Handle Gateway ​
The Handle Gateway is a Rust service running in Intel TDX. It is the single entry point for creating, storing and accessing encrypted handle data. It encrypts plaintext values using the KMS public key, interacts with an AWS S3 bucket of handles, and coordinates decryption delegation with the KMS.
Role in the Protocol ​
The Handle Gateway sits between users/Runners and the encrypted data store. It has four main responsibilities:
- Encrypt plaintext values submitted by users (via SDK), then store them as handles.
- Verify access control by checking the on-chain ACLs.
- Delegate decryption by coordinating with the KMS and serving the cryptographic material to authorized users and Runners.
- Store encrypted computation results submitted by Runners as handles.
How It Works ​
Handle Creation ​
Encryption Process ​
User Decryption ​
Storage ​
Current Implementation
The current implementation uses an AWS S3 bucket without finance-grade certifications. The production environment will target a S3 bucket service with finance-grade certifications to provide regulatory compliance and auditability guarantees for encrypted data at rest.
Exchange Format Conventions ​
- Data exchanged in JSON format
- Object keys use camelCase
- Binary data encoded as hexadecimal strings with
0xprefix
Learn More ​
- KMS - Key Management Service
- Runner - Computation execution
- Nox Smart Contracts - On-chain contracts
- Global Architecture Overview