96 changes: 96 additions & 0 deletions solutions/LP-0002.md
@@ -0,0 +1,96 @@
# LP-0002 Solution: Private M-of-N Multisig

**Submitted by:** Tranquil-Flow

## Summary

This submission implements a private M-of-N multisig primitive for LEZ. Shielded members approve a proposal client-side, produce unlinkable per-proposal nullifiers, and execute a threshold-gated action without revealing which members approved. The repository includes the Rust workspace, SDK, SPEL IDL, RISC0 heavy-lane artifacts, historical public LEZ testnet evidence with fail-closed reset handling, a native Qt/QML Basecamp `.lgx-portable` evaluator package with alice/bob install evidence, and reproducible evaluator scripts. The fresh human-recorded narrated demo is available at https://youtu.be/Wssfp_rkC54.

## Repository

- **Repo:** https://github.com/Tranquil-Flow/lp-0002-private-multisig
- **License:** MIT
- **Narrated demo:** https://youtu.be/Wssfp_rkC54

## Approach

The system is split into audit-friendly layers:

1. `core/` implements member commitments, proposal binding, threshold relation checks, context-bound nullifiers, replay identifiers, and the public journal privacy boundary.
2. `sdk/` exposes a high-level `MultisigSession` workflow for create, propose, approve, prove, and execute.
3. `consumer-demo/` is a standalone clone-and-run integration app that imports the public crates as library dependencies and exercises five realistic multisig scenarios.
4. `methods/` and `methods/guest/` contain the RISC0 threshold-proof guest and executable wrapper guest.
5. `host/` verifies real RISC0 receipt artifacts, prepares LEZ/NSSA payloads, and records file-backed evidence for the heavy lane.
6. `lez-program/` models the LEZ verifier gate with deterministic account-state mutation and replay protection.
7. `basecamp-app/` contains the native Qt/QML Logos Basecamp plugin package; `flake.nix`/`flake.lock` expose `.#lgx-portable` for evaluator-loadable packages and `.#lgx` for local scaffold installs, and `submission/BASECAMP_INSTALL_EVIDENCE.json` records M4 alice/bob profile install evidence.

The proof design keeps member identity private. The public journal reveals multisig/proposal/action binding, threshold and approval counts, sorted nullifiers, member root/count, and proof identifiers, but not raw member secrets or member commitments. Nullifiers bind approvals to the proposal context so a member cannot approve twice while remaining unlinkable across proposals.

The LEZ evidence is intentionally explicit about the current transport boundary. The full RISC0 receipt is verified host-side and persisted as file-backed evidence. Historical pre-reset public-testnet deploy/execute evidence is retained for audit. A reset-era v0.2.0 refresh on 2026-06-28 produced a fresh current public-testnet deploy tx `c7157a473cb512bf7e1803d4377d9f65e9406a7ff98efeda48b65c0d4915a13b` for ProgramBinary SHA-256 `8f74ccc446990f5437b5f6c6e731deac6653992e0a64abcecdff7bff0c5575e1` / program id `1557176a639868b0363e9106c75fe0748ceb42e65f5f1a6778dd05b6baebb57d`. The same input shape passes local v0.2.0 `Program::execute` and `ValidatedStateDiff::from_public_transaction`, but current public execute attempts `352eb699507aea4d4ca6963a50bef1473a2b944dfd7713116cbf82eabfeec3bf` and `fc4165ac2437bd6533444c5e010b2d248aed678daadfad277af1dd0f1fef6ca8` are not included by the endpoint. Therefore this submission claims current deploy evidence plus local v0.2.0 execution validation, not current live execute inclusion.

## Success Criteria Checklist

### Functionality

- [x] Any M-of-N member holding a shielded LEZ account can submit an approval without revealing their identity to on-chain observers or other members.
- [x] The verifier confirms a threshold of M approvals without recording which members approved.
- [x] Double-vote prevention is implemented through context-bound nullifiers.
- [x] A completed execution is unlinkable to an individual member's shielded account.
- [x] Proof generation runs client-side; the repository includes real `RISC0_DEV_MODE=0` proof artifacts and host verification scripts.
- [x] A reference threshold-gated action is delivered through the SDK, consumer demo, LEZ-shaped wrapper, and recorded historical public-testnet evidence.
- [x] Current reset-era public LEZ testnet deploy evidence: `c7157a473cb512bf7e1803d4377d9f65e9406a7ff98efeda48b65c0d4915a13b`.
- [ ] Current reset-era public LEZ testnet execute inclusion. v0.2.0 local execution/diff validation passes, but public execute attempts `352eb699507aea4d4ca6963a50bef1473a2b944dfd7713116cbf82eabfeec3bf` and `fc4165ac2437bd6533444c5e010b2d248aed678daadfad277af1dd0f1fef6ca8` are not included; this remains a transparent blocker.
- [x] Full documentation and a clean public repository are delivered.

### Usability

- [x] Module/SDK provided via the `sdk/` crate and `MultisigSession` API.
- [x] Logos Basecamp GUI package provided under `basecamp-app/`, including native Qt/QML plugin source, metadata, CMake build instructions, `.#lgx-portable` evaluator packaging, and alice/bob profile install evidence.
- [x] SPEL IDL provided under `interfaces/lp0002.idl.json` with discriminators and documented instruction/error surfaces.

### Reliability

- [x] Proof generation and verification failures surface deterministic typed errors.
- [x] Partial approvals are preserved and resumable through serde round-tripping of the approval accumulator.
- [x] Verifier errors and SDK errors are deterministic and documented in `docs/PROTOCOL.md`.

### Performance

- [x] Proof-generation measurements, receipt/journal sizes, wrapper payload metrics, and historical public LEZ testnet cost evidence are documented in `submission/BENCHMARKS.md` and `submission/LEZ_COST_BENCHMARKS.json`; current reset-era tx refresh remains open.
- [x] Current LEZ tooling does not expose stable per-transaction CU counters; the submission records this limitation explicitly rather than inventing CU numbers.

### Supportability

- [x] Current program deployment evidence on the reset-era public LEZ testnet: `c7157a473cb512bf7e1803d4377d9f65e9406a7ff98efeda48b65c0d4915a13b`.
- [ ] Current execute inclusion on the reset-era public LEZ testnet; public execute attempts are retained as blocker evidence and do not support a current-live execute claim.
- [x] End-to-end LEZ/RISC0 smoke scripts are included, with evaluator commands in `submission/EVALUATOR_GUIDE.md`.
- [x] CI configuration is present in the linked repository as `.github/workflows/ci.yml` and `.gitlab-ci.yml`; local/evaluator validation evidence is also documented in `submission/CI_EVIDENCE.md`.
- [x] README documents deployment, program identifiers, SDK usage, CLI/demo usage, and Basecamp package usage.
- [x] A reproducible demo script is provided at repository root as `demo.sh`; the heavy-lane path is available through `scripts/demo-heavy-lane.sh`.
- [x] Fresh narrated demo video: https://youtu.be/Wssfp_rkC54

## FURPS Self-Assessment

### Functionality

The workspace implements the private threshold relation, proposal binding, nullifier-based double-vote prevention, replay protection, SDK integration, consumer app, native Basecamp package, SPEL IDL, real RISC0 proof verification, historical public LEZ testnet inclusion evidence, and fresh current public-testnet deploy evidence. The main caveat is transparently documented: current reset-era public execute inclusion is still blocked even though local v0.2.0 execution/diff validation passes.

### Usability

Evaluators can start with `./demo.sh` for the fast clone-and-run consumer flow, then use `submission/EVALUATOR_GUIDE.md` for the heavy-lane evidence path. Developers can import the SDK crate, inspect the consumer demo, or build the native Basecamp plugin from `basecamp-app/`.

### Reliability

The Rust workspace includes unit and integration tests for privacy boundaries, duplicate approvals, invalid indices, insufficient approvals, replay protection, serialization/resume behavior, IDL consistency, and verifier errors. Readiness validators catch stale documentation, missing artifacts, IDL drift, and publication-gate regressions.

### Performance

The submission includes safe-lane timings, RISC0 fixture measurements, serialized receipt/journal sizes, NSSA wrapper payload metrics, account counts, and historical public-testnet inclusion evidence plus current reset-era deploy evidence. LEZ per-transaction CU counters are not currently exposed by the available tooling, so the cost evidence records that limitation in machine-readable form; current reset-era execute inclusion remains blocked and is not overclaimed.

### Supportability

The repository is MIT licensed, public, documented, and organized as a reproducible Rust workspace. `submission/EVALUATOR_GUIDE.md`, `docs/SPEC_COMPLIANCE.md`, `docs/PROTOCOL.md`, `submission/TESTNET_EVIDENCE.json`, and `submission/BENCHMARKS.md` give reviewers the paths, commands, evidence identifiers, and known limitations needed to independently assess the submission.

## Terms & Conditions

I have read and agree to the Logos Lambda Prize TERMS.md and confirm that this submission is original work published under the MIT license.
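Review bot: the Performance checklist mixes a checked box with an open item in the same line ("- [x] Proof-generation measurements ... are documented ...; current reset-era tx refresh remains open."), which a reader skimming the boxes will read as fully satisfied; split it the way the Functionality and Supportability sections already do, keeping the documented benchmarks as `[x]` and moving "current reset-era tx refresh remains open" to its own `[ ]` line so the checklist state matches the Summary's explicit claim of deploy evidence only. The Approach section also describes the nullifier construction only qualitatively ("Nullifiers bind approvals to the proposal context so a member cannot approve twice while remaining unlinkable across proposals"); since double-vote prevention and cross-proposal unlinkability are the core security claims, add a pointer to the exact derivation (which member secret and which proposal/action context fields are bound) in `docs/PROTOCOL.md` so an auditor can check that a nullifier cannot be linked back to a member commitment from the public journal.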