> ## Documentation Index
> Fetch the complete documentation index at: https://docs.inco.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Decryption

> How to decrypt data in Solana programs

# Decryption & Attestations

The `is_validsignature` function verifies Ed25519 signatures for attested decryption results from the covalidator network.

## On-Chain Verification

```rust theme={null}
pub fn verify_decryption(
    ctx: Context<VerifyDecryption>,
    handles: Vec<Vec<u8>>,
    plaintext_values: Vec<Vec<u8>>,
) -> Result<()> {
    let cpi_ctx = CpiContext::new(
        ctx.accounts.inco_lightning_program.to_account_info(),
        VerifySignature {
            instructions: ctx.accounts.instructions.to_account_info(),
            signer: ctx.accounts.authority.to_account_info(),
        },
    );

    // Verify Ed25519 signatures from previous instruction
    // The covalidator signs hash(handle + plaintext_value)
    let results = is_validsignature(
        cpi_ctx,
        1,                      // expected signature count
        Some(handles),          // handles being verified
        Some(plaintext_values), // claimed plaintext values
    )?;

    // If we get here, signatures are valid
    // Use the verified plaintext values
    Ok(())
}
```

## How Attestation Works

```mermaid theme={null}
sequenceDiagram
    participant Client as Client (Browser/App)
    participant Gateway as Inco Gateway
    participant Coval as Covalidator (TEE)
    participant Chain as Solana Program

    Note over Client: User wants to decrypt<br/>handle for their balance

    Client->>Client: Sign authentication message<br/>with wallet

    Client->>Gateway: decrypt(handles, { address, signature })

    Gateway->>Gateway: Verify wallet signature

    Gateway->>Coval: Forward decrypt request

    Note over Coval: Check allowance on-chain

    Coval->>Chain: Query: is_allowed(handle, address)?

    alt Allowance Exists
        Chain-->>Coval: ✅ Allowed
        Coval->>Coval: Decrypt in TEE
        Coval->>Coval: Sign attestation:<br/>Ed25519(hash(handle + plaintext))
        Coval-->>Gateway: { plaintext, ed25519_signature }
        Gateway-->>Client: { plaintexts, ed25519Instructions }
    else No Allowance
        Chain-->>Coval: ❌ Not allowed
        Coval-->>Gateway: Error: Access denied
        Gateway-->>Client: Error: No decrypt permission
    end
```

### Complete Attested Decryption Flow

```mermaid theme={null}
flowchart TD
    subgraph Client["1️⃣ Client Side"]
        A["Request decrypt()"] --> B["SDK signs auth<br/>with wallet"]
        B --> C["Send to Gateway"]
    end

    subgraph Allowance["2️⃣ Allowance Check"]
        D{{"Covalidator queries<br/>Solana"}}
        E["Check Allowance PDA:<br/>[handle, address]"]
        F["✅ PDA Exists"]
        G["❌ No PDA"]
    end

    subgraph Decrypt["3️⃣ Decryption (TEE)"]
        H["Decrypt ciphertext"]
        I["Sign attestation"]
        J["Return plaintext +<br/>Ed25519 instruction"]
    end

    subgraph Verify["4️⃣ On-Chain Verification"]
        K["Build Transaction"]
        L["Add Ed25519 instruction"]
        M["Add program instruction"]
        N["is_validsignature()"]
        O["✅ Verified!"]
    end

    C --> D
    D --> E
    E -->|"exists"| F
    E -->|"missing"| G
    F --> H
    H --> I
    I --> J
    J --> K
    K --> L
    L --> M
    M --> N
    N --> O

    style A fill:#667eea,color:#fff
    style F fill:#2ecc71,color:#fff
    style G fill:#e74c3c,color:#fff
    style H fill:#4ecdc4,color:#fff
    style O fill:#2ecc71,color:#fff
```

### Summary

1. **Request decryption**: Client requests decryption of a handle they have access to
2. **Covalidator processes**: The covalidator network decrypts the value in a TEE
3. **Sign attestation**: Covalidator signs `hash(handle + plaintext_value)` with Ed25519
4. **Verify on-chain**: Program verifies the signature using `is_validsignature`

## Verification Parameters

| Parameter          | Description                                      |
| ------------------ | ------------------------------------------------ |
| `expected_count`   | Number of signatures expected in the instruction |
| `handles`          | Vector of handle bytes being verified            |
| `plaintext_values` | Vector of claimed plaintext values               |

## Account Requirements

The verification requires access to the instructions sysvar:

```rust theme={null}
#[derive(Accounts)]
pub struct VerifyDecryption<'info> {
    #[account(mut)]
    pub authority: Signer<'info>,

    /// CHECK: Inco Lightning program
    #[account(address = INCO_LIGHTNING_ID)]
    pub inco_lightning_program: AccountInfo<'info>,

    /// CHECK: Instructions sysvar for signature verification
    #[account(address = solana_program::sysvar::instructions::ID)]
    pub instructions: AccountInfo<'info>,
}
```

<Note>
  The Ed25519 signature must be provided in a previous instruction in the same transaction. The `is_validsignature` function verifies against the instructions sysvar.
</Note>

## Client-Side Decryption

Decryption is initiated client-side using the [JavaScript SDK](/svm/js-sdk/attestations/attested-decrypt). The SDK handles requesting decryption from the covalidator:

```typescript theme={null}
import { decrypt } from '@inco/solana-sdk/attested-decrypt';

// Request decryption from covalidator
const result = await decrypt([handle]);
console.log(result.plaintexts[0]);  // Decrypted value
```

For on-chain verification of decrypted values, use the `ed25519Instructions` from the result to build a verification transaction. See [Attested Decrypt](/svm/js-sdk/attestations/attested-decrypt) for details.

<Note>
  See the [JavaScript SDK Attested Decrypt documentation](/svm/js-sdk/attestations/attested-decrypt) for complete usage and examples.
</Note>
