diff --git a/solutions/LP-0002.md b/solutions/LP-0002.md new file mode 100644 index 0000000..6544d9a --- /dev/null +++ b/solutions/LP-0002.md 
@@ -0,0 +1,96 @@ +# LP-0002 Solution: Private M-of-N Multisig + +**Submitted by:** Tranquil-Flow + +## Summary + +This submission implements a private M-of-N multisig primitive for LEZ. Shielded members approve a proposal client-side, produce unlinkable per-proposal nullifiers, and execute a threshold-gated action without revealing which members approved. The repository includes the Rust workspace, SDK, SPEL IDL, RISC0 heavy-lane artifacts, historical public LEZ testnet evidence with fail-closed reset handling, a native Qt/QML Basecamp `.lgx-portable` evaluator package with alice/bob install evidence, and reproducible evaluator scripts. The fresh human-recorded narrated demo is available at https://youtu.be/Wssfp_rkC54. + +## Repository + +- **Repo:** https://github.com/Tranquil-Flow/lp-0002-private-multisig +- **License:** MIT +- **Narrated demo:** https://youtu.be/Wssfp_rkC54 + +## Approach + +The system is split into audit-friendly layers: + +1. `core/` implements member commitments, proposal binding, threshold relation checks, context-bound nullifiers, replay identifiers, and the public journal privacy boundary. +2. `sdk/` exposes a high-level `MultisigSession` workflow for create, propose, approve, prove, and execute. +3. `consumer-demo/` is a standalone clone-and-run integration app that imports the public crates as library dependencies and exercises five realistic multisig scenarios. +4. `methods/` and `methods/guest/` contain the RISC0 threshold-proof guest and executable wrapper guest. +5. `host/` verifies real RISC0 receipt artifacts, prepares LEZ/NSSA payloads, and records file-backed evidence for the heavy lane. +6. `lez-program/` models the LEZ verifier gate with deterministic account-state mutation and replay protection. +7. 
`basecamp-app/` contains the native Qt/QML Logos Basecamp plugin package; `flake.nix`/`flake.lock` expose `.#lgx-portable` for evaluator-loadable packages and `.#lgx` for local scaffold installs, and `submission/BASECAMP_INSTALL_EVIDENCE.json` records M4 alice/bob profile install evidence. + +The proof design keeps member identity private. The public journal reveals multisig/proposal/action binding, threshold and approval counts, sorted nullifiers, member root/count, and proof identifiers, but not raw member secrets or member commitments. Nullifiers bind approvals to the proposal context so a member cannot approve twice while remaining unlinkable across proposals. + +The LEZ evidence is intentionally explicit about the current transport boundary. The full RISC0 receipt is verified host-side and persisted as file-backed evidence. Historical pre-reset public-testnet deploy/execute evidence is retained for audit. A reset-era v0.2.0 refresh on 2026-06-28 produced a fresh current public-testnet deploy tx `c7157a473cb512bf7e1803d4377d9f65e9406a7ff98efeda48b65c0d4915a13b` for ProgramBinary SHA-256 `8f74ccc446990f5437b5f6c6e731deac6653992e0a64abcecdff7bff0c5575e1` / program id `1557176a639868b0363e9106c75fe0748ceb42e65f5f1a6778dd05b6baebb57d`. The same input shape passes local v0.2.0 `Program::execute` and `ValidatedStateDiff::from_public_transaction`, but current public execute attempts `352eb699507aea4d4ca6963a50bef1473a2b944dfd7713116cbf82eabfeec3bf` and `fc4165ac2437bd6533444c5e010b2d248aed678daadfad277af1dd0f1fef6ca8` are not included by the endpoint. Therefore this submission claims current deploy evidence plus local v0.2.0 execution validation, not current live execute inclusion. + +## Success Criteria Checklist + +### Functionality + +- [x] Any M-of-N member holding a shielded LEZ account can submit an approval without revealing their identity to on-chain observers or other members. 
+- [x] The verifier confirms a threshold of M approvals without recording which members approved. +- [x] Double-vote prevention is implemented through context-bound nullifiers. +- [x] A completed execution is unlinkable to an individual member's shielded account. +- [x] Proof generation runs client-side; the repository includes real `RISC0_DEV_MODE=0` proof artifacts and host verification scripts. +- [x] A reference threshold-gated action is delivered through the SDK, consumer demo, LEZ-shaped wrapper, and recorded historical public-testnet evidence. +- [x] Current reset-era public LEZ testnet deploy evidence: `c7157a473cb512bf7e1803d4377d9f65e9406a7ff98efeda48b65c0d4915a13b`. +- [ ] Current reset-era public LEZ testnet execute inclusion. v0.2.0 local execution/diff validation passes, but public execute attempts `352eb699507aea4d4ca6963a50bef1473a2b944dfd7713116cbf82eabfeec3bf` and `fc4165ac2437bd6533444c5e010b2d248aed678daadfad277af1dd0f1fef6ca8` are not included; this remains a transparent blocker. +- [x] Full documentation and a clean public repository are delivered. + +### Usability + +- [x] Module/SDK provided via the `sdk/` crate and `MultisigSession` API. +- [x] Logos Basecamp GUI package provided under `basecamp-app/`, including native Qt/QML plugin source, metadata, CMake build instructions, `.#lgx-portable` evaluator packaging, and alice/bob profile install evidence. +- [x] SPEL IDL provided under `interfaces/lp0002.idl.json` with discriminators and documented instruction/error surfaces. + +### Reliability + +- [x] Proof generation and verification failures surface deterministic typed errors. +- [x] Partial approvals are preserved and resumable through serde round-tripping of the approval accumulator. +- [x] Verifier errors and SDK errors are deterministic and documented in `docs/PROTOCOL.md`. 
+ +### Performance + +- [x] Proof-generation measurements, receipt/journal sizes, wrapper payload metrics, and historical public LEZ testnet cost evidence are documented in `submission/BENCHMARKS.md` and `submission/LEZ_COST_BENCHMARKS.json`; current reset-era tx refresh remains open. +- [x] Current LEZ tooling does not expose stable per-transaction CU counters; the submission records this limitation explicitly rather than inventing CU numbers. + +### Supportability + +- [x] Current program deployment evidence on the reset-era public LEZ testnet: `c7157a473cb512bf7e1803d4377d9f65e9406a7ff98efeda48b65c0d4915a13b`. +- [ ] Current execute inclusion on the reset-era public LEZ testnet; public execute attempts are retained as blocker evidence and do not support a current-live execute claim. +- [x] End-to-end LEZ/RISC0 smoke scripts are included, with evaluator commands in `submission/EVALUATOR_GUIDE.md`. +- [x] CI configuration is present in the linked repository as `.github/workflows/ci.yml` and `.gitlab-ci.yml`; local/evaluator validation evidence is also documented in `submission/CI_EVIDENCE.md`. +- [x] README documents deployment, program identifiers, SDK usage, CLI/demo usage, and Basecamp package usage. +- [x] A reproducible demo script is provided at repository root as `demo.sh`; the heavy-lane path is available through `scripts/demo-heavy-lane.sh`. +- [x] Fresh narrated demo video: https://youtu.be/Wssfp_rkC54 + +## FURPS Self-Assessment + +### Functionality + +The workspace implements the private threshold relation, proposal binding, nullifier-based double-vote prevention, replay protection, SDK integration, consumer app, native Basecamp package, SPEL IDL, real RISC0 proof verification, historical public LEZ testnet inclusion evidence, and fresh current public-testnet deploy evidence. The main caveat is transparently documented: current reset-era public execute inclusion is still blocked even though local v0.2.0 execution/diff validation passes. 
+ +### Usability + +Evaluators can start with `./demo.sh` for the fast clone-and-run consumer flow, then use `submission/EVALUATOR_GUIDE.md` for the heavy-lane evidence path. Developers can import the SDK crate, inspect the consumer demo, or build the native Basecamp plugin from `basecamp-app/`. + +### Reliability + +The Rust workspace includes unit and integration tests for privacy boundaries, duplicate approvals, invalid indices, insufficient approvals, replay protection, serialization/resume behavior, IDL consistency, and verifier errors. Readiness validators catch stale documentation, missing artifacts, IDL drift, and publication-gate regressions. + +### Performance + +The submission includes safe-lane timings, RISC0 fixture measurements, serialized receipt/journal sizes, NSSA wrapper payload metrics, account counts, and historical public-testnet inclusion evidence plus current reset-era deploy evidence. LEZ per-transaction CU counters are not currently exposed by the available tooling, so the cost evidence records that limitation in machine-readable form; current reset-era execute inclusion remains blocked and is not overclaimed. + +### Supportability + +The repository is MIT licensed, public, documented, and organized as a reproducible Rust workspace. `submission/EVALUATOR_GUIDE.md`, `docs/SPEC_COMPLIANCE.md`, `docs/PROTOCOL.md`, `submission/TESTNET_EVIDENCE.json`, and `submission/BENCHMARKS.md` give reviewers the paths, commands, evidence identifiers, and known limitations needed to independently assess the submission. + +## Terms & Conditions + +I have read and agree to the Logos Lambda Prize TERMS.md and confirm that this submission is original work published under the MIT license.
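Review bot: In the Success Criteria Checklist, the first Performance item is ticked `[x]` although its own text ends with "current reset-era tx refresh remains open". That is inconsistent with Functionality and Supportability, where the same reset-era gap (current execute inclusion) is left as `[ ]`. Split the item into a checked line for the evidence that exists (proof-generation measurements, receipt/journal sizes, wrapper payload metrics, historical cost evidence) and an unchecked line for the reset-era refresh, so the checklist matches the claim stated in Approach: "current deploy evidence plus local v0.2.0 execution validation, not current live execute inclusion". The second Performance item is also ticked while it records a tooling limitation (no stable per-transaction CU counters) rather than a met criterion; label it as a limitation instead of a pass. Separately, the deploy tx hash is written out in three places (Approach, Functionality, Supportability) and the two execute-attempt hashes in two; stating each once and pointing to `submission/TESTNET_EVIDENCE.json` elsewhere would keep the copies from drifting apart on the next refresh.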