feat: link C2 to C3/C4 [skip-line-limit]

agent/flow-trace/04_DKG_AND_COMPUTATION.md

@@ -262,6 +262,16 @@ ProofRequestActor receives ThresholdSharePending
    → Ensures no incomplete data is gossiped
 ```
 
+**C2 inner vs wrapper:** For each C2a/C2b request, the prover builds a **recursive** proof for
+`sk_share_computation` / `e_sm_share_computation`. That **inner** `Proof` is what
+`PendingThresholdProofs` stores and what gets ECDSA-signed for gossip
+(`ProofType::C2aSkShareComputation` / `C2bESmShareComputation`). When node proof aggregation is
+enabled, the prover also returns a **wrapper** proof (`CircuitName::ShareComputation`); the actor
+publishes `DKGInnerProofReady` with that wrapper for folding, but does not replace the signed inner
+payload. Verifiers treat C2a/C2b as allowing both inner and wrapper circuit names
+(`ProofType::circuit_names()`); multithread ZK verify uses standard `bb verify` for inner circuits
+and the wrapper VK path when the bundle’s circuit is `ShareComputation`.
+
 ### Step 6: Collect All Threshold Shares (with C2/C3 Verification)
 
 ```
@@ -327,7 +337,14 @@ ShareVerificationActor receives ShareVerificationDispatched(kind=ShareProofs)
 │   │
 │   ├─ CommitmentConsistencyChecker (per-E3 actor) receives this:
 │   │   ├─ Caches each party's (address, proof_type) → {public_signals, data_hash}
-│   │   ├─ Evaluates all registered CommitmentLinks (e.g. C1→C5 pk_commitment)
+│   │   ├─ Evaluates all registered CommitmentLinks:
+│   │   │     C0→C3  (SourceMustExistInTargets): C3's expected_pk_commitment ∈ any C0 pk_commitment
+│   │   │     C1→C5  (CrossParty):               C1's pk_commitment ∈ C5 expected pk inputs
+│   │   │     C2→C3  (SameParty):                C3's expected_message_commitment ∈ C2's share commitments
+│   │   │     C2→C4  (SourceMustExistInTargets): C2's L share commitments for recipient R exactly
+│   │   │                                         match C4_R's expected_commitments row for sender X
+│   │   │     C6→C7  (CrossParty):                C6's d_commitment matches C7's expected_d_commitment
+│   │   │
 │   │   ├─ On mismatch: publishes CommitmentConsistencyViolation
 │   │   │   → AccusationManager initiates accusation quorum (see Part 5)
 │   │   └─ Responds with CommitmentConsistencyCheckComplete { inconsistent_parties }
@@ -342,7 +359,8 @@ ShareVerificationActor receives ShareVerificationDispatched(kind=ShareProofs)
 │   │     party_proofs, // consistency-passing parties' ZK proof data
 │   │   })
 │   │
-│   ├─ ZkActor verifies each proof via: bb verify -k vk -p proof
+│   ├─ Multithread ZK verify: inner circuits → `bb verify` with recursive VK;
+│   │   `ShareComputation` (wrapper) → wrapper VK / `verify_wrapper_proof` path
 │   │   → Returns per-party pass/fail results
 │   │
 │   └─ On ComputeResponse:
@@ -812,7 +830,7 @@ Slash Reasons by Proof Type:
 │  ├─ Subscribes to *Pending events (proof requests)                 │
 │  ├─ Dispatches ComputeRequest::zk to ZkActor                      │
 │  ├─ Collects responses, signs proofs (ECDSA EIP-191)               │
-│  ├─ Manages pending proof state (C1-C3 batch, C4 batch)           │
+│  ├─ Manages pending proof state (C1–C3 and C4 proof bundles per E3) │
 │  └─ Publishes *Created / *Signed events when all proofs complete   │
 │                                                                     │
 │  ProofVerificationActor (C0 Verification)                          │

circuits/README.md

@@ -43,21 +43,22 @@ how phases, commitments, and circuit IDs line up end to end, read
 [Cryptography](https://docs.theinterfold.com/cryptography) (source:
 [`docs/pages/cryptography.mdx`](../docs/pages/cryptography.mdx)).
 
-**C2** is implemented as a **pipeline** of packages (base, chunk, batch, final `share_computation`),
-not a single crate.
+**C2** uses **inner** recursive proofs plus an optional **wrapper**: `sk_share_computation`
+(**C2a**) and `e_sm_share_computation` (**C2b**) prove the Shamir-share computation; the wrapper
+`recursive_aggregation/wrapper/dkg/share_computation` (`CircuitName::ShareComputation`) re-verifies
+a single inner C2 proof at a time and compresses public inputs for folding / aggregation. Gossip and
+threshold signing use the **inner** proof; the wrapper is produced separately when node proof
+aggregation is enabled.
 
 ### DKG (`bin/dkg/`)
 
-| Path                            | ID       | `CircuitName`                | Role                                          |
-| ------------------------------- | -------- | ---------------------------- | --------------------------------------------- |
-| `pk`                            | C0       | `PkBfv`                      | Commit to individual BFV public key           |
-| `sk_share_computation_base`     | C2 inner | `SkShareComputationBase`     | Shamir shares (`y`) for secret contribution   |
-| `e_sm_share_computation_base`   | C2 inner | `ESmShareComputationBase`    | Shamir shares (`y`) for smudging noise        |
-| `share_computation_chunk`       | C2 inner | `ShareComputationChunk`      | Reed–Solomon parity on a coefficient slice    |
-| `share_computation_chunk_batch` | C2 inner | `ShareComputationChunkBatch` | Binds base proof to a batch of chunk proofs   |
-| `share_computation`             | **C2**   | `ShareComputation`           | Final C2 step; aggregates inner proofs        |
-| `share_encryption`              | C3       | `ShareEncryption`            | BFV encryption of shares under recipient keys |
-| `share_decryption`              | C4       | `DkgShareDecryption`         | Decrypt shares; aggregate; commitments for P4 |
+| Path                     | ID  | `CircuitName`         | Role                                          |
+| ------------------------ | --- | --------------------- | --------------------------------------------- |
+| `pk`                     | C0  | `PkBfv`               | Commit to individual BFV public key           |
+| `sk_share_computation`   | C2a | `SkShareComputation`  | Secret-key track Shamir shares (`y`)          |
+| `e_sm_share_computation` | C2b | `ESmShareComputation` | Smudging-noise track Shamir shares (`y`)      |
+| `share_encryption`       | C3  | `ShareEncryption`     | BFV encryption of shares under recipient keys |
+| `share_decryption`       | C4  | `DkgShareDecryption`  | Decrypt shares; aggregate; commitments for P4 |
 
 ### Threshold (`bin/threshold/`)
 
@@ -73,11 +74,12 @@ not a single crate.
 
 ### Recursive aggregation (`bin/recursive_aggregation/`)
 
-| Path                  | `CircuitName` | Role                                                      |
-| --------------------- | ------------- | --------------------------------------------------------- |
-| `fold`                | `Fold`        | Fold two wrapper outputs                                  |
-| `wrapper/dkg/*`       | —             | Verifies inner DKG proofs; compresses public inputs       |
-| `wrapper/threshold/*` | —             | Verifies inner threshold proofs; compresses public inputs |
+| Path                            | `CircuitName`      | Role                                                                               |
+| ------------------------------- | ------------------ | ---------------------------------------------------------------------------------- |
+| `fold`                          | `Fold`             | Fold two wrapper outputs                                                           |
+| `wrapper/dkg/share_computation` | `ShareComputation` | C2 wrapper: one inner C2a or C2b proof per wrap; VK genealogy + compressed outputs |
+| `wrapper/dkg/*`                 | —                  | Verifies inner DKG proofs; compresses public inputs                                |
+| `wrapper/threshold/*`           | —                  | Verifies inner threshold proofs; compresses public inputs                          |
 
 Wrapper parameters are documented in
 [`wrapper/README.md`](bin/recursive_aggregation/wrapper/README.md).

circuits/bin/dkg/Nargo.toml

@@ -3,10 +3,7 @@ members = [
     "pk",
     "share_encryption",
     "share_decryption",
-    "sk_share_computation_base",
-    "e_sm_share_computation_base",
-    "share_computation_chunk",
-    "share_computation_chunk_batch",
-    "share_computation"
+    "sk_share_computation",
+    "e_sm_share_computation",
 ]
 

circuits/bin/dkg/share_computation_chunk_batch/Nargo.toml → circuits/bin/dkg/e_sm_share_computation/Nargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "share_computation_chunk_batch"
+name = "e_sm_share_computation"
 type = "bin"
 authors = [""]
 

circuits/bin/dkg/e_sm_share_computation/README.md

@@ -0,0 +1,12 @@
+# `e_sm_share_computation` — C2b (share computation)
+
+Correct Threshold Smudging Noise Share Computation (**Circuit 2b**). Verifies the expected secret
+commitment, checks secret consistency (`y[i][j][0] == e_sm[j][i]` per modulus), performs range
+checks (`y` in `[0, q_j)`), and enforces Reed–Solomon parity using the preset `PARITY_MATRIX`.
+Commits computed party shares for downstream aggregation.
+
+|           |                                                                                           |
+| --------- | ----------------------------------------------------------------------------------------- |
+| **Core**  | [`lib/src/core/dkg/share_computation.nr`](../../../lib/src/core/dkg/share_computation.nr) |
+| **Index** | [Circuit package index](../../../README.md#circuit-package-index)                         |
+| **Docs**  | [Noir Circuits](../../../../docs/pages/noir-circuits.mdx)                                 |

circuits/bin/dkg/e_sm_share_computation/src/main.nr

@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::dkg::{
+    L_THRESHOLD, N, PARITY_MATRIX, SHARE_COMPUTATION_BIT_SHARE, SHARE_COMPUTATION_E_SM_BIT_SECRET,
+    SHARE_COMPUTATION_E_SM_CONFIGS,
+};
+use lib::configs::default::{N_PARTIES, T};
+use lib::core::dkg::share_computation::SmudgingNoiseShareComputation;
+use lib::math::polynomial::Polynomial;
+
+fn main(
+    expected_secret_commitment: pub Field,
+    e_sm_secret: [Polynomial<N>; L_THRESHOLD],
+    y: [[[Field; N_PARTIES + 1]; L_THRESHOLD]; N],
+) -> pub [[Field; L_THRESHOLD]; N_PARTIES] {
+    let share_computation_e_sm: SmudgingNoiseShareComputation<N, L_THRESHOLD, N_PARTIES, T, SHARE_COMPUTATION_E_SM_BIT_SECRET, SHARE_COMPUTATION_BIT_SHARE> = SmudgingNoiseShareComputation::new(
+        SHARE_COMPUTATION_E_SM_CONFIGS,
+        expected_secret_commitment,
+        e_sm_secret,
+        y,
+        PARITY_MATRIX,
+    );
+
+    share_computation_e_sm.execute()
+}