theinterfold · ctrlc03 · Mar 31, 2026 · Mar 29, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/crates/events/src/enclave_event/proof.rs b/crates/events/src/enclave_event/proof.rs
@@ -53,7 +53,8 @@ impl Proof {
     /// Extract a named public input field from this proof's public signals.
     ///
     /// Public inputs sit at the **start** of `public_signals`, before any
-    /// return values.
+    /// return values.  The field name must match one declared in the circuit's
+    /// [`CircuitInputLayout`].
     pub fn extract_input(&self, field_name: &str) -> Option<ArcBytes> {
         let layout = self.circuit.input_layout();
         layout
@@ -180,6 +181,8 @@ impl CircuitName {
         format!("recursive_aggregation/wrapper/{}", self.dir_path())
     }
 
+    /// Public input layout for this circuit.
+    ///
     /// Public output (return value) layout for this circuit.
     pub fn output_layout(&self) -> CircuitOutputLayout {
         match self {
@@ -344,4 +347,43 @@ mod tests {
         let proof = make_proof(CircuitName::PkGeneration, &[]);
         assert!(proof.extract_output("pk_commitment").is_none());
     }
+
+    #[test]
+    fn input_layout_share_encryption() {
+        let layout = CircuitName::ShareEncryption.input_layout();
+        assert_eq!(layout.field_count(), Some(2));
+    }
+
+    #[test]
+    fn input_layout_other_circuits_none() {
+        assert_eq!(CircuitName::PkBfv.input_layout().field_count(), Some(0));
+        assert_eq!(
+            CircuitName::PkGeneration.input_layout().field_count(),
+            Some(0)
+        );
+    }
+
+    #[test]
+    fn extract_input_from_share_encryption() {
+        // C3: 2 pub inputs at HEAD + rest of signals
+        let mut signals = vec![0u8; 96];
+        signals[0..32].copy_from_slice(&[0xAA; 32]); // expected_pk_commitment
+        signals[32..64].copy_from_slice(&[0xBB; 32]); // expected_message_commitment
+
+        let proof = make_proof(CircuitName::ShareEncryption, &signals);
+        assert_eq!(
+            &*proof.extract_input("expected_pk_commitment").unwrap(),
+            &[0xAA; 32]
+        );
+        assert_eq!(
+            &*proof.extract_input("expected_message_commitment").unwrap(),
+            &[0xBB; 32]
+        );
+    }
+
+    #[test]
+    fn extract_input_from_non_input_circuit() {
+        let proof = make_proof(CircuitName::PkBfv, &[0u8; 32]);
+        assert!(proof.extract_input("anything").is_none());
+    }
 }
diff --git a/crates/zk-helpers/src/circuits/output_layout.rs b/crates/zk-helpers/src/circuits/output_layout.rs
@@ -110,42 +110,6 @@ impl CircuitOutputLayout {
     }
 }
 
-// ── Public input layout (fields at the HEAD of public_signals) ──────────────
-
-/// Describes the public input fields of a circuit.
-/// Inputs sit at the **start** of `public_signals`, before any return values.
-#[derive(Debug, Clone, PartialEq, Eq, Hash)]
-pub enum CircuitInputLayout {
-    /// Fixed number of named `Field`-sized inputs, known at compile time.
-    Fixed { fields: &'static [OutputField] },
-    /// No known public input layout.
-    None,
-}
-
-impl CircuitInputLayout {
-    /// Extract a named public input field from raw `public_signals` bytes.
-    /// Inputs sit at the **start** of `public_signals`.
-    pub fn extract_field<'a>(&self, public_signals: &'a [u8], name: &str) -> Option<&'a [u8]> {
-        let fields = match self {
-            CircuitInputLayout::Fixed { fields } => fields,
-            _ => return None,
-        };
-        let idx = fields.iter().position(|f| f.name == name)?;
-        let offset = idx * FIELD_BYTE_LEN;
-        let end = offset + FIELD_BYTE_LEN;
-        if public_signals.len() < end {
-            return None;
-        }
-        Some(&public_signals[offset..end])
-    }
-}
-
-/// C3 — Share encryption public inputs.
-pub const SHARE_ENCRYPTION_INPUTS: &[OutputField] = &[
-    f("expected_pk_commitment"),
-    f("expected_message_commitment"),
-];
-
 /// C6 — Threshold share decryption public inputs.
 pub const THRESHOLD_SHARE_DECRYPTION_INPUTS: &[OutputField] =
     &[f("expected_sk_commitment"), f("expected_e_sm_commitment")];
@@ -178,6 +142,61 @@ pub const PK_AGGREGATION_OUTPUTS: &[OutputField] = &[f("commitment")];
 /// C6 — Threshold share decryption (prefix commitment to `d`, per CRT limb).
 pub const THRESHOLD_SHARE_DECRYPTION_OUTPUTS: &[OutputField] = &[f("d_commitment")];
 
+// ── Per-circuit input field constants ───────────────────────────────────────
+
+/// C3 — Share encryption public inputs (at HEAD of `public_signals`).
+pub const SHARE_ENCRYPTION_INPUTS: &[OutputField] = &[
+    f("expected_pk_commitment"),
+    f("expected_message_commitment"),
+];
+
+/// Describes the public input layout of a circuit.
+///
+/// Unlike [`CircuitOutputLayout`] which indexes from the TAIL of
+/// `public_signals`, input fields sit at the HEAD.
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub enum CircuitInputLayout {
+    /// Fixed number of `Field`-sized inputs, names known at compile time.
+    Fixed { fields: &'static [OutputField] },
+    /// The circuit has no named public inputs (or they are not tracked).
+    None,
+}
+
+impl CircuitInputLayout {
+    /// Number of fixed input fields, or `None` for void layouts.
+    pub fn field_count(&self) -> Option<usize> {
+        match self {
+            CircuitInputLayout::Fixed { fields } => Some(fields.len()),
+            CircuitInputLayout::None => Some(0),
+        }
+    }
+
+    /// Look up a field index by name.
+    pub fn field_index(&self, name: &str) -> Option<usize> {
+        match self {
+            CircuitInputLayout::Fixed { fields } => fields.iter().position(|f| f.name == name),
+            _ => None,
+        }
+    }
+
+    /// Extract a named input field from raw `public_signals` bytes.
+    ///
+    /// Input fields sit at the **beginning** of `public_signals`.
+    /// This method indexes from the head (offset = idx * FIELD_BYTE_LEN).
+    pub fn extract_field<'a>(&self, public_signals: &'a [u8], name: &str) -> Option<&'a [u8]> {
+        let fields = match self {
+            CircuitInputLayout::Fixed { fields } => fields,
+            _ => return None,
+        };
+        let idx = fields.iter().position(|f| f.name == name)?;
+        let offset = idx * FIELD_BYTE_LEN;
+        if public_signals.len() < offset + FIELD_BYTE_LEN {
+            return None;
+        }
+        Some(&public_signals[offset..offset + FIELD_BYTE_LEN])
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -332,6 +351,31 @@ mod tests {
         );
     }
 
+    // ── CircuitInputLayout tests ────────────────────────────────────────
+
+    #[test]
+    fn extract_input_field_from_head() {
+        let layout = CircuitInputLayout::Fixed {
+            fields: SHARE_ENCRYPTION_INPUTS,
+        };
+        let mut signals = vec![0u8; 128];
+        signals[0..32].copy_from_slice(&[0xAA; 32]);
+        signals[32..64].copy_from_slice(&[0xBB; 32]);
+
+        assert_eq!(
+            layout
+                .extract_field(&signals, "expected_pk_commitment")
+                .unwrap(),
+            &[0xAA; 32]
+        );
+        assert_eq!(
+            layout
+                .extract_field(&signals, "expected_message_commitment")
+                .unwrap(),
+            &[0xBB; 32]
+        );
+    }
+
     #[test]
     fn extract_c6_public_inputs_via_input_layout() {
         let layout = CircuitInputLayout::Fixed {
@@ -366,6 +410,45 @@ mod tests {
             .is_none());
     }
 
+    #[test]
+    fn input_layout_nonexistent_field_returns_none() {
+        let layout = CircuitInputLayout::Fixed {
+            fields: SHARE_ENCRYPTION_INPUTS,
+        };
+        let signals = vec![0u8; 64];
+        assert!(layout.extract_field(&signals, "nonexistent").is_none());
+    }
+
+    #[test]
+    fn input_layout_none_returns_none() {
+        let layout = CircuitInputLayout::None;
+        let signals = vec![0u8; 64];
+        assert!(layout.extract_field(&signals, "anything").is_none());
+    }
+
+    #[test]
+    fn input_signals_too_short_returns_none() {
+        let layout = CircuitInputLayout::Fixed {
+            fields: SHARE_ENCRYPTION_INPUTS,
+        };
+        let signals = vec![0u8; 32];
+        assert!(layout
+            .extract_field(&signals, "expected_message_commitment")
+            .is_none());
+    }
+
+    #[test]
+    fn input_field_count() {
+        assert_eq!(
+            CircuitInputLayout::Fixed {
+                fields: SHARE_ENCRYPTION_INPUTS
+            }
+            .field_count(),
+            Some(2)
+        );
+        assert_eq!(CircuitInputLayout::None.field_count(), Some(0));
+    }
+
     /// C7 (`DecryptedSharesAggregation`) has no `-> pub` return values; metadata uses `None`.
     #[test]
     fn c7_void_output_extract_field_returns_none() {