feat: onchain verification for C7, C5 [skip-line-limit]

circuits/lib/src/configs/default/mod.nr

@@ -13,4 +13,4 @@ pub use super::insecure::threshold;
 
 /// Max number of non-zero coefficients in the message polynomial.
 /// This is a conservative estimate that should be okay for most use cases.
-pub global MAX_MSG_NON_ZERO_COEFFS: u32 = 80;
+pub global MAX_MSG_NON_ZERO_COEFFS: u32 = 100;

circuits/lib/src/core/threshold/pk_aggregation.nr

@@ -23,8 +23,9 @@ impl<let L: u32> Configs<L> {
 /// Public Key Aggregation (Circuit 5).
 ///
 /// Verifies that for each CRT basis l and each coefficient i:
-/// - pk0_agg[l][i] = sum_h(pk0[h][l][i]) mod q_l
-/// - pk1_agg[l][i] = sum_h(pk1[h][l][i]) mod q_l
+/// - pk0_agg[l][i] = sum_h(pk0[h][l][i]) mod q_l (witnesses use centered coefficients; aggregation
+///   uses a half-q shift so [`ModU128::reduce_mod`] sees small non-negative integers)
+/// - pk1_agg[l][i] = pk1[0][l][i] (all parties share pk1 = a, aggregated pk1 = a)
 pub struct PkAggregation<let N: u32, let H: u32, let L: u32, let BIT_PK: u32> {
     /// Circuit parameters including CRT moduli
     configs: Configs<L>,
@@ -74,7 +75,7 @@ impl<let N: u32, let H: u32, let L: u32, let BIT_PK: u32> PkAggregation<N, H, L,
         }
     }
 
-    fn verify_pk_for_basis(
+    fn verify_pk0_for_basis(
         self,
         pk: [[Polynomial<N>; L]; H],
         pk_agg: [Polynomial<N>; L],
@@ -83,21 +84,33 @@ impl<let N: u32, let H: u32, let L: u32, let BIT_PK: u32> PkAggregation<N, H, L,
         let q_l = self.configs.qis[basis_idx];
         let mod_q_l = ModU128::new(q_l);
 
+        let half_qi: Field = (q_l - 1) / 2;
+        let h_half_qi: Field = H as Field * half_qi;
+
         for coeff_idx in 0..N {
-            // Sum pk coefficients from all honest parties
-            let mut sum_pk: Field = 0;
+            let mut sum_shifted: Field = 0;
             for party_idx in 0..H {
-                sum_pk = sum_pk + pk[party_idx][basis_idx].coefficients[coeff_idx];
+                sum_shifted =
+                    sum_shifted + pk[party_idx][basis_idx].coefficients[coeff_idx] + half_qi;
             }
+            let sum_reduced = mod_q_l.reduce_mod(sum_shifted);
 
-            // Reduce mod q_l
-            let sum_pk_reduced = mod_q_l.reduce_mod(sum_pk);
+            let expected =
+                mod_q_l.reduce_mod(pk_agg[basis_idx].coefficients[coeff_idx] + h_half_qi);
+            assert(sum_reduced == expected, "pk0 aggregation mismatch");
+        }
+    }
 
-            // Verify equality
-            assert(
-                sum_pk_reduced == pk_agg[basis_idx].coefficients[coeff_idx],
-                "pk aggregation mismatch",
-            );
+    /// pk1 is the same (a) for all parties; pk1_agg = a
+    fn verify_pk1(self, basis_idx: u32) {
+        for coeff_idx in 0..N {
+            for party_idx in 0..H {
+                assert(
+                    self.pk1[party_idx][basis_idx].coefficients[coeff_idx]
+                        == self.pk1_agg[basis_idx].coefficients[coeff_idx],
+                    "pk1 mismatch",
+                );
+            }
         }
     }
 
@@ -107,10 +120,10 @@ impl<let N: u32, let H: u32, let L: u32, let BIT_PK: u32> PkAggregation<N, H, L,
         // 0. Verify pk commitments
         self.verify_pk_commitments();
 
-        // 1. Verify pk0 & pk1 aggregations for each CRT basis
+        // 1. Verify pk0 aggregation (sum) and pk1 (all equal to a, pk1_agg = a)
         for basis_idx in 0..L {
-            self.verify_pk_for_basis(self.pk0, self.pk0_agg, basis_idx);
-            self.verify_pk_for_basis(self.pk1, self.pk1_agg, basis_idx);
+            self.verify_pk0_for_basis(self.pk0, self.pk0_agg, basis_idx);
+            self.verify_pk1(basis_idx);
         }
 
         // 2. Commit to aggregated threshold public key

crates/aggregator/Cargo.toml

@@ -22,6 +22,7 @@ e3-trbfv = { workspace = true }
 e3-bfv-client = { workspace = true }
 e3-request = { workspace = true }
 e3-sortition = {  workspace = true }
+e3-zk-helpers = { workspace = true }
 e3-utils = { workspace = true }
 serde = { workspace = true }
 tracing = { workspace = true }

crates/aggregator/src/proof_fold.rs

@@ -9,7 +9,7 @@ use e3_events::{
     prelude::*, BusHandle, ComputeRequest, CorrelationId, E3id, EventContext, Proof, Sequenced,
     ZkRequest,
 };
-use tracing::{error, info, warn};
+use tracing::{error, info};
 
 /// Manages the state of a sequential `FoldProofs` operation.
 ///
@@ -28,6 +28,9 @@ pub struct ProofFoldState {
     total_steps: Option<usize>,
     /// Set when all fold steps have completed.
     pub result: Option<Proof>,
+    /// `start` was called with zero proofs — folding is complete with no aggregate.
+    #[serde(default)]
+    pub fold_input_was_empty: bool,
 }
 
 impl ProofFoldState {
@@ -38,6 +41,7 @@ impl ProofFoldState {
             remaining: Vec::new(),
             total_steps: None,
             result: None,
+            fold_input_was_empty: false,
         }
     }
 
@@ -59,7 +63,7 @@ impl ProofFoldState {
 
     /// Begin folding `proofs` sequentially.
     ///
-    /// - 0 proofs → `result` stays `None`
+    /// - 0 proofs → `result` stays `None`, `fold_input_was_empty` is set (caller can treat fold as done)
     /// - 1 proof  → `result` is set immediately, no ZK request dispatched
     /// - N proofs → first fold step dispatched; subsequent steps follow via `handle_response`
     pub fn start(
@@ -70,9 +74,17 @@ impl ProofFoldState {
         e3_id: &E3id,
         ec: &EventContext<Sequenced>,
     ) -> Result<()> {
+        self.correlation = None;
+        self.accumulated = None;
+        self.remaining.clear();
+        self.total_steps = None;
+        self.result = None;
+        self.fold_input_was_empty = false;
+
         match proofs.len() {
             0 => {
                 info!("{label}: no proofs to fold");
+                self.fold_input_was_empty = true;
                 Ok(())
             }
             1 => {