Add ECDSA decrypt result signature docs (from #8)

deep-dive/cofhe-components/task-manager.mdx

@@ -1,13 +1,45 @@
 ---
 title: TaskManager
-description: "On-chain entry point for CoFHE integration that initiates FHE operations and generates unique handles for encrypted computation tasks"
+description: "On-chain entry point for CoFHE integration that initiates FHE operations, generates unique handles, and verifies decrypt result signatures"
 ---
 
 
 | Aspect | Description |
 |---------|-------------|
 | **Type** | Contract deployed on the destination blockchain |
 | **Function** | Acts as the on-chain entry point for CoFHE integration |
-| **Responsibilities** | • Initiates FHE operations by serving as the on-chain entry point. The dApp contract calls the FHE.sol library which triggers the TaskManager contract to submit a new encrypted computation task. <br/>• Generates unique handles that act as references to the results of FHE operations. These results are computed asynchronously off-chain. <br/>• Emits structured events containing the unique handle of the ciphertext, operation type, and other required metadata. |
+| **Responsibilities** | • Initiates FHE operations by serving as the on-chain entry point. The dApp contract calls the FHE.sol library which triggers the TaskManager contract to submit a new encrypted computation task. <br/>• Generates unique handles that act as references to the results of FHE operations. These results are computed asynchronously off-chain. <br/>• Emits structured events containing the unique handle of the ciphertext, operation type, and other required metadata. <br/>• Verifies ECDSA signatures on client-published decrypt results and stores them on-chain. |
 | **Deployment** | A separate Task Manager Contract is deployed for each supported destination chain, enabling chain-specific integrations |
 
+## Decrypt Result Signature Verification
+
+The TaskManager supports **permissionless publishing of decrypt results**. Anyone holding a valid ECDSA signature from the Threshold Network's Dispatcher can publish a decrypt result on-chain. The TaskManager verifies the signature before storing the result.
+
+### Key State
+
+| Variable | Description |
+|----------|-------------|
+| `decryptResultSigner` | Address of the authorized Threshold Network signer. Set to `address(0)` to skip verification (debug mode). |
+
+### Functions
+
+| Function | Description |
+|----------|-------------|
+| `publishDecryptResult(ctHash, result, signature)` | Verify signature and store the decrypt result on-chain. Emits `DecryptionResult`. |
+| `publishDecryptResultBatch(ctHashes[], results[], signatures[])` | Batch publish multiple results in one transaction for gas efficiency. |
+| `verifyDecryptResult(ctHash, result, signature)` | Verify a signature without publishing (view). Reverts on failure. |
+| `verifyDecryptResultSafe(ctHash, result, signature)` | Verify a signature without publishing (view). Returns `false` on failure. |
+| `setDecryptResultSigner(address)` | Admin-only. Set the authorized signer address. |
+
+### Signature Message Format
+
+The signed message is a fixed **76-byte** buffer:
+
+| Field | Size | Encoding |
+|-------|------|----------|
+| `result` | 32 bytes | uint256, big-endian, left-padded with zeros |
+| `enc_type` | 4 bytes | i32, big-endian (extracted from ctHash metadata) |
+| `chain_id` | 8 bytes | u64, big-endian (from `block.chainid`) |
+| `ct_hash` | 32 bytes | uint256, big-endian |
+
+The message is hashed with `keccak256` and verified using OpenZeppelin's `ECDSA.tryRecover`. The `enc_type` and `chain_id` are derived on-chain, binding each signature to a specific ciphertext type and chain.

deep-dive/cofhe-components/threshold-network.mdx

@@ -39,3 +39,36 @@ The coordinator splits the CT into individual Learning With Errors (LWE) CT bloc
 
 The MPC protocol consists of multiple stages. In each stage, a partymember performs a calculation on a received input and returns the result (a.k.a. intermediate result) to the Coordinator. Each intermediate result gets sent back to the coordinator in order to get distributed among other partymembers as an input for the next stage.
 
+## Dispatcher Signing
+
+The Threshold Network's **Dispatcher** component signs every decrypt and sealoutput result with an ECDSA key. This signature enables on-chain verification — clients can publish signed decrypt results directly to the TaskManager contract via `FHE.publishDecryptResult()`.
+
+### Signed Message Format
+
+For decrypt results, the Dispatcher produces a fixed **76-byte** message before signing:
+
+| Field | Size | Encoding |
+|-------|------|----------|
+| `result` | 32 bytes | uint256, big-endian, left-padded with zeros |
+| `enc_type` | 4 bytes | i32, big-endian |
+| `chain_id` | 8 bytes | u64, big-endian |
+| `ct_hash` | 32 bytes | uint256, big-endian |
+
+This format is aligned with Solidity types so the TaskManager can reconstruct and verify the same hash on-chain using `_computeDecryptResultHash`.
+
+### Signature V Format
+
+The ECDSA recovery ID (`v` value) can be returned in two formats, controlled by the HTTP header `X-Signature-V-Format`:
+
+| Header Value | V Format | Use Case |
+|-------------|----------|----------|
+| `"raw"` (default) | 0-3 | General purpose, k256 native |
+| `"evm"` | 27-28 | Direct use with Solidity's `ecrecover` / OpenZeppelin `ECDSA.recover` |
+
+<Note>
+For on-chain verification via `FHE.publishDecryptResult()`, use `"evm"` format so the signature is directly compatible with the TaskManager's ECDSA verification.
+</Note>
+
+### Signer Registration
+
+The Dispatcher's signing key address is registered on-chain as `decryptResultSigner` in the TaskManager contract. Only results signed by this address are accepted. Setting it to `address(0)` disables verification (debug mode only).

deep-dive/data-flows/decryption-request-flow.mdx

@@ -55,18 +55,16 @@ The Threshold Network performs secure decryption:
 - Perform secure decryption
 </Step>
 
-<Step title="FheOS Notifies the Result Processor with the decrypt result">
+<Step title="Result Delivery">
 After decryption is complete: 7️⃣
 
-- Call appropriate callback function on the Result Processor
-- The Result Processor publishes the result back to the TaskManager on the host chain
-</Step>
-
-<Step title="TaskManager emit event with decryption result">
-The TaskManager finalizes the decryption process: 8️⃣
+- The Threshold Network returns the plaintext along with an **ECDSA signature** to the client (via the Client SDK)
+- The client (or any relayer) calls `FHE.publishDecryptResult(ctHash, result, signature)` or `FHE.verifyDecryptResult(ctHash, result, signature)` on-chain
+- The on-chain contract verifies the signature before accepting the result
 
-- Provide decrypted result by emitting an event `DecryptionResult`
-- The event consists of `ciphertext handle`, `result`, `requestor` (of that decrypt operation)
+<Note>
+This enables permissionless result delivery — anyone holding a valid signature can publish. This is useful for client-driven settlement or relayer patterns.
+</Note>
 </Step>
 </Steps>
 

docs.json

@@ -218,7 +218,7 @@
               "deep-dive/data-flows/encryption-request-flow",
               "deep-dive/data-flows/fhe-operation-request-flow",
               "deep-dive/data-flows/decryption-request-flow",
-              "deep-dive/data-flows/decrypt-from-cofhejs"
+              "deep-dive/data-flows/off-chain-decryption-flow"
             ]
           },
           { 

fhe-library/core-concepts/decryption-operations.mdx

@@ -42,12 +42,23 @@ The client calls `decryptForView` off-chain to obtain the plaintext for display
 Use `decryptForTx` when you need to act on the decrypted value in a smart contract. Use `decryptForView` when you only need to display the value in a UI.
 </Note>
 
+### 3. Client-Published Decryption (Signature-Verified)
+
+The client decrypts off-chain via `decryptForTx`, receives the plaintext result along with an **ECDSA signature** from the Threshold Network's Dispatcher, and then publishes the result on-chain by calling `FHE.publishDecryptResult()`. The TaskManager verifies the signature on-chain before storing the result.
+
+This combines the best of both worlds: the client controls when the result lands on-chain, while the contract can still use the decrypted value.
+
+<Note>
+The signature cryptographically proves the result came from the authorized Threshold Network. No trust in the publisher is required — anyone holding a valid signature can submit it.
+</Note>
+
 ### Comparison Table
 
 | Method | Visibility | Gas Cost | Smart Contract Usable | Best For |
 |--------|-----------|----------|----------------------|----------|
 | **`decryptForTx`** | Public (once published on-chain) | Gas for the publish/verify tx | Yes | Public results, contract logic |
 | **`decryptForView`** | Private (off-chain only) | None | No | UI display, confidential data |
+| **Client-Published (signature)** | Public (on-chain) | Medium | Yes | Client-driven settlement, permissionless delivery |
 
 ---
 
@@ -237,6 +248,33 @@ await tx.wait();
 
 ---
 
+## Batch Client-Published Decryption
+
+```solidity
+function publishMultipleResults(
+    uint256[] memory ctHashes,
+    uint256[] memory results,
+    bytes[] memory signatures
+) external {
+    FHE.publishDecryptResultBatch(ctHashes, results, signatures);
+}
+```
+
+---
+
+## Signature Verification Functions
+
+When using client-published decryption, two verification functions are available:
+
+| Function | Behavior on Invalid Signature |
+|----------|-------------------------------|
+| `FHE.verifyDecryptResult(ctHash, result, signature)` | Reverts |
+| `FHE.verifyDecryptResultSafe(ctHash, result, signature)` | Returns `false` |
+
+Both functions accept type-specific overloads for `ebool`, `euint8`, `euint16`, `euint32`, `euint64`, `euint128`, and `eaddress`.
+
+---
+
 ## Best Practices
 
 <CardGroup cols={2}>

fhe-library/core-concepts/require.mdx

@@ -43,8 +43,9 @@ require(msg.sender == owner, "Not authorized");
 // Good - use select for encrypted logic
 euint32 result = FHE.select(encryptedCondition, valueA, valueB);
 
-// Bad - require on encrypted condition leaks information!
-require(FHE.decrypt(encryptedValue.gt(threshold)), "Value too low");
+// Bad - require on encrypted condition is not possible!
+// FHE.decrypt was removed — decryption is now off-chain only
+// require(FHE.decrypt(encryptedValue.gt(threshold)), "Value too low");
 ```
 
 ---