The reencryption process involves converting a ciphertext that was encrypted with the FHE blockchain key into one that is encrypted with the NaCl public key generated by the client. First, the user needs to provide two elements:
The NaCl box private/public key pair is generated by the client library (fhevmjs).
A signature of an EIP-712 object that contains the public key and the contract authorized to initiate a reencryption request.
Then, the contract verifies the signature by generating the EIP-712 with the provided public key and contract address. The signature must match the msg.sender. If the signature match, the contract can return the reencryption of the value with the provided public key
Note that this mechanism grants the application (whether web-based or node-based) access to all the ciphertext made available by the mentioned contract for the user.
You can generate the data to sign by using the generatePublicKey method. To sign, we'll use the eth_signTypedData_v4 method available on wallets.
Getting a reencryption needs to be implemented into the contract and on the client side. We'll take the balanceOf method of an ERC-20 contract.
This view function needs to validate the user to prevent anyone to reencrypt any user's balance. To prevent this, the user provides a signature of the given public key and the contract address. Since this is something very useful, fhEVM library provide an abstract to use in your contract:
The modifier onlySignedPublicKey(publicKey, signature) will verify the signature of the user.
When generating the public key using generatePublicKey, the corresponding private key is kept by the fhEVM instance and linked to the specified contract. To decrypt a value using the user's private key, you only need to provide the contract address and the encrypted value.