Glossary

audience: all

Domain terms as they are used in this book and in the source.

Aggregator. The untrusted node that XOR-folds client envelopes for a round into a single AggregateEnvelope and forwards it to the committee. One aggregator in v1; a tree of aggregators in v2. Runs as zipnet aggregator.

Any-trust. Security assumption where anonymity holds as long as at least one party in a designated set is honest. The zipnet committee is an any-trust set.

Zipnet::<D>::* constructors. The three public entry points from a mosaik network handle to typed zipnet handles: Zipnet::<D>::submit (writer), Zipnet::<D>::receipts (encrypted per-submission outcomes), and Zipnet::<D>::read (decoded shuffled outputs). Each takes &Arc<Network> and a &zipnet::Config, derives every deployment-local ID internally, and returns a typed handle (Submitter<D>, Receipts<D>, Reader<D>). See Quickstart — publish and read.

deployment_id. The pure function Zipnet::<D>::deployment_id(&Config) -> UniqueId that produces the on-wire identity for a deployment. Useful for handshake diagnostics: both sides compute it locally and compare without any wire traffic.

Bond. mosaik term for a persistent QUIC connection between two members of the same Raft group, authenticated by the shared GroupKey.

Broadcast vector. B = num_slots * slot_bytes bytes of output per round. Default 16 KiB. Each finalized round commits one broadcast vector to the Broadcasts collection.

Client. A node that authors messages and seals them into envelopes inside a TEE. In the mock path (v1 default), the TEE is replaced by a plain process; see Security checklist.

ClientBundle. Public pair (ClientId, dh_pub) gossiped via a discovery ticket so servers can derive per-client pads.

ClientId. 32-byte blake3-keyed hash of the client’s X25519 public key. Stable as long as the client’s DH secret is stable.

Committee. The set of any-trust servers that collectively unblind the round’s aggregate. In v1 this is a Raft group with a bespoke CommitteeMachine state machine. One committee per instance.

Cover traffic. Client envelopes carrying a zero message, sent to widen the anonymity set at negligible extra cost. The SDK sends cover envelopes by default while a Submitter<D> handle is open but idle. See Publishing messages.

DC net. Dining Cryptographers network — the XOR-based anonymous broadcast construction zipnet descends from. See Chaum 1988.

DH secret. An X25519 static secret held by a client or a server. Compromise of one party’s DH secret only affects that party; compromise of every committee server’s DH secret breaks anonymity.

Encrypted mempool. The canonical motivating deployment shape: TEE-attested wallets seal transactions and publish them through zipnet; builders read the ordered log of sealed transactions; no single party can link a transaction back to its sender. Zipnet supplies the anonymous publish channel; the encryption of the payload itself (threshold, TEE-unsealing, etc.) sits on top.

Envelope. A client’s per-round contribution: a broadcast-vector-sized buffer containing message ‖ tag at the client’s slot and zeros elsewhere, XORed with the sum of the client’s per-server pads.

Falsification tag. A keyed-blake3 output of the plaintext message, written alongside the message in the same slot. Verifies that a slot’s payload is intact (§3, “ROMHash” in the paper).

Fold. The aggregator’s XOR combine of all envelopes for a round.

Footprint scheduling. The paper’s two-channel slot reservation scheme (§3.2). v2 feature.

GroupId. mosaik’s 32-byte identifier for a Raft group, derived from the GroupKey, consensus config, state machine signature, and any TicketValidator signatures. Fully determined by the deployment fingerprint (Config + datum schema) plus the deployment crate version.

GroupKey. Shared committee secret. Admission gate for joining the committee’s Raft group.

Deployment. A single zipnet deployment — one committee, one ACL, one set of round parameters — sharing a universe with other zipnet deployments and other mosaik services. Operators stand up and retire deployments; users bind to them by Config + datum schema.

Instance name. The intent component of a deployment’s fingerprint — a short, stable, namespaced string (e.g. acme.mainnet, preview.alpha, dev.ops) that lives as Config::name. Flat namespace per universe — name collisions alone do not silently bond (the window, init, and schema must all match) but it still pays to namespace defensively (<org>.<purpose>.<env>).

Config. The const-constructible zipnet::Config struct that bundles the deployment fingerprint: instance name, ShuffleWindow, and 32-byte init salt. Every field folds into the on-wire identity via Zipnet::<D>::deployment_id. Operators publish the Config (or its serialised fingerprint) as part of the handshake; consumers compile it in.

ShuffleWindow. The operating-window half of the deployment fingerprint: round period, participant bounds, fold and round deadlines. Ship one of the presets (interactive() or archival()) unless you have a specific reason to tune.

ShuffleDatum. Trait every shuffler payload type implements. Carries const TYPE_TAG: UniqueId (schema fingerprint) and const WIRE_SIZE: usize (exact bytes-on-the-wire size), plus encode / decode. Both constants fold into the deployment identity.

LiveRound. The currently-open round’s header: round id, client roster snapshot, server roster snapshot.

mosaik. The Flashbots library on which this prototype is built. Provides discovery, typed streams, consensus groups, and replicated collections. See docs.mosaik.world.

MR_TD. 48-byte Intel TDX guest measurement. Published by the operator out of band; pinned by clients; enforced by the mosaik Tdx bonding layer. See TEE-gated deployments.

Pad. The output of the KDF for a given (client, server, round) triple; length B. XOR of pads is the DC-net’s one-time key.

Partial unblind. One committee server’s XOR of its per-client pads over the round’s participant set. XORing all partials into the aggregate yields the broadcast.

PeerId. mosaik identifier for a node: its ed25519 public key (via iroh). Different from ClientId / ServerId (which are DH-key-based).

Raft. The consensus protocol used by the committee group. mosaik uses a modified Raft with abstention votes.

Ratchet. Stepping the shared secret forward one round; shared_secret ← HKDF(shared_secret). Provides forward secrecy. v2 feature.

Round. One execution of the protocol: OpenRound → SubmitAggregate → N_S × SubmitPartial → finalize.

RoundId. Monotonically increasing integer; r0, r1, ....

RoundParams. Static shape of a round: num_slots, slot_bytes, tag_len, wire_version. Immutable for the lifetime of a deployment.

ServerBundle. Public pair (ServerId, dh_pub) gossiped via a discovery ticket so clients can derive per-server pads.

ServerId. 32-byte blake3-keyed hash of a committee server’s X25519 public key.

Slot. One slot_bytes-byte region of the broadcast vector. One active client per slot per round (modulo deterministic collisions).

State machine signature. UniqueId mixed into GroupId derivation. Bumped whenever apply semantics or Command shape changes.

TEE. Trusted Execution Environment. Intel TDX in the production path; mock in the v1 default path.

TDX. Intel Trust Domain Extensions — the TEE zipnet targets. Guest measurement is MR_TD. See TEE-gated deployments.

Ticket. Opaque bytes attached to a signed PeerEntry in mosaik discovery. Zipnet uses tickets of classes zipnet.bundle.client and zipnet.bundle.server to distribute DH pubkeys, and relies on mosaik’s require_ticket for per-instance ACL on the public primitives.

Universe. The shared mosaik NetworkId on which zipnet (and any other mosaik service) runs. The zipnet facade exports the constant zipnet::UNIVERSE = unique_id!("mosaik.universe"). Many deployments, and many unrelated services, coexist on one universe.

XOR. Exclusive-or over equal-length byte buffers. The DC-net’s fundamental operation.
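The Envelope, Fold, Pad and Partial unblind entries above, run through one round as an added example (not code from zipnet or mosaik). Every function name is hypothetical, the round parameters are shrunk to 4 slots of 8 bytes, the falsification tag is omitted, and a non-cryptographic SplitMix64 generator stands in for the KDF.

```rust
// Added illustration; all names are hypothetical, not zipnet's API.
const NUM_SLOTS: usize = 4;
const SLOT_BYTES: usize = 8;
const B: usize = NUM_SLOTS * SLOT_BYTES; // broadcast vector length

// Toy stand-in for the KDF over a (client, server, round) triple. NOT cryptographic.
fn pad(client: u64, server: u64, round: u64) -> [u8; B] {
    let mut s = client.wrapping_mul(0x9E37_79B9_7F4A_7C15) ^ server.rotate_left(21) ^ round.rotate_left(42);
    let mut out = [0u8; B];
    for chunk in out.chunks_mut(8) {
        s = s.wrapping_add(0x9E37_79B9_7F4A_7C15);
        let mut z = (s ^ (s >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
        z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
        chunk.copy_from_slice(&(z ^ (z >> 31)).to_le_bytes());
    }
    out
}

fn xor_into(acc: &mut [u8; B], other: &[u8; B]) {
    for (a, b) in acc.iter_mut().zip(other) { *a ^= *b; }
}

// Envelope: message at the client's slot, zeros elsewhere, XORed with every per-server pad.
fn envelope(client: u64, slot: usize, msg: &[u8], servers: &[u64], round: u64) -> [u8; B] {
    assert!(slot < NUM_SLOTS && msg.len() <= SLOT_BYTES);
    let mut env = [0u8; B];
    env[slot * SLOT_BYTES..][..msg.len()].copy_from_slice(msg);
    for &s in servers { xor_into(&mut env, &pad(client, s, round)); }
    env
}

// Partial unblind: one server's XOR of its per-client pads over the participant set.
fn partial_unblind(server: u64, clients: &[u64], round: u64) -> [u8; B] {
    let mut p = [0u8; B];
    for &c in clients { xor_into(&mut p, &pad(c, server, round)); }
    p
}

// One round: the aggregator folds the envelopes, then every partial is XORed in.
fn run_round(msgs: &[(u64, usize, &[u8])], servers: &[u64], round: u64) -> [u8; B] {
    let mut agg = [0u8; B];
    for &(c, slot, m) in msgs { xor_into(&mut agg, &envelope(c, slot, m, servers, round)); }
    let clients: Vec<u64> = msgs.iter().map(|m| m.0).collect();
    for &s in servers { xor_into(&mut agg, &partial_unblind(s, &clients, round)); }
    agg
}

fn main() {
    // Constructed input: clients 1 and 2 publish, client 3 sends a zero (cover) message.
    let out = run_round(&[(1, 0, &b"hello"[..]), (2, 2, &b"zipnet"[..]), (3, 3, &b""[..])], &[10, 11, 12], 0);
    println!("{:?}", out.chunks(SLOT_BYTES).collect::<Vec<_>>());
}
```

Every pad appears exactly twice in the final XOR (once in an envelope, once in a partial), so the pads cancel and only the slot contents remain; leaving out any one server's partial leaves the aggregate blinded.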