what it is
verifiable encryption is encryption with a public check attached. the recipient can open the ciphertext; anyone else can verify, from public data, what it decrypts to, without decrypting it.
ve-core does this for one plaintext: a secp256k1 scalar. a private key, a FROST signing share, an MPC key share. seal it to a recipient key; verify rejects it unless the scalar's public key is the target you name: c = m·g must equal t.
useful wherever a secp256k1 secret crosses a trust boundary.
what it's for
- set up someone who is offline. seal a key to a person or device that is not online, and let anyone confirm they got the right one without seeing it.
- check your own backups. back up a key and confirm the backup really restores it.
- escrow and inheritance. leave a key with an agent or a successor, provably the right key, sealed until it is needed.
- fair exchange. release a secret only when anyone can check it is the right one. atomic swaps and escrowed payments work this way.
one key, or a package
one scalar, one recipient: you know the target t = m·g, seal the scalar to the recipient key, and anyone with the ciphertext, target, and context can verify it. only the recipient's secret key opens it.
or, when a key is already split across participants (a FROST or MPC sharing), each participant seals their share to the same recipient, with its own proof. together the sealed shares are a package; it checks out only when their public keys add up to the target the group certified. one wrong share fails the whole package up front.
two backends, one interface
ve-core is the seam: the plaintext, the binding context, and the backend trait family.
- cl-hsmq-encryption. verifiable encryption in the CL framework: the BICYCL construction with the BCL24 ciphertext-correctness proof, over imaginary-quadratic class groups. pure rust, no gmp, no gpl.
- ec-segve. segmented verifiable encryption on native secp256k1: each scalar split into limbs under curve elgamal, with base-b range proofs, an exact-integer carry chain, and a linking sigma under one fiat-shamir challenge. native curve, so a hardware wallet can seed-root the recipient key.
what makes it hold up
it cannot lie about what is inside. the proof is knowledge-sound, so a passing check pins the ciphertext to one scalar: the private key for the public key you named. nobody can seal junk that checks out now and fails when it is opened. checked when the ciphertext is made, recipient absent.
it does not reveal the secret. to anyone without the recipient key, the ciphertext leaks nothing beyond its commitment, which was public anyway.
the check is built in. verify returns the commitment it proved, not a bare ok; you accept only if it equals your target. there is no accept path that skips the comparison.
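the acceptance rule, for one key and for a package of shares, as an added example that is not ve-core's code. it is plain python so it runs with no dependencies: the curve arithmetic is a minimal secp256k1 (variable-time, for public data only), the commitments stand in for the points the backend's verify would return, and the sharing is additive, as in the package case above.

```python
# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:                           # doubling; the curve has a = 0
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt=G):
    """Double-and-add k*pt. Variable-time: fine for public data, never for secrets."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def accept(commitments, target):
    """The acceptance rule. `commitments` are the points verify returned, one
    c_i = m_i*g per sealed share (a single key is a list of one). Accept only
    if they add up to the certified target t; any wrong share breaks the sum,
    so the whole package fails up front, before anything is opened."""
    total = None
    for c in commitments:
        total = add(total, c)
    return total is not None and total == target

# Constructed sample: an additive 3-way sharing of one secp256k1 scalar.
SHARES = [123456789, 987654321, 555555555]
TARGET = mul(sum(SHARES))            # the group key the participants certified
```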
using it
let (pk, sk) = keygen()?;
let ct = pk.seal(&secret, &ctx)?;      // ciphertext + correctness proof
pk.verify(&ct, &target, &ctx)?;        // proof holds AND the scalar maps to `target`
let secret = sk.open(&ct, &ctx)?;      // verify, then decrypt
pure rust. variable-time, for software adversaries observing messages and stored ciphertexts, not local side-channel attackers. heavily audited. not published yet: no crates.io, no public source.
reading
cl-hsmq
- beaugrand, castagnos, laguillaumie. efficient succinct zero-knowledge arguments in the CL framework. eprint 2024/1966.
- bouvier, castagnos, imbert, laguillaumie. BICYCL: implements cryptography in class groups. eprint 2022/1466.
- castagnos, laguillaumie. linearly homomorphic encryption from DDH. ct-rsa 2015.
- dobson, galbraith, smith. trustless unknown-order groups. eprint 2020/196. class-group element compression.
- van der poorten. a note on NUCOMP. math. comp. 2003. class-group composition arithmetic.
- mccurley. cryptographic key distribution and computation in class groups. 1989. the class-number bound.
- rfc 8949. concise binary object representation. the canonical CBOR wire encoding.
ec-segve
- camenisch, shoup. practical verifiable encryption and decryption of discrete logarithms. crypto 2003. the verifiable-encryption template.
- cramer, damgård, schoenmakers. proofs of partial knowledge and simplified design of witness hiding protocols. crypto 1994. the OR range proofs.
- pedersen. non-interactive and information-theoretic secure verifiable secret sharing. crypto 1991. the hiding commitments.
- maurer. unifying zero-knowledge proofs of knowledge. africacrypt 2009. the shared-response linking sigma.
- pointcheval, stern. security arguments for digital signatures and blind signatures. j. cryptology 2000. the forking lemma, for knowledge-soundness.
- faz-hernández et al. hashing to elliptic curves. rfc 9380. the NUMS generator H.