refactor: proof integration cleanup

[ctrlc03]

fix #1380

Summary by CodeRabbit

• Bug Fixes

  • Fixed field naming inconsistencies in decryption proof handling to ensure correct data alignment during verification processes.

• Refactor

  • Improved internal naming conventions and code structure to enhance maintainability and reduce future errors.

• Chores

  • Updated documentation and test references to reflect standardized naming conventions.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
crisp	Ready	Preview, Comment	Mar 16, 2026 4:04pm
enclave-docs	Ready	Preview, Comment	Mar 16, 2026 4:04pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR renames ProofType enum variants from T-prefixed notation (T2, T5, T6) to C-prefixed notation (C4, C6, C7) and fixes a field name typo from signed_esm_decryption_proofs to signed_e_sm_decryption_proofs across multiple modules. A significant refactor introduces a generic VerifiableParty trait in share verification logic to consolidate duplicate verification paths.

Changes

Cohort / File(s)	Summary
Proof Type Enum Renames crates/events/src/enclave_event/signed_proof.rs, crates/zk-prover/src/actors/proof_request.rs	Renamed ProofType enum variants: T2DkgShareDecryption → C4DkgShareDecryption, T5ShareDecryption → C6ThresholdShareDecryption, T6DecryptedSharesAggregation → C7DecryptedSharesAggregation. Updated circuit_names and slash_reason mappings accordingly. Updated unit tests to reference new variant names.
Field Name Fixes (signed_esm → signed_e_sm) crates/events/src/enclave_event/compute_request/zk.rs, crates/events/src/enclave_event/decryption_key_shared.rs, crates/keyshare/src/threshold_keyshare.rs, crates/multithread/src/multithread.rs	Fixed typo in public/internal field name from signed_esm_decryption_proofs to signed_e_sm_decryption_proofs in PartyShareDecryptionProofsToVerify, DecryptionKeyShared, and related structures. Updated all references to use corrected field name.
Share Verification Refactor crates/zk-prover/src/actors/share_verification.rs	Introduced generic VerifiableParty trait with party_id() and signed_proofs() methods. Implemented for PartyProofsToVerify and PartyShareDecryptionProofsToVerify. Replaced separate verify_share_proofs and verify_decryption_proofs methods with unified generic verify_proofs<P: VerifiableParty> method, consolidating verification logic and reducing duplication.
Documentation Update crates/trbfv/src/gen_pk_share_and_sk_sss.rs	Updated documentation comments for pk0_share_raw, sk_raw, and eek_raw fields from T1a context reference to C1 context.
Test Updates packages/enclave-contracts/test/Slashing/CommitteeExpulsion.spec.ts	Updated test comment to reference C6ThresholdShareDecryption instead of T5ShareDecryption (value remains unchanged).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: finalisation proofs [skip-line-limit] #1377: Modifies the same proof-related API surface — renaming ProofType variants (T2/T5/T6 → C4/C6/C7) and the signed_esm_decryption_proofs field, directly overlapping verification flow changes.
• chore: refactor proof gen to zk-prover [skip-line-limit] #1372: Renames the DecryptionKeyShared/PartyShareDecryptionProofsToVerify field from signed_esm_decryption_proofs to signed_e_sm_decryption_proofs and updates ProofType variants across the same ZK prover and keyshare integration.
• refactor: missing circuits in zk-prover [skip-line-limit] #1317: Modifies signed_proof.rs with proof and circuit naming updates — shares the same enum variant renaming pattern and test updates.

Suggested labels

ciphernode

Suggested reviewers

• hmzakhalid
• cedoor

Poem

🐰 From T's to C's, the proofs align,

A typo squashed, proof names now shine,

VerifiableParty takes the stage,

Unifying code, page by page,

Cleaner debt, refactored and wise! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'refactor: proof integration cleanup' is directly related to the main changes which address proof integration code debt including naming inconsistencies and field renames.
Linked Issues check	✅ Passed	All coding changes align with issue #1380 objectives: naming inconsistencies resolved (T→C variants), full circuit names applied, and duplicate verification logic consolidated via VerifiableParty trait.
Out of Scope Changes check	✅ Passed	All changes are scoped to proof integration cleanup: field renames, enum variant renames, trait introduction for verification consolidation, and corresponding documentation updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch refactor/proofs-integration-cleanup

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

crates/zk-prover/src/actors/share_verification.rs (1)

198-253: Cache signed_proofs() once per passed party to avoid repeated allocations.

The current implementation rebuilds cloned proof vectors multiple times per party across validation/address/hash steps. Consider caching once and reusing.

♻️ Suggested refactor

-        let mut ecdsa_passed_parties = Vec::new();
+        let mut ecdsa_passed_parties = Vec::new();
+        let mut proofs_by_party: HashMap<u64, Vec<SignedProofPayload>> = HashMap::new();
@@
-        for party in &party_proofs {
-            let proofs = party.signed_proofs();
-            let result =
-                self.ecdsa_validate_signed_proofs(party.party_id(), &proofs, &e3_id_str, label);
+        for party in &party_proofs {
+            let party_id = party.party_id();
+            let proofs = party.signed_proofs();
+            let result = self.ecdsa_validate_signed_proofs(party_id, &proofs, &e3_id_str, label);
             if result.passed {
                 ecdsa_passed_parties.push(party.clone());
+                proofs_by_party.insert(party_id, proofs);
             } else {
-                ecdsa_dishonest.insert(party.party_id());
+                ecdsa_dishonest.insert(party_id);
                 if let Some((ref signed, addr)) = result.failed_payload {
-                    self.emit_signed_proof_failed(&e3_id, signed, addr, party.party_id(), &ec);
+                    self.emit_signed_proof_failed(&e3_id, signed, addr, party_id, &ec);
                 }
             }
         }
@@
-        for party in &party_proofs {
-            if !ecdsa_dishonest.contains(&party.party_id()) {
-                let proofs = party.signed_proofs();
-                if let Some(first_signed) = proofs.first() {
+        for party in &ecdsa_passed_parties {
+            let party_id = party.party_id();
+            if let Some(proofs) = proofs_by_party.get(&party_id) {
+                if let Some(first_signed) = proofs.first() {
                     if let Ok(addr) = first_signed.recover_address() {
-                        party_addresses.insert(party.party_id(), addr);
+                        party_addresses.insert(party_id, addr);
                     }
                 }
             }
         }
@@
         let mut party_proof_hashes: HashMap<u64, Vec<(ProofType, [u8; 32])>> = HashMap::new();
         for party in &ecdsa_passed_parties {
-            let hashes: Vec<(ProofType, [u8; 32])> = party
-                .signed_proofs()
-                .iter()
+            let party_id = party.party_id();
+            let Some(proofs) = proofs_by_party.get(&party_id) else {
+                continue;
+            };
+            let hashes: Vec<(ProofType, [u8; 32])> = proofs
+                .iter()
                 .map(|signed| {
                     let msg = (
                         Bytes::copy_from_slice(&signed.payload.proof.data),
                         Bytes::copy_from_slice(&signed.payload.proof.public_signals),
                     )
                         .abi_encode();
                     (signed.payload.proof_type, keccak256(&msg).into())
                 })
                 .collect();
-            party_proof_hashes.insert(party.party_id(), hashes);
+            party_proof_hashes.insert(party_id, hashes);
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/zk-prover/src/actors/share_verification.rs` around lines 198 - 253,
The code repeatedly calls party.signed_proofs() and clones the proof vectors
multiple times; cache each passed party's signed_proofs once and reuse it for
address recovery and proof-hash computation. After you build
ecdsa_passed_parties, create a HashMap<u64, Vec<_>> (keyed by party.party_id())
populated with party.signed_proofs() for each party in ecdsa_passed_parties,
then use that cached map instead of calling party.signed_proofs() again in the
address-recovery loop and the party_proof_hashes construction; leave the
existing failed-path that calls emit_signed_proof_failed / result.failed_payload
unchanged. Ensure you reference ecdsa_passed_parties, party_addresses,
party_proof_hashes, and ecdsa_validate_signed_proofs when applying the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/events/src/enclave_event/decryption_key_shared.rs`:
- Line 33: The serialized field was renamed to signed_e_sm_decryption_proofs
which will break deserialization of older payloads using
signed_esm_decryption_proofs; add a serde alias on the struct field declaration
(the field named signed_e_sm_decryption_proofs in the
DecryptionKeyShared/enclave_event struct in decryption_key_shared.rs) using
#[serde(alias = "signed_esm_decryption_proofs")] so both old and new names
deserialize correctly while keeping the Rust field name unchanged.

---

Nitpick comments:
In `@crates/zk-prover/src/actors/share_verification.rs`:
- Around line 198-253: The code repeatedly calls party.signed_proofs() and
clones the proof vectors multiple times; cache each passed party's signed_proofs
once and reuse it for address recovery and proof-hash computation. After you
build ecdsa_passed_parties, create a HashMap<u64, Vec<_>> (keyed by
party.party_id()) populated with party.signed_proofs() for each party in
ecdsa_passed_parties, then use that cached map instead of calling
party.signed_proofs() again in the address-recovery loop and the
party_proof_hashes construction; leave the existing failed-path that calls
emit_signed_proof_failed / result.failed_payload unchanged. Ensure you reference
ecdsa_passed_parties, party_addresses, party_proof_hashes, and
ecdsa_validate_signed_proofs when applying the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cc496e8c-71c3-4fab-bc77-ad4f29e3d391

📥 Commits

Reviewing files that changed from the base of the PR and between e06bcbc and 687b910.

📒 Files selected for processing (9)

• crates/events/src/enclave_event/compute_request/zk.rs
• crates/events/src/enclave_event/decryption_key_shared.rs
• crates/events/src/enclave_event/signed_proof.rs
• crates/keyshare/src/threshold_keyshare.rs
• crates/multithread/src/multithread.rs
• crates/trbfv/src/gen_pk_share_and_sk_sss.rs
• crates/zk-prover/src/actors/proof_request.rs
• crates/zk-prover/src/actors/share_verification.rs
• packages/enclave-contracts/test/Slashing/CommitteeExpulsion.spec.ts

[cedoor]

utACK