@inco/lightning 0.8.0-devnet-28 → 0.8.0-devnet-30

package/manifest.yaml

@@ -3,6 +3,7 @@ incoLightning_devnet_v9_269218568:
     name: incoLightning_devnet_v9_269218568
     majorVersion: 9
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0x6c9132D324231D2F68a1491686b0d4c10ee7d257"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc007202d6e9ea2805def71308"
@@ -25,6 +26,7 @@ incoLightning_devnet_v8_985328058:
     name: incoLightning_devnet_v8_985328058
     majorVersion: 8
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0x43119Ad1F673E998CE4f3BB305bB92Bd5ab97E3B"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc009045f766b38e5a773da9ba"
@@ -47,6 +49,7 @@ incoLightning_devnet_v7_24560427:
     name: incoLightning_devnet_v7_24560427
     majorVersion: 7
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0xA2275E60cCEd081fFD7373593c44ebc30E6Efe66"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc0057b7694d1492d2775d132b"
@@ -69,6 +72,7 @@ incoLightning_devnet_v6_281949651:
     name: incoLightning_devnet_v6_281949651
     majorVersion: 6
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0xDF3830489208461f72Df6E45D0e6cbF9DBB74fe1"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc009531587de02194b1b7a9d3"
@@ -91,6 +95,7 @@ incoLightning_devnet_v5_203964628:
     name: incoLightning_devnet_v5_203964628
     majorVersion: 5
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0x8D5D75CC00E2Fc84ec4dE085aE1708223591c6b6"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc00c573fb2bf617e75b6210d4"
@@ -113,6 +118,7 @@ incoLightning_devnet_v4_409204766:
     name: incoLightning_devnet_v4_409204766
     majorVersion: 4
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0x4046b737B454b0430FBF29cea070e3337AdE95aD"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc003b3f2c4caeb6f787dcce1e"
@@ -135,6 +141,7 @@ incoLightning_devnet_v3_976859633:
     name: incoLightning_devnet_v3_976859633
     majorVersion: 3
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0x4732520194584a04Cac0224e067658619F4086bD"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc00ef1fab551c72a93b0637f1"
@@ -157,6 +164,7 @@ incoLightning_testnet_v2_889158349:
     name: incoLightning_testnet_v2_889158349
     majorVersion: 2
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: testnet
     executorAddress: "0x168FDc3Ae19A5d5b03614578C58974FF30FCBe92"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc005e0f44aac1a914b715cecd"
@@ -179,6 +187,7 @@ incoLightning_demonet_v2_467437523:
     name: incoLightning_demonet_v2_467437523
     majorVersion: 2
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: demonet
     executorAddress: "0xA95EAbCE575f5f1e52605358Ee893F6536166378"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc0071f74686446f14c7b469d3"
@@ -201,6 +210,7 @@ incoLightning_alphanet_v2_976644394:
     name: incoLightning_alphanet_v2_976644394
     majorVersion: 2
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: alphanet
     executorAddress: "0xc0d693DeEF0A91CE39208676b6da09B822abd199"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc000822f11f6e30f933e76d2a"
@@ -223,6 +233,7 @@ incoLightning_devnet_v2_295237520:
     name: incoLightning_devnet_v2_295237520
     majorVersion: 2
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0xC64BB070D6F5aa796e79fA19c1008647ffF736ED"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc008d5a963bd519d8493f5190"
@@ -258,6 +269,7 @@ incoLightning_alphanet_v1_725458969:
     name: incoLightning_alphanet_v1_725458969
     majorVersion: 1
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: alphanet
     executorAddress: "0x28676Cd3b10b03b2FDF105Ba280425b45a674F2A"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc004dfbe338c6966a22bcca19"
@@ -292,6 +304,7 @@ incoLightning_devnet_v1_904635675:
     name: incoLightning_devnet_v1_904635675
     majorVersion: 1
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0x3473820DcAa71Af8157b93C7f2bf1c676A2A39A6"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc007d63c0fdca6698ac7cc51b"
@@ -325,6 +338,7 @@ incoLightning_testnet_v0_183408998:
     name: incoLightning_testnet_v0_183408998
     majorVersion: 0
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: testnet
     executorAddress: "0x63D8135aF4D393B1dB43B649010c8D3EE19FC9fd"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc00d75ffa0caf0797c3f12d66"
@@ -370,6 +384,7 @@ incoLightning_demonet_v0_863421733:
     name: incoLightning_demonet_v0_863421733
     majorVersion: 0
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: demonet
     executorAddress: "0xeBAFF6D578733E4603b99CBdbb221482F29a78E1"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc00834654f6d289ccc7e5ab25"
@@ -403,6 +418,7 @@ incoLightning_alphanet_v0_297966649:
     name: incoLightning_alphanet_v0_297966649
     majorVersion: 0
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: alphanet
     executorAddress: "0x4651DfD7729aE5568092E7351fAaD872266d4CBd"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc0023f7798f470fdf5e9da639"
@@ -436,6 +452,7 @@ incoLightning_devnet_v0_340846814:
     name: incoLightning_devnet_v0_340846814
     majorVersion: 0
     deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
+    owner: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC"
     pepper: devnet
     executorAddress: "0x3B22be60Ae699933959CA3cE147C96caa88Ccd3D"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc00b001d6742fded0dd599ede"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inco/lightning",
-  "version": "0.8.0-devnet-28",
+  "version": "0.8.0-devnet-30",
   "repository": "https://github.com/Inco-fhevm/inco-monorepo",
   "files": [
     "src/",

package/src/DeployUtils.sol

@@ -90,29 +90,32 @@ contract DeployUtils is Script {
     /// @notice Full deployment of IncoLightning and IncoVerifier using configuration
     /// @dev Computes salts from deployer and pepper, then deploys both contracts.
     ///      Should be wrapped in prank (testing) or broadcast (production).
-    /// @param deployer The address that will own both deployed proxies (MUST be tx signer)
+    /// @param deployer The deployer address used in salt for CreateX permissioned deploy protection
+    /// @param owner The address that will own both deployed proxies (can be a multisig)
     /// @param pepper Entropy string to avoid address collision with previous deployments
     /// @param quoteVerifier The Automata quote verifier for TEE attestation validation
     /// @return lightningProxy The deployed IncoLightning proxy
     /// @return verifierProxy The deployed IncoVerifier proxy
-    function deployIncoLightningUsingConfig(address deployer, string memory pepper, IQuoteVerifier quoteVerifier)
-        internal
-        returns (IIncoLightning lightningProxy, IIncoVerifier verifierProxy)
-    {
+    function deployIncoLightningUsingConfig(
+        address deployer,
+        address owner,
+        string memory pepper,
+        IQuoteVerifier quoteVerifier
+    ) internal returns (IIncoLightning lightningProxy, IIncoVerifier verifierProxy) {
         (bytes32 lightningSalt, bytes32 verifierSalt) = getIncoSalts(deployer, pepper);
-        lightningProxy = deployLightning(lightningSalt, verifierSalt, deployer);
-        verifierProxy = deployVerifier(verifierSalt, lightningProxy, deployer, quoteVerifier);
+        lightningProxy = deployLightning(lightningSalt, verifierSalt, owner);
+        verifierProxy = deployVerifier(verifierSalt, lightningProxy, owner, quoteVerifier);
         console.log(
-            "Deploying Inco with executor: %s, deployerAddress: %s, lightning salt: %s",
+            "Deploying Inco with executor: %s, owner: %s, lightning salt: %s",
             vm.toString(address(lightningProxy)),
-            vm.toString(deployer),
+            vm.toString(owner),
             vm.toString(lightningSalt)
         );
     }
 
     /// @notice Computes the standard salts for IncoLightning and IncoVerifier
     /// @dev Uses the contract names and major version from IncoLightningConfig
-    /// @param deployer The deployer address
+    /// @param deployer The deployer address mixed into the salt for CreateX permissioned deploy protection
     /// @param pepper The pepper string for salt generation
     /// @return lightningSalt Salt for IncoLightning deployment
     /// @return verifierSalt Salt for IncoVerifier deployment
@@ -130,9 +133,9 @@ contract DeployUtils is Script {
     ///      computed from salt since it may not be deployed yet.
     /// @param lightningSalt The salt for CreateX deployment
     /// @param verifierSalt The salt used to compute the verifier address
-    /// @param deployer The address that will own the proxy
+    /// @param owner The address that will own the proxy
     /// @return lightningProxy The deployed proxy cast to IIncoLightning
-    function deployLightning(bytes32 lightningSalt, bytes32 verifierSalt, address deployer)
+    function deployLightning(bytes32 lightningSalt, bytes32 verifierSalt, address owner)
         internal
         returns (IIncoLightning lightningProxy)
     {
@@ -142,10 +145,7 @@ contract DeployUtils is Script {
             deployProxy({
                 salt: lightningSalt,
                 implem: address(lightningImplem),
-                initCall: abi.encodeWithSelector(
-                    IIncoLightning.initialize.selector,
-                    deployer // owner
-                )
+                initCall: abi.encodeWithSelector(IIncoLightning.initialize.selector, owner)
             })
         );
     }
@@ -155,26 +155,20 @@ contract DeployUtils is Script {
     ///      so it can be referenced in the verifier.
     /// @param verifierSalt The salt for CreateX deployment
     /// @param lightning The previously deployed IncoLightning proxy
-    /// @param deployer The address that will own the proxy
+    /// @param owner The address that will own the proxy
     /// @param quoteVerifier The Automata quote verifier for TEE attestation
     /// @return verifierProxy The deployed proxy cast to IIncoVerifier
-    function deployVerifier(
-        bytes32 verifierSalt,
-        IIncoLightning lightning,
-        address deployer,
-        IQuoteVerifier quoteVerifier
-    ) internal returns (IIncoVerifier verifierProxy) {
+    function deployVerifier(bytes32 verifierSalt, IIncoLightning lightning, address owner, IQuoteVerifier quoteVerifier)
+        internal
+        returns (IIncoVerifier verifierProxy)
+    {
         IncoVerifier verifierImplem = new IncoVerifier(address(lightning));
         verifierProxy = IIncoVerifier(
             deployProxy({
                 salt: verifierSalt,
                 implem: address(verifierImplem),
                 initCall: abi.encodeWithSelector(
-                    IIncoVerifier.initialize.selector,
-                    deployer, // owner
-                    VERIFIER_NAME,
-                    lightning.getMajorVersion(),
-                    quoteVerifier
+                    IIncoVerifier.initialize.selector, owner, VERIFIER_NAME, lightning.getMajorVersion(), quoteVerifier
                 )
             })
         );

package/src/Lib.alphanet.sol

@@ -6,7 +6,8 @@
 pragma solidity ^0.8;
 
 import { IncoLightning } from "./IncoLightning.sol";
-import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType } from "./Types.sol";
+import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType, HandleMismatch, InvalidTEEAttestation, UnexpectedDecryptedValue } from "./Types.sol";
+import { asBool } from "./shared/TypeUtils.sol";
 import { DecryptionAttestation, ElementAttestationWithProof } from "./lightning-parts/DecryptionAttester.types.sol";
 
 IncoLightning constant inco = IncoLightning(payable(0xc0d693DeEF0A91CE39208676b6da09B822abd199));
@@ -687,7 +688,8 @@ library e {
     ///  @dev costs the inco fee
     ///  @return The encrypted random value
     function rand() internal returns (euint256) {
-        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRand.selector, ETypes.Uint256));
+        bytes32 boundHandle = euint256.unwrap(asEuint256(0));
+        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRandBounded.selector, boundHandle, ETypes.Uint256));
         return euint256.wrap(result);
     }
 
@@ -1194,4 +1196,28 @@ library e {
     function verifyEListDecryption(elist elistHandle, ElementAttestationWithProof[] memory proofElements, bytes32 proof, bytes[] memory signatures) internal view returns (bool) {
         return inco.incoVerifier().isValidEListDecryptionAttestation(elist.unwrap(elistHandle), proofElements, proof, signatures);
     }
+
+    ///  @notice Checks a decryption attestation for an encrypted bool against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(ebool handle, bool expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(ebool.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(asBool(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
+
+    ///  @notice Checks a decryption attestation for an encrypted uint256 against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(euint256 handle, uint256 expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(euint256.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(uint256(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
 }

package/src/Lib.demonet.sol

@@ -6,7 +6,8 @@
 pragma solidity ^0.8;
 
 import { IncoLightning } from "./IncoLightning.sol";
-import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType } from "./Types.sol";
+import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType, HandleMismatch, InvalidTEEAttestation, UnexpectedDecryptedValue } from "./Types.sol";
+import { asBool } from "./shared/TypeUtils.sol";
 import { DecryptionAttestation, ElementAttestationWithProof } from "./lightning-parts/DecryptionAttester.types.sol";
 
 IncoLightning constant inco = IncoLightning(payable(0xA95EAbCE575f5f1e52605358Ee893F6536166378));
@@ -687,7 +688,8 @@ library e {
     ///  @dev costs the inco fee
     ///  @return The encrypted random value
     function rand() internal returns (euint256) {
-        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRand.selector, ETypes.Uint256));
+        bytes32 boundHandle = euint256.unwrap(asEuint256(0));
+        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRandBounded.selector, boundHandle, ETypes.Uint256));
         return euint256.wrap(result);
     }
 
@@ -1194,4 +1196,28 @@ library e {
     function verifyEListDecryption(elist elistHandle, ElementAttestationWithProof[] memory proofElements, bytes32 proof, bytes[] memory signatures) internal view returns (bool) {
         return inco.incoVerifier().isValidEListDecryptionAttestation(elist.unwrap(elistHandle), proofElements, proof, signatures);
     }
+
+    ///  @notice Checks a decryption attestation for an encrypted bool against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(ebool handle, bool expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(ebool.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(asBool(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
+
+    ///  @notice Checks a decryption attestation for an encrypted uint256 against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(euint256 handle, uint256 expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(euint256.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(uint256(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
 }

package/src/Lib.devnet.sol

@@ -6,7 +6,8 @@
 pragma solidity ^0.8;
 
 import { IncoLightning } from "./IncoLightning.sol";
-import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType } from "./Types.sol";
+import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType, HandleMismatch, InvalidTEEAttestation, UnexpectedDecryptedValue } from "./Types.sol";
+import { asBool } from "./shared/TypeUtils.sol";
 import { DecryptionAttestation, ElementAttestationWithProof } from "./lightning-parts/DecryptionAttester.types.sol";
 
 IncoLightning constant inco = IncoLightning(payable(0x6c9132D324231D2F68a1491686b0d4c10ee7d257));
@@ -687,7 +688,8 @@ library e {
     ///  @dev costs the inco fee
     ///  @return The encrypted random value
     function rand() internal returns (euint256) {
-        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRand.selector, ETypes.Uint256));
+        bytes32 boundHandle = euint256.unwrap(asEuint256(0));
+        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRandBounded.selector, boundHandle, ETypes.Uint256));
         return euint256.wrap(result);
     }
 
@@ -1194,4 +1196,28 @@ library e {
     function verifyEListDecryption(elist elistHandle, ElementAttestationWithProof[] memory proofElements, bytes32 proof, bytes[] memory signatures) internal view returns (bool) {
         return inco.incoVerifier().isValidEListDecryptionAttestation(elist.unwrap(elistHandle), proofElements, proof, signatures);
     }
+
+    ///  @notice Checks a decryption attestation for an encrypted bool against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(ebool handle, bool expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(ebool.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(asBool(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
+
+    ///  @notice Checks a decryption attestation for an encrypted uint256 against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(euint256 handle, uint256 expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(euint256.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(uint256(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
 }

package/src/Lib.sol

@@ -6,7 +6,8 @@
 pragma solidity ^0.8;
 
 import { IncoLightning } from "./IncoLightning.sol";
-import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType } from "./Types.sol";
+import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType, HandleMismatch, InvalidTEEAttestation, UnexpectedDecryptedValue } from "./Types.sol";
+import { asBool } from "./shared/TypeUtils.sol";
 import { DecryptionAttestation, ElementAttestationWithProof } from "./lightning-parts/DecryptionAttester.types.sol";
 
 IncoLightning constant inco = IncoLightning(payable(0x6c9132D324231D2F68a1491686b0d4c10ee7d257));
@@ -687,7 +688,8 @@ library e {
     ///  @dev costs the inco fee
     ///  @return The encrypted random value
     function rand() internal returns (euint256) {
-        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRand.selector, ETypes.Uint256));
+        bytes32 boundHandle = euint256.unwrap(asEuint256(0));
+        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRandBounded.selector, boundHandle, ETypes.Uint256));
         return euint256.wrap(result);
     }
 
@@ -1194,4 +1196,28 @@ library e {
     function verifyEListDecryption(elist elistHandle, ElementAttestationWithProof[] memory proofElements, bytes32 proof, bytes[] memory signatures) internal view returns (bool) {
         return inco.incoVerifier().isValidEListDecryptionAttestation(elist.unwrap(elistHandle), proofElements, proof, signatures);
     }
+
+    ///  @notice Checks a decryption attestation for an encrypted bool against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(ebool handle, bool expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(ebool.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(asBool(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
+
+    ///  @notice Checks a decryption attestation for an encrypted uint256 against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(euint256 handle, uint256 expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(euint256.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(uint256(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
 }

package/src/Lib.template.sol

@@ -12,8 +12,12 @@ import {
     IndexOutOfRange,
     InvalidRange,
     SliceOutOfRange,
-    UnsupportedListType
+    UnsupportedListType,
+    HandleMismatch,
+    InvalidTEEAttestation,
+    UnexpectedDecryptedValue
 } from "./Types.sol";
+import {asBool} from "./shared/TypeUtils.sol";
 import {DecryptionAttestation, ElementAttestationWithProof} from "./lightning-parts/DecryptionAttester.types.sol";
 
 // forge-lint: disable-next-line(screaming-snake-case-const)
@@ -694,7 +698,9 @@ library e {
     /// @dev costs the inco fee
     /// @return The encrypted random value
     function rand() internal returns (euint256) {
-        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRand.selector, ETypes.Uint256));
+        bytes32 boundHandle = euint256.unwrap(asEuint256(0));
+        bytes32 result =
+            _callWithFeeRetry(abi.encodeWithSelector(inco.eRandBounded.selector, boundHandle, ETypes.Uint256));
         return euint256.wrap(result);
     }
 
@@ -1245,4 +1251,42 @@ library e {
             .isValidEListDecryptionAttestation(elist.unwrap(elistHandle), proofElements, proof, signatures);
     }
 
+    /**
+     * @notice Checks a decryption attestation for an encrypted bool against an expected plaintext value
+     * @param handle The encrypted handle
+     * @param expected The expected plaintext value
+     * @param decryption The decryption attestation to verify
+     * @param signatures The covalidator signatures for the attestation
+     * @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+     */
+    function requireEqual(
+        ebool handle,
+        bool expected,
+        DecryptionAttestation memory decryption,
+        bytes[] memory signatures
+    ) internal view {
+        require(ebool.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(asBool(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
+
+    /**
+     * @notice Checks a decryption attestation for an encrypted uint256 against an expected plaintext value
+     * @param handle The encrypted handle
+     * @param expected The expected plaintext value
+     * @param decryption The decryption attestation to verify
+     * @param signatures The covalidator signatures for the attestation
+     * @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+     */
+    function requireEqual(
+        euint256 handle,
+        uint256 expected,
+        DecryptionAttestation memory decryption,
+        bytes[] memory signatures
+    ) internal view {
+        require(euint256.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(uint256(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
+
 }

package/src/Lib.testnet.sol

@@ -6,7 +6,8 @@
 pragma solidity ^0.8;
 
 import { IncoLightning } from "./IncoLightning.sol";
-import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType } from "./Types.sol";
+import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType, HandleMismatch, InvalidTEEAttestation, UnexpectedDecryptedValue } from "./Types.sol";
+import { asBool } from "./shared/TypeUtils.sol";
 import { DecryptionAttestation, ElementAttestationWithProof } from "./lightning-parts/DecryptionAttester.types.sol";
 
 IncoLightning constant inco = IncoLightning(payable(0x168FDc3Ae19A5d5b03614578C58974FF30FCBe92));
@@ -687,7 +688,8 @@ library e {
     ///  @dev costs the inco fee
     ///  @return The encrypted random value
     function rand() internal returns (euint256) {
-        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRand.selector, ETypes.Uint256));
+        bytes32 boundHandle = euint256.unwrap(asEuint256(0));
+        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRandBounded.selector, boundHandle, ETypes.Uint256));
         return euint256.wrap(result);
     }
 
@@ -1194,4 +1196,28 @@ library e {
     function verifyEListDecryption(elist elistHandle, ElementAttestationWithProof[] memory proofElements, bytes32 proof, bytes[] memory signatures) internal view returns (bool) {
         return inco.incoVerifier().isValidEListDecryptionAttestation(elist.unwrap(elistHandle), proofElements, proof, signatures);
     }
+
+    ///  @notice Checks a decryption attestation for an encrypted bool against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(ebool handle, bool expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(ebool.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(asBool(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
+
+    ///  @notice Checks a decryption attestation for an encrypted uint256 against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(euint256 handle, uint256 expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(euint256.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(uint256(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
 }

package/src/Types.sol

@@ -264,6 +264,9 @@ error ListTypeMismatch(ETypes lhs, ETypes rhs);
 error UnsupportedListType(ETypes listType);
 error UnsupportedType(ETypes actual);
 error UnexpectedType(ETypes actual, bytes32 expectedTypes);
+error HandleMismatch();
+error InvalidTEEAttestation();
+error UnexpectedDecryptedValue();
 
 string constant EVM_HOST_CHAIN_PREFIX = "evm/";
 uint8 constant HANDLE_VERSION = 0;

package/src/libs/incoLightning_alphanet_v0_297966649.sol

@@ -6,7 +6,8 @@
 pragma solidity ^0.8;
 
 import { IncoLightning } from "../IncoLightning.sol";
-import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType } from "../Types.sol";
+import { ebool, euint256, eaddress, ETypes, elist, IndexOutOfRange, InvalidRange, SliceOutOfRange, UnsupportedListType, HandleMismatch, InvalidTEEAttestation, UnexpectedDecryptedValue } from "../Types.sol";
+import { asBool } from "../shared/TypeUtils.sol";
 import { DecryptionAttestation, ElementAttestationWithProof } from "../lightning-parts/DecryptionAttester.types.sol";
 
 IncoLightning constant inco = IncoLightning(payable(0x4651DfD7729aE5568092E7351fAaD872266d4CBd));
@@ -687,7 +688,8 @@ library e {
     ///  @dev costs the inco fee
     ///  @return The encrypted random value
     function rand() internal returns (euint256) {
-        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRand.selector, ETypes.Uint256));
+        bytes32 boundHandle = euint256.unwrap(asEuint256(0));
+        bytes32 result = _callWithFeeRetry(abi.encodeWithSelector(inco.eRandBounded.selector, boundHandle, ETypes.Uint256));
         return euint256.wrap(result);
     }
 
@@ -1194,4 +1196,28 @@ library e {
     function verifyEListDecryption(elist elistHandle, ElementAttestationWithProof[] memory proofElements, bytes32 proof, bytes[] memory signatures) internal view returns (bool) {
         return inco.incoVerifier().isValidEListDecryptionAttestation(elist.unwrap(elistHandle), proofElements, proof, signatures);
     }
+
+    ///  @notice Checks a decryption attestation for an encrypted bool against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(ebool handle, bool expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(ebool.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(asBool(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
+
+    ///  @notice Checks a decryption attestation for an encrypted uint256 against an expected plaintext value
+    ///  @param handle The encrypted handle
+    ///  @param expected The expected plaintext value
+    ///  @param decryption The decryption attestation to verify
+    ///  @param signatures The covalidator signatures for the attestation
+    ///  @dev Reverts if the handle doesn't match, the decrypted value doesn't match the expected value, or the attestation is invalid
+    function requireEqual(euint256 handle, uint256 expected, DecryptionAttestation memory decryption, bytes[] memory signatures) internal view {
+        require(euint256.unwrap(handle) == decryption.handle, HandleMismatch());
+        require(uint256(decryption.value) == expected, UnexpectedDecryptedValue());
+        require(inco.incoVerifier().isValidDecryptionAttestation(decryption, signatures), InvalidTEEAttestation());
+    }
 }