Skip to main content

Decryption & Attestations

The is_validsignature function verifies Ed25519 signatures for attested decryption results from the covalidator network.

On-Chain Verification

pub fn verify_decryption(
    ctx: Context<VerifyDecryption>,
    handles: Vec<Vec<u8>>,
    plaintext_values: Vec<Vec<u8>>,
) -> Result<()> {
    let cpi_ctx = CpiContext::new(
        ctx.accounts.inco_lightning_program.to_account_info(),
        VerifySignature {
            instructions: ctx.accounts.instructions.to_account_info(),
            signer: ctx.accounts.authority.to_account_info(),
        },
    );

    // Verify Ed25519 signatures from previous instruction
    // The covalidator signs hash(handle + plaintext_value)
    let results = is_validsignature(
        cpi_ctx,
        1,                      // expected signature count
        Some(handles),          // handles being verified
        Some(plaintext_values), // claimed plaintext values
    )?;

    // If we get here, signatures are valid
    // Use the verified plaintext values
    Ok(())
}

How Attestation Works

  1. Request decryption: Client requests decryption of a handle they have access to
  2. Covalidator processes: The covalidator network decrypts the value in a TEE
  3. Sign attestation: Covalidator signs hash(handle + plaintext_value) with Ed25519
  4. Verify on-chain: Program verifies the signature using is_validsignature

Verification Parameters

ParameterDescription
expected_countNumber of signatures expected in the instruction
handlesVector of handle bytes being verified
plaintext_valuesVector of claimed plaintext values

Account Requirements

The verification requires access to the instructions sysvar: 
#[derive(Accounts)]
pub struct VerifyDecryption<'info> {
    #[account(mut)]
    pub authority: Signer<'info>,

    /// CHECK: Inco Lightning program
    #[account(address = INCO_LIGHTNING_ID)]
    pub inco_lightning_program: AccountInfo<'info>,

    /// CHECK: Instructions sysvar for signature verification
    #[account(address = solana_program::sysvar::instructions::ID)]
    pub instructions: AccountInfo<'info>,
}
The Ed25519 signature must be provided in a previous instruction in the same transaction. The is_validsignature function verifies against the instructions sysvar.

Client-Side Decryption

Decryption is initiated client-side using the JavaScript SDK. The SDK handles requesting decryption from the covalidator: 
import { decrypt } from '@inco/solana-sdk/attested-decrypt';

// Request decryption from covalidator
const result = await decrypt([handle]);
console.log(result.plaintexts[0]);  // Decrypted value
For on-chain verification of decrypted values, use the ed25519Instructions from the result to build a verification transaction. See Attested Decrypt for details.
See the JavaScript SDK Attested Decrypt documentation for complete usage and examples.