feat: integrate share encryption proofs [skip-line-limit]

[ctrlc03]

fix #1333

Summary by CodeRabbit

• New Features

  • Added share-encryption proofs (C3a/C3b) end-to-end in the ZK flow and proof publishing.
  • Exposed per-share encryption randomness via a new encryption-witness type and extended encryption APIs.
  • Threshold flows now collect and aggregate additional share-encryption proofs.

• Chores

  • Standardized proof naming from T-* → C-* and renamed signed proof payloads to DkgProofSigned.
  • Increased timeouts/durations in collectors and test helpers to accommodate longer flows.

• Tests

  • Updated integration tests and artifacts to include new proof kinds and timing adjustments.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
crisp	Ready	Preview, Comment	Feb 26, 2026 10:09am
enclave-docs	Ready	Preview, Comment	Feb 26, 2026 10:09am

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new share-encryption ZK proof path (C3a/C3b) with request/response types and prover wiring; renames ShareComputationProofSigned → DkgProofSigned and remaps proof-type nomenclature (T* → C*); captures BFV encryption randomness for ZK witnesses; extends keyshare state to track encryption proofs; increases several timeouts in tests/examples.

Changes

Cohort / File(s)	Summary
Event & proof type refactor crates/events/src/enclave_event/share_computation_proof_signed.rs, crates/events/src/enclave_event/mod.rs, crates/events/src/enclave_event/signed_proof.rs	Renamed ShareComputationProofSigned → DkgProofSigned; updated EventType/From mappings; renamed ProofType variants (T* → C*) and updated circuit_name/slash_reason mappings and tests.
ZK request/response additions crates/events/src/enclave_event/compute_request/zk.rs, crates/events/src/enclave_event/compute_request/mod.rs	Added ZkRequest::ShareEncryption, ShareEncryptionProofRequest and ShareEncryptionProofResponse; added ToString mapping for ShareEncryption.
Multithread & prover integration crates/multithread/src/multithread.rs, crates/zk-prover/src/actors/proof_request.rs	Wired ShareEncryption path into multithread ZK flow and ProofRequestActor: new handler, proof-kind variants, pending-proof storage for encryption proofs, request routing, and publishing DkgProofSigned for C3a/C3b.
BFV encryption witness extraction crates/trbfv/src/shares/bfv_encrypted.rs	Added BfvEncryptionWitness and encrypt_extended/encrypt_all_extended to return per-row/per-recipient RNS randomness and ciphertexts for ZK witnesses.
Keyshare state machine crates/keyshare/src/threshold_keyshare.rs, crates/keyshare/src/threshold_share_collector.rs	Replaced ShareComputationProofSigned usage with DkgProofSigned; added signed SK/E_SM share-encryption proof vectors to AggregatingDecryptionKey/ReadyForDecryption/Decrypting and propagated through transitions; increased DEFAULT_COLLECTION_TIMEOUT 120s→600s.
Pending requests & proofs crates/events/src/enclave_event/threshold_share_pending.rs, crates/zk-prover/src/actors/proof_request.rs	Extended ThresholdSharePending and PendingThresholdProofs to track per-recipient encryption proofs and expected counts; updated constructors, completeness logic, and signing/publishing to include C3a/C3b.
Tests & examples updates crates/tests/tests/integration.rs, examples/CRISP/server/.env.example, examples/CRISP/test/crisp.spec.ts, templates/default/tests/integration.spec.ts	Added C3 artifacts and test wiring, adjusted circuit refs (T→C), changed esi_per_ct, increased multiple timeouts and env durations.
Dev scripts & templates templates/default/..., packages/enclave-contracts/scripts/utils.ts, templates/default/deployed_contracts.json, templates/default/enclave.config.yaml	Switched local chain target to localhost/anvil, enforced YAML quoting, updated deployment block numbers/addresses, added MyProgram entry, and adjusted various scripts to use TCP wait and new envs.
ComputeRequest ToString & small tests crates/events/src/enclave_event/compute_request/mod.rs, crates/events/src/enclave_event/test_event.rs	Added mapping for ZkRequest::ShareEncryption → "ZkShareEncryption" and simplified a test import path.

Sequence Diagram(s)

sequenceDiagram
  participant Client as ComputeRequestor
  participant Multithread as MultithreadActor
  participant ZkProver as ZkProver
  participant ProofReq as ProofRequestActor
  participant Keyshare as KeyshareStateMachine

  Client->>Multithread: ComputeRequest (ZkRequest::ShareEncryption)
  Multithread->>ZkProver: Prove ShareEncryption (share_row, ciphertext, u/e0/e1 RNS)
  ZkProver-->>Multithread: ZkResponse::ShareEncryption (ShareEncryptionProofResponse)
  Multithread->>ProofReq: Deliver proof response
  ProofReq->>ProofReq: Store proof in PendingThresholdProofs (sk/e_sm enc maps)
  ProofReq-->>Keyshare: Publish DkgProofSigned (C3a/C3b)
  Keyshare->>Keyshare: Update state (aggregate encryption proofs -> ReadyForDecryption/Decrypting)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• refactor: improve c7 circuit computation [skip-line-limit] #1315 — adds and wires ShareEncryption ZK proof path and related circuit/types used here.
• feat: trbfv integration test [skip-line-limit] #969 — overlaps on introducing C3 share-encryption proof types and ZK prover/event plumbing.
• feat: add sk_share and e_sm_share #1290 — modifies DKG/share-computation proof surfaces and ProofType mappings that intersect these changes.

Suggested labels

ciphernode

Suggested reviewers

• hmzakhalid

Poem

🐰 I hopped through circuits, found RNS in rows,

C3a and C3b where encryption grows.
I gathered randomness, proof carrots in hand,
Sent signed proofs hopping across the land.
Longer the wait, sweeter the harvest — hop! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	Most changes relate to share encryption proof integration. However, several changes appear tangential: environment timeout increases (E3_DURATION, maxWaitMs, threshold_share_collector timeout), chain name changes (hardhat→localhost/anvil), YAML quoting normalization, and test infrastructure updates are not directly required for share encryption proof integration.	Consider separating infrastructure/configuration updates (timeouts, chain names, YAML formatting, test setup) from core share encryption proof implementation into a dedicated refactoring PR.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'feat: integrate share encryption proofs' clearly and accurately summarizes the main change: adding support for share encryption proof circuits (C3a/C3b) into the ciphernode.
Linked Issues check	✅ Passed	The PR implements the objective from #1333 to integrate share encryption proofs (T3/C3 circuits) by adding ShareEncryptionProofRequest/Response types, extending ZkRequest/ZkResponse enums, and implementing proof generation and handling across multiple crates.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/integrate-share-encryption-proofs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (9)

crates/trbfv/src/shares/bfv_encrypted.rs (2)

39-51: BfvEncryptionWitness has no derive macros — consider adding Debug at minimum.

Unlike every other struct in this file (which all derive Debug at least), BfvEncryptionWitness has no derives. If any downstream code needs to log or inspect witnesses during development, the lack of Debug will be an obstacle. If Poly and Ciphertext don't implement Debug, a custom implementation or derivative formatting (as used elsewhere in this file) would work.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/trbfv/src/shares/bfv_encrypted.rs` around lines 39 - 51, Add a Debug
impl for BfvEncryptionWitness so it matches the other structs: update the
BfvEncryptionWitness declaration to derive(Debug) (or use the same derivative
formatting used elsewhere in this file) and if Poly or Ciphertext lack Debug,
provide a custom Debug implementation for BfvEncryptionWitness that
formats/inspects the fields (share_row, ciphertext, u_rns, e0_rns, e1_rns)
appropriately or uses the existing derivative helper. Ensure the chosen approach
matches the file's existing pattern for non-Debug types so the struct can be
logged/inspected.

---

102-140: Code duplication between encrypt and encrypt_extended.

The two methods share nearly identical structure (loop over moduli rows, encode plaintext, encrypt, collect ciphertexts). The only difference is which encrypt call is used and whether witnesses are collected. This is acceptable for clarity, but if the shared logic grows, consider extracting the common loop into a helper that takes a closure/strategy.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/trbfv/src/shares/bfv_encrypted.rs` around lines 102 - 140, Refactor
the duplicated loop in encrypt and encrypt_extended into a shared helper (e.g.,
process_share_rows or with_share_encryption) that accepts the ShamirShare,
recipient_pk, params, rng and a closure/strategy to perform the per-row
encryption (closure should call Plaintext::try_encode then invoke either
recipient_pk.try_encrypt or recipient_pk.try_encrypt_extended and return the
ciphertext plus optional witness data); then have encrypt call the helper with a
closure that returns only ciphertexts and encrypt_extended call it with a
closure that returns ciphertexts plus BfvEncryptionWitness items and collect
those into witnesses; keep the encoding step (Plaintext::try_encode) and error
contexts the same and preserve ArcBytes::from_bytes(&ct.to_bytes()) usage when
building ciphertexts.

crates/events/src/enclave_event/compute_request/zk.rs (1)

156-163: Missing new constructor for ShareEncryptionProofResponse.

ShareComputationProofResponse (line 177) has a new() factory method. For consistency, consider adding one here as well — especially since the struct has four fields.

Proposed constructor

+impl ShareEncryptionProofResponse {
+    pub fn new(proof: Proof, dkg_input_type: DkgInputType, recipient_party_id: usize, row_index: usize) -> Self {
+        Self { proof, dkg_input_type, recipient_party_id, row_index }
+    }
+}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/events/src/enclave_event/compute_request/zk.rs` around lines 156 -
163, Add a standard constructor for ShareEncryptionProofResponse similar to
ShareComputationProofResponse: implement an impl block for
ShareEncryptionProofResponse with a pub fn new(proof: Proof, dkg_input_type:
DkgInputType, recipient_party_id: usize, row_index: usize) -> Self that returns
Self { proof, dkg_input_type, recipient_party_id, row_index } so callers can
construct the struct via ShareEncryptionProofResponse::new(...).

crates/keyshare/src/threshold_share_collector.rs (1)

23-23: Timeout increased 5× (120s → 600s) — consider making it configurable.

The jump from 2 to 10 minutes is substantial. This is presumably needed because C3a/C3b proof generation adds significant per-share latency. A hardcoded 600s default works for now, but as the proof pipeline matures, consider exposing this as a configuration parameter so operators can tune it for their hardware.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/keyshare/src/threshold_share_collector.rs` at line 23, Replace the
hardcoded const DEFAULT_COLLECTION_TIMEOUT with a configurable option: add a
timeout field to the collector's configuration or constructor (e.g., a Duration
parameter on ThresholdShareCollector::new or a CollectorConfig struct) and use
that value as the collection timeout with Duration::from_secs(600) as the
fallback default; update usages of DEFAULT_COLLECTION_TIMEOUT to read the
instance config (or parameter) instead of the const so operators can tune the
timeout at runtime via config/CLI/env.

crates/events/src/enclave_event/signed_proof.rs (1)

32-33: Doc comment still says "T0" but variant is now C0PkBfv.

-    /// T0 — BFV public key proof (Proof 0).
+    /// C0 — BFV public key proof (Proof 0).
     C0PkBfv = 0,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/events/src/enclave_event/signed_proof.rs` around lines 32 - 33, The
doc comment for the enum variant C0PkBfv is stale (mentions "T0"); update the
documentation comment above the C0PkBfv variant so it references the correct
variant name and purpose (e.g., "C0 — BFV public key proof (Proof 0)" or
similar) to match the variant identifier C0PkBfv and its intent in
signed_proof.rs.

crates/events/src/enclave_event/mod.rs (1)

39-39: Consider renaming the module file to match the new type name.

The module is still named share_computation_proof_signed (line 39, re-exported at line 87) but now exports DkgProofSigned. This creates a naming mismatch that could confuse future readers. Consider renaming the file to dkg_proof_signed.rs and updating the mod/pub use declarations.

Also applies to: 87-87

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/events/src/enclave_event/mod.rs` at line 39, The module file and
declarations still use the old name share_computation_proof_signed while the
type exported is DkgProofSigned; rename the file to dkg_proof_signed.rs and
update the module declaration (mod share_computation_proof_signed -> mod
dkg_proof_signed) and the re-export (pub use
...::share_computation_proof_signed::DkgProofSigned -> pub use
...::dkg_proof_signed::DkgProofSigned) so the file, mod name, and exported type
are consistent.

crates/multithread/src/multithread.rs (2)

652-653: Dummy SecretKey allocation — document the intent more explicitly.

A random secret key is generated solely to satisfy the ShareEncryptionCircuitData struct constraint but is never used in the proof computation. While the comment hints at this, consider adding a note about why the struct requires it (e.g., Inputs::compute skips it), so future readers aren't alarmed by the allocation of sensitive key material that's immediately discarded.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/multithread/src/multithread.rs` around lines 652 - 653, The dummy
secret key allocation (dummy_sk = SecretKey::random(&dkg_params, &mut OsRng))
used only to satisfy ShareEncryptionCircuitData should have a clearer
explanatory comment: state that ShareEncryptionCircuitData requires a SecretKey
field but Inputs::compute deliberately ignores it (so the key is not used in
proof computation) and that generating it here is only to construct the struct
and does not persist or influence secrets; update the comment near
SecretKey::random/ShareEncryptionCircuitData/Inputs::compute to explicitly
document this intent and any safety considerations (no storage, no exposure).

---

469-498: Duplicate step numbering in comments.

Steps 4 and 5/6/7 were re-numbered but step 4 appears twice (lines 458 and 469). Minor comment inconsistency.

Suggested fix

-    // 4. Compute parity matrix
+    // 5. Compute parity matrix
     let committee = req.committee_size.values();
...
-    // 5. Build circuit data
+    // 6. Build circuit data
...
-    // 6. Generate proof
+    // 7. Generate proof
...
-    // 7. Return response
+    // 8. Return response

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/multithread/src/multithread.rs` around lines 469 - 498, Update the
inline step comments to use a consistent, sequential numbering around the parity
matrix and circuit/proof sections: change the duplicate "4." comment before
compute_parity_matrix to the correct number (e.g., "5.") and renumber the
subsequent comments so the sequence flows into the ShareComputationCircuitData
construction and proof generation block where compute_parity_matrix,
ShareComputationCircuitData, ShareComputationCircuit, and prove(...) are used,
ensuring comments reflect their logical order.

crates/zk-prover/src/actors/proof_request.rs (1)

210-270: Variable names still use t1_corr/t2a_corr/t2b_corr — consider aligning with C1/C2 naming.

Log messages were updated to C1/C2a/C2b but the correlation ID variable names still use the old t1_/t2a_/t2b_ prefix.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/zk-prover/src/actors/proof_request.rs` around lines 210 - 270, Rename
the correlation-id variables to match the C1/C2a/C2b naming used in logs: change
t1_corr -> c1_corr, t2a_corr -> c2a_corr, and t2b_corr -> c2b_corr; update all
uses in CorrelationId::new(), self.threshold_correlation.insert(...) calls, the
ComputeRequest::zk(...) publish calls, and the corresponding removal/retain
calls (self.threshold_correlation.remove/retain and
self.pending_threshold.remove) so identifiers match consistently (references:
CorrelationId, self.threshold_correlation, ComputeRequest::zk, ZkRequest
variants PkGeneration/ShareComputation).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/keyshare/src/threshold_keyshare.rs`:
- Around line 947-972: The loop building C3b proof requests can produce
duplicate (recipient_party_id, row_index) across multiple ESI ciphertexts; fix
by adding an esi_index field to ShareEncryptionProofRequest and using
(esi_index, recipient_party_id, row_index) as the unique key in
PendingThresholdProofs (update proof_request.rs to change its HashMap key and
callers), then populate esi_index when pushing into
e_sm_share_encryption_requests (use the outer loop index over esi_witnesses) and
adjust any matching/lookup logic (e.g., is_complete and insertion paths) to
account for the new three-tuple key so proofs from different ESI indices do not
collide.

In `@crates/tests/tests/integration.rs`:
- Around line 556-598: The expected_count for the share generation phase
undercounts C2/C3 proof-related ComputeRequest/ComputeResponse pairs and
DkgProofSigned events; update the calculation used before calling
nodes.take_history_with_timeout (the second block that defines expected_count
and calls take_history_with_timeout) to include: per-party C2a and C2b compute
request/response pairs, per-party/per-recipient/per-modulus C3a and C3b compute
pairs (accounting for threshold::MODULI length and recipients+ESI), plus the
corresponding DkgProofSigned events (one per proof), so the total reflects the
extra ~340 events the reviewer enumerated; adjust the numeric expression
assigned to expected_count (and related comment/println) near the share
generation timer to match the full event total so the test no longer hangs.

In `@crates/zk-prover/src/actors/proof_request.rs`:
- Around line 478-512: The C3a/C3b signing loops (iterating
pending.sk_share_encryption_proofs and pending.e_sm_share_encryption_proofs)
must follow the same fail-fast behavior as C1/C2: if self.sign_proof(...)
returns None or if self.bus.publish(...) returns Err, stop processing and
return/abort instead of just logging and continuing; update the loops around
sign_proof (ProofType::C3aSkShareEncryption and
ProofType::C3bESmShareEncryption) and DkgProofSigned publishing to return early
on any signing or publish failure so that ThresholdShareCreated events are not
emitted with missing proofs. Ensure the control flow mirrors the earlier C1/C2
handling (early return on failure) rather than swallowing errors.

---

Nitpick comments:
In `@crates/events/src/enclave_event/compute_request/zk.rs`:
- Around line 156-163: Add a standard constructor for
ShareEncryptionProofResponse similar to ShareComputationProofResponse: implement
an impl block for ShareEncryptionProofResponse with a pub fn new(proof: Proof,
dkg_input_type: DkgInputType, recipient_party_id: usize, row_index: usize) ->
Self that returns Self { proof, dkg_input_type, recipient_party_id, row_index }
so callers can construct the struct via ShareEncryptionProofResponse::new(...).

In `@crates/events/src/enclave_event/mod.rs`:
- Line 39: The module file and declarations still use the old name
share_computation_proof_signed while the type exported is DkgProofSigned; rename
the file to dkg_proof_signed.rs and update the module declaration (mod
share_computation_proof_signed -> mod dkg_proof_signed) and the re-export (pub
use ...::share_computation_proof_signed::DkgProofSigned -> pub use
...::dkg_proof_signed::DkgProofSigned) so the file, mod name, and exported type
are consistent.

In `@crates/events/src/enclave_event/signed_proof.rs`:
- Around line 32-33: The doc comment for the enum variant C0PkBfv is stale
(mentions "T0"); update the documentation comment above the C0PkBfv variant so
it references the correct variant name and purpose (e.g., "C0 — BFV public key
proof (Proof 0)" or similar) to match the variant identifier C0PkBfv and its
intent in signed_proof.rs.

In `@crates/keyshare/src/threshold_share_collector.rs`:
- Line 23: Replace the hardcoded const DEFAULT_COLLECTION_TIMEOUT with a
configurable option: add a timeout field to the collector's configuration or
constructor (e.g., a Duration parameter on ThresholdShareCollector::new or a
CollectorConfig struct) and use that value as the collection timeout with
Duration::from_secs(600) as the fallback default; update usages of
DEFAULT_COLLECTION_TIMEOUT to read the instance config (or parameter) instead of
the const so operators can tune the timeout at runtime via config/CLI/env.

In `@crates/multithread/src/multithread.rs`:
- Around line 652-653: The dummy secret key allocation (dummy_sk =
SecretKey::random(&dkg_params, &mut OsRng)) used only to satisfy
ShareEncryptionCircuitData should have a clearer explanatory comment: state that
ShareEncryptionCircuitData requires a SecretKey field but Inputs::compute
deliberately ignores it (so the key is not used in proof computation) and that
generating it here is only to construct the struct and does not persist or
influence secrets; update the comment near
SecretKey::random/ShareEncryptionCircuitData/Inputs::compute to explicitly
document this intent and any safety considerations (no storage, no exposure).
- Around line 469-498: Update the inline step comments to use a consistent,
sequential numbering around the parity matrix and circuit/proof sections: change
the duplicate "4." comment before compute_parity_matrix to the correct number
(e.g., "5.") and renumber the subsequent comments so the sequence flows into the
ShareComputationCircuitData construction and proof generation block where
compute_parity_matrix, ShareComputationCircuitData, ShareComputationCircuit, and
prove(...) are used, ensuring comments reflect their logical order.

In `@crates/trbfv/src/shares/bfv_encrypted.rs`:
- Around line 39-51: Add a Debug impl for BfvEncryptionWitness so it matches the
other structs: update the BfvEncryptionWitness declaration to derive(Debug) (or
use the same derivative formatting used elsewhere in this file) and if Poly or
Ciphertext lack Debug, provide a custom Debug implementation for
BfvEncryptionWitness that formats/inspects the fields (share_row, ciphertext,
u_rns, e0_rns, e1_rns) appropriately or uses the existing derivative helper.
Ensure the chosen approach matches the file's existing pattern for non-Debug
types so the struct can be logged/inspected.
- Around line 102-140: Refactor the duplicated loop in encrypt and
encrypt_extended into a shared helper (e.g., process_share_rows or
with_share_encryption) that accepts the ShamirShare, recipient_pk, params, rng
and a closure/strategy to perform the per-row encryption (closure should call
Plaintext::try_encode then invoke either recipient_pk.try_encrypt or
recipient_pk.try_encrypt_extended and return the ciphertext plus optional
witness data); then have encrypt call the helper with a closure that returns
only ciphertexts and encrypt_extended call it with a closure that returns
ciphertexts plus BfvEncryptionWitness items and collect those into witnesses;
keep the encoding step (Plaintext::try_encode) and error contexts the same and
preserve ArcBytes::from_bytes(&ct.to_bytes()) usage when building ciphertexts.

In `@crates/zk-prover/src/actors/proof_request.rs`:
- Around line 210-270: Rename the correlation-id variables to match the
C1/C2a/C2b naming used in logs: change t1_corr -> c1_corr, t2a_corr -> c2a_corr,
and t2b_corr -> c2b_corr; update all uses in CorrelationId::new(),
self.threshold_correlation.insert(...) calls, the ComputeRequest::zk(...)
publish calls, and the corresponding removal/retain calls
(self.threshold_correlation.remove/retain and self.pending_threshold.remove) so
identifiers match consistently (references: CorrelationId,
self.threshold_correlation, ComputeRequest::zk, ZkRequest variants
PkGeneration/ShareComputation).

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aa91f39 and bdb2fb7.

📒 Files selected for processing (16)

• crates/events/src/enclave_event/compute_request/mod.rs
• crates/events/src/enclave_event/compute_request/zk.rs
• crates/events/src/enclave_event/mod.rs
• crates/events/src/enclave_event/share_computation_proof_signed.rs
• crates/events/src/enclave_event/signed_proof.rs
• crates/events/src/enclave_event/test_event.rs
• crates/events/src/enclave_event/threshold_share_pending.rs
• crates/keyshare/src/threshold_keyshare.rs
• crates/keyshare/src/threshold_share_collector.rs
• crates/multithread/src/multithread.rs
• crates/tests/tests/integration.rs
• crates/trbfv/src/shares/bfv_encrypted.rs
• crates/zk-prover/src/actors/proof_request.rs
• examples/CRISP/server/.env.example
• examples/CRISP/test/crisp.spec.ts
• templates/default/tests/integration.spec.ts

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

crates/tests/tests/integration.rs (1)

577-598: ⚠️ Potential issue | 🟠 Major

expected_count = 65 still excludes C2a/C2b/C3a/C3b proof events — now more severe since this PR activates C3.

The share-generation window does not account for:

• C2a (SkShareComputation) — 1 ComputeRequest + 1 ComputeResponse per party = 10 events
• C2b (ESmShareComputation) — 1 ComputeRequest + 1 ComputeResponse per party = 10 events
• C3a (SkShareEncryption) — 5 recipients × N moduli × 5 parties × 2 = ~100 events (2 moduli for insecure_512 threshold preset)
• C3b (ESmShareEncryption) — 1 ESI × 5 recipients × N moduli × 5 parties × 2 = ~100 events
• Plus DkgProofSigned events for each of the above proofs

Since C3 (share_encryption) is activated by this PR, the excess events will accumulate between this take_history_with_timeout call and the next one. When the decryption-key phase then collects its 16 events, those events will likely include buffered C3-related entries rather than KeyshareCreated/PublicKeyAggregated, causing the h.last() == PublicKeyAggregated assertion at line 633 to panic.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/tests/tests/integration.rs` around lines 577 - 598, The current
expected_count used with nodes.take_history_with_timeout(...) omits
C2a/C2b/C3a/C3b proof events (and their DkgProofSigned follow-ups) so the
share-generation wait will return too early; update the wait to account for
those events by either (a) increasing the expected_count variable to include
SkShareComputation (C2a), ESmShareComputation (C2b), SkShareEncryption (C3a),
ESmShareEncryption (C3b) and their corresponding DkgProofSigned events based on
the active threshold preset (e.g., add 10+10+~100+~100 + matching signed events
for insecure_512), or (b) replace the fixed-count wait around
take_history_with_timeout(0, expected_count, ...) with a loop that polls history
until you observe the PublicKeyAggregated event (use h.event_types() / h.last()
/ scanning) to avoid hardcoding counts; adjust the code that asserts h.last() ==
PublicKeyAggregated accordingly so it checks the scanned events for
PublicKeyAggregated rather than assuming exact event counts.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/tests/tests/integration.rs`:
- Line 388: The test changed the runtime value to let esi_per_ct = 1 but the
adjacent section header comment ("// 2. Trigger E3Requested") still documents
esi_per_ciphertext = 3; update that stale doc-comment to esi_per_ciphertext = 1
to match the actual variable (esi_per_ct) and ensure the comment in the "2.
Trigger E3Requested" block reflects the new value.

---

Duplicate comments:
In `@crates/tests/tests/integration.rs`:
- Around line 577-598: The current expected_count used with
nodes.take_history_with_timeout(...) omits C2a/C2b/C3a/C3b proof events (and
their DkgProofSigned follow-ups) so the share-generation wait will return too
early; update the wait to account for those events by either (a) increasing the
expected_count variable to include SkShareComputation (C2a), ESmShareComputation
(C2b), SkShareEncryption (C3a), ESmShareEncryption (C3b) and their corresponding
DkgProofSigned events based on the active threshold preset (e.g., add
10+10+~100+~100 + matching signed events for insecure_512), or (b) replace the
fixed-count wait around take_history_with_timeout(0, expected_count, ...) with a
loop that polls history until you observe the PublicKeyAggregated event (use
h.event_types() / h.last() / scanning) to avoid hardcoding counts; adjust the
code that asserts h.last() == PublicKeyAggregated accordingly so it checks the
scanned events for PublicKeyAggregated rather than assuming exact event counts.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bdb2fb7 and 876f1d0.

📒 Files selected for processing (2)

• crates/tests/tests/integration.rs
• templates/default/tests/integration.spec.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• templates/default/tests/integration.spec.ts

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

crates/zk-prover/src/actors/proof_request.rs (1)

184-184: ⚠️ Potential issue | 🟡 Minor

Log messages still reference "T0" while ProofType was renamed to C0PkBfv.

The proof-type enum values have been renamed to C0/C1/C2a/C2b/C3a/C3b, and most log messages use the new naming. However, several T0-related log messages were missed:

• Line 184: "Requesting T0 proof generation" → should be C0
• Line 572: "Signed T0 proof for party ..." → should be C0
• Line 579: "Failed to sign T0 proof payload ..." → should be C0
• Line 603: "T0 proof request failed for E3 ..." → should be C0

Suggested fix

-        info!("Requesting T0 proof generation");
+        info!("Requesting C0 PkBfv proof generation");

-                    "Signed T0 proof for party {} (signer: {})",
+                    "Signed C0 proof for party {} (signer: {})",

-                error!("Failed to sign T0 proof payload: {err} — proof will not be published");
+                error!("Failed to sign C0 proof payload: {err} — proof will not be published");

-                "T0 proof request failed for E3 {}: {err} — key will not be published without proof",
+                "C0 proof request failed for E3 {}: {err} — key will not be published without proof",

Also applies to: 565-565, 572-572, 579-579, 603-603

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/zk-prover/src/actors/proof_request.rs` at line 184, Several log
messages still reference the old "T0" name; update all occurrences to the new C0
naming (matching the renamed ProofType C0PkBfv). Locate the log statements in
proof_request.rs that contain "Requesting T0 proof generation", "Signed T0 proof
for party", "Failed to sign T0 proof payload", and "T0 proof request failed for
E3" and replace "T0" with "C0" so messages read e.g. "Requesting C0 proof
generation", "Signed C0 proof for party ...", "Failed to sign C0 proof payload
...", and "C0 proof request failed for E3 ...". Ensure string formatting and any
surrounding context (function names/variables) remain unchanged.

♻️ Duplicate comments (1)

crates/zk-prover/src/actors/proof_request.rs (1)

478-516: Past concern about C3a/C3b signing failures has been addressed.

Signing failures now use let Some(...) else { return; } (lines 482-484, 502-504), which prevents ThresholdShareCreated events from being published with incomplete proof coverage. This is consistent with the C1/C2 early-return pattern.

The remaining difference — bus.publish errors for DkgProofSigned just log without returning — is also consistent with how C1/C2 proofs handle publish failures (lines 445-475).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/zk-prover/src/actors/proof_request.rs` around lines 478 - 516, The
reviewer marked the previous concern as resolved (signing now uses early-return
in sign_proof for ProofType::C3aSkShareEncryption and
ProofType::C3bESmShareEncryption in the loops over
pending.sk_share_encryption_proofs and pending.e_sm_share_encryption_proofs), so
no code change is required; leave the existing logic in proof_request.rs (the
for-loops that call self.sign_proof and then self.bus.publish DkgProofSigned)
as-is and ignore this duplicate review comment.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@crates/zk-prover/src/actors/proof_request.rs`:
- Line 184: Several log messages still reference the old "T0" name; update all
occurrences to the new C0 naming (matching the renamed ProofType C0PkBfv).
Locate the log statements in proof_request.rs that contain "Requesting T0 proof
generation", "Signed T0 proof for party", "Failed to sign T0 proof payload", and
"T0 proof request failed for E3" and replace "T0" with "C0" so messages read
e.g. "Requesting C0 proof generation", "Signed C0 proof for party ...", "Failed
to sign C0 proof payload ...", and "C0 proof request failed for E3 ...". Ensure
string formatting and any surrounding context (function names/variables) remain
unchanged.

---

Duplicate comments:
In `@crates/zk-prover/src/actors/proof_request.rs`:
- Around line 478-516: The reviewer marked the previous concern as resolved
(signing now uses early-return in sign_proof for ProofType::C3aSkShareEncryption
and ProofType::C3bESmShareEncryption in the loops over
pending.sk_share_encryption_proofs and pending.e_sm_share_encryption_proofs), so
no code change is required; leave the existing logic in proof_request.rs (the
for-loops that call self.sign_proof and then self.bus.publish DkgProofSigned)
as-is and ignore this duplicate review comment.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 876f1d0 and bc8837e.

📒 Files selected for processing (4)

• crates/tests/tests/integration.rs
• crates/zk-prover/src/actors/proof_request.rs
• examples/CRISP/server/.env.example
• examples/CRISP/test/crisp.spec.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• examples/CRISP/server/.env.example
• examples/CRISP/test/crisp.spec.ts

[coderabbitai]

♻️ Duplicate comments (2)

crates/keyshare/src/threshold_keyshare.rs (1)

947-972: ⚠️ Potential issue | 🟡 Minor

C3b proof requests can collide on (recipient,row) across ESI ciphertexts.

If multiple ESI ciphertexts are ever supported, (recipient_party_id, row_index) will not be unique; proofs can overwrite each other downstream. Consider adding esi_index to the request key or asserting the single‑ESI constraint where requests are built.
Based on learnings: the current circuit accepts only one smudging error per decryption (esi_sss_raw[0]).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/keyshare/src/threshold_keyshare.rs` around lines 947 - 972, The
ShareEncryptionProofRequest keys built in the loop over esi_witnesses can
collide because (recipient_party_id, row_index) is not unique across multiple
ESI ciphertexts; update the construction in the loop that builds
e_sm_share_encryption_requests (loop over esi_witnesses and pushing
ShareEncryptionProofRequest) to include an esi_index identifier (e.g., add an
esi_index field to ShareEncryptionProofRequest and populate it from the outer
loop index) or, if multiple ESIs are not supported, assert/validate that
esi_witnesses.len() == 1 before building requests to prevent silent overwrites;
touch the ShareEncryptionProofRequest type and all downstream uses that depend
on recipient_party_id/row_index keys to incorporate the new esi_index or enforce
the single‑ESI constraint.

crates/zk-prover/src/actors/proof_request.rs (1)

52-110: ⚠️ Potential issue | 🟡 Minor

C3b proof keying can collide if multiple ESI ciphertexts appear.

C3b proofs are keyed only by (recipient_party_id, row_index) while the expected count tracks all requests; if multiple ESI ciphertexts are ever supported, proofs from different ESI indices can overwrite each other and is_complete() may never be satisfied. Consider adding an esi_index to the key or asserting the single‑ESI constraint at the request source.
Based on learnings: the current circuit accepts only one smudging error per decryption (esi_sss_raw[0]).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/zk-prover/src/actors/proof_request.rs` around lines 52 - 110,
PendingThresholdProofs currently keys C3b proofs by (recipient_party_id,
row_index) which can collide if multiple ESI ciphertexts (different esi_index)
are present; update the data model and logic to include an esi_index in the C3b
key or enforce single‑ESI at the source: modify PendingThresholdProofs to use
e_sm_share_encryption_proofs: HashMap<(usize, usize, usize), Proof> (or similar
tuple) and update expected_e_sm_enc_count accordingly, change
ThresholdProofKind::ESmShareEncryption to include esi_index, and update
store_proof and is_complete to insert/check using the extended key (and any call
sites that construct/consume ESmShareEncryption proof keys) so proofs from
different ESI indices cannot overwrite each other.

🧹 Nitpick comments (4)

templates/default/tests/integration.spec.ts (1)

164-166: Consider replacing the magic duration with a named/configurable constant.
This helps keep test timing knobs centralized (e.g., shared test config or env override) and easier to tune across suites.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/default/tests/integration.spec.ts` around lines 164 - 166, Replace
the magic literal assigned to duration with a named configurable constant so
test timing is centralized; e.g., introduce a constant
(TEST_INPUT_WINDOW_DURATION or similar) or read from a shared test config/env
and use that instead of the hardcoded 300 where duration is passed into
calculateInputWindow(publicClient, duration); update any related references
(duration, calculateInputWindow call) to use the new constant so it's easy to
tune across suites.

crates/keyshare/src/threshold_share_collector.rs (1)

23-23: Consider making the 10‑minute timeout configurable.
Hardcoding 600s may not fit all deployments and can delay failure handling if upstream timeouts are shorter; consider wiring it through config or the parent actor so it can be tuned without a code change.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/keyshare/src/threshold_share_collector.rs` at line 23,
DEFAULT_COLLECTION_TIMEOUT is hardcoded to 600s; make the timeout configurable
by replacing the const with a configurable Duration field (e.g.,
collection_timeout) on the ThresholdShareCollector (or its constructor) and wire
that field from the parent actor or config object instead of using
DEFAULT_COLLECTION_TIMEOUT; update any places that referenced the const (e.g.,
new()/start()/collect_* functions) to use the instance field and add a sensible
default in the parent or config parsing path so existing behavior remains if not
overridden.

crates/events/src/enclave_event/share_computation_proof_signed.rs (1)

14-18: File name no longer matches the struct name.

The file is still named share_computation_proof_signed.rs but the struct has been renamed to DkgProofSigned. Consider renaming the file to dkg_proof_signed.rs (and updating mod.rs accordingly) to keep the naming consistent.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/events/src/enclave_event/share_computation_proof_signed.rs` around
lines 14 - 18, The struct declared is DkgProofSigned but the file is still named
share_computation_proof_signed.rs; rename the file to dkg_proof_signed.rs and
update any module declarations that reference the old file name (e.g., entries
in mod.rs or use paths) to point to dkg_proof_signed so the module name matches
the struct name DkgProofSigned and imports (E3id, SignedProofPayload) continue
to resolve.

crates/tests/tests/integration.rs (1)

580-584: 3000-second timeout for ThresholdShareCreated events may be overly generous.

With C3a/C3b proofs now generated per-party per-recipient per-modulus-row, the proof generation workload has increased significantly, which justifies a larger timeout. However, 3000s (50 minutes) is quite high — if something is actually broken, the test will just hang for a very long time before failing. Consider whether a lower value (e.g., 600–900s) would be sufficient while still catching legitimate slow runs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/tests/tests/integration.rs` around lines 580 - 584, The test uses an
excessively long 3000s timeout for awaiting ThresholdShareCreated events which
can mask failures; change the Duration passed to nodes.take_history_with_timeout
(call site using Duration::from_secs(3000)) to a lower, still-generous value
such as Duration::from_secs(900) (or 600–900s range) to catch real slow runs but
fail faster on broken runs; keep the rest of the call involving shares_timer,
expected, and nodes.take_history_with_timeout unchanged and adjust if you
observe flakiness during CI.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@crates/keyshare/src/threshold_keyshare.rs`:
- Around line 947-972: The ShareEncryptionProofRequest keys built in the loop
over esi_witnesses can collide because (recipient_party_id, row_index) is not
unique across multiple ESI ciphertexts; update the construction in the loop that
builds e_sm_share_encryption_requests (loop over esi_witnesses and pushing
ShareEncryptionProofRequest) to include an esi_index identifier (e.g., add an
esi_index field to ShareEncryptionProofRequest and populate it from the outer
loop index) or, if multiple ESIs are not supported, assert/validate that
esi_witnesses.len() == 1 before building requests to prevent silent overwrites;
touch the ShareEncryptionProofRequest type and all downstream uses that depend
on recipient_party_id/row_index keys to incorporate the new esi_index or enforce
the single‑ESI constraint.

In `@crates/zk-prover/src/actors/proof_request.rs`:
- Around line 52-110: PendingThresholdProofs currently keys C3b proofs by
(recipient_party_id, row_index) which can collide if multiple ESI ciphertexts
(different esi_index) are present; update the data model and logic to include an
esi_index in the C3b key or enforce single‑ESI at the source: modify
PendingThresholdProofs to use e_sm_share_encryption_proofs: HashMap<(usize,
usize, usize), Proof> (or similar tuple) and update expected_e_sm_enc_count
accordingly, change ThresholdProofKind::ESmShareEncryption to include esi_index,
and update store_proof and is_complete to insert/check using the extended key
(and any call sites that construct/consume ESmShareEncryption proof keys) so
proofs from different ESI indices cannot overwrite each other.

---

Nitpick comments:
In `@crates/events/src/enclave_event/share_computation_proof_signed.rs`:
- Around line 14-18: The struct declared is DkgProofSigned but the file is still
named share_computation_proof_signed.rs; rename the file to dkg_proof_signed.rs
and update any module declarations that reference the old file name (e.g.,
entries in mod.rs or use paths) to point to dkg_proof_signed so the module name
matches the struct name DkgProofSigned and imports (E3id, SignedProofPayload)
continue to resolve.

In `@crates/keyshare/src/threshold_share_collector.rs`:
- Line 23: DEFAULT_COLLECTION_TIMEOUT is hardcoded to 600s; make the timeout
configurable by replacing the const with a configurable Duration field (e.g.,
collection_timeout) on the ThresholdShareCollector (or its constructor) and wire
that field from the parent actor or config object instead of using
DEFAULT_COLLECTION_TIMEOUT; update any places that referenced the const (e.g.,
new()/start()/collect_* functions) to use the instance field and add a sensible
default in the parent or config parsing path so existing behavior remains if not
overridden.

In `@crates/tests/tests/integration.rs`:
- Around line 580-584: The test uses an excessively long 3000s timeout for
awaiting ThresholdShareCreated events which can mask failures; change the
Duration passed to nodes.take_history_with_timeout (call site using
Duration::from_secs(3000)) to a lower, still-generous value such as
Duration::from_secs(900) (or 600–900s range) to catch real slow runs but fail
faster on broken runs; keep the rest of the call involving shares_timer,
expected, and nodes.take_history_with_timeout unchanged and adjust if you
observe flakiness during CI.

In `@templates/default/tests/integration.spec.ts`:
- Around line 164-166: Replace the magic literal assigned to duration with a
named configurable constant so test timing is centralized; e.g., introduce a
constant (TEST_INPUT_WINDOW_DURATION or similar) or read from a shared test
config/env and use that instead of the hardcoded 300 where duration is passed
into calculateInputWindow(publicClient, duration); update any related references
(duration, calculateInputWindow call) to use the new constant so it's easy to
tune across suites.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bc8837e and a4c7047.

📒 Files selected for processing (17)

• crates/events/src/enclave_event/compute_request/mod.rs
• crates/events/src/enclave_event/compute_request/zk.rs
• crates/events/src/enclave_event/mod.rs
• crates/events/src/enclave_event/share_computation_proof_signed.rs
• crates/events/src/enclave_event/signed_proof.rs
• crates/events/src/enclave_event/test_event.rs
• crates/events/src/enclave_event/threshold_share_pending.rs
• crates/keyshare/src/threshold_keyshare.rs
• crates/keyshare/src/threshold_share_collector.rs
• crates/multithread/src/multithread.rs
• crates/tests/tests/integration.rs
• crates/trbfv/src/shares/bfv_encrypted.rs
• crates/zk-prover/src/actors/proof_request.rs
• crates/zk-prover/src/config.rs
• examples/CRISP/server/.env.example
• examples/CRISP/test/crisp.spec.ts
• templates/default/tests/integration.spec.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• crates/trbfv/src/shares/bfv_encrypted.rs
• examples/CRISP/test/crisp.spec.ts
• crates/events/src/enclave_event/test_event.rs
• examples/CRISP/server/.env.example

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@templates/default/deploy/default.ts`:
- Around line 93-94: The call to updateE3Config currently uses a
possibly-undefined hre.globalOptions.network (variable chain); instead, resolve
the chain name reliably from the provider (e.g., use hre.getChainId() or
provider.request('eth_chainId') and map to a network name) before calling
updateE3Config so you never pass undefined; update the code that sets chain
(referencing hre.globalOptions.network and variable chain) to fall back to a
provider-derived chain name and then call updateE3Config(chain,
path.join(__dirname, '..', 'enclave.config.yaml'), contractMapping).

In `@templates/default/scripts/test_integration.sh`:
- Around line 22-29: The current line using export $(enclave print-env --chain
localhost) can break values with spaces/newlines; replace this word-splitting
approach by enabling automatic export (set -a), then capture and source the
enclave print-env output so all variables (including those with spaces/newlines)
are preserved; specifically modify the script around the export invocation (the
line with "export $(enclave print-env --chain localhost)") to run set -a, feed
enclave print-env --chain localhost into a shell source/read mechanism, then run
set +a afterwards so the environment is exported safely for the concurrently
block that follows.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a4c7047 and d31bf85.

📒 Files selected for processing (10)

• examples/CRISP/enclave.config.yaml
• packages/enclave-contracts/scripts/utils.ts
• templates/default/deploy/default.ts
• templates/default/deployed_contracts.json
• templates/default/enclave.config.yaml
• templates/default/scripts/dev_ciphernodes.sh
• templates/default/scripts/dev_frontend.sh
• templates/default/scripts/dev_server.sh
• templates/default/scripts/test_integration.sh
• templates/default/tests/integration.spec.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• templates/default/tests/integration.spec.ts