
TDX architecture

Note

This section describes the Sugar Rush architecture in loose terms. Details may shift as we implement and pin them down.

Sugar Rush is designed to operate within an Intel TDX trusted enclave. This means that it can generate an attestation, which commits to:

  • The public key of the Intel TDX chip, which can be verified against an Intel root certificate
  • The specific hash of firmware running on the chip
  • The specific hash of the virtual machine that is being loaded
  • The cryptographic session key for this particular boot
  • Arbitrary user data

The virtual machine is a very slim image that runs a startup ceremony, and then starts the Gummiworm consensus node and the Sugar Rush ledger process.

That startup ceremony takes the form of a dedicated Rust binary, called sugar-rush-boot. It is responsible for:

  • Validating the integrity of any at-rest configuration and reporting errors as early as possible
  • Generating any ephemeral or group key material that is not already present
  • (in the future) Constructing the L1 initialization transaction for the Hydra head, if needed
  • Generating the relevant configuration for both Gummiworm and the Sugar Rush ledger
  • Starting those processes or systemd services

In particular, the key derivation process for the group key mentioned above is described in its own section.

Utilizing the attestations and the generated group key, the Sugar Rush ledger nodes can:

  • Demonstrate to users the lack of front-running code or backdoors
  • Receive orders encrypted for the TEE itself, preventing delay/reorder attacks on order flow

External services may open a WebSocket connection to Sugar Rush (or one of its ingestion proxies). The opening handshake of this connection re-affirms the attestation above and generates a unique shared secret between the user and the enclave.

From there, the user may send messages that initiate deposits, post L2 transactions, request withdrawals, query data, or subscribe to continuous updates.

The server responds in kind.
