feat: config verification circuit [skip-line-limit]

[zahrajavar]

This PR adds the ConfigVerification circuit, which verifies that all derived configuration parameters are correctly computed from primitive parameters.
Changes:
Added config_verification circuit that validates:
DKG derived values (Q_MOD_T)
DKG bounds (share_encryption)
Threshold derived values (Q_MOD_T, Q_INVERSE_MOD_T)
Threshold bounds (pk_generation, share_decryption)
user_data_encryption bounds
Cross-config consistency between DKG and Threshold configs

It also closes #1265

Follow-up: Issues #1264 and #1305 will be addressed in the next iteration after updating config values.

Summary by CodeRabbit

• New Features

  • Added configuration validation tool to verify cryptographic parameter integrity across threshold and encryption operations.
  • Enhanced parameter naming for improved consistency and clarity in encryption configurations.

• Improvements

  • Updated verification logic for decryption operations with refined parameter tracking.
  • Reorganized modulus-related parameters for better configuration maintainability.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
crisp	Ready	Preview, Comment	Feb 16, 2026 2:35pm
enclave-docs	Ready	Preview, Comment	Feb 16, 2026 2:35pm

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR introduces configuration updates and verification infrastructure across DKG, threshold, and Greco schemes. Changes include adding new global constants (Q_MOD_T, PK_GENERATION_B_ENC, PLAINTEXT_MODULUS), renaming DKG_SHARE_ENCRYPTION_* to SHARE_ENCRYPTION_*, updating share_decryption notation to per-basis semantics, and adding a comprehensive config verification binary that validates derived values, bounds, and cross-configuration consistency.

Changes

Cohort / File(s)	Summary
Configuration Constants circuits/lib/src/configs/secure/threshold.nr, circuits/lib/src/configs/insecure/threshold.nr	Added Q_MOD_T and PK_GENERATION_B_ENC globals; updated PK_GENERATION_E_SM_BOUND value and PK generation config construction.
Share Encryption Config Renames circuits/lib/src/configs/insecure/dkg.nr, circuits/lib/src/configs/secure/dkg.nr	Renamed DKG_SHARE_ENCRYPTION_* globals to SHARE_ENCRYPTION_*; added PLAINTEXT_MODULUS and Q_MOD_T; updated SHARE_ENCRYPTION_CONFIGS initialization with new parameter order.
Share Encryption Codegen crates/zk-helpers/src/circuits/dkg/share_encryption/codegen.rs	Added PLAINTEXT_MODULUS and Q_MOD_T globals; replaced {}_T and {}_Q_MOD_T with references to shared globals and configs.
PK Generation Codegen & Computation crates/zk-helpers/src/circuits/threshold/pk_generation/codegen.rs, crates/zk-helpers/src/circuits/threshold/pk_generation/computation.rs	Added computation of b_enc value from BfvPreset; replaced CiphernodesCommittee with empty tuple () for Computation trait implementations; updated generate_configs signature to use preset parameter.
User Data Encryption Codegen & Computation crates/zk-helpers/src/circuits/threshold/user_data_encryption/codegen.rs, crates/zk-helpers/src/circuits/threshold/user_data_encryption/computation.rs	Added Q_MOD_T global generation; changed q_mod_t_mod_p to q_mod_t computation using preset; updated generate_configs to derive additional modulus-related parameters.
Share Decryption Verification circuits/lib/src/core/threshold/share_decryption.nr	Updated notation from aggregated s/e to per-basis s_i/e_i/c_0i/c_1i/r_1i/r_2i; renamed verification steps; adjusted range-check logic to exclude sk/e_sm; updated Fiat-Shamir payload construction and documentation.
Config Verification Binary circuits/bin/config/Nargo.toml, circuits/bin/config/src/main.nr	Added new verification binary with comprehensive checks: verify DKG derived values and bounds, threshold derived values/bounds, PK generation/share decryption/Greco bounds, and cross-config consistency via asserts.
Share Encryption Binary circuits/bin/dkg/share_encryption/src/main.nr	Updated constant imports from DKG_SHARE_ENCRYPTION_* to SHARE_ENCRYPTION_*; added pk1is parameter; updated ShareEncryption constructor invocation.
Support & Metadata crates/fhe-params/src/constants.rs, scripts/lint-circuits.sh	Added clarifying comments to NUM_PARTIES constants; added bin/config to lint script directories.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat: update circuits configs and benches [skip-line-limit] #1284: Extensive config/global renames and Q_MOD_T/PLAINTEXT_MODULUS adjustments across DKG and share-encryption configurations.
• refactor: add share_decryption circuit [skip-line-limit] #1280: Modifications to share_decryption.nr verification semantics with per-basis notation and commitment-based validation updates.
• feat: add share-encryption circuit gen [skip-line-limit] #1267: Share-encryption config constants renaming and share-encryption binary parameter updates.

Suggested labels

noir

Suggested reviewers

• cedoor

Poem

🐰 New configs bloom, per-basis now they sing,
Verification checks with Q_MOD_T take wing,
Encryption shares dance in symmetric grace,
Constants renamed bring order to this space. ✨

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 30.77% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: config verification circuit' accurately describes the main change - adding a ConfigVerification circuit to verify derived configuration parameters.
Linked Issues check	✅ Passed	The PR implements the requirement from issue #1265 to merge Greco config verification into the main config verification circuit, consolidating verification logic into a single proof.
Out of Scope Changes check	✅ Passed	All changes are within scope: configuration constant additions/updates, share_decryption notation updates, new share_encryption binary, verification circuit implementation, and codegen updates to support the configuration verification objectives.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch config-verification-circuit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[0xjei]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[0xjei]

not ready to merge unless I get an answer from @zahrajavar on the Q_MOD_T vs Q_MOD_T_MOD_P