Ensure C6 proofs are bound to the same secrets that were proved in C4: C6's `expected_sk_commitment` and `expected_e_sm_commitment` must match the return values of that party's C4 proofs (one SK proof, one or more ESM proofs).
Tasks:
- After `VerificationKind::DecryptionProofs` completes, cache per party:
  - The C4 "return" commitment from the single SK decryption proof (C4a).
  - The C4 "return" commitments from each ESM decryption proof (C4b), in a defined order (e.g. by `esi_index`).
- When `VerificationKind::ThresholdDecryptionProofs` completes:
  - For each party, parse C6's `expected_sk_commitment` (field 0) and `expected_e_sm_commitment` (field 1) from the C6 proof public signals.
  - Compare them to the cached C4 return value(s) for that party (SK vs. the first C4b, or aggregated as per the C6 design; confirm in code how C6 aggregates multiple C4b outputs, if applicable).
  - On mismatch: mark the sender dishonest and emit a failure for the C6 signed payload.
- Use the same cache store as in Issue 4 (keyed by `e3_id`); extend it to hold C4 return commitments per party.
Acceptance criteria:
- A C6 proof whose expected commitments do not match the cached C4 outputs causes the sender to be marked dishonest and the C6 payload to be reported.
- Test: valid C4 proofs, then a C6 proof with wrong expected commitments; the verifier marks the sender dishonest.
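Sketch of the cache and the binding check described above, as an added example rather than the project's code: the `E3Id`, `PartyId`, `Commitment` and `C4Outputs` types, the `C4Cache` store and the `C6Check` result are hypothetical stand-ins, and the ESM comparison against the first C4b output is the assumption the tasks ask to confirm.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins for the project's own types (assumption, not project code).
pub type E3Id = u64;
pub type PartyId = u32;
pub type Commitment = [u8; 32];

/// C4 return values cached per party once VerificationKind::DecryptionProofs completes.
#[derive(Default, Clone, Debug)]
pub struct C4Outputs {
    pub sk: Option<Commitment>,      // C4a: return commitment of the single SK proof
    pub esm: Vec<(u32, Commitment)>, // C4b: (esi_index, return commitment), sorted by index
}
/// Cache keyed by e3_id, then by party, extending the Issue 4 store.
#[derive(Default, Debug)]
pub struct C4Cache(HashMap<E3Id, HashMap<PartyId, C4Outputs>>);

impl C4Cache {
    fn entry(&mut self, e3: E3Id, party: PartyId) -> &mut C4Outputs {
        self.0.entry(e3).or_default().entry(party).or_default()
    }
    pub fn record_sk(&mut self, e3: E3Id, party: PartyId, c: Commitment) {
        self.entry(e3, party).sk = Some(c);
    }
    pub fn record_esm(&mut self, e3: E3Id, party: PartyId, esi_index: u32, c: Commitment) {
        let e = self.entry(e3, party);
        e.esm.push((esi_index, c));
        e.esm.sort_by_key(|(i, _)| *i); // defined order regardless of arrival order
    }
}
#[derive(Debug, PartialEq, Eq)]
pub enum C6Check { Ok, NoC4Cached, MalformedSignals, SkMismatch, EsmMismatch }

/// Bind a party's C6 proof to its cached C4 outputs: public signal field 0 is
/// expected_sk_commitment, field 1 is expected_e_sm_commitment. Assumption: the ESM field
/// is checked against the first C4b output; swap in the aggregate once C6's design is confirmed.
pub fn check_c6(cache: &C4Cache, e3: E3Id, party: PartyId, signals: &[Commitment]) -> C6Check {
    let c4 = match cache.0.get(&e3).and_then(|m| m.get(&party)) {
        Some(c4) => c4,
        None => return C6Check::NoC4Cached,
    };
    if signals.len() < 2 { return C6Check::MalformedSignals; }
    let (exp_sk, exp_esm) = (&signals[0], &signals[1]);
    if c4.sk.as_ref() != Some(exp_sk) {
        return C6Check::SkMismatch; // caller marks the sender dishonest and reports the C6 payload
    }
    match c4.esm.first() {
        Some((_, c)) if c == exp_esm => C6Check::Ok,
        _ => C6Check::EsmMismatch,
    }
}
```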