TrustEdge — Trustable Edge AI (Rust)

TrustEdge is a Rust prototype for privacy-preserving, provenance-aware edge audio streaming. What started as a simple file encryption demo has evolved into a complete network stack with three binaries, comprehensive documentation, and production-ready security features.

Key Features

  • Three Binaries: CLI (trustedge-audio), server (trustedge-server), and client (trustedge-client)
  • Complete Network Stack: Real-time streaming with validation and tamper detection
  • Enhanced Key Management: Keyring integration, PBKDF2 derivation, key ID support
  • Production Security: Comprehensive validation, test vectors, security invariants
  • Full Documentation: Format specs, protocol docs, threat model, roadmap

Architecture

  • Private by default: Audio chunks encrypted with AES-256-GCM before leaving device
  • Provenance by design: Each chunk carries signed manifest (C2PA-inspired) bound to AEAD AAD
  • Streaming-friendly: Fixed nonce discipline and per-chunk records
  • Network-ready: Client-server architecture with comprehensive validation

Current Status

M1 Milestone (Format v1) - COMPLETED 🚀 M2 Milestone (Key Management) - IN PROGRESS
📋 M3 Milestone (Verification & QA) - PLANNED

Tech Stack

  • Language: Rust (stable)
  • Crypto: AES-256-GCM, Ed25519 signatures, BLAKE3 hashing
  • Key Derivation: PBKDF2-SHA256 (100k iterations)
  • Serialization: Bincode for compactness and speed
  • Network: TCP streaming with validation protocol

Quick Start

# Build all binaries
cargo build --release

# Encrypt with keyring-derived key
./target/release/trustedge-audio \
  --input ./sample.wav \
  --envelope ./sample.trst \
  --use-keyring \
  --salt-hex <32-hex-chars>

# Start server
./target/release/trustedge-server \
  --listen 127.0.0.1:8080 \
  --use-keyring \
  --salt-hex <32-hex-chars> \
  --decrypt

# Stream to server
./target/release/trustedge-client \
  --server 127.0.0.1:8080 \
  --file ./sample.wav \
  --use-keyring \
  --salt-hex <32-hex-chars>

Documentation

  • FORMAT.md: Binary format specification
  • PROTOCOL.md: Network protocol for streaming
  • THREAT_MODEL.md: Security analysis and mitigations
  • ROADMAP.md: Project milestones and features
  • SECURITY.md: Security policy and reporting

Security Features

  • Strict validation: Header consistency, key ID validation, sequencing
  • Security invariants: Fail-safe design with comprehensive checks
  • Test vectors: Golden hash verification for format stability
  • Tamper detection: Any validation failure aborts processing

License

Mozilla Public License 2.0 (MPL-2.0)

GitHub Repo