what it is
verifiable encryption is encryption with a public check attached. the recipient can open the ciphertext; anyone else can verify, from public data, what it decrypts to, without decrypting it.
ve-core does this for one plaintext: a secp256k1 scalar. a private key, a FROST signing share, a share of an MPC-distributed key. seal it to a recipient key; verify rejects it unless the scalar's public key is the target you name: c = m·g must equal t. a holder of only the public key learns exactly which scalar is sealed, and never sees it.
useful wherever a secp256k1 secret crosses a trust boundary: escrow, custody handoff, auditable backup, wallet recovery, an MPC setup. it is the difference between a spare key you assume fits and one you have already tried in the lock.
one key, or a package
one scalar, one recipient: you know the target t = m·g, seal the scalar to the recipient key, and anyone with the ciphertext, target, and context can verify it. only the recipient's secret key opens it.
or split the scalar into shares (a FROST or MPC sharing), so no one holds it whole. seal each share to its own recipient with its own proof. that bundle is a package; it checks out only when the shares' public keys add up to the target your protocol expects. one swapped or junk share fails up front.
single or split, the same narrow job: verifiable encryption of secp256k1 scalars.
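the package rule above (the shares' public keys must combine to the expected target), as an added example that is not ve-core's or the author's code: pure-python secp256k1 arithmetic, a constructed 2-of-3 shamir sharing, and the public-side combination of per-share commitments c_i = s_i·g against t = m·g. assumed: the shares combine with lagrange coefficients at zero, as a FROST-style sharing would; the per-share correctness proofs that ve-core's verify checks are not modelled here.

```python
# Added example, not ve-core code: the public side of a package check. Each
# share's commitment c_i = s_i*g must combine to the target t = m*g. Assumed:
# Shamir shares, Lagrange-combined at zero. Proof checking is not modelled.
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication (variable-time)
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def shamir_shares(m, coeffs, count):
    # shares (i, f(i)) of f(x) = m + coeffs[0]*x + coeffs[1]*x^2 + ... mod N
    return [(i, (m + sum(c * pow(i, d + 1, N) for d, c in enumerate(coeffs))) % N)
            for i in range(1, count + 1)]

def lagrange_at_zero(i, idxs):  # coefficient that weights share i at x = 0
    lam = 1
    for j in idxs:
        if j != i: lam = lam * j * pow((j - i) % N, -1, N) % N
    return lam

def combine_commitments(commitments):
    # commitments: [(i, c_i)] with c_i = s_i*g. Hands back the combined point,
    # never a bare ok: the caller accepts only if it equals the expected target.
    idxs = [i for i, _ in commitments]
    out = None
    for i, c in commitments:
        out = add(out, mul(lagrange_at_zero(i, idxs), c))
    return out

# constructed sample: a 2-of-3 sharing of a secret scalar M, public key per share
M = 0x1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
SHARES = shamir_shares(M, [0x1234], count=3)
COMMITMENTS = [(i, mul(s, G)) for i, s in SHARES]
TARGET = mul(M, G)  # t = m*g, the value a verifier already holds
```

any two of the three commitments combine to TARGET; a swapped share, or a single share on its own, does not.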
two backends, one interface
ve-core is the seam: the plaintext, the binding context, and the backend trait family. pick a backend and the rest is the same.
- cl-hsmq-encryption. verifiable encryption in the CL framework: the BICYCL construction with the BCL24 ciphertext-correctness proof, over imaginary-quadratic class groups. pure rust, no gmp, no gpl.
- ec-segve. segmented verifiable encryption on native secp256k1: each scalar split into limbs under curve elgamal, with base-b range proofs, an exact-integer carry chain, and a linking sigma under one fiat-shamir challenge. native curve, so a hardware wallet can seed-root the recipient key.
what makes it hold up
it cannot lie about what is inside. the proof is knowledge-sound, so a passing check pins the ciphertext to one scalar: the private key for the public key you named. no sealing junk or a wrong key that only surfaces when someone finally opens it. checked when the ciphertext is made, recipient absent.
it does not reveal the secret. to anyone without the recipient key, the ciphertext leaks nothing beyond its commitment, which was public anyway.
you cannot forget to check. verify hands back the commitment it proved, never a bare ok; you accept only if it equals the one you expected. the check is the return value, not a step you can skip.
using it
let (pk, sk) = keygen()?;
let ct = pk.seal(&secret, &ctx)?;    // ciphertext + correctness proof
pk.verify(&ct, &target, &ctx)?;      // proof holds AND the scalar maps to `target`
let secret = sk.open(&ct, &ctx)?;    // verify, then decrypt
pure rust. variable-time, for software adversaries observing messages and stored ciphertexts, not local side-channel attackers. heavily audited. not published yet: no crates.io, no public source.
reading
cl-hsmq
- beaugrand, castagnos, laguillaumie. efficient succinct zero-knowledge arguments in the CL framework. eprint 2024/1966.
- bouvier, castagnos, imbert, laguillaumie. BICYCL: implements cryptography in class groups. eprint 2022/1466.
- castagnos, laguillaumie. linearly homomorphic encryption from DDH. ct-rsa 2015.
- dobson, galbraith, smith. trustless unknown-order groups. eprint 2020/196. class-group element compression.
- van der poorten. a note on NUCOMP. math. comp. 2003. class-group composition arithmetic.
- mccurley. cryptographic key distribution and computation in class groups. 1989. the class-number bound.
- rfc 8949. concise binary object representation. the canonical CBOR wire encoding.
ec-segve
- camenisch, shoup. practical verifiable encryption and decryption of discrete logarithms. crypto 2003. the verifiable-encryption template.
- cramer, damgård, schoenmakers. proofs of partial knowledge and simplified design of witness hiding protocols. crypto 1994. the OR range proofs.
- pedersen. non-interactive and information-theoretic secure verifiable secret sharing. crypto 1991. the hiding commitments.
- maurer. unifying zero-knowledge proofs of knowledge. africacrypt 2009. the shared-response linking sigma.
- pointcheval, stern. security arguments for digital signatures and blind signatures. j. cryptology 2000. the forking lemma, for knowledge-soundness.
- faz-hernández et al. hashing to elliptic curves. rfc 9380. the NUMS generator H.