REFHE Protocol

refhe-protocol.md

<!-- SPDX-License-Identifier: AGPL-3.0-or-later -->

REFHE is the encrypted-computation boundary for confidential payroll, bonus, and grant batches inside PrivateDAO.

It does not pretend to perform fully homomorphic execution on-chain. Instead, it binds an off-chain encrypted evaluation process to a proposal-bound on-chain envelope that must be settled before the confidential payout can execute.

What REFHE Adds

  • a proposal-bound `RefheEnvelope` PDA
  • immutable links between:
      • DAO
      • proposal
      • confidential payout plan
      • encrypted input ciphertext hash
      • evaluation policy hash
      • evaluation key hash
      • result ciphertext hash
      • result commitment hash
      • proof bundle hash
      • verifier program binding
  • execution gating:
      • if a REFHE envelope exists for a confidential payout proposal, execution is blocked until the envelope is settled

Why It Exists

Confidential payout plans already protect the employee-level manifest by keeping only hashes and aggregate settlement metadata on-chain.

REFHE upgrades that model by adding an authority-settled encrypted-evaluation step:

  • a confidential payout plan is configured on-chain
  • a REFHE envelope is configured against that payout plan
  • encrypted evaluation runs off-chain
  • the result bundle is settled on-chain by the DAO authority
  • the payout becomes executable only after the REFHE boundary is satisfied

On-Chain Boundary

Current on-chain enforcement is honest and strict:

  • no REFHE envelope:
      • confidential payout executes normally after proposal pass + timelock
  • REFHE envelope exists but is not settled:
      • execution is rejected
  • REFHE envelope is settled without a verifier program:
      • execution is rejected
  • REFHE envelope is settled by the DAO authority with a verifier program:
      • execution may proceed once the proposal is executable

This makes REFHE a real execution gate, not a UI-only tag. It does not claim that the PrivateDAO program re-executes or cryptographically verifies the REFHE computation on-chain.
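The four cases above, together with authority-only settlement, modelled in plain Rust as an added example (not PrivateDAO's program code). The type, function and error names and the 32-byte `Key` type are assumptions made for illustration.

```rust
// Added illustration: a plain-Rust model of the REFHE execution gate.
// All names are hypothetical; this is not the PrivateDAO program source.
type Key = [u8; 32];

#[derive(Debug, PartialEq)]
enum Status { Configured, Settled }

#[derive(Debug, PartialEq)]
enum GateError { ProposalNotExecutable, NotAuthority, NotSettled, MissingVerifier }

struct RefheEnvelope {
    status: Status,
    verifier_program: Option<Key>, // None models "settled without a verifier program"
}

/// Settlement: only the DAO authority may move the envelope to Settled.
fn settle(env: &mut RefheEnvelope, signer: Key, dao_authority: Key,
          verifier_program: Option<Key>) -> Result<(), GateError> {
    if signer != dao_authority { return Err(GateError::NotAuthority); }
    env.verifier_program = verifier_program;
    env.status = Status::Settled;
    Ok(())
}

/// Execution gate for a confidential payout proposal.
/// `proposal_executable` stands for "proposal passed and timelock elapsed".
fn check_execution(proposal_executable: bool, env: Option<&RefheEnvelope>) -> Result<(), GateError> {
    if !proposal_executable { return Err(GateError::ProposalNotExecutable); }
    match env {
        None => Ok(()), // no envelope: normal confidential payout path
        Some(e) if e.status != Status::Settled => Err(GateError::NotSettled),
        Some(e) if e.verifier_program.is_none() => Err(GateError::MissingVerifier),
        Some(_) => Ok(()), // settled by the authority with a verifier binding
    }
}

fn main() {
    // Constructed sample keys, not real addresses.
    let (authority, other, verifier): (Key, Key, Key) = ([1; 32], [2; 32], [9; 32]);
    let mut env = RefheEnvelope { status: Status::Configured, verifier_program: None };
    println!("no envelope:  {:?}", check_execution(true, None));
    println!("configured:   {:?}", check_execution(true, Some(&env)));
    println!("wrong signer: {:?}", settle(&mut env, other, authority, Some(verifier)));
    println!("settle:       {:?}", settle(&mut env, authority, authority, Some(verifier)));
    println!("settled:      {:?}", check_execution(true, Some(&env)));
}
```

The gate only checks envelope state and the verifier binding; as the paragraph above says, nothing in it re-executes or cryptographically verifies the off-chain evaluation.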

Account Model

  • `ConfidentialPayoutPlan`
      • encrypted manifest hash
      • ciphertext hash
      • settlement recipient
      • aggregate amount
  • `RefheEnvelope`
      • model URI
      • policy hash
      • input ciphertext hash
      • evaluation key hash
      • result ciphertext hash
      • result commitment hash
      • proof bundle hash
      • verifier program
      • status: `Configured` or `Settled`

Commands

Configure the payout batch:

```bash
DAO_PDA="$DAO_PDA"
PROPOSAL_PDA="$PROPOSAL_PDA"
SETTLEMENT_WALLET="$SETTLEMENT_WALLET"
MANIFEST_HASH="$MANIFEST_HASH"
CIPHERTEXT_HASH="$CIPHERTEXT_HASH"

npm run configure:confidential-payout -- \
  --dao "$DAO_PDA" \
  --proposal "$PROPOSAL_PDA" \
  --confidential-type salary \
  --settlement-recipient "$SETTLEMENT_WALLET" \
  --payout-asset sol \
  --payout-total 2.5 \
  --recipient-count 6 \
  --manifest-uri "box://privatedao/payroll/epoch-7" \
  --manifest-hash "$MANIFEST_HASH" \
  --ciphertext-hash "$CIPHERTEXT_HASH"
```

Configure REFHE:

```bash
DAO_PDA="$DAO_PDA"
PROPOSAL_PDA="$PROPOSAL_PDA"
REFHE_POLICY_HASH="$REFHE_POLICY_HASH"
REFHE_INPUT_HASH="$REFHE_INPUT_HASH"
REFHE_EVALUATION_KEY_HASH="$REFHE_EVALUATION_KEY_HASH"

npm run configure:refhe -- \
  --dao "$DAO_PDA" \
  --proposal "$PROPOSAL_PDA" \
  --model-uri "box://privatedao/refhe/payroll-eval-epoch-7" \
  --policy-hash "$REFHE_POLICY_HASH" \
  --input-ciphertext-hash "$REFHE_INPUT_HASH" \
  --evaluation-key-hash "$REFHE_EVALUATION_KEY_HASH"
```

Settle REFHE:

```bash
DAO_PDA="$DAO_PDA"
PROPOSAL_PDA="$PROPOSAL_PDA"
REFHE_RESULT_CIPHERTEXT_HASH="$REFHE_RESULT_CIPHERTEXT_HASH"
REFHE_RESULT_COMMITMENT_HASH="$REFHE_RESULT_COMMITMENT_HASH"
REFHE_PROOF_BUNDLE_HASH="$REFHE_PROOF_BUNDLE_HASH"
REFHE_VERIFIER_PROGRAM="$REFHE_VERIFIER_PROGRAM"

npm run settle:refhe -- \
  --dao "$DAO_PDA" \
  --proposal "$PROPOSAL_PDA" \
  --result-ciphertext-hash "$REFHE_RESULT_CIPHERTEXT_HASH" \
  --result-commitment-hash "$REFHE_RESULT_COMMITMENT_HASH" \
  --proof-bundle-hash "$REFHE_PROOF_BUNDLE_HASH" \
  --verifier-program "$REFHE_VERIFIER_PROGRAM"
```

Inspect:

```bash
PROPOSAL_PDA="$PROPOSAL_PDA" npm run inspect:refhe -- --proposal "$PROPOSAL_PDA"
```

Review Path

  • [confidential-payments.md](confidential-payments.md)
  • [confidential-payroll-flow.md](confidential-payroll-flow.md)
  • [refhe-operator-flow.md](refhe-operator-flow.md)
  • [refhe-security-model.md](refhe-security-model.md)
  • [refhe-audit-scope.md](refhe-audit-scope.md)
  • [assets/refhe-flow.svg](assets/refhe-flow.svg)