Commit a65a716

Private Blockspace (name change from PDA) (#56)
* BREAKING: pda->pbs naming
1 parent 1c48b4c commit a65a716

16 files changed

+175
-185
lines changed

Cargo.lock

Lines changed: 1 addition & 1 deletion

Cargo.toml

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ edition = "2024"
99
authors = ["Nuke <nuke-web3@proton.me>"]
1010
license = "MIT"
1111
homepage = "https://celestia.org"
12-
repository = "https://github.com/celestiaorg/eq-service"
12+
repository = "https://github.com/celestiaorg/private-blockspace-proxy"
1313

1414
[workspace.dependencies]
1515
zkvm-common = { path = "zkVM/common", default-features = false, version = "0.3.0" }
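Review bot: The commit message marks this change as BREAKING, yet the repository URL at line 12 is the only edit in this manifest (1 addition, 1 deletion), so no version declared here moves with the rename. If the workspace or crate version lives in this file, bump it in the same commit so that users of the old binary name and the old `PDA_*` variables can pin to the last pre-rename release.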

Dockerfile

Lines changed: 4 additions & 4 deletions
@@ -56,15 +56,15 @@ RUN --mount=type=cache,id=target_cache,target=/app/target \
5656
# Build the final binary, embbeding ELF
5757
RUN --mount=type=cache,id=target_cache,target=/app/target \
5858
cargo build --release && \
59-
strip /app/target/release/pda-proxy && \
60-
cp target/release/pda-proxy /app/pda-proxy # pop out of cache
59+
strip /app/target/release/pbs-proxy && \
60+
cp target/release/pbs-proxy /app/pbs-proxy # pop out of cache
6161

6262
####################################################################################################
6363
FROM nvidia/cuda:12.9.1-base-ubuntu24.04 AS runtime
6464

6565
# SP1 CUDA support needs Docker-in-Docker to run `moongate-server` prover service
6666
# Internally run on localhost:3000
6767
COPY --from=base-dev /usr/bin/docker /usr/bin/docker
68-
COPY --from=builder /app/pda-proxy /usr/local/bin/pda-proxy
68+
COPY --from=builder /app/pbs-proxy /usr/local/bin/pbs-proxy
6969

70-
ENTRYPOINT ["/usr/local/bin/pda-proxy"]
70+
ENTRYPOINT ["/usr/local/bin/pbs-proxy"]
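Review bot: The renames at lines 68 and 70 leave nothing at `/usr/local/bin/pda-proxy`, so any deployment that overrides the entrypoint or execs the old path fails at container start. Consider a symlink from the old name for one release, or state the path change explicitly next to the BREAKING marker. While these lines are being touched, `strip /app/target/release/pbs-proxy` and `cp target/release/pbs-proxy` mix an absolute and a relative path for the same file, and the comment above them reads "embbeding".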

README.md

Lines changed: 38 additions & 51 deletions
@@ -1,4 +1,4 @@
1-
# Private Data Availability Proxy
1+
# Private Blockspace Proxy
22

33
A [Celestia Data Availability (DA)](https://celestia.org) proxy, enabling use of the [canonical JSON RPC](https://node-rpc-docs.celestia.org/) but intercepting and [**_verifiably_** encrypting](./doc/verifiable_encryption.md) sensitive data before submission on the public DA network, and enable decryption on retrieval.
44
Non-sensitive calls are unmodified.
@@ -18,24 +18,11 @@ Presently all HTTP requests to the proxy are transparently proxied to an upstrea
1818
- `blob.Submit` encrypts before proxy submission of a _signed transaction_ to upstream gRPC `app` endpoint.
1919
- `blob.Get` and `blob.GetAll` proxy result verifies the [Verifiable Encryption](./doc/verifiable_encryption.md) proof, and decrypts before forwarding to the client.
2020

21-
## Known Limitations
22-
23-
At time of writing, as it should be possible to change these limitations internally:
24-
25-
- [ ] https://github.com/celestiaorg/pda-proxy/issues/11
26-
- [ ] https://github.com/celestiaorg/pda-proxy/issues/12
27-
28-
It's possible to change these, but requires upstream involvement:
29-
30-
- [Max blob size on Celestia](https://docs.celestia.org/how-to-guides/submit-data#maximum-blob-size) is presently ~2MB
31-
32-
> Please [open an issue](https://github.com/celestiaorg/pda-proxy/issues) if you have any requests!
33-
3421
## Interact
3522

3623
First you need to [configure](#configure) your environment and nodes.
3724

38-
The PDA proxy depends on a connection to:
25+
The proxy depends on a connection to:
3926

4027
1. A \[self\] hosted Celestia Data Availability (DA) Node and Consensus App Node to submit and retrieve (verifiable encrypted) blob data.
4128
- Easy integration with [QuickNode](https://www.quicknode.com/docs/celestia) for both nodes at one endpoint, token auth supported.
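Review bot: Deleting the whole Known Limitations section (old lines 21-33) goes beyond a rename: the ~2MB maximum blob size note and the two tracked issues (#11 and #12) vanish from the README, and the commit message does not say they are resolved. If the limits still apply, keep the section and only update the issue URLs to the new repository; if they no longer apply, say so in the commit message.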
@@ -51,16 +38,16 @@ source .env
5138
# blob.Get
5239
curl -H "Content-Type: application/json" -H "Authorization: Bearer $CELESTIA_NODE_WRITE_TOKEN" -X POST \
5340
--data '{ "id": 1, "jsonrpc": "2.0", "method": "blob.Get", "params": [ 4499999, "AAAAAAAAAAAAAAAAAAAAAAAAAFHMGnPWX5X2veY=", "S2iIifIPdAjQ33KPeyfAga26FSF3IL11WsCGtJKSOTA="] }' \
54-
$PDA_SOCKET
41+
$PBS_SOCKET
5542
# blob.GetAll
5643
curl -H "Content-Type: application/json" -H "Authorization: Bearer $CELESTIA_NODE_WRITE_TOKEN" -X POST \
5744
--data '{ "id": 1, "jsonrpc": "2.0", "method": "blob.GetAll", "params": [ 4499999, [ "AAAAAAAAAAAAAAAAAAAAAAAAAFHMGnPWX5X2veY=" ] ] }' \
58-
$PDA_SOCKET
45+
$PBS_SOCKET
5946
# blob.Submit (dummy data)
6047
# Note: send "{}" as empty `tx_config` object, so the node uses it's default key to sign & submit to Celestia
6148
curl -H "Content-Type: application/json" -H "Authorization: Bearer $CELESTIA_NODE_WRITE_TOKEN" -X POST \
6249
--data '{ "id": 1, "jsonrpc": "2.0", "method": "blob.Submit", "params": [ [ { "namespace": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAMJ/xGlNMdE=", "data": "DEADB33F", "share_version": 0, "commitment": "aHlbp+J9yub6hw/uhK6dP8hBLR2mFy78XNRRdLf2794=", "index": -1 } ], { } ] }' \
63-
https://$PDA_SOCKET \
50+
https://$PBS_SOCKET \
6451
--verbose \
6552
--insecure
6653
# ^^^^ DO NOT use insecure TLS in real scenarios!
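Review bot: The `blob.Get` and `blob.GetAll` examples (new lines 41 and 45) pass a bare `$PBS_SOCKET`, while the `blob.Submit` example uses `https://$PBS_SOCKET`; curl assumes `http://` when a URL has no scheme, so the first two either send the `Authorization: Bearer` token without TLS or fail against a TLS listener. Use `https://$PBS_SOCKET` in all three. The context comment on line 47 also has "it's default key", which should be "its".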
@@ -69,7 +56,7 @@ cd scripts
6956
./test_example_data_file_via_curl.sh
7057
```
7158

72-
Celestia has many [API client libraries](https://docs.celestia.org/how-to-guides/submit-data#api) to build around a PDA proxy.
59+
Celestia has many [API client libraries](https://docs.celestia.org/how-to-guides/submit-data#api) to build around a proxy.
7360

7461
### Request Flow
7562

@@ -78,47 +65,47 @@ Celestia has many [API client libraries](https://docs.celestia.org/how-to-guides
7865
```mermaid
7966
sequenceDiagram
8067
participant JSON RPC Client
81-
participant PDA Proxy
68+
participant PBS Proxy
8269
participant Celestia Node
83-
JSON RPC Client->>+PDA Proxy: blob.Submit(blobs, options)<br>{AUTH_TOKEN in header}
84-
PDA Proxy->>PDA Proxy: Job Processing...<br>{If no DB entry, start new zkVM Job}
85-
PDA Proxy->>-JSON RPC Client: Response{"Call back"}
86-
PDA Proxy->>PDA Proxy: ...Job runs to completion...
87-
JSON RPC Client->>+PDA Proxy: blob.Submit(blobs, options)<br>{AUTH_TOKEN in header}
88-
PDA Proxy->>PDA Proxy: Query Job DB<br>Done!<br>{Job Result cached}
89-
PDA Proxy->>Celestia Node: blob.Submit(V. Encrypt. blobs, options)
90-
Celestia Node->>PDA Proxy: Response{Inclusion Block Height}
91-
PDA Proxy->>-JSON RPC Client: Response{Inclusion Block Height}
70+
JSON RPC Client->>+PBS Proxy: blob.Submit(blobs, options)<br>{AUTH_TOKEN in header}
71+
PBS Proxy->>PBS Proxy: Job Processing...<br>{If no DB entry, start new zkVM Job}
72+
PBS Proxy->>-JSON RPC Client: Response{"Call back"}
73+
PBS Proxy->>PBS Proxy: ...Job runs to completion...
74+
JSON RPC Client->>+PBS Proxy: blob.Submit(blobs, options)<br>{AUTH_TOKEN in header}
75+
PBS Proxy->>PBS Proxy: Query Job DB<br>Done!<br>{Job Result cached}
76+
PBS Proxy->>Celestia Node: blob.Submit(V. Encrypt. blobs, options)
77+
Celestia Node->>PBS Proxy: Response{Inclusion Block Height}
78+
PBS Proxy->>-JSON RPC Client: Response{Inclusion Block Height}
9279
```
9380

9481
#### (Try Decrypt) `blob.[Get|GetAll]`
9582

9683
```mermaid
9784
sequenceDiagram
9885
participant JSON RPC Client
99-
participant PDA Proxy
86+
participant PBS Proxy
10087
participant Celestia Node
10188
102-
JSON RPC Client->>+PDA Proxy: blob.Get(height, namespace, commitment)
103-
PDA Proxy->>Celestia Node: <Passthrough>
104-
Celestia Node->>PDA Proxy: Response{namespace,data,<br>share_version,commitment,index}
105-
PDA Proxy->>PDA Proxy: *Try* deserialize & decrypt
106-
PDA Proxy->>-JSON RPC Client: *Success* -> Response{...,decrypted bytes,...}
107-
PDA Proxy->>JSON RPC Client: *Failure* -> <Passthrough>
89+
JSON RPC Client->>+PBS Proxy: blob.Get(height, namespace, commitment)
90+
PBS Proxy->>Celestia Node: <Passthrough>
91+
Celestia Node->>PBS Proxy: Response{namespace,data,<br>share_version,commitment,index}
92+
PBS Proxy->>PBS Proxy: *Try* deserialize & decrypt
93+
PBS Proxy->>-JSON RPC Client: *Success* -> Response{...,decrypted bytes,...}
94+
PBS Proxy->>JSON RPC Client: *Failure* -> <Passthrough>
10895
```
10996

11097
#### Transparent Proxy (all other calls)
11198

11299
```mermaid
113100
sequenceDiagram
114101
participant JSON RPC Client
115-
participant PDA Proxy
102+
participant PBS Proxy
116103
participant Celestia Node
117104
118-
JSON RPC Client->>+PDA Proxy: Request{<Anything else>}<br>{AUTH_TOKEN in header}
119-
PDA Proxy->>Celestia Node: <Passthrough>
120-
Celestia Node->>PDA Proxy: <Passthrough>
121-
PDA Proxy->>-JSON RPC Client: Response{<Normal API response}
105+
JSON RPC Client->>+PBS Proxy: Request{<Anything else>}<br>{AUTH_TOKEN in header}
106+
PBS Proxy->>Celestia Node: <Passthrough>
107+
Celestia Node->>PBS Proxy: <Passthrough>
108+
PBS Proxy->>-JSON RPC Client: Response{<Normal API response}
122109
```
123110

124111
## Operate
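Review bot: In the transparent-proxy diagram, new line 108 still reads `Response{<Normal API response}` with the closing `>` missing; since the line is rewritten anyway, make it `Response{<Normal API response>}`. The `blob.Get` diagram (new line 89) also omits the `{AUTH_TOKEN in header}` annotation that the submit and passthrough flows carry, which leaves it unclear whether retrieval and decryption require authentication.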
@@ -176,10 +163,10 @@ The images are available:
176163

177164
```sh
178165
# ghcr:
179-
docker pull ghcr.io/celestiaorg/pda-proxy
166+
docker pull ghcr.io/celestiaorg/private-blockspace-proxy
180167

181168
# Docker hub:
182-
docker pull celestiaorg/pda-proxy
169+
docker pull celestiaorg/private-blockspace-proxy
183170
```
184171

185172
_Don't forget you need to [configure your environment](#configure)_.
@@ -221,16 +208,16 @@ just docker-run
221208
222209
# If you are only running:
223210
source .env
224-
mkdir -p $PDA_DB_PATH
211+
mkdir -p $PBS_DB_PATH
225212
# Note socket assumes running "normally" with docker managed by root
226213
docker run --rm -it \
227214
--user $(id -u):$(id -g) \
228215
-v /var/run/docker.sock:/var/run/docker.sock \
229-
-v $PDA_DB_PATH:$PDA_DB_PATH \
216+
-v $PBS_DB_PATH:$PBS_DB_PATH \
230217
--env-file {{ env-settings }} \
231-
--env RUST_LOG=pda_proxy=debug \
218+
--env RUST_LOG=pbs_proxy=debug \
232219
--network=host \
233-
-p $PDA_PORT:$PDA_PORT \
220+
-p $PBS_PORT:$PBS_PORT \
234221
"$DOCKER_CONTAINER_NAME"
235222
```
236223
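Review bot: `-p $PBS_PORT:$PBS_PORT` at new line 220 has no effect next to `--network=host`, because Docker discards published ports in host network mode; drop one of the two so the example shows the exposure that actually results. `$PBS_DB_PATH` is unquoted in both `mkdir -p` and `-v`, so a path containing spaces breaks the command. A short comment on why `/var/run/docker.sock` is mounted (the Dockerfile cites the `moongate-server` prover) would help operators judge that exposure.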

@@ -249,8 +236,8 @@ Then:
249236
1. Clone the repo
250237

251238
```sh
252-
git clone https://github.com/your-repo-name/pda-proxy.git
253-
cd pda-proxy
239+
git clone https://github.com/your-repo-name/private-blockspace-proxy.git
240+
cd private-blockspace-proxy
254241
```
255242

256243
1. Choose a Celestia Node
@@ -291,10 +278,10 @@ just docker-run
291278
292279
## Setup
293280
source .env
294-
mkdir -p $PDA_DB_PATH
281+
mkdir -p $PBS_DB_PATH
295282
296283
## Run (example)
297-
[docker|podman] run --rm -it -v $PDA_DB_PATH:$PDA_DB_PATH --env-file .env --env RUST_LOG=eq_service=debug --network=host -p $PDA_PORT:$PDA_PORT pda_proxy
284+
[docker|podman] run --rm -it -v $PBS_DB_PATH:$PBS_DB_PATH --env-file .env --env RUST_LOG=eq_service=debug --network=host -p $PBS_PORT:$PBS_PORT pbs_proxy
298285
```
299286

300287
Importantly, the DB should persist, and the container must have access to connect to the DA light client (likely port 26658) and Succinct network ports (HTTPS over 443).
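Review bot: The rewritten run line at new line 284 keeps `RUST_LOG=eq_service=debug`, whereas the other run example and `compose.yml` now use `RUST_LOG=pbs_proxy=debug`; this looks like a leftover from the `eq-service` name seen in the old repository URL in Cargo.toml. The image is also called `pbs_proxy` here, with an underscore, unlike `pbs-proxy` and `private-blockspace-proxy` elsewhere in the commit. Align both with the names used in the rest of the README.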

compose.yml

Lines changed: 5 additions & 5 deletions
@@ -27,32 +27,32 @@ services:
2727
retries: 10
2828
start_period: 3s
2929

30-
pda-proxy:
30+
pbs-proxy:
3131
image: ghcr.io/celestiaorg/${DOCKER_CONTAINER_NAME}:latest
32-
# image: local/pda-proxy # OPTIONAL: for local development
32+
# image: local/pbs-proxy # OPTIONAL: for local development
3333
# build: . # OPTIONAL: for local development
3434
depends_on:
3535
celestia-node:
3636
condition: service_healthy
3737
volumes:
3838
- /var/run/docker.sock:/var/run/docker.sock
3939
# - ./service/static:/app/static # OPTIONAL: for local development
40-
- ${PDA_DB_PATH}:${PDA_DB_PATH}
40+
- ${PBS_DB_PATH}:${PBS_DB_PATH}
4141
- /etc/letsencrypt/live/${TLS_DOMAIN}/fullchain.pem:/etc/letsencrypt/live/${TLS_DOMAIN}/fullchain.pem
4242
- /etc/letsencrypt/live/${TLS_DOMAIN}/privkey.pem:/etc/letsencrypt/live/${TLS_DOMAIN}/privkey.pem
4343
environment:
4444
# NOTE: Overrides any .env settings
4545
- TLS_CERTS_PATH=/etc/letsencrypt/live/${TLS_DOMAIN}/fullchain.pem
4646
- TLS_KEY_PATH=/etc/letsencrypt/live/${TLS_DOMAIN}/privkey.pem
47-
- RUST_LOG=pda_proxy=debug
47+
- RUST_LOG=pbs_proxy=debug
4848
# docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' celestia-light-mocha-4
4949
- CELESTIA_NODE_SOCKET=172.18.0.2:26658
5050
env_file:
5151
- /app/.env
5252
networks:
5353
- internal
5454
ports:
55-
- "443:${PDA_PORT}" # Public HTTPS
55+
- "443:${PBS_PORT}" # Public HTTPS
5656
restart: unless-stopped
5757

5858
networks:
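Review bot: `image: ghcr.io/celestiaorg/${DOCKER_CONTAINER_NAME}:latest` at line 31 already carries the registry and organisation, but `example.env` in this commit sets `DOCKER_CONTAINER_NAME="ghcr.io/celestiaorg/pbs-proxy"`, so with that value the reference expands to `ghcr.io/celestiaorg/ghcr.io/celestiaorg/pbs-proxy:latest`. Either use `${DOCKER_CONTAINER_NAME}:latest` here or make the variable hold the bare image name. Renaming the service key at line 30 also changes the name operators pass to `docker compose` commands, which belongs in the BREAKING notes.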

doc/verifiable_encryption.md

Lines changed: 17 additions & 14 deletions
@@ -1,4 +1,4 @@
1-
<h1 align="center"> Verifiable Encryption</h1>
1+
<h1 align="center">Verifiable Encryption</h1>
22

33
<p align="center">
44
<a href="https://www.youtube.com/watch?v=6P7yWZ4Cshs">
@@ -13,7 +13,7 @@
1313

1414
> “Don’t trust. Verify.”
1515
16-
This document introduces **Verifiable Encryption (VE)** and explores how it enables **Private Data Availability (PDA)** - a transformative new primitive for secure, decentralized systems.
16+
This document introduces **Verifiable Encryption (VE)** and explores how it enables **Private Blockspace** - a transformative new primitive for accountable, offchain systems.
1717

1818
## Verifiable Encryption
1919

@@ -43,9 +43,9 @@ However, not all data should be exposed to the world.
4343
Some datasets are **too sensitive** for full transparency.
4444
The challenge: **How can we ensure critical data is available, yet only selectively disclosed under prearranged conditions**?
4545

46-
## The Power of VE + PDA
46+
## The Power of VE
4747

48-
By combining **Verifiable Encryption** with **Private Data Availability**, we unlock a powerful new primitive: **auditable yet private data**.
48+
By combining **Verifiable Encryption** with **Private Blockspace**, we unlock a powerful new primitive: **auditable yet private data**.
4949

5050
With integration into **existing or novel Key Management Systems (KMS)**, VE allows one to define:
5151
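Review bot: The heading at new line 46 becomes "The Power of VE", but the paragraph at line 48 still describes combining Verifiable Encryption with Private Blockspace, so the heading now names only half of what the section covers. The edit also changes the heading's generated anchor, which breaks any existing deep link to the section. "The Power of VE + Private Blockspace" would keep the title accurate.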

@@ -55,30 +55,30 @@ With integration into **existing or novel Key Management Systems (KMS)**, VE all
5555

5656
This means:
5757

58-
- Anyone (users, smart contracts, off-chain agents) can verify that encrypted data is available and satisfies certain properties.
58+
- Anyone (users, smart contracts, offchain agents) can verify that encrypted data is available and satisfies certain properties.
5959
- Only authorized parties can decrypt and access the sensitive contents.
6060

6161
## Use Cases
6262

6363
We’ve outlined a few use cases below - but would love to hear your ideas too!
64-
💡 [Open an issue](https://github.com/celestiaorg/pda-proxy/issues) to share feature requests or novel applications of VE and PDA.
64+
💡 [Open an issue](https://github.com/celestiaorg/private-blockspace-proxy/issues) to share feature requests or novel applications of Private Blockspace.
6565

6666
### _Programmable Privacy for Web3 dApps_
6767

68-
VE and PDA align closely with the principles of [local-first access control](https://www.inkandswitch.com/keyhive/notebook/), enabling **secure collaboration** across decentralized applications.
68+
VE and Private Blockspace align closely with the principles of [local-first access control](https://www.inkandswitch.com/keyhive/notebook/), enabling **secure collaboration** across decentralized applications.
6969

7070
In a world where chain data is globally replicated and indexed, **encryption at rest** becomes essential for access control and selective disclosure.
7171

7272
#### Example Applications
7373

74-
- **PDA as a database** for collaborative dApps with fine-grained access control.
74+
- **VE'd database** for collaborative dApps with fine-grained access control.
7575
- **Private rollups** with programmable cryptography, enabling [obfuscated state](https://0xparc.org/blog/programmable-cryptography-1).
7676
- **Private bridging and escrow** sending verifiably correct but private messages around web2 and/or web3 apps.
77-
- **Drop-in support** for existing DA users via a [proxy service](../README.md), simplifying migration to PDA.
77+
- **Drop-in support** for existing DA users via a [proxy service](../README.md), simplifying migration to Private Blockspace.
7878

7979
### _Trustless Data Markets_
8080

81-
With VE, PDA, and escrow contracts you can construct protocols to build trustless exchange of data access
81+
With VE, Private Blockspace, and escrow contracts you can construct protocols to build trustless exchange of data access
8282
See the [Stock0](https://dorahacks.io/buidl/14098) media market hackathon project for some great inspiration!
8383

8484
Here is a [diagram inspired by them](https://docs.google.com/presentation/d/1qq1QXSBcThOjaQ2OcEyS8cwNyAHs3SnC76YrBMAYENk) of an example setup of inputs for a market:
@@ -97,7 +97,7 @@ flowchart LR
9797
> NOTE: Celestia does _not_ guarantee that data will be available forever!
9898
> See [the docs on retrievability](https://docs.celestia.org/learn/retrievability#data-retrievability-and-pruning-in-celestia-node) for the latest safe assumptions to use.
9999
100-
With PDA, sensitive data can be publicly published in encrypted form, with **predefined methods for recovery** - without revealing its contents.
100+
With Private Blockspace, sensitive data can be publicly published in encrypted form, with **predefined methods for recovery** - without revealing its contents.
101101

102102
This unlocks a new class of **verifiable, resilient backups**.
103103

@@ -115,13 +115,16 @@ The **anchor** acts as a bridge, connecting **any protocol** to a **proof** that
115115

116116
## Future Work and Research Directions
117117

118-
While VE for PDA is still evolving, the potential is enormous.
118+
While VE for Private Blockspace is still evolving, the potential is enormous.
119119
Current implementations have limitations, but these are rapidly being addressed by:
120120

121-
- Enabling performance improvements, **confidential compute**, and **scalable parallelization** of PDA workflows.
121+
- Enabling performance improvements, **confidential compute**, and **scalable parallelization** of Private Blockspace workflows.
122122
- **Hybrid systems** combining:
123123
- Trusted Execution Environments (TEEs),
124124
- Multi-Party Computation (MPC),
125125
- and Zero-Knowledge Proofs (ZKPs),
126+
- **Account-centric key management systems** empowering end-users to declare keys to use for VE by operators.
126127

127-
For deeper insights, see our ongoing [research discussion here](https://docs.google.com/document/d/1XZyuOxdMm5INcHwQZOZ8ALRk_YkvicNwQHSfOVs8hoM/).
128+
For more, see:
129+
- [(Historical) research document](https://docs.google.com/document/d/1XZyuOxdMm5INcHwQZOZ8ALRk_YkvicNwQHSfOVs8hoM/)
130+
- [Account-centric model for Private Blockspace research discussion](https://forum.celestia.org/t/account-user-centric-private-data-avalibility/2155/)

example.env

Lines changed: 7 additions & 7 deletions
@@ -29,8 +29,8 @@ TLS_DOMAIN="your.domain.com"
2929
TLS_CERTS_PATH=
3030
TLS_KEY_PATH=
3131
# ONLY for development, you may use dummy TLS setup from source ./service/static
32-
# TLS_CERTS_PATH=/full/path/to/pda-proxy/service/static/sample.pem
33-
# TLS_KEY_PATH=/full/path/to/pda-proxy/service/static/sample.rsa
32+
# TLS_CERTS_PATH=/full/path/to/pbs-proxy/service/static/sample.pem
33+
# TLS_KEY_PATH=/full/path/to/pbs-proxy/service/static/sample.rsa
3434

3535
#### Service Settings
3636

@@ -40,17 +40,17 @@ TLS_KEY_PATH=
4040
# UNSAFE_HTTP_UPSTREAM=true # comment this out or unset to force https
4141

4242
# More info on docker in README.md
43-
# https://github.com/nuke-web3/pda-proxy/
44-
DOCKER_CONTAINER_NAME="ghcr.io/celestiaorg/pda-proxy"
43+
# https://github.com/celestiaorg/private-blockspace-proxy
44+
DOCKER_CONTAINER_NAME="ghcr.io/celestiaorg/pbs-proxy"
4545

46-
PDA_DB_PATH=/tmp/db-pda-service-testing
46+
PBS_DB_PATH=/tmp/db-pbs-service-testing
4747
# 32 byte key used for ChaCha20 encryption
4848
ENCRYPTION_KEY=
4949
# Expects a socket with ip & port specified (not transport)
5050
# NOTE: 0.0.0.0 binding will allow the service to be accessible to inbound
51-
PDA_SOCKET=0.0.0.0:26657
51+
PBS_SOCKET=0.0.0.0:26657
5252
# Explicit port for docker (can't compute with --env-file)
53-
PDA_PORT=26657
53+
PBS_PORT=26657
5454

5555
#### ZK Proof Settings
5656
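Review bot: `DOCKER_CONTAINER_NAME="ghcr.io/celestiaorg/pbs-proxy"` at new line 44 names an image that the README in this same commit never mentions; the README pulls `ghcr.io/celestiaorg/private-blockspace-proxy`. Pick one published name and use it in both files. The sample default `PBS_SOCKET=0.0.0.0:26657` at line 51 listens on every interface, as the comment above it notes; `127.0.0.1` would be the safer value to ship in an example file.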
