Off-Chain Decryption Flow
Overview
This document lays out the complete flow of off-chain decryption requests. There are two methods for decrypting encrypted data off-chain:decryptForTx— Returns the plaintext value and a Threshold Network signature. Used when the decrypted value needs to be submitted on-chain (e.g., viaFHE.publishDecryptResultorFHE.verifyDecryptResult).decryptForView— Returns only the plaintext value. Used for UI display or off-chain reads where no on-chain proof is needed.
Key Components
decryptForTx Flow
UsedecryptForTx when you need to submit the decrypted value on-chain with a proof.
1
Fetching the CtHash
Solidity contract:Fetch the
CtHash from the chain:All encrypted types (
euint8, euint16, euint32, euint64, euint128, ebool, eaddress) are wrappers around bytes32. The data returned from the contract can be used as a CtHash directly.2
Request Decryption
Call If the value was granted access via
decryptForTx on the SDK client. Since FHE.allowPublic was used, no permit is needed:FHE.allow (not allowPublic), use .withPermit() instead:3
Threshold Network Verification
Behind the scenes:
- The SDK sends the decryption request to the Threshold Network
- The Threshold Network verifies on-chain that the requester has access to the
CtHashvia the ACL - The Threshold Network performs secure decryption
- The Threshold Network signs the plaintext result and returns both the plaintext and the signature
4
Submit On-Chain with Proof
The SDK returns an object containing the decrypted value and signature. Submit these on-chain:The on-chain function verifies the signature using
FHE.publishDecryptResult or FHE.verifyDecryptResult:decryptForView Flow
UsedecryptForView when you only need to display the value in the UI — no on-chain transaction is needed.
1
Fetching the CtHash
The contract must have granted access to the user via
FHE.allow or FHE.allowSender:2
Request Decryption
Call
decryptForView with a permit (required since this is user-specific data):3
Threshold Network Verification
Behind the scenes:
- The SDK sends the decryption request with the user’s permit to the Threshold Network
- The Threshold Network verifies the permit’s signature and checks on-chain that
permit.issuerhas access to theCtHashvia the ACL - The Threshold Network performs secure decryption
- The plaintext value is returned to the SDK (no signature needed since this is view-only)