Update ERC-7573: Added releaseKey method to IDecryptionContract
Merged by EIP-Bot.
cfries authored Jan 11, 2025
1 parent 653f9f6 commit 8e94e16
Showing 3 changed files with 66 additions and 5 deletions.
59 changes: 56 additions & 3 deletions ERCS/erc-7573.md
Expand Up @@ -114,16 +114,16 @@ function inceptTransfer(bytes32 id, int amount, address from, string memory keyE

Called from the receiver of the amount to initiate payment transfer. Emits a `PaymentTransferIncepted`.
The parameter `id` is an identifier of the trade. The parameter `from` is the address of the sender of the payment (the address of the receiver is `msg.sender`).
The parameter `keyEncryptedSuccess` is an encryption of the key and will be decrypted if the transfer is successful in a call to `transferAndDecrypt`.
The parameter `keyEncryptedFailure` is an encryption of the key and will be decrypted if the transfer fails in a call to `transferAndDecrypt` or if `cancelAndDecrypt`is successful.
The parameter `keyEncryptedSuccess` is an encryption of a key and will be decrypted if the transfer is successful in a call to `transferAndDecrypt`.
The parameter `keyEncryptedFailure` is an encryption of a key and will be decrypted if the transfer fails in a call to `transferAndDecrypt` or if `cancelAndDecrypt` is successful.

##### Transfer: `transferAndDecrypt`

```solidity
function transferAndDecrypt(bytes32 id, int amount, address to, string memory keyEncryptedSuccess, string memory keyEncryptedFailure) external;
```

Called from the sender of the amount to initiate completion of the payment transfer. Emits a `TransferKeyRequested` and `TransferKeyReleased` with keys depending on completion success.
Called from the sender of the amount to initiate completion of the payment transfer. Emits a `TransferKeyRequested` with keys depending on completion success.
The parameter `id` is an identifier of the trade. The parameter `to` is the address of the receiver of the payment (the sender of the payment (from) is implicitly the `msg.sender`).
The parameter `keyEncryptedSuccess` is an encryption of the key and will be decrypted if the transfer is successful.
The parameter `keyEncryptedFailure` is an encryption of the key and will be decrypted if the transfer failed.
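Review bot: The two parameter lines that close the `transferAndDecrypt` description still read "an encryption of the key", while the `inceptTransfer` description in the same hunk was changed to "an encryption of a key"; the wording should match in both places. Since `TransferKeyReleased` is no longer listed as emitted by `transferAndDecrypt`, a short sentence here saying that the release now happens through the oracle's call to `releaseKey` would keep readers from looking for that event in this method.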
Expand All @@ -141,6 +141,19 @@ Called from the receiver of the amount to cancel payment transfer (cancels the i

The method must be called from the caller of a previous call to `inceptTransfer`
with the exact same arguments and cancels this specific transfer.
If these preconditions are meet and a valid call to `transferAndDecrypt` has not been issued before,
i.e. if `keyEncryptedSuccess` has not been dissued in a `TransferKeyRequested` event,
then this method emits a `TransferKeyRequested` with the key `keyEncryptedFailure`.

##### Release of ILockingContract Access Key: `releaseKey`

```solidity
function releaseKey(bytes32 id, string memory key) external;
```

Called from the (possibly external) decryption oracle.

Emits the event `TransferKeyReleased` with the value of `key` if the call was eligible.

##### Summary

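Review bot: The `releaseKey` description says the event is emitted "if the call was eligible" but never defines eligibility, which is the security-relevant part of this method. It should state who may call it (for example, whether `msg.sender` must be the decryption oracle), whether a `TransferKeyRequested` for this `id` must have been emitted before, and whether an ineligible call reverts or returns silently. In the added `cancelAndDecrypt` text, "meet" should be "met" and "dissued" should be "issued".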
Expand All @@ -155,6 +168,7 @@ interface IDecryptionContract {
function inceptTransfer(bytes32 id, int amount, address from, string memory keyEncryptedSuccess, string memory keyEncryptedFailure) external;
function transferAndDecrypt(bytes32 id, int amount, address to, string memory keyEncryptedSuccess, string memory keyEncryptedFailure) external;
function cancelAndDecrypt(bytes32 id, address from, string memory keyEncryptedSuccess, string memory keyEncryptedFailure) external;
function releaseKey(bytes32 id, string memory key) external;
}
```

Expand Down Expand Up @@ -190,6 +204,45 @@ allow the flexible use of different encryption schemes.
The decryption/encryption scheme should be inferable from the contents
of the `encryptedKey`.

### Ensuring Secure Key Decryption - Key Format

It has to be ensured that the description oracle decrypts a key only for the eligible contract.

It seems as if this would require us to introduce a concept of eligibility to the description oracle, which would imply a kind of state.

A fully stateless decryption can be realized by introducing a document format for the key and a corresponding eligibility verification protocol. We propose the following elements:

- The (unencrypted) key documents contain the address of the payment contract implementing `IDecryptionContract`.
- The decryption oracle offers a stateless function `verify` that that receives an encrypted key and returns the callback address (that will be used for the `releaseKey` call) that is stored inside the decrypted key without returning the decrypted key.
- When an encrypted key is presented to the decryption oracle, the oracle decrypts the document and passes the decrypted key to `releaseKey` of the callback contract address found within the document decrypted key.

We propose the following XML schema for the document of the decrypted key:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:tns="http://finnmath.net/erc/ILockingContract" attributeFormDefault="unqualified" elementFormDefault="qualified" targetNamespace="http://finnmath.net/erc/ILockingContract" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="releaseKey">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="contract" type="xs:string" use="required" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:schema>
```

A corresponding sample XML shown below.
```xml
<root xmlns:ilc="http://finnmath.net/erc/ILockingContract">
<ilc:releaseKey contract="eea9e1da-d56a-4c0a-9c08-f2e76f616426">
827364591027394857293847592374958273948572938475923749582739485729384
43928... random data ensuring the uniqueness of this document... 29384
7495827394857293847592374958273948572938475923749582739485729384759237
</ilc:releaseKey>
</root>
```

## Security Considerations

No known security issues up to now.
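Review bot: The sample document sets `contract="eea9e1da-d56a-4c0a-9c08-f2e76f616426"`, a UUID, while the first bullet says the key document contains the address of the payment contract, and the schema types the attribute as a plain `xs:string`. Use an address in the sample and consider restricting the attribute with a pattern so that `verify` can reject a malformed callback target. The sample also wraps `releaseKey` in a `root` element that the schema does not declare. The key document carries only the contract, yet `releaseKey(bytes32 id, string memory key)` also takes `id`; the text should say where the oracle obtains it. Wording: "description oracle" should read "decryption oracle" (twice), "that that" is doubled, and "document decrypted key" in the third bullet looks like a leftover. With an oracle callback added to the interface, the unchanged "No known security issues up to now." should at least address a `releaseKey` call that does not come from the oracle.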
12 changes: 10 additions & 2 deletions assets/erc-7573/contracts/IDecryptionContract.sol
Expand Up @@ -63,7 +63,7 @@ interface IDecryptionContract {

/**
* @notice Called from the sender of the amount to initiate completion of the payment transfer.
* @dev emits a {TransferKeyRequested} and {TransferKeyReleased} with keys depending on completion success.
* @dev emits a {TransferKeyRequested} with keys depending on completion success.
* @param id the trade identifier of the trade.
* @param amount the amount to be transferred.
* @param to The address of the receiver of the payment. Note: the sender of the payment (from) is implicitly the message.sender.
Expand All @@ -74,11 +74,19 @@ interface IDecryptionContract {

/**
* @notice Called from the receiver of the amount to cancel payment transfer (cancels the incept transfer).
* @dev emits a {TransferKeyRequested} and {TransferKeyReleased}
* @dev emits a {TransferKeyRequested}
* @param id the trade identifier of the trade.
* @param from The address of the sender of the payment. Note: the receiver of the payment (to) is implicitly the message.sender.
* @param keyEncryptedSuccess Encryption of the key that is emitted upon success.
* @param keyEncryptedFailure Encryption of the key that is emitted upon failure.
*/
function cancelAndDecrypt(bytes32 id, address from, string memory keyEncryptedSuccess, string memory keyEncryptedFailure) external;

/*+
* @notice Called from the (possibly external) decryption oracle.
* @dev emits a {TransferKeyReleased} (if the call was eligible).
* @param id the trade identifier of the trade.
* @param key Decrypted key.
*/
function releaseKey(bytes32 id, string memory key) external;
}
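Review bot: The comment block above `releaseKey` opens with `/*+` instead of `/**`, so it is an ordinary block comment and NatSpec tooling will not pick up its `@notice`, `@dev` and `@param` tags. Change the opener to `/**` to match the other methods in the interface. The phrase "(if the call was eligible)" would also benefit from a pointer to where eligibility is defined.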
Binary file modified assets/erc-7573/doc/DvP-Seq-Diag.png