Parent Issue
Closes part of #47
Description
Build a threshold witness encryption contract where a secret is revealed when N out of M authorized witnesses provide their codes.
Use Case
Traditional threshold schemes use Shamir secret sharing or multisig. TLOS enables:
- M code holders registered at deployment
- Secret released when any N provide valid codes
- Codes are independent (not Shamir shares)
- Each code protected by 2^76 puzzle
Example Flow
```
Witnesses (M=5)              Contract                            Anyone
|                               |                                  |
| deploy(codeHashes[5], N=3)    |                                  |
|------------------------------>| threshold = 3                    |
|                               |                                  |
| provideCode(code1, puzzle)    |                                  |
|------------------------------>| count = 1                        |
|                               |                                  |
| provideCode(code2, puzzle)    |                                  |
|------------------------------>| count = 2                        |
|                               |                                  |
| provideCode(code3, puzzle)    |                                  |
|------------------------------>| count = 3 >= N                   |
|                               |                                  |
|                               |--- SECRET REVEALED ------------->|
```
Key Features
- M code hashes stored at deployment
- Configurable threshold N (1 <= N <= M)
- Each code can only be used once
- Order-independent (any N codes work)
- Optional: weighted codes (some worth more)
- Optional: time-locked threshold changes
Security Model
- What's hidden: The secret, individual codes
- What's public: M, N, which codes have been used
- Guarantee: Must brute-force N codes (N × 2^76 minimum)
Use Cases
- Corporate secret recovery (3-of-5 executives)
- Inheritance with multiple heirs required
- Distributed key custody
- Emergency access with quorum
Comparison to Shamir
| Aspect | Shamir | TLOSMultiWitness |
|---|---|---|
| Share generation | Complex math | Independent codes |
| On-chain verification | Needs assembly | Puzzle-protected |
| Brute-force resistance | None (just hashes) | 2^76 per code |
| Flexibility | Fixed at creation | Could add time constraints |
Acceptance Criteria
- Contract compiles and passes tests
- Various N-of-M configurations tested
- Edge cases: N=1, N=M, duplicate codes
- Gas benchmark documented
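
The counting rules from Key Features and the edge cases in the acceptance criteria (N=1, N=M, duplicate codes), as an added off-chain Python model that is not the project's contract code. It assumes SHA-256 for the code hashes and leaves out the puzzle check and the secret itself; `MultiWitnessModel`, `provide_code` and `run_flow` are hypothetical names.

```python
import hashlib


def code_hash(code: bytes) -> bytes:
    # Assumption: SHA-256 stands in for whatever hash the contract uses.
    return hashlib.sha256(code).digest()


class MultiWitnessModel:
    """Off-chain model of the N-of-M counting rules only (no puzzle, no secret)."""

    def __init__(self, code_hashes, threshold):
        hashes = list(code_hashes)
        if len(set(hashes)) != len(hashes):
            # A repeated hash makes the real number of distinct codes smaller
            # than M, so a threshold of N=M could never be reached.
            raise ValueError("duplicate code hash at deployment")
        if not 1 <= threshold <= len(hashes):
            raise ValueError("threshold must satisfy 1 <= N <= M")
        self.threshold = threshold
        self.used = {h: False for h in hashes}  # public: which codes are used
        self.count = 0

    @property
    def released(self) -> bool:
        return self.count >= self.threshold

    def provide_code(self, code: bytes) -> bool:
        """Record one witness code; returns True once the threshold is met."""
        h = code_hash(code)
        if h not in self.used:
            raise ValueError("unknown code")
        if self.used[h]:
            # Each code counts once; a replay must not advance the count.
            raise ValueError("code already used")
        self.used[h] = True
        self.count += 1
        return self.released


def run_flow(m, n, order):
    """Deploy with m constructed codes, submit them in the given index order,
    and return the released flag after each accepted submission."""
    codes = [b"constructed-code-%d" % i for i in range(m)]  # constructed sample codes
    model = MultiWitnessModel([code_hash(c) for c in codes], n)
    return [model.provide_code(codes[i]) for i in order]
```

The same cases can serve as an oracle for the contract tests: feed both the model and the contract the same sequence of submissions and compare the count and the released flag.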