theinterfold · hmzakhalid · Feb 23, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -34,7 +34,9 @@ permissions:
 
 jobs:
   rust_tests:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
 
@@ -80,7 +82,9 @@ jobs:
         run: 'cargo test --test integration -- --nocapture'
 
   zk_prover_integration:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
 
@@ -109,7 +113,9 @@ jobs:
         run: 'cargo test -p e3-zk-prover --features integration-tests --test integration_tests -- --nocapture'
 
   build_e3_support_risc0:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
       - name: Generate tags
@@ -146,7 +152,9 @@ jobs:
             type=gha,mode=max,scope=e3-support
 
   build_ciphernode_image:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
 
@@ -186,7 +194,9 @@ jobs:
             type=gha,mode=max,scope=ciphernode
 
   test_contracts:
-    runs-on: 'ubuntu-latest'
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - name: 'Check out the repo'
         uses: 'actions/checkout@v6'
@@ -221,7 +231,9 @@ jobs:
           echo "✅ Passed" >> $GITHUB_STEP_SUMMARY
 
   test_net:
-    runs-on: 'ubuntu-latest'
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - name: 'Check out the repo'
         uses: 'actions/checkout@v6'
@@ -234,7 +246,9 @@ jobs:
           echo "✅ Passed" >> $GITHUB_STEP_SUMMARY
 
   integration_prebuild:
-    runs-on: 'ubuntu-latest'
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - name: 'Check out the repo'
         uses: 'actions/checkout@v6'
@@ -291,7 +305,9 @@ jobs:
 
   ciphernode_integration_test:
     needs: [integration_prebuild, build_enclave_cli, build_sdk]
-    runs-on: 'ubuntu-latest'
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     strategy:
       matrix:
         test-suite: [base, persist]
@@ -353,7 +369,9 @@ jobs:
           echo "✅ Passed" >> $GITHUB_STEP_SUMMARY
 
   build_enclave_cli:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
         with:
@@ -384,7 +402,9 @@ jobs:
           retention-days: 1
 
   crisp_unit:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     needs: [build_crisp_sdk]
     steps:
       - uses: actions/checkout@v6
@@ -457,7 +477,9 @@ jobs:
         run: 'pnpm test:contracts'
 
   crisp_e2e:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     needs: [build_enclave_cli, build_crisp_sdk]
     steps:
       - uses: actions/checkout@v6
@@ -565,7 +587,9 @@ jobs:
           retention-days: 30
 
   build_circuits:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
         with:
@@ -618,7 +642,9 @@ jobs:
           if-no-files-found: error
 
   zk_prover_e2e:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     needs: [build_circuits]
     steps:
       - uses: actions/checkout@v6
@@ -657,7 +683,9 @@ jobs:
         run: cargo test -p e3-zk-prover --test local_e2e_tests -- --nocapture
 
   build_e3_support_dev:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
         with:
@@ -686,7 +714,9 @@ jobs:
           if-no-files-found: error
 
   build_sdk:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
         with:
@@ -735,7 +765,9 @@ jobs:
           if-no-files-found: warn
 
   build_crisp_sdk:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     steps:
       - uses: actions/checkout@v6
 
@@ -779,7 +811,9 @@ jobs:
           if-no-files-found: warn
 
   template_integration:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     needs: [build_enclave_cli, build_e3_support_dev, build_sdk]
     steps:
       - uses: actions/checkout@v6
@@ -839,7 +873,9 @@ jobs:
           pnpm test:integration
 
   test_enclave_init:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     needs: [build_enclave_cli, build_e3_support_dev]
     steps:
       - name: Install pnpm
@@ -876,7 +912,9 @@ jobs:
           enclave init mycitest --verbose --template=${{ github.server_url }}/${{ github.repository }}.git#${BRANCH}:templates/default
 
   contrib-readme-job:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: enclave-ci
+      labels: [enclave-ci-runner]
     name: Populate Contributors List
     # Only run on main branch to avoid branch conflicts
     if: github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, 'contrib-readme-action')

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/events/src/enclave_event/compute_request/mod.rs b/crates/events/src/enclave_event/compute_request/mod.rs
@@ -83,6 +83,7 @@ impl ToString for ComputeRequest {
             ComputeRequestKind::Zk(req) => match req {
                 ZkRequest::PkBfv(_) => "ZkPkBfv",
                 ZkRequest::PkGeneration(_) => "ZkPkGeneration",
+                ZkRequest::ShareComputation(_) => "ZkShareComputation",
             },
         }
         .to_string()

diff --git a/crates/events/src/enclave_event/compute_request/zk.rs b/crates/events/src/enclave_event/compute_request/zk.rs
@@ -9,19 +9,37 @@ use derivative::Derivative;
 use e3_crypto::SensitiveBytes;
 use e3_fhe_params::BfvPreset;
 use e3_utils::utility_types::ArcBytes;
-use e3_zk_helpers::CiphernodesCommitteeSize;
+use e3_zk_helpers::{computation::DkgInputType, CiphernodesCommitteeSize};
 use serde::{Deserialize, Serialize};
 
 /// ZK proof generation request variants.
 #[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
 pub enum ZkRequest {
-    /// Generate proof for BFV public key (T0).
+    /// Generate proof for BFV public key (C0).
     PkBfv(PkBfvProofRequest),
-    /// Generate proof for PK generation (T1a).
+    /// Generate proof for PK generation (C1).
     PkGeneration(PkGenerationProofRequest),
+    /// Generate proof for share and esm computation (C2a and C2b).
+    ShareComputation(ShareComputationProofRequest),
 }
 
-/// Request to generate a proof for BFV public key generation (T0).
+/// Request to generate a proof for share computation (C2a or C2b).
+#[derive(Derivative, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
+#[derivative(Debug)]
+pub struct ShareComputationProofRequest {
+    /// Raw secret polynomial bytes (sk or e_sm — witness, encrypted at rest).
+    pub secret_raw: SensitiveBytes,
+    /// Bincode-serialized SharedSecret containing Shamir shares (witness, encrypted at rest).
+    pub secret_sss_raw: SensitiveBytes,
+    /// Which secret type (SecretKey or SmudgingNoise).
+    pub dkg_input_type: DkgInputType,
+    /// BFV preset for parameter resolution.
+    pub params_preset: BfvPreset,
+    /// The size of the committee.
+    pub committee_size: CiphernodesCommitteeSize,
+}
+
+/// Request to generate a proof for BFV public key generation (C0).
 #[derive(Derivative, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
 #[derivative(Debug)]
 pub struct PkBfvProofRequest {
@@ -31,7 +49,7 @@ pub struct PkBfvProofRequest {
     pub params_preset: BfvPreset,
 }
 
-/// Request to generate a proof for PK share generation (T1a).
+/// Request to generate a proof for PK share generation (C1).
 #[derive(Derivative, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
 #[derivative(Debug)]
 pub struct PkGenerationProofRequest {
@@ -86,6 +104,15 @@ pub enum ZkResponse {
     PkBfv(PkBfvProofResponse),
     /// Proof for PK generation (T1a).
     PkGeneration(PkGenerationProofResponse),
+    /// Proof for share and esm computation (T2a and T2b).
+    ShareComputation(ShareComputationProofResponse),
+}
+
+/// Response containing a generated share computation proof.
+#[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
+pub struct ShareComputationProofResponse {
+    pub proof: Proof,
+    pub dkg_input_type: DkgInputType,
 }
 
 /// Response containing a generated BFV public key proof.
@@ -100,6 +127,15 @@ pub struct PkGenerationProofResponse {
     pub proof: Proof,
 }
 
+impl ShareComputationProofResponse {
+    pub fn new(proof: Proof, dkg_input_type: DkgInputType) -> Self {
+        Self {
+            proof,
+            dkg_input_type,
+        }
+    }
+}
+
 impl PkBfvProofResponse {
     pub fn new(proof: Proof) -> Self {
         Self { proof }

diff --git a/crates/events/src/enclave_event/mod.rs b/crates/events/src/enclave_event/mod.rs
@@ -36,6 +36,7 @@ mod plaintext_output_published;
 mod proof;
 mod publickey_aggregated;
 mod publish_document;
+mod share_computation_proof_signed;
 mod shutdown;
 mod signed_proof;
 mod sync_effect;
@@ -83,6 +84,7 @@ pub use plaintext_output_published::*;
 pub use proof::*;
 pub use publickey_aggregated::*;
 pub use publish_document::*;
+pub use share_computation_proof_signed::*;
 pub use shutdown::*;
 pub use signed_proof::*;
 use strum::IntoStaticStr;
@@ -215,6 +217,7 @@ pub enum EnclaveEventData {
     TicketSubmitted(TicketSubmitted),
     PlaintextOutputPublished(PlaintextOutputPublished),
     PkGenerationProofSigned(PkGenerationProofSigned),
+    ShareComputationProofSigned(ShareComputationProofSigned),
     EnclaveError(EnclaveError),
     E3RequestComplete(E3RequestComplete),
     E3Failed(E3Failed),
@@ -468,6 +471,7 @@ impl EnclaveEventData {
             EnclaveEventData::DecryptionshareCreated(ref data) => Some(data.e3_id.clone()),
             EnclaveEventData::PlaintextAggregated(ref data) => Some(data.e3_id.clone()),
             EnclaveEventData::PkGenerationProofSigned(ref data) => Some(data.e3_id.clone()),
+            EnclaveEventData::ShareComputationProofSigned(ref data) => Some(data.e3_id.clone()),
             EnclaveEventData::CiphernodeSelected(ref data) => Some(data.e3_id.clone()),
             EnclaveEventData::ThresholdShareCreated(ref data) => Some(data.e3_id.clone()),
             EnclaveEventData::ThresholdSharePending(ref data) => Some(data.e3_id.clone()),
@@ -519,6 +523,7 @@ impl_event_types!(
     PlaintextAggregated,
     PublishDocumentRequested,
     PkGenerationProofSigned,
+    ShareComputationProofSigned,
     E3RequestComplete,
     E3Failed,
     E3StageChanged,

diff --git a/crates/events/src/enclave_event/share_computation_proof_signed.rs b/crates/events/src/enclave_event/share_computation_proof_signed.rs
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use crate::{E3id, SignedProofPayload};
+use actix::Message;
+use serde::{Deserialize, Serialize};
+use std::fmt::{self, Display};
+
+#[derive(Message, Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
+#[rtype(result = "()")]
+pub struct ShareComputationProofSigned {
+    pub e3_id: E3id,
+    pub party_id: u64,
+    pub signed_proof: SignedProofPayload,
+}
+
+impl Display for ShareComputationProofSigned {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{:?}", self)
+    }
+}