chore(xof): add backward_compatibility layer for csprng byte start

Add an enum that allows to represent where the CSPRNG for the
CompressedXofKeySet must start. This is to accommodate for the csprng bug
that was fixed in tfhe-csprng 0.9 to still be able to load 1.5.4 (csprng
0.8.1) data correctly

Defaults to first byte, backward_compatibility handles old data that was
versioned with it.

Author: tmontaigu

tfhe/src/high_level_api/backward_compatibility/xof_key_set.rs

@@ -1,13 +1,50 @@
-use tfhe_versionable::VersionsDispatch;
+use std::convert::Infallible;
+
+use tfhe_csprng::seeders::XofSeed;
+use tfhe_versionable::{Upgrade, Version, VersionsDispatch};
 
 use crate::high_level_api::xof_key_set::{CompressedXofKeySet, XofKeySet};
+use crate::xof_key_set::XofSeedStart;
+use crate::{CompressedCompactPublicKey, CompressedServerKey};
+
+#[derive(Version)]
+pub struct CompressedXofKeySetV0 {
+    seed: XofSeed,
+    compressed_public_key: CompressedCompactPublicKey,
+    compressed_server_key: CompressedServerKey,
+}
+
+impl Upgrade<CompressedXofKeySet> for CompressedXofKeySetV0 {
+    type Error = Infallible;
+
+    fn upgrade(self) -> Result<CompressedXofKeySet, Self::Error> {
+        let Self {
+            seed,
+            compressed_public_key,
+            compressed_server_key,
+        } = self;
+
+        Ok(CompressedXofKeySet::from_raw_parts(
+            // Start on second byte to keep backward compatibility with csprng bug
+            XofSeedStart::SecondByte(seed),
+            compressed_public_key,
+            compressed_server_key,
+        ))
+    }
+}
 
 #[derive(VersionsDispatch)]
 pub enum CompressedXofKeySetVersions {
-    V0(CompressedXofKeySet),
+    V0(CompressedXofKeySetV0),
+    V1(CompressedXofKeySet),
 }
 
 #[derive(VersionsDispatch)]
 pub enum XofKeySetVersions {
     V0(XofKeySet),
 }
+
+#[derive(VersionsDispatch)]
+pub enum XofSeedStartVersions {
+    V0(XofSeedStart),
+}

tfhe/src/high_level_api/xof_key_set/mod.rs

@@ -2,7 +2,9 @@ mod internal;
 #[cfg(test)]
 mod test;
 
-use crate::backward_compatibility::xof_key_set::CompressedXofKeySetVersions;
+use crate::backward_compatibility::xof_key_set::{
+    CompressedXofKeySetVersions, XofSeedStartVersions,
+};
 use crate::core_crypto::commons::generators::MaskRandomGenerator;
 use crate::keys::{
     CompressedReRandomizationKey, IntegerServerKeyConformanceParams, ReRandomizationKeyGenInfo,
@@ -24,6 +26,7 @@ use crate::{
     CompressedReRandomizationKeySwitchingKey, CompressedServerKey, Config, ServerKey, Tag,
 };
 use serde::{Deserialize, Serialize};
+use tfhe_csprng::generators::aes_ctr::{AesCtrParams, TableIndex};
 
 use crate::core_crypto::commons::generators::NoiseRandomGenerator;
 use crate::shortint::atomic_pattern::compressed::CompressedAtomicPatternServerKey;
@@ -55,14 +58,47 @@ use crate::high_level_api::keys::expanded::IntegerExpandedServerKey;
 //        - Re-Rand Public Key (stored in ServerKey) derived from compute params
 // 11) SNS Compression Key
 
+/// Holds a [XofSeed] and the byte at which the random generator should start.
+/// This maintains backward compatibility with tfhe-rs=1.5.4 (csprng=0.8.1)
+/// where the generator started at the second byte.
+///
+/// Default conversion [From] a [XofSeed] selects the first byte.
+#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize, Versionize)]
+#[versionize(XofSeedStartVersions)]
+pub enum XofSeedStart {
+    FirstByte(XofSeed),
+    SecondByte(XofSeed),
+}
+
+impl From<XofSeed> for XofSeedStart {
+    fn from(seed: XofSeed) -> Self {
+        Self::FirstByte(seed)
+    }
+}
+
+impl From<XofSeedStart> for AesCtrParams {
+    fn from(val: XofSeedStart) -> Self {
+        match val {
+            XofSeedStart::FirstByte(xof_seed) => Self {
+                seed: xof_seed.into(),
+                first_index: TableIndex::FIRST,
+            },
+            XofSeedStart::SecondByte(xof_seed) => Self {
+                seed: xof_seed.into(),
+                first_index: TableIndex::SECOND,
+            },
+        }
+    }
+}
+
 /// Compressed KeySet which respects the [Threshold (Fully) Homomorphic Encryption]
 /// regarding the random generator used, and the order of key generation
 ///
 /// [Threshold (Fully) Homomorphic Encryption]: https://eprint.iacr.org/2025/699
 #[derive(Clone, Serialize, Deserialize, Versionize)]
 #[versionize(CompressedXofKeySetVersions)]
 pub struct CompressedXofKeySet {
-    seed: XofSeed,
+    seed: XofSeedStart,
     compressed_public_key: CompressedCompactPublicKey,
     compressed_server_key: CompressedServerKey,
 }
@@ -335,7 +371,7 @@ impl CompressedXofKeySet {
         );
 
         Ok(Self {
-            seed: pub_seed,
+            seed: XofSeedStart::FirstByte(pub_seed),
             compressed_public_key,
             compressed_server_key,
         })
@@ -375,7 +411,7 @@ impl CompressedXofKeySet {
     }
 
     pub fn from_raw_parts(
-        pub_seed: XofSeed,
+        pub_seed: impl Into<XofSeedStart>,
         mut compressed_public_key: CompressedCompactPublicKey,
         compressed_server_key: CompressedServerKey,
     ) -> Self {
@@ -384,13 +420,19 @@ impl CompressedXofKeySet {
             .tag_mut()
             .set_data(compressed_server_key.tag.data());
         Self {
-            seed: pub_seed,
+            seed: pub_seed.into(),
             compressed_public_key,
             compressed_server_key,
         }
     }
 
-    pub fn into_raw_parts(self) -> (XofSeed, CompressedCompactPublicKey, CompressedServerKey) {
+    pub fn into_raw_parts(
+        self,
+    ) -> (
+        XofSeedStart,
+        CompressedCompactPublicKey,
+        CompressedServerKey,
+    ) {
         let Self {
             seed,
             mut compressed_public_key,

utils/tfhe-backward-compat-data/data/1_6/high_level_api/compressed_xof_key_set.bcode

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c9f23ebfa45863063a5ec97fead026a027fef5ba3206d981a5fef7df39adcf94
-size 138497811
+oid sha256:94eb63d050bc99eb8da1d52532b22bdbed3099ddcaddc884cd6a2854ab6713ff
+size 138497819

utils/tfhe-backward-compat-data/data/1_6/high_level_api/compressed_xof_key_set.cbor

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:2d12df3e41e17b3f8bb1b7febd181e5f9e3c9e2a8ed168f0af8707eb6536e246
-size 155791615
+oid sha256:e97defb1929960a4bb7142d696ee6316ac92ab485606e7966f75340b72c861e6
+size 155791630