feat: split C2 with wrapper [skip-line-limit]

.github/workflows/ci.yml

@@ -923,7 +923,7 @@ jobs:
           find circuits/bin/evm -name '*.vk' | head -20
 
       - name: Run ZK prover e2e tests
-        run: cargo test -p e3-zk-prover --test local_e2e_tests -- --nocapture
+        run: cargo test -p e3-zk-prover --test local_e2e_tests -- --nocapture --test-threads=1
 
   build_e3_support_dev:
     needs: [detect_changes]

circuits/bin/dkg/Nargo.toml

@@ -1,8 +1,12 @@
 [workspace]
 members = [
     "pk",
-    "sk_share_computation",
-    "e_sm_share_computation",
     "share_encryption",
     "share_decryption",
-]
+    "sk_share_computation_base",
+    "e_sm_share_computation_base",
+    "share_computation_chunk",
+    "share_computation_chunk_batch",
+    "share_computation"
+]
+

circuits/bin/dkg/e_sm_share_computation_base/Nargo.toml

@@ -0,0 +1,7 @@
+[package]
+name = "e_sm_share_computation_base"
+type = "bin"
+authors = [""]
+
+[dependencies]
+lib = { path = "../../../lib" }

circuits/bin/dkg/e_sm_share_computation_base/src/main.nr

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::dkg::{L_THRESHOLD, N, SHARE_COMPUTATION_E_SM_BIT_SECRET};
+use lib::configs::default::{N_PARTIES, T};
+use lib::core::dkg::share_computation::base::SmudgingNoiseShareComputationBase;
+use lib::math::polynomial::Polynomial;
+
+fn main(
+    expected_secret_commitment: pub Field,
+    e_sm_secret: [Polynomial<N>; L_THRESHOLD],
+    // y is public so wrapper can enforce consistency with chunk circuits
+    y: pub [[[Field; N_PARTIES + 1]; L_THRESHOLD]; N],
+) -> pub [[Field; L_THRESHOLD]; N_PARTIES] {
+    let circuit: SmudgingNoiseShareComputationBase<N, L_THRESHOLD, N_PARTIES, T, SHARE_COMPUTATION_E_SM_BIT_SECRET> =
+        SmudgingNoiseShareComputationBase::new(expected_secret_commitment, e_sm_secret, y);
+    circuit.execute()
+}

circuits/bin/dkg/share_computation/Nargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "share_computation"
+type = "bin"
+authors = [""]
+
+[dependencies]
+lib = { path = "../../../lib" }
+bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20260102", directory = "barretenberg/noir/bb_proof_verification" }

circuits/bin/dkg/share_computation/src/main.nr

@@ -0,0 +1,66 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+// Level 2: final_wrapper
+use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_honk_proof_non_zk};
+use lib::configs::default::dkg::SHARE_COMPUTATION_N_BATCHES as N_BATCHES;
+use lib::math::commitments::{compute_recursive_aggregation_commitment, compute_vk_hash};
+
+// Public inputs of each batch wrapper proof (as exposed by `share_computation_chunk_batch`).
+// Layout: [base_key_hash, chunk_key_hash, batch_idx, aggregated_commitment].
+pub global BATCH_WRAPPER_PUBLIC_INPUTS: u32 = 4;
+
+fn main(
+    batch_verification_key: UltraHonkVerificationKey,
+    batch_proofs: [UltraHonkProof; N_BATCHES],
+    batch_public_inputs: [[Field; BATCH_WRAPPER_PUBLIC_INPUTS]; N_BATCHES],
+    batch_key_hash: pub Field,
+) -> pub (Field, Field) {
+    // 1. Verify all batch proofs (non-zk).
+    for i in 0..N_BATCHES {
+        verify_honk_proof_non_zk(
+            batch_verification_key,
+            batch_proofs[i],
+            batch_public_inputs[i],
+            batch_key_hash,
+        );
+    }
+
+    // 2. Assert shared fields are identical across all batches.
+    for i in 1..N_BATCHES {
+        assert(
+            batch_public_inputs[i][0] == batch_public_inputs[0][0],
+            "base_key_hash mismatch across batches",
+        );
+        assert(
+            batch_public_inputs[i][1] == batch_public_inputs[0][1],
+            "chunk_key_hash mismatch across batches",
+        );
+    }
+
+    // 3. Assert batch_idx values are ordered 0..N_BATCHES.
+    for i in 0..N_BATCHES {
+        assert(batch_public_inputs[i][2] == i as Field, "batch_idx out of order");
+    }
+
+    // 4. Fold all per-batch aggregated_commitment values into a single commitment.
+    let mut commitments = Vec::new();
+    for i in 0..N_BATCHES {
+        commitments.push(batch_public_inputs[i][3]);
+    }
+    let final_commitment = compute_recursive_aggregation_commitment(commitments);
+
+    // 5. Hash the full VK chain: inner VK hashes (base, chunk) from batch public
+    //    inputs + the batch VK hash that verified this level. This combined fingerprint
+    //    lets the verifier check the entire proof genealogy.
+    let mut vk_hashes: Vec<Field> = Vec::new();
+    vk_hashes.push(batch_public_inputs[0][0]); // base_key_hash (same across all batches)
+    vk_hashes.push(batch_public_inputs[0][1]); // chunk_key_hash (same across all batches)
+    vk_hashes.push(batch_key_hash); // VK hash of the batch circuit that produced these proofs
+    let key_hash = compute_vk_hash(vk_hashes);
+
+    (key_hash, final_commitment)
+}

circuits/bin/dkg/share_computation_chunk/Nargo.toml

@@ -0,0 +1,7 @@
+[package]
+name = "share_computation_chunk"
+type = "bin"
+authors = [""]
+
+[dependencies]
+lib = { path = "../../../lib" }

circuits/bin/dkg/share_computation_chunk/src/main.nr

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::dkg::{
+    L_THRESHOLD, PARITY_MATRIX, SHARE_COMPUTATION_BIT_SHARE, SHARE_COMPUTATION_CHUNK_CONFIGS,
+    SHARE_COMPUTATION_CHUNK_SIZE,
+};
+use lib::configs::default::{N_PARTIES, T};
+use lib::core::dkg::share_computation::chunk::ShareComputationChunk;
+
+fn main(
+    // y_chunk is public so wrapper can enforce consistency with base circuit
+    y_chunk: pub [[[Field; N_PARTIES + 1]; L_THRESHOLD]; SHARE_COMPUTATION_CHUNK_SIZE],
+) {
+    let circuit: ShareComputationChunk<L_THRESHOLD, N_PARTIES, T, SHARE_COMPUTATION_BIT_SHARE, SHARE_COMPUTATION_CHUNK_SIZE> =
+        ShareComputationChunk::new(SHARE_COMPUTATION_CHUNK_CONFIGS, y_chunk, PARITY_MATRIX);
+    circuit.execute()
+}

circuits/bin/dkg/share_computation_chunk_batch/Nargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "share_computation_chunk_batch"
+type = "bin"
+authors = [""]
+
+[dependencies]
+lib = { path = "../../../lib" }
+bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20260102", directory = "barretenberg/noir/bb_proof_verification" }

circuits/bin/dkg/share_computation_chunk_batch/src/main.nr

@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+// Level 1: chunk_batch_wrapper
+
+use bb_proof_verification::{UltraHonkVerificationKey, UltraHonkZKProof, verify_honk_proof};
+use lib::configs::default::dkg::{
+    L_THRESHOLD, N, SHARE_COMPUTATION_CHUNK_SIZE,
+    SHARE_COMPUTATION_CHUNKS_PER_BATCH as CHUNKS_PER_BATCH,
+};
+use lib::configs::default::N_PARTIES;
+use lib::math::commitments::compute_recursive_aggregation_commitment;
+
+pub global BASE_PUBLIC_INPUTS: u32 =
+    1 + (N * L_THRESHOLD * (N_PARTIES + 1)) + (N_PARTIES * L_THRESHOLD);
+
+pub global CHUNK_PUBLIC_INPUTS: u32 = SHARE_COMPUTATION_CHUNK_SIZE * L_THRESHOLD * (N_PARTIES + 1);
+
+// Each batch wrapper takes:
+// - base proof (for y consistency)
+// - CHUNKS_PER_BATCH chunk proofs
+// - CHUNK_BATCH_IDX to know which y slice to check
+
+fn main(
+    base_verification_key: UltraHonkVerificationKey,
+    base_proof: UltraHonkZKProof,
+    base_public_inputs: [Field; BASE_PUBLIC_INPUTS],
+    base_key_hash: pub Field,
+    chunk_verification_key: UltraHonkVerificationKey,
+    chunk_proofs: [UltraHonkZKProof; CHUNKS_PER_BATCH],
+    chunk_public_inputs: [[Field; CHUNK_PUBLIC_INPUTS]; CHUNKS_PER_BATCH],
+    chunk_key_hash: pub Field,
+    batch_idx: pub u32, // which batch this is
+) -> pub Field {
+    // Verify base proof
+    verify_honk_proof(
+        base_verification_key,
+        base_proof,
+        base_public_inputs,
+        base_key_hash,
+    );
+
+    // Verify each chunk in this batch and enforce y consistency
+    for i in 0..CHUNKS_PER_BATCH {
+        verify_honk_proof(
+            chunk_verification_key,
+            chunk_proofs[i],
+            chunk_public_inputs[i],
+            chunk_key_hash,
+        );
+
+        let chunk_idx = batch_idx * CHUNKS_PER_BATCH + i;
+        let base_y_start = 1 + chunk_idx * CHUNK_PUBLIC_INPUTS;
+        for j in 0..CHUNK_PUBLIC_INPUTS {
+            assert(
+                base_public_inputs[base_y_start + j] == chunk_public_inputs[i][j],
+                "y consistency check failed",
+            );
+        }
+    }
+
+    // Aggregate public inputs
+    let mut aggregated_public_inputs = Vec::new();
+    for i in 0..BASE_PUBLIC_INPUTS {
+        aggregated_public_inputs.push(base_public_inputs[i]);
+    }
+    for i in 0..CHUNKS_PER_BATCH {
+        for j in 0..CHUNK_PUBLIC_INPUTS {
+            aggregated_public_inputs.push(chunk_public_inputs[i][j]);
+        }
+    }
+
+    compute_recursive_aggregation_commitment(aggregated_public_inputs)
+}

circuits/bin/dkg/sk_share_computation_base/Nargo.toml

@@ -0,0 +1,7 @@
+[package]
+name = "sk_share_computation_base"
+type = "bin"
+authors = [""]
+
+[dependencies]
+lib = { path = "../../../lib" }

circuits/bin/dkg/sk_share_computation_base/src/main.nr

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::dkg::{L_THRESHOLD, N, SHARE_COMPUTATION_SK_BIT_SECRET};
+use lib::configs::default::{N_PARTIES, T};
+use lib::core::dkg::share_computation::base::SecretKeyShareComputationBase;
+use lib::math::polynomial::Polynomial;
+
+fn main(
+    expected_secret_commitment: pub Field,
+    sk_secret: Polynomial<N>,
+    // y is public so wrapper can enforce consistency with chunk circuits
+    y: pub [[[Field; N_PARTIES + 1]; L_THRESHOLD]; N],
+) -> pub [[Field; L_THRESHOLD]; N_PARTIES] {
+    let circuit: SecretKeyShareComputationBase<N, L_THRESHOLD, N_PARTIES, T, SHARE_COMPUTATION_SK_BIT_SECRET> =
+        SecretKeyShareComputationBase::new(expected_secret_commitment, sk_secret, y);
+    circuit.execute()
+}

circuits/bin/recursive_aggregation/wrapper/dkg/share_computation/src/main.nr

@@ -5,13 +5,13 @@
 // or FITNESS FOR A PARTICULAR PURPOSE.
 
 use bb_proof_verification::{UltraHonkVerificationKey, UltraHonkZKProof, verify_honk_proof};
-use lib::configs::default::dkg::L_THRESHOLD;
-use lib::{configs::default::N_PARTIES, math::commitments::compute_recursive_aggregation_commitment};
+use lib::math::commitments::compute_recursive_aggregation_commitment;
 
-// Number of proofs.
+// Each SK/ESM final C2 proof is wrapped individually after the two-level pipeline.
 pub global N_PROOFS: u32 = 1;
-/// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = (L_THRESHOLD * N_PARTIES) + 1;
+// The final share_computation circuit exposes 3 public outputs:
+//   batch_key_hash (pub param) + (key_hash, commitment) return tuple.
+pub global N_PUBLIC_INPUTS: u32 = 3;
 
 fn main(
     verification_key: UltraHonkVerificationKey,