Validator–TEE trust boundaries for Flashnet’s intent engine
Actor | Non-delegable responsibilities |
---|---|
User | 1. Signs an intent that encodes the desired state change. 2. Funds the on-spark address referenced in the intent. 3. Chooses a fee and nonce, retaining unilateral ability to cancel by spending these funds elsewhere before execution. |
Validator₁…Validatorₙ | 1. Hold one Shamir shard Shardᵢ for every on-spark Seed, with threshold m ≤ n required for reconstruction. 2. Independently verify every incoming intent: signature, nonce freshness, expiry, fee correctness, and required on-spark balance. 3. If valid, emit an attestation {intent_hash, sigᵢ, enc(Shardᵢ, TEE_pk)} and forward it to the TEE. 4. Slashable for withholding shards or signing invalid intents. |
TEE | 1. Publishes a verifiable remote-attestation quote proving the expected enclave software. 2. Runs the deterministic Spark state-transition logic. 3. Creates a new Seed when persistent state is required and secret-shares it to validators. 4. Waits for m distinct attestations. Only then reconstructs the Seed, claims funds, and emits the resulting Spark transaction + event. |
n − m offline or malicious validators while preventing sub-threshold collusion.
m attestations are collected.
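The m-of-n gate from the TEE row, sketched as an added example (not Flashnet's code): shards are counted once per known validator for one intent hash, and the Seed is reconstructed only at threshold. The prime `P`, the names `split`, `reconstruct` and `ThresholdGate`, and the plain-integer shards are assumptions; checking sigᵢ and decrypting enc(Shardᵢ, TEE_pk) are assumed to happen before `submit()`.

```python
import secrets

P = 2**255 - 19  # field prime for the shares (assumed; the page names no field)

def split(seed, m, n):
    """Shamir-split seed into n shards; any m of them reconstruct it."""
    coeffs = [seed] + [secrets.randbelow(P) for _ in range(m - 1)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}

def reconstruct(shards):
    """Lagrange interpolation at x = 0 over an {index: share} map."""
    secret = 0
    for i, y in shards.items():
        num = den = 1
        for j in shards:
            if j != i:
                num = num * -j % P
                den = den * (i - j) % P
        secret = (secret + y * num * pow(den, -1, P)) % P
    return secret

class ThresholdGate:
    """Enclave-side gate (hypothetical): one intent, m distinct attestations."""
    def __init__(self, intent_hash, m, validator_ids):
        self.intent_hash, self.m = intent_hash, m
        self.known = set(validator_ids)
        self.shards = {}

    def submit(self, validator_id, intent_hash, shard):
        # Assumes sig_i was verified and the shard decrypted before this call.
        if validator_id not in self.known or intent_hash != self.intent_hash:
            return False  # unknown validator, or attestation for another intent
        if validator_id in self.shards:
            return False  # a repeat from the same validator never counts twice
        self.shards[validator_id] = shard
        return True

    def seed(self):
        if len(self.shards) < self.m:
            return None  # sub-threshold: nothing is reconstructed
        return reconstruct(self.shards)

if __name__ == "__main__":
    shards = split(0xC0FFEE, m=3, n=5)  # constructed sample Seed
    gate = ThresholdGate("intent-hash", 3, shards)
    for vid in (1, 1, 2, 4):  # validator 1 submits twice
        gate.submit(vid, "intent-hash", shards[vid])
    print(hex(gate.seed()))
```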