max-memory=4294967296",
+    "-Clink-arg=--max-memory=4294967296",
+    "-Clink-arg=--import-memory",
+    "-Clink-arg=--export=__wasm_init_tls",
+    "-Clink-arg=--export=__tls_size",
+    "-Clink-arg=--export=__tls_align",
+    "-Clink-arg=--export=__tls_base",
     "--cfg",
     'getrandom_backend="wasm_js"',
 ]

crates/harness/executor/Cargo.toml

@@ -4,6 +4,12 @@ version = "0.1.0"
 edition = "2024"
 publish = false
 
+[features]
+# Disable tracing events as a workaround for issue 959. 
+default = ["tracing/release_max_level_off"]
+# Used to debug the executor itself.
+debug = []
+
 [lib]
 name = "harness_executor"
 crate-type = ["cdylib", "rlib"]
@@ -28,8 +34,7 @@ tokio = { workspace = true, features = ["full"] }
 tokio-util = { workspace = true, features = ["compat"] }
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
-# Disable tracing events as a workaround for issue 959. 
+tracing = { workspace = true }
-tracing = { workspace = true, features = ["release_max_level_off"] }
 wasm-bindgen = { workspace = true }
 tlsn-wasm = { workspace = true }
 js-sys = { workspace = true }

crates/harness/executor/src/bench/prover.rs

@@ -5,9 +5,15 @@ use futures::{AsyncReadExt, AsyncWriteExt, TryFutureExt};
 
 use harness_core::bench::{Bench, ProverMetrics};
 use tlsn::{
-    config::{CertificateDer, ProtocolConfig, RootCertStore},
+    config::{
+        prove::ProveConfig,
+        prover::ProverConfig,
+        tls::TlsClientConfig,
+        tls_commit::{TlsCommitConfig, mpc::MpcTlsConfig},
+    },
     connection::ServerName,
-    prover::{ProveConfig, Prover, ProverConfig, TlsConfig},
+    prover::Prover,
+    webpki::{CertificateDer, RootCertStore},
 };
 use tlsn_server_fixture_certs::{CA_CERT_DER, SERVER_DOMAIN};
 
@@ -22,41 +28,47 @@ pub async fn bench_prover(provider: &IoProvider, config: &Bench) -> Result<Prove
     let sent = verifier_io.sent();
     let recv = verifier_io.recv();
 
-    let mut builder = ProtocolConfig::builder();
+    let prover = Prover::new(ProverConfig::builder().build()?);
-    builder.max_sent_data(config.upload_size);
-
-    builder.defer_decryption_from_start(config.defer_decryption);
-    if !config.defer_decryption {
-        builder.max_recv_data_online(config.download_size + RECV_PADDING);
-    }
-    builder.max_recv_data(config.download_size + RECV_PADDING);
-
-    let protocol_config = builder.build()?;
-
-    let mut tls_config_builder = TlsConfig::builder();
-    tls_config_builder.root_store(RootCertStore {
-        roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
-    });
-    let tls_config = tls_config_builder.build()?;
-
-    let prover = Prover::new(
-        ProverConfig::builder()
-            .tls_config(tls_config)
-            .protocol_config(protocol_config)
-            .server_name(ServerName::Dns(SERVER_DOMAIN.try_into().unwrap()))
-            .build()?,
-    );
 
     let time_start = web_time::Instant::now();
 
-    let prover = prover.setup(verifier_io).await?;
+    let prover = prover
+        .commit(
+            TlsCommitConfig::builder()
+                .protocol({
+                    let mut builder = MpcTlsConfig::builder()
+                        .max_sent_data(config.upload_size)
+                        .defer_decryption_from_start(config.defer_decryption);
+
+                    if !config.defer_decryption {
+                        builder = builder.max_recv_data_online(config.download_size + RECV_PADDING);
+                    }
+
+                    builder
+                        .max_recv_data(config.download_size + RECV_PADDING)
+                        .build()
+                }?)
+                .build()?,
+            verifier_io,
+        )
+        .await?;
 
     let time_preprocess = time_start.elapsed().as_millis();
     let time_start_online = web_time::Instant::now();
     let uploaded_preprocess = sent.load(Ordering::Relaxed);
     let downloaded_preprocess = recv.load(Ordering::Relaxed);
 
-    let (mut conn, prover_fut) = prover.connect(provider.provide_server_io().await?).await?;
+    let (mut conn, prover_fut) = prover
+        .connect(
+            TlsClientConfig::builder()
+                .server_name(ServerName::Dns(SERVER_DOMAIN.try_into()?))
+                .root_store(RootCertStore {
+                    roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
+                })
+                .build()?,
+            provider.provide_server_io().await?,
+        )
+        .await?;
 
     let (_, mut prover) = futures::try_join!(
         async {
@@ -86,14 +98,27 @@ pub async fn bench_prover(provider: &IoProvider, config: &Bench) -> Result<Prove
 
     let mut builder = ProveConfig::builder(prover.transcript());
 
+    // When reveal_all is false (the default), we exclude 1 byte to avoid the
+    // reveal-all optimization and benchmark the realistic ZK authentication path.
+    let reveal_sent_range = if config.reveal_all {
+        0..sent_len
+    } else {
+        0..sent_len.saturating_sub(1)
+    };
+    let reveal_recv_range = if config.reveal_all {
+        0..recv_len
+    } else {
+        0..recv_len.saturating_sub(1)
+    };
+
     builder
         .server_identity()
-        .reveal_sent(&(0..sent_len))?
+        .reveal_sent(&reveal_sent_range)?
-        .reveal_recv(&(0..recv_len))?;
+        .reveal_recv(&reveal_recv_range)?;
 
-    let config = builder.build()?;
+    let prove_config = builder.build()?;
 
-    prover.prove(&config).await?;
+    prover.prove(&prove_config).await?;
     prover.close().await?;
 
     let time_total = time_start.elapsed().as_millis();

crates/harness/executor/src/bench/verifier.rs

@@ -2,33 +2,31 @@ use anyhow::Result;
 
 use harness_core::bench::Bench;
 use tlsn::{
-    config::{CertificateDer, ProtocolConfigValidator, RootCertStore},
+    config::verifier::VerifierConfig,
-    verifier::{Verifier, VerifierConfig, VerifyConfig},
+    verifier::Verifier,
+    webpki::{CertificateDer, RootCertStore},
 };
 use tlsn_server_fixture_certs::CA_CERT_DER;
 
-use crate::{IoProvider, bench::RECV_PADDING};
+use crate::IoProvider;
-
-pub async fn bench_verifier(provider: &IoProvider, config: &Bench) -> Result<()> {
-    let mut builder = ProtocolConfigValidator::builder();
-    builder
-        .max_sent_data(config.upload_size)
-        .max_recv_data(config.download_size + RECV_PADDING);
-
-    let protocol_config = builder.build()?;
 
+pub async fn bench_verifier(provider: &IoProvider, _config: &Bench) -> Result<()> {
     let verifier = Verifier::new(
         VerifierConfig::builder()
             .root_store(RootCertStore {
                 roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
             })
-            .protocol_config_validator(protocol_config)
             .build()?,
     );
 
-    let verifier = verifier.setup(provider.provide_proto_io().await?).await?;
+    let verifier = verifier
-    let mut verifier = verifier.run().await?;
+        .commit(provider.provide_proto_io().await?)
-    verifier.verify(&VerifyConfig::default()).await?;
+        .await?
+        .accept()
+        .await?
+        .run()
+        .await?;
+    let (_, verifier) = verifier.verify().await?.accept().await?;
     verifier.close().await?;
 
     Ok(())

crates/harness/executor/test_plugins/basic.rs

@@ -1,10 +1,17 @@
 use tlsn::{
-    config::{CertificateDer, ProtocolConfig, ProtocolConfigValidator, RootCertStore},
+    config::{
+        prove::ProveConfig,
+        prover::ProverConfig,
+        tls::TlsClientConfig,
+        tls_commit::{TlsCommitConfig, mpc::MpcTlsConfig},
+        verifier::VerifierConfig,
+    },
     connection::ServerName,
     hash::HashAlgId,
-    prover::{ProveConfig, Prover, ProverConfig, TlsConfig},
+    prover::Prover,
     transcript::{TranscriptCommitConfig, TranscriptCommitment, TranscriptCommitmentKind},
-    verifier::{Verifier, VerifierConfig, VerifierOutput, VerifyConfig},
+    verifier::{Verifier, VerifierOutput},
+    webpki::{CertificateDer, RootCertStore},
 };
 use tlsn_server_fixture_certs::{CA_CERT_DER, SERVER_DOMAIN};
 
@@ -21,35 +28,35 @@ const MAX_RECV_DATA: usize = 1 << 11;
 crate::test!("basic", prover, verifier);
 
 async fn prover(provider: &IoProvider) {
-    let mut tls_config_builder = TlsConfig::builder();
+    let prover = Prover::new(ProverConfig::builder().build().unwrap())
-    tls_config_builder.root_store(RootCertStore {
+        .commit(
-        roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
+            TlsCommitConfig::builder()
-    });
+                .protocol(
-
+                    MpcTlsConfig::builder()
-    let tls_config = tls_config_builder.build().unwrap();
+                        .max_sent_data(MAX_SENT_DATA)
-
+                        .max_recv_data(MAX_RECV_DATA)
-    let server_name = ServerName::Dns(SERVER_DOMAIN.try_into().unwrap());
+                        .defer_decryption_from_start(true)
-    let prover = Prover::new(
+                        .build()
-        ProverConfig::builder()
+                        .unwrap(),
-            .server_name(server_name)
+                )
-            .tls_config(tls_config)
+                .build()
-            .protocol_config(
+                .unwrap(),
-                ProtocolConfig::builder()
+            provider.provide_proto_io().await.unwrap(),
-                    .max_sent_data(MAX_SENT_DATA)
+        )
-                    .max_recv_data(MAX_RECV_DATA)
+        .await
-                    .defer_decryption_from_start(true)
+        .unwrap();
-                    .build()
-                    .unwrap(),
-            )
-            .build()
-            .unwrap(),
-    )
-    .setup(provider.provide_proto_io().await.unwrap())
-    .await
-    .unwrap();
 
     let (tls_connection, prover_fut) = prover
-        .connect(provider.provide_server_io().await.unwrap())
+        .connect(
+            TlsClientConfig::builder()
+                .server_name(ServerName::Dns(SERVER_DOMAIN.try_into().unwrap()))
+                .root_store(RootCertStore {
+                    roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
+                })
+                .build()
+                .unwrap(),
+            provider.provide_server_io().await.unwrap(),
+        )
         .await
         .unwrap();
 
@@ -113,33 +120,34 @@ async fn prover(provider: &IoProvider) {
 
 async fn verifier(provider: &IoProvider) {
     let config = VerifierConfig::builder()
-        .protocol_config_validator(
-            ProtocolConfigValidator::builder()
-                .max_sent_data(MAX_SENT_DATA)
-                .max_recv_data(MAX_RECV_DATA)
-                .build()
-                .unwrap(),
-        )
         .root_store(RootCertStore {
             roots: vec![CertificateDer(CA_CERT_DER.to_vec())],
         })
         .build()
         .unwrap();
 
-    let verifier = Verifier::new(config);
+    let verifier = Verifier::new(config)
-
+        .commit(provider.provide_proto_io().await.unwrap())
-    let VerifierOutput {
+        .await
-        server_name,
+        .unwrap()
-        transcript_commitments,
+        .accept()
-        ..
+        .await
-    } = verifier
+        .unwrap()
-        .verify(
+        .run()
-            provider.provide_proto_io().await.unwrap(),
-            &VerifyConfig::default(),
-        )
         .await
         .unwrap();
 
+    let (
+        VerifierOutput {
+            server_name,
+            transcript_commitments,
+            ..
+        },
+        verifier,
+    ) = verifier.verify().await.unwrap().accept().await.unwrap();
+
+    verifier.close().await.unwrap();
+
     let ServerName::Dns(server_name) = server_name.unwrap();
 
     assert_eq!(server_name.as_str(), SERVER_DOMAIN);

crates/harness/harness.Dockerfile

@@ -1,6 +1,8 @@
 FROM rust AS builder
 WORKDIR /usr/src/tlsn
 
+ARG DEBUG=0
+
 RUN \
     rustup update; \
     apt update && apt install -y clang; \
@@ -10,7 +12,12 @@ RUN \
 COPY . .
 RUN \
     cd crates/harness; \
-    ./build.sh;
+    # Pass `--build-arg DEBUG=1` to `docker build` if you need to debug the harness.
+    if [ "$DEBUG" = "1" ]; then \
+      ./build.sh debug; \
+    else \
+      ./build.sh; \
+    fi
 
 FROM debian:latest
 

crates/harness/plot/Cargo.toml

@@ -7,10 +7,9 @@ publish = false
 [dependencies]
 tlsn-harness-core = { workspace = true }
 # tlsn-server-fixture = { workspace = true }
-charming = { version = "0.5.1", features = ["ssr"] }
+charming = { version = "0.6.0", features = ["ssr"] }
-csv = "1.3.0"
 clap = { workspace = true, features = ["derive", "env"] }
-itertools = "0.14.0"
+polars = { version = "0.44", features = ["csv", "lazy"] }
 toml = { workspace = true }
 
 

crates/harness/plot/README.md

@@ -0,0 +1,111 @@
+# TLSNotary Benchmark Plot Tool
+
+Generates interactive HTML and SVG plots from TLSNotary benchmark results. Supports comparing multiple benchmark runs (e.g., before/after optimization, native vs browser).
+
+## Usage
+
+```bash
+tlsn-harness-plot <TOML> <CSV>... [OPTIONS]
+```
+
+### Arguments
+
+- `<TOML>` - Path to Bench.toml file defining benchmark structure
+- `<CSV>...` - One or more CSV files with benchmark results
+
+### Options
+
+- `-l, --labels <LABEL>...` - Labels for each dataset (optional)
+  - If omitted, datasets are labeled "Dataset 1", "Dataset 2", etc.
+  - Number of labels must match number of CSV files
+- `--min-max-band` - Add min/max bands to plots showing variance
+- `-h, --help` - Print help information
+
+## Examples
+
+### Single Dataset
+
+```bash
+tlsn-harness-plot bench.toml results.csv
+```
+
+Generates plots from a single benchmark run.
+
+### Compare Two Runs
+
+```bash
+tlsn-harness-plot bench.toml before.csv after.csv \
+  --labels "Before Optimization" "After Optimization"
+```
+
+Overlays two datasets to compare performance improvements.
+
+### Multiple Datasets
+
+```bash
+tlsn-harness-plot bench.toml native.csv browser.csv wasm.csv \
+  --labels "Native" "Browser" "WASM"
+```
+
+Compare three different runtime environments.
+
+### With Min/Max Bands
+
+```bash
+tlsn-harness-plot bench.toml run1.csv run2.csv \
+  --labels "Config A" "Config B" \
+  --min-max-band
+```
+
+Shows variance ranges for each dataset.
+
+## Output Files
+
+The tool generates two files per benchmark group:
+
+- `<output>.html` - Interactive HTML chart (zoomable, hoverable)
+- `<output>.svg` - Static SVG image for documentation
+
+Default output filenames:
+- `runtime_vs_bandwidth.{html,svg}` - When `protocol_latency` is defined in group
+- `runtime_vs_latency.{html,svg}` - When `bandwidth` is defined in group
+
+## Plot Format
+
+Each dataset displays:
+- **Solid line** - Total runtime (preprocessing + online phase)
+- **Dashed line** - Online phase only
+- **Shaded area** (optional) - Min/max variance bands
+
+Different datasets automatically use distinct colors for easy comparison.
+
+## CSV Format
+
+Expected columns in each CSV file:
+- `group` - Benchmark group name (must match TOML)
+- `bandwidth` - Network bandwidth in Kbps (for bandwidth plots)
+- `latency` - Network latency in ms (for latency plots)
+- `time_preprocess` - Preprocessing time in ms
+- `time_online` - Online phase time in ms
+- `time_total` - Total runtime in ms
+
+## TOML Format
+
+The benchmark TOML file defines groups with either:
+
+```toml
+[[group]]
+name = "my_benchmark"
+protocol_latency = 50  # Fixed latency for bandwidth plots
+# OR
+bandwidth = 10000      # Fixed bandwidth for latency plots
+```
+
+All datasets must use the same TOML file to ensure consistent benchmark structure.
+
+## Tips
+
+- Use descriptive labels to make plots self-documenting
+- Keep CSV files from the same benchmark configuration for valid comparisons
+- Min/max bands are useful for showing stability but can clutter plots with many datasets
+- Interactive HTML plots support zooming and hovering for detailed values

crates/harness/plot/bin/plot.rs

@@ -1,17 +1,18 @@
 use std::f32;
 
 use charming::{
-    Chart, HtmlRenderer,
+    Chart, HtmlRenderer, ImageRenderer,
     component::{Axis, Legend, Title},
-    element::{AreaStyle, LineStyle, NameLocation, Orient, TextStyle, Tooltip, Trigger},
+    element::{
+        AreaStyle, ItemStyle, LineStyle, LineStyleType, NameLocation, Orient, TextStyle, Tooltip,
+        Trigger,
+    },
     series::Line,
     theme::Theme,
 };
 use clap::Parser;
-use harness_core::bench::{BenchItems, Measurement};
+use harness_core::bench::BenchItems;
-use itertools::Itertools;
+use polars::prelude::*;
-
-const THEME: Theme = Theme::Default;
 
 #[derive(Parser, Debug)]
 #[command(author, version, about)]
@@ -19,72 +20,131 @@ struct Cli {
     /// Path to the Bench.toml file with benchmark spec
     toml: String,
 
-    /// Path to the CSV file with benchmark results
+    /// Paths to CSV files with benchmark results (one or more)
-    csv: String,
+    csv: Vec<String>,
 
-    /// Prover kind: native or browser
+    /// Labels for each dataset (optional, defaults to "Dataset 1", "Dataset 2", etc.)
-    #[arg(short, long, value_enum, default_value = "native")]
+    #[arg(short, long, num_args = 0..)]
-    prover_kind: ProverKind,
+    labels: Vec<String>,
 
     /// Add min/max bands to plots
     #[arg(long, default_value_t = false)]
     min_max_band: bool,
 }
 
-#[derive(Debug, Clone, Copy, PartialEq, Eq, clap::ValueEnum)]
-enum ProverKind {
-    Native,
-    Browser,
-}
-
-impl std::fmt::Display for ProverKind {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            ProverKind::Native => write!(f, "Native"),
-            ProverKind::Browser => write!(f, "Browser"),
-        }
-    }
-}
-
 fn main() -> Result<(), Box<dyn std::error::Error>> {
     let cli = Cli::parse();
 
-    let mut rdr = csv::Reader::from_path(&cli.csv)?;
+    if cli.csv.is_empty() {
+        return Err("At least one CSV file must be provided".into());
+    }
+
+    // Generate labels if not provided
+    let labels: Vec<String> = if cli.labels.is_empty() {
+        cli.csv
+            .iter()
+            .enumerate()
+            .map(|(i, _)| format!("Dataset {}", i + 1))
+            .collect()
+    } else if cli.labels.len() != cli.csv.len() {
+        return Err(format!(
+            "Number of labels ({}) must match number of CSV files ({})",
+            cli.labels.len(),
+            cli.csv.len()
+        )
+        .into());
+    } else {
+        cli.labels.clone()
+    };
+
+    // Load all CSVs and add dataset label
+    let mut dfs = Vec::new();
+    for (csv_path, label) in cli.csv.iter().zip(labels.iter()) {
+        let mut df = CsvReadOptions::default()
+            .try_into_reader_with_file_path(Some(csv_path.clone().into()))?
+            .finish()?;
+
+        let label_series = Series::new("dataset_label".into(), vec![label.as_str(); df.height()]);
+        df.with_column(label_series)?;
+        dfs.push(df);
+    }
+
+    // Combine all dataframes
+    let df = dfs
+        .into_iter()
+        .reduce(|acc, df| acc.vstack(&df).unwrap())
+        .unwrap();
 
     let items: BenchItems = toml::from_str(&std::fs::read_to_string(&cli.toml)?)?;
     let groups = items.group;
 
-    // Prepare data for plotting.
-    let all_data: Vec<Measurement> = rdr
-        .deserialize::<Measurement>()
-        .collect::<Result<Vec<_>, _>>()?;
-
     for group in groups {
-        if group.protocol_latency.is_some() {
+        // Determine which field varies in benches for this group
-            let latency = group.protocol_latency.unwrap();
+        let benches_in_group: Vec<_> = items
-            plot_runtime_vs(
+            .bench
-                &all_data,
+            .iter()
-                cli.min_max_band,
+            .filter(|b| b.group.as_deref() == Some(&group.name))
-                &group.name,
+            .collect();
-                |r| r.bandwidth as f32 / 1000.0, // Kbps to Mbps
+
-                "Runtime vs Bandwidth",
+        if benches_in_group.is_empty() {
-                format!("{} ms Latency, {} mode", latency, cli.prover_kind),
+            continue;
-                "runtime_vs_bandwidth.html",
-                "Bandwidth (Mbps)",
-            )?;
         }
 
-        if group.bandwidth.is_some() {
+        // Check which field has varying values
-            let bandwidth = group.bandwidth.unwrap();
+        let bandwidth_varies = benches_in_group
+            .windows(2)
+            .any(|w| w[0].bandwidth != w[1].bandwidth);
+        let latency_varies = benches_in_group
+            .windows(2)
+            .any(|w| w[0].protocol_latency != w[1].protocol_latency);
+        let download_size_varies = benches_in_group
+            .windows(2)
+            .any(|w| w[0].download_size != w[1].download_size);
+
+        if download_size_varies {
+            let upload_size = group.upload_size.unwrap_or(1024);
             plot_runtime_vs(
-                &all_data,
+                &df,
+                &labels,
                 cli.min_max_band,
                 &group.name,
-                |r| r.latency as f32,
+                "download_size",
+                1.0 / 1024.0, // bytes to KB
+                "Runtime vs Response Size",
+                format!("{} bytes upload size", upload_size),
+                "runtime_vs_download_size",
+                "Response Size (KB)",
+                true, // legend on left
+            )?;
+        } else if bandwidth_varies {
+            let latency = group.protocol_latency.unwrap_or(50);
+            plot_runtime_vs(
+                &df,
+                &labels,
+                cli.min_max_band,
+                &group.name,
+                "bandwidth",
+                1.0 / 1000.0, // Kbps to Mbps
+                "Runtime vs Bandwidth",
+                format!("{} ms Latency", latency),
+                "runtime_vs_bandwidth",
+                "Bandwidth (Mbps)",
+                false, // legend on right
+            )?;
+        } else if latency_varies {
+            let bandwidth = group.bandwidth.unwrap_or(1000);
+            plot_runtime_vs(
+                &df,
+                &labels,
+                cli.min_max_band,
+                &group.name,
+                "latency",
+                1.0,
                 "Runtime vs Latency",
-                format!("{} bps bandwidth, {} mode", bandwidth, cli.prover_kind),
+                format!("{} bps bandwidth", bandwidth),
-                "runtime_vs_latency.html",
+                "runtime_vs_latency",
                 "Latency (ms)",
+                true, // legend on left
             )?;
         }
     }
@@ -92,83 +152,51 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     Ok(())
 }
 
-struct DataPoint {
-    min: f32,
-    mean: f32,
-    max: f32,
-}
-
-struct Points {
-    preprocess: DataPoint,
-    online: DataPoint,
-    total: DataPoint,
-}
-
 #[allow(clippy::too_many_arguments)]
-fn plot_runtime_vs<Fx>(
+fn plot_runtime_vs(
-    all_data: &[Measurement],
+    df: &DataFrame,
+    labels: &[String],
     show_min_max: bool,
     group: &str,
-    x_value: Fx,
+    x_col: &str,
+    x_scale: f32,
     title: &str,
     subtitle: String,
     output_file: &str,
     x_axis_label: &str,
-) -> Result<Chart, Box<dyn std::error::Error>>
+    legend_left: bool,
-where
+) -> Result<Chart, Box<dyn std::error::Error>> {
-    Fx: Fn(&Measurement) -> f32,
+    let stats_df = df
-{
+        .clone()
-    fn data_point(values: &[f32]) -> DataPoint {
+        .lazy()
-        let mean = values.iter().copied().sum::<f32>() / values.len() as f32;
+        .filter(col("group").eq(lit(group)))
-        let max = values.iter().copied().reduce(f32::max).unwrap_or_default();
+        .with_column((col(x_col).cast(DataType::Float32) * lit(x_scale)).alias("x"))
-        let min = values.iter().copied().reduce(f32::min).unwrap_or_default();
+        .with_columns([
-        DataPoint { min, mean, max }
+            (col("time_preprocess").cast(DataType::Float32) / lit(1000.0)).alias("preprocess"),
-    }
+            (col("time_online").cast(DataType::Float32) / lit(1000.0)).alias("online"),
+            (col("time_total").cast(DataType::Float32) / lit(1000.0)).alias("total"),
+        ])
+        .group_by([col("x"), col("dataset_label")])
+        .agg([
+            col("preprocess").min().alias("preprocess_min"),
+            col("preprocess").mean().alias("preprocess_mean"),
+            col("preprocess").max().alias("preprocess_max"),
+            col("online").min().alias("online_min"),
+            col("online").mean().alias("online_mean"),
+            col("online").max().alias("online_max"),
+            col("total").min().alias("total_min"),
+            col("total").mean().alias("total_mean"),
+            col("total").max().alias("total_max"),
+        ])
+        .sort(["dataset_label", "x"], Default::default())
+        .collect()?;
 
-    let stats: Vec<(f32, Points)> = all_data
+    // Build legend entries
-        .iter()
+    let mut legend_data = Vec::new();
-        .filter(|r| r.group.as_deref() == Some(group))
+    for label in labels {
-        .map(|r| {
+        legend_data.push(format!("Total Mean ({})", label));
-            (
+        legend_data.push(format!("Online Mean ({})", label));
-                x_value(r),
+    }
-                r.time_preprocess as f32 / 1000.0, // ms to s
-                r.time_online as f32 / 1000.0,
-                r.time_total as f32 / 1000.0,
-            )
-        })
-        .sorted_by(|a, b| a.0.partial_cmp(&b.0).unwrap())
-        .chunk_by(|entry| entry.0)
-        .into_iter()
-        .map(|(x, group)| {
-            let group_vec: Vec<_> = group.collect();
-            let preprocess = data_point(
-                &group_vec
-                    .iter()
-                    .map(|(_, t, _, _)| *t)
-                    .collect::<Vec<f32>>(),
-            );
-            let online = data_point(
-                &group_vec
-                    .iter()
-                    .map(|(_, _, t, _)| *t)
-                    .collect::<Vec<f32>>(),
-            );
-            let total = data_point(
-                &group_vec
-                    .iter()
-                    .map(|(_, _, _, t)| *t)
-                    .collect::<Vec<f32>>(),
-            );
-            (
-                x,
-                Points {
-                    preprocess,
-                    online,
-                    total,
-                },
-            )
-        })
-        .collect();
 
     let mut chart = Chart::new()
         .title(
@@ -179,14 +207,6 @@ where
                 .subtext_style(TextStyle::new().font_size(16)),
         )
         .tooltip(Tooltip::new().trigger(Trigger::Axis))
-        .legend(
-            Legend::new()
-                .data(vec!["Preprocess Mean", "Online Mean", "Total Mean"])
-                .top("80")
-                .right("110")
-                .orient(Orient::Vertical)
-                .item_gap(10),
-        )
         .x_axis(
             Axis::new()
                 .name(x_axis_label)
@@ -205,73 +225,156 @@ where
                 .name_text_style(TextStyle::new().font_size(21)),
         );
 
-    chart = add_mean_series(chart, &stats, "Preprocess Mean", |p| p.preprocess.mean);
+    // Add legend with conditional positioning
-    chart = add_mean_series(chart, &stats, "Online Mean", |p| p.online.mean);
+    let legend = Legend::new()
-    chart = add_mean_series(chart, &stats, "Total Mean", |p| p.total.mean);
+        .data(legend_data)
+        .top("80")
+        .orient(Orient::Vertical)
+        .item_gap(10);
 
-    if show_min_max {
+    let legend = if legend_left {
-        chart = add_min_max_band(
+        legend.left("110")
-            chart,
+    } else {
-            &stats,
+        legend.right("110")
-            "Preprocess Min/Max",
+    };
-            |p| &p.preprocess,
+
-            "#ccc",
+    chart = chart.legend(legend);
-        );
+
-        chart = add_min_max_band(chart, &stats, "Online Min/Max", |p| &p.online, "#ccc");
+    // Define colors for each dataset
-        chart = add_min_max_band(chart, &stats, "Total Min/Max", |p| &p.total, "#ccc");
+    let colors = vec![
+        "#5470c6", "#91cc75", "#fac858", "#ee6666", "#73c0de", "#3ba272", "#fc8452", "#9a60b4",
+    ];
+
+    for (idx, label) in labels.iter().enumerate() {
+        let color = colors.get(idx % colors.len()).unwrap();
+
+        // Total time - solid line
+        chart = add_dataset_series(
+            &chart,
+            &stats_df,
+            label,
+            &format!("Total Mean ({})", label),
+            "total_mean",
+            false,
+            color,
+        )?;
+
+        // Online time - dashed line (same color as total)
+        chart = add_dataset_series(
+            &chart,
+            &stats_df,
+            label,
+            &format!("Online Mean ({})", label),
+            "online_mean",
+            true,
+            color,
+        )?;
+
+        if show_min_max {
+            chart = add_dataset_min_max_band(
+                &chart,
+                &stats_df,
+                label,
+                &format!("Total Min/Max ({})", label),
+                "total",
+                color,
+            )?;
+        }
     }
-    // Save the chart as HTML file.
+    // Save the chart as HTML file (no theme)
     HtmlRenderer::new(title, 1000, 800)
-        .theme(THEME)
+        .save(&chart, &format!("{}.html", output_file))
-        .save(&chart, output_file)
+        .unwrap();
+
+    // Save SVG with default theme
+    ImageRenderer::new(1000, 800)
+        .theme(Theme::Default)
+        .save(&chart, &format!("{}.svg", output_file))
+        .unwrap();
+
+    // Save SVG with dark theme
+    ImageRenderer::new(1000, 800)
+        .theme(Theme::Dark)
+        .save(&chart, &format!("{}_dark.svg", output_file))
         .unwrap();
 
     Ok(chart)
 }
 
-fn add_mean_series(
+fn add_dataset_series(
-    chart: Chart,
+    chart: &Chart,
-    stats: &[(f32, Points)],
+    df: &DataFrame,
-    name: &str,
+    dataset_label: &str,
-    extract: impl Fn(&Points) -> f32,
+    series_name: &str,
-) -> Chart {
+    col_name: &str,
-    chart.series(
+    dashed: bool,
-        Line::new()
+    color: &str,
-            .name(name)
+) -> Result<Chart, Box<dyn std::error::Error>> {
-            .data(
+    // Filter for specific dataset
-                stats
+    let mask = df.column("dataset_label")?.str()?.equal(dataset_label);
-                    .iter()
+    let filtered = df.filter(&mask)?;
-                    .map(|(x, points)| vec![*x, extract(points)])
+
-                    .collect(),
+    let x = filtered.column("x")?.f32()?;
-            )
+    let y = filtered.column(col_name)?.f32()?;
-            .symbol_size(6),
+
-    )
+    let data: Vec<Vec<f32>> = x
+        .into_iter()
+        .zip(y.into_iter())
+        .filter_map(|(x, y)| Some(vec![x?, y?]))
+        .collect();
+
+    let mut line = Line::new()
+        .name(series_name)
+        .data(data)
+        .symbol_size(6)
+        .item_style(ItemStyle::new().color(color));
+
+    let mut line_style = LineStyle::new();
+    if dashed {
+        line_style = line_style.type_(LineStyleType::Dashed);
+    }
+    line = line.line_style(line_style.color(color));
+
+    Ok(chart.clone().series(line))
 }
 
-fn add_min_max_band(
+fn add_dataset_min_max_band(
-    chart: Chart,
+    chart: &Chart,
-    stats: &[(f32, Points)],
+    df: &DataFrame,
+    dataset_label: &str,
     name: &str,
-    extract: impl Fn(&Points) -> &DataPoint,
+    col_prefix: &str,
     color: &str,
-) -> Chart {
+) -> Result<Chart, Box<dyn std::error::Error>> {
-    chart.series(
+    // Filter for specific dataset
+    let mask = df.column("dataset_label")?.str()?.equal(dataset_label);
+    let filtered = df.filter(&mask)?;
+
+    let x = filtered.column("x")?.f32()?;
+    let min_col = filtered.column(&format!("{}_min", col_prefix))?.f32()?;
+    let max_col = filtered.column(&format!("{}_max", col_prefix))?.f32()?;
+
+    let max_data: Vec<Vec<f32>> = x
+        .into_iter()
+        .zip(max_col.into_iter())
+        .filter_map(|(x, y)| Some(vec![x?, y?]))
+        .collect();
+
+    let min_data: Vec<Vec<f32>> = x
+        .into_iter()
+        .zip(min_col.into_iter())
+        .filter_map(|(x, y)| Some(vec![x?, y?]))
+        .rev()
+        .collect();
+
+    let data: Vec<Vec<f32>> = max_data.into_iter().chain(min_data).collect();
+
+    Ok(chart.clone().series(
         Line::new()
             .name(name)
-            .data(
+            .data(data)
-                stats
-                    .iter()
-                    .map(|(x, points)| vec![*x, extract(points).max])
-                    .chain(
-                        stats
-                            .iter()
-                            .rev()
-                            .map(|(x, points)| vec![*x, extract(points).min]),
-                    )
-                    .collect(),
-            )
             .show_symbol(false)
             .line_style(LineStyle::new().opacity(0.0))
             .area_style(AreaStyle::new().opacity(0.3).color(color)),
-    )
+    ))
 }

crates/harness/runner/Cargo.toml

@@ -7,6 +7,10 @@ publish = false
 [lib]
 name = "harness_runner"
 
+[features]
+# Used to debug the runner itself.
+debug = []
+
 [dependencies]
 tlsn-harness-core = { workspace = true }
 tlsn-server-fixture = { workspace = true }

crates/harness/runner/src/debug_prelude.rs

@@ -0,0 +1,17 @@
+#![allow(unused_imports)]
+pub use futures::FutureExt;
+
+pub use tracing::{debug, error};
+
+pub use chromiumoxide::{
+    Browser, Page,
+    cdp::{
+        browser_protocol::{
+            log::{EventEntryAdded, LogEntryLevel},
+            network::{EnableParams, SetCacheDisabledParams},
+            page::ReloadParams,
+        },
+        js_protocol::runtime::EventExceptionThrown,
+    },
+    handler::HandlerConfig,
+};

crates/harness/runner/src/executor.rs

@@ -21,6 +21,9 @@ use harness_core::{
 
 use crate::{Target, network::Namespace, rpc::Rpc};
 
+#[cfg(feature = "debug")]
+use crate::debug_prelude::*;
+
 pub struct Executor {
     ns: Namespace,
     config: ExecutorConfig,
@@ -66,20 +69,34 @@ impl Executor {
                     Id::One => self.config.network().rpc_1,
                 };
 
-                let process = duct::cmd!(
+                let mut args = vec![
-                    "sudo",
+                    "ip".into(),
-                    "ip",
+                    "netns".into(),
-                    "netns",
+                    "exec".into(),
-                    "exec",
+                    self.ns.name().into(),
-                    self.ns.name(),
+                    "env".into(),
-                    "env",
                     format!("CONFIG={}", serde_json::to_string(&self.config)?),
-                    executor_path
+                ];
-                )
+
-                .stdout_capture()
+                if cfg!(feature = "debug") {
-                .stderr_capture()
+                    let level = &std::env::var("RUST_LOG").unwrap_or("debug".to_string());
-                .unchecked()
+                    args.push("env".into());
-                .start()?;
+                    args.push(format!("RUST_LOG={}", level));
+                };
+
+                args.push(executor_path.to_str().expect("valid path").into());
+
+                let process = duct::cmd("sudo", args);
+
+                let process = if !cfg!(feature = "debug") {
+                    process
+                        .stdout_capture()
+                        .stderr_capture()
+                        .unchecked()
+                        .start()?
+                } else {
+                    process.unchecked().start()?
+                };
 
                 let rpc = Rpc::new_native(rpc_addr).await?;
 
@@ -119,10 +136,13 @@ impl Executor {
                     "--no-sandbox",
                     format!("--user-data-dir={tmp}"),
                     format!("--allowed-ips=10.250.0.1"),
-                )
+                );
-                .stderr_capture()
+
-                .stdout_capture()
+                let process = if !cfg!(feature = "debug") {
-                .start()?;
+                    process.stderr_capture().stdout_capture().start()?
+                } else {
+                    process.start()?
+                };
 
                 const TIMEOUT: usize = 10000;
                 const DELAY: usize = 100;
@@ -171,6 +191,38 @@ impl Executor {
                     .new_page(&format!("http://{wasm_addr}:{wasm_port}/index.html"))
                     .await?;
 
+                #[cfg(feature = "debug")]
+                tokio::spawn(register_listeners(page.clone()).await?);
+
+                #[cfg(feature = "debug")]
+                async fn register_listeners(page: Page) -> Result<impl Future<Output = ()>> {
+                    let mut logs = page.event_listener::<EventEntryAdded>().await?.fuse();
+                    let mut exceptions =
+                        page.event_listener::<EventExceptionThrown>().await?.fuse();
+
+                    Ok(futures::future::join(
+                        async move {
+                            while let Some(event) = logs.next().await {
+                                let entry = &event.entry;
+                                match entry.level {
+                                    LogEntryLevel::Error => {
+                                        error!("{:?}", entry);
+                                    }
+                                    _ => {
+                                        debug!("{:?}: {}", entry.timestamp, entry.text);
+                                    }
+                                }
+                            }
+                        },
+                        async move {
+                            while let Some(event) = exceptions.next().await {
+                                error!("{:?}", event);
+                            }
+                        },
+                    )
+                    .map(|_| ()))
+                }
+
                 page.execute(EnableParams::builder().build()).await?;
                 page.execute(SetCacheDisabledParams {
                     cache_disabled: true,

crates/harness/runner/src/lib.rs

@@ -6,6 +6,9 @@ mod server_fixture;
 pub mod wasm_server;
 mod ws_proxy;
 
+#[cfg(feature = "debug")]
+mod debug_prelude;
+
 use std::time::Duration;
 
 use anyhow::Result;
@@ -24,20 +27,18 @@ use cli::{Cli, Command};
 use executor::Executor;
 use server_fixture::ServerFixture;
 
+#[cfg(feature = "debug")]
+use crate::debug_prelude::*;
+
 use crate::{cli::Route, network::Network, wasm_server::WasmServer, ws_proxy::WsProxy};
 
-#[derive(Debug, Clone, Copy, PartialEq, Eq, clap::ValueEnum)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, clap::ValueEnum, Default)]
 pub enum Target {
+    #[default]
     Native,
     Browser,
 }
 
-impl Default for Target {
-    fn default() -> Self {
-        Self::Native
-    }
-}
-
 struct Runner {
     network: Network,
     server_fixture: ServerFixture,
@@ -113,6 +114,9 @@ impl Runner {
 }
 
 pub async fn main() -> Result<()> {
+    #[cfg(feature = "debug")]
+    tracing_subscriber::fmt::init();
+
     let cli = Cli::parse();
     let mut runner = Runner::new(&cli)?;
 
@@ -227,6 +231,9 @@ pub async fn main() -> Result<()> {
                 // Wait for the network to stabilize
                 tokio::time::sleep(Duration::from_millis(100)).await;
 
+                #[cfg(feature = "debug")]
+                debug!("Starting bench in group {:?}", config.group);
+
                 let (output, _) = tokio::try_join!(
                     runner.exec_p.bench(BenchCmd {
                         config: config.clone(),

crates/harness/toml/bandwidth.toml

@@ -0,0 +1,25 @@
+#### Bandwidth ####
+
+[[group]]
+name = "bandwidth"
+protocol_latency = 25
+
+[[bench]]
+group = "bandwidth"
+bandwidth = 10
+
+[[bench]]
+group = "bandwidth"
+bandwidth = 50
+
+[[bench]]
+group = "bandwidth"
+bandwidth = 100
+
+[[bench]]
+group = "bandwidth"
+bandwidth = 250
+
+[[bench]]
+group = "bandwidth"
+bandwidth = 1000

crates/harness/toml/download.toml

@@ -0,0 +1,37 @@
+[[group]]
+name = "download_size"
+protocol_latency = 10
+bandwidth = 200
+upload-size = 2048
+
+[[bench]]
+group = "download_size"
+download-size = 1024
+
+[[bench]]
+group = "download_size"
+download-size = 2048
+
+[[bench]]
+group = "download_size"
+download-size = 4096
+
+[[bench]]
+group = "download_size"
+download-size = 8192
+
+[[bench]]
+group = "download_size"
+download-size = 16384
+
+[[bench]]
+group = "download_size"
+download-size = 32768
+
+[[bench]]
+group = "download_size"
+download-size = 65536
+
+[[bench]]
+group = "download_size"
+download-size = 131072

crates/harness/toml/latency.toml

@@ -0,0 +1,25 @@
+#### Latency ####
+
+[[group]]
+name = "latency"
+bandwidth = 1000
+
+[[bench]]
+group = "latency"
+protocol_latency = 10
+
+[[bench]]
+group = "latency"
+protocol_latency = 25
+
+[[bench]]
+group = "latency"
+protocol_latency = 50
+
+[[bench]]
+group = "latency"
+protocol_latency = 100
+
+[[bench]]
+group = "latency"
+protocol_latency = 200

crates/mpc-tls/Cargo.toml

@@ -5,7 +5,7 @@ description = "TLSNotary MPC-TLS protocol"
 keywords = ["tls", "mpc", "2pc"]
 categories = ["cryptography"]
 license = "MIT OR Apache-2.0"
-version = "0.1.0-alpha.13-pre"
+version = "0.1.0-alpha.14-pre"
 edition = "2021"
 
 [lints]
@@ -33,7 +33,6 @@ mpz-ole = { workspace = true }
 mpz-share-conversion = { workspace = true }
 mpz-vm-core = { workspace = true }
 mpz-memory-core = { workspace = true }
-mpz-circuits = { workspace = true }
 
 ludi = { git = "https://github.com/sinui0/ludi", rev = "e511c3b", default-features = false }
 serio = { workspace = true }
@@ -57,9 +56,9 @@ pin-project-lite = { workspace = true }
 web-time = { workspace = true }
 
 [dev-dependencies]
-mpz-ole = { workspace = true, features = ["test-utils"] }
+mpz-common = { workspace = true, features = ["test-utils"] }
-mpz-ot = { workspace = true }
+mpz-ot = { workspace = true, features = ["ideal"] }
-mpz-garble = { workspace = true }
+mpz-ideal-vm = { workspace = true }
 
 cipher-crate = { package = "cipher", version = "0.4" }
 generic-array = { workspace = true }

crates/mpc-tls/src/leader.rs

@@ -41,6 +41,7 @@ use tls_core::{
         message::{OpaqueMessage, PlainMessage},
     },
     suites::SupportedCipherSuite,
+    verify::verify_sig_determine_alg,
 };
 use tlsn_core::{
     connection::{CertBinding, CertBindingV1_2, ServerSignature, TlsVersion, VerifyData},
@@ -327,12 +328,20 @@ impl MpcTlsLeader {
             .map(|cert| CertificateDer(cert.0.clone()))
             .collect();
 
+        let mut sig_msg = Vec::new();
+        sig_msg.extend_from_slice(&client_random.0);
+        sig_msg.extend_from_slice(&server_random.0);
+        sig_msg.extend_from_slice(server_kx_details.kx_params());
+
+        let server_signature_alg = verify_sig_determine_alg(
+            &server_cert_details.cert_chain()[0],
+            &sig_msg,
+            server_kx_details.kx_sig(),
+        )
+        .expect("only supported signature should have been accepted");
+
         let server_signature = ServerSignature {
-            scheme: server_kx_details
+            alg: server_signature_alg.into(),
-                .kx_sig()
-                .scheme
-                .try_into()
-                .expect("only supported signature scheme should have been accepted"),
             sig: server_kx_details.kx_sig().sig.0.clone(),
         };
 

crates/mpc-tls/src/msg.rs

@@ -72,4 +72,5 @@ pub(crate) struct ServerFinishedVd {
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
+#[allow(dead_code)]
 pub(crate) struct CloseConnection;

crates/mpc-tls/src/record_layer.rs

@@ -487,7 +487,7 @@ impl RecordLayer {
 
             sent_records.push(Record {
                 seq: op.seq,
-                typ: op.typ,
+                typ: op.typ.into(),
                 plaintext: op.plaintext,
                 explicit_nonce: op.explicit_nonce,
                 ciphertext,
@@ -505,7 +505,7 @@ impl RecordLayer {
 
             recv_records.push(Record {
                 seq: op.seq,
-                typ: op.typ,
+                typ: op.typ.into(),
                 plaintext,
                 explicit_nonce: op.explicit_nonce,
                 ciphertext: op.ciphertext,
@@ -578,7 +578,7 @@ impl RecordLayer {
 
             recv_records.push(Record {
                 seq: op.seq,
-                typ: op.typ,
+                typ: op.typ.into(),
                 plaintext,
                 explicit_nonce: op.explicit_nonce,
                 ciphertext: op.ciphertext,

crates/mpc-tls/src/record_layer/aead/aes_gcm.rs

@@ -456,9 +456,8 @@ mod tests {
     };
     use mpz_common::context::test_st_context;
     use mpz_core::Block;
-    use mpz_garble::protocol::semihonest::{Evaluator, Garbler};
+    use mpz_ideal_vm::IdealVm;
-    use mpz_memory_core::{binary::U8, correlated::Delta};
+    use mpz_memory_core::binary::U8;
-    use mpz_ot::ideal::cot::ideal_cot;
     use mpz_share_conversion::ideal::ideal_share_convert;
     use rand::{rngs::StdRng, SeedableRng};
     use rstest::*;
@@ -574,13 +573,8 @@ mod tests {
     }
 
     fn create_vm(key: [u8; 16], iv: [u8; 4]) -> ((impl Vm<Binary>, Vars), (impl Vm<Binary>, Vars)) {
-        let mut rng = StdRng::seed_from_u64(0);
+        let mut vm_0 = IdealVm::new();
-        let block = Block::random(&mut rng);
+        let mut vm_1 = IdealVm::new();
-        let (sender, receiver) = ideal_cot(block);
-
-        let delta = Delta::new(block);
-        let mut vm_0 = Garbler::new(sender, [0u8; 16], delta);
-        let mut vm_1 = Evaluator::new(receiver);
 
         let key_ref_0 = vm_0.alloc::<Array<U8, 16>>().unwrap();
         vm_0.mark_public(key_ref_0).unwrap();

crates/mpc-tls/src/record_layer/aead/ghash.rs

@@ -193,7 +193,7 @@ where
         };
 
         // Divide by block length and round up.
-        let block_count = input.len() / 16 + (input.len() % 16 != 0) as usize;
+        let block_count = input.len() / 16 + !input.len().is_multiple_of(16) as usize;
 
         if block_count > MAX_POWER {
             return Err(ErrorRepr::InputLength {
@@ -282,11 +282,11 @@ fn build_ghash_data(mut aad: Vec<u8>, mut ciphertext: Vec<u8>) -> Vec<u8> {
     let len_block = ((associated_data_bitlen as u128) << 64) + (text_bitlen as u128);
 
     // Pad data to be a multiple of 16 bytes.
-    let aad_padded_block_count = (aad.len() / 16) + (aad.len() % 16 != 0) as usize;
+    let aad_padded_block_count = (aad.len() / 16) + !aad.len().is_multiple_of(16) as usize;
     aad.resize(aad_padded_block_count * 16, 0);
 
     let ciphertext_padded_block_count =
-        (ciphertext.len() / 16) + (ciphertext.len() % 16 != 0) as usize;
+        (ciphertext.len() / 16) + !ciphertext.len().is_multiple_of(16) as usize;
     ciphertext.resize(ciphertext_padded_block_count * 16, 0);
 
     let mut data: Vec<u8> = Vec::with_capacity(aad.len() + ciphertext.len() + 16);