@inco/lightning 0.9.0-devnet-test-4 → 0.10.0-devnet-1

package/src/lightning-parts/DecryptionAttester.sol

@@ -1,8 +1,13 @@
 // SPDX-License-Identifier: No License
 pragma solidity ^0.8;
 
-import {DecryptionAttestation} from "./DecryptionAttester.types.sol";
+import {
+    DecryptionAttestation,
+    ElementAttestationWithProof,
+    ReencryptionAttestation
+} from "./DecryptionAttester.types.sol";
 import {EIP712Upgradeable} from "@openzeppelin/contracts-upgradeable/utils/cryptography/EIP712Upgradeable.sol";
+import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
 import {SignatureVerifier} from "./primitives/SignatureVerifier.sol";
 import {IDecryptionAttester} from "./interfaces/IDecryptionAttester.sol";
 
@@ -14,10 +19,20 @@ import {IDecryptionAttester} from "./interfaces/IDecryptionAttester.sol";
 /// on-chain verification that a decryption was performed correctly by authorized covalidators.
 abstract contract DecryptionAttester is IDecryptionAttester, SignatureVerifier, EIP712Upgradeable {
 
+    using ECDSA for bytes32;
+
+    /// @dev Thrown when attestations and signatures arrays have different lengths.
+    error AttestationsSignaturesLengthMismatch(uint256 attestationsLength, uint256 signaturesLength);
+
     /// @dev EIP-712 type hash for DecryptionAttestation struct.
     bytes32 constant DECRYPTION_ATTESTATION_STRUCT_HASH =
         keccak256("DecryptionAttestation(bytes32 handle,bytes32 value)");
 
+    /// @dev EIP-712 type hash for Reencryption struct.
+    /// Matches the Go-side definition in eip712.go: Reencryption(bytes user_ciphertext,bytes32 handle,bytes signature)
+    bytes32 constant REENCRYPTION_ATTESTATION_STRUCT_HASH =
+        keccak256("Reencryption(bytes user_ciphertext,bytes32 handle,bytes signature)");
+
     /// @notice Computes the EIP-712 digest for a decryption attestation.
     /// @dev Used to verify signatures from covalidators attesting to a decryption result.
     /// @param decryption The decryption attestation containing the handle and decrypted value.
@@ -28,12 +43,28 @@ abstract contract DecryptionAttester is IDecryptionAttester, SignatureVerifier,
         );
     }
 
+    /// @notice Computes the EIP-712 digest for a reencryption attestation.
+    /// @param attestation The reencryption attestation containing handle, userCiphertext, and encryptedSignature.
+    /// @return The EIP-712 typed data hash.
+    function reencryptionAttestationDigest(ReencryptionAttestation memory attestation) public view returns (bytes32) {
+        return _hashTypedDataV4(
+            keccak256(
+                abi.encode(
+                    REENCRYPTION_ATTESTATION_STRUCT_HASH,
+                    keccak256(attestation.userCiphertext),
+                    attestation.handle,
+                    keccak256(attestation.encryptedSignature)
+                )
+            )
+        );
+    }
+
     /// @notice Validates a decryption attestation against covalidator signatures.
     /// @dev Verifies that the attestation was signed by the required threshold of covalidators.
     /// @param decryption The decryption attestation to validate.
     /// @param signatures Array of signatures from covalidators.
     /// @return True if the attestation has valid signatures from the required covalidators.
-    function isValidDecryptionAttestation(DecryptionAttestation memory decryption, bytes[] memory signatures)
+    function isValidDecryptionAttestation(DecryptionAttestation memory decryption, bytes[] calldata signatures)
         public
         view
         returns (bool)
@@ -41,4 +72,95 @@ abstract contract DecryptionAttester is IDecryptionAttester, SignatureVerifier,
         return isValidSignature(decryptionAttestationDigest(decryption), signatures);
     }
 
+    /// @notice Validates an elist decryption attestation with commitment proof against covalidator signatures.
+    /// @dev Verifies that the attestation was signed by the required threshold of covalidators and validates the proof construction.
+    ///      Each element can be either a pre-computed hash or a commitment-value pair.
+    /// @param elistHandle The elist handle that was decrypted
+    /// @param proofElements Array of proved values. Each can provide either pairHash directly, or commitment+value to compute the pairHash
+    /// @param proof The expected proof that should match keccak256 of all concatenated pair hashes
+    /// @param signatures Array of signatures from covalidators
+    /// @return bool True if the attestation has valid signatures and proof verification succeeds
+    function isValidEListDecryptionAttestation(
+        bytes32 elistHandle,
+        ElementAttestationWithProof[] calldata proofElements,
+        bytes32 proof,
+        bytes[] calldata signatures
+    ) public view override returns (bool) {
+        DecryptionAttestation memory attestation = DecryptionAttestation({handle: elistHandle, value: proof});
+
+        // Verify the provided proof by reconstructing it from the provided value-commitment pairs and/or hashes.
+        bytes32[] memory elementHashes = new bytes32[](proofElements.length);
+        for (uint256 i = 0; i < proofElements.length; i++) {
+            // Use pre-computed hash if provided, otherwise compute from commitment and value
+            if (proofElements[i].pairHash != bytes32(0)) {
+                elementHashes[i] = proofElements[i].pairHash;
+            } else {
+                elementHashes[i] = keccak256(abi.encodePacked(proofElements[i].commitment, proofElements[i].value));
+            }
+        }
+
+        // Single allocation: encode all hashes at once
+        bytes32 computedProof = keccak256(abi.encodePacked(elementHashes));
+        if (computedProof != proof) {
+            return false;
+        }
+
+        return isValidDecryptionAttestation(attestation, signatures);
+    }
+
+    /// @notice Validates reencryption attestations from multiple covalidators against the threshold.
+    /// @dev Each covalidator produces a different ciphertext (X-Wing encryption is randomized),
+    ///      so each attestation has a unique digest. Each is verified individually and the function
+    ///      checks that at least `threshold` unique authorized signers attested.
+    /// @param attestations Array of reencryption attestations, one per covalidator.
+    /// @param signatures Array of envelope signatures, one per attestation (same order).
+    /// @return True if at least `threshold` unique authorized covalidators signed valid attestations.
+    function isValidReencryptionAttestation(
+        ReencryptionAttestation[] calldata attestations,
+        bytes[] calldata signatures
+    ) public view returns (bool) {
+        if (attestations.length != signatures.length) {
+            revert AttestationsSignaturesLengthMismatch(attestations.length, signatures.length);
+        }
+
+        uint256 threshold = getThreshold();
+        if (threshold == 0 || attestations.length < threshold) {
+            return false;
+        }
+
+        address[] memory recoveredSigners = new address[](attestations.length);
+        address lastSigner = address(0);
+        uint256 correctSignaturesCount = 0;
+        uint256 validCount = 0;
+
+        for (uint256 i = 0; i < attestations.length && correctSignaturesCount < threshold; i++) {
+            bytes32 digest = reencryptionAttestationDigest(attestations[i]);
+            (address currentSigner, ECDSA.RecoverError err,) = digest.tryRecover(signatures[i]);
+
+            if (err != ECDSA.RecoverError.NoError) {
+                continue;
+            }
+
+            // Duplicate detection (same pattern as SignatureVerifier.isValidSignature)
+            if (currentSigner > lastSigner) {
+                lastSigner = currentSigner;
+            } else {
+                for (uint256 j = 0; j < validCount; ++j) {
+                    if (currentSigner == recoveredSigners[j]) {
+                        return false;
+                    }
+                }
+            }
+
+            recoveredSigners[validCount] = currentSigner;
+            validCount++;
+
+            if (isSigner(currentSigner)) {
+                correctSignaturesCount++;
+            }
+        }
+
+        return correctSignaturesCount >= threshold;
+    }
+
 }

package/src/lightning-parts/DecryptionAttester.types.sol

@@ -5,3 +5,23 @@ struct DecryptionAttestation {
     bytes32 handle;
     bytes32 value; // encoded bool or uint256 // todo switch this to bytes
 }
+
+/**
+ * @notice Represents a decrypted elist value that can be either a pre-computed hash or a commitment-value pair
+ * @param pairHash Pre-computed keccak256(abi.encodePacked(commitment, value)). If non-zero, this is used directly
+ * @param commitment Commitment value. Only used if pairHash is zero
+ * @param value Decrypted value (encoded as bytes32 in Solidity). Only used if pairHash is zero
+ * @dev If pairHash is provided (non-zero), commitment and value are ignored. Otherwise, hash is computed as
+ *      keccak256(abi.encodePacked(commitment, value)) using Solidity's packed ABI encoding
+ */
+struct ElementAttestationWithProof {
+    bytes32 pairHash;
+    bytes32 commitment;
+    bytes32 value;
+}
+
+struct ReencryptionAttestation {
+    bytes32 handle;
+    bytes userCiphertext;
+    bytes encryptedSignature;
+}

package/src/lightning-parts/EList.sol

@@ -0,0 +1,397 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+
+import {
+    ETypes,
+    EOps,
+    typeToBitMask,
+    typeBitSize,
+    isTypeSupported,
+    IndexOutOfRange,
+    InvalidRange,
+    ListTypeMismatch,
+    ListTooLong,
+    UnsupportedType,
+    elist
+} from "../Types.sol";
+import {EncryptedOperations} from "./EncryptedOperations.sol";
+import {EncryptedInput} from "./EncryptedInput.sol";
+import {EListHandleGeneration} from "./primitives/EListHandleGeneration.sol";
+import {IEList} from "./interfaces/IEList.sol";
+
+/// @dev Maximum number of elements allowed in an encrypted list.
+uint16 constant MAX_LIST_LENGTH = type(uint16).max;
+
+/// @title EList
+/// @notice Provides operations for encrypted lists (elist) - ordered collections of encrypted values.
+/// @dev Encrypted lists are immutable; all operations return new list handles rather than modifying in place.
+/// Lists are homogeneous - all elements must be of the same encrypted type. Operations are processed
+/// by the covalidator off-chain.
+abstract contract EList is IEList, EncryptedOperations, EncryptedInput, EListHandleGeneration {
+
+    event NewEList(bytes32 indexed result, ETypes listType, bytes32[] handles, uint256 eventId);
+    event EListAppend(elist indexed list, bytes32 indexed value, elist indexed result, uint256 eventId);
+    event EListGet(elist indexed list, uint16 indexed index, bytes32 indexed result, uint256 eventId);
+    event EListGetOr(
+        elist indexed list, bytes32 index, bytes32 indexed defaultValue, bytes32 indexed result, uint256 eventId
+    );
+    event EListSet(elist list, bytes32 indexed index, bytes32 indexed value, elist indexed result, uint256 eventId);
+    event EListInsert(elist list, bytes32 indexed index, bytes32 indexed value, elist indexed result, uint256 eventId);
+    event EListConcat(elist indexed list1, elist indexed list2, elist indexed result, uint256 eventId);
+    event EListSlice(
+        elist list,
+        bytes32 indexed start,
+        uint16 length,
+        bytes32 indexed defaultValue,
+        elist indexed result,
+        uint256 eventId
+    );
+    event EListRange(
+        uint256 indexed start, uint256 indexed end, ETypes listType, elist indexed result, uint256 eventId
+    );
+    event EListShuffle(elist indexed list, uint256 indexed counter, elist indexed result, uint256 eventId);
+    event EListReverse(elist indexed list, elist indexed result, uint256 eventId);
+
+    /// @dev Returns the total bit size of an elist: length * typeBitSize(elementType).
+    function _elistBits(bytes32 handle) internal pure returns (uint256) {
+        return uint256(lengthOf(handle)) * typeBitSize(listTypeOf(handle));
+    }
+
+    /// @notice Creates a new encrypted list from client-encrypted inputs.
+    /// @dev Internal function that processes multiple encrypted inputs without individual payment.
+    /// Payment should be handled by the caller for the batch.
+    /// @param inputs Array of encrypted inputs with prepended handles.
+    /// @param listType The type of elements in the list.
+    /// @param user The user address that encrypted the values.
+    /// @return newList The new encrypted list handle.
+    function newEListFromInputs(bytes[] calldata inputs, ETypes listType, address user)
+        internal
+        returns (elist newList)
+    {
+        require(inputs.length <= MAX_LIST_LENGTH, ListTooLong(uint32(inputs.length), MAX_LIST_LENGTH));
+        require(isTypeSupported(listType), UnsupportedType(listType));
+
+        // TODO: Add a new event to create new elist from inputs, can be done as an upgrade to optimize for gas and castore.
+        bytes32[] memory handles = new bytes32[](inputs.length);
+        for (uint256 i = 0; i < inputs.length; i++) {
+            // we check payment for multiple inputs ahead of this func
+            handles[i] = newInputNotPayingNotEmitting(inputs[i], user, listType);
+        }
+        return newEListFromHandles(handles, listType);
+    }
+
+    /// @notice Creates a new encrypted list from existing encrypted handles.
+    /// @dev Validates that all handles are of the expected type and caller has access.
+    /// @param handles Array of encrypted value handles to include in the list.
+    /// @param listType The type of elements in the list (must match handle types).
+    /// @return newList The new encrypted list handle.
+    function newEListFromHandles(bytes32[] memory handles, ETypes listType) internal returns (elist newList) {
+        require(handles.length <= MAX_LIST_LENGTH, ListTooLong(uint32(handles.length), MAX_LIST_LENGTH));
+        require(isTypeSupported(listType), UnsupportedType(listType));
+        for (uint256 i = 0; i < handles.length; i++) {
+            checkInput(handles[i], typeToBitMask(listType));
+        }
+
+        bytes32 newHandle = createListInputHandle(handles, listType);
+
+        allowTransientInternal(newHandle, msg.sender);
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(newHandle, id));
+        emit NewEList(newHandle, listType, handles, id);
+        return elist.wrap(newHandle);
+    }
+
+    /// @notice Creates a new encrypted list from existing encrypted handles.
+    /// @dev External wrapper for newEListFromHandles.
+    /// @param handles Array of encrypted value handles to include in the list.
+    /// @param listType The type of elements in the list.
+    /// @return newList The new encrypted list handle.
+    function newEList(bytes32[] memory handles, ETypes listType)
+        external
+        payable
+        payingElistFee(uint256(handles.length) * typeBitSize(listType))
+        returns (elist newList)
+    {
+        return newEListFromHandles(handles, listType);
+    }
+
+    /// @notice Creates a new encrypted list from client-encrypted inputs.
+    /// @dev This is a paid operation. Payment scales with the number of inputs.
+    /// @param inputs Array of encrypted inputs with prepended handles.
+    /// @param listType The type of elements in the list.
+    /// @param user The user address that encrypted the values.
+    /// @return newList The new encrypted list handle.
+    function newEList(bytes[] calldata inputs, ETypes listType, address user)
+        external
+        payable
+        payingElistFee(uint256(inputs.length) * typeBitSize(listType))
+        returns (elist newList)
+    {
+        return newEListFromInputs(inputs, listType, user);
+    }
+
+    /// @notice Appends an encrypted value to the end of an encrypted list.
+    /// @dev Returns a new list with the value appended; original list is unchanged.
+    /// @param list The encrypted list to append to.
+    /// @param value The encrypted value to append (must match list element type).
+    /// @return result A new encrypted list with the value appended.
+    function listAppend(elist list, bytes32 value)
+        external
+        payable
+        payingElistFee(_elistBits(elist.unwrap(list)) + typeBitSize(listTypeOf(elist.unwrap(list))))
+        returns (elist result)
+    {
+        checkInput(elist.unwrap(list), typeToBitMask(ETypes.List));
+        checkInput(value, typeToBitMask(listTypeOf(elist.unwrap(list))));
+
+        result = elist.wrap(
+            createListResultHandle(
+                EOps.EListAppend,
+                listTypeOf(elist.unwrap(list)),
+                lengthOf(elist.unwrap(list)) + 1,
+                abi.encodePacked(elist.unwrap(list), value)
+            )
+        );
+        uint256 id = getNextEventId();
+        allowTransientInternal(elist.unwrap(result), msg.sender);
+        setDigest(abi.encodePacked(elist.unwrap(result), id));
+        emit EListAppend(list, value, result, id);
+    }
+
+    /// @notice Retrieves an encrypted element at a specific index.
+    /// @dev Reverts if the index is out of range. For safe access with a default, use listGetOr.
+    /// @param list The encrypted list to access.
+    /// @param i The index to retrieve (0-based).
+    /// @return result The encrypted element at the specified index.
+    function listGet(elist list, uint16 i) external returns (bytes32 result) {
+        require(i < lengthOf(elist.unwrap(list)), IndexOutOfRange(i, lengthOf(elist.unwrap(list))));
+        checkInput(elist.unwrap(list), typeToBitMask(ETypes.List));
+
+        result =
+            createResultHandle(EOps.EListGet, listTypeOf(elist.unwrap(list)), abi.encodePacked(elist.unwrap(list), i));
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(result, id));
+        emit EListGet(list, i, result, id);
+    }
+
+    /// @notice Retrieves an encrypted element at an encrypted index, with a default value for out-of-range access.
+    /// @dev Returns the default value if the index is out of range. Index must be euint256.
+    /// @param list The encrypted list to access.
+    /// @param index The encrypted index to retrieve.
+    /// @param defaultValue The encrypted value to return if index is out of range.
+    /// @return result The encrypted element at the index, or defaultValue if out of range.
+    function listGetOr(elist list, bytes32 index, bytes32 defaultValue) external returns (bytes32 result) {
+        checkInput(elist.unwrap(list), typeToBitMask(ETypes.List));
+        checkInput(defaultValue, typeToBitMask(listTypeOf(elist.unwrap(list))));
+        checkInput(index, typeToBitMask(ETypes.Uint256)); //Currently we only support euint256 for index
+
+        result = createResultHandle(
+            EOps.EListGetOr, listTypeOf(elist.unwrap(list)), abi.encodePacked(elist.unwrap(list), index, defaultValue)
+        );
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(result, id));
+        emit EListGetOr(list, index, defaultValue, result, id);
+    }
+
+    /// @notice Sets an encrypted element at an encrypted index.
+    /// @dev Returns a new list with the element replaced; original list is unchanged.
+    /// Index must be euint256. If the encrypted index is out of bounds, the operation
+    /// is silently ignored by the covalidator and the returned list is identical to the input.
+    /// This is by design: because the index is encrypted, reverting would leak information
+    /// about whether the index was valid.
+    /// @param list The encrypted list to modify.
+    /// @param index The encrypted index to set.
+    /// @param value The new encrypted value (must match list element type).
+    /// @return result A new encrypted list with the element replaced, or unchanged if index is out of bounds.
+    function listSet(elist list, bytes32 index, bytes32 value)
+        external
+        payable
+        payingElistFee(_elistBits(elist.unwrap(list)))
+        returns (elist result)
+    {
+        checkInput(elist.unwrap(list), typeToBitMask(ETypes.List));
+        checkInput(index, typeToBitMask(ETypes.Uint256)); //Currently we only support euint256 for index
+        checkInput(value, typeToBitMask(listTypeOf(elist.unwrap(list))));
+
+        result = elist.wrap(
+            createListResultHandle(
+                EOps.EListSet,
+                listTypeOf(elist.unwrap(list)),
+                lengthOf(elist.unwrap(list)),
+                abi.encodePacked(elist.unwrap(list), index, value)
+            )
+        );
+        allowTransientInternal(elist.unwrap(result), msg.sender);
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(elist.unwrap(result), id));
+        emit EListSet(list, index, value, result, id);
+    }
+
+    /// @notice Inserts an encrypted element at an encrypted index, shifting subsequent elements.
+    /// @dev Returns a new list with one additional element. Index must be euint256.
+    /// @param list The encrypted list to modify.
+    /// @param index The encrypted index at which to insert.
+    /// @param value The encrypted value to insert (must match list element type).
+    /// @return result A new encrypted list with the element inserted.
+    function listInsert(elist list, bytes32 index, bytes32 value)
+        external
+        payable
+        payingElistFee(_elistBits(elist.unwrap(list)) + typeBitSize(listTypeOf(elist.unwrap(list))))
+        returns (elist result)
+    {
+        checkInput(elist.unwrap(list), typeToBitMask(ETypes.List));
+        checkInput(index, typeToBitMask(ETypes.Uint256)); //Currently we only support euint256 for index
+        checkInput(value, typeToBitMask(listTypeOf(elist.unwrap(list))));
+
+        result = elist.wrap(
+            createListResultHandle(
+                EOps.EListInsert,
+                listTypeOf(elist.unwrap(list)),
+                lengthOf(elist.unwrap(list)) + 1,
+                abi.encodePacked(elist.unwrap(list), index, value)
+            )
+        );
+        allowTransientInternal(elist.unwrap(result), msg.sender);
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(elist.unwrap(result), id));
+        emit EListInsert(list, index, value, result, id);
+    }
+
+    /// @notice Concatenates two encrypted lists into a new list.
+    /// @dev Both lists must have the same element type. Returns a new list with all elements.
+    /// @param lhs The first encrypted list.
+    /// @param rhs The second encrypted list (must have same element type as lhs).
+    /// @return result A new encrypted list containing all elements from both lists.
+    function listConcat(elist lhs, elist rhs)
+        external
+        payable
+        payingElistFee(_elistBits(elist.unwrap(lhs)) + _elistBits(elist.unwrap(rhs)))
+        returns (elist result)
+    {
+        checkInput(elist.unwrap(lhs), typeToBitMask(ETypes.List));
+        checkInput(elist.unwrap(rhs), typeToBitMask(ETypes.List));
+        ETypes lhsType = listTypeOf(elist.unwrap(lhs));
+        ETypes rhsType = listTypeOf(elist.unwrap(rhs));
+        require(lhsType == rhsType, ListTypeMismatch(lhsType, rhsType));
+
+        result = elist.wrap(
+            createListResultHandle(
+                EOps.EListConcat,
+                listTypeOf(elist.unwrap(lhs)),
+                lengthOf(elist.unwrap(lhs)) + lengthOf(elist.unwrap(rhs)),
+                abi.encodePacked(elist.unwrap(lhs), elist.unwrap(rhs))
+            )
+        );
+        allowTransientInternal(elist.unwrap(result), msg.sender);
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(elist.unwrap(result), id));
+        emit EListConcat(lhs, rhs, result, id);
+    }
+
+    /// @notice Extracts a slice from an encrypted list starting at an encrypted index.
+    /// @dev Returns a new list of the specified length. Uses defaultValue for out-of-range positions.
+    /// @param list The encrypted list to slice.
+    /// @param start The encrypted starting index.
+    /// @param len The number of elements to include in the slice.
+    /// @param defaultValue The encrypted value to use for out-of-range positions.
+    /// @return result A new encrypted list containing the slice.
+    function listSlice(elist list, bytes32 start, uint16 len, bytes32 defaultValue)
+        external
+        payable
+        payingElistFee(uint256(len) * typeBitSize(listTypeOf(elist.unwrap(list))))
+        returns (elist result)
+    {
+        checkInput(elist.unwrap(list), typeToBitMask(ETypes.List));
+        checkInput(defaultValue, typeToBitMask(listTypeOf(elist.unwrap(list))));
+        checkInput(start, typeToBitMask(ETypes.Uint256));
+
+        result = elist.wrap(
+            createListResultHandle(
+                EOps.EListSlice,
+                listTypeOf(elist.unwrap(list)),
+                len,
+                abi.encodePacked(elist.unwrap(list), start, defaultValue)
+            )
+        );
+        allowTransientInternal(elist.unwrap(result), msg.sender);
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(elist.unwrap(result), id));
+        emit EListSlice(list, start, len, defaultValue, result, id);
+    }
+
+    /// @notice Creates an encrypted list containing a range of encrypted integers.
+    /// @dev Creates a list of euint256 values from start (inclusive) to end (exclusive).
+    /// @param start The starting value (inclusive).
+    /// @param end The ending value (exclusive). Must be >= start.
+    /// @param listType The type of elements in the list.
+    /// @return result A new encrypted list containing the range [start, end).
+    function listRange(uint16 start, uint16 end, ETypes listType)
+        external
+        payable
+        payingElistFee(uint256(end - start) * typeBitSize(listType))
+        returns (elist result)
+    {
+        require(start <= end, InvalidRange(start, end));
+
+        result =
+            elist.wrap(createListResultHandle(EOps.EListRange, listType, end - start, abi.encodePacked(start, end)));
+        allowTransientInternal(elist.unwrap(result), msg.sender);
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(elist.unwrap(result), id));
+        emit EListRange(start, end, listType, result, id);
+    }
+
+    /// @notice Randomly shuffles the elements of an encrypted list.
+    /// @dev This is a paid operation. Returns a new list with elements in random order.
+    /// The shuffle is cryptographically secure, computed by the covalidator.
+    /// @param list The encrypted list to shuffle.
+    /// @return result A new encrypted list with elements in random order.
+    function listShuffle(elist list)
+        external
+        payable
+        payingElistFee(_elistBits(elist.unwrap(list)))
+        returns (elist result)
+    {
+        checkInput(elist.unwrap(list), typeToBitMask(ETypes.List));
+        randCounter++;
+        result = elist.wrap(
+            createListResultHandle(
+                EOps.EListShuffle,
+                listTypeOf(elist.unwrap(list)),
+                lengthOf(elist.unwrap(list)),
+                abi.encodePacked(elist.unwrap(list), bytes32(randCounter))
+            )
+        );
+        allowTransientInternal(elist.unwrap(result), msg.sender);
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(elist.unwrap(result), id));
+        emit EListShuffle(list, randCounter, result, id);
+    }
+
+    /// @notice Reverses the order of elements in an encrypted list.
+    /// @dev Returns a new list with elements in reverse order; original list is unchanged.
+    /// @param list The encrypted list to reverse.
+    /// @return result A new encrypted list with elements in reverse order.
+    function listReverse(elist list)
+        external
+        payable
+        payingElistFee(_elistBits(elist.unwrap(list)))
+        returns (elist result)
+    {
+        checkInput(elist.unwrap(list), typeToBitMask(ETypes.List));
+
+        result = elist.wrap(
+            createListResultHandle(
+                EOps.EListReverse,
+                listTypeOf(elist.unwrap(list)),
+                lengthOf(elist.unwrap(list)),
+                abi.encodePacked(elist.unwrap(list))
+            )
+        );
+        allowTransientInternal(elist.unwrap(result), msg.sender);
+        uint256 id = getNextEventId();
+        setDigest(abi.encodePacked(elist.unwrap(result), id));
+        emit EListReverse(list, result, id);
+    }
+
+}