chore(zk): hash the value of k with the statement

nsarlin-zama · nsarlin-zama · commit 02a2e41b03a4 · 2025-10-27T16:34:23.000+01:00
diff --git a/tfhe-zk-pok/src/backward_compatibility/pke_v2.rs b/tfhe-zk-pok/src/backward_compatibility/pke_v2.rs
@@ -181,6 +181,7 @@ impl<G: Curve> Upgrade<Proof<G>> for ProofV2<G> {
                 mode: hash_mode,
                 proven_zero_bits_encoding: PkeV2ProvenZeroBitsEncoding::MsbZeroBitsCountOnly,
                 hashed_bound_type: PkeV2HashedBoundType::SquaredEuclideanNorm,
+                hash_k: false,
             },
         })
     }
@@ -394,6 +395,7 @@ where
                 mode: hash_mode,
                 proven_zero_bits_encoding: PkeV2ProvenZeroBitsEncoding::MsbZeroBitsCountOnly,
                 hashed_bound_type: PkeV2HashedBoundType::SquaredEuclideanNorm,
+                hash_k: false,
             },
         })
     }
diff --git a/tfhe-zk-pok/src/proofs/pke_v2/hashes.rs b/tfhe-zk-pok/src/proofs/pke_v2/hashes.rs
@@ -86,6 +86,8 @@ pub struct PkeV2HashConfig {
     pub(crate) mode: PkeV2HashMode,
     pub(crate) proven_zero_bits_encoding: PkeV2ProvenZeroBitsEncoding,
     pub(crate) hashed_bound_type: PkeV2HashedBoundType,
+    /// Should we also hash the value of k with the statement
+    pub(crate) hash_k: bool,
 }
 
 impl Default for PkeV2HashConfig {
@@ -97,6 +99,7 @@ impl Default for PkeV2HashConfig {
             mode: PkeV2HashMode::Compact,
             proven_zero_bits_encoding: PkeV2ProvenZeroBitsEncoding::AnyBitAnySlot,
             hashed_bound_type: PkeV2HashedBoundType::InfiniteNorm,
+            hash_k: true,
         }
     }
 }
@@ -113,6 +116,10 @@ impl PkeV2HashConfig {
     pub fn hashed_bound(&self) -> PkeV2HashedBoundType {
         self.hashed_bound_type
     }
+
+    pub fn hash_k(&self) -> bool {
+        self.hash_k
+    }
 }
 
 /// Encode the bits proven to be 0 in a plaintext list.
@@ -349,9 +356,16 @@ impl<'a> RHash<'a> {
             PkeV2HashedBoundType::InfiniteNorm => B_inf.to_le_bytes().to_vec(),
         };
 
+        let hashed_k = if config.hash_k {
+            k.to_le_bytes().to_vec()
+        } else {
+            Vec::new()
+        };
+
         let x_bytes = [
             q.to_le_bytes().as_slice(),
             (d as u64).to_le_bytes().as_slice(),
+            &hashed_k.as_slice(),
             &hashed_bound,
             t_input.to_le_bytes().as_slice(),
             encoded_zero_bits.as_slice(),
diff --git a/tfhe-zk-pok/src/proofs/pke_v2/mod.rs b/tfhe-zk-pok/src/proofs/pke_v2/mod.rs
@@ -2352,6 +2352,7 @@ mod tests {
                         proven_zero_bits_encoding:
                             PkeV2ProvenZeroBitsEncoding::MsbZeroBitsCountOnly,
                         hashed_bound_type: PkeV2HashedBoundType::SquaredEuclideanNorm,
+                        hash_k: false,
                     };
                     let proof = prove_impl(
                         (&public_param, &public_commit),
diff --git a/tfhe/src/integer/ciphertext/compact_list.rs b/tfhe/src/integer/ciphertext/compact_list.rs
@@ -1185,6 +1185,15 @@ impl IntegerProvenCompactCiphertextListConformanceParams {
             ..self
         }
     }
+
+    /// Reject the proof conformance if k is not hashed. This has no effect on
+    /// PkeV1 proofs
+    pub fn force_hash_k(self) -> Self {
+        Self {
+            zk_conformance_params: self.zk_conformance_params.force_hash_k(),
+            ..self
+        }
+    }
 }
 
 #[cfg(feature = "zk-pok")]
diff --git a/tfhe/src/shortint/ciphertext/zk.rs b/tfhe/src/shortint/ciphertext/zk.rs
@@ -279,6 +279,15 @@ impl ProvenCompactCiphertextListConformanceParams {
             ..self
         }
     }
+
+    /// Reject the proof conformance if k is not hashed. This has no effect on
+    /// PkeV1 proofs
+    pub fn force_hash_k(self) -> Self {
+        Self {
+            zk_conformance_params: self.zk_conformance_params.force_hash_k(),
+            ..self
+        }
+    }
 }
 
 impl ParameterSetConformant for ProvenCompactCiphertextList {
diff --git a/tfhe/src/zk/mod.rs b/tfhe/src/zk/mod.rs
@@ -123,6 +123,7 @@ pub struct CompactPkeV2ProofConformanceParams {
     accepted_hash_mode: EnumSet<PkeV2HashMode>,
     accepted_proven_zero_bits_encoding: EnumSet<PkeV2ProvenZeroBitsEncoding>,
     accepted_hashed_bound_type: EnumSet<PkeV2HashedBoundType>,
+    accepted_hash_k_mode: EnumSet<bool>,
 }
 
 impl Default for CompactPkeV2ProofConformanceParams {
@@ -152,11 +153,16 @@ impl CompactPkeV2ProofConformanceParams {
         accepted_hashed_bound_type.insert(PkeV2HashedBoundType::SquaredEuclideanNorm);
         accepted_hashed_bound_type.insert(PkeV2HashedBoundType::InfiniteNorm);
 
+        let mut accepted_hash_k_mode = EnumSet::new();
+        accepted_hash_k_mode.insert(true);
+        accepted_hash_k_mode.insert(false);
+
         Self {
             accepted_compute_load,
             accepted_hash_mode,
             accepted_proven_zero_bits_encoding,
             accepted_hashed_bound_type,
+            accepted_hash_k_mode,
         }
     }
 
@@ -209,6 +215,17 @@ impl CompactPkeV2ProofConformanceParams {
             ..self
         }
     }
+
+    /// Reject the proof conformance if k is not hashed
+    pub fn force_hash_k(self) -> Self {
+        let mut accepted_hash_k_mode = self.accepted_hash_k_mode;
+        accepted_hash_k_mode.remove(false);
+
+        Self {
+            accepted_hash_k_mode,
+            ..self
+        }
+    }
 }
 
 impl ParameterSetConformant for ProofV2<Curve> {
@@ -227,6 +244,9 @@ impl ParameterSetConformant for ProofV2<Curve> {
             && parameter_set
                 .accepted_hashed_bound_type
                 .contains(self.hash_config().hashed_bound())
+            && parameter_set
+                .accepted_hash_k_mode
+                .contains(self.hash_config().hash_k())
             && self.is_usable()
     }
 }
@@ -289,13 +309,22 @@ impl CompactPkeProofConformanceParams {
         forbidden_hashed_bound_type: ZkPkeV2HashedBoundType,
     ) -> Self {
         match self {
-            // There is no hash mode to configure in PkeV1
+            // There is no hashed bound to configure in PkeV1
             Self::PkeV1(params) => Self::PkeV1(params),
             Self::PkeV2(params) => {
                 Self::PkeV2(params.forbid_hashed_bound_type(forbidden_hashed_bound_type))
             }
         }
     }
+
+    /// Reject the proof conformance if k is not hashed. This has no effect on
+    /// PkeV1 proofs
+    pub fn force_hash_k(self) -> Self {
+        match self {
+            Self::PkeV1(params) => Self::PkeV1(params),
+            Self::PkeV2(params) => Self::PkeV2(params.force_hash_k()),
+        }
+    }
 }
 
 impl ParameterSetConformant for CompactPkeProof {

Original file line number	Diff line number	Diff line change
`@@ -1185,6 +1185,15 @@ impl IntegerProvenCompactCiphertextListConformanceParams {`
`1185`	`1185`	`..self`
`1186`	`1186`	`}`
`1187`	`1187`	`}`
	`1188`	`+`
	`1189`	`+ /// Reject the proof conformance if k is not hashed. This has no effect on`
	`1190`	`+ /// PkeV1 proofs`
	`1191`	`+ pub fn force_hash_k(self) -> Self {`
	`1192`	`+ Self {`
	`1193`	`+ zk_conformance_params: self.zk_conformance_params.force_hash_k(),`
	`1194`	`+ ..self`
	`1195`	`+ }`
	`1196`	`+ }`
`1188`	`1197`	`}`
`1189`	`1198`
`1190`	`1199`	`#[cfg(feature = "zk-pok")]`
Original file line number	Diff line number	Diff line change
`@@ -279,6 +279,15 @@ impl ProvenCompactCiphertextListConformanceParams {`
`279`	`279`	`..self`
`280`	`280`	`}`
`281`	`281`	`}`
	`282`	`+`
	`283`	`+ /// Reject the proof conformance if k is not hashed. This has no effect on`
	`284`	`+ /// PkeV1 proofs`
	`285`	`+ pub fn force_hash_k(self) -> Self {`
	`286`	`+ Self {`
	`287`	`+ zk_conformance_params: self.zk_conformance_params.force_hash_k(),`
	`288`	`+ ..self`
	`289`	`+ }`
	`290`	`+ }`
`282`	`291`	`}`
`283`	`292`
`284`	`293`	`impl ParameterSetConformant for ProvenCompactCiphertextList {`