refactor: add share_decryption circuit [skip-line-limit]

circuits/bin/threshold/share_decryption/src/main.nr

@@ -15,24 +15,24 @@ use lib::math::polynomial::Polynomial;
 fn main(
     expected_sk_commitment: pub Field,
     expected_e_sm_commitment: pub Field,
-    c_0: pub [Polynomial<N>; L],
-    c_1: pub [Polynomial<N>; L],
+    ct0: pub [Polynomial<N>; L],
+    ct1: pub [Polynomial<N>; L],
     sk: [Polynomial<N>; L],
     e_sm: [Polynomial<N>; L],
-    r_1: [Polynomial<(2 * N) - 1>; L],
-    r_2: [Polynomial<N - 1>; L],
+    r1: [Polynomial<(2 * N) - 1>; L],
+    r2: [Polynomial<N - 1>; L],
     d: [Polynomial<N>; L],
 ) {
     let share_decryption: ShareDecryption<N, L, SHARE_DECRYPTION_BIT_CT, SHARE_DECRYPTION_BIT_SK, SHARE_DECRYPTION_BIT_E_SM, SHARE_DECRYPTION_BIT_R1, SHARE_DECRYPTION_BIT_R2, SHARE_DECRYPTION_BIT_D> = ShareDecryption::new(
         SHARE_DECRYPTION_CONFIGS,
         expected_sk_commitment,
         expected_e_sm_commitment,
-        c_0,
-        c_1,
+        ct0,
+        ct1,
         sk,
         e_sm,
-        r_1,
-        r_2,
+        r1,
+        r2,
         d,
     );
     share_decryption.execute()

circuits/lib/src/configs/insecure/threshold.nr

@@ -108,23 +108,20 @@ pub global USER_DATA_ENCRYPTION_CONFIGS: UserDataEncryptionConfigs<N, L> = UserD
 
 /************************************
 -------------------------------------
-share_decryption (GRECO)
+share_decryption
 -------------------------------------
 ************************************/
 
-// share_decryption - bit parameters
-pub global SHARE_DECRYPTION_BIT_CT: u32 = 36;
-pub global SHARE_DECRYPTION_BIT_SK: u32 = 36;
-pub global SHARE_DECRYPTION_BIT_E_SM: u32 = 36;
-pub global SHARE_DECRYPTION_BIT_R1: u32 = 44;
-pub global SHARE_DECRYPTION_BIT_R2: u32 = 36;
-pub global SHARE_DECRYPTION_BIT_D: u32 = 36;
+pub global SHARE_DECRYPTION_BIT_CT: u32 = 35;
+pub global SHARE_DECRYPTION_BIT_SK: u32 = 35;
+pub global SHARE_DECRYPTION_BIT_E_SM: u32 = 35;
+pub global SHARE_DECRYPTION_BIT_R1: u32 = 43;
+pub global SHARE_DECRYPTION_BIT_R2: u32 = 35;
+pub global SHARE_DECRYPTION_BIT_D: u32 = 35;
 
-// share_decryption - bounds
 pub global SHARE_DECRYPTION_R1_BOUNDS: [Field; L] = [8796083584897, 8796061564801];
 pub global SHARE_DECRYPTION_R2_BOUNDS: [Field; L] = [34359701504, 34359615488];
 
-// share_decryption - configs
 pub global SHARE_DECRYPTION_CONFIGS: ShareDecryptionConfigs<L> =
     ShareDecryptionConfigs::new(QIS, SHARE_DECRYPTION_R1_BOUNDS, SHARE_DECRYPTION_R2_BOUNDS);
 

circuits/lib/src/configs/secure/threshold.nr

@@ -118,25 +118,22 @@ pub global USER_DATA_ENCRYPTION_CONFIGS: UserDataEncryptionConfigs<N, L> = UserD
 
 /************************************
 -------------------------------------
-share_decryption (CIRCUIT 6)
+share_decryption
 -------------------------------------
 ************************************/
 
-// share_decryption - bit parameters
-pub global SHARE_DECRYPTION_BIT_CT: u32 = 53;
-pub global SHARE_DECRYPTION_BIT_SK: u32 = 53;
-pub global SHARE_DECRYPTION_BIT_E_SM: u32 = 53;
-pub global SHARE_DECRYPTION_BIT_R1: u32 = 65;
-pub global SHARE_DECRYPTION_BIT_R2: u32 = 53;
-pub global SHARE_DECRYPTION_BIT_D: u32 = 53;
+pub global SHARE_DECRYPTION_BIT_CT: u32 = 52;
+pub global SHARE_DECRYPTION_BIT_SK: u32 = 52;
+pub global SHARE_DECRYPTION_BIT_E_SM: u32 = 52;
+pub global SHARE_DECRYPTION_BIT_R1: u32 = 64;
+pub global SHARE_DECRYPTION_BIT_R2: u32 = 52;
+pub global SHARE_DECRYPTION_BIT_D: u32 = 52;
 
-// share_decryption - bounds
 pub global SHARE_DECRYPTION_R1_BOUNDS: [Field; L] =
     [4611686035875690497, 9223372037660080129, 9223372045176272897, 9223372051618723841];
 pub global SHARE_DECRYPTION_R2_BOUNDS: [Field; L] =
     [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728];
 
-// share_decryption - configs
 pub global SHARE_DECRYPTION_CONFIGS: ShareDecryptionConfigs<L> =
     ShareDecryptionConfigs::new(QIS, SHARE_DECRYPTION_R1_BOUNDS, SHARE_DECRYPTION_R2_BOUNDS);
 

circuits/lib/src/core/threshold/share_decryption.nr

@@ -45,10 +45,10 @@ pub struct ShareDecryption<let N: u32, let L: u32, let BIT_CT: u32, let BIT_SK:
     expected_e_sm_commitment: Field,
 
     /// Ciphertext components (public witnesses)
-    /// c_0 components for each CRT basis (degree N-1 polynomials with N coefficients)
-    c_0: [Polynomial<N>; L],
-    /// c_1 components for each CRT basis (degree N-1 polynomials with N coefficients)
-    c_1: [Polynomial<N>; L],
+    /// ct0 components for each CRT basis (degree N-1 polynomials with N coefficients)
+    ct0: [Polynomial<N>; L],
+    /// ct1 components for each CRT basis (degree N-1 polynomials with N coefficients)
+    ct1: [Polynomial<N>; L],
 
     /// Aggregated sum of sk shares (secret witness)
     sk: [Polynomial<N>; L],
@@ -58,8 +58,8 @@ pub struct ShareDecryption<let N: u32, let L: u32, let BIT_CT: u32, let BIT_SK:
     e_sm: [Polynomial<N>; L],
 
     /// Quotient polynomials for lifting to Z (secret witnesses)
-    r_1: [Polynomial<2 * N - 1>; L],
-    r_2: [Polynomial<N - 1>; L],
+    r1: [Polynomial<2 * N - 1>; L],
+    r2: [Polynomial<N - 1>; L],
 
     /// Party's computed decryption share
     /// (public witnesses)
@@ -71,24 +71,24 @@ impl<let N: u32, let L: u32, let BIT_CT: u32, let BIT_SK: u32, let BIT_E_SM: u32
         configs: Configs<L>,
         expected_sk_commitment: Field,
         expected_e_sm_commitment: Field,
-        c_0: [Polynomial<N>; L],
-        c_1: [Polynomial<N>; L],
+        ct0: [Polynomial<N>; L],
+        ct1: [Polynomial<N>; L],
         sk: [Polynomial<N>; L],
         e_sm: [Polynomial<N>; L],
-        r_1: [Polynomial<2 * N - 1>; L],
-        r_2: [Polynomial<N - 1>; L],
+        r1: [Polynomial<2 * N - 1>; L],
+        r2: [Polynomial<N - 1>; L],
         d: [Polynomial<N>; L],
     ) -> Self {
         ShareDecryption {
             configs,
             expected_sk_commitment,
             expected_e_sm_commitment,
-            c_0,
-            c_1,
+            ct0,
+            ct1,
             sk,
             e_sm,
-            r_1,
-            r_2,
+            r1,
+            r2,
             d,
         }
     }
@@ -141,12 +141,12 @@ impl<let N: u32, let L: u32, let BIT_CT: u32, let BIT_SK: u32, let BIT_E_SM: u32
         inputs.push(self.expected_e_sm_commitment);
 
         // Flatten ciphertext components (public inputs)
-        inputs = flatten::<_, _, BIT_CT>(inputs, self.c_0);
-        inputs = flatten::<_, _, BIT_CT>(inputs, self.c_1);
+        inputs = flatten::<_, _, BIT_CT>(inputs, self.ct0);
+        inputs = flatten::<_, _, BIT_CT>(inputs, self.ct1);
 
         // Flatten quotient polynomials (secret witnesses)
-        inputs = flatten::<_, _, BIT_R1>(inputs, self.r_1);
-        inputs = flatten::<_, _, BIT_R2>(inputs, self.r_2);
+        inputs = flatten::<_, _, BIT_R1>(inputs, self.r1);
+        inputs = flatten::<_, _, BIT_R2>(inputs, self.r2);
 
         // Flatten decryption shares (public outputs)
         inputs = flatten::<_, _, BIT_D>(inputs, self.d);
@@ -205,12 +205,12 @@ impl<let N: u32, let L: u32, let BIT_CT: u32, let BIT_SK: u32, let BIT_E_SM: u32
         // Check quotient polynomials are within bounds
         for basis_idx in 0..L {
             // r_1 quotients can be negative (modulus quotients)
-            self.r_1[basis_idx].range_check_2bounds::<BIT_R1>(
+            self.r1[basis_idx].range_check_2bounds::<BIT_R1>(
                 self.configs.r1_bounds[basis_idx],
                 self.configs.r1_bounds[basis_idx],
             );
             // r_2 quotients (cyclotomic quotients)
-            self.r_2[basis_idx].range_check_2bounds::<BIT_R2>(
+            self.r2[basis_idx].range_check_2bounds::<BIT_R2>(
                 self.configs.r2_bounds[basis_idx],
                 self.configs.r2_bounds[basis_idx],
             );
@@ -261,16 +261,16 @@ impl<let N: u32, let L: u32, let BIT_CT: u32, let BIT_SK: u32, let BIT_E_SM: u32
     /// The circuit will fail if the decryption share computation formula doesn't hold for the specified basis.
     fn verify_decryption_share_computation(self, basis_idx: u32, gamma: Field) {
         // Evaluate ciphertext components at gamma
-        let c_0_at_gamma = self.c_0[basis_idx].eval(gamma);
-        let c_1_at_gamma = self.c_1[basis_idx].eval(gamma);
+        let c_0_at_gamma = self.ct0[basis_idx].eval(gamma);
+        let c_1_at_gamma = self.ct1[basis_idx].eval(gamma);
 
         // Evaluate aggregated sums at gamma
         let sk_at_gamma = self.sk[basis_idx].eval(gamma);
         let e_sm_at_gamma = self.e_sm[basis_idx].eval(gamma);
 
         // Evaluate quotient polynomials at gamma
-        let r_1_at_gamma = self.r_1[basis_idx].eval(gamma);
-        let r_2_at_gamma = self.r_2[basis_idx].eval(gamma);
+        let r_1_at_gamma = self.r1[basis_idx].eval(gamma);
+        let r_2_at_gamma = self.r2[basis_idx].eval(gamma);
 
         // Evaluate cyclotomic polynomial X^N + 1 at gamma
         let cyclo_at_gamma = gamma.pow_32(N as Field) + 1;

crates/zk-helpers/src/bin/zk_cli.rs

@@ -20,12 +20,19 @@ use e3_zk_helpers::circuits::dkg::share_computation::circuit::{
 };
 use e3_zk_helpers::codegen::{write_artifacts, CircuitCodegen};
 use e3_zk_helpers::computation::DkgInputType;
-use e3_zk_helpers::dkg::share_decryption::{ShareDecryptionCircuit, ShareDecryptionCircuitInput};
+use e3_zk_helpers::dkg::share_decryption::{
+    ShareDecryptionCircuit as DkgShareDecryptionCircuit,
+    ShareDecryptionCircuitInput as DkgShareDecryptionCircuitInput,
+};
 use e3_zk_helpers::dkg::share_encryption::{ShareEncryptionCircuit, ShareEncryptionCircuitInput};
 use e3_zk_helpers::registry::{Circuit, CircuitRegistry};
 use e3_zk_helpers::threshold::pk_aggregation::PkAggregationCircuit;
 use e3_zk_helpers::threshold::pk_aggregation::PkAggregationCircuitInput;
 use e3_zk_helpers::threshold::pk_generation::{PkGenerationCircuit, PkGenerationCircuitInput};
+use e3_zk_helpers::threshold::share_decryption::{
+    ShareDecryptionCircuit as ThresholdShareDecryptionCircuit,
+    ShareDecryptionCircuitInput as ThresholdShareDecryptionCircuitInput,
+};
 use e3_zk_helpers::threshold::user_data_encryption::{
     UserDataEncryptionCircuit, UserDataEncryptionCircuitInput,
 };
@@ -159,8 +166,9 @@ fn main() -> Result<()> {
     registry.register(Arc::new(UserDataEncryptionCircuit));
     registry.register(Arc::new(PkGenerationCircuit));
     registry.register(Arc::new(ShareEncryptionCircuit));
-    registry.register(Arc::new(ShareDecryptionCircuit));
+    registry.register(Arc::new(DkgShareDecryptionCircuit));
     registry.register(Arc::new(PkAggregationCircuit));
+    registry.register(Arc::new(ThresholdShareDecryptionCircuit));
 
     // Handle list circuits flag.
     if args.list_circuits {
@@ -211,7 +219,7 @@ fn main() -> Result<()> {
     // Only share-computation has a witness-type choice (secret-key vs smudging-noise). pk always uses secret key.
     let has_witness_type = circuit_meta.name() == ShareComputationCircuit::NAME
         || circuit_meta.name() == ShareEncryptionCircuit::NAME
-        || circuit_meta.name() == ShareDecryptionCircuit::NAME;
+        || circuit_meta.name() == DkgShareDecryptionCircuit::NAME;
 
     let dkg_input_type = if has_witness_type {
         // Share-computation: require --witness when generating Prover.toml; default secret-key for configs-only.
@@ -247,6 +255,7 @@ fn main() -> Result<()> {
 
     run_with_spinner(|| {
         let circuit_name = circuit_meta.name();
+        let committee = CiphernodesCommitteeSize::Small.values();
         let artifacts = match circuit_name {
             name if name == <PkCircuit as Circuit>::NAME => {
                 let sample = PkCircuitInput::generate_sample(preset);
@@ -257,7 +266,7 @@ fn main() -> Result<()> {
             name if name == <ShareComputationCircuit as Circuit>::NAME => {
                 let sample = ShareComputationCircuitInput::generate_sample(
                     preset,
-                    CiphernodesCommitteeSize::Small,
+                    committee,
                     dkg_input_type,
                 );
 
@@ -270,7 +279,7 @@ fn main() -> Result<()> {
                 })?;
                 let sample = ShareEncryptionCircuitInput::generate_sample(
                     preset,
-                    CiphernodesCommitteeSize::Small,
+                    committee,
                     dkg_input_type,
                     sd.z,
                     sd.lambda,
@@ -286,33 +295,34 @@ fn main() -> Result<()> {
                 circuit.codegen(preset, &sample)?
             }
             name if name == <PkGenerationCircuit as Circuit>::NAME => {
-                let sample = PkGenerationCircuitInput::generate_sample(
-                    preset,
-                    CiphernodesCommitteeSize::Small.values(),
-                )?;
+                let sample = PkGenerationCircuitInput::generate_sample(preset, committee)?;
 
                 let circuit = PkGenerationCircuit;
                 circuit.codegen(preset, &sample)?
             }
-            name if name == <ShareDecryptionCircuit as Circuit>::NAME => {
-                let sample = ShareDecryptionCircuitInput::generate_sample(
+            name if name == <DkgShareDecryptionCircuit as Circuit>::NAME => {
+                let sample = DkgShareDecryptionCircuitInput::generate_sample(
                     preset,
-                    CiphernodesCommitteeSize::Small,
+                    committee,
                     dkg_input_type,
-                );
+                )?;
 
-                let circuit = ShareDecryptionCircuit;
+                let circuit = DkgShareDecryptionCircuit;
                 circuit.codegen(preset, &sample)?
             }
             name if name == <PkAggregationCircuit as Circuit>::NAME => {
-                let sample = PkAggregationCircuitInput::generate_sample(
-                    preset,
-                    CiphernodesCommitteeSize::Small.values(),
-                )?;
+                let sample = PkAggregationCircuitInput::generate_sample(preset, committee)?;
 
                 let circuit = PkAggregationCircuit;
                 circuit.codegen(preset, &sample)?
             }
+            name if name == <ThresholdShareDecryptionCircuit as Circuit>::NAME => {
+                let sample =
+                    ThresholdShareDecryptionCircuitInput::generate_sample(preset, committee)?;
+
+                let circuit = ThresholdShareDecryptionCircuit;
+                circuit.codegen(preset, &sample)?
+            }
             name => return Err(anyhow!("circuit {} not yet implemented", name)),
         };
 

crates/zk-helpers/src/circuits/dkg/pk/codegen.rs

@@ -73,7 +73,7 @@ mod tests {
     use super::*;
     use crate::codegen::write_artifacts;
     use crate::dkg::pk::PkCircuitInput;
-    use crate::utils::compute_pk_bit;
+    use crate::utils::compute_modulus_bit;
 
     use e3_fhe_params::{build_pair_for_preset, BfvPreset};
     use tempfile::TempDir;
@@ -121,7 +121,7 @@ mod tests {
         assert!(configs_path.exists());
 
         let configs_content = std::fs::read_to_string(&configs_path).unwrap();
-        let pk_bit = compute_pk_bit(&dkg_params);
+        let pk_bit = compute_modulus_bit(&dkg_params);
 
         assert!(configs_content.contains(
             format!(

crates/zk-helpers/src/circuits/dkg/pk/computation.rs

@@ -13,7 +13,7 @@ use crate::circuits::dkg::pk::circuit::PkCircuit;
 use crate::circuits::dkg::pk::circuit::PkCircuitInput;
 use crate::crt_polynomial_to_toml_json;
 use crate::get_zkp_modulus;
-use crate::utils::compute_pk_bit;
+use crate::utils::compute_modulus_bit;
 use crate::CircuitsErrors;
 use crate::{CircuitComputation, Computation};
 use e3_fhe_params::build_pair_for_preset;
@@ -113,7 +113,7 @@ impl Computation for Bits {
             build_pair_for_preset(preset).map_err(|e| CircuitsErrors::Sample(e.to_string()))?;
 
         Ok(Bits {
-            pk_bit: compute_pk_bit(&dkg_params),
+            pk_bit: compute_modulus_bit(&dkg_params),
         })
     }
 }
@@ -190,7 +190,7 @@ mod tests {
 
         let bounds = Bounds::compute(BfvPreset::InsecureThreshold512, &()).unwrap();
         let bits = Bits::compute(BfvPreset::InsecureThreshold512, &()).unwrap();
-        let expected_bits = compute_pk_bit(&dkg_params);
+        let expected_bits = compute_modulus_bit(&dkg_params);
 
         assert_eq!(bounds.pk_bound, BigUint::from(1125899906777088u128));
         assert_eq!(bits.pk_bit, expected_bits);

crates/zk-helpers/src/circuits/dkg/share_computation/codegen.rs

@@ -153,9 +153,10 @@ mod tests {
 
     #[test]
     fn test_toml_generation_and_structure() {
+        let committee = CiphernodesCommitteeSize::Small.values();
         let sample = ShareComputationCircuitInput::generate_sample(
             BfvPreset::InsecureThreshold512,
-            CiphernodesCommitteeSize::Small,
+            committee,
             DkgInputType::SecretKey,
         );