refactor: new proof aggregation [skip-line-limit]

[cedoor]

Summary

Refactors proof aggregation around ad-hoc Noir bins under circuits/bin/recursive_aggregation/, replacing the old generic fold/ and wrapper/ trees. Aggregation is expressed as explicit fold + aggregator circuits with clear public layouts and key hashes.

Recursive aggregation layout

Circuit	Role
c2ab_fold	Combines C2a + C2b ZK proofs; surfaces C2 public inputs for downstream folds.
c3_fold	Sequential C3 fold: inner ZK ShareEncryption + optional prior c3_fold non-ZK proof (is_first_step, slot_index).
c3ab_fold	Combines final sk-chain and e_sm-chain c3_fold outputs.
c4ab_fold	Combines C4a + C4b folds for the C4 path.
node_fold	Per-node DKG fold: C0, C1, c2ab_fold, c3ab_fold, c4ab_fold with same-party assertions between stages.
nodes_fold	Sequential non-ZK fold of H node_fold proofs (one honest slot per step), chained with prior nodes_fold.
dkg_aggregator	Verifies one non-ZK nodes_fold proof + C5 (pk_aggregation) ZK; enforces cross-node grids and C5↔node public links.
c6_fold	Sequential fold of T+1 C6 (ThresholdShareDecryption) rows for the phase-7 path.
decryption_aggregator	Verifies one non-ZK c6_fold proof + C7 ZK; ties folded C6 columns to c7_public.

Removed: recursive_aggregation/fold/ and recursive_aggregation/wrapper/ (legacy two-proof fold and generic wrappers).

How reviewers can test

1. Compile recursive-aggregation circuits (needed for zk-prover tests that read circuits/bin/...):

   pnpm install
   pnpm build:circuits --group recursive_aggregation

2. Barretenberg — integration tests expect bb on PATH; they print a skip message if it’s missing.

3. Optional zk-prover integration targets (not run by default CI for this crate yet):

   # Fold accumulators: sequential C3/C6 fold, ABI slot checks, pipeline JSON + artifact staging
   cargo test -p e3-zk-prover --test fold_accumulators_e2e_tests -- --nocapture
   
   # Full correlated node_fold chain (C0→…→node_fold); heavier, use single thread
   cargo test -p e3-zk-prover --test node_fold_correlated_e2e_tests -- --nocapture --test-threads=1

   CI still runs e3-zk-prover’s integration_tests and local_e2e_tests only; these two are for local / follow-up CI if you wire them in.

What those zk-prover tests cover

Test crate	Purpose
fold_accumulators_e2e_tests	generate_sequential_c3_fold / generate_sequential_c6_fold (prove + verify), slot counts from compiled c3_fold / c6_fold JSON, staging of recursive-aggregation artifacts, and loading the node_fold pipeline (C2ab → C3ab → C4ab → node_fold) without a full correlated DKG witness story.
node_fold_correlated_e2e_tests	One end-to-end run with correlated witnesses (C1/C2/C3/C4 commitments aligned) through node_fold prove + verify.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
crisp	Ready	Preview, Comment	Apr 16, 2026 0:29am
enclave-docs	Ready	Preview, Comment	Apr 16, 2026 0:29am

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a4c4ca99-d574-4525-b9c5-7303dbae401f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/new-proof-aggregation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cedoor]

Could you do an early review of the new recursive-aggregation circuits? @zahrajavar @0xjei

[0xjei]

Could you do an early review of the new recursive-aggregation circuits? @zahrajavar @0xjei

sure, will get a proper look tomorrow 🙏

[0xjei]

agreed in chat on fixing the C3 fold stuff

[zahrajavar]

@cedoor Isn't this checking party_i.c3_pk[j] == party_j.c0_pk ?
The comment should be "cross-node C0 --> C3"

[zahrajavar]

In handle_encryption_key_received() function here

enclave/crates/zk-prover/src/actors/proof_verification.rs

Line 80 in f82f3ef

fn handle_encryption_key_received(

We are missing this check in the first sync point
Verifies C0 commitment binding for ALL parties (N checks): hash(pk_j) == C0_j.pk_commit (for each party j)
This checks bfv_public_key matches the pk_commitment in the C0 proof's public values.
We need a check like this

let layout = CircuitName::PkBfv.output_layout();
let proof_pk_commitment = layout.extract_field(&proof.public_signals, "pk_commitment")
   .expect("C0 must have pk_commitment");

let computed_pk_commitment = compute_dkg_pk_commitment_from_bfv_pk(
   &msg.key.bfv_public_key, 
   preset
);

if proof_pk_commitment != computed_pk_commitment.as_slice() {
   error!("C0 binding check FAILED for party {}", msg.key.party_id);
   // Emit SignedProofFailed - blame the SENDER
   self.emit_signed_proof_failed(&msg.e3_id, &signed, recovered_address, msg.key.party_id, &ec);
   return;
}```