Circuit proofs are currently verified only in isolation. Public outputs of earlier circuits (e.g. C2) are not wired as public inputs of later circuits (e.g. C3, C4), so a node can pass per-proof verification even if the proofs are inconsistent across circuits.
Problem:
- Each circuit (C0–C7) is generated and verified independently.
- Public outputs from one circuit are not enforced as public inputs of the next.
- Cross-circuit consistency is implicit (same prover, same data) instead of enforced in verification.
- A malicious node could, in principle, produce proofs that verify individually but use inconsistent data across circuits.
We need to implement full circuit chaining from C0 through C7, ensuring:
- Public output → public input wiring: Each circuit’s public outputs are explicitly used as the public inputs of the next circuit in the flow.
- Cross-circuit verification: Verifiers check that downstream proofs’ public inputs match upstream proofs’ public outputs.
Possible blockers:
Commitment mismatch: C2 and C3 use different commitment schemes:
- C2: compute_share_encryption_commitment_from_shares (includes party_idx, mod_idx in the hash).
- C3/C4: compute_share_encryption_commitment_from_message (hashes only the message coefficients).
They must be aligned so that C3.expected_message_commitment == C2.public_signals[recipient][row] can be checked, and similarly for C4.
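The check this issue asks for, sketched as an added example (not code from the project): a chain verifier that, on top of the existing per-proof result, walks a wiring table of (downstream public input) → (upstream public output) edges and reports every edge whose values differ. The two commitment functions are hypothetical stand-ins that only reproduce the shape of the C2/C3 mismatch (one hashes party_idx and mod_idx with the coefficients, the other only the coefficients); the signal names, the flat per-circuit layout instead of public_signals[recipient][row], and the "everyone hashes only the message" alignment are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass, field


# Hypothetical stand-ins for the two commitment schemes named in the issue.
# They are constructed for this example and are not the project's real
# functions; they only reproduce the shape of the mismatch: one hashes
# (party_idx, mod_idx) together with the coefficients, the other only the
# coefficients.
def commit_from_shares(party_idx: int, mod_idx: int, coeffs: list[int]) -> str:
    h = hashlib.sha256()
    h.update(party_idx.to_bytes(4, "big"))
    h.update(mod_idx.to_bytes(4, "big"))
    for c in coeffs:
        h.update(c.to_bytes(8, "big"))
    return h.hexdigest()


def commit_from_message(coeffs: list[int]) -> str:
    h = hashlib.sha256()
    for c in coeffs:
        h.update(c.to_bytes(8, "big"))
    return h.hexdigest()


@dataclass
class Proof:
    """What the chain verifier sees for one circuit: its public inputs,
    its public outputs and the result of the existing per-proof check."""
    circuit: str
    public_inputs: dict = field(default_factory=dict)
    public_outputs: dict = field(default_factory=dict)
    verifies_alone: bool = True  # result of the isolated proof verification


# Wiring spec (assumed signal names): downstream (circuit, public input)
# must equal upstream (circuit, public output).  Extending this table to
# cover C0..C7 is the chaining work the issue asks for.
WIRING = {
    ("C3", "expected_message_commitment"): ("C2", "message_commitment"),
    ("C4", "expected_message_commitment"): ("C2", "message_commitment"),
}


def verify_chain(proofs: list[Proof], wiring: dict = WIRING) -> list[str]:
    """Return a list of problems; an empty list means the chain is consistent."""
    by_circuit = {p.circuit: p for p in proofs}
    problems = [f"{p.circuit}: per-proof verification failed"
                for p in proofs if not p.verifies_alone]
    for (down_c, in_name), (up_c, out_name) in wiring.items():
        down, up = by_circuit.get(down_c), by_circuit.get(up_c)
        if down is None or up is None:
            problems.append(f"missing proof for edge {up_c} -> {down_c}")
            continue
        if in_name not in down.public_inputs or out_name not in up.public_outputs:
            problems.append(f"{down_c}.{in_name} or {up_c}.{out_name} is not a public signal")
            continue
        # The actual cross-circuit check: the value the downstream circuit
        # was proven against must be the value the upstream circuit exposed.
        if down.public_inputs[in_name] != up.public_outputs[out_name]:
            problems.append(f"{down_c}.{in_name} != {up_c}.{out_name}")
    return problems


def build_proofs(aligned: bool) -> list[Proof]:
    """Constructed sample: one message of three coefficients committed by C2
    and consumed by C3 and C4.  aligned=False reproduces the mismatch the
    issue describes; aligned=True is one possible fix (every circuit hashes
    only the message, as C3/C4 do today)."""
    party_idx, mod_idx, coeffs = 1, 0, [17, 42, 9]
    c2_commit = (commit_from_message(coeffs) if aligned
                 else commit_from_shares(party_idx, mod_idx, coeffs))
    expected = commit_from_message(coeffs)
    return [
        Proof("C2", public_outputs={"message_commitment": c2_commit}),
        Proof("C3", public_inputs={"expected_message_commitment": expected}),
        Proof("C4", public_inputs={"expected_message_commitment": expected}),
    ]


if __name__ == "__main__":
    for aligned in (False, True):
        result = verify_chain(build_proofs(aligned)) or "chain consistent"
        print(f"aligned={aligned}: {result}")
```

With the schemes left as they are today, both C2 → C3 and C2 → C4 edges fail even though every proof verifies on its own; once C2 and C3/C4 commit to the same thing, the same wiring table passes. A missing or unexposed signal is reported as its own problem rather than silently skipped, so a circuit that simply stops publishing an output cannot make the chain check vacuously succeed.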