Feature: verifiable and privacy preserving delegated onchain digital asset publication #21

Merged
sid030sid merged 8 commits into main from
feat/verifiable-and-privacy-preserving-delegated-onchain-execution
Apr 15, 2026

@sid030sid
Collaborator

This feature allows company admins to authorize the trust anchor to publish their digital assets on behalf of their company without revealing the identity of the authorizing company admin and without compromising verifiability. This feature relies on the ASCS's fork of the circom-ecdsa repo, in particular by doing these steps:

https://github.com/ASCS-eV/circom-ecdsa/tree/feat/secure-and-variable-groupsig-verification?tab=readme-ov-file#private-secure-on-chain-group-signature-verification-with-variable-group-size. (note: consider that the branch with the README containing the steps to do may have been merged into main).

For review of this feature, please read the text under Desired feature for private digital asset publication of this feature's branch.

…ranch: verifiable-and-privacy-preserving-delegated-onchain-execution
…out verifiable delegation that hides privacy of delegator)
…uest by company admin that is executed by trust anchor admin via trust anchor multisig contract (no privacy layer: publicly visible company admin identity)
@sid030sid sid030sid self-assigned this Mar 7, 2026
…ct, finalized readme for setup, usage, and testing
@bakiberkay
Collaborator

I have tested the changes, and I have 46/46 tests passing.

Review Findings

  1. Merge conflicts; this PR drops security overrides and engines from package.json, which impacts CI/CD. The overrides for elliptic, undici and lodash-es are security patches for known vulnerabilities from their side. Dropping them reintroduces these vulnerabilities and causes these npm audit issues again. When resolving, the overrides block should be preserved. Additionally, the new ZKP tests depend on circom-zkp-generator artifacts and verifier contracts, and they are both gitignored, so they won't exist in CI. Running npx hardhat test in CI will fail on this file. Excluding them from CI runs would be great (--ignore ./test/DIDMultisigController.privatePublish.test.ts)
  2. (Important note: this issue is a Claude suggestion. It requires regenerating the circom circuit, wasm, zkey and verifier contracts, which needs a heavy change.) abi.encodePacked() with dynamic string has hash collision risk. Both paths use it with a string argument, which Solidity warns against. Dynamic types are concatenated without length prefixes, so different inputs can produce identical byte sequences. These are at DIDMultisigController.sol lines 318 and 549. Changing them to abi.encode() instead of abi.encodePacked() is a suggested fix.
  3. There is a cross-instance signature replay risk; both publishing paths, public and private, omit the contract's own address from the signed/hashed message. In case there are 2 trust anchors (which is not true for our use case with ASCS being the only trust anchor, but this issue holds for general use), and they deploy separate DIDMultisigController instances on the same chain, a signature/proof made for trustAnchor A is valid on trustAnchor B's contract. Using address(this) as an additional argument in the hash could be better maybe?
  4. Some more issues with lower priority, again would be out of scope for this PR, they can be addressed as future work.

Test Times

DIDMultisigController – private publishing on marketplace
  ✔ Group of 4 admins can publish via ZKP (16609ms)
  ✔ Group of 2 admins can publish via ZKP (15672ms)
  ✔ Fails if valid admin includes non-admin (group of 4) (15510ms)
  ✔ Fails if invalid admin attempts to generate a proof for a group they do not belong to (8382ms)
  ✔ Prevents nonce reuse (15310ms)

Thanks for the work and I wish you a pleasant day!
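
Added example (not part of this PR or the project's code): a byte-level JavaScript model of Solidity's abi.encodePacked and abi.encode, illustrating the collision and cross-instance points raised in findings 2 and 3 above. The field values and contract addresses are constructed, and the argument layout is an assumption, since the page does not show the calls at DIDMultisigController.sol lines 318 and 549.

```javascript
// Added example: byte-level model of Solidity's abi.encodePacked vs abi.encode.
// Identical bytes hash to the same keccak256 digest, so comparing bytes is enough.
const word = (n) => Buffer.from(n.toString(16).padStart(64, "0"), "hex"); // BigInt -> 32 bytes

// abi.encodePacked(string, ...): raw UTF-8 bytes, no length prefix, no padding.
function encodePacked(...strings) {
  return Buffer.concat(strings.map((s) => Buffer.from(s, "utf8")));
}

// abi.encode for address and string fields: one head word per field, then
// for each string a tail of (length word, data padded to 32 bytes).
function abiEncode(fields) {
  const headSize = 32n * BigInt(fields.length);
  const heads = [], tails = [];
  let tailLen = 0n;
  for (const [type, value] of fields) {
    if (type === "address") {
      heads.push(word(BigInt(value)));
      continue;
    }
    const data = Buffer.from(value, "utf8");
    const padded = Buffer.alloc(Math.ceil(data.length / 32) * 32);
    data.copy(padded);
    heads.push(word(headSize + tailLen)); // offset of this string's tail
    tails.push(word(BigInt(data.length)), padded);
    tailLen += 32n + BigInt(padded.length);
  }
  return Buffer.concat([...heads, ...tails]);
}

// Constructed inputs: two different string pairs and two contract instances.
const PAIR_1 = ["did:web:acme", ":asset-1"];
const PAIR_2 = ["did:web:acme:", "asset-1"];
const INSTANCE_A = "0x" + "11".repeat(20);
const INSTANCE_B = "0x" + "22".repeat(20);

const asStrings = (pair) => pair.map((v) => ["string", v]);
// Message bound to one deployment, as adding address(this) would do on-chain.
const bound = (instance, pair) => abiEncode([["address", instance], ...asStrings(pair)]);

function report() {
  return {
    packedCollision: encodePacked(...PAIR_1).equals(encodePacked(...PAIR_2)),
    encodeCollision: abiEncode(asStrings(PAIR_1)).equals(abiEncode(asStrings(PAIR_2))),
    crossInstanceEqual: bound(INSTANCE_A, PAIR_1).equals(bound(INSTANCE_B, PAIR_1)),
  };
}
console.log(report());
```

The collision shown needs more than one dynamic-length value in the same packed call; which arguments the two call sites pack is not visible on this page.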

Collaborator

@flhps flhps left a comment

Well done!

@sid030sid
Collaborator Author

Please note that the test "Fails if valid admin includes non-admin (group of 4)" --> logs "ERROR: 4 Error in template Main_201 line: 109" in the console, which is exactly the error this test wants to trigger.

@sid030sid sid030sid merged commit 8c816d0 into main Apr 15, 2026
2 of 3 checks passed
@sid030sid sid030sid deleted the feat/verifiable-and-privacy-preserving-delegated-onchain-execution branch April 15, 2026 12:05