Mempool: admit encrypted-payload transactions on signature + NIZK without decryption

[hanzo-dev]

Goal

Extend the mempool admission policy to accept transactions whose payload is an FHE ciphertext (under the network's threshold TFHE public key) + a NIZK proof of well-formedness. Validators admit on signature + fee + NIZK, never decrypt at admission.

Current state

vms/txs/mempool/mempool.go (Tx interface, Mempool[T] generic) has no extra-field validation hook. The Add() method is the only admission point. Per-account FIFO is present via unissuedTxs linked.Hashmap.

What needs to land

1. Extended transaction type carrying (ciphertext, NIZK_proof) as a new payload variant. Plaintext metadata: signature, fee bid, sender, expiry.
2. Admission hook: pluggable validator that runs signature verify + fee check + NIZK verify (using the luxfi/precompile/fhe interface for the NIZK), all without decryption.
3. Per-account FIFO ordering inside the encrypted-payload pool partition.
4. Budget enforcement: the bootstrap meter from the FHE precompile is consulted at admission (reject if the ciphertext would exceed per-tx ops cap).

Dependencies

• Real distributed FHE decryption: luxfi/threshold encrypted-mempool issue
• TFHE precompile (0x0700...) already registered: luxfi/precompile/fhe/module.go
• Block proposer hook: luxfi/consensus / luxfi/evm proposervm extension

Acceptance

• An encrypted-payload tx propagates through the mempool and is included in a block; validators show ciphertext + plaintext metadata in their mempool inspector, never plaintext content
• Tests: malformed ciphertext (fails NIZK) is rejected at admission with no decryption attempt

[linear]

LUX-538

[hanzo-dev]

Architectural paper: luxfi/papers — lux-encrypted-mempool/lux-encrypted-mempool.tex (commit f82966f) covers the protocol, GPU-native pipeline, security theorems, and the build punch list. This issue is one of the L2.x items in §6 of that paper.