Add ECIES operations

Author: satiracode

README.md

@@ -1,8 +1,10 @@
-# TKeeper
-![](assets/gitkeeper.png)
+![](assets/tkeeper-github.png)
 
-**TKeeper** is a threshold signature service that provides a simple REST API for distributed signing using **GG20 (Threshold ECDSA)** and **FROST (Threshold Schnorr)** protocols. The service abstracts the complexity of multiparty computation: to sign a message or generate a key, a client just needs to send a single HTTP request.  
-Powered by [tss4j](https://github.com/exploit-org/tss4j) - our threshold cryptography library.
+**TKeeper** is a threshold cryptographic engine that provides a simple REST API for:
+- Distributed signing using **GG20 (Threshold ECDSA)** and **FROST (Threshold Schnorr)** protocols. 
+- Distributed encryption using **ECIES** (Elliptic Curve Integrated Encryption Scheme).
+
+The service abstracts the complexity of multiparty computation: to sign a message or generate a key, a client just needs to send a single HTTP request. Powered by [tss4j](https://github.com/exploit-org/tss4j) - our threshold cryptography library.
 
 It is suitable for custody systems, MPC-based wallets, and backend services that require distributed key management and signing without exposing private keys to any single participant.
 
@@ -27,4 +29,4 @@ See [docs](docs) for detailed documentation, or visit [docs.exploit.org/tkeeper]
 user-friendly view.
 
 ## License
-Finja is licensed under the [Apache License, Version 2.0](LICENSE.md)
+TKeeper is licensed under the [Apache License, Version 2.0](LICENSE.md)

assets/gitkeeper.png

@@ -10,6 +10,7 @@ repositories {
 }
 
 dependencies {
+    implementation 'org.msgpack:jackson-dataformat-msgpack:0.9.10'
     implementation 'io.quarkiverse.loggingsentry:quarkus-logging-sentry:2.1.3'
     implementation enforcedPlatform("${quarkusPlatformGroupId}:${quarkusPlatformArtifactId}:${quarkusPlatformVersion}")
     implementation("io.quarkus:quarkus-hibernate-validator")
@@ -27,14 +28,15 @@ dependencies {
 
     implementation 'com.fasterxml.jackson.module:jackson-module-kotlin:2.18.3'
 
-    implementation 'org.exploit:gg20:0.0.1'
-    implementation 'org.exploit:frost:0.0.1'
-
-    implementation 'org.exploit:ed25519:0.0.1'
-    implementation 'org.exploit:secp256k1:0.0.1'
-
-    implementation 'org.exploit:tss4j:0.0.1'
-    implementation 'org.exploit:crypto:1.0.0'
+    implementation 'org.exploit:bigint:0.0.2'
+    implementation 'org.exploit:ed25519:0.0.2'
+    implementation 'org.exploit:secp256k1:0.0.2'
+    implementation 'org.exploit:sodium:0.0.2'
+    implementation 'org.exploit:tss4j:0.0.2'
+    implementation 'org.exploit:frost:0.0.2'
+    implementation 'org.exploit:gg20:0.0.2'
+    implementation 'org.exploit:ecies:0.0.2'
+    implementation 'org.exploit:crypto:1.0.2'
 
     implementation("org.exploit:tss4j-natives:1.0.0:linux-amd64@jar")
     implementation("org.exploit:tss4j-natives:1.0.0:macos-aarch64@jar")
@@ -51,12 +53,13 @@ dependencies {
     implementation 'software.amazon.awssdk:kms:2.31.33'
     implementation 'com.google.cloud:google-cloud-kms:2.63.0'
     implementation 'com.oracle.oci.sdk:oci-java-sdk-keymanagement:3.63.3'
+    implementation 'io.github.jopenlibs:vault-java-driver:6.2.0'
 
     testImplementation 'io.quarkus:quarkus-junit5'
 }
 
 group 'org.exploit'
-version '1.0.0-BETA'
+version '1.0.0-RC1'
 
 java {
     sourceCompatibility = JavaVersion.VERSION_17

assets/tkeeper-github.png

@@ -158,6 +158,14 @@ Deletes the distributed key from **all peers**. The initiating node contacts eve
 
 ---
 
+## 7. ECIES (Encryption/Decryption)
+### `POST /ecies/encrypt`
+Encrypts data using ECIES with the specified key ID and cipher.
+- See: [Encryption & Decryption](ecies.md)
+### `POST /ecies/decrypt`
+Decrypts data using ECIES with the specified key ID and cipher.
+- See: [Encryption & Decryption](ecies.md)
+
 ## Permissions Overview
 
 Each endpoint requires a specific permission token.  

build.gradle

@@ -1,14 +1,18 @@
 # TKeeper Overview
 
-TKeeper is a secure threshold signature service built on top of multiparty computation (MPC). It allows multiple participants to cooperatively sign messages without ever reconstructing the private key in full.
+TKeeper is a secure threshold cryptography engine built on top of multiparty computation (MPC). It allows multiple participants to cooperatively sign or encrypt messages without ever reconstructing the private key in full.
 
 At its core, TKeeper implements two well-established threshold signature schemes:
 
+## Distributed signing
 - **GG20** – for threshold ECDSA signatures
 - **FROST** – for threshold Schnorr signatures
 
 These protocols allow distributed signing using elliptic curves (`SECP256K1` and `ED25519`), ensuring strong cryptographic guarantees while maintaining flexibility across use cases.
 
+## Distributed encryption
+* **ECIES** – EC ElGamal KEM + AEAD, backed by DLEQ proofs. Perfect forward secrecy with per-message HKDF.
+
 To protect key material at rest, TKeeper includes a configurable **seal & unseal mechanism**. Depending on configuration, the local key share is either manually unsealed using Shamir shares, or automatically decrypted using cloud KMS providers like AWS or Google Cloud.
 
 All access to signing, key generation, or configuration is protected by a strict **permission-based authorization model**, enforced via JWT tokens. Each request must include the necessary scope in its `permissions` field to be accepted.

docs/API.md

@@ -47,7 +47,6 @@ Performs a threshold signature over one or more messages.
 ```json
 {
   "keyId": "my-key-id",
-  "curve": "SECP256K1",
   "type": "GG20",
   "operations": {
     "message1": "base64-encoded data",
@@ -59,7 +58,6 @@ Performs a threshold signature over one or more messages.
 #### Fields
 
 - `keyId`: identifier of the key to sign with
-- `curve`: elliptic curve (`SECP256K1` or `ED25519`)
 - `type`: session type (`GG20` or `FROST`)
 - `operations`: map of operation ID → base64-encoded message
 
@@ -84,8 +82,6 @@ Verifies a signature against a key.
 
 ```json
 {
-  "sigType": "SCHNORR",
-  "curve": "SECP256K1",
   "keyId": "my-key-id",
   "data64": "base64-encoded message",
   "signature64": "base64-encoded signature"
@@ -94,17 +90,10 @@ Verifies a signature against a key.
 
 #### Fields
 
-- `sigType`: optional; can be `ECDSA` or `SCHNORR`
-- `curve`: elliptic curve used
 - `keyId`: key to verify against
 - `data64`: base64-encoded original message
 - `signature64`: base64-encoded signature
 
-If `sigType` is not provided, it falls back to:
-
-- `SECP256K1` → `ECDSA`
-- `ED25519` → `SCHNORR`
-
 #### Response
 
 ```json

docs/INDEX.md

@@ -129,7 +129,7 @@ seal:
 
 > Unseal is automatic at startup.
 
-See [SEAL.md](SEAL.md) for more details on sealing and unsealing.
+See [seal.md](seal.md) for more details on sealing and unsealing.
 
 ---
 
@@ -152,7 +152,7 @@ keeper:
 - `jwt.jwks-location`: URL of the JWKS endpoint for public key retrieval.
 - `jwt.refresh`: optional refresh interval for reloading the JWKS.
 
-See [SEAL.md](AUTH.md) for authentication options and JWT integration.
+See [auth.md](auth.md) for authentication options and JWT integration.
 
 ---
 

docs/SIGN.md

@@ -0,0 +1,47 @@
+# Encrypting / Decrypting with ECIES
+
+TKeeper provides threshold ECIES encryption/decryption.
+Encryption is done with the public key and is stateless; decryption is MPC-based — the private key is never reconstructed.
+
+## Supported curves
+Currently only Weierstrass curves are supported (e.g `SECP256K1`) to be used for ECIES.
+
+## Supported ciphers
+- `AES_GCM`: AES-256 in Galois/Counter Mode (GCM)
+
+## API
+
+### Encryption
+#### Endpoint
+**POST** `/v1/keeper/ecies/encrypt`
+```json
+{
+  "keyId": "my-key-id",
+  "cipher": "AES_GCM",
+  "plaintext64": "base64-encoded data"
+}
+```
+
+Sample response:
+```json
+{
+  "ciphertext64": "base64-encoded-ciphertext"
+}
+```
+
+### Decryption
+#### Endpoint
+**POST** `/v1/keeper/ecies/decrypt`
+```json
+{
+  "keyId": "my-key-id",
+  "cipher": "AES_GCM",
+  "ciphertext64": "base64-encoded-ciphertext"
+}
+```
+Sample response:
+```json
+{
+  "plaintext64": "base64-encoded-plaintext"
+}
+```