@openzeppelin/confidential-contracts 0.2.0 → 0.3.0

package/token/{ConfidentialFungibleToken.sol → ERC7984/ERC7984.sol}

@@ -1,14 +1,16 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Confidential Contracts (last updated v0.2.0) (token/ConfidentialFungibleToken.sol)
+// OpenZeppelin Confidential Contracts (last updated v0.3.0) (token/ERC7984/ERC7984.sol)
 pragma solidity ^0.8.27;
 
 import {FHE, externalEuint64, ebool, euint64} from "@fhevm/solidity/lib/FHE.sol";
-import {IConfidentialFungibleToken} from "./../interfaces/IConfidentialFungibleToken.sol";
-import {FHESafeMath} from "./../utils/FHESafeMath.sol";
-import {ConfidentialFungibleTokenUtils} from "./utils/ConfidentialFungibleTokenUtils.sol";
+import {ERC165} from "@openzeppelin/contracts/utils/introspection/ERC165.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {IERC7984} from "./../../interfaces/IERC7984.sol";
+import {FHESafeMath} from "./../../utils/FHESafeMath.sol";
+import {ERC7984Utils} from "./utils/ERC7984Utils.sol";
 
 /**
- * @dev Reference implementation for {IConfidentialFungibleToken}.
+ * @dev Reference implementation for {IERC7984}.
  *
  * This contract implements a fungible token where balances and transfers are encrypted using the Zama fhEVM,
  * providing confidentiality to users. Token amounts are stored as encrypted, unsigned integers (`euint64`)
@@ -22,87 +24,94 @@ import {ConfidentialFungibleTokenUtils} from "./utils/ConfidentialFungibleTokenU
  * - Transfer and call pattern
  * - Safe overflow/underflow handling for FHE operations
  */
-abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
+abstract contract ERC7984 is IERC7984, ERC165 {
     mapping(address holder => euint64) private _balances;
     mapping(address holder => mapping(address spender => uint48)) private _operators;
-    mapping(uint256 requestId => euint64 encryptedAmount) private _requestHandles;
     euint64 private _totalSupply;
     string private _name;
     string private _symbol;
-    string private _tokenURI;
+    string private _contractURI;
+
+    /// @dev Emitted when an encrypted amount `encryptedAmount` is requested for disclosure by `requester`.
+    event AmountDiscloseRequested(euint64 indexed encryptedAmount, address indexed requester);
 
     /// @dev The given receiver `receiver` is invalid for transfers.
-    error ConfidentialFungibleTokenInvalidReceiver(address receiver);
+    error ERC7984InvalidReceiver(address receiver);
 
     /// @dev The given sender `sender` is invalid for transfers.
-    error ConfidentialFungibleTokenInvalidSender(address sender);
+    error ERC7984InvalidSender(address sender);
 
     /// @dev The given holder `holder` is not authorized to spend on behalf of `spender`.
-    error ConfidentialFungibleTokenUnauthorizedSpender(address holder, address spender);
+    error ERC7984UnauthorizedSpender(address holder, address spender);
 
     /// @dev The holder `holder` is trying to send tokens but has a balance of 0.
-    error ConfidentialFungibleTokenZeroBalance(address holder);
+    error ERC7984ZeroBalance(address holder);
 
     /**
      * @dev The caller `user` does not have access to the encrypted amount `amount`.
      *
      * NOTE: Try using the equivalent transfer function with an input proof.
      */
-    error ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(euint64 amount, address user);
+    error ERC7984UnauthorizedUseOfEncryptedAmount(euint64 amount, address user);
 
     /// @dev The given caller `caller` is not authorized for the current operation.
-    error ConfidentialFungibleTokenUnauthorizedCaller(address caller);
+    error ERC7984UnauthorizedCaller(address caller);
 
     /// @dev The given gateway request ID `requestId` is invalid.
-    error ConfidentialFungibleTokenInvalidGatewayRequest(uint256 requestId);
+    error ERC7984InvalidGatewayRequest(uint256 requestId);
 
-    constructor(string memory name_, string memory symbol_, string memory tokenURI_) {
+    constructor(string memory name_, string memory symbol_, string memory contractURI_) {
         _name = name_;
         _symbol = symbol_;
-        _tokenURI = tokenURI_;
+        _contractURI = contractURI_;
+    }
+
+    /// @inheritdoc ERC165
+    function supportsInterface(bytes4 interfaceId) public view virtual override(IERC165, ERC165) returns (bool) {
+        return interfaceId == type(IERC7984).interfaceId || super.supportsInterface(interfaceId);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function name() public view virtual returns (string memory) {
         return _name;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function symbol() public view virtual returns (string memory) {
         return _symbol;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function decimals() public view virtual returns (uint8) {
         return 6;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
-    function tokenURI() public view virtual returns (string memory) {
-        return _tokenURI;
+    /// @inheritdoc IERC7984
+    function contractURI() public view virtual returns (string memory) {
+        return _contractURI;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTotalSupply() public view virtual returns (euint64) {
         return _totalSupply;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialBalanceOf(address account) public view virtual returns (euint64) {
         return _balances[account];
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function isOperator(address holder, address spender) public view virtual returns (bool) {
         return holder == spender || block.timestamp <= _operators[holder][spender];
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function setOperator(address operator, uint48 until) public virtual {
         _setOperator(msg.sender, operator, until);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransfer(
         address to,
         externalEuint64 encryptedAmount,
@@ -111,43 +120,37 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         return _transfer(msg.sender, to, FHE.fromExternal(encryptedAmount, inputProof));
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransfer(address to, euint64 amount) public virtual returns (euint64) {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
         return _transfer(msg.sender, to, amount);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferFrom(
         address from,
         address to,
         externalEuint64 encryptedAmount,
         bytes calldata inputProof
     ) public virtual returns (euint64 transferred) {
-        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        require(isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
         transferred = _transfer(from, to, FHE.fromExternal(encryptedAmount, inputProof));
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferFrom(
         address from,
         address to,
         euint64 amount
     ) public virtual returns (euint64 transferred) {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
-        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
+        require(isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
         transferred = _transfer(from, to, amount);
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferAndCall(
         address to,
         externalEuint64 encryptedAmount,
@@ -158,21 +161,18 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferAndCall(
         address to,
         euint64 amount,
         bytes calldata data
     ) public virtual returns (euint64 transferred) {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
         transferred = _transferAndCall(msg.sender, to, amount, data);
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferFromAndCall(
         address from,
         address to,
@@ -180,59 +180,58 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         bytes calldata inputProof,
         bytes calldata data
     ) public virtual returns (euint64 transferred) {
-        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        require(isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
         transferred = _transferAndCall(from, to, FHE.fromExternal(encryptedAmount, inputProof), data);
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferFromAndCall(
         address from,
         address to,
         euint64 amount,
         bytes calldata data
     ) public virtual returns (euint64 transferred) {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
-        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
+        require(isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
         transferred = _transferAndCall(from, to, amount, data);
         FHE.allowTransient(transferred, msg.sender);
     }
 
     /**
-     * @dev Discloses an encrypted amount `encryptedAmount` publicly via an {IConfidentialFungibleToken-AmountDisclosed}
-     * event. The caller and this contract must be authorized to use the encrypted amount on the ACL.
+     * @dev Starts the process to disclose an encrypted amount `encryptedAmount` publicly by making it
+     * publicly decryptable. Emits the {AmountDiscloseRequested} event.
      *
-     * NOTE: This is an asynchronous operation where the actual decryption happens off-chain and
-     * {finalizeDiscloseEncryptedAmount} is called with the result.
+     * NOTE: Both `msg.sender` and `address(this)` must have permission to access the encrypted amount
+     * `encryptedAmount` to request disclosure of the encrypted amount `encryptedAmount`.
      */
-    function discloseEncryptedAmount(euint64 encryptedAmount) public virtual {
+    function requestDiscloseEncryptedAmount(euint64 encryptedAmount) public virtual {
         require(
-            FHE.isAllowed(encryptedAmount, msg.sender) && FHE.isAllowed(encryptedAmount, address(this)),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(encryptedAmount, msg.sender)
+            FHE.isAllowed(encryptedAmount, msg.sender),
+            ERC7984UnauthorizedUseOfEncryptedAmount(encryptedAmount, msg.sender)
         );
 
-        bytes32[] memory cts = new bytes32[](1);
-        cts[0] = euint64.unwrap(encryptedAmount);
-        uint256 requestID = FHE.requestDecryption(cts, this.finalizeDiscloseEncryptedAmount.selector);
-        _requestHandles[requestID] = encryptedAmount;
+        FHE.makePubliclyDecryptable(encryptedAmount);
+        emit AmountDiscloseRequested(encryptedAmount, msg.sender);
     }
 
-    /// @dev Finalizes a disclose encrypted amount request.
-    function finalizeDiscloseEncryptedAmount(
-        uint256 requestId,
-        uint64 amount,
-        bytes[] memory signatures
+    /**
+     * @dev Publicly discloses an encrypted value with a given decryption proof. Emits the {AmountDisclosed} event.
+     *
+     * NOTE: May not be tied to a prior request via {requestDiscloseEncryptedAmount}.
+     */
+    function discloseEncryptedAmount(
+        euint64 encryptedAmount,
+        uint64 cleartextAmount,
+        bytes calldata decryptionProof
     ) public virtual {
-        FHE.checkSignatures(requestId, signatures);
+        bytes32[] memory handles = new bytes32[](1);
+        handles[0] = euint64.unwrap(encryptedAmount);
 
-        euint64 requestHandle = _requestHandles[requestId];
-        require(FHE.isInitialized(requestHandle), ConfidentialFungibleTokenInvalidGatewayRequest(requestId));
-        emit AmountDisclosed(requestHandle, amount);
+        bytes memory cleartextMemory = abi.encode(cleartextAmount);
 
-        _requestHandles[requestId] = euint64.wrap(0);
+        FHE.checkSignatures(handles, cleartextMemory, decryptionProof);
+        emit AmountDisclosed(encryptedAmount, cleartextAmount);
     }
 
     function _setOperator(address holder, address operator, uint48 until) internal virtual {
@@ -241,18 +240,18 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
     }
 
     function _mint(address to, euint64 amount) internal returns (euint64 transferred) {
-        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(address(0)));
+        require(to != address(0), ERC7984InvalidReceiver(address(0)));
         return _update(address(0), to, amount);
     }
 
     function _burn(address from, euint64 amount) internal returns (euint64 transferred) {
-        require(from != address(0), ConfidentialFungibleTokenInvalidSender(address(0)));
+        require(from != address(0), ERC7984InvalidSender(address(0)));
         return _update(from, address(0), amount);
     }
 
     function _transfer(address from, address to, euint64 amount) internal returns (euint64 transferred) {
-        require(from != address(0), ConfidentialFungibleTokenInvalidSender(address(0)));
-        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(address(0)));
+        require(from != address(0), ERC7984InvalidSender(address(0)));
+        require(to != address(0), ERC7984InvalidReceiver(address(0)));
         return _update(from, to, amount);
     }
 
@@ -266,7 +265,7 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         euint64 sent = _transfer(from, to, amount);
 
         // Perform callback
-        ebool success = ConfidentialFungibleTokenUtils.checkOnTransferReceived(msg.sender, from, to, sent, data);
+        ebool success = ERC7984Utils.checkOnTransferReceived(msg.sender, from, to, sent, data);
 
         // Try to refund if callback fails
         euint64 refund = _update(to, from, FHE.select(success, FHE.asEuint64(0), sent));
@@ -283,7 +282,7 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
             _totalSupply = ptr;
         } else {
             euint64 fromBalance = _balances[from];
-            require(FHE.isInitialized(fromBalance), ConfidentialFungibleTokenZeroBalance(from));
+            require(FHE.isInitialized(fromBalance), ERC7984ZeroBalance(from));
             (success, ptr) = FHESafeMath.tryDecrease(fromBalance, amount);
             FHE.allowThis(ptr);
             FHE.allow(ptr, from);

package/token/{extensions/ConfidentialFungibleTokenERC20Wrapper.sol → ERC7984/extensions/ERC7984ERC20Wrapper.sol}

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Confidential Contracts (last updated v0.2.0) (token/extensions/ConfidentialFungibleTokenERC20Wrapper.sol)
+// OpenZeppelin Confidential Contracts (last updated v0.3.0) (token/ERC7984/extensions/ERC7984ERC20Wrapper.sol)
 
 pragma solidity ^0.8.27;
 
@@ -9,23 +9,27 @@ import {IERC20} from "@openzeppelin/contracts/interfaces/IERC20.sol";
 import {IERC20Metadata} from "@openzeppelin/contracts/interfaces/IERC20Metadata.sol";
 import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 import {SafeCast} from "@openzeppelin/contracts/utils/math/SafeCast.sol";
-import {ConfidentialFungibleToken} from "./../ConfidentialFungibleToken.sol";
+import {ERC7984} from "./../ERC7984.sol";
 
 /**
- * @dev A wrapper contract built on top of {ConfidentialFungibleToken} that allows wrapping an `ERC20` token
- * into a confidential fungible token. The wrapper contract implements the `IERC1363Receiver` interface
+ * @dev A wrapper contract built on top of {ERC7984} that allows wrapping an `ERC20` token
+ * into an `ERC7984` token. The wrapper contract implements the `IERC1363Receiver` interface
  * which allows users to transfer `ERC1363` tokens directly to the wrapper with a callback to wrap the tokens.
  *
  * WARNING: Minting assumes the full amount of the underlying token transfer has been received, hence some non-standard
  * tokens such as fee-on-transfer or other deflationary-type tokens are not supported by this wrapper.
  */
-abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleToken, IERC1363Receiver {
+abstract contract ERC7984ERC20Wrapper is ERC7984, IERC1363Receiver {
     IERC20 private immutable _underlying;
     uint8 private immutable _decimals;
     uint256 private immutable _rate;
 
-    /// @dev Mapping from gateway decryption request ID to the address that will receive the tokens
-    mapping(uint256 decryptionRequest => address) private _receivers;
+    mapping(euint64 unwrapAmount => address recipient) private _unwrapRequests;
+
+    event UnwrapRequested(address indexed receiver, euint64 amount);
+    event UnwrapFinalized(address indexed receiver, euint64 encryptedAmount, uint64 cleartextAmount);
+
+    error InvalidUnwrapRequest(euint64 amount);
 
     constructor(IERC20 underlying_) {
         _underlying = underlying_;
@@ -41,7 +45,7 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
         }
     }
 
-    /// @inheritdoc ConfidentialFungibleToken
+    /// @inheritdoc ERC7984
     function decimals() public view virtual override returns (uint8) {
         return _decimals;
     }
@@ -71,7 +75,7 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
         bytes calldata data
     ) public virtual returns (bytes4) {
         // check caller is the token contract
-        require(address(underlying()) == msg.sender, ConfidentialFungibleTokenUnauthorizedCaller(msg.sender));
+        require(address(underlying()) == msg.sender, ERC7984UnauthorizedCaller(msg.sender));
 
         // mint confidential token
         address to = data.length < 20 ? from : address(bytes20(data));
@@ -102,15 +106,11 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
      * @dev Unwraps tokens from `from` and sends the underlying tokens to `to`. The caller must be `from`
      * or be an approved operator for `from`. `amount * rate()` underlying tokens are sent to `to`.
      *
-     * NOTE: This is an asynchronous function and waits for decryption to be completed off-chain before disbursing
-     * tokens.
+     * NOTE: The unwrap request created by this function must be finalized by calling {finalizeUnwrap}.
      * NOTE: The caller *must* already be approved by ACL for the given `amount`.
      */
     function unwrap(address from, address to, euint64 amount) public virtual {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
         _unwrap(from, to, amount);
     }
 
@@ -127,35 +127,40 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
         _unwrap(from, to, FHE.fromExternal(encryptedAmount, inputProof));
     }
 
-    /**
-     * @dev Fills an unwrap request for a given request id related to a decrypted unwrap amount.
-     */
-    function finalizeUnwrap(uint256 requestID, uint64 amount, bytes[] memory signatures) public virtual {
-        FHE.checkSignatures(requestID, signatures);
-        address to = _receivers[requestID];
-        require(to != address(0), ConfidentialFungibleTokenInvalidGatewayRequest(requestID));
-        delete _receivers[requestID];
+    /// @dev Fills an unwrap request for a given cipher-text `burntAmount` with the `cleartextAmount` and `decryptionProof`.
+    function finalizeUnwrap(
+        euint64 burntAmount,
+        uint64 burntAmountCleartext,
+        bytes calldata decryptionProof
+    ) public virtual {
+        address to = _unwrapRequests[burntAmount];
+        require(to != address(0), InvalidUnwrapRequest(burntAmount));
+        delete _unwrapRequests[burntAmount];
 
-        SafeERC20.safeTransfer(underlying(), to, amount * rate());
+        bytes32[] memory handles = new bytes32[](1);
+        handles[0] = euint64.unwrap(burntAmount);
+
+        bytes memory cleartexts = abi.encode(burntAmountCleartext);
+
+        FHE.checkSignatures(handles, cleartexts, decryptionProof);
+
+        SafeERC20.safeTransfer(underlying(), to, burntAmountCleartext * rate());
+
+        emit UnwrapFinalized(to, burntAmount, burntAmountCleartext);
     }
 
     function _unwrap(address from, address to, euint64 amount) internal virtual {
-        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(to));
-        require(
-            from == msg.sender || isOperator(from, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender)
-        );
+        require(to != address(0), ERC7984InvalidReceiver(to));
+        require(from == msg.sender || isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
 
         // try to burn, see how much we actually got
         euint64 burntAmount = _burn(from, amount);
+        FHE.makePubliclyDecryptable(burntAmount);
 
-        // decrypt that burntAmount
-        bytes32[] memory cts = new bytes32[](1);
-        cts[0] = euint64.unwrap(burntAmount);
-        uint256 requestID = FHE.requestDecryption(cts, this.finalizeUnwrap.selector);
+        assert(_unwrapRequests[burntAmount] == address(0));
+        _unwrapRequests[burntAmount] = to;
 
-        // register who is getting the tokens
-        _receivers[requestID] = to;
+        emit UnwrapRequested(to, burntAmount);
     }
 
     /**

package/token/ERC7984/extensions/ERC7984Freezable.sol

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.3.0) (token/ERC7984/extensions/ERC7984Freezable.sol)
+
+pragma solidity ^0.8.27;
+
+import {FHE, ebool, euint64, externalEuint64} from "@fhevm/solidity/lib/FHE.sol";
+import {FHESafeMath} from "../../../utils/FHESafeMath.sol";
+import {ERC7984} from "../ERC7984.sol";
+
+/**
+ * @dev Extension of {ERC7984} that implements a confidential
+ * freezing mechanism that can be managed by an authorized account with
+ * {setConfidentialFrozen} functions.
+ *
+ * The freezing mechanism provides the guarantee to the contract owner
+ * (e.g. a DAO or a well-configured multisig) that a specific confidential
+ * amount of tokens held by an account won't be transferable until those
+ * tokens are unfrozen.
+ *
+ * Inspired by https://github.com/OpenZeppelin/openzeppelin-community-contracts/blob/master/contracts/token/ERC20/extensions/ERC20Freezable.sol
+ */
+abstract contract ERC7984Freezable is ERC7984 {
+    /// @dev Confidential frozen amount of tokens per address.
+    mapping(address account => euint64 encryptedAmount) private _frozenBalances;
+
+    /// @dev Emitted when a confidential amount of token is frozen for an account
+    event TokensFrozen(address indexed account, euint64 encryptedAmount);
+
+    /// @dev Returns the confidential frozen balance of an account.
+    function confidentialFrozen(address account) public view virtual returns (euint64) {
+        return _frozenBalances[account];
+    }
+
+    /// @dev Returns the confidential available (unfrozen) balance of an account. Gives ACL allowance to `account`.
+    function confidentialAvailable(address account) public virtual returns (euint64) {
+        euint64 amount = _confidentialAvailable(account);
+        FHE.allowThis(amount);
+        FHE.allow(amount, account);
+        return amount;
+    }
+
+    /// @dev Internal function to calculate the available balance of an account. Does not give any allowances.
+    function _confidentialAvailable(address account) internal virtual returns (euint64) {
+        (ebool success, euint64 unfrozen) = FHESafeMath.tryDecrease(
+            confidentialBalanceOf(account),
+            confidentialFrozen(account)
+        );
+        return FHE.select(success, unfrozen, FHE.asEuint64(0));
+    }
+
+    /// @dev Internal function to freeze a confidential amount of tokens for an account.
+    function _setConfidentialFrozen(address account, euint64 encryptedAmount) internal virtual {
+        FHE.allowThis(encryptedAmount);
+        FHE.allow(encryptedAmount, account);
+        _frozenBalances[account] = encryptedAmount;
+        emit TokensFrozen(account, encryptedAmount);
+    }
+
+    /**
+     * @dev See {ERC7984-_update}.
+     *
+     * The `from` account must have sufficient unfrozen balance,
+     * otherwise 0 tokens are transferred.
+     * The default freezing behavior can be changed (for a pass-through for instance) by overriding
+     * {_confidentialAvailable}. The internal function is used for actual gating (not the public function)
+     * to avoid unnecessarily granting ACL allowances.
+     */
+    function _update(address from, address to, euint64 encryptedAmount) internal virtual override returns (euint64) {
+        if (from != address(0)) {
+            euint64 unfrozen = _confidentialAvailable(from);
+            encryptedAmount = FHE.select(FHE.le(encryptedAmount, unfrozen), encryptedAmount, FHE.asEuint64(0));
+        }
+        return super._update(from, to, encryptedAmount);
+    }
+}

package/token/ERC7984/extensions/ERC7984ObserverAccess.sol

@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.3.0) (token/ERC7984/extensions/ERC7984ObserverAccess.sol)
+
+pragma solidity ^0.8.27;
+
+import {FHE, euint64} from "@fhevm/solidity/lib/FHE.sol";
+import {ERC7984} from "../ERC7984.sol";
+
+/**
+ * @dev Extension of {ERC7984} that allows each account to add a observer who is given
+ * permanent ACL access to its transfer and balance amounts. A observer can be added or removed at any point in time.
+ */
+abstract contract ERC7984ObserverAccess is ERC7984 {
+    mapping(address account => address) private _observers;
+
+    /// @dev Emitted when the observer is changed for the given account `account`.
+    event ERC7984ObserverAccessObserverSet(address account, address oldObserver, address newObserver);
+
+    /// @dev Thrown when an account tries to set a `newObserver` for a given `account` without proper authority.
+    error Unauthorized();
+
+    /**
+     * @dev Sets the observer for the given account `account` to `newObserver`. Can be called by the
+     * account or the existing observer to abdicate the observer role (may only set to `address(0)`).
+     */
+    function setObserver(address account, address newObserver) public virtual {
+        address oldObserver = observer(account);
+        require(msg.sender == account || (msg.sender == oldObserver && newObserver == address(0)), Unauthorized());
+        if (oldObserver != newObserver) {
+            if (newObserver != address(0)) {
+                euint64 balanceHandle = confidentialBalanceOf(account);
+                if (FHE.isInitialized(balanceHandle)) {
+                    FHE.allow(balanceHandle, newObserver);
+                }
+            }
+
+            emit ERC7984ObserverAccessObserverSet(account, oldObserver, _observers[account] = newObserver);
+        }
+    }
+
+    /// @dev Returns the observer for the given account `account`.
+    function observer(address account) public view virtual returns (address) {
+        return _observers[account];
+    }
+
+    function _update(address from, address to, euint64 amount) internal virtual override returns (euint64 transferred) {
+        transferred = super._update(from, to, amount);
+
+        address fromObserver = observer(from);
+        address toObserver = observer(to);
+
+        if (fromObserver != address(0)) {
+            FHE.allow(confidentialBalanceOf(from), fromObserver);
+            FHE.allow(transferred, fromObserver);
+        }
+        if (toObserver != address(0)) {
+            FHE.allow(confidentialBalanceOf(to), toObserver);
+            if (toObserver != fromObserver) {
+                FHE.allow(transferred, toObserver);
+            }
+        }
+    }
+}