Skip to content

chore: Improved handshake registry privacy docs #24018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vezenovm wants to merge 4 commits into
base: merge-train/fairies-v5
Choose a base branch
from
Open

chore: Improved handshake registry privacy docs #24018

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
65797d4
improved privacy docs
vezenovm Jun 11, 2026
f8ab674
Apply suggestions from code review
vezenovm Jun 16, 2026
7b1fb98
update docs
vezenovm Jun 16, 2026
841c86c
Merge remote-tracking branch 'origin/mv/handshake-registry-privacy-do…
vezenovm Jun 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions noir-projects/noir-contracts/contracts/standard/handshake_registry_contract/src/main.nr
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,14 @@ global NON_INTERACTIVE_HANDSHAKE: u8 = 1;
/// [`HandshakeRegistry::validate_handshake`] to check an app-siloed secret against the current stored handshake. The
/// private surfaces silo against `msg_sender()`, so a contract can only obtain or validate secrets siloed to itself.
///
/// # Privacy
/// The siloing described above means reading handshakes never compromises message secrecy: a reader only ever
/// derives secrets siloed to its own address. Handshake metadata is weaker, though. Incoming handshakes are announced

@nchamo nchamo Jun 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The whole

Incoming handshakes are announced
/// via a bootstrap log under a tag derived from the recipient address (see
/// [`HandshakeRegistry::non_interactive_handshake`]), so their existence, count, and timing are observable by anyone
/// who knows that address, and [`HandshakeRegistry::get_handshakes`] exposes their decrypted payload to in-scope
/// callers.

is only applicable to non-interactive, it's weird that we specify that here

@vezenovm vezenovm Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I switched to having this on non_interactive_handshake and linking to it in the module comment

/// via a bootstrap log under a tag derived from the recipient address (see
/// [`HandshakeRegistry::non_interactive_handshake`]), so their existence, count, and timing are observable by anyone
/// who knows that address, and [`HandshakeRegistry::get_handshakes`] exposes their decrypted payload to in-scope
/// callers.
///
/// Currently only implements the non-interactive flow (see [`HandshakeRegistry::non_interactive_handshake`]).
#[aztec(::aztec::macros::AztecConfig::new().custom_sync_state(crate::handshake_registry_sync))]
pub contract HandshakeRegistry {
Expand Down Expand Up @@ -159,6 +167,12 @@ pub contract HandshakeRegistry {
/// Returns a page of discovered handshakes addressed to `recipient`.
///
/// `total_count` is the full list length, so callers can determine whether more pages remain.
///
/// # Privacy
/// Returns the decrypted discovery payload (`eph_pk`, `mode`) to any caller that knows `recipient` and has it in
/// scope. `mode` narrows the category of apps the recipient uses; `eph_pk` does not weaken secrecy. See the
/// contract's privacy notes above for the full model. Restricting this read to contract-sync execution is a
/// possible future hardening.
Comment thread
vezenovm marked this conversation as resolved.
Outdated
#[external("utility")]
unconstrained fn get_handshakes(recipient: AztecAddress, page_offset: u32) -> HandshakePage {
let handshakes = get_all_handshakes(self.context.this_address(), recipient);
Expand Down
Loading