feat: add C4-C6 and C1-C2 links [skip-line-limit]

[0xjei]

Summary by CodeRabbit

Release Notes

• Documentation

  • Updated DKG protocol flow documentation with refined commitment consistency checks and explicit decryption verification phases.

• New Features

  • Added commitment consistency verification between key generation and share computation phases.
  • Re-enabled commitment verification between decryption output and final output generation phases.

• Refactor

  • Restructured commitment consistency checking with updated equality constraints and refined verification ordering.
  • Updated protocol configuration parameters for decryption operations.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
crisp	Ready	Preview, Comment	Apr 7, 2026 1:25pm
enclave-docs	Ready	Preview, Comment	Apr 7, 2026 1:25pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates DKG circuit commitment consistency checking and normalization pipelines. It adds C1→C2 commitment links, re-enables C4→C6 links, updates secret-verification routines to reverse and center coefficients before hashing, modifies share decryption to normalize aggregated polynomials via coefficient reduction and reordering, and adjusts supporting helper computations and tests accordingly.

Changes

Cohort / File(s)	Summary
Flow Trace Documentation agent/flow-trace/04_DKG_AND_COMPUTATION.md	Updated commitment consistency checking constraints, re-partitioned C4 verification workflow phases, and clarified ZK proof output types and normalization/hashing steps for C4a/C4b.
Circuit Configuration circuits/lib/src/configs/insecure/dkg.nr	Updated SHARE_COMPUTATION_E_SM_BIT_SECRET global constant from 24 to 28 to align bit-secret sizing for share computation parameters.
Share Computation Circuit circuits/lib/src/core/dkg/share_computation.nr	Modified secret-verification routines to preprocess secrets by reversing polynomial coefficients and centering values (for smudging noise) before computing commitments, aligning with C1 convention.
Share Decryption Circuit & Executable circuits/bin/dkg/share_decryption/src/main.nr, circuits/lib/src/core/dkg/share_decryption.nr	Added moduli public input parameter and introduced normalization step (reduce, reverse, center) for aggregated polynomials before commitment computation; updated execute() signature.
ZK-Helpers Share Computation crates/zk-helpers/src/circuits/dkg/share_computation/computation.rs	Updated bound and input computation to match C1 commitment conventions: reversed secret-key limb and centered smudging-noise coefficients before hashing.
ZK-Helpers Share Decryption Test crates/zk-helpers/src/circuits/dkg/share_decryption/computation.rs	Updated unit test to immutably clone and reverse share coefficients for commitment computation; adjusted comment references.
Commitment Links Infrastructure crates/zk-prover/src/actors/commitment_links/c1_to_c2.rs, crates/zk-prover/src/actors/commitment_links/mod.rs	Added new C1ToC2aSkCommitmentLink and C1ToC2bESmCommitmentLink implementations for same-party C1→C2 consistency checks; re-enabled C4→C6 commitment links in default configuration.
E2E Tests crates/zk-prover/tests/local_e2e_tests.rs	Introduced normalize_crt_for_commitment() helper; updated test assertions to compute expected C4 commitments using normalized (reduced, reversed, centered) aggregated CRT polynomials.

Sequence Diagram(s)

sequenceDiagram
    participant C1 as C1<br/>(PkGeneration)
    participant LinkC1C2 as C1→C2<br/>(CommitmentLink)
    participant C2a as C2a<br/>(ShareComputation)
    participant C2b as C2b<br/>(ShareComputation)
    participant LinkC4C6 as C4→C6<br/>(CommitmentLink)
    participant C4 as C4<br/>(ShareDecryption)
    participant C6 as C6<br/>(ZK Verify)

    C1->>C1: Generate sk_commitment,<br/>e_sm_commitment
    C1-->>LinkC1C2: Export commitments<br/>in public signals

    LinkC1C2->>C2a: Verify C1 sk_commitment<br/>matches expected input
    LinkC1C2->>C2b: Verify C1 e_sm_commitment<br/>matches expected input
    C2a->>C2a: Verify secret commitment<br/>(reverse + hash)
    C2b->>C2b: Verify secret commitment<br/>(reverse + center + hash)

    C2a-->>C4: Aggregated shares<br/>(via C2 commitments)
    C2b-->>C4: Aggregated smudging<br/>(via C2 commitments)
    C4->>C4: Normalize aggregated<br/>(reduce mod + reverse + center)
    C4->>C4: Hash normalized polynomial
    C4-->>LinkC4C6: Export normalized<br/>commitments

    LinkC4C6->>C6: Verify C4 normalized<br/>commitments match C6 witness
    C6->>C6: Verify ZK proof<br/>with matched commitments

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat: link c4 and c6 #1492: Adds and registers C4→C6 commitment-link implementations tying C4 decryption-share commitments to C6 expected inputs.
• refactor: improve c7 circuit computation [skip-line-limit] #1315: Modifies DKG polynomial normalization/reduction and commitment pipelines with coefficient reversal and centering across circuits.
• chore: refactor ccc before ZK verification [skip-line-limit] #1490: Implements the pre-ZK commitment consistency phase, adding CommitmentLink infrastructure and C1→C2/C4→C6 cross-circuit checks with orchestration.

Suggested reviewers

• hmzakhalid
• ctrlc03

Poem

🐰 Commitments now flow from C1 through C2's ground,
Reversed and centered, each coefficient found!
C4 normalizes what C6 shall trace,
With links that verify each bounded space. ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: adding commitment links between C1-C2 circuits and re-enabling C4-C6 links, which are the primary objectives reflected across the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ref/c4-link-c6

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

crates/zk-prover/src/actors/commitment_links/c1_to_c2.rs (1)

55-108: Optional: reduce duplication between C2a and C2b link implementations.

extract_source_values and check_signals are structurally identical apart from the source field name. A tiny shared helper (or small generic constructor pattern) would reduce maintenance overhead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/zk-prover/src/actors/commitment_links/c1_to_c2.rs` around lines 55 -
108, Both C1ToC2a/C1ToC2b implementations duplicate extract_source_values and
check_signals logic; factor the common logic into shared helpers and call them
from each link. Create a helper like fn extract_field_value_from_pk(field_name:
&str, public_signals: &[u8]) -> Option<FieldValue> that uses
CircuitName::PkGeneration.output_layout().extract_field(...) and copies into a
[u8; FIELD_BYTE_LEN], and a helper fn target_matches_field(value: &FieldValue,
target_public_signals: &[u8]) -> bool that checks length and byte equality; then
update C1ToC2bESmCommitmentLink::extract_source_values and ::check_signals (and
the C2a link) to call these helpers instead of duplicating code.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@agent/flow-trace/04_DKG_AND_COMPUTATION.md`:
- Around line 464-467: Update the descriptive text for ShareVerificationActor to
reflect the correct number of phases: replace the phrase "same 2-phase
verification" with "3-phase verification" so it matches the subsequent Phase
1/Phase 2/Phase 3 list; locate the occurrence near the ShareVerificationActor
section in 04_DKG_AND_COMPUTATION.md and update that wording only.

---

Nitpick comments:
In `@crates/zk-prover/src/actors/commitment_links/c1_to_c2.rs`:
- Around line 55-108: Both C1ToC2a/C1ToC2b implementations duplicate
extract_source_values and check_signals logic; factor the common logic into
shared helpers and call them from each link. Create a helper like fn
extract_field_value_from_pk(field_name: &str, public_signals: &[u8]) ->
Option<FieldValue> that uses
CircuitName::PkGeneration.output_layout().extract_field(...) and copies into a
[u8; FIELD_BYTE_LEN], and a helper fn target_matches_field(value: &FieldValue,
target_public_signals: &[u8]) -> bool that checks length and byte equality; then
update C1ToC2bESmCommitmentLink::extract_source_values and ::check_signals (and
the C2a link) to call these helpers instead of duplicating code.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6e3b2869-2fd7-426a-95d3-588131fbdb22

📥 Commits

Reviewing files that changed from the base of the PR and between a07fd4d and 585282d.

📒 Files selected for processing (10)

• agent/flow-trace/04_DKG_AND_COMPUTATION.md
• circuits/bin/dkg/share_decryption/src/main.nr
• circuits/lib/src/configs/insecure/dkg.nr
• circuits/lib/src/core/dkg/share_computation.nr
• circuits/lib/src/core/dkg/share_decryption.nr
• crates/zk-helpers/src/circuits/dkg/share_computation/computation.rs
• crates/zk-helpers/src/circuits/dkg/share_decryption/computation.rs
• crates/zk-prover/src/actors/commitment_links/c1_to_c2.rs
• crates/zk-prover/src/actors/commitment_links/mod.rs
• crates/zk-prover/tests/local_e2e_tests.rs

[coderabbitai]

🧹 Nitpick comments (2)

circuits/lib/src/core/dkg/share_decryption.nr (2)

80-82: Make the no-wrap assumption explicit.

Line 80 depends on the unreduced coefficient sum staying below the backend field modulus until normalize_aggregated runs. Because ShareDecryption is generic over H and the supplied moduli, a future preset bump could silently change this from integer-sum-then-reduce into field-wrap-then-reduce. I’d pin that as an explicit preset-level precondition or test.

Also applies to: 92-97

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@circuits/lib/src/core/dkg/share_decryption.nr` around lines 80 - 82, The
comment warns that ShareDecryption’s assumption that the unreduced sum H*q_l <
backend field modulus is implicit; make this explicit by adding a preset-level
precondition (or invariant) that pins H and q_l versus the circuit/backend field
modulus and document it where ShareDecryption is defined, and add a
unit/integration test that asserts H * q_l < FIELD_MODULUS for all presets; also
update the comment near normalize_aggregated to state the no-wrap requirement
explicitly and reference the invariant so future preset bumps will fail the test
if they violate the assumption.

---

123-124: Pick one canonical normalization order.

Line 123 documents reduce -> reverse -> center, while Lines 153-155 implement reverse -> reduce -> center, and crates/zk-prover/tests/local_e2e_tests.rs:101-116 uses the first order. The output is the same, but keeping multiple “canonical” spellings around the C4→C6 link makes future audits harder. I’d either reorder Lines 154-155 to match the Rust helper/docs or make the commutativity explicit.

♻️ Suggested note

-        // Step 3: Normalize to match C6's representation: reduce mod q, reverse, center.
+        // Step 3: Normalize to match C6's representation.
+        // Reverse and per-coefficient reduction commute, so this helper uses
+        // reverse -> reduce -> center while Rust-side helpers may spell it
+        // reduce -> reverse -> center.

Also applies to: 153-155

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@circuits/lib/src/core/dkg/share_decryption.nr` around lines 123 - 124, Pick
one canonical normalization order and make code + tests consistent: choose the
order used by normalize_aggregated::<N, L>(aggregated, moduli) (reduce ->
reverse -> center) and update the other implementation that currently does
reverse -> reduce -> center so it performs reduce then reverse then center, and
adjust the local_e2e_tests that assume the first order if needed; ensure any
inline docs/comments describing the steps are updated to match the chosen
canonical ordering.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@circuits/lib/src/core/dkg/share_decryption.nr`:
- Around line 80-82: The comment warns that ShareDecryption’s assumption that
the unreduced sum H*q_l < backend field modulus is implicit; make this explicit
by adding a preset-level precondition (or invariant) that pins H and q_l versus
the circuit/backend field modulus and document it where ShareDecryption is
defined, and add a unit/integration test that asserts H * q_l < FIELD_MODULUS
for all presets; also update the comment near normalize_aggregated to state the
no-wrap requirement explicitly and reference the invariant so future preset
bumps will fail the test if they violate the assumption.
- Around line 123-124: Pick one canonical normalization order and make code +
tests consistent: choose the order used by normalize_aggregated::<N,
L>(aggregated, moduli) (reduce -> reverse -> center) and update the other
implementation that currently does reverse -> reduce -> center so it performs
reduce then reverse then center, and adjust the local_e2e_tests that assume the
first order if needed; ensure any inline docs/comments describing the steps are
updated to match the chosen canonical ordering.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e9f0add3-d4cd-45f7-af85-c65e4316519b

📥 Commits

Reviewing files that changed from the base of the PR and between 585282d and 69168a6.

📒 Files selected for processing (1)

• circuits/lib/src/core/dkg/share_decryption.nr